Often you need to override some limits for some daemons, for example the number of open files for nginx. But this doesn't seem to work:

    # ldd /sbin/start-stop-daemon
        linux-vdso.so.1 => (0x00007fffe5eec000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007f3773dae000)
        librc.so.1 => /lib64/librc.so.1 (0x00007f3773ba2000)
        libeinfo.so.1 => /lib64/libeinfo.so.1 (0x00007f377399c000)
        libncurses.so.5 => /lib64/libncurses.so.5 (0x00007f377374b000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f3773547000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007f377333a000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f3772fe1000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3773fb1000)

    [ebuild R ] sys-apps/openrc-0.6.1-r1 USE="ncurses pam unicode -debug" 0 kB

    # grep -Ri limits /etc/pam.d/
    /etc/pam.d/cron:session optional pam_limits.so
    /etc/pam.d/start-stop-daemon:session optional pam_limits.so
    /etc/pam.d/system-auth:session required pam_limits.so
    /etc/pam.d/system-services:session required pam_limits.so

    start() {
        configtest || return 1
        ebegin "Starting nginx"
        start-stop-daemon --start --pidfile /var/run/nginx.pid \
            --exec /usr/sbin/nginx -- -c /etc/nginx/nginx.conf
        eend $? "Failed to start nginx"
    }

[it still doesn't work even if I add change user and group options to s-s-d invocation]

Of course I have this in /etc/limits.conf:

    * - nofile 65535

It works for su, doesn't work for s-s-d.

Reproducible: Always

Steps to Reproduce:
Actual Results:
Limits inherited from console or init.
Expected Results:
Limits set from limits.conf

    # emerge --info
    Portage 2.2_rc67 (!gp/overlays/machine/profiles/machine, gcc-4.4.3, glibc-2.11.2-r0, 2.6.32-ovz1 x86_64)
    =================================================================
    System uname: Linux-2.6.32-ovz1-x86_64-Intel-R-_Xeon-R-_CPU_X3210_@_2.13GHz-with-gentoo-2.0.1
    Timestamp of tree: Thu, 05 Aug 2010 22:30:01 +0000
    app-shells/bash: 4.0_p37
    dev-lang/python: 2.6.5-r2, 3.1.2-r3
    sys-apps/baselayout: 2.0.1
    sys-apps/openrc: 0.6.1-r1
    sys-apps/sandbox: 2.2
    sys-devel/autoconf: 2.65
    sys-devel/automake: 1.11.1
    sys-devel/binutils: 2.20.1-r1
    sys-devel/gcc: 4.4.3-r2
    sys-devel/gcc-config: 1.4.1
    sys-devel/libtool: 2.2.6b
    virtual/os-headers: 2.6.30-r1
    ACCEPT_KEYWORDS="amd64"
    ACCEPT_LICENSE="* -@EULA"
    CBUILD="x86_64-pc-linux-gnu"
    CFLAGS="-O2 -pipe -ggdb"
    CHOST="x86_64-pc-linux-gnu"
    CONFIG_PROTECT="/etc"
    CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
    CXXFLAGS="-O2 -pipe -ggdb"
    DISTDIR="/usr/portage/distfiles"
    EMERGE_DEFAULT_OPTS="--complete-graph --keep-going --noconfmem"
    FEATURES="assume-digests buildsyspkg distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unmerge-logs unmerge-orphans userfetch"
    GENTOO_MIRRORS="http://distfiles.gentoo.org"
    LANG="en"
    LC_ALL="POSIX"
    LDFLAGS="-Wl,-O1 -Wl,--sort-common"
    LINGUAS="en"
    MAKEOPTS="-j5"
    PKGDIR="/usr/portage/packages"
    PORTAGE_CONFIGROOT="/"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/etc/gp/overlays/gp /etc/gp/overlays/organization /etc/gp/overlays/machine"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="acl amd64 bash-completion bzip2 caps cxx fam iconv idn ipv6 ithreads logrotate mailwrapper mmx multilib ncurses nptl pam pcre python readline slang sse sse2 ssl tcpd threads unicode vim-syntax xattr zlib" ELIBC="glibc" KERNEL="linux" LINGUAS="en" RUBY_TARGETS="ruby18" USERLAND="GNU" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
    Unset: CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
For a long time people have been thinking start-stop-daemon would use PAM sessions when it didn't, but since you're running openrc-0.6.1-r1 with USE=pam that feature really is supposed to exist.
Will try to work on this tomorrow.
I've just tried to reproduce this and failed... and I just noticed in the report you talk about /etc/limits.conf... pam_limits uses /etc/security/limits.conf instead, that might actually be your problem. If so, I apologise for not noticing before :/ If that's not it... please reopen and I'll try to track down what the problem could be...
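
A way to verify the outcome discussed in this thread, as an added example that is not part of the original report or of OpenRC: the functions below compare the hard "Max open files" limit in a daemon's /proc/<pid>/limits with the nofile entry in a limits.conf-format file. It goes slightly beyond the reporter's single `*` line by letting a per-user entry override the wildcard; the function names, the `root` user and the sample values in `demo` are assumptions.

```sh
#!/bin/sh
# Added example. Simplification: only user and "*" domains (no @group entries).

# Print the nofile value for USER from a limits.conf-format FILE.
# KIND is "soft" or "hard"; a "-" type sets both. User lines beat "*".
conf_nofile() {   # args: file user kind
    awk -v user="$2" -v kind="$3" '
        { sub(/#.*/, "") }                      # strip comments
        NF == 4 && $3 == "nofile" && ($2 == kind || $2 == "-") {
            if ($1 == user) u = $4
            else if ($1 == "*") w = $4
        }
        END { if (u != "") print u; else if (w != "") print w }
    ' "$1"
}

# Print the soft or hard "Max open files" value from a /proc/<pid>/limits file.
proc_nofile() {   # args: file kind
    awk -v kind="$2" '/^Max open files/ { print (kind == "soft" ? $4 : $5) }' "$1"
}

# Return 0 if the process has the configured hard limit, 1 on mismatch,
# 2 if the file has no matching nofile entry.
check_nofile() {   # args: proc-limits-file conf-file user
    want=$(conf_nofile "$2" "$3" hard)
    have=$(proc_nofile "$1" hard)
    [ -n "$want" ] || { echo "no nofile entry for $3 in $2"; return 2; }
    [ "$want" = "$have" ] && { echo "ok: hard nofile=$have"; return 0; }
    echo "mismatch: configured $want, process has $have"
    return 1
}

# Constructed sample: the reporter's limits.conf line and a process whose
# limits (1024/4096, made-up values) were inherited rather than set by PAM.
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '# constructed' '* - nofile 65535' > "$d/limits.conf"
    printf '%s\n' 'Limit           Soft Limit  Hard Limit  Units' \
                  'Max open files  1024        4096        files' > "$d/limits"
    rc=0; check_nofile "$d/limits" "$d/limits.conf" root || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Live use (user name is an assumption):
#   check_nofile "/proc/$(cat /var/run/nginx.pid)/limits" /etc/security/limits.conf root
```

Run against /etc/limits.conf and /etc/security/limits.conf in turn, the check shows which file actually determines the daemon's limit.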