unbit / uwsgi

uWSGI application server container

http://projects.unbit.it/uwsgi

Other

3.45k stars 691 forks source link

setrlimit(): Operation not permitted [core/uwsgi.c line 2157] #203

Closed 77cc33 closed 11 years ago

77cc33 commented 11 years ago

ubuntu 12.04 lts 64 bit

I have /etc/security/limits.conf set as 135K

www-data hard nofile 133333 www-data soft nofile 133333 root hard nofile 133333 root soft nofile 133333

I enabled pam_security module, so when I log in as root or www-data - I have: ulimit -n 133333

but when I start uwsgi, it shows me: detected max file descriptor number: 1024

I tried to set fd-max, and got this: setrlimit(): Operation not permitted [core/uwsgi.c line 2157] detected max file descriptor number: 1024

I start uwsgi as root with help of emperor and later set uid to www-data

is there some workaround to fix it ASAP?

unbit commented 11 years ago

every application wanting to use pam, must explicitely support it. You have to load the "pam" plugin and use --pam or --pam-user (based on your need). The pam plugin is not builtin by default but its only dependancies are the pam development headers.

unbit commented 11 years ago

in addition to this, remember you can set the max-fd in the emperor, and this limit will be inherited by vassal (without bothering with pam)

77cc33 commented 11 years ago

I tried emperor, and it didn't work. it's my ubuntu upstart init script

Emperor uWSGI script

description "uWSGI Emperor"; start on runlevel [2345] stop on runlevel [06]

exec uwsgi \ --master \ --die-on-term \ --emperor /etc/uwsgi \ --logto /var/log/uwsgi/emperor.log \ --logdate \ --auto-procname \ --no-orphans \ --need-app \ --max-fd 30000

and it's what I have in my emperor log Fri Mar 29 07:48:48 2013 - detected max file descriptor number: 30000

and it what I have in application log setrlimit(): Operation not permitted [core/uwsgi.c line 2157] detected max file descriptor number: 1024

unbit commented 11 years ago

you are right, setrlimit is called too late, while it should be called before privileges drop, will be fixed in the next few minutes

unbit commented 11 years ago

hmm should be managed in another way, as it could be a security problem allowing the user to increase its max-fd before privileges drop. Will leave this open, i will post the solution as soon as possible

unbit commented 11 years ago

you can try with latest code from github and adding --max-fd to the emperor. The vassals wil inherit the limit.

From now on this is the blessed way

77cc33 commented 11 years ago

thank you!

just wanted to aprove that it works now!