On Aug 28, 2019 5:39 PM, Allan Streib <astreib@indiana.edu> wrote:
>
> Allan Streib <astreib@indiana.edu> writes:
>
> > I see that fstat -u _ldapd always ends at FD 119 when the hang occurs:
> >
> > [...]
> > _ldapd ldapd 42641 117* internet stream tcp 0x0 172.29.202.69:389 <-- 172.29.200.108:47864
> > _ldapd ldapd 42641 118* internet stream tcp 0x0 172.29.202.69:389 <-- 172.29.200.104:56746
> > _ldapd ldapd 42641 119* internet stream tcp 0x0 172.29.202.69:389 <-- 172.29.200.106:40436
> >
> > I tried the following:
> >
> > Gave _ldapd a login class of "ldap"
> >
> > Added to login.conf:
> >
> > ldap:\
> > :openfiles=512:\
> > :tc=daemon:
> >
> > restart ldapd.
> >
> > Still hangs with fstat output the same.
>
> OK I apparently misunderstand how login.conf works. I had assumed that
> the above would give the "ldap" class an openfiles limit of 512 and
> everything else as defined for the "daemon" class. My daemon entry
> looked like this:
>
> daemon:\
> :ignorenologin:\
> :datasize=infinity:\
> :maxproc=infinity:\
> :openfiles-max=1024:\
> :openfiles-cur=128:\
> :stacksize-cur=8M:\
> :localcipher=blowfish,a:\
> :tc=default:
>
> However apparently the daemon class openfiles-cur=128 was being enforced;
> I changed that to 512 as a test, restarted ldapd, and now fstat is
> showing around 170 FDs for _ldapd and that seems to be where it's
> stabilizing, and the hangs are not occurring.
>
> The login.conf man page says that tc "Interpolate/expands records from
> corresponding login.conf. See getcap(3)."
>
> What I'm seeing seems to indicate it's working backwards from what the
> "Override resource limits" comment indicates above the bgpd and unbound
> classes, which I used as a model, but maybe I'm missing something?
>
> I include the entire login.conf below, with my current openfiles-cur
> setting for the daemon class.
>
> Allan
>
> # $OpenBSD: login.conf,v 1.9 2017/02/06 18:11:33 sthen Exp $
>
> #
> # Sample login.conf file. See login.conf(5) for details.
> #
>
> #
> # Standard authentication styles:
> #
> # passwd Use only the local password file
> # chpass Do not authenticate, but change users password (change
> # the YP password if the user has one, else change the
> # local password)
> # lchpass Do not login; change user's local password instead
> # radius Use radius authentication
> # reject Use rejected authentication
> # skey Use S/Key authentication
> # activ ActivCard X9.9 token authentication
> # crypto CRYPTOCard X9.9 token authentication
> # snk Digital Pathways SecureNet Key authentication
> # tis TIS Firewall Toolkit authentication
> # token Generic X9.9 token authentication
> # yubikey YubiKey authentication
> #
>
> # Default allowed authentication styles
> auth-defaults:auth=passwd,skey:
>
> # Default allowed authentication styles for authentication type ftp
> auth-ftp-defaults:auth-ftp=passwd:
>
> #
> # The default values
> # To alter the default authentication types change the line:
> # :tc=auth-defaults:\
> # to be read something like: (enables passwd, "myauth", and activ)
> # :auth=passwd,myauth,activ:\
> # Any value changed in the daemon class should be reset in default
> # class.
> #
> default:\
> :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
> :umask=022:\
> :datasize-max=768M:\
> :datasize-cur=768M:\
> :maxproc-max=256:\
> :maxproc-cur=128:\
> :openfiles-max=1024:\
> :openfiles-cur=512:\
> :stacksize-cur=4M:\
> :localcipher=blowfish,a:\
> :tc=auth-defaults:\
> :tc=auth-ftp-defaults:
>
> #
> # Settings used by /etc/rc and root
> # This must be set properly for daemons started as root by inetd as well.
> # Be sure reset these values back to system defaults in the default class!
> #
> daemon:\
> :ignorenologin:\
> :datasize=infinity:\
> :maxproc=infinity:\
> :openfiles-max=1024:\
> :openfiles-cur=512:\
> :stacksize-cur=8M:\
> :localcipher=blowfish,a:\
> :tc=default:
>
> #
> # Staff have fewer restrictions and can login even when nologins are set.
> #
> staff:\
> :datasize-cur=1536M:\
> :datasize-max=infinity:\
> :maxproc-max=512:\
> :maxproc-cur=256:\
> :ignorenologin:\
> :requirehome@:\
> :tc=default:
>
> #
> # Authpf accounts get a special motd and shell
> #
> authpf:\
> :welcome=/etc/motd.authpf:\
> :shell=/usr/sbin/authpf:\
> :tc=default:
>
> #
> # Building ports with DPB uses raised limits
> #
> pbuild:\
> :datasize-max=infinity:\
> :datasize-cur=4096M:\
> :maxproc-max=1024:\
> :maxproc-cur=256:\
> :tc=default:
>
> #
> # Override resource limits for certain daemons started by rc.d(8)
> #
> bgpd:\
> :openfiles=512:\
> :tc=daemon:
>
> unbound:\
> :openfiles=512:\
> :tc=daemon:
>
> ldap:\
> :openfiles=512:\
> :tc=daemon:
>
May need to use rcctl to change its class to ldap.
Untested:
rcctl set ldapd class ldap
Edgar
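The behaviour Allan describes (ldap:openfiles=512:tc=daemon still giving the daemon class's 128 descriptors) follows from two rules: getcap(3) splices the tc= target into the record, so daemon's openfiles-cur=128 becomes part of the expanded ldap record, and login_cap(3) lets the -cur/-max forms override the plain openfiles value wherever they occur. The Python below is an added example written for this page, not OpenBSD's getcap or login_cap code; it re-implements those two rules over an abridged copy of the posted login.conf (with daemon still at openfiles-cur=128) and reports what each class resolves to. The ldap-fixed class and all function names are my own, and the parser ignores getcap features login.conf does not use (escaped colons, termcap-style numeric capabilities).

```python
"""Model of how login.conf(5) classes resolve a resource limit.

Added example for this thread, not OpenBSD code. Two rules are modelled:
getcap(3) splices tc=name in place and the first occurrence of a capability
wins; login_cap(3) applies the plain name (openfiles) to soft and hard, then
lets openfiles-cur / openfiles-max override it wherever they appear.
"""

# Constructed sample, abridged from the login.conf in the thread with daemon
# still at openfiles-cur=128; "ldap-fixed" is a hypothetical class I added.
SAMPLE_LOGIN_CONF = r"""
default:\
	:openfiles-max=1024:\
	:openfiles-cur=512:

daemon:\
	:ignorenologin:\
	:datasize=infinity:\
	:openfiles-max=1024:\
	:openfiles-cur=128:\
	:tc=default:

staff:\
	:datasize-max=infinity:\
	:requirehome@:\
	:tc=default:

# Override resource limits for certain daemons started by rc.d(8)
ldap:\
	:openfiles=512:\
	:tc=daemon:

ldap-fixed:\
	:openfiles-cur=512:\
	:tc=daemon:
"""

MISSING = object()  # lookup() result for an absent or cancelled (cap@) capability

def parse_capfile(text):
    """{record_name: [(cap, value), ...]} in file order. Handles comments,
    blank lines, backslash continuation and name|alias headers (escaped
    colons and termcap '#' numeric caps are not used by login.conf)."""
    records, buf = {}, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        fields, buf = (buf + line).split(":"), ""
        caps = []
        for field in (f.strip() for f in fields[1:]):
            if field:
                cap, sep, value = field.partition("=")
                caps.append((cap.strip(), value.strip() if sep else None))
        for name in fields[0].strip().split("|"):
            records[name] = caps
    return records

def expand(records, name, _chain=()):
    """Splice tc= targets in place, as getcap(3) does, so a capability
    written in the referencing record precedes the inherited copy."""
    if name in _chain:
        raise ValueError("tc= loop: " + " -> ".join(_chain + (name,)))
    expanded = []
    for cap, value in records[name]:
        if cap == "tc":
            expanded.extend(expand(records, value, _chain + (name,)))
        else:
            expanded.append((cap, value))
    return expanded

def lookup(expanded, cap):
    """First match wins; a 'cap@' entry cancels the capability."""
    for key, value in expanded:
        if key == cap:
            return True if value is None else value
        if key == cap + "@":
            return MISSING
    return MISSING

def parse_limit(text):
    """'infinity' -> None (RLIM_INFINITY); else an int with optional b/k/m/g/t suffix."""
    text = text.lower()
    if text in ("infinity", "inf", "unlimited"):
        return None
    mult = {"b": 512, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)

def resolve_limit(records, login_class, name, inherited=(None, None)):
    """(soft, hard) that limit `name` resolves to under `login_class`, in
    login_cap(3) order: plain name first, then -cur and -max override.
    `inherited` is the limit the process starts with (None = RLIM_INFINITY)."""
    expanded = expand(records, login_class)
    soft, hard = inherited
    plain = lookup(expanded, name)
    if isinstance(plain, str):
        soft = hard = parse_limit(plain)
    cur, mx = lookup(expanded, name + "-cur"), lookup(expanded, name + "-max")
    if isinstance(cur, str):
        soft = parse_limit(cur)
    if isinstance(mx, str):
        hard = parse_limit(mx)
    return soft, hard

if __name__ == "__main__":
    recs = parse_capfile(SAMPLE_LOGIN_CONF)
    for cls in ("daemon", "ldap", "ldap-fixed"):
        print(cls, "openfiles soft/hard:", resolve_limit(recs, cls, "openfiles"))
```

Run as is, the daemon and ldap classes both resolve to (128, 1024) while ldap-fixed, which writes openfiles-cur=512 itself, resolves to (512, 1024): the per-daemon override has to use the -cur form, since the plain openfiles value loses to any openfiles-cur inherited through tc=. None of that matters unless ldapd actually starts under the class, which is what Edgar's rcctl suggestion addresses; on the host, check rcctl get ldapd class after setting it, then re-check the descriptor count with fstat -u _ldapd as Allan did.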