Allan Streib <[email protected]> writes:
> I see that fstat -u _ldapd always ends at FD 119 when the hang occurs:
>
> [...]
> _ldapd ldapd 42641 117* internet stream tcp 0x0 172.29.202.69:389 <--
> 172.29.200.108:47864
> _ldapd ldapd 42641 118* internet stream tcp 0x0 172.29.202.69:389 <--
> 172.29.200.104:56746
> _ldapd ldapd 42641 119* internet stream tcp 0x0 172.29.202.69:389 <--
> 172.29.200.106:40436
>
> I tried the following:
>
> Gave _ldapd a login class of "ldap"
>
> Added to login.conf:
>
> ldap:\
> :openfiles=512:\
> :tc=daemon:
>
> restart ldapd.
>
> Still hangs with fstat output the same.
OK I apparently misunderstand how login.conf works. I had assumed that
the above would give the "ldap" class an openfiles limit of 512 and
everything else as defined for the "daemon" class. My daemon entry
looked like this:
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-max=1024:\
:openfiles-cur=128:\
:stacksize-cur=8M:\
:localcipher=blowfish,a:\
:tc=default:
However apparently the daemon class openfiles-cur=128 was being enforced;
I changed that to 512 as a test, restarted ldapd, and now fstat is
showing around 170 FDs for _ldapd and that seems to be where it's
stabilizing, and the hangs are not occurring.
The login.conf man page says that tc "Interpolate/expands records from
corresponding login.conf. See getcap(3)."
What I'm seeing seems to indicate it's working backwards from what the
"Override resource limits" comment indicates above the bgpd and unbound
classes, which I used as a model, but maybe I'm missing something?
I include the entire login.conf below, with my current openfiles-cur
setting for the daemon class.
Allan
# $OpenBSD: login.conf,v 1.9 2017/02/06 18:11:33 sthen Exp $
#
# Sample login.conf file. See login.conf(5) for details.
#
#
# Standard authentication styles:
#
# passwd Use only the local password file
# chpass Do not authenticate, but change users password (change
# the YP password if the user has one, else change the
# local password)
# lchpass Do not login; change user's local password instead
# radius Use radius authentication
# reject Use rejected authentication
# skey Use S/Key authentication
# activ ActivCard X9.9 token authentication
# crypto CRYPTOCard X9.9 token authentication
# snk Digital Pathways SecureNet Key authentication
# tis TIS Firewall Toolkit authentication
# token Generic X9.9 token authentication
# yubikey YubiKey authentication
#
# Default allowed authentication styles
auth-defaults:auth=passwd,skey:
# Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:
#
# The default values
# To alter the default authentication types change the line:
# :tc=auth-defaults:\
# to be read something like: (enables passwd, "myauth", and activ)
# :auth=passwd,myauth,activ:\
# Any value changed in the daemon class should be reset in default
# class.
#
default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=768M:\
:datasize-cur=768M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=4M:\
:localcipher=blowfish,a:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:
#
# Settings used by /etc/rc and root
# This must be set properly for daemons started as root by inetd as well.
# Be sure reset these values back to system defaults in the default class!
#
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=8M:\
:localcipher=blowfish,a:\
:tc=default:
#
# Staff have fewer restrictions and can login even when nologins are set.
#
staff:\
:datasize-cur=1536M:\
:datasize-max=infinity:\
:maxproc-max=512:\
:maxproc-cur=256:\
:ignorenologin:\
:requirehome@:\
:tc=default:
#
# Authpf accounts get a special motd and shell
#
authpf:\
:welcome=/etc/motd.authpf:\
:shell=/usr/sbin/authpf:\
:tc=default:
#
# Building ports with DPB uses raised limits
#
pbuild:\
:datasize-max=infinity:\
:datasize-cur=4096M:\
:maxproc-max=1024:\
:maxproc-cur=256:\
:tc=default:
#
# Override resource limits for certain daemons started by rc.d(8)
#
bgpd:\
:openfiles=512:\
:tc=daemon:
unbound:\
:openfiles=512:\
:tc=daemon:
ldap:\
:openfiles=512:\
:tc=daemon:
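As an added illustration (not part of Allan's mail and not OpenBSD's own code), the following Python script models the two rules that decide which openfiles value a login class ends up with: getcap(3) splices the record named by tc= in at the point of the tc, so the first occurrence of a capability name wins; and the resource-limit lookup in OpenBSD's libc login_cap(3) reads the plain name (openfiles) first and then lets the specific openfiles-cur / openfiles-max names override it when they are present anywhere in the expanded record. The sample login.conf inside the script is constructed to mirror the default, daemon and ldap classes from the mail as they were before the daemon class was changed (unrelated capabilities dropped); the ldap-fixed class is hypothetical and exists only to show what the model predicts when the specific name is set in the derived class.

```python
"""Resolve effective resource limits from a login.conf-style capability file.

Constructed example modelled on getcap(3) tc expansion and the
-cur/-max lookup order of OpenBSD's login_cap(3); not OpenBSD code.
"""
import math

# Constructed sample: default/daemon/ldap as in the mail before the change,
# plus a hypothetical "ldap-fixed" class that sets the specific -cur name.
SAMPLE_LOGIN_CONF = r"""
# comment lines and blank lines are ignored
default:\
    :umask=022:\
    :openfiles-max=1024:\
    :openfiles-cur=512:\
    :tc=auth-defaults:
auth-defaults:auth=passwd,skey:
daemon:\
    :ignorenologin:\
    :openfiles-max=1024:\
    :openfiles-cur=128:\
    :tc=default:
ldap:\
    :openfiles=512:\
    :tc=daemon:
ldap-fixed:\
    :openfiles-cur=512:\
    :tc=daemon:
"""


def parse_capdb(text):
    """Return {record name: [capability, ...]} with capability order preserved.

    Lines ending in a backslash continue the record; '#' lines and blank
    lines between records are ignored; 'name|alias' gives several names.
    """
    records, logical, buf = {}, [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf == "" and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        logical.append(buf + line.strip())
        buf = ""
    if buf:
        logical.append(buf)
    for rec in logical:
        fields = rec.split(":")
        caps = [f for f in fields[1:] if f]  # drop empty fields from '::'
        for name in fields[0].split("|"):
            records[name] = caps
    return records


def expand(records, name, seen=frozenset()):
    """Splice tc= targets in where they appear, as getcap(3) does."""
    if name in seen:
        raise ValueError(f"tc= loop at record {name!r}")
    if name not in records:
        raise KeyError(f"tc= target {name!r} not found")
    out = []
    for cap in records[name]:
        if cap.startswith("tc="):
            out.extend(expand(records, cap[3:], seen | {name}))
        else:
            out.append(cap)
    return out


def getcap(caps, name):
    """First-match lookup; 'name@' marks the capability explicitly absent."""
    for cap in caps:
        if cap == name + "@":
            return None
        if cap == name:
            return True
        if cap.startswith(name + "=") or cap.startswith(name + "#"):
            return cap[len(name) + 1:]
    return None


def parse_limit(value):
    """'infinity'/'unlimited' -> inf; optional K/M/G suffix for sizes."""
    if value in ("infinity", "unlimited"):
        return math.inf
    mult = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
    if value[-1].upper() in mult:
        return int(value[:-1]) * mult[value[-1].upper()]
    return int(value)


def effective_rlimit(records, cls, limit="openfiles", default=(0, 0)):
    """Mirror login_cap(3): plain name sets both values, then -cur/-max override.

    'default' stands in for the process's inherited limits.
    """
    caps = expand(records, cls)
    cur, mx = default
    plain = getcap(caps, limit)
    if plain not in (None, True):
        cur = mx = parse_limit(plain)
    c = getcap(caps, f"{limit}-cur")
    if c not in (None, True):
        cur = parse_limit(c)
    m = getcap(caps, f"{limit}-max")
    if m not in (None, True):
        mx = parse_limit(m)
    return cur, mx


if __name__ == "__main__":
    recs = parse_capdb(SAMPLE_LOGIN_CONF)
    for cls in ("default", "daemon", "ldap", "ldap-fixed"):
        print(f"{cls:12s} openfiles cur/max = {effective_rlimit(recs, cls)}")
```

Run as a script it prints the resolved cur/max pair per class. For the ldap class the model gives cur=128, max=1024: openfiles=512 is found first, but the daemon class's openfiles-cur=128, reached through tc=daemon, is the more specific name and overrides it, which matches the fstat observation in the mail. Only a class that sets openfiles-cur itself (the hypothetical ldap-fixed record) comes out at 512, because its openfiles-cur then precedes the daemon one in the expanded record.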