Re: [PATCH 06/45] KEYS: Make the keyring quotas controllable through /proc/sys [ver #35]

From: Berthold Cogel
Date: Tue Apr 01 2008 - 12:04:47 EST


David Howells wrote:
> Make the keyring quotas controllable through /proc/sys files:
>
>  (*) /proc/sys/kernel/keys/root_maxkeys
>      /proc/sys/kernel/keys/root_maxbytes
>
>      Maximum number of keys that root may have and the maximum total number of
>      bytes of data that root may have stored in those keys.
>
>  (*) /proc/sys/kernel/keys/maxkeys
>      /proc/sys/kernel/keys/maxbytes
>
>      Maximum number of keys that each non-root user may have and the maximum
>      total number of bytes of data that each of those users may have stored in
>      their keys.
>
> Also increase the quotas as a number of people have been complaining that it's
> not big enough. I'm not sure that it's big enough now either, but on the
> other hand, it can now be set in /etc/sysctl.conf.


Hello David,

you're our hero! ;-)

We just hit this wall while migrating from RHEL 3 to RHEL 5 with some of our webservers.

[root@lvr11 ~]# cat /proc/key-users
0: 99 98/98 96/100 1681/10000
32: 2 2/2 2/100 56/10000
38: 2 2/2 2/100 56/10000
43: 2 2/2 2/100 56/10000
51: 2 2/2 2/100 56/10000
68: 2 2/2 2/100 56/10000
81: 2 2/2 2/100 56/10000
99: 2 2/2 2/100 56/10000
348: 2 2/2 2/100 58/10000
42216: 2 2/2 2/100 62/10000
55188: 3 3/3 3/100 72/10000
56537: 2 2/2 2/100 62/10000
63743: 2 2/2 2/100 62/10000
68054: 2 2/2 2/100 62/10000

....


We're using OpenAFS on our systems and most of our webpages are stored in AFS. We have a lot of small projects for which a separate server would be a waste of 'metal'. Even in a virtual environment. So we're hosting a lot of apache instances on a single machine. Because suexec doesn't work in an AFS environment, each instance is started by root with its own IP (to be able to talk HTTPS) and in a PAG with a separate token for a service user (to isolate the projects). Although each apache switches over to the service user, the initial tokens are acquired by root.

On RHEL 3 with the old 2.4 kernel this was never a problem. But now...

Btw.: We have some machines with about hundred (!) different projects which need tokens.


Best regards,

Berthold Cogel

--
Dr. Berthold Cogel University of Cologne
E-Mail: cogel@xxxxxxxxxxxx ZAIK-US (RRZK)
Tel.: +49(0)221/470-7873 Robert-Koch-Str. 10
FAX: +49(0)221/478-85845 D-50931 Cologne - Germany
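The /proc/key-users dump above shows exactly the situation the patch addresses: uid 0 is charged 96 of its 100 allowed keys, so a few more AFS tokens acquired by root will fail with a quota error. The following is an added example (not part of this thread or of the kernel patch) that parses lines in the /proc/key-users format, `<uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>`, flags users at or above a chosen fraction of either limit, and names the sysctl knobs from the patch (kernel.keys.root_maxkeys / root_maxbytes for uid 0, kernel.keys.maxkeys / maxbytes for everyone else) that govern that user. The sample input is constructed from the lines quoted in the mail, and the 90% threshold and the "double the limit" suggestion are assumptions for illustration, not values from the patch.

```python
"""Spot users approaching their keyring quota before key requests start failing.

Line format of /proc/key-users (kernel keyrings documentation):
    <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the figures quoted in the mail (three of the rows).
SAMPLE_KEY_USERS = """\
0: 99 98/98 96/100 1681/10000
32: 2 2/2 2/100 56/10000
55188: 3 3/3 3/100 72/10000
"""

LINE_RE = re.compile(
    r"^(\d+):\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$"
)


@dataclass
class KeyUser:
    uid: int
    usage: int      # refcount of the kernel's per-user key record
    nkeys: int      # keys owned
    nikeys: int     # of which instantiated
    qnkeys: int     # keys charged against the quota
    maxkeys: int    # key-count limit in force for this user
    qnbytes: int    # payload bytes charged against the quota
    maxbytes: int   # byte limit in force for this user

    def sysctl_knobs(self):
        """sysctl names (from the patch) that set this user's limits."""
        prefix = "root_" if self.uid == 0 else ""
        return (f"kernel.keys.{prefix}maxkeys", f"kernel.keys.{prefix}maxbytes")


def parse_key_users(text):
    """Parse /proc/key-users content; reject lines that do not match the format."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised /proc/key-users line: {line!r}")
        users.append(KeyUser(*map(int, m.groups())))
    return users


def quota_headroom(user):
    """Remaining (keys, bytes) before the user's requests start failing."""
    return (user.maxkeys - user.qnkeys, user.maxbytes - user.qnbytes)


def near_quota(users, threshold=0.9):
    """Users at or above `threshold` of either limit (threshold is an assumption)."""
    return [
        u for u in users
        if u.qnkeys >= threshold * u.maxkeys or u.qnbytes >= threshold * u.maxbytes
    ]


def suggest_sysctl(user, factor=2):
    """/etc/sysctl.conf lines raising this user's class of limits by `factor` (assumed)."""
    keys_knob, bytes_knob = user.sysctl_knobs()
    return [f"{keys_knob} = {user.maxkeys * factor}",
            f"{bytes_knob} = {user.maxbytes * factor}"]


if __name__ == "__main__":
    try:
        with open("/proc/key-users") as f:   # live data on a Linux host
            text = f.read()
    except OSError:
        text = SAMPLE_KEY_USERS              # fall back to the constructed sample
    for u in near_quota(parse_key_users(text)):
        keys_left, bytes_left = quota_headroom(u)
        print(f"uid {u.uid}: {keys_left} keys / {bytes_left} bytes of headroom left")
        for line in suggest_sysctl(u):
            print("   ", line)
```

Run on the sample, only uid 0 is reported (4 keys and 8319 bytes of headroom), with suggested lines for kernel.keys.root_maxkeys and kernel.keys.root_maxbytes; the per-user pair is untouched because the service users are nowhere near their limits. Polling this from a monitoring agent gives advance warning of the failure mode described in the mail instead of discovering it when an apache instance cannot obtain its token.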
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/