We need to change to couchbase user without side effect of lowering rlimits (was: We should be included our own security limits file so the user doesn't have to edit their own (and possibly get it wrong))

Perry Krug added a comment - 27/Mar/13 1:02 PM core limit setting as well

Aleksey Kondratenko added a comment - 27/Mar/13 6:18 PM Found this to be caused by unclean behavior of su. Something we in fact discovered long ago but failed to seriously fix. I.e. see http://review.couchbase.org/#/c/21431/ which is related fix and I was involved too. We'll have to find better way to change user than su.

Aleksey Kondratenko added a comment - 27/Mar/13 9:00 PM http://review.couchbase.org/25380 has fix. I.e. we're now avoiding use of su precisely to avoid pam session setup which may change rlimits and do all sorts of things beyond our control.

Aleksey Kondratenko added a comment - 27/Mar/13 9:01 PM Well, just realized that some people may in fact object to this change. I.e. previously via pam it was possible to control environment that couchbase server gets (rlimits, environment variables, perhaps even selinux things) which is not the case anymore. Alternative would be to use su (and thus pam) but then check if somebody messed up with rlimits we really need and panic.

Perry Krug added a comment - 28/Mar/13 4:31 AM Alk, are we not able to generate our own limit.d file upon installation?

Aleksey Kondratenko added a comment - 28/Mar/13 11:59 AM My problem with that is that there can be all sorts of pam configurations that could override or interfere with what we need. So it's easier and seemingly more robust to adjust rlimits as part of initscript where we know we're root and therefore able to change any of them to exact value we need.

Aleksey Kondratenko added a comment - 28/Mar/13 12:18 PM BTW raising nofile to something very big will cause beam.smp to eat lots of ram. I allocates table of ports that's as big as fds rlimit and I've seen that table to eat few hundreds of megs for nofile rlimit of 1 million.

Maria McDuff added a comment - 02/Apr/13 1:08 PM per alk, meged/fixed.

Maria McDuff added a comment - 05/Apr/13 3:30 AM pls verify/close if passes against current 2.0.2 build. thanks.

Thuan Nguyen added a comment - 11/Apr/13 6:27 PM Install couchbase 2.0.2-760 on centos 5.8 64bit, Verified parameters below are set ulimit -n 10240 ulimit -c unlimited ulimit -l unlimited root@cen-1913 ~]# ps aux | grep couchbase 101 4716 0.0 0.0 10568 412 ? S 16:17 0:00 /opt/couchbase/lib/erlang/erts-5.8.5/bin/epmd -daemon 101 4734 2.3 1.1 110284 93816 ? SLl 16:17 0:00 /opt/couchbase/lib/erlang/erts-5.8.5/bin/beam.smp -A 16 -sbt u -P 327680 -K true -MMmcs 30 -- -root /opt/couchbase/lib/erlang -progname erl -- -home /opt/couchbase -- -smp enable -kernel inet_dist_listen_min 21100 inet_dist_listen_max 21299 error_logger false -sasl sasl_error_logger false -name babysitter_of_ns_1@127.0.0.1 -noshell -noinput -noshell -noinput -run ns_babysitter_bootstrap -- -couch_ini /opt/couchbase/etc/couchdb/default.ini /opt/couchbase/etc/couchdb/default.d/capi.ini /opt/couchbase/etc/couchdb/default.d/geocouch.ini /opt/couchbase/etc/couchdb/local.ini -ns_babysitter cookiefile "/opt/couchbase/var/lib/couchbase/couchbase-server.cookie" -ns_server config_path "/opt/couchbase/etc/couchbase/static_config" -ns_server pidfile "/opt/couchbase/var/lib/couchbase/couchbase-server.pid" -ns_server nodefile "/opt/couchbase/var/lib/couchbase/couchbase-server.node" -ns_server cookiefile "/opt/couchbase/var/lib/couchbase/couchbase-server.cookie-ns-server" -ns_server enable_mlockall true 101 4764 9.3 2.0 224392 166780 ? SLsl 16:17 0:03 /opt/couchbase/lib/erlang/erts-5.8.5/bin/beam.smp -A 16 -sbt u -P 327680 -K true -- -root /opt/couchbase/lib/erlang -progname erl -- -home /opt/couchbase -- -smp enable -setcookie nocookie -kernel inet_dist_listen_min 21100 inet_dist_listen_max 21299 error_logger false -sasl sasl_error_logger false -nouser -ns_server babysitter_cookie 'HIRAZDFCWNGUHHGRTTTM' -run child_erlang child_start ns_bootstrap -- -smp enable -kernel inet_dist_listen_min 21100 inet_dist_listen_max 21299 error_logger false -sasl sasl_error_logger false -couch_ini /opt/couchbase/etc/couchdb/default.ini /opt/couchbase/etc/couchdb/default.d/capi.ini /opt/couchbase/etc/couchdb/default.d/geocouch.ini /opt/couchbase/etc/couchdb/local.ini -ns_babysitter cookiefile "/opt/couchbase/var/lib/couchbase/couchbase-server.cookie" -ns_server config_path "/opt/couchbase/etc/couchbase/static_config" -ns_server pidfile "/opt/couchbase/var/lib/couchbase/couchbase-server.pid" -ns_server nodefile "/opt/couchbase/var/lib/couchbase/couchbase-server.node" -ns_server cookiefile "/opt/couchbase/var/lib/couchbase/couchbase-server.cookie-ns-server" -ns_server enable_mlockall true 101 4796 0.0 0.0 3796 540 ? Ss 16:17 0:00 /opt/couchbase/lib/erlang/lib/os_mon-2.2.7/priv/bin/memsup 101 4797 0.0 0.0 3792 396 ? Ss 16:17 0:00 /opt/couchbase/lib/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup 101 4798 0.0 0.0 38340 1732 ? Ss 16:17 0:00 /opt/couchbase/lib/erlang/lib/ssl-4.1.6/priv/bin/ssl_esock 101 4802 0.0 0.0 92260 1688 ? Ssl 16:17 0:00 /opt/couchbase/bin/moxi -Z port_listen=11211,default_bucket_name=default,downstream_max=1024,downstream_conn_max=4,connect_max_errors=5,connect_retry_interval=30000,connect_timeout=400,auth_timeout=100,cycle=200,downstream_conn_queue_timeout=200,downstream_timeout=5000,wait_queue_timeout=200 -z url= http://127.0.0.1:8091/pools/default/saslBucketsStreaming -p 0 -Y y -O stderr 101 4803 0.2 0.7 178204 58832 ? Ssl 16:17 0:00 /opt/couchbase/bin/memcached -X /opt/couchbase/lib/memcached/stdin_term_handler.so -X /opt/couchbase/lib/memcached/file_logger.so,cyclesize=104857600;sleeptime=19;filename=/opt/couchbase/var/lib/couchbase/logs/memcached.log -l 0.0.0.0:11210,0.0.0.0:11209:1000 -p 11210 -E /opt/couchbase/lib/memcached/bucket_engine.so -B binary -r -c 10000 -e admin=_admin;default_bucket_name=default;auto_create=false root 4823 0.0 0.0 61232 780 pts/0 S+ 16:17 0:00 grep couchbase [ root@cen-1913 ~]# cat /proc/4716/limits Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 10485760 unlimited bytes Max core file size unlimited unlimited bytes Max resident set unlimited unlimited bytes Max processes 73728 73728 processes Max open files 10240 10240 files Max locked memory unlimited unlimited bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 73728 73728 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0 [ root@cen-1913 ~]# cat /proc/4734/limits Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 10485760 unlimited bytes Max core file size unlimited unlimited bytes Max resident set unlimited unlimited bytes Max processes 73728 73728 processes Max open files 10240 10240 files Max locked memory unlimited unlimited bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 73728 73728 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0 [ root@cen-1913 ~]# cat /proc/4803/limits Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 10485760 unlimited bytes Max core file size unlimited unlimited bytes Max resident set unlimited unlimited bytes Max processes 73728 73728 processes Max open files 10240 10240 files Max locked memory unlimited unlimited bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 73728 73728 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0