Linux security limits are not applied
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel for OpenStack | Fix Committed | Medium | Dmitry Bilunov | |
| 6.0.x | Won't Fix | Medium | Bartłomiej Piotrowski | |
| 6.1.x | Won't Fix | High | MOS Maintenance | |
| 7.0.x | Won't Fix | High | MOS Maintenance | |
| 8.0.x | Fix Released | High | Dmitry Bilunov | |
Bug Description
Environment:
- MOS 6.0
- Ubuntu
Security limits are configured:
cat /etc/security/
# Raising open file limit for OpenStack services
* soft nofile 102400
* hard nofile 112640
But limits are not applied:
# sudo -u rabbitmq bash
bash: /root/.bashrc: Permission denied
rabbitmq@node-23:~$ ulimit -n
1024
rabbitmq@node-23:~$
This affects all services.
For example, RabbitMQ has an internal limit on the socket count, which depends on the Linux nofile soft limit.
When the socket pool is fully used, new client connections fail with a timeout.
Investigation found that the limits module is not used by PAM for su/sudo.
This line:
"session required pam_limits.so"
should be added to:
/etc/pam.
/etc/pam.d/su
/etc/pam.d/sudo
Changed in fuel: milestone: none → 6.1
Changed in fuel: assignee: nobody → Fuel Library Team (fuel-library)
Changed in fuel: status: New → Triaged
Changed in fuel: importance: Undecided → Medium
tags: added: low-hanging-fruit; removed: rabbitmq
Changed in fuel: assignee: Fuel Library Team (fuel-library) → Bartlomiej Piotrowski (bpiotrowski)
Changed in fuel: assignee: Bartlomiej Piotrowski (bpiotrowski) → Fuel Library Team (fuel-library)
no longer affects: fuel/8.0.x
tags: added: area-library
tags: removed: low-hanging-fruit
tags: added: team-bugfix
Changed in fuel: milestone: 8.0 → 9.0; status: Incomplete → New
no longer affects: fuel/future
Changed in fuel: status: New → Invalid
tags: removed: area-library
tags: removed: team-bugfix tech-debt
tags: added: feature
Changed in fuel: assignee: Fuel Library Team (fuel-library) → Dmitry Bilunov (dbilunov); status: Confirmed → In Progress
Changed in fuel: status: Fix Committed → Confirmed
tags: added: move-to-mu
tags: added: on-verification
information type: Public → Public Security
tags: removed: move-to-mu
tags: added: on-verification
tags: removed: on-verification
The ulimit settings for rabbitmq are set in /etc/default/rabbitmq-server. It can be easily proven that limits are applied:
root@node-1:~# pgrep -f -l rabbitmq
6738 rabbitmq-server
6756 su
6757 sh
6758 beam.smp
root@node-1:~# cat /proc/6738/limits | fgrep 'open files'
Max open files 102400 105472 files
root@node-1:~# cat /proc/6758/limits | fgrep 'open files'
Max open files 102400 105472 files
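The two checks this bug turns on, whether /etc/pam.d/su and /etc/pam.d/sudo actually activate pam_limits.so (the report's claim) and what nofile limit a running process really has according to /proc/<pid>/limits (the closing comment's proof), can be scripted. The following POSIX shell script is an added example and is not code from the bug report, the comment, or Fuel. It constructs its own sample files: the limits.conf lines from the report plus a made-up per-user `nova` entry, a commented-out and an enabled pam_limits line, and two /proc/<pid>/limits dumps (the default 1024 and the raised value), so it runs offline. The function names (`pam_has_limits`, `proc_nofile`, `limits_conf_nofile`, `nofile_applied`, `write_samples`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report, the comment, or Fuel itself.
# It checks the two facts the discussion turns on:
#   1. whether a PAM service file (e.g. /etc/pam.d/su) activates pam_limits.so,
#   2. whether a process's effective nofile limit (from /proc/<pid>/limits)
#      matches what /etc/security/limits.conf configures for its user.
# All input files are constructed below so the script runs offline.

# pam_has_limits FILE
# Exit 0 if FILE has an uncommented "session <control> pam_limits.so" line.
# @include directives are not followed; a module activated only through an
# included file would be reported as missing.
pam_has_limits() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^[:space:]]+[[:space:]]+pam_limits\.so' "$1"
}

# proc_nofile LIMITS_FILE
# Print "soft hard" for the 'Max open files' row of a /proc/<pid>/limits dump.
proc_nofile() {
    awk '$1 == "Max" && $2 == "open" && $3 == "files" { print $4, $5 }' "$1"
}

# limits_conf_nofile CONF USER soft|hard
# Print the nofile value limits.conf(5) gives USER. As in pam_limits, an
# explicit USER entry beats the "*" wildcard whatever the order, and later
# lines of the same kind override earlier ones. Group (@group) entries and
# the "-" type are not handled by this simplified parser.
limits_conf_nofile() {
    awk -v user="$2" -v type="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == type && $3 == "nofile" {
            if ($1 == user) { specific = $4 }
            else if ($1 == "*") { wildcard = $4 }
        }
        END { print (specific != "" ? specific : wildcard) }' "$1"
}

# nofile_applied LIMITS_FILE CONF USER
# Exit 0 if the soft nofile limit the process really has equals the soft
# limit configured for USER; exit 1 otherwise (the symptom in the report).
nofile_applied() {
    actual=$(proc_nofile "$1" | cut -d' ' -f1)
    wanted=$(limits_conf_nofile "$2" "$3" soft)
    [ -n "$actual" ] && [ "$actual" = "$wanted" ]
}

# write_samples DIR
# Constructed sample files (not captured from a real node): the limits.conf
# lines from the report plus a made-up "nova" entry, a commented-out and an
# enabled pam_limits line, and two /proc/<pid>/limits dumps.
write_samples() {
    cat > "$1/limits.conf" <<'EOF'
# Raising open file limit for OpenStack services
* soft nofile 102400
* hard nofile 112640
nova soft nofile 65536
EOF
    printf '# session    required   pam_limits.so\nsession    required   pam_unix.so\n' > "$1/su.commented"
    printf 'session    required   pam_limits.so\nsession    required   pam_unix.so\n' > "$1/su.enabled"
    printf 'Limit                     Soft Limit           Hard Limit           Units\nMax open files            1024                 4096                 files\n' > "$1/limits.before"
    printf 'Limit                     Soft Limit           Hard Limit           Units\nMax open files            102400               112640               files\n' > "$1/limits.after"
}

# Demo on the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in su.commented su.enabled; do
        if pam_has_limits "$dir/$f"; then
            echo "$f: pam_limits.so active"
        else
            echo "$f: pam_limits.so NOT active"
        fi
    done
    for f in limits.before limits.after; do
        if nofile_applied "$dir/$f" "$dir/limits.conf" rabbitmq; then
            echo "$f: nofile limit applied ($(proc_nofile "$dir/$f"))"
        else
            echo "$f: nofile limit NOT applied ($(proc_nofile "$dir/$f"))"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a live node, point `pam_has_limits` at /etc/pam.d/su and /etc/pam.d/sudo and `proc_nofile` at /proc/<pid>/limits of the beam.smp process found with pgrep, as in the comment above. The /proc check is the authoritative one: as the comment notes, the RabbitMQ limit comes from /etc/default/rabbitmq-server, so a process can have the raised limit even when su's PAM stack never loads pam_limits.so.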