jail process limits



While we're on the topic of jail resource limits, I think I'll ask my question again... I asked last month but got no response...


I've got a jail server (FreeBSD 6.3/amd64) which runs a bunch of web site development environments. There is an Apache or lighttpd running in each jail as user httpd (same UID on base system and each jail).

On the jail host, I counted 231 processes owned by httpd.

If I try to start an application server (or any process) as user httpd in one of the jails, it exits immediately with "Cannot fork: Resource temporarily unavailable". Even if I "su httpd" I get the same error on any command I try to run such as "ls". If I run the same on the jail host, it has no problems. The jail itself only has 34 processes running.

On the jail host, the following is logged:

Apr 22 16:34:38 staging kernel: maxproc limit exceeded by uid 80, please see tuning(7) and login.conf(5).

tuning(7) and login.conf(5) have pretty much nothing to say about "maxproc".

The sysctl settings are all default on this box.

kern.maxproc: 6164
kern.maxprocperuid: 5547

The user httpd is of login class "daemon". My login.conf is unchanged from the distributed version, which states "unlimited" for max processes.

Why am I getting the resource unavailable when I barely have 230 processes, not even close to the limits?

Apache seems unaffected since the parent is run as root, so it can fork children willy-nilly and not be blocked by any limits.

Can anyone tell me where to look to find out what is limiting user httpd from creating new processes inside the jail, and what exactly that limit is? More importantly, how to increase it.
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"


