
Re: process limits (was: Spamassain question, whitelist?)



On Tue, Dec 09, 2003 at 06:06:52PM -0800, Karsten M. Self wrote:
> on Tue, Dec 09, 2003 at 10:51:26AM -0800, Vineet Kumar (vineet@doorstop.net) wrote:
> > * Karsten M. Self (kmself@ix.netcom.com) [031208 19:46]:
> > > on Mon, Dec 08, 2003 at 06:44:04PM -0800, Vineet Kumar (vineet@doorstop.net) wrote:
> > > > * Karsten M. Self (kmself@ix.netcom.com) [031208 16:52]:
> > > > > For performance reasons, I also have in /etc/security/limits:
> > > > > 
> > > > >     mail            hard    nproc           30
> > > > > 
> > > > > ...to avoid runaway conditions when large mail loads hit.  Mail
> > > > > processing will be limited to a max of 30 processes (generally 10 exim
> > > > > processes, 10 spamassassin clients, and a bit of overhead), but the
> > > > > system as a whole won't be bogged.
> > > > 
> > > > So you have spamc running as mail, and not as the destination user
> > > > account?  
> > > 
> > > No.
> > 
> > As I understand the line you gave above, that limits the number of
> > processes being run as the mail user.  (I'm not using
> > /etc/security/limits.conf ; this is my understanding from reading the
> > comments in that file.)  
> 
> Correct.
> 
> > So how does this work?  Is it that spamd forks for each client, and
> > that's running as mail, and that's where the limit comes into play?
> 
> Yes.
> 
> > It looks like spamd's default behavior is to run as root.  
> 
> This is true, but its children run as 'mail'.  I think.

My understanding is that spamc will change its uid from root to the
calling user if "-u" is not given.  For example, I call spamc from
procmail without "-u".  Spamd logs:

   Dec  9 21:05:02 zeus spamd[1807]: connection from localhost [127.0.0.1] at port 43665
   Dec  9 21:05:02 zeus spamd[20562]: info: setuid to bill succeeded
   Dec  9 21:05:02 zeus spamd[20562]: processing message <20031210025219.GA13917@shorty.ca> for bill:1000.


And while in action:

   UID        PID  PPID  C STIME TTY          TIME CMD
   root      1807     1  0 Dec03 ?        00:00:10 /usr/sbin/spamd --create-prefs --max-children 10 --auto-whitelist -H -d --pidfile=/var/run/spamd.pid
   bill     20696 20682  0 21:16 ?        00:00:00 formail -s procmail
   bill     20697 20696  0 21:16 ?        00:00:00 procmail
   bill     20698 20697  1 21:16 ?        00:00:00 procmail
   bill     20699 20698  0 21:16 ?        00:00:00 spamc
   bill     20700  1807 47 21:16 ?        00:00:00 /usr/sbin/spamd --create-prefs --max-children 10 --auto-whitelist -H -d --pidfile=/var/run/spamd.pid

So: formail -> procmail -> procmail -> spamc -> spamd(1807) -> spamd(20700)

Your earlier posts suggest to me you are doing the same.  Correct?

> What I know is that the above config *does* keep a box from spawning
> endless processes in response to spam swarms.

Well, you've placed the resource control at the beginning of the
pipeline and indirectly control the number of spamd runs, I think.  The
number of spamd runs, however, still remains unlimited by the system but
restricted by the max-children argument, right?

-- 
OS/2 must die!
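
An added example, not part of the original message: a small audit that takes a `ps -ef` listing and the nproc lines from the limits file, then reports which UID the per-connection spamd children run under and which accounts have no nproc entry. The limits line and process listing are copied from the thread as constructed sample input; the function names are hypothetical.

```python
import os
from collections import Counter

# Constructed sample input: the limits line and `ps` listing quoted in the thread.
LIMITS_CONF = "mail            hard    nproc           30\n"
SPAMD = "/usr/sbin/spamd --create-prefs --max-children 10 --auto-whitelist -H -d --pidfile=/var/run/spamd.pid"
PS_EF = f"""\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1807     1  0 Dec03 ?        00:00:10 {SPAMD}
bill     20696 20682  0 21:16 ?        00:00:00 formail -s procmail
bill     20697 20696  0 21:16 ?        00:00:00 procmail
bill     20698 20697  1 21:16 ?        00:00:00 procmail
bill     20699 20698  0 21:16 ?        00:00:00 spamc
bill     20700  1807 47 21:16 ?        00:00:00 {SPAMD}
"""

def parse_nproc_limits(text):
    """Return {domain: limit} for numeric nproc lines (<domain> <type> <item> <value>).
    Simplification: domains are kept verbatim; @group and * are not expanded."""
    limits = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[2] == "nproc" and fields[3].isdigit():
            limits[fields[0]] = int(fields[3])
    return limits

def parse_ps(text):
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split(None, 7)  # eighth column (CMD) keeps its spaces
        if len(f) == 8 and f[1].isdigit() and f[2].isdigit():
            rows.append({"uid": f[0], "pid": int(f[1]), "ppid": int(f[2]), "cmd": f[7]})
    return rows

def audit(limits_text, ps_text):
    limits, procs = parse_nproc_limits(limits_text), parse_ps(ps_text)
    per_uid = Counter(p["uid"] for p in procs)
    spamd = [p for p in procs if os.path.basename(p["cmd"].split()[0]) == "spamd"]
    spamd_pids = {p["pid"] for p in spamd}
    # A spamd whose parent is also spamd is a per-connection child.
    child_uids = sorted({p["uid"] for p in spamd if p["ppid"] in spamd_pids})
    return {
        "per_uid": dict(per_uid),
        "spamd_child_uids": child_uids,
        "uids_without_nproc_entry": sorted(u for u in per_uid if u not in limits),
        "headroom": {u: lim - per_uid.get(u, 0) for u, lim in limits.items()},
    }

print(audit(LIMITS_CONF, PS_EF))
```

To run it against a live host, pass the output of `ps -ef` and the contents of the limits file to `audit()` in place of the sample strings.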


