Re: process limits (was: Spamassain question, whitelist?)
On Tue, Dec 09, 2003 at 06:06:52PM -0800, Karsten M. Self wrote:
> on Tue, Dec 09, 2003 at 10:51:26AM -0800, Vineet Kumar (firstname.lastname@example.org) wrote:
> > * Karsten M. Self (email@example.com) [031208 19:46]:
> > > on Mon, Dec 08, 2003 at 06:44:04PM -0800, Vineet Kumar (firstname.lastname@example.org) wrote:
> > > > * Karsten M. Self (email@example.com) [031208 16:52]:
> > > > > For performance reasons, I also have in /etc/security/limits:
> > > > >
> > > > > mail hard nproc 30
> > > > >
> > > > > ...to avoid runaway conditions when large mail loads hit. Mail
> > > > > processing will be limited to a max of 30 processes (generally 10 exim
> > > > > processes, 10 spamassassin clients, and a bit of overhead), but the
> > > > > system as a whole won't be bogged.
> > > >
> > > > So you have spamc running as mail, and not as the destination user
> > > > account?
> > >
> > > No.
> > As I understand the line you gave above, that limits the number of
> > processes being run as the mail user. (I'm not using
> > /etc/security/limits.conf ; this is my understanding from reading the
> > comments in that file.)
> > So how does this work? Is it that spamd forks for each client, and
> > that's running as mail, and that's where the limit comes into play?
> > It looks like spamd's default behavior is to run as root.
> This is true, but its children run as 'mail'. I think.
My understanding is that spamc will change its uid from root to the
calling user if "-u" is not given. For example, I call spamc from
procmail without "-u". Spamd logs:
Dec 9 21:05:02 zeus spamd: connection from localhost [127.0.0.1] at port 43665
Dec 9 21:05:02 zeus spamd: info: setuid to bill succeeded
Dec 9 21:05:02 zeus spamd: processing message <[🔎] 20031210025219.GA13917@shorty.ca> for bill:1000.
And while in action:
UID PID PPID C STIME TTY TIME CMD
root 1807 1 0 Dec03 ? 00:00:10 /usr/sbin/spamd --create-prefs --max-children 10 --auto-whitelist -H -d --pidfile=/var/run/spamd.pid
bill 20696 20682 0 21:16 ? 00:00:00 formail -s procmail
bill 20697 20696 0 21:16 ? 00:00:00 procmail
bill 20698 20697 1 21:16 ? 00:00:00 procmail
bill 20699 20698 0 21:16 ? 00:00:00 spamc
bill 20700 1807 47 21:16 ? 00:00:00 /usr/sbin/spamd --create-prefs --max-children 10 --auto-whitelist -H -d --pidfile=/var/run/spamd.pid
So: formail -> procmail -> procmail -> spamc -> spamd(1807) -> spamd(20700)
Your earlier posts suggest to me you are doing the same. Correct?
> What I know is that the above config *does* keep a box from spawning
> endless processes in response to spam swarms.
Well, you've place the resource control at the begginning of the
pipeline and indirectly control the number of spamd runs, I think. The
number of spamd runs, however, still remains unlimited by the system but
restricted by the max-children arguement, right?
OS/2 must die!