[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: process limits (was: Spamassain question, whitelist?)



on Tue, Dec 09, 2003 at 10:51:26AM -0800, Vineet Kumar (vineet@doorstop.net) wrote:
> * Karsten M. Self (kmself@ix.netcom.com) [031208 19:46]:
> > on Mon, Dec 08, 2003 at 06:44:04PM -0800, Vineet Kumar (vineet@doorstop.net) wrote:
> > > * Karsten M. Self (kmself@ix.netcom.com) [031208 16:52]:
> > > > For performance reasons, I also have in /etc/security/limits:
> > > > 
> > > >     mail            hard    nproc           30
> > > > 
> > > > ...to avoid runaway conditions when large mail loads hit.  Mail
> > > > processing will be limited to a max of 30 processes (generally 10 exim
> > > > processes, 10 spamassassin clients, and a bit of overhead), but the
> > > > system as a whole won't be bogged.
> > > 
> > > So you have spamc running as mail, and not as the destination user
> > > account?  
> > 
> > No.
> 
> As I understand the line you gave above, that limits the number of
> processes being run as the mail user.  (I'm not using
> /etc/security/limits.conf ; this is my understanding from reading the
> comments in that file.)  

Correct.

> So how does this work?  Is it that spamd forks for each client, and
> that's running as mail, and that's where the limit comes into play?

Yes.

> It looks like spamd's default behavior is to run as root.  

This is true, but its children run as 'mail'.  I think.

What I know is that the above config *does* keep a box from spawning
endless processes in response to spam swarms.


> ISTR it needs this to be able to maintain users' ~/.spamassassin files
> (auto-whitelists, Bayes DBs, etc.).

Possibly handed to the children by the root process?  I'm not sure of
the guts here.

> I'm trying to understand this better since I'm interested in setting
> this up on one of my systems, which has, in the past, fallen victim to
> what was essentially a spamassassin fork-bomb (a big sa-learn job in
> the middle of the day, without nice).

The above should help.

> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> One nation, indivisible, with equality, liberty, and justice for all.

Amen ;-)


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Unless you are very rich and very eccentric, you will not enjoy the
   luxury of having a computer in your own home.
     -- Ed Yourdon, _Techniques of Program Structure and Design_, 1975

Attachment: pgpCtW3hXWfF8.pgp
Description: PGP signature


Reply to: