
Re: [PATCH 06/45] KEYS: Make the keyring quotas controllable through /proc/sys [ver #35]

From: Berthold Cogel <cogel_at_nospam>
Date: Tue Apr 01 2008 - 15:29:54 GMT
To: David Howells <dhowells@redhat.com>


David Howells wrote:
> Make the keyring quotas controllable through /proc/sys files:
>
> (*) /proc/sys/kernel/keys/root_maxkeys
> /proc/sys/kernel/keys/root_maxbytes
>
> Maximum number of keys that root may have and the maximum total number of
> bytes of data that root may have stored in those keys.
>
> (*) /proc/sys/kernel/keys/maxkeys
> /proc/sys/kernel/keys/maxbytes
>
> Maximum number of keys that each non-root user may have and the maximum
> total number of bytes of data that each of those users may have stored in
> their keys.
>
> Also increase the quotas as a number of people have been complaining that it's
> not big enough. I'm not sure that it's big enough now either, but on the
> other hand, it can now be set in /etc/sysctl.conf.
>

Hello David,

you're our hero! ;-)

We just hit this wall while migrating from RHEL 3 to RHEL 5 with some of our webservers.

[root@lvr11 ~]# cat /proc/key-users
0: 99 98/98 96/100 1681/10000
32: 2 2/2 2/100 56/10000
38: 2 2/2 2/100 56/10000
43: 2 2/2 2/100 56/10000
51: 2 2/2 2/100 56/10000
68: 2 2/2 2/100 56/10000
81: 2 2/2 2/100 56/10000
99: 2 2/2 2/100 56/10000
348: 2 2/2 2/100 58/10000
42216: 2 2/2 2/100 62/10000
55188: 3 3/3 3/100 72/10000
56537: 2 2/2 2/100 62/10000
63743: 2 2/2 2/100 62/10000
68054: 2 2/2 2/100 62/10000

....

We're using OpenAFS on our systems and most of our webpages are stored in AFS. We have a lot of small projects for which a separate server would be a waste of 'metal', even in a virtual environment. So we're hosting a lot of apache instances on a single machine. Because suexec doesn't work in an AFS environment, each instance is started by root with its own IP (to be able to talk HTTPS) and in a PAG with a separate token for a service user (to isolate the projects). Although each apache switches over to the service user, the initial tokens are acquired by root.

On RHEL 3 with the old 2.4 kernel this was never a problem. But now...

Btw.: We have some machines with about a hundred (!) different projects which need tokens.

Best regards,

Berthold Cogel

--
Dr. Berthold Cogel
University of Cologne
ZAIK-US (RRZK)
Robert-Koch-Str. 10
D-50931 Cologne - Germany
E-Mail: cogel@uni-koeln.de
Tel.: +49(0)221/470-7873
FAX: +49(0)221/478-85845
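As an added example (not code from the thread or from the kernel), a small monitor that parses /proc/key-users records in the format shown above and flags users close to either the key-count or the key-data quota, which is how the root quota exhaustion in the post would be caught before the keyring fills up; the three sample records are copied from the post, and the field meanings assumed are the ones given in the kernel's keys documentation.

```python
import re

# Record format from the kernel keys documentation (one user per line):
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
# qnkeys/maxkeys is the key-count quota, qnbytes/maxbytes the key-data quota.
KEY_USERS_RE = re.compile(
    r"^\s*(?P<uid>\d+):\s+(?P<usage>\d+)\s+"
    r"(?P<nkeys>\d+)/(?P<nikeys>\d+)\s+"
    r"(?P<qnkeys>\d+)/(?P<maxkeys>\d+)\s+"
    r"(?P<qnbytes>\d+)/(?P<maxbytes>\d+)\s*$"
)

def parse_key_users(text):
    """Parse /proc/key-users text into a list of dicts with int fields."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_USERS_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised /proc/key-users line: {line!r}")
        users.append({k: int(v) for k, v in m.groupdict().items()})
    return users

def quota_pct(user):
    """Return (key-count %, key-bytes %) of the quota used by one user."""
    keys = 100.0 * user["qnkeys"] / user["maxkeys"] if user["maxkeys"] else 0.0
    byts = 100.0 * user["qnbytes"] / user["maxbytes"] if user["maxbytes"] else 0.0
    return keys, byts

def near_quota(users, threshold_pct=90.0):
    """UIDs at or above threshold_pct of either quota (root is uid 0)."""
    return [u["uid"] for u in users if max(quota_pct(u)) >= threshold_pct]

# Constructed sample: three of the records from the post, one per line.
SAMPLE = """\
0: 99 98/98 96/100 1681/10000
32: 2 2/2 2/100 56/10000
55188: 3 3/3 3/100 72/10000
"""

if __name__ == "__main__":
    users = parse_key_users(SAMPLE)
    for u in users:
        k, b = quota_pct(u)
        print(f"uid {u['uid']}: keys {u['qnkeys']}/{u['maxkeys']} ({k:.0f}%), "
              f"bytes {u['qnbytes']}/{u['maxbytes']} ({b:.0f}%)")
    print("near quota:", near_quota(users))   # [0]
```

Reading the live file instead of SAMPLE (open("/proc/key-users").read()) gives the same per-uid view on a running system; with the patch from this thread applied, the root limits it reports are the values of /proc/sys/kernel/keys/root_maxkeys and root_maxbytes.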