linuxapacheubuntuapache2setrlimit

Apache 2.4 hits rlimit_nproc: hidden processes?

My webapp allows users to execute some arbitrary code in a sandbox. To prevent forkbombs, the application calls setrlimit and limits RLIMIT_NPROC to 50 before executing user code. This worked great in Ubuntu 12.04 up till Ubuntu 13.04. However, after upgrading to Ubuntu 13.10 (which ships with Apache 2.4 and Linux 3.11), we hit the limit of 50 www-data processes, even when Apache2 is idle!

The problem is most easily reproduced by running bash as user www-data with ulimit. First switch into user www-data and start bash:

jeroen@Ubuntu:/$ sudo su www-data
$ bash
www-data@Ubuntu:/$

Now gradually lower RLIMIT_NPROC until we hit problems:

#RLIMIT_NPROC=100: works fine   
www-data@Ubuntu:/$ ulimit -u 100
www-data@Ubuntu:/$ ls
bin    dev   initrd.img      lib64   mnt   root  srv  usr      vmlinuz.old
boot   etc   initrd.img.old  lost+found  opt   run   sys  var
cdrom  home  lib         media   proc  sbin  tmp  vmlinuz

#RLIMIT_NPROC=50: limit reached
www-data@Ubuntu:/$ ulimit -u 50
www-data@Ubuntu:/$ ls
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: Resource temporarily unavailable

Hence after setting RLIMIT_NPROC to 50, the process can no longer fork. This implies that there are already 50 or more processes running as user www-data. However, this does not seem to be the case, the server is just a blank idle Apache 2.4. According to ps, there are currently only 2 procs owned by www-data:

jeroen@Ubuntu:~$ ps aux | grep www-data
www-data 11473  0.0  0.5 631296 46164 ?        Sl   14:28   0:01 /usr/sbin/apache2 -k start
www-data 11474  0.0  0.5 565656 45632 ?        Sl   14:28   0:01 /usr/sbin/apache2 -k start
jeroen   12136  0.0  0.0  13644   956 pts/4    S+   14:51   0:00 grep --color=auto www-data

So why is www-data is hitting the RLIMIT_NPROC limit of 50 in Apache 2.4, even when idle?

Solution

  • Found the problem thanks to the suggestion from @sarnold. My Application depends on mpm_prefork and up till Ubuntu 13.04, this module was automatically enabled when the apache2-mpm-prefork package is installed. I assumed this was still the case, but it turned out that it was running mpm_event.

    It seems that in Apache 2.4 the packaging of MPM's has changed and mpm_prefork needs to be enabled manually after installation:

    sudo a2dismod mpm_event
sudo a2enmod mpm_prefork
sudo service apache2 restart

    Now the problems seem to have disappeared.