c, linux, limits, linux-capabilities, setrlimit

Which is the better way to edit the RLIMIT_NPROC value?


My application creates a thread per connection. The application is running under a non-zero user ID, and sometimes the number of threads surpasses the default value of 1024. I want to edit this number, so I have a few options:

run as root [very bad idea, and I would also have to compromise on security, so I am dropping it]

run under an unprivileged user, use setcap and give the capability CAP_SYS_RESOURCE. Then I can add code in my program:

      /* needs <stdio.h> and <sys/resource.h> */
      struct rlimit rlp;
      /* nprocs: maximum number of desired threads */
      rlp.rlim_cur = nprocs;
      rlp.rlim_max = nprocs;
      if (setrlimit(RLIMIT_NPROC, &rlp) == -1)
          perror("setrlimit");
      /* RLIMIT_NPROC
       * The maximum number of processes (or, more precisely on Linux, threads) that can be
       * created for the real user ID of the calling process.  Upon encountering this limit,
       * fork(2) fails with the error EAGAIN. */

The other thing is editing /etc/security/limits.conf, where I can simply make an entry for the development user and put in lines, e.g.

            @devuser        hard    nproc           20000
            @devuser        soft    nproc           10000

where 10k is enough. So, being a little reluctant to change source code, should I proceed with the last option? And I am more curious to know what is the more robust and standard approach.

Seeking your opinions, and thank you in advance :)

PS: What will happen if a single process is served with more than 1k threads? Of course I have 32GB of RAM also.


Solution

  • First, I believe you are wrong in having nearly a thousand threads. Threads are quite costly, and it is usually not reasonable to have so many of them. I would suggest having a few dozen threads at most (unless you run on a very costly super-computer).

    You could have some event loop around a multiplexing syscall like poll(2). Then a single thread can deal with many thousands of connections. Read about the C10K problem and epoll. Consider using some event libraries like libevent or libev etc...

    You could start your application as root (perhaps by using setuid techniques), set up the required resources (in particular, opening privileged TCP/IP ports), and change the user with setreuid(2).

    Read Advanced Linux Programming...

    You could also wrap your application around a tiny setuid C program which increases the limits using setrlimit(2), changes the user with setreuid, and at last execve(2)s your real program.
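
An added example, not part of the original answer: a sketch of the setuid wrapper described in the last paragraph, with the privilege drop verified before the exec. The path `REAL_PROGRAM`, the function names and the choice to drop back to the invoking user's real IDs are assumptions; the value 10000 is the soft limit from the question.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

#define REAL_PROGRAM "/usr/local/libexec/realserver" /* hypothetical path, fixed at build time */
#define NPROC_LIMIT  10000                           /* soft value from the question */

extern char **environ;

/* Set RLIMIT_NPROC and read it back. Returns 0 on success, -1 on failure
 * (EPERM when raising the hard limit without privilege, EINVAL if soft > hard). */
int set_nproc_limit(rlim_t soft, rlim_t hard)
{
    struct rlimit want = { .rlim_cur = soft, .rlim_max = hard }, got;
    if (setrlimit(RLIMIT_NPROC, &want) == -1 || getrlimit(RLIMIT_NPROC, &got) == -1)
        return -1;
    return (got.rlim_cur == soft && got.rlim_max == hard) ? 0 : -1;
}

/* Permanently become uid/gid. The group goes first: once the uid has changed,
 * the process no longer has the privilege to change its gid. Supplementary
 * groups of a setuid binary are already those of the invoking user. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                       /* refuse to "drop" to root */
    if (setregid(gid, gid) == -1 || setreuid(uid, uid) == -1)
        return -1;
    /* Setting real and effective IDs also resets the saved ID; prove it. */
    if (setuid(0) != -1 || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* 1. Raise the limit while still privileged; it survives the exec. */
    if (set_nproc_limit(NPROC_LIMIT, NPROC_LIMIT) == -1) {
        perror("setrlimit(RLIMIT_NPROC)");
        return 1;
    }
    /* 2. Drop to the real IDs of the user who started the wrapper. */
    if (drop_privileges(getuid(), getgid()) == -1) {
        fputs("could not drop privileges, not starting\n", stderr);
        return 1;
    }
    /* 3. Exec a fixed absolute path: no PATH lookup, no caller-chosen target. */
    execve(REAL_PROGRAM, argv, environ);
    perror("execve");
    return 127;
}
```

Every user who may execute the wrapper gets the raised limit for that one program, so the binary's group ownership and mode decide who that is.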