From piotr.rotter at active24.pl Fri Feb 8 17:00:33 2013
From: piotr.rotter at active24.pl (Piotr Rotter)
Date: Fri, 08 Feb 2013 23:00:33 +0100
Subject: [MaraDNS list] MaraDNS and nproc limit problem
Message-ID: <51157581.2030204@active24.pl>

Hello,

I have a problem with MaraDNS and the nproc limit. Whatever I set in
/etc/security/limits.conf, the maradns process is limited to 64 processes:

# cat /proc/`ps -e | grep mara | cut -d ' ' -f 1`/limits | grep 'Max processes'
Max processes             64                   64                   processes

This has the following effect in dmesg:

grsec: From 192.168.67.2: denied resource overstep by requesting 64 for RLIMIT_NPROC against limit 64 for /usr/sbin/maradns[maradns:26027] uid/euid:99/99 gid/egid:99/99, parent /usr/bin/duende[duende:26026] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.67.2: denied resource overstep by requesting 64 for RLIMIT_NPROC against limit 64 for /usr/sbin/maradns[maradns:26027] uid/euid:99/99 gid/egid:99/99, parent /usr/bin/duende[duende:26026] uid/euid:0/0 gid/egid:0/0

It's strange, because duende has a different limit:

Max processes             63859                63859                processes

I use Gentoo with a hardened kernel and MaraDNS 1.4.12.

Please help, and sorry for my English.


From maradns at gmail.com Sat Feb 23 02:35:09 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Fri, 22 Feb 2013 23:35:09 -0800
Subject: [MaraDNS list] MaraDNS and nproc limit problem
In-Reply-To: <51157581.2030204@active24.pl>
References: <51157581.2030204@active24.pl>
Message-ID:

> I use Gentoo with a hardened kernel and MaraDNS 1.4.12

[Apologies if this was sent twice to the list]

MaraDNS 1.4.12 is outdated. The best version of MaraDNS to use is
MaraDNS 2.0.07 (which includes Deadwood 3.2.03), which I released last
month.

Unlike MaraDNS 1, MaraDNS 2 only has two processes: one for MaraDNS, and
one for Deadwood, MaraDNS 2's recursive resolver [1]. Deadwood, unlike
MaraDNS 1, only uses a single process to process all recursive DNS
queries; it uses the "select() model" so as not to require multiple
threads.

Information on updating from MaraDNS 1 to MaraDNS 2 is here:

http://maradns.org/tutorial/update.html

MaraDNS 2.0 can be downloaded here:

http://www.maradns.org/download.html

- Sam

[1] If you must use the TCP "zoneserver", more processes will be needed,
since "zoneserver" uses the fork() model. Note that maradns.org does not
use zoneserver; I think it's optional.


From maradns at gmail.com Sat Feb 23 02:44:44 2013
From: maradns at gmail.com (Sam Trenholme)
Date: Fri, 22 Feb 2013 23:44:44 -0800
Subject: [MaraDNS list] New Deadwood snapshot http://cbv2.vk.tj/
Message-ID:

New Deadwood snapshot. Details at:

http://cbv2.vk.tj/

Deadwood is MaraDNS 2's recursive resolver.

For the last time, I will post the contents of that page here on the
list at the end of this message. This will be the last posting to the
mailing list until after March 20th, barring a new security problem in
MaraDNS with a CVE number.

- Sam

The problem

When I updated Deadwood to no longer read the cache if the dwood3rc
file is newer, there was still a problem when:

* Deadwood is started
* The dwood3rc file is modified
* Deadwood is stopped, writing a new cache file

When this happens with Deadwood 3.2.03, the cache file (which is a stale
cache) is newer than the dwood3rc file.

The solution

In order to solve this problem, Deadwood needs to have this workflow:

* Make a note of the timestamp of the dwood3rc file when Deadwood is
  started
* The dwood3rc file is replaced with a new file
* The cache is written, including a note of when the dwood3rc file was
  modified at the time Deadwood was started
* Deadwood is started again. It sees that, while dwood3rc is older than
  the cache, the dwood3rc timestamp is not the same as the older one, so
  it doesn't load the cache.
* The cache is no longer stale.

I spent today adding the ability to write metadata to a cache file in a
format that allows the cache to be read by older Deadwood releases.

Now, I need to add the code to make sure the dwood3rc file hasn't
changed since the last cache read before reading the cache. I will do
that in March.

It can be downloaded here:

http://www.maradns.org/deadwood/snap/

I plan to work on MaraDNS/Deadwood again one day in March, after the
21st.


From piotr.rotter at active24.pl Sat Feb 23 05:29:55 2013
From: piotr.rotter at active24.pl (Piotr Rotter)
Date: Sat, 23 Feb 2013 11:29:55 +0100
Subject: [MaraDNS list] MaraDNS and nproc limit problem
In-Reply-To:
References: <51157581.2030204@active24.pl>
Message-ID: <51289A23.7080102@active24.pl>

Thanks for your answer.

I solved this problem temporarily, in a dirty way. For some reason this
does not work properly for me.

MaraDNS.c line 4058:

maxprocs = read_numeric_kvar("maxprocs",64);

maxprocs is always 64, no matter what is set in
/etc/security/limits.conf. I do not have the time or knowledge to check
what's going on, so I set maxprocs to a fixed 1024 in the code and
recompiled MaraDNS. I hope that isn't a big mistake.
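The following is an added diagnostic example for the nproc thread above; it is not MaraDNS code. It parses the two pieces of evidence Piotr posted (a "Max processes" line from /proc/<pid>/limits and a grsecurity "denied resource overstep" line from dmesg) and compares the limited process with its parent. The reasoning it encodes is standard rlimit semantics: fork() and execve() preserve rlimits, so a child whose RLIMIT_NPROC is lower than its parent's must have lowered the limit on itself with setrlimit(), and pam_limits (/etc/security/limits.conf), which only applies when a login session is set up, cannot raise it. The sample lines are constructed from the values in the thread.

```python
"""Diagnose a per-process RLIMIT_NPROC that /etc/security/limits.conf cannot change.

Added example, not MaraDNS code.  Parses 'Max processes' lines from
/proc/<pid>/limits and grsecurity 'denied resource overstep' lines from dmesg,
then reports whether the denied process carries a lower hard limit than its
parent.  Because rlimits survive fork() and execve(), a lower limit in the
child means the child called setrlimit() on itself.
"""
import re
from dataclasses import dataclass

# Constructed sample input, using the numbers quoted in the thread.
PROC_LIMITS = {
    26027: "Max processes             64                   64                   processes",
    26026: "Max processes             63859                63859                processes",
}
DMESG = (
    "grsec: From 192.168.67.2: denied resource overstep by requesting 64 for "
    "RLIMIT_NPROC against limit 64 for /usr/sbin/maradns[maradns:26027] "
    "uid/euid:99/99 gid/egid:99/99, parent /usr/bin/duende[duende:26026] "
    "uid/euid:0/0 gid/egid:0/0\n"
)

UNLIMITED = -1  # sentinel for the 'unlimited' value in /proc/<pid>/limits

LIMITS_RE = re.compile(r"^Max processes\s+(\S+)\s+(\S+)\s+processes")
GRSEC_RE = re.compile(
    r"denied resource overstep by requesting (?P<req>\d+) for (?P<res>RLIMIT_\w+)"
    r" against limit (?P<limit>\d+) for (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+,"
    r" parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)


@dataclass
class Denial:
    resource: str
    requested: int
    limit: int
    pid: int
    comm: str
    uid: int
    ppid: int
    pcomm: str


def parse_nproc_limit(line: str) -> tuple[int, int]:
    """Return (soft, hard) from a 'Max processes' line of /proc/<pid>/limits."""
    m = LIMITS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'Max processes' line: {line!r}")

    def conv(s: str) -> int:
        return UNLIMITED if s == "unlimited" else int(s)

    return conv(m.group(1)), conv(m.group(2))


def parse_grsec_denials(text: str) -> list[Denial]:
    """Extract every grsecurity resource-overstep denial from a dmesg dump."""
    out = []
    for line in text.splitlines():
        m = GRSEC_RE.search(line)
        if m:
            out.append(Denial(m["res"], int(m["req"]), int(m["limit"]), int(m["pid"]),
                              m["comm"], int(m["uid"]), int(m["ppid"]), m["pcomm"]))
    return out


def diagnose(denial: Denial, limits: dict[int, str]) -> str:
    """Classify an RLIMIT_NPROC denial as 'self-imposed' or 'inherited'.

    limits maps pid -> that process's 'Max processes' line.  A child whose hard
    limit is below its parent's lowered it itself; limits.conf will not help.
    """
    if denial.resource != "RLIMIT_NPROC":
        return "not-nproc"
    _, child_hard = parse_nproc_limit(limits[denial.pid])
    _, parent_hard = parse_nproc_limit(limits[denial.ppid])
    if child_hard != UNLIMITED and (parent_hard == UNLIMITED or child_hard < parent_hard):
        return "self-imposed"
    return "inherited"


if __name__ == "__main__":
    for d in parse_grsec_denials(DMESG):
        print(f"{d.comm}[{d.pid}] uid {d.uid}: {d.resource} {d.requested}/{d.limit}, "
              f"parent {d.pcomm}[{d.ppid}] -> {diagnose(d, PROC_LIMITS)}")
```

On the thread's numbers this prints `self-imposed`: maradns (64/64) is a child of duende (63859/63859), so the 64 did not come from the session or the parent. That matches the default of 64 in the `read_numeric_kvar("maxprocs",64)` call Piotr quotes, which is a mararc setting rather than anything limits.conf controls; raising it belongs in the daemon's own configuration, and when you do, remember that RLIMIT_NPROC is counted per uid, so a daemon that shares a uid with other services needs headroom for them too.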
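The cache-staleness workflow in Sam's snapshot message above, as an added example that is not Deadwood's code and does not use Deadwood's cache file format. It models the sequence he describes: remember the dwood3rc mtime at startup, store it as metadata when the cache is written at shutdown, and on the next start refuse the cache if dwood3rc's current mtime differs from the stored one, even though the cache file is newer than dwood3rc. The cache format is a hypothetical one-record-per-line text file, and the metadata travels as an extra record whose key starts with `#`, which a reader that predates the metadata simply skips; the `legacy` path reproduces the 3.2.03 behaviour (cache accepted whenever it is newer than the config) so the difference is visible.

```python
"""Refuse a resolver cache that was written after its config file changed.

Added example, not Deadwood's code or file format.  Workflow modelled:
  start  -> record mtime of dwood3rc
  (edit dwood3rc while running)
  stop   -> write cache, including the recorded dwood3rc mtime as metadata
  start  -> load the cache only if dwood3rc's mtime still equals the stored one
"""
import os
import tempfile
from typing import Optional

META_KEY = "#dwood3rc_mtime_ns"  # hypothetical metadata record; old readers skip '#' keys


def rc_mtime_ns(rc_path: str) -> int:
    return os.stat(rc_path).st_mtime_ns


def write_cache(cache_path: str, entries: dict, rc_mtime_at_start: Optional[int]) -> None:
    """Write cache records; rc_mtime_at_start=None mimics a writer without metadata."""
    with open(cache_path, "w") as f:
        if rc_mtime_at_start is not None:
            f.write(f"{META_KEY} {rc_mtime_at_start}\n")
        for name, value in entries.items():
            f.write(f"{name} {value}\n")


def read_records(cache_path: str) -> tuple[Optional[int], dict]:
    """Return (stored dwood3rc mtime or None, entries)."""
    meta, entries = None, {}
    with open(cache_path) as f:
        for line in f:
            key, _, value = line.rstrip("\n").partition(" ")
            if key == META_KEY:
                meta = int(value)
            elif key.startswith("#"):
                continue  # unknown metadata: ignore it, as an older reader would
            else:
                entries[key] = value
    return meta, entries


def load_cache(cache_path: str, rc_path: str) -> Optional[dict]:
    """Return the cached entries, or None if the cache must be treated as stale."""
    if not os.path.exists(cache_path):
        return None
    meta, entries = read_records(cache_path)
    if meta is None:
        # Cache from a writer without metadata: only the older rule is available,
        # which catches a config edited after the cache was written, nothing more.
        if rc_mtime_ns(rc_path) > os.stat(cache_path).st_mtime_ns:
            return None
        return entries
    if meta != rc_mtime_ns(rc_path):
        return None  # config changed while the previous instance ran: stale
    return entries


def scenario(edit_config_while_running: bool, legacy: bool = False) -> bool:
    """Run start / (edit) / stop / start in a temp dir; True if the 2nd start loads the cache."""
    with tempfile.TemporaryDirectory() as d:
        rc = os.path.join(d, "dwood3rc")
        cache = os.path.join(d, "cache")
        with open(rc, "w") as f:
            f.write("# config version 1\n")
        os.utime(rc, ns=(1_000_000_000, 1_000_000_000))  # fixed mtime, for determinism
        seen = rc_mtime_ns(rc)                            # first start
        if edit_config_while_running:
            with open(rc, "w") as f:
                f.write("# config version 2\n")
            os.utime(rc, ns=(2_000_000_000, 2_000_000_000))
        # stop: the cache gets the current wall-clock mtime, newer than either config mtime
        write_cache(cache, {"example.com.": "192.0.2.1"}, None if legacy else seen)
        return load_cache(cache, rc) is not None          # second start


if __name__ == "__main__":
    print("no edit, metadata      :", scenario(False))          # True
    print("edit, metadata         :", scenario(True))           # False: stale cache refused
    print("edit, legacy writer    :", scenario(True, legacy=True))  # True: the 3.2.03 problem
```

Comparing the stored and current mtimes for equality, rather than ordering them, is what closes the gap: a cache written at shutdown is always newer than the config, so "config newer than cache" can never fire in that sequence. An mtime can be reset with `touch -d`, so a deployment that needs the check to be tamper-evident would store a digest of the config instead of its timestamp; that is a stricter variant than the timestamp-based design described above, not what the snapshot implements.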