Bug 869705

Summary: SAPInstance resource agent should apply configured resource limits for SAP processes
Product: Red Hat Enterprise Linux 5 Reporter: Julio Entrena Perez <jentrena>
Component: rgmanagerAssignee: Ryan McCabe <rmccabe>
Status: CLOSED ERRATA QA Contact: Cluster QE <mspqa-list>
Severity: high Docs Contact:
Priority: high    
Version: 5.10CC: agk, cluster-maint, djansa, edamato, fdinitto, jentrena, jkortus, lhh, mjuricek
Target Milestone: rcKeywords: EasyFix, OtherQA, Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rgmanager-2.0.52-40.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 869695 Environment:
Last Closed: 2013-09-30 22:36:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 869695    
Bug Blocks: 836232, 928849    
Attachments:
Description Flags
Example cluster.conf
none
Example /usr/sap/sapservices none

Description Julio Entrena Perez 2012-10-24 15:30:22 UTC 
Created attachment 632859 [details]
Example cluster.conf

+++ This bug was initially created as a clone of Bug #869695 +++

Created attachment 632838 [details]
Example cluster.conf

> Description of problem:
SAP instances started by SAPInstance cluster resource agent inherit limits on system resources (e.g. max # of open file descriptors) for root user.
SAP instances need higher limits on the maximum number of open files (ulimit -n), the maximum stack size (ulimit -s) and the maximum size of data segments (ulimit -d).
Those limits can not be applied by PAM due to the way that SAP processes are started by cluster, see "Additional info" below.

> Version-Release number of selected component (if applicable):
rgmanager-2.0.52-28.el5_8.5

> How reproducible:
Always.

> Steps to Reproduce:
1. Configure a clustered SAP instance (see attached cluster.conf example).
2. Start the clustered service that includes the SAP instance (clusvcadm -e).
3. Observe current resource limits of the instance processes:

# ps -ef | grep jepadm |grep -v grep
jepadm    6032     1  0 Oct23 ?        00:00:18 /usr/sap/JEP/ASCS00/exe/sapstartsrv pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs -D -u jepadm
jepadm    6307     1  0 Oct23 ?        00:00:00 sapstart pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs
jepadm    6322  6307  0 Oct23 ?        00:00:01 ms.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
jepadm    6323  6307  0 Oct23 ?        00:00:23 en.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
  
> Actual results:
# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files

> Expected results:
Limits specified in /usr/sap/sapservices are taken into account by SAPInstance RA:

# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files

> Additional info:

Currently the following sequence of events occurs when rgmanager starts a SAP Instance:

- rgmanager starts SAPInstance RA as root.
- SAPInstance starts sapstartsrv as root with the account username as a parameter ('-u'):
195     $SAPSTARTSRV pf=$SAPSTARTPROFILE -D -u $sidadm
                                                ^
- sapstartsrv process starts as root and drops privileges by calling setgid() and setuid() (and then clones into new processes).
- SAPInstance calls sapcontrol to start the instance:
270     output=`$SAPCONTROL -nr $InstanceNr -function Start`

- sapcontrol instructs sapstartsrv to start SAP instance as described in [1].

Due to this sequence of events:
- PAM limits configured in /etc/security/limits.conf as described in SAP note 1496410 are not applied to processes started by rgmanager/SAPInstance RA.
- limits configured in /usr/sap/sapservices as described in SAP note 1437105 are not applied either since instances are not started by /etc/init.d/sapinit but by rgmanager/SAPInstance RA instead.

SAPInstance RA should take limits configured in /usr/sap/sapservices into account.
If no limits are specified in /usr/sap/sapservices then safe default limits should be applied.

[1] http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b3/903925c34a45e28a2861b59c3c5623/content.htm

--- Additional comment from jentrena on 2012-10-24 16:12:02 BST ---

Created attachment 632842 [details]
Example /usr/sap/sapservices

--- Additional comment from jentrena on 2012-10-24 16:13:03 BST ---

Created attachment 632844 [details]
SAP note 1437105

--- Additional comment from jentrena on 2012-10-24 16:13:58 BST ---

Created attachment 632846 [details]
SAP note 1496410

--- Additional comment from pm-rhel on 2012-10-24 16:15:18 BST ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 1 Julio Entrena Perez 2012-10-24 15:31:38 UTC 
Created attachment 632860 [details]
Example /usr/sap/sapservices
Comment 7 Ryan McCabe 2013-04-16 15:15:12 UTC 
Applied patch from upstream resources.git that resolved bug #869695
Comment 8 Ryan McCabe 2013-04-16 15:15:49 UTC 
s/resources/resource-agents/
Comment 15 errata-xmlrpc 2013-09-30 22:36:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1316.html