869695 – SAPInstance resource agent should apply configured resource limits for SAP processes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 869695 - SAPInstance resource agent should apply configured resource limits for SAP processes

Summary: SAPInstance resource agent should apply configured resource limits for SAP pr...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	resource-agents
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Chris Feist
QA Contact:	Cluster QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	782183 869705 886216
TreeView+	depends on / blocked

Reported:	2012-10-24 15:11 UTC by Julio Entrena Perez
Modified:	2018-12-03 17:53 UTC (History)
CC List:	7 users (show)
Fixed In Version:	resource-agents-3.9.2-20.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	869705 (view as bug list)
Environment:
Last Closed:	2013-02-21 07:52:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Example cluster.conf (4.29 KB, application/octet-stream) 2012-10-24 15:11 UTC, Julio Entrena Perez	no flags	Details
Example /usr/sap/sapservices (447 bytes, application/octet-stream) 2012-10-24 15:12 UTC, Julio Entrena Perez	no flags	Details
First draft of a proposed patch that applies resource limits from /usr/sap/sapservices before starting sapstartsrv (2.21 KB, patch) 2012-10-25 16:55 UTC, Julio Entrena Perez	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	238983	0	None	None	None	2012-10-24 15:40:41 UTC
Red Hat Product Errata	RHBA-2013:0288	0	normal	SHIPPED_LIVE	resource-agents bug fix and enhancement update	2013-02-20 20:36:39 UTC

Description Julio Entrena Perez 2012-10-24 15:11:01 UTC

Created attachment 632838 [details]
Example cluster.conf

> Description of problem:
SAP instances started by SAPInstance cluster resource agent inherit limits on system resources (e.g. max # of open file descriptors) for root user.
SAP instances need higher limits on the maximum number of open files (ulimit -n), the maximum stack size (ulimit -s) and the maximum size of data segments (ulimit -d).
Those limits can not be applied by PAM due to the way that SAP processes are started by cluster, see "Additional info" below.

> Version-Release number of selected component (if applicable):
resource-agents-3.9.2-12.el6

> How reproducible:
Always.

> Steps to Reproduce:
1. Configure a clustered SAP instance (see attached cluster.conf example).
2. Start the clustered service that includes the SAP instance (clusvcadm -e).
3. Observe current resource limits of the instance processes:

# ps -ef | grep jepadm |grep -v grep
jepadm    6032     1  0 Oct23 ?        00:00:18 /usr/sap/JEP/ASCS00/exe/sapstartsrv pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs -D -u jepadm
jepadm    6307     1  0 Oct23 ?        00:00:00 sapstart pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs
jepadm    6322  6307  0 Oct23 ?        00:00:01 ms.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
jepadm    6323  6307  0 Oct23 ?        00:00:23 en.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
  
> Actual results:
# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files

> Expected results:
Limits specified in /usr/sap/sapservices are taken into account by SAPInstance RA:

# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files

> Additional info:

Currently the following sequence of events occurs when rgmanager starts a SAP Instance:

- rgmanager starts SAPInstance RA as root.
- SAPInstance starts sapstartsrv as root with the account username as a parameter ('-u'):
195     $SAPSTARTSRV pf=$SAPSTARTPROFILE -D -u $sidadm
                                                ^
- sapstartsrv process starts as root and drops privileges by calling setgid() and setuid() (and then clones into new processes).
- SAPInstance calls sapcontrol to start the instance:
270     output=`$SAPCONTROL -nr $InstanceNr -function Start`

- sapcontrol instructs sapstartsrv to start SAP instance as described in [1].

Due to this sequence of events:
- PAM limits configured in /etc/security/limits.conf as described in SAP note 1496410 are not applied to processes started by rgmanager/SAPInstance RA.
- limits configured in /usr/sap/sapservices as described in SAP note 1437105 are not applied either since instances are not started by /etc/init.d/sapinit but by rgmanager/SAPInstance RA instead.

SAPInstance RA should take limits configured in /usr/sap/sapservices into account.
If no limits are specified in /usr/sap/sapservices then safe default limits should be applied.

[1] http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b3/903925c34a45e28a2861b59c3c5623/content.htm

Comment 1 Julio Entrena Perez 2012-10-24 15:12:02 UTC

Created attachment 632842 [details]
Example /usr/sap/sapservices

Comment 5 Julio Entrena Perez 2012-10-25 16:55:26 UTC

Created attachment 633461 [details]
First draft of a proposed patch that applies resource limits from /usr/sap/sapservices before starting sapstartsrv

I'm attaching a first draft of a proposed patch.

If SAPInstance RA needs to start sapstartsrv, it will first check for resource limits configured at /usr/sap/sapservices and, if found, it will "eval" those before starting sapstartsrv, and will log the applied values with info level.

That's enough since processes of SAP instances will be started by sapstartsrv (at sapcontrol request) and will inherit the resource limits from it.

Comment 28 errata-xmlrpc 2013-02-21 07:52:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0288.html

Note You need to log in before you can comment on or make changes to this bug.