869705 – SAPInstance resource agent should apply configured resource limits for SAP processes

Bug 869705 - SAPInstance resource agent should apply configured resource limits for SAP processes

Summary: SAPInstance resource agent should apply configured resource limits for SAP pr...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	rgmanager
Sub Component:
Version:	5.10
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Ryan McCabe
QA Contact:	Cluster QE
Docs Contact:
URL:
Whiteboard:
Depends On:	869695
Blocks:	836232 928849
TreeView+	depends on / blocked

Reported:	2012-10-24 15:30 UTC by Julio Entrena Perez
Modified:	2018-12-03 17:53 UTC (History)
CC List:	9 users (show)
Fixed In Version:	rgmanager-2.0.52-40.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:	869695
Environment:
Last Closed:	2013-09-30 22:36:47 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Example cluster.conf (4.29 KB, application/octet-stream) 2012-10-24 15:30 UTC, Julio Entrena Perez	no flags	Details
Example /usr/sap/sapservices (447 bytes, application/octet-stream) 2012-10-24 15:31 UTC, Julio Entrena Perez	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	238983	0	None	None	None	2012-10-24 15:41:13 UTC
Red Hat Product Errata	RHBA-2013:1316	0	normal	SHIPPED_LIVE	rgmanager bug fix and enhancement update	2013-09-30 21:13:21 UTC

Description Julio Entrena Perez 2012-10-24 15:30:22 UTC

Created attachment 632859 [details]
Example cluster.conf

+++ This bug was initially created as a clone of Bug #869695 +++

Created attachment 632838 [details]
Example cluster.conf

> Description of problem:
SAP instances started by SAPInstance cluster resource agent inherit limits on system resources (e.g. max # of open file descriptors) for root user.
SAP instances need higher limits on the maximum number of open files (ulimit -n), the maximum stack size (ulimit -s) and the maximum size of data segments (ulimit -d).
Those limits can not be applied by PAM due to the way that SAP processes are started by cluster, see "Additional info" below.

> Version-Release number of selected component (if applicable):
rgmanager-2.0.52-28.el5_8.5

> How reproducible:
Always.

> Steps to Reproduce:
1. Configure a clustered SAP instance (see attached cluster.conf example).
2. Start the clustered service that includes the SAP instance (clusvcadm -e).
3. Observe current resource limits of the instance processes:

# ps -ef | grep jepadm |grep -v grep
jepadm    6032     1  0 Oct23 ?        00:00:18 /usr/sap/JEP/ASCS00/exe/sapstartsrv pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs -D -u jepadm
jepadm    6307     1  0 Oct23 ?        00:00:00 sapstart pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs
jepadm    6322  6307  0 Oct23 ?        00:00:01 ms.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
jepadm    6323  6307  0 Oct23 ?        00:00:23 en.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
  
> Actual results:
# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files

> Expected results:
Limits specified in /usr/sap/sapservices are taken into account by SAPInstance RA:

# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files

> Additional info:

Currently the following sequence of events occurs when rgmanager starts a SAP Instance:

- rgmanager starts SAPInstance RA as root.
- SAPInstance starts sapstartsrv as root with the account username as a parameter ('-u'):
195     $SAPSTARTSRV pf=$SAPSTARTPROFILE -D -u $sidadm
                                                ^
- sapstartsrv process starts as root and drops privileges by calling setgid() and setuid() (and then clones into new processes).
- SAPInstance calls sapcontrol to start the instance:
270     output=`$SAPCONTROL -nr $InstanceNr -function Start`

- sapcontrol instructs sapstartsrv to start SAP instance as described in [1].

Due to this sequence of events:
- PAM limits configured in /etc/security/limits.conf as described in SAP note 1496410 are not applied to processes started by rgmanager/SAPInstance RA.
- limits configured in /usr/sap/sapservices as described in SAP note 1437105 are not applied either since instances are not started by /etc/init.d/sapinit but by rgmanager/SAPInstance RA instead.

SAPInstance RA should take limits configured in /usr/sap/sapservices into account.
If no limits are specified in /usr/sap/sapservices then safe default limits should be applied.

[1] http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b3/903925c34a45e28a2861b59c3c5623/content.htm

--- Additional comment from jentrena on 2012-10-24 16:12:02 BST ---

Created attachment 632842 [details]
Example /usr/sap/sapservices

--- Additional comment from jentrena on 2012-10-24 16:13:03 BST ---

Created attachment 632844 [details]
SAP note 1437105

--- Additional comment from jentrena on 2012-10-24 16:13:58 BST ---

Created attachment 632846 [details]
SAP note 1496410

--- Additional comment from pm-rhel on 2012-10-24 16:15:18 BST ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 1 Julio Entrena Perez 2012-10-24 15:31:38 UTC

Created attachment 632860 [details]
Example /usr/sap/sapservices

Comment 7 Ryan McCabe 2013-04-16 15:15:12 UTC

Applied patch from upstream resources.git that resolved bug #869695

Comment 8 Ryan McCabe 2013-04-16 15:15:49 UTC

s/resources/resource-agents/

Comment 15 errata-xmlrpc 2013-09-30 22:36:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1316.html

Note You need to log in before you can comment on or make changes to this bug.