This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 869705 - SAPInstance resource agent should apply configured resource limits for SAP processes
SAPInstance resource agent should apply configured resource limits for SAP pr...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: rgmanager (Show other bugs)
5.10
All Linux
high Severity high
: rc
: ---
Assigned To: Ryan McCabe
Cluster QE
: EasyFix, OtherQA, Patch
Depends On: 869695
Blocks: 836232 928849
  Show dependency treegraph
 
Reported: 2012-10-24 11:30 EDT by Julio Entrena Perez
Modified: 2013-09-30 18:36 EDT (History)
9 users (show)

See Also:
Fixed In Version: rgmanager-2.0.52-40.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 869695
Environment:
Last Closed: 2013-09-30 18:36:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Example cluster.conf (4.29 KB, application/octet-stream)
2012-10-24 11:30 EDT, Julio Entrena Perez
no flags Details
Example /usr/sap/sapservices (447 bytes, application/octet-stream)
2012-10-24 11:31 EDT, Julio Entrena Perez
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 238983 None None None 2012-10-24 11:41:13 EDT

  None (edit)
Description Julio Entrena Perez 2012-10-24 11:30:22 EDT
Created attachment 632859 [details]
Example cluster.conf

+++ This bug was initially created as a clone of Bug #869695 +++

Created attachment 632838 [details]
Example cluster.conf

> Description of problem:
SAP instances started by SAPInstance cluster resource agent inherit limits on system resources (e.g. max # of open file descriptors) for root user.
SAP instances need higher limits on the maximum number of open files (ulimit -n), the maximum stack size (ulimit -s) and the maximum size of data segments (ulimit -d).
Those limits can not be applied by PAM due to the way that SAP processes are started by cluster, see "Additional info" below.

> Version-Release number of selected component (if applicable):
rgmanager-2.0.52-28.el5_8.5

> How reproducible:
Always.

> Steps to Reproduce:
1. Configure a clustered SAP instance (see attached cluster.conf example).
2. Start the clustered service that includes the SAP instance (clusvcadm -e).
3. Observe current resource limits of the instance processes:

# ps -ef | grep jepadm |grep -v grep
jepadm    6032     1  0 Oct23 ?        00:00:18 /usr/sap/JEP/ASCS00/exe/sapstartsrv pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs -D -u jepadm
jepadm    6307     1  0 Oct23 ?        00:00:00 sapstart pf=/sapmnt/JEP/profile/JEP_ASCS00_jep-ascs
jepadm    6322  6307  0 Oct23 ?        00:00:01 ms.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
jepadm    6323  6307  0 Oct23 ?        00:00:23 en.sapJEP_ASCS00 pf=/usr/sap/JEP/SYS/profile/JEP_ASCS00_jep-ascs
  
> Actual results:
# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            10485760             unlimited            bytes     
Max open files            1024                 4096                 files

> Expected results:
Limits specified in /usr/sap/sapservices are taken into account by SAPInstance RA:

# for i in 6032 6307 6322 6323 ; do echo "$i:"; cat /proc/$i/limits | egrep "open|data|stack"; done
6032:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6307:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6322:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files     
6323:
Max data size             unlimited            unlimited            bytes     
Max stack size            268435456            268435456            bytes     
Max open files            65536                65536                files

> Additional info:

Currently the following sequence of events occurs when rgmanager starts a SAP Instance:

- rgmanager starts SAPInstance RA as root.
- SAPInstance starts sapstartsrv as root with the account username as a parameter ('-u'):
195     $SAPSTARTSRV pf=$SAPSTARTPROFILE -D -u $sidadm
                                                ^
- sapstartsrv process starts as root and drops privileges by calling setgid() and setuid() (and then clones into new processes).
- SAPInstance calls sapcontrol to start the instance:
270     output=`$SAPCONTROL -nr $InstanceNr -function Start`

- sapcontrol instructs sapstartsrv to start SAP instance as described in [1].

Due to this sequence of events:
- PAM limits configured in /etc/security/limits.conf as described in SAP note 1496410 are not applied to processes started by rgmanager/SAPInstance RA.
- limits configured in /usr/sap/sapservices as described in SAP note 1437105 are not applied either since instances are not started by /etc/init.d/sapinit but by rgmanager/SAPInstance RA instead.

SAPInstance RA should take limits configured in /usr/sap/sapservices into account.
If no limits are specified in /usr/sap/sapservices then safe default limits should be applied.

[1] http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b3/903925c34a45e28a2861b59c3c5623/content.htm

--- Additional comment from jentrena@redhat.com on 2012-10-24 16:12:02 BST ---

Created attachment 632842 [details]
Example /usr/sap/sapservices

--- Additional comment from jentrena@redhat.com on 2012-10-24 16:13:03 BST ---

Created attachment 632844 [details]
SAP note 1437105

--- Additional comment from jentrena@redhat.com on 2012-10-24 16:13:58 BST ---

Created attachment 632846 [details]
SAP note 1496410

--- Additional comment from pm-rhel@redhat.com on 2012-10-24 16:15:18 BST ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 1 Julio Entrena Perez 2012-10-24 11:31:38 EDT
Created attachment 632860 [details]
Example /usr/sap/sapservices
Comment 7 Ryan McCabe 2013-04-16 11:15:12 EDT
Applied patch from upstream resources.git that resolved bug #869695
Comment 8 Ryan McCabe 2013-04-16 11:15:49 EDT
s/resources/resource-agents/
Comment 15 errata-xmlrpc 2013-09-30 18:36:47 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1316.html

Note You need to log in before you can comment on or make changes to this bug.