David Howells schrieb:
quoted text
> Make the keyring quotas controllable through /proc/sys files:
> 
>  (*) /proc/sys/kernel/keys/root_maxkeys
>      /proc/sys/kernel/keys/root_maxbytes
> 
>      Maximum number of keys that root may have and the maximum total number of
>      bytes of data that root may have stored in those keys.
> 
>  (*) /proc/sys/kernel/keys/maxkeys
>      /proc/sys/kernel/keys/maxbytes
> 
>      Maximum number of keys that each non-root user may have and the maximum
>      total number of bytes of data that each of those users may have stored in
>      their keys.
> 
> Also increase the quotas as a number of people have been complaining that it's
> not big enough.  I'm not sure that it's big enough now either, but on the
> other hand, it can now be set in /etc/sysctl.conf.
> 

Hello David,

you're our hero! ;-)

We just hit this wall while migrating from RHEl 3 to RHEL 5 with some of 
our webservers.

[root@lvr11 ~]# cat /proc/key-users
     0:    99 98/98 96/100 1681/10000
    32:     2 2/2 2/100 56/10000
    38:     2 2/2 2/100 56/10000
    43:     2 2/2 2/100 56/10000
    51:     2 2/2 2/100 56/10000
    68:     2 2/2 2/100 56/10000
    81:     2 2/2 2/100 56/10000
    99:     2 2/2 2/100 56/10000
   348:     2 2/2 2/100 58/10000
42216:     2 2/2 2/100 62/10000
55188:     3 3/3 3/100 72/10000
56537:     2 2/2 2/100 62/10000
63743:     2 2/2 2/100 62/10000
68054:     2 2/2 2/100 62/10000

....


We're using OpenAFS on our systems and most of our webpages are stored 
in AFS. We have a lot of small projects for which a separate server 
would be a waste of 'metal'. Even in a virtual environment. So we're 
hosting a lot of apache instances on a single machine. Beause suexec 
doesn't work in an AFS environment, each instance is started by root 
with its own IP (to be able to talk HTTPS) and in a PAG with a separate 
token for a service user (to isolate the projects). Although each apache 
switches  over to the service user, the initial tokens are acquired by root.

On RHEL 3 with the old 2.4 kernel this was never a problem. But now...

Btw.: We have some machines with about hundred (!) different projects 
which need tokens.


Best regards,

Berthold Cogel

-- 
Dr. Berthold Cogel                             University of Cologne
E-Mail: cogel@uni-koeln.de                     ZAIK-US (RRZK)
Tel.:   +49(0)221/470-7873                     Robert-Koch-Str. 10
FAX:    +49(0)221/478-85845                    D-50931 Cologne - Germany
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/