同一用户的多个会话。当其中一个无法再运行新程序时,他们都无法运行,甚至该用户的新登录也无法运行。其他用户仍然可以正常运行新程序,包括新登录。
通常用户限制位于limits.conf中,但其文档显示“请注意,所有限制设置都是每次登录时设置的。它们不是全局的,也不是永久的;仅在会话期间存在。”
我的内存还远远不够(44GB 可用),但我不知道还能看什么。存在哪些限制会对使用相同 UID 而不是其他 UID 的所有会话产生全局影响?
于 2016 年 6 月 12 日 8:45p 编辑添加:
在编写下面的内容时,我意识到问题可能与 X11 有关。该盒子上的用户帐户几乎专门用于 GUI 应用程序。有没有一个好的基于文本的程序我可以尝试从 bash 运行,该程序将使用大量资源并给出良好的错误消息?该框还没有达到甚至无法运行 ls 的地步。
不幸的是,这个问题通常影响的 GUI 程序(Chrome 和 Firefox)不能很好地留下错误消息。 Chrome 标签将开始显示空白或完全无用的“噢,啪!”错误。 Firefox 将拒绝启动。我设法获得的唯一甚至部分有用的错误消息来自尝试从 bash 启动 Firefox:
[pascal@firefox ~]$ firefox --display=:0 --safe-mode
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(rv)), 1))) && thread (Should successfully create image decoding threads), at /builddir/build/BUILD/firefox-45.2.0/firefox-45.2.0esr/image/DecodePool.cpp:359
#01: ???[/usr/lib64/firefox/libxul.so +0x10f2165]
#02: ???[/usr/lib64/firefox/libxul.so +0xa2dd2c]
#03: ???[/usr/lib64/firefox/libxul.so +0xa2ee29]
#04: ???[/usr/lib64/firefox/libxul.so +0xa2f4c1]
#05: ???[/usr/lib64/firefox/libxul.so +0xa3095d]
#06: ???[/usr/lib64/firefox/libxul.so +0xa52d44]
#07: ???[/usr/lib64/firefox/libxul.so +0xa4c051]
#08: ???[/usr/lib64/firefox/libxul.so +0x1096257]
#09: ???[/usr/lib64/firefox/libxul.so +0x1096342]
#10: ???[/usr/lib64/firefox/libxul.so +0x1dba68f]
#11: ???[/usr/lib64/firefox/libxul.so +0x1dba805]
#12: ???[/usr/lib64/firefox/libxul.so +0x1dba8b9]
#13: ???[/usr/lib64/firefox/libxul.so +0x1e3e6be]
#14: ???[/usr/lib64/firefox/libxul.so +0x1e48d1f]
#15: ???[/usr/lib64/firefox/libxul.so +0x1e48ddd]
#16: ???[/usr/lib64/firefox/libxul.so +0x20bf7bc]
#17: ???[/usr/lib64/firefox/libxul.so +0x20bfae6]
#18: ???[/usr/lib64/firefox/libxul.so +0x20bfe5b]
#19: ???[/usr/lib64/firefox/libxul.so +0x21087cd]
#20: ???[/usr/lib64/firefox/libxul.so +0x2108cd2]
#21: ???[/usr/lib64/firefox/libxul.so +0x210aef4]
#22: ???[/usr/lib64/firefox/libxul.so +0x22578b1]
#23: ???[/usr/lib64/firefox/libxul.so +0x228ba43]
#24: ???[/usr/lib64/firefox/libxul.so +0x228be1d]
#25: XRE_main[/usr/lib64/firefox/libxul.so +0x228c073]
#26: ???[/usr/lib64/firefox/firefox +0x4c1d]
#27: ???[/usr/lib64/firefox/firefox +0x436d]
#28: __libc_start_main[/lib64/libc.so.6 +0x21b15]
#29: ???[/usr/lib64/firefox/firefox +0x449d]
#30: ??? (???:???)
Segmentation fault
[pascal@firefox ~]$ firefox --display=:0 --safe-mode -g
1465632860286DeferredSave.extensions.jsonWARNWrite failed: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860287addons.xpi-utilsWARNFailed to save XPI database: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860288addons.xpi-utilsWARNFailed to save XPI database: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860289addons.xpi-utilsWARNFailed to save XPI database: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860289addons.xpi-utilsWARNFailed to save XPI database: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860290addons.xpi-utilsWARNFailed to save XPI database: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860358DeferredSave.addons.jsonWARNWrite failed: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
1465632860359addons.repositoryERRORSaveDBToDisk failed: Error: Could not create new thread! (resource://gre/modules/PromiseWorker.jsm:173:18) JS Stack trace: [email protected]:173:18 < [email protected]:292:9 < [email protected]:315:40 < [email protected]:933:23 < [email protected]:812:7 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:746:1 < [email protected]:770:1 < [email protected]:284:9
Segmentation fault
[pascal@firefox ~]$
[pascal@localhost ~]$ ulimit -aH
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 579483
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65536
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 579483
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[pascal@localhost ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 579483
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 32768
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 4096
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[pascal@localhost ~]$ set /proc/*/task/*/cwd/.; echo $#
306
[pascal@localhost ~]$ prlimit
RESOURCE DESCRIPTION SOFT HARD UNITS
AS address space limit unlimited unlimited bytes
CORE max core file size 0 unlimited blocks
CPU CPU time unlimited unlimited seconds
DATA max data size unlimited unlimited bytes
FSIZE max file size unlimited unlimited blocks
LOCKS max number of file locks held unlimited unlimited
MEMLOCK max locked-in-memory address space 65536 65536 bytes
MSGQUEUE max bytes in POSIX mqueues 819200 819200 bytes
NICE max nice prio allowed to raise 0 0
NOFILE max number of open files 32768 65536
NPROC max number of processes 4096 579483
RSS max resident set size unlimited unlimited pages
RTPRIO max real-time priority 0 0
RTTIME timeout for real-time tasks unlimited unlimited microsecs
SIGPENDING max number of pending signals 579483 579483
STACK max stack size 8388608 unlimited bytes
于 2016 年 6 月 13 日 10:24p 编辑添加:
不是 GUI 问题。当我今天尝试向用户 su 时,这甚至不起作用。根没问题。我可以 ls,vi,创建一个新用户,su 到该用户,该用户一切正常,我退出并尝试 su 到问题用户,但没有成功。 Bash 第一次加载了,但甚至退出也不起作用。我必须重新连接才能回到root。
[root@firefox ~]# su - pascal
Last login: Sat Jun 11 03:08:47 CDT 2016 on pts/1
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: Resource temporarily unavailable
-bash-4.2$ ls
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: Resource temporarily unavailable
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: Resource temporarily unavailable
-bash-4.2$ exit
logout
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: Resource temporarily unavailable
-bash-4.2$
[root@firefox ~]# ls -l /
total 126
lrwxrwxrwx. 1 root root 7 Jan 28 23:53 bin -> usr/bin
---- snip ----
drwxr-xr-x. 19 root root 23 May 27 18:03 var
[root@firefox ~]# vi /etc/rc.local
[root@firefox ~]# useradd test
[root@firefox ~]# su - test
[test@firefox ~]$ cd
[test@firefox ~]$ ls -l
total 0
[test@firefox ~]$ ls -l /
total 126
lrwxrwxrwx. 1 root root 7 Jan 28 23:53 bin -> usr/bin
---- snip ----
drwxr-xr-x. 19 root root 23 May 27 18:03 var
[test@firefox ~]$ vi /etc/rc.local
[test@firefox ~]$ exit
logout
[root@firefox ~]# su - pascal
Last login: Mon Jun 13 22:12:12 CDT 2016 on pts/1
su: failed to execute /bin/bash: Resource temporarily unavailable
[root@firefox ~]#
答案1
nproc 是问题所在:
[root@localhost ~]# ps -eLf | grep pascal | wc -l
4068
[root@localhost ~]# cat /etc/security/limits.d/20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.
* soft nproc 4096
root soft nproc unlimited
[root@localhost ~]#
man limits.conf 指出:
Also, please note that all limit settings are set per login. They are
not global, nor are they permanent; existing only for the duration of
the session. One exception is the maxlogin option, this one is system
wide. But there is a race, concurrent logins at the same time will not
always be detected as such but only counted as one.
在我看来,nproc 仅在每次登录时强制执行,但在全局范围内计数。因此,使用 nproc 8192 和 5000 个线程登录不会有问题,但使用 nproc 4096 和 50 个线程同时登录同一 UID 将无法创建更多线程,因为全局计数 (5050) 高于其 nproc 设置。
[root@localhost ~]# ps -eLf | grep pascal | grep google/chrome | wc -l
3792
答案2
如果您根本无法访问该帐户,您将很难找出问题所在。但请检查系统或应用程序日志,希望某些程序会在那里留下线索(特别是对于失败的登录尝试)。
如果您可以运行程序进行实验,则可以通过尝试增加每个限制值并查看其何时有效以及何时尝试失败(并显示 )来判断已达到哪个限制EAGAIN。还可以列出每个值使用的资源;我想不出有一种实用程序可以收集所有限制的数据,但很可能有一个。
假设问题是内核限制,这些问题列在setrlimit手册页。适用于每个用户 ID 的内容包括:
RLIMIT_MEMLOCK— 不可交换内存的大小。不应阻止登录,很少有程序请求不可交换的内存。RLIMIT_MSGQUEUE— 消息队列的大小。不应阻止登录,很少有程序使用消息队列。RLIMIT_NPROC— 最大进程数。这绝对是将要如果达到则阻止登录。增加限制/etc/security/limits.conf不会影响现有会话,但会影响新进程,因此如果系统管理员增加该值,用户将能够登录。RLIMIT_SIGPENDING— 待处理信号的最大数量。不应阻止登录,很少有程序使用sigqueue对信号进行排队。
所以对进程的限制是最有可能的一种。如果您有权访问正在运行的 shell,则可以通过尝试运行程序来确认;该错误应该非常明显:
$ ls
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: Resource temporarily unavailable
您可以使用 打印出此限制ulimit -u。如果您有权访问以有问题的用户身份运行的 shell,并且该用户尚未运行任何 setuid 程序,则可以使用set /proc/*/task/*/cwd/.; echo $#(列出用户可以读取cwd链接的内核线程,其中意味着用户可以完全控制该过程)。
答案3
答案4
nproc你可以确定https://unix.stackexchange.com/a/289589/8337
-n打开您可以确定的文件https://stackoverflow.com/a/21752125/32453
其余的不确定。
也许一次增加一项限制,直到您达到黄金水平? :)