7 replies to this topic

[stryder]

OS X has a very small maximum limit of the number of processes you can run. How did I discover this? Well, our webserver was suddenly denying connections, even though the maximum limit was set to 500, and we weren't getting 500 concurrent connections! If you don't raise the limits, and you reach them, you're locked out of even shutting down or restarting! Here's how to raise them:

in /etc/sysctl.conf:

kern.maxproc=2048
kern.maxprocperuid=512

--

in /etc/rc:

#
# ####################################################################
#
# ADDED TO PREVENT SYSTEM LOCKUP
#
# ####################################################################
#
sysctl -w kern.maxproc=2048
sysctl -w kern.maxprocperuid=512

--

in /etc/rc.common:

#######################
# Configure the shell #
#######################


# ####################################################################
#
# ADDED TO CANCEL OUT THE LIMIT OF THE NUMBER OF PROCESSES
#
# ####################################################################

ulimit -u 512

# #######################


The above additions will allow more processes to run (512 per user id, maximum of 2048 total). See Mac OS X client has a relatively conservative setting of 512 for kern.maxproc, while Mac OS X Server sets this to 2048. So I upped this as well and things seem to be going more smoothly on our servers.

[humasect]

Hey that's cool. Thanks for the info.

BSD and Apache can be joyous

[Daisuke]

Never EVER run sysctl -w kern.maxproc=0
or ulimit -u 0

It does NOT set it to unlimited.

[stryder]

Never EVER run sysctl -w kern.maxproc=0
or ulimit -u 0

It does NOT set it to unlimited.

No, it will set it to 0, which means you can't do ANYTHING!

If you want unlimited, set everything to like 32767.

[freedomlinux]

No, it will set it to 0, which means you can't do ANYTHING!

If you want unlimited, set everything to like 32767.

Hah! Ah, the miracle of *BSD - you get EXACTLY what you ask for.
If 0 doesn't make unlimited processes, would -1 ?

[jklmpqo]

but wut happens if you divide by zero

[PainWarlock]

No, it will set it to 0, which means you can't do ANYTHING!

If you want unlimited, set everything to like 32767.

hmmm i have an idea for a virus now lol

[Ranguvar]

That limit does seem a bit low, yeah. It's good to have a limit of ~30,000, prevents forkbombs from doing their full work.

To test immunity to a Bash forkbomb -- do NOT run this unless you're okay with a potential system lock with potential data loss of open apps! It creates many, many new processes that take up CPU and such. An attacker would likely use a more efficient version, like a C one or even ASM. http://en.wikipedia.org/wiki/Fork_bomb

:(){ :|:& };: