bash: fork: Resource temporarily unavailable

avalchfan

Registered
May 8, 2006
Thanks for this!

But beware, don't do like I did and ONLY cut and paste the new lines. Be sure to copy ALL the lines, as the if/then statement has changed order.

Took me a while to notice that the order had changed. :)

Anyway, thanks for this!

John.
 

sureshm

Registered
Nov 5, 2006
It is not safe to give the nproc (max user processes) value the same as the root user: 14335.

Reduce it according to your needs.

You can also change it in the limits.conf file for a single user or for all users [use the wildcard *].

Also, try setting soft and hard limit for users.

# ps aux | grep USERNAME | grep -v grep | wc -l

to check the number of open processes and compare it with the "ulimit -u" value of the user.
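
The check described in the post above, as an added example that is not part of the original thread: it counts processes per exact owner name and compares the count with the soft nproc limit from a limits.conf-style file. The function names, user names and sample data are constructed for illustration, and @group entries are ignored as a simplification.

```shell
# Added example: per-user process count versus soft nproc limit.
# On a live host: ps -eo user= > ps.txt; nproc_report /etc/security/limits.conf ps.txt

# Constructed limits.conf fragment: wildcard default plus one per-user override.
sample_limits() {
cat <<'EOF'
# <domain>  <type>  <item>  <value>
*           soft    nproc   20
*           hard    nproc   30
gamesrv     soft    nproc   150
gamesrv     hard    nproc   200
EOF
}

# Constructed stand-in for `ps -eo user=` output (one owner name per process).
sample_ps() {
    i=0; while [ "$i" -lt 19 ]; do echo alice; i=$((i + 1)); done
    i=0; while [ "$i" -lt 40 ]; do echo gamesrv; i=$((i + 1)); done
    echo bob; echo bob
}

# nproc_report LIMITS_FILE PS_FILE
# Prints "user count soft_limit status" for every process owner, sorted.
# A per-user entry overrides the "*" entry.
nproc_report() {
    awk '
        NR == FNR {                      # first file: the limits
            sub(/#.*/, "")               # strip comments
            if ($3 == "nproc" && ($2 == "soft" || $2 == "-")) lim[$1] = $4
            next
        }
        NF { count[$1]++ }               # second file: one owner per line
        END {
            for (u in count) {
                l = (u in lim) ? lim[u] : lim["*"]
                if (l == "" || l == "unlimited") s = "NOLIMIT"
                else if (count[u] >= l + 0)      s = "AT_LIMIT"
                else if (count[u] * 10 >= l * 9) s = "NEAR"   # within 10%
                else                             s = "OK"
                print u, count[u], (l == "" ? "-" : l), s
            }
        }' "$1" "$2" | sort
}
```

A user reported as NEAR or AT_LIMIT is the one whose next fork is likely to fail with "Resource temporarily unavailable".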
 

ispro

Well-Known Member
Verified Vendor
Apr 8, 2004
Patches for cPanel's Shell Fork Bomb Protection

Hi, there.

Noticed that some customers are having such problems and would like to freely show how we get rid of this problem (it is just one single part of our server management service - feel free to contact me for details).

First of all, create four patch files from the examples below; you may create them in the /root directory as a safe place:

/root/bashrc.patch:
Code:
--- bashrc	2008-07-12 21:11:45.000000000 +0300
+++ bashrc.patched	2008-07-13 00:39:41.000000000 +0300
@@ -78,8 +78,20 @@
         LIMITUSER=`/usr/bin/whoami`
 fi
-if [ "$LIMITUSER" != "root" ]; then
-        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
-else
+# Patch to set higher limits for users listed one each line at /etc/profile.exclude
+if [ -s "/etc/profile.exclude" ]; then
+	EXCLUDE=`grep -m1 -c "^$LIMITUSER$" /etc/profile.exclude`
+fi
+# Root limits
+if [ "$LIMITUSER" == "root" ]; then
         ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
+# Patch to set higher limits for system users
+elif [ "$LIMITUSER" == "mysql" ] || [ "$LIMITUSER" == "postgres" ] || [ "$LIMITUSER" == "nobody" ] || [ "$LIMITUSER" == "apache" ] || [ "$LIMITUSER" == "nginx" ] || [ "$LIMITUSER" == "nagios" ]; then
+        ulimit -n 4096 -u 200 -m unlimited -d unlimited -s 8192 -c 0 -v unlimited 2>/dev/null
+# Force higher limits for listed users
+elif [ "E$EXCLUDE" == "E1" ]; then
+	ulimit -n 4096 -u 200 -m unlimited -d unlimited -s 8192 -c 0 -v unlimited 2>/dev/null;
+# Others
+else
+        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
 fi
 #cPanel Added Limit Protections -- END
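Review bot: EXCLUDE is only assigned inside the `[ -s "/etc/profile.exclude" ]` test, so when that file is missing or empty the later `[ "E$EXCLUDE" == "E1" ]` check runs on whatever EXCLUDE value is already in the environment instead of a known default. Set `EXCLUDE=0` before the `-s` test, as the limits.csh patch does with `setenv EXCLUDE 0`.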
/root/profile.patch:
Code:
--- profile	2008-07-12 21:11:18.000000000 +0300
+++ profile.patched	2008-07-13 00:39:49.000000000 +0300
@@ -8,8 +8,20 @@
         LIMITUSER=`/usr/bin/whoami`
 fi
-if [ "$LIMITUSER" != "root" ]; then
-        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
-else
+# Patch to set higher limits for users listed one each line at /etc/profile.exclude
+if [ -s "/etc/profile.exclude" ]; then
+	EXCLUDE=`grep -m1 -c "^$LIMITUSER$" /etc/profile.exclude`
+fi
+# Root limits
+if [ "$LIMITUSER" == "root" ]; then
         ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
+# Patch to set higher limits for system users
+elif [ "$LIMITUSER" == "mysql" ] || [ "$LIMITUSER" == "postgres" ] || [ "$LIMITUSER" == "nobody" ] || [ "$LIMITUSER" == "apache" ] || [ "$LIMITUSER" == "nginx" ] || [ "$LIMITUSER" == "nagios" ]; then
+        ulimit -n 4096 -u 200 -m unlimited -d unlimited -s 8192 -c 0 -v unlimited 2>/dev/null
+# Force higher limits for listed users
+elif [ "E$EXCLUDE" == "E1" ]; then
+	ulimit -n 4096 -u 200 -m unlimited -d unlimited -s 8192 -c 0 -v unlimited 2>/dev/null;
+# Others
+else
+        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
 fi
 #cPanel Added Limit Protections -- END
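Review bot: the new tests use `==` inside `[ ]` (for example `[ "$LIMITUSER" == "root" ]`), which is a bash extension, whereas the removed line used the portable `!=`. /etc/profile is also read by other Bourne-type login shells, where `==` can fail with an operator error; each test then returns non-zero and every user, root included, falls through to the final `else` branch. Use `=` in all of these comparisons.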
/root/limit.csh.patch:
Code:
--- limits.csh	2008-07-12 21:11:34.000000000 +0300
+++ limits.csh.patched	2008-07-13 01:02:28.000000000 +0300
@@ -4,12 +4,13 @@
         setenv LIMITUSER `whoami`
 endif
-if ( "$LIMITUSER" != "root" ) then
-        limit descriptors 100
-        limit maxproc 20
-        limit memoryuse 200000
-        limit datasize 200000
-        limit stacksize 8192
-        limit coredumpsize 200000
+# Patch to set higher limits for users listed one each line at /etc/profile.exclude
+if ( -s "/etc/profile.exclude" ) then
+	setenv EXCLUDE `grep -m1 -c "^$LIMITUSER"$ /etc/profile.exclude`
 else
+	setenv EXCLUDE 0
+endif
+# Patch to set higher limits for system users
+# Root limits
+if ( "$LIMITUSER" == "root" ) then
         limit descriptors 4096
         limit maxproc 14335
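Review bot: in `grep -m1 -c "^$LIMITUSER"$ /etc/profile.exclude` the account name is used as a regular expression, so a name containing a character such as `.` can match a different line of the list. A fixed-string, whole-line match (grep -F -x) avoids that. Separately, the comment "# Patch to set higher limits for system users" directly above "# Root limits" describes a branch that only appears in the next hunk and can be dropped here.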
@@ -18,4 +19,28 @@
         limit stacksize 8192
         limit coredumpsize 1000000
+# Patch to set higher limits for system users
+else if ( "$LIMITUSER" == "mysql" || "$LIMITUSER" == "postgres" || "$LIMITUSER" == "nobody" || "$LIMITUSER" == "apache" || "$LIMITUSER" == "nginx" || "$LIMITUSER" == "nginx" || "$LIMITUSER" == "nagios" ) then
+        limit descriptors 4096
+        limit maxproc 200
+        limit memoryuse unlimited
+        limit datasize unlimited
+        limit stacksize 8192
+        limit coredumpsize 0
+# Force higher limits for listed users
+else if ( "E$EXCLUDE" == "E1" ) then
+        limit descriptors 4096
+        limit maxproc 200
+        limit memoryuse unlimited
+        limit datasize unlimited
+        limit stacksize 8192
+        limit coredumpsize 0
+# Others
+else
+        limit descriptors 100
+        limit maxproc 20
+        limit memoryuse 200000
+        limit datasize 200000
+        limit stacksize 8192
+        limit coredumpsize 200000
 endif
 #cPanel Added Limit Protections -- END
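Review bot: the system-user condition tests `"$LIMITUSER" == "nginx"` twice; the second copy is redundant and makes the list differ from the six names in the sh patches. The system-user branch and the `"E$EXCLUDE" == "E1"` branch also set the same six limits, so they could be one `else if` with both conditions joined by `||`.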
/root/limit.sh.patch:
Code:
--- limits.sh	2008-07-12 21:11:28.000000000 +0300
+++ limits.sh.patched	2008-07-13 00:40:01.000000000 +0300
@@ -8,8 +8,20 @@
         LIMITUSER=`/usr/bin/whoami`
 fi
-if [ "$LIMITUSER" != "root" ]; then
-        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
-else
+# Patch to set higher limits for users listed one each line at /etc/profile.exclude
+if [ -s "/etc/profile.exclude" ]; then
+	EXCLUDE=`grep -m1 -c "^$LIMITUSER$" /etc/profile.exclude`
+fi
+# Root limits
+if [ "$LIMITUSER" == "root" ]; then
         ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
+# Patch to set higher limits for system users
+elif [ "$LIMITUSER" == "mysql" ] || [ "$LIMITUSER" == "postgres" ] || [ "$LIMITUSER" == "nobody" ] || [ "$LIMITUSER" == "apache" ] || [ "$LIMITUSER" == "nginx" ] || [ "$LIMITUSER" == "nagios" ]; then
+        ulimit -n 4096 -u 200 -m unlimited -d unlimited -s 8192 -c 0 -v unlimited 2>/dev/null
+# Force higher limits for listed users
+elif [ "E$EXCLUDE" == "E1" ]; then
+	ulimit -n 4096 -u 200 -m unlimited -d unlimited -s 8192 -c 0 -v unlimited 2>/dev/null;
+# Others
+else
+        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
 fi
 #cPanel Added Limit Protections -- END
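Review bot: the system-user `elif` and the `elif [ "E$EXCLUDE" == "E1" ]` branch run the same ulimit line, so a later change to one can easily miss the other. A single branch, for example a `case "$LIMITUSER" in mysql|postgres|nobody|apache|nginx|nagios)` that also covers the EXCLUDE match, would keep the raised limits in one place. The trailing `;` on the EXCLUDE branch and the mix of tab and space indentation are worth cleaning up at the same time.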
Then create a patch executor file, or just add the following to your nightly/weekly/any other cron job:
Code:
cd /etc
cat /root/bashrc.patch | patch -p0 -s -t -N --no-backup-if-mismatch; /bin/rm -f bashrc.rej*;
cat /root/profile.patch | patch -p0 -s -t -N --no-backup-if-mismatch; /bin/rm -f profile.rej*;
cd /etc/profile.d
cat /root/limits.csh.patch | patch -p0 -s -t -N --no-backup-if-mismatch; /bin/rm -f limits.csh.rej*;
cat /root/limits.sh.patch | patch -p0 -s -t -N --no-backup-if-mismatch; /bin/rm -f limits.sh.rej*;
cd /scripts2/patches
Execute the code (make sure you have disabled and enabled "Shell Fork Bomb Protection" at "Main >> Security >> Security Center" just to clean the files of your custom changes) and you are done!

What are the patches doing? They set specific limits for system users (we assume them to be mysql, postgres, nobody, apache, nagios and nginx) and high limits for usernames listed in /etc/profile.exclude.

Enjoy!

P.S. As said, you may contact us for all server management needs.
 

Mat-d-rat

Well-Known Member
Jul 30, 2003
Trying this out on my server, as I have an account running a small game server that keeps getting the axe :) The execute is set in your example to call limits.xxx yet you set the files to limit.xxx (minor change). But when I run this I get a bunch of "patch unexpectedly ends in middle of line" and the folder /script2/patches doesn't exist. I used cpanel to create the files and cut and paste from here, so that could be why (I'll try again now and edit them on my c /upload)
 

Mat-d-rat

Well-Known Member
Jul 30, 2003
OK, that worked better (must have used the wrong charset). Any reason for the cd at the end? profile.exclude - simple text file with a list of accounts?
 

Mat-d-rat

Well-Known Member
Jul 30, 2003
Second question - you don't set the maximum time limit at all? How do I add that in, or where is the default to change?