From: Brian Candler
To: Eric Covener
Cc: dev@httpd.apache.org
Date: Wed, 1 Mar 2006 18:31:14 +0000
Subject: Re: AW: Limiting CGIs in 2.2.0

On Wed, Mar 01, 2006 at 10:08:19AM -0500, Eric Covener wrote:
> > Hmmm... the docs explain both a "soft limit" and a "maximum limit", but
> > don't describe the difference between the two.
>
> The soft/hard limits are a notion held in the underlying
> ulimit/setrlimit facility.
>
> Unprivileged users can manipulate their soft limit to control the
> limits on how much CPU time, memory, or # of processes their programs
> can use. The "hard" limit acts as a ceiling for what the OS will let
> you adjust your soft limit to.

Also - an application can catch a signal when it reaches its soft limit
(e.g. SIGXCPU when the soft limit for CPU time has been reached), but not
when it reaches its hard limit.

But these limits are per-child. Better, in my opinion, is to capture rusage
information for each child, generate a log entry when each CGI terminates,
and then use this to generate CGI stats showing (for example) the top 20
users of CPU time by CGI path or by virtual host. You can then penalise bad
users appropriately.

However Apache doesn't support this out-of-the-box as far as I know. I did
it by modifying suexec to fork, run the child in a sub-process, and then
capture this information when the child dies.

Regards,

Brian.
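
Added example, not part of the original message and not the author's suexec change: a C wrapper that forks, runs the child in a sub-process, and reads its resource usage once it exits, producing one accounting record per CGI. The function names, the key=value record layout, the vhost and path values, and the shell loop standing in for a CGI are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[0] in the child, reap it, then read the usage of reaped
 * children. RUSAGE_CHILDREN is cumulative; it equals "this CGI" only because
 * a one-shot wrapper runs exactly one child. Returns wait status, -1 on error. */
int run_and_account(char *const argv[], struct rusage *ru)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return getrusage(RUSAGE_CHILDREN, ru) == 0 ? status : -1;
}

/* Format one accounting record (layout is an assumption of this example). */
int format_record(char *buf, size_t len, const char *vhost, const char *path,
                  int status, const struct rusage *ru)
{
    return snprintf(buf, len,
        "vhost=%s cgi=%s exit=%d utime=%ld.%06ld stime=%ld.%06ld maxrss=%ld",
        vhost, path, WIFEXITED(status) ? WEXITSTATUS(status) : -1,
        (long)ru->ru_utime.tv_sec, (long)ru->ru_utime.tv_usec,
        (long)ru->ru_stime.tv_sec, (long)ru->ru_stime.tv_usec,
        (long)ru->ru_maxrss);
}

int main(void)
{
    /* Constructed stand-in for a CGI: a short CPU-bound shell loop. */
    char *const argv[] = { "/bin/sh", "-c",
        "i=0; while [ $i -lt 20000 ]; do i=$((i+1)); done", NULL };
    struct rusage ru;
    char line[256];
    int status = run_and_account(argv, &ru);
    if (status < 0) { perror("run_and_account"); return 1; }
    format_record(line, sizeof line, "www.example.com", "/cgi-bin/demo", status, &ru);
    puts(line);                         /* one log line per terminated CGI */
    return 0;
}
```

Records in this form can be summed per cgi= or vhost= field to produce the kind of top-N CPU report the message describes.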