Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

inotify FD - why is the limit per user id and not per process?

Tags:

linux

linux-kernel

inotify

In Linux, limit on the number of inotify instances a process can have open is limited by a per user-id max number, specified in /proc/sys/fs/inotify/max_user_instances

Natural thing would be to limit it per process, like file FDs for example. Since the inotify FDs are limited by the user id, its more likely to hit the limit on servers where many processes might run with the same user id. But I guess there has to be a reason for this ?

This is a programming question because I have to use inotify in my code and want to set the right limit for the system.

like image 904
Manohar Avatar asked Jun 19 '12 22:06

Manohar

People also ask

What is inotify watch limit?

inotify requires kernel resources (memory and processor) for each file it tracks. As a result, the Linux kernel limits the number of file watchers that each user can register. The default settings vary according to the host system distribution; on Ubuntu 20.04 LTS, the default limit is 8,192 watches per instance.

What are inotify watchers?

Inotify Watch helps to keep track of the file changes under the directories on “watch” and report back to the application in a standard format using the API calls. We can monitor multiple file events under the watched directory using the API calls.

What is FS inotify Max_user_watches?

inotify. max_user_watches define user limits on the number of inotify resources and inotify file watches. If these limits are reached, you may experience processes failing with error messages related to the limits, for example: ENOSPC: System limit for number of file watchers reached...

Video Answer

1 Answers

The reason is to prevent non-root users DoSing the system by watching lots of files using inotify. inotify structures require non-negligible amount of memory to maintain (and it can't be swapped out to disk), so there needs to be some limit on how much non-privileged can commit.

epoll used to have similar restrictions (max_user_instances and max_user_watches), although in the end max_user_instances was removed and max_user_watches was just set to be 4% of memory.

A similar patch should probably be submitted for inotify, but hasn't been so far.

File descriptors are limited on a per-process basis for a completely different reason: when a process starts a file descriptor table is allocated and its size is proportional to the maximum allowed number of file descriptors. Keeping this as small as possible reduces the per-process memory overhead.

like image 139
jleahy Avatar answered Oct 18 '22 07:10

jleahy
Sign in to Comment

Related questions

Avoiding exporting symbols from executables on Linux
How can I find the connected components of a graph in Perl?
Setting Encoding format to java in shell Script
Is CLOCK_MONOTONIC process (or thread) specific?
Invalid max count in grep function
Find the default application name for a given file
Call a C program from php and read program output
How do I write a custom auto-crop script using the GIMP?
How to get the address of a kernel module that was inserted using insmod?
Check total file size of a specific directory for a specific user
unable to set variable in case statement bash
Is there a way to automatically determine dependencies when setting up a dpkg control file?
How to implement deterministic malloc
How can I find and delete files based on date in a linux shell script without find?
How to compile objc code on Linux?
explanation of D_GNU_SOURCE Why to use it and when?
How to get good performance when writing a list of integers from 1 to 10 million to a file?
metadata editing in bash linux for multimedia files(not images) in linux [closed]
How to get system statistics with node.js
How to uninstall Python2.6

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!