Symantec Access Management

  • 1.  File descriptors not fully used by the policy server in Red Hat 7

    Posted Mar 22, 2019 11:44 AM

    Currently, our /etc/security/limits.conf has the following entry:

    smuser           -       nofile          8192

    However, when we see how many file descriptors the policy server is using (using the 'smpolicysrv -stats' command), we see the following:

    Server 'Stats' command received
    [6776/139631865247488][Fri Mar 22 2019 15:30:01][CServer.cpp:4840][INFO][sm-Server-01990] ===================================================================================
    [6776/139631865247488][Fri Mar 22 2019 15:30:01][CServer.cpp:4841][INFO][sm-Server-02000] System Statistics
    [6776/139631865247488][Fri Mar 22 2019 15:30:01][CServer.cpp:4847][INFO][sm-Server-02010] Available file descriptors: 4096

    The policy server reports 4096 and not 8192.

    This is happening in Red Hat 7 with policy server R12.8SP2.

    In Red Hat 6 with policy server 12.6, we did not see this behavior. We would see the full usage of 8192.

    Has anyone seen this behavior? Any ideas?



  • 2.  Re: File descriptors not fully used by the policy server in Red Hat 7

    Posted Mar 22, 2019 03:55 PM

    Does your smuser have anything in the profile which might be overriding the /etc/security/limits.conf?



  • 3.  Re: File descriptors not fully used by the policy server in Red Hat 7

    Posted Apr 04, 2019 10:37 AM

    I don't think so. This started as a barebones Red Hat 7 box with the added new R12.8SP02 Policy Server. Not sure where a value would supersede the one in the limits.conf file. If I do the 'ulimit -n' command as smuser, I see the correct 8192 value.



  • 4.  Re: File descriptors not fully used by the policy server in Red Hat 7
    Best Answer

    Posted Apr 07, 2019 07:23 PM

    The problem was that in Red Hat 7, in the /etc/systemd/system policy server .service file, you have to add the following line under [Service]:

    LimitNOFILE=8192

    Then subsequently run the 'systemctl daemon-reload'.

    Otherwise, the policy server does not pick up the right available file descriptors from the OS and defaults to an insufficient value.
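
Added example, not part of the thread and not vendor code: a shell check that compares the nofile value in limits.conf, the LimitNOFILE in a unit's [Service] section, and the soft limit a process actually has in a saved copy of /proc/<pid>/limits. limits.conf is applied by pam_limits to PAM sessions such as logins, which is why 'ulimit -n' as smuser can show 8192 while a service started by systemd takes its limit from the unit file or systemd's defaults. The file names and sample contents are constructed.

```shell
#!/usr/bin/env bash
# Sample file contents below are constructed for this example.

# nofile value for a user in a limits.conf-style file (last matching line wins;
# soft/hard types are not distinguished in this sketch)
limits_conf_nofile() {  # $1=user $2=file
  awk -v u="$1" '$1 == u && $3 == "nofile" { v = $4 } END { print v }' "$2"
}

# LimitNOFILE from the [Service] section of a unit file; empty if not set
unit_nofile() {  # $1=unit file
  awk -F= '/^\[/ { svc = ($0 == "[Service]") }
           svc && $1 == "LimitNOFILE" { v = $2 } END { print v }' "$1"
}

# Soft "Max open files" value from a saved copy of /proc/<pid>/limits
proc_nofile() {  # $1=file
  awk '/^Max open files/ { print $4 }' "$1"
}

# 0: process limit matches the unit; 1: unit sets no limit and the process
# differs from limits.conf; 2: unit sets a limit the process does not have
check() {  # $1=user $2=limits.conf $3=unit file $4=proc limits copy
  local want unit got
  want=$(limits_conf_nofile "$1" "$2"); unit=$(unit_nofile "$3"); got=$(proc_nofile "$4")
  if [ -z "$unit" ]; then
    [ "$got" = "$want" ] && { echo "OK: $got"; return 0; }
    echo "unit has no LimitNOFILE: process=$got limits.conf=$want"; return 1
  fi
  [ "$got" = "$unit" ] && { echo "OK: $got"; return 0; }
  echo "unit LimitNOFILE=$unit not in effect: process=$got"; return 2
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'smuser           -       nofile          8192\n' > "$d/limits.conf"
printf '[Unit]\nDescription=sample\n[Service]\nUser=smuser\n' > "$d/before.service"
printf '[Unit]\nDescription=sample\n[Service]\nUser=smuser\nLimitNOFILE=8192\n' > "$d/after.service"
printf 'Limit   Soft Limit   Hard Limit   Units\nMax open files   4096   4096   files\n' > "$d/proc4096"
printf 'Limit   Soft Limit   Hard Limit   Units\nMax open files   8192   8192   files\n' > "$d/proc8192"

check smuser "$d/limits.conf" "$d/before.service" "$d/proc4096" || true  # state before the fix
check smuser "$d/limits.conf" "$d/after.service"  "$d/proc8192"          # state after the fix
```

On a real host, pass the actual unit file and a copy of /proc/<pid>/limits for the running policy server process in place of the sample files.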