hardening window against NewsBruiser



The NewsBruiser process balrog arose from the pit at around 23:30 UTC
December 7. We're pretty sure the Pearl Harbor anniversary is unrelated.
Alexander Larsson's blog has a bunch of pictures for the new search in
Nautilus, and this blog entry got picked up by both GNOMEDesktop.org and
OSNews.com. Things went downhill from there as the NB code attempted to
parse all the images through a Python script.

Bugzilla users were first to report the problem in #sysadmin, and
process count and load average spiked so high that creating new ssh
connections became impossible.

I don't have phone contact info for Matt Galgoci, so I phoned Owen who
in turn contacted Matt who then had window.g.o power-cycled.

When it came back up I stopped httpd and applied a quick fix. Owen then
made his own tweaks, and between the two methods it seems we have a
temporary, Apache-supplied fix for the NB issue, however inelegant it
may be.

Both changes affect only blogs.g.o and are implemented through its
Apache vhost entry. My solution was a CPU and child process throttle,
which is:

RLimitCPU 60 60
RLimitNPROC 10 10

This limits any single process to 60 seconds of CPU time, and limits to
10 the number of processes that can be launched by processes launched by
Apache children.

Owen implemented a mod-cache fix, which is:

CacheEnable mem /

Hopefully Owen's fix will do 90% of the heavy lifting, while mine will
be there to mop up overflow.

Sorry for the window outage, hopefully NB will be happy to live inside
its walled garden.

./k

kurt von finck
-- 
http://www.mneptok.com
mneptok mneptok com
--
public key at: pgp.mit.edu
server key id: 5229D26A
--
Success is more a function of consistent common sense than it is of
genius. - An Wang
--
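
Added illustration, not part of the original message: Apache's RLimitCPU takes a soft and a maximum value in seconds and applies them as the operating system's CPU-time resource limit on processes launched by httpd children. The Python sketch below sets the same kind of limit (RLIMIT_CPU) on a child process to show what a runaway script runs into. The 1 and 2 second values, the two child commands, and the helper names run_with_cpu_limit and describe are constructed for the demo.

```python
import resource
import signal
import subprocess
import sys


def run_with_cpu_limit(argv, soft_seconds, hard_seconds, wall_timeout=30):
    """Run argv with RLIMIT_CPU applied to the child only; return its status."""
    def apply_limit():
        # Executed in the child between fork and exec, so the parent
        # (the stand-in for the web server) keeps its own limits.
        _, current_hard = resource.getrlimit(resource.RLIMIT_CPU)
        hard = hard_seconds
        if current_hard != resource.RLIM_INFINITY:
            # An unprivileged process cannot raise its hard limit.
            hard = min(hard, current_hard)
        resource.setrlimit(resource.RLIMIT_CPU, (min(soft_seconds, hard), hard))

    proc = subprocess.run(
        argv,
        preexec_fn=apply_limit,
        timeout=wall_timeout,  # wall-clock backstop; RLIMIT_CPU counts CPU time only
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode


def describe(returncode):
    """Turn a subprocess return code into a readable outcome."""
    if returncode < 0:
        return "killed by " + signal.Signals(-returncode).name
    return "exited with status %d" % returncode


# Constructed stand-ins for a script that spins on the CPU and one that does not.
RUNAWAY = [sys.executable, "-c", "while True: pass"]
WELL_BEHAVED = [sys.executable, "-c", "print(sum(range(1000)))"]

if __name__ == "__main__":
    # Soft limit 1 s: the kernel sends SIGXCPU. Hard limit 2 s: SIGKILL follows
    # if the process catches or ignores SIGXCPU and keeps burning CPU.
    print("runaway:     ", describe(run_with_cpu_limit(RUNAWAY, 1, 2)))
    print("well-behaved:", describe(run_with_cpu_limit(WELL_BEHAVED, 1, 2)))
```

The limit counts CPU seconds consumed, not elapsed time, so a child that sleeps or blocks on I/O is not stopped by it.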



