From: Luiz Alfredo Baggiotto
Date: Fri Mar 11 2005 - 06:47:50 EST
Hello Admins

About the problem, there is a new interesting message from Leonard J. Peirce.
It's a good explanation of the problem and how to correct it.

> Hi....
> I replied to your message but sent it directly to the Sun
> Managers mailing list in the hope it would be posted for
> everyone to see.
> I saw your summary and realized that the moderator didn't put
> mine out for everyone so I figured I'd pass it along directly to you.
>
> > Recently, I installed the openldap software on a Sun Solaris 9 box.
> > Initial tests were ok, but now that I have migrated my users to this
> > system, the ldap daemon frequently stops working. In the logs, I saw
> > this message:
> >
> > warning: cannot open /etc/hosts.allow: Too many open files
> >
> > Restarting the slapd daemon, the system works again, but with an
> > increase in network demand, the error comes back and I need to
> > restart again and again and again...
> > I searched about it on the net and I discovered something. Apparently,
> > the problem is that the number of file descriptors of the system is
> > very low (256). I used the 'plimit' command to view the information
> > of my slapd process:
>
> Boy, does this sound familiar.
> On Solaris 8 you'll need to increase the number of file
> descriptors per process by increasing rlim_fd_max in
> /etc/system.  The default for Solaris 8 is only 1024.  On
> Solaris 9 you don't need to do anything because the default
> for rlim_fd_max is 65536.  See
> You also need to set ulimit before you start slapd to be able
> to use all 65k file descriptors.
> But the biggest problem is actually in TCP wrappers.  libwrap
> likes to use standard I/O to read hosts.allow/hosts.deny and
> with accept()/open()/socket() all competing for file
> descriptors a hard-hit, multithreaded server like slapd will
> quickly run out once it hits OPEN_MAX (#defined in limits.h)
> even if rlim_fd_max is set high.
> We fought this for a while until I made some changes to
> OpenLDAP to work around the limitation in libwrap.  Basically
> I wrote a wrapper function for
> open() called stdio_safe_open().  All it does is take the
> file descriptor returned by open() and dup()'s it above
> OPEN_MAX so it stays out of the way of the fopen() call
> libwrap does when it reads hosts.allow/hosts.deny.
> I had to wire my new function in several files in the
> OpenLDAP source but it worked fine.  I sent a message to the
> PADL guys detailing what I did but never heard back from them.
> We ran into this TCP wrapper limitation in other places, too.
>  Stunnel comes immediately to mind.  There I also had to
> write wrapper functions for accept() and connect() that did
> the same thing.  Once in place stunnel worked nicely, too.
> Some day, if I get some free time, I might update TCP
> wrappers to not use standard I/O.  Until then, if anyone
> wants the standard I/O safe versions of accept(), connect(),
> and open() I can send them out.

> Leonard J. Peirce                    Email:
> Senior UNIX System Administrator
> Western Michigan University
> Office of Information Technology
> Kalamazoo, MI  49008                 Phone:  (269) 387-5430
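
The workaround described in the quoted message, sketched in C as an added example (it is not Leonard Peirce's code, which the thread does not include). It uses fcntl(F_DUPFD) as the standard way to duplicate a descriptor at or above a chosen number; STDIO_FD_FLOOR, lift_fd() and stdio_safe_accept() are assumed names, and 256 is an assumed stand-in for OPEN_MAX.

```c
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumption: 256 stands in for the OPEN_MAX value the message refers to. */
#define STDIO_FD_FLOOR 256

/* Move fd to a free slot >= STDIO_FD_FLOOR, or return it unchanged. */
static int lift_fd(int fd)
{
    int fdflags, high;
    if (fd < 0 || fd >= STDIO_FD_FLOOR)
        return fd;
    fdflags = fcntl(fd, F_GETFD);
    high = fcntl(fd, F_DUPFD, STDIO_FD_FLOOR);
    if (high < 0)
        return fd;   /* limit too low or table full: keep the low fd */
    if (fdflags > 0 && (fdflags & FD_CLOEXEC))
        fcntl(high, F_SETFD, FD_CLOEXEC);   /* F_DUPFD clears this flag */
    close(fd);       /* the low slot is free again for fopen() */
    return high;
}

/* Hypothetical re-creation of the open() wrapper named in the message. */
int stdio_safe_open(const char *path, int flags, ...)
{
    int mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    return lift_fd(open(path, flags, (mode_t)mode));
}

/* Same treatment for accepted connections (the stunnel case). */
int stdio_safe_accept(int s, struct sockaddr *addr, socklen_t *len)
{
    return lift_fd(accept(s, addr, len));
}

int main(void)
{
    printf("fd = %d\n", stdio_safe_open("/dev/null", O_RDONLY));
    return 0;
}
```

The descriptor limit still has to be raised above the floor before the daemon starts; otherwise F_DUPFD fails and the wrapper falls back to the low descriptor.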
