How to resolve “Resource temporarily unavailable” error in SSH for cPanel servers

Photo of author

Rob Woodgate

Published:

Updated:

As we’ve grown, I’ve started seeing some occasional strange errors when trying to SSH or push to GIT repositories on certain user accounts on our cPanel server.

Then today, when switching an account to PHP8, the error locked up SSH entirely, and would only go away when I rolled back to PHP7.4

Turns out, the site in question was going over the cPanel fork bomb protection limit of 35 user processes.

What Is Fork Bomb Protection?

Fork bomb protection is a cPanel option that protects your server from a user spawning so many processes that it kills the server.

A traditional fork bomb (also called rabbit virus or wabbit) is a self-replicating process (recursive function) that spawns multiple copies of itself to create a denial of service.

A classic example is the bash fork bomb:

:(){ :|:& };:

Each time the function (called “:“) runs, it calls itself TWICE, creating a rapidly escalating number of processes.

So fork bomb protection is a GOOD THING… but in this case, is set too low.

Resource temporarily unavailable

When fork bomb protection is enabled, a user account cannot have more than 35 processes.

If that limit (or others) is breached, the system will prevent the process from spawning and the dreaded “resource temporarily unavailable” message appears.

What I had not appreciated before was that this limit is for all of a user processes… including IMAP, PHP-FPM and other account specific services!

This explains the rather intermittent nature of the error – depending on how busy the site was, the process count could quickly climb as it spun up PHP processes etc!

Overriding The Fork Bomb Settings (Safely)

Turning off fork bomb protection in cPanel isn’t a great idea. It leaves the server vulnerable to misconfigurations, miscreants or malware that can quickly take the server down.

But cPanel doesn’t make it simple to configure in WHM… so you have to use the terminal.

Here’s how…

When you enable fork bomb protection in WHM, cPanel grabs the following files:

/usr/local/cpanel/etc/login_profile/limits.csh
/usr/local/cpanel/etc/login_profile/limits.sh

And copies them to:

/etc/profile.d/limits.csh
/etc/profile.d/limits.sh

It then ALSO injects the contents of limits.sh into the following files:

/etc/bashrc
/etc/profile

Sooooo, rather than edit 4 files and risk getting it messed up… the safer option is to edit both the original files, then turn fork bomb protection off and on again!

Simples!

Editing /usr/local/cpanel/etc/login_profile/limits.sh

This is what the shipped default file looks like in WHM v102:

#cPanel Added Limit Protections -- BEGIN

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
    LIMITUSER=$(/usr/bin/whoami)
fi

# Limit the user only if we are not root and are a regular user (UID greater
# than or equal to UID_MIN).
if [ "$LIMITUSER" != "root" ] &&
    ! id -Gn | grep -qsP '(^| )(wheel|sudo)( |$)' &&
    [ "$(id -u)" -ge "$( (grep -s '^UID_MIN' /etc/login.defs || echo 'x 500') | awk '{print $2}')" ]
then
    ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END

The part to change is this line:

ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null

You can set whatever limits suit you, but I set mine so the number of open files (-n) is 2048 and the number of processes (-u) is 350.

ulimit -n 2048 -u 350 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null

Editing /usr/local/cpanel/etc/login_profile/limits.csh

This is what the shipped default file looks like in WHM v102:

#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END

As with the other file, the part to change is:

limit descriptors 100
limit maxproc 35

You should make sure the numbers you set here reflect what you chose for the other file:

limit descriptors 2048
limit maxproc 350

Finally, go to WHM and switch Fork Bomb Protection OFF, then switch it back ON.

Final Thoughts

It’s possible that the default configuration files will be overwritten when you upgrade your cPanel software, and this update may be flushed through to all the other files.

So if the issue comes back, you may need to do the edits once again and turn fork bomb protection off and on again to reset things.

An alternative approach, if this happens too frequently, is to leave fork bomb protection OFF and push your own version manually, as detailed in this cPanel tutorial.

Of course, if you do it manually, you are always at risk of some helpful server admin coming along and turning the default protection back on!

So that’s why we’ve gone with the above approach… Fork Bomb protection shows as being ON in WHM, and the limits are more workable for our sites.

Leave a Comment