- Optimizing Linux System Services: A Deep Dive into Open File Limits
- Scenario
- Issue Description
- Explanation
- The scope for /etc/security/limits.conf
- PAM (Pluggable Authentication Modules)
- Command with sudo and without sudo
- CentOS and Ubuntu
- Solution
- systemd.unit
- Usage
- Example
- systemd-system.conf
- Usage
- Example
- How to Increase Number of Open Files Limit in Linux
- Find Linux Open File Limit
- Check Hard Limit in Linux
- Check Soft Limits in Linux
- How to Check System wide File Descriptors Limits in Linux
- Set User Level Open File limits in Linux
- Final thoughts
Optimizing Linux System Services: A Deep Dive into Open File Limits
This article will go through an interesting configuration topics for:
- the max open file limit with system service (systemd daemon service)
- the relation between PAM (Pluggable Authentication Modules) and /etc/security/limit.conf
- the difference between CentOS7 and Ubuntu 20.04 on this matter
Scenario
When we want to modify the limit for max open file of the Linux process, we will configure the limit in /etc/security/limit.conf . For example, to set both the soft and hard limit to 65534 for open file (file descriptors):
$ cat /etc/security/limits.conf | grep nofile * soft nofile 65534 * hard nofile 65534 $ sudo reboot $ ulimit -Hn 65534 $ ulimit -Sn 65534
Issue Description
However, under the configuration mentioned above (both the soft and hard limit to 65534 ), with AWS System Manager(SSM) Run Command function 1 to execute command, we will find that the following situations for the process on a CentOS7 instance:
- When the command is without sudo :
- The soft limit will be 1024 .
- The hard limit will be 4096 .
- The soft limit and hard limit will both be 65534
Why does the soft and hard limit of max opened file for process will be different if a command is executed with sudo or not?
Explanation
The scope for /etc/security/limits.conf
First, we need to know that the configuration in /etc/security/limits.conf is only effective for the users logged in via PAM:
$ cat /etc/security/limits.conf # /etc/security/limits.conf # #This file sets the resource limits for the users logged in via PAM. #It does not affect resource limits of the system services.
And we also notice that /etc/security/limits.conf does not affect the system services (daemon service).
PAM (Pluggable Authentication Modules)
PAM is a module to authenticate user for the programs on Linux. 2 PAM will authenticate the program (login, su etc) according to the PAM configuration in /etc/pam.d/ . For instance, the PAM configuration for sudo on CentOS 7 will be:
$ cat /etc/pam.d/sudo #%PAM-1.0 auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session include system-auth
We can further check the configuration system-auth included for sudo :
$ cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. . session optional pam_keyinit.so revoke session required pam_limits.so ======================= Use /etc/security/limit.conf .
In /etc/pam.d/system-auth , it will use a module called pam_limits.so . According to the pam_limits man page, this module will refer to /etc/security/limits.conf to set the resource limit during the user login/execute command (the period is called session):
The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of uid=0 are affected by this limits, too. By default limits are taken from the /etc/security/limits.conf config file…
Command with sudo and without sudo
Therefore, when we use SSM to execute command with sudo (authenticated through /etc/pam.d/sudo ) or execute su (authenticated through /etc/pam.d/su ) on a CentOS7 system, the PAM will use pam_limits.so module for authentication and thus the max open file limit of the process executed with sudo will refer to /etc/security/limits.conf , which is 65534 .
Without sudo the command will not go though PAM authentication, the process will inherit the limit for the parent process and the limit will be 1024 for soft limit and 4096 for hard limit in this scenario.
CentOS and Ubuntu
We can also notice that this behaviour cannot be reproduced on an Ubuntu system. It is because the PAM configuration for sudo on Ubuntu does not include pam_limits.so module:
$ cat /etc/pam.d/sudo #%PAM-1.0 session required pam_env.so readenv=1 user_readenv=0 session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 @include common-auth @include common-account @include common-session-noninteractive
We can check all the included PAM modules /etc/pam.d/common-auth , /etc/pam.d/common-account and /etc/pam.d/common-session-noninteractive , we will see none of them include pam_limits.so . Therefore, even though we execute command with sudo on Ubuntu, the process will not use the configuration in /etc/security/limits.conf .
Solution
As /etc/security/limits.conf does not affect the system service, we can configure the resource limit for system service by:
systemd.unit
Usage
In a systemd.unit, we can configure the resource limit for certain systemd service by the following steps:
When systemd pursers the service unit file for systemd service, systemd will also purser the configuration files in drop-in directory. In this way, we needn’t change any configuration in the service unit file, as mentioned in the systemd.unit man page:
Along with a unit file foo.service, a “drop-in” directory foo.service.d/ may exist. All files with the suffix “.conf” from this directory will be parsed after the unit file itself is parsed. This is useful to alter or add configuration settings for a unit, without having to modify unit files. Drop-in files must contain appropriate section headers.
Example
Take amazon-ssm-agent daemon service for example:
check the amazon-ssm-agent original max open files limit :
$ cat /proc/$(pidof amazon-ssm-agent)/limits | grep files Max open files 1024 4096 files
Create a drop-in directory:
$ sudo mkdir -p /etc/systemd/system/amazon-ssm-agent.service.d/
Add a configuration file with extension .conf :
$ sudo vi /etc/systemd/system/amazon-ssm-agent.service.d/filelimit.conf
Add these two lines (according to the man page of systemd.service:The service specific configuration options are configured in the [Service] section):
[Service] LimitNOFILE=2048:8192
Reload systemd configuration and restart the amazon-ssm-agnet daemon service:
$ sudo systemctl daemon-reload $ sudo systemctl restart amazon-ssm-agent
Confirm the amazon-ssm-agent process use the max open file limit:
$ cat /proc/$(pidof amazon-ssm-agent)/limits | grep files Max open files 2048 8192 files
systemd-system.conf
Usage
In systemd-system.conf , we can configure the limit for all the systemd service by the following step:
With the step, we needn’t to change the configuration under /etc/systemd/system.conf , as mentioned in the systemd-system.conf man page:
When run as a system instance, systemd interprets the configuration file system.conf and the files in system.conf.d directories; … By default, the configuration file in /etc/systemd/ contains commented out entries showing the defaults as a guide to the administrator. This file can be edited to create local overrides.
Example
Take sshd daemon service for example:
Check sshd max open files limit:
$ systemctl status sshd | grep -i pid Main PID: 1596 (sshd) $ cat /proc/1596/limits | grep files Max open files 1024 4096 files
Create /etc/systemd/system.conf.d directory:
$ sudo mkdir /etc/systemd/system.conf.d
Create an configuration file with extension .conf :
$ sudo vi /etc/systemd/system.conf.d/filelimit.conf
Add the following two lines (according to systemd-system.conf man page :All options are configured in the [Manager] section):
[Manager] DefaultLimitNOFILE=3072:12288
Confirm sshd process use new max open file limit:
$ systemctl status sshd | grep -i pid Main PID: 1105 (sshd) $ cat /proc/1105/limits | grep files Max open files 3072 12288 files
We can see the amazon-ssm-agent process still use its own configuration. amazon-ssm-agent will not use the systemd-wide configuration:
$ cat /proc/$(pidof amazon-ssm-agent)/limits | grep files Max open files 2048 8192 files
How to Increase Number of Open Files Limit in Linux
In Linux, you can change the maximum amount of open files. You may modify this number by using the ulimit command. It grants you the ability to control the resources available for the shell or process started by it.
In this short tutorial we will show you how to check your current limit of open files and files descriptions, but to do so, you will need to have root access to your system.
First, Lets see how we can find out the maximum number of opened file descriptors on your Linux system.
Find Linux Open File Limit
# cat /proc/sys/fs/file-max 818354
The number you will see, shows the number of files that a user can have opened per login session. The result might be different depending on your system.
For example on a CentOS server of mine, the limit was set to 818354, while on Ubuntu server that I run at home the default limit was set to 176772.
If you want to see the hard and soft limits, you can use the following commands:
Check Hard Limit in Linux
# ulimit -Hn 4096
Check Soft Limits in Linux
# ulimit -Sn 1024
To see the hard and soft values for different users, you can simply switch user with “su” to the user which limits you want to check.
# su marin $ ulimit -Sn 1024
$ ulimit -Hn 4096
How to Check System wide File Descriptors Limits in Linux
If you are running a server, some of your applications may require higher limits for opened file descriptors. A good example for such are MySQL/MariaDB services or Apache web server.
You can increase the limit of opened files in Linux by editing the kernel directive fs.file-max . For that purpose, you can use the sysctl utility.
For example, to increase open file limit to 500000, you can use the following command as root:
You can check the current value for opened files with the following command:
With the above command the changes you have made will only remain active until the next reboot. If you wish to apply them permanently, you will have to edit the following file:
Of course, you can change the number per your needs. To verify the changes again use:
Users will need to logout and login again for the changes to take effect. If you want to apply the limit immediately, you can use the following command:
Set User Level Open File limits in Linux
The above examples, showed how to set global limits, but you may want to apply limits per user basis. For that purpose, as user root, you will need to edit the following file:
If you are a Linux administrator, I suggest you that you become very familiar with that file and what you can do to it. Read all of the comments in it as it provides great flexibility in terms of managing system resources by limiting users/groups on different levels.
The lines that you should add take the following parameters:
Here is an example of setting a soft and hard limits for user marin:
## Example hard limit for max opened files marin hard nofile 4096 ## Example soft limit for max opened files marin soft nofile 1024
Final thoughts
This brief article showed you a basic example of how you can check and configure global and user level limits for maximum number of opened files.
While we just scratched the surface, I highly encourage you to have a more detailed look and read regarding /etc/sysctl.conf and /etc/security/limits.conf and learn how to use them. They will be of great help for you one day.