Linux reload limits conf

linux security limits.conf deciding user limits process limits for nginx server

ulimit command is pretty useful but changes or not permanent.

if system restarts data will be wiped in memory.

for permanent changes to save a file. limits.conf

ulimit command is helpful to know current settings and adjust new settings instantly in shared memory.

follow ulimit command tutorial here.

root@instance-1:~# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#
#
#Where:
# can be:
# – a user name
# – a group name, with @group syntax
# – the wildcard *, for default entry
# – the wildcard %, can be also used with %group syntax,
# for max login limit
# – NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, must be
# the literal username root.
#
# can have the two values:
# – “soft” for enforcing the soft limits
# – “hard” for enforcing hard limits
#
# can be one of the following:
# – core – limits the core file size (KB)
# – data – max data size (KB)
# – fsize – maximum file size (KB)
# – memlock – max locked-in-memory address space (KB)
# – nofile – max number of open file descriptors
# – rss – max resident set size (KB)
# – stack – max stack size (KB)
# – cpu – max CPU time (MIN)
# – nproc – max number of processes
# – as – address space limit (KB)
# – maxlogins – max number of logins for this user
# – maxsyslogins – max number of logins on the system
# – priority – the priority to run user process with
# – locks – max number of file locks the user can hold
# – sigpending – max number of pending signals
# – msgqueue – max memory used by POSIX message queues (bytes)
# – nice – max nice priority allowed to raise to values: [-20, 19]
# – rtprio – max realtime priority
# – chroot – change root to directory (Debian-specific)
#
#
#

#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp – chroot /ftp
#@student – maxlogins 4

Every process need at least 1-3 file descriptors or open files, every network connection = process/ thread

Don’t’ forget to set No Limit files values in mysql.php-fpm,nginx config files

verify those because those are mostly system defaults.

Faqs on etc/security/limits.conf

What is soft limit and hard limit in Linux?

soft limit can stretch upto hard limit. (maximum value that is allowed for the soft limit.)

A soft limit can be changed by the process at any time

Hard limit needed root access. (can only be raised by root)

root@instance-1:~# ulimit -Hn
100000
root@instance-1:~# ulimit -Sn
100000

root@instance-1:~# ulimit -n (default is soft limit for process)
100000

Do changes in ETC security limits Conf require a reboot?

Yep! only /etc/security/limis.conf

to avoid use ulimit command to set values shared memory until restart

also add same values in sysctl.conf and security/limits.conf

Источник

modify and apply limits.conf without reboot

However when I run ulimit -n it says 1024 which is the default value. I did a logout and login but still see 1024. How can I apply the change?

2 Answers 2

If you’re using bash , ulimit -n will only display the soft limit. To get the hard limit, you need to do ulimit -Hn .

$ ulimit -n 1024 $ ulimit -Hn 4096 

Changes made by ulimit command will be applied immediately without reboot (for new processes)

$ ulimit -n 4096 # set soft limit $ ulimit -Hn 16384 # set hard limit 

Also prlimit command (from util-linux package on Debian) can be used to check (or modify) limit value (for current shell):

$ prlimit RESOURCE DESCRIPTION SOFT HARD UNITS AS address space limit unlimited unlimited bytes CORE max core file size 0 unlimited bytes . 

Limits can be configured per-process, you can check it using:

cat /proc//limits # where is replaced by actual process ID prlimit -p 4562 # or using prlimit 

For modifying the limit is syntax is following:

set maximum number of opened files for process 4561 :

prlimit --pid 4561 --nofile=128051:256102 

In order to make such changes permanent, you have to modify /etc/security/limits.conf by adding your limits:

* soft nofile 4096 * hard nofile 16384 

However, wildcard * won’t apply for root user. In order to do so, you have to state it explicitly:

* soft nofile 4096 * hard nofile 16384 root soft nofile 4096 root hard nofile 16384 

These limits will be applied after creating a new session (of course after reboot). Switch to another user using su or login via ssh and check the updated limits:

su - myuser ulimit -Sa ulimit -Ha 

NOTE: Usually some service is running out of resources, be sure to check limits also on process level (having largest possible value for root user is not a solution). If value configured in /etc/security/limits.conf is too large (not supported on your kernel), the default value will be used instead.

On systemd systems there are /etc/systemd/user.conf ( /etc/systemd/user.conf.d/*.conf for user-specific values) config where limits per user can be overriden:

[Manager] DefaultLimitAS=4G:16G DefaultLimitNOFILE=1048576 

Also there /etc/systemd/system.conf for system-wide configuration.

Some older distributions had issues with applying limits immediately, where modifying /etc/pam.d/common-session or /etc/pam.d/login would help. This is usually not necessary:

session required pam_limits.so 

Make sure to check /var/log/auth.log first, when you’re having issues with applying limits.

Источник

do changes in /etc/security/limits.conf require a reboot?

Do changes in /etc/security/limits.conf require a reboot before taking effect? For example, if I have a script that sets the following limits in /etc/security/limits.conf , does this require a system reboot before those limits will take effect?

* hard nofile 94000 * soft nofile 94000 * hard nproc 64000 * soft nproc 64000 

5 Answers 5

No but you should close all active sessions windows. They still remember the old values. In other words, log out and back in. Every remote new session or a local secure shell take effect of the limits changes.

What if I want to set the limits for a user that doesn’t have a login, like if I want to set the nofile limit to 94000 for the mongodb user? How’d I do that without a reboot? Would I just need to restart the mongodb service?

@Gilles, thanks for the precisions, I edited my answer to to avoid ambiguity. However Starting a new service using sudo service mongodb restart is enough to let the service running with the new limit values.

if you are using Ubuntu, and mongodb is started by upstart, then changing these limits will not affect mongodb. As upstart does not read /etc/security config bugs.launchpad.net/ubuntu/+source/upstart/+bug/938669 you must set limit stanza in its upstart config file.

Apply the changes directly to a running process if you have prlimit installed (comes with util-linux-2.21)

prlimit --pid 12345 --nofile=1024:2048 

If you aren’t root, you are still bound by the settings in limits.conf, so the original question still comes into play (if you are relying on a modification to the hard limit, for example).

To temporarily set the open files limit for the user you are currently logged in under (e.g. ‘root’):You can also use the ulimit command to change the values in your current shell. However, hard limits can only be adjusted downwards unless you’re root.

# ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 62449 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) unlimited open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 10240 cpu time (seconds, -t) unlimited max user processes (-u) 1024 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited 

To change the nofile to 94000 you can do:

Источник

изменения в /etc/security/limits.conf требуют перезагрузки?

/etc/security/limits.conf Требуют ли изменения перезагрузки перед вступлением в силу?

Например, если у меня есть сценарий, который устанавливает следующие ограничения /etc/security/limits.conf , требует ли это перезагрузки системы, чтобы эти ограничения вступили в силу?

* hard nofile 94000 * soft nofile 94000 * hard nproc 64000 * soft nproc 64000 

Нет, но вы должны закрыть все активные окна сеансов. Они до сих пор помнят старые ценности. Другими словами, выйдите из системы и снова войдите в нее. Каждый новый удаленный сеанс или локальная безопасная оболочка вступают в силу изменений ограничений .

Что если я хочу установить ограничения для пользователя, у которого нет логина, например, если я хочу установить nofile ограничение 94000 для mongodb пользователя? Как я мог это сделать без перезагрузки? Нужно ли просто перезапустить mongodb сервис?

@ Жиль, спасибо за точность, я отредактировал свой ответ, чтобы избежать двусмысленности. Однако sudo service mongodb restart запуска нового сервиса с использованием достаточно, чтобы сервис работал с новыми предельными значениями.

Если вы используете Ubuntu, и mongodb запускается программой upstart, то изменение этих ограничений не повлияет на mongodb. Так upstart как не читает / etc / security config bugs.launchpad.net/ubuntu/+source/upstart/+bug/938669, вы должны установить limit stanza в его файле конфигурации upstart.

Это другая проблема. upstart по конструкции игнорирует ограничения, установленные в /etc/security/limits.conf .

Примените изменения непосредственно к работающему процессу, если у вас установлен prlimit (поставляется с util-linux-2.21)

prlimit --pid 12345 --nofile=1024:2048 

Чтобы временно установить лимит открытых файлов для пользователя, в котором вы в данный момент находитесь (например, «root»): Вы также можете использовать ulimit команду для изменения значений в вашей текущей оболочке. Однако жесткие ограничения могут быть скорректированы только вниз, если вы не root.

# ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 62449 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) unlimited open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 10240 cpu time (seconds, -t) unlimited max user processes (-u) 1024 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited 

Для того, чтобы изменить nofile к 94000 вы можете сделать:

Источник

Reload /etc/security/limits.conf

As far as I can see, I should be able to do that in /etc/security/limits.conf (or in /etc/security/limits.d/* ):

* soft rss 64000000 * hard nofile 50000 * soft nofile 1024 

I can, however, not find a way reload these values with out rebooting. I have read that the values are reloaded when logging in; it works when I do su — user but it does not work through ssh user@localhost .

I have the pam_limits.so in /etc/pam.d:

/etc/pam.d/login:session required pam_limits.so /etc/pam.d/sshd:session required pam_limits.so /etc/pam.d/su:session required pam_limits.so 

I have PAM in sshd_config:

/etc/ssh/sshd_config:UsePAM yes 

I know I can set the values using ulimit and sysctl , but I would like to test that the /etc/security/limits.conf is doing the right thing without rebooting.

How can I make sure that the values are being set when people login using ssh without rebooting?

Best Answer

A restart of sshd is only needed if UsePAM was changed from no to yes.

Disabling my own ~/.ssh/config was needed very much!

I had Control * statements in my ~/.ssh/config which re-used the ssh channel and thus I would not discover the change.

Thanks to Samed Beyribey and quanta, whose help gave me the idea to run ssh -vv which gives very different output when you have Control * statements.

Related Solutions

Linux – Setup “open files” limit in Linux per user. Cannot setup more than 1024

I suspect runuser doesn’t go through PAM’s «login» process that applies limits.conf, or maybe pam_limits.so is disabled. In Debian, at least, /etc/pam.d/su has pam_limits.so commented out so that the limits are inherited from the user running su.

Linux – how do i set hard and soft file limits for a non-root user at boot

/etc/security/limits.conf file is processed by the pam_limits PAM module and is used to assign resource limits for a user session. These will be applied only when PAM and the pam_limits module is used during the session setup.

In your system the su utility may be not configured to use the pam_limits module (see the /etc/pam.d/su.conf file) or uses it only when creating a new login session (called with a — , -l or —login option).

session required pam_limits.so 

To /etc/pam.d/su or/and /etc/pam.d/su-l .

It may also be the case, that your su utility is not compiled with PAM support at all. In such case it will never use the limits.conf file.

Related Topic

Источник