I am totally confused by obtaining the limits of open file descriptors in Linux.
which value is correct by them?
ulimit -n ======> 65535
but
vim /etc/security/limits.conf
soft nofile 50000
hard nofile 90000
The limits applied in /etc/security/limits.conf are applied by the limits authentication module at login if it's part of the PAM configuration. Then the shell gets invoked which can apply it's own limits to the shell.
If you're asking which one is in effect, then it's the result from the ulimit call. if it's not invoked with the -H option, then it displays the soft limit.
The idea behind the limits.conf settings is to have a global place to apply limits for, for example, remote logins
Limits for things like file descriptors can be set at the user level, or on a system wide level. /etc/security/limits.conf is where you can set user level limits, which might be different limits for each user, or just defaults that apply to all users. The example you show has a soft (~warning) level limit of 50000, but a hard (absolute maximum) limit of 90000.
However, a system limit of 65535 might be in place, which would take precedence over the user limit. I think system limits are set in /etc/sysctl.conf, if my memory serves correctly. You might check there to see if you're being limited by the system.
Also, the ulimit command can take switches to specifically show the soft (-Sn) and hard (-Hn) limits for file descriptors.
i think this conf is used by all the apps in the system. if you do want to change one particular app, you can try setrlimit() or getrlimt(). man doc dose explain everything.
Related
I am trying to understand this fragment from the benchmark of CentOs6' guide Hardering but I'm not been success yet... Can anybody explain me what it is a soft variable?
The context where is said is the next:
"Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core [...]"
Page 39 from Hardering Guide of CentOs6
Thank you so much!
Here read this: linux.die.net/man/5/limits.conf it helps explain hard v. soft. – Tom Myddeltyn
A "soft" limit is one that you may decrease or increase (up to the "hard" limit), and a "hard" limit is one that you can't increase.
Initial limits are imposed by the system configuration. See the limits.conf manual.
See also the entry for the ulimit builtin of your particular shell.
Since I have been told that if a user in my computer will create "infinite" number of folders / files (even empty) it can cause my computer to become much much slower (even stuck), I want to limit the maximum number of files/directories that user can create.
I'm afraid that one user will try to create a huge number of files and it will become a problem for all the other users, so it will be a security issue,
How do I do that, how do I limit the max number of files/directories each user can create?
You should first enable quota check on your filesystem
Modify the /etc/fstab, and add the keyword usrquota and grpquota to the corresponding filesystem that you would like to monitor.
The following example indicates that both user and group quota check is enabled on /home filesystem
# cat /etc/fstab
LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2
reboot after this is done.
Once you’ve enabled disk quota check on the filesystem, collect all quota information initially as shown below.
# quotacheck -avug
quotacheck: Scanning /dev/sda3 [/home] done
quotacheck: Checked 5182 directories and 31566 files
quotacheck: Old file not found.
quotacheck: Old file not found.
Now, use the edquota command as shown below, to edit the quota information for a specific user.
For example, to change the disk quota for user ‘ramesh’, use edquota command, which will open the soft, hard limit values in an editor as shown below.
# edquota ramesh
Disk quotas for user ramesh (uid 500):
Filesystem blocks soft hard inodes soft hard
/dev/sda3 1419352 0 0 1686 0 0
Hard limit – if you specify 2GB as hard limit, user will not be able to create new files after 2GB
Soft limit – if you specify 1GB as soft limit, user will get a warning message “disk quota exceeded”, once they reach 1GB limit. But, they’ll still be able to create new files until they reach the hard limit
Lastly, if you would like a report each day on a users quota you can do the following.
Add the quotacheck to the daily cron job. Create a quotacheck file as shown below under the /etc/cron.daily directory, that will run the quotacheck command everyday. This will send the output of the quotacheck command to root email address.
# cat /etc/cron.daily/quotacheck
quotacheck -avug
This is what quotas are designed for. You can use file system quotas to enforce limits, per user and/or per group for:
the amount of disk size space that can be used
the number of blocks that can be used
the number of inodes that can be created.
The number of inodes will essentially limit the number of files and directories a user can create.
There is extensive, very good quality documentation about how to configure file system quotas in many sources, which I suggest you read further:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-disk-quotas.html
https://wiki.archlinux.org/index.php/disk_quota
http://www.ibm.com/developerworks/library/l-lpic1-v3-104-4/
http://www.firewall.cx/linux-knowledgebase-tutorials/linux-administration/838-linux-file-system-quotas.html
we are facing a situation where a process gets stuck due to running out of open files limit. The global setting file-max was set extremely high (set in sysctl.conf) & per-user value also was set to a high value in /etc/security/limits.conf. Even ulimit -n reflects the per-user value when ran as that head-less user (process-owner). So the question is, does this change require system reboot (my understanding is it doesn't) ? Has anyone faced the similar problem ? I am running ubuntu lucid & the application is a java process. #of ephemeral port range too is high enough, & when checked during the issue, the process had opened #1024 (Note the default value) files (As reported by lsof).
One problem you might run into is that the fd_set used by select is limited to FD_SETSIZE, which is fixed at compile time (in this case of the JRE), and that is limited to 1024.
#define FD_SETSIZE __FD_SETSIZE
/usr/include/bits/typesizes.h:#define __FD_SETSIZE 1024
Luckily both the c library and the kernel can handle arbitrary sized fd_set, so, for a compiled C program, it is possible to raise that limit.
Considering you have edited file-max value in sysctl.conf and /etc/security/limits.conf correctly; then:
edit /etc/pam.d/login, adding the line:
session required /lib/security/pam_limits.so
and then do
#ulimit -n unlimited
Note that you may need to log out and back in again before the changes take effect.
When I tried to install a software on RedHat EL5, I got the error that the expected value of soft/hard nofile is 4096 while the default is 1024. I managed to increase the number, but I don't know what the parameters are. Are they refering to soft link and hard link?
The way I change it is:
A) modify the /etc/security/limits.conf
user soft nofile 5000
user hard nofile 6000
B) modify the /etc/pam.d/system-auth
session required /lib/security/$ISA/pam_limits.so
C) modify /etc/pam.d/login
session required pam_limits.so
After making the change (by switching to root). It seems that I have to reboot machine to make it effect. But some post online say that it should come to effect right after making the change. Would appreciate if someone can clarify it.
These are: a 'soft' and a 'hard' limit for number of files a process may have opened at a time. Both limit the same resource (no relation to hard links or anything). The difference is: the soft limit may be changed later, up to the hard limit value, by the process running with these limits and hard limit can only be lowered – the process cannot assign itself more resources by increasing the hard limit (except processes running with superuser privileges (as root)).
Similar limits can be set for other system resources: system memory, CPU time, etc. See the setrlimit(2) manual page or the description of your shell's ulimit build-in command (e.g. in the bash(1) manual page.
No reboot is required, but /etc/security/limits.conf is only processed when /lib/security/pam_limits.so runs, which is at login time, and the values are inherited by child processes. After a new login, anything under that login will inherit the values specified.
As an additional aside, some distros include /etc/security/limits.d where "snippets" of limit configurations can be placed. You can create files such as this:
$ ll /etc/security/limits.d/
-rw-r--r--. 1 root root 191 Aug 18 10:26 90-nproc.conf
-rw-r--r-- 1 root root 70 Sep 29 12:54 90-was-filedesc.conf
With files containing whatever limits you want to set:
$ more /etc/security/limits.d/90-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.
* soft nproc 1024
root soft nproc unlimited
$ more /etc/security/limits.d/90-was-filedesc.conf
root hard nofile 20000
I find using this method to manage these types of overrides much cleaner than mucking with /etc/security/limits.conf.
Also if you want to set both soft/hard to the same value you can use the - as the type.
$ more /etc/security/limits.d/90-was-filedesc.conf
root - nofile 20000
I am a little concerned with the amount of resources that I can use in a shared machine. Is there any way to test if the administrator has a limit in the amount of resources that I can use? And if does, to make a more complete question, how can I set up such limit?
For process related limits, you can have a look in /etc/security/limits.conf (read the comments in the file, use google or use man limits.conf for more information). And as jpalecek points out, you may use ulimit -a to see (and possibly modify) all such limits currently in effect.
You can use the command quota to see if a disk quota is in effect.
You can try running
ulimit -a
to see what resource limits are in effect. Also, if you are allowed to change such limits, you can change them by the ulimit command, eg.
ulimit -c unlimited
lifts any limit for a size of a core file a process can make.
At the C level, the relevant functions (actually syscalls(2)...) could be setrlimit(2) and setpriority(2) and sched_setattr(2). You probably would want them to be called from your shell.
See also proc(5) -and try cat /proc/self/limits and sched(7).
You may want to use the renice(1) command.
If you run a long-lasting program (for several hours) not requiring user interaction, you could consider using some batch processing. Some Linux systems have a batch or at command.