Linux - Resource Manager - Processes limitations (/etc/security/limits.conf)

About

Limiting user processes is important for running a stable system. To limit user process resource, you have just to set shell limit by adding:

• a user name
• or group name
• or all users

to /etc/security/limits.conf file and impose then process limitations.

Example of /etc/security/limits.conf file

*               hard    nofile          65535
*               soft    nofile          4096
@student        hard    nproc           16384
@student        soft    nproc           2047

A soft limit is like a warning and hard limit is a real max limit. For example, following will prevent anyone in the student group from having more than 50 processes, and a warning will be given at 30 processes.

@student        hard    nproc           50
@student        soft    nproc           30

Hard limits are maintained by the kernel while the soft limits are enforced by the shell.

Syntax of the /etc/security/limits.conf file

The /etc/security/limits.conf file contains a list line where each line describes a limit for a user in the form of:

<domain> <type> <item> <shell limit value>

Where:

• <domain> can be:
  • an user name
  • a group name, with @group syntax
  • the wildcard *, for default entry
  • the wildcard %, can be also used with %group syntax, for maxlogin limit
• <type> can have two values:
  • “soft” for enforcing the soft limits (soft is like warning)
  • “hard” for enforcing hard limits (hard is a real max limit)
• <item> can be one of the following:
  • core - limits the core file size (KB)
• <shell limit value> can be one of the following:
  • core - limits the core file size (KB)
  • data - max data size (KB)
  • fsize - maximum filesize (KB)
  • memlock - max locked-in-memory address space (KB)
  • nofile - Maximum number of open file descriptors
  • rss - max resident set size (KB)
  • stack - max stack size (KB) - Maximum size of the stack segment of the process
  • cpu - max CPU time (MIN)
  • nproc - Maximum number of processes available to a single user
  • as - address space limit
  • maxlogins - max number of logins for this user
  • maxsyslogins - max number of logins on the system
  • priority - the priority to run user process with
  • locks - max number of file locks the user can hold
  • sigpending - max number of pending signals
  • msgqueue - max memory used by POSIX message queues (bytes)
  • nice - max nice priority allowed to raise to
  • rtprio - max realtime priority
  • chroot - change root to directory (Debian-specific)

How to

Set the limitations

• Open the /etc/security/limits.conf file and change the existing values for “hard” and “soft” parameters as it's given in your installation documentation.
• Restart the system after making changes.

*               hard    nofile          65535
*               soft    nofile          4096
*               hard    nproc           16384
*               soft    nproc           2047

Verify the limitations

To check the soft and hard limits, log as the user and enter the following ulimit command:

Test the limitations

The following bash function:

:(){
 :|:&
};:

or

:(){ :|:& };:

is a recursive function and is often used by sys admin to test user processes limitations.

Documentation / Reference

• Understanding Bash fork() bomb ~ :(){ :|:& };: