Controlling the resources available to users is a basic element of the reliability of a Linux system. A carefully configured system will not suffer denial of service in the event of a process malfunction or a more or less deliberate user attack (see Bash fork bomb).

Linux has an awesome feature that allows you to limit the resources allocated to users, or groups of users, via the file “/etc/security/limits.conf”, which is loaded by PAM (Pluggable Authentication Modules) at each logon. The user can then adapt the resources he has to his needs via the “ulimit” command.

 

Principle of limitations:
For a certain number of resources (number of open files, file size, number of instantiated processes, CPU time, etc.), it is possible to define a “soft” limit that the user can increase, via “ulimit”, up to a maximum called the “hard” limit.

The system enforces the soft limit: a process cannot exceed its value. If the user wishes to push this limit, he will have to define a new soft limit with “ulimit”. The soft limit is always less than or equal to the hard limit. In general, the limits applied to a user take priority over those applied to a group.

 

Managed resources:
The limits are set in the file “/etc/security/limits.conf”. “ulimit” allows you to modify certain limits, such as:

fsize (-f): file size;
nofile (-n): number of open files;
cpu (-t): maximum CPU time for a process (when the process reaches the soft limit it receives a SIGXCPU every second, when it reaches the hard limit, it receives SIGKILL);
nproc (-u): number of processes;
priority (-r): priority of the processes launched by the user (nice);

Other limits are non-modifiable and are imposed only by the file “/etc/security/limits.conf”:

maxlogins: maximum concurrent login count (not applicable to root);
maxsyslogins: maximum number of users logged on the system;
nice: maximum priority of user processes;

The “limits.conf” man page describes all manageable resources.

 

Using ulimit:
In general, passing the “-S” option to “ulimit” affects the effective (“soft”) limit, and the “-H” option affects the “hard” limit (the maximum value that can be set by the user).

In user space, “ulimit” is used to limit a program or script to a selected quantity of a resource.

[training@beingexplorer ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 7922
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 1024
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

The values of a particular resource are displayed using the options associated with them, e.g.:

[training@beingexplorer ~]$ ulimit -u # maximum number of processes allowed:
1024

[training@beingexplorer ~]$ ulimit -Hu # the limit can be increased up to:
7922

Note: the order of the options is important.

 

Modify the limits:
To change a limit, you specify the resource option together with the value to apply. In the example below, we set the soft limit on the number of authorized processes to 200:

[training@beingexplorer ~]$ ulimit -Su 200

[training@beingexplorer ~]$ ulimit -u
200

 

Once the hard limit has been set, the user cannot raise it above that value:

[training@beingexplorer ~]$ ulimit -Hu 400
[training@beingexplorer ~]$ ulimit -Hu 500
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted

 

Limit users of a system:
The job of the administrator is to define “reasonable” and functional limits for users. All this work is done in “/etc/security/limits.conf”.

 

Implementation in PAM:
The file “/etc/security/limits.conf” is loaded by PAM each time the user logs on. For this, the module “pam_limits.so” is loaded.

Note: It is possible to change the location of the “limits.conf” file with the “conf=” option passed to the PAM module.

If the limits you have defined are not taken into account, the first step is to check that the “pam_limits” module is activated in the PAM configuration.
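
One way to run that check, and to see which value a user would receive from “limits.conf”, as an added example that is not part of the original article. The PAM file names, the user “training”, the group “students” and all file contents are constructed; the column layout (domain, type, item, value) and the “session required pam_limits.so” line follow the limits.conf and pam_limits man pages.

```sh
#!/bin/sh
# Added example; file contents below are constructed sample data.

# Succeeds if FILE has an uncommented session line loading pam_limits.so.
# Checks one file only; included files must be checked separately.
pam_limits_enabled() {
    awk '$1 ~ /^-?session$/ && /pam_limits\.so/ { found = 1 }
         END { exit !found }' "$1"
}

# Print the limits.conf value for USER/TYPE/ITEM, or nothing if unset.
# Precedence: user entry, then @GROUP entry, then the "*" default.
# A type of "-" sets both the soft and the hard limit.
limit_for() {  # usage: limit_for FILE USER GROUP TYPE ITEM
    awk -v u="$2" -v g="@$3" -v t="$4" -v i="$5" '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == i && ($2 == t || $2 == "-") {
            if ($1 == u)        user = $4
            else if ($1 == g)   group = $4
            else if ($1 == "*") any = $4
        }
        END {
            if (user != "")       print user
            else if (group != "") print group
            else if (any != "")   print any
        }' "$1"
}

demo=$(mktemp -d)
cat > "$demo/limits.conf" <<'EOF'
# <domain>  <type>  <item>  <value>
*           soft    nproc   200
*           hard    nproc   400
@students   hard    nproc   300
training    -       nofile  1024
EOF
printf '%s\n' 'auth required pam_unix.so' '#session required pam_limits.so' > "$demo/pam-login"
printf '%s\n' 'session required pam_limits.so' > "$demo/pam-sshd"

for f in "$demo/pam-login" "$demo/pam-sshd"; do
    if pam_limits_enabled "$f"; then
        echo "$f: pam_limits active"
    else
        echo "$f: pam_limits not active, limits.conf is ignored here"
    fi
done
echo "training hard nproc: $(limit_for "$demo/limits.conf" training students hard nproc)"
```

On a real host, point the two functions at the service files under /etc/pam.d and at /etc/security/limits.conf instead of the sample files.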
