limits.conf configuration file is used to limit user, domain, process-related metrics. Limits.conf is related to
limits.conf Configuration File
There is a configuration file named limits.conf and located at /etc/security/ . The default content of this file is as below. We can see that there are different columns named
#<domain> <type> <item> <value> # #* soft core 0 #root hard core 100000 #* hard rss 10000 #@student hard nproc 20 #@faculty soft nproc 20 #@faculty hard nproc 50 #ftp hard nproc 0 #ftp - chroot /ftp #@student - maxlogins 4
As we can see all configurations are commented so they are not effective. There is also a directory which is use to store configuration files in a separate files to maintain easily. This location is
/etc/security/limits.d/ . It is by default empty but we can create rules in this directory easily.
Limits.conf file have a simple and reliable syntax. This syntax is defined to easily set context, type, limits and related values. We will look all of this terms below.
<domain> <type> <item> <value>
While limits configuration we need to specify context. This content can be defined in various ways and various parameters. The first column of the rule is the domain. A domain can be one of the following value.
While limiting there is two type of limit implementation. These are called
soft . Hard limits are set by root and enforced by kernel. The hard limits can not be exceeded. Soft limits have some range overload. But the overload can be for a little time and can not continue forever.
Items are the core of limits. Items are used to specify the item the limit will be applied. For example, if we want to limit the maximum process number we will use nproc numbers. Here are some of the items that can be used to for limit operation.
fsizespecifies maximum file size
nofilespecifies maximum number of file size
cpuspecifies maximum CPU time
nprocspecifies maximum number of process
maxloginsspecifies maximum number of logins
maxsysloginsspecifies maximum number of logins for all users
Specify User For Limit
Now we can start with examples. As we stated we can limit relevant items according to the user name. In the following rule, we will specify a limit for username
ismail where we specify the user name in the first column.
ismail hard core 100000
In this example we set
core or CPU limit for value
1000000 for username
Specify Group For Limit
In this example, we can specify the limit for a user group name. This type of limitation can be useful if we want to restrict some user group names.
@apache hard nproc 20
In this example we specify
apache group name to limit
process number as maximum
Use Wildcard For Limit
While specifying the domain or the users and groups we may need to set limits for all users and groups in a system. Here we will use * or a wildcard for this.
* hard rss 10000
In this example we set
rss limit for all users and groups in this systems.
Specify User ID Range For Limit
We want to specify limit some users. But they are not in a user group and we do not want or can create groups for these groups. Specifying limits one by one is a problem. We can specify multiple users like below. But the restriction is that we will specify the range.
1000:1010 hard rss 10000
The rule above will be applied to the users those User ID’s are between
1010 . The
: operator used to specify the range.
Specify Group ID Range For Limit
The similar definition like previous user range is group range. We will specify group ID range like below.
@500:510 hard rss 10000
In this example, the rules will be applied for the group ID between 500 and 510. We use @ operator to specify ID’s as a group and
: for range.
Limit Number of Process
Now we will start to look at different item types to use. There are more items than described here but these are the most popular ones. The first example is limiting the number of processes for a user.
ismail hard nproc 20
In the example, we limit the process number with nproc item. The user the rule will apply is ismail and the maximum number of the process for this user can own is
Limit CPU Time
Another useful item to limit is CPU time. We can set limits about the CPU time .
ismail soft cpu 10000
In this example we applied maximum
10000 cycles for user
ismail by using
Limit Number Of Open File
We can limit the numbers of files a user can open in time. This can be useful to prevent disk bottlenecks if the system has a lot of users those access files.
ismail hard nofile 512
In this example we specify that the user
ismail can only open
512 files or file descriptors with
Limit Number Of Logins
By default, a user can have infinite numbers of connections, sessions, or logins in a system. This may create some security or performance problems for the systems. We can set some limits on this.
@student - maxlogins 4
In these examples, we limit the student group’s user’s login count. We use maxlogins for each user in the student group. The maximum number of login can not be more than
Limit Number Of System Logins
In the previous example, we have restricted maximum logins as a user base. we can also specify the total number of logins in system-wide. This restriction will be effective in a general manner.
* - maxsyslogins 40
In this example, we restrict all users and groups but actually, this is not a user or group based restriction. We set this rule system-wide and use
maxsyslogin item as
Limit Maximum File Size
We may want to restrict file size. This restriction can be useful in temp or similar usage type files.
@student - fsize 4000000
In this example, we limit the student’s single file size as 4000000 . This is a presentation of
KB or kilobyte. So the example means
4 GB . We use
fsize as item type.