The limits.conf configuration file is used to limit user, domain, and process related metrics. Limits.conf is related with
There is a configuration file named limits.conf, located at /etc/security/. The default content of this file is shown below.
#<domain> <type> <item> <value>
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
As we can see, all rules are commented out, so they are not effective. There is also a directory used to store configuration in separate files for easier maintenance. This location is /etc/security/limits.d/. It is empty by default, but we can easily create rules in this directory.
The limits.conf file has a simple and reliable syntax. This syntax is designed to easily set the context, type, limits and related values. We will look at all of these terms below.
<domain> <type> <item> <value>
When configuring limits we need to specify the context. This context can be defined in various ways and with various parameters. The first column of the rule is the domain. The domain can be the following
When limiting, there are two types of limit implementation. These are called
Hard limits are set by root and enforced by the kernel.
Soft limits can be exceeded within some range.
Items are the core of limits. An item specifies what the limit will be applied to. For example, if we want to limit the maximum number of processes we will use nproc. Here are some of the items that can be used in limit rules:
fsize specifies maximum file size
nofile specifies maximum number of open files
cpu specifies maximum CPU time
nproc specifies maximum number of processes
maxlogins specifies maximum number of logins
maxsyslogins specifies maximum number of logins for all users
Specify User For Limit
Now we can start with examples. As we stated, we can limit relevant items according to user name. In the following rule we specify a limit for the username ismail, where the user name is in the first column.
ismail hard core 100000
In this example we set the core or CPU limit to the value 1000000 for username
Specify Group For Limit
In this example we specify a limit for a user group name. This type of limit can be useful if we want to restrict certain user groups.
@apache hard nproc 20
In this example we specify the apache group name to limit the process number as maximum
Use Wildcard For Limit
While specifying the domain, we may need to set a limit for all users and groups in a system. Here we will use * or wildcard for this.
* hard rss 10000
In this example we set the rss limit for all users and groups in this system.
Specify User ID Range For Limit
We want to specify a limit for some users, but they are not in a user group and we do not want to or cannot create a group for these users. Specifying limits one by one is a problem. We can specify multiple users like below, but the restriction is that we must specify a range.
1000:1010 hard rss 10000
The rule above will be applied to the users whose user IDs are between 1000 and 1010. The : operator is used to specify the range.
Specify Group ID Range For Limit
Similar to the previous user range is the group range. We will specify a group ID range like below.
@500:510 hard rss 10000
In this example the rule will be applied to the group IDs between 500 and 510. We use the @ operator to specify the IDs as groups and : for the range.
Limit Number of Process
Now we will look at the different item types. There are more items than described here, but these are the most popular ones. The first example is limiting the number of processes for a user.
ismail hard nproc 20
In the example we limit the process number with the nproc item. The user the rule applies to is ismail, and the maximum number of processes this user can own is
Limit CPU Time
Another useful item to limit is CPU time. We can set limits on CPU time.
ismail soft cpu 10000
In this example we applied a maximum of 10000 cycles for user ismail by using
Limit Number Of Open File
We can limit the number of files a user can have open at a time. This can be useful to prevent disk bottlenecks if the system has a lot of users who access files.
ismail hard nofile 512
In this example we specify that the user ismail can only open 512 files or file descriptors with
Limit Number Of Logins
By default a user can have an unlimited number of connections, sessions or logins in a system. This may create security or performance problems for the system. We can set limits on this.
@student - maxlogins 4
In this example we limit the login count of users in the student group. We use maxlogins for each user in the student group. The maximum number of logins cannot be more than
Limit Number Of System Logins
In the previous example we restricted maximum logins per user. We can also specify the total number of logins system wide. This restriction is effective in general.
* - maxsyslogins 40
In this example we restrict all users and groups, but actually this is not a user or group based restriction. We set this rule system wide and use the maxsyslogins item as
Limit Maximum File Size
We may want to restrict file size. This restriction can be useful for temp files or files with similar usage.
@student - fsize 4000000
In this example we limit the size of a single file for students to 4000000. This value is expressed in KB or kilobytes, so the example means 4 GB. We use fsize as the item type.
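As an added example (not part of the original article), the Python code below parses rules in the four-column syntax, classifies the domain forms covered above, and lists soft rules that have no hard rule for the same domain and item, since a soft limit on its own can be raised by the user. The function names and the sample text are assumptions made for this illustration, and only the domain forms and items shown on this page are recognized.

```python
import re

# Types and items that appear on this page; real systems accept more items.
TYPES = {"hard", "soft", "-"}
ITEMS = {"core", "rss", "nproc", "chroot", "maxlogins",
         "maxsyslogins", "fsize", "nofile", "cpu"}
ID_RANGE = re.compile(r"^\d+:\d+$")

def classify_domain(domain):
    """Name the domain form used in the first column of a rule."""
    if domain == "*":
        return "wildcard"
    is_group = domain.startswith("@")
    if ID_RANGE.match(domain.lstrip("@")):
        return "gid-range" if is_group else "uid-range"
    return "group" if is_group else "user"

def parse_limits(text):
    """Return (rules, problems) for limits.conf-style text."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # commented rules are inactive
        if not fields:
            continue
        if len(fields) != 4 or fields[1] not in TYPES or fields[2] not in ITEMS:
            problems.append((lineno, raw.strip()))
            continue
        domain, ltype, item, value = fields
        rules.append(dict(line=lineno, domain=domain, type=ltype, item=item,
                          value=value, kind=classify_domain(domain)))
    return rules, problems

def soft_only(rules):
    """Soft rules with no hard (or '-') rule for the same domain and item."""
    hard = {(r["domain"], r["item"]) for r in rules if r["type"] != "soft"}
    return [r for r in rules
            if r["type"] == "soft" and (r["domain"], r["item"]) not in hard]

# Constructed sample built from the rules shown on this page, plus one typo.
SAMPLE = """\
#* soft core 0
ismail hard core 100000
@apache hard nproc 20
* hard rss 10000
1000:1010 hard rss 10000
@500:510 hard rss 10000
ismail soft cpu 10000
ismail hrad nproc 20
"""
```

Running parse_limits(SAMPLE) reports the mistyped "hrad" rule on line 8 as a problem, and soft_only() flags the soft-only cpu rule for ismail.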