In Linux, there are two ways to control resources:
One is based on POSIX (dependent on the PAM module), which limits user session resources.
The other is based on Cgroup, mainly used for process resource limits.
By limiting resources, we can manage the resource usage of individual processes or user sessions, ensuring system stability and the Quality of Service (QoS) for other users and processes on the system. Setting reasonable resource limits is therefore also a form of system optimization.
ulimit Session Resource Limits
In a multi-user system, not limiting resources can be considered unfair. The older way to limit system resources is to use ulimit, which is enforced by the PAM module during login and session startup. The ulimit command is a built-in command in bash, mainly limiting the resources available to the shell and its child processes.
How ulimit Limits Resources
In the /etc/pam.d/system-auth file, the pam_limits module is called, which reads /etc/security/limits.conf and /etc/security/limits.d/, setting resource limits according to the configuration files. To view the module help documentation, use man pam_limits.
What is /etc/pam.d/system-auth?
/etc/pam.d/system-auth is a PAM (Pluggable Authentication Modules) configuration file. In Linux systems, PAM provides a flexible way to configure user authentication, authorization, and session management.
This file is a text file containing PAM configuration lines used to define different authentication, authorization, and session modules and their parameters. The PAM module is responsible for handling user login, password verification, permission checks, and other operations.
During baseline remediation we may sometimes need to modify the relevant configuration in this file. To view the resource-limit module referenced in the file:
┌──[[email protected]]-[~]
└─$cat /etc/pam.d/system-auth | grep pam_limits
session required pam_limits.so
┌──[[email protected]]-[~]
└─$
In the PAM configuration, the pam_limits.so module is required to enforce session limits.
PAM (Pluggable Authentication Modules) is a system-level framework for authenticating users. The pam_limits.so module is part of the PAM framework, used to set session-level resource limits, such as the number of files a process can open, the memory a process can use, etc.
The ulimit command is a tool for limiting user-level resources, typically used to control the resource usage of shell processes and their child processes. Modifying the ulimit value only affects the current shell session and does not necessarily impact other users or system processes.
Using ulimit is one way to limit system resources, supporting hard and soft limits.
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
Ordinary users can set their own soft limits but cannot exceed hard limits. You can use ulimit -a to view the list of resource limits.
Soft limit (soft maxlogins): A soft limit is a warning threshold. When this limit is reached or exceeded, the system issues a warning message but does not prevent the user from logging in.
Hard limit (hard maxlogins): A hard limit is a strict limit. When this limit is reached or exceeded, the system will prevent the user from logging in.
┌──[[email protected]]-[~]
└─$ulimit -Hn #Limit number
262144
┌──[[email protected]]-[~]
└─$ulimit -Sn #Limit number
1024
┌──[[email protected]]-[~]
└─$
When a value is given, ulimit sets the limit to that number; when no value is given, it outputs the current setting.
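The soft and hard behaviour of ulimit described above, as an added example that is not part of the original article. Each function changes the open-files limit inside a subshell, so the calling shell is unaffected; the function names and the values 32, 48, 64 and 128 are arbitrary choices that assume the session's hard limit starts at 64 or more.

```shell
#!/bin/sh
# Added example: soft vs. hard "open files" limit (ulimit -n).
# Every case runs in a subshell, so the caller's limits never change.
# Assumption: the starting hard limit is at least 64.

# Lower only the soft limit, then read it back.
lower_soft() {
    ( ulimit -Sn 32 && ulimit -Sn )
}

# The soft limit can be raised again, as far as the hard limit.
raise_soft_to_hard() {
    ( ulimit -Sn 32 && ulimit -Hn 64 && ulimit -Sn 64 && ulimit -Sn )
}

# Raising the soft limit above the hard limit is rejected (non-zero status).
raise_soft_past_hard() {
    ( ulimit -Sn 32 && ulimit -Hn 64 && ulimit -Sn 128 ) 2>/dev/null
}

# Without -S or -H the value is applied to both limits at once, so a
# plain "ulimit -n N" also lowers the hard ceiling of the session.
set_both() {
    ( ulimit -n 48 && echo "$(ulimit -Sn) $(ulimit -Hn)" )
}

echo "soft after lowering:        $(lower_soft)"
echo "soft after raising to hard: $(raise_soft_to_hard)"
if raise_soft_past_hard; then
    echo "soft above hard:            accepted"
else
    echo "soft above hard:            rejected"
fi
echo "soft/hard after ulimit -n:  $(set_both)"
```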
To limit the number of logins through the configuration file, for example, configure the kiosk group to allow only 2 simultaneous logins across multiple terminals.
┌──[[email protected]]-[~]
└─$cat /etc/security/limits.conf | grep -v ^# | grep -v ^$
@kiosk soft maxlogins 2
@kiosk hard maxlogins 2
┌──[[email protected]]-[~]
└─$
Other resource limits:
core: core file size limit (in KB)
data: maximum data size limit (in KB)
fsize: maximum file size limit (in KB)
memlock: maximum locked memory address space limit (in KB)
nofile: maximum number of open file descriptors limit
rss: maximum resident set size limit (in KB)
stack: maximum stack size limit (in KB)
cpu: maximum CPU time limit (in minutes)
nproc: maximum number of processes limit
as: address space limit (in KB)
maxlogins: maximum number of logins for this user (single user)
maxsyslogins: maximum number of logins on the system (all users)
priority: priority to run user processes
locks: maximum number of file locks the user can hold
sigpending: maximum number of pending signals limit
msgqueue: maximum memory used by POSIX message queues (in bytes)
nice: maximum nice priority allowed to raise to values: [-20, 19]
rtprio: maximum realtime priority
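An added example, not part of the original article: a small audit of limits.conf-style entries for baseline checks, reporting malformed lines, soft values above the hard value, and items that have a soft limit but no hard ceiling. The function names, finding labels and sample input are constructed here (only the two @kiosk lines come from the page); the "-" type, which sets both limits, and the unlimited/infinity/-1 values follow the limits.conf man page.

```shell
#!/bin/sh
# Added example: audit limits.conf-style text read from stdin.

# Constructed sample input; only the two @kiosk lines come from the page.
sample_limits() {
    cat <<'EOF'
# <domain> <type> <item> <value>
@kiosk  soft  maxlogins  2
@kiosk  hard  maxlogins  2
@dev    soft  nproc      4096
@dev    hard  nproc      2048
*       soft  nofile     1024
alice   -     core       0
bob     hard  fsize
EOF
}

audit_limits() {
    awk '
    # "unlimited", "infinity" and (except for nice/priority) -1 mean no limit.
    function num(v, name) {
        if (v == "unlimited" || v == "infinity") return 1e18
        if (v == "-1" && name != "nice" && name != "priority") return 1e18
        return v + 0
    }
    { sub(/#.*/, "") }                     # drop whole-line and trailing comments
    NF == 0 { next }
    NF != 4 { print "MALFORMED line " NR; next }
    $2 != "soft" && $2 != "hard" && $2 != "-" { print "BAD_TYPE line " NR; next }
    {
        key = $1 " " $3                    # one record per domain + item
        if (!(key in item)) { item[key] = $3; order[++n] = key }
        if ($2 != "hard") soft[key] = $4   # "soft", or "-" which sets both
        if ($2 != "soft") hard[key] = $4   # "hard", or "-" which sets both
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in soft)) continue     # hard-only entry: the ceiling is set
            if (!(k in hard))              # soft can be raised to the inherited hard limit
                print "SOFT_ONLY " k " soft=" soft[k]
            else if (num(soft[k], item[k]) > num(hard[k], item[k]))
                print "SOFT_GT_HARD " k " soft=" soft[k] " hard=" hard[k]
        }
    }'
}

sample_limits | audit_limits
```

On a real host, pipe /etc/security/limits.conf (and the files under /etc/security/limits.d/) into audit_limits instead of the sample; line numbers then count across the concatenated input.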

