SoFunction
Updated on 2025-03-02

/etc/security/limits.conf explained, with the configuration process

/etc/security/limits.conf is the configuration file of the Linux PAM (Pluggable Authentication Modules) module pam_limits.so. The limits it sets apply to a single login session: pam_limits applies them when the session is opened, and the processes started from that session inherit them.

It does not affect the resource limits of system services.

Also pay attention to the /etc/security/limits.d/ directory.

1. /etc/security/limits.conf explained

/etc/security/limits.conf configuration parsing

The stock file consists of a commented header and a few commented-out example lines. The header reads:

# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

What this means in practice:

  • The limits apply to users who log in through PAM; they do not affect system services.
  • Files in /etc/security/limits.d/ are read after this file, in alphabetical order, and override it when the domain is the same or more specific. A wildcard (*) entry in limits.d overrides a wildcard entry here, but a user-specific entry here can only be overridden by an entry for the same user in limits.d. So if user A is configured here and again in a file under limits.d, A's final values are the ones from the limits.d file.
  • <domain>: a user name; a group with the @group syntax; * as the default entry for all users; the % wildcard and %group syntax only for the maxlogins item. Per limits.conf(5), group and default (*) entries are not applied to root: to limit root, write the literal user name root.
  • <type>: soft is the value currently in effect (think of it as the warning threshold); hard is the ceiling, the largest value the soft limit can be raised to. A soft value cannot be higher than the hard value. The type - sets soft and hard to the same value at once.
  • <item>: core limits the size of core dump files (KB), not of any kernel file; rss is the resident set size (KB); nofile is the number of open file descriptors; cpu is CPU time in minutes; nproc is the number of processes; maxsyslogins is the number of simultaneous logins on the whole system; nice and rtprio are ceilings on the scheduling priority a process may raise itself to.
  • The commented-out lines at the end are the stock examples; they are not active.

/etc/security/limits.d/ directory

This directory holds drop-in files. Only files whose names end in .conf are read, in alphabetical order, and their entries override limits.conf as described above. By default it contains one file that limits the number of processes a user may have (the nproc item): 20-nproc.conf on CentOS 7 and 90-nproc.conf on CentOS 6. You can add your own .conf files next to it.

CentOS 7

/etc/security/limits.d/20-nproc.conf on CentOS 7:

# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     4096
root       soft    nproc     unlimited

That is, every user gets a default soft limit of 4096 processes, and root gets no limit. Only the soft value is set here, so the hard limit stays at whatever the session already had.

CentOS 6

On CentOS 6 the equivalent file is /etc/security/limits.d/90-nproc.conf.

2. How to configure ulimit

Configuration notes

nofile cannot be set to unlimited; nproc can. If nofile is set to unlimited and you then log in over SSH, the login fails and an error is reported: the kernel refuses an open-files limit above fs.nr_open, pam_limits cannot apply the setting, and the session is denied.

Typically /etc/security/limits.conf is configured as:

root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535

and the nproc drop-in under /etc/security/limits.d/ (20-nproc.conf on CentOS 7) as:

*    -     nproc   65535
root soft  nproc  unlimited
root hard  nproc  unlimited

Override rules to watch

Example 1

With /etc/security/limits.conf configured as:

root soft nofile 65538
root hard nofile 65538
* soft nofile 65539
* hard nofile 65539

the value for root is 65538. Although the * lines come after the root lines, a wildcard entry cannot override a user-specific entry: a root entry can only be overridden by another root entry.

Now look at this configuration:

root soft nofile 65538
root hard nofile 65538
* soft nofile 65539
* hard nofile 65539
root soft nofile 65539

The value for root is still 65538. The later root soft nofile 65539 line does replace the earlier root soft entry, but it cannot take effect as written: a soft value may not exceed the hard value, root hard nofile is 65538, so the soft value is capped at 65538.

Example 2

With /etc/security/limits.conf configured as:

root soft nofile 65538
root hard nofile 65538
* soft nofile 65539
* hard nofile 65539

and a .conf file under /etc/security/limits.d/ configured as:

root soft nofile 65536
root hard nofile 65536
* soft nofile 65540
* hard nofile 65540

the final values are the ones from the file under /etc/security/limits.d/.

To summarize:

  • An entry is overridden only by an entry whose domain is the same or more specific (a user name beats @group, which beats *).
  • An entry in /etc/security/limits.d/*.conf overrides the entry with the same domain in /etc/security/limits.conf.
  • Set soft and hard together (or use - to set both) so the result is predictable; a soft value that ends up above the hard value is capped at the hard value.
  • nofile cannot be set to unlimited.
  • The largest value nofile accepts is the kernel's fs.nr_open, which is 1048576 (2**20) by default; with a larger value, login fails.
  • The soft value must be less than or equal to the hard value.
  • The concrete values depend on the application's needs.
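To make the override rules concrete, here is an added Python model written for this page; it is not the pam_limits.so source and not code from the original article. It resolves a user's effective values from constructed limits.conf and limits.d texts following the rules listed above, and flags the nofile settings that would make login fail. Assumptions: group membership is passed in as a list, the root exclusion follows limits.conf(5), and the %group domain, uid/gid ranges and the maxlogins items are not modeled.

```python
"""Resolve a user's effective pam_limits values from limits.conf and
limits.d/*.conf following the override rules described above.  Simplified
model written for this page (not the pam_limits.so source): handles user,
@group and * domains only; a more specific domain beats a less specific one;
equally specific later lines replace earlier ones; limits.d files are read
after limits.conf in name order; soft above hard is capped at hard; nofile may
be neither unlimited nor above fs.nr_open.  All config text is constructed."""

NR_OPEN_DEFAULT = 1048576   # kernel default for fs.nr_open (2**20)
UNLIMITED = float("inf")    # internal representation of "unlimited"


def _parse_value(value):
    return UNLIMITED if value in ("unlimited", "infinity", "-1") else int(value)


def parse_limits_text(text):
    """Yield (domain, type, item, value) for every non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[1] not in ("soft", "hard", "-"):
            raise ValueError(f"malformed limits line: {raw!r}")
        yield fields[0], fields[1], fields[2], _parse_value(fields[3])


def domain_rank(domain, user, groups):
    """0 for the user's own name, 1 for a matching @group, 3 for *, None if
    the line does not apply.  Per limits.conf(5), @group and * entries are
    never applied to root, so root must be named explicitly."""
    if domain == user:
        return 0
    if user == "root":
        return None
    if domain.startswith("@") and domain[1:] in groups:
        return 1
    return 3 if domain == "*" else None


def pam_read_order(limits_conf, dropins):
    """[(name, text)] in read order: limits.conf, then limits.d/*.conf sorted."""
    files = [("limits.conf", limits_conf)]
    for name in sorted(n for n in dropins if n.endswith(".conf")):
        files.append((f"limits.d/{name}", dropins[name]))
    return files


def resolve_limits(user, groups, files):
    """Return {item: {"soft": value, "hard": value}}; None means not set."""
    state = {}  # item -> {"soft": (rank, value), "hard": (rank, value)}
    for _name, text in files:
        for domain, ltype, item, value in parse_limits_text(text):
            rank = domain_rank(domain, user, groups)
            if rank is None:
                continue
            slot = state.setdefault(item, {})
            for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
                current = slot.get(kind)
                # a less specific domain never overrides a more specific one;
                # equal specificity seen later replaces the earlier value
                if current is None or rank <= current[0]:
                    slot[kind] = (rank, value)
    result = {}
    for item, slot in state.items():
        soft = slot["soft"][1] if "soft" in slot else None
        hard = slot["hard"][1] if "hard" in slot else None
        if soft is not None and hard is not None and soft > hard:
            soft = hard  # soft may not exceed hard, so it is capped at hard
        result[item] = {"soft": soft, "hard": hard}
    return result


def validate_files(files, nr_open=NR_OPEN_DEFAULT):
    """Problems that make pam_limits refuse the session at login."""
    problems = []
    for name, text in files:
        for domain, _ltype, item, value in parse_limits_text(text):
            if item == "nofile" and value == UNLIMITED:
                problems.append(f"{name}: nofile unlimited for {domain} is not allowed")
            elif item == "nofile" and value > nr_open:
                problems.append(f"{name}: nofile {int(value)} for {domain} exceeds fs.nr_open={nr_open}")
    return problems


# Example 1 from this page plus the line that tries to raise root's soft value
# above its hard value; Example 2's limits.conf and limits.d texts; and the
# CentOS 7 20-nproc.conf, which sets only the soft nproc value (all constructed).
EXAMPLE1 = "root soft nofile 65538\nroot hard nofile 65538\n* soft nofile 65539\n* hard nofile 65539\nroot soft nofile 65539\n"
EXAMPLE2_CONF = "root soft nofile 65538\nroot hard nofile 65538\n* soft nofile 65539\n* hard nofile 65539\n"
EXAMPLE2_DROPIN = "root soft nofile 65536\nroot hard nofile 65536\n* soft nofile 65540\n* hard nofile 65540\n"
NPROC_CONF = "# prevent accidental fork bombs\n*    soft  nproc  4096\nroot soft  nproc  unlimited\n"

if __name__ == "__main__":
    files = pam_read_order(EXAMPLE2_CONF, {"20-nproc.conf": NPROC_CONF, "90-custom.conf": EXAMPLE2_DROPIN})
    print("root:", resolve_limits("root", [], files), "alice:", resolve_limits("alice", ["users"], files))
    print("problems:", validate_files(pam_read_order("* hard nofile unlimited\n", {})))
```

Run it on your own files by reading /etc/security/limits.conf and the limits.d directory into the same shapes; the read order matters, which is why the drop-ins are sorted by name before they are merged.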

3. Making the ulimit configuration take effect

Temporary configuration

Set the maximum number of open files to 65536:

ulimit  -SHn  65536

This changes the soft (-S) and hard (-H) open-files limit of the current shell and of the processes it starts; it is gone when the shell exits and after a reboot. Note that an unprivileged user can lower the hard limit but cannot raise it back, and can raise the soft limit only up to the hard limit.

Permanent configuration

Put the settings in /etc/security/limits.conf or in a .conf file under /etc/security/limits.d/.

Then log out of the current session and log in again: pam_limits applies the limits when a new session is opened, and the configuration survives reboots.

The problem of the configuration not taking effect

If the new values do not show up, check three things: that you opened a new session after editing (processes that were already running keep their old limits); that the login really went through a PAM service whose session stack includes pam_limits.so (for example /etc/pam.d/sshd; a service started by systemd takes its limits from its unit file, LimitNOFILE= and friends, not from limits.conf); and that no file under /etc/security/limits.d/ overrides your entry with the same or a more specific domain. The authoritative place to see what a running process actually has is /proc/<pid>/limits, not ulimit -n in some shell.
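As an added example (not part of the original article or of PAM), the following Python reads the limits a running process actually has from /proc/<pid>/limits, parses that file's fixed-column format, and compares the result with the values you expected after the edit. The sample text is constructed in that file's format rather than captured from a host; read_process_limits() only works on Linux.

```python
"""Check which limits a running process actually has.

pam_limits sets limits only when a PAM session opens, so a process started
earlier, or by systemd without a PAM session, keeps its old values no matter
what limits.conf says now.  Added helper for this page, not part of PAM.
SAMPLE_PROC_LIMITS is constructed in the /proc/<pid>/limits format."""
import re
import resource

UNLIMITED = float("inf")

SAMPLE_PROC_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max processes             4096                 15000                processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max realtime timeout      unlimited            unlimited            us
"""


def _to_num(text):
    return UNLIMITED if text == "unlimited" else int(text)


def parse_proc_limits(text):
    """Parse /proc/<pid>/limits into {name: (soft, hard, units)}.
    Columns are separated by runs of two or more spaces; the limit names
    themselves contain single spaces only."""
    limits = {}
    for line in text.splitlines()[1:]:          # first line is the header
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3:
            raise ValueError(f"unexpected /proc limits line: {line!r}")
        name, soft, hard = cols[:3]
        units = cols[3] if len(cols) > 3 else ""
        limits[name] = (_to_num(soft), _to_num(hard), units)
    return limits


def read_process_limits(pid="self"):
    """Read and parse /proc/<pid>/limits for a live process (Linux only)."""
    with open(f"/proc/{pid}/limits") as fh:
        return parse_proc_limits(fh.read())


def current_nofile():
    """This process's own RLIMIT_NOFILE as (soft, hard), via setrlimit's twin."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    conv = lambda v: UNLIMITED if v == resource.RLIM_INFINITY else v
    return conv(soft), conv(hard)


def check_expected(limits, expected):
    """Compare parsed limits with {name: (soft, hard)}; return mismatches."""
    problems = []
    for name, (want_soft, want_hard) in expected.items():
        if name not in limits:
            problems.append(f"{name}: not reported")
            continue
        soft, hard, _units = limits[name]
        if (soft, hard) != (want_soft, want_hard):
            problems.append(f"{name}: have soft={soft} hard={hard}, "
                            f"want soft={want_soft} hard={want_hard}")
    return problems


if __name__ == "__main__":
    # A process started before the limits.conf edit still shows the old values.
    stale = parse_proc_limits(SAMPLE_PROC_LIMITS)
    for problem in check_expected(stale, {"Max open files": (65535, 65535)}):
        print("stale:", problem)
    print("this process:", current_nofile())
```

To check a daemon, call read_process_limits(pid) with its PID and pass the nofile values you configured to check_expected(); a mismatch there means the process needs a restart from a session (or unit) that carries the new limits, not another edit of limits.conf.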

4. Common commands for ulimit

Options of the bash ulimit builtin (from help ulimit):

      -S	use the `soft' resource limit # act on the soft limit
      -H	use the `hard' resource limit # act on the hard limit
      -a	all current limits are reported # show all current limits
      -b	the socket buffer size # maximum socket buffer size
      -c	the maximum size of core files created # maximum core dump file size
      -d	the maximum size of a process's data segment # maximum data segment of a process
      -e	the maximum scheduling priority (`nice') # maximum scheduling priority
      -f	the maximum size of files written by the shell and its children # maximum size of files created
      -i	the maximum number of pending signals # maximum number of pending signals
      -l	the maximum size a process may lock into memory # maximum memory a process may lock
      -m	the maximum resident set size
      -n	the maximum number of open file descriptors # maximum number of open file descriptors
      -p	the pipe buffer size
      -q	the maximum number of bytes in POSIX message queues
      -r	the maximum real-time scheduling priority
      -s	the maximum stack size
      -t	the maximum amount of cpu time in seconds
      -u	the maximum number of user processes # maximum number of processes the user may create
      -v	the size of virtual memory # maximum virtual memory
      -x	the maximum number of file locks

View configuration

  • View all configurations
ulimit  -a
  • View the maximum number of open files configured
ulimit  -n
  • Change configuration
ulimit  -SHn  65536

Summary

The above is my own experience. I hope it gives you a useful reference, and I hope you will continue to support me.