All geek questions in one place

How are user default user restrictions configured in /etc/security/limits.conf since setrlimit is process-based?

I noted that in the /etc/security/limits.conf file, limits are set for each user (or for each group), for example: @faculty hard nproc 50

I assume this is setrlimit, which does the job of setting limits, but setrlimit works based on the process, that is, it sets only the resource limits for its calling process, since it cannot set limits for the user, how can the OS limit the limits of resources configured in limits.conf?

Another question is, If a certain process exceeds the resource quota, will it be killed? If so, what signal? Thanks.

+4
source share
3 answers

You can set hard and soft limits for each user / group. To be able to change your own hard limit, the process must be privileged (root). What happens when a process tries to exceed its soft limit depends on the resource:

  • data limit - malloc and new will fail
  • open files - creating file descriptor failures (open, creat, socket, accept, etc.)
  • core-core file will be truncated
  • file size - SIGXFSZ is delivered to the damaged thread.
  • stack - SIGSEGV delivered to the upstream
  • and etc.

Take a look at the setrlimit manpage for more information.

In limits.conf, you set limits for each process for the specified user / group. Therefore, if you set a 10MiB size limit for user X, this means that every process running with user X credentials has a 100 MB stack limit. It is not a limit that describes the "sum of resources" for all processes owned by user X

+3
source

As already mentioned, the OS complies with user restrictions for each process, and not for the user.

If you want the restrictions to apply to all processes belonging to the user, you can use control groups:

http://en.wikipedia.org/wiki/Cgroups

+4
source

From man setrlimit

RLIMIT_NPROC The maximum number of processes (or, more precisely, on Linux, threads) that can be created for the real user ID of the calling process. When faced with this limit, fork (2) fails with error EAGAIN.

As you can see, setrlimit can set restrictions for the user of the calling process. Thus, it can set restrictions for the user through the calling process of that user.

To your second question, in some cases, the kernel does not allow the process to exceed its limit in the first place. In the above example, fork() itself fails, rather than killing the calling process after allocating more resources. In some cases, for example, when using the CPU, when the process exceeds its SOFT_LIMIT , a SIGXCPU message is sent. And when he exceeds his HARD_LIMIT , SIGKILL sets off

0
source

Source: https://habr.com/ru/post/1402175/

More articles:


All Articles