Linux /etc/security/limits.conf
This file is actually the configuration file of pam_limits.so, a module of Linux PAM (Pluggable Authentication Modules). It applies only to individual login sessions and does not affect the resource limits of system services.
Purpose
Sets resource limits for users who log in through PAM.
Configuration files
- /etc/security/limits.conf
- /etc/security/limits.d
Entries in /etc/security/limits.d override those in /etc/security/limits.conf.
Configuration format
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
domain
The scope of the limit: a user, a group, or a wildcard.
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, <domain> must be
# the literal username root.
type
The kind of limit; a soft limit cannot be higher than the hard limit.
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
item
The resource being limited.
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
value
The value of the limit.
Example
#<domain> <type> <item> <value>
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
* soft nofile 204800
* hard nofile 204800
* soft nproc 204800
* hard nproc 204800
# End of file
This sets both the soft and hard limits of nofile and nproc to 204800 for all users.
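As an added example (not code from the original page or from pam_limits), the following Python parses text in the `<domain> <type> <item> <value>` format above and resolves the soft and hard values a given user would receive, honouring the rule that group and wildcard entries are not applied to root. It assumes the precedence described in its header comment (a user entry beats a matching @group entry, which beats `*`; within one level the later line wins), which is my reading of pam_limits rather than something the page states.

```python
# Added example: parse limits.conf text and resolve a user's effective limit.
# Assumed precedence (my reading of pam_limits, not page text): user entry >
# @group entry > '*'; within one level the later line wins, so appending the
# limits.d text after limits.conf reproduces the override order.
from collections import namedtuple

Limit = namedtuple("Limit", "domain ltype item value")

def parse_limits(text):
    """Parse '<domain> <type> <item> <value>' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[1] not in ("soft", "hard", "-"):
            raise ValueError("malformed limits line: %r" % raw)
        entries.append(Limit(*fields))
    return entries

def _rank(domain, user, groups):
    # Precedence of an entry for this user (0 is strongest), or None if it
    # does not apply at all.
    if domain == user:
        return 0
    if user == "root":  # group and wildcard limits are not applied to root
        return None
    if domain.startswith("@") and domain[1:] in groups:
        return 1
    return 2 if domain == "*" else None

def effective_limit(entries, user, groups, item):
    """Return (soft, hard) value strings for item; None where nothing matched."""
    best = {"soft": (None, 99), "hard": (None, 99)}  # (value, rank)
    for e in entries:
        rank = _rank(e.domain, user, groups)
        if e.item != item or rank is None:
            continue
        for kind in (("soft", "hard") if e.ltype == "-" else (e.ltype,)):
            if rank <= best[kind][1]:
                best[kind] = (e.value, rank)
    return best["soft"][0], best["hard"][0]

# Constructed sample built from the example entries shown above.
SAMPLE = """
* soft core 0
root hard core 100000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
"""
```

For a real audit, feed it the concatenated contents of /etc/security/limits.conf and the files in /etc/security/limits.d in that order.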
Command line
help
ulimit: usage: ulimit [-SHacdefilmnpqrstuvx] [limit]
Options:
- -S Set a soft limit for the given resource.
- -H Set a hard limit for the given resource.
- -a All current limits are reported.
- -c The maximum size of core files created.
- -d The maximum size of a process’s data segment.
- -e The maximum scheduling priority (“nice”)
- -f The maximum size of files created by the shell (default option).
- -i The maximum number of pending signals.
- -l The maximum size that can be locked into memory.
- -m The maximum resident set size.
- -n The maximum number of open file descriptors.
- -p The pipe buffer size.
- -q The maximum number of bytes in POSIX message queues.
- -r The maximum real-time scheduling priority.
- -s The maximum stack size.
- -t The maximum amount of cpu time in seconds.
- -u The maximum number of processes available to a single user.
- -v The maximum amount of virtual memory available to the process.
- -x The maximum number of file locks.
demo
# Show all current limits
ulimit -a
# Show the maximum number of open files
ulimit -n
# Temporary setting: maximum number of open files is 65535 (lost on reboot)
ulimit -SHn 65535
# Do not limit the core file size
ulimit -c unlimited
Making ulimit take effect
Temporary setting
Set the maximum number of open files to 65535 (lost on reboot):
ulimit -SHn 65535
Permanent setting
- Write it into /etc/security/limits.d or /etc/security/limits.conf.
- Since the limit takes effect per SSH session, it can also be written into /etc/profile:
# Configure (the last two commands are idempotent variants of the first two)
echo "ulimit -n 204800" >> /etc/profile
echo "ulimit -c unlimited" >> /etc/profile
egrep "^ulimit -n 204800" /etc/profile >& /dev/null || echo "ulimit -n 204800" >> /etc/profile
egrep "^ulimit -c unlimited" /etc/profile >& /dev/null || echo "ulimit -c unlimited" >> /etc/profile
Apply:
source /etc/profile
Configuring via the command line (here for the user es):
cp /etc/security/limits.conf /etc/security/limits.conf.raw
sed -i '/^es .*nofile/d' /etc/security/limits.conf
echo "es soft nofile 204800" >> /etc/security/limits.conf
echo "es hard nofile 204800" >> /etc/security/limits.conf
Limit example
Limit the user xiexianbin to 1 minute of CPU time by configuring limits.conf:
$ cat /etc/security/limits.conf
xiexianbin hard cpu 1
This is equivalent to ulimit -t 60.
- Run the CPU stress script to saturate one CPU:
bash cpu_usage.sh consume 1
Its pid is 15274:
$ strace -p 15274
strace: Process 15274 attached
+++ killed by SIGKILL +++
Explanation: