This post outlines how a Linux System administrator can limit the allowed number of processes for each user of the Operating System. There are two places where the maximum number of process allowed (nproc) can be configured.
- /etc/security/limits.conf
- /etc/security/limits.d/90-nproc.conf ( CentOS/RHEL 5,6 ) and /etc/security/limits.d/20-nproc.conf ( CentOS/RHEL 7 )
from the man page of pam_limits
Viewing Current nproc soft/hard limits
The Red Hat Enterprise Linux system uses two types of values to define the limits: soft and hard. The difference is that the ‘soft’ limit can be adjusted up to the ‘hard’ limit while ‘hard’ limit can only be lessened and it is the maximum resource limit a user may have.
Whenever a user runs a “ulimit -n” command, it will be presented with the “soft” limit. Hence, if the ‘/etc/security/limits.conf’ file has a hard value set, it will not be presented by default.
– To view soft limits, use the below command:
# ulimit -u -S
– Similarly, to view hard limits, use the below command:
# ulimit -u -H
How to set nproc (Hard and Soft) Limits
1. Setting soft nproc limits temporarily
The ‘soft’ limit can be adjusted upon the ‘hard’ limit with the below where N is less or equal of the ‘hard’ limit.
# ulimit -n N
For example:
# ulimit -n 1024
The above value is not permanent and will not persists across re-logins. You can make an entry of the above command in the users bash profile so that the limit is set every time user logins.
# vim ~/.bash_profile ulimit -n 1024
2. Setting nproc hard/soft limits permanently
– To set the nproc limit to unlimited system wide, the file /etc/security/limits.d/90-nproc.conf (RHEL5, RHEL6), /etc/security/limits.d/20-nproc.conf (RHEL7) should read. By default, the rules are read from the/etc/security/limits.conf file.
– Additionally, you can create individual configuration files in the /etc/security/limits.d directory specifically for certain applications or services.
– A default limit of user processes is defined in the file /etc/security/limits.d/90-nproc.conf (RHEL5, RHEL6), /etc/security/limits.d/20-nproc.conf (RHEL7), to prevent malicious denial of service attacks, such as fork bombs.
To set a hard/soft limit of nproc, use the below syntax.
# vi /etc/security/limits.conf [domain] [type] [item] [value]
Here,
[domain] can be a username, a group name, or a wildcard entry.
[type] denotes the type of the limit and it can have the following values:
- soft: This is a soft limit which can be changed by user
- hard: This is a cap on soft limit set by super user and enforced by kernel
[item] is the resource to set the limit for.
Examples of setting nproc limits
Below are a few examples of setting nproc values using the files /etc/security/limits.conf file and the /etc/security/limits.d/90-nproc.conf (RHEL5, RHEL6), /etc/security/limits.d/20-nproc.conf (RHEL7):
1. In the example below nproc limit is set as 2047 as there is a hard limit of 2047 in limits.conf.
# cat /etc/security/limits.conf | grep nproc | grep -v ^# test hard nproc 2047 test soft nproc 16384
# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^# * soft nproc 1024 root soft nproc unlimited test soft nproc 10023
# ulimit -u 2047
2. Here 1022 is used because the last entry is “test soft nproc 1022”, maximum hard limit would be “1025”.
# cat /etc/security/limits.conf | grep nproc | grep -v ^# test hard nproc 2048 test soft nproc 16384
# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^# * soft nproc 1024 * hard nproc 1025 root soft nproc unlimited test hard nproc 1025 test soft nproc 1022
# ulimit -u 1022
3. Here 1025 is used because “test hard nproc 1025” is set, “test soft nproc 1066” is being used because the soft limit exceeds the hard limit.
# cat /etc/security/limits.conf | grep nproc | grep -v ^# test hard nproc 1001 test soft nproc 16384
# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^# * soft nproc 1024 * hard nproc 1025 root soft nproc unlimited test hard nproc 1025 test soft nproc 1066
# ulimit -u 1025
4. Here 1066 is used because the last entry is “test soft nproc 1066” and 1066 does not exceed the hard limit.
# cat /etc/security/limits.conf | grep nproc | grep -v ^# test hard nproc 1001 test soft nproc 16384
# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^# * soft nproc 1024 * hard nproc 1025 root soft nproc unlimited test hard nproc 1100 test soft nproc 1066
# ulimit -u 1066