How does OS honor user limits configured in /etc/security/limits.conf since setrlimit is process based?

StackOverflow https://stackoverflow.com/questions/9765793

Question

I noted that in /etc/security/limits.conf, the limits are configured on a per user basis (or per group basis), for example: @faculty hard nproc 50

I assume that it is setrlimit that does the work to set limits, but setrlimit works on a process basis, that is, it only sets resource limits on its calling process. So since it can't set limits on a user, how can the OS honor resource limits configured in limits.conf?

Another question: if a certain process exceeds its resource quota, will it be killed? If so, by what signal? Thank you.

Solution

You can set hard and soft limits, per user/group. To be able to change its own hard limit the process needs to be privileged (root). What happens when a process attempts to exceed its soft limit depends on the resource:

  1. data limit - malloc and new would fail
  2. open files - creation of a file descriptor fails (open, creat, socket, accept, etc.)
  3. core - core file would be truncated
  4. file size - SIGXFSZ is delivered to the offending thread
  5. stack - SIGSEGV is delivered to the offending thread
  6. etc.

Look at the setrlimit manpage for more information.

In limits.conf you assign limits per process for a specified user/group. So if you set a 10MiB stack limit for user X, it means that each and every process executed with user X credentials has a 10MB stack limit set. It is not a limit that describes 'a sum of resources' for all processes owned by user X.
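The following C program is an added example, not part of the original answer. It shows the two behaviours described above on Linux: a limit set with setrlimit is a per-process attribute that children inherit across fork (so a limit applied once to a user's session process reaches every process started from it), and exceeding the open-files soft limit makes open() fail with EMFILE rather than killing the process. The value 16 and all function names are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_SOFT_NOFILE 16 /* constructed value, small enough for an exit status */

/* Lower only the soft limit of the calling process; no privilege needed. */
static int lower_soft_nofile(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = DEMO_SOFT_NOFILE;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Run fn in a forked child and return its exit status, or -1 on failure. */
static int run_in_child(int (*fn)(void)) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn());
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Report the soft RLIMIT_NOFILE of whichever process calls this. */
static int report_soft_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? (int)rl.rlim_cur : 255;
}

/* Child lowers its limit, then forks a grandchild that only reads its own. */
static int set_then_fork(void) {
    return lower_soft_nofile() == 0 ? run_in_child(report_soft_limit) : 255;
}

/* Child lowers its limit, then opens files until the kernel refuses. */
static int open_until_refused(void) {
    if (lower_soft_nofile() != 0) return 255;
    for (int i = 0; i < 1024; i++)
        if (open("/dev/null", O_RDONLY) < 0) return errno;
    return 0;
}

int main(void) {
    printf("grandchild inherited soft limit: %d\n", run_in_child(set_then_fork));
    printf("errno at the limit (EMFILE=%d): %d\n", EMFILE, run_in_child(open_until_refused));
    return 0;
}
```

The process that calls run_in_child keeps its own limit, because setrlimit in the child changed only the child and its descendants.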

OTHER TIPS

As already answered, the OS honors user limits per process, not per user.

Should you want the limits to apply to all processes belonging to a user, you can use control cgroups:

http://en.wikipedia.org/wiki/Cgroups

From man setrlimit

RLIMIT_NPROC The maximum number of processes (or, more precisely on Linux, threads) that can be created for the real user ID of the calling process. Upon encountering this limit, fork(2) fails with the error EAGAIN.

As you can see, setrlimit can set limits on the user of the calling process. So it can set limits on a user through the calling process of that user.

To your second question, in a few instances, the kernel does not allow a process to exceed its limit in the first place. In the above example, fork() itself fails rather than killing the calling process after allocating more resources. In some instances, for example in CPU usage, when the process exceeds its SOFT_LIMIT, a SIGXCPU is sent. And when it exceeds its HARD_LIMIT, SIGKILL is sent.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow