How does OS honor user limits configured in /etc/security/limits.conf since setrlimit is process based?
Domanda
I noted that in /etc/security/limits.conf, the limits are configured on a per user basis (or per group basis), for example: @faculty hard nproc 50
I assume that it is setrlimit that does the work to set limits, but setrlimit works on a process basis, that is, it only sets resource limits on its calling process, so since it can't set limits on user, how can OS honor resource limits configured in limits.conf?
Another question, If a certain process exceeds its resource quota, will it be killed? If so, by what signal? Thank you.
Soluzione
You can set hard and soft limits, per user/group. To be able to change its own hard limit the process needs to be privileged (root). What happens when process attempts to exceed its soft limit depends on the resourse:
- data limit -
malloc
andnew
would fail - open files - creation of file descriptor failes (open, creat, socket, accept, etc.)
- core - core file would be truncated
- file size - SIGXFSZ is delivered to offending thread.
- stack - SIGSEGV delivered to offending thread
- etc.
Look on setrlimit manpage for more information.
In limits.conf you assign limits per process for a specified user/group. So if you set 10MiB stack limit for user X it means that each and every process executed with user X credentials has 10MB stack limit set. It is not a limit that describes 'a sum of resources' for all processes owned by user X
Altri suggerimenti
As already answered, the OS honors user limits per process, not per user.
Should you want the limits to apply to all processes belonging to a user, you can use control cgroups:
From man setrlimit
RLIMIT_NPROC The maximum number of processes (or, more precisely on Linux, threads) that can be created for the real user ID of the calling process. Upon encountering this limit, fork(2) fails with the error EAGAIN.
As you can see, setrlimit
can set limits on the user of the calling process. So it can set limits on a user through the calling process of that user.
To your second question, in a few instances, the kernel does not allow a process to exceed its limit in the first place. In the above example, fork()
itself fails rather than killing the calling process after allocating more resources. In some instances, for example in CPU usage , when the process exceeds its SOFT_LIMIT
, a SIGXCPU
is sent. And when it exceeds its HARD_LIMIT
, SIGKILL
is sent