We ran into a problem: the ulimit values set in limits.conf did not take effect by default when logging in over SSH. Only after switching to the same user ID again with `su -` were the ulimit values we had set applied. We hit this on both kylinOS and BClinux; this is a record of the configuration on BClinux.
Most systems do not have the PAM module enabled, so the ulimit values set in limits.conf do not take effect.

# uname -a
Linux dev-zcloud-node1 5.10.0-153.24.0.100.6.oe2203sp2.bclinux.aarch64 #1 SMP Thu Nov 23 11:11:44 CST 2023 aarch64 aarch64 aarch64 GNU/Linux
# cat /etc/*release
BigCloud Enterprise Linux For Euler release 22.10U2 LTS
BigCloud Enterprise Linux For Euler release 22.10U2 LTS
NAME="BigCloud Enterprise Linux"
VERSION="22.10U2 LTS"
ID="bclinux"
VERSION_ID="22.10U2"
PRETTY_NAME="BigCloud Enterprise Linux For Euler 22.10U2 LTS"
ANSI_COLOR="0;31"
BigCloud Enterprise Linux For Euler release 22.10U2 LTS
# cat /etc/ssh/sshd_config|egrep -v '^#'|egrep -v '^$'|grep -i pam
UsePAM yes
# cat /etc/pam.d/sshd
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
# vi /etc/pam.d/sshd
# append
session required pam_limits.so
# cat /etc/pam.d/system-auth | grep "pam_limits.so"
session required pam_limits.so
# ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 122885
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 122885
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
# ulimit -n 4096
# ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 122885
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 4096
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 122885
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
# su - root
# ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 122885
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 4096
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 122885
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
# ssh root@172.20.23.204
# ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 122885
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 122885
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Note: the limit did not take effect for the SSH login.
# vi /etc/security/limits.conf
# append
root soft nofile 4096
root hard nofile 4096
# ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 122885
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 4096
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 122885
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
# ssh root@172.20.23.204
# ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 122885
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 4096
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 122885
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
By default /etc/security/limits.conf is loaded, but it can be overridden by configuration placed in /etc/security/limits.d/*.conf.
Summary
Make sure /etc/ssh/sshd_config contains UsePAM yes, that /etc/pam.d/sshd contains session required pam_limits.so, and add the user's ulimit settings to /etc/security/limits.conf.
The pam_limits PAM module sets limits on the system resources a user session can obtain. When the system is accessed over SSH through the sshd service, the /etc/pam.d/sshd policy file is consulted; when you log in through the /bin/login program, /etc/pam.d/login is consulted. Because the PAM module was not configured correctly, /etc/security/limits.d/*.conf and /etc/security/limits.conf were never loaded, which is why the limits did not take effect over SSH (on this host /etc/pam.d/sshd includes password-auth, not system-auth, so the pam_limits line found in system-auth is never reached by an SSH login). The line above must be added to /etc/pam.d/login, system-auth, password-auth or sshd, depending on which file the login path actually reads.
Besides the above, remember to check whether .bashrc and .bash_profile in the user's HOME (~) directory, or /etc/profile, also set ulimit.
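To audit which modules an SSH login actually reaches, the following added script (not from the original post) resolves a PAM service's session stack through include/substack directives and reports whether pam_limits.so is ever hit. It works on a constructed copy of the page's /etc/pam.d/sshd layout; PAMDIR and the sample files are assumptions, and setting PAMDIR=/etc/pam.d points it at a real host.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the "session" stack of a
# PAM service file, following include/substack directives, and report whether
# pam_limits.so is ever reached. PAMDIR and the sample files are constructed so
# the check runs offline; set PAMDIR=/etc/pam.d to audit a real host instead.
PAMDIR="${PAMDIR:-$(mktemp -d)}"

# Constructed copy of the situation on the page: sshd includes password-auth,
# while the only pam_limits line is in system-auth, which sshd never includes.
cat > "$PAMDIR/sshd" <<'EOF'
session required pam_selinux.so close
session required pam_loginuid.so
session include password-auth
session include postlogin
EOF
printf 'session required pam_unix.so\n' > "$PAMDIR/password-auth"
printf 'session required pam_limits.so\n' > "$PAMDIR/system-auth"
printf 'session optional pam_lastlog.so\n' > "$PAMDIR/postlogin"

# session_modules <service> [depth]: print each module in the session stack of
# <service>, descending into include/substack targets (depth-limited for loops).
session_modules() {
    [ "${2:-0}" -le 8 ] || return 0
    [ -r "$PAMDIR/$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$PAMDIR/$1" |
    while read -r ptype ctrl mod rest; do
        [ "${ptype#-}" = "session" ] || continue      # "-session" marks an optional line
        case "$ctrl" in                               # "[a=b c=d] module" control syntax
            "["*) mod=$(printf '%s %s\n' "$mod" "$rest" |
                        sed 's/^[^]]*][[:space:]]*//; s/[[:space:]].*//') ;;
        esac
        case "$ctrl" in
            include|substack) session_modules "$mod" $((${2:-0} + 1)) ;;
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# has_pam_limits <service>: exit 0 when pam_limits.so is in the session stack.
has_pam_limits() {
    session_modules "$1" | grep -qxF 'pam_limits.so'
}

if has_pam_limits sshd; then
    echo "sshd: pam_limits.so is reached, limits.conf will apply to SSH logins"
else
    echo "sshd: pam_limits.so never reached, add 'session required pam_limits.so'"
fi
```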
Note: systemd ignores the limits set in /etc/security/limits.conf or /etc/security/limits.d/*.conf; ulimit and systemd conflict here.
Almost all Linux distributions are now moving from init or upstart to systemd.
Notes on service-specific changes when systemd is the init system
When a service is started by systemd, it does not honour the ulimit values defined for the process owner. systemd provides its own variables (such as LimitNOFILE and LimitNPROC) for setting process limits.
You need to create an override file under systemd. For example, if the service is named nginx, the file is /etc/systemd/system/nginx.service.d/override.conf, which this command opens for editing:
systemctl edit nginx.service
Next, add the following to set the open files limit to 8192:
[Service]
LimitNOFILE=8192
Adjust 8192 to the file descriptor (FD) limit you need. To use the maximum supported value, set LimitNOFILE=infinity instead of LimitNOFILE=8192. Then reload the changes with systemctl:
systemctl daemon-reload
# Reload nginx server #
systemctl restart nginx
Checking that it took effect
After changing a ulimit setting, the process must be restarted for the new value to apply. You can view the current limits of a running process through the /proc filesystem or with prlimit, for example:
prlimit -p $(</var/run/nginx/nginx.pid) | grep 'open'
On Linux you can also check file descriptor limits in these two places:
- For a single process: cat /proc/<PID>/limits (replace <PID> with the process ID)
- System-wide default: cat /proc/sys/fs/file-max
You can of course also combine the prlimit command with ps or pidof.
To edit a service's FD limit:
systemctl edit <service-name-here>.service
Set LimitNOFILE:
[Service]
LimitNOFILE=65536
To view a service's effective FD limit:
systemctl show <service-name-here>.service -p LimitNOFILE
Reload the service FD limit:
systemctl daemon-reload
systemctl restart <service-name-here>.service
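The verification step above is easy to automate. This added script (not from the original post) reads the "Max open files" row of a /proc/<PID>/limits file and compares it with the LimitNOFILE value in a systemd drop-in, so a process that was never restarted after daemon-reload is flagged; both inputs are constructed copies, and WORK and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: read the "Max open files" row of
# a /proc/<PID>/limits file and compare it with LimitNOFILE in a systemd drop-in,
# which is how you confirm that a restart actually applied the new limit.
# Both inputs are constructed copies; WORK and the file names are assumptions.
WORK="$(mktemp -d)"
cat > "$WORK/limits" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             122885               122885               processes
EOF
cat > "$WORK/override.conf" <<'EOF'
[Service]
LimitNOFILE=8192
EOF

# nofile_soft / nofile_hard <limits-file>: the numbers ulimit -n / ulimit -Hn show
nofile_soft() { awk '/^Max open files/ { print $4 }' "$1"; }
nofile_hard() { awk '/^Max open files/ { print $5 }' "$1"; }

# dropin_nofile <override.conf>: last LimitNOFILE= inside the [Service] section
# (a value placed under another section header is ignored by systemd).
dropin_nofile() {
    awk -F= '/^\[/ { in_svc = ($0 == "[Service]"); next }
             in_svc && $1 == "LimitNOFILE" { v = $2 } END { print v }' "$1"
}

# limit_applied <limits-file> <override.conf>: exit 0 when the running process
# already carries the configured limit. systemd sets soft and hard to the same
# value; "infinity" is resolved to a number at service start, so for infinity
# only soft == hard is checked (compare against fs.nr_open for a stricter test).
limit_applied() {
    want=$(dropin_nofile "$2"); soft=$(nofile_soft "$1"); hard=$(nofile_hard "$1")
    [ -n "$want" ] || return 2                     # nothing configured in [Service]
    if [ "$want" = infinity ]; then
        [ "$soft" = "$hard" ]
    else
        [ "$soft" = "$want" ] && [ "$hard" = "$want" ]
    fi
}

if limit_applied "$WORK/limits" "$WORK/override.conf"; then
    echo "limit in effect"
else
    echo "process still has soft=$(nofile_soft "$WORK/limits"); daemon-reload and restart it"
fi
```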
— over —