limits.conf解释及应用

Date: 2007-01-15  Source: 适兕

File: Linux-PAM-0.99.6.3-docs.tar.gz
Size: 452KB
What exactly is the information configured in /etc/security/limits.conf used for?

read the fuck man

limits.conf(5) - Linux man page


 

NAME 

limits.conf - configuration file for the pam_limits module

DESCRIPTION 

The syntax of the lines is as follows:

<domain> <type> <item> <value>

The fields listed above should be filled as follows:

<domain>
    • a username
    • a groupname, with @group syntax. This should not be confused with netgroups.
    • the wildcard *, for default entry.
    • the wildcard %, for maxlogins limit only, can also be used with %group syntax.

<type>
    hard
        for enforcing hard resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
    soft
        for enforcing soft resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-existing hard limits. The values specified with this token can be thought of as default values, for normal system usage.
    -
        for enforcing both soft and hard resource limits together.

    Note, if you specify a type of '-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc.

<item>
    core          limits the core file size (KB)
    data          maximum data size (KB)
    fsize         maximum filesize (KB)
    memlock       maximum locked-in-memory address space (KB)
    nofile        maximum number of open files
    rss           maximum resident set size (KB)
    stack         maximum stack size (KB)
    cpu           maximum CPU time (minutes)
    nproc         maximum number of processes
    as            address space limit
    maxlogins     maximum number of logins for this user
    maxsyslogins  maximum number of logins on system
    priority      the priority to run user process with (negative values boost process priority)
    locks         maximum locked files (Linux 2.4 and higher)
    sigpending    maximum number of pending signals (Linux 2.6 and higher)
    msgqueue      maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
    nice          maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
    rtprio        maximum realtime priority allowed for non-privileged processes (Linux 2.6.12 and higher)

In general, individual limits have priority over group limits, so if you impose no limits for the admin group, but one of the members in this group has a limits line, the user will have its limits set according to this line.

Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session.

In the limits configuration file, the '#' character introduces a comment - after which the rest of the line is ignored.

The pam_limits module does its best to report configuration problems found in its configuration file via syslog(3).

EXAMPLES 

These are some example lines which might be specified in /etc/security/limits.conf.

    *          soft    core        0
    *          hard    rss         10000
    @student   hard    nproc       20
    @faculty   soft    nproc       20
    @faculty   hard    nproc       50
    ftp        hard    nproc       0
    @student   -       maxlogins   4
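
To check which of these lines an account actually ends up with, the precedence rule from the DESCRIPTION (user entries over group entries over the `*` default) can be applied mechanically. The following is an added example, not code from pam_limits or from the original post; the accounts `alice` and `carol`, the function names, and the rule that the later of two equally specific lines wins are assumptions of this sketch.

```python
# Added example, not part of pam_limits: resolve which limits.conf lines
# apply to one account. Tie-breaking between equally specific lines
# (last one wins) is an assumption of this sketch.
RANK = {"user": 0, "group": 1, "wildcard": 2}  # lower rank = more specific

# The EXAMPLES lines from the man page quoted above.
MAN_PAGE_EXAMPLES = """\
* soft core 0
* hard rss 10000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
"""

def parse_limits(text):
    """Yield [domain, type, item, value] for each well-formed line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # '#' starts a comment
        if len(fields) == 4 and fields[1] in ("soft", "hard", "-"):
            yield fields

def match(domain, user, groups):
    """Classify how a <domain> field matches the account, or None."""
    if domain == "*":
        return "wildcard"
    if domain.startswith("@"):
        return "group" if domain[1:] in groups else None
    return "user" if domain == user else None  # '%' (maxlogins) not modelled

def effective_limits(text, user, groups):
    """Return {item: {"soft"|"hard": (value, source)}} for one account."""
    result = {}
    for domain, typ, item, value in parse_limits(text):
        src = match(domain, user, groups)
        if src is None:
            continue
        for kind in (("soft", "hard") if typ == "-" else (typ,)):
            current = result.setdefault(item, {}).get(kind)
            if current is None or RANK[src] <= RANK[current[1]]:
                result[item][kind] = (value, src)
    return result

if __name__ == "__main__":
    # "alice" and her group membership are constructed sample input.
    print(effective_limits(MAN_PAGE_EXAMPLES, "alice", {"student"}))
    print(effective_limits(MAN_PAGE_EXAMPLES, "ftp", {"student"}))
```

With the man page's lines, `ftp` keeps its own `nproc 0` even if it is also a member of `student`, which is the case the DESCRIPTION singles out.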

SEE ALSO 

pam_limits(8), pam.d(5), pam(8)

AUTHOR 

pam_limits was initially written by Cristian Gafton <[email protected]>

http://www.die.net/doc/linux/man/man5/limits.conf.5.html

Below is a concrete configuration of the system limit on the maximum number of open files (http://kbase.redhat.com/faq/FAQ_80_1540.shtm):

The current setting for maximum number of open files can be viewed with the command:

    ulimit -n

This number indicates the maximum number of files normal users (i.e. non-root) can have open in a single session. Note that for the root user, ulimit -n will sometimes output 1024 even after following the procedure to increase the maximum number of open files. This won't affect root's ability to open large numbers of files, as only normal users are bound by this value.

To increase the maximum number of open files beyond the default of 1024, two changes to the system may be necessary. In these examples, we will increase the maximum number of open files to the arbitrary value of 2048. All changes need to be made by the root user and users will need to log out and log back in before the changes will take effect.
  1. Configure the system to accept the desired value for maximum number of open files

    Check the value in /proc/sys/fs/file-max to see if it is larger than the value needed for the maximum number of open files:

    # cat /proc/sys/fs/file-max

    If the value isn't large enough, echo an appropriate number into the variable and add the change to /etc/sysctl.conf to make it persistent across reboots. If the number is already larger than the value you wish to use, skip to step 2.

    # echo 2048 > /proc/sys/fs/file-max

    and edit /etc/sysctl.conf to include the line:

    fs.file-max = 2048

  2. Set the value for maximum number of open files

    In the file /etc/security/limits.conf, below the commented line that reads

    #<domain> <type> <item> <value>

    add this line:

    * - nofile 2048

    This line sets the default number of open file descriptors for every user on the system to 2048. Note that the "nofile" item has two possible limit values under the <type> header: hard and soft. Both types of limits must be set before the change in the maximum number of open files will take effect. By using the "-" character, both hard and soft limits are set simultaneously.

    The hard limit represents the maximum value a soft limit may have and the soft limit represents the limit being actively enforced on the system at that time. Hard limits can be lowered by normal users, but not raised and soft limits cannot be set higher than hard limits. Only root may raise hard limits.

When increasing file limit descriptors, you may want to simply double the value. For example, if you need to increase the default value of 1024, increase the value to 2048 first. If you need to increase it again, try 4096, etc.
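
What hitting the nofile limit looks like to a running process, together with the soft/hard rule just described, can be observed safely in a throwaway child process. This is an added example, not part of the quoted Red Hat article or of the original post; the function name `probe_nofile` and the value 64 are choices made for this sketch, and it assumes a Linux system with `/dev/null`.

```python
import errno
import json
import os
import resource

def probe_nofile(soft):
    """Fork a child, cap its soft nofile limit at `soft`, report what happens."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: limit changes made here die with it
        try:
            os.close(rd)
            _, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
            resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
            report, fds = {}, []
            try:
                while True:  # keep opening until the kernel refuses
                    fds.append(os.open("/dev/null", os.O_RDONLY))
            except OSError as exc:
                report["error"] = errno.errorcode[exc.errno]
                report["message"] = exc.strerror
            report["highest_fd"] = max(fds) if fds else None
            for fd in fds:
                os.close(fd)
            # Lowering the hard limit is always allowed ...
            resource.setrlimit(resource.RLIMIT_NOFILE, (soft, soft))
            try:  # ... but a soft limit above the hard limit is refused
                resource.setrlimit(resource.RLIMIT_NOFILE, (soft + 1, soft))
                report["soft_above_hard"] = "accepted"
            except ValueError:
                report["soft_above_hard"] = "rejected"
            os.write(wr, json.dumps(report).encode())
        finally:
            os._exit(0)
    os.close(wr)
    data = os.read(rd, 4096)
    os.close(rd)
    os.waitpid(pid, 0)
    return json.loads(data)

if __name__ == "__main__":
    # 64 is an arbitrary small value chosen so the limit is hit quickly.
    print(probe_nofile(64))
```

The symptom is an `EMFILE` error ("Too many open files") from `open()`, which is also the string to look for in application and daemon logs when a service runs into its nofile limit.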

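It is still the Linux kernel that controls everything; this is merely the configuration of one of its modules. pam_limits modules. Read the docs!
linux-pam. This is how the documentation at www.kernel.org describes it: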

The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of uid=0 are affected by these limits, too.
By default limits are taken from the /etc/security/limits.conf config file.


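Yes, I can go and learn how it works, but if the system is actually running in production and something exceeds one of these limits, what will happen to the system? What are the symptoms?

And this is exactly a paradox: I need experience to recognize the surface symptoms before I can prescribe the right remedy; without experience, how do I judge a symptom? By knowledge!
Reading on, this is what I can understand at the limit of my current ability: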

Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users.

In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves.

Historically an application that has required a given user to be authenticated, has had to be compiled to use a specific authentication mechanism. For example, in the case of traditional UN*X systems, the identity of the user is verified by the user entering a correct password. This password, after being prefixed by a two character "salt", is encrypted (with crypt(3)). The user is then authenticated if this encrypted password is identical to the second field of the user's entry in the system password database (the /etc/passwd file). On such systems, most if not all forms of privileges are granted based on this single authentication scheme. Privilege comes in the form of a personal user-identifier (UID) and membership of various groups. Services and applications are available based on the personal and group identity of the user. Traditionally, group membership has been assigned based on entries in the /etc/group file.

It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated. This PAM library is configured locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/) to authenticate a user request via the locally available authentication modules. The modules themselves will usually be located in the directory /lib/security or /lib64/security and take the form of dynamically loadable object files (see dlopen(3)).

So, once I understand PAM, will I understand the whole Linux authentication process? Who can give me the answer?

Below is a PPT I found online by a professor from Taiwan; for those of us with poor English it is nothing short of a godsend!
File: pam.ppt.tar.gz
Size: 17KB