| 3/14/2007
-- Every administrator has at least one user who just seems bring your system/network/nerves down to a crawl. While they may not intentionally mean to do so, it often is a manifestation of their tying up processes and trying to do things that they aren't fully fluent with.
There are many ways to restrict what users can and cannot do. One of these is with the ulimit command. I tend to think of it as a poor admin's best solution since it is simple to do and is included in the bash shell. The beauty of it being a part of the shell is that you can include it in the individual user's profile and have it apply to them, or place your restrictions in /etc/profile and have them apply to all users.
It is important to know that ulimit does not limit storage space --- that is the domain of the quota series of commands. Instead, ulimit is intended to govern processes and you can limit them in three ways: unlimited (the default), hard limited (the user cannot exceed), soft limited (the user may barely exceed). Whether the limit you place is hard or soft is based solely on whether you use the –H or –S parameter.
A complete list of the parameters that can be set can be found in the man file for bash, and so the following discussion is not intended to be complete. Instead, I am showing examples of some of the best uses of this function.
Seeing What Is Currently Set
To see what limits are currently set, type ulimit at the command line. If there are no hard or soft restrictions set, the response returned will simply be “unlimited." This does not mean there are not limits, however, and you've got to be careful to not fall into the trap of thinking this way. Type ulimit –a and a list all restrictions will be shown. This is a much more useful response, and will resemble the following:
| core file size |
(blocks, -c) |
0 |
| |
|
|
| data seg size |
(kbytes, -d) |
unlimited |
| |
|
|
| file size |
(blocks, -f) |
unlimited |
| |
|
|
| max locked memory |
(kbytes, -l) |
32 |
| |
|
|
| max memory size |
(kbytes, -m) |
unlimited |
| |
|
|
| open files |
(-n) |
1024 |
| |
|
|
| pipe size |
(512 bytes, -p) |
8 |
| |
|
|
| stack size |
(kbytes, -s) |
unlimited |
| |
|
|
| cpu time |
(seconds, -t) |
unlimited |
| |
|
|
| max user processes |
(-u) |
2038 |
| |
|
|
| virtual memory |
(kbytes, -v) |
unlimited |
Not only does this give a more realistic picture of the system limitations, but it also includes the parameters you need to use to change any of the settings (thus saving you from having to read the man pages). Those settings you want to cap most often are those related to processes, virtual memory, and file size.
Setting a Value
The easiest way to set a limit is to use the parameter that is needed, and specify the value. For example, to significantly reduce the number of processes a user can have from the default to 100, you can use the command ulimit –u 100 . Interestingly enough, when you type ulimit, you will still get the response “unlimited." Now, however, when you type ulimit –a the response will resemble the following:
| core file size |
(blocks, -c) |
0 |
| |
|
|
| data seg size |
(kbytes, -d) |
unlimited |
| |
|
|
| file size |
(blocks, -f) |
unlimited |
| |
|
|
| max locked memory |
(kbytes, -l) |
32 |
| |
|
|
| max memory size |
(kbytes, -m) |
unlimited |
| |
|
|
| open files |
(-n) |
1024 |
| |
|
|
| pipe size |
(512 bytes, -p) |
8 |
| |
|
|
| stack size |
(kbytes, -s) |
unlimited |
| |
|
|
| cpu time |
(seconds, -t) |
unlimited |
| |
|
|
| max user processes |
(-u) |
100 |
| |
|
|
| virtual memory |
(kbytes, -v) |
unlimited |
Since neither –H nor –S were specified, the value set is both hard and soft. To see that this value has some meaning, however, set it very low on your own session and watch the result: ulimit –u 2 .
Setting Soft Limits
Once set, a hard limit cannot be increased, while a soft limit can be increased until it reaches the value of a hard limit. Assume the maximum user processes is still 2038 (which it can be set back to with ulimit –u 2038 ) and you only want to change the soft limit. The command to give to change only the soft limit is: ulimit –S –u 100 .
Typing in ulimit –a will show the value set at 100 and not really alert you to the fact that this is a soft limit. To see what is going on, type ulimit –H –a and ulimit –S –a and compare the output of both commands: they should be identical except for the number of user processes with the hard limit being 2038 and the soft limit being 100.
To see the difference this makes, try ulimit –S –u 2 and watch the result, comparing it with what happened earlier. You are now allowed to exceed the limit. In fact, you can think of a soft limit as more of a recommendation than a rule in that it does not affect things in nearly the same way.
Setting Hard Limits
As mentioned, a hard limit really is a rule. Once set, it cannot be exceeded.
The two ways to set the hard limit are to not specify anything ( ulimit –u 100 ), which effectively sets both the hard and soft limits, or use the –H parameter: ulimit –H –u 100 .
Miscellaneous Commands
Here are some more commands you will want to explore:
- To set a value to unlimited, use the word itself: ulimit –u unlimited .
- To see only one value, specify that parameter. For example, to see the soft value of user processes, enter: ulimit –Su
- Default values are set in /etc/profile but can -- in some implementations -- also be derivatives of values set in /etc/initscript or /etc/security/limits.conf.
With a little playing around, you'll discover that ulimit is a very powerful tool and it can be just what you need when you are looking for a quick solution to a pesky user problem.
|
