This post outlines how a Linux System administrator can limit the allowed number of processes for each user of the Operating System. There are two places where the maximum number of process allowed (nproc) can be configured.

 

  • /etc/security/limits.conf
  • /etc/security/limits.d/90-nproc.conf ( CentOS/RHEL 5,6 ) and /etc/security/limits.d/20-nproc.conf ( CentOS/RHEL 7 )

from the man page of pam_limits

 

By default, limits are taken from the /etc/security/limits.conf config file. Then individual *.conf files from the /etc/security/limits.d/ directory are read. The files are parsed one after another in the order of “C” locale. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing. If a config file is explicitly specified with a module option then the files in the above directory are not parsed.

 

Viewing Current nproc soft/hard limits

 

The Red Hat Enterprise Linux system uses two types of values to define the limits: soft and hard. The difference is that the ‘soft’ limit can be adjusted up to the ‘hard’ limit while ‘hard’ limit can only be lessened and it is the maximum resource limit a user may have.

Whenever a user runs a “ulimit -n” command, it will be presented with the “soft” limit. Hence, if the ‘/etc/security/limits.conf’ file has a hard value set, it will not be presented by default.

 

– To view soft limits, use the below command:

# ulimit -n -S

 

– Similarly, to view hard limits, use the below command:

# ulimit -n -H

 

How to set nproc (Hard and Soft) Limits

 

1. Setting soft nproc limits temporarily

 

The ‘soft’ limit can be adjusted upon the ‘hard’ limit with the below where N is less or equal of the ‘hard’ limit.

# ulimit -n N

 

For example:

# ulimit -n 1024

 

The above value is not permanent and will not persists across re-logins. You can make an entry of the above command in the users bash profile so that the limit is set every time user logins.

# vim ~/.bash_profile
ulimit -n 1024

 

2. Setting nproc hard/soft limits permanently

 

– To set the nproc limit to unlimited system wide, the file /etc/security/limits.d/90-nproc.conf (RHEL5, RHEL6), /etc/security/limits.d/20-nproc.conf (RHEL7) should read. By default, the rules are read from the/etc/security/limits.conf file.

– Additionally, you can create individual configuration files in the /etc/security/limits.d directory specifically for certain applications or services.

– A default limit of user processes is defined in the file /etc/security/limits.d/90-nproc.conf (RHEL5, RHEL6), /etc/security/limits.d/20-nproc.conf (RHEL7), to prevent malicious denial of service attacks, such as fork bombs.

 

To set a hard/soft limit of nproc, use the below syntax.

 

Here,

[domain] can be a username, a group name, or a wildcard entry.

[type] denotes the type of the limit and it can have the following values:

    • soft: This is a soft limit which can be changed by user
    • hard: This is a cap on soft limit set by super user and enforced by kernel

[item] is the resource to set the limit for.

 

Examples of setting nproc limits

 

Below are a few examples of setting nproc values using the files /etc/security/limits.conf file and the /etc/security/limits.d/90-nproc.conf (RHEL5, RHEL6), /etc/security/limits.d/20-nproc.conf (RHEL7):

 

1. In the example below nproc limit is set as 2047 as there is a hard limit of 2047 in limits.conf.

# cat /etc/security/limits.conf | grep nproc | grep -v ^#
test hard nproc 2047
test soft nproc 16384

 

# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^#
* soft nproc 1024
root soft nproc unlimited
test soft nproc 10023

 

# ulimit -u
2047

 

2. Here 1022 is used because the last entry is “test soft nproc 1022”, maximum hard limit would be “1025”.

# cat /etc/security/limits.conf | grep nproc | grep -v ^#
test hard nproc 2048
test soft nproc 16384

 

# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^#
* soft nproc 1024
* hard nproc 1025
root soft nproc unlimited
test hard nproc 1025
test soft nproc 1022

 

# ulimit -u
1022

 

3. Here 1025 is used because “test hard nproc 1025” is set, “test soft nproc 1066” is being used because the soft limit exceeds the hard limit.

# cat /etc/security/limits.conf | grep nproc | grep -v ^#
test hard nproc 1001
test soft nproc 16384

 

# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^#
* soft nproc 1024
* hard nproc 1025
root soft nproc unlimited
test hard nproc 1025
test soft nproc 1066

 

# ulimit -u
1025

 

4. Here 1066 is used because the last entry is “test soft nproc 1066” and 1066 does not exceed the hard limit.

# cat /etc/security/limits.conf | grep nproc | grep -v ^#
test hard nproc 1001
test soft nproc 16384

 

# cat /etc/security/limits.d/90-nproc.conf | grep nproc | grep -v ^#
* soft nproc 1024
* hard nproc 1025
root soft nproc unlimited
test hard nproc 1100
test soft nproc 1066

 

# ulimit -u
1066

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)