[systemd-devel] systemd user instance and raising limits

[Mantas Mikulėnas]

On Sun, Nov 19, 2017, 22:01 Jeff Solomon <jsolomon8080 at gmail.com> wrote:

> Hi,
>
> Two questions.
>
> I want to raise the "number of files" limits for the user instance.
>
> First, I set DefaultLimitNOFILE to something higher than the global system
> default in /etc/systemd/user.conf and I rebooted.
>
> Then I confirmed that the setting has taken effect:
>
> "systemctl --user show" showed the new DefaultLimitNOFILE and the unit
> itself showed the higher setting of LimitNOFILE when I ran "systemctl
> --user show foo".
>
> So far everything worked as expected.
>
> However, when I checked "cat /proc/<pid>/limits" on the ExecStart process
> of foo.service, I don't see the "number of files" limit has changed.
>
> What did I do wrong?
>
> Second question: if I want to raise the limit just for a single user, how
> would I go about it?
>
> Making a change in user.conf would make it apply in all user instances
> (assuming I could get it to work).
>
> I have found that if I create /etc/systemd/system/user@<uid>.service and
> add LimitNOFILE to the [Service] section of that file, then it will do two
> things. First, it actually works whereas editing user.conf did not. Second,
> the change only applies to user <uid> and not all users.
>
> I assume I'm not getting how systemd is supposed to work. So please
> enlighten me.
>
> Thanks,
>
> Jeff
>


First reason:

Limit* in user at .service is set by init before it starts the user instance.
Init is privileged and can raise limits above the current hard limit. (The
same could be done via pam_limit.)

DefaultLimit* in user.conf is set by the user instance itself, which runs
under your uid and does not have any special privileges. It cannot raise
the limits beyond the current hard limit, just as the `ulimit` command
cannot.

Second reason:

The defaults are for units – not for the service manager itself.

So although the defaults are *read* successfully, they will only be applied
when you start a service.

If you want to raise limits for all users, best to do that via pam_limits.
(Letting --user services have different limits than directly launched
programs is likely to result in confusion.)

If you want to override user at .service, you *do not have* to create an
instance for every uid; you can just have "/etc/systemd/system/user at .service";
that's how it looks in /usr/lib anyway.

Though a better method is to use drop-in configuration to only extend the
service with your new options, while still loading the rest from /usr.
Search the systemd.unit manpage for "drop-in", and put your extensions
in "/etc/systemd/system/user at .service.d/whatever.conf".

> --

Mantas Mikulėnas <grawity at gmail.com>
Sent from my phone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20171119/e0f9d928/attachment.html>