[systemd-devel] systemd user instance and raising limits

Jeff Solomon jsolomon8080 at gmail.com
Mon Nov 20 00:27:16 UTC 2017


Understood.

I didn't think that systemd paid one bit of attention to the settings
controlled by pam_limits?

I'm only interested in a user instance that is lingering and operates
outside of a session.

My goal is that the child processes of the user instance will have limits
that I set. If I understand correctly, if those limits are to be higher
than the system's hard limits, then the user instance itself must have
those higher limits set on it, yes?

I appreciate that the user instance doesn't need higher limits itself and
that it is weird that the children of the user instance will have
different limits than a logged in user, but that's fine.

It seems to me that the only use of the defaults set in
/etc/systemd/user.conf is to further restrict the user instance's children
beyond whatever restrictions are set by the system itself. I had
mistakenly believed that since /etc/systemd/user.conf was a restricted
file, that setting it would override system settings but it doesn't because
it's read by the user instance after it's already running as the user.

Thanks for the tip regarding
/etc/systemd/system/user@.service.d/whatever.conf.

I did previously know that user@.service would work. For my application,
I'm interested in a single special user only however. I don't want these
customizations to apply to all users.

On Sun, Nov 19, 2017 at 12:22 PM, Mantas Mikulėnas <grawity at gmail.com>
wrote:

> On Sun, Nov 19, 2017, 22:01 Jeff Solomon <jsolomon8080 at gmail.com> wrote:
>
>> Hi,
>>
>> Two questions.
>>
>> I want to raise the "number of files" limits for the user instance.
>>
>> First, I set DefaultLimitNOFILE to something higher than the global
>> system default in /etc/systemd/user.conf and I rebooted.
>>
>> Then I confirmed that the setting has taken effect:
>>
>> "systemctl --user show" showed the new DefaultLimitNOFILE and the unit
>> itself showed the higher setting of LimitNOFILE when I ran "systemctl
>> --user show foo".
>>
>> So far everything worked as expected.
>>
>> However, when I checked "cat /proc/<pid>/limits" on the ExecStart process
>> of foo.service, I don't see the "number of files" limit has changed.
>>
>> What did I do wrong?
>>
>> Second question: if I want to raise the limit just for a single user, how
>> would I go about it?
>>
>> Making a change in user.conf would make it apply in all user instances
>> (assuming I could get it to work).
>>
>> I have found that if I create /etc/systemd/system/user@<uid>.service and
>> add LimitNOFILE to the [Service] section of that file, then it will do two
>> things. First, it actually works whereas editing user.conf did not. Second,
>> the change only applies to user <uid> and not all users.
>>
>> I assume I'm not getting how systemd is supposed to work. So please
>> enlighten me.
>>
>> Thanks,
>>
>> Jeff
>>
>
>
> First reason:
>
> Limit* in user@.service is set by init before it starts the user
> instance. Init is privileged and can raise limits above the current hard
> limit. (The same could be done via pam_limits.)
>
> DefaultLimit* in user.conf is set by the user instance itself, which runs
> under your uid and does not have any special privileges. It cannot raise
> the limits beyond the current hard limit, just as the `ulimit` command
> cannot.
>
> Second reason:
>
> The defaults are for units – not for the service manager itself.
>
> So although the defaults are *read* successfully, they will only be
> applied when you start a service.
>
> If you want to raise limits for all users, best to do that via pam_limits.
> (Letting --user services have different limits than directly launched
> programs is likely to result in confusion.)
>
> If you want to override user@.service, you *do not have* to create an
> instance for every uid; you can just have "/etc/systemd/system/user@.service";
> that's how it looks in /usr/lib anyway.
>
> Though a better method is to use drop-in configuration to only extend the
> service with your new options, while still loading the rest from /usr.
> Search the systemd.unit manpage for "drop-in", and put your extensions
> in "/etc/systemd/system/user@.service.d/whatever.conf".
>
>> --
>
> Mantas Mikulėnas <grawity at gmail.com>
> Sent from my phone
>
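
The mismatch discussed in this thread (systemctl --user show reports the raised LimitNOFILE while /proc/<pid>/limits does not) can be checked mechanically. The script below is an added example, not part of either message and not systemd's own tooling; the function names and the sample limits text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect a unit whose configured
# LimitNOFILE is higher than what the kernel applies to its main process.

# Print "soft hard" for "Max open files" from a /proc/<pid>/limits-style file.
nofile_from_limits() {
    awk '/^Max open files/ { print $4, $5 }' "$1" 2>/dev/null
}

# check_nofile WANT LIMITS_FILE
# 0: effective hard limit >= WANT; 1: it is lower (the case in the thread);
# 2: WANT is not a plain number or the file could not be parsed.
check_nofile() {
    want=$1
    case $want in ''|*[!0-9]*) return 2 ;; esac
    set -- $(nofile_from_limits "$2")
    [ $# -eq 2 ] || return 2
    [ "$2" = unlimited ] && return 0
    if [ "$2" -lt "$want" ]; then
        echo "LimitNOFILE=$want configured, effective soft=$1 hard=$2" >&2
        return 1
    fi
    return 0
}

# Live check of a --user unit; run as the user who owns the instance.
check_user_unit() {
    check_nofile "$(systemctl --user show "$1" -p LimitNOFILE --value)" \
        "/proc/$(systemctl --user show "$1" -p MainPID --value)/limits"
}

# Constructed sample: a process that inherited a hard limit of 4096.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max processes             15000                15000                processes
Max open files            1024                 4096                 files
EOF
check_nofile 65536 "$sample" || echo "mismatch (rc=$?)"
```

On a live system, "check_user_unit foo.service" returning 1 means the limit was requested by a process that could not raise the hard limit, which is the user.conf case described above.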