The Underappreciated ulimit
You can think of the ulimit command as a Linux administrator’s best solution for restricting what users can and cannot do. Every Linux admin has at least one user who just seems to know how to bring your system/network/nerves down to a crawl. While they may not mean to do so, it is often the result of their tying up processes and trying to do things that they aren’t fully fluent in.
The ulimit command is simple to use and is built into the bash shell. The beauty of it being a part of the shell is that you can either:
Include ulimit in the individual user’s profile and restrict it to that user.
Place your restrictions in /etc/profile and have them apply to all users.
It is important to know that ulimit does not limit storage space — that is the domain of the quota series of commands. Instead, ulimit is intended to govern processes and you can limit them in three ways:
Unlimited (the default)
Hard limited (the user cannot exceed)
Soft limited (the user may barely exceed).
Whether the limit you place is hard or soft is based solely on whether you use the -H or -S parameter.
A complete list of the parameters that can be set can be found in the man page for bash, but these are some of the best uses of this function.
Seeing what is currently set
To see what limits are currently set, type ulimit at the command line. If there are no hard or soft restrictions set, the response returned will simply be unlimited. This does not mean there are no limits, however, and you’ve got to be careful to not fall into the trap of thinking this way. Type ulimit -a and a list of all restrictions will be shown. This is a much more useful response, and will resemble the following:
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
stack size              (kbytes, -s) unlimited
cpu time               (seconds, -t) unlimited
max user processes              (-u) 2038
virtual memory          (kbytes, -v) unlimited
Not only does this give a more realistic picture of the system limitations, but it also includes the parameters you need to use to change any of the settings (saving you from having to read the man pages). Those settings you want to cap most often are those related to processes, virtual memory, and file size.
Setting a value
The easiest way to set a limit is to use the parameter that is needed, and specify the value. For example, to significantly reduce the number of processes a user can have from the default to 100, you can use the command ulimit -u 100. Interestingly enough, when you type ulimit, you will still get the response “unlimited”, because with no option ulimit reports only the file size limit (-f). Now, however, when you type ulimit -a the response will resemble the following:
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
stack size              (kbytes, -s) unlimited
cpu time               (seconds, -t) unlimited
max user processes              (-u) 100
virtual memory          (kbytes, -v) unlimited
Because neither -H nor -S was specified, the value set is both hard and soft. To see that this value has some meaning, set it very low on your own session with this command and watch the result: ulimit -u 2.
Setting soft limits
Once set, a hard limit cannot be increased, while a soft limit can be increased until it reaches the value of a hard limit. Assume the maximum user processes is still 2038 (which it can be set back to with ulimit -u 2038) and you only want to change the soft limit. The command to give to change only the soft limit is: ulimit -S -u 100.
Typing in ulimit -a will show the value set at 100 and not really alert you to the fact that this is a soft limit. To see what is going on, type ulimit -H -a and ulimit -S -a and compare the output of both commands. They should be identical except for the number of user processes, with the hard limit being 2038 and the soft limit being 100.
To see the difference this makes, try ulimit -S -u 2 and watch the result, comparing it with what happened earlier. You are now allowed to exceed the limit.
Think of a soft limit as more of a recommendation than a rule.
Setting hard limits
A hard limit really is a rule. Once set, it cannot be exceeded.
The two ways to set the hard limit are to either
Not specify anything (ulimit -u 100), which effectively sets both the hard and soft limits
Use the -H parameter: ulimit -H -u 100
To set a value to unlimited, use the word itself: ulimit -u unlimited.
To see only one value, specify that parameter. For example, to see the soft value of user processes, enter: ulimit -Su
Default values are set in /etc/profile but can (in some implementations) also be derivatives of values set in /etc/initscript or /etc/security/limits.conf.
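The comparison of ulimit -H -a with ulimit -S -a described above, and the rule that a soft limit can be raised only as far as the hard limit, can be scripted. This is an added example, not code from the original article; the function names are hypothetical, and the probe uses open files (-n) with constructed values 256 and 512 instead of -u so it is harmless to run in a live session.

```shell
#!/bin/sh
# Added example (not from the original article).
# Option letters to inspect; a letter the running shell rejects is skipped.
RESOURCES="c d f n s t u v"

# Print "-<letter> soft=<value> hard=<value>" for every resource whose soft
# limit differs from its hard limit: the gap a user can still close alone.
soft_hard_diff() {
    for r in $RESOURCES; do
        soft=$(ulimit -S -"$r" 2>/dev/null) || continue
        hard=$(ulimit -H -"$r" 2>/dev/null) || continue
        [ "$soft" = "$hard" ] || echo "-$r soft=$soft hard=$hard"
    done
}

# Check the raise rules on open files (-n) with constructed values
# (soft 256, hard 512). The function body is a subshell, so the caller's
# own limits are left untouched.
probe_soft_vs_hard() (
    ulimit -S -n 256 2>/dev/null && ulimit -H -n 512 2>/dev/null || {
        echo "setup-failed"; exit 1; }
    # Raising the soft limit up to the hard limit is permitted.
    if ulimit -S -n 512 2>/dev/null; then up=ok; else up=refused; fi
    # Raising the soft limit past the hard limit is rejected.
    if ulimit -S -n 513 2>/dev/null; then over=ok; else over=refused; fi
    echo "raise-to-hard=$up raise-above-hard=$over"
)

soft_hard_diff
probe_soft_vs_hard
```

Any line printed by soft_hard_diff marks a resource where a ulimit -S setting in a profile can be undone by the user, so a cap that must hold needs the hard limit set as well.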