Bug 147983

Summary: Release Notes: Suggested ulimit text
Product: [openSUSE] SUSE Linux 10.1 Reporter: Kurt Garloff <garloff>
Component: Release Notes Assignee: Karl Eichwalder <ke>
Status: RESOLVED FIXED QA Contact: Andreas Jaeger <aj>
Severity: Normal    
Priority: P5 - None CC: aj, dmueller, sndirsch, suse-beta
Version: Beta 3   
Target Milestone: Beta 4   
Hardware: All   
OS: SUSE Other   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Kurt Garloff 2006-02-03 13:42:58 UTC
In SUSE Linux 10.1, the package ulimit has been added to the default selection. It makes init start every process via /etc/initscript which
sets resource limits, also called ulimits. These limits are inherited and
thus apply globally. The ulimits can be configured in /etc/sysconfig/ulimit.

By default, only two limits are changed from the system defaults:
(i) SOFTVIRTUALLIMIT=80
This limits a single process to not allocate more than 80% of the available
virtual memory (RAM+swap).
(ii) SOFTRESIDENTLIMIT=85
This limits a single process to not occupy more than 85% of your physical
memory (RAM).

As they are soft limits they can be overridden with the ulimit command by a
user. Hard limits could only be overridden by root.

The defaults have been chosen conservatively to avoid breaking large
processes that have worked before. The limits do provide a moderately
effective way to protect the system from becoming unusably slow by single
processes that allocate excessive amounts of memory. The limits make the 
system kill the process before the Out-Of-Memory killer in the kernel would 
hit and thus make the system recover more quickly.

If there are no legitimate processes with huge memory consumption, it is
advisable to set the limits lower to provide more effective protection against
runaway processes.

Note that the limits are per process and thus not an effective protection
against malicious users (unless you set hard limits for the amount of
processes per user such that the product of it and the allowed per process
memory usage is below the capacity of your system). The limits are meant to
protect against accidental excessive memory usage.

If you want to configure different limits depending on the user, this can be 
achieved by using the pam_limits functionality and configuring 
/etc/security/limits.conf. The ulimit package is not required for that,
but both mechanisms can be used in parallel; the limits configured in
limits.conf do override the global defaults from the ulimit package then.
Comment 1 Andreas Jaeger 2006-02-03 13:56:42 UTC
This is too long.  Karl, can you summarize somehow?  Otherwise ok for me.
Comment 2 Karl Eichwalder 2006-02-03 13:59:03 UTC
Thanks!  I'll try to shorten it (and re-use the text for the SLES Admin Manual).
Comment 3 Karl Eichwalder 2006-02-06 09:38:37 UTC
Please check whether it is short enough and still accurate:

Technical

ulimit Settings

   The ulimit settings can be configured in /etc/sysconfig/ulimit.
   By default, only two limits are changed from the kernel defaults:

     * SOFTVIRTUALLIMIT=80 limits a single process that it does
       not allocate more than 80% of the available virtual memory (RAM
       and swap).
     * SOFTRESIDENTLIMIT=85 limits a single process that it does not occupy
       more than 85% of the physical memory (RAM).

   These soft limits can be overridden with the ulimit command by the user.
   Hard limits could only be overridden by root.

   The values have been chosen conservatively to avoid breaking large
   processes that have worked before. If there are no legitimate processes
   with huge memory consumption, set the limits lower to provide more
   effective protection against run-away processes. The limits are per
   process and thus not an effective protection against malicious users.
   The limits are meant to protect against accidental excessive memory usage.

   To configure different limits depending on the user, use the pam_limits
   functionality and configure /etc/security/limits.conf. The ulimit package
   is not required for that, but both mechanisms can be used in parallel;
   the limits configured in limits.conf override the global defaults from
   the ulimit package.

Comment 4 Andreas Jaeger 2006-02-07 15:47:21 UTC
Fine with me.
Comment 5 Karl Eichwalder 2006-02-07 17:11:59 UTC
Thanks, submitted to /work, probably for beta4
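
The condition from the description (the hard per-user process count times the allowed per-process memory must stay below system capacity) can be checked mechanically. The script below is an added example, not part of this bug report or of the ulimit package; the /proc/meminfo and limits.conf contents and the group names are constructed, and it assumes the per-process bound is the hard `as` item, because a user can raise a soft limit up to the hard one.

```python
# Added example: audit limits.conf-style hard limits against RAM + swap.
# Both sample texts below are constructed for illustration.
MEMINFO = """MemTotal:        2097152 kB
SwapTotal:       1048576 kB
"""
LIMITS_CONF = """# <domain> <type> <item> <value>
@students  hard  nproc  20
@students  hard  as     102400
@staff     hard  nproc  100
@staff     soft  as     524288
@build     hard  nproc  50
@build     hard  as     102400
"""
NO_LIMIT = ("unlimited", "infinity", "-1")

def capacity_kb(meminfo):
    """RAM + swap in KB, parsed from /proc/meminfo-style text."""
    fields = {}
    for line in meminfo.splitlines():
        key, _, rest = line.partition(":")
        if rest.split():
            fields[key] = int(rest.split()[0])
    return fields["MemTotal"] + fields["SwapTotal"]

def hard_limits(conf):
    """Map domain -> {item: value} for hard entries ('-' sets soft and hard).
    Soft-only entries are ignored: the user can raise them."""
    out = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4 and parts[1] in ("hard", "-"):
            out.setdefault(parts[0], {})[parts[2]] = parts[3]
    return out

def worst_case_kb(limits):
    """nproc * per-process address space (KB); None if either is unbounded."""
    vals = [limits.get("nproc"), limits.get("as")]
    if any(v is None or v in NO_LIMIT for v in vals):
        return None
    return int(vals[0]) * int(vals[1])

def audit(meminfo, conf):
    """Verdict per domain: 'ok', 'exceeds' capacity, or 'unbounded'."""
    cap = capacity_kb(meminfo)
    report = {}
    for domain, lim in hard_limits(conf).items():
        worst = worst_case_kb(lim)
        report[domain] = ("unbounded" if worst is None
                          else "ok" if worst < cap else "exceeds")
    return report

if __name__ == "__main__":
    for domain, verdict in audit(MEMINFO, LIMITS_CONF).items():
        print(domain, verdict)
```

Here `@staff` is reported as unbounded even though it has a process cap, because its only memory limit is a soft one.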