Centos – Changes to /etc/security/limits.conf and /etc/security/limits.d/20-nproc.conf have no effect

centosulimit

On a CentOS Linux release 7.1.1503 (Linux kernel version 3.10.x) VM, I added the following lines to both /etc/security/limits.conf and /etc/security/limits.d/20-nproc.conf:

someuser          soft    nofile     8000
someuser          hard    nofileĀ     8000

After rebooting the VM, ulimit -n still reports 4096, and ulimit -n 8000 still results in "-bash: ulimit: open files: cannot modify limit: Operation not permitted".

I'm stumped as to how to increase the open files limit at this point.

Best Answer

The error might occurs due to many reasons.

First of all, Use the following command command to display maximum number of open file descriptors:

$ cat /proc/sys/fs/file-max

Let's pretend the output was 4096, what does it mean? It means, 4096 files a normal user can have open in single login session, you can also display it by checking its Hard and Soft limits by using the commands as follows:

$ ulimit -Hn
$ ulimit -Sn

The number of concurrently open file descriptors throughout the system can be changed by editing /etc/sysctl.conf. You can increase the maximum number of open files by setting system-wide file descriptors limits as a new value in kernel variable in /proc/sys/fs/file-max as follows:

$ sysctl -w fs.file-max=200000     #it forces the limit to 200000 files

Then you should edit /etc/sysctl.conf file so that after reboot the setting will remain as you wished. To do so, add the following lines:

$ fs.file-max = 200000

No need to log out and log back in again, just type:

$ sysctl -p

Then you can verify changes by:

$ cat /proc/sys/fs/file-max

OR

$ sysctl fs.file-max

Then for changing Soft and Hard limits for users, it's better to login as root since a normal user can only change its Soft limit, Hard limits are managed by root. As You've mentioned, for doing it as root you should change User Level File-Discriptor (FD) in /etc/security/limits.conf. For instance if it's for Oracle user:

oracle           soft    nofile          4096
oracle           hard    nofile          63536

For seeing the changes, you do not need to reboot, just reloging via sudo -i and check if it works or not, so you can make sure what the problem is. And for users without login, you should do the following as root:

$ sudo -i -u <user>

BTW, you may be in need of editing /etc/pam.d/login file and add the following line:

$ session required pam_limits.so

pam_limit.so in /etc/pam.d/login means at login time but no on sudo while /etc/pam.d/sudo limits will also be applied when running sudo without "-i", you may also need apply the above changes in /etc/pam.d/system-auth depending on your needs. I recommend you read about PAM modules.

BTW, for instant applying limits to currently running processes you should do the following additionally to changing /etc/security/limits.conf:

$ prlimit

I recommend you read this article from RedHat, since you may face with:

On some Linux systems setting "hard" and "soft" limits in the following examples might not work properly when you log in as user oracle via SSH. It might work if you log in as root and su to oracle. If you have this problem try to set UsePrivilegeSeparation to "no" in /etc/ssh/sshd_config and restart the SSH daemon by executing service sshd restart. The privilege separation does not work properly with PAM on some Linux systems. Make sure to talk to the people in charge of security before disabling the SSH security feature "Privilege Separation".

I hope I could help. Good luck.

Related Question