[LAU] memlock limits not set correctly?

David Runge dave at sleepmap.de
Fri Jan 18 23:50:05 CET 2019


On 2019-01-17 21:50:48 (-0500), Bill Gribble wrote:
> On 1/17/19 5:41 PM, David wrote:
> > On Thu, 17 Jan 2019 at 23:22, Bill Gribble<grib at billgribble.com>  wrote:
> > > I have opened a Debian bug report against the "libpam-modules" package
> > > (containing pam_limits.so, the module that actually reads and applies
> > > the /etc/security/limits.{conf,d} limits).  We'll see what happens!
> > For the benefit of other readers, I guess that would be this one:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919528
> 
> That's the one.  To summarize my later findings for posterity, this isn't a
> "bug" in libpam-modules per se but a known bad-interaction between systemd
> and gnome.
> 
> In short, systemd implements its own system for setting process limits on
> login, and /etc/security/limits.* are obsolete.
> 
> Here's the Link I Needed To Find:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1364332
> 
> The bummer is that systemd's mechanism for setting limits is less powerful
> than the limits.conf style and doesn't permit setting limits for users based
> on group membership.
> 
> I still haven't nailed the workaround (the ideas in the fedora thread above
> haven't worked, but I have little understanding of how systemd manages
> processes so I'm sort of poking in the dark) but I will post a followup to
> this thread when I do so that others might benefit as well.
I think this is only a problem in the weirdly integrated gnome apps,
such as gnome-terminal, which auto-launches a
gnome-terminal-server.service (user service) via dbus, that applies
(probably only some) systemd user service configurations or whatever. In
that case you would have to overload that user service locally (e.g.
~/.config/systemd/user/gnome-terminal-server.service), adding
`LimitNOFILE=<your-nofile>` [1]. This is because the user service is
started below your <username>@user.service and not in the
<session-number>.scope of that user. Theoretically, this approach is
more flexible (as one can have many different types of services, that
have different types of limits or settings or whatever, but that's a
different topic).

I recommend using other terminal emulators, such as termite or xterm or
urxvt (as they don't depend on a systemd user service) and are started
in .scope.

However, if this *did apply* to all applications, it *would be* a PAM
configuration problem (which might be specific to GDM), that your
distribution should figure out/ would need to fix. Therefore this only
marginally has something to do with systemd. There is no "systemd black
magic" preventing the limits from being applied (contrary to what some
others seem to believe), but rather bad design choices of gnome (of the
type "one size fits all) being applied.
As a sidenote: On Arch Linux we use the package 'pambase' [1], which
takes care of the configuration of e.g. system-auth, system-services and
I believe this functions simililarly on other distros.
If you do a `grep -R "pam_limits" /etc/pam.d`, I'm sure 'pam_limits.so'
will show up in some of the configuration files.

I don't really use gdm/gnome anymore (other bloat reasons), but just
tested my window manager and also a gnome session started from gdm and I
can't reproduce your problem (limits are applied), when using another
terminal emulator than gnome-terminal.

Bests,
David

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Process%20Properties
[2] https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/pambase

-- 
https://sleepmap.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.linuxaudio.org/archives/linux-audio-user/attachments/20190118/15c5305e/attachment.sig>


More information about the Linux-audio-user mailing list