How to set limits for services in RHEL and systemd

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 7, 8, 9
  • systemd

Issue

How can I set the limits for services started at boot time via systemd?

Limits set in /etc/security/limits.conf or /etc/security/limits.d/*.conf are ignored.

Resolution

A service definition can be extended with a drop-in file, as described in the systemd.unit(5) man page (section "Example 2. Overriding vendor settings") and in the Red Hat Enterprise Linux 7 System Administrator's Guide, section 8.6, "Creating and Modifying systemd Unit Files".

To change a single service:

Using tftp.service as an example, create a new tftp.service.d directory under /etc/systemd/system, and then create a .conf file in that directory which extends (or overrides) the settings for the service. In this example, the number of open file descriptors is limited to 500,000. A single value sets both the soft and the hard limit; systemd 229 and later (RHEL 8 and 9) also accept a soft:hard pair such as LimitNOFILE=1024:500000, whereas the systemd 219 shipped with RHEL 7 accepts only the single value. The kernel rejects an open-file hard limit above its fs.nr_open sysctl (1048576 by default).

# mkdir -p /etc/systemd/system/tftp.service.d/
# cat >/etc/systemd/system/tftp.service.d/filelimit.conf <<EOF
[Service]
LimitNOFILE=500000
EOF

The change is applied after reloading the daemon configuration and restarting the service. daemon-reload alone only re-reads the unit files; it does not alter the resource limits of a process that is already running, which is why the restart is required.

# systemctl daemon-reload
# systemctl restart tftp.service

The systemd-delta and systemctl status tftp.service commands both show that the service definition has been extended.

# systemd-delta --type=extended
[EXTENDED]   /usr/lib/systemd/system/tftp.service → /etc/systemd/system/tftp.service.d/filelimit.conf

1 overridden configuration file found.

# systemctl status tftp.service
● tftp.service - Tftp Server
   Loaded: loaded (/usr/lib/systemd/system/tftp.service; indirect; vendor preset: disabled)
  Drop-In: /etc/systemd/system/tftp.service.d
           └─filelimit.conf
  ...

The available limits are described in the following section from the systemd.exec(5) man page:

       LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
       LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
       LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
       LimitRTTIME=
           These settings control various resource limits for executed
           processes. See setrlimit(2) for details. Use the string infinity to
           configure no limit on a specific resource.

Note: Most process resource limits configured with these options are per-process, and processes may fork in order to acquire a new set of resources that are accounted independently of the original process, and may thus escape limits set. Also note that LimitRSS= is not implemented on Linux, and setting it has no effect. Often it is advisable to prefer the resource controls listed in systemd.resource-control(5) over these per-process limits, as they apply to services as a whole, may be altered dynamically at runtime, and are generally more expressive. For example, MemoryMax= is a more powerful (and working) replacement for LimitRSS=.

To set a limit for all services

Instead, create a drop-in file in /etc/systemd/system.conf.d/ and use the Default-prefixed version of the limit in the [Manager] section (see systemd-system.conf(5)). The default only applies to units that do not set the corresponding Limit*= themselves, and it takes effect after the manager re-reads its configuration (systemctl daemon-reexec, or a reboot) and the services are (re)started:

# mkdir -p /etc/systemd/system.conf.d/
# cat >/etc/systemd/system.conf.d/10-filelimit.conf <<EOF
[Manager]
DefaultLimitNOFILE=500000
EOF
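The following script is an added example and is not part of the Red Hat article. It wraps both drop-in forms shown above (the per-unit [Service] override and the [Manager] default) in small functions and adds the check a practitioner wants after restarting the service: reading /proc/<MainPID>/limits to confirm the process really inherited the limit, rather than trusting the unit file alone. The file name 50-limits.conf, the unit/key/value parameters, the LIMITS_* environment variables and the SYSTEMD_ROOT prefix (which lets the file-writing helpers be tried in a scratch directory instead of /etc) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: helpers that write the two
# kinds of drop-in (per-unit [Service] and manager [Manager] defaults) and
# verify that a unit's main process really inherited the limit by reading
# /proc/<pid>/limits. Assumptions: file name 50-limits.conf, the parameters,
# and SYSTEMD_ROOT (a path prefix, default empty) for testing in a scratch dir.

# write_limit_dropin UNIT KEY VALUE
# Creates $SYSTEMD_ROOT/etc/systemd/system/UNIT.d/50-limits.conf, prints its path.
write_limit_dropin() {
    dir="${SYSTEMD_ROOT:-}/etc/systemd/system/$1.d"
    mkdir -p "$dir"
    printf '[Service]\n%s=%s\n' "$2" "$3" > "$dir/50-limits.conf"
    printf '%s\n' "$dir/50-limits.conf"
}

# write_manager_default KEY VALUE
# Creates $SYSTEMD_ROOT/etc/systemd/system.conf.d/50-limits.conf with the
# Default-prefixed form, e.g. DefaultLimitNOFILE=500000; prints its path.
write_manager_default() {
    dir="${SYSTEMD_ROOT:-}/etc/systemd/system.conf.d"
    mkdir -p "$dir"
    printf '[Manager]\nDefault%s=%s\n' "$1" "$2" > "$dir/50-limits.conf"
    printf '%s\n' "$dir/50-limits.conf"
}

# proc_limit LIMITS_FILE NAME
# Prints "<soft> <hard>" for the row NAME (e.g. "Max open files") of a file in
# /proc/<pid>/limits format. Row names contain spaces, so the name is matched
# as a line prefix and only the remainder of the line is split into columns.
proc_limit() {
    awk -v name="$2" '
        index($0, name) == 1 {
            rest = substr($0, length(name) + 1)
            split(rest, f, " ")
            print f[1], f[2]
        }' "$1"
}

# limit_matches LIMITS_FILE NAME WANT
# Succeeds only if both the soft and the hard value equal WANT.
limit_matches() {
    got=$(proc_limit "$1" "$2")
    [ "$got" = "$3 $3" ]
}

# apply_and_verify UNIT VALUE
# The article's procedure, followed by a check on the restarted process.
# Needs root and a running systemd, so it only runs when LIMITS_APPLY is set.
apply_and_verify() {
    unit=$1; want=$2
    write_limit_dropin "$unit" LimitNOFILE "$want" >/dev/null
    systemctl daemon-reload
    systemctl restart "$unit"
    # What the manager believes the unit is configured with:
    systemctl show -p LimitNOFILE "$unit"
    # What the process actually got. MainPID is 0 when no main process is
    # running, e.g. a socket-activated service before its first request.
    pid=$(systemctl show -p MainPID "$unit" | cut -d= -f2)
    if [ "$pid" = 0 ]; then
        echo "$unit has no main process to inspect" >&2
        return 1
    fi
    if limit_matches "/proc/$pid/limits" "Max open files" "$want"; then
        echo "PID $pid: Max open files = $want (soft and hard)"
    else
        echo "PID $pid: Max open files = $(proc_limit "/proc/$pid/limits" "Max open files"), expected $want" >&2
        return 1
    fi
}

if [ -n "${LIMITS_APPLY:-}" ]; then
    apply_and_verify "${LIMITS_UNIT:-tftp.service}" "${LIMITS_VALUE:-500000}"
fi
```

Run it as root with LIMITS_APPLY=1 LIMITS_UNIT=tftp.service LIMITS_VALUE=500000 to apply and verify; without LIMITS_APPLY it only defines the functions, so proc_limit can be pointed at any saved /proc/<pid>/limits file. A mismatch between what systemctl show reports and what /proc/<pid>/limits contains is the signature of a program that adjusts its own limits with setrlimit(2), as the sendmail note below describes.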

Important: Some services have resource limits that cannot be changed in this way. One example is sendmail, which sets the limit for the maximum number of open files to 1024 itself (and can modify other resource limits). These limits cannot be changed for sendmail: they are set explicitly by the program and are not configurable through the sendmail configuration. This is not a defect; it is the expected behaviour for programs that manage and set their own resource limits. To tell the two cases apart, compare what systemd configured (systemctl show -p LimitNOFILE <unit>) with what the process is actually running with (/proc/<MainPID>/limits); a difference means the program changed its own limits with setrlimit(2).

Root Cause

Limits defined in /etc/security/limits.conf or /etc/security/limits.d/*.conf are applied by PAM when a login session is opened. This is configured by the following line in /etc/pam.d/system-auth-ac:

session     required      pam_limits.so

Since daemons started by systemd do not go through a PAM login session, pam_limits.so never runs for them, and their limits can only be set in the service unit (or in the manager defaults) as shown above.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.