Re: [systemd-devel] Per user limit defaults in systemd.conf
On Di, 01.09.20 08:57, Joshua Miller (joshuamille...@gmail.com) wrote:

> On Tue, Sep 1, 2020 at 7:30 AM Lennart Poettering wrote:
> > Anyway, do you want this for login users or for system services?
> > Initially your reference to User= suggests the latter, but your
> > reference to PAM suggests the former. What is it now?
>
> I'm looking at system services; sorry for conflating the two.
>
> In this case, I'd specifically like to set MEMLOCK. It's got the property
> of being accounted at the user level,
> but the limit is enforced at the process level, which means if multiple
> system services running
> as the same user have different limits, the service with the lesser limit
> can break.

As mentioned, there is no construct for setting this per system user. If
you want to do this per-service, use LimitMEMLOCK=.

Lennart

--
Lennart Poettering, Berlin
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
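
The case raised in this thread (several services with the same User= but different LimitMEMLOCK= values) can be found from `systemctl show` output. The script below is an added example, not part of the thread or of systemd; the unit names and limit values are constructed, and treating an empty User= as root is an assumption about system services.

```shell
#!/bin/sh
# Added example (not from the thread). Input: key=value blocks as printed by
#   systemctl show -p Id -p User -p LimitMEMLOCK UNIT...
# one block per unit, separated by blank lines.

# Print "user unit=limit unit=limit ..." for every user whose services
# do not all share one LimitMEMLOCK value.
find_memlock_mismatch() {
    awk '
    BEGIN { RS = ""; FS = "\n" }      # paragraph mode: one record per unit
    {
        id = ""; user = ""; limit = ""
        for (i = 1; i <= NF; i++) {   # property order is not assumed
            eq  = index($i, "=")
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "Id") id = val
            else if (key == "User") user = val
            else if (key == "LimitMEMLOCK") limit = val
        }
        if (user == "") user = "root" # assumption: empty User= means root
        units[user] = units[user] " " id "=" limit
        if (!((user, limit) in seen)) { seen[user, limit] = 1; distinct[user]++ }
    }
    END {
        for (u in distinct)
            if (distinct[u] > 1) print u units[u]
    }'
}

# Constructed sample: two services share User=app with different limits.
sample_units() {
    cat <<'EOF'
Id=app-worker.service
User=app
LimitMEMLOCK=65536

Id=app-cache.service
User=app
LimitMEMLOCK=infinity

Id=metrics.service
User=metrics
LimitMEMLOCK=65536
EOF
}

sample_units | find_memlock_mismatch
```

Each user reported here needs the same LimitMEMLOCK= set in every listed unit, since there is no per-user default to set instead.
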
Re: [systemd-devel] Per user limit defaults in systemd.conf
On Tue, Sep 1, 2020 at 7:30 AM Lennart Poettering wrote:

> Anyway, do you want this for login users or for system services?
> Initially your reference to User= suggests the latter, but your
> reference to PAM suggests the former. What is it now?

I'm looking at system services; sorry for conflating the two.

In this case, I'd specifically like to set MEMLOCK. It's got the property
of being accounted at the user level, but the limit is enforced at the
process level, which means if multiple system services running as the same
user have different limits, the service with the lesser limit can break.

Thanks,
Joshua Miller
Re: [systemd-devel] Per user limit defaults in systemd.conf
On Mo, 31.08.20 17:34, Joshua Miller (joshuamille...@gmail.com) wrote:

> Is there a way to set per-user defaults for values in systemd.conf? e.g.
> I'd like to set DefaultLimitMEMLOCK for the 'app' user (User=app), such
> that all units run as User=app get the setting.

Something like that does not exist.

> I'm looking for a way to do what's done via pam_limits per limits.conf
> (e.g. `username hard nofile 512`)

Nope, that's not what limits.conf does. limits.conf is only applied by
pam_limits, i.e. whenever a PAM session is opened. And that typically
means at login-time. (Some sloppy init scripts might have used "su" to
request a PAM login session even for system services back in sysv, but
that's really sloppy, people should use "setpriv" for that).

Anyway, do you want this for login users or for system services?
Initially your reference to User= suggests the latter, but your
reference to PAM suggests the former. What is it now?

You can use PAMName= in service unit files to allocate a PAM session
for them too (and thus also go through pam_limits if you configure the
stack like that). But it's a bit of a misuse to do so, given that PAM
isn't really what system services should bother with.

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] Per user limit defaults in systemd.conf
Hello.

On Mon, Aug 31, 2020 at 05:34:15PM -0700, Joshua Miller wrote:

> Is there a way to set per-user defaults for values in systemd.conf?

I don't think so. The config values are typically independent of the
running user.

> I'm looking for a way to do what's done via pam_limits per limits.conf
> (e.g. `username hard nofile 512`)

You may still hook into the PAM stack if you specify PAMName=... along
with the User= directive (see systemd.exec(5)).

HTH,
Michal