[Bug 1837580] Re: memlock is not set
please reopen if this is still an issue

** Changed in: systemd (Ubuntu)
       Status: Confirmed => Invalid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1837580

Title:
  memlock is not set

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1837580/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837580] Re: memlock is not set
try this:

modify:
/etc/systemd/user.conf
/etc/systemd/system.conf
with:
DefaultLimitNOFILE=65535
DefaultLimitMEMLOCK=500

modify:
/etc/security/limits.conf
with:
mkasberg hard nofile 65535
mkasberg soft nofile 65535
@sudo hard memlock 500
@sudo soft memlock 500

reboot

ulimit -l

you will see: 500
[Bug 1837580] Re: memlock is not set
This is currently an issue in 19.10's systemd (version 242). By default, unless services are configured to set LimitMEMLOCK, they will have 64k as their memlock limit (though oddly, systemd bumped its own memlock limit higher than previous versions have used). The only processes not affected are those that increase their own memlock rlimits at runtime, such as `systemd --user`.

```
# for pid in $(ps --ppid 1 | awk 'NR!=1 {print $1}'); do echo -n "${pid}: "; cat "/proc/${pid}/limits" | grep locked ; done
400: Max locked memory 65536 65536 bytes
480: Max locked memory 65536 65536 bytes
514: Max locked memory 65536 65536 bytes
559: Max locked memory 65536 65536 bytes
561: Max locked memory 65536 65536 bytes
596: Max locked memory 65536 65536 bytes
657: Max locked memory 65536 65536 bytes
658: Max locked memory 65536 65536 bytes
659: Max locked memory 65536 65536 bytes
661: Max locked memory 65536 65536 bytes
662: Max locked memory 65536 65536 bytes
665: Max locked memory 65536 65536 bytes
681: Max locked memory 65536 65536 bytes
685: Max locked memory 65536 65536 bytes
688: Max locked memory 65536 65536 bytes
704: Max locked memory 65536 65536 bytes
710: Max locked memory 65536 65536 bytes
711: Max locked memory 65536 65536 bytes
732: Max locked memory 65536 65536 bytes
939: Max locked memory 65536 65536 bytes
6673: Max locked memory 67108864 67108864 bytes
7310: Max locked memory 65536 65536 bytes
# ps aux | grep 6673
root 6673 0.0 0.8 18132 8348 ? Ss 00:07 0:00 /lib/systemd/systemd --user
root 10442 0.0 0.0 8020 864 pts/2 S+ 03:32 0:00 grep --color=auto 6673
```

This includes sshd, but the forked (still `sshd`) children of sshd appear to have their memlock limit increased. This results in direct shell operations under sshd having realistic limits. However, processes "kicked off" by an ssh shell session, but not actually originally parented under them, will have the austere 64k memlock limit. This is the case with docker (the ubuntu docker.io package) containers, as containerd's systemd configuration (/lib/systemd/system/containerd.service) does not set LimitMEMLOCK. And it should not have to.

Per this thread (https://twitter.com/ChaosDatumz/status/1198075570921394177), this is causing problems for eBPF related functionality running under docker due to the fact that the memlock limit is used to track eBPF maps and is tracked on the user, which is an issue because root in a non-user namespaced container is technically root on the outside, so on top of this paltry memlock limit, existing host processes running as root are counting towards the container's memlock limit.

This likely has cascading effects for anything eBPF-related that isn't being started by a user's shell, but the user-based memlock accounting behavior will likely cause other issues for anything running in a container that performs such checks given that on a typical system, root host processes may well already have more than 64k in locked kernel memory allocated.

I don't think the solution for this is just to special case containerd (or docker.io) with a configuration, but to fix this at its heart, systemd.
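The comment above greps the memlock row of `/proc/<pid>/limits` for every child of PID 1. As an added example (not from the bug thread or from systemd), the script below parses that same row, treats `unlimited` correctly, and lists only the processes whose soft limit is below a required size. The function names, the 8 MiB threshold and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit soft RLIMIT_MEMLOCK as reported in /proc/<pid>/limits.

# Read limits text on stdin; print "soft hard" from the memlock row.
memlock_fields() {
    awk '/^Max locked memory/ { print $4, $5; found = 1 }
         END { exit !found }'
}

# True when limit $1 (bytes or "unlimited") is at least $2 bytes.
limit_at_least() {
    [ "$1" = "unlimited" ] && return 0
    [ "$1" -ge "$2" ]
}

# audit_memlock NEED_BYTES PROC_ROOT PID...
# Prints one line per PID whose soft limit is below NEED_BYTES.
audit_memlock() {
    need=$1; root=$2; shift 2
    for pid in "$@"; do
        # Processes can exit while we scan; skip anything unreadable.
        [ -r "$root/$pid/limits" ] || continue
        fields=$(memlock_fields < "$root/$pid/limits") || continue
        soft=${fields% *}; hard=${fields#* }
        limit_at_least "$soft" "$need" ||
            echo "$pid soft=$soft hard=$hard"
    done
}

# Constructed sample tree standing in for /proc (values are illustrative).
make_sample_proc() {
    dir=$(mktemp -d)
    for spec in "400 65536 65536" "6673 67108864 67108864" \
                "900 unlimited unlimited"; do
        set -- $spec
        mkdir "$dir/$1"
        printf 'Max open files            1024                 524288               files\nMax locked memory         %-20s %-20s bytes\n' \
            "$2" "$3" > "$dir/$1/limits"
    done
    echo "$dir"
}

sample=$(make_sample_proc)
audit_memlock 8388608 "$sample" 400 6673 900 31337   # 31337 does not exist
rm -rf "$sample"
# On a live host: audit_memlock 8388608 /proc $(ps --ppid 1 -o pid=)
```

Running the audit before and after a change to `DefaultLimitMEMLOCK` or a unit's `LimitMEMLOCK` shows which services actually picked up the new value.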
[Bug 1837580] Re: memlock is not set
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed
[Bug 1837580] Re: memlock is not set
** Changed in: systemd (Debian)
       Status: Unknown => New
[Bug 1837580] Re: memlock is not set
Actually, it's just systemd 240. Looks fixed in 241 and newer.
[Bug 1837580] Re: memlock is not set
Systemd 240 and newer introduced a clamp to RLIMIT_MEMLOCK in c8884aceefc85245b9bdfb626e2daf27521259bd. See https://github.com/systemd/systemd/issues/13331.

** Bug watch added: github.com/systemd/systemd/issues #13331
   https://github.com/systemd/systemd/issues/13331
[Bug 1837580] Re: memlock is not set
The same happens to me, same distro, some info is different (namely the kernel, 4.18.0-18-generic, since 5.0.0... freezes my machine - another issue to be investigated), but I don't think these differences are relevant.

I've set DefaultLimitMEMLOCK=infinity in /etc/systemd/system.conf and also /etc/systemd/user.conf (also tried to put a file in newly created /etc/systemd/user.conf.d)

/etc/security/limits.d/audio.conf has

@audio - rtprio 95
@audio - memlock unlimited

As root I can ulimit -l to unlimited. As normal user (in the group audio of course) I can't go with more than 65536.
[Bug 1837580] Re: memlock is not set
I can REDUCE the memlock limit in /etc/systemd/system.conf, or by creating /etc/systemd/system.conf.d/ and a file in that, but cannot increase it beyond 65536kB. For instance:

[Manager]
DefaultLimitMEMLOCK=100M

does nothing, and neither does specifying "infinity".
[Bug 1837580] Re: memlock is not set
Thanks!

Is something other than systemd setting the real-time priority? Because if I move audio.conf, rtprio is no longer set:

$ ulimit -l -r
max locked memory (kbytes, -l) 65536
real-time priority (-r) 0
[Bug 1837580] Re: memlock is not set
"https://bugzilla.redhat.com/show_bug.cgi?id=1364332

tl;dr it’s expected behavior since /etc/security/limits.* is not used by systemd, and further the behavior of pam_limits with group-based limits can’t be reproduced in systemd."

https://bugs.debian.org/919528#10

** Bug watch added: Red Hat Bugzilla #1364332
   https://bugzilla.redhat.com/show_bug.cgi?id=1364332

** Bug watch added: Debian Bug tracker #919528
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919528
[Bug 1837580] Re: memlock is not set
systemd user fighting PAM for limits is from my POV certainly a systemd bug.

** Package changed: pam (Ubuntu) => systemd (Ubuntu)

** Also affects: systemd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919528
   Importance: Unknown
       Status: Unknown