Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf
Control: tags -1 + pending

On 27.09.2016 at 16:29, Antonio Ospite wrote:
> Package: systemd
> Version: 231-7
> Followup-For: Bug #838191
>
> Dear Maintainer,
>
> I am attaching the patch to
> debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch

Committed as 9709b3

Thanks,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf
Package: systemd
Version: 231-7
Followup-For: Bug #838191

Dear Maintainer,

I am attaching the patch to
debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch

Thanks for the analysis about system-auth, I'll let you know what the
upstream devs think about documenting better the systemd-user
requirements.

Ciao ciao,
   Antonio

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-4+b1
ii  libaudit1       1:2.6.6-1
ii  libblkid1       2.28.2-1
ii  libc6           2.24-3
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20     1.7.3-1
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0-3
ii  libkmod2        22-1.1
ii  liblzma5        5.1.1alpha+20120614-2.1
ii  libmount1       2.28.2-1
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.5-3
ii  libsystemd0     231-7
ii  mount           2.28.2-1
ii  util-linux      2.28.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.10-1
ii  libpam-systemd  231-7

Versions of packages systemd suggests:
ii  policykit-1        0.105-16
ii  systemd-container  231-7
pn  systemd-ui

Versions of packages systemd is related to:
ii  udev  231-7

-- no debconf information

--
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?

>From d3d900a938200decaa5d4e2afbd6f81604bc30e9 Mon Sep 17 00:00:00 2001
From: Antonio Ospite Date: Tue, 27 Sep 2016 16:10:52 +0200 Subject: [PATCH] debian/patches: update systemd-user pam config to require pam_limits.so MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Face: z*RaLf`X<@C75u6Ig9}{oW$H;1_\2t5)({*|jhM/Vb;]yA5\I~93>J<_`<4)A{':UrE Upstream loads pam_limits.so indirectly when launching systemd-user because it is loaded from the included system-auth. Debian does not include system-auth so, in order to honor the limits specified in /etc/security/limits.conf for user units, load pam_limits.so directly from /etc/pam.d/systemd-user. Closes: #838191 Thanks: Mantas Mikulėnas for the suggestion --- .../debian/Adjust-systemd-user-pam-config-file-for-Debian.patch | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch b/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch index c27a1de..979c975 100644 --- a/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch +++ b/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch @@ -5,14 +5,12 @@ Subject: Adjust systemd-user pam config file for Debian This pam config file is used by libpam-systemd/systemd-logind when launching systemd user instances. --- - src/login/systemd-user.m4 | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) + src/login/systemd-user.m4 |6 -- + 1 file changed, 4 insertions(+), 2 deletions(-) -diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4 -index f188a8e..ef544e3 100644 --- a/src/login/systemd-user.m4 +++ b/src/login/systemd-user.m4 -@@ -2,11 +2,12 @@ +@@ -2,11 +2,13 @@ # # Used by systemd --user instances. @@ -25,5 +23,6 @@ index f188a8e..ef544e3 100644 )m4_dnl session required pam_loginuid.so -session include system-auth ++session required pam_limits.so +@include common-session-noninteractive +session optional pam_systemd.so -- 2.9.3
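Review bot: The description carried in the header of Adjust-systemd-user-pam-config-file-for-Debian.patch (first hunk, "This pam config file is used by libpam-systemd/systemd-logind when launching systemd user instances.") is left unchanged, so the reason for loading pam_limits.so directly is recorded only in this commit message and not in the patch that carries the change. Suggest adding a sentence there saying that Debian does not include system-auth and therefore loads pam_limits.so itself so that /etc/security/limits.conf applies to user units. In the last hunk, the new "session required pam_limits.so" line goes in just before "@include common-session-noninteractive" with no comment; a one-line "#" comment above it in systemd-user.m4 would tell whoever refreshes the patch why the line is there.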
Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf
On 27.09.2016 at 11:25, Michael Biebl wrote:
> On 18.09.2016 at 11:16, Antonio Ospite wrote:
>> If so I will send a standalone patch which applies _before_
>> debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
>> will be easier to have it merged upstream.
>
> The upstream pam config file is Redhat specific in this regard. It
> includes /etc/pam.d/system-auth, which in turn has
>
> session required pam_limits.so
>
> We do use common-account and common-session-noninteractive in Debian,
> which do not include pam_limits.so. So I guess we will have to keep that
> as a downstream change.

Which means, this change should be merged into
debian/Adjust-systemd-user-pam-config-file-for-Debian.patch and not be
added via a separate patch.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf
On 18.09.2016 at 11:16, Antonio Ospite wrote:
> After a precious suggestion by Mantas Mikulėnas (grawity in
> #debian-systemd) I verified that this is happening because
> /etc/pam.d/systemd-user does not load pam_limits.so.
>
> The following change fixes the issue:
> ---
> --- /etc/pam.d/systemd-user.orig 2016-09-17 17:40:19.787522246 +0200 > +++ /etc/pam.d/systemd-user 2016-09-17 15:13:17.035405264 +0200 > @@ -7,5 +7,6 @@ > session required pam_selinux.so close > session required pam_selinux.so nottys open > session required pam_loginuid.so > +session required pam_limits.so > @include common-session-noninteractive > session optional pam_systemd.so
> ---
>
>
> After adding pam_limits and the settings in limits.conf, the units from
> above have the expected behavior.
> ...
> I can send a patch for /etc/pam.d/systemd-user against the systemd
> Debian package to address the issue, but I have a doubt: can this also
> be considered a bug in the upstream src/login/systemd-user.m4?
>
> If so I will send a standalone patch which applies _before_
> debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
> will be easier to have it merged upstream.

The upstream pam config file is Redhat specific in this regard. It
includes /etc/pam.d/system-auth, which in turn has

session required pam_limits.so

We do use common-account and common-session-noninteractive in Debian,
which do not include pam_limits.so. So I guess we will have to keep that
as a downstream change.

That said, maybe upstream could document better, which pam modules are
supposed to be included for systemd-user. If you want to file an
upstream bug report for that, this would be appreciated.

Regards,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
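The check that the explanation above implies, as an added example that is not part of the thread or of the systemd or Debian packaging: resolve a PAM service's session stack through "@include" and "include" lines and report whether pam_limits.so is reached. The function names are hypothetical and the file contents in SAMPLES are constructed for illustration, modelled on the configurations quoted in this thread.

```python
import tempfile
from pathlib import Path

def session_modules(service, pam_dir, seen=None):
    """List the modules in a service's session stack, following includes."""
    seen = set() if seen is None else seen
    if service in seen:                      # include loop or repeat: visit once
        return []
    seen.add(service)
    modules = []
    for raw in Path(pam_dir, service).read_text().splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "@include":          # Debian-style whole-file include
            modules += session_modules(fields[1], pam_dir, seen)
        elif fields[0].lstrip("-") != "session":
            continue                         # auth/account/password lines
        elif fields[1] in ("include", "substack") and len(fields) > 2:
            modules += session_modules(fields[2], pam_dir, seen)
        else:
            # First *.so token; also steps over a bracketed [value=action] control.
            so = [f for f in fields[2:] if f.endswith(".so")]
            modules += [Path(so[0]).name] if so else []
    return modules

def loads_pam_limits(service, pam_dir="/etc/pam.d"):
    """True if pam_limits.so appears anywhere in the resolved session stack."""
    return "pam_limits.so" in session_modules(service, pam_dir)

# Constructed sample files modelled on the configurations quoted in the thread.
SAMPLES = {
    "common-session-noninteractive":
        "session [default=1] pam_permit.so\nsession required pam_unix.so\n",
    "system-auth": "session required pam_limits.so\n",
    "debian-before": "session required pam_loginuid.so\n"
                     "@include common-session-noninteractive\n"
                     "session optional pam_systemd.so\n",
    "debian-after": "session required pam_limits.so\n"
                    "@include common-session-noninteractive\n",
    "upstream-style": "session include system-auth\n",
}

def check_samples():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            Path(d, name).write_text(text)
        return {s: loads_pam_limits(s, d)
                for s in ("debian-before", "debian-after", "upstream-style")}
```

On a real system, loads_pam_limits("systemd-user") reads /etc/pam.d/systemd-user and the files it includes.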
Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf
Package: systemd
Version: 231-6
Severity: normal

Dear Maintainer,

I wanted to set resource limits from a systemd _user_ unit, with:

  LimitRTPRIO=96
  LimitMEMLOCK=infinity

Raising resource limits with ulimit(3) or setrlimit(2) is a privileged
operation, however users are normally allowed to set resource limits
within the boundaries set by hard limits in /etc/security/limits.conf.

Currently this practice does not work with systemd user units.

For example, I have these settings in limits.conf:

---
* hard rtprio 96
* hard memlock unlimited
---

The output of running prlimit from a shell is as follows:

---
RESOURCE   DESCRIPTION                          SOFT      HARD UNITS
...
MEMLOCK    max locked-in-memory address space  65536 unlimited bytes
...
RTPRIO     max real-time priority                  0        96
...
---

And users are able to change the soft limit with ulimit from the shell.

However "systemd --user" seems to ignore the hard limits, see the unit
below (copied to /usr/lib/systemd/user/prlimit_defaults.service):

---
[Unit]
Description=Test setting limits

[Service]
ExecStart=/usr/bin/prlimit
---

Starting the unit with "systemctl --user start prlimit_defaults.service"
results in this output:

---
Started Test setting limits.
RESOURCE   DESCRIPTION                          SOFT      HARD UNITS
...
MEMLOCK    max locked-in-memory address space  65536     65536 bytes
...
RTPRIO     max real-time priority                  0         0
...
---

The limits are ignored and of course raising them does not work either:

---
[Unit]
Description=Test setting limits

[Service]
ExecStart=/usr/bin/prlimit

# These work fine when running the unit as a system service,
# but they don't have effect when using "systemctl --user"
LimitRTPRIO=96
LimitMEMLOCK=infinity
---

After a precious suggestion by Mantas Mikulėnas (grawity in
#debian-systemd) I verified that this is happening because
/etc/pam.d/systemd-user does not load pam_limits.so.

The following change fixes the issue:

---
--- /etc/pam.d/systemd-user.orig2016-09-17 17:40:19.787522246 +0200 +++ /etc/pam.d/systemd-user 2016-09-17 15:13:17.035405264 +0200
@@ -7,5 +7,6 @@ session required pam_selinux.so close session required pam_selinux.so nottys open session required pam_loginuid.so +session required pam_limits.so @include common-session-noninteractive session optional pam_systemd.so
---

After adding pam_limits and the settings in limits.conf, the units from
above have the expected behavior.

The mechanism explained in systemd-user.conf(5) to set default limits
for all user units also works now; before it didn't.

For instance these values in /etc/systemd/user.conf were completely
ignored without the changes from above:

---
DefaultLimitMEMLOCK=infinity
DefaultLimitRTPRIO=96
---

I guess that too was because user.conf limits are meant to be within
some system-wide limits (see the P.S. below).

I can send a patch for /etc/pam.d/systemd-user against the systemd
Debian package to address the issue, but I have a doubt: can this also
be considered a bug in the upstream src/login/systemd-user.m4?

If so I will send a standalone patch which applies _before_
debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
will be easier to have it merged upstream.

Thanks,
   Antonio

P.S.
After I wrote the report above I found out that another way to solve the
problem is to set system-wide limits in /etc/systemd/system.conf (or
/lib/systemd/system.conf.d/nn_SOMETHING.conf), e.g.:

  [Manager]
  DefaultLimitMEMLOCK=65536:infinity
  DefaultLimitRTPRIO=0:96

and these limits will also apply to "systemd --user" (and so
/etc/systemd/user.conf will work too within these limits); maybe this is
even the "official" systemd way to solve the problem, but it does not
give the ability to set per-user or per-group limits, so I still think
that the report above is valid.

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  A