
Master Linux Resource Limits: /etc/security/limits.conf, ulimit, and systemd Explained

This article provides a comprehensive guide to Linux resource limits, covering the role of /etc/security/limits.conf and its overrides, proper ulimit configuration, temporary versus permanent settings, common commands, and how systemd services manage their own limits.

Raymond Ops

1. Detailed Explanation of /etc/security/limits.conf

This file is the configuration for the PAM module <code>pam_limits.so</code>. It applies only to individual sessions and does not affect the limits of system services. Also note that files in the directory <code>/etc/security/limits.d/</code> can override its settings.

Configuration format

<code># /etc/security/limits.conf
# This file sets the resource limits for the users logged in via PAM.
# It does not affect resource limits of the system services.
# Also note that configuration files in /etc/security/limits.d directory,
# which are read in alphabetical order, override the settings in this file
# when the domain is the same or more specific.

# <domain> <type> <item> <value>
# <domain> can be a user name, a group name prefixed with @, * for all users,
# or % for maxlogin limits.
# <type> is "soft" (enforced soft limit) or "hard" (enforced hard limit).
# <item> can be core, data, fsize, memlock, nofile, rss, stack, cpu,
# nproc, as, maxlogins, maxsyslogins, priority, locks, sigpending,
# msgqueue, nice, rtprio, etc.
# Example entries:
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
</code>

/etc/security/limits.d/ directory

The directory contains default files such as <code>*-nproc.conf</code> that limit user processes. You can create additional <code>.conf</code> files here.

CentOS 7 uses <code>/etc/security/limits.d/20-nproc.conf</code> with the defaults <code>* soft nproc 4096</code> and <code>root soft nproc unlimited</code>.

CentOS 6 uses <code>/etc/security/limits.d/90-nproc.conf</code>.

2. Configuring ulimit

Important notes

Do not set <code>nofile unlimited</code>. The maximum allowed value for <code>nofile</code> is 1 048 576 (2²⁰); exceeding it prevents SSH login and produces an error like “pam_limits(sshd:session): Could not set limit for ‘nofile’: Operation not permitted”.

Basic configuration

Place custom limits in <code>/etc/security/limits.d/</code> instead of directly editing <code>/etc/security/limits.conf</code>. For example, create <code>/etc/security/limits.d/20-nofile.conf</code> with:

<code>root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535
</code>

And <code>/etc/security/limits.d/20-nproc.conf</code> with:

<code>* - nproc 65535
root soft nproc unlimited
root hard nproc unlimited
</code>

Override behavior

Specific entries override more generic ones. For example, a <code>root soft nofile 65538</code> entry takes precedence over a wildcard <code>* soft nofile 65539</code>, but the soft value cannot exceed the hard value.
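The two constraints above (a <code>nofile</code> value above the ceiling, and a soft value above the hard value) can be checked before a file is placed in <code>/etc/security/limits.d/</code>. The shell function below is an added example, not part of the original article; the names <code>audit_limits</code> and <code>NOFILE_MAX</code> are assumptions, and it checks each domain on its own without modelling user-over-wildcard precedence.

```shell
#!/bin/sh
# Added example, not from the article: lint limits.conf-style files before deploying them.
# NOFILE_MAX defaults to the ceiling the article quotes (2^20).
NOFILE_MAX=${NOFILE_MAX:-1048576}

# audit_limits FILE... : one finding per line on stdout, status 1 if any were found.
audit_limits() {
    awk -v max="$NOFILE_MAX" '
    function unlimited(v) { return v == "unlimited" || v == "infinity" || v == "-1" }
    { sub(/#.*/, "") }                 # drop comments
    NF < 4 { next }                    # not a <domain> <type> <item> <value> entry
    {
        dom = $1; type = $2; item = $3; val = $4
        if (item == "nofile" && (unlimited(val) || val + 0 > max + 0)) {
            printf "%s:%d: nofile %s for %s is above the ceiling %d\n", FILENAME, FNR, val, dom, max
            bad = 1
        }
        # "-" sets both limits; a later line for the same domain replaces an earlier one
        if (type == "soft" || type == "-") soft[dom, item] = val
        if (type == "hard" || type == "-") hard[dom, item] = val
        seen[dom, item] = dom " " item
    }
    END {
        for (k in seen) {
            if (!(k in soft) || !(k in hard) || unlimited(hard[k])) continue
            if (unlimited(soft[k]) || soft[k] + 0 > hard[k] + 0) {
                printf "%s: soft %s above hard %s\n", seen[k], soft[k], hard[k]
                bad = 1
            }
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* soft nofile 65539
* hard nofile 65535
root - nofile unlimited
* - nproc 65535
EOF
audit_limits "$sample" || echo "fix the findings above before deploying"
rm -f "$sample"
```

Pass the files in the order they are read, for example <code>audit_limits /etc/security/limits.conf /etc/security/limits.d/*.conf</code>, and keep an existing root session open while testing a change that affects SSH logins.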

3. ulimit Effectiveness

Temporary configuration

Set a temporary limit with <code>ulimit -Sn 65536</code>; it applies only to the current shell session and is lost after a reboot.

Permanent configuration

Add the same lines to <code>/etc/security/limits.conf</code> or a file under <code>/etc/security/limits.d/</code>, then log out and back in for the changes to take effect.

4. Common ulimit Commands

<code>-S    set soft limit
-H    set hard limit
-a    display all current limits
-n    maximum number of open file descriptors
...</code>

Use <code>ulimit -a</code> to view all limits, <code>ulimit -n</code> for the open‑file limit, and <code>ulimit -Sn 65536</code> to change it.

5. systemd‑related Limits

Systemd services have their own limits, which can differ from the PAM configuration. The effective limits are taken from three places:

Global system configuration: <code>/etc/systemd/system.conf</code>

User‑service configuration: <code>/etc/systemd/user.conf</code>

Per‑service unit files: <code>/usr/lib/systemd/system/*.service</code>

To view a service’s limits, run <code>systemctl show sshd | grep '^Limit'</code> or inspect <code>/proc/<pid>/limits</code> for a running process.

To modify a service’s limit, either edit the global config and reload the daemon (<code>systemctl daemon-reexec</code>) or add <code>LimitNOFILE=32768</code> to the service’s unit file and run <code>systemctl daemon-reload && systemctl restart <service></code>.

6. Additional Tips

Check a process’s limits with <code>cat /proc/<pid>/limits</code>.

Adjust a running process’s limits with <code>prlimit --pid <pid> --nofile=1024:4096</code>.
