Linux – What are the potential problems with globally setting ulimit to unlimited

linuxSecurityulimit

My team recently had an issue with ulimit being set too low on our Apache servers. We talked about increasing the limit to some arbitrary number, but we couldn't think of any reason not to just globally set it to unlimited.

Are there some good reasons not to do this?

We realise there could use more resources, but it's easier to deal with a resource usage probably than an application crash or a "out of fd" problem.

Best Answer

ulimit is an interface to set all kinds of limits on a Linux system, not just open file descriptor limits:

~# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 20
file size               (blocks, -f) unlimited
pending signals                 (-i) 16382
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

The reason you actually would set limits on resources is because resources are finite. Setting limits basically protects your system from becoming unresponsive at the cost of limiting specific users. Even if you only have a single application to care about, you still need to ensure it does not bring the system to a halt so you even can't login via SSH to fix matters any more.

In the specific case of open file descriptors, the overhead of asynchronous operations using select() or poll() calls increases significantly if the file descriptor table is too large (which does not happen under usual conditions but might happen easily if one of your processes is leaking handles). This will hurt overall performance for asynchronous I/O system-wide.

Related Solutions

Linux ulimit – Practical Maximum Open File Descriptors for High Volume Systems

These limits came from a time where multiple "normal" users (not apps) would share the server, and we needed ways to protect them from using too many resources.

They are very low for high performance servers and we generally set them to a very high number. (24k or so) If you need higher numbers, you also need to change the sysctl file-max option (generally limited to 40k on ubuntu and 70k on rhel) .

Setting ulimit:

# ulimit -n 99999

Sysctl max files:

#sysctl -w fs.file-max=100000

Also, and very important, you may need to check if your application has a memory/file descriptor leak. Use lsof to see all it has open to see if they are valid or not. Don't try to change your system to work around applications bugs.

Linux and nginx – Understanding Max File Descriptors and Best Value for worker_rlimit_nofile

worker_rlimit_nofile will set the limit for file descriptors for the worker processes as oppose to the user running nginx. If other programs running under this user will not be able to gracefully handle running out of file descriptiors then you should set this limit slightly less then what is for the user.

First, What is using your file descriptors?

Each active connection to a client
Using proxy_pass? That will open a socket to the host:port handling these requests
Using proxy_pass to a local port? Thats another open socket. (For the owner of that process)
static files being served by nginx

Why would the limit per worker be less than the OS limit?

This is controlled by the OS because the worker is not the only process running on the machine. To change it for the user running nginx see below. It would be very bad if your workers used up all of the file descriptors available to all processes, don't set your limits so that is possible.

#/etc/sysctl.conf
#This sets the value you see when running cat  /proc/sys/fs/file-max
fs.file-max = 65536"


#/etc/security/limits.conf
#this sets the defaults for all users
* soft nofile 4096
* hard nofile 4096

#This overrides the default for user `usernamehere`
usernamehere soft nofile 10240
usernamehere hard nofile 10240

After those security limit changes I believe I still had to increase the softlimit for the user using ulimit.

How do I find out what my limit is now?

ulimit -a Will display all the limits associated with the user you run it as.

Best Answer

Related Solutions

Linux ulimit – Practical Maximum Open File Descriptors for High Volume Systems

Linux and nginx – Understanding Max File Descriptors and Best Value for worker_rlimit_nofile

Related Topic