Bug 1308423

Summary: /etc/security/limits.conf does not change memlock limit for regular user
Product: [Fedora] Fedora
Component: pam
Version: 23
Status: CLOSED NOTABUG
Severity: urgent
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: nenad
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gary, nenad, tmraz
Keywords: Reopened
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-02-17 17:36:20 UTC

Description nenad 2016-02-15 08:04:30 UTC
In the past (FC20) we used to change the limits.conf file to change the memlock value (ulimit -l). On FC23 that is not the case any more, and the user's memlock is capped at 64. The root account seems to be getting limits set correctly based on the limits file.

What other options do I have to control this?  Is this feature blocked by some other setting?

Comment 1 Tomas Mraz 2016-02-16 09:36:53 UTC
I do not think there was ever a memlock entry in limits.conf by default that would apply to all users. It is possible but improbable that some other package is/was dropping a conf file into limits.d that would contain a memlock entry for all users.

On my system I see /etc/security/limits.d/95-jack.conf from jack-audio-connection-kit-1.9.10-3.fc23.x86_64 package that contains:
@jackuser - memlock 4194304
So that applies only to users from group jackuser.

There is no point in changing the defaults in limits.conf; it would not apply to services, only to regular user logins.

Comment 2 nenad 2016-02-16 19:26:56 UTC
I used to add a line like this: 

* - memlock unlimited

It should be a default 'memlock' for all the users.  The comment in the file is clear that this should apply to regular user logins, not services.  I do not need to have a config file under limits.d for this to work.

There were no other limits config files under limits.d that contained anything related to memlock.  I played with various combinations of settings in limits.d/ files with no success.

There IS a point in changing limits for every user under /etc/security.  We use infiniband libraries that require this.

Regardless of the need for this, do you think that this should work?  If yes have you tried it on FC23?

Even though I probably do not need to reboot, I still did it a few times.

Comment 3 nenad 2016-02-16 19:32:02 UTC
I just tried it on CentOS 7.2.1511 (I only have older RHEL). Works as expected.

Where is the default memlock of 64 specified?

Comment 4 Tomas Mraz 2016-02-17 08:42:09 UTC
So we misunderstood each other - I thought you were talking about some package setting the default value not about manually changing the value in /etc/security/limits.conf by the sysadmin.

Yes, what you write in comment #2 should work fine. And indeed on my install of Fedora 23 it works. I tested it with console login and ssh login and for both sessions the limit is set to unlimited if I add the line from your comment in /etc/security/limits.conf.

Could you please test ssh and console login?

Also do you perhaps see some messages from SELinux? Can you try 'ausearch -m AVC -ts today'?

Comment 5 nenad 2016-02-17 17:36:20 UTC
Console login worked. SSH did not.  Tracked this down to the following change:

UsePAM no

I guess if you don't use PAM you don't get pam_limits plugin.

Sorry for the trouble.
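
Added example (not part of the bug thread and not code from the pam or openssh packages): a shell check for the cause found in comment 5, reporting whether memlock entries in a limits.conf-style file can reach SSH sessions given the effective UsePAM value. The function names and the sample files are constructed for illustration; Include directives in sshd_config are not followed.

```sh
#!/bin/sh
# Added diagnostic example; file paths are arguments so it can run on copies.

# Print the effective UsePAM value from an sshd_config-style file.
# sshd uses the first value it finds for a keyword, and keywords are
# case-insensitive. If the keyword is absent, upstream OpenSSH defaults to "no".
effective_usepam() {
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Print "domain type value" for each memlock entry in a limits.conf-style
# file, skipping comment lines and lines with fewer than four fields.
memlock_entries() {
    awk '$1 !~ /^#/ && NF >= 4 && $3 == "memlock" { print $1, $2, $4 }' "$1"
}

# Returns 0 if sshd hands sessions to PAM (so pam_limits can apply the
# entries, provided the PAM stack for sshd includes it), 1 otherwise.
check_ssh_memlock() {
    sshd_cfg=$1; limits=$2
    entries=$(memlock_entries "$limits")
    [ -n "$entries" ] || echo "no memlock entries in $limits"
    if [ "$(effective_usepam "$sshd_cfg")" = "yes" ]; then
        echo "UsePAM yes: pam_limits can apply: $entries"
        return 0
    fi
    echo "UsePAM is not yes: SSH sessions skip PAM, memlock entries are ignored"
    return 1
}

# Constructed sample files reproducing the situation in this bug.
demo_dir=$(mktemp -d)
printf '%s\n' '# sample' 'Port 22' 'UsePAM no' > "$demo_dir/sshd_bad"
printf '%s\n' 'Port 22' 'usepam yes' 'UsePAM no' > "$demo_dir/sshd_good"
printf '%s\n' '# <domain> <type> <item> <value>' '* - memlock unlimited' \
    '@jackuser - memlock 4194304' > "$demo_dir/limits.conf"

check_ssh_memlock "$demo_dir/sshd_bad" "$demo_dir/limits.conf" || true
check_ssh_memlock "$demo_dir/sshd_good" "$demo_dir/limits.conf"
```

On a live host, `sshd -T` prints the effective configuration and `ulimit -l` inside the SSH session shows the limit that was actually applied.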