1308423 – /etc/security/limits.conf does not change memlock limit for regular user

Bug 1308423 - /etc/security/limits.conf does not change memlock limit for regular user

Summary: /etc/security/limits.conf does not change memlock limit for regular user

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pam
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-15 08:04 UTC by nenad
Modified:	2016-02-17 17:36 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-17 17:36:20 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description nenad 2016-02-15 08:04:30 UTC

In the past (FC20) we used to change limits.conf file to change the memlock value (ulimit -l).  On FC23 that is not the case any more, and user's memlock is capped at 64 .  The root account seems to be getting limits set correctly based on the limits file.

What other options do I have to control this?  Is this feature blocked by some other setting?

Comment 1 Tomas Mraz 2016-02-16 09:36:53 UTC

I do not think there was ever a memlock entry in limits.conf by default that would apply to all users. It is possible but improbable that some other package is/was dropping a conf file into limits.d that would contain a memlock entry for all users.

On my system I see /etc/security/limits.d/95-jack.conf from jack-audio-connection-kit-1.9.10-3.fc23.x86_64 package that contains:
@jackuser - memlock 4194304
So that applies only to users from group jackuser.

There is no point in changing the defaults in the limits.conf, it would not apply to services only to regular user logins.

Comment 2 nenad 2016-02-16 19:26:56 UTC

I used to add a line like this: 

* - memlock unlimited

It should be a default 'memlock' for all the users.  The comment in the file is clear that this should apply to regular user logins, not services.  I do not need to have a config file under limits.d for this to work.

There were no other limits config files under limits.d that contained anything related to memlock.  I played with various combinations of settings in limits.d/ files with no success.

There IS a point in changing limits for every user under /etc/security.  We use infiniband libraries that require this.

Regardless of the need for this, do you think that this should work?  If yes have you tried it on FC23?

Even though I probably do not need to reboot I still did it few times.

Comment 3 nenad 2016-02-16 19:32:02 UTC

I just tried it on Centos 7.2.1511 (I only have older RHEL).  Works as expected. 

Where is the default memlock of 64 specified?

Comment 4 Tomas Mraz 2016-02-17 08:42:09 UTC

So we misunderstood each other - I thought you were talking about some package setting the default value not about manually changing the value in /etc/security/limits.conf by the sysadmin.

Yes, what you write in comment #2 should work fine. And indeed on my install of Fedora 23 it works. I tested it with console login and ssh login and for both sessions the limit is set to unlimited if I add the line from your comment in /etc/security/limits.conf.

Could you please test ssh and console login?

Also do you perhaps see some messages from SELinux? Can you try 'ausearch -m AVC -ts today'?

Comment 5 nenad 2016-02-17 17:36:20 UTC

Console login worked. SSH did not.  Tracked this down to the following change:

UsePAM no

I guess if you don't use PAM you don't get pam_limits plugin.

Sorry for the trouble.

Note You need to log in before you can comment on or make changes to this bug.