Initial version of the kosmos-dirsrv cookbook

It sets up 389 Directory Server, including a TLS cert acquired using
Let's Encrypt in production (that requires ldap.kosmos.org pointing to
the server's IP)
Greg Karékinian
2019-11-04 18:15:44 +01:00
parent 529a4fc4a8
commit 9e4685a743
29 changed files with 1109 additions and 0 deletions

View File

@@ -0,0 +1 @@
~FC059
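Review bot: the `~FC059` line waives a Foodcritic rule for the whole cookbook with nothing recording why, and the rendered page does not show the file name, so a reader cannot tell which check is being silenced or whether it still applies now that the LWRPs have been converted to custom resources. Record the reason for the exclusion (in the README or the commit) or drop the exclusion and let Foodcritic report.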

View File

@@ -0,0 +1,68 @@
# CHANGELOG for ulimit
This file is used to list changes made in each version of ulimit.
## 1.0.0
- Breaking change: This cookbook now requires Chef 12.7 or later
- LWRPs converted to custom resources with Chef 13 compatibility
- Added the rtprio property to the user resource
- Updated the cookbook to not append .conf onto filenames when the user already specified a name that ends in .conf
- Added a chefignore file to limit what files get uploaded to the chef server
- Added a Test Kitchen config + InSpec tests for unit testing
- Added the license file to the repo to resolve a Foodcritic warning
- Added a Berksfile
- Resolved all cookstyle warnings
- Fixed the metadata license string to be an SPDX standard license string to resolve Foodcritic warnings
- Add supports, source_url, issues_url, and chef_version metadata to resolve Foodcritic warnings
- Switched the default recipe from platform to platform_family to catch more Debian/Ubuntu derivatives
- Added testing with ChefDK's delivery local mode in Travis
- Expanded the readme with better information on requirements and usage examples
- Removed ChefSpec matchers that are autogenerated by ChefSpec now
- Added Cookstyle and autocorrected all code
- Added a basic ChefSpec unit test
## 0.3.2
- Resolves issue some users were having with a resource-loading race condition, thanks to Chris Roberts (<https://github.com/chrisroberts>)
## 0.3.1
- Fix domain typo, thanks to David Radcliffe (<https://github.com/dwradcliffe>) (also reported by Lewis Thompson (<https://github.com/lewisthompson>))
- Add support for split hard/soft nofile limits, thanks to Troy Ready (<https://github.com/troyready>)
- Fix license boilerplate, thanks to Troy Ready (<https://github.com/troyready>)
- Fix limits.d file extension, thanks to <https://github.com/soul-rebel>
## 0.3.0
- Add Domain LWRP for arbitrary rule creation. Thanks for Chris Roberts (<https://github.com/chrisroberts>)
## 0.2.0
- Support specifying users via attributes (as long as your runlist includes the ulimit::default recipe). Thanks to Dmytro Shteflyuk (<https://github.com/kpumuk>)
## 0.1.5
- Allow setting core_limit. Thanks to Aaron Nichols (<https://github.com/adnichols>)
## 0.1.4:
- Does not set any ulimit parameter by default - only when specified. Thanks to Graham Christensen (<https://github.com/zippykid>)
## 0.1.3:
- Adds node attribute node['ulimit']['pam_su_template_cookbook'] to allow users to provide a su pam.d template from another cookbook
## 0.1.2:
- Add memory limit handling, courtesy of Sean Porter (<https://github.com/bmhatfield/chef-ulimit/pull/3>)
## 0.1.0:
- Initial release of ulimit
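Review bot: the `## 0.1.4:` and `## 0.1.3:` headings carry a trailing colon while every other version heading in this file does not, and the 0.3.0 entry reads "Thanks for Chris Roberts" where all the other entries use "Thanks to". Since this is a vendored upstream file (version 1.0.0, matching the metadata.json in this commit), either fix these upstream or keep the file byte-identical to upstream; local edits to a vendored CHANGELOG make the next upgrade harder to diff.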

cookbooks/ulimit/README.md Normal file, 145 lines
View File

@@ -0,0 +1,145 @@
# ulimit Cookbook
[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)
This cookbook provides resources for managing ulimits configuration on nodes.
- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.
- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.
The cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.
## Requirements
### Platforms
- Debian/Ubuntu and derivatives
- RHEL/Fedora and derivatives
### Chef
- Chef 12.7+
### Cookbooks
- none
## Attributes
- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from
- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.
## Default Recipe
Instead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.
### Example role configuration:
```ruby
"default_attributes": {
"ulimit": {
"users": {
"tomcat": {
"filehandle_limit": 8193,
"process_limit": 61504
},
"hbase": {
"filehandle_limit": 32768
}
}
}
}
```
To specify a change for all users change specify a wildcard resource or user name like so `user_ulimit "*"`
## Resources
### user_ulimit
The `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.
#### Actions:
- `create`
- `delete`
#### Properties
- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.
- `filename` - Optional filename to use instead of naming the file based on the username
- `filehandle_limit` -
- `filehandle_soft_limit` -
- `filehandle_hard_limit` -
- `process_limit` -
- `process_soft_limit` -
- `process_hard_limit` -
- `memory_limit` -
- `core_limit` -
- `core_soft_limit` -
- `core_hard_limit` -
- `stack_soft_limit` -
- `stack_hard_limit` -
- `rtprio_limit` -
- `rtprio_soft_limit` -
- `rtprio_hard_limit` -
#### Examples
Example of a resource where the resource name is the username:
```ruby
user_ulimit "tomcat" do
filehandle_limit 8192 # optional
filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)
filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)
process_limit 61504 # optional
process_soft_limit 61504 # optional; not used if process_limit is set)
process_hard_limit 61504 # optional; not used if process_limit is set)
memory_limit 1024 # optional
core_limit 2048 # optional
core_soft_limit 1024 # optional
core_hard_limit 'unlimited' # optional
stack_soft_limit 2048 # optional
stack_hard_limit 2048 # optional
rtprio_limit 60 # optional
rtprio_soft_limit 60 # optional
rtprio_hard_limit 60 # optional
end
```
Example where the resource name is not the username:
```ruby
user_ulimit 'set filehandle ulimits for our tomcat user' do
username 'tomcat'
filehandle_soft_limit 8192
filehandle_hard_limit 8192
end
```
### ulimit_domain
Note: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.
#### Actions:
- `create`
- `delete`
#### Examples:
```ruby
ulimit_domain 'my_user' do
rule do
item :nofile
type :hard
value 10000
end
rule do
item :nofile
type :soft
value 5000
end
end
```
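Review bot: the README says the default recipe "allows ulimit overrides with the 'su' command on Ubuntu", but the recipe in this same commit also replaces `/etc/pam.d/sudo` (`cookbook_file '/etc/pam.d/sudo'`) on every `platform_family` 'debian' node, and the `ulimit_overriding_sudo_file_name` and `ulimit_overriding_sudo_file_cookbook` attributes that control it are missing from the Attributes section. Rewriting both PAM stacks is a security-relevant side effect that operators need to see before adding `ulimit::default` to a run list; document it beside the su note. Smaller points in the same hunk: the "Example role configuration" block is JSON but fenced as ```ruby; "To specify a change for all users change specify a wildcard resource" has a duplicated verb; `stack_limit` is accepted by the resource but absent from the property list; and every `*_limit` property line ends in an empty ` -`, so nothing tells the reader that `memory_limit` maps to `memlock` rather than an address-space limit.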

View File

@@ -0,0 +1,5 @@
default['ulimit']['pam_su_template_cookbook'] = nil
default['ulimit']['users'] = Mash.new
default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo'
default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil
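Review bot: `default['ulimit']['security_limits_directory']` is only honoured by `ulimit_domain`; `user_ulimit` hardcodes `/etc/security/limits.d/` in both its `create` and `delete` actions, so overriding this attribute silently leaves user limit files in the default directory and `delete` will look in the wrong place. Use the attribute in both resources or drop it. `ulimit_overriding_sudo_file_name` and `ulimit_overriding_sudo_file_cookbook` are also undocumented in the README.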

View File

@@ -0,0 +1,9 @@
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
session required pam_limits.so
@include common-auth
@include common-account
@include common-session-noninteractive
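Review bot: this static file replaces the distribution's entire `/etc/pam.d/sudo` stack rather than adding the single `session required pam_limits.so` line it needs, and it is installed on every node whose `platform_family` is 'debian' regardless of release, so any packaged change to the sudo PAM stack is overwritten on the next Chef run and a later sudo package upgrade will find a locally modified conffile. Confirm the file matches the stock file of the target release apart from the `pam_limits` line and add a comment recording that origin. Keeping `user_readenv=0` on both `pam_env` lines is the right call: it prevents a user's own environment file from being read into the privileged sudo session.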

View File

@@ -0,0 +1,59 @@
require 'chef/resource'
class Chef
class Resource
class UlimitDomain < Chef::Resource
property :domain, String
property :domain_name, String, name_property: true
property :filename, String
load_current_value do |new_resource|
new_resource.filename new_resource.name unless new_resource.filename
new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
new_resource.subresource_rules.map! do |name, block|
urule = Chef::Resource::UlimitRule.new("#{new_resource.name}:#{name}]", nil)
urule.domain new_resource
urule.action :nothing
urule.instance_eval(&block)
unless name
urule.name "ulimit_rule[#{new_resource.name}:#{urule.item}-#{urule.type}-#{urule.value}]"
end
urule
end
end
attr_reader :subresource_rules
def initialize(*args)
@subresource_rules = []
super
end
def rule(name = nil, &block)
@subresource_rules << [name, block]
end
action :create do
new_resource.subresource_rules.map do |sub_resource|
sub_resource.run_context = new_resource.run_context
sub_resource.run_action(:create)
end
new_resource.filename new_resource.name unless new_resource.filename
new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
template ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
source 'domain.erb'
cookbook 'ulimit'
variables domain: new_resource.domain_name
end
end
action :delete do
file ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
action :delete
end
end
end
end
end
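Review bot: `Chef::Resource::UlimitRule.new("#{new_resource.name}:#{name}]", nil)` has a stray closing `]` with no opening bracket, so a named rule ends up called `my_user:foo]`; drop the bracket or build the `ulimit_rule[...]` form used by the unnamed branch below it. `property :domain, String` is never read (the template receives `new_resource.domain_name`) and should go. `load_current_value` is used here to mutate `new_resource` (setting `filename` and `map!`-ing `subresource_rules`), which is not what that hook is for and is why the `.conf` logic is duplicated in `action :create`; construct the rule resources inside the action instead. The `template` also sets no `mode`, unlike `user_ulimit`, which uses `'0644'`.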

View File

@@ -0,0 +1,31 @@
require 'chef/resource'
class Chef
class Resource
class UlimitRule < Chef::Resource
property :type, [Symbol, String], required: true
property :item, [Symbol, String], required: true
property :value, [String, Numeric], required: true
property :domain, [Chef::Resource, String], required: true
load_current_value do |new_resource|
new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
node.run_state[:ulimit] ||= Mash.new
node.run_state[:ulimit][new_resource.domain] ||= Mash.new
end
action :create do
new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
node.run_state[:ulimit] ||= Mash.new
node.run_state[:ulimit][new_resource.domain] ||= Mash.new
node.run_state[:ulimit][new_resource.domain][new_resource.item] ||= Mash.new
node.run_state[:ulimit][new_resource.domain][new_resource.item][new_resource.type] = new_resource.value
puts "Create: #{node.run_state[:ulimit].inspect}"
end
action :delete do
# NOOP
end
end
end
end
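Review bot: `puts "Create: #{node.run_state[:ulimit].inspect}"` in `action :create` dumps the whole run_state hash to stdout on every converge; replace it with `Chef::Log.debug` or remove it. `action :delete` is a no-op, so removing a `rule` block from an `ulimit_domain` does not remove the line from the generated file until the domain file is rewritten by the domain resource; either document that deletion happens at domain level or drop the action so callers do not assume it works. The run_state initialisation is repeated in `load_current_value` and `action :create`; the action's copy is sufficient.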

View File

@@ -0,0 +1,63 @@
require 'chef/resource'
class Chef
class Resource
class UlimitUser < Chef::Resource
resource_name :user_ulimit
property :username, String, name_property: true
property :filename, String, default: lazy { |r| r.username == '*' ? '00_all_limits' : "#{r.username}_limits" }
property :filehandle_limit, [String, Integer]
property :filehandle_soft_limit, [String, Integer]
property :filehandle_hard_limit, [String, Integer]
property :process_limit, [String, Integer]
property :process_soft_limit, [String, Integer]
property :process_hard_limit, [String, Integer]
property :memory_limit, [String, Integer]
property :core_limit, [String, Integer]
property :core_soft_limit, [String, Integer]
property :core_hard_limit, [String, Integer]
property :stack_limit, [String, Integer]
property :stack_soft_limit, [String, Integer]
property :stack_hard_limit, [String, Integer]
property :rtprio_limit, [String, Integer]
property :rtprio_soft_limit, [String, Integer]
property :rtprio_hard_limit, [String, Integer]
action :create do
new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
template "/etc/security/limits.d/#{new_resource.filename}" do
source 'ulimit.erb'
cookbook 'ulimit'
mode '0644'
variables(
ulimit_user: new_resource.username,
filehandle_limit: new_resource.filehandle_limit,
filehandle_soft_limit: new_resource.filehandle_soft_limit,
filehandle_hard_limit: new_resource.filehandle_hard_limit,
process_limit: new_resource.process_limit,
process_soft_limit: new_resource.process_soft_limit,
process_hard_limit: new_resource.process_hard_limit,
memory_limit: new_resource.memory_limit,
core_limit: new_resource.core_limit,
core_soft_limit: new_resource.core_soft_limit,
core_hard_limit: new_resource.core_hard_limit,
stack_limit: new_resource.stack_limit,
stack_soft_limit: new_resource.stack_soft_limit,
stack_hard_limit: new_resource.stack_hard_limit,
rtprio_limit: new_resource.rtprio_limit,
rtprio_soft_limit: new_resource.rtprio_soft_limit,
rtprio_hard_limit: new_resource.rtprio_hard_limit
)
end
end
action :delete do
new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
file "/etc/security/limits.d/#{new_resource.filename}" do
action :delete
end
end
end
end
end
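Review bot: `new_resource.filename.include?('.conf')` does not implement the 1.0.0 changelog entry ("not append .conf onto filenames when the user already specified a name that ends in .conf"): a filename such as `tomcat.conf.bak` contains `.conf`, is written without the suffix, and is then ignored by pam_limits, which only reads `*.conf` under limits.d. Use `end_with?('.conf')` as `ulimit_domain` does. The directory is hardcoded as `/etc/security/limits.d/` in both actions even though `node['ulimit']['security_limits_directory']` exists for exactly this. Assigning to `new_resource.filename` inside the action also changes the resource's identity mid-run; compute a local `conf_name` and use it in the `template` and `file` paths instead.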

View File

@@ -0,0 +1 @@
{"name":"ulimit","version":"1.0.0","description":"Resources for manaing ulimits","long_description":"# ulimit Cookbook\n\n[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)\n\nThis cookbook provides resources for managing ulimits configuration on nodes.\n\n- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.\n- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.\n\nThe cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu and derivatives\n- RHEL/Fedora and derivatives\n\n### Chef\n\n- Chef 12.7+\n\n### Cookbooks\n\n- none\n\n## Attributes\n\n- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from\n- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.\n\n## Default Recipe\n\nInstead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. 
Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.\n\n### Example role configuration:\n\n```ruby\n\"default_attributes\": {\n \"ulimit\": {\n \"users\": {\n \"tomcat\": {\n \"filehandle_limit\": 8193,\n \"process_limit\": 61504\n },\n \"hbase\": {\n \"filehandle_limit\": 32768\n }\n }\n }\n }\n```\n\nTo specify a change for all users change specify a wildcard resource or user name like so `user_ulimit \"*\"`\n\n## Resources\n\n### user_ulimit\n\nThe `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Properties\n\n- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.\n- `filename` - Optional filename to use instead of naming the file based on the username\n- `filehandle_limit` -\n- `filehandle_soft_limit` -\n- `filehandle_hard_limit` -\n- `process_limit` -\n- `process_soft_limit` -\n- `process_hard_limit` -\n- `memory_limit` -\n- `core_limit` -\n- `core_soft_limit` -\n- `core_hard_limit` -\n- `stack_soft_limit` -\n- `stack_hard_limit` -\n- `rtprio_limit` -\n- `rtprio_soft_limit` -\n- `rtprio_hard_limit` -\n\n#### Examples\n\nExample of a resource where the resource name is the username:\n\n```ruby\nuser_ulimit \"tomcat\" do\n filehandle_limit 8192 # optional\n filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)\n filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)\n process_limit 61504 # optional\n process_soft_limit 61504 # optional; not used if process_limit is set)\n process_hard_limit 61504 # optional; not used if process_limit is set)\n memory_limit 1024 # optional\n core_limit 2048 # optional\n core_soft_limit 1024 # optional\n core_hard_limit 'unlimited' # optional\n stack_soft_limit 2048 # optional\n stack_hard_limit 2048 # optional\n 
rtprio_limit 60 # optional\n rtprio_soft_limit 60 # optional\n rtprio_hard_limit 60 # optional\nend\n```\n\nExample where the resource name is not the username:\n\n```ruby\nuser_ulimit 'set filehandle ulimits for our tomcat user' do\n username 'tomcat'\n filehandle_soft_limit 8192\n filehandle_hard_limit 8192\nend\n```\n\n### ulimit_domain\n\nNote: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Examples:\n\n```ruby\nulimit_domain 'my_user' do\n rule do\n item :nofile\n type :hard\n value 10000\n end\n rule do\n item :nofile\n type :soft\n value 5000\n end\nend\n```\n","maintainer":"Brian Hatfield","maintainer_email":"bmhatfield@gmail.com","license":"Apache-2.0","platforms":{"amazon":">= 0.0.0","centos":">= 0.0.0","redhat":">= 0.0.0","scientific":">= 0.0.0","oracle":">= 0.0.0","fedora":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/bmhatfield/chef-ulimit","issues_url":"https://github.com/bmhatfield/chef-ulimit/issues","chef_version":[[">= 12.7"]],"ohai_version":[]}
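Review bot: `"description":"Resources for manaing ulimits"` has a typo (`managing`). The `long_description` is a verbatim copy of README.md, and metadata.json is normally generated from metadata.rb, so README corrections need to be regenerated into this file rather than edited here by hand or the two will drift.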

View File

@@ -0,0 +1,41 @@
# Cookbook:: ulimit
# Recipe:: default
#
# Copyright 2012, Brightcove, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
ulimit = node['ulimit']
case node['platform_family']
when 'debian'
template '/etc/pam.d/su' do
cookbook ulimit['pam_su_template_cookbook']
end
cookbook_file '/etc/pam.d/sudo' do
cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook']
source node['ulimit']['ulimit_overriding_sudo_file_name']
mode '0644'
end
end
if ulimit.key?('users')
ulimit['users'].each do |user, attributes|
user_ulimit user do
attributes.each do |a, v|
send(a.to_sym, v)
end
end
end
end
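Review bot: `send(a.to_sym, v)` inside the `user_ulimit` block calls whatever method name appears as a key under `node['ulimit']['users'][user]`, so a key such as `action`, `not_if` or `notifies` placed in a role or environment becomes a resource method call, and a misspelled property surfaces only as a bare NoMethodError at compile time. Restrict keys to the resource's declared properties (for example, check `Chef::Resource::UlimitUser.properties.key?(a.to_sym)` and raise a descriptive error otherwise). Note also that the `platform_family 'debian'` branch rewrites `/etc/pam.d/su` and `/etc/pam.d/sudo` unconditionally, even when no users are configured, so merely including `ulimit::default` changes both PAM stacks; and `ulimit.key?('users')` is always true because attributes/default.rb sets it to `Mash.new`.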

View File

@@ -0,0 +1,9 @@
<%
node.run_state[:ulimit][@domain].each do |item, entries|
entries.each do |type, value|
-%>
<%= @domain %> <%= type %> <%= item %> <%= value %>
<%
end
end
-%>
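Review bot: `node.run_state[:ulimit][@domain].each` raises NoMethodError when an `ulimit_domain` is declared with no `rule` blocks, because only the `ulimit_rule` action initialises `node.run_state[:ulimit]` and nothing runs before the template renders. Guard the lookup, e.g. `((node.run_state[:ulimit] || {})[@domain] || {}).each`, or have the domain resource initialise the hash before rendering. The rendered line order is the insertion order of the rule blocks; a one-line comment saying so would help whoever reads the generated file.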

View File

@@ -0,0 +1,63 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This file modified by Chef to enable ulimit switching with `su`
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
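Review bot: the comment above `session required pam_limits.so` still reads "please uncomment and read /etc/security/limits.conf to enable this functionality", but the line is already uncommented here; change the comment to say the cookbook enables it, otherwise the next reader assumes this is the stock file. The template contains no ERB tags, so it could be a `cookbook_file` like the sudo file in this commit; keeping it a template only makes sense if the `pam_su_template_cookbook` override is expected to add variables. As with the sudo file, this is the complete su PAM stack for the node and is rewritten every Chef run: it freezes the su policy at this vendored copy (`# auth required pam_wheel.so` stays commented, so any user may su given the target password, same as stock), so it should be diffed against the stock file of each supported release.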

View File

@@ -0,0 +1,35 @@
# Limits settings for <%= @ulimit_user %>
<% unless @filehandle_limit.nil? -%>
<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
<% end -%>
<% unless @process_limit.nil? -%>
<%= @ulimit_user -%> - nproc <%= @process_limit %>
<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
<% end -%>
<% unless @memory_limit.nil? -%>
<%= @ulimit_user -%> - memlock <%= @memory_limit %>
<% end -%>
<% unless @core_limit.nil? -%>
<%= @ulimit_user -%> - core <%= @core_limit %>
<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
<% end -%>
<% unless @stack_limit.nil? -%>
<%= @ulimit_user -%> - stack <%= @stack_limit %>
<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
<% end -%>
<% unless @rtprio_limit.nil? -%>
<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
<% end -%>
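Review bot: `memory_limit` is rendered as `memlock` (`<%= @ulimit_user -%> - memlock <%= @memory_limit %>`), which caps locked-in-memory size, not address space or RSS; with the README leaving the property undescribed, the name invites misuse. Either rename it `memlock_limit` (keeping `memory_limit` as a deprecated alias) or document the mapping. The soft/hard branches pack `<% else -%>`, the `unless`, the output and `<% end -%>` onto one line, so whether each entry lands on its own line depends on Erubis's trimming rules rather than on anything visible in the template; put each branch on its own line so the intended output is obvious. Since `core_limit` and `core_hard_limit 'unlimited'` enable core dumps for the named user, the README should note that a dump writes the process's memory, secrets included, to disk.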