ulimit Cookbook
This cookbook provides resources for managing ulimits configuration on nodes.
- user_ulimit: resource for overriding various ulimit settings. It places configured templates into /etc/security/limits.d/, named for the user the ulimit applies to.
- ulimit_domain: resource which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.
The cookbook also includes a recipe (default.rb) which allows ulimit overrides with the 'su' command on Ubuntu.
Requirements
Platforms
- Debian/Ubuntu and derivatives
- RHEL/Fedora and derivatives
Chef
- Chef 12.7+
Cookbooks
- none
Attributes
- node['ulimit']['pam_su_template_cookbook'] - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from.
- node['ulimit']['users'] - Defaults to empty Mash. List of users with their limits, as below.
Default Recipe
Instead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.
Example role configuration:
"default_attributes": {
  "ulimit": {
    "users": {
      "tomcat": {
        "filehandle_limit": 8193,
        "process_limit": 61504
      },
      "hbase": {
        "filehandle_limit": 32768
      }
    }
  }
}
To specify a change for all users, specify a wildcard resource or user name, like so: user_ulimit "*"
Resources
user_ulimit
The user_ulimit resource creates individual ulimit files that are installed into the /etc/security/limits.d/ directory.
Actions:
- create
- delete
Properties
- username - Optional property to set the username if the resource name itself is not the username. See the example below.
- filename - Optional filename to use instead of naming the file based on the username
- filehandle_limit
- filehandle_soft_limit
- filehandle_hard_limit
- process_limit
- process_soft_limit
- process_hard_limit
- memory_limit
- core_limit
- core_soft_limit
- core_hard_limit
- stack_soft_limit
- stack_hard_limit
- rtprio_limit
- rtprio_soft_limit
- rtprio_hard_limit
Examples
Example of a resource where the resource name is the username:
user_ulimit "tomcat" do
  filehandle_limit 8192 # optional
  filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set
  filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set
  process_limit 61504 # optional
  process_soft_limit 61504 # optional; not used if process_limit is set
  process_hard_limit 61504 # optional; not used if process_limit is set
  memory_limit 1024 # optional
  core_limit 2048 # optional
  core_soft_limit 1024 # optional
  core_hard_limit 'unlimited' # optional
  stack_soft_limit 2048 # optional
  stack_hard_limit 2048 # optional
  rtprio_limit 60 # optional
  rtprio_soft_limit 60 # optional
  rtprio_hard_limit 60 # optional
end
Example where the resource name is not the username:
user_ulimit 'set filehandle ulimits for our tomcat user' do
  username 'tomcat'
  filehandle_soft_limit 8192
  filehandle_hard_limit 8192
end
ulimit_domain
Note: The ulimit_domain resource creates files named after the domain with no modifiers by default. To override this behavior, specify the filename parameter to the resource.
Actions:
- create
- delete
Examples:
ulimit_domain 'my_user' do
  rule do
    item :nofile
    type :hard
    value 10000
  end
  rule do
    item :nofile
    type :soft
    value 5000
  end
end
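Auditing the resulting files
An added example, not part of the cookbook: a small Ruby auditor for rule lines in the pam_limits "<domain> <type> <item> <value>" format read from /etc/security/limits.d/, flagging a soft limit above its hard limit and an unlimited hard core limit (core dumps contain process memory). The sample lines, the batch user and the function names are constructed for illustration; the cookbook's exact rendered file layout is assumed, not taken from this page.

```ruby
# Added example, not the cookbook's code. Audits pam_limits rule lines.
UNLIMITED = %w[unlimited infinity -1].freeze

# Constructed sample modelled on this README's values; "batch" is invented.
SAMPLE = <<~LIMITS
  # constructed /etc/security/limits.d/ content
  tomcat   soft  nofile  8192
  tomcat   hard  nofile  8192
  tomcat   soft  core    1024
  tomcat   hard  core    unlimited
  my_user  hard  nofile  10000
  my_user  soft  nofile  5000
  batch    soft  nproc   4096
  batch    hard  nproc   2048
LIMITS

# Returns one hash per rule line, skipping comments, blanks and malformed lines.
def parse_limits(text)
  text.each_line.filter_map do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    domain, type, item, value = line.split
    next unless value && %w[soft hard -].include?(type)
    { domain: domain, type: type, item: item, value: value }
  end
end

def numeric(value)
  UNLIMITED.include?(value) ? Float::INFINITY : Integer(value, 10)
end

# Returns human-readable findings; the last rule per domain/item/type wins.
def audit_limits(text)
  findings = []
  parse_limits(text).group_by { |r| [r[:domain], r[:item]] }.each do |(domain, item), rules|
    next if %w[priority nice].include?(item) # -1 is a real value for these
    soft = rules.reverse.find { |r| %w[soft -].include?(r[:type]) }
    hard = rules.reverse.find { |r| %w[hard -].include?(r[:type]) }
    if soft && hard && numeric(soft[:value]) > numeric(hard[:value])
      findings << "#{domain}: soft #{item} #{soft[:value]} exceeds hard #{hard[:value]}"
    end
    if item == 'core' && hard && numeric(hard[:value]) == Float::INFINITY
      findings << "#{domain}: hard core limit is unlimited (full core dumps possible)"
    end
  end
  findings
end

puts audit_limits(SAMPLE) if $PROGRAM_NAME == __FILE__
```

To audit a node, pass the concatenated contents of the files in /etc/security/limits.d/ to audit_limits instead of SAMPLE.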