It sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP)
ulimit Cookbook
This cookbook provides resources for managing ulimits configuration on nodes.
- user_ulimit resource for overriding various ulimit settings. It places configured templates into /etc/security/limits.d/, named for the user the ulimit applies to.
- ulimit_domain which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.
The cookbook also includes a recipe (default.rb) which allows ulimit overrides with the 'su' command on Ubuntu.
Requirements
Platforms
- Debian/Ubuntu and derivatives
- RHEL/Fedora and derivatives
Chef
- Chef 12.7+
Cookbooks
- none
Attributes
- node['ulimit']['pam_su_template_cookbook'] - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from.
- node['ulimit']['users'] - Defaults to empty Mash. List of users with their limits, as below.
Default Recipe
Instead of using the user_ulimit resource directly, you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources, as it is much easier to troubleshoot and far more robust.
Example role configuration:
"default_attributes": {
  "ulimit": {
    "users": {
      "tomcat": {
        "filehandle_limit": 8193,
        "process_limit": 61504
      },
      "hbase": {
        "filehandle_limit": 32768
      }
    }
  }
}
To apply a change to all users, specify a wildcard as the resource or user name, like so: user_ulimit "*"
Resources
user_ulimit
The user_ulimit resource creates individual ulimit files that are installed into the /etc/security/limits.d/ directory.
Actions:
- create
- delete
Properties
- username - Optional property to set the username if the resource name itself is not the username. See the example below.
- filename - Optional filename to use instead of naming the file based on the username
- filehandle_limit
- filehandle_soft_limit
- filehandle_hard_limit
- process_limit
- process_soft_limit
- process_hard_limit
- memory_limit
- core_limit
- core_soft_limit
- core_hard_limit
- stack_soft_limit
- stack_hard_limit
- rtprio_limit
- rtprio_soft_limit
- rtprio_hard_limit
Examples
Example of a resource where the resource name is the username:
user_ulimit "tomcat" do
  filehandle_limit 8192 # optional
  filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set
  filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set
  process_limit 61504 # optional
  process_soft_limit 61504 # optional; not used if process_limit is set
  process_hard_limit 61504 # optional; not used if process_limit is set
  memory_limit 1024 # optional
  core_limit 2048 # optional
  core_soft_limit 1024 # optional
  core_hard_limit 'unlimited' # optional
  stack_soft_limit 2048 # optional
  stack_hard_limit 2048 # optional
  rtprio_limit 60 # optional
  rtprio_soft_limit 60 # optional
  rtprio_hard_limit 60 # optional
end
Example where the resource name is not the username:
user_ulimit 'set filehandle ulimits for our tomcat user' do
  username 'tomcat'
  filehandle_soft_limit 8192
  filehandle_hard_limit 8192
end
ulimit_domain
Note: The ulimit_domain resource creates files named after the domain with no modifiers by default. To override this behavior, specify the filename parameter to the resource.
Actions:
- create
- delete
Examples:
ulimit_domain 'my_user' do
  rule do
    item :nofile
    type :hard
    value 10000
  end
  rule do
    item :nofile
    type :soft
    value 5000
  end
end
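Files under /etc/security/limits.d/ are read by pam_limits as "<domain> <type> <item> <value>" rules, so a converged node can be audited for rules that contradict each other or allow unlimited core dumps (which can expose process memory). The following is an added example, not part of this cookbook: the helper names and the sample file content are constructed for illustration.

```ruby
# Added example: audit limits.d-style content for inconsistent or risky rules.
# The sample is constructed by hand; it is not output captured from the cookbook.
SAMPLE = <<~LIMITS
  # constructed sample rules
  my_user hard nofile 10000
  my_user soft nofile 5000
  tomcat  -    nproc  61504
  tomcat  soft core   1024
  tomcat  hard core   unlimited
  hbase   soft nofile 65536
  hbase   hard nofile 32768
LIMITS

UNLIMITED = %w[unlimited infinity -1].freeze

# Parse "<domain> <type> <item> <value>" lines; skip blanks and comments.
def parse_limits(text)
  text.each_line.filter_map do |line|
    fields = line.sub(/#.*/, '').split
    next if fields.empty?
    raise ArgumentError, "malformed rule: #{line.strip}" unless fields.size == 4
    domain, type, item, value = fields
    raise ArgumentError, "bad type: #{type}" unless %w[soft hard -].include?(type)
    { domain: domain, type: type, item: item, value: value }
  end
end

def numeric(value)
  UNLIMITED.include?(value) ? Float::INFINITY : Integer(value)
end

def audit_limits(text)
  findings = []
  parse_limits(text).group_by { |r| [r[:domain], r[:item]] }.each do |(domain, item), rules|
    soft = hard = nil
    rules.each do |r| # type "-" sets both the soft and the hard limit
      soft = numeric(r[:value]) if %w[soft -].include?(r[:type])
      hard = numeric(r[:value]) if %w[hard -].include?(r[:type])
    end
    findings << "#{domain}: soft #{item} exceeds hard" if soft && hard && soft > hard
    findings << "#{domain}: hard core limit is unlimited" if item == 'core' && hard == Float::INFINITY
  end
  findings
end

puts audit_limits(SAMPLE) if $PROGRAM_NAME == __FILE__
```

To check a real node, pass the contents of each file in /etc/security/limits.d/ to audit_limits instead of SAMPLE.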