# Process limits
Limits are a per-process resource enforcement mechanism. This system provides a rudimentary backstop against runaway processes. cgroup is intended for account-wide resource limits.
Process limits are applied using a PAM wrapper on PAM-aware applications, which include any login service (FTP, mail, SSH, crond).
Limits may be overridden in Bootstrapper or by including a lexicographically higher file than `10-apnscp-system.conf` in `FST/siteinfo/etc/security/limits.d` (see Filesystem.md). Files published within this location are inherited by all sites.
Settings take the following form:
```
#DOMAIN   TYPE   RESOURCE   VALUE
# Disable coredumps for everyone
*         -      core       0
# Enable coredumps for users under "site12"
@foobar   soft   core       unlimited
# Restrict number of files opened by PHP-FPM
nobody    soft   nofile     2048
# Limit any account with a user "phil" from running more than 25 processes
phil      hard   nproc      25
```
User resolution is completed inside the virtual environment. In the above example, "phil" applies to any account with a user named "phil". Often it is inappropriate to publish limits within the FST except as stopgap limits for runaway resource consumption for all users (`*`) or the unprivileged PHP-FPM user,
A domain may be of the form:
- username, resolved within the vfs.
- group name using
- `*` for default entry
- `%`, can also be used with
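The following added example (not part of apnscp or the original page) sketches how the override rule resolves for one user: files are read in lexicographic order, a later entry replaces an earlier one of the same specificity, and, as in pam_limits, a user entry outranks an `@group` entry, which outranks `*`. The file contents and the name `20-local.conf` are constructed, user and group membership are passed in rather than resolved, and the `%` domain is not handled.

```python
# Constructed sample input. Only the name 10-apnscp-system.conf comes from the
# page; its contents here are the example lines above, not the shipped file.
# 20-local.conf is a hypothetical override file.
FILES = {
    "10-apnscp-system.conf": """
# DOMAIN TYPE RESOURCE VALUE
*       -    core   0
@foobar soft core   unlimited
nobody  soft nofile 2048
phil    hard nproc  25
""",
    "20-local.conf": """
*       hard nproc  100
nobody  soft nofile 4096
""",
}

def parse(text):
    """Yield (domain, type, resource, value) tuples, skipping comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            yield tuple(fields)

def rank(domain, user, groups):
    """0 = user entry, 1 = @group entry, 2 = wildcard, None = no match."""
    if domain == user:
        return 0
    if domain.startswith("@") and domain[1:] in groups:
        return 1
    return 2 if domain == "*" else None

def effective_limits(files, user, groups=()):
    """Return {(resource, 'soft'|'hard'): (rank, value, source_file)}."""
    best = {}
    for name in sorted(files):  # lexicographic order: higher names read last
        for domain, kind, resource, value in parse(files[name]):
            r = rank(domain, user, groups)
            if r is None:
                continue
            # "-" sets both the soft and the hard limit
            for k in ("soft", "hard") if kind == "-" else (kind,):
                key = (resource, k)
                # later wins, unless the existing entry is more specific
                if key not in best or r <= best[key][0]:
                    best[key] = (r, value, name)
    return best
```

The third element of each result names the file that supplied the winning value, which helps when auditing why a stopgap limit did or did not take effect.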
The following table summarizes available resource limits.
| Resource | Unit or range | Description |
|---|---|---|
| core | KB† | Limits core file size. |
| data | KB† | Maximum data segment size. |
| memlock | KB | Maximum locked-in-memory address space. |
| nofile | [0,2^20]† | Maximum number of open file descriptors. |
| stack | KB | Maximum stack size. |
| cpu | minutes | Maximum CPU time. |
| nproc | [0,2^63) | Max number of processes. |
| as | KB† | Address space limit (vmem). |
| maxlogins | — | Max number of logins for this user. |
| maxsyslogins | — | Max number of global logins for system. |
| priority | [0,2^63) | Real-time process priority. |
| locks | [0,2^63)† | Max number of locks. |
| sigpending | [0,2^63) | Max number of pending signals. |
| msgqueue | B | Max memory used by POSIX message queues. |
| nice | [-20, 19] | Max nice priority allowed to raise. |
| rtprio | [0,2^63) | Max real-time priority. |
† Values marked with † accept `unlimited` as a value.
# Hard and soft
Type may either be "hard" or "soft". A hard limit is the maximal value allowed for a resource. Only root may change this. Soft values may be changed by a user up to the hard limit.
Consider the following in
```
* soft nice 0
* hard nice -5
```

```
su site1
whoami
# Reports admin
renice 0 $$
# 30307 (process ID) old priority 19, new priority 0
renice -1 $$
# renice: failed to set priority for 30307 (process ID): permission denied
```
A user is able to increase process priority from 19 down to 0 but may not specify a negative process priority, which would preempt other processes on the system. A priority of 0 gives equal weighting to all system processes, while a value greater than 0 deprioritizes the process.