
limits's Introduction

Limits Cookbook

This cookbook is used to configure limits for the pam_limits module. By default, the configuration file is located at /etc/security/limits.conf. It can also configure limits in any arbitrary path, such as files in the directory /etc/security/limits.d. It is available on the Chef Supermarket or GitHub.

Usage

This cookbook does not provide any recipes. Instead, it should be added as a dependency of another cookbook. This will make the custom resources provided by the limits cookbook available to be used in another cookbook's recipes.

Here is an example of managing the system's limits.conf file and adding two limits to it, then managing a limits.d file, deleting any manually added limits from it, and adding one limit:

# System limits.conf example

limits_file '/etc/security/limits.conf' do
  action :create
end

limit 'example-1' do
  domain '*'
  type 'hard'
  item 'nofile'
  value 512
end

limit 'example-2' do
  domain '@student'
  type 'soft'
  item 'nproc'
  value 20
end

# Separate limits.d example

limits_file '/etc/security/limits.d/001_vader.conf' do
  action [:create, :purge]
end

limit 'example-3' do
  path '/etc/security/limits.d/001_vader.conf'
  domain 'vader'
  type 'hard'
  item 'nofile'
  value 1000
end

Custom Resource: limits_file

This resource is used to manage a limits file. It is not required in order to use the limit resource, but it is required to purge limits that were not set via Chef. It can also be used without any limit resources to just maintain the formatting of a limits file.

Property  Type                 Default          Required
path      String               (name property)  No
owner     String, Integer      root             No
group     String, Integer      root             No
mode      String, Integer      0644             No
backup    Integer, FalseClass  false            No

Action: create (default)

This action will create the desired limits file. The file will be formatted to a known style. Any comments not attached to limits or lines that are not limits will be removed from the file. Existing limits and attached comments will remain. File owner, group, and mode will be maintained by Chef.

Action: purge

This action will remove any limits in the limits file that were not configured via Chef. This is useful if you want to ensure that a limits file is completely managed by Chef and any manually-added limits are removed.

Action: delete

This action will delete the desired limits file.

Examples

limits_file '/etc/security/limits.conf' do
  action :create
end

limits_file '/etc/security/limits.d/001_vader.conf' do
  action [:create, :purge]
end

limits_file '/etc/security/limits.d/002_anakin.conf' do
  action :delete
end

Custom Resource: limit

This resource is used to manage a specific limit in a limits file. The limits_file resource is not required to be used in conjunction with this resource, but they do complement each other.

Property  Type             Default                    Required
path      String           /etc/security/limits.conf  No
domain    String           none                       Yes
type      see note below   none                       Yes
item      see note below   none                       Yes
value     Integer, String  none                       Yes
comment   String           none                       No

Please see libraries/constants.rb for valid types and limits. More documentation on domain, type, item, and value can be found at the following man page.

Action: create (default)

This action will create the desired limit inside the limits file. This will also have the effect of reformatting the limits file. Any comments not attached to limits or lines that are not limits will be removed from the file. Existing limits and attached comments will remain.

If the limit already exists in the file, any out-of-sync properties will be updated. A limit is identified by the combination of domain, type, and item.

Action: delete

This action will delete the desired limit inside the limits file. A limit is identified by the combination of domain, type, and item.

Examples

limit 'create example' do
  domain 'ftp'
  type 'hard'
  item 'nproc'
  value 0
  action :create
end

limit 'delete example' do
  path '/etc/security/limits.d/001_vader.conf'
  domain 'vader'
  type 'hard'
  item 'nofile'
  action :delete
end
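A pre-flight check for limit entries, as an added example that is not part of the cookbook: it flags items outside the ITEMS list quoted in the issues on this page, unknown types, and repeated (domain, type, item) keys, since that combination is what identifies a limit. The names parse_limits and lint_limits are hypothetical, TYPES is taken from limits.conf(5) because the page does not list the valid types, and the sample input is constructed.

```ruby
# Added example, not the cookbook's code. ITEMS is copied from the list quoted
# on this page; TYPES is an assumption taken from limits.conf(5).
ITEMS = %w(core data fsize memlock nofile rss stack
           cpu nproc as maxlogins maxsyslogins priority
           locks sigpending msgqueue nice rtprio).freeze
TYPES = %w(hard soft -).freeze

# Parse limits.conf-style text into entries; comments and blank lines are skipped.
def parse_limits(text)
  text.each_line.with_index(1).map do |raw, lineno|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    domain, type, item, value = line.split(/\s+/, 4)
    { line: lineno, domain: domain, type: type, item: item, value: value }
  end.compact
end

# Return readable problems: bad fields and repeated (domain, type, item) keys.
def lint_limits(text)
  seen = {}
  parse_limits(text).flat_map do |e|
    problems = []
    problems << "line #{e[:line]}: expected 4 fields" if e[:value].nil?
    problems << "line #{e[:line]}: unknown type #{e[:type].inspect}" unless TYPES.include?(e[:type])
    problems << "line #{e[:line]}: unknown item #{e[:item].inspect}" unless ITEMS.include?(e[:item])
    key = e.values_at(:domain, :type, :item)
    if seen.key?(key)
      problems << "line #{e[:line]}: duplicates line #{seen[key]} (#{key.join(' ')})"
    else
      seen[key] = e[:line]
    end
    problems
  end
end

# Constructed sample input (not taken from a real host).
SAMPLE = <<~CONF
  # managed file
  *         hard  nofile  512
  @student  soft  nproc   20
  hbase     soft  noproc  65536
  vader     hard  nofile  1000
  vader     hard  nofile  2000
  ftp       firm  nproc   0
CONF

puts lint_limits(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Running such a check in CI before converge surfaces a misspelled item as a failure instead of a limit that is silently never applied.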

limits's Issues

Cookbook file definitions/default.rb has a ruby syntax error

I did a knife cookbook site install limits, then tried to upload to my hosted chef server. It failed with error:

knife cookbook upload limits
Uploading limits [1.0.0]
FATAL: Cookbook file definitions/default.rb has a ruby syntax error:
FATAL: /common/opt/provisioning-hex/chef-repo/cookbooks/limits/definitions/default.rb:1: syntax error, unexpected ':', expecting $end
FATAL: define :set_limit, use_system: false, # ~FC015
FATAL: ^

I did not edit this file at all.

Chef 16.2.x support

Looks like Chef 16.2 introduced a backwards-incompatible change with Chef < 16 around custom resources.

https://docs.chef.io/release_notes/#whats-new-in-162

In Chef Infra Client 16.0, we changed the way that custom resource names are applied in order to resolve some longstanding edge-cases. This change had several unintended side effects, so we’re further changing how custom names are set in this release of Chef Infra Client.

Previously you could set a custom name for a resource via resource_name and under the hood this would also magically set the provides for the resource. Magic is great when it works, but is confusing when it doesn’t. We’ve decided to remove some of this magic and instead rely on more explicit provides statements in resources. For cookbooks that support just Chef Infra Client 16 and later, you should change any resource_name calls to provides instead. If you need to support older releases of Chef Infra Client as well as 16+, you’ll want to include both resource_name and provides for full compatibility.

Validation Error

As I tested with the instructions in README.md, I experienced a validation failure. The Chef client version is Chef: 12.19.36. What did I do wrong?

# cat recipe.rb
set_limit 'alice' do
  type 'hard'
  item 'nofile'
  value 2048
end

set_limit 'alice' do
  type 'soft'
  item 'nofile'
  value 1024
end

set_limit '*' do
  type 'hard'
  item 'nofile'
  value 4096
  use_system true
end

set_limit '*' do
  type 'soft'
  item 'nofile'
  value 1024
  use_system true
end

[root@localhost limits.d]# chef-client
[2017-03-09T08:47:41+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.19.36
[2017-03-09T08:47:41+00:00] INFO: *** Chef 12.19.36 ***
[2017-03-09T08:47:41+00:00] INFO: Platform: x86_64-linux
[2017-03-09T08:47:41+00:00] INFO: Chef-client pid: 16210
[2017-03-09T08:47:44+00:00] INFO: Run List is [recipe[limits]]
[2017-03-09T08:47:44+00:00] INFO: Run List expands to [limits]
[2017-03-09T08:47:44+00:00] INFO: Starting Chef Run for node03
[2017-03-09T08:47:44+00:00] INFO: Running start handlers
[2017-03-09T08:47:44+00:00] INFO: Start handlers complete.
[2017-03-09T08:47:46+00:00] INFO: HTTP Request Returned 404 Not Found:
[2017-03-09T08:47:46+00:00] INFO: Error while reporting run start to Data Collector. URL: https://api.chef.io/organizations/niclab/data-collector Exception: 404 -- 404 "Not Found" (This is normal if you do not have Chef Automate)
resolving cookbooks for run list: ["limits"]
[2017-03-09T08:47:47+00:00] INFO: Loading cookbooks [limits@1.0.0]
Synchronizing Cookbooks:
[2017-03-09T08:47:50+00:00] INFO: Storing updated cookbooks/limits/recipes/default.rb in the cache.

  • limits (1.0.0)
    Installing Cookbook Gems:
    Compiling Cookbooks...
    Converging 1 resources
    Recipe: limits::default
  • limits_config[alice] action create

    ================================================================================
    Error executing action create on resource 'limits_config[alice]'

    Chef::Exceptions::ValidationFailed

    Option path must be a kind of [String]! You passed {"alice.hard.nofile"=>2048}.

    Cookbook Trace:

    /var/chef/cache/cookbooks/limits/providers/config.rb:12:in `block (2 levels) in class_from_file'
    /var/chef/cache/cookbooks/limits/providers/config.rb:11:in `block in class_from_file'

    Resource Declaration:

    In /var/chef/cache/cookbooks/limits/definitions/default.rb

    24: r = limits_config params[:filename] do
    25: limits []
    26: use_system params[:use_system]
    27: action :create
    28: end
    29: end

    Compiled Resource:

    Declared in /var/chef/cache/cookbooks/limits/definitions/default.rb:24:in `rescue in block in from_file'

    limits_config("alice") do
    params {:use_system=>false, :filename=>"alice", :domain=>nil, :type=>"hard", :item=>"nofile", :value=>2048, :name=>"alice"}
    action [:create]
    retries 0
    retry_delay 2
    default_guard_interpreter :default
    declared_type :limits_config
    cookbook_name "limits"
    recipe_name "default"
    limits [{:domain=>"alice", :type=>"hard", :item=>"nofile", :value=>2048}, {:domain=>"alice", :type=>"soft", :item=>"nofile", :value=>1024}]
    use_system false
    filename "alice"
    end

    Platform:

    x86_64-linux

[2017-03-09T08:47:50+00:00] INFO: Running queued delayed notifications before re-raising exception

Running handlers:
[2017-03-09T08:47:50+00:00] ERROR: Running exception handlers
Running handlers complete
[2017-03-09T08:47:50+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 08 seconds
[2017-03-09T08:47:50+00:00] INFO: Sending resource update report (run-id: 8cce39d9-cb23-4f09-9006-c850ef319768)
[2017-03-09T08:47:51+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2017-03-09T08:47:51+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-03-09T08:47:51+00:00] ERROR: limits_config[alice] (limits::default line 24) had an error: Chef::Exceptions::ValidationFailed: Option path must be a kind of [String]! You passed {"alice.hard.nofile"=>2048}.
[2017-03-09T08:47:51+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
[root@localhost limits.d]#

does the lwrp honor notifies?

I tried the following lwrp

limits_config 'system-wide limits' do
  limits [
    { domain: '*', type: 'hard', item: 'nofile', value: 32_768 },
    { domain: '*', type: 'soft', item: 'nofile', value: 32_768 }
  ]
  use_system true
  notifies :restart, 'service[sshd]'
end

but...

My chef-client would bail almost immediately. No error, but none of my resources would run.
When I took the line out, everything was fine.

more examples

Could you please add an example of setting node['limits']['system_limits'] in case one wants to set a few system limits? For example: hard nofile, soft nofile, hard nproc and soft nproc.

Thanks,
Liora

Can't set system or user specific noproc settings for Centos 6.5?

I can't set the noproc settings on CentOS 6.5. I need to increase the system wide limits (or at least the user specific limits) for HBase.

I've tried setting the limits both as a starred out user and as hbase specifically.

# Set soft and hard limits system-wide for the number of processes a user can run.
set_limit 'hbase' do
  type 'soft'
  item 'noproc'
  value 65536
  use_system true
end

set_limit '*' do
  type 'hard'
  item 'noproc'
  value 65536
  use_system true
end

The code doesn't throw an error or even a warning out to the terminal. It only adds the following commented line to the /etc/security/limits.conf file:

# The following limits were detected as invalid by Chef
# hbase soft noproc 65536
# hbase hard noproc 65536

# The following limits were detected as invalid by Chef
# * soft noproc 65536
# * hard noproc 65536

Versions:

chef (12.2.1)
chef-dk (0.5.0.rc.5)
chef-vault (2.4.0)
chef-zero (4.2.1, 1.5.6)

I initially thought it was related to /etc/security/limits.d/90-nproc.conf and wrote code to remove that file. But this appears to be a Chef thing.

How can I resolve this?

Documentation request - what ulimits can cookbook set?

Here are all the available options that can be set with ulimit.

$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 4864
pipe size            (512 bytes, -p) 1
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 709
virtual memory          (kbytes, -v) unlimited

Looking through the source, I find the list of available items here:

ITEMS = %w(core data fsize memlock nofile rss stack
cpu nproc as maxlogins maxsyslogins priority
locks sigpending msgqueue nice rtprio) unless defined?(ITEMS)

core data fsize memlock nofile rss stack cpu nproc as maxlogins maxsyslogins priority locks sigpending  msgqueue nice rtprio

I can't figure out how some of these match up. For example, core (-c) is easy

set_limit '*' do
  type 'soft'
  item 'core'
  value 'unlimited'
end

What 'item' would max memory size and virtual memory correspond to?

Chef 16.X support

Hi,

Can you please add chef 16.x support?

[2020-05-15T20:29:25+00:00] FATAL: Chef::Exceptions::CookbookChefVersionMismatch: Cookbook 'limits' version '2.0.0' depends on Chef Infra Client version ["< 16", ">= 12"], but the running Chef Infra Client version is 16.1.0

Thank you!

Clarification in README for usage

The README.md needs to be clearer on the fact that this cookbook has no recipes and is intended to be used purely through resources.
