Bug#838191: marked as done (systemd user units do not honor resource limits set in /etc/security/limits.conf)

Thu, 29 Sep 2016 09:45:47 -0700 

Your message dated Thu, 29 Sep 2016 16:40:49 +0000
with message-id <[email protected]>
and subject line Bug#838191: fixed in systemd 231-8
has caused the Debian Bug report #838191,
regarding systemd user units do not honor resource limits set in 
/etc/security/limits.conf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
838191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838191
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: systemd
Version: 231-6
Severity: normal

Dear Maintainer,

I wanted to set resource limits from a systemd _user_ unit, with:

  LimitRTPRIO=96
  LimitMEMLOCK=infinity


Raising resource limits with ulimit(3) or setrlimit(2) is a privileged
operation, however users are normally allowed to set resource limits
within the boundaries set by hard limits in /etc/security/limits.conf.

Currently this practice does not work with systemd user units.

For example, I have these settings in limits.conf:
-----------------------------------------------------------------------
*   hard  rtprio     96
*   hard  memlock    unlimited
-----------------------------------------------------------------------


The output of running prlimit from a shell is as follows:
-----------------------------------------------------------------------
RESOURCE   DESCRIPTION                             SOFT      HARD UNITS
...
MEMLOCK    max locked-in-memory address space     65536 unlimited bytes
...
RTPRIO     max real-time priority                     0        96 
...
-----------------------------------------------------------------------


And users are able to change the soft limit with ulimit from the shell.

However "systemd --user" seems to ignore the hard limits, see the unit
below (copied to /usr/lib/systemd/user/prlimit_defaults.service):
-----------------------------------------------------------------------
[Unit]
Description=Test setting limits

[Service]
ExecStart=/usr/bin/prlimit
-----------------------------------------------------------------------


Starting the unit with "systemctl --user start prlimit_defaults.service"
results in this output:
-----------------------------------------------------------------------
Started Test setting limits.
RESOURCE   DESCRIPTION                             SOFT      HARD UNITS
...
MEMLOCK    max locked-in-memory address space     65536     65536 bytes
...
RTPRIO     max real-time priority                     0         0
...
-----------------------------------------------------------------------


The limits are ignored and of course raising them does not work either:
-----------------------------------------------------------------------
[Unit]
Description=Test setting limits

[Service]
ExecStart=/usr/bin/prlimit

# These work fine when running the unit as a system service,
# but they don't have effect when using "systemctl --user"
LimitRTPRIO=96
LimitMEMLOCK=infinity
-----------------------------------------------------------------------


After a precious suggestion by Mantas Mikulėnas (grawity in
#debian-systemd) I verified that this is happening because
/etc/pam.d/systemd-user does not load pam_limits.so.

The following change fixes the issue:
-----------------------------------------------------------------------
--- /etc/pam.d/systemd-user.orig        2016-09-17 17:40:19.787522246 +0200
+++ /etc/pam.d/systemd-user     2016-09-17 15:13:17.035405264 +0200
@@ -7,5 +7,6 @@
 session  required pam_selinux.so close
 session  required pam_selinux.so nottys open
 session  required pam_loginuid.so
+session  required pam_limits.so
 @include common-session-noninteractive
 session optional pam_systemd.so
-----------------------------------------------------------------------


After adding pam_limits and the settings in limits.conf, the units from
above have the expected behavior.

The mechanism explained in systemd-user.conf(5) to set default limits
for all user units also works now; before it didn't.

For instance these values in /etc/systemd/user.conf were completely
ignored without the changes from above:
-----------------------------------------------------------------------
DefaultLimitMEMLOCK=infinity
DefaultLimitRTPRIO=96
-----------------------------------------------------------------------


I guess that too was because user.conf limits are meant to be within
some system-wide limits (see the P.S. below).

I can send a patch for /etc/pam.d/systemd-user against the systemd
Debian package to address the issue, but I have a doubt: can this also
be considered a bug in the upstream src/login/systemd-user.m4?

If so I will send a standalone patch which applies _before_
debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
will be easier to have it merged upstream.

Thanks,
   Antonio


P.S.

After I wrote the report above I found out that another way to solve the
problem is to set system-wide limits in /etc/systemd/system.conf (or
/lib/systemd/system.conf.d/nn_SOMETHING.conf), e.g.:

  [Manager]
  DefaultLimitMEMLOCK=65536:infinity
  DefaultLimitRTPRIO=0:96

and these limits will also apply to "systemd --user" (and so
/etc/systemd/user.conf will work too within these limits); maybe this is
even the "official" systemd way to solve the problem, but it does not
give the ability to set per-user or per-group limits, so I still think
that the report above is valid.


-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-4
ii  libaudit1       1:2.6.6-1
ii  libblkid1       2.28.2-1
ii  libc6           2.24-3
ii  libcap2         1:2.25-1
ii  libcap2-bin     1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20     1.7.3-1
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0-3
ii  libkmod2        22-1.1
ii  liblzma5        5.1.1alpha+20120614-2.1
ii  libmount1       2.28.2-1
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.5-3
ii  libsystemd0     231-6
ii  mount           2.28.2-1
ii  util-linux      2.28.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.10-1
ii  libpam-systemd  231-6

Versions of packages systemd suggests:
ii  policykit-1        0.105-16
ii  systemd-container  231-6
pn  systemd-ui         <none>

Versions of packages systemd is related to:
ii  udev  231-6

-- no debconf information
-- 
Antonio Ospite
http://ao2.it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?

--- End Message ---
--- Begin Message --- 
Source: systemd
Source-Version: 231-8

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Sep 2016 13:40:21 +0200
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote 
systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines 
libnss-resolve libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb 
libudev1-udeb
Architecture: source
Version: 231-8
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers 
<[email protected]>
Changed-By: Martin Pitt <[email protected]>
Description:
 libnss-myhostname - nss module providing fallback resolution for the current 
hostname
 libnss-mymachines - nss module to resolve hostnames for local container 
instances
 libnss-resolve - nss module to resolve names via systemd-resolved
 libpam-systemd - system and service manager - PAM module
 libsystemd-dev - systemd utility library - development files
 libsystemd0 - systemd utility library
 libudev-dev - libudev development files
 libudev1   - libudev shared library
 libudev1-udeb - libudev shared library (udeb)
 systemd    - system and service manager
 systemd-container - systemd container/nspawn tools
 systemd-coredump - tools for storing and retrieving coredumps
 systemd-journal-remote - tools for sending and receiving remote journal logs
 systemd-sysv - system and service manager - SysV links
 udev       - /dev/ and hotplug management daemon
 udev-udeb  - /dev/ and hotplug management daemon (udeb)
Closes: 838191
Launchpad-Bugs-Fixed: 1588230 1626737 1628687
Changes:
 systemd (231-8) unstable; urgency=medium
 .
   [ Martin Pitt ]
   * Replace remaining systemctl --failed with --state=failed
     "--failed" is deprecated in favor of --state.
   * debian/shlibs.local.in: More precisely define version of internal shared
     lib.
   * debian/tests/upstream: Drop blacklisting
     These tests now work fine without qemu.
   * debian/tests/storage: Avoid rmmod scsi_debug (LP: #1626737)
   * upstream build system: Install libudev, libsystemd, and nss modules to
     ${rootlibdir}. Drop downstream workaround from debian/rules.
   * Ubuntu: Disable resolved's DNSSEC for the final 16.10 release.
     Resolved's DNSSEC support is still not mature enough, and upstream
     recommends to disable it in stable distro releases still.
   * Fix abort/DoS on zero-length notify message triggers (LP: #1628687)
   * resolved: don't query domain-limited DNS servers for other domains
     (LP: #1588230)
 .
   [ Antonio Ospite ]
   * Update systemd-user pam config to require pam_limits.so.
     (Closes: #838191)
Checksums-Sha1:
 ed94f3b6e201046eae2f0ddc4dbbc9c7bd189890 4443 systemd_231-8.dsc
 c3c82305a0a5e53be07d799c99f03b39606a845f 145164 systemd_231-8.debian.tar.xz
Checksums-Sha256:
 a39b5c443d0b976a055a461621f93b49c27897651b096bf3f109684561a7fbfc 4443 
systemd_231-8.dsc
 56a98089b73b93e6e43f6c189f2ce2a26c08942dd725078acf869c6f2d3759ca 145164 
systemd_231-8.debian.tar.xz
Files:
 d09e9efd22d77031a57b5bac23922647 4443 admin optional systemd_231-8.dsc
 d1e165e85851f806126791b3bcc8726a 145164 admin optional 
systemd_231-8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJX7SB7AAoJENFO8V2v4RNH320P/i1zr/UpdnEdEPNg+avN+CZh
lziIsivFC2g/+ebxuMOJw/RrQ+MSUSb0F4bOxymD+K1p44XDQDhpXJNIgGRdLpJR
+QYFHoiXk/+J5RtQDzC2IV5BZfFGruo2S0BAwlH4HsNSD8jOXoid0pmIgqjLwTsG
OwqDKrni8x4Nj2g/x7M262UoOmtn3r3tSDAOT0oxBUOWDHeYWwklfzSf/aAaMHcb
dbQITLZOtKREvLzAHgtY5o8h6umACvJ5iCkXwbNzitkPn/B1SVqf8uHq68oY7TaC
QeBQwi/oMrspANukOsZBZjvnBwq5cxPV707oC0Fxgzz8dBpBdFxMhk5LWs6w43bp
RnmaotJ4xShXjxWVMrKKeUW3BwzxXrum1K8QO0YqOMIqM9Mn8mIAxfMesk1KIF71
Olz9AyLAIHoon70FKF5ZJZgtFknwyXiX6swHIqPdMSArH6FOd9PsQ6Pps12zMrEl
bmoda0hO5nyHNGCkRUmTcEYmsNMMSFYF2fc3vDa5X/GxHDohlAJ5wFDjed3Cz9vP
Ad7ddAggsoTz82/Ii1AQfL5WAejQmPjFUIB6vkgoTUtDF6jbOS6iXfpxqyPd3Sf/
NiTq7Uv6vBYsM+D/BKlJ/4akhs87XaO45J9dL6ISYuqYJIWTyTsWH8fGL14nVrdf
v6TC3fpZafwBr3bOKhIa
=Wk+Y
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to