
Master Linux Resource Limits: /etc/security/limits.conf, ulimit, and systemd Explained

This article provides a comprehensive guide to Linux resource limits, covering the role of /etc/security/limits.conf and its overrides, proper ulimit configuration, temporary versus permanent settings, common commands, and how systemd services manage their own limits.

Raymond Ops

1. Detailed Explanation of /etc/security/limits.conf

This file is the configuration for the PAM module pam_limits.so. It applies only to sessions opened through PAM and does not affect the limits of system services. Files in the /etc/security/limits.d/ directory can override its settings.

Configuration format

# /etc/security/limits.conf
# This file sets the resource limits for the users logged in via PAM.
# It does not affect resource limits of the system services.
# Also note that configuration files in /etc/security/limits.d directory,
# which are read in alphabetical order, override the settings in this file
# when the domain is the same or more specific.

# <domain> <type> <item> <value>
# <domain> can be a user name, a group name prefixed with @, * for all users,
# or % for maxlogin limits.
# <type> is "soft" (enforced soft limit) or "hard" (enforced hard limit).
# <item> can be core, data, fsize, memlock, nofile, rss, stack, cpu,
# nproc, as, maxlogins, maxsyslogins, priority, locks, sigpending,
# msgqueue, nice, rtprio, etc.
# Example entries:
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0

/etc/security/limits.d/ directory

The directory contains default files such as *-nproc.conf that limit user processes. You can create additional .conf files here.

CentOS 7 uses /etc/security/limits.d/20-nproc.conf with default * soft nproc 4096 and root soft nproc unlimited.

CentOS 6 uses /etc/security/limits.d/90-nproc.conf.

2. Configuring ulimit

Important notes

Do not set nofile to unlimited. The maximum allowed value for nofile is 1,048,576 (2²⁰); exceeding it prevents SSH login and produces an error like "pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted".

Basic configuration

Place custom limits in /etc/security/limits.d/ instead of directly editing /etc/security/limits.conf. For example, create /etc/security/limits.d/20-nofile.conf with:

root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535

And /etc/security/limits.d/20-nproc.conf with:

* - nproc 65535
root soft nproc unlimited
root hard nproc unlimited

Override behavior

Specific entries override more generic ones. For example, a root soft nofile 65538 entry takes precedence over a wildcard * soft nofile 65539, but the soft value cannot exceed the hard value.
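
The precedence rules above and the nofile warning from the important notes, as an added example (not code from the original article or from pam_limits): a simplified Python model that resolves which entries win for a given user and flags nofile values above the quoted ceiling. The file contents, the user deploy and the group ops are constructed; the rule that wildcard and group entries do not apply to root comes from limits.conf(5), and only values set by the files are modelled.

```python
NOFILE_CEILING = 1_048_576        # 2**20, the nofile maximum quoted above
UNLIMITED = ("unlimited", "infinity", "-1")
USER, GROUP, WILDCARD = 0, 1, 2   # lower rank = more specific domain

def rank(domain, user, groups):
    """Specificity of a domain for this user, or None if it does not apply."""
    if domain == user:
        return USER
    if user == "root":            # limits.conf(5): group/wildcard entries skip root
        return None
    if domain.startswith("@") and domain[1:] in groups:
        return GROUP
    return WILDCARD if domain == "*" else None

def effective(files, user, groups=()):
    """files: {name: text}. Returns {item: {"soft": n, "hard": n}} as set by the files."""
    best = {}                                     # (item, kind) -> (rank, value)
    for name in sorted(files, key=lambda n: (n != "limits.conf", n)):  # main file first
        for line in files[name].splitlines():
            fields = line.split("#", 1)[0].split()
            if len(fields) != 4 or fields[1] not in ("soft", "hard", "-"):
                continue                          # blank, comment or malformed
            domain, typ, item, value = fields
            r = rank(domain, user, groups)
            if r is None:
                continue
            n = float("inf") if value in UNLIMITED else int(value)
            for kind in (("soft", "hard") if typ == "-" else (typ,)):
                held = best.get((item, kind))
                if held is None or r <= held[0]:  # equal rank: the later line wins
                    best[(item, kind)] = (r, n)
    out = {}
    for (item, kind), (_, value) in best.items():
        out.setdefault(item, {})[kind] = value
    for lim in out.values():                      # soft is capped at hard
        if "soft" in lim and "hard" in lim:
            lim["soft"] = min(lim["soft"], lim["hard"])
    return out

def lockout_risks(limits):
    """nofile kinds set above the ceiling, the setting that blocks SSH logins."""
    return [k for k, v in sorted(limits.get("nofile", {}).items()) if v > NOFILE_CEILING]

SAMPLE = {   # constructed sample files, not taken from a real host
    "limits.conf": "* hard nofile unlimited\n",
    "20-nofile.conf": "deploy soft nofile 70000\n* soft nofile 65535\n* hard nofile 65535\n",
    "90-nproc.conf": "* - nproc 65535\n@ops hard nproc unlimited\n",
}
```

Running effective(SAMPLE, "deploy", groups=("ops",)) shows the user entry beating the wildcard, the later wildcard line replacing the earlier one, and the soft value being capped at the hard value; the same call for root returns nothing because no line names root.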

3. ulimit Effectiveness

Temporary configuration

Set a temporary limit with ulimit -Sn 65536. It applies only to the current shell and the processes started from it, and it is lost after a reboot.

Permanent configuration

Add the same lines to /etc/security/limits.conf or a file under /etc/security/limits.d/, then log out and back in for the changes to take effect.

4. Common ulimit Commands

-S    set soft limit
-H    set hard limit
-a    display all current limits
-n    maximum number of open file descriptors
...

Use ulimit -a to view all limits, ulimit -n for the open‑file limit, and ulimit -Sn 65536 to change it.

5. systemd‑related Limits

Systemd services have their own limits, which can differ from the PAM configuration. The effective limits are taken from three places:

Global system configuration: /etc/systemd/system.conf

User‑service configuration: /etc/systemd/user.conf

Per‑service unit files: /usr/lib/systemd/system/*.service

To view a service’s limits, run systemctl show sshd | grep '^Limit' or inspect /proc/<pid>/limits for a running process.

To modify a service’s limit, either edit the global configuration and re-execute the systemd manager (systemctl daemon-reexec), or add LimitNOFILE=32768 to the service’s unit file and run systemctl daemon-reload && systemctl restart <service>.

6. Additional Tips

Check a process’s limits with cat /proc/<pid>/limits.

Adjust a running process’s limits with prlimit --pid <pid> --nofile=1024:4096.
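
An added example (not from the original article): a Python check that compares the Limit* values reported by systemctl show with the rows of /proc/<pid>/limits, so a unit change that has not reached the running process shows up as drift. Both sample texts are constructed, and the systemctl show layout with separate ...Soft properties is assumed; output that prints a single value per limit is treated as soft = hard.

```python
import re

# systemd directive -> row name in /proc/<pid>/limits
ROWS = {"LimitNOFILE": "Max open files", "LimitNPROC": "Max processes",
        "LimitCORE": "Max core file size"}
UNLIMITED = {"unlimited", "infinity", "18446744073709551615"}

def num(value):
    """Numeric limit, or None when the limit is unlimited."""
    return None if value in UNLIMITED else int(value)

def parse_proc(text):
    """/proc/<pid>/limits text -> {row name: (soft, hard)}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(Max .+?)\s{2,}(\S+)\s+(\S+)", line)
        if m:                                  # the header row does not match
            out[m.group(1)] = (num(m.group(2)), num(m.group(3)))
    return out

def parse_show(text):
    """`systemctl show` Limit* lines -> {directive: (soft, hard)}."""
    raw = dict(l.split("=", 1) for l in text.splitlines() if l.startswith("Limit"))
    return {k: (num(raw.get(k + "Soft", v)), num(v))
            for k, v in raw.items() if not k.endswith("Soft")}

def drift(show_text, proc_text):
    """Directives whose configured value differs from the running process."""
    want, have = parse_show(show_text), parse_proc(proc_text)
    return {k: {"unit": want[k], "process": have.get(ROWS[k])}
            for k in sorted(ROWS) if k in want and want[k] != have.get(ROWS[k])}

# Constructed samples: the unit asks for 32768 files, the process still has 1024:4096.
SHOW = ("LimitNOFILE=32768\nLimitNOFILESoft=32768\n"
        "LimitNPROC=63432\nLimitNPROCSoft=63432\n"
        "LimitCORE=infinity\nLimitCORESoft=0\n")
PROC = """\
Limit                     Soft Limit           Hard Limit           Units
Max core file size        0                    unlimited            bytes
Max processes             63432                63432                processes
Max open files            1024                 4096                 files
"""
```

A non-empty result from drift(SHOW, PROC) usually means the service was not restarted after the unit change, or the process limits were changed afterwards with prlimit.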

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
