Gentoo Archives: gentoo-dev

From: Piotr Karbowski <slashbeast@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] pam: thoughts on modernizing pam_limits configuration that Gentoo ships with
Date: Sun, 11 Dec 2022 08:28:35
1 Hi,
3 I'd like to touch base on the topic of pam_limits and the defaults that
4 we ended up with in Gentoo.
6 Currently on default system installation without any modification to
7 /etc/security/limits.{conf,d/*} user will end up with limit o 1024 of
8 file descriptors and 4096 limit of threads.
10 Most of limits.conf makes a lot of sense on systems that are meant to be
11 used remotely by many people simultaneously and have much less of
12 importance on single user desktop systems.
14 Recently I've been haunted by random and and not reproducible failures
15 of random applications during runs with ffmpeg's libsvtav1 integration.
16 Having a 4 instances of ffmpeg with was enough to get me random
17 failures, terminals not to open, up until I actually seen in shell
18 'cannot allocate resource' while trying to run a script.
20 Turns out, I was running over the limit of 4096 threads, as nproc
21 somewhat suggests this is limit of processes, it is actually a limit of
22 PIDs, and every thread gets its own pid.
24 I have strong opinion on this one, that users that runs multi users
25 systems will be well aware of the need to tune limits.conf of
26 pam_limits, while the users that will actually suffer are the regular
27 Joe that just uses Gentoo as a single user system.
29 What I'd like to do is to bump the limits.conf we ship with pam to following
31 * hard nproc 16384
32 * soft nproc 16384
33 * hard nofile 16384
34 * soft nofile 16384
36 Those are still reasonable defaults that are much more suitable the
37 modern systems. I can only see benefits in it and am unable to think
38 about the potential drawbacks of bumping *defaults*.
40 Any thoughts?
42 Unless there's strong opposition to not bump those 1024/4096 current
43 defaults, I'd like to bump those limits. Normally I'd create a bug and
44 assign it to maintainer, however our sys-libs/pam maintainer has not
45 been seen in last half a year, so I'd end up joining as co-maintainer
46 there in the result.
48 -- Piotr.