Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 15 Jul 2022 17:04:18 -0500
From:      Larry Rosenman <ler@lerctr.org>
To:        Freebsd current <freebsd-current@freebsd.org>
Subject:   limits.conf/stacksize doesn't seem to work?
Message-ID:  <d997dadc5e1b09fa6af0419f6641ed7f@lerctr.org>

next in thread | raw e-mail | index | archive | help
I'm using the following kernel config:
โฏ cat LER-MINIMAL
# LER-MINIMAL  -- kernel config based on MINIMAL

include		MINIMAL
ident		LER-MINIMAL

nooptions 	WITNESS			# Enable checks to detect deadlocks and cycles
nooptions 	WITNESS_SKIPSPIN	# Don't run witness on spinlocks for speed
options		KDB_UNATTENDED
#options		DEBUG_MEMGUARD
#options		DEBUG_REDZONE
makeoptions 	WITH_EXTRA_TCP_STACKS=1
options 	TCPHPTS
device		mfi
options		TCP_RFC7413
# Kernel dump features.
options         EKCD                    # Support for encrypted kernel 
dumps
options         GZIO                    # gzip-compressed kernel and 
user dumps
options         ZSTDIO                  # zstd-compressed kernel and 
user dumps
options         NETDUMP                 # netdump(4) client support
# ipsec support
options		IPSEC_SUPPORT
device		crypto

#netgraph debug
options		NETGRAPH_DEBUG

#tcp ratelimit
options		RATELIMIT

## INVARIANTS
options		INVARIANT_SUPPORT
options		INVARIANTS

ler in ๐ŸŒ borg in sys/amd64/conf๐Ÿ”’ on ๎‚  ler/freebsd-main-changes:main on 
โ˜๏ธ  (us-east-1)
โฏ

and the following login.conf:
โฏ cat /etc/login.conf
# login.conf - login class capabilities database.
#
# Remember to rebuild the database after each change to this file:
#
#	cap_mkdb /etc/login.conf
#
# This file controls resource limits, accounting limits and
# default user environment settings.
#
# $FreeBSD$
#

# Default settings effectively disable resource limits, see the
# examples below for a starting point to enable them.

# defaults
# These settings are used by login(1) by default for classless users
# Note that entries like "cputime" set both "cputime-cur" and 
"cputime-max"
#
# Note that since a colon ':' is used to separate capability entries,
# a \c escape sequence must be used to embed a literal colon in the
# value or name of a capability (see the ``CGETNUM AND CGETSTR SYNTAX
# AND SEMANTICS'' section of getcap(3) for more escape sequences).

default:\
	:passwd_format=sha512:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/var/run/motd:\
	:setenv=BLOCKSIZE=K:\
	:mail=/var/mail/$:\
	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin 
~/bin:\
	:nologin=/var/run/nologin:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:stacksize=unlimited:\
	:memorylocked=64K:\
	:memoryuse=unlimited:\
	:filesize=unlimited:\
	:coredumpsize=unlimited:\
	:openfiles=unlimited:\
	:maxproc=unlimited:\
	:sbsize=unlimited:\
	:vmemoryuse=unlimited:\
	:swapuse=unlimited:\
	:pseudoterminals=unlimited:\
	:kqueues=unlimited:\
	:umtxp=unlimited:\
	:priority=0:\
	:ignoretime@:\
	:umask=022:\
	:charset=UTF-8:\
	:lang=C.UTF-8:

#
# A collection of common class names - forward them all to 'default'
# (login would normally do this anyway, but having a class name
#  here suppresses the diagnostic)
#
standard:\
	:tc=default:
xuser:\
	:tc=default:
staff:\
	:tc=default:

# This PATH may be clobbered by individual applications.  Notably, by 
default,
# rc(8), service(8), and cron(8) will all override it with a default 
PATH that
# may not include /usr/local/sbin and /usr/local/bin when starting 
services or
# jobs.
daemon:\
	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
	:mail@:\
	:memorylocked=128M:\
	:tc=default:
news:\
	:tc=default:
dialer:\
	:tc=default:

#
# Root can always login
#
# N.B.  login_getpwclass(3) will use this entry for the root account,
#       in preference to 'default'.
root:\
	:ignorenologin:\
	:memorylocked=unlimited:\
	:tc=default:

#
# Russian Users Accounts. Setup proper environment variables.
#
russian|Russian Users Accounts:\
	:charset=UTF-8:\
	:lang=ru_RU.UTF-8:\
	:tc=default:

bacula_dir:\
	:stacksize-max=68719476736:\
	:stacksize-cur=68719476736:\
	:tc=daemon:
######################################################################
######################################################################
##
## Example entries
##
######################################################################
######################################################################

## Example defaults
## These settings are used by login(1) by default for classless users
## Note that entries like "cputime" set both "cputime-cur" and 
"cputime-max"
#
#default:\
#	:cputime=infinity:\
#	:datasize-cur=22M:\
#	:stacksize-cur=8M:\
#	:memorylocked-cur=10M:\
#	:memoryuse-cur=30M:\
#	:filesize=infinity:\
#	:coredumpsize=infinity:\
#	:maxproc-cur=64:\
#	:openfiles-cur=64:\
#	:priority=0:\
#	:requirehome@:\
#	:umask=022:\
#	:tc=auth-defaults:
#
#
##
## standard - standard user defaults
##
#standard:\
#	:copyright=/etc/COPYRIGHT:\
#	:welcome=/var/run/motd:\
#	:setenv=BLOCKSIZE=K:\
#	:mail=/var/mail/$:\
#	:path=~/bin /bin /usr/bin /usr/local/bin:\
#	:manpath=/usr/share/man /usr/local/man:\
#	:nologin=/var/run/nologin:\
#	:cputime=1h30m:\
#	:datasize=8M:\
#	:vmemoryuse=100M:\
#	:stacksize=2M:\
#	:memorylocked=4M:\
#	:memoryuse=8M:\
#	:filesize=8M:\
#	:coredumpsize=8M:\
#	:openfiles=24:\
#	:maxproc=32:\
#	:priority=0:\
#	:requirehome:\
#	:passwordtime=90d:\
#	:umask=002:\
#	:ignoretime@:\
#	:tc=default:
#
#
##
## users of X (needs more resources!)
##
#xuser:\
#	:manpath=/usr/share/man /usr/local/man:\
#	:cputime=4h:\
#	:datasize=12M:\
#	:vmemoryuse=infinity:\
#	:stacksize=4M:\
#	:filesize=8M:\
#	:memoryuse=16M:\
#	:openfiles=32:\
#	:maxproc=48:\
#	:tc=standard:
#
#
##
## Staff users - few restrictions and allow login anytime
##
#staff:\
#	:ignorenologin:\
#	:ignoretime:\
#	:requirehome@:\
#	:accounted@:\
#	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin 
/usr/local/sbin:\
#	:umask=022:\
#	:tc=standard:
#
#
##
## root - fallback for root logins
##
#root:\
#	:path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin 
/usr/local/sbin:\
#	:cputime=infinity:\
#	:datasize=infinity:\
#	:stacksize=infinity:\
#	:memorylocked=infinity:\
#	:memoryuse=infinity:\
#	:filesize=infinity:\
#	:coredumpsize=infinity:\
#	:openfiles=infinity:\
#	:maxproc=infinity:\
#	:memoryuse-cur=32M:\
#	:maxproc-cur=64:\
#	:openfiles-cur=1024:\
#	:priority=0:\
#	:requirehome@:\
#	:umask=022:\
#	:tc=auth-root-defaults:
#
#
##
## Settings used by /etc/rc
##
#daemon:\
#	:coredumpsize@:\
#	:coredumpsize-cur=0:\
#	:datasize=infinity:\
#	:datasize-cur@:\
#	:maxproc=512:\
#	:maxproc-cur@:\
#	:memoryuse-cur=64M:\
#	:memorylocked-cur=64M:\
#	:openfiles=1024:\
#	:openfiles-cur@:\
#	:stacksize=16M:\
#	:stacksize-cur@:\
#	:tc=default:
#
#
##
## Settings used by news subsystem
##
#news:\
#	:path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin 
/usr/local/sbin:\
#	:cputime=infinity:\
#	:filesize=128M:\
#	:datasize-cur=64M:\
#	:stacksize-cur=32M:\
#	:coredumpsize-cur=0:\
#	:maxmemorysize-cur=128M:\
#	:memorylocked=32M:\
#	:maxproc=128:\
#	:openfiles=256:\
#	:tc=default:
#
#
##
## The dialer class should be used for a dialup PPP account
## Welcome messages/news suppressed
##
#dialer:\
#	:hushlogin:\
#	:requirehome@:\
#	:cputime=unlimited:\
#	:filesize=2M:\
#	:datasize=2M:\
#	:stacksize=4M:\
#	:coredumpsize=0:\
#	:memoryuse=4M:\
#	:memorylocked=1M:\
#	:maxproc=16:\
#	:openfiles=32:\
#	:tc=standard:
#
#
##
## Site full-time 24/7 PPP connection
## - no time accounting, restricted to access via dialin lines
##
#site:\
#	:ignoretime:\
#	:passwordtime@:\
#	:refreshtime@:\
#	:refreshperiod@:\
#	:sessionlimit@:\
#	:autodelete@:\
#	:expireperiod@:\
#	:graceexpire@:\
#	:gracetime@:\
#	:warnexpire@:\
#	:warnpassword@:\
#	:idletime@:\
#	:sessiontime@:\
#	:daytime@:\
#	:weektime@:\
#	:monthtime@:\
#	:warntime@:\
#	:accounted@:\
#	:tc=dialer:\
#	:tc=staff:
#
#
##
## Example standard accounting entries for subscriber levels
##
#
#subscriber|Subscribers:\
#	:accounted:\
#	:refreshtime=180d:\
#	:refreshperiod@:\
#	:sessionlimit@:\
#	:autodelete=30d:\
#	:expireperiod=180d:\
#	:graceexpire=7d:\
#	:gracetime=10m:\
#	:warnexpire=7d:\
#	:warnpassword=7d:\
#	:idletime=30m:\
#	:sessiontime=4h:\
#	:daytime=6h:\
#	:weektime=40h:\
#	:monthtime=120h:\
#	:warntime=4h:\
#	:tc=standard:
#
#
##
## Subscriber accounts. These accounts have their login times
## accounted and have access limits applied.
##
#subppp|PPP Subscriber Accounts:\
#	:tc=dialer:\
#	:tc=subscriber:
#
#
#subshell|Shell Subscriber Accounts:\
#	:tc=subscriber:
#
##
## If you want some of the accounts to use traditional UNIX DES based
## password hashes.
##
#des_users:\
#	:passwd_format=des:\
#	:tc=default:

ler in ๐ŸŒ borg in sys/amd64/conf๐Ÿ”’ on ๎‚  ler/freebsd-main-changes:main on 
โ˜๏ธ  (us-east-1)
โฏ

I've updated my (ler) password entry to reference bacula_dir:
ler:<elided>:1001:1001:bacula_dir:0:0:Larry 
Rosenman:/home/ler:/usr/local/bin/zsh


when I ssh in, the stacklimit is still:
โฏ ulimit -H -s
2097152

ler in ๐ŸŒ borg in sys/amd64/conf๐Ÿ”’ on ๎‚  ler/freebsd-main-changes:main on 
โ˜๏ธ  (us-east-1)
โฏ ulimit -S -s
2097152

ler in ๐ŸŒ borg in sys/amd64/conf๐Ÿ”’ on ๎‚  ler/freebsd-main-changes:main on 
โ˜๏ธ  (us-east-1)
โฏ

Where does this number come from?  What am I missing here?


-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640                 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d997dadc5e1b09fa6af0419f6641ed7f>