su: cannot set user id: Resource temporarily unavailable, a look at what changed between CentOS 6 and CentOS 7


An alert came in that SSH login was failing. Logging in as root worked normally, and at first glance OS resource usage showed nothing unusual.

It was then confirmed that only non-root logins were blocked: switching with su - xx reported that the resource was unavailable. This pointed to the ulimit settings, and looking at the processes owned by the affected user showed a large number of java processes.

Checking the relevant settings in limits.conf eventually showed that there is a small difference between Linux 6 and Linux 7.


1. First, the defaults on CentOS 6:

[root@gezi security]# su - zabbix
[zabbix@gezi ~]$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 117315
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65534
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 1024
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
[zabbix@gezi ~]$ ulimit -Su
1024
[zabbix@gezi ~]$ ulimit -Hu
65534
[zabbix@gezi ~]$ 




On CentOS 6 there is a file:

/etc/security/limits.d/90-nproc.conf

Settings in this file have a lower priority than those in /etc/security/limits.conf.
If /etc/security/limits.conf does not set nproc, the value from /etc/security/limits.d/90-nproc.conf is used.

Here the nproc value in 90-nproc.conf is 1024, and limits.conf does not explicitly set this item for non-root users, so the value shown above is 1024.



As a test, change it to 4099:

[root@gezi limits.d]# vi 90-nproc.conf 
*          soft    nproc     4099

[root@gezi limits.d]# su - zabbix
[zabbix@gezi ~]$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 117315
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65534
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 4099
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
[zabbix@gezi ~]$ ulimit -Hu
65534
[zabbix@gezi ~]$ ulimit -Su
4099
[zabbix@gezi ~]$ 

As we set it, the value shown is 4099.


Now set limits.conf:
[root@gezi security]# vi limits.conf 
zabbix  soft nproc 3099

A distinct value, 3099, is used so the source of the result is unambiguous.

[root@gezi security]# su - zabbix
[zabbix@gezi ~]$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 117315
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65534
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 3099
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
[zabbix@gezi ~]$ ulimit -Hu
65534
[zabbix@gezi ~]$ ulimit -Su
3099
[zabbix@gezi ~]$ 

This time the 3099 we set is used; even though 90-nproc.conf still says 4099, that value does not take effect.



Now the change on CentOS 7:

Looking at limits.conf, it contains some comments that the CentOS 6 file does not have:

#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.

##Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.


Note the "Also note" paragraph above: when the domain is the same or more specific, configuration files in the /etc/security/limits.d directory override the settings in this file (/etc/security/limits.conf).

I won't demonstrate the CentOS 7 case; those interested can test it themselves. The file name has also changed, to 20-nproc.conf.
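Since the CentOS 7 case is not demonstrated above, the following added example (not from the original post) models the precedence rule quoted from the CentOS 7 limits.conf header and resolves the soft nproc a given user would end up with. The file contents are constructed, the names parse_limits, specificity and effective_limit are chosen here, and only the "*" wildcard and plain user names are modelled (no @group or uid ranges).

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample files (not from a real host). The wildcard line in
# limits.conf is the kind of setting the post found not taking effect.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/security/limits.conf": (
        "zabbix  soft  nproc  3099\n"
        "*       soft  nproc  2048\n"
    ),
    "/etc/security/limits.d/20-nproc.conf": (
        "# Default limit for number of user's processes\n"
        "*     soft  nproc  4096\n"
        "root  soft  nproc  unlimited\n"
    ),
}


def parse_limits(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (domain, type, item, value) rows, skipping comments/blank lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            rows.append((fields[0], fields[1], fields[2], fields[3]))
    return rows


def specificity(domain: str, user: str) -> int:
    """0 = row does not apply to user, 1 = '*' wildcard match, 2 = exact user."""
    return 2 if domain == user else 1 if domain == "*" else 0


def effective_limit(files: Dict[str, str], user: str,
                    item: str = "nproc", ltype: str = "soft") -> Optional[str]:
    """Value the CentOS 7 rule would give `user` for item/type (model only).

    limits.conf is read first, then limits.d/*.conf alphabetically; a later
    row wins only if its domain is the same as or more specific than the
    domain of the current winner.
    """
    main = [p for p in files if "/limits.d/" not in p]
    dropins = sorted(p for p in files if "/limits.d/" in p)
    best_spec, value = 0, None
    for path in main + dropins:
        for domain, typ, itm, val in parse_limits(files[path]):
            if itm != item or typ not in (ltype, "-"):
                continue
            spec = specificity(domain, user)
            if spec and spec >= best_spec:  # same-or-more-specific overrides
                best_spec, value = spec, val
    return value
```

With these files, zabbix keeps the user-specific 3099 from limits.conf, while a user covered only by wildcards gets 4096 from 20-nproc.conf rather than the 2048 set in limits.conf.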

This is the difference between CentOS 6 and CentOS 7, and it applies equally to derivative distributions such as Oracle Linux.

So we found that the value set for non-root users did not take effect, which caused the error described in this post.

Keep this in mind when installing and configuring Oracle as well.

--鸽子--