<div dir="ltr"><div class="gmail_default" style="font-size:small">This is an important issue. <br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 25, 2015 at 10:54 AM, Harald Dunkel <span dir="ltr"><<a href="mailto:harald.dunkel@aixigo.de" target="_blank">harald.dunkel@aixigo.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/25/2015 02:27 PM, Tamas Papp wrote:<br>
><br>
><br>
> On 11/25/2015 02:07 PM, Harald Dunkel wrote:<br>
>> On 11/25/2015 12:33 PM, Tamas Papp wrote:<br>
>>> Check out /etc/security/limits.d/ too.<br>
>>><br>
>> Very helpful hint, but there is just a file<br>
>> 20-nproc.conf. It's all commented out:<br>
>><br>
>> #* soft nproc 4096<br>
>> #root soft nproc unlimited<br>
>><br>
>><br>
><br>
> Why are you sure that it's something about the limits?<br>
> What do you see actually?<br>
><br>
<br>
</span>Very easy: Using<br>
<br>
#* hard nofile 65536<br>
<br>
in limits.conf I can login as root via ssh. With<br>
<br>
* hard nofile 65536<br>
<br>
ssh logins as root don't work. Sample session:<br>
<br>
# ssh lxc1<br>
Last login: Wed Nov 25 11:00:21 2015 from linux.example.com<br>
Connection to lxc1 closed.<br>
#<br>
<br>
The system log shows<br>
<span class=""><br>
Nov 25 11:08:58 lxc1.example.com sshd[186]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted<br>
Nov 25 11:08:58 lxc1.example.com sshd[186]: pam_unix(sshd:session): session opened for user root by (uid=0)<br>
Nov 25 11:08:58 lxc1.example.com sshd[186]: error: PAM: pam_open_session(): Permission denied<br>
<br>
</span>The documentation for limits.conf states clearly that a wildcard<br>
construct like<br>
<br>
* hard nofile 65536<br>
<br>
does *not* apply to root. IMHO it shouldn't fail.<br>
<br>
<br>
:-{<br>
Harri<br>
</blockquote></div><br></div>