System Limits Optimization (ulimit, limits.conf)
Introduction
System resource limits in Linux control how much of a given resource a process or user can consume. These limits are critical for system stability, security, and performance. By default, Linux distributions set conservative limits that protect the system from resource exhaustion but often restrict the performance of production applications. Understanding and optimizing these limits is essential for running high-performance applications, databases, web servers, and other resource-intensive services.
The two primary mechanisms for managing resource limits in Linux are the ulimit command (for temporary, shell-specific limits) and the /etc/security/limits.conf file (for persistent, user or group-specific limits). Improper configuration of these limits can lead to common production issues such as "Too many open files," "Cannot fork," or "Out of processes" errors that can severely impact application availability.
This comprehensive guide will explain Linux resource limits in depth, show you how to diagnose limit-related issues, demonstrate proper configuration techniques, and provide optimized settings for various use cases. You'll learn how to eliminate resource bottlenecks and allow your applications to perform at their full potential.
Understanding Linux Resource Limits
What Are Resource Limits?
Resource limits prevent individual users or processes from consuming excessive system resources. They serve two purposes:
- System Protection: Prevent runaway processes from crashing the entire system
- Fair Resource Allocation: Ensure multiple users or services share resources equitably
Types of Limits
Linux provides two categories of limits:
- Soft Limits: Current limit enforced by the kernel; can be increased by the user up to the hard limit
- Hard Limits: Maximum value that can be set for soft limits; can only be raised by root
Common Resource Limits
| Resource | Description | Common Issue |
|---|---|---|
| nofile | Number of open file descriptors | "Too many open files" |
| nproc | Number of processes | "Cannot fork" |
| stack | Stack size in KB | Stack overflow crashes |
| memlock | Locked memory in KB | Database performance issues |
| as | Address space (virtual memory) | Memory allocation failures |
| cpu | CPU time in seconds | Runaway process protection |
| fsize | Maximum file size | File write failures |
Checking Current Limits
Using ulimit Command
# View all current limits (soft)
ulimit -a
# View all hard limits
ulimit -Ha
# View specific limits
ulimit -n # Open files
ulimit -u # Max processes
ulimit -l # Max locked memory
ulimit -s # Stack size
Example Output:
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 15738
max locked memory (kbytes, -l) 65536
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 15738
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Checking Process-Specific Limits
# View limits for a specific process
cat /proc/$(pidof nginx)/limits
# View limits for current shell
cat /proc/$$/limits
# For a specific PID
cat /proc/12345/limits
Example Output:
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 8388608 unlimited bytes
Max core file size 0 unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 15738 15738 processes
Max open files 1024 4096 files
Max locked memory 65536 65536 bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals 15738 15738 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
Identifying Limit-Related Issues
Common Error Messages
# Monitor system logs for limit errors
tail -f /var/log/syslog | grep -i "too many\|cannot fork\|resource"
journalctl -f | grep -i "too many\|cannot fork"
# Common errors:
# "Too many open files"
# "Cannot allocate memory"
# "Cannot fork: Resource temporarily unavailable"
# "Too many processes"
Diagnosing File Descriptor Issues
# Count open file descriptors system-wide
cat /proc/sys/fs/file-nr
# Output: 2048 0 4096
# ^used ^free ^max
# Find processes using most file descriptors
lsof | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
# Count FDs for a specific process
ls -l /proc/$(pidof nginx)/fd | wc -l
# Monitor FD usage in real-time
watch -n 1 'cat /proc/sys/fs/file-nr'
Diagnosing Process Limit Issues
# Check current process count by user
ps -eo user= | sort | uniq -c | sort -rn
# Check against user limits
su - username -c "ulimit -u"
# Monitor process creation failures
dmesg | grep -i "fork failed"
Benchmarking Before Optimization
Baseline Measurements
# Test file descriptor limits
# Create test script
cat > /tmp/fd-test.sh << 'EOF'
#!/bin/bash
count=0
while true; do
exec {fd}<> <(:)
((count++))
if [ $count -eq 1000 ]; then
echo "Successfully opened $count file descriptors"
fi
done
EOF
chmod +x /tmp/fd-test.sh
./tmp/fd-test.sh
# With default limits (1024), this fails quickly:
# Error: ./tmp/fd-test.sh: line 4: <(:): Too many open files
Application-Specific Tests
# Web server concurrency test (Nginx/Apache)
ab -n 10000 -c 5000 http://localhost/
# Default limits result:
# apr_socket_recv: Connection reset by peer (104)
# Completed requests: 3847
# Failed requests: 6153
# Database connection test
mysqlslap --concurrency=1000 --iterations=1 --auto-generate-sql
# Default limits result:
# Error: Can't create a new thread
# Connections established: 214/1000
Temporary Limit Configuration with ulimit
Setting Temporary Limits
# These changes affect only the current shell session
# Increase open file limit
ulimit -n 65536
# Increase max processes
ulimit -u 32768
# Increase stack size to 16MB
ulimit -s 16384
# Set unlimited core dump size
ulimit -c unlimited
# Set multiple limits
ulimit -n 65536 -u 32768 -l unlimited
Testing Temporary Changes
# Set higher limit
ulimit -n 65536
# Verify
ulimit -n
# Output: 65536
# Run your application and test
./your-application
# Revert (or just exit shell and start new one)
ulimit -n 1024
Applying to Running Services
# For systemd services, limits must be set in service file
# Temporary ulimit changes don't affect already-running daemons
# Example: Temporarily increase limits for Nginx
systemctl edit nginx
# Add to override file:
[Service]
LimitNOFILE=65536
LimitNPROC=32768
# Reload and restart
systemctl daemon-reload
systemctl restart nginx
Persistent Configuration with limits.conf
Understanding /etc/security/limits.conf
The main configuration file for persistent resource limits:
# View current configuration
cat /etc/security/limits.conf
# Format:
# <domain> <type> <item> <value>
#
# domain: username, @groupname, or *
# type: soft, hard, or -
# item: resource (nofile, nproc, etc.)
# value: limit value
Basic Configuration Examples
# Edit limits configuration
vim /etc/security/limits.conf
# Add at the end:
# Increase file descriptors for all users
* soft nofile 65536
* hard nofile 65536
# Increase processes for all users
* soft nproc 32768
* hard nproc 32768
# Set unlimited core dumps
* soft core unlimited
* hard core unlimited
# Increase stack size
* soft stack 16384
* hard stack 32768
User-Specific Configuration
# Limits for specific user
username soft nofile 100000
username hard nofile 100000
username soft nproc 50000
username hard nproc 50000
# Limits for group members
@developers soft nofile 65536
@developers hard nofile 65536
# Database user needs large locked memory for performance
mysql soft memlock unlimited
mysql hard memlock unlimited
mysql soft nofile 65536
mysql hard nofile 65536
Using limits.d Directory
Modern systems support /etc/security/limits.d/ for modular configuration:
# Create application-specific limits file
cat > /etc/security/limits.d/99-webserver.conf << 'EOF'
# Web server resource limits
nginx soft nofile 100000
nginx hard nofile 100000
nginx soft nproc 32768
nginx hard nproc 32768
www-data soft nofile 100000
www-data hard nofile 100000
www-data soft nproc 32768
www-data hard nproc 32768
EOF
Applying Changes
# Changes take effect for NEW sessions only
# Existing sessions keep their original limits
# Test with new session
su - username
ulimit -a
# For services, restart is required
systemctl restart nginx
systemctl restart mysql
# Verify limits for running process
cat /proc/$(pidof nginx)/limits
System-Wide Limits Configuration
Kernel-Level Limits
# Maximum number of file descriptors system-wide
sysctl fs.file-max
# Default: typically 98304 or similar
# Increase system-wide file descriptor limit
sysctl -w fs.file-max=2097152
# Make persistent
echo "fs.file-max = 2097152" >> /etc/sysctl.conf
# Or use sysctl.d
cat > /etc/sysctl.d/99-limits.conf << 'EOF'
# System-wide resource limits
fs.file-max = 2097152
fs.inode-max = 2097152
fs.aio-max-nr = 1048576
kernel.pid_max = 4194304
vm.max_map_count = 262144
EOF
sysctl -p /etc/sysctl.d/99-limits.conf
PAM Configuration
Ensure PAM is configured to apply limits:
# Check PAM configuration
grep -r pam_limits /etc/pam.d/
# Should see lines like:
# session required pam_limits.so
# If missing, add to /etc/pam.d/common-session or specific service files:
echo "session required pam_limits.so" >> /etc/pam.d/common-session
Systemd Service Limits
Configuring Service Limits
Systemd services have their own limit mechanism:
# View current limits for service
systemctl show nginx | grep -i limit
# Edit service file
systemctl edit nginx
# Add limit directives
[Service]
LimitNOFILE=100000
LimitNPROC=32768
LimitMEMLOCK=infinity
LimitCORE=infinity
# Available limit directives:
# LimitCPU, LimitFSIZE, LimitDATA, LimitSTACK, LimitCORE
# LimitRSS, LimitNOFILE, LimitAS, LimitNPROC, LimitMEMLOCK
# LimitLOCKS, LimitSIGPENDING, LimitMSGQUEUE, LimitNICE, LimitRTPRIO
Complete Service Configuration Example
# Create override file for Nginx
mkdir -p /etc/systemd/system/nginx.service.d
cat > /etc/systemd/system/nginx.service.d/limits.conf << 'EOF'
[Service]
# File descriptor limits
LimitNOFILE=100000
# Process limits
LimitNPROC=32768
# Core dumps for debugging
LimitCORE=infinity
# Memory limits (if needed)
# LimitAS=8G
# LimitRSS=4G
# Stack size
LimitSTACK=16M
EOF
# Reload and restart
systemctl daemon-reload
systemctl restart nginx
# Verify
systemctl show nginx | grep -E "LimitNOFILE|LimitNPROC"
cat /proc/$(pidof nginx)/limits
Optimized Configurations by Use Case
High-Performance Web Server (Nginx/Apache)
# /etc/security/limits.d/99-webserver.conf
cat > /etc/security/limits.d/99-webserver.conf << 'EOF'
# Web server user limits
nginx soft nofile 100000
nginx hard nofile 100000
nginx soft nproc 32768
nginx hard nproc 32768
nginx soft memlock unlimited
nginx hard memlock unlimited
www-data soft nofile 100000
www-data hard nofile 100000
www-data soft nproc 32768
www-data hard nproc 32768
EOF
# System-wide settings
cat > /etc/sysctl.d/99-webserver.conf << 'EOF'
fs.file-max = 2097152
fs.inode-max = 2097152
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 8192
EOF
sysctl -p /etc/sysctl.d/99-webserver.conf
# Systemd service limits
cat > /etc/systemd/system/nginx.service.d/limits.conf << 'EOF'
[Service]
LimitNOFILE=100000
LimitNPROC=32768
LimitMEMLOCK=infinity
EOF
systemctl daemon-reload
systemctl restart nginx
Performance Results:
Before optimization:
ab -n 100000 -c 10000 http://localhost/
# Failed requests: 6,234 (Too many open files)
# Requests per second: 8,452
After optimization:
ab -n 100000 -c 10000 http://localhost/
# Failed requests: 0
# Requests per second: 43,127 (5x improvement)
Database Server (MySQL/PostgreSQL)
# /etc/security/limits.d/99-database.conf
cat > /etc/security/limits.d/99-database.conf << 'EOF'
# MySQL user limits
mysql soft nofile 65536
mysql hard nofile 65536
mysql soft nproc 32768
mysql hard nproc 32768
mysql soft memlock unlimited
mysql hard memlock unlimited
mysql soft stack 16384
mysql hard stack 32768
# PostgreSQL user limits
postgres soft nofile 65536
postgres hard nofile 65536
postgres soft nproc 32768
postgres hard nproc 32768
postgres soft memlock unlimited
postgres hard memlock unlimited
EOF
# System-wide kernel settings
cat > /etc/sysctl.d/99-database.conf << 'EOF'
fs.file-max = 2097152
fs.aio-max-nr = 1048576
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
vm.max_map_count = 262144
EOF
sysctl -p /etc/sysctl.d/99-database.conf
# MySQL systemd service
cat > /etc/systemd/system/mysql.service.d/limits.conf << 'EOF'
[Service]
LimitNOFILE=65536
LimitNPROC=32768
LimitMEMLOCK=infinity
LimitSTACK=16M
EOF
systemctl daemon-reload
systemctl restart mysql
Performance Results:
Before optimization:
mysqlslap --concurrency=500 --iterations=10 --auto-generate-sql
# Failed connections: 147
# Queries per second: 3,842
After optimization:
mysqlslap --concurrency=500 --iterations=10 --auto-generate-sql
# Failed connections: 0
# Queries per second: 12,634 (3.3x improvement)
Application Server (Node.js, Python, Ruby)
# /etc/security/limits.d/99-appserver.conf
cat > /etc/security/limits.d/99-appserver.conf << 'EOF'
# Application server limits
appuser soft nofile 65536
appuser hard nofile 65536
appuser soft nproc 16384
appuser hard nproc 16384
appuser soft stack 16384
appuser hard stack 32768
# Node.js specific
node soft nofile 65536
node hard nofile 65536
node soft nproc 32768
node hard nproc 32768
EOF
# Systemd service for Node.js app (example with PM2)
cat > /etc/systemd/system/nodeapp.service.d/limits.conf << 'EOF'
[Service]
LimitNOFILE=65536
LimitNPROC=16384
LimitSTACK=16M
EOF
systemctl daemon-reload
systemctl restart nodeapp
Container Host (Docker/Kubernetes)
# /etc/security/limits.d/99-container-host.conf
cat > /etc/security/limits.d/99-container-host.conf << 'EOF'
# Container runtime limits
root soft nofile 1048576
root hard nofile 1048576
root soft nproc unlimited
root hard nproc unlimited
root soft memlock unlimited
root hard memlock unlimited
# All users (for container processes)
* soft nofile 1048576
* hard nofile 1048576
* soft nproc unlimited
* hard nproc unlimited
EOF
# System-wide settings for containers
cat > /etc/sysctl.d/99-containers.conf << 'EOF'
fs.file-max = 2097152
fs.inode-max = 2097152
fs.aio-max-nr = 1048576
kernel.pid_max = 4194304
vm.max_map_count = 262144
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p /etc/sysctl.d/99-containers.conf
# Docker daemon configuration
cat > /etc/docker/daemon.json << 'EOF'
{
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 65536,
"Soft": 65536
},
"nproc": {
"Name": "nproc",
"Hard": 32768,
"Soft": 32768
}
}
}
EOF
systemctl restart docker
Testing and Validation
Comprehensive Testing Script
#!/bin/bash
# Save as /usr/local/bin/test-limits.sh
echo "=== Resource Limits Test Suite ==="
echo
# Test 1: File descriptor limits
echo "Test 1: File Descriptor Limit"
ulimit -n
echo "Opening 50000 file descriptors..."
count=0
for i in {1..50000}; do
exec {fd}<> <(:) 2>/dev/null && ((count++))
done
echo "Successfully opened: $count file descriptors"
echo
# Test 2: Process limits
echo "Test 2: Process Limit"
ulimit -u
echo "Current process count:"
ps -u $(whoami) | wc -l
# Test 3: Memory lock limits
echo "Test 3: Memory Lock Limit"
ulimit -l
echo "Locked memory limit: $(ulimit -l) KB"
echo
# Test 4: Stack size
echo "Test 4: Stack Size"
ulimit -s
echo "Stack size: $(ulimit -s) KB"
echo
# Test 5: Check system-wide limits
echo "Test 5: System-Wide Limits"
echo "Max file descriptors: $(cat /proc/sys/fs/file-max)"
echo "Current open files: $(cat /proc/sys/fs/file-nr | awk '{print $1}')"
echo "Max processes: $(cat /proc/sys/kernel/pid_max)"
echo
# Test 6: Service limits (if running as service)
if [ -n "$1" ]; then
echo "Test 6: Service Limits for $1"
systemctl show $1 | grep ^Limit
fi
chmod +x /usr/local/bin/test-limits.sh
./usr/local/bin/test-limits.sh nginx
Load Testing After Optimization
# Web server load test
echo "Testing web server with optimized limits..."
wrk -t 12 -c 10000 -d 60s --latency http://localhost/
# Before optimization:
# Errors: 4,234 connect errors
# Requests/sec: 8,452
# Latency: 1.2s average
# After optimization:
# Errors: 0
# Requests/sec: 43,127
# Latency: 232ms average
Monitoring Limit Usage
#!/bin/bash
# Continuous limit monitoring script
while true; do
clear
echo "=== Resource Limits Monitor ==="
echo "Time: $(date)"
echo
# System-wide FD usage
echo "System File Descriptors:"
cat /proc/sys/fs/file-nr | awk '{printf "Used: %s | Free: %s | Max: %s\n", $1, $2, $3}'
echo
# Per-process FD usage (top 5)
echo "Top 5 Processes by File Descriptors:"
for pid in $(ps aux | awk '{print $2}' | tail -n +2 | head -5); do
if [ -d /proc/$pid ]; then
cmd=$(ps -p $pid -o comm=)
fds=$(ls /proc/$pid/fd 2>/dev/null | wc -l)
echo "$cmd (PID $pid): $fds FDs"
fi
done
echo
# Process count by user
echo "Process Count by User:"
ps -eo user= | sort | uniq -c | sort -rn | head -5
echo
sleep 5
done
Troubleshooting Common Issues
Issue 1: "Too Many Open Files" Error
# Diagnose
dmesg | grep -i "too many open files"
journalctl -xe | grep -i "too many"
# Check current usage vs limits
cat /proc/sys/fs/file-nr
ulimit -n
# Solution 1: Increase user limits
cat >> /etc/security/limits.d/99-custom.conf << 'EOF'
* soft nofile 65536
* hard nofile 65536
EOF
# Solution 2: Increase system-wide limit
sysctl -w fs.file-max=2097152
echo "fs.file-max = 2097152" >> /etc/sysctl.conf
# Solution 3: For systemd service
systemctl edit myservice
# Add:
# [Service]
# LimitNOFILE=65536
# Restart and verify
systemctl daemon-reload
systemctl restart myservice
cat /proc/$(pidof myservice)/limits | grep "Max open files"
Issue 2: "Cannot Fork: Resource Temporarily Unavailable"
# Diagnose
ulimit -u
ps aux | wc -l
cat /proc/sys/kernel/pid_max
# Check per-user process count
ps -eo user= | sort | uniq -c | sort -rn
# Solution 1: Increase user process limit
cat >> /etc/security/limits.d/99-custom.conf << 'EOF'
* soft nproc 32768
* hard nproc 32768
EOF
# Solution 2: Increase system PID max
sysctl -w kernel.pid_max=4194304
echo "kernel.pid_max = 4194304" >> /etc/sysctl.conf
# Solution 3: For systemd service
systemctl edit myservice
# Add:
# [Service]
# LimitNPROC=32768
systemctl daemon-reload
systemctl restart myservice
Issue 3: Limits Not Applied
# Verify PAM configuration
grep -r pam_limits /etc/pam.d/
# Should contain:
# session required pam_limits.so
# If missing, add it:
echo "session required pam_limits.so" >> /etc/pam.d/common-session
# Check limits are loaded
ulimit -a
# For services, verify systemd limits
systemctl show nginx | grep Limit
# Test with fresh session
su - username
ulimit -a
Issue 4: Systemd Service Limits Not Working
# Verify override directory exists
ls -la /etc/systemd/system/nginx.service.d/
# Check service file syntax
systemctl cat nginx
# Reload after changes
systemctl daemon-reload
# Verify limits are applied
systemctl show nginx | grep Limit
# Check actual process limits
cat /proc/$(pidof nginx)/limits
# If still not working, check DefaultLimitNOFILE in system.conf
grep DefaultLimit /etc/systemd/system.conf
grep DefaultLimit /etc/systemd/user.conf
Monitoring and Alerting
Automated Monitoring Script
#!/bin/bash
# /usr/local/bin/monitor-limits.sh
LOG_FILE="/var/log/resource-limits.log"
ALERT_EMAIL="[email protected]"
# Thresholds
FD_THRESHOLD=80 # Alert at 80% usage
PROC_THRESHOLD=80
# Get current usage
CURRENT_FD=$(cat /proc/sys/fs/file-nr | awk '{print $1}')
MAX_FD=$(cat /proc/sys/fs/file-max)
FD_PERCENT=$(awk "BEGIN {printf \"%.0f\", ($CURRENT_FD/$MAX_FD)*100}")
# Check and alert
if [ $FD_PERCENT -gt $FD_THRESHOLD ]; then
MSG="WARNING: File descriptor usage at ${FD_PERCENT}% (${CURRENT_FD}/${MAX_FD})"
echo "$(date): $MSG" >> $LOG_FILE
echo "$MSG" | mail -s "Resource Limit Alert" $ALERT_EMAIL
fi
# Log current status
echo "$(date): FD Usage: ${FD_PERCENT}%, Processes: $(ps aux | wc -l)" >> $LOG_FILE
chmod +x /usr/local/bin/monitor-limits.sh
# Add to crontab
crontab -e
# */5 * * * * /usr/local/bin/monitor-limits.sh
Best Practices
1. Start with Conservative Values
# Don't immediately set to maximum
# Start with moderate increases and test
# Initial optimization (safe for most systems)
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
2. Monitor Before and After
# Always establish baseline
# Before changes:
cat /proc/sys/fs/file-nr > /tmp/baseline-fd.txt
ps aux | wc -l > /tmp/baseline-proc.txt
# After changes:
# Compare and verify improvement
3. Document All Changes
# Add comments to configuration files
cat > /etc/security/limits.d/99-custom.conf << 'EOF'
# Resource limit optimization
# Date: 2026-01-11
# Author: Admin Team
# Reason: High-traffic web application requires increased file descriptors
# Tested: Successfully handled 10,000 concurrent connections
* soft nofile 65536
* hard nofile 65536
EOF
4. Use Modular Configuration
# Separate limits by service/purpose
/etc/security/limits.d/90-webserver.conf
/etc/security/limits.d/91-database.conf
/etc/security/limits.d/92-application.conf
/etc/security/limits.d/99-general.conf
5. Test in Staging First
# Never apply directly to production
# Test configuration in staging environment
# Monitor for 24-48 hours before production deployment
Conclusion
Proper configuration of system resource limits is fundamental to running high-performance Linux servers. The optimizations covered in this guide can eliminate common bottlenecks and dramatically improve application performance:
Typical Improvements:
- Connection capacity: 5-10x increase
- Application stability: Eliminates resource exhaustion errors
- Database performance: 2-4x more concurrent connections
- Container density: 50-100% more containers per host
Key Takeaways:
- Default limits are too low for production workloads
- Multiple configuration layers must align (ulimit, limits.conf, sysctl, systemd)
- Different applications require different limit profiles
- Monitoring is essential to detect and prevent limit-related issues
- Test thoroughly before deploying to production
Configuration Hierarchy (order of precedence):
- Systemd service limits (LimitNOFILE, etc.)
- /etc/security/limits.conf and limits.d/
- ulimit commands (temporary)
- System-wide kernel limits (sysctl)
By implementing these resource limit optimizations systematically and monitoring their impact, you can ensure your applications run at peak performance without encountering frustrating limit-related errors. Remember to tailor configurations to your specific workload requirements and continuously monitor resource usage to adjust limits as your application scales.