Jephe Wu - http://linuxtechres.blogspot.com
Objective: understand the concept of ulimit nofile and nproc settings for oracle under ssh environment
Environment: RHEL 5, CentOS 5, Oracle 11g
Concept:
Bash shell can set maximum allowable number of open file descriptors (handles) or the maximum number of processes available to a user.
To see all limits settings for a current user under bash shell, login to CentOS 5, run 'ulimit -a' to check.
1. Setting file descriptors/handles for entire Linux operating system
The maximum number of file handles denotes the maximum number of open files on a Linux system.
to see the setting , run
cat /proc/sys/fs/file-max
to check the current usage: run
cat /proc/sys/fs/file-nr
1154 133 65536
it shows the total allocated file handles, the number of currently unused file handles, the maximum file handles that can be allocated (also found in /proc/sys/fs/file-max).
To configure it:
# echo 65536 > /proc/sys/fs/file-max
or
# sysctl -w fs.file-max=65536
To make it permanent:
echo "fs.file-max=65536" >> /etc/sysctl.conf
2. set Maximum Number of Open File Descriptors for the Oracle User:
There's still per user limit after above file-max. It is not recommend to set hard limit for nofile for the oracle user equal to /proc/sys/fs/file-max, otherwise, once oracle user used up the file handles, the whole system also used up the file handles, so, the system cannot assign any more file handles for login process.
Modify the /etc/security/limits.conf file as root and make it like this: (use 63536 instead of 65536)
oracle soft nofile 63536
oracle hard nofile 63536
In order to make it work, pam_limits should be configured in the /etc/pam.d/
system-auth as follows, or in /etc/pam.d/sshd for ssh, /etc/pam.d/su for su, or /etc/pam.d/
login for local access and telnet
session required pam_limits.so
session required pam_unix.so
Same thing we can use for the number of processes:
oracle soft nproc 16384
oracle hard nproc 16384
3. How many file descriptors are being used in your Linux system
File Descriptors
File descriptors are allocated dynamically by the kernel for performance reasons. usesysctl fs.file-nr
to check all 3 values.
Open Files
lsof | wc -l
8124
This tells you that there are 8124 files by applications on the system. The same file opened by two applications will be counted twice. Normally, this value is bigger than fs.file-max.
lsof lists all open files, including files which are not using file descriptors - such as current working directories, memory mapped library files, and executable text files.
How to check file descriptors and open files for pid 1234:
file descriptor:
ls -l /proc/1234/fd/
open files:
lsof | grep 1234
4. FAQ:
a.
I tried to setup the soft and hard nofile limits for root. But when I
tried to ssh as root user, the limits set do not take into effect. Why?
According to redhat knowledge base you can
specify the nofile ulimit values in /etc/init.d/sshd init script such as ulimit -n 4096
For other similiar issues, you might need to disable
UsePrivilegeSeparation
Why it happens?
some openssh version has problem like below:
Due to the manner in which SSH logins are implemented.
When a user logs in via SSH, the SSH daemon process forks a separate
process to handle that specific connection. As such, the context this
forked process runs in is owned by the user who logged in. Since regular
users are not allowed to modify their ulimit upwards, the higher value
specified in /etc/security/limits.conf fails to take effect.
This is because the calling program, i.e. the forked sshd process,
lacks the permissions to perform the upward modification.