You want to manage your system's limits configuration
Linux systems provide a number of configuration options that grant control over properties such as "how many processes a user can run", "how much CPU time they can use", and "if it's possible for a user to create core dumps". Using the saz/limits module from the Puppet Forge you can manage these settings via Puppet. First install the module from the Puppet Forge:
# install the limits module
$ sudo /opt/puppetlabs/bin/puppet module install saz-limits
...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/site
saz-limits (v3.0.3)
...
Once that's installed we can begin to manage our limits. First, a warning. By default the limits module will remove all existing configuration from /etc/security/limits.d/. To preserve them, and allow multiple modules to work together nicely, you should set the purge_limits_d_dir property to false.
# without this all existing files in
# /etc/security/limits.d/ will be removed
class { 'limits':
  purge_limits_d_dir => false,
}
There are a few approaches to managing limits in the Puppet DSL. The simplest is the 'title pattern'. This embeds the user and limit type in the resource's title:
# add our simple limit
# * means apply to all users on the system
limits::limits { '*/core':
  both => 0,
}
Once run this will create a configuration file under the limits.d directory.
cat /etc/security/limits.d/default_core.conf
# Managed by Puppet
#<domain> <type> <item> <value>
* - core 0
If you require more in-depth control of the limit you can use the full set of properties, as shown in this example:
limits::limits { 'build_nproc':
  ensure     => present,
  user       => 'build',
  limit_type => 'nproc',
  hard       => 512,
  soft       => 256,
}
cat /etc/security/limits.d/build_nproc.conf
# Managed by Puppet
#<domain> <type> <item> <value>
build hard nproc 512
build soft nproc 256
In this more comprehensive example we're restricting the number of processes the build user can use to a soft limit of 256 (which will generate a warning) and a hard limit (which cannot be exceeded) of 512. To see the possible limit_type values consult your system's limits.conf manpage.
An item worth noting is that this module does not manage the base /etc/security/limits.conf configuration file, only those in the limits.d directory.
man 5 limits.conf
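With purge_limits_d_dir set to false, unmanaged files stay in /etc/security/limits.d/, and a per-user entry in one of them can still override the "* - core 0" default. The audit below is an added example, not part of the original recipe or the saz-limits module; legacy.conf, the user names and the simplified precedence (user entries over *, groups ignored) are assumptions.

```python
import tempfile
from pathlib import Path

def parse_limits(text):
    """Return (domain, type, item, value) tuples from limits.conf-format text."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4:          # skip blanks, comments, malformed lines
            entries.append(tuple(fields))
    return entries

def load_dir(limits_d):
    """Read every *.conf in the directory, in sorted filename order."""
    entries = []
    for path in sorted(Path(limits_d).glob("*.conf")):
        entries.extend(parse_limits(path.read_text()))
    return entries

def effective(entries, user, item):
    """Soft/hard for one user: '*' defaults, then user entries (assumption: no @group)."""
    result = {}
    for wanted in ("*", user):
        for domain, ltype, litem, value in entries:
            if domain == wanted and litem == item:
                # a type of '-' sets both the soft and the hard limit
                for kind in ("soft", "hard") if ltype == "-" else (ltype,):
                    result[kind] = value
    return result

def core_dumps_disabled(entries, user):
    """True only if both soft and hard core limits resolve to 0."""
    eff = effective(entries, user, "core")
    return eff.get("soft") == "0" and eff.get("hard") == "0"

def demo():
    """Constructed sample: two Puppet-managed files plus one unmanaged leftover."""
    files = {
        "default_core.conf": "# Managed by Puppet\n* - core 0\n",
        "build_nproc.conf": "build hard nproc 512\nbuild soft nproc 256\n",
        "legacy.conf": "build - core unlimited  # left in place, not purged\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            Path(tmp, name).write_text(body)
        entries = load_dir(tmp)
    return (core_dumps_disabled(entries, "nobody"),
            core_dumps_disabled(entries, "build"),
            effective(entries, "build", "nproc"))
if __name__ == "__main__": print(demo())
```

On a real host, point load_dir at /etc/security/limits.d and check /etc/security/limits.conf the same way, since the module does not manage that file.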