Chapter 11. Setting Shell Limits for the Oracle User
Most shells like Bash provide control over various resources like the maximum allowable number of open file descriptors or the maximum number of processes available to a user.
To see all shell limits, run:
ulimit -a
For more information on ulimit for the Bash shell, see man bash and search for ulimit.
Note
On some Linux systems, setting "hard" and "soft" limits in the following examples might not work properly when you log in as user oracle via SSH. It might work if you log in as root and su to oracle. If you have this problem, try to set UsePrivilegeSeparation to "no" in /etc/ssh/sshd_config and restart the SSH daemon by executing service sshd restart. The privilege separation does not work properly with PAM on some Linux systems. Make sure to talk to the people in charge of security before disabling the SSH security feature "Privilege Separation".
11.1. Limiting Maximum Number of Open File Descriptors for the Oracle User
After /proc/sys/fs/file-max has been changed (see Chapter 9, Setting File Handles), there is still a per-user limit on the maximum number of open file descriptors:
$ su - oracle
$ ulimit -n
1024
$
To change this limit, edit the /etc/security/limits.conf file as root and make the following changes or add the following lines, respectively:
oracle soft nofile 4096
oracle hard nofile 63536
The "soft limit" in the first line defines the number of file handles or open files that the Oracle user will have after they log in. If the Oracle user gets error messages about running out of file handles, then the Oracle user can increase the number of file handles like in this example up to 63536 ("hard limit") by executing the following command:
ulimit -n 63536
You can set the "soft" and "hard" limits higher if necessary.
Note
It is not recommended to set the "hard" limit for nofile for the oracle user equal to /proc/sys/fs/file-max. If you do that and the user uses up all the file handles, then the entire system will run out of file handles. This may prevent users from logging in, as the system cannot open any PAM modules that are required for the login process. That is why the hard limit should be set to 63536 and not 65536.
For these limits to work, you also need to ensure that pam_limits is configured in the /etc/pam.d/system-auth file, or in /etc/pam.d/sshd for ssh, /etc/pam.d/su for su, or /etc/pam.d/login for local access and telnet, and disable telnet for all login methods. Here are examples of the two session entries in the /etc/pam.d/system-auth file:
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Log in to the oracle user account, since the changes will become effective for new login sessions only. Note that the ulimit options are different for other shells.
$ su - oracle
$ ulimit -n
4096
$
The default limit for oracle is now 4096 and the oracle user can increase the number of file handles up to 63536:
$ su - oracle
$ ulimit -n
4096
$ ulimit -n 63536
$ ulimit -n
63536
$
To make this change permanent, you could add "ulimit -n 63536" (for bash) to the ~oracle/.bash_profile file, which is the user startup file for the bash shell on Red Hat Enterprise Linux (to verify your shell, execute echo $SHELL). To do this, you could simply copy and paste the following commands for oracle's bash shell:
su - oracle
cat >> ~oracle/.bash_profile << EOF
ulimit -n 63536
EOF
To make the above changes permanent, you could also set the soft limit equal to the hard limit in /etc/security/limits.conf:
oracle soft nofile 63536
oracle hard nofile 63536
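The following script is an added example, not part of the original chapter. It reads the oracle user's nofile values from a limits.conf file, checks that the hard limit stays below file-max as the note in this section advises, and confirms that a PAM file has an active pam_limits session entry. The function names, the temporary file copies and the file-max value of 65536 are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original chapter): audit the nofile settings.
# File paths are arguments so the checks can run against copies of the files.
# Only the single file given is read; /etc/security/limits.d/ is not consulted.

# Print the user's nofile value for TYPE (soft|hard); "-" entries set both.
# Assumption: when several lines match, the last one is taken.
nofile_limit() {            # usage: nofile_limit LIMITS_FILE USER TYPE
  awk -v u="$2" -v t="$3" '
    $1 == u && ($2 == t || $2 == "-") && $3 == "nofile" { v = $4 }
    END { if (v == "") exit 1; print v }' "$1"
}

# Succeed only if the hard nofile limit is a number strictly below file-max,
# so that one account cannot use up every file handle on the system.
hard_below_file_max() {     # usage: hard_below_file_max LIMITS_FILE USER FILE_MAX
  hard=$(nofile_limit "$1" "$2" hard) || return 2    # no hard limit configured
  case $hard in ''|*[!0-9]*) return 1 ;; esac        # e.g. "unlimited"
  [ "$hard" -lt "$3" ]
}

# Succeed if the PAM file has an active (uncommented) session line for pam_limits.
pam_limits_enabled() {      # usage: pam_limits_enabled PAM_FILE
  grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_limits\.so' "$1"
}

# Demo on constructed copies of the files shown in this chapter.
demo() {
  d=$(mktemp -d)
  printf 'oracle soft nofile 4096\noracle hard nofile 63536\n' > "$d/limits.conf"
  printf '%s\n' 'session required /lib/security/$ISA/pam_limits.so' > "$d/system-auth"
  file_max=65536            # constructed; on a live system: cat /proc/sys/fs/file-max
  echo "soft=$(nofile_limit "$d/limits.conf" oracle soft)"
  echo "hard=$(nofile_limit "$d/limits.conf" oracle hard)"
  if hard_below_file_max "$d/limits.conf" oracle "$file_max"; then
    echo "OK: hard limit is below file-max ($file_max)"
  else
    echo "WARN: hard limit missing, non-numeric, or not below file-max"
  fi
  if pam_limits_enabled "$d/system-auth"; then
    echo "OK: pam_limits session entry present"
  else
    echo "WARN: no active pam_limits session entry; limits.conf is not applied"
  fi
  rm -rf "$d"
}
demo
```

To audit a live system, pass /etc/security/limits.conf, the relevant /etc/pam.d file and the value read from /proc/sys/fs/file-max instead of the constructed copies.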