On Mo, 15.10.18 18:00, Kamil Paral (kparal@xxxxxxxxxx) wrote: > On Tue, Oct 9, 2018 at 6:15 PM Lennart Poettering <mzerqung@xxxxxxxxxxx> > wrote: > > > On Di, 09.10.18 14:45, Anderson, Charles R (cra@xxxxxxx) wrote: > > > > > > It would be nice if somebody managed to find where this is patched in > > > > Debian. Because I somewhat doubt that they made this change without a > > > > proper discussion. And Debian is very much server oriented. > > > > > > Can we not have the RPM package drop a file in /etc/security/limits.d > > > to set the limit only when that package is installed? That way it > > > only affects users of that package. > > > > That only affects stuff that goes through PAM (specifically, all PAM > > stacks that include pam_limits.so). > > > > It is my intention to change this system wide, i.e. for system > > services (which do not go through PAM) too. > > > > Lennart, what is the path forward here? Should we pull in some security > experts to give us recommendations on the best default value? Or are those > conversations already happening somewhere else? Also, do you need any more > information regarding the Wine esync use case, or has Zebediah provided > sufficient data? Please follow the current state of this here: https://github.com/systemd/systemd/pull/10244 I have been discussing with some upstream kernel folks, and some more obstacles showed up (specifically, I was advised that we really should bump fs.file-max and fs.nr_open sysctls to their maximums these days, as these limits are not really useful anymore given that fd memory is properly tracked by memcg anyways these days), which I have now covered in the PR above. This is waiting for review, but should enter systemd upstream soon, and will then eventually trickle into Fedora. Lennart -- Lennart Poettering, Red Hat _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
