Configuring Process and File Descriptor Limits on Linux
System resource boundaries are primarily managed through /etc/security/limits.conf. This file allows administrators to define thresholds that prevent resource starvation or support high-concurrency services.
Configuration Structure
# Global resource boundaries
* soft nofile 1048576
* hard nofile 1048576
* soft nproc 65535
* hard nproc 131072
* soft memlock -1
* hard memlock -1
The nofile directive controls the maximum count of open file descriptors per session. The nproc parameter caps the number of simultaneous processes or threads a user may spawn. Memory locking constraints are handled by memlock, which determines the upper boundary for RAM pages pinned by the kernel, a common requirement for database systems and real-time applications.
Soft vs Hard Boundaries
Constraints operate on two enforcement levels:
soft: The active operational threshold. Exceeding this generates kernel warnings, but the process continues until it attempts to exceed the hard limit. Users can adjust soft limits dynamically up to the hard ceiling.
hard: The absolute maximum enforced by the kernel. Any operation attempting to breach this boundary fails immediately with resource exhaustion errors. The soft value must always be equal to or less than the hard value.
Precedence Rules
Individual files placed inside /etc/security/limits.d/ override matching entries in the base limits.conf configuration. Placing custom parameters in the .d directory prevents configuration conflicts during OS updates and package management operations.
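A drop-in that changes only one side of a soft/hard pair can leave the merged result with a soft value above the hard one. The sketch below is an added example, not part of the original page: it merges limits.conf with a drop-in in read order and reports such pairs. The drop-in name 90-app.conf and its contents are constructed, and matching is simplified to entries with the identical domain, item and type.

```python
UNLIMITED = {"-1", "unlimited", "infinity"}  # spellings pam_limits accepts for "no limit"

def parse_value(raw):
    return float("inf") if raw in UNLIMITED else int(raw)

def effective_limits(sources):
    """Merge (filename, text) pairs supplied in read order: limits.conf first,
    then the limits.d files sorted by name. A later entry replaces an earlier
    one with the same domain, item and type (simplified: exact domain match only)."""
    merged = {}
    for name, text in sources:
        for lineno, line in enumerate(text.splitlines(), 1):
            fields = line.split("#", 1)[0].split()
            if not fields:
                continue  # blank line or comment
            if len(fields) != 4 or fields[1] not in ("soft", "hard", "-"):
                raise ValueError(f"{name}:{lineno}: malformed entry: {line!r}")
            domain, kind, item, raw = fields
            # A type of "-" sets the soft and the hard value together.
            for k in (("soft", "hard") if kind == "-" else (kind,)):
                merged[(domain, item, k)] = (parse_value(raw), f"{name}:{lineno}")
    return merged

def soft_above_hard(merged):
    """Return sorted (domain, item) pairs whose merged soft value exceeds the hard value."""
    bad = []
    for (domain, item, kind), (soft, _src) in merged.items():
        hard = merged.get((domain, item, "hard"))
        if kind == "soft" and hard is not None and soft > hard[0]:
            bad.append((domain, item))
    return sorted(bad)

# Constructed sample input: the entries from the page, plus a hypothetical
# drop-in that lowers only the hard nproc ceiling.
SOURCES = [
    ("/etc/security/limits.conf", """\
# Global resource boundaries
* soft nofile 1048576
* hard nofile 1048576
* soft nproc 65535
* hard nproc 131072
* soft memlock -1
* hard memlock -1
"""),
    ("/etc/security/limits.d/90-app.conf", "* hard nproc 32768\n"),
]

if __name__ == "__main__":
    merged = effective_limits(SOURCES)
    for domain, item in soft_above_hard(merged):
        soft, hard = merged[(domain, item, "soft")], merged[(domain, item, "hard")]
        print(f"{domain} {item}: soft {soft[0]} ({soft[1]}) > hard {hard[0]} ({hard[1]})")
```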
Activation and Verification
Modified limits apply automatically to new login sessions and interactive shells. Existing processes retain their original constraints until they are restarted. A full system reboot is only required if critical background daemons cannot be safely restarted to inherit the new parameters.
Validation is performed using the built-in ulimit command. Querying specific limits reduces output noise:
$ ulimit -Sa | grep -E 'open files|user processes|max locked'
open files (-n) 1048576
max user processes (-u) 65535
max locked memory (-l) unlimited
$ ulimit -Ha | grep -E 'open files|user processes|max locked'
open files (-n) 1048576
max user processes (-u) 131072
max locked memory (-l) unlimited
PAM Integration Requirements
The limits framework relies on the Pluggable Authentication Modules architecture to parse configuration files during session initialization. Modern Linux distributions automatically load pam_limits.so via default authentication profiles. Manually appending session required pam_limits.so to /etc/pam.d/login or /etc/pam.d/sshd is unnecessary on distributions such as CentOS 7, RHEL, and their derivatives, where the PAM stack integrates limit processing natively.