From fe174622c03105aa48bfe3ac61fd8cecc7aca7bd Mon Sep 17 00:00:00 2001
From: Phil Dibowitz
Date: Mon, 27 Mar 2023 18:16:43 -0700
Subject: [PATCH] sync fb_limits with upstream
Summary:
Test Plan:
---
 cookbooks/fb_limits/attributes/default.rb | 10 ++++++++++
 cookbooks/fb_limits/metadata.rb | 1 -
 cookbooks/fb_limits/recipes/default.rb | 23 +++++++++++++++--------
 3 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/cookbooks/fb_limits/attributes/default.rb b/cookbooks/fb_limits/attributes/default.rb
index 01c98fb..3d40721 100644
--- a/cookbooks/fb_limits/attributes/default.rb
+++ b/cookbooks/fb_limits/attributes/default.rb
@@ -16,6 +16,16 @@
 # limitations under the License.
 #
+# Allow locking 1/1024th of total system memory
+total_system_memory_kbytes = node['memory']['total'].to_i
+memlock_limit_kbytes = total_system_memory_kbytes / 1024
+default['fb_limits']['*'] = {
+ 'memlock' => {
+ 'soft' => memlock_limit_kbytes,
+ 'hard' => memlock_limit_kbytes,
+ },
+}
+
 default['fb_limits']['root'] = {
 'nofile' => {
 'hard' => '65535',
diff --git a/cookbooks/fb_limits/metadata.rb b/cookbooks/fb_limits/metadata.rb
index dcdc160..967527c 100644
--- a/cookbooks/fb_limits/metadata.rb
+++ b/cookbooks/fb_limits/metadata.rb
@@ -5,7 +5,6 @@
 license 'Apache-2.0'
 description 'Installs/Configures /etc/security/limits.conf'
 source_url 'https://github.com/facebook/chef-cookbooks/'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version '0.0.1'
 supports 'centos'
 supports 'debian'
diff --git a/cookbooks/fb_limits/recipes/default.rb b/cookbooks/fb_limits/recipes/default.rb
index 0c59d0c..694cd86 100644
--- a/cookbooks/fb_limits/recipes/default.rb
+++ b/cookbooks/fb_limits/recipes/default.rb
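Review bot: In cookbooks/fb_limits/attributes/default.rb the new `memlock_limit_kbytes` has no lower bound: `node['memory']['total'].to_i` evaluates to 0 when Ohai reports no total (nil or a string that does not start with digits), and the `'*'` entry would then set both soft and hard memlock to 0 for every user. Processes that pin key material or other secrets in RAM would then either fail or fall back to swappable memory. Consider a floor, for example `memlock_limit_kbytes = [total_system_memory_kbytes / 1024, 64].max` (64 KB being the traditional kernel default), together with a comment stating that `.to_i` relies on the Ohai value beginning with the kB figure. The new values are integers while the existing `'root'` entry uses strings such as `'65535'`; whether the template renders both the same way is not visible in this hunk.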
@@ -20,15 +20,22 @@
 template '/etc/security/limits.conf' do
 source 'limits.conf.erb'
- owner 'root'
- group 'root'
+ owner node.root_user
+ group node.root_group
 mode '0644'
 end
-# We want to manage all limits config via /etc/security/limits.conf so
-# clean out limits.d
-directory '/etc/security/limits.d' do
- only_if { Dir.exists?('/etc/security/limits.d') }
- action :delete
- recursive true
+# We want to manage all limits config via /etc/security/limits.conf, so clean
+# out limits.d/*.conf. Instead of deleting the directory, just overwrite the
+# files with a comment indicating they were disabled by Chef. This is important
+# so that upgrading or reinstalling an RPM that ships one such config file will
+# not end up creating the file back again.
+Dir.glob '/etc/security/limits.d/*.conf' do |i|
+ file "overwrite #{i} in /etc/security/limits.d" do
+ path i
+ content "# Disabled by Chef\n"
+ owner node.root_user
+ group node.root_group
+ mode '0644'
+ end
 end
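Review bot: The `Dir.glob '/etc/security/limits.d/*.conf'` loop at the end of this hunk is evaluated while the recipe is compiled, so it only sees files that already exist at that moment. A `limits.d/*.conf` dropped by a package installed later in the same run is not neutralised until the next Chef run, and as far as I know pam_limits applies those entries after limits.conf, so the package's limits win in the meantime. If that window is acceptable, say so in the comment, e.g. `# NOTE: the glob runs at compile time; files created during converge are overwritten on the next run`. The `file` resource also follows a symlinked `*.conf` to its target unless told otherwise, so `manage_symlink_source false` may be worth adding if packages are known to ship symlinks there.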