Hi,
Since systemd v246 RLIMIT_MEMLOCK, on a clean installation, is set to
1/8th of memory (before that, since v240 it was set to 64MB, instead
of the previous 64KB) for anything going through pam_limits. That's too
high.
The reason for that is that https://salsa.debian.org/vorlon/pam/-/blob/master/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root#L66
causes rlimits to be copied from the pid 1 whenever pam_limits is used,
and /etc/security/limits.{conf,d} doesn't specify it. The one exception to that is
RLIMIT_NOFILE that's clamped to FD_SETSIZE via
https://salsa.debian.org/vorlon/pam/-/blob/master/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
The systemd changes leading to this are
https://github.com/systemd/systemd/commit/04d1ee0f7ec7a280136ddf5f3f34d6282a50846d
https://github.com/systemd/systemd/commit/c8884aceefc85245b9bdfb626e2daf27521259bd
Clearly this is very related to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917374 but the
consequences are different enough (particularly because the clamping
makes the NOFILE issue fairly harmless).
Regards,
Andres Freund
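
Added example, not part of the original message: a shell check for the inheritance described above. It compares the soft "Max locked memory" value in a session's /proc/<pid>/limits with PID 1's and reports it as a percentage of MemTotal; the function names and the script name memlock.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): compare a session's
# RLIMIT_MEMLOCK with PID 1's value and with total RAM.

# Print the soft "Max locked memory" value from a /proc/<pid>/limits file.
memlock_soft() {
    awk '/^Max locked memory/ { print $4 }' "$1"
}

# Print MemTotal from a /proc/meminfo file, converted from kB to bytes.
memtotal_bytes() {
    awk '/^MemTotal:/ { printf "%.0f\n", $2 * 1024 }' "$1"
}

# memlock_check SESSION_LIMITS PID1_LIMITS MEMINFO
# Prints "<origin> <soft-limit> <percent-of-RAM>". origin is "same-as-pid1"
# when the session value equals PID 1's, which is what the message describes
# when limits.conf / limits.d do not set memlock, and "differs" otherwise.
memlock_check() {
    sess=$(memlock_soft "$1")
    init=$(memlock_soft "$2")
    total=$(memtotal_bytes "$3")
    if [ -z "$sess" ] || [ -z "$init" ] || [ -z "$total" ] || [ "$total" -eq 0 ]; then
        echo "error: could not parse inputs" >&2
        return 2
    fi
    if [ "$sess" = "$init" ]; then origin=same-as-pid1; else origin=differs; fi
    if [ "$sess" = unlimited ]; then
        pct=unlimited          # no numeric ratio for an unlimited rlimit
    else
        pct=$(( $sess * 100 / $total ))
    fi
    echo "$origin $sess $pct"
}

# Live use, from inside the session to inspect (memlock.sh is a
# hypothetical name for this file):
#   sh memlock.sh /proc/self/limits /proc/1/limits /proc/meminfo
if [ "$#" -eq 3 ]; then memlock_check "$@"; fi
```

A result such as "same-as-pid1 2147483648 12" on a 16 GiB machine means the session carries PID 1's value, about 1/8th of RAM; an explicit memlock entry in /etc/security/limits.conf or limits.d should change the first field to "differs".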