Niceness level, sshd on system reboot and grubby --args

Hello Team,

Several questions from a new user:

  1. How to set up user niceness permanently?
    usually they set it in /etc/security/limits.conf
    user1 - priority -20
    user2 - priority -20

  2. sshd service upon restart is not automatically started. How to make “systemctl start sshd” permanently executed after system boot? (of course I executed “systemctl enable sshd”)

  3. I want to inject “mitigations=off isolcpus=2-4,7-19” into kernel cmd line params conveniently.
    Do you have something like “grubby --args=“mitigations=off isolcpus=2-4,7-19” …” for this?

Sincerely,
Ilgar

1 Like
  1. nice is a part of coreutils. I cannot find anything in the spec file that changed the default path. So I will give it a try.
  2. man stateless has a section for sshd, right below the section for systemd, which says to enable services to start at boot time, use systemctl enable <unit>. And I don’t understand why it doesn’t start even after you executed systemctl enable sshd.
    Before you manually start it, does systemctl status sshd mention any error?
  3. Clear Linux uses systemd-boot instead of GRUB. You can add permanent boot parameters to /etc/kernel/cmdline.d/FOO.conf. Check this:
3 Likes
  1. Do not need to change the default path. I am saying that other Linux distributions contain a file: /etc/security/limits.conf. In this file on other Linux distributions I can set up default niceness for different users.
    Question is: how to set up default nice value = “-20” for clear-linux users?

  2. ball is on my side, will look further

  3. will give it a try, thank you!


Please advise how to disable the L1TF mitigation (PTE Inversion)? See the screenshot attached. “mitigations=off” did NOT turn it off.

Check “Mitigation control on the kernel command line” of this
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html#mitigation-control-command-line

1 Like

I mean Clear Linux doesn’t seem to change the default sysconfig path of coreutils, I will try modifying /etc/security/limits.conf .

Also stated in ‘man stateless’, Clear Linux does not have any default configurations in /etc, with a few exceptions, so it’s normal that file is not already there. But it doesn’t mean you cannot create one.

1 Like

We don’t do this by default. Instead, we enable sshd.socket. This means that sshd.service is not started until someone actually connects to the system.

If you have installed the openssh-server bundle, then sshd.socket will be enabled by default. There is nothing left to do - SSH will just work.

To verify, inspect systemctl status sshd.socket instead.

Just create the file and it will be used. Note: I haven’t actually tested this, but, if it doesn’t work it’s a bug and I’ll gladly fix that - this should work.

Yes, Bundle “openssh-server” is already installed. After restart it listens on default port (22). In my /etc/ssh/sshd_config I have set up another port.
To fix this I created a drop-in file at /etc/systemd/system/sshd.socket.d/10-sshd-listen-ports.conf and put there

    # /etc/systemd/system/sshd.socket.d/10-sshd-listen-ports.conf
    [Socket]
    ListenStream=
    ListenStream=222

Then I executed

    $ sudo systemctl daemon-reload
    $ sudo systemctl restart sshd.socket

And this helped. Now systemctl status sshd.socket shows sshd.socket listening on a proper/custom port. No more issues here.

2 Likes
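A small script that derives this drop-in from the Port directives in sshd_config, so the socket-activated listener and sshd_config stay in step, added here as an example (not code from the thread); it assumes the standard /etc/ssh/sshd_config and /etc/systemd/system/sshd.socket.d paths:

```shell
#!/bin/sh
# Added example: generate an sshd.socket drop-in from sshd_config's Port lines.
# Assumed paths: /etc/ssh/sshd_config and /etc/systemd/system/sshd.socket.d.

# Print the ports set with "Port" directives in sshd_config (commented
# "#Port 22" lines are ignored); sshd's default of 22 when none is set.
sshd_ports_from_config() {
    cfg="$1"
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$cfg")
    if [ -z "$ports" ]; then
        echo 22
    else
        echo "$ports"
    fi
}

# Render the drop-in. The empty ListenStream= first clears the list inherited
# from the shipped unit (otherwise port 22 stays open next to the custom port).
# Rejects anything that is not a port number in 1..65535.
render_socket_dropin() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    printf '[Socket]\nListenStream=\n'
    for p in "$@"; do
        printf 'ListenStream=%s\n' "$p"
    done
}

# Write the drop-in for a given sshd_config into the drop-in directory and
# print the path written. Usage:
#   install_sshd_socket_dropin /etc/ssh/sshd_config /etc/systemd/system/sshd.socket.d
install_sshd_socket_dropin() {
    cfg="$1"; dir="$2"
    mkdir -p "$dir"
    out="$dir/10-sshd-listen-ports.conf"
    # shellcheck disable=SC2046
    render_socket_dropin $(sshd_ports_from_config "$cfg") > "$out" || return 1
    echo "$out"
}
```

After writing the file, `systemctl daemon-reload` and `systemctl restart sshd.socket` are still needed, as in the post above.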

This one did not work. I created /etc/security/limits.conf, added there two lines as above with proper user names, rebooted.

    nice
    0

Please help.

#3 kernel parameters added! supercool one command. Thank you!

The “l1tf=off” parameter does not work as expected. Please find a screenshot with the correct kernel line param: l1tf=off highlighted, but mitigation is still “on”.

Sorry I forgot to mention that you need to run

    clr-boot-manager update

to update boot entries. I wish this solves your problem.

Kernel parameters are added with no issues. Just the “l1tf=off” parameter does not work as expected. Please see the screenshot above.

have you run ‘clr-boot-manager update’ ?

Yes, of course yes. The screenshot I presented is after I rebooted. To be exactly precise I executed:

    sudo mkdir -p /etc/kernel/cmdline.d && \
    echo "mitigations=off l1tf=off" | sudo tee -a /etc/kernel/cmdline.d/SOMEFILE.conf && \
    sudo clr-boot-manager update && \
    sudo reboot