Limiting
System Resources in Linux
Because
hardware resources are finite it is necessary to limit the system
resources in order to provide equal quality of services to all system
users. Limits can be implemented in CPU/memory usage via pam_limits
or in disk usage via quota.
PAM Limits
The PAM module pam_limits, activated by
default for all users, sets limits on the system resources in a
user/group session. These limits are configured on
/etc/security/limits.conf file :
$ cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#[domain] [type] [item] [value]
#
#Where:
#[domain] can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#[type] can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#[item] can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#[value] All items support the values '-1', 'unlimited' or 'infinity' indicating no limit, except for priority and nice
#[domain] [type] [item] [value]
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
The file content is self explanatory: limits are applied in users/groups or everybody '*' session in 'soft'/'hard' mode to different items like cpu_time, maxlogins, resident memory, etc. with different values.
* As first example configure the maximum number of running processes for user 'john' to 5 :
$ echo "john hard nproc 5" >> /etc/securety/limits.conf
* As user 'john' test the limit :
$ su - john
john-$ for i in `seq 1 15`; do sleep 30 & done
[1] 5352
[2] 5353
[3] 5354
[4] 5355
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
After the limit of 5 running process has reached no more process are allowed be executed by john : 'fork: retry: Resource temporarily unavailable'
* As second example configure a limit of memory address space 'as' of 100000KB :
$ echo "john hard as 100000" >> /etc/securety/limits.conf
* As user 'john' test the limit. Executes a perl script that allocates memory forever :
$ su - john
john-$ cat membomb.pl
#!/usr/bin/perl -w
my %hash=();
my $i=0;
my $string="::";
while (1 == 1) {
$i++;
$string=$string."::".$i;
$hash{$string}=$string;
}
john-$ ./membomb.pl
Out of memory!
The memory limit does not allow membomb.pl to allocate all memory.
$ cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#[domain] [type] [item] [value]
#
#Where:
#[domain] can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#[type] can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#[item] can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#[value] All items support the values '-1', 'unlimited' or 'infinity' indicating no limit, except for priority and nice
#[domain] [type] [item] [value]
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
The file content is self explanatory: limits are applied in users/groups or everybody '*' session in 'soft'/'hard' mode to different items like cpu_time, maxlogins, resident memory, etc. with different values.
* As first example configure the maximum number of running processes for user 'john' to 5 :
$ echo "john hard nproc 5" >> /etc/securety/limits.conf
* As user 'john' test the limit :
$ su - john
john-$ for i in `seq 1 15`; do sleep 30 & done
[1] 5352
[2] 5353
[3] 5354
[4] 5355
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
After the limit of 5 running process has reached no more process are allowed be executed by john : 'fork: retry: Resource temporarily unavailable'
* As second example configure a limit of memory address space 'as' of 100000KB :
$ echo "john hard as 100000" >> /etc/securety/limits.conf
* As user 'john' test the limit. Executes a perl script that allocates memory forever :
$ su - john
john-$ cat membomb.pl
#!/usr/bin/perl -w
my %hash=();
my $i=0;
my $string="::";
while (1 == 1) {
$i++;
$string=$string."::".$i;
$hash{$string}=$string;
}
john-$ ./membomb.pl
Out of memory!
The memory limit does not allow membomb.pl to allocate all memory.
Disk Quotas
Another important resource to be limited is the disk
usage because full disk partitions can bring down the system. Quotas
on disk space can be applied in different filesystems for
users/groups by used inodes (number of files) and/or used disk blocks
(total size).
Quota configuration
* Just before starting to use quota make sure that
quota rpm is installed on the system :
$ rpm -qa | grep quota
quota-3.17-10.el6.i686
* Also make sure that the running Kernel has been compiled with quota support :
$ grep CONFIG_QUOTA /boot/config-`uname -r`
CONFIG_QUOTA=y
...
1.- Configure quota parameters on the filesystem where the quota is going to be applied. For example if quotas are going to be setup on /home partition (/dev/VolGroup01/VolGroup01Home), quotas must be setup on /home when the partition is mounted adding the parameters 'usrquota,grpquota' on mount parameters in /etc/fstab. Then remount the partition to activate quota :
/dev/VolGroup01/VolGroup01Home /home ext4 defaults,usrquota,grpquota 1 2
$ mount -o remount /home
$ mount
...
/dev/mapper/VolGroup01-VolGroup01Home on /home type ext4 (rw,usrquota,grpquota)
2.- Generate the partition quota database :
$ quotacheck -cugm /home
It generates the files /home/aquota.user and /home/aquota.group used to manage the quota status on /home.
3.- Edit the quota for user/group :
$ edquota -u john
Disk quotas for user john (uid 500):
Filesystem blocks soft hard inodes soft hard
/dev/mapper/VolGroup01-VolGroup01Home 12 80000 100000 10 15 20
:wq!
Quotas can be set for the number of files (inodes) and storage capacity used (blocks) for user 'john' on /home partition :
* It has been setup a soft limit of 80000 blocks of 1Kb (=80M) and a hard limit of 100000 blocks (=100M). User 'john' will not be allowed to use more that 100M on /home and he will be warned when more than 80M will be used.
* It has been setup a soft limit of 15 files (inodes) and a hard limit of 20 files (inodes). User 'john' will not be allowed to create more than 20 files on /home and he will be warned when more than 15 files will be used.
4.- Activate quotas :
$ quotaon -aug
This command will be executed automatically by init so at boot time quotas will be applied.
5.- Verify quotas :
$ su - john
john-$ dd if=/dev/zero of=/home/john/file bs=1024 count=1000000
dd: writing `/home/john/file': Disk quota exceeded
99989+0 records in
99988+0 records out
102387712 bytes (102 MB) copied, 3.85976 s, 26.5 MB/s
Only 100M has been written on file /home/john/file : 'Disk quota exceeded'
john-$ for i in `seq 1 30`; do touch $i.txt; done
touch: cannot touch `14.txt': Disk quota exceeded
...
touch: cannot touch `30.txt': Disk quota exceeded
Only 13 files has been allowed to create by user 'john' because of 'john' already own 7 files : 'Disk quota exceeded'
Quotas can be reported using the repquota command :
$ repquota -a
$ rpm -qa | grep quota
quota-3.17-10.el6.i686
* Also make sure that the running Kernel has been compiled with quota support :
$ grep CONFIG_QUOTA /boot/config-`uname -r`
CONFIG_QUOTA=y
...
1.- Configure quota parameters on the filesystem where the quota is going to be applied. For example if quotas are going to be setup on /home partition (/dev/VolGroup01/VolGroup01Home), quotas must be setup on /home when the partition is mounted adding the parameters 'usrquota,grpquota' on mount parameters in /etc/fstab. Then remount the partition to activate quota :
/dev/VolGroup01/VolGroup01Home /home ext4 defaults,usrquota,grpquota 1 2
$ mount -o remount /home
$ mount
...
/dev/mapper/VolGroup01-VolGroup01Home on /home type ext4 (rw,usrquota,grpquota)
2.- Generate the partition quota database :
$ quotacheck -cugm /home
It generates the files /home/aquota.user and /home/aquota.group used to manage the quota status on /home.
3.- Edit the quota for user/group :
$ edquota -u john
Disk quotas for user john (uid 500):
Filesystem blocks soft hard inodes soft hard
/dev/mapper/VolGroup01-VolGroup01Home 12 80000 100000 10 15 20
:wq!
Quotas can be set for the number of files (inodes) and storage capacity used (blocks) for user 'john' on /home partition :
* It has been setup a soft limit of 80000 blocks of 1Kb (=80M) and a hard limit of 100000 blocks (=100M). User 'john' will not be allowed to use more that 100M on /home and he will be warned when more than 80M will be used.
* It has been setup a soft limit of 15 files (inodes) and a hard limit of 20 files (inodes). User 'john' will not be allowed to create more than 20 files on /home and he will be warned when more than 15 files will be used.
4.- Activate quotas :
$ quotaon -aug
This command will be executed automatically by init so at boot time quotas will be applied.
5.- Verify quotas :
$ su - john
john-$ dd if=/dev/zero of=/home/john/file bs=1024 count=1000000
dd: writing `/home/john/file': Disk quota exceeded
99989+0 records in
99988+0 records out
102387712 bytes (102 MB) copied, 3.85976 s, 26.5 MB/s
Only 100M has been written on file /home/john/file : 'Disk quota exceeded'
john-$ for i in `seq 1 30`; do touch $i.txt; done
touch: cannot touch `14.txt': Disk quota exceeded
...
touch: cannot touch `30.txt': Disk quota exceeded
Only 13 files has been allowed to create by user 'john' because of 'john' already own 7 files : 'Disk quota exceeded'
Quotas can be reported using the repquota command :
$ repquota -a
No comments :
Post a Comment