Editorial review of Resource Limits.

rctl(8) does not mention its kernel config options.

Sponsored by:	iXsystems
Dru Lavigne 2014-03-31 18:52:57 +00:00
parent 37b66f2f5e
commit bf598f94a3
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44401

@ -3553,95 +3553,99 @@ UWWemqWuz3lAZuORQ9KX
<primary>Resource limits</primary>
</indexterm>
<para>For years, &os; has used a resource limits database
<para>Traditionally, &os; used a resource limits database
controlled through a flat file,
<filename>/etc/login.conf</filename>. While it has been
discussed previously and is still supported, it is not the most
optimal method of controlling resources. The flat file requires
users to be divided into various group labels known as classes,
which require changes not only to this flat file but also the
password database. Potentially a single, more constrained user
would require an additional label to be added, the resource
database rebuilt using <command>cap_mkdb</command>, and edits
made to <filename>/etc/master.passwd</filename>. In addition,
the password database must be rebuilt using
<command>pwd_mkdb</command>. This multi-step process could be
very time consuming depending on how many users must be
singled out.</para>
<filename>/etc/login.conf</filename>. While this method
is still supported, any changes require a multi-step process of
editing this file in order to divide users into various group labels known as classes,
rebuilding the resource database using
<command>cap_mkdb</command>, making necessary changes
to <filename>/etc/master.passwd</filename>, and rebuilding
the password database using
<command>pwd_mkdb</command>. This could be
time consuming, depending upon the number of users to
configure.</para>
<para>A new command in &os;, &man.rctl.8;, allows for a more fine
grained method of controlling resources limits for users. This
command will support much more than users, it will also set
<para>Beginning with &os;&nbsp;9.0-RELEASE,
<command>rctl</command> can be used to provide a more fine-grained
method of controlling resources limits for users. This
command supports much more than users as it can be used to set
resource constraints on processes, jails, and the original login
class. These advanced features provide administrators and users
with methods to control resources through the command line and
set rules on system initialization using a configuration
to set rules on system initialization using a configuration
file.</para>
<para>To enable this feature, add these lines to
<filename>GENERIC</filename>, or the custom kernel
configuration file, and rebuild.:</para>
<sect2>
<title>Enabling and Configuring Resource Limits</title>
<para>By default, kernel support for <command>rctl</command> is
not built-in, meaning that the kernel will first need to be
recompiled using the instructions in <xref
linkend="kernelconfig"/>. Add these lines to either
<filename>GENERIC</filename> or a custom kernel
configuration file, then rebuild the kernel:</para>
<programlisting>options RACCT
options RCTL</programlisting>
<para>The entire system will need rebuilt. See <xref
linkend="kernelconfig"/>, which will provide instructions for
the process. Once this is complete,
<para>Once the system has rebooted into the new kernel,
<command>rctl</command> may be used to set rules for the
system.</para>
<para>Rule syntax is simple, controlled through the use of
a <emphasis>subject</emphasis>, a
<emphasis>subject-id</emphasis>, <emphasis>resource</emphasis>,
and <emphasis>action</emphasis>. Take the following example
<para>Rule syntax is controlled through the use of
a subject,
subject-id, resource,
and action, as seen in this example
rule:</para>
<programlisting>user:trhodes:<literal>maxproc</literal>:<literal>deny</literal>=10/user</programlisting>
<programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
<para>This rule shows a basic premise of a rule, here the subject
is <literal>user</literal> and the subject-id is
<literal>trhodes</literal>. The maxproc is, of course, max
number of processes, which is considered the resource. The
action here is set to <literal>deny</literal>, which blocks any
new processes from being created. In the previous example, the
user, <literal>trhodes</literal> will be constrained to
<literal>10</literal> (ten) processes and no greater. Other
actions are available and could be log to the console, pass a
notification to &man.devd.8;, or send a sigterm to the
<para>In this rule, the subject
is <literal>user</literal>, the subject-id is
<literal>trhodes</literal>, the resource,
<literal>maxproc</literal>, is the maximum
number of processes, and the
action is <literal>deny</literal>, which blocks any
new processes from being created. This means that the
user, <literal>trhodes</literal>, will be constrained to no greater than
<literal>10</literal> processes. Other possible
actions include logging to the console, passing a
notification to &man.devd.8;, or sending a sigterm to the
process.</para>
<para>Some care must be taken while adding rules. The one above
will unfortunately block my user from doing the most simple
tasks after I have logged in and executed a
<command>screen</command> session. When a resource limit has
<para>Some care must be taken when adding rules. Since this user
is constrained to <literal>10</literal> processes, this example
will prevent the user from performing other
tasks after logging in and executing a
<command>screen</command> session. Once a resource limit has
been hit, an error will be printed, as in this example:</para>
<screen>&prompt.user; <userinput>man test</userinput>
/usr/bin/man: Cannot fork: Resource temporarily unavailable
eval: Cannot fork: Resource temporarily unavailable</screen>
<para>For another example, &man.rctl.8; can be used to prevent
a jail from exceeding a memory limit. This rule could be
<para>As another example,
a jail can be prevented from exceeding a memory limit. This rule could be
written as:</para>
<screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
<para>Rules may also persist across reboots if they have been
<para>Rules will persist across reboots if they have been
added to <filename>/etc/rctl.conf</filename>. The format is a
rule, without the preceding command. For example, the previous
rule could be added like the following:</para>
rule could be added as:</para>
<programlisting># Block jail from using more than 2G memory:
jail:httpd:memoryuse:deny=2G/jail</programlisting>
<para>To remove a rule, just ask <command>rctl</command> to
<para>To remove a rule, use <command>rctl</command> to
remove it from the list:</para>
<screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
<para>The manual page shows a method for removing all rules;
however, if removing all rules for a single user is required,
<para>A method for removing all rules is documented in &man.rctl.8;.
However, if removing all rules for a single user is required,
this command may be issued:</para>
<screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
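Review bot: In the reworded introduction, "controlling resources limits for users" carries over the typo from the old paragraph and should read "resource limits". The same paragraph replaces &man.rctl.8; with a plain <command>rctl</command>, so the first mention of the tool no longer points at the manual page, and the new <sect2> is opened without an id attribute, so it cannot be the target of an xref. Further down, "sending a sigterm to the process" should name the signal as SIGTERM, and "not built-in" in the new kernel paragraph should be "not built in". Since the new text tells the reader to reboot into a kernel with RACCT and RCTL and then says rules in /etc/rctl.conf "will persist across reboots", consider adding a sentence on how to confirm after boot that the rules are loaded.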
@ -3649,5 +3653,6 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting>
<para>Many other resources exist which can be used to exert
additional control over various <literal>subjects</literal>.
See &man.rctl.8; to learn about them.</para>
</sect2>
</sect1>
</chapter>
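Review bot: The closing paragraph kept as context here still marks up "subjects" as <literal>, while the reworded rule-syntax paragraph in the previous hunk uses plain text for subject, subject-id, resource, and action. Pick one convention for these terms across the section. The added </sect2> also places this paragraph under the title "Enabling and Configuring Resource Limits", so check that the title still describes everything the section now contains, including rule removal.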