For years, FreeBSD has used a resource limits database controlled through a flat file, /etc/login.conf. While it has been discussed previously and is still supported, it is not the most optimal method of controlling resources. The flat file requires users to be divided into group labels known as classes, which requires changes not only to this flat file but also to the password database. To constrain a single user more tightly, an additional class label may need to be added, the resource database rebuilt using cap_mkdb, and edits made to the /etc/master.passwd file. In addition, the password database must be rebuilt using pwd_mkdb. This multi-step process can be very time consuming depending on how many users must be singled out.
A new command in FreeBSD, rctl(8), allows for a more fine-grained method of controlling resource limits for users. This command supports much more than users: it can also set resource constraints on processes, jails, and the original login class. These advanced features provide administrators and users with methods to control resources through the command line and to set rules on system initialization using a configuration file.
To enable this feature, add these lines to GENERIC, or the custom kernel configuration file, and rebuild:
The entire system will need to be rebuilt. See Chapter 9, Configuring the FreeBSD Kernel, for instructions on the process. Once this is complete, rctl may be used to set rules for the system.
Rule syntax is simple, controlled through the use of a subject, a subject-id, resource, and action. Take the following example rule:
user:trhodes:maxproc:deny=10/user
This rule shows the basic premise of a rule: here the subject is user and the subject-id is trhodes. The maxproc is, of course, the maximum number of processes, which is the resource. The action here is set to deny, which blocks any new processes from being created. In this example, the user trhodes will be constrained to 10 (ten) processes and no greater.
Other actions are available: log to the console, pass a notification to devd(8), or send SIGTERM to the process.
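Because a mistyped rule is either rejected by rctl or, worse, silently constrains the wrong subject, it helps to check the rule string before it reaches the kernel or /etc/rctl.conf. The following script is an added example, not code from the FreeBSD Handbook or from rctl(8) itself: it splits a rule into the subject, subject-id, resource, action, amount and per parts described above and checks each against keyword lists taken from rctl(8). The keyword lists are a subset (assumption: extend them to match your release), and it reports "default" for the per part when a rule omits it rather than guessing what rctl would apply. It does not execute rctl, so it runs anywhere sh is available.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD Handbook: check an rctl(8) rule string
# offline before handing it to `rctl -a` or writing it to /etc/rctl.conf.
# Rule shape, as described in the text:  subject:subject-id:resource:action=amount[/per]
# The keyword lists come from rctl(8) and are deliberately a subset
# (assumption: extend RCTL_RESOURCES and RCTL_ACTIONS to match your release).

RCTL_SUBJECTS="process user loginclass jail"
RCTL_RESOURCES="cputime datasize stacksize coredumpsize memoryuse memorylocked \
maxproc openfiles vmemoryuse pseudoterminals swapuse nthr msgqqueued msgqsize \
nmsgq nsem nsemop nshm shmsize wallclock"
RCTL_ACTIONS="deny log devctl sighup sigint sigterm sigkill sigusr1 sigusr2"

# in_list WORD "w1 w2 ..." -> status 0 when WORD is one of the words
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# rctl_rule_check RULE
# Prints "subject subject-id resource action amount per" and returns 0 for a
# well-formed rule; otherwise prints a diagnostic on stderr and returns 1.
# "per" is reported as "default" when the rule omits the /per part.
rctl_rule_check() {
    rule=$1
    case $rule in
        *:*:*:*=*) ;;
        *) echo "rule '$rule': expected subject:subject-id:resource:action=amount[/per]" >&2
           return 1 ;;
    esac
    # Peel the three ':'-separated fields off the front; what remains is action=amount[/per].
    subject=${rule%%:*};    rest=${rule#*:}
    subject_id=${rest%%:*}; rest=${rest#*:}
    resource=${rest%%:*};   rest=${rest#*:}
    case $rest in
        *:*) echo "rule '$rule': too many ':' fields" >&2; return 1 ;;
        *=*) ;;
        *)   echo "rule '$rule': action must be followed by =amount" >&2; return 1 ;;
    esac
    action=${rest%%=*}
    amount=${rest#*=}
    case $amount in
        */*) per=${amount#*/}; amount=${amount%%/*} ;;
        *)   per=default ;;
    esac
    in_list "$subject" "$RCTL_SUBJECTS"   || { echo "rule '$rule': unknown subject '$subject'" >&2; return 1; }
    [ -n "$subject_id" ]                  || { echo "rule '$rule': empty subject-id" >&2; return 1; }
    in_list "$resource" "$RCTL_RESOURCES" || { echo "rule '$rule': unknown resource '$resource'" >&2; return 1; }
    in_list "$action" "$RCTL_ACTIONS"     || { echo "rule '$rule': unknown action '$action'" >&2; return 1; }
    # The amount is an integer with an optional size suffix, as in deny=10 or deny=2G.
    num=${amount%[kKmMgGtT]}
    case $num in
        ''|*[!0-9]*) echo "rule '$rule': bad amount '$amount'" >&2; return 1 ;;
    esac
    [ "$per" = default ] || in_list "$per" "$RCTL_SUBJECTS" \
        || { echo "rule '$rule': unknown per '$per'" >&2; return 1; }
    echo "$subject $subject_id $resource $action $amount $per"
}

# Usage: sh rctl-check.sh RULE...   (every rule given on the command line is checked)
for r in "$@"; do
    rctl_rule_check "$r"
done
```

Running it on the rule from the text, `sh rctl-check.sh user:trhodes:maxproc:deny=10/user`, prints `user trhodes maxproc deny 10 user`; a rule such as `group:wheel:maxproc:deny=10` is rejected because group is not an rctl subject.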
Some care must be taken while adding rules. The one above will unfortunately block my user from doing the most simple tasks after I have logged in and started a screen session. When a resource limit has been hit, an error will be printed, as in this example:
% man test
/usr/bin/man: Cannot fork: Resource temporarily unavailable
eval: Cannot fork: Resource temporarily unavailable
For another example, rctl(8) can be used to prevent a jail from exceeding a memory limit. This rule could be written as:
# rctl -a jail:httpd:memoryuse:deny=2G/jail
Rules may also persist across reboots if they have been added to the /etc/rctl.conf file. The format is a rule, without the preceding command. For example, the previous rule could be added like the following:
jail:httpd:memoryuse:deny=2G/jail
To remove a rule, just ask rctl to remove it from the list:
# rctl -r user:trhodes:maxproc:deny=10/user
The manual page shows a method for removing all rules; however, if removing all rules for a single user is required, this command may be issued:
# rctl -r user:trhodes
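A point worth checking when removing rules: rctl -r changes only the running kernel, so a rule that is still listed in /etc/rctl.conf returns at the next boot. The functions below are an added example, not code from the FreeBSD Handbook or from the rctl rc script: they add a rule to a copy of rctl.conf only if it is not already present, remove rules by the same kind of filter that rctl -r accepts (the whole rule, or a prefix such as user:trhodes, which this example matches at a component boundary; that boundary rule is this example's own simplification, not rctl's documented behaviour), count the rules, and print the rctl -a commands that would load the file, without executing rctl. It assumes, following rctl.conf(5), that blank lines and lines beginning with # are comments. Every function takes the file path as its first argument so it can be tried on a scratch file before touching /etc/rctl.conf.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD Handbook: keep /etc/rctl.conf in step
# with the rules added and removed at run time with rctl -a / rctl -r.
# rctl -r only changes the running kernel; a rule still listed in rctl.conf
# comes back at the next boot, so both places need the same change.
# Every function takes the file path as its first argument, so the functions can
# be exercised on a scratch copy; nothing here executes rctl itself.
# Assumption: blank lines and lines starting with '#' are comments, as in rctl.conf(5).

# rctl_conf_rules FILE -> print the rule lines, skipping comments and blank lines
rctl_conf_rules() {
    [ -f "$1" ] || return 0
    awk '!/^[[:space:]]*(#|$)/' "$1"
}

# rctl_conf_count FILE -> number of rules in FILE (0 for a missing or empty file)
rctl_conf_count() {
    rctl_conf_rules "$1" | awk 'END { print NR }'
}

# rctl_conf_add FILE RULE -> append RULE unless an identical rule is already present
rctl_conf_add() {
    if rctl_conf_rules "$1" | grep -qxF -- "$2"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# rctl_conf_remove FILE FILTER -> drop every rule the filter selects, mirroring
# `rctl -r FILTER` for live rules: the rule must equal FILTER or continue it at a
# component boundary (':', '=' or '/'), so "user:trhodes" removes all of that
# user's rules but leaves "user:trhodes2:..." alone. Comments are kept as they are.
rctl_conf_remove() {
    tmp="$1.tmp.$$"
    awk -v p="$2" '
        BEGIN { n = length(p) }
        substr($0, 1, n) == p && (length($0) == n || substr($0, n + 1, 1) ~ "[:=/]") { next }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# rctl_conf_apply_cmds FILE -> print the rctl -a command for each rule (a dry run
# of what the rc script does at boot); pipe the output into sh to load them for real.
rctl_conf_apply_cmds() {
    rctl_conf_rules "$1" | awk '{ print "rctl -a " $0 }'
}
```

To mirror the removal shown above, run rctl -r user:trhodes for the live rules and rctl_conf_remove /etc/rctl.conf user:trhodes for the file; rctl_conf_apply_cmds then shows exactly what will be loaded at the next boot.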
Many other resources exist which can be used to exert additional control over various subjects. See rctl(8) to learn about them.
This, and other documents, can be downloaded from http://ftp.FreeBSD.org/pub/FreeBSD/doc/
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.