For years, FreeBSD has used a resource limits database controlled through a flat file, /etc/login.conf. While it has been discussed previously and is still supported, it is not the most flexible method of controlling resources. The flat file requires users to be divided into groups known as login classes, and changing a user's limits means editing not only that file but also the password database. To constrain a single user more tightly, an additional class has to be added, the resource database rebuilt with cap_mkdb, and /etc/master.passwd edited to assign the new class to that user. The password database must then be rebuilt with pwd_mkdb. This multi-step process can be very time consuming depending on how many users must be singled out.
A newer command in FreeBSD, rctl(8), allows for a more fine-grained method of controlling resource limits. Its subjects are not limited to users: it can also set resource constraints on individual processes, on jails, and on the original login classes. Administrators can add and remove rules from the command line and have a persistent set of rules applied at system initialization from a configuration file.
To enable this feature, add the kernel options RACCT and RCTL (the lines "options RACCT" and "options RCTL") to GENERIC, or to the custom kernel configuration file, and rebuild the kernel. Only the kernel needs to be rebuilt, not the whole system; see Chapter 9, Configuring the FreeBSD Kernel, for instructions on the process. On later FreeBSD releases both options are already compiled into GENERIC but resource accounting is disabled by default; there it is enough to set kern.racct.enable=1 in /boot/loader.conf and reboot. Once this is complete, rctl may be used to set rules for the system.
Rule syntax is simple, controlled through the use of a subject, a subject-id, a resource, and an action. Take the following example rule:

user:trhodes:maxproc:deny=10/user

This rule shows the basic structure: the subject is user and the subject-id is trhodes. The resource is maxproc, the maximum number of processes. The action is deny, which refuses any allocation that would exceed the limit, in this case the creation of a new process. The trailing /user states what the amount is counted per; if it is omitted, the amount is counted per subject. The user trhodes is therefore constrained to 10 (ten) processes in total, across all login sessions, and no more. Other actions are available: log prints a warning to the console, devctl passes a notification to devd(8), and sigterm (or any other sig* action) sends that signal to the process that tried to exceed the limit.
Some care must be taken while adding rules. The rule above will block the user from doing even the most simple tasks after logging in and starting a screen session, because the login shell, screen and the shells it spawns already account for most of the ten allowed processes. When a resource limit has been hit, an error will be printed, as in this example:

% man test
/usr/bin/man: Cannot fork: Resource temporarily unavailable
eval: Cannot fork: Resource temporarily unavailable

For another example, rctl(8) can be used to prevent a jail from exceeding a memory limit. This rule could be written as:

# rctl -a jail:httpd:memoryuse:deny=2G/jail
Rules may also persist across reboots if they have been added to /etc/rctl.conf. The format is a rule, one per line, without the preceding command. For example, the previous rule could be added like the following:

jail:httpd:memoryuse:deny=2G/jail
To remove a rule, just ask rctl to remove it from the list:

# rctl -r user:trhodes:maxproc:deny=10/user
The manual page shows a method for removing all rules; however, if removing all rules for a single user is required, this command may be issued:

# rctl -r user:trhodes

Before enforcing a limit it is worth checking what is actually in use: rctl with no arguments lists the rules currently in effect, and rctl -u user:trhodes displays the resources that user is currently consuming, which makes it easy to pick a maxproc or memoryuse value that is restrictive without being disruptive.
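The rule grammar described above, subject:subject-id:resource:action=amount/per, is easy to mistype, and a malformed rule in /etc/rctl.conf is only discovered at boot. The following added example is a small POSIX sh helper that assembles rules from their parts, checks each part against the vocabulary documented in rctl(8), and prints the rule in the form used by both rctl -a and /etc/rctl.conf. It is illustrative code written for this page, not part of the Handbook or of rctl; the function names rctl_rule, rctl_filter and rctl_apply and the sample limits are this example's own.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook or from rctl(8) itself:
# helpers that assemble rctl rules from their parts, check them against the
# grammar documented in rctl(8),
#     subject:subject-id:resource:action=amount[/per]
# and print them in the form used by rctl -a and by /etc/rctl.conf. The names
# rctl_rule, rctl_filter and rctl_apply are this example's own.

# Subjects, resources and actions as documented in rctl(8). The "per" part
# takes the same values as subject. Older releases know fewer resources.
RCTL_SUBJECTS="process user loginclass jail"
RCTL_RESOURCES="cputime datasize stacksize coredumpsize memoryuse memorylocked \
maxproc openfiles vmemoryuse pseudoterminals swapuse nthr msgqqueued msgqsize \
nmsgq nsem nsemop nshm shmsize wallclock pcpu readbps writebps readiops writeiops"

# in_list WORD LIST: succeed if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# rctl_rule SUBJECT SUBJECT_ID RESOURCE ACTION AMOUNT [PER]
# Prints a well-formed rule on stdout; on a bad part prints a diagnostic on
# stderr and returns 1 so that nothing malformed reaches rctl or rctl.conf.
rctl_rule() {
    subject=$1 id=$2 resource=$3 action=$4 amount=$5 per=$6
    in_list "$subject" "$RCTL_SUBJECTS" ||
        { echo "rctl_rule: bad subject '$subject'" >&2; return 1; }
    [ -n "$id" ] ||
        { echo "rctl_rule: empty subject-id" >&2; return 1; }
    in_list "$resource" "$RCTL_RESOURCES" ||
        { echo "rctl_rule: unknown resource '$resource'" >&2; return 1; }
    case $action in
        deny|log|devctl|sig*) ;;
        *) echo "rctl_rule: bad action '$action'" >&2; return 1 ;;
    esac
    # amount is an integer with an optional k/m/g/t suffix (2G, 512M, 10).
    num=${amount%[kKmMgGtT]}
    case $num in
        ''|*[!0-9]*) echo "rctl_rule: bad amount '$amount'" >&2; return 1 ;;
    esac
    if [ -n "$per" ]; then
        in_list "$per" "$RCTL_SUBJECTS" ||
            { echo "rctl_rule: bad per '$per'" >&2; return 1; }
        echo "$subject:$id:$resource:$action=$amount/$per"
    else
        # Without /per the amount is counted per subject, which is what
        # rctl(8) does when the suffix is omitted.
        echo "$subject:$id:$resource:$action=$amount"
    fi
}

# rctl_filter SUBJECT [SUBJECT_ID [RESOURCE]]
# A filter prefix such as user:trhodes, as accepted by rctl -r, -l and -u.
rctl_filter() {
    f=$1
    [ -n "$2" ] && f="$f:$2"
    [ -n "$3" ] && f="$f:$3"
    echo "$f"
}

# rctl_apply RULE: add the rule with rctl -a on a host that has rctl(8);
# elsewhere (or when dry-running a script) only show the command.
rctl_apply() {
    if command -v rctl >/dev/null 2>&1; then
        rctl -a "$1"
    else
        echo "would run: rctl -a $1"
    fi
}

# Demo: the two rules from the text, with the process limit raised and a log
# rule below the deny threshold so the console warns before forks start to
# fail. The output lines are exactly what belongs in /etc/rctl.conf.
rctl_rule user trhodes maxproc log 48 user
rctl_rule user trhodes maxproc deny 64 user
rctl_rule jail httpd memoryuse deny 2G jail
```

Pairing a log rule with a slightly lower amount than the deny rule is the practical answer to the "Cannot fork" surprise shown earlier: the console warning arrives while the user can still work, and the hard limit only bites a few processes later. Feeding the printed lines to rctl_apply, or redirecting them into /etc/rctl.conf, keeps the two sources of truth identical.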
Many other resources exist which can be used to exert additional control over various subjects. See rctl(8) to learn about them.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.