From owner-svn-doc-projects@FreeBSD.ORG Fri May 17 17:27:34 2013 Return-Path: Delivered-To: svn-doc-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 12BD729C; Fri, 17 May 2013 17:27:34 +0000 (UTC) (envelope-from trhodes@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 0595FCDB; Fri, 17 May 2013 17:27:34 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r4HHRXuB043191; Fri, 17 May 2013 17:27:33 GMT (envelope-from trhodes@svn.freebsd.org) Received: (from trhodes@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r4HHRXB7043190; Fri, 17 May 2013 17:27:33 GMT (envelope-from trhodes@svn.freebsd.org) Message-Id: <201305171727.r4HHRXB7043190@svn.freebsd.org> 
From: Tom Rhodes Date: Fri, 17 May 2013 17:27:33 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41641 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for doc projects trees List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 May 2013 17:27:34 -0000 Author: trhodes Date: Fri May 17 17:27:33 2013 New Revision: 41641 URL: http://svnweb.freebsd.org/changeset/doc/41641 Log: Add a section on rctl(8). Requested by: someone (bcr? dru?) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 17 17:26:20 2013 (r41640) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 17 17:27:33 2013 (r41641) @@ -89,6 +89,11 @@ What Process Accounting is and how to enable it on &os;. + + + Understand the resource limits database and + how to utilize it to control user resources. + Before reading this chapter, you should: 
@@ -3691,4 +3696,119 @@ VII. References + + + + + + Tom + Rhodes + Contributed by + + + + + Resource Limits + + + Resource limits + + + For years, &os; has used a resource limits + database controlled through a flat file, + /etc/login.conf. While it has + been discussed previously and is still supported, it + is not the most optimal method of controlling resources. + The flat file requires users to be divided into various + group labels known as classes, which require changes not + only to this flat file but also the password database. + Potentially a single, more constrained user would require + an additional label added, the resource database needs to be + built using cap_mkdb, edits made to + the /etc/master.passwd file. In + addition, the password database must be rebuilt using + pwd_mkdb. This multi-step process could be + very time consuming depending on how many users must be + singled out. + + A new command in &os;, &man.rctl.8;, allows for a more + fine grained method of controlling resources limits for + users. This command will support much more than users, + it will also set resource constraints on processes, jails, + and the original login class. These advanced features + provide administrators and users with methods to control + resources through the command line and set rules on + system initialization using a configuration + file. + + To enable this feature, add these lines to + GENERIC, or the custom kernel + configuration file, and rebuild.: + + options RACCT +options RCTL + + The entire system will need rebuilt. See , which will provide instructions for + the process. Once this is complete, the rctl + may be used to set rules for the system. + + Rule syntax is simple, controlled through the use of + a subject, a subject-id, + resource, and action. + Take the following example rule: + + user:trhodes:maxproc:deny=10/user + + This rule shows a basic premise of a rule, here the + subject is user and the subject-id + is trhodes. 
The maxproc is, of course, + max number of processes, which is considered the action. + The action here is set to deny, which blocks + any new processes from being created. In the previous example, + the user, trhodes will be constrained + to 10 (ten) processes and no greater. + Other actions are available and could be log to the console, + pass a notification to &man.devd.8;, or + send a sigterm to the process. + + Some care must be taken while adding rules. The one above + will unfortunately block my user from doing the most simple tasks + after I have logged in and executed a screen + session. When a resource limit has been hit, an error will + be printed, as in this example: + + &prompt.user; man test + /usr/bin/man: Cannot fork: Resource temporarily unavailable +eval: Cannot fork: Resource temporarily unavailable + + For another example, &man.rctl.8; can be used to prevent + a jail from exceeding a memory limit. This rule could be + written as: + + &prompt.root; rctl -a jail:httpd:memoryuse:deny=2G/jail + + Rules may also persist across reboots if they have been + added to /etc/rctl.conf file. The + format is a rule, without the preceding command. For example, + the previous rule could be added like the following: + + # Block jail from using more than 2G memory: +jail:httpd:memoryuse:deny=2G/jail + + To remove a rule, just ask rctl to + remove it from the list: + + &prompt.root; rctl -r user:trhodes:maxproc:deny=10/user + + The manual page shows a method for removing all rules; + however, if removing all rules for a single user is required, + this command may be issued: + + &prompt.root; rctl -r user:trhodes + + Many other resources exist which can be used to excert + additional control over various subjects. + See &man.rctl.8; to learn about them. +
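Review bot: The new list item in the @@ -89,6 +89,11 @@ hunk does not follow the phrasing of the entries around it: the existing item reads "What Process Accounting is and how to enable it on &os;." (a noun phrase completing the chapter's "you will know" list), while the added one opens with the imperative "Understand the resource limits database and". Suggest "What the resource limits database is and how to use it to control user resources." ("use" rather than "utilize"), and since the section this points to is mostly about &man.rctl.8; rather than login.conf, naming rctl here would make the summary match the section.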
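Review bot: The rule walkthrough in the @@ -3691,4 +3696,119 @@ hunk mislabels the fields of user:trhodes:maxproc:deny=10/user: "The maxproc is, of course, max number of processes, which is considered the action." and then "The action here is set to deny" call two different fields the action. In rctl syntax maxproc is the resource, deny is the action, 10 is the amount and the trailing /user is the per-subject clause, so the sentence should map the four fields named just before (subject, subject-id, resource, action) one-to-one onto the example. Elsewhere in the same hunk: "The entire system will need rebuilt." overstates the work, because RACCT and RCTL are kernel options and only the kernel needs to be rebuilt and installed (the xref before ", which will provide instructions" is also empty in this diff, so check its target); "configuration file, and rebuild.:" has a stray period before the colon; "it is not the most optimal method" should be "not the best method"; the first-person "block my user from doing the most simple tasks after I have logged in" should be recast in the handbook's impersonal voice; "excert" should be "exert". The /etc/rctl.conf paragraph would also benefit from naming the rc script that loads the file at boot, so the reader sees why rules added only with rctl -a do not survive a reboot.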