Date: Mon, 31 Mar 2014 18:52:57 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44401 - head/en_US.ISO8859-1/books/handbook/security
Message-ID: <201403311852.s2VIqvtk031768@svn.freebsd.org>
Author: dru
Date: Mon Mar 31 18:52:57 2014
New Revision: 44401
URL: http://svnweb.freebsd.org/changeset/doc/44401

Log:
  Editorial review of Resource Limits.

  rctl(8) does not mention its kernel config options.

  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Mar 31 17:56:12 2014	(r44400)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Mar 31 18:52:57 2014	(r44401)
@@ -3553,95 +3553,99 @@ UWWemqWuz3lAZuORQ9KX <primary>Resource limits</primary> </indexterm> - <para>For years, &os; has used a resource limits database + <para>Traditionally, &os; used a resource limits database controlled through a flat file, - <filename>/etc/login.conf</filename>. While it has been - discussed previously and is still supported, it is not the most - optimal method of controlling resources. The flat file requires - users to be divided into various group labels known as classes, - which require changes not only to this flat file but also the - password database. Potentially a single, more constrained user - would require an additional label to be added, the resource - database rebuilt using <command>cap_mkdb</command>, and edits - made to <filename>/etc/master.passwd</filename>. In addition, - the password database must be rebuilt using - <command>pwd_mkdb</command>. This multi-step process could be - very time consuming depending on how many users must be - singled out.</para> - - <para>A new command in &os;, &man.rctl.8;, allows for a more fine - grained method of controlling resources limits for users. This - command will support much more than users, it will also set + <filename>/etc/login.conf</filename>. While this method + is still supported, any changes require a multi-step process of + editing this file in order to divide users into various group labels known as classes, + rebuilding the resource database using + <command>cap_mkdb</command>, making necessary changes + to <filename>/etc/master.passwd</filename>, and rebuilding + the password database using + <command>pwd_mkdb</command>. This could be + time consuming, depending upon the number of users to + configure.</para> + + <para>Beginning with &os; 9.0-RELEASE, + <command>rctl</command> can be used to provide a more fine-grained + method of controlling resources limits for users. 
This + command supports much more than users as it can be used to set resource constraints on processes, jails, and the original login class. These advanced features provide administrators and users with methods to control resources through the command line and - set rules on system initialization using a configuration + to set rules on system initialization using a configuration file.</para> - <para>To enable this feature, add these lines to - <filename>GENERIC</filename>, or the custom kernel - configuration file, and rebuild.:</para> + <sect2> + <title>Enabling and Configuring Resource Limits</title> + + <para>By default, kernel support for <command>rctl</command> is + not built-in, meaning that the kernel will first need to be + recompiled using the instructions in <xref + linkend="kernelconfig"/>. Add these lines to either + <filename>GENERIC</filename> or a custom kernel + configuration file, then rebuild the kernel:</para> <programlisting>options RACCT options RCTL</programlisting> - <para>The entire system will need rebuilt. See <xref - linkend="kernelconfig"/>, which will provide instructions for - the process. Once this is complete, + <para>Once the system has rebooted into the new kernel, <command>rctl</command> may be used to set rules for the system.</para> - <para>Rule syntax is simple, controlled through the use of - a <emphasis>subject</emphasis>, a - <emphasis>subject-id</emphasis>, <emphasis>resource</emphasis>, - and <emphasis>action</emphasis>. Take the following example + <para>Rule syntax is controlled through the use of + a subject, + subject-id, resource, + and action, as seen in this example rule:</para> - <programlisting>user:trhodes:<literal>maxproc</literal>:<literal>deny</literal>=10/user</programlisting> + <programlisting>user:trhodes:maxproc:deny=10/user</programlisting> - <para>This rule shows a basic premise of a rule, here the subject - is <literal>user</literal> and the subject-id is - <literal>trhodes</literal>. 
The maxproc is, of course, max - number of processes, which is considered the resource. The - action here is set to <literal>deny</literal>, which blocks any - new processes from being created. In the previous example, the - user, <literal>trhodes</literal> will be constrained to - <literal>10</literal> (ten) processes and no greater. Other - actions are available and could be log to the console, pass a - notification to &man.devd.8;, or send a sigterm to the + <para>In this rule, the subject + is <literal>user</literal>, the subject-id is + <literal>trhodes</literal>, the resource, + <literal>maxproc</literal>, is the maximum + number of processes, and the + action is <literal>deny</literal>, which blocks any + new processes from being created. This means that the + user, <literal>trhodes</literal>, will be constrained to no greater than + <literal>10</literal> processes. Other possible + actions include logging to the console, passing a + notification to &man.devd.8;, or sending a sigterm to the process.</para> - <para>Some care must be taken while adding rules. The one above - will unfortunately block my user from doing the most simple - tasks after I have logged in and executed a - <command>screen</command> session. When a resource limit has + <para>Some care must be taken when adding rules. Since this user + is constrained to <literal>10</literal> processes, this example + will prevent the user from performing other + tasks after logging in and executing a + <command>screen</command> session. Once a resource limit has been hit, an error will be printed, as in this example:</para> <screen>&prompt.user; <userinput>man test</userinput> /usr/bin/man: Cannot fork: Resource temporarily unavailable eval: Cannot fork: Resource temporarily unavailable</screen> - <para>For another example, &man.rctl.8; can be used to prevent - a jail from exceeding a memory limit. This rule could be + <para>As another example, + a jail can be prevented from exceeding a memory limit. 
This rule could be written as:</para> <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen> - <para>Rules may also persist across reboots if they have been + <para>Rules will persist across reboots if they have been added to <filename>/etc/rctl.conf</filename>. The format is a rule, without the preceding command. For example, the previous - rule could be added like the following:</para> + rule could be added as:</para> <programlisting># Block jail from using more than 2G memory: jail:httpd:memoryuse:deny=2G/jail</programlisting> - <para>To remove a rule, just ask <command>rctl</command> to + <para>To remove a rule, use <command>rctl</command> to remove it from the list:</para> <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen> - <para>The manual page shows a method for removing all rules; - however, if removing all rules for a single user is required, + <para>A method for removing all rules is documented in &man.rctl.8;. + However, if removing all rules for a single user is required, this command may be issued:</para> <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen> @@ -3649,5 +3653,6 @@ jail:httpd:memoryuse:deny=2G/jail</progr <para>Many other resources exist which can be used to exert additional control over various <literal>subjects</literal>. See &man.rctl.8; to learn about them.</para> + </sect2> </sect1> </chapter>