From owner-svn-doc-all@FreeBSD.ORG Mon Mar 31 18:52:57 2014
Message-Id: <201403311852.s2VIqvtk031768@svn.freebsd.org>
From: Dru Lavigne
Date: Mon, 31 Mar 2014 18:52:57 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44401 - head/en_US.ISO8859-1/books/handbook/security

Author: dru
Date: Mon Mar 31 18:52:57 2014
New Revision: 44401
URL: http://svnweb.freebsd.org/changeset/doc/44401

Log:
  Editorial review of Resource Limits.

  rctl(8) does not mention its kernel config options.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Mar 31 17:56:12 2014	(r44400)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Mar 31 18:52:57 2014	(r44401)
@@ -3553,95 +3553,99 @@ UWWemqWuz3lAZuORQ9KX Resource limits - For years, &os; has used a resource limits database + Traditionally, &os; used a resource limits database controlled through a flat file, - /etc/login.conf. While it has been - discussed previously and is still supported, it is not the most - optimal method of controlling resources. The flat file requires - users to be divided into various group labels known as classes, - which require changes not only to this flat file but also the - password database. Potentially a single, more constrained user - would require an additional label to be added, the resource - database rebuilt using cap_mkdb, and edits - made to /etc/master.passwd. In addition, - the password database must be rebuilt using - pwd_mkdb. This multi-step process could be - very time consuming depending on how many users must be - singled out. - - A new command in &os;, &man.rctl.8;, allows for a more fine - grained method of controlling resources limits for users. This - command will support much more than users, it will also set + /etc/login.conf. While this method + is still supported, any changes require a multi-step process of + editing this file in order to divide users into various group labels known as classes, + rebuilding the resource database using + cap_mkdb, making necessary changes + to /etc/master.passwd, and rebuilding + the password database using + pwd_mkdb. This could be + time consuming, depending upon the number of users to + configure. + + Beginning with &os; 9.0-RELEASE, + rctl can be used to provide a more fine-grained + method of controlling resources limits for users. This + command supports much more than users as it can be used to set resource constraints on processes, jails, and the original login class. 
These advanced features provide administrators and users with methods to control resources through the command line and - set rules on system initialization using a configuration + to set rules on system initialization using a configuration file. - To enable this feature, add these lines to - GENERIC, or the custom kernel - configuration file, and rebuild.: + + Enabling and Configuring Resource Limits + + By default, kernel support for rctl is + not built-in, meaning that the kernel will first need to be + recompiled using the instructions in . Add these lines to either + GENERIC or a custom kernel + configuration file, then rebuild the kernel: options RACCT options RCTL - The entire system will need rebuilt. See , which will provide instructions for - the process. Once this is complete, + Once the system has rebooted into the new kernel, rctl may be used to set rules for the system. - Rule syntax is simple, controlled through the use of - a subject, a - subject-id, resource, - and action. Take the following example + Rule syntax is controlled through the use of + a subject, + subject-id, resource, + and action, as seen in this example rule: - user:trhodes:maxproc:deny=10/user + user:trhodes:maxproc:deny=10/user - This rule shows a basic premise of a rule, here the subject - is user and the subject-id is - trhodes. The maxproc is, of course, max - number of processes, which is considered the resource. The - action here is set to deny, which blocks any - new processes from being created. In the previous example, the - user, trhodes will be constrained to - 10 (ten) processes and no greater. Other - actions are available and could be log to the console, pass a - notification to &man.devd.8;, or send a sigterm to the + In this rule, the subject + is user, the subject-id is + trhodes, the resource, + maxproc, is the maximum + number of processes, and the + action is deny, which blocks any + new processes from being created. 
This means that the + user, trhodes, will be constrained to no greater than + 10 processes. Other possible + actions include logging to the console, passing a + notification to &man.devd.8;, or sending a sigterm to the process. - Some care must be taken while adding rules. The one above - will unfortunately block my user from doing the most simple - tasks after I have logged in and executed a - screen session. When a resource limit has + Some care must be taken when adding rules. Since this user + is constrained to 10 processes, this example + will prevent the user from performing other + tasks after logging in and executing a + screen session. Once a resource limit has been hit, an error will be printed, as in this example: &prompt.user; man test /usr/bin/man: Cannot fork: Resource temporarily unavailable eval: Cannot fork: Resource temporarily unavailable - For another example, &man.rctl.8; can be used to prevent - a jail from exceeding a memory limit. This rule could be + As another example, + a jail can be prevented from exceeding a memory limit. This rule could be written as: &prompt.root; rctl -a jail:httpd:memoryuse:deny=2G/jail - Rules may also persist across reboots if they have been + Rules will persist across reboots if they have been added to /etc/rctl.conf. The format is a rule, without the preceding command. For example, the previous - rule could be added like the following: + rule could be added as: # Block jail from using more than 2G memory: jail:httpd:memoryuse:deny=2G/jail - To remove a rule, just ask rctl to + To remove a rule, use rctl to remove it from the list: &prompt.root; rctl -r user:trhodes:maxproc:deny=10/user - The manual page shows a method for removing all rules; - however, if removing all rules for a single user is required, + A method for removing all rules is documented in &man.rctl.8;. + However, if removing all rules for a single user is required, this command may be issued: &prompt.root; rctl -r user:trhodes 
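Review bot: the rewritten sentence "Beginning with &os; 9.0-RELEASE, rctl can be used to provide a more fine-grained method" drops the &man.rctl.8; entity that the replaced text ("A new command in &os;, &man.rctl.8;, allows") used on first mention; since the log message itself sends readers to rctl(8) for what the man page omits, the first mention should keep the manual link, and the later references in this hunk still use &man.rctl.8;, so only this one is inconsistent. The same added line also carries over "controlling resources limits for users" from the old text, where "resource limits" is intended. Minor: "sending a sigterm to the process" would read better as "SIGTERM".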
@@ -3649,5 +3653,6 @@ jail:httpd:memoryuse:deny=2G/jailMany other resources exist which can be used to exert additional control over various subjects. See &man.rctl.8; to learn about them. +
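Review bot: the single added line at the end of this hunk shows as empty after extraction, so it cannot be confirmed here that it is the matching end tag for the new "Enabling and Configuring Resource Limits" subsection opened in the first hunk; confirm the closing element pairs with the opening one and that the chapter still validates before committing.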