From: David Demelier
To: Fbsd8
Cc: FreeBSD Questions
Subject: Re: rctl within jail
Date: Sun, 22 Sep 2013 17:51:59 +0200
Message-ID: <523F121F.50407@gmail.com>
References: <5236B4A2.4000103@gmail.com> <523EF48A.9090007@a1poweruser.com>
In-Reply-To: <523EF48A.9090007@a1poweruser.com>

On 22.09.2013 15:45, Fbsd8 wrote:
> David Demelier wrote:
>> Hello there,
>>
>> I wanted to use rctl within a jail to add more fine-grained settings for
>> some users, and default ones too. But it does not seem to work. Is it
>> supported? Do we need to add a special flag to the jail creation?
>>
>> # rctl -a loginclass:default:maxproc:deny=30
>> rctl: rctl_add_rule: Operation not permitted
>>
>> Regards,
>>
>> David
>
> The rctl command is brand new. It does not have a group of users yet, so
> that is why you have not received any replies to your post.
>
> As far as I know you can not issue the "rctl" command from within the
> running jail.
>
> The "rctl" command is issued on the HOST only.
>
> You can apply rules to an entire jail if you want to, for example, to
> limit the amount of memory a jail can use:
>
> # rctl -a jail::memoryuse:deny=1G
>
> (where is the name of your jail). This would make sure the
> jail can't use more than (approximately) 1 gigabyte of memory.
>
> To enable rctl on the host, you need to compile a custom kernel that
> contains the following 2 parameters:
> options RACCT
> options RCTL
>

Yes, I will also post a PR for this because no manpage says that you
require this in your kernel. I will provide a new manpage and a bit more
documentation.

> I think your rctl command would look like this when issued from the host
> rctl -a jail::loginclass:default:maxproc:deny=30
>

What I really want is to prevent users from spawning too many processes
(aka fork bombs). But if I apply it to the jail directly, it also applies
to the service jails, which is a bit unwanted.

Regards,
David
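Added example, not code from the thread: a small host-side sh helper that composes rctl(8) rules in the subject:subject-id:resource:action form used above, refuses to proceed where rctl cannot manage rules (inside a jail, or on a kernel built without RACCT/RCTL), and applies a limit to one named jail only, so the service jails are left alone. The jail name, the RCTL_DRYRUN variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). rctl rules can only be added on the
# HOST, so this is meant to run there; RCTL_DRYRUN=1 prints the command
# instead of executing it, which lets the helper be checked on any box.

# rctl_rule SUBJECT ID RESOURCE ACTION -> prints subject:id:resource:action
# Rejects subjects rctl(8) does not know and actions without an amount.
rctl_rule() {
    case "$1" in
        process|user|loginclass|jail) ;;
        *) echo "rctl_rule: unknown subject '$1'" >&2; return 1 ;;
    esac
    case "$4" in
        deny=*|log=*|devctl=*|sig*=*) ;;
        *) echo "rctl_rule: action must be deny=N, log=N, devctl=N or sigXXX=N" >&2
           return 1 ;;
    esac
    [ -n "$2" ] && [ -n "$3" ] || { echo "rctl_rule: empty id or resource" >&2; return 1; }
    printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$4"
}

# apply_jail_limit JAIL RESOURCE AMOUNT -> adds jail:JAIL:RESOURCE:deny=AMOUNT
# The rule is scoped to that one jail; other jails on the host are untouched.
apply_jail_limit() {
    rule=$(rctl_rule jail "$1" "$2" "deny=$3") || return 1
    if [ "${RCTL_DRYRUN:-0}" = 1 ]; then
        echo "rctl -a $rule"
        return 0
    fi
    # Listing the jail's rules fails inside a jail, or when the kernel lacks
    # 'options RACCT' / 'options RCTL'; adding would fail the same way, so
    # report the cause instead of a bare "Operation not permitted".
    if ! rctl -l "jail:$1" >/dev/null 2>&1; then
        echo "rctl not usable here: run on the host with a kernel built with" \
             "options RACCT and options RCTL" >&2
        return 1
    fi
    rctl -a "$rule"
}

# The case from the thread: cap a single jail at 30 processes (fork-bomb guard).
# apply_jail_limit myjail maxproc 30
```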