Date: Tue, 12 Feb 2019 16:53:45 +0000
From: Norman Gray <norman.gray@glasgow.ac.uk>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Adjusting resource limits
Message-ID: <FFAC6B9A-40DA-4171-9502-6216047EE58B@glasgow.ac.uk>

Greetings,

I'm trying to work out how to manage resource limits for processes, and I'm clearly not understanding something.

I can apply a resource limit using rctl (after adding `kern.racct.enable=1` to /boot/loader.conf and rebooting), and use it to limit the number of open files with a command such as:

    # rctl -a user:ldap:openfiles:deny=1024

restricting user ldap to at most 1024 open files. I can see the effect of that with

    # rctl user:ldap:openfiles:deny=1024

I can then restart my LDAP server (in this case), identify its PID, and query the limits on that process:

    # procstat -l 1130
    ...
    1130 slapd openfiles 232299 232299
    ...

rather than the 1024 I expected to see.

What am I misunderstanding?

All I can think of is that the resource limits apply at the point when a process is created. In this case, the process will be created by root and only later change owner to ldap -- does that mean that it's too late for any user:ldap limit to apply? That wouldn't surprise me, but the text at <https://www.freebsd.org/doc/handbook/security-resourcelimits.html> doesn't make any mention of this.

If that is the case, what is the best way of imposing resource limits on a service such as this? I can see how one could potentially do this by adjusting `command` in the appropriate rc.d script, to use `limits -n 1024 command`, but that hardly seems the right thing to do. Should I put such a service into a jail purely on the grounds that rctl could set limits for that?

I'd have expected to see some guidance on this in Chapter 11 of the manual ('Configuration and Tuning'), but can't.

Thanks for any pointers,

Norman

--
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK