CentOS 7 cgroups: restrict per user




Posted by jesucarr, 01-04-2016, 08:21 AM
I'm trying to set up resource limits per user in CentOS 7, but I can't find the right commands for the new implementation of cgroups using systemd. libcgroup-tools is considered deprecated. (I did read the documentation access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Resource_Management_Guide/index.html but it talks about restricting services, not users.) Specifically I want to restrict the CPU shares and memory per user. I also posted the steps in CentOS 6 that I want to reproduce in ServerFault: serverfault.com/questions/742752/centos-6-to-centos-7-cgroups Does anyone know how to do this? Thanks

Posted by gnusys, 01-04-2016, 08:54 AM
See if http://unix.stackexchange.com/questi...s-with-systemd helps

Posted by jesucarr, 01-04-2016, 09:22 AM
Looks like cgmanager is for Linux containers. I'm looking for the new way to do it using CentOS 7 systemd.

Posted by Srv24x7, 01-16-2016, 09:14 AM
Hi, Check the below link if it is of some help. certdepot.net/rhel7-get-started-cgroups/

Posted by jesucarr, 01-16-2016, 09:38 AM
Thanks for the link. But still it talks about processes, not users. For example it says that for assigning CPU shares to httpd you run:

    systemctl set-property httpd CPUShares=500

How to do the same for user xxx?

Posted by HelpOps, 01-16-2016, 11:36 AM
Everything you need to know about cgroups: https://access.redhat.com/documentat...uide-en-US.pdf https://access.redhat.com/documentat...uide/ch01.html

Posted by jesucarr, 01-16-2016, 03:40 PM
Maybe I'm overlooking something, because I'm not too familiar with the matter, but I read those links and also the current official documentation here: access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Resource_Management_Guide/index.html, but I can't find the section where it talks about restricting users instead of services. If someone can point me to that specific section, or just translate the command above (systemctl set-property httpd CPUShares=500) for a user instead of a service, that would be really helpful.

Posted by HelpOps, 01-16-2016, 05:03 PM
Cgroups are for restricted resources for processes, not users or groups. If you want to restrict resource usage for users you should look into pam_limits: http://www.linux-pam.org/Linux-PAM-h...am_limits.html / http://www.linuxtopia.org/online_boo...ing_Users.html settings. If you want even more control please look into SELinux Policies - https://wiki.centos.org/HowTos/SELinux and CloudLinux if it is able to be structured for your needs.

Posted by jesucarr, 01-16-2016, 05:16 PM
What I want to do is possible with cgroups as detailed in serverfault.com/questions/742752/centos-6-to-centos-7-cgroups, I just wonder how to do it the new way in CentOS 7 with systemctl.

Posted by HelpOps, 01-16-2016, 05:39 PM
Give the following a try after you have the groups setup. Read it all the way through to see if it works for you. https://access.redhat.com/documentat...ol_Groups.html

Posted by jesucarr, 01-16-2016, 05:50 PM
I think that's the same documentation I linked to, just with a paginated format, and unfortunately I can only find how to restrict services not users. In other words, how to set CPUShares=500 for users?

Posted by HelpOps, 01-16-2016, 07:21 PM
Appears you would need to ensure that the services for the specific user are within a user slice associated with their UID. For instance if they are running fast cgi programs or other applications as their userid you should be able to then restrict it. For system services like the regular httpd, postfix, etc. these cannot be restricted to the user unless they are running their own version of the process since the slices are inherited by their parent processes.

Take a look in the documentation on the types of slices available then use the following to create the appropriate groups. You should be able to do this by ensuring that the UID and GID match up with the users that you want to restrict resources for: https://access.redhat.com/documentat...libcgroup.html

Once you have the groups and their permissions set up appropriately, start moving processes into the groups for the userid and groupid you defined: https://access.redhat.com/documentat...rol_Group.html

You can then use the following to set the parameters for the groups you have created: https://access.redhat.com/documentat...arameters.html

To test it out, ensure you are properly launching the processes as the user and you should then see they are restricted, where before being added into a control group there were no restrictions.

If you are still having issues I would recommend spending a couple of hours testing in a Virtual Machine with the documentation until you fully understand how to configure cgroups in RHEL7 or take an official RHEL Training Course, specifically https://www.redhat.com/en/services/t...ormance-tuning which goes over what you are trying to do and you can have the instructor go into the details on it even further.

Posted by jesucarr, 01-17-2016, 07:53 AM
Thanks for your help, but your steps are using the libcgroups tools, which are considered deprecated in RHEL 7, and my question is how to do that with the new systemd. Unfortunately I can't afford a training course at the moment.

Posted by brianoz, 01-18-2016, 08:22 AM
Just checking; is this for use with cPanel? Sounds like it's not, but just in case it is, this is usually accomplished with the "CloudLinux" product which does exactly this.

Posted by jesucarr, 01-18-2016, 08:26 AM
No it's not for cPanel, and I'm interested in a cgroups solution, not CloudLinux.

Posted by gnusys, 01-18-2016, 08:40 AM
Please try for example

    systemctl set-property user-1000.slice CPUShares=100

Assuming you wish to limit the resource for UID 1000 and limit the CPUShares.

Posted by jesucarr, 01-18-2016, 09:02 AM
Oh, I see, yeah that seems to be the right direction, however when executing the command I get:

    Failed to set unit properties on user-xxx.slice: Unit user-xxx.slice is not loaded.

(xxx is my UID)

Posted by gnusys, 01-18-2016, 09:08 AM
Can you check

    r2d2@R2D2:~$ systemctl status user-1000.slice
    ● user-1000.slice
       Loaded: loaded
      Drop-In: /etc/systemd/system/user-1000.slice.d
               └─50-CPUShares.conf
       Active: active since Mon 2016-01-18 07:30:40 IST; 11h ago
       CGroup: /user.slice/user-1000.slice

The above output is from an Ubuntu 15.10 OS I am running on my laptop and the Drop-In - 50-CPUShares.conf came from executing the above command I mentioned

Posted by jesucarr, 01-18-2016, 10:02 AM
I get:

    systemctl status user-xxx.slice
    ● user-xxx.slice
       Loaded: loaded
       Active: inactive (dead)

Because the user is not logged in. Is there a way to add the property without the user being logged in?

Posted by gnusys, 01-18-2016, 10:08 AM
Check - http://systemd-devel.freedesktop.nar...ce-memorylimit Perhaps the systemd MLs are a better place to ask this question. Update here with what you find.

Posted by gnusys, 01-18-2016, 10:25 AM
I think if you set the resource limit in user.slice it will be inherited by user-xxx.slice when something under the user ownership runs. As I see like this in systemd-cgls

    └─user.slice
      └─user-1000.slice
        ├─user@1000.service
        │ ├─835 /lib/systemd/systemd --user
        │ └─836 (sd-pam)
        └─session-c1.scope
          ├─ 830 lightdm --session-child 12 15
          ├─ 839 /sbin/upstart --user

Or perhaps you can do this with pam. Will let you know if I find anything

Posted by HelpOps, 01-18-2016, 04:00 PM
You have to set the user.slice up properly, once you have done this it should work fine as noted in the documentation.

Posted by jesucarr, 01-19-2016, 06:27 AM
I ended up logging in with the user, so I can execute set-property. Then I can see the files generated in /etc/systemd/system and from there I can replicate for other users. @gnusys thanks so much for your hints. If you are in ServerFault and want to answer my question there, please do and I'll be happy to accept your answer.

Posted by gnusys, 01-19-2016, 07:55 AM
Just answered it in SF. Glad I could help and the googling helped me too
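
Added example, not part of any post in this thread: a shell sketch of the approach the thread settles on, writing the per-user slice drop-ins directly so the limits exist before the user has ever logged in. The function names `write_dropin` and `limit_user` are hypothetical, and the `[Slice]` file contents and the `50-MemoryLimit.conf` name are assumptions modelled on the `50-CPUShares.conf` drop-in shown in the status output above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout, taken from the quoted
# status output: <root>/user-<UID>.slice.d/50-<Property>.conf

# write_dropin ROOT UID PROPERTY VALUE
write_dropin() {
    root=$1; uid=$2; prop=$3; value=$4
    # Only a numeric UID may reach the unit name, so no "../" path tricks.
    case $uid in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;; esac
    # Only the two limits the thread asks about are accepted.
    case $prop in
        CPUShares|MemoryLimit) ;;
        *) echo "bad property: $prop" >&2; return 1 ;;
    esac
    # CPUShares: digits only. MemoryLimit: digits plus one optional K/M/G/T.
    # Rejecting everything else also blocks newline injection of extra keys.
    num=$value
    [ "$prop" = MemoryLimit ] && num=${value%[KMGT]}
    case $num in ''|*[!0-9]*) echo "bad value for $prop" >&2; return 1 ;; esac
    dir="$root/user-$uid.slice.d"
    mkdir -p "$dir" || return 1
    # Write to a temp file and rename, so a half-written file is never read.
    tmp="$dir/.50-$prop.conf.$$"
    printf '[Slice]\n%s=%s\n' "$prop" "$value" > "$tmp" || return 1
    chmod 0644 "$tmp" && mv "$tmp" "$dir/50-$prop.conf"
}

# limit_user ROOT USERNAME CPUSHARES MEMORYLIMIT
limit_user() {
    uid=$(id -u "$2") || return 1
    write_dropin "$1" "$uid" CPUShares "$3" &&
    write_dropin "$1" "$uid" MemoryLimit "$4"
}

# Typical use as root (username and values are constructed samples):
#   limit_user /etc/systemd/system alice 500 512M && systemctl daemon-reload
```

Pointing ROOT at a scratch directory first lets you inspect the generated files before anything under /etc/systemd/system changes.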


