Gentoo Forums
Limiting CPU usage per user/process
den_RDC
Apprentice
Joined: 25 Aug 2002
Posts: 166
Location: beercountry, Belgium;)

Posted: Fri Jan 21, 2005 10:37 pm    Post subject: Limiting CPU usage per user/process

I have been searching really hard for something to limit CPU (memory would be nice too) usage on several server systems. I know about ulimit, but it isn't what I want. I have seen malicious scripts bypass that protection very effectively by just forking a child, letting it consume its allotted time and then just forking a new one. I would like to be capable of setting percentage limits (i.e. user X can never use more than 40% CPU) so people can't devour all resources (or at least not enough to spike the system load so high that an SSH login becomes impossible).

So far I have found nothing useful except CKRM ( http://ckrm.sf.net ), but it's still in beta/testing.

Any hints or ideas? There must be some sysadmins who have encountered this problem before...
_________________
Fan of the "Survivor Warriors of the Evil Empire of Bloody Destruction and Bloody Darkness"
wmgoree
Apprentice
Joined: 08 Aug 2003
Posts: 246
Location: Alexandria, VA

Posted: Fri Jan 21, 2005 11:11 pm    Post subject: nice

I use /etc/profile to nice their login shell. Since normal users can't make a process less nice, all their child processes inherit whatever niceness you set.
_________________
vi? *snicker* it doesn't even include a mail reader...
hardcampa
n00b
Joined: 11 Oct 2002
Posts: 58

Posted: Fri Jan 21, 2005 11:21 pm    Post subject: Re: Limiting CPU usage per user/process

Do it the proper Unix way instead and use PAM's security, which is a standard.
Here's a small guide for you:
http://www.userlocal.com/security/secpam.php
_________________
http://gibbage.mine.nu
den_RDC
Apprentice
Joined: 25 Aug 2002
Posts: 166
Location: beercountry, Belgium;)

Posted: Mon Jan 24, 2005 8:46 am

Thanks, but like I said I already know about ulimit (which is exactly what PAM does), and like I already explained it's simply not good enough for a modern webserver/mail/vhost server. The problems are:
- PHP and other script exploits know about limited execution times, so they spin off their CPU-intensive processes in another process. Granted, this process will get killed after xx secs if you set PAM limits, but the "main" program will just fork a new one. The result will still be 100% CPU load.
- Killing your process is not always what you want. While you might want to kill a runaway apache, proftpd, mysql or postfix, you don't want them to get killed because they have been running for a very long time, accumulated too much CPU time over the days/months/years and thus reached a hard CPU limit. You still want to stop each one of them from gobbling up all resources (or simply more than you want them to).
- When you get slashdotted, you still want to make sure some CPU time goes to your mail server/FTP server. While renicing everything to fit your ideal resource configuration should, in theory, work, I have found out that in reality, nice values only seem to "prioritize" CPU time, and not all other resources (I/O being the most important, and also being the most likely candidate for a bottleneck).

While PAM's limits on numbers of open files/processes/max memory usage are useful in these situations, CPU time restrictions are not adequate and there's no way to limit or throttle I/O (or no way to prevent other dirty tricks such as fork-kill-fork-kill-etc).

I know I am asking for a lot, but who knows, somebody might just have encountered the same "itching" and decided to "scratch" it.
_________________
Fan of the "Survivor Warriors of the Evil Empire of Bloody Destruction and Bloody Darkness"


Last edited by den_RDC on Mon Jan 24, 2005 8:50 am; edited 1 time in total
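
Added example (not part of the original thread, and not code from any poster): one way to measure the pattern described in the post above, where no single process reaches its limit but the user as a whole still saturates the CPU. It sums `utime`, `stime`, `cutime` and `cstime` from `/proc/<pid>/stat` per user, so the time of children that have already been reaped is still counted. The uids, PIDs and sample lines are constructed, the uid is assumed to be the owner of `/proc/<pid>`, and the 40% threshold is the figure from the first post.

```python
import os
from collections import defaultdict

def parse_stat(line):
    """Parse one /proc/<pid>/stat line into (pid, comm, cpu_ticks)."""
    # comm may contain spaces and ')', so split on the LAST ')'.
    head, _, tail = line.rpartition(")")
    pid, _, comm = head.partition(" (")
    rest = tail.split()  # rest[0] is field 3 (state)
    # Fields 14-17: utime, stime, cutime, cstime. The c* fields hold the CPU
    # time of children this process has already reaped.
    return int(pid), comm, sum(int(x) for x in rest[11:15])

def read_proc():
    """Live snapshot as [(uid, stat_line)]; Linux only."""
    snap = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            uid = os.stat(f"/proc/{d}").st_uid
            with open(f"/proc/{d}/stat") as f:
                snap.append((uid, f.read()))
        except OSError:
            pass  # process exited during the scan
    return snap

def user_ticks(snapshot):
    totals = defaultdict(int)
    for uid, line in snapshot:
        totals[uid] += parse_stat(line)[2]
    return dict(totals)

def cpu_share(before, after, interval_s, hz=100, ncpu=1):
    """Percent of CPU per uid between snapshots; hz is os.sysconf('SC_CLK_TCK')."""
    a, b = user_ticks(before), user_ticks(after)
    budget = interval_s * hz * ncpu
    return {u: 100.0 * max(b[u] - a.get(u, 0), 0) / budget for u in b}

def over_limit(shares, limit_pct):
    return sorted(u for u, pct in shares.items() if pct > limit_pct)

def _line(pid, comm, ut, st, cut, cst):  # builds a constructed stat line
    return f"{pid} ({comm}) S 1 {pid} {pid} 0 -1 0 0 0 0 0 {ut} {st} {cut} {cst} 20 0 1 0"

# Constructed samples taken 10 s apart: uid 1001 respawns short-lived children.
BEFORE = [(1001, _line(4000, "php (worker)", 5, 2, 0, 0)),
          (1001, _line(4101, "sh", 150, 10, 0, 0)),
          (1002, _line(300, "postfix", 40, 10, 0, 0))]
AFTER = [(1001, _line(4000, "php (worker)", 6, 3, 700, 60)),
         (1001, _line(4177, "sh", 180, 8, 0, 0)),
         (1002, _line(300, "postfix", 60, 20, 0, 0))]

if __name__ == "__main__":
    print(over_limit(cpu_share(BEFORE, AFTER, interval_s=10), limit_pct=40))
```

On a live system, call `read_proc()` twice with a sleep in between and pass both snapshots to `cpu_share`. CPU time of children whose parent exits first is reparented and drops out of the user's total, so this is a monitoring aid rather than an enforcement mechanism.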
Gherald
Veteran
Joined: 23 Aug 2004
Posts: 1399
Location: CLUAConsole

Posted: Mon Jan 24, 2005 8:49 am

I have a related question, but would settle for a way to monitor I/O effectively.
den_RDC
Apprentice
Joined: 25 Aug 2002
Posts: 166
Location: beercountry, Belgium;)

Posted: Mon Jan 24, 2005 10:13 am

freeix wrote:
I have a related question, but would settle for a way to monitor I/O effectively.

That would be handy too.
_________________
Fan of the "Survivor Warriors of the Evil Empire of Bloody Destruction and Bloody Darkness"
crazycat
l33t
Joined: 26 Aug 2003
Posts: 838
Location: Hamburg, Germany

Posted: Tue Mar 29, 2005 5:49 am

I have the same issue: some process runs away, gets lots of RAM and hogs resources, and I can't do anything while it's happening and don't want to kill X because other programs are running. On Win XP it's mostly not a problem for me because I just press ctrl-alt-del and kill a process; on Gentoo, however, I don't have such a facility, and neither can I use some normal program because this borked program eats memory/CPU and prevents me from starting other programs, like a task manager. I also cannot prevent my user from using 100% CPU. I also know about /etc/limits and /etc/security/* but think that they are too primitive, and I would like something that could, for example, as long as I (root or other user) move my mouse/press keys, give the other user max 95% CPU, and as long as I don't use keyb/mouse (which means I'm away), let it use 99% CPU.