Re: Resource limits getting enforced only for processes in user's terminal not for su [user] from root's terminal

On Mon, Apr 24, 2023 at 7:04 AM jaimin bhaduri <jaimin@xxxxxxxxxx> wrote:
Cgroups v2 is enabled in almalinux 9.1 with 5.14.0-70.22.1.el9_0.x86_64 kernel and systemd 250 (250-12.el9_1.3).

Content of /etc/systemd/system/user-1002.slice.d/override.conf:
[Unit]
Description=User Slice for UID 1002

[Slice]
CPUAccounting=1
MemoryAccounting=1
IOAccounting=1
TasksAccounting=1
CPUQuota=70%
MemoryMax=1G
MemoryHigh=1G
IOReadBandwidthMax=/ 1G
IOWriteBandwidthMax=/ 1G
IOReadIOPSMax=/ 1000
IOWriteIOPSMax=/ 1000
TasksMax=200

[Install]
WantedBy=multi-user.target


I execute systemctl daemon-reload after saving the slice file.
Every value is getting enforced for the user when I test them by running some commands from the user's terminal.
But they don't work after I run the same commands from root's terminal after doing su to that user.
They also don't work when a user's process is started from a php script using putenv('user_uid');.
How do I make them work for all the user's processes no matter how they start?

Using cgroup-based limits means that something needs to actually *move* the process into the appropriate cgroup. (They are not uid-based limits!)

As php-fpm does not support cgroup management on its own, you might need to run multiple instances of php-fpm@.service (not just multiple pools in the same instance), each instance specifying "Slice=user-%i.slice" similar to how user@.service does it.

For `su`, you would need to configure its PAM stack to invoke pam_systemd, but this is usually *deliberately* not done, as doing so would cause other issues, especially for scripts that use `su` for non-interactive purposes. (Besides that, systemd-logind does not allow creating a new session from within another one, so the only time `su` would be allowed to do this is exactly the time when it would be undesirable...)

Instead, `machinectl shell foo@` or `systemd-run --user -M foo@.host --pty ...` could be used if you need to manually run something as another user (but as soon as you need to do it twice, you should just make a .service with Slice=, or even a --user service).

--
Mantas Mikulėnas
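An added example, not from the thread or from systemd itself, that checks the point made above: the limits follow the cgroup a process sits in, not its UID. The script reads the cgroup v2 path of a process (the single `0::<path>` line in /proc/PID/cgroup) and reports whether that path is under user-UID.slice; the slice paths in the comments are constructed samples, and the script name is assumed.

```shell
#!/bin/sh
# check_slice.sh UID PID (assumed name) - does user-UID.slice apply to PID?
#
# Constructed sample paths one sees on a cgroup v2 host:
#   shell opened with `su - app` from root's terminal:
#       /user.slice/user-0.slice/session-1.scope      (root's session, no limits)
#   shell opened with `machinectl shell app@`:
#       /user.slice/user-1002.slice/session-3.scope   (limits apply)
#   command run with `systemd-run --user -M app@.host`:
#       /user.slice/user-1002.slice/user@1002.service/app.slice/run-u12.service

# cgroup_v2_path FILE -> prints the path from the "0::<path>" line of FILE
cgroup_v2_path() {
    sed -n 's/^0::\(.*\)$/\1/p' "$1"
}

# cgroup_path_of_pid PID -> cgroup v2 path of a running process
cgroup_path_of_pid() {
    cgroup_v2_path "/proc/$1/cgroup"
}

# in_user_slice UID PATH -> exit 0 if PATH is user-UID.slice or anything below it
in_user_slice() {
    case "$2" in
        /user.slice/user-"$1".slice|/user.slice/user-"$1".slice/*) return 0 ;;
        *) return 1 ;;
    esac
}

# report UID PID -> one-line verdict for an operator
report() {
    path=$(cgroup_path_of_pid "$2")
    if [ -z "$path" ]; then
        echo "pid $2: no cgroup v2 entry found (cgroup v1 host or no such pid)"
        return 2
    fi
    if in_user_slice "$1" "$path"; then
        echo "pid $2 is in $path: user-$1.slice limits apply"
    else
        echo "pid $2 is in $path: NOT under user-$1.slice, limits do not apply"
        return 1
    fi
}

if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```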
