Linux Services Organization

Our goal: to introduce Linux services to the enterprise world.
Contact us at contact@linuxsv.org

Linux Services Organization : Limiting Linux Server

Because hardware resources are finite, system resources must be limited so that all system users receive the same quality of service. CPU and memory usage can be limited with pam_limits, and disk usage with quotas.

PAM Limits

The PAM module pam_limits, activated by default for all users, sets limits on the system resources available to a user or group session. These limits are configured in the /etc/security/limits.conf file:

$ cat /etc/security/limits.conf

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#[domain]          [type]      [item]      [value]
#
#Where:
#[domain] can be:
#          - an user name
#          - a group name, with @group syntax
#          - the wildcard *, for default entry
#          - the wildcard %, can be also used with %group syntax,
#          for maxlogin limit
#
#[type] can have the two values:
#          - "soft" for enforcing the soft limits
#          - "hard" for enforcing hard limits
#
#[item] can be one of the following:
#          - core - limits the core file size (KB)
#          - data - max data size (KB)
#          - fsize - maximum filesize (KB)
#          - memlock - max locked-in-memory address space (KB)
#          - nofile - max number of open files
#          - rss - max resident set size (KB)
#          - stack - max stack size (KB)
#          - cpu - max CPU time (MIN)
#          - nproc - max number of processes
#          - as - address space limit (KB)
#          - maxlogins - max number of logins for this user
#          - maxsyslogins - max number of logins on the system
#          - priority - the priority to run user process with
#          - locks - max number of file locks the user can hold
#          - sigpending - max number of pending signals
#          - msgqueue - max memory used by POSIX message queues (bytes)
#          - nice - max nice priority allowed to raise to values: [-20, 19]
#          - rtprio - max realtime priority
#
#[value] All items support the values '-1', 'unlimited' or 'infinity' indicating no limit, except for priority and nice
#[domain]                  [type]          [item]          [value]
#

#*                                  soft           core             0
#*                                  hard          rss          10000
#@student                  hard          nproc          20
#@faculty                   soft           nproc          20
#@faculty                   hard          nproc          50
#ftp                              hard          nproc          0
#@student                  -          maxlogins        4

# End of file


The file content is self-explanatory: limits are applied to the sessions of users, groups, or everybody ('*'), in 'soft' or 'hard' mode, on items such as CPU time, maximum logins, resident memory, etc., each with its own value.

* As a first example, configure the maximum number of running processes for user 'john' to 5:

$ echo "john          hard      nproc      5" >> /etc/security/limits.conf

* As user 'john' test the limit :

$ su - john
john-$ for i in `seq 1 15`; do sleep 30 & done

[1] 5352
[2] 5353
[3] 5354
[4] 5355
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable

Once the limit of 5 running processes has been reached (john's login shell counts as one of them), john is not allowed to start any more processes: 'fork: retry: Resource temporarily unavailable'

* As a second example, configure a limit of 100000 KB on the memory address space ('as'):

$ echo "john          hard      as      100000" >> /etc/security/limits.conf

* As user 'john', test the limit by executing a Perl script that allocates memory forever:

$ su - john
john-$ cat membomb.pl

#!/usr/bin/perl -w

my %hash=();
my $i=0;
my $string="::";

while (1 == 1) {
     $i++;
     $string=$string."::".$i;
     $hash{$string}=$string;
}

john-$ ./membomb.pl
Out of memory!


The memory limit does not allow membomb.pl to allocate all memory.
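
The following linter for limits.conf-style files is an added example, not part of the original page or of pam_limits. It assumes the item names listed in the comment header above, flags malformed entries, and reports limits that are only 'soft', which a user can raise with ulimit up to the inherited hard limit. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint limits.conf-style entries (not part of pam_limits).

# lint_limits FILE: print one finding per line; return 1 if there is any finding.
lint_limits() {
    awk '
    function finding(n, msg) { printf "line %d: %s\n", n, msg; rc = 1 }
    BEGIN {
        # Item names taken from the comment header of limits.conf (assumption).
        items = "core data fsize memlock nofile rss stack cpu nproc as maxlogins"
        items = items " maxsyslogins priority locks sigpending msgqueue nice rtprio"
        n = split(items, a, " ")
        for (i = 1; i <= n; i++) known[a[i]] = 1
    }
    NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
    NF != 4 { finding(NR, "expected 4 fields, got " NF); next }
    $2 != "soft" && $2 != "hard" && $2 != "-" { finding(NR, "unknown type: " $2); next }
    !($3 in known) { finding(NR, "unknown item: " $3); next }
    $4 !~ /^(-?[0-9]+|unlimited|infinity)$/ { finding(NR, "bad value: " $4); next }
    $2 == "soft" { if (!(($1, $3) in soft)) soft[$1, $3] = NR; next }
    { hard[$1, $3] = 1 }                           # "hard" or "-" sets the hard limit
    END {
        # A soft limit with no hard limit can be raised by the user via ulimit.
        for (key in soft)
            if (!(key in hard)) {
                split(key, p, SUBSEP)
                finding(soft[key], "soft-only " p[2] " for " p[1])
            }
        exit rc + 0
    }
    ' "$1"
}

# Constructed sample: the two john entries from this page plus three defective ones.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real system file
john      hard  nproc   5
john      hard  as      100000
@faculty  soft  nproc   20
@student  hard  nprocs  20
ftp       hard  nproc
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
lint_limits "$tmp" || echo "limits file has findings"
rm -f "$tmp"
```

Running it against a copy of /etc/security/limits.conf before a change goes live catches a misspelled item or a missing field before any session depends on the entry.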

Disk Quotas

Another important resource to limit is disk usage, because full disk partitions can bring down the system. Quotas on disk space can be applied per filesystem to users and groups, by used inodes (number of files) and/or used disk blocks (total size).

Quota configuration

* Just before starting to use quota make sure that quota rpm is installed on the system :

$ rpm -qa | grep quota
quota-3.17-10.el6.i686


* Also make sure that the running Kernel has been compiled with quota support :

$ grep CONFIG_QUOTA /boot/config-`uname -r`
CONFIG_QUOTA=y
...


1.- Configure the quota parameters on the filesystem where the quota is going to be applied. For example, to set up quotas on the /home partition (/dev/VolGroup01/VolGroup01Home), add the parameters 'usrquota,grpquota' to the mount options for /home in /etc/fstab, then remount the partition to activate quota:

/dev/VolGroup01/VolGroup01Home      /home          ext4      defaults,usrquota,grpquota      1 2

$ mount -o remount /home
$ mount
...
/dev/mapper/VolGroup01-VolGroup01Home      on /home      type ext4      (rw,usrquota,grpquota)


2.- Generate the partition quota database :

$ quotacheck -cugm /home
It generates the files /home/aquota.user and /home/aquota.group used to manage the quota status on /home.

3.- Edit the quota for user/group :

$ edquota -u john

Disk quotas for user john (uid 500):
Filesystem      blocks      soft      hard      inodes      soft      hard
/dev/mapper/VolGroup01-VolGroup01Home      12      80000      100000      10      15      20
:wq!


Quotas can be set on the number of files (inodes) and on the storage capacity used (blocks) for user 'john' on the /home partition:

* A soft limit of 80000 blocks of 1 KB (=80M) and a hard limit of 100000 blocks (=100M) have been set up. User 'john' will not be allowed to use more than 100M on /home and will be warned when he uses more than 80M.

* A soft limit of 15 files (inodes) and a hard limit of 20 files (inodes) have been set up. User 'john' will not be allowed to create more than 20 files on /home and will be warned when he owns more than 15 files.

4.- Activate quotas :

$ quotaon -aug
This command is executed automatically by init, so quotas are applied at boot time.

5.- Verify quotas :

$ su - john
john-$ dd if=/dev/zero of=/home/john/file bs=1024 count=1000000

dd: writing `/home/john/file': Disk quota exceeded
99989+0 records in
99988+0 records out
102387712 bytes (102 MB) copied, 3.85976 s, 26.5 MB/s

Only 100M has been written to the file /home/john/file: 'Disk quota exceeded'

john-$ for i in `seq 1 30`; do touch $i.txt; done

touch: cannot touch `14.txt': Disk quota exceeded
...
touch: cannot touch `30.txt': Disk quota exceeded

User 'john' has been allowed to create only 13 files because 'john' already owns 7 files: 'Disk quota exceeded'

Quotas can be reported using the repquota command :

$ repquota -a
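
The following helper is an added example, not part of the original page or of the quota tools. It reads rows in the edquota layout shown in step 3 and prints how many blocks and inodes remain before the hard limit, with a state of ok, over-soft or at-hard. For the page's row it gives 99988 blocks, the same number of 1 KB records dd reports writing in step 5. The function names and the last two sample rows are constructed.

```shell
#!/bin/sh
# Added example: headroom left under a quota, computed from edquota-style rows.

# quota_headroom: read "fs blocks soft hard inodes soft hard" rows on stdin and
# print "fs blocks_left inodes_left state". A limit of 0 means no limit.
quota_headroom() {
    awk '
    function left(used, hard) {
        if (hard == 0) return "unlimited"
        return hard > used ? hard - used : 0
    }
    NF == 7 && $2 ~ /^[0-9]+$/ {                   # skips the two header lines
        b = $2 + 0; bsoft = $3 + 0; bhard = $4 + 0
        i = $5 + 0; isoft = $6 + 0; ihard = $7 + 0
        state = "ok"
        # Above a soft limit the user is warned but can still write.
        if ((bsoft > 0 && b > bsoft) || (isoft > 0 && i > isoft)) state = "over-soft"
        # At a hard limit further allocation fails with "Disk quota exceeded".
        if ((bhard > 0 && b >= bhard) || (ihard > 0 && i >= ihard)) state = "at-hard"
        print $1, left(b, bhard), left(i, ihard), state
    }'
}

# The first three lines are the edquota listing shown in step 3; the last two
# rows are constructed for illustration.
sample_rows() {
    cat <<'EOF'
Disk quotas for user john (uid 500):
Filesystem      blocks      soft      hard      inodes      soft      hard
/dev/mapper/VolGroup01-VolGroup01Home      12      80000      100000      10      15      20
/dev/constructed1      85000      80000      100000      20      15      20
/dev/constructed2      500      0      0      3      0      0
EOF
}

sample_rows | quota_headroom
```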

Questions

1.- Before using limits in the /etc/security/limits.conf file, the PAM module pam_limits must be activated (true/false)

2.- Limits from pam_limits pam module are applied in user session (true/false)

3.- Limits from pam_limits pam module are applied system wide (true/false)

4.- File size limit can be applied from pam_limits module or using quotas ?

5.- Which command must be used in order to create the quota database on /tmp partition ?

6.- Which command must be used in order to edit quotas for group 'engr' ?

7.- Which command must be used in order to activate quotas on the system ?

8.- Which line must be added to the /etc/security/limits.conf file in order to limit group engr to 10min of total cpu time ?

9.- Different quotas can be applied in different directories on the same filesystem ? (true/false)

10.- Which command must be used in order see the status of all quotas applied on the system ?

Labs

1.- Limit user 'john' to one login at a time. Also limit the number of running processes for user 'john' to 10. Check the result.

2.- Create an LV partition, create an ext4 filesystem on it and mount it on /home/engr. Make the engr group the owner of /home/engr. Set up a hard disk quota of 100M for group engr on /home/engr. Check the result.

3.- Create a quota that limits user 'john' to 60 files on "/". Check the result.

-- This page is part of Linux Server online tutorial --