From feef63b6b6605a151aabab6c1d77734cc5b2b594 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Mon, 11 May 2020 14:37:25 +0200
Subject: [PATCH 1/3] Limit user resources on *geniux* By ignorance and inattention, users run calculations on our gateway server *geniux*, affecting all other users. Prevent that technically, by limitting the resources to one CPU and ten percent of the memory. See systemd.resource-control(5) for more details. The current resource limits for user id 133 can be checked With `systemd-cgls` and `systemctl status user-133.slice`. Users can still cripple the system with high IO and network load.
---
 install.sh | 3 +++
 .../20-resource-limits-geniux.conf | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 misc_systemd_units/20-resource-limits-geniux.conf
diff --git a/install.sh b/install.sh
index ff2cc168..2e758461 100755
--- a/install.sh
+++ b/install.sh
@@ -146,6 +146,9 @@ install_data misc_systemd_units/user@.service.d/depend-on-remote-homes.conf \
 mkdir -p "$DESTDIR$sysconfdir/systemd/logind.conf.d"
 install_data misc_etc_files/systemd/logind.conf.d/disable_RemoveIPC.conf \
 "$DESTDIR$sysconfdir/systemd/logind.conf.d/disable_RemoveIPC.conf"
+mkdir -p "$DESTDIR$systemdunitdir/user-.slice.d"
+install_data misc_systemd_units/20-resource-limits-geniux.conf \
+ "$DESTDIR$systemdunitdir/user-.slice.d/20-resource-limits-geniux.conf"
 install_data logrotate/logrotate.conf "$DESTDIR$sysconfdir/logrotate.conf"
 install_data logrotate/logrotate.service "$DESTDIR$systemdunitdir/logrotate.service"
 install_data logrotate/logrotate.timer "$DESTDIR$systemdunitdir/logrotate.timer"
diff --git a/misc_systemd_units/20-resource-limits-geniux.conf b/misc_systemd_units/20-resource-limits-geniux.conf
new file mode 100644
index 00000000..a84980cc
--- /dev/null
+++ b/misc_systemd_units/20-resource-limits-geniux.conf
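Review bot: In the install.sh hunk the new drop-in is read from the flat path `misc_systemd_units/20-resource-limits-geniux.conf`, while the neighbouring drop-in named in the hunk header lives under a directory that mirrors its target (`misc_systemd_units/user@.service.d/`). Keeping the source at `misc_systemd_units/user-.slice.d/20-resource-limits-geniux.conf` would make it visible from the tree that the file attaches to every `user-UID.slice`. A one-line comment above the `mkdir -p` would help as well, for example `# per-user CPU/memory caps for the gateway host; attaches to all user-UID.slice units`. Only part of the script is visible in the hunk, so a different layout convention may exist outside it.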
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=User Slice of UID %j
+Documentation=man:user@.service(5)
+After=systemd-user-sessions.service
+StopWhenUnneeded=yes
+ConditionHost=geniux.molgen.mpg.de
+
+[Slice]
+CPUQuota=100%
+MemoryMax=10%
From 97380afd0764a571a70c0ddb6862619dba72cb72 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Mon, 11 May 2020 16:09:53 +0200
Subject: [PATCH 2/3] systemd: Exclude *root* from resource limits application Do not apply the user resource limits to user *root*.
---
 misc_systemd_units/20-resource-limits-geniux.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/misc_systemd_units/20-resource-limits-geniux.conf b/misc_systemd_units/20-resource-limits-geniux.conf
index a84980cc..69e2680a 100644
--- a/misc_systemd_units/20-resource-limits-geniux.conf
+++ b/misc_systemd_units/20-resource-limits-geniux.conf
@@ -13,6 +13,7 @@ Documentation=man:user@.service(5)
 After=systemd-user-sessions.service
 StopWhenUnneeded=yes
 ConditionHost=geniux.molgen.mpg.de
+ConditionUser=!0
 
 [Slice]
 CPUQuota=100%
From c98c88658f16998696a73cfd07a64f41b164e940 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Mon, 11 May 2020 16:12:26 +0200
Subject: [PATCH 3/3] systemd: Fix maximum memory usage to 3G for users on *geniux* Absolute values are preferred by some, so arbitrarily choose 3 GB. (Before it would have been around 6 GB on *geniux*, which seems excessive.)
---
 misc_systemd_units/20-resource-limits-geniux.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misc_systemd_units/20-resource-limits-geniux.conf b/misc_systemd_units/20-resource-limits-geniux.conf
index 69e2680a..408a7767 100644
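Review bot: `ConditionHost=geniux.molgen.mpg.de` in the `[Unit]` section of the new 20-resource-limits-geniux.conf (PATCH 1/3) is unlikely to confine the limits to that host. Per systemd.unit(5), Condition*= settings gate activation of the unit the drop-in is merged into; they do not decide whether the drop-in's `[Slice]` settings are loaded. Because install.sh ships the file unconditionally, it is worth checking on a host other than geniux what `systemctl show -p MemoryMax user-133.slice` reports and whether the slice still activates. If the caps or a skipped slice show up there, install the drop-in only on the gateway and drop the condition. The SPDX header ("This file is part of systemd") and the `Description=`/`Documentation=`/`After=`/`StopWhenUnneeded=` lines look copied from the stock user-slice defaults and could give way to a short comment stating what the caps are for.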
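Review bot: `ConditionUser=!0` (PATCH 2/3) probably does not exempt root's slice, because systemd.unit(5) describes ConditionUser= as a test of the user the service manager runs as, not of the UID a slice belongs to. Under the system manager that user is always root, so the negated check would fail for every `user-UID.slice` instead of only for UID 0. A more direct exemption is to remove this line and add a separate drop-in `user-0.slice.d/20-resource-limits-geniux.conf` that resets the values: `[Slice]`, `CPUQuota=`, `MemoryMax=infinity`. Keeping root unthrottled matters on a gateway, since an administrator needs headroom to log in and recover the machine while users are hitting their caps.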
--- a/misc_systemd_units/20-resource-limits-geniux.conf
+++ b/misc_systemd_units/20-resource-limits-geniux.conf
@@ -17,4 +17,4 @@ ConditionUser=!0
 
 [Slice]
 CPUQuota=100%
-MemoryMax=10%
+MemoryMax=3G
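Review bot: `MemoryMax=3G` bounds only the RAM charged to the slice; nothing in this file limits swap, so a user who reaches the ceiling can still push the gateway into swap and slow everyone else down. Consider adding `MemorySwapMax=` next to it (value to be chosen for geniux), as described in systemd.resource-control(5). A comment such as `# hard cap: processes in the slice are OOM-killed above this` would also record that this is a kill threshold rather than a throttle, for which `MemoryHigh=` exists. These memory settings apply on the unified cgroup hierarchy, which the patch does not show to be in use on geniux.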