linux – Setting MemoryLimit on a user-created systemd scope as a user, using cgroups

Related: Limiting overall memory usage for child processes

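Is there a way for an unprivileged user, or for root to allow an unprivileged user, to create a systemd scope (or another systemd-managed control group) so that the scope's memory usage is limited and the limit is something the user can

Or, why does this not achieve the above effect: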

$ systemd-run --scope --user --unit=limit-test.scope bash
Running as unit limit-test.scope.
$ systemctl show --user limit-test.scope | grep Mem
MemoryAccounting=no
MemoryLimit=18446744073709551615
$ systemctl set-property --user limit-test.scope MemoryAccounting=yes
$ systemctl set-property --user limit-test.scope MemoryLimit=100M
$ systemctl show --user limit-test.scope | grep Mem
MemoryAccounting=yes
MemoryLimit=104857600
$ python
>>> a = [1]*1000000000    # happily eats 7.4G of RAM

I am testing this on Debian unstable with systemd 215. The kernel is 3.18.2 and is compiled with the required support, I believe:

$ zgrep -E 'CGROUP|MEMCG' /proc/config.gz
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_SWAP_ENABLED=y
CONFIG_MEMCG_KMEM=y
# CONFIG_CGROUP_HUGETLB is not set
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_SCHED=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CGROUP_NET_CLASSID=y

/etc/systemd.system.conf sets these parameters, but nothing else:

DefaultCPUAccounting=yes
DefaultBlockIOAccounting=yes
DefaultMemoryAccounting=yes

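What I am really trying to achieve is a kind of RSS limit, as an unprivileged user, on a process (or a group of processes), without limiting virtual memory, i.e. ulimit -v is out.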

Solution

OK, so the correct answer is that you cannot set cgroup limits for user processes (at the time of writing this answer, anyway).

Ref from systemd-devel mailing list

We simply do not support this right now. Unprivileged users do not get
access to the cgroup properties of the various controllers right
now, simply because this is unsafe.

We can open this up one day, bit by bit but this requires some kernel
work, and an OK from Tejun that this is safe.

This was April 2015, and I assume nothing has changed since then.
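A way to check whether a MemoryLimit reported by systemctl is actually enforced by the kernel, as an added example that is not part of the original question, answer or systemd: it parses /proc/<pid>/cgroup and tests whether the memory controller places the process in the unit's own cgroup. It assumes the cgroup v1 layout of the kernel 3.18 / systemd 215 setup in the question; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# memory_cgroup_path TEXT: print the memory controller's cgroup path from
# text in /proc/<pid>/cgroup format ("hierarchy-id:controller-list:path").
memory_cgroup_path() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($2, ctl, ",")          # controllers may be co-mounted
        for (i = 1; i <= n; i++)
            if (ctl[i] == "memory") {
                # everything after the second colon is the path
                print substr($0, length($1) + length($2) + 3)
                exit
            }
    }'
}

# in_unit_memory_cgroup UNIT TEXT: succeed only if the memory controller
# path ends in UNIT, i.e. the unit has a memory cgroup of its own.
in_unit_memory_cgroup() {
    case "$(memory_cgroup_path "$2")" in
        */"$1") return 0 ;;
        *)      return 1 ;;
    esac
}

# live_memory_limit UNIT PID: print the limit the kernel enforces for PID.
# Assumption: the v1 memory hierarchy is mounted at /sys/fs/cgroup/memory.
live_memory_limit() {
    text=$(cat "/proc/$2/cgroup") || return 2
    if in_unit_memory_cgroup "$1" "$text"; then
        cat "/sys/fs/cgroup/memory$(memory_cgroup_path "$text")/memory.limit_in_bytes"
    else
        echo "$1: no memory cgroup of its own; MemoryLimit is not applied"
        return 1
    fi
}

# Constructed sample: scope made with --user. The unit shows up only in the
# name=systemd hierarchy, so the memory controller never sees it.
SAMPLE_USER_SCOPE='8:memory:/user.slice/user-1000.slice
4:cpu,cpuacct:/user.slice/user-1000.slice
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/limit-test.scope'

# Constructed sample: a scope that does have its own memory cgroup.
SAMPLE_SYSTEM_SCOPE='8:memory:/system.slice/limit-test.scope
4:cpu,cpuacct:/system.slice
1:name=systemd:/system.slice/limit-test.scope'
```

On a live system, `live_memory_limit limit-test.scope $$` run from the shell inside the scope shows whether the 100M limit reached the kernel.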
