systemd resource control -- all users/root

2 votes
0 answers
2313 views
I'm using Debian Bullseye with systemd 247. I have more than a hundred users and I would like to enforce some limits using cgroups. I use set-property, which works as expected, for example for the memory and AllowedCPUs properties:

```
systemctl set-property user.slice MemoryHigh=300G
systemctl set-property user.slice MemoryMax=305G
systemctl set-property user.slice AllowedCPUs=9-64
```

The idea is to allow ordinary users to use 80-90% of the memory and most of the CPUs. The other 10-20% of the resources should always be available for other slices *and* for the root user (we were very liberal with setting the limits and recently we accidentally were fork-bombed by a student). But the limits seem to also affect the root user and I cannot find a user@0.slice or anything like that. The idea is to allow root to use the spare resources if things go wrong and always have some spare I/O, memory and CPU aside. cgroups seem like a good idea, because all switches are there.

Could someone help and tell how to achieve this goal or give some general best practices with systemd/cgroups in a multiuser environment? Or am I doing this completely wrong and this should be done differently?

### Proposed answer (June 19th, 2022):

I think I managed to do it as described below, but I do not know if this is a "right" way to do it.

* systemd has a hierarchy within drop-in directories. In general, the more specific drop-in directory definitions override the less specific ones. (https://www.freedesktop.org/software/systemd/man/systemd.unit.html#)
* /etc/systemd/system/user-.slice.d/something.conf will be overridden by /etc/systemd/system/user-0.slice.d/something.conf. Limits set in the former directory will apply to all users including root, but the definitions in the latter directory will override them and apply *only* to root. (https://www.freedesktop.org/software/systemd/man/user@.service.html)
* Using spare resources reserved for the root user requires a proper root login, for example on a TTY or through a console in case of a virtual machine. sudo or su are methods of elevating privileges, but do not hook into the cgroup system (or at least I do not know how to do this). When using sudo or su, the user is still bound by the user-UID@ slice limits.

Kind Regards ~~ K.
Asked by Kamil (1501 rep)
Jun 18, 2022, 11:56 AM
Last activity: Jun 19, 2022, 05:27 PM
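The drop-in layout from the proposed answer, as an added example that is not part of the original post: the per-user values are the ones from the question, the root override values (memory unlimited, all CPUs 0-64) are assumptions, and the script takes a target directory so the files can be previewed in a scratch location before being placed under /etc/systemd/system.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the two drop-ins the
# proposed answer describes. First argument is the systemd config directory;
# pass a scratch directory to preview the files without touching the system.
set -eu

write_user_slice_dropins() {
    etc_dir="${1:-/etc/systemd/system}"

    # user-.slice.d/ applies to every per-user slice (user-1000.slice, ...),
    # root's user-0.slice included. Values are taken from the question.
    mkdir -p "$etc_dir/user-.slice.d"
    cat > "$etc_dir/user-.slice.d/50-limits.conf" <<'EOF'
[Slice]
MemoryHigh=300G
MemoryMax=305G
AllowedCPUs=9-64
EOF

    # user-0.slice.d/ is more specific and overrides the above for UID 0 only.
    # Root values are assumptions: no memory cap, and (assumed) CPUs 0-64.
    mkdir -p "$etc_dir/user-0.slice.d"
    cat > "$etc_dir/user-0.slice.d/50-limits.conf" <<'EOF'
[Slice]
MemoryHigh=infinity
MemoryMax=infinity
AllowedCPUs=0-64
EOF
}

# Read one key back from a generated drop-in:
#   dropin_value DIR user-0 MemoryMax   -> infinity
dropin_value() {
    sed -n "s/^$3=//p" "$1/$2.slice.d/50-limits.conf"
}

# After writing the real files under /etc/systemd/system:
#   systemctl daemon-reload
#   systemctl show user-0.slice -p MemoryMax -p AllowedCPUs     # root's override
#   systemctl show user-1000.slice -p MemoryMax -p AllowedCPUs  # an ordinary user
# Check: user-0.slice sits below user.slice, so a cap set directly on user.slice
# (as with set-property in the question) still bounds root as well; verify with
#   systemctl show user.slice -p MemoryMax
```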