System resource limits per system user?


#1

Whilst most Linux repos feature the PAM limit module, I could not trace such for OWRT/TOS; at least https://github.com/openwrt/packages/tree/master/libs/libpam/files does not seem to cater for it.

And ulimit does not feature per user settings.

Is there perhaps another way, that I have missed, to define resource limits per user?


#2

cgroups also allow defining resource limits.


#3

Thanks for the pointer. There seem to be some caveats though:

  • version 1 is not maintained any more since it moved to version 2 as of kernel 4.5
  • except for lxc-cgroup there appears to be no user-land implementation in OpenWRT
  • compared to the PAM limit module, cgroups are more complex to configure and provide a lesser feature set

#4

Actually in the larger context (not only OpenWRT), cgroups are far, far more powerful than whatever pam_limits can provide. But we’d get off-topic.


#5

Suppose it depends on the context, considering the feature sets which are only partially overlapping and otherwise vastly differ.

PAM limit
  • domain

    • a username
    • a groupname, with @group syntax. This should not be confused with netgroups.
    • the wildcard *, for default entry.
    • the wildcard %, for maxlogins limit only, can also be used with %group syntax. If the % wildcard is used alone it is identical to using * with maxsyslogins limit. With a group specified after % it limits the total number of logins of all users that are member of the group.
    • an uid range specified as <min_uid>:<max_uid>. If min_uid is omitted, the match is exact for the max_uid. If max_uid is omitted, all uids greater than or equal min_uid match.
    • a gid range specified as @<min_gid>:<max_gid>. If min_gid is omitted, the match is exact for the max_gid. If max_gid is omitted, all gids greater than or equal min_gid match. For the exact match all groups including the user’s supplementary groups are examined. For the range matches only the user’s primary group is examined.
    • a gid specified as %: applicable to maxlogins limit only. It limits the total number of logins of all users that are member of the group with the specified gid.
  • type

    • hard - for enforcing hard resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
    • soft - for enforcing soft resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-existing hard limits. The values specified with this token can be thought of as default values, for normal system usage.
    • - - for enforcing both soft and hard resource limits together.
  • item

    • core - limits the core file size (KB)
    • data - maximum data size (KB)
    • fsize - maximum filesize (KB)
    • memlock - maximum locked-in-memory address space (KB)
    • nofile - maximum number of open files
    • rss - maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)
    • stack - maximum stack size (KB)
    • cpu - maximum CPU time (minutes)
    • nproc - maximum number of processes
    • as - address space limit (KB)
    • maxlogins - maximum number of logins for this user except for this with uid=0
    • maxsyslogins - maximum number of all logins on system
    • priority - the priority to run user process with (negative values boost process priority)
    • lock - maximum locked files (Linux 2.4 and higher)
    • sigpending - maximum number of pending signals (Linux 2.6 and higher)
    • msgqueue - maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
    • nice - maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]
    • rtprio - maximum realtime priority allowed for non-privileged processes (Linux 2.6.12 and higher)
cgroups
  • blkio — this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB).
  • cpu — this subsystem uses the scheduler to provide cgroup tasks access to the CPU.
  • cpuacct — this subsystem generates automatic reports on CPU resources used by tasks in a cgroup.
  • cpuset — this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup.
  • devices — this subsystem allows or denies access to devices by tasks in a cgroup.
  • freezer — this subsystem suspends or resumes tasks in a cgroup.
  • memory — this subsystem sets limits on memory use by tasks in a cgroup and generates automatic reports on memory resources used by those tasks.
  • net_cls — this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task.
  • net_prio — this subsystem provides a way to dynamically set the priority of network traffic per network interface.
  • ns — the namespace subsystem.
  • perf_event — this subsystem identifies cgroup membership of tasks and can be used for performance analysis.
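
On a system without pam_limits, a subset of the domain/type/item semantics listed in post #5 can be approximated from a login profile with plain `ulimit`. The following is an added example, not code from the thread or from OpenWrt: the function names, the sample entries and the precedence rule are assumptions of this example.

```shell
# Added example (not from the thread): resolve limits.conf-style entries for one
# user into ulimit commands. Flag letters follow bash; check `ulimit -a` on the
# target shell (assumption: a BusyBox ash build may name them differently).
sample_conf() {   # constructed sample input, "domain type item value"
cat <<'EOF'
# domain  type  item       value
*         soft  nofile     1024
*         hard  nofile     4096
alice     -     nproc      50
@ftp      hard  nproc      20
alice     hard  cpu        10
%guests   -     maxlogins  2
EOF
}

# resolve_limits FILE USER "GROUP ..."; body is a subshell, so no variables leak.
# Precedence assumed here: user entry > @group entry > "*"; equal rank: last wins.
resolve_limits() (
    user=$2 groups=" $3 "
    while read -r dom typ item val rest; do
        case $dom in ''|'#'*) continue ;; esac
        # Only digits or "unlimited" may reach the caller's eval.
        case $val in unlimited) ;; ''|*[!0-9]*) continue ;; esac
        case $item in   # fsize/core left out: block units differ between shells
            nofile) flag=n ;; nproc) flag=u ;; as) flag=v ;; stack) flag=s ;;
            cpu) flag=t; [ "$val" = unlimited ] || val=$((val * 60)) ;;  # minutes to seconds
            *) continue ;;   # maxlogins etc. are not handled here
        esac
        case $dom in
            "$user") rank=3 ;;
            @*) case $groups in *" ${dom#@} "*) rank=2 ;; *) continue ;; esac ;;
            '*') rank=1 ;;
            *) continue ;;   # "%" and uid/gid ranges are not emulated
        esac
        case $typ in hard) types=H ;; soft) types=S ;; -) types="H S" ;; *) continue ;; esac
        for t in $types; do
            eval "cur=\${rank_${t}_${flag}:-0}"
            if [ "$rank" -ge "$cur" ]; then
                eval "rank_${t}_${flag}=\$rank; val_${t}_${flag}=\$val"
            fi
        done
    done < "$1"
    for k in H_n S_n H_u S_u H_t S_t H_v S_v H_s S_s; do
        eval "v=\${val_$k:-}"
        if [ -n "$v" ]; then echo "ulimit -${k%_*} -${k#*_} $v"; fi
    done
)

# Demo on the constructed sample: user "alice" in groups "users" and "ftp".
tmp=$(mktemp) && sample_conf > "$tmp" && resolve_limits "$tmp" alice "users ftp"; rm -f "$tmp"
```

Applied with `eval "$(resolve_limits FILE "$(id -un)" "$(id -Gn)")"` from a root-owned profile script, this only covers sessions whose shell sources that script; a hard limit set this way cannot be raised again by an unprivileged user.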