[systemd-devel] Cgroup limits for user processes

Mikhail Morfikov mmorfikov at gmail.com
Wed Feb 18 03:48:16 PST 2015


What is the best way to set cgroup limits for user processes? I mean the
individual processes. I know that you can set limits for user.slice, but
how to set limits for, let's say, firefox?

I tried to make a service file for firefox, it looks like this:

[Unit]
Description=Firefox Web Browser
Documentation=https://www.mozilla.org/
After=graphical.target
Before=shutdown.target

[Service]
Environment="DISPLAY=:0"
User=morfik
Type=simple
ExecStart=/opt/firefox/firefox -new-instance -ProfileManager
Restart=no
RemainAfterExit=no
Nice=5
IOSchedulingClass=best-effort
IOSchedulingPriority=3
OOMScoreAdjust=500
CPUShares=512
MemoryLimit=300M
BlockIOWeight=256

The parameters are just for testing purposes, and of course the unit is
a system unit. I tested it with:

morfik:~$ systemctl start firefox.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: morfik
Password:
==== AUTHENTICATION COMPLETE ===

and the service starts. The "nice" parameters are set, so are the
cgroups:

morfik:~$ systemctl status firefox
● firefox.service - Firefox Web Browser
   Loaded: loaded (/etc/systemd/system/firefox.service; static; vendor preset: enabled)
   Active: active (running) since Wed 2015-02-18 12:11:49 CET; 1min 46s ago
     Docs: https://www.mozilla.org/
 Main PID: 60773 (firefox)
   Memory: 259.2M (limit: 300.0M)
   CGroup: /system.slice/firefox.service
           └─60773 /opt/firefox/firefox -new-instance -ProfileManager

I didn't really like the way I started firefox, so I tried to move
the service from the system to the user dir. I also changed the unit
file a little bit -- the user and env lines were removed. After the change,
I started the service in order to test whether it works or not:

morfik:~$ systemctl --user daemon-reload
morfik:~$ systemctl --user start firefox.service
morfik:~$ systemctl --user status firefox.service
● firefox.service - Firefox Web Browser
   Loaded: loaded (/etc/systemd/user/firefox.service; static; vendor preset: enabled)
   Active: active (running) since Wed 2015-02-18 12:20:56 CET; 19s ago
     Docs: https://www.mozilla.org/
 Main PID: 64082 (firefox)
   CGroup: /user.slice/user-1000.slice/user@1000.service/firefox.service
           └─64082 /opt/firefox/firefox -new-instance -ProfileManager

It works, but as you can see, there are no cgroup limits. The "nice"
parameters are set correctly, but it looks like the cgroup ones are
ignored for some reason.

Here are some additional commands:

# cat /proc/`pidof firefox`/cgroup
9:blkio:/
8:cpuset:/
7:freezer:/
6:cpu,cpuacct:/
5:perf_event:/
4:devices:/user.slice
3:memory:/
2:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/firefox.service

root:~# systemd-cgls
├─1 /sbin/init splash
├─system.slice
│ ├─dbus.service
│ │ └─1529 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
...
└─user.slice
  ├─user-1000.slice
  │ ├─session-1.scope
  │ │ ├─ 2027 lightdm --session-child 12 19
...
  │ └─user@1000.service
  │   ├─2031 /lib/systemd/systemd --user
  │   ├─2032 (sd-pam)
  │   └─firefox.service
  │     └─64082 /opt/firefox/firefox -new-instance -ProfileManager
  └─user-108.slice
    ├─session-c1.scope
    │ ├─2013 /usr/bin/dbus-launch --autolaunch 159815709bbc46c29ef786cfc497afd4 --binary-syntax --close-stderr
    │ ├─2014 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
    │ ├─2016 /usr/lib/at-spi2-core/at-spi-bus-launcher
    │ ├─2020 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
    │ └─2023 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
    └─user@108.service
      ├─1992 /lib/systemd/systemd --user
      └─1993 (sd-pam)

root:~# ls -al /sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/firefox.service/
total 0
drwxr-xr-x  2 morfik morfik 0 2015-02-18 12:20:56 ./
drwxr-xr-x 24 morfik morfik 0 2015-02-18 12:20:56 ../
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 cgroup.clone_children
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 cgroup.procs
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 notify_on_release
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 tasks


BTW, one more thing. Is there a way to set a mark for network packets
using unit services? I really need this feature, but I couldn't find
any useful information on this subject.
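
Added example, not part of the original post or of systemd: a shell check that reads /proc/<pid>/cgroup text and reports, for the controllers behind MemoryLimit=, CPUShares= and BlockIOWeight=, whether the process sits in the hierarchy's root cgroup ("/"), where no per-unit limit can apply. The function names and verdict strings are hypothetical; the sample input is constructed from the output quoted in the post.

```shell
#!/bin/sh
# Constructed sample: the /proc/<pid>/cgroup lines from the post
# (the list archive renders "@" in unit names as " at ").
sample_cgroup() {
cat <<'EOF'
9:blkio:/
8:cpuset:/
7:freezer:/
6:cpu,cpuacct:/
5:perf_event:/
4:devices:/user.slice
3:memory:/
2:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/firefox.service
EOF
}

# controller_path CONTROLLER: read /proc/<pid>/cgroup text on stdin and print
# the cgroup path for that v1 controller (nothing if it is not listed).
controller_path() {
    awk -F: -v want="$1" '{
        path = $3                              # path may itself contain ":"
        for (i = 4; i <= NF; i++) path = path ":" $i
        n = split($2, c, ",")                  # e.g. "cpu,cpuacct"
        for (j = 1; j <= n; j++) if (c[j] == want) { print path; exit }
    }'
}

# report_directives: for the three cgroup directives in the post's unit file,
# print "<directive> <controller> <path> <verdict>".
report_directives() {
    text=$(cat)
    for pair in MemoryLimit:memory CPUShares:cpu BlockIOWeight:blkio; do
        directive=${pair%%:*}
        ctrl=${pair##*:}
        path=$(printf '%s\n' "$text" | controller_path "$ctrl")
        case $path in
            "") verdict=controller-not-listed ;;
            /)  verdict=root-cgroup ;;      # no per-unit limit can apply here
            *)  verdict=non-root-cgroup ;;
        esac
        printf '%s %s %s %s\n' "$directive" "$ctrl" "${path:--}" "$verdict"
    done
}

# Live use: report_directives < "/proc/$(pidof firefox)/cgroup"
sample_cgroup | report_directives
```

On the sample, all three directives report root-cgroup, matching the missing "Memory:" line in the user-unit status output.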