[systemd-devel] Controlling user processes with systemd+cgroups

Benjamin Rose benrose at math.princeton.edu
Thu Sep 3 11:57:09 PDT 2015


Hello all,

I am in an academic environment here, and lots of poor code gets written 
and then run. Memory leaks are a constant problem. So with RHEL6, I used 
cgconfig and cgred to create 3 cgroup partitions:

/students: 80 CPU ticks, 80% of available memory total
/staff: 10 CPU ticks
/system: 10 CPU ticks

Everyone in groups "grad", "ugrad", "visitor", etc. all got put into 
/students. Anyone in @staff got put into the staff cgroup, and all the 
rest went into /system.

The main goal was that no single user can hog all of the memory and kill 
off system/sysadmin processes. I believe I have achieved this with systemd:

[root@example ~]# cat /etc/systemd/system/system.slice.d/systemcpureserve.conf
[Slice]
CPUShares=10
[root@example ~]# cat /etc/systemd/system/user.slice.d/limitusers.conf
[Slice]
CPUShares=80
MemoryLimit=14G

But the other benefit that my cgred setup had was that no single user 
could also use more than 50% of the available memory, so that one user 
was less likely to kill other people's processes if the OOM was invoked. 
This is in addition to the group constraint. Said another way - I don't 
want one bad apple user in user.slice to be able to kill off every other 
process in user.slice. I also want anyone in the group @staff to be 
exempt from these memory limits, like in my setup for 6. It was nice to 
be able to SSH in to an otherwise overloaded machine as myself and see 
what was going on. In this solution above, root is put into user.slice 
and is bound by the same resource limits as the students.

As far as I can tell, systemd-logind, when included through PAM, only 
makes a cgroup like "user-<uid>" under the user slice. But I am looking 
to make this based not only on user ID, but also group ID. Is there any 
way to achieve all of this within systemd? I guess there is an option of 
doing something like this:

[root@prometheus system]# cat /etc/systemd/system/user-0.slice
[Slice]
CPUShares=10
MemoryLimit=16G

But I'm not even sure that would work (since user.slice limit is only 
14G), let alone that I would need to create one of them for every UID of 
every sysadmin on our network? And still, how to make sure that each 
person can never use more than 50% of total system memory, while still 
reserving 10%-20% of the overall resources for system/sysadmin functions.

Any help would be appreciated!

Thanks,
Ben
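
The per-UID option raised in the post (one slice file for every sysadmin UID), sketched as an added example that is not part of the original message: it resolves a group's members, primary and supplementary, from passwd(5)/group(5) data and writes one user-<uid>.slice.d drop-in per member. The function names, the limits.conf file name and the sample accounts are assumptions; the values 10 and 16G are the ones from the post, and the script does nothing about the user.slice ceiling the post asks about.

```shell
#!/bin/sh
# Added example, not from the original post.

# uids_in_group GROUP PASSWD_FILE GROUP_FILE
# Print UIDs whose primary or supplementary group is GROUP.
uids_in_group() {
    awk -F: -v grp="$1" '
        FNR == NR {                      # first file: group(5)
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")    # supplementary members by name
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # second file: passwd(5); $4 is the primary GID
        (gid != "" && $4 == gid) || ($1 in member) { print $3 }
    ' "$3" "$2" | sort -un
}

# write_slice_dropins OUTDIR MEMLIMIT CPUSHARES   (UIDs on stdin)
# limits.conf is a hypothetical drop-in file name.
write_slice_dropins() {
    while read -r uid; do
        d="$1/user-$uid.slice.d"
        mkdir -p "$d"
        printf '[Slice]\nCPUShares=%s\nMemoryLimit=%s\n' "$3" "$2" > "$d/limits.conf"
    done
}

# Constructed sample data: alice is in staff only as a supplementary
# member, bob only through his primary GID, carol not at all.
work=$(mktemp -d)
cat > "$work/group" <<'EOF'
staff:x:500:alice
grad:x:600:carol
EOF
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:600::/home/alice:/bin/bash
bob:x:1002:500::/home/bob:/bin/bash
carol:x:1003:600::/home/carol:/bin/bash
EOF

# Writes into a scratch directory, not /etc/systemd/system.
uids_in_group staff "$work/passwd" "$work/group" |
    write_slice_dropins "$work/out" 16G 10
ls "$work/out"
```

On a real host the input would come from getent passwd and getent group, so that network accounts are included, and systemctl daemon-reload is needed after drop-ins are placed under /etc/systemd/system.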