[systemd-devel] Enforce limitations on portable services

Lennart Poettering lennart at poettering.net
Thu Oct 4 11:38:10 UTC 2018


On Mi, 03.10.18 22:06, Gervais, Francois (FGervais at distech-controls.com) wrote:

> Hi,
> 
> I'd like to know if the system administrator that attaches the portable
> service is able to enforce limits like cpu and memory usage over the service?
> 
> A bit like when specifying the profile.

You can change the limits after attaching them, as Jeremy explained,
like for any other service ("systemctl set-property foo.service MemoryMax=2G"…)

You can also define your own profile, and specify it when attaching a
service, if you like.

I mean, I named the profile concept just "profile" instead of
"security profile", precisely to allow and encourage use for other
purposes than just security restrictions, for example resource
management, even though security is the main application for it.

To add a new profile just place an appropriately named file in
/etc/systemd/portable/profile/. For inspiration see the ones installed
to /usr/lib/systemd/portable/profile/.

A profile in that dir should be a directory with the name of the
profile, and then for each unit type (i.e. for service, socket,
target, timer, …) one .conf file. In most cases it is probably
sufficient to just define a profile for the service unit type, hence
usually you just have
/etc/systemd/portable/profile/<name>/service.conf.

Lennart

-- 
Lennart Poettering, Red Hat
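
The profile layout described in the message above, as an added example that is not part of the original post or of systemd's own files: it writes an administrator-defined resource-limit profile to /etc/systemd/portable/profile/<name>/service.conf. The profile name "limits", the limit values and the image path are assumptions; MemoryMax=, CPUQuota= and TasksMax= are standard systemd resource-control settings.

```shell
#!/bin/sh
# Added example: create a resource-limit profile for portable services.
# The name "limits" and the values used below are illustrative assumptions.

# write_profile ROOT NAME MEMORY_MAX CPU_QUOTA TASKS_MAX
# ROOT is "" on a live system; pass a scratch directory to inspect the
# result before installing it. Prints the path of the file written.
write_profile() {
    root=$1 name=$2 mem=$3 cpu=$4 tasks=$5
    # The profile name becomes a directory name: keep it one path component.
    case $name in
        ''|*/*|.*) echo "invalid profile name: $name" >&2; return 1 ;;
    esac
    dir=$root/etc/systemd/portable/profile/$name
    mkdir -p "$dir" || return 1
    # One .conf file per unit type; service.conf applies to service units.
    cat > "$dir/service.conf" <<EOF
# Profile "$name": resource limits for attached portable services.
[Service]
MemoryMax=$mem
CPUQuota=$cpu
TasksMax=$tasks
EOF
    echo "$dir/service.conf"
}

# profile_setting FILE KEY: print the value assigned to KEY in FILE.
profile_setting() {
    sed -n "s/^$2=//p" "$1"
}

# Stand-alone use: sh profile.sh ROOT NAME MEMORY_MAX CPU_QUOTA TASKS_MAX
if [ "$#" -eq 5 ]; then
    write_profile "$@"
fi

# On a live system, as root (image path is a placeholder):
#   sh profile.sh "" limits 2G 50% 64
#   portablectl attach --profile=limits /path/to/image.raw
#   systemctl show foo.service -p MemoryMax -p CPUQuotaPerSecUSec -p TasksMax
```

The final systemctl show call confirms that the limits from the profile are the ones systemd applies to the attached unit.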

