[systemd-devel] Resource limits getting enforced only for processes in user's terminal not for su [user] from root's terminal
Mantas Mikulėnas
grawity at gmail.com
Mon Apr 24 06:23:55 UTC 2023
On Mon, Apr 24, 2023 at 7:04 AM jaimin bhaduri <jaimin at webuzo.com> wrote:
> Cgroups v2 is enabled in almalinux 9.1 with 5.14.0-70.22.1.el9_0.x86_64
> kernel and systemd 250 (250-12.el9_1.3).
>
> Content of /etc/systemd/system/user-1002.slice.d/override.conf:
>
> [Unit]
> Description=User Slice for UID 1002
>
> [Slice]
> CPUAccounting=1
> MemoryAccounting=1
> IOAccounting=1
> TasksAccounting=1
> CPUQuota=70%
> MemoryMax=1G
> MemoryHigh=1G
> IOReadBandwidthMax=/ 1G
> IOWriteBandwidthMax=/ 1G
> IOReadIOPSMax=/ 1000
> IOWriteIOPSMax=/ 1000
> TasksMax=200
>
> [Install]
> WantedBy=multi-user.target
>
> I execute systemctl daemon-reload after saving the slice file.
> Every value is getting enforced for the user when I test them by running
> some commands from the user's terminal.
> But they don't work after I run the same commands from the root's terminal
> after doing su to that user.
> They also don't work when a user's process is started from a php script
> using putenv('user_uid');.
> How do I make them work for all the user's processes no matter how they
> start?
>
Using cgroup-based limits means that something needs to actually *move* the
process into the appropriate cgroup. (They are not uid-based limits!)

As php-fpm does not support cgroup management on its own, you might need to
run multiple instances of php-fpm@.service (not just multiple pools in the
same instance), each instance specifying "Slice=user-%i.slice" similar to
how user@.service does it.

For `su`, you would need to configure its PAM stack to invoke pam_systemd,
but this is usually *deliberately* not done, as doing so would cause other
issues, especially for scripts that use `su` for non-interactive purposes.
(Besides that, systemd-logind does not allow creating a new session from
within another one, so the only time `su` would be allowed to do this is
exactly the time when it would be undesirable...)

Instead, `machinectl shell foo@` or `systemd-run --user -M foo@.host --pty
...` could be used if you need to manually run something as another user
(but as soon as you need to do it twice, you should just make a .service with
Slice=, or even a --user service).
--
Mantas Mikulėnas
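An added example, written for this archive page and not part of either message above: a small POSIX sh diagnostic that shows why the slice limits apply to some processes and not others. It reads a cgroup v2 `/proc/<pid>/cgroup` line and reports whether the process sits under `user-<uid>.slice`, and it emits the `Slice=user-%i.slice` drop-in the reply suggests for a templated `php-fpm@.service`. The function names (`cgroup_path`, `in_user_slice`, `phpfpm_dropin`) and the four sample cgroup lines are constructed for illustration; on a real host you would feed it the contents of `/proc/<pid>/cgroup`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes cgroup v2 (unified hierarchy),
# where /proc/<pid>/cgroup holds a single "0::/path" line.

# Extract the cgroup path from a cgroup v2 "0::/path" line.
cgroup_path() {
    printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'
}

# Return 0 if the process is accounted under user-<uid>.slice (so the slice's
# CPUQuota=, MemoryMax=, IO* and TasksMax= apply to it), 1 otherwise.
# $1 = /proc/<pid>/cgroup line, $2 = numeric uid
in_user_slice() {
    case "$(cgroup_path "$1")" in
        /user.slice/user-"$2".slice|/user.slice/user-"$2".slice/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop-in for a templated php-fpm@.service so that instance php-fpm@1002.service
# lands in user-1002.slice (install as
# /etc/systemd/system/php-fpm@.service.d/slice.conf, then daemon-reload).
phpfpm_dropin() {
    cat <<'EOF'
[Service]
Slice=user-%i.slice
EOF
}

# Constructed sample lines, one per launch path discussed in the thread.
SHELL_LOGIN='0::/user.slice/user-1002.slice/session-4.scope'          # login as uid 1002
SU_FROM_ROOT='0::/user.slice/user-0.slice/session-2.scope'            # su 1002 in root's session
PHP_CHILD='0::/system.slice/php-fpm.service'                          # spawned by a system php-fpm
RUN_AS_UNIT='0::/user.slice/user-1002.slice/user@1002.service/app.slice/run-u12.service' # systemd-run --user -M

# Report for each sample: limited or not.
report() {
    for line in "$SHELL_LOGIN" "$SU_FROM_ROOT" "$PHP_CHILD" "$RUN_AS_UNIT"; do
        if in_user_slice "$line" 1002; then
            printf 'LIMITED   %s\n' "$(cgroup_path "$line")"
        else
            printf 'UNLIMITED %s\n' "$(cgroup_path "$line")"
        fi
    done
}

report
phpfpm_dropin
```

The `su` sample stays in root's `session-2.scope` because nothing re-parented it; it inherits the cgroup of the shell that ran `su`, which is exactly the observation in the question. The `systemd-run --user -M` sample ends up inside `user@1002.service`, which is itself a child of `user-1002.slice`, so the slice limits cover it. Running `report` against real `/proc/<pid>/cgroup` contents is a quick way to confirm which launch paths a limit actually reaches before relying on it.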