相关:
LImiting overall memory usage for child processes
有没有办法让非特权用户或root用户允许非特权用户创建系统范围(或systemd管理的其他控制组),以便范围的内存使用受到限制,并且限制可由用户?
或者,为什么这不能达到上述效果:
$systemd-run --scope --user --unit=limit-test.scope bash Running as unit limit-test.scope. $systemctl show --user limit-test.scope |grep Mem MemoryAccounting=no MemoryLimit=18446744073709551615 $systemctl set-property --user limit-test.scope MemoryAccounting=yes $systemctl set-property --user limit-test.scope MemoryLimit=100M $systemctl show --user limit-test.scope |grep Mem MemoryAccounting=yes MemoryLimit=104857600 $python >>> a = [1]*1000000000 # happily eats 7.4G of RAM
我正在使用systemd 215在Debian unstable上测试它.内核是3.18.2并使用所需的支持进行编译,我相信:
$zgrep -E 'CGROUP|MEMCG' /proc/config.gz CONFIG_CGROUPS=y # CONFIG_CGROUP_DEBUG is not set CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_cpuACCT=y CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_KMEM=y # CONFIG_CGROUP_HUGETLB is not set CONFIG_CGROUP_PERF=y CONFIG_CGROUP_SCHED=y CONFIG_BLK_CGROUP=y # CONFIG_DEBUG_BLK_CGROUP is not set CONFIG_NETFILTER_XT_MATCH_CGROUP=m CONFIG_NET_CLS_CGROUP=y CONFIG_CGROUP_NET_PRIO=y CONFIG_CGROUP_NET_CLASSID=y
/etc/systemd.system.conf设置这些参数,但没有别的:
DefaultcpuAccounting=yes DefaultBlockIOAccounting=yes DefaultMemoryAccounting=yes
我真正想要实现的是一种RSS限制,作为一个非特权用户,一个进程(或一组进程),而不限制虚拟内存,即ulimit -v out.
解决方法
好的,所以正确答案是您无法为用户进程设置cgroup限制(无论如何,在撰写此答案时).
Ref from systemd-devel mailing list:
We simply do not support this right now. Unprivileged users do not get
access to the cgroup properties of the varIoUs controllers right
now,simply because this is unsafe.We can open this up one day,bit by bit but this requires some kernel
work,and an OK from Tejun that this is safe.
这是2015年4月,我假设从那以后没有任何改变.