centos7 如何在用户级对资源进行限制

我们已经知道,centos7上建议使用sytemd进行资源限制。

本文主要介绍如何使用systemd进行用户级资源限制。
以orange用户为例。

方案一 临时有效

配置如下:

# systemctl set-property user-1000.slice MemoryLimit=200M
# systemctl daemon-reload

一般情况下,以上设置就可以了。
但有时还是会遇到以下问题:

# systemctl set-property user-1000.slice MemoryLimit=200M

Failed to set unit properties on user-1000.slice: Unit user-1000.slice is not loaded.

User with id 1007 not logged in. First login as that user then set limits

解决办法
首先使用

# systemctl start user-1000.slice

再进行设置

# systemctl set-property user-1000.slice MemoryLimit=200M
# systemctl daemon-reload

方案二 永久生效

首先,编写slice文件user-1000.slice

其中1000是orange用户的uid,可用命令查看

# id -u username

文件内容如下

[Unit]
Description=orange user.slice

[Slice]
MemoryAccounting=true
MemoryLimit=200M

其次,拷贝到指定位置

# cp user-1000.slice  /usr/lib/systemd/system

启用

# systemctl start user-1000.slice

重新加载配置

# systemctl daemon-reload

查看系统中的slice

# systemctl -t slice
UNIT                                                          LOAD   ACTIVE SUB    DESCRIPTION
-.slice                                                       loaded active active Root Slice
system-getty.slice                                            loaded active active system-getty.slice
system-selinux\x2dpolicy\x2dmigrate\x2dlocal\x2dchanges.slice loaded active active system-selinux\x2dpolicy\x2dmigrate\x2dlocal\x2dchanges.slice
system.slice                                                  loaded active active System Slice
user-0.slice                                                  loaded active active User Slice of root
user-1000.slice                                               loaded active active orange user.slice
user.slice                                                    loaded active active User and Session Slice

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

7 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

查看某个具体的slice

# systemctl status user-1000.slice -l
● user-1000.slice - orange user.slice
   Loaded: loaded (/usr/lib/systemd/system/user-1000.slice; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/user-1000.slice.d
           └─50-MemoryLimit.conf
   Active: active since 四 2018-08-02 15:17:01 CST; 1min 40s ago
   Memory: 1.5M (limit: 200.0M)
   CGroup: /user.slice/user-1000.slice
           └─session-14973.scope
             └─56361 /export/servers/orange-agent/orange-guard/orange-guard -c cfg.json

802 15:17:01 A02-R05-I79-201-3V98WK2.ORANGE.LOCAL systemd[1]: Created slice orange user.slice.
802 15:17:01 A02-R05-I79-201-3V98WK2.ORANGE.LOCAL systemd[1]: Starting orange user.slice.
802 15:17:01 A02-R05-I79-201-3V98WK2.ORANGE.LOCAL CROND[56324]: (orange) CMD (`which taskset` -c `source /export/servers/orange-agent/run_cpus.sh && cpus` /export/servers/orange-agent/super_guard.sh >> /export/servers/orange-agent/orange-agent/var/app.log 2>&1 &)
802 15:18:01 A02-R05-I79-201-3V98WK2.ORANGE.LOCAL CROND[56925]: (orange) CMD (`which taskset` -c `source /export/servers/orange-agent/run_cpus.sh && cpus` /export/servers/orange-agent/super_guard.sh >> /export/servers/orange-agent/orange-agent/var/app.log 2>&1 &)

经过以上设置后,orange用户启动的所有进程占用的物理内存之和不能超过200M,如果超过,进程机会被kill。

如果进程因为OOM被kill,会在/var/log/message中发现记录。

如何查看某个进程受哪些资源限制条件

# cat /proc/PID/cgroup
11:memory:/user-1000.slice
10:perf_event:/
9:devices:/user.slice
8:hugetlb:/
7:blkio:/user.slice
6:cpuset:/
5:freezer:/
4:pids:/
3:cpuacct,cpu:/user.slice
2:net_prio,net_cls:/
1:name=systemd:/user.slice/user-1000.slice/session-8569.scope

参考

centos7 user.slice
https://stackoverflow.com/questions/47367886/cgroup-configuration-in-centos-7

centos 7 systemd资源限制举例
https://www.certdepot.net/rhel7-get-started-cgroups/

Table 10.1. Available systemd Unit Types
Table 10.2. Systemd Unit Files Locations
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/chap-managing_services_with_systemd

service文件参考
/usr/lib/systemd/system/ssh.service

你可能感兴趣的:(操作系统,运维)