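13.7. User Resource Limits

If you have many users, the next thing that comes to mind is how to limit the resources they use. FreeBSD provides several ways for an administrator to limit the system resources each individual may use. These limits fall into two groups: disk quotas, and other resource limits.

Disk quotas limit a user's disk usage, and they provide a way to check and tally that usage quickly without recalculating it each time. Disk quotas are discussed in Section 18.15.

The other resource limits cover CPU, memory, and the other resources each user may consume. These limits are defined using login classes and are discussed here.

Login classes are defined in /etc/login.conf. The precise semantics are not covered in this section, but they are described in detail in login.conf(5). Each user is assigned to a login class (default by default), and each login class has its own resource limits (login capabilities). A login capability is a name=value pair, where name identifies the kind of resource and value is an arbitrary string that serves as the parameter for that name. Setting up login classes and login capabilities is rather straightforward and is also described in detail in login.conf(5).

Note: The system does not read the configuration in /etc/login.conf directly. It reads the database file /etc/login.conf.db, which provides faster lookups. To generate /etc/login.conf.db from /etc/login.conf, execute the following command: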

# cap_mkdb /etc/login.conf

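Resource limits differ from ordinary login capabilities in two ways. First, every limit has a soft limit and a hard limit. A soft limit may be adjusted by the user or an application, but may not be higher than the hard limit. The hard limit may be lowered by the user, but never raised again. Second, most resource limits apply to each individual process of a user, not to all of the user's processes together. Note that these differences come from the specific handling of the limits, not from the implementation of the login capability framework (that is, they are not really a special case of login capabilities).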
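The soft and hard limit rules above can be checked from a shell with the builtin ulimit. This is an added example, not part of the original handbook text; it uses the open-files limit (-n), the constructed values 128, 256 and 512, and assumes the starting hard limit is at least 256.

```sh
#!/bin/sh
# Added example: soft and hard limits seen through sh's builtin ulimit.
# -n is the per-process open-files limit ("openfiles" in login.conf).
# 128, 256 and 512 are constructed sample values; the starting hard limit
# is assumed to be at least 256. Every function works in a subshell, so
# the calling shell keeps its own limits.

# Lower both limits, then only the soft one. Prints "soft hard".
lower_limits() {
    (
        ulimit -n 256 || exit 1       # neither -S nor -H: sets both
        ulimit -S -n 128 || exit 1    # the soft limit may sit below the hard one
        echo "$(ulimit -S -n) $(ulimit -H -n)"
    )
}

# Limits belong to a process and are inherited: a child sh sees the same value.
child_soft_limit() {
    (
        ulimit -n 256 || exit 1
        ulimit -S -n 128 || exit 1
        sh -c 'ulimit -S -n'
    )
}

# Raise the soft limit back up to the hard limit, then try to go past it.
# Prints the soft limit after each step; it never exceeds the hard limit.
raise_soft() {
    (
        ulimit -n 256 || exit 1
        ulimit -S -n 128 || exit 1
        ulimit -S -n 256 || exit 1    # up to the hard limit: allowed
        first=$(ulimit -S -n)
        ulimit -S -n 512 2>/dev/null || true    # past the hard limit
        echo "$first $(ulimit -S -n)"
    )
}

# Try to raise the hard limit again. Prints "refused" for an unprivileged
# user; a privileged process (root) is allowed to and prints "raised".
raise_hard() {
    (
        ulimit -n 256 || exit 1
        if ulimit -H -n 512 2>/dev/null; then echo raised; else echo refused; fi
    )
}

lower_limits; child_soft_limit; raise_soft; raise_hard
```

In login.conf(5), the same split is written by appending -cur or -max to a limit's name, for example openfiles-cur=128 and openfiles-max=256.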

And so, without further ado, below are the most commonly used resource limits (the rest, along with all the other login capabilities, are described in login.conf(5)).

coredumpsize

The limit on the size of a core file generated by a program is, for obvious reasons, subordinate to other limits on disk usage (e.g., filesize, or disk quotas). Nevertheless, it is often used as a less-severe method of controlling disk space consumption: since users do not generate core files themselves, and often do not delete them, setting this may save them from running out of disk space should a large program (e.g., emacs) crash.

cputime

This is the maximum amount of CPU time a user's process may consume. Offending processes will be killed by the kernel.

Note: This is a limit on CPU time consumed, not the percentage of the CPU as displayed in some fields by top(1) and ps(1). A limit on the latter is, at the time of this writing, not possible, and would be rather useless: a compiler (probably a legitimate task) can easily use almost 100% of a CPU for some time.

filesize

This is the maximum size of a file the user may possess. Unlike disk quotas, this limit is enforced on individual files, not the set of all files a user owns.

maxproc

This is the maximum number of processes a user may be running. This includes foreground and background processes alike. For obvious reasons, this may not be larger than the system limit specified by the kern.maxproc sysctl(8). Also note that setting this too small may hinder a user's productivity: it is often useful to be logged in multiple times or execute pipelines. Some tasks, such as compiling a large program, also spawn multiple processes (e.g., make(1), cc(1), and other intermediate preprocessors).

memorylocked

This is the maximum amount of memory a process may have requested to be locked into main memory (e.g., see mlock(2)). Some system-critical programs, such as amd(8), lock into main memory such that in the event of being swapped out, they do not contribute to a system's thrashing in time of trouble.

memoryuse

This is the maximum amount of memory a process may consume at any given time. It includes both core memory and swap usage. This is not a catch-all limit for restricting memory consumption, but it is a good start.

openfiles

This is the maximum number of files a process may have open. In FreeBSD, files are also used to represent sockets and IPC channels; thus, be careful not to set this too low. The system-wide limit for this is defined by the kern.maxfiles sysctl(8).

sbsize

This is the limit on the amount of network memory, and thus mbufs, a user may consume. This originated as a response to an old DoS attack that worked by creating a lot of sockets, but it can be used generally to limit network communications.

stacksize

This is the maximum size a process' stack may grow to. This alone is not sufficient to limit the amount of memory a program may use; consequently, it should be used in conjunction with other limits.

There are a few other things to remember when setting resource limits. Following are some general tips, suggestions, and miscellaneous comments.

For further information on resource limits and login classes and capabilities in general, please consult the relevant manual pages: cap_mkdb(1), getrlimit(2), login.conf(5).

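This and other documents can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/

For questions about FreeBSD, read the FreeBSD documentation first; if that does not resolve the problem, contact <questions@FreeBSD.org>.
For questions about this document, contact <doc@FreeBSD.org>.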