Using control groups to protect core services

What I'd like to do is guarantee certain minimum resources to core/critical services like sshd, maybe prioritize root user processes over non-root, etc. Most docs and examples have the opposite approach and explain how to compartmentalize applications.

I've just had enough of the 'a bug in my code has run amok with the mem/cpu, now I can't log in to kill it - please reboot' type incidents.


Can anyone point me to config examples or tutorials that cover this?


Hi Fred,


It sounds to me like you'll want to investigate ulimit. I have done a bit of a search on the knowledge solutions database here, but unfortunately can't find exactly what you're looking for. What I have found, though, is an article explaining how to set ulimit values for Oracle. One of the main things this suggests doing is checking out '# man limits.conf'. This has examples and explanations of the different options and should be a good step in the right direction. I have also linked you to an article which discusses how to check the current limits of a running process.


Once you've had a chance to look at all this feel free to let me know if you have any questions. I am sure either myself or someone else checking these groups will be able to help.
Thanks for the reply. I have been using ulimits to some extent until now, but they have the issue of being more about limiting specific processes/users as opposed to guaranteeing resources.


The thing is, if you have hundreds of servers doing hundreds of different things, it's not very practical to set up ulimits for everything, whereas if it worked the other way around, one single default config could protect sshd and other core processes.


I've also found that the traditional cpu 'nice' priorities just don't work much, and likewise controlling network bandwidth usage with tc is very painful and very tricky to make process/user-specific, since that's not really its intended use.


cgroups are really very impressive and do it all in one place. It's just a bit cryptic to configure and maybe still lacks some of the features I'm looking for. I'm sure it'll improve, and hopefully gain a nicer interface. I guess I just need to wait a bit more.
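A config example of the kind the first post asks for, added here as an illustration; it is not code from the thread, from any of the people in it, or from a distribution's documentation. It takes the "protect the core service" direction rather than the "compartmentalize the application" one: sshd is moved into a group with the maximum CPU weight and a guaranteed memory floor, and every other process is parked in a low-weight group with a memory ceiling, so a runaway job cannot starve a new login. It uses the cgroup v2 (unified hierarchy) interface files cgroup.subtree_control, cpu.weight, memory.min, memory.max and cgroup.procs. The mount point /sys/fs/cgroup, the group names "protected" and "bulk", the 64 MiB floor, the 256 MiB reserve and the 10000:100 weights are all assumptions chosen for the example; running it requires root. The helper functions v2_path, path_in_group and in_group are included so you can verify after logging in that the shell really landed where you intended.

```shell
#!/bin/sh
# Added example (not from the original thread): carve out a cgroup v2
# "protected" group for sshd and push everything else into "bulk".
# Assumptions: cgroup v2 mounted at /sys/fs/cgroup, cpu and memory
# controllers available, run as root. Group names and numbers are
# illustrative choices, not values from the thread.

CGROOT=${CGROOT:-/sys/fs/cgroup}
RESERVE_KIB=262144     # 256 MiB that the bulk group may never take

# Write one value to a cgroup control file and complain if the kernel
# refuses: a silent failure here would mean the guarantee was never applied.
cg_set() {  # cg_set <group dir> <file> <value>
    if ! printf '%s\n' "$3" > "$1/$2"; then
        echo "cg_set: cannot write $2=$3 in $1" >&2
        return 1
    fi
}

# Ceiling for the bulk group in bytes: MemTotal minus the reserve.
# Both arguments are KiB values as printed by /proc/meminfo.
bulk_limit_bytes() {  # bulk_limit_bytes <memtotal_kib> <reserve_kib>
    echo $(( ($1 - $2) * 1024 ))
}

# Extract the cgroup v2 path from the text of a /proc/<pid>/cgroup file
# (the "0::/path" line). Reads stdin so it also works on a saved copy.
v2_path() {
    sed -n 's/^0::\(.*\)$/\1/p' | head -n 1
}

# Is cgroup path $1 the group $2 itself or one of its descendants?
path_in_group() {  # path_in_group </some/path> <group>
    case "$1" in
        "/$2"|"/$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Is the live process $1 inside group $2?  After logging in: in_group $$ protected
in_group() {
    path_in_group "$(v2_path < "/proc/$1/cgroup")" "$2"
}

setup_groups() {
    memtotal_kib=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    # Controllers must be enabled on the parent before children can use them.
    cg_set "$CGROOT" cgroup.subtree_control '+cpu +memory'
    mkdir -p "$CGROOT/protected" "$CGROOT/bulk"
    # cpu.weight is relative (1..10000): under contention "protected" gets
    # ~99% of the CPU, while "bulk" still gets everything when the box is idle.
    cg_set "$CGROOT/protected" cpu.weight 10000
    cg_set "$CGROOT/protected" memory.min 67108864        # 64 MiB floor
    cg_set "$CGROOT/bulk" cpu.weight 100
    cg_set "$CGROOT/bulk" memory.max \
        "$(bulk_limit_bytes "$memtotal_kib" "$RESERVE_KIB")"
}

# Move sshd into "protected" and every other root-level process into "bulk".
# Weights only compare between siblings, so leaving the rest in the root
# cgroup would defeat the point. Kernel threads refuse to move (EINVAL);
# that is expected, so those writes are allowed to fail.
place_processes() {
    for pid in $(pgrep -x sshd); do
        cg_set "$CGROOT/protected" cgroup.procs "$pid"
    done
    for pid in $(cat "$CGROOT/cgroup.procs"); do
        [ "$pid" = "$$" ] && continue
        in_group "$pid" protected 2>/dev/null && continue
        printf '%s\n' "$pid" > "$CGROOT/bulk/cgroup.procs" 2>/dev/null || true
    done
}

# Run as:  sh protect-sshd.sh apply
if [ "${1-}" = apply ]; then
    setup_groups && place_processes && \
        echo "done; verify with: cat /proc/\$(pgrep -x sshd | head -n 1)/cgroup"
fi
```

Two things to check after applying it. First, sessions forked by the listening sshd inherit its cgroup, so an interactive login also runs in "protected" unless something (for example a PAM session module) moves it elsewhere; `cat /proc/self/cgroup` from the new shell tells you which. Second, the floor only helps if it is large enough for sshd plus the login shell and whatever you need to run to kill the offender. The cgroup v1 hierarchies of the period the thread describes offer cpu.shares and a memory soft limit but no guaranteed minimum, which matches the "still lacks some of the features" remark above; memory.min is a v2 addition.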