14.13. Resource Limits

Contributed by Tom Rhodes.

Traditionally, FreeBSD used a resource limits database controlled through a flat file, /etc/login.conf. While this method is still supported, any change requires a multi-step process: editing this file to divide users into group labels known as classes, rebuilding the resource database using cap_mkdb, making the necessary changes to /etc/master.passwd, and rebuilding the password database using pwd_mkdb. This could be time-consuming, depending upon the number of users to configure.

Beginning with FreeBSD 9.0-RELEASE, rctl can be used to provide a more fine-grained method of controlling resource limits for users. This command supports much more than users, as it can also be used to set resource constraints on processes, jails, and the original login class. These advanced features provide administrators and users with methods to control resources through the command line and to set rules on system initialization using a configuration file.

14.13.1. Enabling and Configuring Resource Limits

By default, kernel support for rctl is not built-in, meaning that the kernel will first need to be recompiled using the instructions in Chapter 9, Configuring the FreeBSD Kernel. Add these lines to either GENERIC or a custom kernel configuration file, then rebuild the kernel:

options         RACCT
options         RCTL

Once the system has rebooted into the new kernel, rctl may be used to set rules for the system.

Rule syntax is controlled through the use of a subject, subject-id, resource, and action, as seen in this example rule:

user:trhodes:maxproc:deny=10/user

In this rule, the subject is user, the subject-id is trhodes, the resource, maxproc, is the maximum number of processes, and the action is deny, which blocks any new processes from being created. The value after the equals sign, 10, is the amount, and the trailing /user means that the amount is counted per user. This means that the user, trhodes, will be constrained to no greater than 10 processes. Other possible actions include logging to the console, passing a notification to devd(8), or sending a SIGTERM to the process.

Some care must be taken when adding rules. Since this user is constrained to 10 processes, this example will prevent the user from performing other tasks after logging in and executing a screen session. Once a resource limit has been hit, an error will be printed, as in this example:

% man test
/usr/bin/man: Cannot fork: Resource temporarily unavailable
eval: Cannot fork: Resource temporarily unavailable

As another example, a jail can be prevented from exceeding a memory limit. This rule could be written as:

# rctl -a jail:httpd:memoryuse:deny=2G/jail

Rules will persist across reboots if they have been added to /etc/rctl.conf. The format is a rule, without the preceding command. For example, the previous rule could be added as:

# Block jail from using more than 2G memory:
jail:httpd:memoryuse:deny=2G/jail
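
A syntax check for rules before they are placed in /etc/rctl.conf, given here as an added example that is not part of the original text or of the FreeBSD base system. The function names check_rule and lint_rctl_conf are hypothetical, only the subjects and actions named in this section are accepted, and a missing /per is assumed to default to the subject.

```sh
#!/bin/sh
# Added example: syntax check for rctl rules of the form
#   subject:subject-id:resource:action=amount/per
# Subjects and actions are limited to those this section names; see rctl(8).

# check_rule RULE: print a reason and return 1 when RULE is malformed.
check_rule() {
    rule=$1
    old_ifs=$IFS; IFS=:; set -f
    set -- $rule                          # split the rule on ':'
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "expected subject:subject-id:resource:action=amount"; return 1; }
    subject=$1 id=$2 resource=$3 rest=$4
    case $subject in process|user|loginclass|jail) ;;
        *) echo "unknown subject '$subject'"; return 1 ;; esac
    [ -n "$id" ] || { echo "empty subject-id"; return 1; }
    case $resource in ''|*[!a-z]*) echo "bad resource name '$resource'"; return 1 ;; esac
    case $rest in *=*) ;; *) echo "missing action=amount"; return 1 ;; esac
    action=${rest%%=*}; amount=${rest#*=}
    per=$subject                          # assumption: /per defaults to the subject
    case $amount in */*) per=${amount#*/}; amount=${amount%%/*} ;; esac
    case $action in deny|log|devctl|sig?*) ;;
        *) echo "unknown action '$action'"; return 1 ;; esac
    num=${amount%[kKmMgGtTpPeE]}          # allow one size suffix, as in 2G
    case $num in ''|*[!0-9]*) echo "bad amount '$amount'"; return 1 ;; esac
    case $per in process|user|loginclass|jail) ;;
        *) echo "unknown per '$per'"; return 1 ;; esac
}

# lint_rctl_conf: read rctl.conf text on stdin; report bad lines, return 1 if any.
lint_rctl_conf() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        msg=$(check_rule "$line") || { echo "line $n: $msg"; bad=1; }
    done
    return $bad
}

# Constructed sample contents; the last rule has a letter O typed in the amount.
lint_rctl_conf <<'EOF' || echo "fix the reported lines before installing the file"
# Block jail from using more than 2G memory:
jail:httpd:memoryuse:deny=2G/jail
user:trhodes:maxproc:log=8/user
user:trhodes:maxproc:deny=1O/user
EOF
```

On a real system the same function can be run as lint_rctl_conf < /etc/rctl.conf; it checks syntax only and does not confirm that the named user, jail, or resource exists.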

To remove a rule, use rctl to remove it from the list:

# rctl -r user:trhodes:maxproc:deny=10/user

A method for removing all rules is documented in rctl(8). However, if removing all rules for a single user is required, this command may be issued:

# rctl -r user:trhodes

Many other resources exist which can be used to exert additional control over various subjects. See rctl(8) to learn about them.
