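The procedure is as follows:
1. As root, edit the limits.conf file. "as" is short for address space, which should be Linux virtual memory (code follows later). After the change, log in as user wuhaiwei and run the following commands to check: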
[wuhaiwei@mail ~]$ cat /etc/security/limits.conf |grep wuhaiwei
wuhaiwei soft as 512000
wuhaiwei hard as 800000
[wuhaiwei@mail ~]$ id
uid=504(wuhaiwei) gid=505(wuhaiwei) groups=505(wuhaiwei)
[wuhaiwei@mail ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 62842
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65536
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 4096
virtual memory (kbytes, -v) 512000 (Setting it temporarily with ulimit -v 512000 should also work, right?)
file locks (-x) unlimited
2. How to test it? This limit controls the maximum memory usage of a single application (a single process) run by user wuhaiwei.
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=600M count=100000 &
[1] 21977
[wuhaiwei@mail ~]$
dd: memory exhausted
[1]+ Exit 1 dd if=/dev/zero of=/dev/null bs=600M count=100000
The limit takes effect: using 600M of memory is not allowed.
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=400M count=100000 &
[1] 22000
[wuhaiwei@mail ~]$ dd: memory exhausted
[1]+ Exit 1 dd if=/dev/zero of=/dev/null bs=400M count=100000
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$ ps aux |egrep 'USER|^wuhaiwei'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
wuhaiwei 21305 0.0 0.0 108320 1344 pts/3 S 10:09 0:00 -bash
wuhaiwei 22005 0.0 0.0 110244 1164 pts/3 R+ 10:27 0:00 ps aux
wuhaiwei 22006 0.0 0.0 108320 788 pts/3 D+ 10:27 0:00 -bash
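400M is over the limit too??? This shows that with a dd bs size of 400M, the virtual memory the process ends up with must exceed the 512M limit. (dd's address space is the bs buffer plus its own mappings: the 350M run below shows a VSZ of 463604K for a 358400K buffer, so a 409600K buffer lands above 512000K.)
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=350M count=100000 &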
[1] 22041
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$ ps aux |egrep 'USER|^wuhaiwei'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
wuhaiwei 21305 0.0 0.0 108320 1344 pts/3 S 10:09 0:00 -bash
wuhaiwei 22041 88.7 4.4 463604 359128 pts/3 R 10:29 0:07 dd if=/dev/zero of=/dev/null bs=350M count=100000
wuhaiwei 22042 0.0 0.0 110248 1168 pts/3 R+ 10:29 0:00 ps aux
wuhaiwei 22043 0.0 0.0 101036 876 pts/3 S+ 10:29 0:00 egrep USER|^wuhaiwei
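A bs size of 350M works. ps shows that the corresponding virtual memory (VSZ) is 463604K, which is less than 512000. No problem.
3. Now look at the limits that apply to this memory-consuming process: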
[wuhaiwei@mail ~]$ cd /proc/22041
[wuhaiwei@mail 22041]$ more limits
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 10485760 unlimited bytes
Max core file size 0 unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 4096 4096 processes
Max open files 65536 131072 files
Max locked memory 65536 65536 bytes
Max address space 524288000 819200000 bytes
Max file locks unlimited unlimited locks
Max pending signals 62842 62842 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
4. User wuhaiwei now temporarily changes his own virtual memory limit with a command, to 256M:
[wuhaiwei@mail 22041]$ ulimit -v 256000
[wuhaiwei@mail 22041]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 62842
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65536
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 4096
virtual memory (kbytes, -v) 256000
file locks (-x) unlimited
[wuhaiwei@mail 22041]$
[wuhaiwei@mail 22041]$ cat limits
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 10485760 unlimited bytes
Max core file size 0 unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 4096 4096 processes
Max open files 65536 131072 files
Max locked memory 65536 65536 bytes
Max address space 524288000 819200000 bytes
Max file locks unlimited unlimited locks
Max pending signals 62842 62842 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
[wuhaiwei@mail 22041]$ cd
[wuhaiwei@mail ~]$ kill 22041
[wuhaiwei@mail ~]$
[1]+ Terminated dd if=/dev/zero of=/dev/null bs=350M count=100000
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=300M count=100000 &
[1] 22161
[wuhaiwei@mail ~]$ dd: memory exhausted
[1]+ Exit 1 dd if=/dev/zero of=/dev/null bs=300M count=100000
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=200M count=100000 &
[1] 22166
[wuhaiwei@mail ~]$ dd: memory exhausted
[1]+ Exit 1 dd if=/dev/zero of=/dev/null bs=200M count=100000
[wuhaiwei@mail ~]$
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=150M count=100000 &
[1] 22169
[wuhaiwei@mail ~]$ dd: memory exhausted
[wuhaiwei@mail ~]$ dd if=/dev/zero of=/dev/null bs=100M count=100000 &
[1] 22174
[wuhaiwei@mail ~]$
[wuhaiwei@mail 22174]$ cat limits
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 10485760 unlimited bytes
Max core file size 0 unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 4096 4096 processes
Max open files 65536 131072 files
Max locked memory 65536 65536 bytes
Max address space 262144000 262144000 bytes (equivalent to the "-" character, soft=hard)
Max file locks unlimited unlimited locks
Max pending signals 62842 62842 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
5. A point of confusion:
[wuhaiwei@mail 22174]$ uname -a
Linux mail.juponing.com 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[wuhaiwei@mail 22174]$ cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
I cannot find any call to the pam_limits.so module. If this module is not called, how does limits.conf take effect?
[root@mail ~]# rpm -qf /etc/security/limits.conf
pam-1.1.1-17.el6.x86_64
[root@mail ~]# rpm -ql pam-1.1.1-17.el6.x86_64 |grep '.so'
/etc/security/console.apps
/etc/security/console.handlers
/etc/security/console.perms
/etc/security/console.perms.d
/lib64/libpam.so.0
/lib64/libpam.so.0.82.2
/lib64/libpam_misc.so.0
/lib64/libpam_misc.so.0.82.0
/lib64/libpamc.so.0
/lib64/libpamc.so.0.82.1
/lib64/security/pam_access.so
/lib64/security/pam_chroot.so
/lib64/security/pam_console.so
/lib64/security/pam_cracklib.so
/lib64/security/pam_debug.so
/lib64/security/pam_deny.so
/lib64/security/pam_echo.so
/lib64/security/pam_env.so
/lib64/security/pam_exec.so
/lib64/security/pam_faildelay.so
/lib64/security/pam_faillock.so
/lib64/security/pam_filter.so
/lib64/security/pam_ftp.so
/lib64/security/pam_group.so
/lib64/security/pam_issue.so
/lib64/security/pam_keyinit.so
/lib64/security/pam_lastlog.so
/lib64/security/pam_limits.so (See it? The module exists, yet it is not called at login. limits.conf is its configuration file.)
/lib64/security/pam_listfile.so
/lib64/security/pam_localuser.so
/lib64/security/pam_loginuid.so
/lib64/security/pam_mail.so
/lib64/security/pam_mkhomedir.so
/lib64/security/pam_motd.so
/lib64/security/pam_namespace.so
/lib64/security/pam_nologin.so
/lib64/security/pam_permit.so
/lib64/security/pam_postgresok.so
/lib64/security/pam_pwhistory.so
/lib64/security/pam_rhosts.so
/lib64/security/pam_rootok.so
/lib64/security/pam_securetty.so
/lib64/security/pam_selinux.so
/lib64/security/pam_selinux_permit.so
/lib64/security/pam_sepermit.so
/lib64/security/pam_shells.so
/lib64/security/pam_stress.so
/lib64/security/pam_succeed_if.so
/lib64/security/pam_tally2.so
/lib64/security/pam_time.so
/lib64/security/pam_timestamp.so
/lib64/security/pam_tty_audit.so
/lib64/security/pam_umask.so
/lib64/security/pam_unix.so
/lib64/security/pam_unix_acct.so
/lib64/security/pam_unix_auth.so
/lib64/security/pam_unix_passwd.so
/lib64/security/pam_unix_session.so
/lib64/security/pam_userdb.so
/lib64/security/pam_warn.so
/lib64/security/pam_wheel.so
/lib64/security/pam_xauth.so
/sbin/pam_console_apply
/usr/share/doc/pam-1.1.1/html/sag-see-also.html
/usr/share/doc/pam-1.1.1/txts/README.pam_console
/usr/share/doc/pam-1.1.1/txts/README.pam_postgresok
/usr/share/man/man5/console.apps.5.gz
/usr/share/man/man5/console.handlers.5.gz
/usr/share/man/man5/console.perms.5.gz
/usr/share/man/man8/pam_console.8.gz
/usr/share/man/man8/pam_console_apply.8.gz
/usr/share/man/man8/pam_postgresok.8.gz
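A PAM service file's effective stack also contains every file it pulls in with include or substack, so a module can run at login without being named in /etc/pam.d/login itself (on a stock RHEL/CentOS 6 install, system-auth normally carries the pam_limits.so session line). The following added example, which is not part of the original post, follows those directives to show where a module enters the stack. find_module is a hypothetical helper and both sample files are constructed, with login abridged from the listing above.

```python
import os
import re
import tempfile

# type, control (simple word or [bracketed list]), then module path or included service
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def find_module(pam_dir, service, module, kind="session", chain=()):
    """Return one 'file -> file [control]' string per place `module` enters the stack."""
    path = os.path.join(pam_dir, service)
    if service in chain or not os.path.isfile(path):   # include loop or missing file
        return []
    chain = chain + (service,)
    hits = []
    with open(path) as fh:
        for raw in fh:
            m = LINE.match(raw.split("#", 1)[0].strip())   # drop comments
            if not m or m.group(1) != kind:
                continue
            control, target = m.group(2), m.group(3)
            if control in ("include", "substack"):
                hits += find_module(pam_dir, target, module, kind, chain)
            elif os.path.basename(target) == module:
                hits.append(" -> ".join(chain) + " [" + control + "]")
    return hits

# Constructed sample files: login is abridged from the listing above; the
# system-auth content is an assumption modelled on a stock RHEL/CentOS 6 install.
LOGIN = """#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
session required pam_loginuid.so
session include system-auth
-session optional pam_ck_connector.so
"""
SYSTEM_AUTH = """#%PAM-1.0
session optional pam_keyinit.so revoke
session required pam_limits.so
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in (("login", LOGIN), ("system-auth", SYSTEM_AUTH)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return (find_module(d, "login", "pam_limits.so"),
                find_module(d, "login", "pam_limits.so", kind="auth"))

if __name__ == "__main__":
    print(demo())
```

On a real host, call find_module("/etc/pam.d", "login", "pam_limits.so") and repeat for sshd, su and any other entry point whose sessions should carry the limits.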
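6. Both "as" (address space) in limits.conf and ulimit -v (virtual memory size) are set for all processes of the user. How can a limit be set for just one particular process of the user? Reportedly cgroups can do this. Not tested.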
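RLIMIT_AS, the kernel limit behind "as" and ulimit -v, is a per-process attribute inherited across fork and exec, so one way to cap a single process without cgroups is to set it in the child just before exec. This added example, which is not from the original post, does that and confirms the parent's own limit is untouched. run_limited and probe are hypothetical helper names, and it assumes Linux with Python 3.

```python
import resource
import subprocess
import sys

def run_limited(argv, as_kb):
    """Run argv with RLIMIT_AS capped at as_kb KiB in that child only."""
    def set_limit():   # executed in the child after fork(), before exec()
        limit = as_kb * 1024
        resource.setrlimit(resource.RLIMIT_AS, (limit, limit))
    return subprocess.run(argv, preexec_fn=set_limit,
                          capture_output=True, text=True)

def probe(mib):
    """Build a child command that tries to allocate `mib` MiB and reports its soft limit."""
    code = (
        "import resource\n"
        "soft = resource.getrlimit(resource.RLIMIT_AS)[0]\n"
        "try:\n"
        f"    buf = bytearray({mib} * 1024 * 1024)\n"
        "    print('ok', soft)\n"
        "except MemoryError:\n"
        "    print('MemoryError', soft)\n"
    )
    return [sys.executable, "-c", code]

def demo(limit_kb=256000):   # same value as the ulimit -v 256000 step above
    before = resource.getrlimit(resource.RLIMIT_AS)
    small = run_limited(probe(50), limit_kb).stdout.split()
    large = run_limited(probe(300), limit_kb).stdout.split()
    unchanged = resource.getrlimit(resource.RLIMIT_AS) == before
    return small, large, unchanged

if __name__ == "__main__":
    print(demo())
```

The child reports a soft limit of 262144000 bytes, the same figure /proc/22174/limits shows above, while every other process of the user keeps whatever limits.conf gave it.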
7. A final note:
A small C program that uses malloc to test how much memory can be allocated:
[wuhaiwei@mail ~]$ cat test.c
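#include <stdio.h>
#include <stdlib.h>

size_t maximum = 0;

int main(int argc, char *argv[])
{
    void *block;
    void *tmpblock = NULL;
    /* probe in 1 MiB steps, then 1 KiB steps, then single bytes */
    size_t blocksize[] = {1024 * 1024, 1024, 1};
    int i, count;

    for (i = 0; i < 3; i++) {
        for (count = 1;; count++) {
            /* ask for more than the largest size that has succeeded so far */
            block = malloc(maximum + blocksize[i] * count);
            if (block) {
                tmpblock = block;
                maximum += blocksize[i] * count;
                free(block);
            } else {
                break;
            }
        }
    }
    printf("maximum malloc size = %lf GB\n", maximum * 1.0 / 1024.0 / 1024.0 / 1024.0);
    /* %p is the correct conversion for pointers; %x truncates them on x86_64 */
    printf("the address is %p\n", tmpblock);
    printf("the address end is %p\n", (void *)((char *)tmpblock + maximum));
    //while(1);
    return 0;
}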
[wuhaiwei@mail ~]$ gcc -o malloc.c test.c
[wuhaiwei@mail ~]$ ./malloc.c
maximum malloc size = 0.484375 GB
the address is 38fa7010
the address end is 57fa7010
[wuhaiwei@mail ~]$