Limiting resources (CPU, memory) for Jails - rctl

I'd say rctl(8) is the way to go, the other methods require kernel/userland patch and recompile, that will most likely break when you upgrade and the patches will probably only work on the revision of the code they were created for.

This quarterly report suggests the code is basically considered to be stable, http://www.freebsd.org/news/status/report-2011-01-2011-03.html#RCTL,-aka-Resource-Containers I don't think %cpu time made it in time for 9.0-RELEASE, but maybe soon?

Most of the code has already been merged into CURRENT. There are two remaining problems I would like to solve before 9.0-RELEASE - see below - but otherwise, the code is stable; please test and report any problems. You will need to rebuild the kernel with "options RACCT" and "options RCTL". The rctl(8) manual page should be a good introduction on how to use it.

Also have a look at cpuset(1), it will let you assign one or more cpu core to a jail. For example, to assign CPU0 and CPU2 to jailid 3:

# cpuset -l 0,2 -j 3

More examples in the man page, let us know how you get on!
 
Hi,

I've just installed FreeBSD 9.0 and noticed that when I did a [cmd=]which rctl[/cmd] it replies with the path
Code:
/usr/bin/rctl

Please clarify if I really need to rebuild the kernel to use rctl.

Thanks!

Kevin.
 
Yes, you will need to rebuild your kernel with the relevant options. There doesn't seem to be a way to load it as a module via kldloadyet.

The userland tool /usr/bin/rctl is included in the default install, but it will not work with out modification to GENERIC kernel. If you do attempt to use it you will get an error with an exit code of 1:
# /usr/bin/rctl ; echo $?
Code:
rctl: rctl_get_rules: Function not implemented
1
For completeness the steps needed to do this:

Create a new kernel config file containing something like this.
# cat /usr/src/sys/amd64/conf/RCTL
Code:
include         GENERIC
ident           RCTL

options         RACCT
options         RCTL
# cd /usr/src
# make buildkernel KERNCONF=RCTL
# make installkernel KERNCONF=RCTL
# reboot

After reboot /usr/bin/rctl will function as intended.
 
As we are nearing the release of FreeBSD version 9.1, are there any improvements over rctl in this release?
 
Yes, there were some important fixes. No new functionality, though. And 9-STABLE should get CPU percentage limits in a month or so (they are already there in 10-CURRENT).
 
trasz@:

Thanks for the update, you said "9-STABLE should get CPU percentage limits in a month or so"... do you mean I can expect this is the 9.1 release expected in December (or soon)? I'll happily rejoice if so... :)

Thanks!

Kevin.
 
Does not work in 9.1

jake said:
Yes, you will need to rebuild your kernel with the relevant options. There doesn't seem to be a way to load it as a module via kldloadyet.

The userland tool /usr/bin/rctl is included in the default install, but it will not work with out modification to GENERIC kernel. If you do attempt to use it you will get an error with an exit code of 1:
# /usr/bin/rctl ; echo $?
Code:
rctl: rctl_get_rules: Function not implemented
1
For completeness the steps needed to do this:

Create a new kernel config file containing something like this.
# cat /usr/src/sys/amd64/conf/RCTL
Code:
include         GENERIC
ident           RCTL

options         RACCT
options         RCTL
# cd /usr/src
# make buildkernel KERNCONF=RCTL
# make installkernel KERNCONF=RCTL
# reboot

After reboot /usr/bin/rctl will function as intended.

Well, I tried to do the same thing in FreeBSD 9.1 and it failed:

Code:
/usr/src/sys/amd64/acpica/acpi_switch.S: Assembler messages: 
/usr/src/sys/amd64/acpica/acpi_switch.S:146: Error: no such instruction: 'xsetbv'
/usr/src/sys/amd64/acpica/acpi_switch.S:147: Error: no such instruction: 'xrstor (%rbx)'
*** [acpi_switch.o] Error code 1

Stop in /usr/obj/usr/src/sys/RCTL.
*** [buildkernel] Error code 1

Stop in /usr/src
*** [buildkernel] Error code 1

Stop in /usr/src.

Note: I was trying to test it by installing under VMware Fusion on OS X.
 
This doesn't seem to be related to RACCT/RCTL, but rather to some newer ACPI code being incompatible with older (9.0?) compiler. Please rebuild the world and then the kernel.
 
any update RCTL patch to FreeBSD 9.1?

@trasz@: Great work!

Is there any update on the RCTL patch to FreeBSD 9.1?

Resource allocation is the main reason that prevented me to adopt jails from OpenVZ. BTW, is there someone using RCTL+jails in a production? Any use-case?

Thanks!
 
@trasz@,

One question, the pcpu limit works only on one core. Will there be a way to limit CPU cores also? Or maybe make the pcpu limit with a sum of all cores (8x100 - 800%)?
 
Last edited by a moderator:
@trasz@,

I found one problem with rctl and I don't know how to go around it.

See, I have sshd with chroot, and of course it hits the limit that is set for service users (pcpulimit deny=10/proc). This heavily deteriorates the performance of sshd. So what I wanted to know if either you could match a specific process name or better to just ignore rules for particular process names?

I really don't know how to figure this out: if I set racct limit only for the user - it breaks SSH performance because. if I don't set the limits, users go havoc in Apache chroot jails...
 
Last edited by a moderator:
ikevin8me said:
How is the status of rctl in FreeBSD 10? Is it built in, or do we need to rebuild the kernel?

This page http://www.freebsd.org/doc/handbook/security-resourcelimits.html seems to be describing that it can limit memory usage for jails. Anyone using this (or plan to use it) for production mode?

A custom kernelbuild with

Code:
options         RACCT
options         RCTL
is still needed to use rctl.

We already using cpuset to limit number of cpu cores per jail and we'll try to limit the memory usage by using rctl soon.
 
Back
Top