Solved Rctl not working

I have some jails working, but I can't seem to get rctl to apply any settings with them. I looked at the handbook on this and it suggested configuring /etc/login.conf. So I did this on one of my jails, which now contains this:

Code:
# egrep -v "^#|^$" /etc/login.conf
default:\
    :passwd_format=sha512:\
    :copyright=/etc/COPYRIGHT:\
    :welcome=/var/run/motd:\
    :setenv=BLOCKSIZE=K:\
    :mail=/var/mail/$:\
    :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
    :nologin=/var/run/nologin:\
    :cputime=1h:\
    :datasize=2G:\
    :stacksize=unlimited:\
    :memorylocked=64K:\
    :memoryuse=512M:\
    :filesize=unlimited:\
    :coredumpsize=unlimited:\
    :openfiles=unlimited:\
    :maxproc=50:\
    :sbsize=unlimited:\
    :vmemoryuse=512M:\
    :swapuse=unlimited:\
    :pseudoterminals=unlimited:\
    :kqueues=unlimited:\
    :umtxp=unlimited:\
    :priority=0:\
    :ignoretime@:\
    :umask=022:\
    :charset=UTF-8:\
    :lang=C.UTF-8:
standard:\
    :tc=default:
xuser:\
    :tc=default:
staff:\
    :tc=default:
daemon:\
    :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
    :mail@:\
    :memorylocked=128M:\
    :tc=default:
news:\
    :tc=default:
dialer:\
    :tc=default:
root:\
    #:ignorenologin:\
    #:memorylocked=unlimited:\
        :datasize=2G:\
        :stacksize=512M:\
        :maxproc=50:\
        :cputime=1h:\
        :memoryuse=512M:\
        :vmemoryuse=2G:
    :tc=default:
russian|Russian Users Accounts:\
    :charset=UTF-8:\
    :lang=ru_RU.UTF-8:\
    :tc=default:

Basically I just set up these for both root and default hoping one or both would work:

Code:
:maxproc=50:\
        :cputime=1h:\
        :memoryuse=512M:\
        :vmemoryuse=2G:

I configured rctl on the host:

Code:
# sysrc rctl_enable="YES"
rctl_enable: YES -> YES

Then I added to /boot/loader.conf and rebooted to apply it:

Code:
kern.racct.enable="1"

I also configured this in the /etc/rctl.conf of the host:

Code:
$ cat /etc/rctl.conf
jail:www2:memoryuse:deny=512M
jail:www2:vmemoryuse:deny=2G
jail:www2:maxproc:deny=50

If I run rctl by itself, it seems to pick that up:

Code:
$ rctl
jail:www2:maxproc:deny=50
jail:www2:vmemoryuse:deny=2147483648
jail:www2:memoryuse:deny=536870912

However, if I do a restart, it does not show that rctl is running in ps faux:

Code:
# service rctl restart
# ps faux | grep restart
root   7917   0.0  0.1  12812  2280  0  S+   21:11      0:00.08 grep restart

I don't see a module for it in the kernel and can't seem to load one:

Code:
# kldstat | grep -c rctl
0
# kldload rctl
kldload: can't load rctl: No such file or directory

The limits shown in the output from the rctl command are also not getting applied on the jail in question. Anyone know what I might be missing?
 
Close, but you put the entries in /etc/rctl.conf after enabling it in /etc/rc.conf as you say, then you can query it with the rctl command with the appropriate switches you'll find in the man page.

I used to use it to control memory use of jails but found it tended to lock out the jail with an OOM if memory limits were hit so stopped using it...

Code:
# Block jail from using more than 1G memory:
jail:ZNC:vmemoryuse:deny=1024M
jail:ZNC:vmemoryuse:log=768M
# Block jail from using more than 6G memory:
jail:IntraNet:vmemoryuse:deny=6144M
jail:IntraNet:vmemoryuse:log=5888M
# Block jail from using more than 6G memory:
jail:OwnCloud:vmemoryuse:deny=6144M
jail:OwnCloud:vmemoryuse:log=5888M
# Block jail from using more than 6G memory:
jail:NewzNab:vmemoryuse:deny=6144M
jail:NewzNab:vmemoryuse:log=5888M
# Block jail from using more than 6G memory:
jail:NextCloud:vmemoryuse:deny=6144M
jail:NextCloud:vmemoryuse:log=5888M

Here's an example of my rctl.conf file.
 
Appreciate it, but I don't think that's it. If it was just the order of enabling /etc/rctl.conf and /etc/rc.conf, I would assume that after rebooting things would work, but they do not.

Your entries from rctl.conf don't seem different from mine other than I used 2G for one. I tried changing it to 2048M, but that didn't change anything either.

Are you able to restart the rctl process? See it running? Or see the module for it in kldstat? If so, it must be something else.
 
Hi,

I don't use rctl, so I took a look at the handbook, and if I got it right, it seems that you should pick one method: either configuring /etc/login.conf or using rctl. You used both; this could be the issue.
An idea: in order to know if it works, you can create a jail that will exceed RAM on purpose and change the action from deny to log, leaving some evidence to look at.
 
Maybe I misread the handbook. I thought it said I needed both. If I do as you say and remove the /etc/login.conf, where will I see evidence if I change 'deny' to 'log'? Will this show up in a particular log file or somewhere else?
 
rctl is not a daemon. If you have written /etc/rctl.conf, you can see that it is enabled by running the rctl command after reboot.
 
Well, the rctl command does work after boot. Does it need a module loaded in the kernel? Or is that wrong too?
 
Try uppercasing the search string: grep -c RCTL /usr/src/sys/amd64/conf/GENERIC
You can also use this command: sysctl kern.conftxt | grep RCTL
 
where will I see evidence if I change 'deny' to 'log'? Will this show up in a particular log file or somewhere else?
I did some tests and it works as expected: when triggered, rctl gives some warnings in the log file /var/log/messages (on the host, not the jail).
Here it's configured to get triggered when the number of running processes in the jail exceeds 5.

# see rctl.conf
Code:
toor@fbsd > cat /etc/rctl.conf
jail:j2:maxproc:log=5

# check running process when the jail starts and does nothing
Code:
toor@fbsd > ps -J j2 | wc -l
  4

# now run a command from the jail
Code:
toor@fbsd > jexec -l -U root j2 ping -c3 freebsd.org

# then check the log file
Code:
toor@fbsd > grep rctl /var/log/messages
Sep  1 11:10:07 fbsd kernel: rctl: rule "jail:j2:maxproc:log=5" matched by pid 9297 (ping), uid 0, jail j2
Sep  1 11:10:07 fbsd kernel: rctl: rule "jail:j2:maxproc:log=5" matched by pid 9298 (ping), uid 0, jail j2

I noticed that the service rctl needs to be stopped and then started when some changes are made in /etc/rctl.conf; strangely, restarting it did not work.

Are you able to restart the rctl process? See it running?
Apparently the service rctl doesn't have the status option (service rctl status). I can't explain why, but yes, it seems to work differently than other usual services, but that's beyond my knowledge.
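
The log-action test in the post above, extended into a small summary of which rules fire, in which jail, and from which commands. This is an added example, not code from the thread; it assumes the kernel message shape shown in the post, and the sample lines other than the first two are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise RCTL "log" action hits.
# Expected line shape, as shown in the thread:
#   ... kernel: rctl: rule "<rule>" matched by pid N (cmd), uid U, jail J

rctl_hits() {
    # stdin: syslog lines. stdout: "<hits> <jail> <rule> <commands>", busiest first.
    awk '
        /kernel: rctl: rule "/ {
            rule = $0
            sub(/^.*rctl: rule "/, "", rule)     # strip text before the rule
            sub(/".*$/, "", rule)                # strip text after it
            cmd = $0
            sub(/^.* matched by pid [0-9]+ \(/, "", cmd)
            sub(/\), uid .*$/, "", cmd)
            key = $NF " " rule                   # last field is the jail name
            hits[key]++
            if (index("," cmds[key] ",", "," cmd ",") == 0)
                cmds[key] = (cmds[key] == "" ? cmd : cmds[key] "," cmd)
        }
        END { for (k in hits) print hits[k], k, cmds[k] }
    ' | sort -k1,1nr -k2
}

sample_log() {
    # First two lines are from the thread; the rest are constructed.
    cat <<'EOF'
Sep  1 11:10:07 fbsd kernel: rctl: rule "jail:j2:maxproc:log=5" matched by pid 9297 (ping), uid 0, jail j2
Sep  1 11:10:07 fbsd kernel: rctl: rule "jail:j2:maxproc:log=5" matched by pid 9298 (ping), uid 0, jail j2
Sep  1 11:12:40 fbsd kernel: rctl: rule "jail:j2:maxproc:log=5" matched by pid 9310 (sh), uid 0, jail j2
Sep  1 11:13:02 fbsd kernel: rctl: rule "jail:j3:maxproc:log=20" matched by pid 9411 (httpd), uid 80, jail j3
Sep  1 11:13:05 fbsd sshd[812]: Accepted publickey for toor from 192.0.2.10 port 50022 ssh2
EOF
}

sample_log | rctl_hits
```

On the host, feed it the real file instead: `rctl_hits < /var/log/messages`.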
 
Code:
options         RCTL                    # Resource limits
is that.
Well, it was in the kernel config, but something strange happened. Despite rebooting between almost every change, I had not seen anything work. I took a break and didn't change anything. Rebooted for something else a few hours later and suddenly the limits were applied. I don't know why. Sometimes I have to just chalk some things in IT up to gremlins or magic. Hopefully if someone else has troubles with rctl they can come here and use some of these steps. For now, thanks everyone and I'll mark this solved.
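
For anyone repeating these steps: the first post shows `rctl` printing amounts in bytes (`2147483648`) while /etc/rctl.conf uses suffixes (`2G`), so a plain diff cannot tell whether the configured rules are the ones actually loaded. The following added example (not code from the thread) normalizes both sides and lists configured rules missing from a saved `rctl` listing; the `openfiles` rule and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list rules that are in an rctl.conf-style
# file but missing from a saved `rctl` listing, after expanding size suffixes.
normalize_rules() {
    # stdin: one rule per line. stdout: sorted rules, K/M/G/T expanded to numbers.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) { print; next }         # rule without an amount
            head = substr($0, 1, eq)             # subject:id:resource:action=
            amount = substr($0, eq + 1)
            per = ""
            slash = index(amount, "/")           # optional "/per" suffix
            if (slash > 0) {
                per = substr(amount, slash)
                amount = substr(amount, 1, slash - 1)
            }
            mult = index("KMGT", toupper(substr(amount, length(amount))))
            if (mult > 0)
                amount = substr(amount, 1, length(amount) - 1) * 1024 ^ mult
            printf "%s%.0f%s\n", head, amount, per
        }
    ' | sort
}

missing_rules() {
    # $1: rctl.conf-style file, $2: file holding the output of `rctl`
    want=$(mktemp) have=$(mktemp)
    normalize_rules < "$1" > "$want"
    normalize_rules < "$2" > "$have"
    comm -23 "$want" "$have"                     # lines only in the configured set
    rm -f "$want" "$have"
}

demo() {
    conf=$(mktemp) live=$(mktemp)
    # Constructed input: the thread's rules plus one rule that never got loaded.
    printf '%s\n' '# www2 limits' 'jail:www2:memoryuse:deny=512M' \
        'jail:www2:vmemoryuse:deny=2G' 'jail:www2:maxproc:deny=50' \
        'jail:www2:openfiles:deny=4K' > "$conf"
    printf '%s\n' 'jail:www2:maxproc:deny=50' \
        'jail:www2:vmemoryuse:deny=2147483648' \
        'jail:www2:memoryuse:deny=536870912' > "$live"
    missing_rules "$conf" "$live"
    rm -f "$conf" "$live"
}

demo
```

On the host, save the live rules with `rctl > /tmp/rctl.live` and run `missing_rules /etc/rctl.conf /tmp/rctl.live`; empty output means every configured rule is loaded.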
 