5. Advanced Host Configuration

5.1. Setting User and Group Limits

One of the dangers associated with the thin client model is that a runaway process might eat up all of the available system memory and/or CPU on the host system. When this happens, the performance on that system can degrade resulting in system hangs, freezes, and a range of other generally undesirable consequences.

Fortunately, Linux comes with a set of facilities to mitigate these kinds of problems. The first tool that we will look at is the limits.conf file located in /etc/security. limits.conf provides the ability to specify user and group level limits to certain types of system resources, including memory. Limits set in this file are set on a per user or per group basis. Though there are many limits that can be set in this file, we will address only a few in this tutorial.

The basic syntax for limits.conf consists of individual lines with values of the following types: (domain) (type) (item) (value) where domain is user or group, type refers to a hard or soft limit, item refers to the resource being limited and value referring to the value associated with the limit being set. For example, setting the following value:

guest           hard     priority        19

places a hard limit on the priority with which jobs are scheduled for a user named "guest". In this case, guest is always scheduled at the lowest possible priority.

As another example, to set a max cpu time of 10 minutes for user guest, set the following value:

guest           hard     cpu             10

As a final example, to set a limit of 3 failed logins for a group called guest, set the following value:

@guest	hard 	maxlogins	3

5.2. More Limits

A second method for limiting the potential impact of runaway proceses is to set limits on a per-process basis. This can be achieved by setting the ulimit command in /etc/profile.

To set a soft limit on the maximum amount of memory available to a given process to a value that is less than the total amount of memory on the system on a system with 1 GB of real memory and 500 MB of virtual memory you would set the following values in /etc/profile:

ulimit -S -m 1000000
ulimit -S -v  500000

With this value set, the system will kill any process that tries to take up more resources than you have set as a limit.