rctl within jail

David Demelier demelier.david at gmail.com
Sun Sep 22 15:52:06 UTC 2013


On 22.09.2013 15:45, Fbsd8 wrote:
> David Demelier wrote:
>> Hello there,
>>
>> I wanted to use rctl within a jail to add more fine-grained settings for
>> some users, and default ones too. But it does not seem to work. Is it
>> supported? Do we need to add a special flag to the jail creation?
>>
>> # rctl -a loginclass:default:maxproc:deny=30
>> rctl: rctl_add_rule: Operation not permitted
>>
>> Regards,
>>
>> David
> 
> The rctl command is brand new. It does not have a group of users yet, so
> that is why you have not received any replies to your post.
> 
> As far as I know you can not issue the "rctl" command from within the
> running jail.
> 
> The "rctl" command is issued on the HOST only.
> 
> You can apply rules to an entire jail if you want to, for example, to
> limit the amount of memory a jail can use:
> 
> # rctl -a jail:<jailname>:memoryuse:deny=1G
> 
> (where <jailname> is the name of your jail). This would make sure the
> jail can't use more than (approximately) 1 gigabyte of memory.
> 
> To enable rctl on the host, you need to compile a custom kernel that
> contains the following 2 parameters:
> options RACCT
> options RCTL
> 

Yes, I will also post a PR for this because no manpage says that
you require this in your kernel.

I will provide a new manpage and a bit more documentation.

> I think your rctl command would look like this when issued from the host
> rctl -a jail:<jailname>:loginclass:default:maxproc:deny=30
> 

What I really want is to prevent users from spawning too many processes
(aka fork bombs). But if I apply it to the jail directly, it also applies
to the services jails, which is a bit unwanted.

Regards,
David


More information about the freebsd-questions mailing list