Jail limits control
jrctl, jrctl-tui commands
% cbsd jrctl
% cbsd jrctl-tui
CBSD supports many of FreeBSD's mechanisms for enforcing limits on a jail's resource usage.
File quotas
Floating file quotas are only possible for jails residing on ZFS-file system. For systems stored on UFS a similar restrictions can be enforced using an md(4)-based vnode file/image and making use of mdsize for the jail).
Renice prioritization
CBSD uses renice(8) to prioritize each jail's access to the CPU. This makes it possible to select different priorities on a per jail basis and give the most important jails the highest share of CPU time. For example, you may want to have your distcc jail set to a low priority, give your web server medium and the jail hosting the database the highest priority. The actual prioritization is taken care of by nice(1) which gets the value for each jail from jail rctl. The values set here correspond to the behavior of nice(1) — the lowest integer resulting in the highest priority.
Renice example:
1) Let's create an AMP jail and have it run a php script that performs some work (such as bench.zip taken from php-benchmark-script). We then clone the jail, calling the first highprio1 and the second lowprio1. Using cbsd jrctl-tui we give the first the highest possible priority -20, and set the second jail to the lowest priority of 20. In addition we limit the jail to one core through cpuset with cbsd jconfig (single-core systems are hard to come by these days and smart schedulers do not allow for a clean experiment without taking this step ;-).
% cbsd jls display=jid,jname,ip4_addr,cpuset
16 highprio1 10.0.0.121/24 4
17 lowprio1 10.0.0.122/24 4
make poll top state congestion php-fpm with JID output:
% export iter=1
% while [ 1 ]; do
printf "Iter: $iter" ;
iter=$((iter+1))
top -jab | grep php
sleep 1
done
% fetch -T 300 -o /dev/stdout http://10.0.0.121 & fetch -T 300 -o /dev/stdout http://10.0.0.122 &
[1] 65985
[2] 65986
--------------------------------------
| PHP BENCHMARK SCRIPT |
--------------------------------------
Start : 2014-01-06 16:28:59
Server : @10.0.0.121
PHP version : 5.4.23
Platform : FreeBSD
--------------------------------------
test_math : 12.870 sec.
test_stringmanipulation : 15.896 sec.
test_loops : 8.968 sec.
test_ifelse : 7.864 sec.
--------------------------------------
Total time: : 45.598 sec.
--------------------------------------
| PHP BENCHMARK SCRIPT |
--------------------------------------
Start : 2014-01-06 16:29:02
Server : @10.0.0.122
PHP version : 5.4.23
Platform : FreeBSD
--------------------------------------
test_math : 32.632 sec.
test_stringmanipulation : 18.053 sec.
test_loops : 6.323 sec.
test_ifelse : 5.504 sec.
--------------------------------------
Total time: : 62.512 sec.
[2] Done fetch -T 300 -o /dev/stdout http://10.0.0.122
[1] + Done fetch -T 300 -o /dev/stdout http://10.0.0.121
Iter: 1
65101 16 www 1 35 -20 32548K 11456K CPU4 4 0:35 20.56% php-fpm: pool www (php-fpm)
65587 17 www 1 52 20 32548K 11456K RUN 4 0:32 0.00% php-fpm: pool www (php-fpm)
Iter: 2
65101 16 www 1 60 -20 32548K 11456K RUN 4 0:36 25.98% php-fpm: pool www (php-fpm)
65587 17 www 1 42 20 32548K 11456K CPU4 4 0:33 2.10% php-fpm: pool www (php-fpm)
Iter: 3
65101 16 www 1 60 -20 32548K 11456K CPU4 4 0:36 26.27% php-fpm: pool www (php-fpm)
65587 17 www 1 94 20 32548K 11456K RUN 4 0:33 8.59% php-fpm: pool www (php-fpm)
Iter: 4
65101 16 www 1 61 -20 32548K 11456K CPU4 4 0:37 31.69% php-fpm: pool www (php-fpm)
65587 17 www 1 95 20 32548K 11456K RUN 4 0:34 9.47% php-fpm: pool www (php-fpm)
Iter: 5
65101 16 www 1 62 -20 32548K 11456K CPU4 4 0:37 35.60% php-fpm: pool www (php-fpm)
65587 17 www 1 95 20 32548K 11456K RUN 4 0:34 11.18% php-fpm: pool www (php-fpm)
Iter: 6
65101 16 www 1 64 -20 32548K 11456K CPU4 4 0:38 38.96% php-fpm: pool www (php-fpm)
65587 17 www 1 96 20 32548K 11456K RUN 4 0:34 12.79% php-fpm: pool www (php-fpm)
...
The jail with jid 16 is getting a larger share of the available CPU cycles and executes almost 1.5 times faster.
RACCT/RCTL framework
If your kernel has support RACCT/RCTL, you can set limits on the jail and watch the current statistics for jail resources. To do this, there is a command cbsd jrctl, which arguments
% cbsd jrctl mode=apply ...
% cbsd jrctl mode=unset ...
% cbsd jrctl mode=show
By command:
% cbsd jrctl
$workdir/$jname/jail.limits
By jrctl you can set the following limits jail:
a) All you can do a framework FreeBSD rctl(8):
cputime | CPU time, in seconds |
---|---|
datasize | data size, in bytes |
stacksize | stack size, in bytes |
coredumpsize | core dump size, in bytes |
memoryuse | resident set size, in bytes |
memorylocked | locked memory, in bytes |
maxproc | number of processes |
openfiles | file descriptor table size |
vmemoryuse | address space limit, in bytes |
pseudoterminals | number of PTYs |
swapuse | swap usage, in bytes |
nthr | number of threads |
msgqqueued | number of queued SysV messages |
msgqsize | SysV message queue size, in bytes |
nmsgq | number of SysV message queues |
nsem | number of SysV semaphores |
nsemop | number of SysV semaphores modified in a single semop(2) call |
nshm | number of SysV shared memory segments |
shmsize | SysV shared memory size, in bytes |
wallclock | wallclock time, in seconds |