CGroup configuration in CentOS 7

centos7cgroupconfigurationmemorysystemd

I am using CentOS 7 and I have several users registered in system (UIDs: 1000, 1001, 1002, etc)

I want to restrict memory consumption for each user using cgroup and systemd.

The following commands work pretty well but the user with UID=1000 must be logged in.

systemctl set-property user-1000.slice MemoryLimit=3000M
systemctl daemon-reload

If the user is not login I receive the following error message

Failed to set unit properties on user-1000.slice: Unit user-1000.slice is not loaded.

Imagine I have 20 users and I want to set up memory restrictions for them. Should I log in manually or write some workaround script to do it in order to run systemctl set-property command for each user? Or some elegant and straightforward solution exists?

Best Answer

There is a similar question answered here: https://unix.stackexchange.com/questions/34334/how-to-create-a-user-with-limited-ram-usage

The limits imposed by ulimit and limits.conf is per process. I definitely wasn't clear on that point.

If you want to limit the total amount of memory a users uses (which is what you asked). You want to use cgroups.

In /etc/cgconfig.conf:
group memlimit {
    memory {
        memory.limit_in_bytes = 4294967296;
    }
}
This creates a cgroup that has a max memory limit of 4GiB.

In /etc/cgrules.conf:
luser   memory   memlimit/
This will cause all processes run by luser to be run inside the memlimit cgroups created in cgconfig.conf.

Related Solutions

Cgroups memory 16GB ceiling

**Note: Undeleting for posterity **

Your problem is here

# No alternate memory nodes if the system is not NUMA
# On computenodes use all available cores
    cpuset {
        cpuset.mems="0";
        cpuset.cpus="0-47";
    }
}

You are only ever using one node of memory. You need to set this to use all nodes of memory.

I also think the below applies too, and you'll see the problem still unless you know about the below. So leaving in for posterity.

This issue basically boils down to the hardware being used. The kernel has a heuristic to determine the value of this switch. This alters how the kernel determines memory pressure on a NUMA system.

zone_reclaim_mode:

Zone_reclaim_mode allows someone to set more or less aggressive approaches to
reclaim memory when a zone runs out of memory. If it is set to zero then no
zone reclaim occurs. Allocations will be satisfied from other zones / nodes
in the system.

This is value ORed together of

1   = Zone reclaim on
2   = Zone reclaim writes dirty pages out
4   = Zone reclaim swaps pages

zone_reclaim_mode is set during bootup to 1 if it is determined that pages
from remote zones will cause a measurable performance reduction. The
page allocator will then reclaim easily reusable pages (those page
cache pages that are currently not used) before allocating off node pages.

It may be beneficial to switch off zone reclaim if the system is
used for a file server and all of memory should be used for caching files
from disk. In that case the caching effect is more important than
data locality.

Allowing zone reclaim to write out pages stops processes that are
writing large amounts of data from dirtying pages on other nodes. Zone
reclaim will write out dirty pages if a zone fills up and so effectively
throttle the process. This may decrease the performance of a single process
since it cannot use all of system memory to buffer the outgoing writes
anymore but it preserve the memory on other nodes so that the performance
of other processes running on other nodes will not be affected.

Allowing regular swap effectively restricts allocations to the local
node unless explicitly overridden by memory policies or cpuset
configurations.

To give you some idea here of what is going on, memory is broken up into zones, this is specifically useful on NUMA systems which RAM is tied to specific CPUs. In these hosts memory locality can be an important factor in performance. If for example memory banks 1 and 2 are assigned to physical CPU 0, CPU 1 can access this but at the cost of locking that RAM from CPU 0, which causes a performance degradation.

On linux, the zoning reflects the NUMA layout of the physical machine. Each zone is 16GB in size.

What is happening at the moment with zone reclaim on is the kernel is opting to reclaim (write dirty pages to disk, evict file cache, swap out memory) in a full zone (16 GB) rather than permit the process to allocate memory in another zone (which will impact performance on that CPU. This is why you notice swapping after 16GB.

If you switch off this value this should alter the behaviour of the kernel not aggressively reclaim zone data and instead allocate from another node.

Try switching off zone_reclaim_mode by running sysctl -w vm.zone_reclaim_mode=0 on your system and then re-running your test.

Note, long running high memory processes running on a configuration like this with zone_reclaim_mode off will become increasingly expensive over time.

If you allow lots of disparate processes running on many different CPUs all using lots of memory to use any node with free pages, you can effectively render the performance of the host to something akin to it only having 1 physical CPU.

Cannot create symlink from /var/tmp to /tmp. Cannot delete /var/tmp – CentOS 7

Based on the output provided, /var/tmp is mounted under / (root) filesystem. /tmp filesystem is your swap. Not sure why you need to symlink swap to /var/tmp.

Best Answer

Related Solutions

Cgroups memory 16GB ceiling

Cannot create symlink from /var/tmp to /tmp. Cannot delete /var/tmp – CentOS 7

Related Topic