Linux: Cgroups Resource Limiting
This document describes a basic installation of the arbiter2 tool, which applies CPU and memory limits to logged-in Linux users using cgroups accounting. The official documentation can be found at https://github.com/subfission/arbiter2/blob/master/INSTALL.md
Installing Python
$ sudo yum install python36
Installing external modules
$ python3 -m ensurepip --default-pip
$ pip3 install matplotlib toml requests # requests may not be necessary
Acquiring the Arbiter2 source files
$ sudo yum install git
# Recommended: clone arbiter2 to /etc/arbiter2
$ git clone https://gitlab.chpc.utah.edu/arbiter2/arbiter2.git optional-destination-directory
Setting up 'arbiter' user to run the script
$ useradd -M -N -r -s /bin/false -c "System account for Arbiter2" arbiter
# Create group arbiter
$ groupadd arbiter
# Add user arbiter to group arbiter
$ usermod -a -G arbiter arbiter
Allowing cgroup files to be edited without root via sudo
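# Run from the arbiter2 directory. A plain "> file" redirect is performed by the unprivileged shell, not by sudo, so the file is written through sudo tee.
$ sudo python3 tools/make_sudoers.py -u arbiter -g arbiter | sudo tee /etc/sudoers.d/arbiter2 > /dev/null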
Create logs directory
$ mkdir -p /etc/arbiter2/logs/`hostname`/plots
$ chmod 773 /etc/arbiter2/logs/`hostname`
# Make arbiter the owner of the cloned arbiter2 directory
$ chown -R arbiter /etc/arbiter2
Set up arbiter2 service file
Modify the /etc/arbiter2/arbiter2.service file
[Service]
# Username to run the arbiter2 service as. Recommended to run as arbiter.
User=arbiter
# Find arbiter uid with `id -u arbiter`
Slice=user-<ARBITER UID>.slice
# Set arbiter2 directory path
Environment=ARBITER_DIR=/etc/arbiter2
WorkingDirectory=/etc/arbiter2
ExecStart=<python-absolute-path>/python3.6 ${ARBITER_DIR}/arbiter/arbiter.py -g /etc/arbiter2/etc/config.toml -s
# Copy service file to systemd dir
$ cp /etc/arbiter2/arbiter2.service /etc/systemd/system/
Edit arbiter2 config file
[self]
# Arbiter's groupname (used for sudoers permissions and the --exit-file flag)
groupname = "arbiter"
[email]
plot_location = '/etc/arbiter2/logs/%H/plots'
[database]
log_location = '/etc/arbiter2/logs/%H'
[processes]
whitelist_file = '/etc/arbiter2/etc/whitelist.txt'
Optional: Assign users to status groups. By default, each non-service user (uid greater than min_uid) is allocated to the 'normal' status group. If required, a user can be explicitly assigned to the 'normal', 'admin' or 'invincible' status group by adding that user's uid to the group's 'uids' list below.
[general]
# All processes owned by uids <=1000 will not be tracked by arbiter2
min_uid = 1000 # i.e. non-service accounts
[status.normal]
cpu_quota = 800 # 8 virtual cores
mem_quota = 2 # Gigabyte
[status.admin]
uids = [1000]
cpu_quota = 1600 # 16 virtual cores
mem_quota = 6 # Gigabyte
[status.invincible]
cpu_quota = 1e5
mem_quota = 1e5 # Gigabyte
Run arbiter2 service
# systemctl daemon-reload
# systemctl start arbiter2
Corralling processes
Start monitoring already running processes.
Modify allusers_corraller.sh
$ sed -i "s/w -h/who/g" /etc/arbiter2/tools/allusers_corraller.sh
$ /etc/arbiter2/tools/allusers_corraller.sh
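To confirm that quotas like those in the [status.*] tables are what the kernel enforces once the service is running, the limits on each user slice can be read back from the cgroup accounting files. The script below is an added example, not part of arbiter2 or of the original page; its function names are hypothetical, and it assumes cgroup v1 paths under /sys/fs/cgroup, that a cpu_quota of 100 equals one core (as the "800 # 8 virtual cores" comment implies), and that mem_quota is counted in GiB.

```python
"""Audit cgroup v1 user slices against arbiter2-style status quotas (added example)."""
import os

DEFAULT_PERIOD_US = 100_000  # kernel default for cpu.cfs_period_us


def read_int(path):
    """Return the integer stored in a cgroup file, or None if unreadable."""
    try:
        with open(path) as handle:
            return int(handle.read().strip())
    except (OSError, ValueError):
        return None


def expected_limits(cpu_quota, mem_quota_gb, period_us=DEFAULT_PERIOD_US):
    """Assumption: cpu_quota 100 == one core, mem_quota is in GiB."""
    return int(cpu_quota / 100 * period_us), int(mem_quota_gb * 1024 ** 3)


def audit_slice(cgroup_root, uid, cpu_quota, mem_quota_gb):
    """Compare one user-<uid>.slice with its status group; return findings."""
    rel = os.path.join("user.slice", f"user-{uid}.slice")
    cpu_dir = os.path.join(cgroup_root, "cpu", rel)
    mem_dir = os.path.join(cgroup_root, "memory", rel)
    period = read_int(os.path.join(cpu_dir, "cpu.cfs_period_us")) or DEFAULT_PERIOD_US
    want_cpu, want_mem = expected_limits(cpu_quota, mem_quota_gb, period)
    got_cpu = read_int(os.path.join(cpu_dir, "cpu.cfs_quota_us"))
    got_mem = read_int(os.path.join(mem_dir, "memory.limit_in_bytes"))
    findings = []
    if got_cpu is None:
        findings.append("cpu: slice or accounting files missing")
    elif got_cpu < 0:
        findings.append("cpu: unlimited (cpu.cfs_quota_us is -1)")
    elif got_cpu > want_cpu:
        findings.append(f"cpu: {got_cpu} us allowed, expected at most {want_cpu}")
    if got_mem is None:
        findings.append("memory: slice or accounting files missing")
    elif got_mem > want_mem:  # cgroup v1 reports "no limit" as a huge value
        findings.append(f"memory: {got_mem} bytes allowed, expected at most {want_mem}")
    return findings


if __name__ == "__main__":
    # uid 1000 with the cpu_quota and mem_quota of [status.admin] in the config
    for finding in audit_slice("/sys/fs/cgroup", 1000, 1600, 6) or ["ok"]:
        print(finding)
```

An empty result means the slice is capped at or below its status group's quota; a "missing" finding usually means the user has no active session or accounting is not enabled for the slice.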