[apparmor] rlimit # of cores
John Johansen
john.johansen at canonical.com
Thu Feb 2 01:02:34 UTC 2012
On 02/01/2012 04:39 PM, Jeroen Ooms wrote:
> Is there a way to rlimit the number of cores and proc time that can be
> used *per incoming http request* in libapache2-mod-apparmor? E.g. I
> have a profile in /etc/apparmor.d/apache2.d/mysite, and I would like
> jobs that are posted to mysite to be able to fork or start
> subprocesses, but not to use more than n cores so that a single job
> cannot consume all system resources. E.g:
>
> ^mysite {
> set rlimit data <= 1G,
> set rlimit fsize <= 1G,
> set rlimit memlock <= 1G,
>
> #include <abstractions/apache2-common>
> #include <abstractions/base>
> #include <abstractions/bash>
> #include <abstractions/fonts>
> #include <abstractions/mysql>
> #include <abstractions/nameservice>
> #include <abstractions/openssl>
> #include <abstractions/ssl_certs>
> #include <abstractions/ssl_keys>
> }
>
> I looked into the docs for rlimit cpu and rlimit nproc, but I am not
> sure that is what I am looking for.
>
Not at this time, the AppArmor rlimit controls are just a way of setting
the system's ulimits (man ulimit).
We have looked at, and have played with adding extended resource controls
leveraging cgroups, but this is not available yet.
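
Added example, not part of the original thread: a short Python sketch of why a ulimit-style `rlimit cpu` does not bound a job the way the question asks. RLIMIT_CPU is a per-process budget of CPU seconds that forked workers inherit with a fresh counter; the names `burn` and `run_job` are hypothetical and the sketch assumes Linux.

```python
# Added example (not from the original post): RLIMIT_CPU is a per-process
# budget of CPU seconds. Forked workers inherit the limit but start with a
# fresh counter, so the limit caps neither a job's total CPU nor its cores.
import json, os, resource, signal, time

def burn(cpu_seconds):
    """Spin until this process alone has consumed cpu_seconds of CPU."""
    while time.process_time() < cpu_seconds:
        pass

def run_job(limit_s, workers, cpu_each):
    """Hypothetical 'job': set RLIMIT_CPU, fork workers, report the result.

    Returns (total CPU seconds used by the workers, signals that killed any).
    """
    r, w = os.pipe()
    job = os.fork()
    if job == 0:                      # the job process (one "request")
        try:
            _, hard = resource.getrlimit(resource.RLIMIT_CPU)
            resource.setrlimit(resource.RLIMIT_CPU, (limit_s, hard))
            pids = []
            for _ in range(workers):
                pid = os.fork()
                if pid == 0:          # worker: inherits limit, counter is 0
                    burn(cpu_each)
                    os._exit(0)
                pids.append(pid)
            statuses = [os.waitpid(p, 0)[1] for p in pids]
            killed = [os.WTERMSIG(s) for s in statuses if os.WIFSIGNALED(s)]
            t = os.times()            # CPU time of the reaped workers
            report = [t.children_user + t.children_system, killed]
            os.write(w, json.dumps(report).encode())
        finally:
            os._exit(0)
    os.close(w)
    total, killed = json.loads(os.read(r, 256))
    os.close(r)
    os.waitpid(job, 0)
    return total, killed

if __name__ == "__main__":
    print(run_job(1, 2, 0.7))   # two workers under a 1 s limit, 0.7 s each
    print(run_job(1, 1, 1.5))   # one worker exceeding its own 1 s budget
    print("SIGXCPU =", int(signal.SIGXCPU))
```

In the first call the job as a whole uses more CPU than the limit and nothing is stopped; only a single process that exceeds the limit on its own receives SIGXCPU.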