Per User Process Limit and Thread Limits?

I run a fairly large (32 CPU core, 64 GB memory) multi-user system that
is used for everything from teaching programming classes to being a web
server. In our environment, where people will be learning to use “fork”
for the first time, a per-user process limit is necessary.

I have set a limit of 96 processes per user in
/etc/security/limits.conf.

Unfortunately, this seems to have the side-effect of limiting the
number of threads that a user can run to 53 (when the only other
processes run by that user are sshd and a shell).

If I increase the per-user process limit to 128, the user can then run
85 threads. The number of threads that a single user can run seems to be
43 less than their process limit.

This breaks a number of Java applications, such as MATLAB, because they
attempt to launch a large number of threads.

Does anyone know how to separate the two limits or do I have to choose
between letting Java applications run and being vulnerable to fork
bombs?

TIA

Scott


schaffin

schaffin’s Profile: http://forums.opensuse.org/member.php?userid=11069
View this thread: http://forums.opensuse.org/showthread.php?t=404532

With that much power on the box have you considered throwing on a tiny,
console-only, VM in which they can run all day long until they blow it
up? This would probably provide a significant barrier of protection for
your host system and, with a small VM, won’t impact performance too much
if at all. Worst case scenario you could set the nice value of your VM
to be really, really high so even if they do bomb that machine and it
starts working hard and it’s working the processor for some reason you
could easily sneak into the host and just nuke the VM machine’s process
without affecting anybody else.

Good luck.

schaffin wrote:
> I run a fairly large (32 CPU core, 64 GB memory) multi-user system that
> is used for everything from teaching programming classes to being a web
> server. In our environment, where people will be learning to use “fork”
> for the first time, a per-user process limit is necessary.
>
> I have set a limit of 96 processes per user in
> /etc/security/limits.conf.
>
> Unfortunately, this seems to have the side-effect of limiting the
> number of threads that a user can run to 53 (when the only other
> processes run by that user are sshd and a shell).
>
> If I increase the per-user process limit to 128, the user can then run
> 85 threads. The number of threads that a single user can run seems to be
> 43 less than their process limit.
>
> This breaks a number of Java applications, such as MATLAB, because they
> attempt to launch a large number of threads.
>
> Does anyone know how to separate the two limits or do I have to choose
> between letting Java applications run and being vulnerable to fork
> bombs?
>
> TIA
>
> Scott
>
>

ab@novell.com;1924733 Wrote:
>
> With that much power on the box have you considered throwing on a tiny,
> console-only, VM in which they can run all day long until they blow it
> up? This would probably provide a significant barrier of protection for
> your host system and, with a small VM, won’t impact performance too much
> if at all. Worst case scenario you could set the nice value of your VM
> to be really, really high so even if they do bomb that machine and it
> starts working hard and it’s working the processor for some reason you
> could easily sneak into the host and just nuke the VM machine’s process
> without affecting anybody else.
>
> Good luck.
>

Thanks for the suggestion, but I prefer keeping things simple for our
students. Furthermore, I’d still need to have a per-user process limit
on the master machine to prevent fork bombs when someone accidentally
(or intentionally) runs their program on that box.

I think that I’m going to ask the same question in a kernel support
forum or mailing list–I’d like to figure out why you can run so few
threads and if threads are actually processes.

Thanks again for the suggestion.


schaffin

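
An added example, not part of the original thread: per getrlimit(2), on Linux RLIMIT_NPROC (the `nproc` item in /etc/security/limits.conf) counts threads as well as processes for the real user ID, so the thread ceiling under a given limit can be measured directly. The Python sketch below forks a child, lowers only the child's soft limit, and counts how many threads start before creation fails. The function name is made up for this example, and the result depends on how many other tasks the same user already has running.

```python
import os
import resource
import threading


def threads_until_nproc_limit(soft_limit, max_try=64):
    """Fork a child, set its soft RLIMIT_NPROC to soft_limit (None leaves it
    unchanged) and return how many extra threads it could start (<= max_try)."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()  # fork first so the lowered limit only affects the child
    if pid == 0:
        os.close(read_fd)
        started = 0
        try:
            if soft_limit is not None:
                _, hard = resource.getrlimit(resource.RLIMIT_NPROC)
                if hard != resource.RLIM_INFINITY:
                    soft_limit = min(soft_limit, hard)  # soft may not exceed hard
                resource.setrlimit(resource.RLIMIT_NPROC, (soft_limit, hard))
            release = threading.Event()
            for _ in range(max_try):
                try:
                    # Each Python thread is a native thread, i.e. one kernel task.
                    threading.Thread(target=release.wait, daemon=True).start()
                except RuntimeError:  # thread creation refused: limit reached
                    break
                started += 1
            release.set()
        finally:
            os.write(write_fd, str(started).encode())
            os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd) as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return int(data)


if __name__ == "__main__":
    for limit in (96, 128):  # the two nproc values tried in the thread
        n = threads_until_nproc_limit(limit, max_try=200)
        print(f"nproc={limit}: started {n} extra threads")
```

Run it as an ordinary user: the kernel does not enforce RLIMIT_NPROC for root or for processes holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, in which case the function simply returns `max_try`.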