I run a fairly large (32 CPU core, 64 GB memory) multi-user system that is used for everything from teaching programming classes to being a web server. In our environment, where people will be learning to use “fork” for the first time, a per-user process limit is necessary.
I have set a limit of 96 processes per user in /etc/security/limits.conf.
Unfortunately, this seems to have the side-effect of limiting the number of threads that a user can run to 53 (when the only other processes run by that user are sshd and a shell).
If I increase the per-user process limit to 128, the user can then run 85 threads. The number of threads that a single user can run seems to be 43 less than their process limit.
This breaks a number of java applications, such as matlab, because they attempt to launch a large number of threads.
Does anyone know how to separate the two limits or do I have to choose between letting java applications run and being vulnerable to fork bombs?
With that much power on the box have you considered throwing on a tiny,
console-only, VM in which they can run all day long until they blow it
up? This would probably provide a significant barrier of protection for
your host system and, with a small VM, won’t impact performance too much
if at all. Worst case scenario you could set the nice value of your VM
to be really, really high so even if they do bomb that machine and it
starts working hard and it’s working the processor for some reason you
could easily sneak into the host and just nuke the VM machine’s process
without affecting anybody else.
Good luck.
schaffin wrote:
> I run a fairly large (32 CPU core, 64 GB memory) multi-user system that
> is used for everything from teaching programming classes to being a web
> server. In our environment, where people will be learning to use “fork”
> for the first time, a per-user process limit is necessary.
>
> I have set a limit of 96 processes per user in
> /etc/security/limits.conf.
>
> Unfortunately, this seems to have the side-effect of limiting the
> number of threads that a user can run to 53 (when the only other
> processes run by that user are sshd and a shell).
>
> If I increase the per-user process limit to 128, the user can then run
> 85 threads. The number of threads that a single user can run seems to be
> 43 less than their process limit.
>
> This breaks a number of java applications, such as matlab, because they
> attempt to launch a large number of threads.
>
> Does anyone know how to separate the two limits or do I have to choose
> between letting java applications run and being vulnerable to fork
> bombs?
>
> TIA
>
> Scott
>
>
Thanks for the suggestion, but I prefer keeping things simple for our students. Furthermore, I’d still need to have a per-user process limit on the master machine to prevent fork bombs when someone accidentally (or intentionally) runs their program on that box.
I think that I’m going to ask the same question in a kernel support forum or mailing list–I’d like to figure out why you can run so few threads and if threads are actually processes.
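
Added example, not part of any post in this thread: on Linux the nproc limit (RLIMIT_NPROC) is counted in tasks per real UID, and getrlimit(2) notes that each thread counts as one. This sketch walks /proc to show how many processes and how many tasks each UID holds; the function names are made up for illustration, and applying the caller's own soft limit to every UID is an assumption.

```python
import os
import resource


def tasks_per_uid(proc_root="/proc"):
    """Return {real_uid: (processes, tasks)}; every thread is one task."""
    counts = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # skip /proc/self, /proc/meminfo, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "status")) as fh:
                # "Uid:" lists real, effective, saved and fs UIDs;
                # the nproc limit is charged to the real UID (first field).
                uid = next(int(line.split()[1]) for line in fh
                           if line.startswith("Uid:"))
            # One directory per thread lives under /proc/<pid>/task.
            threads = len(os.listdir(os.path.join(pid_dir, "task")))
        except (OSError, StopIteration, ValueError, IndexError):
            continue  # process exited mid-scan or is not readable
        procs, tasks = counts.get(uid, (0, 0))
        counts[uid] = (procs + 1, tasks + threads)
    return counts


def headroom(counts, uid, nproc_limit):
    """Tasks (processes or threads) the UID can still create under the limit."""
    return nproc_limit - counts.get(uid, (0, 0))[1]


if __name__ == "__main__":
    # Assumption: the caller's soft nproc limit applies to every listed UID.
    soft, _hard = resource.getrlimit(resource.RLIMIT_NPROC)
    counts = tasks_per_uid()
    for uid, (procs, tasks) in sorted(counts.items()):
        if soft == resource.RLIM_INFINITY:
            left = "unlimited"
        else:
            left = headroom(counts, uid, soft)
        print(f"uid={uid} processes={procs} tasks={tasks} headroom={left}")
```

A UID whose task count is far above its process count is running heavily threaded programs, which is the case that collides with a low nproc value.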