in older days we use to set the kernel tuneable parameters through /etc/system in Solaris Boxes.But from Solaris 10 on-wards,we set those parameters using resource control mechanism.The rctladm command allows you to make runtime interrogations of and modifications to the resource controls facility, with global scope. The prctl command allows you to make runtime interrogations of and modifications to the resource controls facility, with local scope.
Many kernel parameters have been replaced by so called resource controls in Solaris 10. It is possible to change resource controls using the prctl command. All shared memory and semaphore settings are now handled via resource controls, so any entries regarding shared memory or semaphores (shm & sem) in /etc/system will be ignored.
Here we will see how to control the resource for “process” by using project and newtask.
For example, I am creating the new project called “test” and setting maximum lwps process to 2.So from this project, system cannot generate more than two lwp process.
bash-3.00# projadd -K 'task.max-lwps=(privileged,2,deny)' test
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
limitedusers:100::linges::process.max-file-descriptor=(privileged,8192,deny)
test:101::::task.max-lwps=(privileged,2,deny)
As a test,
bash-3.00# newtask -p test bash ------------>First lwp process
bash-3.00# id -p
uid=0(root) gid=0(root) projid=101(test)
bash-3.00# ps -o project,taskid -p $$
PROJECT TASKID
test 98
bash-3.00# bash ------------------------------------>Second lwp process
bash-3.00# bash
bash: fork: Resource temporarily unavailable
bash-3.00# bash
bash: fork: Resource temporarily unavailable
Logging:
Global logging can be enabled by setting syslog=level with rctladm, where level is one of the usual syslog levels: debug, info, notice, warning, err, crit, alert or emerge.
We can enable syslog notice using the below command.If the system is crossed the limit ,it will log in messages file.
bash-3.00# rctladm -e syslog process.max-file-descriptor
bash-3.00# rctladm
process.max-port-events syslog=off [ deny count ]
process.max-msg-messages syslog=off [ deny count ]
process.max-msg-qbytes syslog=off [ deny bytes ]
process.max-sem-ops syslog=off [ deny count ]
process.max-sem-nsems syslog=off [ deny count ]
process.max-address-space syslog=off [ lowerable deny no-signal bytes ]
process.max-file-descriptor syslog=notice [ lowerable deny count ]
process.max-core-size syslog=off [ lowerable deny no-signal bytes ]
process.max-stack-size syslog=off [ lowerable deny no-signal bytes ]
process.max-data-size syslog=off [ lowerable deny no-signal bytes ]
process.max-file-size syslog=off [ lowerable deny file-size bytes ]
process.max-cpu-time syslog=off [ lowerable no-deny cpu-time inf seconds ]
task.max-cpu-time syslog=off [ no-deny cpu-time no-obs inf seconds ]
task.max-lwps syslog=off [ count ]
project.max-contracts syslog=off [ no-basic deny count ]
project.max-device-locked-memory syslog=off [ no-basic deny bytes ]
project.max-locked-memory syslog=off [ no-basic deny bytes ]
project.max-port-ids syslog=off [ no-basic deny count ]
project.max-shm-memory syslog=off [ no-basic deny bytes ]
project.max-shm-ids syslog=off [ no-basic deny count ]
project.max-msg-ids syslog=off [ no-basic deny count ]
project.max-sem-ids syslog=off [ no-basic deny count ]
project.max-crypto-memory syslog=off [ no-basic deny bytes ]
project.max-tasks syslog=off [ no-basic count ]
project.max-lwps syslog=off [ no-basic count ]
project.cpu-cap syslog=off [ no-basic deny no-signal inf count ]
project.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
zone.max-swap syslog=off [ no-basic deny bytes ]
zone.max-locked-memory syslog=off [ no-basic deny bytes ]
zone.max-shm-memory syslog=off [ no-basic deny bytes ]
zone.max-shm-ids syslog=off [ no-basic deny count ]
zone.max-sem-ids syslog=off [ no-basic deny count ]
zone.max-msg-ids syslog=off [ no-basic deny count ]
zone.max-lwps syslog=off [ no-basic count ]
zone.cpu-cap syslog=off [ no-basic deny no-signal inf count ]
zone.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
By default syslog,will be enabled as “notice”. If you want to set the syslog level to debug ,you can use below command.
bash-3.00# rctladm -e syslog=debug task.max-lwps
bash-3.00# rctladm |grep task.max-lwps
task.max-lwps syslog=debug [ count ]
For testing purpose,Here i am setting the max-lwps to 5 for sshd .so your sshd daemon allow the system to create 5lwps.once its reached the limit,you cannot to the system using ssh.
# prctl -n task.max-lwps -v 5 -t privileged -d all `pgrep sshd`
I tried to ssh this machine using putty and it allowed 4 session,when try to take a 5th one, got error “connected terminated unexpectedly “ .It means ,system is not allowing ssh process to create more than 5lwp process.You can see this error is logged in messages file.
# tail -f /var/adm/messages
Jul 2 07:47:20 sfos e1000g: [ID 801725 kern.info] NOTICE: pci8086,100f - e1000g[0] : link up, 1000 Mbps, full duplex
Jul 2 07:47:20 sfos in.routed[1212]: [ID 300549 daemon.warning] interface e1000g0 to 192.168.10.29 restored
Jul 2 09:31:14 sfos genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 5) exceeded by process 28555 in task 71.
^C
To Disable to syslog ,
bash-3.00# rctladm -d syslog process.max-file-descriptor
bash-3.00# rctladm
process.max-port-events syslog=off [ deny count ]
process.max-msg-messages syslog=off [ deny count ]
process.max-msg-qbytes syslog=off [ deny bytes ]
process.max-sem-ops syslog=off [ deny count ]
process.max-sem-nsems syslog=off [ deny count ]
process.max-address-space syslog=off [ lowerable deny no-signal bytes ]
process.max-file-descriptor syslog=off [ lowerable deny count ]
process.max-core-size syslog=off [ lowerable deny no-signal bytes ]
process.max-stack-size syslog=off [ lowerable deny no-signal bytes ]
process.max-data-size syslog=off [ lowerable deny no-signal bytes ]
process.max-file-size syslog=off [ lowerable deny file-size bytes ]
process.max-cpu-time syslog=off [ lowerable no-deny cpu-time inf seconds ]
task.max-cpu-time syslog=off [ no-deny cpu-time no-obs inf seconds ]
task.max-lwps syslog=off [ count ]
project.max-contracts syslog=off [ no-basic deny count ]
project.max-device-locked-memory syslog=off [ no-basic deny bytes ]
project.max-locked-memory syslog=off [ no-basic deny bytes ]
project.max-port-ids syslog=off [ no-basic deny count ]
project.max-shm-memory syslog=off [ no-basic deny bytes ]
project.max-shm-ids syslog=off [ no-basic deny count ]
project.max-msg-ids syslog=off [ no-basic deny count ]
project.max-sem-ids syslog=off [ no-basic deny count ]
project.max-crypto-memory syslog=off [ no-basic deny bytes ]
project.max-tasks syslog=off [ no-basic count ]
project.max-lwps syslog=off [ no-basic count ]
project.cpu-cap syslog=off [ no-basic deny no-signal inf count ]
project.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
zone.max-swap syslog=off [ no-basic deny bytes ]
zone.max-locked-memory syslog=off [ no-basic deny bytes ]
zone.max-shm-memory syslog=off [ no-basic deny bytes ]
zone.max-shm-ids syslog=off [ no-basic deny count ]
zone.max-sem-ids syslog=off [ no-basic deny count ]
zone.max-msg-ids syslog=off [ no-basic deny count ]
zone.max-lwps syslog=off [ no-basic count ]
zone.cpu-cap syslog=off [ no-basic deny no-signal inf count ]
zone.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
To check the task value,
bash-3.00# prctl -n task.max-lwps $$
process: 29525: bash
NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT
task.max-lwps
privileged 5 - deny -
privileged 40 - none -
system 2.15G max deny -
Using pid also we can check the resource control limit for that process.
# prctl 29513
process: 29513: /usr/lib/ssh/sshd
NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT
process.max-port-events
privileged 65.5K - deny -
system 2.15G max deny -
process.max-msg-messages
privileged 8.19K - deny -
system 4.29G max deny -
process.max-msg-qbytes
privileged 64.0KB - deny -
system 16.0EB max deny -
process.max-sem-ops
privileged 512 - deny -
system 2.15G max deny -
process.max-sem-nsems
privileged 512 - deny -
system 32.8K max deny -
process.max-address-space
privileged 16.0EB max deny -
system 16.0EB max deny -
process.max-file-descriptor
basic 256 - deny 29513
privileged 65.5K - deny -
system 2.15G max deny -
process.max-core-size
privileged 8.00EB max deny -
system 8.00EB max deny -
process.max-stack-size
basic 10.0MB - deny 29513
privileged 125TB - deny -
system 125TB max deny -
process.max-data-size
privileged 16.0EB max deny -
system 16.0EB max deny -
process.max-file-size
privileged 8.00EB max deny,signal=XFSZ -
system 8.00EB max deny -
process.max-cpu-time
privileged 18.4Es inf signal=XCPU -
system 18.4Es inf none -
task.max-cpu-time
system 18.4Es inf none -
task.max-lwps
privileged 5 - deny -
privileged 40 - none -
system 2.15G max deny -
project.max-contracts
privileged 10.0K - deny -
system 2.15G max deny -
project.max-device-locked-memory
privileged 63.5MB - deny -
system 16.0EB max deny -
project.max-locked-memory
system 16.0EB max deny -
project.max-port-ids
privileged 8.19K - deny -
system 65.5K max deny -
project.max-shm-memory
privileged 254MB - deny -
system 16.0EB max deny -
project.max-shm-ids
privileged 128 - deny -
system 16.8M max deny -
project.max-msg-ids
privileged 128 - deny -
system 16.8M max deny -
project.max-sem-ids
privileged 128 - deny -
system 16.8M max deny -
project.max-crypto-memory
privileged 254MB - deny -
system 16.0EB max deny -
project.max-tasks
system 2.15G max deny -
project.max-lwps
system 2.15G max deny -
project.cpu-cap
system 4.29G inf deny -
project.cpu-shares
privileged 1 - none -
system 65.5K max none -
zone.max-swap
system 16.0EB max deny -
zone.max-locked-memory
system 16.0EB max deny -
zone.max-shm-memory
system 16.0EB max deny -
zone.max-shm-ids
system 16.8M max deny -
zone.max-sem-ids
system 16.8M max deny -
zone.max-msg-ids
system 16.8M max deny -
zone.max-lwps
system 2.15G max deny -
zone.cpu-cap
system 4.29G inf deny -
zone.cpu-shares
privileged 1 - none -
system 65.5K max none
Thank you for reading this article.Please leave a comment if you have any doubt. I will get back to you.
Leave a Reply