Setting Resource Controls

How to Set the Maximum Number of LWPs for Each Task in a Project

This procedure adds a project named x-files to the /etc/project file and sets a maximum number of LWPs for a task created in the project.

1. Become superuser or assume an equivalent role.
   Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
2. Use the projadd command with the -K option to create a project called x-files. Set the maximum number of LWPs for each task created in the project to 3.
   

   # projadd -K 'task.max-lwps=(privileged,3,deny)' x-files

3. View the entry in the /etc/project file by using one of the following methods:
   
   • Type:
     

     # projects -l system projid : 0 comment: "" users : (none) groups : (none) attribs: . . . x-files projid : 100 comment: "" users : (none) groups : (none) attribs: task.max-lwps=(privileged,3,deny)

   • Type:
     

     # cat /etc/project system:0:System::: . . . x-files:100::::task.max-lwps=(privileged,3,deny)

---

Example 7–1 Sample Session

After implementing the steps in this procedure, when superuser creates a new task in project x-files by joining the project with newtask, superuser will not be able to create more than three LWPs while running in this task. This is shown in the following annotated sample session.

# newtask -p x-files csh # prctl -n task.max-lwps $$ process: 111107: csh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT task.max-lwps privileged 3 - deny - system 2.15G max deny - # id -p uid=0(root) gid=1(other) projid=100(x-files) # ps -o project,taskid -p $$ PROJECT TASKID x-files 73 # csh /* creates second LWP */ # csh /* creates third LWP */ # csh /* cannot create more LWPs */ Vfork failed #

---

How to Set Multiple Controls on a Project

The /etc/project file can contain settings for multiple resource controls for each project as well as multiple threshold values for each control. Threshold values are defined in action clauses, which are comma-separated for multiple values.

1. Become superuser or assume an equivalent role.
   Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
2. Use the projmod command with the -s and -K options to set resource controls on project x-files:
   

   # projmod -s -K 'task.max-lwps=(basic,10,none),(privileged,500,deny); process.max-file-descriptor=(basic,128,deny)' x-filesone line in file

   The following controls are set:
   
   • A basic control with no action on the maximum LWPs per task.
   • A privileged deny control on the maximum LWPs per task. This control causes any LWP creation that exceeds the maximum to fail, as shown in the previous example How to Set the Maximum Number of LWPs for Each Task in a Project.
   • A limit on the maximum file descriptors per process at the basic level, which forces the failure of any open call that exceeds the maximum.
3. View the entry in the file by using one of the following methods:
   
   • Type:
     

     # projects -l . . . x-files projid : 100 comment: "" users : (none) groups : (none) attribs: process.max-file-descriptor=(basic,128,deny) task.max-lwps=(basic,10,none),(privileged,500,deny) one line in file

   • Type:
     

     # cat etc/project . . . x-files:100::::process.max-file-descriptor=(basic,128,deny); task.max-lwps=(basic,10,none),(privileged,500,deny) one line in file

Using the prctl Command

Use the prctl command to make runtime interrogations of and modifications to the resource controls associated with an active process, task, or project on the system. See the prctl(1) man page for more information.

How to Use the prctl Command to Display Default Resource Control Values

This procedure must be used on a system on which no resource controls have been set or changed. There can be only non-default entries in the /etc/system file or in the project database.

1. Use the prctl command on any process, such as the current shell that is running.
   

   # prctl $$ process: 100337: -sh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT process.max-port-events privileged 65.5K - deny - system 2.15G max deny - process.crypto-buffer-limit system 16.0EB max deny - process.max-crypto-sessions system 18.4E max deny - process.add-crypto-sessions privileged 100 - deny - system 18.4E max deny - process.min-crypto-sessions privileged 20 - deny - system 18.4E max deny - process.max-msg-messages privileged 8.19K - deny - system 4.29G max deny - process.max-msg-qbytes privileged 64.0KB - deny - system 16.0EB max deny - process.max-sem-ops privileged 512 - deny - system 2.15G max deny - process.max-sem-nsems privileged 512 - deny - system 32.8K max deny - process.max-address-space privileged 16.0EB max deny - system 16.0EB max deny - process.max-file-descriptor basic 256 - deny 100337 privileged 65.5K - deny - system 2.15G max deny - process.max-core-size privileged 8.00EB max deny - system 8.00EB max deny - process.max-stack-size basic 8.00MB - deny 100337 privileged 8.00EB - deny - system 8.00EB max deny - process.max-data-size privileged 16.0EB max deny - system 16.0EB max deny - process.max-file-size privileged 8.00EB max deny,signal=XFSZ - system 8.00EB max deny - process.max-cpu-time privileged 18.4Es inf signal=XCPU - system 18.4Es inf none - task.max-cpu-time system 18.4Es inf none - task.max-lwps system 2.15G max deny - project.max-contracts privileged 10.0K - deny - system 2.15G max deny - project.max-device-locked-memory privileged 499MB - deny - system 16.0EB max deny - project.max-port-ids privileged 8.19K - deny - system 65.5K max deny - project.max-shm-memory privileged 1.95GB - deny - system 16.0EB max deny - project.max-shm-ids privileged 128 - deny - system 16.8M max deny - project.max-msg-ids privileged 128 - deny - system 16.8M max deny - project.max-sem-ids privileged 128 - deny - system 16.8M max deny - project.max-tasks system 2.15G max deny - project.max-lwps system 2.15G max deny - project.cpu-shares privileged 1 - none - system 65.5K max none - zone.max-lwps system 2.15G max deny - zone.cpu-shares privileged 1 - none - system 65.5K max none -

How to Use the prctl Command to Display Information for a Given Resource Control

1. Display the maximum file descriptor for the current shell that is running.
   

   # prctl -n process.max-file-descriptor $$ process: 110453: -sh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT process.max-file-descriptor basic 256 - deny 110453 privileged 65.5K - deny - system 2.15G max deny

How to Use prctl to Temporarily Change a Value

This example procedure uses the prctl command to temporarily add a new privileged value to deny the use of more than three LWPs per project for the x-files project. The result is comparable to the result in How to Set the Maximum Number of LWPs for Each Task in a Project.

1. Become superuser or assume an equivalent role.
   Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
2. Use newtask to join the x-files project.
   

   # newtask -p x-files

3. Use the id command with the -p option to verify that the correct project has been joined.
   

   # id -p uid=0(root) gid=1(other) projid=101(x-files)

4. Add a new privileged value for project.max-lwps that limits the number of LWPs to three.
   

   # prctl -n project.max-lwps -t privileged -v 3 -e deny -i project x-files

5. Verify the result.
   

   # prctl -n project.max-lwps -i project x-files process: 111108: csh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT project.max-lwps privileged 3 - deny - system 2.15G max deny -

How to Use prctl to Lower a Resource Control Value

1. Become superuser or assume an equivalent role.
   Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
2. Use the prctl command with the -r option to change the lowest value of the process.max-file-descriptor resource control.
   

   # prctl -n process.max-file-descriptor -r -v 128 $$

How to Use prctl to Display, Replace, and Verify the Value of a Control on a Project

1. Become superuser or assume an equivalent role.
   Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
2. Display the value of project.cpu-shares in the project group.staff.
   

   # prctl -n project.cpu-shares -i project group.staff project: 2: group.staff NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT project.cpu-shares privileged 1 - none - system 65.5K max none

3. Replace the current project.cpu-shares value 1 with the value 10.
   

   # prctl -n project.cpu-shares -v 10 -r -i project group.staff

4. Display the value of project.cpu-shares in the project group.staff.
   

   # prctl -n project.cpu-shares -i project group.staff project: 2: group.staff NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT project.cpu-shares privileged 10 - none - system 65.5K max none

Using rctladm

How to Use rctladm

Use the rctladm command to make runtime interrogations of and modifications to the global state of the resource controls facility. See the rctladm(1M) man page for more information.
For example, you can use rctladm with the -e option to enable the global syslog attribute of a resource control. When the control is exceeded, notification is logged at the specified syslog level. To enable the global syslog attribute of process.max-file-descriptor, type the following:

# rctladm -e syslog process.max-file-descriptor

When used without arguments, the rctladm command displays the global flags, including the global type flag, for each resource control.

# rctladm process.max-port-events syslog=off [ deny count ] process.max-msg-messages syslog=off [ deny count ] process.max-msg-qbytes syslog=off [ deny bytes ] process.max-sem-ops syslog=off [ deny count ] process.max-sem-nsems syslog=off [ deny count ] process.max-address-space syslog=off [ lowerable deny no-signal bytes ] process.max-file-descriptor syslog=off [ lowerable deny count ] process.max-core-size syslog=off [ lowerable deny no-signal bytes ] process.max-stack-size syslog=off [ lowerable deny no-signal bytes ] . . .

Using ipcs

How to Use ipcs

Use the ipcs utility to display information about active interprocess communication (IPC) facilities. See the ipcs(1) man page for more information.
You can use ipcs with the -J option to see which project's limit an IPC object is allocated against.

# ipcs -J IPC status from as of Wed Mar 26 18:53:15 PDT 2003 T ID KEY MODE OWNER GROUP PROJECT Message Queues: Shared Memory: m 3600 0 --rw-rw-rw- uname staff x-files m 201 0 --rw-rw-rw- uname staff x-files m 1802 0 --rw-rw-rw- uname staff x-files m 503 0 --rw-rw-rw- uname staff x-files m 304 0 --rw-rw-rw- uname staff x-files m 605 0 --rw-rw-rw- uname staff x-files m 6 0 --rw-rw-rw- uname staff x-files m 107 0 --rw-rw-rw- uname staff x-files Semaphores: s 0 0 --rw-rw-rw- uname staff x-files

Capacity Warnings

A global action on a resource control enables you to receive notice of any entity that is tripping over a resource control value that is set too low.
For example, assume you want to determine whether a web server possesses sufficient CPUs for its typical workload. You could analyze sar data for idle CPU time and load average. You could also examine extended accounting data to determine the number of simultaneous processes that are running for the web server process.
However, an easier approach is to place the web server in a task. You can then set a global action, using syslog, to notify you whenever a task exceeds a scheduled number of LWPs appropriate for the machine's capabilities.
See the sar(1) man page for more information.

How to Determine Whether a Web Server Is Allocated Enough CPU Capacity

1. Use the prctl command to place a privileged (superuser-owned) resource control on the tasks that contain an httpd process. Limit each task's total number of LWPs to 40, and disable all local actions.
   

   # prctl -n task.max-lwps -v 40 -t privileged -d all `pgrep httpd`

2. Enable a system log global action on the task.max-lwps resource control.
   

   # rctladm -e syslog task.max-lwps

3. Observe whether the workload trips the resource control.
   If it does, you will see /var/adm/messages such as:
   

   Jan 8 10:15:15 testmachine unix: [ID 859581 kern.notice] NOTICE: privileged rctl task.max-lwps exceeded by task 19