The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to Limit server resources ?

Discussion in 'General Discussion' started by deploy, Oct 26, 2009.

  1. deploy

    deploy Member

    Joined:
    Oct 26, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    We have several servers using Cpanel/WHM. We use a typical LAMP setup and have apace 2 with php 5. We are using mod_php (SU PHP) so that individual files can be owned by the user account. But the problem we are running into is some of our hosting account users, are crashing the server because they are using up all of the system resources.

    How can I limit a user from being able to use 99% of the cpu and memory of the server?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,453
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Once you've tracked down which user is using the resouces, you might check the scripts on that account for problems. Out of date or hacked scripts can cause this sort of problem.
     
  3. deploy

    deploy Member

    Joined:
    Oct 26, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I have tracked it down to the problem hosting accounts, if they install a cms such as drupal or joomla most php scripts will be pushed through their index.php so this is the only script that will be logged under process monitors like top or mysql memory usage, correct ? At that point it would be hard to determine which add on inside the cms is causing the problem, but mostly its poorly written code and non optimized database.

    If I have tracked it down to the user level. Is there not a way to say ex: this account can utilize 256mb memory and 12% cpu max so that way they can not crash the server?
     
  4. deploy

    deploy Member

    Joined:
    Oct 26, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I found /etc/profile.d/limit.sh to be used by the ulimit command.

    It looks like it will do what I want it to do, output of (as the user) ulimit -a

    core file size (blocks, -c) 200000
    data seg size (kbytes, -d) 200000
    file size (blocks, -f) unlimited
    pending signals (-i) 1024
    max locked memory (kbytes, -l) 32
    max memory size (kbytes, -m) 200000
    open files (-n) 100
    pipe size (512 bytes, -p) 8
    POSIX message queues (bytes, -q) 819200
    stack size (kbytes, -s) 8192
    cpu time (seconds, -t) unlimited
    max user processes (-u) 20
    virtual memory (kbytes, -v) 200000
    file locks (-x) unlimited



    The output of the limits.sh:

    #cPanel Added Limit Protections -- BEGIN

    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
    LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" != "root" ]; then
    ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
    else
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END



    Since this seems to be a cPanel added section, if I make changes such as change the -n 100 to -n 50 how would I trigger cPanel to run this script on all the user accounts or will it only apply to newly created accounts ?
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    #5 cPanelDon, Oct 27, 2009
    Last edited: Oct 27, 2009
  6. deploy

    deploy Member

    Joined:
    Oct 26, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1

    Thank you, I found this limit file, But from what I can tell it is used with PAM and the other is used with ulimit is that correct ?

    however I am still confused on if I make changes in theses files, especially the /etc/profile.d/limit.sh When will these setting go into effect and will I need to do anything to apply them to current users ?
     
  7. deploy

    deploy Member

    Joined:
    Oct 26, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanelDon Thank you for the documentation. I read through the links and installed the patch for easyApache. Because we are using su_php it stated that we needed to apply a patch to Apache inorder for PAM to work.

    I have not recompiled Apache with this patch enabled due to the warning from the patch description inside easyApache.

    "This patch allows users to be authorized to use suphp with pam. It also allows /etc/security/*.conf to be used in conjunction with suPHP. This patch does not properly close its PAM sessions, does not do any verification or checks when linking against PAM and will probably make suPHP slower if it happens to work on your box. See the 'More Info' link for the patch's origin This option will make the following changes to your profile prior to the build:

    Enables:
    Mod SuPHP"

    I am not sure if I can use the documents or /etc/security/limits.conf if they are utilizing PAM.

    Do you suggest using this patch despite the messages?
     
  8. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    I would not use the custom patch to the Apache source. At most I would consider using EasyApache to have the build include SuPHP (if it's not included already), and once the build is finished, ensure both SuExec and SuPHP are enabled.

    After ensuring your Apache build has SuPHP included, the following menu path in WHM may be used to ensure both SuPHP and SuExec are enabled:
    WHM: Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration
     
  9. LinuxFreaky

    LinuxFreaky Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanelDon, you would not recommend installing that patch? But you had mentioned using /etc/security/limits.conf earlier. How would that apply to web users if this patch isn't even enabled?

    Btw, I've installed the patch and compiled it via EasyApache. But it doesn't seem to be working. There were no errors reported and Apache still works fine. The limit works when I use ssh and log in as the user though, just not via the web.

    This is what I put in /etc/security/limits.conf :
    bobble hard nproc 1

    bobble is the username I want to restrict.
     
    #9 LinuxFreaky, Jun 18, 2010
    Last edited: Oct 12, 2010
  10. ReiJu

    ReiJu Well-Known Member

    Joined:
    Mar 14, 2008
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    6
    I use the patch mentioned by LinuxFreaky on my server, but the limit for suphp is not working. I even made /etc/pam.d/{suphp,su_PHP,php,httpd} with the suggested content, but nothing happened. It's unusable, I guess. CMIIW.
     
Loading...

Share This Page