I want to run more jails for things like a web server, but want to ensure they will not consume too many OS resources. I found that FreeBSD has resource limits implemented using "rctl":
https://www.freebsd.org/doc/handbook/security-resourcelimits.html
On the latest FreeNAS 9.10, when trying to use rctl, I got:
[root@freenas] ~# rctl
rctl: RACCT/RCTL present, but disabled; enable using kern.racct.enable=1 tunable
But after adding the "loader" tunable kern.racct.enable=1, rctl works!
I can add resource limits for memory use, max processes, pcpu used and similar for a specific jail. I tested it and it works: limiting max processes gives a "no more processes" message in the jail when trying to start a new shell, and limiting CPU kept the CPU used by processes in the jail around the specified limit.
To enable automatic loading of resource limits, I can add this into the jail-post-start script for the specific jail.
I want to ask here whether you see any risk in enabling resource limits with kern.racct.enable=1 on FreeNAS 9.10.
Is it safe to use it with jails and plugins, when setting only jail:xxx resource limits?
Thanks
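The setup described in the post, sketched as a jail-post-start helper. This is an added example, not code from the original post or from FreeNAS. The jail name `www`, the limit values, the function names and the `RCTL_CMD` variable are assumptions; only `rctl`, `kern.racct.enable` and the `jail:` subject come from the post.

```sh
#!/bin/sh
# Added example: per-jail rctl limits for a jail-post-start hook.
# Jail name, limit values and RCTL_CMD are assumptions, not from the post.
RCTL_CMD="${RCTL_CMD:-rctl}"   # set to "echo" to preview without applying

# racct_enabled: true only when the kern.racct.enable=1 tunable is active.
racct_enabled() {
    [ "$(sysctl -n kern.racct.enable 2>/dev/null)" = "1" ]
}

# valid_amount: starts with a digit; only digits and k/m/g/t suffix letters.
valid_amount() {
    case "$1" in
        ''|*[!0-9kKmMgGtT]*) return 1 ;;
        [0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_rules JAIL: print one rule per line in rctl's
# subject:subject-id:resource:action=amount form.
build_rules() {
    jail="$1"
    # A ':' or whitespace in the name would change how rctl parses the rule.
    case "$jail" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid jail name: $jail" >&2; return 1 ;;
    esac
    maxproc="${MAXPROC:-100}"; memoryuse="${MEMORYUSE:-1g}"; pcpu="${PCPU:-50}"
    for amount in "$maxproc" "$memoryuse" "$pcpu"; do
        valid_amount "$amount" || { echo "invalid amount: $amount" >&2; return 1; }
    done
    printf 'jail:%s:maxproc:deny=%s\n'   "$jail" "$maxproc"
    printf 'jail:%s:memoryuse:deny=%s\n' "$jail" "$memoryuse"
    printf 'jail:%s:pcpu:deny=%s\n'      "$jail" "$pcpu"
}

# apply_rules JAIL: replace the jail's rules with the freshly built set.
apply_rules() {
    jail="$1"
    rules=$(build_rules "$jail") || return 1
    # Remove existing rules first so an old limit does not stay in force
    # beside a changed one after the jail restarts.
    "$RCTL_CMD" -r "jail:$jail" 2>/dev/null || true
    for rule in $rules; do
        "$RCTL_CMD" -a "$rule" || return 1
    done
}

# In the hook: racct_enabled && apply_rules www
```

Running `rctl -u jail:www` afterwards shows the jail's current usage against these limits.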