Re: [systemd-devel] user slice changes for uid ranges

2019-10-31 Thread Lennart Poettering
On Fr, 27.09.19 15:56, Stijn De Weirdt (stijn.dewei...@ugent.be) wrote:

> hi all,
>
> i'm looking for an "easy" way to set resource limits on a group of users.
>
> we are lucky enough that this group of users is within a (although
> large) high enough range, so a range of uids is ok for us.
>
> generating a user-.slice file for every user (or symlink them or
> whatever) looks a bit cumbersome, and probably not really performance
> friendly if the range is in eg 100k (possible) uids.
>
> e.g. if this range was 100k-200k, i was more looking for a way to do
> e.g. user-1X.slice or user-10:20.slice
>
> (i think this is different from/not covered by the templated/prefix user
> slice patch
> https://github.com/systemd/systemd/commit/5396624506e155c4bc10c0ee65b939600860ab67)

I am not sure this helps you very much right now. But ultimately the
plan is to allow resource limits to be configured in detail as part of
each user record. This is implemented here already:

https://github.com/poettering/systemd/commits/homed

But this hasn't been merged upstream yet, but will hopefully be merged
soon.

Lennart

--
Lennart Poettering, Berlin
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] user slice changes for uid ranges

2019-10-01 Thread Mantas Mikulėnas
On Tue, Oct 1, 2019 at 11:19 AM Stijn De Weirdt 
wrote:

> hello mantas, jeremy, all,
>
>
> wrt the pam script magic, i'm not a big fan, esp because it is optional.
> i'd rather have those users not login than that they don't have the
> constraints. (but obviously, i really don't want to lock myself out, so
> i totally see why you need the optional keyword)
>

It's as optional as you make it. If the script exits with non-0, pam_exec
returns PAM_SYSTEM_ERR and you can treat this as a fatal error.

To avoid locking yourself out, either always make it exit 0 for root, or
"session [success=1 default=ignore] pam_succeed_if.so user ingroup wheel",
etc.

-- 
Mantas Mikulėnas
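
An added example, not code from any participant in this thread: a pam_exec session script that fails the login when limits cannot be applied to a UID in the range, while always exiting 0 for root. The install path, the limit values, the 100000-200000 range (taken from the "100k-200k" in the question) and the placement after pam_systemd are assumptions.

```shell
#!/bin/sh
# Hypothetical PAM wiring (the script path is an assumption). Place it after
# pam_systemd so that user-UID.slice already exists:
#   session [success=1 default=ignore] pam_succeed_if.so user ingroup wheel
#   session required pam_exec.so /usr/local/sbin/uid-range-limits

UID_MIN=100000                        # sample range from the question
UID_MAX=200000
LIMITS="CPUQuota=200% TasksMax=512"   # constructed sample values

# Print the action for a numeric UID: exempt, limit or skip.
classify_uid() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo exempt
    elif [ "$1" -ge "$UID_MIN" ] && [ "$1" -le "$UID_MAX" ]; then
        echo limit
    else
        echo skip
    fi
}

# Name of the per-user slice that systemd-logind creates for a UID.
slice_for_uid() {
    echo "user-$1.slice"
}

main() {
    # pam_exec exports PAM_USER and PAM_TYPE to the script.
    [ "${PAM_TYPE:-}" = open_session ] || return 0
    [ "$PAM_USER" = root ] && return 0          # never lock out root
    uid=$(id -u "$PAM_USER") || return 1        # unknown user: fail closed
    action=$(classify_uid "$uid") || return 1
    [ "$action" = limit ] || return 0
    # $LIMITS is left unquoted on purpose so it splits into separate properties.
    # A non-zero status here makes pam_exec report PAM_SYSTEM_ERR.
    systemctl --runtime set-property "$(slice_for_uid "$uid")" $LIMITS
}

# Only act when invoked by pam_exec.
if [ -n "${PAM_USER:-}" ]; then
    main || exit 1
fi
```

With `required` instead of `optional`, a failed `set-property` call blocks the session rather than letting the user in without limits.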

Re: [systemd-devel] user slice changes for uid ranges

2019-10-01 Thread Stijn De Weirdt
hello mantas, jeremy, all,


wrt the pam script magic, i'm not a big fan, esp because it is optional.
i'd rather have those users not login than that they don't have the
constraints. (but obviously, i really don't want to lock myself out, so
i totally see why you need the optional keyword)

wrt the generators, i'll have a look how those really work and what i
could do with them. i like the idea that the user slice settings are
only generated when needed (and maybe even cleaned up when there are too
many old ones to avoid performance issues)

searching for info on generators and user slices, i stumbled on
https://github.com/systemd/systemd/issues/2556 where this was also
mentioned. unfortunately, no examples, so if someone can share some
examples, that would be great !


anyway, thanks a lot,

stijn

On 9/29/19 4:07 PM, Jérémy ROSEN wrote:
> I don't have a complete solution, but here are a couple of tools that you
> might be able to assemble into something that works
> * dropins,  you could do a dropin for every existing UID that sets the
> Slice= field
> * generators : could be used to generate those dropins
> * also note that if a unit is named a-b-c.service, systemd will look for
> dropins named a-b-.service and a-.service... there might be something to do
> with that, but I haven't given it much thought
> 
> On Fri, Sep 27, 2019 at 18:28, Mantas Mikulėnas wrote:
> 
>> On Fri, Sep 27, 2019 at 5:03 PM Stijn De Weirdt 
>> wrote:
>>
>>> hi all,
>>>
>>> i'm looking for an "easy" way to set resource limits on a group of users.
>>>
>>> we are lucky enough that this group of users is within a (although
>>> large) high enough range, so a range of uids is ok for us.
>>>
>>> generating a user-.slice file for every user (or symlink them or
>>> whatever) looks a bit cumbersome, and probably not really performance
>>> friendly if the range is in eg 100k (possible) uids.
>>>
>>> e.g. if this range was 100k-200k, i was more looking for a way to do
>>> e.g. user-1X.slice or user-10:20.slice
>>>
>>
>> As far as I know there isn't a good systemd-native method for this, but
>> you can dynamically set slice parameters during PAM processing, as in this
>> blog post:
>> https://utcc.utoronto.ca/~cks/space/blog/linux/Ubuntu1804SystemdUserLimits
>>
>> --
>> Mantas Mikulėnas
>> ___
>> systemd-devel mailing list
>> systemd-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
> 
> 
> 

Re: [systemd-devel] user slice changes for uid ranges

2019-09-29 Thread Jérémy ROSEN
I don't have a complete solution, but here are a couple of tools that you
might be able to assemble into something that works
* dropins,  you could do a dropin for every existing UID that sets the
Slice= field
* generators : could be used to generate those dropins
* also note that if a unit is named a-b-c.service, systemd will look for
dropins named a-b-.service and a-.service... there might be something to do
with that, but I haven't given it much thought

On Fri, Sep 27, 2019 at 18:28, Mantas Mikulėnas wrote:

> On Fri, Sep 27, 2019 at 5:03 PM Stijn De Weirdt 
> wrote:
>
>> hi all,
>>
>> i'm looking for an "easy" way to set resource limits on a group of users.
>>
>> we are lucky enough that this group of users is within a (although
>> large) high enough range, so a range of uids is ok for us.
>>
>> generating a user-.slice file for every user (or symlink them or
>> whatever) looks a bit cumbersome, and probably not really performance
>> friendly if the range is in eg 100k (possible) uids.
>>
>> e.g. if this range was 100k-200k, i was more looking for a way to do
>> e.g. user-1X.slice or user-10:20.slice
>>
>
> As far as I know there isn't a good systemd-native method for this, but
> you can dynamically set slice parameters during PAM processing, as in this
> blog post:
> https://utcc.utoronto.ca/~cks/space/blog/linux/Ubuntu1804SystemdUserLimits
>
> --
> Mantas Mikulėnas
> ___
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel



-- 
*Jérémy ROSEN*


Re: [systemd-devel] user slice changes for uid ranges

2019-09-27 Thread Mantas Mikulėnas
On Fri, Sep 27, 2019 at 5:03 PM Stijn De Weirdt 
wrote:

> hi all,
>
> i'm looking for an "easy" way to set resource limits on a group of users.
>
> we are lucky enough that this group of users is within a (although
> large) high enough range, so a range of uids is ok for us.
>
> generating a user-.slice file for every user (or symlink them or
> whatever) looks a bit cumbersome, and probably not really performance
> friendly if the range is in eg 100k (possible) uids.
>
> e.g. if this range was 100k-200k, i was more looking for a way to do
> e.g. user-1X.slice or user-10:20.slice
>

As far as I know there isn't a good systemd-native method for this, but you
can dynamically set slice parameters during PAM processing, as in this blog
post:
https://utcc.utoronto.ca/~cks/space/blog/linux/Ubuntu1804SystemdUserLimits

-- 
Mantas Mikulėnas

[systemd-devel] user slice changes for uid ranges

2019-09-27 Thread Stijn De Weirdt
hi all,

i'm looking for an "easy" way to set resource limits on a group of users.

we are lucky enough that this group of users is within a (although
large) high enough range, so a range of uids is ok for us.

generating a user-.slice file for every user (or symlink them or
whatever) looks a bit cumbersome, and probably not really performance
friendly if the range is in eg 100k (possible) uids.

e.g. if this range was 100k-200k, i was more looking for a way to do
e.g. user-1X.slice or user-10:20.slice

(i think this is different from/not covered by the templated/prefix user
slice patch
https://github.com/systemd/systemd/commit/5396624506e155c4bc10c0ee65b939600860ab67)

many thanks for any suggestion,

stijn