Management and Repository for FreeBSD Jails

Attention! Current pages describe CBSD version 10.1.4. If you are using an older version, please update first.

Attention! I apologize for the automatic translation of this text. You can improve it by sending me a more correct version of the text or by fixing the HTML pages via the GitHub repository.

Jail limits control

jrctl, jrctl-tui commands

                        % cbsd jrctl
                        % cbsd jrctl-tui
                
Description:

CBSD supports several FreeBSD subsystems for setting limits on jail resources.

File quotas

A floating file quota is only possible for a jail placed on a ZFS file system. For a system on UFS, something similar can be achieved with an md(4)-based vnode file/image (the mdsize parameter of the jail).

Renice prioritization

CBSD uses the renice(8) subsystem to prioritize jails. You can assign different priorities to different jails so that the most important jails get the most CPU time, at the expense of jails that can yield it. For example, you may want to give a distcc jail the lowest priority, a jail with a web server a medium priority, and a database jail the maximum priority. This behavior is controlled by the nice setting in the jail's rctl settings, and its value follows the behavior of nice(1): the lower the value, the higher the jail's priority. renice demonstration:

1) Create an AMP jail and place in its docroot a .php script that performs some mathematical operations, such as bench.zip taken from http://www.php-benchmark-script.com/ with the iteration counts increased tenfold. Clone the jail, naming the first copy highprio1 and the second lowprio1. Through cbsd jrctl-tui, give the first the highest priority, -20, and the second the lowest, 20. In addition, pin the jails to one core with cpuset via cbsd jconfig (single-core systems are now hard to find, and a smart OS scheduler does not allow a clean experiment without this step ;-).

                        % cbsd jls display=jid,jname,ip4_addr,cpuset
                        16   highprio1   10.0.0.121/24  4
                        17   lowprio1    10.0.0.122/24  4
                

Here jid 16 is the high-priority jail and jid 17 is the low-priority one; both are on the fourth core.

Poll top for the load of the php-fpm processes, with the JID in the output:

                % export iter=1
                % while [ 1 ]; do
                        printf "Iter: %s\n" "$iter" ;
                        iter=$((iter+1))
                        top -jab | grep php
                        sleep 1
                done
                

Run the script at the same time against both IP addresses:

        % fetch -T 300 -o /dev/stdout http://10.0.0.121 & fetch -T 300 -o /dev/stdout http://10.0.0.122 & 
        [1] 65985
        [2] 65986
        
        --------------------------------------
        |        PHP BENCHMARK SCRIPT        |
        --------------------------------------
        Start : 2014-01-06 16:28:59
        Server : @10.0.0.121
        PHP version : 5.4.23
        Platform : FreeBSD
        --------------------------------------
        test_math                 : 12.870 sec.
        test_stringmanipulation   : 15.896 sec.
        test_loops                : 8.968 sec.
        test_ifelse               : 7.864 sec.
        --------------------------------------
        Total time:               : 45.598 sec.
        
        --------------------------------------
        |        PHP BENCHMARK SCRIPT        |
        --------------------------------------
        Start : 2014-01-06 16:29:02
        Server : @10.0.0.122
        PHP version : 5.4.23
        Platform : FreeBSD
        --------------------------------------
        test_math                 : 32.632 sec.
        test_stringmanipulation   : 18.053 sec.
        test_loops                : 6.323 sec.
        test_ifelse               : 5.504 sec.
        --------------------------------------
        Total time:               : 62.512 sec.
        
        [2]    Done                          fetch -T 300 -o /dev/stdout http://10.0.0.122
        [1]  + Done                          fetch -T 300 -o /dev/stdout http://10.0.0.121
                

While it runs, top shows the following picture:

        Iter: 1
        65101  16 www           1  35  -20 32548K 11456K CPU4    4   0:35  20.56% php-fpm: pool www (php-fpm)
        65587  17 www           1  52   20 32548K 11456K RUN     4   0:32   0.00% php-fpm: pool www (php-fpm)
        Iter: 2
        65101  16 www           1  60  -20 32548K 11456K RUN     4   0:36  25.98% php-fpm: pool www (php-fpm)
        65587  17 www           1  42   20 32548K 11456K CPU4    4   0:33   2.10% php-fpm: pool www (php-fpm)
        Iter: 3
        65101  16 www           1  60  -20 32548K 11456K CPU4    4   0:36  26.27% php-fpm: pool www (php-fpm)
        65587  17 www           1  94   20 32548K 11456K RUN     4   0:33   8.59% php-fpm: pool www (php-fpm)
        Iter: 4
        65101  16 www           1  61  -20 32548K 11456K CPU4    4   0:37  31.69% php-fpm: pool www (php-fpm)
        65587  17 www           1  95   20 32548K 11456K RUN     4   0:34   9.47% php-fpm: pool www (php-fpm)
        Iter: 5
        65101  16 www           1  62  -20 32548K 11456K CPU4    4   0:37  35.60% php-fpm: pool www (php-fpm)
        65587  17 www           1  95   20 32548K 11456K RUN     4   0:34  11.18% php-fpm: pool www (php-fpm)
        Iter: 6
        65101  16 www           1  64  -20 32548K 11456K CPU4    4   0:38  38.96% php-fpm: pool www (php-fpm)
        65587  17 www           1  96   20 32548K 11456K RUN     4   0:34  12.79% php-fpm: pool www (php-fpm)
        ..
                

The jail with jid 16 gets the higher priority and finishes almost 1.5 times faster.
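To put a number on the effect, the following added example (not part of CBSD or of the original page) averages the WCPU column per JID over the samples captured above. The function names and the assumed column layout of `top -jab` are this example's own.

```shell
#!/bin/sh
# Added example, not part of CBSD: average WCPU per jail from `top -jab` samples.
# Assumed column layout (matches the output above):
#   PID JID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND

jail_cpu_summary() {
    # Prints one line per jail: JID NICE SAMPLES MEAN_WCPU
    awk '
        $1 == "Iter:"            { next }   # loop marker from the polling script
        NF < 13 || $12 !~ /%$/   { next }   # anything that is not a process line
        {
            wcpu = $12
            sub(/%$/, "", wcpu)
            nicev[$2] = $6
            sum[$2] += wcpu
            cnt[$2]++
        }
        END {
            for (jid in sum)
                printf "%s %s %d %.1f\n", jid, nicev[jid], cnt[jid], sum[jid] / cnt[jid]
        }
    ' | sort -n
}

# Sample input: the six iterations shown above.
sample_top_output() {
    cat <<'EOF'
Iter: 1
65101  16 www           1  35  -20 32548K 11456K CPU4    4   0:35  20.56% php-fpm: pool www (php-fpm)
65587  17 www           1  52   20 32548K 11456K RUN     4   0:32   0.00% php-fpm: pool www (php-fpm)
Iter: 2
65101  16 www           1  60  -20 32548K 11456K RUN     4   0:36  25.98% php-fpm: pool www (php-fpm)
65587  17 www           1  42   20 32548K 11456K CPU4    4   0:33   2.10% php-fpm: pool www (php-fpm)
Iter: 3
65101  16 www           1  60  -20 32548K 11456K CPU4    4   0:36  26.27% php-fpm: pool www (php-fpm)
65587  17 www           1  94   20 32548K 11456K RUN     4   0:33   8.59% php-fpm: pool www (php-fpm)
Iter: 4
65101  16 www           1  61  -20 32548K 11456K CPU4    4   0:37  31.69% php-fpm: pool www (php-fpm)
65587  17 www           1  95   20 32548K 11456K RUN     4   0:34   9.47% php-fpm: pool www (php-fpm)
Iter: 5
65101  16 www           1  62  -20 32548K 11456K CPU4    4   0:37  35.60% php-fpm: pool www (php-fpm)
65587  17 www           1  95   20 32548K 11456K RUN     4   0:34  11.18% php-fpm: pool www (php-fpm)
Iter: 6
65101  16 www           1  64  -20 32548K 11456K CPU4    4   0:38  38.96% php-fpm: pool www (php-fpm)
65587  17 www           1  96   20 32548K 11456K RUN     4   0:34  12.79% php-fpm: pool www (php-fpm)
EOF
}

sample_top_output | jail_cpu_summary
```

On a live host, pipe the polling loop's output into `jail_cpu_summary` instead of the sample.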

RACCT/RCTL framework

If your kernel supports RACCT/RCTL, you can set limits on a jail and watch the current statistics for its resources. This is done with the cbsd jrctl command, whose invocations

                        % cbsd jrctl mode=apply  ...
                

and

                        % cbsd jrctl mode=unset  ...
                

are called automatically to set or remove the limits when jstart or jstop runs, respectively. With the command:

                        % cbsd jrctl mode=show
                

you can see the current statistics on the resources a jail consumes. These can be used to generate reports and load graphs for the jail, and the CBSD daemon uses them to generate recommendations on adding resources and overload warnings.

With the command:

                        % cbsd jrctl
                

without arguments, you can see the default limits on all jails. The display argument specifies which fields to output. If display is not specified, its value is taken from the $workdir/etc/defaults/jrctl.conf file, which you can override at your discretion via $workdir/etc/jrctl.conf.

You can edit the limits through

                        % cbsd jrctl-tui jname=jname
                

or, if you are building a hosting platform and want to set limits non-interactively, you can generate the file $workdir/$jname/jail.limits.

With jrctl you can set the following jail limits:

a) Everything the FreeBSD rctl(8) framework can do:

        cputime            CPU time, in seconds
        datasize           data size, in bytes
        stacksize          stack size, in bytes
        coredumpsize       core dump size, in bytes
        memoryuse          resident set size, in bytes
        memorylocked       locked memory, in bytes
        maxproc            number of processes
        openfiles          file descriptor table size
        vmemoryuse         address space limit, in bytes
        pseudoterminals    number of PTYs
        swapuse            swap usage, in bytes
        nthr               number of threads
        msgqqueued         number of queued SysV messages
        msgqsize           SysV message queue size, in bytes
        nmsgq              number of SysV message queues
        nsem               number of SysV semaphores
        nsemop             number of SysV semaphores modified in a single semop(2) call
        nshm               number of SysV shared memory segments
        shmsize            SysV shared memory size, in bytes
        wallclock          wallclock time, in seconds
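For reference, this added example (not CBSD code, and not the jail.limits file format) builds the native rctl(8) rule that a limit on one of the resources above corresponds to, validating its inputs first. The function name `rctl_rule`, the limit values and the choice of `sigterm` for resources that cannot be denied are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CBSD code: build native rctl(8) rules for a jail.
# This is plain rctl(8) rule syntax, not the jail.limits file format.

RCTL_RESOURCES="cputime datasize stacksize coredumpsize memoryuse memorylocked
maxproc openfiles vmemoryuse pseudoterminals swapuse nthr msgqqueued msgqsize
nmsgq nsem nsemop nshm shmsize wallclock"

# rctl_rule JNAME RESOURCE AMOUNT -> prints jail:JNAME:RESOURCE:ACTION=AMOUNT
rctl_rule() {
    jname=$1; resource=$2; amount=$3

    # The rule is colon-separated, so reject names that could alter its shape.
    case $jname in
        ''|*[!A-Za-z0-9_.-]*) echo "bad jail name: $jname" >&2; return 1 ;;
    esac

    known=0
    for r in $RCTL_RESOURCES; do
        if [ "$r" = "$resource" ]; then known=1; fi
    done
    if [ "$known" -ne 1 ]; then
        echo "unknown resource: $resource" >&2; return 1
    fi

    # Amount: digits, optionally followed by a single k/m/g/t suffix.
    case $amount in
        ''|*[!0-9kKmMgGtT]*|[!0-9]*|*[!0-9]?*)
            echo "bad amount: $amount" >&2; return 1 ;;
    esac

    # rctl(8) does not support "deny" for cputime and wallclock; this example
    # falls back to sigterm there (an assumption, log or devctl also work).
    case $resource in
        cputime|wallclock) action=sigterm ;;
        *)                 action=deny ;;
    esac
    printf 'jail:%s:%s:%s=%s\n' "$jname" "$resource" "$action" "$amount"
}

# Constructed limits for the two jails from the renice demonstration.
# Each printed rule can be loaded with: rctl -a <rule>
rctl_rule highprio1 memoryuse 1g
rctl_rule lowprio1 maxproc 200
rctl_rule lowprio1 cputime 3600
```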