This chapter describes how to administer the resource controls facility.For an overview of the resource controls facility, see Chapter 6, Resource Controls (Overview). Task Description For Instructions Set resource controls. Set resource controls for a project in the /etc/project file. Setting Resource Controls Get or revise the resource control values for active processes, tasks, or projects, with local scope. Make runtime interrogations of and modifications to the resource controls associated with an active process, task, or project on the system. Using the prctl Command On a running system, view or update the global state of resource controls. View the global logging state of each resource control on a system-wide basis. Also set up the level of syslog logging when controls are exceeded. Using rctladm Report status of active interprocess communication (IPC) facilities. Display information about active interprocess communication (IPC) facilities. Observe which IPC objects are contributing to a project's usage. Using ipcs Determine whether a web server is allocated sufficient CPU capacity. Set a global action on a resource control. This action enables you to receive notice of any entity that has a resource control value that is set too low. How to Determine Whether a Web Server Is Allocated Enough CPU Capacity This procedure adds a project named x-files to the /etc/project file and sets a maximum number of LWPs for a task created in the project. Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use the projadd command with the K option to create a project called x-files. Set the maximum number of LWPs for each task created in the project to 3.# projadd -K 'task.max-lwps=(privileged,3,deny)' x-files View the entry in the /etc/project file by using one of the following methods:Type:# projects -l system projid : 0 comment: "" users : (none) groups : (none) attribs: . . . x-files projid : 100 comment: "" users : (none) groups : (none) attribs: task.max-lwps=(privileged,3,deny) Type:# cat /etc/project system:0:System::: . . . x-files:100::::task.max-lwps=(privileged,3,deny) After implementing the steps in this procedure, when superuser creates a new task in project x-files by joining the project with newtask, superuser will not be able to create more than three LWPs while running in this task. This is shown in the following annotated sample session.# newtask -p x-files csh # prctl -n task.max-lwps $$ process: 111107: csh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT task.max-lwps privileged 3 - deny - system 2.15G max deny - # id -p uid=0(root) gid=1(other) projid=100(x-files) # ps -o project,taskid -p $$ PROJECT TASKID x-files 73 # csh /* creates second LWP */ # csh /* creates third LWP */ # csh /* cannot create more LWPs */ Vfork failed # The /etc/project file can contain settings for multiple resource controls for each project as well as multiple threshold values for each control. Threshold values are defined in action clauses, which are comma-separated for multiple values. Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use the projmod command with the s and K options to set resource controls on project x-files:# projmod -s -K 'task.max-lwps=(basic,10,none),(privileged,500,deny); process.max-file-descriptor=(basic,128,deny)' x-filesone line in fileThe following controls are set:A basic control with no action on the maximum LWPs per task. A privileged deny control on the maximum LWPs per task. This control causes any LWP creation that exceeds the maximum to fail, as shown in the previous example How to Set the Maximum Number of LWPs for Each Task in a Project. A limit on the maximum file descriptors per process at the basic level, which forces the failure of any open call that exceeds the maximum. View the entry in the file by using one of the following methods:Type:# projects -l . . . x-files projid : 100 comment: "" users : (none) groups : (none) attribs: process.max-file-descriptor=(basic,128,deny) task.max-lwps=(basic,10,none),(privileged,500,deny) one line in file Type:# cat etc/project . . . x-files:100::::process.max-file-descriptor=(basic,128,deny); task.max-lwps=(basic,10,none),(privileged,500,deny) one line in file Use the prctl command to make runtime interrogations of and modifications to the resource controls associated with an active process, task, or project on the system. See the prctl1 man page for more information.This procedure must be used on a system on which no resource controls have been set or changed. There can be only non-default entries in the /etc/system file or in the project database. Use the prctl command on any process, such as the current shell that is running.# prctl $$ process: 100337: -sh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT process.max-port-events privileged 65.5K - deny - system 2.15G max deny - process.crypto-buffer-limit system 16.0EB max deny - process.max-crypto-sessions system 18.4E max deny - process.add-crypto-sessions privileged 100 - deny - system 18.4E max deny - process.min-crypto-sessions privileged 20 - deny - system 18.4E max deny - process.max-msg-messages privileged 8.19K - deny - system 4.29G max deny - process.max-msg-qbytes privileged 64.0KB - deny - system 16.0EB max deny - process.max-sem-ops privileged 512 - deny - system 2.15G max deny - process.max-sem-nsems privileged 512 - deny - system 32.8K max deny - process.max-address-space privileged 16.0EB max deny - system 16.0EB max deny - process.max-file-descriptor basic 256 - deny 100337 privileged 65.5K - deny - system 2.15G max deny - process.max-core-size privileged 8.00EB max deny - system 8.00EB max deny - process.max-stack-size basic 8.00MB - deny 100337 privileged 8.00EB - deny - system 8.00EB max deny - process.max-data-size privileged 16.0EB max deny - system 16.0EB max deny - process.max-file-size privileged 8.00EB max deny,signal=XFSZ - system 8.00EB max deny - process.max-cpu-time privileged 18.4Es inf signal=XCPU - system 18.4Es inf none - task.max-cpu-time system 18.4Es inf none - task.max-lwps system 2.15G max deny - project.max-contracts privileged 10.0K - deny - system 2.15G max deny - project.max-device-locked-memory privileged 499MB - deny - system 16.0EB max deny - project.max-port-ids privileged 8.19K - deny - system 65.5K max deny - project.max-shm-memory privileged 1.95GB - deny - system 16.0EB max deny - project.max-shm-ids privileged 128 - deny - system 16.8M max deny - project.max-msg-ids privileged 128 - deny - system 16.8M max deny - project.max-sem-ids privileged 128 - deny - system 16.8M max deny - project.max-tasks system 2.15G max deny - project.max-lwps system 2.15G max deny - project.cpu-shares privileged 1 - none - system 65.5K max none - zone.max-lwps system 2.15G max deny - zone.cpu-shares privileged 1 - none - system 65.5K max none - Display the maximum file descriptor for the current shell that is running.# prctl -n process.max-file-descriptor $$ process: 110453: -sh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT process.max-file-descriptor basic 256 - deny 110453 privileged 65.5K - deny - system 2.15G max deny This example procedure uses the prctl command to temporarily add a new privileged value to deny the use of more than three LWPs per project for the x-files project. The result is comparable to the result in How to Set the Maximum Number of LWPs for Each Task in a Project. Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use newtask to join the x-files project.# newtask -p x-files Use the id command with the p option to verify that the correct project has been joined.# id -p uid=0(root) gid=1(other) projid=101(x-files) Add a new privileged value for project.max-lwps that limits the number of LWPs to three.# prctl -n project.max-lwps -t privileged -v 3 -e deny -i project x-files Verify the result.# prctl -n project.max-lwps -i project x-files process: 111108: csh NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT project.max-lwps privileged 3 - deny - system 2.15G max deny - Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Use the prctl command with the r option to change the lowest value of the process.max-file-descriptor resource control.# prctl -n process.max-file-descriptor -r -v 128 $$ Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Display the value of project.cpu-shares in the project group.staff.# prctl -n project.cpu-shares -i project group.staff project: 2: group.staff NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT project.cpu-shares privileged 1 - none - system 65.5K max none Replace the current project.cpu-shares value 1 with the value 10.# prctl -n project.cpu-shares -v 10 -r -i project group.staff Display the value of project.cpu-shares in the project group.staff.# prctl -n project.cpu-shares -i project group.staff project: 2: group.staff NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT project.cpu-shares privileged 10 - none - system 65.5K max none Use the rctladm command to make runtime interrogations of and modifications to the global state of the resource controls facility. See the rctladm1M man page for more information.For example, you can use rctladm with the e option to enable the global syslog attribute of a resource control. When the control is exceeded, notification is logged at the specified syslog level. To enable the global syslog attribute of process.max-file-descriptor, type the following:# rctladm -e syslog process.max-file-descriptorWhen used without arguments, the rctladm command displays the global flags, including the global type flag, for each resource control.# rctladm process.max-port-events syslog=off [ deny count ] process.max-msg-messages syslog=off [ deny count ] process.max-msg-qbytes syslog=off [ deny bytes ] process.max-sem-ops syslog=off [ deny count ] process.max-sem-nsems syslog=off [ deny count ] process.max-address-space syslog=off [ lowerable deny no-signal bytes ] process.max-file-descriptor syslog=off [ lowerable deny count ] process.max-core-size syslog=off [ lowerable deny no-signal bytes ] process.max-stack-size syslog=off [ lowerable deny no-signal bytes ] . . . Use the ipcs utility to display information about active interprocess communication (IPC) facilities. See the ipcs1 man page for more information.You can use ipcs with the J option to see which project's limit an IPC object is allocated against.# ipcs -J IPC status from <running system> as of Wed Mar 26 18:53:15 PDT 2003 T ID KEY MODE OWNER GROUP PROJECT Message Queues: Shared Memory: m 3600 0 --rw-rw-rw- uname staff x-files m 201 0 --rw-rw-rw- uname staff x-files m 1802 0 --rw-rw-rw- uname staff x-files m 503 0 --rw-rw-rw- uname staff x-files m 304 0 --rw-rw-rw- uname staff x-files m 605 0 --rw-rw-rw- uname staff x-files m 6 0 --rw-rw-rw- uname staff x-files m 107 0 --rw-rw-rw- uname staff x-files Semaphores: s 0 0 --rw-rw-rw- uname staff x-files A global action on a resource control enables you to receive notice of any entity that is tripping over a resource control value that is set too low.For example, assume you want to determine whether a web server possesses sufficient CPUs for its typical workload. You could analyze sar data for idle CPU time and load average. You could also examine extended accounting data to determine the number of simultaneous processes that are running for the web server process.However, an easier approach is to place the web server in a task. You can then set a global action, using syslog, to notify you whenever a task exceeds a scheduled number of LWPs appropriate for the machine's capabilities.See the sar1 man page for more information.Use the prctl command to place a privileged (superuser-owned) resource control on the tasks that contain an httpd process. Limit each task's total number of LWPs to 40, and disable all local actions.# prctl -n task.max-lwps -v 40 -t privileged -d all `pgrep httpd` Enable a system log global action on the task.max-lwps resource control.# rctladm -e syslog task.max-lwps Observe whether the workload trips the resource control.If it does, you will see /var/adm/messages such as:Jan 8 10:15:15 testmachine unix: [ID 859581 kern.notice] NOTICE: privileged rctl task.max-lwps exceeded by task 19