[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limit memory consumption of an ad hoc process

Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 11:01:25PM -0400, The Wanderer wrote:
> > On 2021-07-05 at 22:42, Victor Sudakov wrote:
> > 
> > > Greg Wooledge wrote:
> > 
> > >> And in any case, when you test this stuff, use the subshells.  
> > > 
> > > Well, my goal is to find a way to limit programs run from cron, PHP's
> > > proc_open() etc., not from the interactive shell. What would you advise?
> > 
> > Is there any reason to think that the ulimit approach wouldn't work in
> > that type of context, as well as when invoked from within a shell?
> Depends on how the cron job is set up.  If the cron job never calls
> bash (but rather, sh) then you can't use bash's ulimit.
> Likewise, I would guess that PHP's proc_open() calls /bin/sh, not bash,
> but you'd have to ask a (more experienced) PHP user.

I suppose PHP's proc_open() does not call any shell at all, it executes
the binary directly. To execute command in a shell, there is
shell_exec() but it does not give access to the executed program's

I think I can call the prlimit wrapper from proc_open() and that should do.

> > > The equivalent of FreeBSD's `/usr/bin/limits` wrapper seems to be
> > > `/usr/bin/prlimit` but I'm really at a loss what limit to specify for
> > > testing (the equivalent of `ulimit -v`). Should be RLIMIT_AS but --as 
> > > crashes prlimit:
> > > 
> > > $ prlimit --as=1048576 /bin/ls
> > > /bin/ls: error while loading shared libraries: libselinux.so.1: failed to map segment from shared object
> Sounds like you set it too low.  Remember, setrlimit(2) and prlimit(2)
> say that RLIMIT_DATA is specified in bytes.  This is not the same as
> bash's ulimit.

I've never thought 1MB would be too low for /bin/ls, but it seems you are
right. Over 2MB required for a simple /bin/true!

$ prlimit --as=2000000 /bin/true
/bin/true: error while loading shared libraries: libc.so.6: failed to map segment from shared object
$ prlimit --as=2500000 /bin/true

But prlimit works mostly as expected:

$ prlimit --as=1073741824 stress-ng stress-ng --vm 1 --vm-bytes 2G
stress-ng: info:  [19042] defaulting to a 86400 second (1 day, 0.00 secs) run per stressor
stress-ng: info:  [19042] dispatching hogs: 1 vm
stress-ng: error: [19044] stress-ng-vm: gave up trying to mmap, no available memory
stress-ng: info:  [19042] successful run completed in 10.01s

Victor Sudakov VAS4-RIPE

Attachment: signature.asc
Description: PGP signature

Reply to: