This chapter describes how to administer the resource controls facility.
For an overview of the resource controls facility, see Chapter 6, Resource Controls (Overview).
| Task | Description | For Instructions | 
|---|---|---|
| Set resource controls. | Set resource controls for a project in the /etc/project file. | |
| Get or revise the resource control values for active processes, tasks, or projects, with local scope. | Make runtime interrogations of and modifications to the resource controls associated with an active process, task, or project on the system. | |
| On a running system, view or update the global state of resource controls. | View the global logging state of each resource control on a system-wide basis. Also set up the level of syslog logging when controls are exceeded. | |
| Report status of active interprocess communication (IPC) facilities. | Display information about active interprocess communication (IPC) facilities. Observe which IPC objects are contributing to a project's usage. | |
| Determine whether a web server is allocated sufficient CPU capacity. | Set a global action on a resource control. This action enables you to receive notice of any entity that has a resource control value that is set too low. | How to Determine Whether a Web Server Is Allocated Enough CPU Capacity | 
 How to Set the Maximum Number of LWPs for
Each Task in a Project
How to Set the Maximum Number of LWPs for
Each Task in a ProjectThis procedure adds a project named x-files to the /etc/project file and sets a maximum number of LWPs for a task created in the project.
Become superuser or assume an equivalent role.
Use the projadd command with the -K option to create a project called x-files. Set the maximum number of LWPs for each task created in the project to 3.
| # projadd -K 'task.max-lwps=(privileged,3,deny)' x-files | 
View the entry in the /etc/project file by using one of the following methods:
Type:
| # projects -l
system
        projid : 0
        comment: ""
        users  : (none)
        groups : (none)
        attribs: 
.
.
.
x-files
        projid : 100
        comment: ""
        users  : (none)
        groups : (none)
        attribs: task.max-lwps=(privileged,3,deny) | 
Type:
| # cat /etc/project system:0:System::: . . . x-files:100::::task.max-lwps=(privileged,3,deny) | 
After implementing the steps in this procedure, when superuser creates a new task in project x-files by joining the project with newtask, superuser will not be able to create more than three LWPs while running in this task. This is shown in the following annotated sample session.
| # newtask -p x-files csh
# prctl -n task.max-lwps $$
process: 111107: csh
NAME    PRIVILEGE    VALUE    FLAG   ACTION            RECIPIENT
task.max-lwps
        privileged       3       -   deny                      -
        system       2.15G     max   deny                      -
# id -p
uid=0(root) gid=1(other) projid=100(x-files)
# ps -o project,taskid -p $$
 PROJECT TASKID
 x-files    73
# csh        /* creates second LWP */
# csh        /* creates third LWP */
# csh        /* cannot create more LWPs */
Vfork failed
# | 
 How to Set Multiple Controls on a Project
How to Set Multiple Controls on a ProjectThe /etc/project file can contain settings for multiple resource controls for each project as well as multiple threshold values for each control. Threshold values are defined in action clauses, which are comma-separated for multiple values.
Become superuser or assume an equivalent role.
Use the projmod command with the -s and -K options to set resource controls on project x-files:
| # projmod -s -K 'task.max-lwps=(basic,10,none),(privileged,500,deny); process.max-file-descriptor=(basic,128,deny)' x-filesone line in file | 
The following controls are set:
A basic control with no action on the maximum LWPs per task.
A privileged deny control on the maximum LWPs per task. This control causes any LWP creation that exceeds the maximum to fail, as shown in the previous example How to Set the Maximum Number of LWPs for Each Task in a Project.
A limit on the maximum file descriptors per process at the basic level, which forces the failure of any open call that exceeds the maximum.
View the entry in the file by using one of the following methods:
Type:
| # projects -l
.
.
.
x-files
        projid : 100
        comment: ""
        users  : (none)
        groups : (none)
        attribs: process.max-file-descriptor=(basic,128,deny)
                 task.max-lwps=(basic,10,none),(privileged,500,deny) one line in file
 | 
Type:
| # cat etc/project . . . x-files:100::::process.max-file-descriptor=(basic,128,deny); task.max-lwps=(basic,10,none),(privileged,500,deny) one line in file | 
Use the prctl command to make runtime interrogations of and modifications to the resource controls associated with an active process, task, or project on the system. See the prctl(1) man page for more information.
 How to Use the prctl Command to
Display Default Resource Control Values
How to Use the prctl Command to
Display Default Resource Control ValuesThis procedure must be used on a system on which no resource controls have been set or changed. There can be only non-default entries in the /etc/system file or in the project database.
Use the prctl command on any process, such as the current shell that is running.
| 
# prctl $$
process: 100337: -sh
NAME    PRIVILEGE       VALUE    FLAG   ACTION                   RECIPIENT
process.max-port-events
        privileged      65.5K       -   deny                             -
        system          2.15G     max   deny                             -
process.crypto-buffer-limit
        system          16.0EB    max   deny                             -
process.max-crypto-sessions
        system          18.4E     max   deny                             -
process.add-crypto-sessions
        privileged        100       -   deny                             -
        system          18.4E     max   deny                             -
process.min-crypto-sessions
        privileged         20       -   deny                             -
        system          18.4E     max   deny                             -
process.max-msg-messages
        privileged      8.19K       -   deny                             -
        system          4.29G     max   deny                             -
process.max-msg-qbytes
        privileged      64.0KB      -   deny                             -
        system          16.0EB    max   deny                             -
process.max-sem-ops
        privileged        512       -   deny                             -
        system          2.15G     max   deny                             -
process.max-sem-nsems
        privileged        512       -   deny                             -
        system          32.8K     max   deny                             -
process.max-address-space
        privileged      16.0EB    max   deny                             -
        system          16.0EB    max   deny                             -
process.max-file-descriptor
        basic             256       -   deny                        100337
        privileged      65.5K       -   deny                             -
        system          2.15G     max   deny                             -
process.max-core-size
        privileged      8.00EB    max   deny                             -
        system          8.00EB    max   deny                             -
process.max-stack-size
        basic           8.00MB      -   deny                        100337
        privileged      8.00EB      -   deny                             -
        system          8.00EB    max   deny                             -
process.max-data-size
        privileged      16.0EB    max   deny                             -
        system          16.0EB    max   deny                             -
process.max-file-size
        privileged      8.00EB    max   deny,signal=XFSZ                 -
        system          8.00EB    max   deny                             -
process.max-cpu-time
        privileged      18.4Es    inf   signal=XCPU                      -
        system          18.4Es    inf   none                             -
task.max-cpu-time
        system          18.4Es    inf   none                             -
task.max-lwps
        system          2.15G     max   deny                             -
project.max-contracts
        privileged      10.0K       -   deny                             -
        system          2.15G     max   deny                             -
project.max-device-locked-memory
        privileged       499MB      -   deny                             -
        system          16.0EB    max   deny                             -
project.max-port-ids
        privileged      8.19K       -   deny                             -
        system          65.5K     max   deny                             -
project.max-shm-memory
        privileged      1.95GB      -   deny                             -
        system          16.0EB    max   deny                             -
project.max-shm-ids
        privileged        128       -   deny                             -
        system          16.8M     max   deny                             -
project.max-msg-ids
        privileged        128       -   deny                             -
        system          16.8M     max   deny                             -
project.max-sem-ids
        privileged        128       -   deny                             -
        system          16.8M     max   deny                             -
project.max-tasks
        system          2.15G     max   deny                             -
project.max-lwps
        system          2.15G     max   deny                             -
project.cpu-shares
        privileged          1       -   none                             -
        system          65.5K     max   none                             -
zone.max-lwps
        system          2.15G     max   deny                             -
zone.cpu-shares
        privileged          1       -   none                             -
        system          65.5K     max   none                             - | 
 How to Use the prctl Command to
Display Information for a Given Resource Control
How to Use the prctl Command to
Display Information for a Given Resource ControlDisplay the maximum file descriptor for the current shell that is running.
| # prctl -n process.max-file-descriptor $$
process: 110453: -sh
NAME    PRIVILEGE       VALUE    FLAG   ACTION       RECIPIENT
process.max-file-descriptor
        basic             256       -   deny            110453
        privileged      65.5K       -   deny                 -
        system          2.15G     max   deny      | 
 How to Use prctl to Temporarily
Change a Value
How to Use prctl to Temporarily
Change a ValueThis example procedure uses the prctl command to temporarily add a new privileged value to deny the use of more than three LWPs per project for the x-files project. The result is comparable to the result in How to Set the Maximum Number of LWPs for Each Task in a Project.
Become superuser or assume an equivalent role.
Use newtask to join the x-files project.
| # newtask -p x-files | 
Use the id command with the -p option to verify that the correct project has been joined.
| # id -p uid=0(root) gid=1(other) projid=101(x-files) | 
Add a new privileged value for project.max-lwps that limits the number of LWPs to three.
| # prctl -n project.max-lwps -t privileged -v 3 -e deny -i project x-files | 
Verify the result.
| # prctl -n project.max-lwps -i project x-files
process: 111108: csh
NAME    PRIVILEGE    VALUE    FLAG   ACTION            RECIPIENT
project.max-lwps
        privileged       3       -   deny                      -
        system       2.15G     max   deny                      - | 
 How to Use prctl to Lower
a Resource Control Value
How to Use prctl to Lower
a Resource Control ValueBecome superuser or assume an equivalent role.
Use the prctl command with the -r option to change the lowest value of the process.max-file-descriptor resource control.
| # prctl -n process.max-file-descriptor -r -v 128 $$ | 
 How to Use prctl to Display,
Replace, and Verify the Value of a Control on a Project
How to Use prctl to Display,
Replace, and Verify the Value of a Control on a ProjectBecome superuser or assume an equivalent role.
Display the value of project.cpu-shares in the project group.staff.
| # prctl -n project.cpu-shares -i project group.staff
project: 2: group.staff
NAME    PRIVILEGE       VALUE    FLAG   ACTION     RECIPIENT
project.cpu-shares
        privileged          1       -   none               -
        system          65.5K     max   none  | 
Replace the current project.cpu-shares value 1 with the value 10.
| # prctl -n project.cpu-shares -v 10 -r -i project group.staff | 
Display the value of project.cpu-shares in the project group.staff.
| # prctl -n project.cpu-shares -i project group.staff
project: 2: group.staff
NAME    PRIVILEGE       VALUE    FLAG   ACTION     RECIPIENT
project.cpu-shares
        privileged         10       -   none               -
        system          65.5K     max   none  | 
Use the rctladm command to make runtime interrogations of and modifications to the global state of the resource controls facility. See the rctladm(1M) man page for more information.
For example, you can use rctladm with the -e option to enable the global syslog attribute of a resource control. When the control is exceeded, notification is logged at the specified syslog level. To enable the global syslog attribute of process.max-file-descriptor, type the following:
| # rctladm -e syslog process.max-file-descriptor | 
When used without arguments, the rctladm command displays the global flags, including the global type flag, for each resource control.
| # rctladm process.max-port-events syslog=off [ deny count ] process.max-msg-messages syslog=off [ deny count ] process.max-msg-qbytes syslog=off [ deny bytes ] process.max-sem-ops syslog=off [ deny count ] process.max-sem-nsems syslog=off [ deny count ] process.max-address-space syslog=off [ lowerable deny no-signal bytes ] process.max-file-descriptor syslog=off [ lowerable deny count ] process.max-core-size syslog=off [ lowerable deny no-signal bytes ] process.max-stack-size syslog=off [ lowerable deny no-signal bytes ] . . . | 
Use the ipcs utility to display information about active interprocess communication (IPC) facilities. See the ipcs(1) man page for more information.
You can use ipcs with the -J option to see which project's limit an IPC object is allocated against.
| # ipcs -J
    IPC status from <running system> as of Wed Mar 26 18:53:15 PDT 2003
T         ID      KEY        MODE       OWNER    GROUP    PROJECT
Message Queues:
Shared Memory:
m       3600      0       --rw-rw-rw-   uname    staff    x-files
m        201      0       --rw-rw-rw-   uname    staff    x-files
m       1802      0       --rw-rw-rw-   uname    staff    x-files
m        503      0       --rw-rw-rw-   uname    staff    x-files
m        304      0       --rw-rw-rw-   uname    staff    x-files
m        605      0       --rw-rw-rw-   uname    staff    x-files
m          6      0       --rw-rw-rw-   uname    staff    x-files
m        107      0       --rw-rw-rw-   uname    staff    x-files
Semaphores:
s          0      0       --rw-rw-rw-   uname    staff    x-files | 
A global action on a resource control enables you to receive notice of any entity that is tripping over a resource control value that is set too low.
For example, assume you want to determine whether a web server possesses sufficient CPUs for its typical workload. You could analyze sar data for idle CPU time and load average. You could also examine extended accounting data to determine the number of simultaneous processes that are running for the web server process.
However, an easier approach is to place the web server in a task. You can then set a global action, using syslog, to notify you whenever a task exceeds a scheduled number of LWPs appropriate for the machine's capabilities.
See the sar(1) man page for more information.
 How to Determine Whether a Web Server Is
Allocated Enough CPU Capacity
How to Determine Whether a Web Server Is
Allocated Enough CPU CapacityUse the prctl command to place a privileged (superuser-owned) resource control on the tasks that contain an httpd process. Limit each task's total number of LWPs to 40, and disable all local actions.
| # prctl -n task.max-lwps -v 40 -t privileged -d all `pgrep httpd` | 
Enable a system log global action on the task.max-lwps resource control.
| # rctladm -e syslog task.max-lwps | 
Observe whether the workload trips the resource control.
If it does, you will see /var/adm/messages such as:
| Jan 8 10:15:15 testmachine unix: [ID 859581 kern.notice] NOTICE: privileged rctl task.max-lwps exceeded by task 19 |