Editing UBC auxiliary parameters
Latest revision | Your text | ||
Line 19: | Line 19: | ||
Another example. Each object such as opened file or established network | Another example. Each object such as opened file or established network | ||
− | connection consume certain resources. When the | + | connection consume certain resources. When the Virtual Environment |
is close to exhaustion of the resources allowed to him, it is | is close to exhaustion of the resources allowed to him, it is | ||
usually better to refuse creation of new object than to allow it but deny | usually better to refuse creation of new object than to allow it but deny | ||
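Review bot: With "Virtual Environment" now the subject of the changed line, the unchanged line that follows still reads "the resources allowed to him"; it should be "allowed to it". The context line above also has "Each object ... consume", which should be "consumes". Both are worth fixing in the same edit, since the sentence is being touched anyway.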
Line 28: | Line 28: | ||
<li> | <li> | ||
These parameters improve fault isolation between applications in the | These parameters improve fault isolation between applications in the | ||
− | same | + | same Virtual Environment. Failures or misbehavior of one application |
− | inside a | + | inside a Virtual Environment is more likely to cause hitting a |
limit on some auxiliary parameter and normal termination of this mis- | limit on some auxiliary parameter and normal termination of this mis- | ||
behaving application, rather than abnormal termination of some other | behaving application, rather than abnormal termination of some other | ||
− | long-running application inside the same | + | long-running application inside the same Virtual Environment. |
</li> | </li> | ||
<li> | <li> | ||
These parameters may be used to impose some administrative limits | These parameters may be used to impose some administrative limits | ||
− | on the | + | on the Virtual Environment (for example, to not allow the user to run |
database servers by limiting the amount of [[shmpages]], or limiting the | database servers by limiting the amount of [[shmpages]], or limiting the | ||
number of simultaneous shell sessions through [[numpty]]). | number of simultaneous shell sessions through [[numpty]]). | ||
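Review bot: The first list item keeps a hard hyphen split across two source lines ("mis-" / "behaving"), which wikitext will render as "mis- behaving"; join it into "misbehaving" while editing this paragraph. In the same item, "Failures or misbehavior of one application ... is more likely to cause hitting a limit" is hard to parse; something like "is more likely to hit a limit on some auxiliary parameter" says the same thing more directly.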
Line 64: | Line 64: | ||
The configuration of this parameter doesn't affect security and | The configuration of this parameter doesn't affect security and | ||
− | stability of the whole system or isolation between | + | stability of the whole system or isolation between Virtual Environments. |
Its configuration affects functionality and resource shortage reaction | Its configuration affects functionality and resource shortage reaction | ||
− | of applications in the given | + | of applications in the given Virtual Environment only. |
== shmpages == | == shmpages == | ||
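Review bot: The two sentences changed here ("doesn't affect security and stability of the whole system or isolation between Virtual Environments" / "of applications in the given Virtual Environment only") are repeated verbatim in the hunks at lines 76, 102, 128 and 166, and each copy is edited by hand. Consider moving the paragraph into a shared template so the wording cannot drift between parameter sections.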
Line 76: | Line 76: | ||
The <code>barrier</code> should be set equal to the <code>limit</code>. | The <code>barrier</code> should be set equal to the <code>limit</code>. | ||
The configuration of this parameter doesn't affect security and | The configuration of this parameter doesn't affect security and | ||
− | stability of the whole system or isolation between | + | stability of the whole system or isolation between Virtual Environments. |
Its configuration affects functionality and resource shortage reaction | Its configuration affects functionality and resource shortage reaction | ||
− | of applications in the given | + | of applications in the given Virtual Environment only. |
== physpages == | == physpages == | ||
− | Total number of RAM pages used by processes in | + | Total number of RAM pages used by processes in this Virtual Environment. |
− | For memory pages used by several different | + | For memory pages used by several different Virtual Environments (mappings of |
shared libraries, for example), only a fraction of a page is charged to each | shared libraries, for example), only a fraction of a page is charged to each | ||
− | + | Virtual Environment. | |
− | The sum of the <code>physpages</code> usage for all | + | The sum of the <code>physpages</code> usage for all Virtual Environments |
corresponds to the total number of pages used in the system by all | corresponds to the total number of pages used in the system by all | ||
− | + | Virtual Environments. | |
− | + | <code>Physpages</code> is an accounting-only parameter currently. | |
− | + | In future OpenVZ releases, this parameter will allow to provide guaranteed | |
− | + | amount of application memory, residing in RAM and not swappable. | |
− | For | + | For compatibility with future versions, the <code>barrier</code> of this |
− | + | parameter should be set to <code>0</code> and the <code>limit</code> to | |
− | <code>limit</code> to | + | the maximal allowed value ([[MAX_ULONG]]). |
== numfile == | == numfile == | ||
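Review bot: In the physpages section, the left-hand side of the replaced lines is blank or fragmentary ("For", "<code>limit</code> to"), so it is not possible to tell from this comparison what guidance the "Your text" column is replacing. Please confirm that restoring "accounting-only parameter currently" and the barrier <code>0</code> / limit [[MAX_ULONG]] recommendation does not discard a newer description. The phrases "currently" and "In future OpenVZ releases" would also be easier to maintain if they named the release they refer to.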
Line 102: | Line 102: | ||
The <code>barrier</code> should be set equal to the <code>limit</code>. | The <code>barrier</code> should be set equal to the <code>limit</code>. | ||
The configuration of this parameter doesn't affect security and | The configuration of this parameter doesn't affect security and | ||
− | stability of the whole system or isolation between | + | stability of the whole system or isolation between Virtual Environments. |
Its configuration affects functionality and resource shortage reaction | Its configuration affects functionality and resource shortage reaction | ||
− | of applications in the given | + | of applications in the given Virtual Environment only. |
− | |||
− | |||
== numflock == | == numflock == | ||
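Review bot: Two lines are removed immediately before the "== numflock ==" heading and their content is not shown on either side. Please check that these are only blank lines and not the end of the numfile section, since the later hunk headers shift from 128 to 126 because of this removal.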
Line 128: | Line 126: | ||
The <code>barrier</code> should be set equal to the <code>limit</code>. | The <code>barrier</code> should be set equal to the <code>limit</code>. | ||
The configuration of this parameter doesn't affect security and | The configuration of this parameter doesn't affect security and | ||
− | stability of the whole system or isolation between | + | stability of the whole system or isolation between Virtual Environments. |
Its configuration affects functionality and resource shortage reaction | Its configuration affects functionality and resource shortage reaction | ||
− | of applications in the given | + | of applications in the given Virtual Environment only. |
However, in OpenVZ systems, the actual number of pseudo-terminals allowed | However, in OpenVZ systems, the actual number of pseudo-terminals allowed | ||
− | for one | + | for one Virtual Environment is limited to <code>256</code>. |
== numsiginfo == | == numsiginfo == | ||
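Review bot: The sentence "the actual number of pseudo-terminals allowed for one Virtual Environment is limited to <code>256</code>" states a hard cap but does not say what happens when the parameter's limit is configured above it. Consider adding that a limit higher than 256 has no effect, so administrators do not assume a larger value is honoured.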
Line 141: | Line 139: | ||
to <code>1024</code> for the whole system. | to <code>1024</code> for the whole system. | ||
In OpenVZ installations, <code>numsiginfo</code> limit applies to each | In OpenVZ installations, <code>numsiginfo</code> limit applies to each | ||
− | + | Virtual Environment individually. | |
The <code>barrier</code> should be set equal to the <code>limit</code>. | The <code>barrier</code> should be set equal to the <code>limit</code>. | ||
Very high settings of the <code>limit</code> of this parameter may reduce | Very high settings of the <code>limit</code> of this parameter may reduce | ||
responsiveness of the system. | responsiveness of the system. | ||
− | It is unlikely that any | + | It is unlikely that any Virtual Environment will need the limit greater than |
the Linux default — <code>1024</code>. | the Linux default — <code>1024</code>. | ||
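Review bot: "Very high settings of the limit of this parameter may reduce responsiveness of the system" gives no indication of what counts as very high, while the next sentence names 1024 as sufficient. Consider recommending 1024 explicitly as the value to use. Minor wording in the changed lines: "numsiginfo limit applies" needs an article ("the numsiginfo limit"), and "will need the limit greater than" should be "a limit greater than".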
Line 166: | Line 164: | ||
[[UBC configuration examples]]. | [[UBC configuration examples]]. | ||
The configuration of this parameter doesn't affect security and | The configuration of this parameter doesn't affect security and | ||
− | stability of the whole system or isolation between | + | stability of the whole system or isolation between Virtual Environments. |
Its configuration affects functionality and resource shortage reaction | Its configuration affects functionality and resource shortage reaction | ||
− | of applications in the given | + | of applications in the given Virtual Environment only. |
== numiptent == | == numiptent == | ||
Line 179: | Line 177: | ||
Violation of this restriction may cause failures of operations with | Violation of this restriction may cause failures of operations with | ||
IP packet filter tables (execution of <code>iptables(8)</code>) | IP packet filter tables (execution of <code>iptables(8)</code>) | ||
− | in any | + | in any Virtual Environment or the host system, |
− | or failures of | + | or failures of Virtual Environment starts. |
− | |||
Also, large <code>numiptent</code> cause considerable slowdown of processing | Also, large <code>numiptent</code> cause considerable slowdown of processing | ||
− | of network packets. It is not recommended to allow | + | of network packets. It is not recommended to allow Virtual Environments |
to create more than 200–300 <code>numiptent</code>. | to create more than 200–300 <code>numiptent</code>. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |