SSH – Limit CPU and Memory Resources in Session

cgroupsssh

I have a server with 4 GPUs/128 cores where I use a workload manager (slurm) to manage resource allocation between users for computation.

The issue is that the scheduler server (for job submission) runs on the same machine⁽¹⁾, where users connect through ssh to submit jobs.

I would like to restrict the resource allocation (cpu/mem) for all users only inside their ssh session, so that they will not run heavy computations outside the scheduling system (but they can inside jobs).

I know I can use cgroups to implement such limit, e.g.:

cgcreate -g memory,cpu:cpulimited
cgset -r cpu.shares=100 cpulimited # limit to ~10% of cpu use
cgset -r memory.limit_in_bytes=$((10*1024*1024*1024)) # limit to 10 GB

How can I ensure that any ssh session will be run in this cgroup cpulimited? but in the same time, when slurm lauches a job, I don't want to bypass the limit set by the scheduler (for any user).

(1) I need a workload manager because I have several users and it can be chaotic without it, however I don't have any other machine that could be the scheduling server (like on any standard cluster).

Best Answer

I found a solution to my problem so I share it.

I defined a cgroup customssh/limit using the cgconfig service from the libcgroup. Here is an extract of my cgconfig.conf file:

group customssh/limit {
  perm {
    admin {
      uid=root;
      gid=root;
    }
    task {
      uid=myuser;
      gid=mygroup;
      fperm=775;
    }
  }
  cpu {
    cpu.shares=50;
  }
  memory {
    memory.limit_in_bytes="10G";
    memory.memsw.limit_in_bytes="10G";
    memory.soft_limit_in_bytes="2G";
  }
  devices {
    devices.deny="c 195:* rwm";
  }
}

fperm = 775 allows users of the group mygroup to use this cgroup
I enforce limit on CPU and memory usage, and deny access to GPUs with devices.deny="c 195:* rwm";

I created the file /etc/profile.d/ssh.sh which is run on every login with the following contents:

# check if the user is in a ssh session
if [[ -n $SSH_CONNECTION ]]; then
    # shell PID 
    SESSIONPID=$$
    # attach the shell to the `customssh/limit` cgroup
    cgclassify -g memory,cpu,devices:customssh/limit $SESSIONPID
    # all processes run by this shell will be affected
fi

Edit

As derobert pointed out, X session scope number is not guarantied to be the same. More robust solution is to determine this number at runtime.

File /usr/local/bin/resource_limit.sh:

#!/bin/bash

for s in $(systemd-cgls --no-pager --user-unit \
           | grep --extended-regexp --only-matching \
              'session-.{1,3}\.scope');do
    systemctl set-property --runtime "$s" MemoryLimit="$1"
done

File /etc/systemd/system/resource_limit.service:

[Unit]
Description=Limit resources
Requires=multi-user.target
After=multi-user.target

[Service]
Type=oneshot
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/bin/resource_limit.sh 14G
ExecStop=/usr/local/bin/resource_limit.sh 20G
RemainAfterExit=true

[Install]
WantedBy=graphical.target

Copy files above to your system and issue command

systemctl daemon-reload

After this you may set specified limit (in this case 14G) using command

systemctl start resource_limit.service

and unset it (setting some higher limit value) using command

systemctl stop resource_limit.service

In order to run this script on reboot automatically, issue command

systemctl enable resource_limit.service

Note 1

If your X session does not start fast enough, you may want to increase service delay via ExecStartPre or enable service manually.

Note 2

It is a good idea to also add restrictions to user@1000.service (where 1000 - is a UID) with slightly bigger limit. This way you will always have resources available for system daemons.

Linux – How to Limit Processes to All But One CPU

For simple cases, you don't cgroups, it is simpler just using the taskset command:

taskset --cpu-list 1-7 my_command args ...

The first cpu core is 0, this omits 0 from the list. To omit some other core you could do something like: --cpu-list 0,1,3,4,5,6,7

Best Answer

Related Solutions

Limit cpu and memory consumption of all X applications

Edit

Note 1

Note 2

Linux – How to Limit Processes to All But One CPU

Related Question