How to limit an entire user to less than 10% of cpu, not just process?

Solution 1:

You are correct that you can't limit your friend using a process (PID): Apache spawns a new process (Worker) for every request it receives, assigning a new PID each time.

Depending on which PHP handler you set up in WHM -> MultiPHP Manager -> PHP Handlers, Apache will either run PHP scripts as itself or run them as the user that owns the file. If you use suPHP as the handler, the PHP process will be executed by the account that owns the file.

If the script is executed by the owner, you can limit CPU usage for an account by adding it to the /etc/security/limits.conf file. While you can't use this to limit CPU percentage exactly, you can modify their 'nice' value so their processes take a lower priority than other processes on the server. As such, other processes won't have to wait as long.

I've never used this myself (I run CloudLinux), but I believe the following entry should help with the problem:

username    hard    priority    30

This sets the maximum priority for processes executed by the user to 30. From what I understand, a higher priority actually means that other processes (with a lower priority) get more CPU time.

On my server running cPanel, most processes have a priority of 20, so following the above logic, setting the priority for that user to 30 should allow other processes to execute before these processes.

Solution 2:

Have you tried Cgroups?


  • Install the service with sudo yum install libcgroup and start it with sudo service cgconfig start.
  • After that, view the subsystem configuration for the cgroups by running sudo ls /cgroup

Create a cgroup named limitcpu. Lines that start with group create cgroups and set subsystem parameters.

Example /etc/cgconfig.conf:

group limitcpu{

        cpu {
                cpu.shares = 200;
                # cpu.cfs_period_us
                # cpu.cfs_quota_us
        }
        memory {

        }
}

For CPU limiting, there are a couple of tunable parameters that you can use to limit blatant CPU usage.

If tasks in a cgroup should be able to access a single CPU for 0.1 (10%) seconds out of every 1 second, set cpu.cfs_quota_us to 100000 and cpu.cfs_period_us to 1000000.


Cgred is a service (which starts the cgrulesengd service) that moves tasks into cgroups according to parameters set in the /etc/cgrules.conf file. Entries in the /etc/cgrules.conf file can take one of these two forms:

user subsystems control_group
user:command subsystems control_group

Here, user is a user name or a group name prefixed with the "@" character, subsystems is a comma-separated list of subsystem names, control_group represents a path to the cgroup, and command stands for a process name or a full command path of a process.

Example /etc/cgrules.conf:

*:firefox      cpu,memory      browsers/
@admin:memhog  memory          limitmem/
cpuhog         cpu             limitcpu/

  • firefox processes run by any user will be automatically added to the browsers cgroup and limited in cpu and memory subsystems.

  • memhog processes run by anyone in the admin group will be added to the cgroup limitmem and limited in memory subsystem.

  • Your user, cpuhog, will be added to cgroup 'limitcpu' and limited in cpu subsystems.


In advanced use cases, you can try utilizing a template instead.

For example, specify the following template in /etc/cgconfig.conf:

template users/%g/%u {
        cpuacct {
        }
        cpu {
                cpu.shares = "1000";
        }
}

Then use the users/%g/%u template in the third row of a /etc/cgrules.conf entry, which can look as follows:

peter:ftp       cpu     users/%g/%u

The %g and %u variables used above are automatically replaced with group and user name depending on the owner of the ftp process.

If the process belongs to peter from the adminstaff group, the above path is translated to users/adminstaff/peter.

The cgred service then searches for this directory, and if it does not exist, cgred creates it and assigns the process to users/adminstaff/peter/tasks.

Note that template rules apply only to definitions of templates in configuration files, so even if "group users/adminstaff/peter" was defined in /etc/cgconfig.conf, it would be ignored in favor of "template users/%g/%u".

Tutorial by Digital Ocean.

Introduction to Control Groups.
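
Added example, not part of either answer above and not code from libcgroup: a small Python checker that reads entries in the two /etc/cgrules.conf forms shown in Solution 2, resolves which cgroup a process would be placed in (including %g/%u template expansion), and lists which of a user's commands would still run outside a cpu cgroup. The function names are hypothetical, the rule set is a constructed sample built from the entries quoted above, and it assumes the first matching rule wins and that the caller passes the user's primary group as groups[0].

```python
import os

# Constructed sample: the entries quoted in the answer above.
SAMPLE_RULES = """\
*:firefox      cpu,memory      browsers/
@admin:memhog  memory          limitmem/
cpuhog         cpu             limitcpu/
peter:ftp      cpu             users/%g/%u
"""

def parse_rules(text):
    """Parse 'user[:command] subsystems control_group' lines into tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"expected 3 columns: {line!r}")
        who, _, command = fields[0].partition(":")
        rules.append((who, command or None, fields[1].split(","), fields[2]))
    return rules

def who_matches(who, user, groups):
    # "*" is any user, "@name" is group membership, anything else a user name
    return who == "*" or who == user or (who[:1] == "@" and who[1:] in groups)

def resolve(rules, user, groups, command):
    """First matching rule wins (assumed); groups[0] is used for %g."""
    for who, cmd, subsystems, dest in rules:
        if not who_matches(who, user, groups):
            continue
        if cmd is not None and cmd not in (command, os.path.basename(command)):
            continue
        path = dest.replace("%u", user).replace("%g", groups[0])
        return subsystems, path.rstrip("/")
    return None

def uncovered(rules, user, groups, subsystem="cpu"):
    """Commands the user can run outside any `subsystem` cgroup; "*" = all others."""
    gaps = []
    for who, cmd, subsystems, _ in rules:
        if not who_matches(who, user, groups):
            continue
        if subsystem not in subsystems:
            gaps.append(cmd or "*")
        if cmd is None:          # user-wide rule: nothing after it is reached
            return gaps
    return gaps + ["*"]
```

With the sample rules, uncovered() returns an empty list for cpuhog (the user-wide rule catches everything) but ["*"] for peter, whose only rule is limited to the ftp command.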