How to stop users from running CPU heavy programs on a server?

I have a 24 core server, which users connect to through SSH.

It is not meant for them to run CPU heavy programs like MATLAB, R or their own scripts that perform simulations or things like that.

Are there ways to detect and kill -9 CPU heavy processes automatically?


Solution 1:

You should use cgroups to do this.

See "man cgrules.conf" and "man cgconfig.conf".

Later versions of systemctl on Fedora should support sticking users directly into a cgroup, so you can do it better that way.

This won't limit CPU in the sense that if there are available CPU resources (which nobody is using) it will use all the CPU; however, if something else is also demanding CPU, it will allocate a share of the CPU based on the configured "cpu.shares" value.

Also, as suggested, sticking a ulimit on CPU time will ensure a running process is given a cumulative number of jiffies before being killed for using too much CPU. This might negatively impact long-running processes a user is using which, over a long period of time, have accumulated a certain number of jiffies naturally.

You could also use cgroups to enforce that all of a user's processes live on one of your cores only, so that you can at least guarantee that if one CPU is being overwhelmed it has no negative impact on the rest of the operating system's processes.

CGroups is also an awesome way to limit memory usage. You can combine it with pam_limits to prevent fork bombing.

Edit: I should also point out that what I think you're asking for is not necessarily relevant. Having 1 process use up 100% of the CPU is not necessarily bad, provided time is given for other processes to run. The Completely Fair Scheduler on Linux guarantees this behaviour anyway.

If the CPU is just idling, there's nothing wrong with one process using up all the CPU. Your problem only comes where multiple processes are demanding CPU time and one of the processes is hogging the CPU. This is where cgroups should be of benefit, as it permits you to control how much CPU time you'll allocate to different processes in the event of CPU contention.
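
An added example (not part of the original answer): a minimal libcgroup configuration for the approach in Solution 1, combining a low "cpu.shares" weight with pinning to a single core. It assumes cgroup v1 with the cpu and cpuset controllers already mounted and the cgrulesengd daemon running; the Unix group name sshusers, the cgroup name limited, the share value and the core and memory-node numbers are assumptions chosen for illustration.

```conf
# --- /etc/cgconfig.conf ---
# Hypothetical cgroup "limited" for interactive SSH users.
group limited {
    cpu {
        # Relative weight that only matters under contention. A cgroup
        # defaults to 1024, so against one busy default-weight sibling
        # this group receives 128 / (128 + 1024) = 1/9 of the CPU time.
        # With no competition it can still use all the CPU it is allowed.
        cpu.shares = 128;
    }
    cpuset {
        # Confine the group to the last of the 24 cores (numbered 0-23).
        cpuset.cpus = "23";
        # cpuset.mems must be set before any task can join the group;
        # memory node 0 is an assumption about this machine.
        cpuset.mems = "0";
    }
}

# --- /etc/cgrules.conf ---
# <user or @group>   <controllers>   <destination cgroup>
# Every process owned by a member of the (hypothetical) sshusers group
# is placed into the "limited" cgroup for both controllers.
@sshusers            cpu,cpuset      limited/
```

On a cgroup v2 system the corresponding weight is set through cpu.weight rather than cpu.shares.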

Solution 2:

You can limit users' resource usage with PAM.

I never tried it so I have no clue if it works properly or not...