How to stop users from running CPU heavy programs on a server?
I have a 24 core server, which users connect to through SSH.
It is not meant for them to run CPU heavy programs like MATLAB, R or their own scripts that perform simulations or things like that.
Are there ways to detect and kill -9
CPU heavy processes automatically?
Solution 1:
You should use cgroups to do this.
See "man cgrules.conf" and "man cgconfig.conf".
Later versions of systemctl on fedora should support sticking users directly into a cgroup so you can do it better that way.
This wont limit CPU in the sense that if there is available CPU resources (which nobody is using) it will use all the CPU however it something else is also demanding CPU it will allocate a share of the CPU based off of the configured "cpu.shares" value.
Also as suggested sticking a ulimit on CPU time will ensure a running process is given a cumalative number of jiffies before being killed for using too much CPU. This might negatively impact long running processes a user is using which over a long period of time have accumulated a certain number of jiffies naturally.
You could also use cgroups to enforce that all a users processes live on one of your cores only, so that you can at least guarantee if one CPU is being overwhelmed it has no negative impact on the rest of the operating systems processes.
CGroups is also a awesome way to limit memory usage. You can combine it with pam_limits to prevent fork bombing.
Edit: I should also point out what I think your asking for is not necessarily relevant. Having 1 process use up 100% of the CPU is not necessarily bad, providing time is given for other processes to run. The completely fair scheduler on linux guarantees this behaviour anyway.
If the CPU is just idling theres nothing wrong with one process using up all the CPU. Your problem only comes where multiple processes are demanding CPU time and one of the processes is hogging the CPU. This is where cgroups should be of benefit as it permits you control how much cpu time you'll allocate different process in the event of CPU contention.
Solution 2:
You can limit users resources usage with PAM.
I never tried it so I have no clue if it works properly or not...