[CentOS] Using Cgroups in CentOS-7

Tue May 18 12:49:27 UTC 2021
Jonathan Billings <billings at negate.org>

On Tue, May 18, 2021 at 08:33:37AM +0000, Gestió Servidors wrote:
> I want to limit CPUQuota and Memory using "Cgroups". After reading
> some documents, it seems I need to modify "user.slice" systemd file
> adding "CPUQuota=25%" (for example) but, after it, if I run a
> "stress" with other user (not "root"), stress process takes 100%
> CPU. I have noticed that rebooting system non-root user has % CPU
> limited... but also root... so is it possible to configure that
> limits to all users but non root? 

Make sure you also turn on CPUAccounting=true.

Unfortunately, if you put any CPUQuota settings in user.slice, it will
apply it as a group to all users (including root).  So, every logged
in user, in total, will not be able to use more than 25%, not
per-user.  (so, if two users start stressing the CPU, they'll each
only be able to get around 12.5% each)

CentOS 7 doesn't have a mechanism to set per-user CPU quota, that
functionality wasn't introduced into a later version of systemd (it
does work in CentOS 8, use user-.slice which is a "template" for
user-1000.slice, user-1001.slice, user-9999999.slice, etc.)

You can always set the resource control settings per-user by
specifically writing a user-1000.slice, user-1001.slice, etc.  
What I did was write a systemd service that subscribed to the dbus
messages for logins and activated the CPUQuota as the user logged in
using systemctl --runtime.  I had tens of thousands of users logging
in via Active Directory, which changed constantly, so I couldn't
hard-code anything.

I suggest using the 'systemd-cgtop' command to look at what unit is
using resources, it is helpful for debugging.

Jonathan Billings <billings at negate.org>