Resource limits (RACCT/RCTL)
AppJail can limit jail resources using rctl(4)
. To use it, you need to enable it in loader.conf(5)
and reboot your system.
kern.racct.enable=1
Like many AppJail commands, limits can be set using appjail-quick(1)
or its own command to apply rctl(4)
rules to an existing jail.
# Using appjail quick:
appjail quick nginx \
virtualnet="web:nginx default" \
nat \
expose=80 \
limits="vmemoryuse:deny=512m" \
limits="vmemoryuse:log=450m" \
limits="maxproc:log=30" \
start \
overwrite
# Manually:
appjail quick nginx virtualnet="web:nginx default" nat expose=80 overwrite
appjail limits set nginx vmemoryuse:deny=512m
appjail limits set nginx vmemoryuse:log=450m
appjail limits set nginx maxproc:log=30
appjail-config set -Ij nginx exec.created='appjail limits on ${name}'
appjail-config set -Ij nginx exec.created='appjail limits off ${name}'
appjail start nginx
To display the current rules of a jail, run appjail-limits(1)
list
.
# appjail limits list nginx
NRO ENABLED NAME RULE LOADED
0 1 - vmemoryuse:deny=512m jail:nginx:vmemoryuse:deny=512M
1 1 - vmemoryuse:log=450m jail:nginx:vmemoryuse:log=450M
2 1 - maxproc:log=30 jail:nginx:maxproc:log=30
In addition, we can use AppJail to display resource usage in a table-like interface.
# appjail limits stats myjail
MAXPROC CPUTIME PCPU VMEMORYUSE READIOPS WRITEIOPS
7 13 0 99M 0 0
AppJail only shows a few keywords by default, but you can get all keywords defined in rctl(8)
.
# appjail limits stats myjail openfiles cputime datasize stacksize
OPENFILES CPUTIME DATASIZE STACKSIZE
1576 13 1008K 0
See also: