Shell Limits

When providing free shells, it is very important to place resource limits on shell accounts. These limits restrict how many files (and hence network connections) and processes, and how much memory, a single user can take up.

WARNING: If free shell account limits are not enforced, your users will likely cause your system to freeze. Once all of the system's available memory is used up, the system will freeze with no obvious cause.

Before you begin: please get familiar with /etc/login.conf. There is a guide for how to configure login.conf for system services.

Create a new login class

Add the following class at the bottom of /etc/login.conf:

freeshell:\
	:maxproc-cur=50:\
	:maxproc-max=100:\
	:openfiles-cur=256:\
	:openfiles-max=512:\
	:memoryuse-cur=64M:\
	:memoryuse-max=128M:\
	:datasize-cur=64M:\
	:datasize-max=128M:\
	:vmemoryuse-cur=64M:\
	:vmemoryuse-max=128M:\
	:memorylocked-cur=64M:\
	:memorylocked-max=128M:\
	:stacksize-cur=64M:\
	:stacksize-max=128M:\
	:localcipher=blowfish,a:\
	:requirehome@:\
	:umask=022:

WARNING: Make sure to use tabs and not spaces before the colon (:). Otherwise, login.conf will not be parsed properly.

This freeshell class will be limited to a maximum of 100 processes, 512 file descriptors, and 128M of memory. You will want to test whether this is sufficient for more resource-intensive tasks like compiling eggdrops or running more complex Python scripts and web apps.

After enforcing these new limits, your users may complain they are unable to run their old software. This may be due to the resource limits! You can ask them to pay for an upgrade to a shell account with higher resource limits.

paidshell:\
	:maxproc-cur=500:\
	:maxproc-max=1000:\
	:openfiles-cur=1024:\
	:openfiles-max=2048:\
	:memoryuse-cur=256M:\
	:memoryuse-max=512M:\
	:datasize-cur=256M:\
	:datasize-max=512M:\
	:vmemoryuse-cur=256M:\
	:vmemoryuse-max=512M:\
	:memorylocked-cur=256M:\
	:memorylocked-max=512M:\
	:stacksize-cur=256M:\
	:stacksize-max=512M:\
	:localcipher=blowfish,a:\
	:requirehome@:\
	:umask=022:

The paidshell login class will allow up to 1000 processes, 2048 open file descriptors, and 512M of memory.

Set the user's login class

After defining a login class, it is necessary to set a particular user's account to the new login class. This can be done with the command:

$ doas usermod -L freeshell $USERNAME

Replace $USERNAME with the user's login name.

A quick way to generate this command for every directory under /home is:

$ ls /home | sed -e 's/^/doas usermod -L freeshell &/'

Before you begin: Don't execute those commands blindly. First double-check that the listed users are indeed correct. Then apply the new login class.
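
One way to do that double check, as an added example that is not part of the original guide: the function below prints (never runs) a usermod line only for directories under the home root that match a real account. The function name gen_class_cmds, the EXCLUDE variable, the UID >= 1000 cutoff and the username alphabet are assumptions made for this example.

```sh
#!/bin/sh
# Added example: print usermod commands for review, only for real shell users.
# Assumptions: regular accounts have UID >= 1000 and a home directly under
# the given home root; accounts that must keep their class go in EXCLUDE.
EXCLUDE="${EXCLUDE:-root}"

# usage: gen_class_cmds HOME_ROOT PASSWD_FILE CLASS
gen_class_cmds() {
	home_root=$1 passwd_file=$2 class=$3
	for dir in "$home_root"/*/; do
		[ -d "$dir" ] || continue
		name=$(basename "$dir")
		# Reject names outside a conservative username alphabet
		case $name in
		*[!A-Za-z0-9._-]*|-*|'')
			echo "# skipped (odd name): $name" >&2; continue ;;
		esac
		# Leave excluded (e.g. staff) accounts in their current class
		case " $EXCLUDE " in
		*" $name "*)
			echo "# skipped (excluded): $name" >&2; continue ;;
		esac
		# Require a passwd entry with the same name, UID >= 1000, same home
		if awk -F: -v n="$name" -v h="${dir%/}" \
			'$1 == n && $3 >= 1000 && $6 == h { ok = 1 } END { exit !ok }' \
			"$passwd_file"; then
			echo "doas usermod -L $class $name"
		else
			echo "# skipped (no matching account): $name" >&2
		fi
	done
}
```

Call it as gen_class_cmds /home /etc/passwd freeshell, read the output and the skip messages on stderr, and only then run the printed lines.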