Restricting resource for a Virtual Server

I think I have found the possible resource hog on our server. I am researching further, but we have three clients that were given access to Virtualmin and mysql for their virtual servers (and sub servers). Is there a way to configure their accounts/processes in Virtualmin so if they do something stupid (which I can't prevent, but expect they will do), it does not compromise the entire server? I know there are quotas for size, but not sure if there is a way to say limit their connections if I find that they are the problem?

Status: Closed (fixed)

Comments

Howdy -- you can tweak their options in Administrative Options -> Edit Resource Limits.

You can set process, cpu, and memory limits.

I personally prefer just using process limits, which limits how many processes they can launch.

However, you can set the other two, but it's hard to come up with cpu and memory limits that don't cause legitimate processes to be killed off.

Is there a command or way to "see" the resources used by this virtual server to help determine their normal usage and spikes? I need to set these limits, but don't want to stifle it too much. Without knowing their pattern, it's hard to guess the proper setting.

Sorry, there isn't an automated/quick way to track that at the moment.

You'd have to manually review the processes they're running, to get an idea of their usage.

Thanks. I'm going to research how best to apply the settings you described. That needs to be done.

I've been searching for some benchmark or way to determine an appropriate setting for the Maximum number of processes setting. The client receives pretty decent traffic, probably the most on our server. Is there some way to determine a safe number? Their site is njar.com and a state Realtor association. We have a Xeon quad core with 10GB RAM. Any idea or guideline?

Determining the best numbers to use is trial and error -- there isn't a rule for how to choose them.

What you can do is run "ps auxw | grep USERNAME | wc -l", and see how many processes they're running at any given point.

After a while, you'll start to get a feel for how many they're using.

Then, you need to determine how many processes they can run before it begins impacting other users on your system.

This again is trial, error, and probably some guessing :-)

Remember that if their site hits this limit, their site will start throwing "500 Internal Server Error" to anyone browsing it until they're back under the limit. So it's a harsh limit, but the idea here is that you're picking a limit for them in order to protect the rest of your server.

I've been watching the server non-stop for the past week or more and will run this periodically to get a gauge. Thanks.

Any way to get the error to state something like "Too Many Connections, please try back later"?

Sorry, there's not currently a way to do that.

Submitted by ronald on Fri, 04/27/2012 - 04:15 Pro Licensee

I thought this could be done via .htaccess if AllowOverride FileInfo is set to the Directory directive?
ErrorDocument 500 /error-docs/500.shtml

Then create the directory error-docs and the file 500.shtml?

You can indeed set a custom error message for "Internal Server Error" (500) messages, that would work with no problem.

The issue would just be that it can't discern the cause of the internal server error -- so that custom error would display when his user runs out of resources, but also if PHP threw an error, or if a dependency was missing or mis-configured.

This did get me wondering if there's anything at all that can be done here to improve the error reporting for a case where resources had run out; I don't have an answer yet, but I think it's a great idea if we can manage to come up with something :-)

I've been researching it a bit as well. Aside from running 'ps auxw | grep USERNAME | wc -l' for individual users, I've seen a bunch of users called www-data that may be a result from work my old developer had done. This makes it difficult to determine the originating virtual domain. If I set Resource Limits for a virtual domain, does it include all processes launched by that domain regardless of the name? Meaning, if a restricted domain launches a process with user www-data, then does this process get included in its limit?

We're still trying to find out where all our resources are going that is basically locking up the server.

Setting per-user limits only works when using CGI and FCGID modes -- meaning that the processes are run as the Virtual Server owner.

The user "www-data" is the Apache user, and you might be seeing that if a given domain is running under mod_php.

If I set Resource Limits for a virtual domain, does it include all processes launched by that domain regardless of the name? Meaning, if a restricted domain launches a process with user www-data, then does this process get included in its limit?

It's not actually possible for a process owned by a Virtual Server owner to launch another process as a different user.

That is, a Virtual Server owner can't run processes as another user.

If you're seeing processes owned by the user "www-data", that means that Virtual Server is likely set up to run under mod_php.

Reopening this ticket. We are trying to control the mysql load on our server and need to know how the resource limits are controlled. Is the "Maximum number of processes" setting tied to the user account in the Edit Database section of the virtual server? I need to know which process owner it is looking to when restricting the resource. Thanks

Howdy -- MySQL is a single process, and runs as the "mysql" user.

It's not possible to limit its resources without causing the MySQL process to crash.

However, by limiting the number of PHP processes a given Virtual Server can run, that should also assist in limiting the MySQL load.

When a PHP process is launched, it's owned by the Virtual Server owner.

When you set up limits in "Edit Resource Limits", you're setting up limits for the Virtual Server owner.

Great. So, if I set the "Maximum number of processes" to 5, then does that mean that only up to 5 PHP processes can be launched for that server? Does that also mean that only 5 people can access the site at any one given time?

We just had a site attacked and found dozens of mysql calls causing a DOS type attack. I've blocked the IP and have seen the cause, but want to make sure an attack does not bring the entire server to its knees.

if I set the "Maximum number of processes" to 5, then does that mean that only up to 5 PHP processes can be launched for that server?

That means that Virtual Server could only launch 5 total processes (including PHP processes).

Does that also mean that only 5 people can access the site at any one given time?

Well, something roughly similar to that... it's a little more complex when dealing with FCGID and caching, but it's close to that :-)

Another thing you may want to do is edit your Apache config, and set MaxClients to a smaller number. That will limit how many Apache processes can be running at once.
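
The `ps auxw | grep USERNAME | wc -l` check suggested earlier in the thread matches the name anywhere on the line, so it also counts the grep itself and any user whose name contains USERNAME. As an added example (not part of the original thread; the user names and sample data are constructed), these shell functions count by exact process owner, which also makes visible the www-data (mod_php) processes that a per-owner limit does not cover.

```shell
#!/bin/sh
# Added example. Input is what `ps -e -o user= -o args=` prints:
# process owner in column 1, command line after it.

# Constructed sample: two virtual server owners with similar names,
# plus Apache workers running as www-data (mod_php).
sample_ps() {
cat <<'EOF'
root /usr/sbin/apache2 -k start
www-data /usr/sbin/apache2 -k start
www-data /usr/sbin/apache2 -k start
mysql /usr/sbin/mysqld
example /usr/bin/php-cgi
example /usr/bin/php-cgi
example /usr/bin/php-cgi
examplecorp /usr/bin/php-cgi
examplecorp /bin/sh /home/examplecorp/bin/backup.sh
root grep example
EOF
}

# procs_for USER: count processes whose owner column is exactly USER.
procs_for() {
    awk -v u="$1" '$1 == u { c++ } END { print c + 0 }'
}

# naive_count USER: what `grep USER | wc -l` reports (substring, any column).
naive_count() {
    grep -c -- "$1"
}

# count_by_user: "COUNT USER" for every owner, busiest first.
count_by_user() {
    awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -k1,1nr -k2,2
}

# peak: largest value in a series of samples, one count per line.
peak() {
    sort -n | tail -n 1
}

# Live use on the server (USERNAME is the Virtual Server owner):
#   ps -e -o user= -o args= | procs_for USERNAME
sample_ps | count_by_user
```

Appending the `procs_for` result to a file at regular intervals and feeding that file to `peak` gives the observed maximum to compare against a candidate "Maximum number of processes" value.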