Update systemd limits #30

Open
opened 2023-06-05 15:14:56 +03:00 by inex · 5 comments
Owner
No description provided.
NaiJi added the enhancement label 2023-06-05 15:15:28 +03:00
Member

If the [resources/limits.nix](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/src/commit/65b5a1977756549240eae05005d1f6b5feef126d/resources/limits.nix) file is meant, ironically it's currently fully broken, since **no** directives from it are recognized by systemd in fact. `systemd show` output proves full ignorance (even though `systemd cat` confirms the systemd service configuration is generated by Nix as expected). It was investigated as part of [this task](https://app.teamgantt.com/discussions/my-tasks/task/135773835/#comment-17218575).

There are 2 kinds of typos:

1. first letters of each directive are not upper-case (must be upper-case)
2. `blockIOWeigth` must be written as `BlockIOWeight` (the last 2 letters are swapped)
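The failure mode described in the comment above (systemd directive names are case-sensitive, so miscased or misspelled keys take no effect) can be caught with a small lint over the generated unit text. This is an added example, not code from the SelfPrivacy repository; the `KNOWN` list is a subset of systemd.resource-control(5) chosen for illustration, and the sample unit is constructed.

```python
import difflib
import re

# Subset of systemd.resource-control(5) directives (assumption: extend as needed).
KNOWN = ["CPUQuota", "CPUWeight", "MemoryMax", "MemoryHigh", "MemoryLow",
         "IOWeight", "BlockIOWeight", "TasksMax"]

def lint_service_section(unit_text):
    """Return (line_no, key, problem, suggestion) for [Service] keys that
    look like a known resource-control directive but would be ignored."""
    by_lower = {k.lower(): k for k in KNOWN}
    findings, section = [], None
    for no, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if key in KNOWN:
            continue  # exact, case-sensitive match: systemd accepts it
        if key.lower() in by_lower:
            findings.append((no, key, "wrong case", by_lower[key.lower()]))
            continue
        # Near miss such as two swapped letters.
        close = difflib.get_close_matches(key.lower(), list(by_lower), n=1, cutoff=0.85)
        if close:
            findings.append((no, key, "misspelled", by_lower[close[0]]))
    return findings

# Constructed sample unit reproducing both kinds of typo from the comment.
SAMPLE = """\
[Unit]
Description=constructed example

[Service]
ExecStart=/bin/true
cpuQuota=20%
memoryMax=512M
blockIOWeigth=10
MemoryHigh=256M
"""

if __name__ == "__main__":
    for finding in lint_service_section(SAMPLE):
        print("line %d: %s (%s), did you mean %s?" % finding)
```
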
Member

As for the limit values themselves, the strategy is not clear, especially for the CPU quota. Maybe benchmarks or tests are needed to determine. And it's hard to say whether `BlockIOWeight = 10` is suitable for expected nginx loads or not (assuming the default weight is `1000`).
alexoundos added reference systemd-limits 2023-06-28 18:27:22 +03:00
Member

Also, `systemd-journald` consumes around 500 MiB of RAM, according to netdata (when uptime was 2 weeks). Perhaps, this should be due to:

```nix
services.journald.extraConfig = "SystemMaxUse=500M";
```

in [`configuration.nix`](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/src/commit/65b5a1977756549240eae05005d1f6b5feef126d/configuration.nix#L100).

Maybe `RuntimeMaxUse` limit can be set to something lower, but `journald.conf` manpage doesn't claim its correlation with RAM consumption (but instead with `/run/log/journal` filesystem space usage).
Member

As for RAM limits, `MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows going above the limit, but the processes are heavily slowed down and memory is taken away aggressively according to [systemd documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options).
Member

> There are 2 kinds of typos:
>
> 1. first letters of each directive are not upper-case (must be upper-case)
> 2. `blockIOWeigth` must be written as `BlockIOWeight` (the last 2 letters are swapped)

I fixed the typos ([e45224d67f](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/commit/e45224d67f31d9745204afb307b3739ba79f22b1)), but do not import this part of configuration until load tests get developed.
inex added this to the Security hardening and audit, monitoring project 2024-06-19 16:46:19 +03:00
No milestone
No assignees
2 participants
Reference: SelfPrivacy/selfprivacy-nixos-config#30