Translation: English / Chinese (Simplified) (zh_CN), string 31/1190, (itstool) path: sect2/para
The maximum number of files a process may have open. In FreeBSD, files are used to represent sockets and <acronym>IPC</acronym> channels, so be careful not to set this too low. The system-wide limit for this is defined by <varname>kern.maxfiles</varname>.
zh_CN: This is the maximum number of files a process may open. In FreeBSD, files can represent sockets and IPC channels; be careful not to set this too small. The system-wide limit is defined by <varname>kern.maxfiles</varname>; see <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
sbsize
The limit on the amount of network memory a user may consume. This can be generally used to limit network communications.
zh_CN: This is the limit on the amount of network memory; it is mainly aimed at old-style DoS attacks that create many sockets, but it can also be used to limit network communications.
stacksize
The maximum size of a process stack. This alone is not sufficient to limit the amount of memory a program may use, so it should be used in conjunction with other limits.
zh_CN: This is the maximum size a process stack may reach. On its own it cannot limit the amount of memory a program may use, so it needs to be used together with other limits.
There are a few other things to remember when setting resource limits:
zh_CN: There are some other things to note when setting resource limits. Below are some general tips, suggestions and cautions:
Processes started at system startup by <filename>/etc/rc</filename> are assigned to the <literal>daemon</literal> login class.
zh_CN: Processes started at system startup by <filename>/etc/rc</filename> are assigned to the <literal>daemon</literal> login class (the zh_CN string renders the class name itself as 守护程序).
Although the default <filename>/etc/login.conf</filename> is a good source of reasonable values for most limits, they may not be appropriate for every system. Setting a limit too high may open the system up to abuse, while setting it too low may put a strain on productivity.
zh_CN: Although <filename>/etc/login.conf</filename> is a resource file with reasonable settings for the vast majority of limits, only you, the system administrator, know what suits your system best. Setting a limit too high may leave the system too open and lead to abuse, while setting it too low may reduce efficiency.
<application>Xorg</application> takes a lot of resources and encourages users to run more programs simultaneously.
zh_CN: Users of <application>Xorg</application> may use more resources than other users, because X11 itself uses many resources and encourages users to run more programs at the same time.
Many limits apply to individual processes, not the user as a whole. For example, setting <varname>openfiles</varname> to <literal>50</literal> means that each process the user runs may open up to <literal>50</literal> files. The total amount of files a user may open is the value of <literal>openfiles</literal> multiplied by the value of <literal>maxproc</literal>. This also applies to memory consumption.
zh_CN: Be sure to note that many limits are enforced per process; they do not limit the total a given user can use. For example, setting <varname>openfiles</varname> to 50 means that each process running as that user may open at most 50 files. The total number of files the user can actually open is therefore the product of <varname>maxproc</varname> and <varname>openfiles</varname>. The limit on memory use works the same way.
For further information on resource limits and login classes and capabilities in general, refer to <citerefentry><refentrytitle>cap_mkdb</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and <citerefentry><refentrytitle>login.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
zh_CN: For more in-depth information on resource limits and login classes, see the related manual pages: <citerefentry><refentrytitle>cap_mkdb</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry><refentrytitle>login.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Enabling and Configuring Resource Limits
The <varname>kern.racct.enable</varname> tunable must be set to a non-zero value. Custom kernels require specific configuration:
zh_CN: <varname>kern.racct.enable</varname> needs to be set to a non-zero value; for a custom kernel, add the following options to the kernel configuration file:
options RACCT
options RCTL
Once the system has rebooted into the new kernel, <command>rctl</command> may be used to set rules for the system.
zh_CN: After rebooting into the new kernel, <command>rctl</command> can be used to set rules for the system.
Rule syntax is controlled through the use of a subject, subject-id, resource, and action, as seen in this example rule:
zh_CN: Rule syntax: subject:subject-ID:resource to limit:action. An example rule follows:
user:trhodes:maxproc:deny=10/user
In this rule, the subject is <literal>user</literal>, the subject-id is <literal>trhodes</literal>, the resource, <literal>maxproc</literal>, is the maximum number of processes, and the action is <literal>deny</literal>, which blocks any new processes from being created. This means that the user, <literal>trhodes</literal>, will be constrained to no greater than <literal>10</literal> processes. Other possible actions include logging to the console, passing a notification to <citerefentry><refentrytitle>devd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or sending a sigterm to the process.
zh_CN: In this example the subject is <literal>user</literal>; the subject ID is <literal>trhodes</literal>; the resource to limit is <literal>maxproc</literal>, the maximum number of processes; and the action is <literal>deny</literal>, which forbids creating new processes. This rule means <literal>trhodes</literal> can create at most <literal>10</literal> processes. Other available actions include logging to the console, sending a notification to <citerefentry><refentrytitle>devd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or sending a signal (sigterm) to the process.
Some care must be taken when adding rules. Since this user is constrained to <literal>10</literal> processes, this example will prevent the user from performing other tasks after logging in and executing a <command>screen</command> session. Once a resource limit has been hit, an error will be printed, as in this example:
zh_CN: Take care when creating rules: because this user is limited to 10 processes, this example will prevent the user from performing other tasks after logging in and running a <command>screen</command> session. Once a resource limit rule is triggered, the system prints an error like the following:
<prompt>%</prompt> <userinput>man test</userinput>
/usr/bin/man: Cannot fork: Resource temporarily unavailable
eval: Cannot fork: Resource temporarily unavailable
As another example, a jail can be prevented from exceeding a memory limit. This rule could be written as:
zh_CN: Another example: limiting the maximum memory a jail may use. The rule can be written as:
<prompt>#</prompt> <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput>
Rules will persist across reboots if they have been added to <filename>/etc/rctl.conf</filename>. The format is a rule, without the preceding command. For example, the previous rule could be added as:
zh_CN: If rules have been added to <filename>/etc/rctl.conf</filename>, they remain in effect after a reboot. The format is the rule without the preceding command. For example, the previous rule can be added as:
# Block jail from using more than 2G memory:
jail:httpd:memoryuse:deny=2G/jail
To remove a rule, use <command>rctl</command> to remove it from the list:
zh_CN: To delete a rule, use <command>rctl</command> to remove it from the list:
<prompt>#</prompt> <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput>
A method for removing all rules is documented in <citerefentry><refentrytitle>rctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>. However, if removing all rules for a single user is required, this command may be issued:
zh_CN: The method for deleting all rules is documented in <citerefentry><refentrytitle>rctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>. However, if all rules for a single user need to be deleted, the following command can be used:
<prompt>#</prompt> <userinput>rctl -r user:trhodes</userinput>
Many other resources exist which can be used to exert additional control over various <literal>subjects</literal>. See <citerefentry><refentrytitle>rctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> to learn about them.
zh_CN: There are many more parameters for limiting the behaviour of subjects; see <citerefentry><refentrytitle>rctl</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
Shared Administration with Sudo
zh_CN: Using Sudo to share administrative privileges
<primary>Security</primary> <secondary>Sudo</secondary>
zh_CN: <primary>Security</primary><secondary>sudo</secondary>
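As an added example (not code from the Handbook or from rctl itself), a small Python parser for the rule syntax described above, subject:subject-id:resource:action=amount/per, which validates the two rules shown on this page, expands size suffixes such as 2G, and renders rules in the /etc/rctl.conf form without the leading rctl -a command. The subject, resource and action lists are deliberately limited to names this page mentions (rctl(8) documents many more), and treating an omitted per part as the subject is an assumption.

```python
"""Parser for rctl(8)-style rules: subject:subject-id:resource:action=amount/per."""
import re

SUBJECTS = {"user", "jail"}                       # subjects shown on the page
RESOURCES = {"maxproc", "openfiles", "memoryuse", "stacksize", "sbsize"}
ACTIONS = {"deny", "log", "devctl"}               # any "sig..." action is also accepted
SUFFIX = {"k": 1 << 10, "m": 1 << 20, "g": 1 << 30, "t": 1 << 40}


def parse_amount(text):
    """'10' -> 10; '2G' -> 2 * 2**30 (k/m/g/t suffixes, case-insensitive)."""
    m = re.fullmatch(r"(\d+)([kmgt]?)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad amount {text!r}")
    return int(m.group(1)) * SUFFIX.get(m.group(2).lower(), 1)


def parse_rule(rule):
    """Split one rule into its fields, raising ValueError on malformed input."""
    parts = rule.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected subject:subject-id:resource:action, got {rule!r}")
    subject, subject_id, resource, action_spec = parts
    if subject not in SUBJECTS:
        raise ValueError(f"unknown subject {subject!r}")
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}")
    action, sep, rest = action_spec.partition("=")
    if action not in ACTIONS and not action.startswith("sig"):
        raise ValueError(f"unknown action {action!r}")
    if not sep:
        raise ValueError(f"action {action!r} needs =amount")
    amount_text, _, per = rest.partition("/")
    return {"subject": subject, "subject_id": subject_id, "resource": resource,
            "action": action, "amount": parse_amount(amount_text),
            # Assumption: an omitted per part is treated as the subject itself.
            "per": per or subject}


def to_rctl_conf(rules, comment):
    """Render validated rules in the /etc/rctl.conf format shown on the page:
    a comment line, then each rule without the leading rctl -a command."""
    lines = [f"# {comment}"]
    for rule in rules:
        parse_rule(rule)                # reject malformed rules before writing them
        lines.append(rule.strip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(parse_rule("user:trhodes:maxproc:deny=10/user"))
    print(to_rctl_conf(["jail:httpd:memoryuse:deny=2G/jail"],
                       "Block jail from using more than 2G memory:"), end="")
```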
Source information: (itstool) path: sect2/para; source string location book.translate.xml:29571; translation file books/zh_CN/handbook.po, string 4774.