Limit CPU and RAM for Each User Using cgroup

codebyoul · codebyoul · commit 81146ecb6073 · 2024-02-23T22:38:18.000+01:00
diff --git a/bin/v-add-user b/bin/v-add-user
@@ -266,6 +266,11 @@ if [ "$DISK_QUOTA" = 'yes' ]; then
 	$BIN/v-update-user-quota "$user"
 fi
 
+# Update cgroup
+if [ "$RESOURCES_LIMIT" = 'yes' ]; then
+	$BIN/v-update-user-cgroup "$user"
+fi
+
 # Updating admin counter
 if [ "$user" != "$ROOT_USER" ]; then
 	increase_user_value "$ROOT_USER" '$U_USERS'
diff --git a/bin/v-add-user-package b/bin/v-add-user-package
@@ -55,6 +55,18 @@ is_package_consistent() {
 	if [ "$DISK_QUOTA" != 'unlimited' ]; then
 		is_int_format_valid "$DISK_QUOTA" 'DISK_QUOTA'
 	fi
+	if [ "$CPU_QUOTA" != 'unlimited' ]; then
+		is_valid_cpu_quota "$CPU_QUOTA" 'CPU_QUOTA'
+	fi
+	if [ "$CPU_QUOTA_PERIOD" != 'unlimited' ]; then
+		is_valid_cpu_quota_period "$CPU_QUOTA_PERIOD" 'CPU_QUOTA_PERIOD'
+	fi
+	if [ "$MEMORY_LIMIT" != 'unlimited' ]; then
+		is_valid_memory_size "$MEMORY_LIMIT" 'MEMORY_LIMIT'
+	fi
+	if [ "$SWAP_LIMIT" != 'unlimited' ]; then
+		is_valid_swap_size "$SWAP_LIMIT" 'SWAP_LIMIT'
+	fi
 	if [ "$BANDWIDTH" != 'unlimited' ]; then
 		is_int_format_valid "$BANDWIDTH" 'BANDWIDTH'
 	fi
@@ -130,6 +142,10 @@ RATE_LIMIT='$RATE_LIMIT'
 DATABASES='$DATABASES'
 CRON_JOBS='$CRON_JOBS'
 DISK_QUOTA='$DISK_QUOTA'
+CPU_QUOTA='$CPU_QUOTA'
+CPU_QUOTA_PERIOD='$CPU_QUOTA_PERIOD'
+MEMORY_LIMIT='$MEMORY_LIMIT'
+SWAP_LIMIT='$SWAP_LIMIT'
 BANDWIDTH='$BANDWIDTH'
 NS='$NS'
 SHELL='$SHELL'
diff --git a/bin/v-change-user-package b/bin/v-change-user-package
@@ -96,6 +96,10 @@ RATE_LIMIT='$RATE_LIMIT'
 DATABASES='$DATABASES'
 CRON_JOBS='$CRON_JOBS'
 DISK_QUOTA='$DISK_QUOTA'
+CPU_QUOTA='$CPU_QUOTA'
+CPU_QUOTA_PERIOD='$CPU_QUOTA_PERIOD'
+MEMORY_LIMIT='$MEMORY_LIMIT'
+SWAP_LIMIT='$SWAP_LIMIT'
 BANDWIDTH='$BANDWIDTH'
 NS='$NS'
 SHELL='$SHELL'
@@ -185,6 +189,10 @@ if [ "$DISK_QUOTA" = 'yes' ]; then
 	$BIN/v-update-user-quota "$user"
 fi
 
+# Update cgroup
+if [ "$RESOURCES_LIMIT" = 'yes' ]; then
+	$BIN/v-update-user-cgroup "$user"
+fi
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
diff --git a/bin/v-delete-sys-cgroup b/bin/v-delete-sys-cgroup
@@ -0,0 +1,53 @@
+#!/bin/bash
+# info: delete all cgroup
+# options: NONE
+#
+# example: v-delete-sys-cgroup
+#
+# This function disables cgroup
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Revert cgroup for all users
+for user in $("$BIN/v-list-users" list); do
+	user_id=$(id -u "$user")
+	user_slice="user-${user_id}.slice"
+	systemctl revert "$user_slice"
+done
+
+# Reload daemon
+systemctl daemon-reload
+
+# Updating hestia.conf value
+$BIN/v-change-sys-config-value "RESOURCES_LIMIT" "no"
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+$BIN/v-log-action "system" "Info" "Plugins" "System cgroup Enforcement disabled."
+log_event "$OK" "$ARGUMENTS"
+
+exit
diff --git a/bin/v-list-user-package b/bin/v-list-user-package
@@ -38,6 +38,10 @@ json_list() {
         "DATABASES": "'$DATABASES'",
         "CRON_JOBS": "'$CRON_JOBS'",
         "DISK_QUOTA": "'$DISK_QUOTA'",
+        "CPU_QUOTA":"'$CPU_QUOTA'",
+        "CPU_QUOTA_PERIOD":"'$CPU_QUOTA_PERIOD'",
+        "MEMORY_LIMIT":"'$MEMORY_LIMIT'",
+        "SWAP_LIMIT":"'$SWAP_LIMIT'",
         "BANDWIDTH": "'$BANDWIDTH'",
         "NS": "'$NS'",
         "SHELL": "'$SHELL'",
@@ -66,6 +70,10 @@ shell_list() {
 	echo "DATABASES:        	$DATABASES"
 	echo "CRON JOBS:        	$CRON_JOBS"
 	echo "DISK QUOTA:       	$DISK_QUOTA"
+	echo "CPU_QUOTA: 					$CPU_QUOTA"
+	echo "CPU_QUOTA_PERIOD:		$CPU_QUOTA_PERIOD"
+	echo "MEMORY_LIMIT:				$MEMORY_LIMIT"
+	echo "SWAP_LIMIT: 				$SWAP_LIMIT"
 	echo "BANDWIDTH:        	$BANDWIDTH"
 	echo "NS:               	$NS"
 	echo "SHELL:            	$SHELL"
@@ -80,6 +88,7 @@ plain_list() {
 	echo -ne "$PACKAGE\t$WEB_TEMPLATE\t$BACKEND_TEMPLATE\t$PROXY_TEMPLATE\t$DNS_TEMPLATE\t"
 	echo -ne "$WEB_DOMAINS\t$WEB_ALIASES\t$DNS_DOMAINS\t$DNS_RECORDS\t"
 	echo -ne "$MAIL_DOMAINS\t$MAIL_ACCOUNTS\t$RATE_LIMIT\t$DATABASES\t$CRON_JOBS\t"
+	echo -ne "$CPU_QUOTA\t$CPU_QUOTA_PERIOD\t$MEMORY_LIMIT\t$SWAP_LIMIT\t"
 	echo -e "$DISK_QUOTA\t$BANDWIDTH\t$NS\t$SHELL\t$SHELL_JAIL_ENABLED\t$BACKUPS\t$TIME\t$DATE"
 }
 
@@ -88,11 +97,11 @@ csv_list() {
 	echo -n "PACKAGE,WEB_TEMPLATE,BACKEND_TEMPLATE,PROXY_TEMPLATE,DNS_TEMPLATE,"
 	echo -n "WEB_DOMAINS,WEB_ALIASES,DNS_DOMAINS,DNS_RECORDS,"
 	echo -n "MAIL_DOMAINS,MAIL_ACCOUNTS,RATE_LIMIT,DATABASES,CRON_JOBS,"
-	echo "DISK_QUOTA,BANDWIDTH,NS,SHELL,SHELL_JAIL_ENABLED,BACKUPS,TIME,DATE"
+	echo "DISK_QUOTA,CPU_QUOTA,CPU_QUOTA_PERIOD,MEMORY_LIMIT,SWAP_LIMIT,BANDWIDTH,NS,SHELL,SHELL_JAIL_ENABLED,BACKUPS,TIME,DATE"
 	echo -n "$PACKAGE,$WEB_TEMPLATE,$BACKEND_TEMPLATE,$PROXY_TEMPLATE,$DNS_TEMPLATE,"
 	echo -n "$WEB_DOMAINS,$WEB_ALIASES,$DNS_DOMAINS,$DNS_RECORDS,"
 	echo -n "$MAIL_DOMAINS,$MAIL_ACCOUNTS,$RATE_LIMIT,$DATABASES,$CRON_JOBS,"
-	echo "$DISK_QUOTA,$BANDWIDTH,\"$NS\",$SHELL,$BACKUPS,$TIME,$DATE"
+	echo "$DISK_QUOTA,$CPU_QUOTA,$CPU_QUOTA_PERIOD,$MEMORY_LIMIT,$SWAP_LIMIT,$BANDWIDTH,\"$NS\",$SHELL,$BACKUPS,$TIME,$DATE"
 }
 
 #----------------------------------------------------------#
diff --git a/bin/v-rebuild-user b/bin/v-rebuild-user
@@ -54,6 +54,11 @@ if [ "$DISK_QUOTA" = 'yes' ]; then
 	$BIN/v-update-user-quota "$user"
 fi
 
+# Update cgroup
+if [ "$RESOURCES_LIMIT" = 'yes' ]; then
+	$BIN/v-update-user-cgroup "$user"
+fi
+
 # Rebuild user
 rebuild_user_conf
 
diff --git a/bin/v-update-user-cgroup b/bin/v-update-user-cgroup
@@ -0,0 +1,83 @@
+#!/bin/bash
+# info: update user disk quota
+# options: USER
+#
+# example: v-update-user-cgroup admin
+#
+# The functions upates cgroup, cpu, ram ,... for specific user
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '0' "$#" 'USER'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+user_id=$(id -u "$user")
+user_slice="user-${user_id}.slice"
+# get user resources values
+cpu_quota=$(get_user_value '$CPU_QUOTA')
+cpu_quota_period=$(get_user_value '$CPU_QUOTA_PERIOD')
+memory_limit=$(get_user_value '$MEMORY_LIMIT')
+swap_limit=$(get_user_value '$SWAP_LIMIT')
+
+# Set CPU quota for CFS:
+if [ "$cpu_quota" != 'unlimited' ]; then
+	systemctl set-property "$user_slice" CPUQuota="$cpu_quota"
+else
+	systemctl set-property "$user_slice" CPUQuota=
+fi
+
+# Set CPU period for CFS:
+if [ "$cpu_quota_period" != 'unlimited' ]; then
+	systemctl set-property "$user_slice" CPUQuotaPeriodSec="$cpu_quota_period"
+else
+	systemctl set-property "$user_slice" CPUQuotaPeriodSec=
+fi
+
+# Set memory limits:
+if [ "$memory_limit" != 'unlimited' ]; then
+	systemctl set-property "$user_slice" MemoryMax="$memory_limit"
+else
+	systemctl set-property "$user_slice" MemoryMax=
+fi
+
+# Set memory swap limits:
+if [ "$swap_limit" != 'unlimited' ]; then
+	systemctl set-property "$user_slice" MemorySwapMax="$swap_limit"
+else
+	systemctl set-property "$user_slice" MemorySwapMax=
+fi
+
+# Apply change immediately: not needed for now
+#systemctl restart "$user_slice"
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit
diff --git a/bin/v-update-user-package b/bin/v-update-user-package
@@ -32,9 +32,10 @@ is_package_valid
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
-
 for user in $("$BIN/v-list-users" list); do
-	check_package=$(grep "PACKAGE='$package'" $USER_DATA/$user/user.conf)
+	# Fix Bug User Data contain path to the root user
+	USER_DATA="$HESTIA/data/users/$user"
+	check_package=$(grep "PACKAGE='$package'" $USER_DATA/user.conf)
 	if [ -n "$check_package" ]; then
 		"$BIN/v-change-user-package" "$user" "$package" 'yes'
 	fi
diff --git a/func/main.sh b/func/main.sh
@@ -1150,6 +1150,34 @@ is_cron_format_valid() {
 	fi
 }
 
+# Validate CPU Quota:
+is_valid_cpu_quota() {
+	if [[ ! "$1" =~ ^[0-9]+%$ ]]; then
+		check_result "$E_INVALID" "Invalid CPU Quota format :: $1"
+	fi
+}
+
+# Validate CPU Quota Period:
+is_valid_cpu_quota_period() {
+	if [[ ! "$1" =~ ^[0-9]+(ms|s)$ ]]; then
+		check_result "$E_INVALID" "Invalid CPU Quota Period format :: $1"
+	fi
+}
+
+# Validate Memory Size:
+is_valid_memory_size() {
+	if [[ ! "$1" =~ ^[0-9]+[KMGTK]?$ ]]; then
+		check_result "$E_INVALID" "Invalid Memory Size format :: $1"
+	fi
+}
+
+# Validate Swap Size:
+is_valid_swap_size() {
+	if [[ ! "$1" =~ ^[0-9]+[KMGTK]?$ ]]; then
+		check_result "$E_INVALID" "Invalid Swap Size format :: $1"
+	fi
+}
+
 is_object_name_format_valid() {
 	if ! [[ "$1" =~ ^[-|\ |\.|_[:alnum:]]{0,50}$ ]]; then
 		check_result "$E_INVALID" "invalid $2 format :: $1"
diff --git a/install/common/packages/default.pkg b/install/common/packages/default.pkg
@@ -12,6 +12,10 @@ RATE_LIMIT='200'
 DATABASES='unlimited'
 CRON_JOBS='unlimited'
 DISK_QUOTA='unlimited'
+CPU_QUOTA='unlimited'
+CPU_QUOTA_PERIOD='unlimited'
+MEMORY_LIMIT='unlimited'
+SWAP_LIMIT='unlimited'
 BANDWIDTH='unlimited'
 NS='ns1.domain.tld,ns2.domain.tld'
 SHELL='nologin'
diff --git a/install/common/packages/system.pkg b/install/common/packages/system.pkg
@@ -12,6 +12,10 @@ RATE_LIMIT='200'
 DATABASES='0'
 CRON_JOBS='unlimited'
 DISK_QUOTA='unlimited'
+CPU_QUOTA='unlimited'
+CPU_QUOTA_PERIOD='unlimited'
+MEMORY_LIMIT='unlimited'
+SWAP_LIMIT='unlimited'
 BANDWIDTH='unlimited'
 NS='ns1.domain.tld,ns2.domain.tld'
 SHELL='nologin'
diff --git a/install/upgrade/versions/1.9.0.sh b/install/upgrade/versions/1.9.0.sh
@@ -78,6 +78,12 @@ for package in $packages; do
 	if [ -z "$(grep -e 'SHELL_JAIL_ENABLED' $HESTIA/data/packages/$package)" ]; then
 		echo "SHELL_JAIL_ENABLED='no'" >> $HESTIA/data/packages/$package
 	fi
+	# Add additional key-value pairs if they don't exist
+	for key in DISK_QUOTA CPU_QUOTA CPU_QUOTA_PERIOD MEMORY_LIMIT SWAP_LIMIT; do
+		if [ -z "$(grep -e "$key" $HESTIA/data/packages/$package)" ]; then
+			echo "$key='unlimited'" >> $HESTIA/data/packages/$package
+		fi
+	done
 done
 
 $BIN/v-add-user-notification 'admin' 'Hestia securirty has been upgraded' 'Here should come a nice message about the upgrade and how to change the user name of the admin user!'
diff --git a/package.json b/package.json
@@ -15,7 +15,8 @@
 		"lint-staged": "lint-staged",
 		"format": "prettier --cache --write .",
 		"preinstall": "npx only-allow npm",
-		"prepare": "husky"
+		"prepare": "husky",
+		"hestia": "cd src && ./hst_autocompile.sh --hestia --install '~localsrc'"
 	},
 	"dependencies": {
 		"@fortawesome/fontawesome-free": "^6.5.1",
diff --git a/web/add/package/index.php b/web/add/package/index.php
diff --git a/web/edit/package/index.php b/web/edit/package/index.php
diff --git a/web/templates/pages/add_package.php b/web/templates/pages/add_package.php
diff --git a/web/templates/pages/edit_package.php b/web/templates/pages/edit_package.php
