systemd provides a powerful tool, systemd-run
which can constrain how many system resources an application started by it can use. It can limit (non-exhaustive list) use of CPU, memory and disk. However, this powerful too is too complicated to use on the command line. A wrapper is required to make it easily accessible. Use case: running resource intensive tasks (such as backups, compression) without making the system (almost) unusable by the load generated by that task.
limit-low
design goals:
- Do one thing and do it well.
- The one thing is to be a wrapper that limits system resources for wrapped
applications.- Support being run as:
- user
- root
- in shell or script in pipes
- stdout, stderr, stdin interactive shell input/output
- graphical (GUI) applications
- Being as non-intrusive as possible. For example, not adding extraneous
output to stdout such as
“Running scope as unit: run-r0d607a8f35dc4dea909b830f9d922b99.scope”.
limit-low
is a around systemd-run
setting systemd-run
parameters to run an
application with limited system resources. systemd-run
itself is using Linux cgroups
.
systemd upstream feature request:
To start graphical (GUI) applications such as Tor Browser it requires installation of package dbus-user-session
. The (non-)security impact of this is being discussed here: dbus - user vs system session.
sudo apt update
sudo apt install dbus-user-session
Depending on the outcome of that discussion, dbus-user-session
will be installed by default in Kicksecure and Whonix or perhaps systemd-run
can be run with different parameters such as --scope
not requiring dbus-user-session
. --scope
as alternative works but systemd tells:
--pty/--pipe
is not compatible in timer or--scope
mode
Which would break limit-low
design goals.