The invention to be described hereinafter was implemented in a version of the UNIX.sup.1 operating system. The UNIX operating system was developed by Bell Telephone Laboratories, Inc., for use on a Digital Equipment Corporation minicomputer, but has become a popular operating system for a wide range of minicomputers and, more recently, microcomputers and workstations. For more information on the UNIX operating system, the reader is referred to UNIX System, User's Manual, System V, published by Western Electric Co., January 1983, are hereby incorporated by reference as background material. A good overview of the UNIX operating system is provided by Brian W. Kernighan and Rob Pike in their book entitled The UNIX Programming Environment, published by Prentice-Hall (1984) and a book by Maurice J. Bach, Design of the UNIX Operating System, published by Prentice-Hall (1986), both hereby incorporated by reference as background material. Other versions of the UNIX operating system have been developed by others, including one developed by the Univ. of California at Berkeley known as the Berkeley version, and one developed by IBM Corporation known as AIX.sup.2.
Resource access and accounting controls allow system administrators to grant resource access and to audit resource usage in UNIX compatible operating systems. Resources can be either physical or logical. Physical resources include disk space, communication lines and processing time. Logical resources include communications buffers, file system buffers, processes and paging space. Note that all logical resources ultimately are implemented in terms of physical resources.
It is important in many systems to control or audit resource usage. Resource usage needs to be controlled if the system administrator wishes to guarantee system availability. For instance, critical processes such as a process controlling reactor parameters in a nuclear Dower plant must run at a certain time or certain safety rules will be violated. A malicious process running on the same system could use up all of the process table slots in the system and prevent the initiation of the critical process. Controls which limit the amount of a resource which can be consumed by some entity (process/user/project) are usually termed quotas.
Normally, UNIX systems offer little, if anything, in terms of a quota system to control resource usage. The Berkeley Software Distribution (BSD) version of UNIX provides disk quotas which allow system administrators to allocate disk space to specified users. BSD UNIX also process a way to limit resource consumption by a process. These controls limit processing time, maximum file size, core file size, memory usage, process stack size and process data segment size. These controls, however, are not really quotas. Since there is usually no limit on the number of processes which can be created by a user, a user can consume unlimited amounts of these resources simply by creating a lot of processes. Even when there is a limit on the number of processes, it is usually not effective in controlling resource consumption. UNIX is a "process-based" system where most tasks are accomplished with separate processes, so that a user who "multi-tasks" requires a lot of concurrent processes. This tends to make per-process limits ineffective.
Resource usage needs to be audited if the system administrator wishes to charge for the use of the system. For instance, many organizations maintain centralized computers serving many different departments. These computers are often specialized machines such as supercomputers. The cost of purchasing, maintaining and operating these computers is recovered from the individual departments according to their usage. The auditing of resource usage in a computer system is usually termed accounting.
UNIX systems include a complete accounting subsystem which allows resource usage to be tracked on a per user basis. Audited resources include processing time, input/output subsystem utilization, memory usage and printer usage.
A central problem with both the UNIX quota and accounting subsystems is that the unit of allocation and accountability is the user. This reflects the research and academic environment where UNIX originated. In these cases, people work more on an individual basis, so it is natural that resource controls would be done in this same unit. But commercial and industrial organizations normally work on a group or project basis, and so the UNIX facilities are inadequate in these environments.
Quota systems, in general, have the unfortunate characteristic that they tend to partition the system resources. For instance, if there are 10,000 process table slots (determining the maximum number of processes) and there are 100 resource accounts on the system, then an obvious approach is to grant 100 process table slots to each account. However, most resource accounts are not used all the time, and so the system would be underutilized except at peak times. The system administrator could grant more than 100 processes to each account, of course, but then there would be no effective guarantee that the resource would be available.
One approach to this problem is to allow processes to exceed their quotas if there is no contention for the requested resource, but to relinquish such resources once contention exists. For instance, a process could be granted as many of the communication buffers as it requested as long as buffer usage was less than 50%. This scheme has two problems. First, it does not work with persistent resources, such as filesystem space. Second, there is no clean way for a process to simply relinquish resources in a UNIX system (e.g. communication buffers are requested on behalf of the process, and not directly by the process, and cannot be freed at some arbitrary point). As a result, the resources can only be regained by terminating the process.