Slashdot Mirror
Throttle Shared Users With OS X — Is It Possible?
whisper_jeff writes "I work in a design studio where the production director is also the owner's son (translation = he can do no wrong). He is fond of accessing a designer's computer via filesharing and working directly on files off of the designer's computers rather than transferring the files to his computer to work on them there. In so doing, he causes the designer's computer to grind to a near-halt as the harddrive is now tasked with his open/save requests along with whatever the designer is doing. Given that there is no way he's going to change his ways (since he doesn't see anything wrong with it...), I was wondering if there was a way to throttle a user's shared access to a computer (Mac OSX 10.5.8) so that his remote working would have minimal impact on our work. Google searches have revealed nothing helpful (maybe I should Bing it... :) so I was hoping someone with more technical expertise on Slashdot could offer a suggestion."
Well, I don't think you want to mess with how the operating system handles its network and file system so you have two options. You can either throttle at the router or throttle at the neck. The router option requires you have a capable enough network router connecting you two in order to be able to write a rule for his machine (by IP address or machine name usually) that limits the amount of information he can transfer (I believe this is possible in DD-WRT and is called throttling or traffic shaping). This will cause his experience to become slow and he will most likely complain and bitch to daddy if he knows you did something.
The other option is throttling the neck of the user. This requires somewhat strong hands and forearms applying a pressure to the neck of the user until he stops moving or goes limp. It may result a decreased experience for the user, difficulty breathing, death and in some cases an erection. Use with caution and have an alibi.
My work here is dung.
chmod the files so that only the appropriate user has read/write, and that the boss' son has read access. only allow him to replace the files in a different directory, so that you can evaluate the changes.
Who cares about throttling. Why isn't your data on a file server? Especially if there's intentions to share it.
Store all the files on the offendor's computer. Let the other designers work off of his computer. Done!
But seriously, why should anyone be able to access anyone else's files? Secure everyone's computer. You should put shared files on a shared file server.
And why not use revision control?
-Peter
Why not just set the file permissions to not allow write access - then said director will be forced to work on and save files locally..
You can configure a firewall rate limiting statement based on source ip address using ipfw. Then just have an applescript that toggles this than can be run as soon as you notice the computer getting slow.
Try using the advice in this tip: http://www.macosxhints.com/article.php?story=20080119112509736 which demonstrates bandwidth throttling by port number
but add a rule that limits by ip address as well as port number
see http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html for details of the ipfw rules
I haven't tried this combination myself but I can't see why it wouldn't work.
I'm glad that someone got a chuckle out of it before it was modded into oblivion. Those OSX users sure are a sensitive bunch.
OS X uses ipfw as its firewall. Look up 'ipfw throttling' in google. If you don't want to edit ipfw files by hand, hunt out WaterRoof as well.
You have to throttle the port the file sharing is running on. Probably 548 or/and 427. To throttle these ports you have to go into terminal and type this:
sudo ipfw pipe 1 config bw 15KByte/s
sudo ipfw add 1 pipe 1 src-port 548
To remove the throttling just type:
sudo ipfw delete 1
Source: http://www.macosxhints.com/article.php?story=20080119112509736
http://homepage.mac.com/car1son/static_port_fwd_firewall.html
Say NO to unpaid Internships!
Intermittently disconnect him, and tell him that his connection is working fine. If he insists that he had been disconnected, offer him your preferred solution, as it would not result in any more disconnections.
Well, when it comes to people working with graphics they often use local storage as their primary "work storage" because it's faster (and when you're working with lots of large files this becomes critical if you want to retain your sanity) and then they just use the server for saving backups at the end of the day and for final production work. So a lot of times the actual work copy is always stored on the local workstation, this is especially true when dealing with video/animation as you can easily end up with insane amounts of data, if you're working on uncompressed 1080p video rendered as independent targa images (so you can easily re-render specific short runs of frames, very common when working with software like Maya and 3dsmax) you may be looking at roughly 7 GiB of data for 30 seconds of video (8 bit color with alpha and 30 fps), not the kind of thing you want to be pushing back and forth across the network all the time (even if you're just copying the data that's changed it ends up being pretty heavy).
tl;dr: People who work with CGI have datasets and a workflow that don't work well with using servers for data storage other than as an easy way to backup data.
/Mikael
Greylisting is to SMTP as NAT is to IPv4
Check the nice manual page
Increment it slowly and he won't know whats going on (mu-ha ha)
My ism, it's full of beliefs.
You've never worked in a company with nepotism disease. I can tell. The OP said that getting the kid to do it the right way isn't going to happen.
All the 'throttle the process/port/ip' answers are wrong. I'm surprised people here can't see that.
The issue is that the idio^H^H^H^H user in question is using AFP/SMB/whatever to open the file, but that's the same process he would use to transfer the file over the network.
If you throttle the file server daemon to 10kbps/nice 20/whatever, all that will serve is to make network transfers excruciatingly slow to the point where he'll be complaining "but it takes _hours_ to copy the file over the network, which is why I work on it remotely".
If there is a throttling solution it is in allowing fast file copies while maintaining slow open/writes. I don't know that exists (at least at the user-manageable level). Read-only shares might help (that way he can't save his edits back) but will end up with fragmented file stores (and someone has to keep track of where the latest version of any file is).
You might be able to craft a possible solution via Mac OS X's ACLs - maybe write/add_file on the directory, but read-only files so he can create new files but not edit/save/overwrite existing files.
At the end of the day, though, without a network infrastructure change (e.g. a central file server) this problem isn't going to go away.
-- Always borrow money from a pessimist; they don't expect to be paid back.
IN Leopard Apple went from ipfw to an application firewall. But ipfw is still there and can be run. you can configure ipfw to limit the bandwidth to specific IP addresses. Your problem is exactly what this is for.
http://www.macgeekery.com/hacks/software/traffic_shaping_in_mac_os_x
THere is probably some way to do this with the application firewall too but I don't know how.
Some drink at the fountain of knowledge. Others just gargle.
how to set up ipfw in leopard:
see here and here:
http://www.netmojo.ca/2007/10/31/fixing-leopards-firewall/
http://securosis.com/blog/help-build-the-best-ipfw-firewall-rules-sets-ever
or use the GUI tool wateroof to configure the firewall.
add the rules decribed here:
http://www.macgeekery.com/hacks/software/traffic_shaping_in_mac_os_x
then turn it on at boot like this:
http://lists.macosforge.org/pipermail/macports-users/2008-May/010337.html
and then turn off the application firewall in system preferences.
Some drink at the fountain of knowledge. Others just gargle.
I could have sworn that hot dogs were precooked before packaging.
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
First, the Mac Mini server has 2 drives capable of RAID1. Second, "laptop" hard drives are good enough for high end HP Integrity servers at 100k$ a pop, they're good enough for a small design shop. A lot of high end servers are moving to 2.5" drives for space reasons. Nothing inherently wrong with them.
"Not to mention all the idiots who use words like boxen."
Anonymous Coward on Monday August 04, @06:49PM
On linux, there is ionice which solves this problem conveniently. Just run the file-share program (e.g. ftp server, CIFS server etc.) with a lower IO priority, and there is no effect on the person working on it. Isn't there anything comparable for Macs?
Bingo Dictionary - Pragmatist, n. A myopic idealist.