From owner-freebsd-jail@FreeBSD.ORG Mon Aug 27 11:07:12 2012
Date: Mon, 27 Aug 2012 11:07:11 GMT
Message-Id: <201208271107.q7RB7B3n085889@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o docs/156853  jail       [patch] Update docs: jail(8) security issues with worl
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

14 problems total.

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 30 20:52:39 2012
Date: Thu, 30 Aug 2012 16:52:32 -0400
From: Darek M
To: freebsd-jail@freebsd.org
Subject: Quotas inside jails

Hi list,

playing around with setting quotas inside a jail.  Configured and
tested them on the host, configured a quota for a jail user, but it
isn't being enforced.  I attempted to set
security.jail.param.allow.quotas to 1, from command line, from
/etc/sysctl.conf, and from /boot/loader.conf, but it remains set to
'0'.

Am I looking at the right sysctl?  If not, where should I be looking?
If yes, why does it appear to be immutable?

I'm doing this on a 9.0-RELEASE system

Thanks

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 30 21:32:07 2012
Date: Thu, 30 Aug 2012 15:32:18 -0600
Message-Id: <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net>
From: John Nielsen
To: Darek M
Cc: freebsd-jail@freebsd.org
Subject: Re: Quotas inside jails

On Aug 30, 2012, at 2:52 PM, Darek M wrote:

> playing around with setting quotas inside a jail.  Configured and
> tested them on the host, configured a quota for a jail user, but it
> isn't being enforced.  I attempted to set
> security.jail.param.allow.quotas to 1, from command line, from
> /etc/sysctl.conf, and from /boot/loader.conf, but it remains set to
> '0'.
>
> Am I looking at the right sysctl?  If not, where should I be looking?
> If yes, why does it appear to be immutable?

I'm assuming you have basically one UFS filesystem for all your jails.
Is that the case? If so, do you have quotas enabled on the host? See the
handbook if you haven't already:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html

> I'm doing this on a 9.0-RELEASE system

Another way to set hard quotas for jails is to give each one its own
filesystem of fixed size. This is trivially easy with zfs--just create a
zfs for each jail and set the quota property. To use UFS you can create
image files of whatever size you want, make them md(4) devices, and then
newfs(8) and mount(8) them. Unlike the method in the handbook, neither
of these options requires kernel quota support.

JN

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 30 23:05:31 2012
Date: Thu, 30 Aug 2012 19:05:30 -0400
In-Reply-To: <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net>
References: <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net>
From: Darek M
To: John Nielsen
Cc: freebsd-jail@freebsd.org
Subject: Re: Quotas inside jails

On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen wrote:
> On Aug 30, 2012, at 2:52 PM, Darek M wrote:
>
>> playing around with setting quotas inside a jail.  Configured and
>> tested them on the host, configured a quota for a jail user, but it
>> isn't being enforced.  I attempted to set
>> security.jail.param.allow.quotas to 1, from command line, from
>> /etc/sysctl.conf, and from /boot/loader.conf, but it remains set to
>> '0'.
>>
>> Am I looking at the right sysctl?  If not, where should I be looking?
>> If yes, why does it appear to be immutable?
>
> I'm assuming you have basically one UFS filesystem for all your jails.
> Is that the case? If so, do you have quotas enabled on the host? See
> the handbook if you haven't already:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html

Yup, verified that quotas on the host work fine.

>> I'm doing this on a 9.0-RELEASE system
>
> Another way to set hard quotas for jails is to give each one its own
> filesystem of fixed size. This is trivially easy with zfs--just create
> a zfs for each jail and set the quota property. To use UFS you can
> create image files of whatever size you want, make them md(4) devices,
> and then newfs(8) and mount(8) them. Unlike the method in the
> handbook, neither of these options requires kernel quota support.

But these would be a quota for the entire jail.  I'm interested in
having per-user quotas for users inside a jail.

I'm curious whether the "security.jail.param.allow.quotas" sysctl is
my missing link, and if so, why it is immutable.

-- 
Darek

> JN
>

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 31 19:20:09 2012
Date: Fri, 31 Aug 2012 13:05:54 -0600
Message-ID: <50410B12.6050606@FreeBSD.org>
References: <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net>
From: Jamie Gritton
To: FreeBSD-Jail
Subject: Re: Quotas inside jails

On 08/30/12 17:05, Darek M wrote:
> On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen wrote:
>> On Aug 30, 2012, at 2:52 PM, Darek M wrote:
>>
>>> playing around with setting quotas inside a jail.  Configured and
>>> tested them on the host, configured a quota for a jail user, but it
>>> isn't being enforced.  I attempted to set
>>> security.jail.param.allow.quotas to 1, from command line, from
>>> /etc/sysctl.conf, and from /boot/loader.conf, but it remains set to
>>> '0'.
>>>
>>> Am I looking at the right sysctl?  If not, where should I be looking?
>>> If yes, why does it appear to be immutable?
>>
>> I'm assuming you have basically one UFS filesystem for all your
>> jails. Is that the case? If so, do you have quotas enabled on the
>> host? See the handbook if you haven't already:
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
> Yup, verified that quotas on the host work fine.
>
>>> I'm doing this on a 9.0-RELEASE system
>>
>> Another way to set hard quotas for jails is to give each one its own
>> filesystem of fixed size. This is trivially easy with zfs--just
>> create a zfs for each jail and set the quota property. To use UFS you
>> can create image files of whatever size you want, make them md(4)
>> devices, and then newfs(8) and mount(8) them. Unlike the method in
>> the handbook, neither of these options requires kernel quota support.
>
> But these would be a quota for the entire jail.  I'm interested in
> having per-user quotas for users inside a jail.
>
> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
> my missing link, and if so, why it is immutable.

The security.jail.param.* sysctls are part of the jail_get/set system
calls, and are all immutable; they serve only to define the available
jail parameters.

So the question now comes to the allow.quotas parameter. If you set this
on a jail, then you will indeed be able to manipulate quotas inside the
jail. But the quotas still aren't per-jail - they're keyed only on
UID/GID, and would share with anyone outside the jail using the same
UID/GID. That's fine if the jail has its own filesystem, but not if it
shares with other jails or (especially) with the host system.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 31 20:49:42 2012
Date: Fri, 31 Aug 2012 20:41:29 +0000
Message-ID: <20120831204129.GP30681@www.jail.lambertfam.org>
References: <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net>
From: Scott Lambert
To: freebsd-jail@freebsd.org
Reply-To: freebsd-jail@freebsd.org
Subject: Re: Quotas inside jails

On Thu, Aug 30, 2012 at 07:05:30PM -0400, Darek M wrote:
> On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen wrote:
> >
> > Another way to set hard quotas for jails is to give each one its
> > own filesystem of fixed size. This is trivially easy with zfs--just
> > create a zfs for each jail and set the quota property. To use UFS
> > you can create image files of whatever size you want, make them
> > md(4) devices, and then newfs(8) and mount(8) them. Unlike the
> > method in the handbook, neither of these options requires kernel
> > quota support.
>
> But these would be a quota for the entire jail.  I'm interested in
> having per-user quotas for users inside a jail.
>
> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
> my missing link, and if so, why it is immutable.

If using ZFS, you *could* create a file system with quota for each
user's home directory in the jail.  I'm not saying it would be
pretty....

With UFS, I think you would have to ensure that UID/GIDs do not overlap
between jails, at least for the users you want to be affected by
quotas.  That could be as ugly as the thousands of ZFS file systems.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org
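
The condition raised in the replies above (quotas are keyed on UID/GID per filesystem, so allow.quotas is fine only when the jail has its own filesystem) can be checked mechanically. The following is an added example, not part of the thread: a sh/awk audit that takes text in the format of `jls -n` and `mount -p` output and reports, for each jail with allow.quotas set, whether its root shares a filesystem. The sample inputs are constructed and the jail names, devices and paths are hypothetical; treating a jail root that is a subdirectory of a mount point as shared is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): list jails that have allow.quotas set
# and report whether the jail root has a filesystem to itself.
# On a FreeBSD host the inputs would be `jls -n` and `mount -p` output;
# the samples below are constructed, with hypothetical names and paths.

JLS_SAMPLE='jid=1 name=web path=/jails/web allow.quotas allow.nomount
jid=2 name=db path=/jails/db allow.noquotas allow.nomount
jid=3 name=mail path=/vol/mail allow.quotas allow.nomount
jid=4 name=shell path=/jails/shell allow.quotas allow.nomount'

MOUNT_SAMPLE='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p4 /jails ufs rw,userquota 2 2
/dev/md0 /vol/mail ufs rw,userquota 2 2'

# audit_quota_jails JLS_TEXT MOUNT_TEXT
# Prints one line per jail with allow.quotas: "<name> <mountpoint> SHARED|OWN"
audit_quota_jails() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } | awk '
    # Longest mount point that is a path prefix of p.
    function fs_of(p,   m, best) {
        best = "/"
        for (m in mnt) {
            if ((p == m || index(p, m "/") == 1) && length(m) > length(best))
                best = m
        }
        return best
    }
    $0 == "--" { jails = 1; next }
    !jails { mnt[$2] = 1; next }
    {
        name = ""; path = ""; quotas = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) name = substr($i, 6)
            else if ($i ~ /^path=/) path = substr($i, 6)
            else if ($i == "allow.quotas") quotas = 1
        }
        fs = fs_of(path)
        n++; jname[n] = name; jfs[n] = fs; jq[n] = quotas; jpath[n] = path
        users[fs]++
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!jq[i]) continue
            # Shared if another jail lives on the same filesystem, or the
            # jail root is a subdirectory rather than the mount point itself.
            shared = (users[jfs[i]] > 1 || jpath[i] != jfs[i])
            print jname[i], jfs[i], (shared ? "SHARED" : "OWN")
        }
    }'
}

audit_quota_jails "$JLS_SAMPLE" "$MOUNT_SAMPLE"
```

A jail reported as SHARED is one where quota changes made inside it would apply to the same UID/GID on the rest of that filesystem.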