Date:      Fri, 31 Aug 2012 13:05:54 -0600
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        FreeBSD-Jail <freebsd-jail@FreeBSD.org>
Subject:   Re: Quotas inside jails
Message-ID:  <50410B12.6050606@FreeBSD.org>
In-Reply-To: <CANDt73e92Kewx7KsXaCmZaRPO%2BCNsXBmT4T3Adt8A3wCOVWv5A@mail.gmail.com>
References:  <CANDt73drFBbfmNN8ZYkn9VdUuDO60JEn8Ks1ZFgsaiDqnbpxLA@mail.gmail.com> <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net> <CANDt73e92Kewx7KsXaCmZaRPO%2BCNsXBmT4T3Adt8A3wCOVWv5A@mail.gmail.com>

On 08/30/12 17:05, Darek M wrote:
> On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen<lists@jnielsen.net>  wrote:
>> On Aug 30, 2012, at 2:52 PM, Darek M<fafaforza@gmail.com>  wrote:
>>
>>> playing around with setting quotas inside a jail.  Configured and
>>> tested them on the host, configured a quota for a jail user, but it
>>> isn't being enforced.  I attempted to set
>>> security.jail.param.allow.quotas to 1, from command line, from
>>> /etc/sysctl.conf, and from /boot/loader.conf, but it remains set to
>>> '0'.
>>>
>>> Am I looking at the right sysctl?  If not, where should I be looking?
>>> If yes, why does it appear to be immutable?
>>
>> I'm assuming you have basically one UFS filesystem for all your jails. Is that the case? If so, do you have quotas enabled on the host? See the handbook if you haven't already:
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
> Yup, verified that quotas on the host work fine.
>
>>> I'm doing this on a 9.0-RELEASE system
>>
>> Another way to set hard quotas for jails is to give each one its own filesystem of fixed size. This is trivially easy with zfs--just create a zfs for each jail and set the quota property. To use UFS you can create image files of whatever size you want, make them md(4) devices, and then newfs(8) and mount(8) them. Unlike the method in the handbook, neither of these options requires kernel quota support.
>
> But these would be a quota for the entire jail.  I'm interested in
> having per-user quotas for users inside a jail.
>
> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
> my missing link, and if so, why it is immutable.

The security.jail.param.* sysctls are part of the jail_get/set system
calls, and are all immutable; they serve only to define the available
jail parameters.

So the question now comes to the allow.quotas parameter. If you set this
on a jail, then you will indeed be able to manipulate quotas inside the
jail. But the quotas still aren't per-jail - they're keyed only on
UID/GID, and would share with anyone outside the jail using the same
UID/GID. That's fine if the jail has its own filesystem, but not if it
shares with other jails or (especially) with the host system.

- Jamie
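
Added example (not part of the original message or of FreeBSD itself): a small sh audit for the condition described above, flagging jails that have allow.quotas set but whose path is not a separate mount point. The three-column input (name, path, allow.quotas value as `1` or `true`), the function name, and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag jails with allow.quotas set that lack their own filesystem.

# Constructed sample data (not from a real host).
# Columns: jail name, jail path, allow.quotas value ("1" or "true" = set).
SAMPLE_JAILS='www /jails/www 1
mail /usr/jails/mail 1
db /jails/db 0'
# Mount points on the host, one per line.
SAMPLE_MOUNTS='/
/usr
/jails/www'

# audit_quota_jails JAIL_LINES MOUNT_POINTS
# Prints one line per jail that has allow.quotas set.
audit_quota_jails() {
    printf '%s\n' "$1" | while read -r name path quotas; do
        case "$quotas" in
            1|true) ;;
            *) continue ;;
        esac
        # Heuristic: a jail path that is itself a mount point is treated as
        # the jail's own filesystem. A nullfs mount of a shared filesystem
        # would still pass, so review those by hand.
        if printf '%s\n' "$2" | grep -Fxq -- "$path"; then
            echo "$name: ok, $path is a separate mount"
        else
            echo "$name: SHARED, UID/GID quotas at $path also apply outside the jail"
        fi
    done
}

if command -v jls >/dev/null 2>&1; then
    # Live data; assumes jls prints the three requested parameters per line.
    audit_quota_jails "$(jls name path allow.quotas)" "$(mount -p | awk '{print $2}')"
else
    audit_quota_jails "$SAMPLE_JAILS" "$SAMPLE_MOUNTS"
fi
```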


