Date: Thu, 27 Apr 2006 00:51:12 -0400 (EDT) From: Charles Sprickman <spork@bway.net> To: "Michael R. Wayne" <wayne@staff.msen.com> Cc: hackers@freebsd.org Subject: Re: Jail Quotas - quota.user hard link Message-ID: <Pine.OSX.4.61.0604270045170.364@gee5.nat.fasttrackmonkey.com> In-Reply-To: <20060427041041.GM20420@manor.msen.com> References: <20060426182348.O4513@sporker.bway.net> <20060427041041.GM20420@manor.msen.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 27 Apr 2006, Michael R. Wayne wrote: > On Wed, Apr 26, 2006 at 06:23:59PM -0400, Charles Sprickman wrote: >> >> I have a question about using quotas in a jail with FreeBSD 6.x. So far I >> have had no problems on a test box with setting quotas from the host using >> a numeric UID (ie: edquota -u 20000 where UID 20000 is a user that only >> exists in a jail). That seems to "just work". > > Just a heads up: quotas in jails on FreeBSD 6 are pretty broken. I'll > include some workarounds. > > Basic operation can be done by specifying a filename, available in the jail, > which contains the quotas. So, on the base system, /etc/fstab contains: > > /dev/twed0s2f /usr/jails/foo.bar.com ufs rw,userquota=/usr/jails/foo.bar.com/usr/quotas/shell.root 2 2 > > and on the foo.bar.com jail, /etc/fstab contains: > > /dev/twed0s2f / ufs rw,userquota=/usr/quotas/shell.root,noauto 2 2 That's pretty nifty. "man fstab" confirms (at least the first part). I'm still curious if there's any harm in the symlink solution. > Now the problems begin. > > You either do > chmod a+r /usr/quotas/shell.root > which permits everyone on the machine to read all quotas (both > quota and repquota) or > chmod o-r /usr/quotas/shell.root > which permits ONLY root to read any quotas. Normal users can > not see their own quotas (I filed a PR on this quite some time back, > nobody seems interested). This seems to be new breakage since 4.x See, now back in 6.0, I could have sworn that I saw this. Even with the quota command setuid root inside the jail, I was getting "permission denied" errors. I'm now running a 6.1-RC from late last week and this seems to be working now. I'm not sure where to look in the kernel source to find if something changed, but my guess is someone did "fix" it. > Also, if you edquota from within the jail, it does not really take > effect. You can stick an hourly cron script on the base system containing > quotaoff -a > quotacheck -a > quotaon -a > which will "fixup" the mess. Alternately, you can only use edquota > from the base system which seems to mostly work. That's fine, I plan to do most work from the host and only become root in the jail when necessary. > ISTR that there was something else that was odd but I'm sure somebody > else will jump in and mention it. The above was the main stumbling block for me. I know keeping UIDs unique across the host and all jails is probably a royal pain for some, but my use here (shell server inside a jail) really doesn't have any issues with that. Thanks, Charles > /\/\ \/\/ > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.OSX.4.61.0604270045170.364>