Date: Tue, 04 Sep 2012 12:47:09 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
To: Darek M <fafaforza@gmail.com>
Cc: FreeBSD-Jail <freebsd-jail@FreeBSD.org>
Subject: Re: Quotas inside jails
Message-ID: <50464CAD.8080108@FreeBSD.org>
In-Reply-To: <CANDt73d3Ywu0_xMOftT4yEz%2BvWvf9nU8PfkYO1aMk_118yVNrQ@mail.gmail.com>
References: <CANDt73drFBbfmNN8ZYkn9VdUuDO60JEn8Ks1ZFgsaiDqnbpxLA@mail.gmail.com>
 <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net>
 <CANDt73e92Kewx7KsXaCmZaRPO%2BCNsXBmT4T3Adt8A3wCOVWv5A@mail.gmail.com>
 <50410B12.6050606@FreeBSD.org>
 <CANDt73d3Ywu0_xMOftT4yEz%2BvWvf9nU8PfkYO1aMk_118yVNrQ@mail.gmail.com>

On 09/04/12 12:40, Darek M wrote:
> On Fri, Aug 31, 2012 at 3:05 PM, Jamie Gritton<jamie@freebsd.org> wrote:
>> On 08/30/12 17:05, Darek M wrote:
>
>>> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
>>> my missing link, and if so, why it is immutable.
>>
>>
>> The security.jail.param.* sysctls are part of the jail_get/set system
>> calls, and are all immutable; they serve only to define the available
>> jail parameters.
>>
>> So the question now comes to the allow.quotas parameter. If you set this
>> on a jail, then you will indeed be able to manipulate quotas inside the
>> jail. But the quotas still aren't per-jail - they're keyed only on
>> UID/GID, and would share with anyone outside the jail using the same
>> UID/GID. That's fine if the jail has its own filesystem, but not if it
>> shares with other jails or (especially) with the host system.
>>
>> - Jamie
>
> Indeed, this looks to be my missing piece. Using distinct UIDs on
> each jail should be easily doable, and would be cleaner than using
> zfs, etc.
>
> However, I tried setting "security.jail.param.allow.quotas" to 1
> inside the jail via /etc/sysctl.conf and /boot/loader.conf and it
> remains at 0. Am I trying to enable it the wrong way?

Yes. You need to set the "allow.quotas" parameter in the jail. There's
not a good way to do that from rc at this moment, but a
"jail -m jid=<jid> allow.quotas" should do the trick after the jail is
up and running.

- Jamie
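
Added example, not part of the original thread: because the quotas discussed above are keyed only on UID/GID, a jail that shares a filesystem with the host or another jail also shares the quota of every UID they have in common. This sh sketch lists UIDs that occur in more than one passwd(5)-format file; the file names, the sample accounts and the minimum-UID threshold are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: list numeric UIDs present in more than one passwd(5) file.
# Every UID printed would share a single quota between the systems named
# on its line if they use the same filesystem.

# usage: shared_uids MIN_UID passwd_file...
shared_uids() {
    min_uid=$1; shift
    awk -F: -v min="$min_uid" '
        /^#/ || NF < 3   { next }      # comments and malformed lines
        $3 !~ /^[0-9]+$/ { next }      # non-numeric UID field
        $3 + 0 < min     { next }      # below the threshold of interest
        {
            key = $3 SUBSEP FILENAME
            if (key in seen) next      # count each file once per UID
            seen[key] = 1
            nfiles[$3]++
            owners[$3] = owners[$3] " " FILENAME ":" $1
        }
        END {
            for (uid in nfiles)
                if (nfiles[uid] > 1) print uid owners[uid]
        }
    ' "$@" | sort -n
}

# Constructed sample data: one host and two jails (hypothetical accounts).
write_samples() {
    dir=$1
    printf '%s\n' '# constructed sample' 'root:*:0:0:Root:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/sh' > "$dir/host.passwd"
    printf '%s\n' 'root:*:0:0:Root:/root:/bin/csh' \
        'www:*:1001:1001:Web:/home/www:/bin/sh' \
        'bob:*:2001:2001:Bob:/home/bob:/bin/sh' > "$dir/jail_a.passwd"
    printf '%s\n' 'root:*:0:0:Root:/root:/bin/csh' \
        'carol:*:3001:3001:Carol:/home/carol:/bin/sh' > "$dir/jail_b.passwd"
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    ( cd "$tmp" && shared_uids 1000 host.passwd jail_a.passwd jail_b.passwd )
    rm -rf "$tmp"
}
demo
```

On a real system the arguments would be the host's /etc/passwd and the passwd file under each jail's root; the same function works on group(5) files for GIDs, since the numeric ID is also the third field there.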