From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 18:47:16 2012
From: Jamie Gritton <jamie@FreeBSD.org>
To: Darek M
Cc: FreeBSD-Jail
Date: Tue, 04 Sep 2012 12:47:09 -0600
Subject: Re: Quotas inside jails
Message-ID: <50464CAD.8080108@FreeBSD.org>
References: <6B11ADF9-5B11-41CD-BDAC-6F8236FC1E4C@jnielsen.net> <50410B12.6050606@FreeBSD.org>
List-Id: "Discussion about FreeBSD jail(8)"

On 09/04/12 12:40, Darek M wrote:
> On Fri, Aug 31, 2012 at 3:05 PM, Jamie Gritton wrote:
>> On 08/30/12 17:05, Darek M wrote:
>
>>> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
>>> my missing link, and if so, why it is immutable.
>>
>>
>> The security.jail.param.* sysctls are part of the jail_get/set system
>> calls, and are all immutable; they serve only to define the available
>> jail parameters.
>>
>> So the question now comes to the allow.quotas parameter. If you set this
>> on a jail, then you will indeed be able to manipulate quotas inside the
>> jail. But the quotas still aren't per-jail - they're keyed only on
>> UID/GID, and would share with anyone outside the jail using the same
>> UID/GID. That's fine if the jail has its own filesystem, but not if it
>> shares with other jails or (especially) with the host system.
>>
>> - Jamie
>
> Indeed, this looks to be my missing piece. Using distinct UIDs on
> each jail should be easily doable, and would be cleaner than using
> zfs, etc..
>
> However, I tried setting "security.jail.param.allow.quotas" to 1
> inside the jail via /etc/sysctl.conf and /boot/loader.conf and it
> remains at 0. Am I trying to enable it the wrong way?

Yes. You need to set the "allow.quotas" parameter in the jail. There's
not a good way to do that from rc at this moment, but a
"jail -m jid= allow.quotas" should do the trick after the jail is up
and running.

- Jamie
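The caveat Jamie gives above (quotas are keyed on UID/GID, not on the jail, so allow.quotas is only safe when the jail root is its own filesystem) can be audited with a small shell check. This is an added example, not code from the thread; the jail and mount listings are constructed inline and assume the `name=value` layout of `jls -n` and the fstab-style layout of `mount -p`.

```shell
#!/bin/sh
# Constructed sample standing in for `jls -n` output: one jail per line,
# space-separated name=value parameters (only the fields used here are shown).
JLS_SAMPLE='jid=1 name=www path=/jails/www allow.quotas=1 host.hostname=www.example.org
jid=2 name=db path=/jails/db allow.quotas=0 host.hostname=db.example.org
jid=3 name=mail path=/jails/mail allow.quotas=1 host.hostname=mail.example.org'

# Constructed sample standing in for `mount -p` output (fstab-style lines):
# only /jails/www has its own filesystem; everything else lives on /.
MOUNT_SAMPLE='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 /jails/www ufs rw,userquota 2 2'

# Print the longest mountpoint that contains the given path ("/" always matches).
mount_for_path() {
    printf '%s\n' "$MOUNT_SAMPLE" | awk -v p="$1" '
        { mp = $2; n = length(mp)
          # exact match, the root filesystem, or mp followed by "/" is a prefix of p
          if (mp == p || mp == "/" || substr(p, 1, n + 1) == mp "/") {
              if (n > best_n) { best = mp; best_n = n }
          } }
        END { print best }'
}

# Report every jail with allow.quotas=1 whose root is not itself a mountpoint:
# its quota table is the one shared with the host or other jails on that filesystem.
quota_jails_sharing_fs() {
    printf '%s\n' "$JLS_SAMPLE" | while read -r line; do
        name=""; path=""; quotas=0
        for kv in $line; do
            case "$kv" in
                name=*)         name="${kv#name=}" ;;
                path=*)         path="${kv#path=}" ;;
                allow.quotas=*) quotas="${kv#allow.quotas=}" ;;
            esac
        done
        [ "$quotas" = "1" ] || continue
        mp="$(mount_for_path "$path")"
        [ "$mp" = "$path" ] || printf '%s shares %s with %s\n' "$name" "$mp" "$path"
    done
}

quota_jails_sharing_fs
```

On a real host, replace the two samples with the live `jls -n` and `mount -p` output; a jail that is reported here needs its own filesystem (or distinct UIDs, as Darek plans) before allow.quotas is meaningful.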