Date:      Fri, 23 Aug 2013 13:05:24 -0500 (CDT)
From:      "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To:        "Konstantin Belousov" <kostikbel@gmail.com>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: per user quotas inside jail?
Message-ID:  <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20130823160549.GD4972@kib.kiev.ua>
References:  <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu>    <20130823160549.GD4972@kib.kiev.ua>

On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote:
> On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote:
>> Dear Experts,
>> After searching the web, reading FreeBSD Docs, trying some hacks found on
>> some discussion boards... I feel it is not easily possible. Yet, as always
>> there may be some expert who knows how to do it:
>> How can one have per user quotas inside jail?
>> Basically, I would like to give users shell access to some server, but
>> that I prefer to have in jail, where I will mount all filesystems they
>> need access to... and the only question is: how do I restrict them so
>> one (or few) user doesn't fill up the whole filesystem. My mind is not
>> married to any particular filesystem, UFS2, XFS, ZFS... - the only thing
>> I would stay away from is NFS exporting on host and then NFS mounting in
>> jail (which may be easiest if not the only way quota wise).
>
> UFS quotas work regardless of jailed/non-jailed user.  The only confusing
> issue is that quotas are per host uid.  In other words, if host and jail
> user, or two users from different jails have the same uid, you get one
> quota setting applied and accounted for them.
>
> Usual mitigation is to ensure that user uids are globally unique.
>

Thanks, Konstantin.

Still it doesn't work for me. My system is:

9.1-RELEASE-p5 amd64

Kernel: the same as GENERIC, with one option added:

options         QUOTA                   # Add disk quota support

filesystem with quota enabled is directly mounted (UFS; rw,userquota) into
directory inside jail. User (with the same username and UID) exists on the
host system and in jail. Quotas work on the host system. Quotas don't work
inside jail, so this user can fill up the whole filesystem when logged
into jail (jail accepts ssh connections with different hostname...)

Apart from that I tried a hack which I lifted from someone's FreeBSD 7
hack (only the variable name changed since then), namely:

in kernel, in:

/usr/src/sys/kern/vfs_syscalls.c

I kicked out two lines:

        if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
                return (EPERM);

(which basically obliterate that if done from inside jail as far as I
understand),

rebuilt and installed this kernel; in file

/etc/rc.d/quota

removed line

# KEYWORD: nojail

Yet, I'm still where I was: quotas work outside jail, not inside jail...

So, I'm at a loss. I guess I will have to dive into zfs following Aaron
Kaufman's suggestion... Sigh.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
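
Added example, not part of the original message or of FreeBSD itself: a check for the overlap described in the quoted reply, where accounts on the host and in different jails share one numeric UID and therefore one UFS quota record. The file names, the sample accounts and the `MIN_UID` cutoff of 1000 are assumptions made for illustration.

```sh
#!/bin/sh
# List UIDs that occur in more than one passwd(5) file, for example the host
# /etc/passwd plus <jailroot>/etc/passwd of every jail. Each output line is
# a group of accounts that would share a single UFS quota record.
# MIN_UID (assumed default 1000) skips system accounts, which legitimately
# repeat in every jail.
find_uid_collisions() {
    awk -F: -v min="${MIN_UID:-1000}" '
        /^#/ || NF < 3 { next }                  # comments, malformed lines
        $3 !~ /^[0-9]+$/ || $3 + 0 < min { next }
        {
            uid = $3 + 0
            key = uid SUBSEP FILENAME
            if (!(key in seen)) { seen[key] = 1; nfiles[uid]++ }
            owners[uid] = owners[uid] " " FILENAME ":" $1
        }
        END {
            for (uid in nfiles)
                if (nfiles[uid] > 1) print uid owners[uid]
        }
    ' "$@" | sort -n
}

# Constructed sample data (not from the thread): one host and two jails.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:0::/root:/bin/csh' \
        'alice:*:1001:1001::/home/alice:/bin/sh' > "$d/host"
    printf '%s\n' 'root:*:0:0::/root:/bin/csh' \
        'alice:*:1001:1001::/home/alice:/bin/sh' \
        'bob:*:1002:1002::/home/bob:/bin/sh' > "$d/jail1"
    printf '%s\n' 'root:*:0:0::/root:/bin/csh' \
        'carol:*:1002:1002::/home/carol:/bin/sh' \
        'dave:*:1003:1003::/home/dave:/bin/sh' > "$d/jail2"
    (cd "$d" && find_uid_collisions host jail1 jail2)
    rm -rf "$d"
}

demo
```

On a real system the arguments would be the host's `/etc/passwd` and each jail's copy; an empty result means no two of those files assign the same UID at or above the cutoff.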
