From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Konstantin Belousov"
Cc: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 13:05:24 -0500 (CDT)
Subject: Re: per user quotas inside jail?
Message-ID: <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20130823160549.GD4972@kib.kiev.ua>
References: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> <20130823160549.GD4972@kib.kiev.ua>
Reply-To: galtsev@kicp.uchicago.edu
List-Id: "Discussion about FreeBSD jail(8)"

On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote:
> On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote:
>> Dear Experts,
>>
>> After searching the web, reading FreeBSD Docs, trying some hacks found on
>> some discussion boards... I feel it is not easily possible. Yet, as always
>> there may be some expert who knows how to do it:
>>
>> How can one have per user quotas inside jail?
>>
>> Basically, I would like to give users shell access to some server, but
>> that I prefer to have in jail, where I will mount all filesystems they
>> need access to... and the only question is: how do I restrict them so one
>> (or few) user doesn't fill up the whole filesystem. My mind is not married
>> to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would
>> stay away from is NFS exporting on host and then NFS mounting in jail
>> (which may be easiest if not the only way quota wise).
>
> UFS quotas work regardless of jailed/non-jailed user. The only confusing
> issue is that quotas are per host uid. In other words, if host and jail
> user, or two users from different jails, have the same uid, you get one
> quota setting applied and accounted for them.
>
> Usual mitigation is to ensure that user uids are globally unique.

Thanks, Konstantin. Still it doesn't work for me. My system is:

9.1-RELEASE-p5 amd64

Kernel: the same as GENERIC, with one option added:

    options QUOTA # Add disk quota support

Filesystem with quota enabled is directly mounted (UFS; rw,userquota) into a
directory inside jail.

User (with the same username and UID) exists on the host system and in jail.

Quotas work on the host system. Quotas don't work inside jail, so this user
can fill up the whole filesystem when logged into jail (jail accepts ssh
connections with different hostname...)

Apart from that I tried a hack which I lifted from someone's FreeBSD 7 hack
(only the variable name changed since then), namely:

in kernel, in:

    /usr/src/sys/kern/vfs_syscalls.c

I kicked out two lines:

    if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
        return (EPERM);

(which basically obliterate that if done from inside jail as far as I
understand), rebuilt and installed this kernel;

in file /etc/rc.d/quota removed line

    # KEYWORD: nojail

Yet, I'm still where I was: quotas work outside jail, not inside jail...

So, I'm at a loss. I guess I will have to dive into zfs following Aaron
Kaufman's suggestion... Sigh.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
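Konstantin's point is that UFS quota accounting is keyed on the uid alone, so a uid shared between the host and a jail (or between two jails) shares one quota. The following uid-collision check is an added example, not code from the thread; it assumes the caller passes the host's passwd(5) file plus one passwd file per jail root, and the sample data it runs on is constructed.

```sh
#!/bin/sh
# Added example: report uids that appear in more than one of the given
# passwd(5) files (host plus each jail root), since a uid shared across
# host and jails is one shared UFS quota entry.

# Prints "uid: file:user file:user ..." for every uid seen in two or more
# of the given files (or more than once in one file), sorted by uid.
find_uid_collisions() {
    awk -F: '
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        {
            seen[$3] = seen[$3] " " FILENAME ":" $1
            count[$3]++
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid ":" seen[uid]
        }
    ' "$@" | sort -n
}

# Constructed sample data standing in for /etc/passwd on the host and in
# one jail; in real use pass /etc/passwd plus <jailroot>/etc/passwd for
# each jail root listed by jls(8).
demo_uid_collisions() {
    host=$(mktemp) && jail=$(mktemp) || return 1
    cat > "$host" <<'EOF'
# host passwd (constructed)
root:*:0:0:Charlie &:/root:/bin/sh
valeri:*:1001:1001:Valeri:/home/valeri:/bin/sh
EOF
    cat > "$jail" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
EOF
    find_uid_collisions "$host" "$jail"
    rm -f "$host" "$jail"
}

demo_uid_collisions
```

On the sample data this flags uid 0 (root in both) and uid 1001 (valeri on the host, alice in the jail), while bob's uid 1002 is unique and is not reported.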