From: Konstantin Belousov <kostikbel@gmail.com>
To: Valeri Galtsev
Cc: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 21:23:56 +0300
Subject: Re: per user quotas inside jail?
Message-ID: <20130823182356.GH4972@kib.kiev.ua>
In-Reply-To: <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu>

On Fri, Aug 23, 2013 at 01:05:24PM -0500, Valeri Galtsev wrote:
> On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote:
> > On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote:
> >> Dear Experts,
> >>
> >> After searching the web, reading FreeBSD Docs, trying some hacks found on
> >> some discussion boards... I feel it is not easily possible. Yet, as always
> >> there may be some expert who knows how to do it:
> >>
> >> How can one have per user quotas inside jail?
> >>
> >> Basically, I would like to give users shell access to some server, but
> >> that I prefer to have in jail, where I will mount all filesystems they
> >> need access to... and the only question is: how do I restrict them so
> >> one (or few) user doesn't fill up the whole filesystem. My mind is not married
> >> to any particular filesystem, UFS2, XFS, ZFS...
> >> - the only thing I would
> >> stay away from is NFS exporting on host and then NFS mounting in jail
> >> (which may be easiest if not the only way quota wise).
> >
> > UFS quotas work regardless of jailed/non-jailed user. The only confusing
> > issue is that quotas are per host uid. In other words, if host and jail
> > user, or two users from different jails have the same uid, you get one
> > quota setting applied and accounted for them.
> >
> > Usual mitigation is to ensure that user uids are globally unique.
>
> Thanks, Konstantin.
>
> Still it doesn't work for me. My system is:
>
> 9.1-RELEASE-p5 amd64
>
> Kernel: the same as GENERIC, with one option added:
>
> options QUOTA # Add disk quota support
>
> filesystem with quota enabled is directly mounted (UFS; rw,userquota) into
> directory inside jail. User (with the same username and UID) exists on the
> host system and in jail. Quotas work on the host system. Quotas don't work
> inside jail, so this user can fill up the whole filesystem when logged
> into jail (jail accepts ssh connections with different hostname...)
>
> Apart from that I tried a hack which I lifted from someone's FreeBSD 7
> hack (only the variable name changed since then), namely:
>
> in kernel, in:
>
> /usr/src/sys/kern/vfs_syscalls.c
>
> I kicked out two lines:
>
> if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
> return (EPERM);
>
> (which basically obliterates that if done from inside jail as far as I
> understand),
>
> rebuilt and installed this kernel; in file
>
> /etc/rc.d/quota
>
> removed line
>
> # KEYWORD: nojail
>
> Yet, I'm still where I was: quotas work outside jail, not inside jail...
>
> So, I'm at a loss. I guess I will have to dive into zfs following Aaron
> Kaufman's suggestion... Sigh.

UFS quotas work per mount. So if jail root is on a filesystem which has no
quotas configured, obviously the thing cannot work.
You did not provide any details of your configuration, which makes a
diagnostic impossible.