per user quotas inside jail?
Konstantin Belousov
kostikbel at gmail.com
Fri Aug 23 18:24:06 UTC 2013
On Fri, Aug 23, 2013 at 01:05:24PM -0500, Valeri Galtsev wrote:
> On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote:
> > On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote:
> >> Dear Experts,
> >> After searching the web, reading FreeBSD Docs, trying some hacks found on
> >> some discussion boards... I feel it is not easily possible. Yet, as always
> >> there may be some expert who knows how to do it:
> >> How can one have per user quotas inside jail?
> >> Basically, I would like to give users shell access to some server, but
> >> that I prefer to have in jail, where I will mount all filesystems they
> >> need access to... and the only question is: how do I restrict them so one
> >> (or few) user doesn't fill up the whole filesystem. My mind is not married
> >> to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would
> >> stay away from is NFS exporting on host and then NFS mounting in jail
> >> (which may be easiest if not the only way quota wise).
> >
> > UFS quotas work regardless of jailed/non-jailed user. The only confusing
> > issue is that quotas are per host uid. In other words, if host and jail
> > user, or two users from different jails have the same uid, you get one
> > quota setting applied and accounted for them.
> >
> > Usual mitigation is to ensure that user uids are globally unique.
> >
>
> Thanks, Konstantin.
>
> Still it doesn't work for me. My system is:
>
> 9.1-RELEASE-p5 amd64
>
> Kernel: the same as GENERIC, with one option added:
>
> options QUOTA # Add disk quota support
>
> filesystem with quota enabled is directly mounted (UFS; rw,userquota) into
> directory inside jail. User (with the same username and UID) exists on the
> host system and in jail. Quotas work on the host system. Quotas don't work
> inside jail, so this user can fill up the whole filesystem when logged
> into jail (jail accepts ssh connections with different hostname...)
>
> Apart from that I tried a hack which I lifted from someone's FreeBSD 7
> hack (only the variable name changed since then), namely:
>
> in kernel, in:
>
> /usr/src/sys/kern/vfs_syscalls.c
>
> I kicked out two lines:
>
> if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
> return (EPERM);
>
> (which basically obliterate that if done from inside jail as far as I
> understand),
>
> rebuilt and installed this kernel; in file
>
> /etc/rc.d/quota
>
> removed line
>
> # KEYWORD: nojail
>
> Yet, I'm still where I was: quotas work outside jail, not inside jail...
>
> So, I'm at loss. I guess I will have to dive into zfs following Aaron
> Kaufman's suggestion... Sigh.
UFS quotas work per mount. So if jail root is on a filesystem which
has no quotas configured, obviously the thing cannot work.
You did not provide any details of your configuration, which makes
a diagnostic impossible.
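The two points made in this exchange (UFS quotas are accounted per host uid, and they are enabled per mount) can both be checked before anyone logs into the jail. The script below is an added example and is not code from this thread or from FreeBSD; the passwd and mount-table contents are constructed, the function names are hypothetical, and it assumes the mount table is in the fstab-style format that `mount -p` prints on FreeBSD. The first check lists every regular uid (taken here as uid >= 1000) that exists both on the host and in the jail, since each such uid is a single quota no matter which name it carries; the second finds the mount that actually holds a jail path and reports whether that mount has userquota or groupquota set.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. It turns the two
# points made above into offline checks: (1) UFS quotas are accounted per
# host uid, so any uid that exists both on the host and in a jail shares one
# quota; (2) quotas are per mount, so the mount that actually holds the
# jail's data must carry the userquota/groupquota option.
# The passwd and mount data below are constructed; on a real system you would
# feed in the host's /etc/passwd, each jail's /etc/passwd and `mount -p`
# output (FreeBSD prints the mount table in fstab format).

# Constructed /etc/passwd contents for the host and for one jail.
HOST_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh'
JAIL_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
carol:*:1001:1001:Carol:/home/carol:/bin/sh
dave:*:1003:1003:Dave:/home/dave:/bin/sh'

# Constructed mount table in `mount -p` (fstab) format: device, mount point,
# fstype, options, dump, pass. Only /jail/home has quotas enabled.
MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 /jail ufs rw 2 2
/dev/ada0p4 /jail/home ufs rw,userquota 2 2'

# uid_collisions HOST_PASSWD JAIL_PASSWD
# Prints "uid host_name jail_name" for every regular uid (>= 1000) present in
# both files. Each such pair is one quota, whatever the two names are.
uid_collisions() {
    {
        printf '%s\n' "$2" | sed 's/^/jail:/'
        printf '%s\n' "$1" | sed 's/^/host:/'
    } | awk -F: '
        $1 == "jail" { jail_name[$4] = $2; next }
        $1 == "host" && $4 >= 1000 && ($4 in jail_name) {
            print $4, $2, jail_name[$4]
        }'
}

# mount_for_path MOUNT_TABLE PATH
# Prints "mountpoint options" for the mount with the longest mount point that
# is a prefix of PATH, i.e. the filesystem PATH really lives on.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { best = ""; best_len = 0 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp)
                    best = mp " " $4
                }
            }
        }
        END { if (best != "") print best }'
}

# quota_enabled MOUNT_TABLE PATH
# Succeeds only if the mount holding PATH has userquota or groupquota set.
quota_enabled() {
    mount_for_path "$1" "$2" | awk '
        {
            n = split($2, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "userquota" || opt[i] == "groupquota") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Report on the constructed data.
echo "uids shared between host and jail (one quota each):"
uid_collisions "$HOST_PASSWD" "$JAIL_PASSWD"
for dir in /jail/home/alice /jail/var/mail; do
    if quota_enabled "$MOUNTS" "$dir"; then
        echo "$dir: quotas enabled on $(mount_for_path "$MOUNTS" "$dir")"
    else
        echo "$dir: NO quotas on $(mount_for_path "$MOUNTS" "$dir")"
    fi
done
```

On the constructed data the script reports uid 1001 as shared (alice on the host, carol in the jail), finds /jail/home/alice on the userquota-enabled /jail/home mount, and flags /jail/var/mail as living on /jail, which has no quota option at all; that last case is exactly the situation described in the reply above, where the jail's root sits on a filesystem with no quotas configured.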