On 08/30/12 17:05, Darek M wrote:
> On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen <[email protected]> wrote:
>> On Aug 30, 2012, at 2:52 PM, Darek M <[email protected]> wrote:
>>> playing around with setting quotas inside a jail. Configured and
>>> tested them on the host, configured a quota for a jail user, but it
>>> isn't being enforced. I attempted to set
>>> security.jail.param.allow.quotas to 1, from command line, from
>>> /etc/sysctl.conf, and from /boot/loader.conf, but it remains set to
>>> '0'.
>>> Am I looking at the right sysctl? If not, where should I be looking?
>>> If yes, why does it appear to be immutable?
>>
>> I'm assuming you have basically one UFS filesystem for all your jails. Is that
>> the case? If so, do you have quotas enabled on the host? See the handbook if
>> you haven't already:
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
> Yup, verified that quotas on the host work fine.
>
>>> I'm doing this on a 9.0-RELEASE system
>>
>> Another way to set hard quotas for jails is to give each one its own filesystem
>> of fixed size. This is trivially easy with zfs--just create a zfs for each jail
>> and set the quota property. To use UFS you can create image files of whatever
>> size you want, make them md(4) devices, and then newfs(8) and mount(8) them.
>> Unlike the method in the handbook, neither of these options requires kernel
>> quota support.
>
> But these would be a quota for the entire jail. I'm interested in
> having per-user quotas for users inside a jail.
> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
> my missing link, and if so, why it is immutable.

The security.jail.param.* sysctls are part of the jail_get/set system
calls, and are all immutable; they serve only to define the available
jail parameters.
So the question now comes to the allow.quotas parameter. If you set this
on a jail, then you will indeed be able to manipulate quotas inside the
jail. But the quotas still aren't per-jail - they're keyed only on
UID/GID, and would share with anyone outside the jail using the same
UID/GID. That's fine if the jail has its own filesystem, but not if it
shares with other jails or (especially) with the host system.
- Jamie
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
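
The caveat in the reply above (quotas are keyed only on UID/GID, so a jail that shares a filesystem shares quota accounts) can be checked before allow.quotas is enabled on a jail. The script below is an added example, not part of the thread; the function names, the MIN_UID argument and the sample passwd data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reports UIDs that exist in both
# passwd(5) files; on a shared filesystem each one is a single quota account.

# shared_uids HOST_PASSWD JAIL_PASSWD [MIN_UID]
# Prints "uid host_name jail_name", one line per colliding UID >= MIN_UID.
shared_uids() {
    awk -F: -v min="${3:-0}" '
        /^#/ || NF < 3 || $3 !~ /^[0-9]+$/ { next }  # comments, bad lines
        $3 + 0 < min { next }                        # below the cut-off
        FILENAME == ARGV[1] {                 # host file: remember uid -> name
            if (!($3 in host)) host[$3] = $1
            next
        }
        ($3 in host) { print $3, host[$3], $1 }      # jail file: report overlap
    ' "$1" "$2" | sort -n
}

# Constructed sample data: a host and a jail that both hand out UID 1001.
write_samples() {
    cat > "$1/host.passwd" <<'EOF'
# constructed host passwd
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
EOF
    cat > "$1/jail.passwd" <<'EOF'
# constructed jail passwd
root:*:0:0:Charlie &:/root:/bin/csh
webdev:*:1001:1001:Web developer:/home/webdev:/bin/sh
carol:*:1005:1005:Carol:/home/carol:/bin/sh
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
shared_uids "$tmp/host.passwd" "$tmp/jail.passwd" 1000
rm -rf "$tmp"
```

Run against the real files, the first argument would be the host's /etc/passwd and the second the passwd file under the jail's root; any line printed is a UID whose disk usage is counted together on both sides.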