On Sat, Dec 23, 2006 at 10:23:25PM +0100, Thorsten Büker wrote:
> Dear folks,
>
> tumbling through the list's archive didn't lead to any effort, so here's
> a question on quota support, once again...
>
> The system is based on the latest stable patch (vs2.0.2.1-grsec2.1.9),
> while sarge is used as distribution (kernel configuration below). The
> setup was done according to the following sources:
>
> http://oldwiki.linux-vserver.org/Standard+non-shared+quota
> http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Linux-Vserver_With_LVM_And_Quotas
> http://www.debianhowto.de/doku.php/de:howtos:sarge:linux-vserver
>
> All four LVM partitions used inside the guest (named "web") are attached
> to a vroot-device.

how, and what partition is related to what vroot device?

> HOST:/# mount
> [...]
> /dev/mapper/lvm-vweb on /vservers/web type ext3 (rw)
> /dev/mapper/lvm-vweb_home on /vservers/web/home type ext3 (rw,noexec,nosuid)
> /dev/mapper/lvm-vweb_log on /vservers/web/var/log type ext3
> (rw,noexec,nosuid)
> /dev/mapper/lvm-vweb_tmp on /vservers/web/tmp type ext3 (rw,noexec,nosuid)
>
> HOST:/dev/vroot# l
> total 0
> brw-r--r-- 1 root root 4, 2 Dec 23 19:15 vweb1
> brw-r--r-- 1 root root 4, 3 Dec 23 19:15 vweb2
> brw-r--r-- 1 root root 4, 4 Dec 23 19:15 vweb3
> brw-r--r-- 1 root root 4, 5 Dec 23 19:15 vweb4
>
> Right now, quota support is intended to be used on /dev/hdv4 only:

does /dev/hdv4 exist and is it the proper vroot device?

> web:/# mount
> /dev/hdv1 on / type ufs (defaults)
> /dev/hdv2 on /tmp type ufs (defaults,noexec,nosuid)
> /dev/hdv3 on /var/log type ufs (defaults,noexec,nosuid)
> /dev/hdv4 on /home type ufs (defaults,noexec,nosuid,usrquota)
> none on /proc type proc (defaults)
> none on /dev/pts type devpts (gid=5,mode=620)
> tmpfs on /dev/shm type tmpfs (defaults,noexec,nosuid)
>
> Entering the guest and starting to setup quotas, the initial "quotacheck
> -maugv" works fine,

not unexpected, as this doesn't even need quota support in the kernel ...

> but then "quotaon -a" leads to: quotaon: using /home/aquota.user
> on /dev/hdv4 [/home]: Operation not permitted

most likely means one of the following:

 - you didn't give the quota capability to the guest
 - you didn't mount the filesystem with quota support

> As no related message appears in syslog I'm somehow in the dark
> searching for the reason.

yeah, unfortunately the entire quota system is very cryptic and
does not provide usable clues at all

> Has anybody a hint where to fix this behaviour?
>
> Herbert, in a previous post you asked for somebody willing to
> spend more than a few hours on quotas inside guests.
> As the problem described above already took hours
> (maybe I'm just too blind and it might be solved in
> seconds ;-)), I might do some testing on a productive system.

well, I think it would require some dedication, but I also think
that the demand is not really there ATM

a few weeks ago, somebody started to test context quota and
AFAIK, the entire testing was put on hold again ...

so unless somebody (or even better, a bunch of folks) starts to
do serious testing there, I'm still inclined to remove the
entire context quota stuff from the kernel patches ...

note: that will still allow per partition quota as you
described it above, only shared quota on a common partition
(shared between guests) will not work

merry xmas,
Herbert

> The (as far as I think) relevant lines of the 2.6.17.14-kernel config
> look as follows:
>
> #
> # Linux VServer
> #
> CONFIG_VSERVER_LEGACY=y
> # CONFIG_VSERVER_LEGACY_VERSION is not set
> # CONFIG_VSERVER_NGNET is not set
> CONFIG_VSERVER_PROC_SECURE=y
> # CONFIG_VSERVER_HARDCPU is not set
> # CONFIG_INOXID_NONE is not set
> # CONFIG_INOXID_UID16 is not set
> # CONFIG_INOXID_GID16 is not set
> CONFIG_INOXID_UGID24=y
> # CONFIG_INOXID_INTERN is not set
> # CONFIG_INOXID_RUNTIME is not set
> # CONFIG_XID_TAG_NFSD is not set
> CONFIG_VSERVER_DEBUG=y
> CONFIG_VSERVER_HISTORY=y
> CONFIG_VSERVER_HISTORY_SIZE=64
> CONFIG_VSERVER=y
> CONFIG_VSERVER_LEGACYNET=y
>
> #
> # Grsecurity
> #
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_LOW is not set
> # CONFIG_GRKERNSEC_MEDIUM is not set
> # CONFIG_GRKERNSEC_HIGH is not set
> CONFIG_GRKERNSEC_CUSTOM=y
>
> #
> # Address Space Protection
> #
> # CONFIG_GRKERNSEC_KMEM is not set
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> CONFIG_GRKERNSEC_BRUTE=y
> CONFIG_GRKERNSEC_HIDESYM=y
>
> #
> # Role Based Access Control Options
> #
> # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
>
> #
> # Filesystem Protections
> #
> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> CONFIG_GRKERNSEC_FIFO=y
> CONFIG_GRKERNSEC_CHROOT=y
> # CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
> # CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> # CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> # CONFIG_GRKERNSEC_CHROOT_CAPS is not set
>
> #
> # Kernel Auditing
> #
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
> # CONFIG_GRKERNSEC_AUDIT_IPC is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> CONFIG_GRKERNSEC_TIME=y
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
>
> #
> # Executable Protections
> #
> CONFIG_GRKERNSEC_EXECVE=y
> CONFIG_GRKERNSEC_SHM=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_RANDPID=y
> # CONFIG_GRKERNSEC_TPE is not set
>
> #
> # Network Protections
> #
> CONFIG_GRKERNSEC_RANDNET=y
> # CONFIG_GRKERNSEC_SOCKET is not set
>
> #
> # Sysctl support
> #
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
>
>
> Have a merry X'mas, thanks in advance,
> Thorsten
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver
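As an added example (not code from this thread, from Herbert, or from the Linux-VServer project), the POSIX shell script below checks the second of the two causes Herbert lists for "quotaon: Operation not permitted": a filesystem mounted without a usrquota/grpquota option. It parses mount(8) output in the "DEV on MP type FS (opts)" form quoted above; the table embedded in SAMPLE_MOUNTS is a constructed copy of the guest's quoted mount output, and calling the functions with "$(mount)" as the second argument runs the same check against a live guest. The first cause, the guest's quota capability, depends on the util-vserver configuration and is not checked here.

```shell
#!/bin/sh
# Constructed sample: the guest's "mount" output as quoted in the thread.
SAMPLE_MOUNTS='/dev/hdv1 on / type ufs (defaults)
/dev/hdv2 on /tmp type ufs (defaults,noexec,nosuid)
/dev/hdv3 on /var/log type ufs (defaults,noexec,nosuid)
/dev/hdv4 on /home type ufs (defaults,noexec,nosuid,usrquota)
none on /proc type proc (defaults)
none on /dev/pts type devpts (gid=5,mode=620)'

# mount_opts MOUNTPOINT TABLE
# Prints the option list (the text inside the parentheses of the mount
# line) for the filesystem mounted at MOUNTPOINT; returns 1 if the
# mountpoint does not appear in TABLE.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            sub(/^\(/, "", $NF); sub(/\)$/, "", $NF); print $NF
            found = 1; exit
        }
        END { if (found) exit 0; else exit 1 }'
}

# quota_opts MOUNTPOINT TABLE
# Prints the quota-related mount options (usrquota, grpquota) as a
# comma-separated list, "none" when the filesystem carries no quota
# option, or "missing" (exit 1) when nothing is mounted there.
quota_opts() {
    opts=$(mount_opts "$1" "$2") || { echo "missing"; return 1; }
    q=$(printf '%s\n' "$opts" | tr ',' '\n' | grep -E '^(usr|grp)quota$' | tr '\n' ',')
    q=${q%,}
    echo "${q:-none}"
}

# quota_ready MOUNTPOINT TABLE
# Exit 0 when the mount options allow quotaon to work; otherwise print
# the reason and exit 1.
quota_ready() {
    q=$(quota_opts "$1" "$2") || :
    case $q in
        missing) echo "$1: not mounted"; return 1 ;;
        none)    echo "$1: mounted without usrquota/grpquota; remount with the option before quotaon"; return 1 ;;
        *)       echo "$1: quota options present ($q)"; return 0 ;;
    esac
}

# Stand-alone run against the constructed table: /home passes, /tmp and
# /var/log are reported as mounted without quota support.
for mp in /home /tmp /var/log; do
    quota_ready "$mp" "$SAMPLE_MOUNTS" || :
done
```

In the quoted guest, only /home carries usrquota, which matches the one filesystem the quotaon error names; on a live guest, a mountpoint that reports "none" here is the mount-option cause, and a mountpoint that reports quota options but still fails quotaon points at the capability side instead.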
