Quotas inside jails

Jamie Gritton jamie at FreeBSD.org
Tue Sep 4 18:47:16 UTC 2012


On 09/04/12 12:40, Darek M wrote:
> On Fri, Aug 31, 2012 at 3:05 PM, Jamie Gritton<jamie at freebsd.org>  wrote:
>> On 08/30/12 17:05, Darek M wrote:
>
>>> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
>>> my missing link, and if so, why it is immutable.
>>
>>
>> The security.jail.param.* sysctls are part of the jail_get/set system
>> calls, and are all immutable; they serve only to define the available
>> jail parameters.
>>
>> So the question now comes to the allow.quotas parameter. If you set this
>> on a jail, then you will indeed be able to manipulate quotas inside the
>> jail. But the quotas still aren't per-jail - they're keyed only on
>> UID/GID, and would share with anyone outside the jail using the same
>> UID/GID. That's fine if the jail has its own filesystem, but not if it
>> shares with other jails or (especially) with the host system.
>>
>> - Jamie
>
> Indeed, this looks to be my missing piece.  Using distinct UIDs on
> each jail should be easily doable, and would be cleaner than using
> zfs, etc.
>
> However, I tried setting "security.jail.param.allow.quotas" to 1
> inside the jail via /etc/sysctl.conf and /boot/loader.conf and it
> remains at 0.  Am I trying to enable it the wrong way?

Yes. You need to set the "allow.quotas" parameter in the jail. There's
not a good way to do that from rc at this moment, but a "jail -m
jid=<jid> allow.quotas" should do the trick after the jail is up and
running.

- Jamie

