setting quotas _inside_ a jail for users _inside_ a jail

Patrick Thomas

Aug 30, 2002, 3:41:54 AM

Hello,

I realize the difficulties in trying to use quotas on the _host_ system to
limit the size of jails on the host system - userid mapping, etc. This is
not what I am asking.

I wonder, is it possible for the root user of a jail to set quotas
_inside_ her jail for users _inside_ her jail ? Can anyone simply confirm
or deny that this is possible ?

Simply following normal protocol does not work, because if you place
filesystem entries into /etc/fstab inside the jail, the jail will no
longer start, as it does not have permission to mount or otherwise
manipulate those filesystems.

Comments ? Thoughts ? Confirmations or denials ?

thanks!



Alexey Zakirov

Aug 30, 2002, 4:02:22 AM
On Fri, 30 Aug 2002, Patrick Thomas wrote:

> I wonder, is it possible for the root user of a jail to set quotas
> _inside_ her jail for users _inside_ her jail ? Can anyone simply confirm
> or deny that this is possible ?

You can't. You have to set quota from the host machine over something like
ssh and a customized tool.

*** WBR, Alexey Zakirov (fr...@unshadow.net)

Michael R. Wayne

Aug 30, 2002, 1:19:15 PM
On Fri, Aug 30, 2002 at 12:41:54AM -0700, Patrick Thomas wrote:
>
> I wonder, is it possible for the root user of a jail to set quotas
> _inside_ her jail for users _inside_ her jail ? Can anyone simply confirm
> or deny that this is possible ?

Yes, it is possible. The following procedure (assuming I documented
it properly here) works fine. We make the following assumptions:
- We want quotas within the jail.
- We don't care about matching userids from the jail to the server.
  This is not undoable but it means syncing the password file,
  which we consider pointless.
- We do not try to apply quotas to the jailed server by running
  any quota tools on the main server. To administer quotas on
  the jail, we log into the jail to do it.

If you find something wrong in here, please let me know. Now that I've
taken the time to write it all down, I will make some noise about getting
it into the documentation.


This REALLY, REALLY should be in the handbook. Was a bear to figure out
the first time.

For this example server (S) runs a jail (J) with a mount point of /J.
So J:/foo is the same file as S:/J/foo.


In S:/etc/fstab, for the filesystems to be quotaed, you must specify
a location which will be available to the jail. Assuming we will
start J with a mount point of /J, this example will work for user
home directories within the jail (the nosuid,nodev is optional)

/dev/da0s1d /J/home ufs rw,nosuid,nodev,userquota=/J/usr/quotas/J.home 2 2

Copy only the lines that have quotas from S:/etc/fstab to J:/etc/fstab.
On each of these lines, add the option noauto and remove the original
mount point. So, the example would put into J:/etc/fstab:

/dev/da0s1d /home ufs rw,nosuid,nodev,userquota=/usr/quotas/J.home,noauto 2 2
            ^                                   ^                  ^^^^^^
            |                                   |                  |-MUST have no auto here!
            |                                   |
Removed the jail mount point                    |-Removed the jail mount point

in S:/etc/rc.conf:
enable_quotas="YES" # turn on quotas on startup

Now there are some problems in /etc/rc. The following patch deals with these,
if in a somewhat inelegant way. Ideally, /etc/rc would use "if jail" around
these, making /etc/rc usable inside as well as outside of jails.

Note that the instructions continue FOLLOWING the patch!


*** rc.ORIG Fri Aug 30 12:56:34 2002
--- rc Fri Aug 30 12:56:59 2002
***************
*** 38,44 ****
# first before contemplating any changes here. If you do need to change
# this file for some reason, we would like to know about it.

! # Msen off for jails stty status '^T'

# Set shell to ignore SIGINT (2), but not children;
# shell catches SIGQUIT (3) and returns to single user after fsck.
--- 38,44 ----
# first before contemplating any changes here. If you do need to change
# this file for some reason, we would like to know about it.

! stty status '^T'

# Set shell to ignore SIGINT (2), but not children;
# shell catches SIGQUIT (3) and returns to single user after fsck.
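
Review bot: the two sides of this hunk look swapped. At 38,44 the `*** rc.ORIG` side carries the jail change (`# Msen off for jails stty status '^T'`) while the `--- rc` side has the plain `stty status '^T'`, so applying the patch as posted would take the jail changes out rather than put them in. Regenerate the diff with the stock file as the old side, or state that it has to be applied in reverse.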
***************
*** 179,185 ****
set -T
trap "echo 'Reboot interrupted'; exit 1" 3

- if [ "" ]; then # Msen shuts off ALL mount/umount activity for jails
# root normally must be read/write, but if this is a BOOTP NFS
# diskless boot it does not have to be.
#
--- 179,184 ----
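
Review bot: `if [ "" ]; then` at the top of the 179,185 hunk is a test that can never succeed, so the mount/umount section is switched off unconditionally and the resulting rc can only be used inside a jail. A guard on a condition that is true only in a jail would let one file serve both the host and the jail, which is what the surrounding text asks for; the comment should also say that the root read/write handling described in the context lines is skipped along with it.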
***************
*** 214,220 ****
;;
esac

- fi # Msen shuts off ALL mount/umount activity for jails

adjkerntz -i

--- 213,218 ----
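
Review bot: the closing `fi` in the 214,220 hunk sits above `adjkerntz -i`, so that call is outside the guard and still runs when this rc is used in the jail, although the comment describes the guard as covering mount/umount activity only. If the jail is not meant to run it, move the `fi` below that line; if it is, a one-line comment saying so would help.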


Ensure you have quotas in your kernel.
Reboot S.
Log into J and use edquota to apply one quota to one account.
Reboot S again.

At this point, you should be able to log into J and use all the normal
quota tools as desired.
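
The fstab rewrite described in the post above, as an added example that is not part of the original message: it reads S:/etc/fstab on stdin and prints the matching J:/etc/fstab lines (jail prefix stripped from the mount point and the quota file path, noauto appended). The function name `jail_fstab` and the sample input are constructed for illustration; /J is the jail mount point used in the post.

```shell
#!/bin/sh
# Added example: derive J:/etc/fstab quota entries from S:/etc/fstab.
# Usage: jail_fstab /J < /etc/fstab   (jail_fstab is a hypothetical helper name)

jail_fstab() {
    # $1 = jail mount point on the host; a trailing slash is tolerated
    awk -v root="${1%/}" '
    function strip(p) {        # remove the leading jail root from a path
        if (p == root) return "/"
        if (index(p, root "/") == 1) return substr(p, length(root) + 1)
        return p
    }
    /^[ \t]*#/ || NF < 6 { next }                         # comments, short lines
    $4 !~ /(^|,)(userquota|groupquota)(=|,|$)/ { next }   # keep quota lines only
    $2 != root && index($2, root "/") != 1 { next }       # keep jail filesystems only
    {
        n = split($4, opt, ","); out = ""; has_noauto = 0
        for (i = 1; i <= n; i++) {
            o = opt[i]
            if (o == "noauto") has_noauto = 1
            if (o ~ /^(userquota|groupquota)=/) {         # quota file path is
                eq = index(o, "=")                        # seen from inside J
                o = substr(o, 1, eq) strip(substr(o, eq + 1))
            }
            out = out (i > 1 ? "," : "") o
        }
        if (!has_noauto) out = out ",noauto"              # jail must not mount it
        print $1, strip($2), $3, out, $5, $6
    }'
}

# Constructed sample S:/etc/fstab; the /J/home line is the one from the post.
SAMPLE_HOST_FSTAB='# Device Mountpoint FStype Options Dump Pass
/dev/da0s1a / ufs rw 1 1
/dev/da0s1d /J/home ufs rw,nosuid,nodev,userquota=/J/usr/quotas/J.home 2 2'

printf '%s\n' "$SAMPLE_HOST_FSTAB" | jail_fstab /J
```

Lines without a quota option, and quota'd filesystems outside the jail root, are left out of the jail's fstab.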

Robert Watson

Sep 1, 2002, 11:52:12 AM

On Fri, 30 Aug 2002, Patrick Thomas wrote:

> I realize the difficulties in trying to use quotas on the _host_
> system to limit the size of jails on the host system - userid mapping,
> etc. This is not what I am asking.
>
> I wonder, is it possible for the root user of a jail to set quotas
> _inside_ her jail for users _inside_ her jail ? Can anyone simply
> confirm or deny that this is possible ?
>
> Simply following normal protocol does not work, because if you place
> filesystem entries into /etc/fstab inside the jail, the jail will no
> longer start, as it does not have permission to mount or otherwise
> manipulate those filesystems.

Other than the access control checks in the quota code being influenced by
the jail, there really is no relationship between jails and quotas.
Jails are solely a property of processes and other credential-bearing
kernel objects. Persistent and transient quota information is stored
relative to uids and gids, and quotas are enforced based on those elements
of the process credential, and are not impacted by the jail field. This
means that if a file system is shared by two jails, and a particular uid
is in use in both jails, both sets of processes will be impacted by the
same quota.

Privileged users can perform quota management calls on any file system
they can name via a visible file object. If quota management calls were
permitted from jail, they could likewise be performed on any file system
visible in the jail. If only appropriate file systems are visible from
the jail, you could add PRISON_ROOT to the flags field of the relevant
suser call. If you expose file systems to the jail that you don't want
the root user in the jail to set quotas on, you may be out of luck. I
take it from your description that you're interested in imposing quotas on
the users in the jail, not quotas on the jail itself?

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
rob...@fledge.watson.org Network Associates Laboratories

Patrick Thomas

Sep 1, 2002, 9:14:45 PM

No, sorry I think that I was misunderstood - here is my situation:

- I have a host machine with no users - just root.
- on that host machine I have a vn-backed FS 500 megs in size
- on that vn-backed FS, I run a jail - and no other jails share that
vn-backed FS (although other jails may share the underlying actual disk FS
that the vn is on...)

Now, I die in a car accident and nobody ever logs into the host system
again or touches anything on the _host system_.

Can the root user of the _jail running on the host system_ set up quotas
for her users ? Let's assume the root user and all her other users don't
even know it is a jail - as far as they are concerned, it's just their
freebsd machine.

So the question is, can this root user set up quotas ? And if so, some
hints on exactly what needs to go into /etc/fstab _inside their jail_,
since specifying anything in there seems to have the side effects of:

a) not working as expected
b) causing the jail not to be startable.

thanks,

PT

Terry Lambert

Sep 2, 2002, 12:58:25 AM
Patrick Thomas wrote:
> No, sorry I think that I was misunderstood - here is my situation:
>
> - I have a host machine with no users - just root.
> - on that host machine I have a vn-backed FS 500 megs in size
> - on that vn-backed FS, I run a jail - and no other jails share that
> vn-backed FS (although other jails may share the underlying actual disk FS
> that the vn is on...)

This is the magic part: quotas are per-UID, per-FS, but Robert is
correct about their relationship to jails.

What you failed to communicate to Robert is that you have also
arbitrarily defined FS's to be per-jail, which, in the limit,
will (effectively) make quota per-UID, per-jail.

Most people don't use vn-backed FSs for jails.


> Now, I die in a car accident and nobody ever logs into the host system
> again or touches anything on the _host system_.
>
> Can the root user of the _jail running on the host system_ set up quotas
> for her users ? Let's assume the root user and all her other users don't
> even know it is a jail - as far as they are concerned, it's just their
> freebsd machine.

The answer is "yes". The method of doing this was already posted
in this thread. You have to do evil things to the fstab within the
jail itself, and outside the jail, but if you wave the correct dead
chicken, it works.

-- Terry
