[nycbug-talk] 6.0 jails and quotas

Charles Sprickman spork
Mon Jan 9 22:18:55 EST 2006


Hi all,

I'm trying to wrap my head around getting functioning quotas in a jail and 
I've got most of it figured out.  There's very little information on this 
out there (that I could find) and nothing in the Handbook or in the 
associated manpages.

My current plan is this:

-jails all live on one partition since it's not practical for me to have a 
partition for each jail.  I don't have an inkling as to how much each of 
these will grow over time.

-I will allocate unique uids for each jail.  i.e.: host uses 1000-2000 for 
any user accounts, jail1 uses 2001-20000, jail2 20001-30000, etc.  This 
allows the host to manipulate quotas with edquota and for each user 
systemwide to have a totally unique id.

The above works - I can do "edquota -u 2001" on the host and that user is 
not able to go over the allotted quota.  From the host, I am able to do 
"quota -u 2001" and see current usage.

However, once I enter the jail environment, the quota utility always 
reports no quota in effect and no usage.  Reading up a bit I found that a 
few things have to happen for the quota command to work:

-there must be an entry in fstab *in the jail* with the userquota and/or 
groupquota mount options set.  Without this, the tools seem to be unaware 
that quotas are enabled.

-additionally, a quota.user and quota.group file must exist in the root of 
the jail.

That's where things get messy.  The jail is not chrooted down to the root 
of the /jails partition, so no such file exists.  This is where I'm stuck. 
I have hard-linked the file into the jails, and that kind of works:

jail1# quota -u atestguy
Disk quotas for user atestguy (uid 20000):
  Filesystem   usage   quota   limit   grace   files   quota   limit  grace
          /      20    1000    2000              10       0       0

Note that I'm root there...

Now exit out of the root shell and try as an ordinary user:

> quota
quota: //quota.user: Permission denied
Disk quotas for user atestguy (uid 20000): none

Do something bad, like making the /jails/quota.user world-readable:

> quota
Disk quotas for user atestguy (uid 20000):
  Filesystem   usage   quota   limit   grace   files   quota   limit   grace
          /      20    1000    2000              10       0       0

What's really puzzling here is that both in the jail and on the host, the 
quota program is NOT setuid/setgid:

root@newida[/jails/jail1]# ls -l `which quota`
-r-xr-xr-x  1 root  wheel  11092 Jan  4 22:40 /usr/bin/quota

AND the quota file is NOT world-read, but the command does work for an 
ordinary user on the host:

spork@ida[~]$ quota
Disk quotas for user spork (uid 1001): none

The only ugly and hackish thing I can come up with is to periodically 
rsync the /jails/quota.user file to /jails/jail1/ and then chmod it 
world-read.  I'm not sure what info I'm really exposing there (users can 
read each other's quotas?  Not a big concern).

I'm also not handing over root in any of these jails, just trying to put a 
few services in separate containers for a bit more safety and 
organization.

Any ideas?

jailing.net seems to have gone away, but I did look for it first.  :)

Thanks,

Charles
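
Added example, not part of the original post: a POSIX sh audit of one jail root for the conditions the message lists (a userquota/groupquota option in the jail's fstab, quota.user and quota.group in the jail root), which also flags quota files left world-readable. The function names, the sample tree and the device name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a jail root for the quota prerequisites listed in the post.
# Assumed layout: <jailroot>/etc/fstab, <jailroot>/quota.user, <jailroot>/quota.group

# True if a non-comment fstab entry has userquota or groupquota (optionally
# with "=path") in its options field (4th column).
fstab_has_quota_opts() {
    awk '$1 !~ /^#/ && NF >= 4 {
             n = split($4, o, ",")
             for (i = 1; i <= n; i++)
                 if (o[i] ~ /^(userquota|groupquota)(=.*)?$/) found = 1
         }
         END { exit !found }' "$1"
}

# True if the file exists and its mode grants read to "other" (bit 004).
is_world_readable() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Prints one finding per line; the return status is the number of findings.
audit_jail_quota() {
    root=$1 findings=0
    if [ ! -f "$root/etc/fstab" ] || ! fstab_has_quota_opts "$root/etc/fstab"; then
        echo "MISSING: no userquota/groupquota option in $root/etc/fstab"
        findings=$((findings + 1))
    fi
    for f in quota.user quota.group; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING: $root/$f"; findings=$((findings + 1))
        elif is_world_readable "$root/$f"; then
            echo "EXPOSED: $root/$f is world-readable"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample jail tree (not from the post); $2 is the quota file mode.
make_sample_jail() {
    mkdir -p "$1/etc"
    printf '%s\n' '# Device Mountpoint FStype Options Dump Pass#' \
        '/dev/ad0s1e / ufs rw,userquota 2 2' > "$1/etc/fstab"
    for f in quota.user quota.group; do : > "$1/$f"; chmod "$2" "$1/$f"; done
}

tmp=$(mktemp -d "${TMPDIR:-/tmp}/jailq.XXXXXX")
make_sample_jail "$tmp" 644
audit_jail_quota "$tmp" || echo "findings: $?"
rm -rf "$tmp"
```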



