From owner-freebsd-jail@FreeBSD.ORG Mon Aug 19 02:13:31 2013
From: Alejandro Imass
To: Yoann Gini
Cc: freebsd-jail@freebsd.org
Date: Sun, 18 Aug 2013 22:13:30 -0400
Subject: Re: Crontab don't work

On Sat, Aug 17, 2013 at 4:51 PM, Yoann Gini wrote:
> Hello,
>
> I've a problem with my FreeBSD jails (made with ezjails): crontabs inside jails aren't run.
>
> Is that normal? What should I check for troubleshooting?

They should run just fine and we run crons extensively with our EzJail jails. Double check the environment and all the usual stuff typical of cron problems (paths, permissions, etc.)

Best,
--
Alejandro Imass

From owner-freebsd-jail@FreeBSD.ORG Mon Aug 19 11:06:45 2013
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 19 Aug 2013 11:06:45 GMT
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/180916  jail  [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail  [jail] [patch] fix multicast support within jails
o bin/178302   jail  jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail  [jail] [panic] kernel panic when starting jails
o kern/176092  jail  [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail  [jail] jail should provide validator for jail names
o bin/173469   jail  [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail  [jail] reading routing information does not work in ja
o bin/167911   jail  new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail  [jail] inter-jail communication failure
o kern/156111  jail  [jail] procstat -b not supported in jail
o misc/155765  jail  [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail  [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid

18 problems total.

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 14:13:51 2013
From: "Mike C."
To: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 15:13:29 +0000
Subject: connect -1 errno 1 Operation not permitted with specific user (nagios)

I'm having a problem with nagios under a jail... commands work as root and as another normal user I created (it's not even in the wheel group).

Running commands such as "check_http" gets me an Operation not permitted; with ktrace I was able to confirm the problem:

  connect -1 errno 1 Operation not permitted

The thing is this only happens with the user nagios and I can not figure out why!

I'm very new to jails, so I'm sure I'm possibly missing something trivial, but I would appreciate any help!

What could be different about the user to not allow "connect"?

Many thanks

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 14:35:44 2013
From: "Valeri Galtsev"
To: "Mike C."
Cc: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 09:35:43 -0500 (CDT)
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)

To the best of my knowledge, raw sockets are not allowed inside jail by default. This might be your problem (as far as I know how nagios works).

To allow raw sockets you can do

  sysctl security.jail.allow_raw_sockets=1

then you need to restart at least the jail inside which your nagios instance lives.

To make the above enabled at boot time you can add the following line into /etc/sysctl.conf

  security.jail.allow_raw_sockets=1

BTW, beware: this affects all jails.

I hope this helps.

Thanks.
Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 14:50:59 2013
From: "Valeri Galtsev"
To: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 09:24:32 -0500 (CDT)
Subject: per user quotas inside jail?

Dear Experts,

After searching the web, reading FreeBSD Docs, trying some hacks found on some discussion boards... I feel it is not easily possible. Yet, as always there may be some expert who knows how to do it:

How can one have per user quotas inside jail?

Basically, I would like to give users shell access to some server, but that I prefer to have in jail, where I will mount all filesystems they need access to... and the only question is: how do I restrict them so one (or few) user doesn't fill up the whole filesystem. My mind is not married to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would stay away from is NFS exporting on host and then NFS mounting in jail (which may be easiest if not the only way quota wise).

Thanks.
Valeri

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 14:59:55 2013
From: Scott Lambert
To: freebsd-jail@freebsd.org
Date: Fri, 23 Aug 2013 09:53:05 -0500
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)

On Fri, Aug 23, 2013 at 09:35:43AM -0500, Valeri Galtsev wrote:
> To the best of my knowledge, raw sockets are not allowed inside jail by
> default. This might be your problem (as far as I know how nagios works).
>
> To allow raw sockets you can do
>
> sysctl security.jail.allow_raw_sockets=1
>
> then you need to restart at least the jail inside which your nagios
> instance lives.
>
> To make the above enabled at boot time you can add the following line into
> /etc/sysctl.conf
>
> security.jail.allow_raw_sockets=1
>
> BTW, beware: this affects all jails.

All correct. Putting this in /etc/rc.conf:

  jail_${JailName}_parameters="allow.raw_sockets=1"

does not allow every jail access to raw sockets. There is an example in /etc/defaults/rc.conf.

If you are using ezjails, just add that with a leading "export " to the end of your /usr/local/etc/ezjail/${JailName} config file.

--
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org
How to be a "computer expert," http://www.xkcd.com/627/
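The per-jail allow.raw_sockets parameter Scott describes is the least-privilege alternative to the host-wide sysctl Valeri mentions. The script below is an added example, not code from the thread: it lists which running jails may open raw sockets and warns when the host-wide knob is on. It assumes FreeBSD's jls(8) and sysctl(8); the script name and the jail names are placeholders, and JLS/SYSCTL can be pointed at stand-ins for offline testing.

```sh
#!/bin/sh
# raw_sockets_audit.sh (added example, not code from the thread): show which
# running jails may open raw sockets and warn when the host-wide
# security.jail.allow_raw_sockets knob is on, since that one affects every
# jail, while jail_<name>_parameters="allow.raw_sockets=1" in /etc/rc.conf
# grants it to a single jail. Assumes FreeBSD jls(8) and sysctl(8); JLS and
# SYSCTL may be pointed at stand-ins for offline testing.
JLS=${JLS:-jls}
SYSCTL=${SYSCTL:-sysctl}

# One line per running jail: "<name> <0|1>". jls prints the requested
# parameters as space-separated columns.
raw_sockets_by_jail() {
    "$JLS" name allow.raw_sockets
}

# Names of the jails whose allow.raw_sockets is 1, one per line.
jails_with_raw_sockets() {
    raw_sockets_by_jail | awk '$2 == 1 { print $1 }'
}

# True when the host-wide default is 0, i.e. any raw-socket grant was scoped
# to a particular jail rather than handed to all of them at once.
global_raw_sockets_off() {
    [ "$("$SYSCTL" -n security.jail.allow_raw_sockets)" = 0 ]
}

# The /etc/rc.conf line that grants raw sockets to exactly the jail named $1,
# and the same line in the form ezjail expects in /usr/local/etc/ezjail/<name>
# (a leading "export ", as described above).
rc_conf_line() {
    printf 'jail_%s_parameters="allow.raw_sockets=1"\n' "$1"
}
ezjail_line() {
    printf 'export %s\n' "$(rc_conf_line "$1")"
}

main() {
    echo "jail allow.raw_sockets"
    raw_sockets_by_jail
    if global_raw_sockets_off; then
        echo "security.jail.allow_raw_sockets=0: raw-socket grants are per jail"
    else
        echo "WARNING: security.jail.allow_raw_sockets=1 affects ALL jails;"
        echo "set it to 0 and scope the grant per jail, e.g. in /etc/rc.conf:"
        for j in $(jails_with_raw_sockets); do
            rc_conf_line "$j"
        done
    fi
}

# Run the report only when executed as a script, not when sourced.
case "$0" in *raw_sockets_audit.sh) main ;; esac
```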
xbmSAVYAJItQbk4X1ejdFpfieEoQ59+PXr3ZFIiXSw/Xss5dcDdrog/5qFkmA7li7/Rh jsf/K6XftIvYEhrxOqJYuPEPGfoZUNchsY+bmuT5ysYz64vNYr0je42RimdngQ+/KQpm ok2fFmKxfovg3DZTTck71O1jp0KKHv+YI3aQNEHTZNyBwoJt0XCC9QVA543kbPCD/7s+ TfxrmCtxu0w+/DzG6PhEjkbbht1IrVYbk6mSgADR4EkGFcR7lzOw0xx1JsVZEe6dJTpY NMTQ== X-Gm-Message-State: ALoCoQn79VKhBi+SWyzrf0yZfMcLfnsB/dnD6cbQUYVxHZFjQROl5Fm5E57XG2Yql2FeHVP2+O7R MIME-Version: 1.0 X-Received: by 10.50.43.170 with SMTP id x10mr41106igl.45.1377270057826; Fri, 23 Aug 2013 08:00:57 -0700 (PDT) Received: by 10.50.126.103 with HTTP; Fri, 23 Aug 2013 08:00:57 -0700 (PDT) Received: by 10.50.126.103 with HTTP; Fri, 23 Aug 2013 08:00:57 -0700 (PDT) In-Reply-To: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> References: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> Date: Fri, 23 Aug 2013 08:00:57 -0700 Message-ID: Subject: Re: per user quotas inside jail? From: Aaron Kaufman To: galtsev@kicp.uchicago.edu Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 15:00:58 -0000 ZFS has native quota and reservation options. Example: "zfs set quota=10G tank/jailname" On Aug 23, 2013 7:51 AM, "Valeri Galtsev" wrote: > Dear Experts, > > After searching the web, reading FreeBSD Docs, trying some hacks found on > some discussion boards... I feel it is not easily possible. Yet, as always > there may be some expert who knows how to do it: > > How can one have per user quotas inside jail? > > Basically, I would like to give users shell access to some server, but > that I prefer to have in jail, where I will mount all filesystems they > need access to... 
and the only question is: how do I restrict them so one > (or few) user doesn't fill up the whole filesystem. My mind is not married > to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would > stay away from is NFS exporting on host and then NFS mounting in jail > (which may be easiest if not the only way quota wise). > > Thanks. > Valeri > > ++++++++++++++++++++++++++++++++++++++++ > Valeri Galtsev > Sr System Administrator > Department of Astronomy and Astrophysics > Kavli Institute for Cosmological Physics > University of Chicago > Phone: 773-702-4247 > ++++++++++++++++++++++++++++++++++++++++ > > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 15:35:09 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 286A1E25 for ; Fri, 23 Aug 2013 15:35:09 +0000 (UTC) (envelope-from miguelmclara@gmail.com) Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id B2A9B2F47 for ; Fri, 23 Aug 2013 15:35:08 +0000 (UTC) Received: by mail-wg0-f50.google.com with SMTP id m15so698051wgh.5 for ; Fri, 23 Aug 2013 08:35:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=yd9x1fHNbtfdC5Qmkk6rkTFkBi/FEM859MDAsLV82Zo=; b=OLFme/tq/6tNcuc3xFfXEyaZSh64RCPigZToN6ld4FsKMBXjDvhfDzsrRFJS1StDgF 
cc2lvDTyd1XRtf321W1k54HPOX0NvNqMZIZHtnMtvKcCDYZwUk8Wdk3ZV/YFMwqBuSGy O89mAh+ynIUWOB4cJhMgN+IidcU49waZjcPYLUn5Ee+Dvp5GgMyRSwU5eGmUwk3iLcfL Q8LY0r8OBrNBquw15M6Uee3fHqLxvq3dl1P/taaPlI+oLZ31uFcybTOHX1QxDSUYFRYL cnH5LjSc1pSJ080KcCCJ8sitWXYLWpYqaDpg8yDmH7GzjHPi6wXAVx2AfPoYwOr/JJG/ edPA== X-Received: by 10.194.122.168 with SMTP id lt8mr148067wjb.76.1377272106998; Fri, 23 Aug 2013 08:35:06 -0700 (PDT) Received: from [10.10.50.70] (84.106.136.95.rev.vodafone.pt. [95.136.106.84]) by mx.google.com with ESMTPSA id iz19sm563173wic.9.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 23 Aug 2013 08:35:06 -0700 (PDT) Message-ID: <52178F28.9010108@gmail.com> Date: Fri, 23 Aug 2013 16:34:48 +0000 From: "Mike C." User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130813 Thunderbird/17.0.8 MIME-Version: 1.0 To: lambert@lambertfam.org, freebsd-jail@freebsd.org Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios) References: <20130823145305.GZ99960@www.jail.lambertfam.org> In-Reply-To: <20130823145305.GZ99960@www.jail.lambertfam.org> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 15:35:09 -0000 Yes I know about > security.jail.allow_raw_sockets=1 Like I said I can do this with "root" just not with the user nagios, I guess If raw_sockets was set to 0 on the host, I would have problems with any user! ---- Putting this in /etc/rc.conf: jail_${JailName}_parameters="allow.raw_sockets=1" does not allow every jail access to raw sockets. There is an example in /etc/defaults/rc.conf. Now this is something I wasn't aware of this one... very nice and thanks for the tip on ez-jails, I'm indeed using ez-jails! 
Yes there any other setting that would forbid non root users to use raw sockets? Thanks From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 15:42:14 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 866D9FA3 for ; Fri, 23 Aug 2013 15:42:14 +0000 (UTC) (envelope-from miguelmclara@gmail.com) Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 1B7B02F9C for ; Fri, 23 Aug 2013 15:42:13 +0000 (UTC) Received: by mail-wg0-f54.google.com with SMTP id e12so678526wgh.21 for ; Fri, 23 Aug 2013 08:42:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=74Wkv872qfOZkj32y3slffuNkcgqFmyp8CUF0ec74qs=; b=jWcclGfi2SSdDQKG9Or246Pg808MCIO2rHlvZQ5HXcLgA3f6CXlHyZIeJCv7ugtJse 3tEgkgz9sOUiN6VWWpVu+yJzLaT4nYuteC4NlLYO1I5cCEGAmjRuRiX1Es2dMM8Adp22 bNvIpxrjj6dWYJpgWRB9Ujq8/xzs94iNBDgpPVRtHL0VFGFuss7SBj3sf9xNAyn2lD35 iBaVgWN8WzHJ4cFSGhyF7kV9DuQIOL40r9vw+VNxLXVTG3JG7O/raF2mrNMyR1O2tDcr FtVJKZa5Sc92P/6YkQw2T7gR3Mu4IdYjoeyg8s8EolXWwex/x0APSag8XYQ+tS2+FQZh aHUw== X-Received: by 10.180.73.103 with SMTP id k7mr2649195wiv.24.1377272532411; Fri, 23 Aug 2013 08:42:12 -0700 (PDT) Received: from [10.10.50.70] (84.106.136.95.rev.vodafone.pt. [95.136.106.84]) by mx.google.com with ESMTPSA id eb3sm4829663wic.10.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 23 Aug 2013 08:42:11 -0700 (PDT) Message-ID: <521790D1.8020705@gmail.com> Date: Fri, 23 Aug 2013 16:41:53 +0000 From: "Mike C." 
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130813 Thunderbird/17.0.8 MIME-Version: 1.0 To: lambert@lambertfam.org, freebsd-jail@freebsd.org Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios) References: <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> In-Reply-To: <52178F28.9010108@gmail.com> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 15:42:14 -0000 On 08/23/13 16:34, Mike C. wrote: > Yes I know about > >> security.jail.allow_raw_sockets=1 > > Like I said I can do this with "root" just not with the user nagios, I guess If raw_sockets was set to 0 on the host, I would have problems with any user! > > > > ---- > Putting this in /etc/rc.conf: > > jail_${JailName}_parameters="allow.raw_sockets=1" > > does not allow every jail access to raw sockets. There is an example in > /etc/defaults/rc.conf. > > [EDIT: better englih... sorry typing on smartphones sucks] Now this is something I wasn't aware of... very nice and thanks for the tip on ez-jails, I'm indeed using ez-jails! Is there any other setting that would forbid non root users to use raw sockets? 
Thanks From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 16:06:00 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 2993430E for ; Fri, 23 Aug 2013 16:06:00 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 39E8420F6 for ; Fri, 23 Aug 2013 16:05:59 +0000 (UTC) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.14.7/8.14.7) with ESMTP id r7NG5njV041728; Fri, 23 Aug 2013 19:05:49 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.8.3 kib.kiev.ua r7NG5njV041728 Received: (from kostik@localhost) by tom.home (8.14.7/8.14.7/Submit) id r7NG5nEg041727; Fri, 23 Aug 2013 19:05:49 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Fri, 23 Aug 2013 19:05:49 +0300 From: Konstantin Belousov To: Valeri Galtsev Subject: Re: per user quotas inside jail? 
Message-ID: <20130823160549.GD4972@kib.kiev.ua> References: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="QHaTRyzd7ZvLr5Ce" Content-Disposition: inline In-Reply-To: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on tom.home Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 16:06:00 -0000 --QHaTRyzd7ZvLr5Ce Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote: > Dear Experts, >=20 > After searching the web, reading FreeBSD Docs, trying some hacks found on > some discussion boards... I feel it is not easily possible. Yet, as always > there may be some expert who knows how to do it: >=20 > How can one have per user quotas inside jail? >=20 > Basically, I would like to give users shell access to some server, but > that I prefer to have in jail, where I will mount all filesystems they > need access to... and the only question is: how do I restrict them so one > (or few) user doesn't fill up the whole filesystem. My mind is not married > to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would > stay away from is NFS exporting on host and then NFS mounting in jail > (which may be easiest if not the only way quota wise). UFS quotas work regardless of jailed/non-jailed user. The only confusing issue is that quotas are per host uid. 
In other words, if host and jail user, or two users from different jails
have the same uid, you get one quota setting applied and accounted for
them.

Usual mitigation is to ensure that user uids are globally unique.

--QHaTRyzd7ZvLr5Ce Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.21 (FreeBSD) iQIcBAEBAgAGBQJSF4hcAAoJEJDCuSvBvK1B2QcQAJJoKZD6fvBKJwiYlnVglEbK +bF2Gd9DKV5Zae9IlPAhsset7oE9FcPjwwNiezQaxYYsNq/7+c6zANO4MmcE227O m/+HFJpwC4vKgZlVq5lLKpY/A362HktmW3H2bu2B7dYgCKZWVGJheJDHB8O/2Q3z 1ABiD53sNYnxzXWwsvxi+pH+cL6+02rEtTuS4wsdf3eL+i0nHzWJEdkRqJtv1sVr en2VFPWxFcY17nxu5bJitbLqAE/e93NzzQMYsW/7ooN0xwM4WcMZP/fSqkeEMir8 MwYBsOvDGwgc0J6pPRxee6BcKWHmMpD5JxVYN1WE49kule5gBstlMtjb1OCnVgZ+ VOIYTo+DJmg58E8OaTEsvJHYhXoIl26YNN3rvYyY1QY4V02qDWzDjx/qaN1gpF7v M3tlwVylk8eHqixqVQy0v65hzcSEyvBMDWsX9VWIgJcI3xcwcfXKJc5lsznK2vhq yUl3UJOR6mg8q2AC8EkwOaxi08GWcwORhi7zi++qIitoQQRtQYvg0ExvOZaD3Onn EVzt/U3UX5u35tY8Cd2PTcTcuGObDQBL+/9YY9hgZDRkZOaBWH2W2GKE/AQeNg4n 7Ki0yy4EUrmdmcLBCdWFbZsk+AvzHi+WTEb9ocMkvLzINRvgqBpxnuD9o8IlNLJz DIEqUORFwHe3z48Ji6bM =4AWU -----END PGP SIGNATURE----- --QHaTRyzd7ZvLr5Ce-- From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 16:31:18 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 3189A7FD for ; Fri, 23 Aug 2013 16:31:18 +0000 (UTC) (envelope-from josh@signalboxes.net) Received: from mail-ob0-f171.google.com (mail-ob0-f171.google.com [209.85.214.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E92D62265 for ; Fri, 23 Aug 2013 16:31:17 +0000 (UTC) Received: by mail-ob0-f171.google.com with SMTP id tb18so893272obb.30 for ; Fri, 23 Aug 2013 09:31:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=+5TpitJQIUm6iwaUJqolrNuve/5Cp2+Bq0ZPL80Nev8=; b=Gyg1soEfghLuYqkwZHxpeoUohNedHnDEQbOYQdCKZ7OaRgxtT/OuIHfHacnoH2hCXo +wYWZyNtubWkh8OHrnBM+Cyo2BHVrM/+y6SVJY13hwn7Wti1HNJ6wvAg5GFspb+8mT2Y GchIxB5wX8aW63uoiMcJivy6/8gq+5faMJBcyW64dvhnY3+JhbNo1ZhtTCq70G8ofrcY vaRXhUuz8HxFUKZMQTeedr5KpY8fGDwhzTzxgrRZ8KEIyGTJkP0aExE3RwSrpVmExKY+ wodb9iDt6vIJFXKzt6aOuTUo9z3hPRURBTvCGZQMj5O7FbxeuznLG11BcqcN7CNFCJ3w rFmg== X-Gm-Message-State: ALoCoQmXgCepC0HxYPMSeh9VWgeMuY09BmHH/vl9FioWpOGLnry6IEuyj6LDaFUDIQCqgfZImQbu X-Received: by 10.60.134.14 with SMTP id pg14mr403559oeb.66.1377275471123; Fri, 23 Aug 2013 09:31:11 -0700 (PDT) Received: from mail-ob0-x234.google.com (mail-ob0-x234.google.com [2607:f8b0:4003:c01::234]) by mx.google.com with ESMTPSA id ps5sm551424oeb.8.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 23 Aug 2013 09:31:10 -0700 (PDT) Received: by mail-ob0-f180.google.com with SMTP id v19so895024obq.11 for ; Fri, 23 Aug 2013 09:31:10 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.60.46.193 with SMTP id x1mr460696oem.36.1377275470296; Fri, 23 Aug 2013 09:31:10 -0700 (PDT) Received: by 10.60.70.135 with HTTP; Fri, 23 Aug 2013 09:31:10 -0700 (PDT) In-Reply-To: <521790D1.8020705@gmail.com> References: <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> Date: Fri, 23 Aug 2013 10:31:10 -0600 Message-ID: Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios) From: Josh Beard To: "Mike C." 
Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 16:31:18 -0000

On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote:
>
> On 08/23/13 16:34, Mike C. wrote:
> > Yes I know about
> >
> >> security.jail.allow_raw_sockets=1
> >
> > Like I said I can do this with "root" just not with the user nagios, I
> guess If raw_sockets was set to 0 on the host, I would have problems with
> any user!
> >
> > ----
> > Putting this in /etc/rc.conf:
> >
> > jail_${JailName}_parameters="allow.raw_sockets=1"
> >
> > does not allow every jail access to raw sockets. There is an example in
> > /etc/defaults/rc.conf.
> >
>
> [EDIT: better English... sorry typing on smartphones sucks]
>
> Now this is something I wasn't aware of... very nice and thanks for the
> tip on ez-jails, I'm indeed using ez-jails!
>
> Is there any other setting that would forbid non root users to use raw
> sockets?
>
> Thanks
>

Mike,

Doesn't sound to me like an issue with the jail's configuration, but I'm no
expert.

I'm running NRPE on many jails without issue there and without any special
jail configuration.

Are you getting "Operation not permitted" output from the "check_http"
plugin on the local system or over something like NRPE or through the
Nagios configurations?
Josh From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 16:35:40 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 855F7960 for ; Fri, 23 Aug 2013 16:35:40 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from cosmo.uchicago.edu (cosmo.uchicago.edu [128.135.52.97]) by mx1.freebsd.org (Postfix) with ESMTP id 5092022B7 for ; Fri, 23 Aug 2013 16:35:40 +0000 (UTC) Received: by cosmo.uchicago.edu (Postfix, from userid 48) id 7DCDFCB8C8D; Fri, 23 Aug 2013 11:35:39 -0500 (CDT) Received: from 128.135.70.2 (SquirrelMail authenticated user valeri) by cosmo.uchicago.edu with HTTP; Fri, 23 Aug 2013 11:35:39 -0500 (CDT) Message-ID: <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> In-Reply-To: References: <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> Date: Fri, 23 Aug 2013 11:35:39 -0500 (CDT) Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios) From: "Valeri Galtsev" To: "Josh Beard" User-Agent: SquirrelMail/1.4.8-5.el5.centos.7 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: galtsev@kicp.uchicago.edu List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 16:35:40 -0000 On Fri, August 23, 2013 11:31 am, Josh Beard wrote: > On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote: > >> >> On 08/23/13 16:34, Mike C. 
wrote: >> > Yes I know about >> > >> >> security.jail.allow_raw_sockets=1 >> > >> > Like I said I can do this with "root" just not with the user nagios, I >> guess If raw_sockets was set to 0 on the host, I would have problems >> with >> any user! >> > >> > >> > >> > ---- >> > Putting this in /etc/rc.conf: >> > >> > jail_${JailName}_parameters="allow.raw_sockets=1" >> > >> > does not allow every jail access to raw sockets. There is an example >> in >> > /etc/defaults/rc.conf. >> > >> > >> >> [EDIT: better englih... sorry typing on smartphones sucks] >> >> Now this is something I wasn't aware of... very nice and thanks for the >> tip on ez-jails, I'm indeed using ez-jails! >> >> Is there any other setting that would forbid non root users to use raw >> sockets? >> >> Thanks >> >> >> >> > Mike, > > Doesn't sound to me like an issue with the jail's configuration, but I'm > no > expert. > > I'm running NRPE on many jails without issue there and without any special > jail configuration. > > Are you getting "Operation not permitted" output from the "check_http" > plugin on the local system or over something like NRPE our through the > Nagios configurations? > > Josh Also, try to do something simple like ping or traceroute as user nagios (user for whom check_http fails) in that jail, - does that give any error? Thanks. 
Valeri > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 17:13:42 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 7BDAF71C for ; Fri, 23 Aug 2013 17:13:42 +0000 (UTC) (envelope-from miguelmclara@gmail.com) Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 0E5FB251F for ; Fri, 23 Aug 2013 17:13:41 +0000 (UTC) Received: by mail-wi0-f179.google.com with SMTP id hr7so834747wib.6 for ; Fri, 23 Aug 2013 10:13:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=poftJagfFpDLlllMcxieflpKjvZJKDFLsmYO+h6iVgk=; b=hj9ZreBMt9YBAy0mq5Bsucbf4SkTBTlYp88ntqHKYIDKuqIBg0FExaXjbIdQjNxnxD R4uoqCpXVv8NU9IpeHfEZqviFeYwoQYu78tfKi3TWBaT2xp7C6NbaX0lopNA4vgR5U49 9QWQp+bX5QMxId3vWR6KQOK9rpE6zVuLwK47zcSVZuqhew6g1JCwytL7GhG9V8k1GDQ2 NcJbOXuQjmZxgBlbjoL6FwwhCuDKf2/t97mNKBpNkVry6EAmRAVuRjvHK6qguoACXKN8 VcBFWvjDtFkI//FjfqDQmR3bo+SLhw8axG+vuDWCb72c9NVfio+ukz6Q0jf4ZyYZrO0O nnVw== X-Received: by 10.180.8.133 with SMTP id r5mr428915wia.57.1377278019068; Fri, 23 Aug 2013 10:13:39 -0700 (PDT) 
Received: from [10.10.50.70] (84.106.136.95.rev.vodafone.pt. [95.136.106.84]) by mx.google.com with ESMTPSA id bt8sm1198264wib.8.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 23 Aug 2013 10:13:38 -0700 (PDT) Message-ID: <5217A640.6070903@gmail.com> Date: Fri, 23 Aug 2013 18:13:20 +0000 From: "Mike C." User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130813 Thunderbird/17.0.8 MIME-Version: 1.0 To: galtsev@kicp.uchicago.edu Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios) References: <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> In-Reply-To: <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 17:13:42 -0000 On 08/23/13 16:35, Valeri Galtsev wrote: > > On Fri, August 23, 2013 11:31 am, Josh Beard wrote: >> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote: >> >>> >>> On 08/23/13 16:34, Mike C. wrote: >>>> Yes I know about >>>> >>>>> security.jail.allow_raw_sockets=1 >>>> >>>> Like I said I can do this with "root" just not with the user nagios, I >>> guess If raw_sockets was set to 0 on the host, I would have problems >>> with >>> any user! >>>> >>>> >>>> >>>> ---- >>>> Putting this in /etc/rc.conf: >>>> >>>> jail_${JailName}_parameters="allow.raw_sockets=1" >>>> >>>> does not allow every jail access to raw sockets. There is an example >>> in >>>> /etc/defaults/rc.conf. >>>> >>>> >>> >>> [EDIT: better englih... sorry typing on smartphones sucks] >>> >>> Now this is something I wasn't aware of... 
very nice and thanks for the
>>> tip on ez-jails, I'm indeed using ez-jails!
>>>
>>> Is there any other setting that would forbid non root users to use raw
>>> sockets?
>>>
>>> Thanks
>>>
>> Mike,
>>
>> Doesn't sound to me like an issue with the jail's configuration, but I'm
>> no expert.
>>
>> I'm running NRPE on many jails without issue there and without any special
>> jail configuration.
>>
>> Are you getting "Operation not permitted" output from the "check_http"
>> plugin on the local system or over something like NRPE or through the
>> Nagios configurations?
>>
>> Josh

Local and remote but not with nrpe yet... I guess if I can't use
check_http, I will have problems with nrpe too.

>
> Also, try to do something simple like ping or traceroute as user nagios
> (user for whom check_http fails) in that jail, - does that give any error?
>

Interesting, I see:

traceroute: icmp socket: Operation not permitted

Same for
ping: socket: Operation not permitted

Even with root... so I guess that's the problem, but I wonder now, does
check_http work for root? If I can't even ping...

> Thanks.
> Valeri > >> _______________________________________________ >> freebsd-jail@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-jail >> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" >> > > > ++++++++++++++++++++++++++++++++++++++++ > Valeri Galtsev > Sr System Administrator > Department of Astronomy and Astrophysics > Kavli Institute for Cosmological Physics > University of Chicago > Phone: 773-702-4247 > ++++++++++++++++++++++++++++++++++++++++ > -- Melhores Cumprimentos // Best Regards ------------------------------------------------------------------------ Miguel Clara *nix Sys Admin Freelance http://www.linkedin.com/in/miguelmclara/ Mike_C_PT http://about.me/miguelmclara ------------------------------------------------------------------------ From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 17:27:38 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 9E1FCB93 for ; Fri, 23 Aug 2013 17:27:38 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from cosmo.uchicago.edu (cosmo.uchicago.edu [128.135.52.97]) by mx1.freebsd.org (Postfix) with ESMTP id 682B725D4 for ; Fri, 23 Aug 2013 17:27:38 +0000 (UTC) Received: by cosmo.uchicago.edu (Postfix, from userid 48) id D61CBCB8C8D; Fri, 23 Aug 2013 12:27:37 -0500 (CDT) Received: from 128.135.70.2 (SquirrelMail authenticated user valeri) by cosmo.uchicago.edu with HTTP; Fri, 23 Aug 2013 12:27:37 -0500 (CDT) Message-ID: <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu> In-Reply-To: <5217A640.6070903@gmail.com> References: <20130823145305.GZ99960@www.jail.lambertfam.org> <52178F28.9010108@gmail.com> <521790D1.8020705@gmail.com> <21684.128.135.70.2.1377275739.squirrel@cosmo.uchicago.edu> <5217A640.6070903@gmail.com> Date: Fri, 23 Aug 2013 12:27:37 -0500 
(CDT) Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios) From: "Valeri Galtsev" To: "Mike C." User-Agent: SquirrelMail/1.4.8-5.el5.centos.7 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: galtsev@kicp.uchicago.edu List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 17:27:38 -0000 On Fri, August 23, 2013 1:13 pm, Mike C. wrote: > On 08/23/13 16:35, Valeri Galtsev wrote: >> >> On Fri, August 23, 2013 11:31 am, Josh Beard wrote: >>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. >>> wrote: >>> >>>> >>>> On 08/23/13 16:34, Mike C. wrote: >>>>> Yes I know about >>>>> >>>>>> security.jail.allow_raw_sockets=1 >>>>> >>>>> Like I said I can do this with "root" just not with the user nagios, >>>>> I >>>> guess If raw_sockets was set to 0 on the host, I would have problems >>>> with >>>> any user! >>>>> >>>>> >>>>> >>>>> ---- >>>>> Putting this in /etc/rc.conf: >>>>> >>>>> jail_${JailName}_parameters="allow.raw_sockets=1" >>>>> >>>>> does not allow every jail access to raw sockets. There is an example >>>> in >>>>> /etc/defaults/rc.conf. >>>>> >>>>> >>>> >>>> [EDIT: better englih... sorry typing on smartphones sucks] >>>> >>>> Now this is something I wasn't aware of... very nice and thanks for >>>> the >>>> tip on ez-jails, I'm indeed using ez-jails! >>>> >>>> Is there any other setting that would forbid non root users to use raw >>>> sockets? >>>> >>>> Thanks >>>> >>>> >>>> >>>> >>> Mike, >>> >>> Doesn't sound to me like an issue with the jail's configuration, but >>> I'm >>> no >>> expert. >>> >>> I'm running NRPE on many jails without issue there and without any >>> special >>> jail configuration. 
>>>
>>> Are you getting "Operation not permitted" output from the "check_http"
>>> plugin on the local system or over something like NRPE or through the
>>> Nagios configurations?
>>>
>>> Josh
>
> Local and remote but not with nrpe yet... I guess if I can't use
> check_http, I will have problems with nrpe too.
>
>>
>> Also, try to do something simple like ping or traceroute as user nagios
>> (user for whom check_http fails) in that jail, - does that give any
>> error?
>>
>
> Interesting, I see:
> traceroute: icmp socket: Operation not permitted
>
> Same for
> ping: socket: Operation not permitted
>
> Even with root... so I guess that's the problem, but I wonder now, does
> check_http work for root? If I can't even ping...
>

Also, for whatever reason nice per jail configuration that Scott Lambert
pointed to did not work for me, so I still had to stay with allowing raw
sockets in all jails on my boxes... Could you try that less elegant
configuration I mentioned:

# execute the command:
sysctl security.jail.allow_raw_sockets=1
# restart jail in question

- and see if you still have raw socket problem for users in that jail.

Thanks.

Valeri

>
>> Thanks.
>> Valeri >> >>> _______________________________________________ >>> freebsd-jail@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail >>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" >>> >> >> >> ++++++++++++++++++++++++++++++++++++++++ >> Valeri Galtsev >> Sr System Administrator >> Department of Astronomy and Astrophysics >> Kavli Institute for Cosmological Physics >> University of Chicago >> Phone: 773-702-4247 >> ++++++++++++++++++++++++++++++++++++++++ >> > > > -- > Melhores Cumprimentos // Best Regards > ------------------------------------------------------------------------ > Miguel Clara > *nix Sys Admin Freelance > > > > http://www.linkedin.com/in/miguelmclara/ > Mike_C_PT > http://about.me/miguelmclara > ------------------------------------------------------------------------ > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 18:05:25 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id A75E7FCE for ; Fri, 23 Aug 2013 18:05:25 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from cosmo.uchicago.edu (cosmo.uchicago.edu [128.135.52.97]) by mx1.freebsd.org (Postfix) with ESMTP id 74346282A for ; Fri, 23 Aug 2013 18:05:25 +0000 (UTC) Received: by cosmo.uchicago.edu (Postfix, from userid 48) id C89AACB8C8D; Fri, 23 Aug 2013 13:05:24 -0500 (CDT) Received: from 128.135.70.2 (SquirrelMail authenticated user valeri) by cosmo.uchicago.edu with HTTP; Fri, 23 Aug 2013 13:05:24 -0500 (CDT) Message-ID: <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu> 
Date: Fri, 23 Aug 2013 13:05:24 -0500 (CDT) Subject: Re: per user quotas inside jail? From: "Valeri Galtsev" To: "Konstantin Belousov" User-Agent: SquirrelMail/1.4.8-5.el5.centos.7 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal References: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> <20130823160549.GD4972@kib.kiev.ua> In-Reply-To: <20130823160549.GD4972@kib.kiev.ua> Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: galtsev@kicp.uchicago.edu List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 18:05:25 -0000 On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote: > On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote: >> Dear Experts, >> After searching the web, reading FreeBSD Docs, trying some hacks found on >> some discussion boards... I feel it is not easily possible. Yet, as always >> there may be some expert who knows how to do it: >> How can one have per user quotas inside jail? >> Basically, I would like to give users shell access to some server, but that I prefer to have in jail, where I will mount all filesystems they need access to... and the only question is: how do I restrict them so one >> (or few) user doesn't fill up the whole filesystem. My mind is not married >> to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would >> stay away from is NFS exporting on host and then NFS mounting in jail (which may be easiest if not the only way quota wise). > > UFS quotas work regardless of jailed/non-jailed user. The only confusing > issue is that quotas are per host uid. In other words, if host and jail user, or two users from different jails has the same uid, you get one quota setting applied and accounted for them. 
> >
> > Usual mitigation is to ensure that user uids are globally unique.
>

Thanks, Konstantin.

Still it doesn't work for me. My system is:

9.1-RELEASE-p5 amd64

Kernel: the same as GENERIC, with one option added:

options QUOTA # Add disk quota support

filesystem with quota enabled is directly mounted (UFS; rw,userquota) into
directory inside jail. User (with the same username and UID) exists on the
host system and in jail. Quotas work on the host system. Quotas don't work
inside jail, so this user can fill up the whole filesystem when logged
into jail (jail accepts ssh connections with different hostname...)

Apart from that I tried a hack which I lifted from someone's FreeBSD 7
hack (only the variable name changed since then), namely:

in kernel, in:

/usr/src/sys/kern/vfs_syscalls.c

I kicked out two lines:

if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
        return (EPERM);

(which basically obliterates that 'if' when done from inside jail, as far
as I understand),

rebuilt and installed this kernel; in file

/etc/rc.d/quota

removed line

# KEYWORD: nojail

Yet, I'm still where I was: quotas work outside jail, not inside jail...

So, I'm at a loss. I guess I will have to dive into zfs following Aaron
Kaufman's suggestion... Sigh.
Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 18:24:06 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 5F4E3812 for ; Fri, 23 Aug 2013 18:24:06 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C4894299E for ; Fri, 23 Aug 2013 18:24:05 +0000 (UTC) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.14.7/8.14.7) with ESMTP id r7NINuUU074561; Fri, 23 Aug 2013 21:23:56 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.8.3 kib.kiev.ua r7NINuUU074561 Received: (from kostik@localhost) by tom.home (8.14.7/8.14.7/Submit) id r7NINuxE074560; Fri, 23 Aug 2013 21:23:56 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Fri, 23 Aug 2013 21:23:56 +0300 From: Konstantin Belousov To: Valeri Galtsev Subject: Re: per user quotas inside jail? 
Message-ID: <20130823182356.GH4972@kib.kiev.ua> References: <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> <20130823160549.GD4972@kib.kiev.ua> <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="N1Yq6DLL3siT9/7n" Content-Disposition: inline In-Reply-To: <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on tom.home Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 18:24:06 -0000 --N1Yq6DLL3siT9/7n Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Fri, Aug 23, 2013 at 01:05:24PM -0500, Valeri Galtsev wrote:
> On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote:
> > On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote:
> >> Dear Experts,
> >> After searching the web, reading FreeBSD Docs, trying some hacks found on
> >> some discussion boards... I feel it is not easily possible. Yet, as always
> >> there may be some expert who knows how to do it:
> >> How can one have per user quotas inside jail?
> >> Basically, I would like to give users shell access to some server, but
> >> that I prefer to have in jail, where I will mount all filesystems they
> >> need access to... and the only question is: how do I restrict them so one
> >> (or few) user doesn't fill up the whole filesystem. My mind is not married
> >> to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would
> >> stay away from is NFS exporting on host and then NFS mounting in jail
> >> (which may be easiest if not the only way quota wise).
> >
> > UFS quotas work regardless of jailed/non-jailed user. The only confusing
> > issue is that quotas are per host uid. In other words, if host and jail
> > user, or two users from different jails have the same uid, you get one
> > quota setting applied and accounted for them.
> >
> > Usual mitigation is to ensure that user uids are globally unique.
> >
>
> Thanks, Konstantin.
>
> Still it doesn't work for me. My system is:
>
> 9.1-RELEASE-p5 amd64
>
> Kernel: the same as GENERIC, with one option added:
>
> options QUOTA # Add disk quota support
>
> filesystem with quota enabled is directly mounted (UFS; rw,userquota) into
> directory inside jail. User (with the same username and UID) exists on the
> host system and in jail. Quotas work on the host system. Quotas don't work
> inside jail, so this user can fill up the whole filesystem when logged
> into jail (jail accepts ssh connections with different hostname...)
>
> Apart from that I tried a hack which I lifted from someone's FreeBSD 7
> hack (only the variable name changed since then), namely:
>
> in kernel, in:
>
> /usr/src/sys/kern/vfs_syscalls.c
>
> I kicked out two lines:
>
> if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
>         return (EPERM);
>
> (which basically obliterates that 'if' when done from inside jail, as far
> as I understand),
>
> rebuilt and installed this kernel; in file
>
> /etc/rc.d/quota
>
> removed line
>
> # KEYWORD: nojail
>
> Yet, I'm still where I was: quotas work outside jail, not inside jail...
>
> So, I'm at a loss. I guess I will have to dive into zfs following Aaron
> Kaufman's suggestion... Sigh.

UFS quotas work per mount. So if jail root is on a filesystem which
has no quotas configured, obviously the thing cannot work.
You did not provide any details of your configuration, which makes
a diagnostic impossible.

--N1Yq6DLL3siT9/7n Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.21 (FreeBSD) iQIcBAEBAgAGBQJSF6i7AAoJEJDCuSvBvK1Bc5kP/iqP8Jt3nzHdr5LTrSO13DBx 1xflrNIQSZCvxijzK9NItjjV7Ze2/7Y4o4J0Uq1jocGnpEGhDBgpKSqnmY0SLPDG RvVBItQvW7VlnB1Uzw7WP1nm5qDtXeTc14oFaHP0AztuRGTxDtRMasVvjlsFsUHm dc9Zrfj4MZx1xjkiX4nglbyxGYLh/F/fr5dW7RomS1ianMa12pTQIuELHUHjLiMx mH3jgqM1JskyEC0cAiemKfzR0WSIB49MDOmo/8DxZz5MCJtiM0A8dpOivGxaXEws bvPGxibOGHue5sur3Tu8aDXqYW7rmcLmvTn4YFKyF2SW45NiOIzJ+IWazFgADifm jd1x+LxEPbej4pAzgtK1TWlrB36GSizYLLKJt2G6oPY7GHf6VTQPeE7M4LvEgsNr zw3/6p8sYrtR4vIX9K1DrOvjDnt1JU1U6TFfwsGq5iU5I5OS14OpYPxAci0kpuTd D7ePUNsP/5NUxvZ1RGGO3JdXjPn1OS/9oj2PEURBK71HNEy46dxgWhNqjozqDknP T5SgHB99qDt/VwDPDP7xmkAihQZ2OrfCAuLFzFOCGP5M+1QYfbJjSq9upuVB/dJN NxmsKI9YBw88mJLApNT2C8mFWCPwJd3nKVtCHWNCj22j03xU8ESqw2q81Mg0sNgJ KCLK5azFMz0NA4kEolwR =v/n9 -----END PGP SIGNATURE----- --N1Yq6DLL3siT9/7n-- From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 18:49:20 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 86576ED1 for ; Fri, 23 Aug 2013 18:49:20 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from cosmo.uchicago.edu (cosmo.uchicago.edu [128.135.52.97]) by mx1.freebsd.org (Postfix) with ESMTP id 4F33E2B49 for ; Fri, 23 Aug 2013 18:49:19 +0000 (UTC) Received: by cosmo.uchicago.edu (Postfix, from userid 48) id 9ED52CB8C90; Fri, 23 Aug 2013 13:49:19 -0500 (CDT) Received: from 128.135.70.2 (SquirrelMail authenticated user valeri) by cosmo.uchicago.edu with HTTP; Fri, 23 Aug 2013 13:49:19 -0500 (CDT) Message-ID: <37112.128.135.70.2.1377283759.squirrel@cosmo.uchicago.edu> In-Reply-To: <20130823182356.GH4972@kib.kiev.ua> References:
<19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> <20130823160549.GD4972@kib.kiev.ua> <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu> <20130823182356.GH4972@kib.kiev.ua> Date: Fri, 23 Aug 2013 13:49:19 -0500 (CDT) Subject: Re: per user quotas inside jail? From: "Valeri Galtsev" To: "Konstantin Belousov" User-Agent: SquirrelMail/1.4.8-5.el5.centos.7 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: galtsev@kicp.uchicago.edu List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 18:49:20 -0000 On Fri, August 23, 2013 1:23 pm, Konstantin Belousov wrote: > On Fri, Aug 23, 2013 at 01:05:24PM -0500, Valeri Galtsev wrote: >> On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote: >> > On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote: >> >> Dear Experts, >> >> After searching the web, reading FreeBSD Docs, trying some hacks >> found on >> >> some discussion boards... I feel it is not easily possible. Yet, as >> always >> >> there may be some expert who knows how to do it: >> >> How can one have per user quotas inside jail? >> >> Basically, I would like to give users shell access to some server, >> but >> that I prefer to have in jail, where I will mount all filesystems they >> need access to... and the only question is: how do I restrict them so >> one >> >> (or few) user doesn't fill up the whole filesystem. My mind is not >> married >> >> to any particular filesystem, UFS2, XFS, ZFS... - the only thing I >> would >> >> stay away from is NFS exporting on host and then NFS mounting in jail >> (which may be easiest if not the only way quota wise). >> > >> > UFS quotas work regardless of jailed/non-jailed user. 
The only >> confusing >> > issue is that quotas are per host uid. In other words, if host and >> jail >> user, or two users from different jails has the same uid, you get one >> quota setting applied and accounted for them. >> > >> > Usual mitigation is to ensure that user uids are globally unique. >> > >> >> Thanks, Konstantin. >> >> Still it doesn't work for me. My system is: >> >> 9.1-RELEASE-p5 amd64 >> >> Kernel: the same as GENERIC, with one option added: >> >> options QUOTA # Add disk quota support >> >> filesystem with quota enabled is directly mounted (UFS; rw,userquota) >> into >> directory inside jail. User (with the same username and UID) exists on >> the >> host system and in jail. Quotas work on the host system. Quotas don't >> work >> inside jail, so this user can fill up the whole filesystem when logged >> into jail (jail accepts ssh connections with different hostname...) >> >> Apart from that I tried a hack which I lifted from someone's FreeBSD 7 >> hack (only the variable name changed since then), namely: >> >> in kernel, in: >> >> /usr/src/sys/kern/vfs_syscalls.c >> >> I kicked out two lines: >> >> if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS)) >> return (EPERM); >> >> (which basically obliterate that if done from inside jail as far as I >> understand), >> >> rebuilt and installed this kernel; in file >> >> /etc/rc.d/quota >> >> removed line >> >> # KEYWORD: nojail >> >> Yet, I'm still where I was: quotas work outside jail, not inside jail... >> >> So, I'm at loss. I guess I will have to dive into zfs following Aaron >> Kaufman's suggestion... Sigh. > > UFS quotas work per mount. So if jail root is on a filesystem which > has no quotas configured, obviously the thing cannot work. > > You did not provided any details of your configuration, which makes > a diagnostic impossible. > Hi Konstantin, Thanks a lot for helping me! Sorry, my usual fault, not sufficient details... 
Jails are set up pretty much as in: http://www.freebsd.org/doc/handbook/jails-application.html (directory names and locations are slightly different). Someone mentioned, ezjail does virtually the same too - if that helps. In /jail/mroot there is the structure resembling real system (binaries, libraries,...) except for a few things that have to be writable inside jail; those are replaced with symlinks pointing to these inside subdirectory s: ls -l /jail/mroot total 48 drwxr-xr-x 2 root wheel 1024 Aug 19 13:02 bin drwxr-xr-x 7 root wheel 1024 Aug 19 13:03 boot dr-xr-xr-x 2 root wheel 512 Aug 19 13:02 dev lrwxr-xr-x 1 root wheel 5 Aug 19 13:11 etc -> s/etc lrwxr-xr-x 1 root wheel 6 Aug 19 13:11 home -> s/home drwxr-xr-x 3 root wheel 1536 Aug 19 13:03 lib drwxr-xr-x 3 root wheel 512 Aug 19 13:03 libexec drwxr-xr-x 2 root wheel 512 Aug 19 13:02 media drwxr-xr-x 2 root wheel 512 Aug 19 13:02 mnt dr-xr-xr-x 2 root wheel 512 Aug 19 13:02 proc drwxr-xr-x 2 root wheel 2560 Aug 19 13:03 rescue lrwxr-xr-x 1 root wheel 6 Aug 19 13:11 root -> s/root drwxr-xr-x 2 root wheel 512 Aug 19 13:11 s drwxr-xr-x 2 root wheel 2560 Aug 19 13:03 sbin lrwxr-xr-x 1 root wheel 11 Aug 19 13:02 sys -> usr/src/sys lrwxr-xr-x 1 root wheel 5 Aug 19 13:11 tmp -> s/tmp drwxr-xr-x 14 root wheel 512 Aug 19 13:11 usr lrwxr-xr-x 1 root wheel 5 Aug 19 13:11 var -> s/var particular jail lives in its root directory: /jail/shell /jail/mroot is nullfs readonly mounted onto /jail/shell, rw unique for each shell filesystem is mounted into /jail/shell/s (and populated with appropriate /etc, /var ....), filesystem that has to be with quotas is mounted (UFS; rw,userquota) into /jail/shell/s/home This last one is the one in question: quotas on this work when user will ssh to host system and will write to /jail/shell/s/home; quota does not work if user will ssh into jail (which is accessible from network with different hostname). 
When the user writes into /home in jail (into /s/home actually, symlink points there which on host system is our /jail/shell/s/home), the quotas do not work. I don't quite understand what quota on jail root filesystem (enabled or not enabled) has to do with quota on different filesystem that is mounted inside that filesystem. Outside jail / has no quotas, different filesystem mounted somewhere inside (/jail/shell/s/home or just /home or /var) with quotas and it does honor quotas. Am I missing something trivial or fundamental? Thanks again for helping me! What other details could help? Sincerely yours, Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ From owner-freebsd-jail@FreeBSD.ORG Fri Aug 23 22:25:41 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 85907479 for ; Fri, 23 Aug 2013 22:25:41 +0000 (UTC) (envelope-from miguelmclara@gmail.com) Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 15E77289D for ; Fri, 23 Aug 2013 22:25:40 +0000 (UTC) Received: by mail-wi0-f170.google.com with SMTP id hi8so2666491wib.5 for ; Fri, 23 Aug 2013 15:25:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=sDMVbZe68ymiFjumyujqyLfXEXhNlLdkNRtdVECM47M=; 
Message-ID: <5217EF5F.20507@gmail.com>
Date: Fri, 23 Aug 2013 23:25:19 +0000
From: "Mike C."
To: galtsev@kicp.uchicago.edu, freebsd-jail@freebsd.org
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
In-Reply-To: <36768.128.135.70.2.1377278857.squirrel@cosmo.uchicago.edu>

On 08/23/13 17:27, Valeri Galtsev wrote:
>
> On Fri, August 23, 2013 1:13 pm, Mike C. wrote:
>> On 08/23/13 16:35, Valeri Galtsev wrote:
>>>
>>> On Fri, August 23, 2013 11:31 am, Josh Beard wrote:
>>>> On Fri, Aug 23, 2013 at 10:41 AM, Mike C. wrote:
>>>>
>>>>>
>>>>> On 08/23/13 16:34, Mike C. wrote:
>>>>>> Yes I know about
>>>>>>
>>>>>>> security.jail.allow_raw_sockets=1
>>>>>>
>>>>>> Like I said I can do this with "root" just not with the user nagios, I
>>>>>> guess if raw_sockets was set to 0 on the host, I would have problems with
>>>>>> any user!
>>>>>>
>>>>>> ----
>>>>>> Putting this in /etc/rc.conf:
>>>>>>
>>>>>> jail_${JailName}_parameters="allow.raw_sockets=1"
>>>>>>
>>>>>> does not allow every jail access to raw sockets. There is an example in
>>>>>> /etc/defaults/rc.conf.
>>>>>>
>>>>>
>>>>> [EDIT: better English... sorry typing on smartphones sucks]
>>>>>
>>>>> Now this is something I wasn't aware of... very nice and thanks for the
>>>>> tip on ez-jails, I'm indeed using ez-jails!
>>>>>
>>>>> Is there any other setting that would forbid non root users to use raw
>>>>> sockets?
>>>>>
>>>>> Thanks
>>>>>
>>>> Mike,
>>>>
>>>> Doesn't sound to me like an issue with the jail's configuration, but I'm
>>>> no expert.
>>>>
>>>> I'm running NRPE on many jails without issue there and without any special
>>>> jail configuration.
>>>>
>>>> Are you getting "Operation not permitted" output from the "check_http"
>>>> plugin on the local system or over something like NRPE or through the
>>>> Nagios configurations?
>>>>
>>>> Josh
>>
>> Local and remote but not with nrpe yet... I guess if I can't use
>> check_http, I will have problems with nrpe too.
>>
>>>
>>> Also, try to do something simple like ping or traceroute as user nagios
>>> (user for whom check_http fails) in that jail, - does that give any
>>> error?
>>>
>>
>> Interesting, I see:
>> traceroute: icmp socket: Operation not permitted
>>
>> Same for
>> ping: socket: Operation not permitted
>>
>> Even with root... so I guess that's the problem, but I wonder now how does
>> check_http work for root? If I can't even ping...
>>
>
> Also, for whatever reason nice per jail configuration that Scott Lambert
> pointed to did not work for me, so I still had to stay with allowing raw
> sockets in all jails on my boxes... Could you try that less elegant
> configuration I mentioned:
>
> # execute the command:
>
> sysctl security.jail.allow_raw_sockets=1
>
> # restart jail in question
>
> - and see if you still have raw socket problem for users in that jail.
>

I was using that already, but thanks for testing the other config! I haven't
tried myself, because I wanted to go one step at a time!

I found the problem, well the problem is me actually, the host was not set up
by me, but with the use of tcpdump I was able to track this to pf.conf...
There is a lot of custom config in there since the system is running several
jails with different types of services, web, mail etc... I thought I had
allowed port 80 and even 5666 for nrpe from the jail to the internet, but I
missed the nat rule, which now that I think about it makes perfect sense!

I never thought about it because it was working for "root" but that's because
there is a pf rule for that... since root has always the same ID in every
host....

So I added a table which will be useful to populate later... and allowed port
80 for http check and 5666 for other check on the remote hosts!

Sorry to have taken you guys' time and thanks for the hints, will try the
proposed config for raw sockets and post my results!

> Thanks.
> Valeri
>
>>
>>> Thanks.
>>> Valeri
>>>
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 24 15:08:43 2013
Date: Sat, 24 Aug 2013 18:08:31 +0300
From: Konstantin Belousov
To: Valeri Galtsev
Subject: Re: per user quotas inside jail?
Message-ID: <20130824150831.GO4972@kib.kiev.ua>
In-Reply-To: <37112.128.135.70.2.1377283759.squirrel@cosmo.uchicago.edu>
Cc: freebsd-jail@freebsd.org

On Fri, Aug 23, 2013 at 01:49:19PM -0500, Valeri Galtsev wrote:
>
> On Fri, August 23, 2013 1:23 pm, Konstantin Belousov wrote:
> > On Fri, Aug 23, 2013 at 01:05:24PM -0500, Valeri Galtsev wrote:
> [...]
> > UFS quotas work per mount. So if jail root is on a filesystem which
> > has no quotas configured, obviously the thing cannot work.
> >
> > You did not provide any details of your configuration, which makes
> > a diagnostic impossible.
> >
>
> Hi Konstantin,
>
> Thanks a lot for helping me! Sorry, my usual fault, not sufficient details...
>
> Jails are set up pretty much as in:
>
> http://www.freebsd.org/doc/handbook/jails-application.html
>
> (directory names and locations are slightly different). Someone mentioned,
> ezjail does virtually the same too - if that helps.
>
> In /jail/mroot there is the structure resembling real system (binaries,
> libraries,...) except for a few things that have to be writable inside
> jail; those are replaced with symlinks pointing to these inside
> subdirectory s:
>
> ls -l /jail/mroot
> total 48
> drwxr-xr-x   2 root  wheel  1024 Aug 19 13:02 bin
> drwxr-xr-x   7 root  wheel  1024 Aug 19 13:03 boot
> dr-xr-xr-x   2 root  wheel   512 Aug 19 13:02 dev
> lrwxr-xr-x   1 root  wheel     5 Aug 19 13:11 etc -> s/etc
> lrwxr-xr-x   1 root  wheel     6 Aug 19 13:11 home -> s/home
> drwxr-xr-x   3 root  wheel  1536 Aug 19 13:03 lib
> drwxr-xr-x   3 root  wheel   512 Aug 19 13:03 libexec
> drwxr-xr-x   2 root  wheel   512 Aug 19 13:02 media
> drwxr-xr-x   2 root  wheel   512 Aug 19 13:02 mnt
> dr-xr-xr-x   2 root  wheel   512 Aug 19 13:02 proc
> drwxr-xr-x   2 root  wheel  2560 Aug 19 13:03 rescue
> lrwxr-xr-x   1 root  wheel     6 Aug 19 13:11 root -> s/root
> drwxr-xr-x   2 root  wheel   512 Aug 19 13:11 s
> drwxr-xr-x   2 root  wheel  2560 Aug 19 13:03 sbin
> lrwxr-xr-x   1 root  wheel    11 Aug 19 13:02 sys -> usr/src/sys
> lrwxr-xr-x   1 root  wheel     5 Aug 19 13:11 tmp -> s/tmp
> drwxr-xr-x  14 root  wheel   512 Aug 19 13:11 usr
> lrwxr-xr-x   1 root  wheel     5 Aug 19 13:11 var -> s/var
>
> particular jail lives in its root directory:
>
> /jail/shell
>
> /jail/mroot is nullfs readonly mounted onto /jail/shell, rw unique for
> each shell filesystem is mounted into /jail/shell/s (and populated with
> appropriate /etc, /var ....), filesystem that has to be with quotas is
> mounted (UFS; rw,userquota) into
>
> /jail/shell/s/home
>
> This last one is the one in question: quotas on this work when user will
> ssh to host system and will write to /jail/shell/s/home; quota does not
> work if user will ssh into jail (which is accessible from network with
> different hostname). When the user writes into /home in jail (into /s/home
> actually, symlink points there which on host system is our
> /jail/shell/s/home), the quotas do not work.
>
> I don't quite understand what quota on jail root filesystem (enabled or
> not enabled) has to do with quota on different filesystem that is mounted
> inside that filesystem. Outside jail / has no quotas, different filesystem
> mounted somewhere inside (/jail/shell/s/home or just /home or /var) with
> quotas and it does honor quotas. Am I missing something trivial or
> fundamental?
>
> Thanks again for helping me! What other details could help?

I decided that I have no desire to try to understand all the layers of
indirections which are only relevant to you anyway. Instead, I demonstrate
to you what I mean by working quotas. Below is the transcript of the simple
test.

sandy% mount -v /mnt
mount: /dev/ada1p4: Operation not permitted
/dev/ada1p4 on /mnt (ufs, local, with quotas, soft-updates, writes: sync 2 async 37, reads: sync 7 async 0)
sandy% sudo repquota -uah | grep kostik
kostik -- 14G 0 0 - 461057 0 0 -
sandy% sudo jail -u kostik / test1 127.0.0.1 /bin/sh
$ dd if=/dev/zero bs=1m of=/mnt/1/dddd count=1024
1024+0 records in
1024+0 records out
1073741824 bytes transferred in 10.765265 secs (99741328 bytes/sec)
$ ^D%
sandy% sudo repquota -uah | grep kostik
kostik -- 15G 0 0 - 461058 0 0 -

You could see that the accounted space and inodes are properly increased
after the dd.

IMO, you should make sure that the users operate on the filesystem which
has quotas enabled. Or, you should provide a simple to reproduce test
case, along the lines of the script I pasted above, for me to recreate
the issue locally.
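The test in the transcript above, turned into reusable POSIX sh checks. This is an added example, not code from the thread or from FreeBSD: the function names, the argument layout of check_jailed_quota and the passwd-file scan for shared uids (Konstantin's per-host-uid caveat from earlier in the thread) are assumptions of mine; repquota(8) columns are parsed as they appear in the transcript.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers around the test in the
# transcript above: confirm that the mount the jailed user writes to is
# the one carrying quotas, then confirm that the user's accounted blocks
# and inodes grow after a write made from inside the jail. Function and
# argument names are assumptions; the repquota(8) columns are parsed as
# they appear in the transcript (name, "--", blocks, soft, hard, grace,
# inodes, soft, hard, grace).

# 0 if a `mount -v` line shows the "with quotas" flag. UFS quotas are a
# per-mount property, so check the mount the user writes to (the host
# path behind the jail's /home), not the jail root.
mount_has_quotas() {
    printf '%s\n' "$1" | grep -q 'with quotas'
}

# Normalise a repquota -h value (14G, 1.5M, 512K, 2048B, or a plain
# 1K-block count without -h) to whole kilobytes for numeric comparison.
to_kb() {
    printf '%s\n' "$1" | awk '{
        v = $1; suf = substr(v, length(v), 1); num = v + 0
        if (suf == "T") num *= 1024 * 1024 * 1024
        else if (suf == "G") num *= 1024 * 1024
        else if (suf == "M") num *= 1024
        else if (suf == "B") num /= 1024
        printf "%d\n", num
    }'
}

# $1 and $2 are the user's repquota lines before and after the write.
# 0 only if both the block count (field 3) and the inode count (field 7)
# increased, which is what the transcript shows for user kostik.
quota_increased() {
    b_blk=$(to_kb "$(printf '%s\n' "$1" | awk '{print $3}')")
    a_blk=$(to_kb "$(printf '%s\n' "$2" | awk '{print $3}')")
    b_ino=$(printf '%s\n' "$1" | awk '{print $7}')
    a_ino=$(printf '%s\n' "$2" | awk '{print $7}')
    [ "$a_blk" -gt "$b_blk" ] && [ "$a_ino" -gt "$b_ino" ]
}

# Konstantin's other caveat: UFS accounts quota per host uid, so a uid
# shared by different users on the host and in a jail (or across jails)
# gets one quota. Given passwd files (host first, then each jail's),
# print every uid that maps to more than one user name; no output means
# the uids are globally unique.
uid_collisions() {
    awk -F: '!seen[$3 SUBSEP $1]++ {
                 names[$3] = (names[$3] == "") ? $1 : names[$3] "," $1
                 n[$3]++
             }
             END { for (u in n) if (n[u] > 1) print u, names[u] }' "$@" | sort -n
}

# Reproduce the transcript on a FreeBSD host (needs root). Arguments:
# host path of the quota mount, jail root, the same mount's path as seen
# inside the jail, and the user to test as. Uses the jail(8) syntax of
# the transcript and a 64 MB write instead of 1 GB.
check_jailed_quota() {
    fs=$1; jroot=$2; jpath=$3; user=$4
    mline=$(mount -v | awk -v m="$fs" '$3 == m')
    mount_has_quotas "$mline" || { echo "$fs is not mounted with quotas" >&2; return 1; }
    before=$(repquota -uh "$fs" | awk -v u="$user" '$1 == u')
    [ -n "$before" ] || { echo "no quota entry for $user on $fs" >&2; return 1; }
    jail -u "$user" "$jroot" quotatest 127.0.0.1 /bin/sh -c \
        "dd if=/dev/zero bs=1m of=$jpath/quotatest.$$ count=64"
    after=$(repquota -uh "$fs" | awk -v u="$user" '$1 == u')
    rm -f "$fs/quotatest.$$"
    quota_increased "$before" "$after"
}
```

For the setup described earlier in the thread the call would be `check_jailed_quota /jail/shell/s/home /jail/shell /home <user>`, and `uid_collisions /etc/passwd /jail/*/s/etc/passwd` lists uids that different users share across host and jails.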
From owner-freebsd-jail@FreeBSD.ORG Sat Aug 24 20:35:09 2013
Message-ID: <55726.68.255.103.36.1377376501.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20130824150831.GO4972@kib.kiev.ua>
Date: Sat, 24 Aug 2013 15:35:01 -0500 (CDT)
Subject: Re: per user quotas inside jail?
From: "Valeri Galtsev"
To: "Konstantin Belousov"
Cc: freebsd-jail@freebsd.org

On Sat, August 24, 2013 10:08 am, Konstantin Belousov wrote:
> On Fri, Aug 23, 2013 at 01:49:19PM -0500, Valeri Galtsev wrote:
>> [...]
>> Thanks again for helping me! What other details could help?
>
> I decided that I have no desire to try to understand all the layers of
> indirections which are only relevant to you anyway. Instead, I demonstrate
> to you what I mean by working quotas. Below is the transcript of the simple
> test.
>
> sandy% mount -v /mnt
> mount: /dev/ada1p4: Operation not permitted
> /dev/ada1p4 on /mnt (ufs, local, with quotas, soft-updates, writes: sync 2
> async 37, reads: sync 7 async 0)
> sandy% sudo repquota -uah | grep kostik
> kostik -- 14G 0 0 - 461057 0 0 -
> sandy% sudo jail -u kostik / test1 127.0.0.1 /bin/sh
> $ dd if=/dev/zero bs=1m of=/mnt/1/dddd count=1024
> 1024+0 records in
> 1024+0 records out
> 1073741824 bytes transferred in 10.765265 secs (99741328 bytes/sec)
> $ ^D%
> sandy% sudo repquota -uah | grep kostik
> kostik -- 15G 0 0 - 461058 0 0 -
>
> You could see that the accounted space and inodes are properly increased
> after the dd.
>
> IMO, you should make sure that the users operate on the filesystem which
> has quotas enabled. Or, you should provide a simple to reproduce test
> case, along the lines of the script I pasted above, for me to recreate
> the issue locally.
>

Thanks again for helping me!

I guess, I understand now what the difference is. Apparently, you are a much
better expert, so correct me if I'm wrong. You run your jail with root of
jail filesystems (/) the same as root filesystem of host (/). Therefore,
inside your jail you have access to all host's /etc/fstab; /dev, ... I'll
try to run jail the same way and will see if in that case quotas will work
for me. If yes, then at least I will know that my problem is not on the
kernel level, but in the environment accessible inside jail.

I have all jails set up so that one when in jail is not able to access
filesystem outside jail's own root, which is something like
/jail/{$jailname}... therefore host's /etc /dev are not visible for one
inside jail; what they see inside jail as / is /jail/{$jailname} on host.

Thanks again for all your efforts in helping me!!

Sincerely yours,
Valeri

PS I like _very_much_ your username on that machine: kostik ;-) !!
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 24 21:17:40 2013
Date: Sun, 25 Aug 2013 00:17:34 +0300
From: Konstantin Belousov
To: Valeri Galtsev
Subject: Re: per user quotas inside jail?
Message-ID: <20130824211734.GT4972@kib.kiev.ua>
In-Reply-To: <55726.68.255.103.36.1377376501.squirrel@cosmo.uchicago.edu>
Cc: freebsd-jail@freebsd.org
List-Id: "Discussion about FreeBSD jail(8)"

On Sat, Aug 24, 2013 at 03:35:01PM -0500, Valeri Galtsev wrote:
>
> On Sat, August 24, 2013 10:08 am, Konstantin Belousov wrote:
> >
> > I decided that I have no desire to try to understand all the layers of
> > indirections which are only relevant to you anyway. Instead, I demonstrate
> > to you what I mean by working quotas. Below is the transcript of the simple
> > test.
> >
> > sandy% mount -v /mnt
> > ~
> > mount: /dev/ada1p4: Operation not permitted
> > /dev/ada1p4 on /mnt (ufs, local, with quotas, soft-updates, writes: sync 2
> > async 37, reads: sync 7 async 0)
> > sandy% sudo repquota -uah | grep kostik
> > ~
> > kostik -- 14G 0 0 - 461057
> > 0 0 -
> > sandy% sudo jail -u kostik / test1 127.0.0.1 /bin/sh
> > ~
> > $ dd if=/dev/zero bs=1m of=/mnt/1/dddd count=1024
> > 1024+0 records in
> > 1024+0 records out
> > 1073741824 bytes transferred in 10.765265 secs (99741328 bytes/sec)
> > $ ^D%
> > sandy% sudo repquota -uah | grep kostik
> > ~
> > kostik -- 15G 0 0 - 461058
> > 0 0 -
> >
> > You could see that the accounted space and inodes are properly increased
> > after the dd.
> >
> > IMO, you should make sure that the users operate on the filesystem which
> > has quotas enabled. Or, you should provide a simple to reproduce test
> > case, along the lines of the script I pasted above, for me to recreate
> > the issue locally.
> >
>
> Thanks again for helping me! I guess I understand now what the difference
> is. Apparently, you are a much better expert, so correct me if I'm wrong.
>
> You run your jail with root of jail filesystems (/) the same as root
> filesystem of host (/). Therefore, inside your jail you have access to all
> host's /etc/fstab; /dev, ... I'll try to run jail the same way and will
> see if in that case quotas will work for me. If yes, then at least I
> will know that my problem is not on the kernel level, but in the
> environment accessible inside jail.

After the quotas are configured and running, it is purely kernel-side code
which handles the limits and accounting. You do not need usermode access
to fstab or quota files.
The same experiment as was done above, but now I copied /bin/dd and
ld-elf.so+libc.so into jail root, to convince you that access to the full
host environment does not matter:

sandy% ls -la /mnt/1/fsx
~
-rw-r--r--  1 kostik  kostik  1032128299 Dec 21  2012 /mnt/1/fsx
sandy% sudo repquota -uah | grep kostik
~
kostik -- 15G 0 0 - 461064 0 0 -
sandy% sudo jail -u kostik /mnt/1 test1 127.0.0.1 ./dd if=fsx of=xsf bs=1m
~
984+1 records in
984+1 records out
1032128299 bytes transferred in 10.262390 secs (100573871 bytes/sec)
sandy% sudo repquota -uah | grep kostik
~
kostik -- 16G 0 0 - 461065 0 0 -

>
> I have all jails set up so that one when in jail is not able to access
> filesystem outside jail's own root, which is something like
> /jail/{$jailname}... therefore host's /etc /dev are not visible for one
> inside jail; what they see inside jail as / is /jail/{$jailname} on host.

Let me repeat, verify that the actions which are supposed to be limited by
quotas happen on the filesystem which has quotas configured. Or provide me
with the minimal example in style I posted so that I can reproduce the
issue locally (I very much doubt that this is the case, and not a
misconfiguration).
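A reproducible check in the spirit of the transcripts above, written as an added example that is not part of the thread: it resolves a jail-visible path to the host mount behind it (following symlinks inside the jail, since an absolute link such as /home -> /s/home means something different on the host), confirms that mount is quota-enabled, and compares the user's repquota accounting around a write done from inside the jail. The jail name, jail root, user and path are placeholders; jexec -U, realpath, df -P, mount -v and repquota -u are assumed to behave as on FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the dd/repquota test
# from the transcripts above against a path seen from *inside* a jail, and
# first confirm that the path really lives on a quota-enabled filesystem.
# Assumes FreeBSD jail(8)/jexec(8), mount(8), df(1), realpath(1) and
# repquota(8); jail name, jail root, user and path are placeholders.

# True when mount point $2 shows "with quotas" in the mount -v output $1.
fs_has_quotas() {
    printf '%s\n' "$1" | grep -F " on $2 (" | grep -q 'with quotas'
}

# Print "<blocks used> <inodes used>" from one repquota user line, e.g.
# "kostik -- 15G 0 0 - 461058 0 0 -" -> "15G 461058".
quota_used() {
    printf '%s\n' "$1" | awk '{ print $3, $7 }'
}

# Where a jail-visible path lands on the host.  The symlink is resolved
# *inside* the jail: an absolute link such as /home -> /s/home means
# /jail/<name>/s/home to the jail but /s/home to the host.
host_path() {  # $1 = jail name, $2 = jail root on host, $3 = path in jail
    printf '%s%s\n' "$2" "$(jexec "$1" realpath "$3")"
}

# Write 64 MiB as the user inside the jail and compare the user's
# accounting on the underlying quota filesystem before and after.
check_jail_quota() {  # $1 = jail name, $2 = jail root, $3 = user, $4 = path
    hp=$(host_path "$1" "$2" "$4")
    mp=$(df -P "$hp" | awk 'NR == 2 { print $6 }')
    if ! fs_has_quotas "$(mount -v)" "$mp"; then
        echo "$4 in jail $1 is $hp on the host, on $mp: no quotas there" >&2
        return 1
    fi
    before=$(quota_used "$(repquota -u "$mp" | grep "^$3 ")")
    jexec -U "$3" "$1" dd if=/dev/zero of="$4/quota-probe" bs=1m count=64
    after=$(quota_used "$(repquota -u "$mp" | grep "^$3 ")")
    jexec "$1" rm -f "$4/quota-probe"
    echo "$mp user $3: before [$before] after [$after]"
    [ "$before" != "$after" ]   # accounting must have moved
}

# Usage with placeholder values: check_jail_quota shell /jail/shell someuser /home
```

If the script reports "no quotas there", the write is landing on the nullfs or jail root mount rather than the UFS filesystem that carries the quota, which is the misconfiguration the reply above asks to rule out.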