kickstart: enable prjquota for quota enablement #303

Merged
merged 1 commit into from
Feb 1, 2019

dustymabe
Member

This enables platforms like kubernetes to limit the storage of
containers so malicious actors in a multi-tenant environment
can't eat up a ton of storage.

https://bugzilla.redhat.com/show_bug.cgi?id=1658386

@dustymabe dustymabe added the WIP PR still being worked on label Jan 30, 2019
@dustymabe dustymabe changed the title kickstart: enable prjquota for quota enablement WIP: kickstart: enable prjquota for quota enablement Jan 30, 2019
@dustymabe
Member Author

not sure why but the changes as is don't seem to be working for me. They make it into the /etc/fstab but don't make it to the booted system. I need to use rootflags=defaults,prjquota on the kernel command line in order to get it to work.

then project quotas are enabled and I see some output from xfs_quota -x -c state:

[root@coreos ~]# xfs_quota -x -c state
User quota state on /sysroot (/dev/vda2)
  Accounting: OFF
  Enforcement: OFF
  Inode: N/A
Group quota state on /sysroot (/dev/vda2)
  Accounting: OFF
  Enforcement: OFF
  Inode: N/A
Project quota state on /sysroot (/dev/vda2)
  Accounting: ON
  Enforcement: ON
  Inode: #99 (1 blocks, 1 extents)
Blocks grace time: [7 days]
Inodes grace time: [7 days]
Realtime Blocks grace time: [7 days]

good reference: https://www.thegeekdiary.com/how-to-enable-disk-quotas-on-an-xfs-file-system/

Should we enable group and user quota support in addition to project quota support?

@mrunalp

mrunalp commented Jan 30, 2019

@rhvgoyal @nalind ptal

@dustymabe
Member Author

I'm guessing I'll need to go digging into the initrd to find the answer

@cgwalters
Member

> I need to use rootflags=defaults,prjquota on the kernel command line in order to get it to work.

Yeah, that's a known thing; the problem is the flag needs to be set on the initial mount, and we don't have our /etc/fstab in the initramfs. (We could though for FCOS as our partitioning is fixed)

@dustymabe
Member Author

> (We could though for FCOS as our partitioning is fixed)

yeah - I can test that. Considering our partitioning is fixed are there any issues with doing that that you know of?

@dustymabe
Member Author

> we don't have our /etc/fstab in the initramfs

actually this won't work. We generate the initramfs when we generate the ostree, but the fstab gets created by anaconda during initial boot.

I think we should just use the rootflags argument and manage filesystem options for the root filesystem that way?

@cgwalters
Member

> We generate the initramfs when we generate the ostree, but the fstab gets created by anaconda during initial boot.

Yeah; we could change the ostree to include it though. Which would make more sense once we're not using anaconda.

> I think we should just use the rootflags argument and manage filesystem options for the root filesystem that way?

Yeah, fine by me for now. Main downside with that is we don't have a good way to remove/upgrade kargs after shipping right now.

This enables platforms like kubernetes to limit the storage of
containers so malicious actors in a multi-tenant environment
can't eat up a ton of storage.

We can't do this in the fstab because the option needs to be enabled
on the initial mount (during initramfs) and our initramfs files are
generated during ostree generation so we'll use rootflags kernel arg
for now.

https://bugzilla.redhat.com/show_bug.cgi?id=1658386
@dustymabe
Member Author

> Main downside with that is we don't have a good way to remove/upgrade kargs after shipping right now.

meaning no way to change them when we ship a new ostree (i.e. upgrade)? With ostreedev/ostree#479 would we be able to keep knowledge about default provided kernel args and allow them to be changed over time when a new ostree gets shipped?

@dustymabe
Member Author

pushed ⬆️ using rootflags

@dustymabe dustymabe removed the WIP PR still being worked on label Feb 1, 2019
@dustymabe dustymabe changed the title WIP: kickstart: enable prjquota for quota enablement kickstart: enable prjquota for quota enablement Feb 1, 2019
@cgwalters
Member

> meaning no way to change them when we ship a new ostree (i.e. upgrade)?

Yeah although a specific issue for this kernel argument is...what are the semantics if e.g. we decide to stop enabling quota? Can we later re-enable it?

But yeah, we need to implement that ostree issue at some point in general.

@cgwalters
Member

LGTM

@cgwalters cgwalters merged commit 4bbdbba into coreos:master Feb 1, 2019
@ashcrow
Member

ashcrow commented Feb 1, 2019

Backporting the changes.

@dustymabe dustymabe deleted the quota branch February 15, 2019 20:48
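
A check for the approach settled on in this thread, as an added example that is not part of the PR or the project's code: it looks for prjquota in the rootflags= kernel argument and reads the Project section of `xfs_quota -x -c state` output. The function names and the sample command line are constructed for illustration.

```shell
# Added example, not CoreOS code: check that project quota was requested at
# the initial root mount and is actually being enforced.

# Return 0 if the kernel command line in $1 carries prjquota (or its XFS
# alias pquota) among the comma-separated rootflags= options.
cmdline_has_prjquota() {
    for arg in $1; do
        case "$arg" in
            rootflags=*)
                old_ifs=$IFS; IFS=,
                for o in ${arg#rootflags=}; do
                    case "$o" in
                        prjquota|pquota) IFS=$old_ifs; return 0 ;;
                    esac
                done
                IFS=$old_ifs ;;
        esac
    done
    return 1
}

# Read `xfs_quota -x -c state` output on stdin; print the Project section as
# "accounting=<v> enforcement=<v>" (UNKNOWN if the section is missing).
project_quota_state() {
    awk '
        /quota state on/ { in_prj = ($1 == "Project") }
        in_prj && $1 == "Accounting:"  { acc = $2 }
        in_prj && $1 == "Enforcement:" { enf = $2 }
        END { printf "accounting=%s enforcement=%s\n",
                     (acc ? acc : "UNKNOWN"), (enf ? enf : "UNKNOWN") }'
}

# $1 = kernel command line, stdin = state output. Succeeds only if both hold.
prjquota_enforced() {
    cmdline_has_prjquota "$1" || return 1
    [ "$(project_quota_state)" = "accounting=ON enforcement=ON" ]
}

# Constructed command line; the state lines are copied from the thread's output.
SAMPLE_CMDLINE='root=/dev/vda2 rw rootflags=defaults,prjquota'
SAMPLE_STATE='User quota state on /sysroot (/dev/vda2)
  Accounting: OFF
  Enforcement: OFF
Project quota state on /sysroot (/dev/vda2)
  Accounting: ON
  Enforcement: ON'

# On a live host:
#   xfs_quota -x -c state | prjquota_enforced "$(cat /proc/cmdline)" && echo OK
```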