Tuesday, March 19, 2013

Enabling Second-Level Quotas for Openvz containers

Enabling Second-Level Quotas for Openvz containers

The parameter that controls the second-level disk quotas is QUOTAUGIDLIMIT in the Container configuration file. By default, the value of this parameter is zero and this corresponds to disabled per-user and per-group quotas.

If you assign a non-zero value to the QUOTAUGIDLIMIT parameter, this action brings about the two following results:

Second-level (per-user and per-group) disk quotas are enabled for the given Container;
The value that you assign to this parameter will be the limit for the number of file owners and groups of this Container, including Linux system users. Note that you will theoretically be able to create extra users of this Container, but if the number of file owners inside the Container has already reached the limit, these users will not be able to own files.
Enabling per-user and per-group quotas for a Container requires restarting the Container. The value for it should be carefully chosen; the bigger value you set, the bigger kernel memory overhead this Container creates. This value must be greater than or equal to the number of entries in the Container /etc/passwd and /etc/group files. Taking into account that a newly created Red Hat Linux-based Container has about 80 entries in total, the typical value would be 100. However, for Containers with a large number of users this value may be increased.

When managing the quotaugidlimit parameter, please keep in mind the following:

If you delete a registered user but some files with their ID continue residing inside your Container, the current number of ugids (user and group identities) inside the Container will not decrease.
If you copy an archive containing files with user and group IDs not registered inside your Container, the number of ugids inside the Container will increase by the number of these new IDs.
The session below turns on second-level quotas for Container 101:

# vzctl set 101 --quotaugidlimit 100 --save
Unable to apply new quota values: ugid quota not initialized
Saved parameters for Container 101

You have to stop the container and start it again to reflect the changes as the values cannot be updated to a running container.

# vzctl stop 101;
Stopping Container ...
Container was stopped
Container is unmounted
#vzctl start 101
Starting Container ...
Container is mounted
Adding IP address(es):
Hostname for Container set: ct101
Container start in progress...

Inorder to check if the parameter is correctly enabled in the container, Issue the command in the hardware node :

grep -i QUOTAUGIDLIMIT /etc/sysconfig/vz-scripts/CT_ID.conf

If you get the respected qoutaaugidlimt value it is enabled
If you get an empty result, or a result of zero, second-level quotas are not supported by this environment.

No comments:

Post a Comment