Use quotactl system call inside docker container

Question

I want to use XFS filesystem quotas inside a docker container to limit the size of some directories. I already put quotactl in the seccomp whitelist (I am fully aware that this is not secure), but now I get a no such file or directory error.

The XFS filesystem is just accessible by a bind mount, so I tried using both the storage device from the host and from the container for the system call (for example /dev/sda2 and /dev/sda5 ), neither of them worked. The exact same program works perfectly fine on the host system.

Edit: This is was strace tells me:

# On host system
quotactl(QCMD(Q_XSETQLIM, PRJQUOTA), "/dev/sda5", 0, {d_version=1, d_flags=XFS_PROJ_QUOTA, d_fieldmask=0x8, d_id=0, d_blk_hardlimit=20480, d_blk_softlimit=0, d_ino_hardlimit=0, d_ino_softlimit=0, d_bcount=0, d_icount=0, d_itimer=0, d_btimer=0, d_iwarns=0, d_bwarns=0, d_rtb_hardlimit=0, d_rtb_softlimit=0, d_rtbcount=0, d_rtbtimer=0, d_rtbwarns=0}) = 0
# Inside container
quotactl(QCMD(Q_XSETQLIM, PRJQUOTA), "/dev/sda5", 0, {d_version=1, d_flags=XFS_PROJ_QUOTA, d_fieldmask=0x8, d_id=0, d_blk_hardlimit=20480, d_blk_softlimit=0, d_ino_hardlimit=0, d_ino_softlimit=0, d_bcount=0, d_icount=0, d_itimer=0, d_btimer=0, d_iwarns=0, d_bwarns=0, d_rtb_hardlimit=0, d_rtb_softlimit=0, d_rtbcount=0, d_rtbtimer=0, d_rtbwarns=0}) = -1 ENOENT (No such file or directory)

Answer 1

With some help from the comments I was able to solve this problem, there are three things you need to do in order to use quotactl inside a docker container:

• Use your own seccomp configuration for the container and whitelist the quotactl system call
• Add the device to the container with the command line option --device=/dev/sdXX:/dev/sdXX
• Run the container in privileged mode with --privileged