@@ -11,8 +11,8 @@ import (

 	"testing"

 	"github.com/docker/docker/daemon/graphdriver"

+	"github.com/docker/docker/daemon/internal/quota"

 	"github.com/docker/docker/pkg/stringid"

-	"github.com/docker/docker/quota"

 	"github.com/docker/go-units"

 	"golang.org/x/sys/unix"

 	"gotest.tools/v3/assert"

@@ -20,9 +20,9 @@ import (

 	"github.com/docker/docker/daemon/graphdriver/overlayutils"

 	"github.com/docker/docker/daemon/internal/fstype"

 	"github.com/docker/docker/daemon/internal/mountref"

+	"github.com/docker/docker/daemon/internal/quota"

 	"github.com/docker/docker/internal/containerfs"

 	"github.com/docker/docker/internal/directory"

-	"github.com/docker/docker/quota"

 	"github.com/docker/go-units"

 	"github.com/moby/go-archive"

 	"github.com/moby/go-archive/chrootarchive"

@@ -6,9 +6,9 @@ import (

 	"path/filepath"

 	"github.com/docker/docker/daemon/graphdriver"

+	"github.com/docker/docker/daemon/internal/quota"

 	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/internal/containerfs"

-	"github.com/docker/docker/quota"

 	"github.com/docker/go-units"

 	"github.com/moby/sys/user"

 	"github.com/opencontainers/selinux/go-selinux/label"

@@ -5,7 +5,7 @@ import (

 	"errors"

 	"github.com/containerd/log"

-	"github.com/docker/docker/quota"

+	"github.com/docker/docker/daemon/internal/quota"

 )

 type driverQuota struct {

@@ -2,7 +2,7 @@

 package vfs

-import "github.com/docker/docker/quota"

+import "github.com/docker/docker/daemon/internal/quota"

 type driverQuota struct{}

new file mode 100644

@@ -0,0 +1,16 @@

+package quota

+

+import "github.com/docker/docker/errdefs"

+

+var _ errdefs.ErrNotImplemented = (*errQuotaNotSupported)(nil)

+

+// ErrQuotaNotSupported indicates if were found the FS didn't have projects quotas available

+var ErrQuotaNotSupported = errQuotaNotSupported{}

+

+type errQuotaNotSupported struct{}

+

+func (e errQuotaNotSupported) NotImplemented() {}

+

+func (e errQuotaNotSupported) Error() string {

+	return "Filesystem does not support, or has not enabled quotas"

+}

new file mode 100644

@@ -0,0 +1,446 @@

+//go:build linux && !exclude_disk_quota && cgo

+

+//

+// projectquota.go - implements XFS project quota controls

+// for setting quota limits on a newly created directory.

+// It currently supports the legacy XFS specific ioctls.

+//

+// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR

+//       for both xfs/ext4 for kernel version >= v4.5

+//

+

+package quota

+

+/*

+#include <stdlib.h>

+#include <dirent.h>

+#include <linux/fs.h>

+#include <linux/quota.h>

+#include <linux/dqblk_xfs.h>

+

+#ifndef FS_XFLAG_PROJINHERIT

+struct fsxattr {

+	__u32		fsx_xflags;

+	__u32		fsx_extsize;

+	__u32		fsx_nextents;

+	__u32		fsx_projid;

+	unsigned char	fsx_pad[12];

+};

+#define FS_XFLAG_PROJINHERIT	0x00000200

+#endif

+#ifndef FS_IOC_FSGETXATTR

+#define FS_IOC_FSGETXATTR		_IOR ('X', 31, struct fsxattr)

+#endif

+#ifndef FS_IOC_FSSETXATTR

+#define FS_IOC_FSSETXATTR		_IOW ('X', 32, struct fsxattr)

+#endif

+

+#ifndef PRJQUOTA

+#define PRJQUOTA	2

+#endif

+#ifndef XFS_PROJ_QUOTA

+#define XFS_PROJ_QUOTA	2

+#endif

+#ifndef Q_XSETPQLIM

+#define Q_XSETPQLIM QCMD(Q_XSETQLIM, PRJQUOTA)

+#endif

+#ifndef Q_XGETPQUOTA

+#define Q_XGETPQUOTA QCMD(Q_XGETQUOTA, PRJQUOTA)

+#endif

+

+const int Q_XGETQSTAT_PRJQUOTA = QCMD(Q_XGETQSTAT, PRJQUOTA);

+*/

+import "C"

+

+import (

+	"context"

+	"os"

+	"path"

+	"path/filepath"

+	"sync"

+	"unsafe"

+

+	"github.com/containerd/log"

+	"github.com/moby/sys/userns"

+	"github.com/pkg/errors"

+	"golang.org/x/sys/unix"

+)

+

+type pquotaState struct {

+	sync.Mutex

+	nextProjectID uint32

+}

+

+var (

+	pquotaStateInst *pquotaState

+	pquotaStateOnce sync.Once

+)

+

+// getPquotaState - get global pquota state tracker instance

+func getPquotaState() *pquotaState {

+	pquotaStateOnce.Do(func() {

+		pquotaStateInst = &pquotaState{

+			nextProjectID: 1,

+		}

+	})

+	return pquotaStateInst

+}

+

+// registerBasePath - register a new base path and update nextProjectID

+func (state *pquotaState) updateMinProjID(minProjectID uint32) {

+	state.Lock()

+	defer state.Unlock()

+	if state.nextProjectID <= minProjectID {

+		state.nextProjectID = minProjectID + 1

+	}

+}

+

+// NewControl - initialize project quota support.

+// Test to make sure that quota can be set on a test dir and find

+// the first project id to be used for the next container create.

+//

+// Returns nil (and error) if project quota is not supported.

+//

+// First get the project id of the home directory.

+// This test will fail if the backing fs is not xfs.

+//

+// xfs_quota tool can be used to assign a project id to the driver home directory, e.g.:

+//

+//	echo 999:/var/lib/docker/overlay2 >> /etc/projects

+//	echo docker:999 >> /etc/projid

+//	xfs_quota -x -c 'project -s docker' /<xfs mount point>

+//

+// In that case, the home directory project id will be used as a "start offset"

+// and all containers will be assigned larger project ids (e.g. >= 1000).

+// This is a way to prevent xfs_quota management from conflicting with docker.

+//

+// Then try to create a test directory with the next project id and set a quota

+// on it. If that works, continue to scan existing containers to map allocated

+// project ids.

+func NewControl(basePath string) (*Control, error) {

+	//

+	// If we are running in a user namespace quota won't be supported for

+	// now since makeBackingFsDev() will try to mknod().

+	//

+	if userns.RunningInUserNS() {

+		return nil, ErrQuotaNotSupported

+	}

+

+	//

+	// create backing filesystem device node

+	//

+	backingFsBlockDev, err := makeBackingFsDev(basePath)

+	if err != nil {

+		return nil, err

+	}

+

+	// check if we can call quotactl with project quotas

+	// as a mechanism to determine (early) if we have support

+	hasQuotaSupport, err := hasQuotaSupport(backingFsBlockDev)

+	if err != nil {

+		return nil, err

+	}

+	if !hasQuotaSupport {

+		return nil, ErrQuotaNotSupported

+	}

+

+	//

+	// Get project id of parent dir as minimal id to be used by driver

+	//

+	baseProjectID, err := getProjectID(basePath)

+	if err != nil {

+		return nil, err

+	}

+	minProjectID := baseProjectID + 1

+

+	//

+	// Test if filesystem supports project quotas by trying to set

+	// a quota on the first available project id

+	//

+	quota := Quota{

+		Size: 0,

+	}

+	if err := setProjectQuota(backingFsBlockDev, minProjectID, quota); err != nil {

+		return nil, err

+	}

+

+	q := Control{

+		backingFsBlockDev: backingFsBlockDev,

+		quotas:            make(map[string]uint32),

+	}

+

+	//

+	// update minimum project ID

+	//

+	state := getPquotaState()

+	state.updateMinProjID(minProjectID)

+

+	//

+	// get first project id to be used for next container

+	//

+	err = q.findNextProjectID(basePath, baseProjectID)

+	if err != nil {

+		return nil, err

+	}

+

+	log.G(context.TODO()).Debugf("NewControl(%s): nextProjectID = %d", basePath, state.nextProjectID)

+	return &q, nil

+}

+

+// SetQuota - assign a unique project id to directory and set the quota limits

+// for that project id

+func (q *Control) SetQuota(targetPath string, quota Quota) error {

+	q.RLock()

+	projectID, ok := q.quotas[targetPath]

+	q.RUnlock()

+	if !ok {

+		state := getPquotaState()

+		state.Lock()

+		projectID = state.nextProjectID

+

+		//

+		// assign project id to new container directory

+		//

+		err := setProjectID(targetPath, projectID)

+		if err != nil {

+			state.Unlock()

+			return err

+		}

+

+		state.nextProjectID++

+		state.Unlock()

+

+		q.Lock()

+		q.quotas[targetPath] = projectID

+		q.Unlock()

+	}

+

+	//

+	// set the quota limit for the container's project id

+	//

+	log.G(context.TODO()).Debugf("SetQuota(%s, %d): projectID=%d", targetPath, quota.Size, projectID)

+	return setProjectQuota(q.backingFsBlockDev, projectID, quota)

+}

+

+// setProjectQuota - set the quota for project id on xfs block device

+func setProjectQuota(backingFsBlockDev string, projectID uint32, quota Quota) error {

+	var d C.fs_disk_quota_t

+	d.d_version = C.FS_DQUOT_VERSION

+	d.d_id = C.__u32(projectID)

+	d.d_flags = C.XFS_PROJ_QUOTA

+

+	d.d_fieldmask = C.FS_DQ_BHARD | C.FS_DQ_BSOFT

+	d.d_blk_hardlimit = C.__u64(quota.Size / 512)

+	d.d_blk_softlimit = d.d_blk_hardlimit

+

+	cs := C.CString(backingFsBlockDev)

+	defer C.free(unsafe.Pointer(cs))

+

+	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XSETPQLIM,

+		uintptr(unsafe.Pointer(cs)), uintptr(d.d_id),

+		uintptr(unsafe.Pointer(&d)), 0, 0)

+	if errno != 0 {

+		return errors.Wrapf(errno, "failed to set quota limit for projid %d on %s",

+			projectID, backingFsBlockDev)

+	}

+

+	return nil

+}

+

+// GetQuota - get the quota limits of a directory that was configured with SetQuota

+func (q *Control) GetQuota(targetPath string, quota *Quota) error {

+	q.RLock()

+	projectID, ok := q.quotas[targetPath]

+	q.RUnlock()

+	if !ok {

+		return errors.Errorf("quota not found for path: %s", targetPath)

+	}

+

+	//

+	// get the quota limit for the container's project id

+	//

+	var d C.fs_disk_quota_t

+

+	cs := C.CString(q.backingFsBlockDev)

+	defer C.free(unsafe.Pointer(cs))

+

+	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XGETPQUOTA,

+		uintptr(unsafe.Pointer(cs)), uintptr(C.__u32(projectID)),

+		uintptr(unsafe.Pointer(&d)), 0, 0)

+	if errno != 0 {

+		return errors.Wrapf(errno, "Failed to get quota limit for projid %d on %s",

+			projectID, q.backingFsBlockDev)

+	}

+	quota.Size = uint64(d.d_blk_hardlimit) * 512

+

+	return nil

+}

+

+// getProjectID - get the project id of path on xfs

+func getProjectID(targetPath string) (uint32, error) {

+	dir, err := openDir(targetPath)

+	if err != nil {

+		return 0, err

+	}

+	defer closeDir(dir)

+

+	var fsx C.struct_fsxattr

+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR,

+		uintptr(unsafe.Pointer(&fsx)))

+	if errno != 0 {

+		return 0, errors.Wrapf(errno, "failed to get projid for %s", targetPath)

+	}

+

+	return uint32(fsx.fsx_projid), nil

+}

+

+// setProjectID - set the project id of path on xfs

+func setProjectID(targetPath string, projectID uint32) error {

+	dir, err := openDir(targetPath)

+	if err != nil {

+		return err

+	}

+	defer closeDir(dir)

+

+	var fsx C.struct_fsxattr

+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR,

+		uintptr(unsafe.Pointer(&fsx)))

+	if errno != 0 {

+		return errors.Wrapf(errno, "failed to get projid for %s", targetPath)

+	}

+	fsx.fsx_projid = C.__u32(projectID)

+	fsx.fsx_xflags |= C.FS_XFLAG_PROJINHERIT

+	_, _, errno = unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSSETXATTR,

+		uintptr(unsafe.Pointer(&fsx)))

+	if errno != 0 {

+		return errors.Wrapf(errno, "failed to set projid for %s", targetPath)

+	}

+

+	return nil

+}

+

+// findNextProjectID - find the next project id to be used for containers

+// by scanning driver home directory to find used project ids

+func (q *Control) findNextProjectID(home string, baseID uint32) error {

+	state := getPquotaState()

+	state.Lock()

+	defer state.Unlock()

+

+	checkProjID := func(path string) (uint32, error) {

+		projid, err := getProjectID(path)

+		if err != nil {

+			return projid, err

+		}

+		if projid > 0 {

+			q.quotas[path] = projid

+		}

+		if state.nextProjectID <= projid {

+			state.nextProjectID = projid + 1

+		}

+		return projid, nil

+	}

+

+	files, err := os.ReadDir(home)

+	if err != nil {

+		return errors.Errorf("read directory failed: %s", home)

+	}

+	for _, file := range files {

+		if !file.IsDir() {

+			continue

+		}

+		path := filepath.Join(home, file.Name())

+		projid, err := checkProjID(path)

+		if err != nil {

+			return err

+		}

+		if projid > 0 && projid != baseID {

+			continue

+		}

+		subfiles, err := os.ReadDir(path)

+		if err != nil {

+			return errors.Errorf("read directory failed: %s", path)

+		}

+		for _, subfile := range subfiles {

+			if !subfile.IsDir() {

+				continue

+			}

+			subpath := filepath.Join(path, subfile.Name())

+			_, err := checkProjID(subpath)

+			if err != nil {

+				return err

+			}

+		}

+	}

+

+	return nil

+}

+

+func free(p *C.char) {

+	C.free(unsafe.Pointer(p))

+}

+

+func openDir(path string) (*C.DIR, error) {

+	Cpath := C.CString(path)

+	defer free(Cpath)

+

+	dir := C.opendir(Cpath)

+	if dir == nil {

+		return nil, errors.Errorf("failed to open dir: %s", path)

+	}

+	return dir, nil

+}

+

+func closeDir(dir *C.DIR) {

+	if dir != nil {

+		C.closedir(dir)

+	}

+}

+

+func getDirFd(dir *C.DIR) uintptr {

+	return uintptr(C.dirfd(dir))

+}

+

+// makeBackingFsDev gets the backing block device of the driver home directory

+// and creates a block device node under the home directory to be used by

+// quotactl commands.

+func makeBackingFsDev(home string) (string, error) {

+	var stat unix.Stat_t

+	if err := unix.Stat(home, &stat); err != nil {

+		return "", err

+	}

+

+	backingFsBlockDev := path.Join(home, "backingFsBlockDev")

+	// Re-create just in case someone copied the home directory over to a new device

+	unix.Unlink(backingFsBlockDev)

+	err := unix.Mknod(backingFsBlockDev, unix.S_IFBLK|0o600, int(stat.Dev))

+	switch {

+	case err == nil:

+		return backingFsBlockDev, nil

+

+	case errors.Is(err, unix.ENOSYS), errors.Is(err, unix.EPERM):

+		return "", ErrQuotaNotSupported

+

+	default:

+		return "", errors.Wrapf(err, "failed to mknod %s", backingFsBlockDev)

+	}

+}

+

+func hasQuotaSupport(backingFsBlockDev string) (bool, error) {

+	cs := C.CString(backingFsBlockDev)

+	defer free(cs)

+	var qstat C.fs_quota_stat_t

+

+	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, uintptr(C.Q_XGETQSTAT_PRJQUOTA), uintptr(unsafe.Pointer(cs)), 0, uintptr(unsafe.Pointer(&qstat)), 0, 0)

+	if errno == 0 && qstat.qs_flags&C.FS_QUOTA_PDQ_ENFD > 0 && qstat.qs_flags&C.FS_QUOTA_PDQ_ACCT > 0 {

+		return true, nil

+	}

+

+	switch errno {

+	// These are the known fatal errors, consider all other errors (ENOTTY, etc.. not supporting quota)

+	case unix.EFAULT, unix.ENOENT, unix.ENOTBLK, unix.EPERM:

+	default:

+		return false, nil

+	}

+

+	return false, errno

+}

new file mode 100644

@@ -0,0 +1,78 @@

+//go:build linux

+

+package quota

+

+import (

+	"errors"

+	"io"

+	"os"

+	"path/filepath"

+	"testing"

+

+	"gotest.tools/v3/assert"

+	is "gotest.tools/v3/assert/cmp"

+)

+

+// 10MB

+const testQuotaSize = 10 * 1024 * 1024

+

+func TestBlockDev(t *testing.T) {

+	if msg, ok := CanTestQuota(); !ok {

+		t.Skip(msg)

+	}

+

+	// get sparse xfs test image

+	imageFileName, err := PrepareQuotaTestImage(t)

+	if err != nil {

+		t.Fatal(err)

+	}

+	defer os.Remove(imageFileName)

+

+	t.Run("testBlockDevQuotaDisabled", WrapMountTest(imageFileName, false, testBlockDevQuotaDisabled))

+	t.Run("testBlockDevQuotaEnabled", WrapMountTest(imageFileName, true, testBlockDevQuotaEnabled))

+	t.Run("testSmallerThanQuota", WrapMountTest(imageFileName, true, WrapQuotaTest(testSmallerThanQuota)))

+	t.Run("testBiggerThanQuota", WrapMountTest(imageFileName, true, WrapQuotaTest(testBiggerThanQuota)))

+	t.Run("testRetrieveQuota", WrapMountTest(imageFileName, true, WrapQuotaTest(testRetrieveQuota)))

+}

+

+func testBlockDevQuotaDisabled(t *testing.T, mountPoint, backingFsDev, testDir string) {

+	hasSupport, err := hasQuotaSupport(backingFsDev)

+	assert.NilError(t, err)

+	assert.Check(t, !hasSupport)

+}

+

+func testBlockDevQuotaEnabled(t *testing.T, mountPoint, backingFsDev, testDir string) {

+	hasSupport, err := hasQuotaSupport(backingFsDev)

+	assert.NilError(t, err)

+	assert.Check(t, hasSupport)

+}

+

+func testSmallerThanQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {

+	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))

+	smallerThanQuotaFile := filepath.Join(testSubDir, "smaller-than-quota")

+	assert.NilError(t, os.WriteFile(smallerThanQuotaFile, make([]byte, testQuotaSize/2), 0o644))

+	assert.NilError(t, os.Remove(smallerThanQuotaFile))

+}

+

+func testBiggerThanQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {

+	// Make sure the quota is being enforced

+	// TODO: When we implement this under EXT4, we need to shed CAP_SYS_RESOURCE, otherwise

+	// we're able to violate quota without issue

+	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))

+

+	biggerThanQuotaFile := filepath.Join(testSubDir, "bigger-than-quota")

+	err := os.WriteFile(biggerThanQuotaFile, make([]byte, testQuotaSize+1), 0o644)

+	assert.ErrorContains(t, err, "")

+	if errors.Is(err, io.ErrShortWrite) {

+		assert.NilError(t, os.Remove(biggerThanQuotaFile))

+	}

+}

+

+func testRetrieveQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {

+	// Validate that we can retrieve quota

+	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))

+

+	var q Quota

+	assert.NilError(t, ctrl.GetQuota(testSubDir, &q))

+	assert.Check(t, is.Equal(uint64(testQuotaSize), q.Size))

+}

new file mode 100644

@@ -0,0 +1,18 @@

+//go:build (linux && exclude_disk_quota) || (linux && !cgo) || !linux

+

+package quota

+

+func NewControl(basePath string) (*Control, error) {

+	return nil, ErrQuotaNotSupported

+}

+

+// SetQuota - assign a unique project id to directory and set the quota limits

+// for that project id

+func (q *Control) SetQuota(targetPath string, quota Quota) error {

+	return ErrQuotaNotSupported

+}

+

+// GetQuota - get the quota limits of a directory that was configured with SetQuota

+func (q *Control) GetQuota(targetPath string, quota *Quota) error {

+	return ErrQuotaNotSupported

+}

new file mode 100644

@@ -0,0 +1,132 @@

+//go:build linux && !exclude_disk_quota && cgo

+

+package quota

+

+import (

+	"os"

+	"os/exec"

+	"testing"

+

+	"golang.org/x/sys/unix"

+)

+

+// CanTestQuota - checks if xfs prjquota can be tested

+// returns a reason if not

+func CanTestQuota() (string, bool) {

+	if os.Getuid() != 0 {

+		return "requires mounts", false

+	}

+	_, err := exec.LookPath("mkfs.xfs")

+	if err != nil {

+		return "mkfs.xfs not found in PATH", false

+	}

+	return "", true

+}

+

+// PrepareQuotaTestImage - prepares an xfs prjquota test image

+// returns the path of the image on success

+func PrepareQuotaTestImage(t *testing.T) (string, error) {

+	// imageSize is the size of the test-image. The minimum size allowed

+	// is 300MB.

+	//

+	// See https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/commit/?id=6e0ed3d19c54603f0f7d628ea04b550151d8a262

+	const imageSize = 300 * 1024 * 1024

+

+	mkfs, err := exec.LookPath("mkfs.xfs")

+	if err != nil {

+		return "", err

+	}

+

+	// create a sparse image

+	imageFile, err := os.CreateTemp("", "xfs-image")

+	if err != nil {

+		return "", err

+	}

+	imageFileName := imageFile.Name()

+	if _, err = imageFile.Seek(imageSize-1, 0); err != nil {

+		os.Remove(imageFileName)

+		return "", err

+	}

+	if _, err = imageFile.Write([]byte{0}); err != nil {

+		os.Remove(imageFileName)

+		return "", err

+	}

+	if err = imageFile.Close(); err != nil {

+		os.Remove(imageFileName)

+		return "", err

+	}

+

+	// The reason for disabling these options is sometimes people run with a newer userspace

+	// than kernelspace

+	out, err := exec.Command(mkfs, "-m", "crc=0,finobt=0", imageFileName).CombinedOutput()

+	if len(out) > 0 {

+		t.Log(string(out))

+	}

+	if err != nil {

+		os.Remove(imageFileName)

+		return "", err

+	}

+

+	return imageFileName, nil

+}

+

+// WrapMountTest - wraps a test function such that it has easy access to a mountPoint and testDir

+// with guaranteed prjquota or guaranteed no prjquota support.

+func WrapMountTest(imageFileName string, enableQuota bool, testFunc func(t *testing.T, mountPoint, backingFsDev, testDir string)) func(*testing.T) {

+	return func(t *testing.T) {

+		mountOptions := "loop"

+

+		if enableQuota {

+			mountOptions = mountOptions + ",prjquota"

+		}

+

+		mountPoint := t.TempDir()

+		out, err := exec.Command("mount", "-o", mountOptions, imageFileName, mountPoint).CombinedOutput()

+		if err != nil {

+			_, err := os.Stat("/proc/fs/xfs")

+			if os.IsNotExist(err) {

+				t.Skip("no /proc/fs/xfs")

+			}

+		}

+

+		if err != nil {

+			t.Fatalf("assertion failed: error is not nil: %v: mount failed: %s", err, out)

+		}

+

+		defer func() {

+			if err := unix.Unmount(mountPoint, 0); err != nil {

+				t.Fatalf("assertion failed: error is not nil: %v", err)

+			}

+		}()

+

+		backingFsDev, err := makeBackingFsDev(mountPoint)

+		if err != nil {

+			t.Fatalf("assertion failed: error is not nil: %v", err)

+		}

+

+		testDir, err := os.MkdirTemp(mountPoint, "per-test")

+		if err != nil {

+			t.Fatalf("assertion failed: error is not nil: %v", err)

+		}

+		defer os.RemoveAll(testDir)

+

+		testFunc(t, mountPoint, backingFsDev, testDir)

+	}

+}

+

+// WrapQuotaTest - wraps a test function such that is has easy and guaranteed access to a quota Control

+// instance with a quota test dir under its control.

+func WrapQuotaTest(testFunc func(t *testing.T, ctrl *Control, mountPoint, testDir, testSubDir string)) func(t *testing.T, mountPoint, backingFsDev, testDir string) {

+	return func(t *testing.T, mountPoint, backingFsDev, testDir string) {

+		ctrl, err := NewControl(testDir)

+		if err != nil {

+			t.Fatalf("assertion failed: error is not nil: %v", err)

+		}

+

+		testSubDir, err := os.MkdirTemp(testDir, "quota-test")

+		if err != nil {

+			t.Fatalf("assertion failed: error is not nil: %v", err)

+		}

+		testFunc(t, ctrl, mountPoint, testDir, testSubDir)

+	}

+}

new file mode 100644

@@ -0,0 +1,16 @@

+package quota

+

+import "sync"

+

+// Quota limit params - currently we only control blocks hard limit

+type Quota struct {

+	Size uint64

+}

+

+// Control - Context to be used by storage driver (e.g. overlay)

+// who wants to apply project quotas to container dirs

+type Control struct {

+	backingFsBlockDev string

+	sync.RWMutex      // protect nextProjectID and quotas map

+	quotas            map[string]uint32

+}

@@ -14,11 +14,11 @@ import (

 	"sync"

 	"github.com/containerd/log"

+	"github.com/docker/docker/daemon/internal/quota"

 	"github.com/docker/docker/daemon/names"

 	"github.com/docker/docker/daemon/volume"

 	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/pkg/idtools"

-	"github.com/docker/docker/quota"

 	"github.com/moby/sys/atomicwriter"

 	"github.com/moby/sys/user"

 	"github.com/pkg/errors"

@@ -10,8 +10,8 @@ import (

 	"testing"

 	cerrdefs "github.com/containerd/errdefs"

+	"github.com/docker/docker/daemon/internal/quota"

 	"github.com/docker/docker/pkg/idtools"

-	"github.com/docker/docker/quota"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

 )

@@ -14,8 +14,8 @@ import (

 	"syscall"

 	"time"

+	"github.com/docker/docker/daemon/internal/quota"

 	"github.com/docker/docker/errdefs"

-	"github.com/docker/docker/quota"

 	"github.com/docker/go-units"

 	"github.com/moby/sys/mount"

 	"github.com/moby/sys/mountinfo"

deleted file mode 100644

@@ -1,16 +0,0 @@

-package quota

-

-import "github.com/docker/docker/errdefs"

-

-var _ errdefs.ErrNotImplemented = (*errQuotaNotSupported)(nil)

-

-// ErrQuotaNotSupported indicates if were found the FS didn't have projects quotas available

-var ErrQuotaNotSupported = errQuotaNotSupported{}

-

-type errQuotaNotSupported struct{}

-

-func (e errQuotaNotSupported) NotImplemented() {}

-

-func (e errQuotaNotSupported) Error() string {

-	return "Filesystem does not support, or has not enabled quotas"

-}

deleted file mode 100644

@@ -1,446 +0,0 @@

-//go:build linux && !exclude_disk_quota && cgo

-

-//

-// projectquota.go - implements XFS project quota controls

-// for setting quota limits on a newly created directory.

-// It currently supports the legacy XFS specific ioctls.

-//

-// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR

-//       for both xfs/ext4 for kernel version >= v4.5

-//

-

-package quota

-

-/*

-#include <stdlib.h>

-#include <dirent.h>

-#include <linux/fs.h>

-#include <linux/quota.h>

-#include <linux/dqblk_xfs.h>

-

-#ifndef FS_XFLAG_PROJINHERIT

-struct fsxattr {

-	__u32		fsx_xflags;

-	__u32		fsx_extsize;

-	__u32		fsx_nextents;

-	__u32		fsx_projid;

-	unsigned char	fsx_pad[12];

-};

-#define FS_XFLAG_PROJINHERIT	0x00000200

-#endif

-#ifndef FS_IOC_FSGETXATTR

-#define FS_IOC_FSGETXATTR		_IOR ('X', 31, struct fsxattr)

-#endif

-#ifndef FS_IOC_FSSETXATTR

-#define FS_IOC_FSSETXATTR		_IOW ('X', 32, struct fsxattr)

-#endif

-