@@ -13,8 +13,8 @@ import (

 	"unsafe"

 	"github.com/docker/docker/daemon/graphdriver"

-	"github.com/docker/docker/daemon/graphdriver/quota"

 	"github.com/docker/docker/pkg/stringid"

+	"github.com/docker/docker/quota"

 	units "github.com/docker/go-units"

 	"golang.org/x/sys/unix"

 	"gotest.tools/v3/assert"

@@ -18,7 +18,6 @@ import (

 	"github.com/containerd/containerd/sys"

 	"github.com/docker/docker/daemon/graphdriver"

 	"github.com/docker/docker/daemon/graphdriver/overlayutils"

-	"github.com/docker/docker/daemon/graphdriver/quota"

 	"github.com/docker/docker/pkg/archive"

 	"github.com/docker/docker/pkg/chrootarchive"

 	"github.com/docker/docker/pkg/containerfs"

@@ -27,6 +26,7 @@ import (

 	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/pkg/parsers"

 	"github.com/docker/docker/pkg/system"

+	"github.com/docker/docker/quota"

 	units "github.com/docker/go-units"

 	"github.com/moby/locker"

 	"github.com/moby/sys/mount"

deleted file mode 100644

@@ -1,19 +0,0 @@

-package quota // import "github.com/docker/docker/daemon/graphdriver/quota"

-

-import "github.com/docker/docker/errdefs"

-

-var (

-	_ errdefs.ErrNotImplemented = (*errQuotaNotSupported)(nil)

-)

-

-// ErrQuotaNotSupported indicates if were found the FS didn't have projects quotas available

-var ErrQuotaNotSupported = errQuotaNotSupported{}

-

-type errQuotaNotSupported struct {

-}

-

-func (e errQuotaNotSupported) NotImplemented() {}

-

-func (e errQuotaNotSupported) Error() string {

-	return "Filesystem does not support, or has not enabled quotas"

-}

deleted file mode 100644

@@ -1,377 +0,0 @@

-// +build linux,!exclude_disk_quota,cgo

-

-//

-// projectquota.go - implements XFS project quota controls

-// for setting quota limits on a newly created directory.

-// It currently supports the legacy XFS specific ioctls.

-//

-// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR

-//       for both xfs/ext4 for kernel version >= v4.5

-//

-

-package quota // import "github.com/docker/docker/daemon/graphdriver/quota"

-

-/*

-#include <stdlib.h>

-#include <dirent.h>

-#include <linux/fs.h>

-#include <linux/quota.h>

-#include <linux/dqblk_xfs.h>

-

-#ifndef FS_XFLAG_PROJINHERIT

-struct fsxattr {

-	__u32		fsx_xflags;

-	__u32		fsx_extsize;

-	__u32		fsx_nextents;

-	__u32		fsx_projid;

-	unsigned char	fsx_pad[12];

-};

-#define FS_XFLAG_PROJINHERIT	0x00000200

-#endif

-#ifndef FS_IOC_FSGETXATTR

-#define FS_IOC_FSGETXATTR		_IOR ('X', 31, struct fsxattr)

-#endif

-#ifndef FS_IOC_FSSETXATTR

-#define FS_IOC_FSSETXATTR		_IOW ('X', 32, struct fsxattr)

-#endif

-

-#ifndef PRJQUOTA

-#define PRJQUOTA	2

-#endif

-#ifndef XFS_PROJ_QUOTA

-#define XFS_PROJ_QUOTA	2

-#endif

-#ifndef Q_XSETPQLIM

-#define Q_XSETPQLIM QCMD(Q_XSETQLIM, PRJQUOTA)

-#endif

-#ifndef Q_XGETPQUOTA

-#define Q_XGETPQUOTA QCMD(Q_XGETQUOTA, PRJQUOTA)

-#endif

-

-const int Q_XGETQSTAT_PRJQUOTA = QCMD(Q_XGETQSTAT, PRJQUOTA);

-*/

-import "C"

-import (

-	"io/ioutil"

-	"path"

-	"path/filepath"

-	"unsafe"

-

-	"github.com/containerd/containerd/sys"

-	"github.com/pkg/errors"

-	"github.com/sirupsen/logrus"

-	"golang.org/x/sys/unix"

-)

-

-// NewControl - initialize project quota support.

-// Test to make sure that quota can be set on a test dir and find

-// the first project id to be used for the next container create.

-//

-// Returns nil (and error) if project quota is not supported.

-//

-// First get the project id of the home directory.

-// This test will fail if the backing fs is not xfs.

-//

-// xfs_quota tool can be used to assign a project id to the driver home directory, e.g.:

-//    echo 999:/var/lib/docker/overlay2 >> /etc/projects

-//    echo docker:999 >> /etc/projid

-//    xfs_quota -x -c 'project -s docker' /<xfs mount point>

-//

-// In that case, the home directory project id will be used as a "start offset"

-// and all containers will be assigned larger project ids (e.g. >= 1000).

-// This is a way to prevent xfs_quota management from conflicting with docker.

-//

-// Then try to create a test directory with the next project id and set a quota

-// on it. If that works, continue to scan existing containers to map allocated

-// project ids.

-//

-func NewControl(basePath string) (*Control, error) {

-	//

-	// If we are running in a user namespace quota won't be supported for

-	// now since makeBackingFsDev() will try to mknod().

-	//

-	if sys.RunningInUserNS() {

-		return nil, ErrQuotaNotSupported

-	}

-

-	//

-	// create backing filesystem device node

-	//

-	backingFsBlockDev, err := makeBackingFsDev(basePath)

-	if err != nil {

-		return nil, err

-	}

-

-	// check if we can call quotactl with project quotas

-	// as a mechanism to determine (early) if we have support

-	hasQuotaSupport, err := hasQuotaSupport(backingFsBlockDev)

-	if err != nil {

-		return nil, err

-	}

-	if !hasQuotaSupport {

-		return nil, ErrQuotaNotSupported

-	}

-

-	//

-	// Get project id of parent dir as minimal id to be used by driver

-	//

-	minProjectID, err := getProjectID(basePath)

-	if err != nil {

-		return nil, err

-	}

-	minProjectID++

-

-	//

-	// Test if filesystem supports project quotas by trying to set

-	// a quota on the first available project id

-	//

-	quota := Quota{

-		Size: 0,

-	}

-	if err := setProjectQuota(backingFsBlockDev, minProjectID, quota); err != nil {

-		return nil, err

-	}

-

-	q := Control{

-		backingFsBlockDev: backingFsBlockDev,

-		nextProjectID:     minProjectID + 1,

-		quotas:            make(map[string]uint32),

-	}

-

-	//

-	// get first project id to be used for next container

-	//

-	err = q.findNextProjectID(basePath)

-	if err != nil {

-		return nil, err

-	}

-

-	logrus.Debugf("NewControl(%s): nextProjectID = %d", basePath, q.nextProjectID)

-	return &q, nil

-}

-

-// SetQuota - assign a unique project id to directory and set the quota limits

-// for that project id

-func (q *Control) SetQuota(targetPath string, quota Quota) error {

-	q.RLock()

-	projectID, ok := q.quotas[targetPath]

-	q.RUnlock()

-	if !ok {

-		q.Lock()

-		projectID = q.nextProjectID

-

-		//

-		// assign project id to new container directory

-		//

-		err := setProjectID(targetPath, projectID)

-		if err != nil {

-			q.Unlock()

-			return err

-		}

-		q.quotas[targetPath] = projectID

-		q.nextProjectID++

-		q.Unlock()

-	}

-

-	//

-	// set the quota limit for the container's project id

-	//

-	logrus.Debugf("SetQuota(%s, %d): projectID=%d", targetPath, quota.Size, projectID)

-	return setProjectQuota(q.backingFsBlockDev, projectID, quota)

-}

-

-// setProjectQuota - set the quota for project id on xfs block device

-func setProjectQuota(backingFsBlockDev string, projectID uint32, quota Quota) error {

-	var d C.fs_disk_quota_t

-	d.d_version = C.FS_DQUOT_VERSION

-	d.d_id = C.__u32(projectID)

-	d.d_flags = C.XFS_PROJ_QUOTA

-

-	d.d_fieldmask = C.FS_DQ_BHARD | C.FS_DQ_BSOFT

-	d.d_blk_hardlimit = C.__u64(quota.Size / 512)

-	d.d_blk_softlimit = d.d_blk_hardlimit

-

-	var cs = C.CString(backingFsBlockDev)

-	defer C.free(unsafe.Pointer(cs))

-

-	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XSETPQLIM,

-		uintptr(unsafe.Pointer(cs)), uintptr(d.d_id),

-		uintptr(unsafe.Pointer(&d)), 0, 0)

-	if errno != 0 {

-		return errors.Wrapf(errno, "failed to set quota limit for projid %d on %s",

-			projectID, backingFsBlockDev)

-	}

-

-	return nil

-}

-

-// GetQuota - get the quota limits of a directory that was configured with SetQuota

-func (q *Control) GetQuota(targetPath string, quota *Quota) error {

-	q.RLock()

-	projectID, ok := q.quotas[targetPath]

-	q.RUnlock()

-	if !ok {

-		return errors.Errorf("quota not found for path: %s", targetPath)

-	}

-

-	//

-	// get the quota limit for the container's project id

-	//

-	var d C.fs_disk_quota_t

-

-	var cs = C.CString(q.backingFsBlockDev)

-	defer C.free(unsafe.Pointer(cs))

-

-	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XGETPQUOTA,

-		uintptr(unsafe.Pointer(cs)), uintptr(C.__u32(projectID)),

-		uintptr(unsafe.Pointer(&d)), 0, 0)

-	if errno != 0 {

-		return errors.Wrapf(errno, "Failed to get quota limit for projid %d on %s",

-			projectID, q.backingFsBlockDev)

-	}

-	quota.Size = uint64(d.d_blk_hardlimit) * 512

-

-	return nil

-}

-

-// getProjectID - get the project id of path on xfs

-func getProjectID(targetPath string) (uint32, error) {

-	dir, err := openDir(targetPath)

-	if err != nil {

-		return 0, err

-	}

-	defer closeDir(dir)

-

-	var fsx C.struct_fsxattr

-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR,

-		uintptr(unsafe.Pointer(&fsx)))

-	if errno != 0 {

-		return 0, errors.Wrapf(errno, "failed to get projid for %s", targetPath)

-	}

-

-	return uint32(fsx.fsx_projid), nil

-}

-

-// setProjectID - set the project id of path on xfs

-func setProjectID(targetPath string, projectID uint32) error {

-	dir, err := openDir(targetPath)

-	if err != nil {

-		return err

-	}

-	defer closeDir(dir)

-

-	var fsx C.struct_fsxattr

-	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR,

-		uintptr(unsafe.Pointer(&fsx)))

-	if errno != 0 {

-		return errors.Wrapf(errno, "failed to get projid for %s", targetPath)

-	}

-	fsx.fsx_projid = C.__u32(projectID)

-	fsx.fsx_xflags |= C.FS_XFLAG_PROJINHERIT

-	_, _, errno = unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSSETXATTR,

-		uintptr(unsafe.Pointer(&fsx)))

-	if errno != 0 {

-		return errors.Wrapf(errno, "failed to set projid for %s", targetPath)

-	}

-

-	return nil

-}

-

-// findNextProjectID - find the next project id to be used for containers

-// by scanning driver home directory to find used project ids

-func (q *Control) findNextProjectID(home string) error {

-	q.Lock()

-	defer q.Unlock()

-	files, err := ioutil.ReadDir(home)

-	if err != nil {

-		return errors.Errorf("read directory failed: %s", home)

-	}

-	for _, file := range files {

-		if !file.IsDir() {

-			continue

-		}

-		path := filepath.Join(home, file.Name())

-		projid, err := getProjectID(path)

-		if err != nil {

-			return err

-		}

-		if projid > 0 {

-			q.quotas[path] = projid

-		}

-		if q.nextProjectID <= projid {

-			q.nextProjectID = projid + 1

-		}

-	}

-

-	return nil

-}

-

-func free(p *C.char) {

-	C.free(unsafe.Pointer(p))

-}

-

-func openDir(path string) (*C.DIR, error) {

-	Cpath := C.CString(path)

-	defer free(Cpath)

-

-	dir := C.opendir(Cpath)

-	if dir == nil {

-		return nil, errors.Errorf("failed to open dir: %s", path)

-	}

-	return dir, nil

-}

-

-func closeDir(dir *C.DIR) {

-	if dir != nil {

-		C.closedir(dir)

-	}

-}

-

-func getDirFd(dir *C.DIR) uintptr {

-	return uintptr(C.dirfd(dir))

-}

-

-// Get the backing block device of the driver home directory

-// and create a block device node under the home directory

-// to be used by quotactl commands

-func makeBackingFsDev(home string) (string, error) {

-	var stat unix.Stat_t

-	if err := unix.Stat(home, &stat); err != nil {

-		return "", err

-	}

-

-	backingFsBlockDev := path.Join(home, "backingFsBlockDev")

-	// Re-create just in case someone copied the home directory over to a new device

-	unix.Unlink(backingFsBlockDev)

-	err := unix.Mknod(backingFsBlockDev, unix.S_IFBLK|0600, int(stat.Dev))

-	switch err {

-	case nil:

-		return backingFsBlockDev, nil

-

-	case unix.ENOSYS, unix.EPERM:

-		return "", ErrQuotaNotSupported

-

-	default:

-		return "", errors.Wrapf(err, "failed to mknod %s", backingFsBlockDev)

-	}

-}

-

-func hasQuotaSupport(backingFsBlockDev string) (bool, error) {

-	var cs = C.CString(backingFsBlockDev)

-	defer free(cs)

-	var qstat C.fs_quota_stat_t

-

-	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, uintptr(C.Q_XGETQSTAT_PRJQUOTA), uintptr(unsafe.Pointer(cs)), 0, uintptr(unsafe.Pointer(&qstat)), 0, 0)

-	if errno == 0 && qstat.qs_flags&C.FS_QUOTA_PDQ_ENFD > 0 && qstat.qs_flags&C.FS_QUOTA_PDQ_ACCT > 0 {

-		return true, nil

-	}

-

-	switch errno {

-	// These are the known fatal errors, consider all other errors (ENOTTY, etc.. not supporting quota)

-	case unix.EFAULT, unix.ENOENT, unix.ENOTBLK, unix.EPERM:

-	default:

-		return false, nil

-	}

-

-	return false, errno

-}

deleted file mode 100644

@@ -1,152 +0,0 @@

-// +build linux

-

-package quota // import "github.com/docker/docker/daemon/graphdriver/quota"

-

-import (

-	"io"

-	"io/ioutil"

-	"os"

-	"os/exec"

-	"path/filepath"

-	"testing"

-

-	"golang.org/x/sys/unix"

-	"gotest.tools/v3/assert"

-	is "gotest.tools/v3/assert/cmp"

-	"gotest.tools/v3/fs"

-)

-

-// 10MB

-const testQuotaSize = 10 * 1024 * 1024

-const imageSize = 64 * 1024 * 1024

-

-func TestBlockDev(t *testing.T) {

-	mkfs, err := exec.LookPath("mkfs.xfs")

-	if err != nil {

-		t.Skip("mkfs.xfs not found in PATH")

-	}

-

-	// create a sparse image

-	imageFile, err := ioutil.TempFile("", "xfs-image")

-	if err != nil {

-		t.Fatal(err)

-	}

-	imageFileName := imageFile.Name()

-	defer os.Remove(imageFileName)

-	if _, err = imageFile.Seek(imageSize-1, 0); err != nil {

-		t.Fatal(err)

-	}

-	if _, err = imageFile.Write([]byte{0}); err != nil {

-		t.Fatal(err)

-	}

-	if err = imageFile.Close(); err != nil {

-		t.Fatal(err)

-	}

-

-	// The reason for disabling these options is sometimes people run with a newer userspace

-	// than kernelspace

-	out, err := exec.Command(mkfs, "-m", "crc=0,finobt=0", imageFileName).CombinedOutput()

-	if len(out) > 0 {

-		t.Log(string(out))

-	}

-	if err != nil {

-		t.Fatal(err)

-	}

-

-	t.Run("testBlockDevQuotaDisabled", wrapMountTest(imageFileName, false, testBlockDevQuotaDisabled))

-	t.Run("testBlockDevQuotaEnabled", wrapMountTest(imageFileName, true, testBlockDevQuotaEnabled))

-	t.Run("testSmallerThanQuota", wrapMountTest(imageFileName, true, wrapQuotaTest(testSmallerThanQuota)))

-	t.Run("testBiggerThanQuota", wrapMountTest(imageFileName, true, wrapQuotaTest(testBiggerThanQuota)))

-	t.Run("testRetrieveQuota", wrapMountTest(imageFileName, true, wrapQuotaTest(testRetrieveQuota)))

-}

-

-func wrapMountTest(imageFileName string, enableQuota bool, testFunc func(t *testing.T, mountPoint, backingFsDev string)) func(*testing.T) {

-	return func(t *testing.T) {

-		mountOptions := "loop"

-

-		if enableQuota {

-			mountOptions = mountOptions + ",prjquota"

-		}

-

-		mountPointDir := fs.NewDir(t, "xfs-mountPoint")

-		defer mountPointDir.Remove()

-		mountPoint := mountPointDir.Path()

-

-		out, err := exec.Command("mount", "-o", mountOptions, imageFileName, mountPoint).CombinedOutput()

-		if err != nil {

-			_, err := os.Stat("/proc/fs/xfs")

-			if os.IsNotExist(err) {

-				t.Skip("no /proc/fs/xfs")

-			}

-		}

-

-		assert.NilError(t, err, "mount failed: %s", out)

-

-		defer func() {

-			assert.NilError(t, unix.Unmount(mountPoint, 0))

-		}()

-

-		backingFsDev, err := makeBackingFsDev(mountPoint)

-		assert.NilError(t, err)

-

-		testFunc(t, mountPoint, backingFsDev)

-	}

-}

-

-func testBlockDevQuotaDisabled(t *testing.T, mountPoint, backingFsDev string) {

-	hasSupport, err := hasQuotaSupport(backingFsDev)

-	assert.NilError(t, err)

-	assert.Check(t, !hasSupport)

-}

-

-func testBlockDevQuotaEnabled(t *testing.T, mountPoint, backingFsDev string) {

-	hasSupport, err := hasQuotaSupport(backingFsDev)

-	assert.NilError(t, err)

-	assert.Check(t, hasSupport)

-}

-

-func wrapQuotaTest(testFunc func(t *testing.T, ctrl *Control, mountPoint, testDir, testSubDir string)) func(t *testing.T, mountPoint, backingFsDev string) {

-	return func(t *testing.T, mountPoint, backingFsDev string) {

-		testDir, err := ioutil.TempDir(mountPoint, "per-test")

-		assert.NilError(t, err)

-		defer os.RemoveAll(testDir)

-

-		ctrl, err := NewControl(testDir)

-		assert.NilError(t, err)

-

-		testSubDir, err := ioutil.TempDir(testDir, "quota-test")

-		assert.NilError(t, err)

-		testFunc(t, ctrl, mountPoint, testDir, testSubDir)

-	}

-

-}

-

-func testSmallerThanQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {

-	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))

-	smallerThanQuotaFile := filepath.Join(testSubDir, "smaller-than-quota")

-	assert.NilError(t, ioutil.WriteFile(smallerThanQuotaFile, make([]byte, testQuotaSize/2), 0644))

-	assert.NilError(t, os.Remove(smallerThanQuotaFile))

-}

-

-func testBiggerThanQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {

-	// Make sure the quota is being enforced

-	// TODO: When we implement this under EXT4, we need to shed CAP_SYS_RESOURCE, otherwise

-	// we're able to violate quota without issue

-	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))

-

-	biggerThanQuotaFile := filepath.Join(testSubDir, "bigger-than-quota")

-	err := ioutil.WriteFile(biggerThanQuotaFile, make([]byte, testQuotaSize+1), 0644)

-	assert.Assert(t, is.ErrorContains(err, ""))

-	if err == io.ErrShortWrite {

-		assert.NilError(t, os.Remove(biggerThanQuotaFile))

-	}

-}

-

-func testRetrieveQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {

-	// Validate that we can retrieve quota

-	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))

-

-	var q Quota

-	assert.NilError(t, ctrl.GetQuota(testSubDir, &q))

-	assert.Check(t, is.Equal(uint64(testQuotaSize), q.Size))

-}

deleted file mode 100644

@@ -1,18 +0,0 @@

-// +build linux,exclude_disk_quota linux,!cgo

-

-package quota // import "github.com/docker/docker/daemon/graphdriver/quota"

-

-func NewControl(basePath string) (*Control, error) {

-	return nil, ErrQuotaNotSupported

-}

-

-// SetQuota - assign a unique project id to directory and set the quota limits

-// for that project id

-func (q *Control) SetQuota(targetPath string, quota Quota) error {

-	return ErrQuotaNotSupported

-}

-

-// GetQuota - get the quota limits of a directory that was configured with SetQuota

-func (q *Control) GetQuota(targetPath string, quota *Quota) error {

-	return ErrQuotaNotSupported

-}

deleted file mode 100644

@@ -1,19 +0,0 @@

-// +build linux

-

-package quota // import "github.com/docker/docker/daemon/graphdriver/quota"

-

-import "sync"

-

-// Quota limit params - currently we only control blocks hard limit

-type Quota struct {

-	Size uint64

-}

-

-// Control - Context to be used by storage driver (e.g. overlay)

-// who wants to apply project quotas to container dirs

-type Control struct {

-	backingFsBlockDev string

-	sync.RWMutex      // protect nextProjectID and quotas map

-	nextProjectID     uint32

-	quotas            map[string]uint32

-}

@@ -6,12 +6,12 @@ import (

 	"path/filepath"

 	"github.com/docker/docker/daemon/graphdriver"

-	"github.com/docker/docker/daemon/graphdriver/quota"

 	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/pkg/containerfs"

 	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/pkg/parsers"

 	"github.com/docker/docker/pkg/system"

+	"github.com/docker/docker/quota"

 	units "github.com/docker/go-units"

 	"github.com/opencontainers/selinux/go-selinux/label"

 	"github.com/pkg/errors"

@@ -1,7 +1,7 @@

 package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"

 import (

-	"github.com/docker/docker/daemon/graphdriver/quota"

+	"github.com/docker/docker/quota"

 	"github.com/sirupsen/logrus"

 )

@@ -2,7 +2,7 @@

 package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"

-import "github.com/docker/docker/daemon/graphdriver/quota"

+import "github.com/docker/docker/quota"

 type driverQuota struct {

 }

new file mode 100644

@@ -0,0 +1,19 @@

+package quota // import "github.com/docker/docker/quota"

+

+import "github.com/docker/docker/errdefs"

+

+var (

+	_ errdefs.ErrNotImplemented = (*errQuotaNotSupported)(nil)

+)

+

+// ErrQuotaNotSupported indicates if were found the FS didn't have projects quotas available

+var ErrQuotaNotSupported = errQuotaNotSupported{}

+

+type errQuotaNotSupported struct {

+}

+

+func (e errQuotaNotSupported) NotImplemented() {}

+

+func (e errQuotaNotSupported) Error() string {

+	return "Filesystem does not support, or has not enabled quotas"

+}

new file mode 100644

@@ -0,0 +1,442 @@

+// +build linux,!exclude_disk_quota,cgo

+

+//

+// projectquota.go - implements XFS project quota controls

+// for setting quota limits on a newly created directory.

+// It currently supports the legacy XFS specific ioctls.

+//

+// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR

+//       for both xfs/ext4 for kernel version >= v4.5

+//

+

+package quota // import "github.com/docker/docker/quota"

+

+/*

+#include <stdlib.h>

+#include <dirent.h>

+#include <linux/fs.h>

+#include <linux/quota.h>

+#include <linux/dqblk_xfs.h>

+

+#ifndef FS_XFLAG_PROJINHERIT

+struct fsxattr {

+	__u32		fsx_xflags;

+	__u32		fsx_extsize;

+	__u32		fsx_nextents;

+	__u32		fsx_projid;

+	unsigned char	fsx_pad[12];

+};

+#define FS_XFLAG_PROJINHERIT	0x00000200

+#endif

+#ifndef FS_IOC_FSGETXATTR

+#define FS_IOC_FSGETXATTR		_IOR ('X', 31, struct fsxattr)

+#endif

+#ifndef FS_IOC_FSSETXATTR

+#define FS_IOC_FSSETXATTR		_IOW ('X', 32, struct fsxattr)

+#endif

+

+#ifndef PRJQUOTA

+#define PRJQUOTA	2

+#endif

+#ifndef XFS_PROJ_QUOTA

+#define XFS_PROJ_QUOTA	2

+#endif

+#ifndef Q_XSETPQLIM

+#define Q_XSETPQLIM QCMD(Q_XSETQLIM, PRJQUOTA)

+#endif

+#ifndef Q_XGETPQUOTA

+#define Q_XGETPQUOTA QCMD(Q_XGETQUOTA, PRJQUOTA)

+#endif

+

+const int Q_XGETQSTAT_PRJQUOTA = QCMD(Q_XGETQSTAT, PRJQUOTA);

+*/

+import "C"

+import (

+	"io/ioutil"

+	"path"

+	"path/filepath"

+	"sync"

+	"unsafe"

+

+	"github.com/containerd/containerd/sys"

+	"github.com/pkg/errors"

+	"github.com/sirupsen/logrus"

+	"golang.org/x/sys/unix"

+)

+

+type pquotaState struct {

+	sync.Mutex

+	nextProjectID uint32

+}

+

+var pquotaStateInst *pquotaState

+var pquotaStateOnce sync.Once

+

+// getPquotaState - get global pquota state tracker instance

+func getPquotaState() *pquotaState {

+	pquotaStateOnce.Do(func() {

+		pquotaStateInst = &pquotaState{

+			nextProjectID: 1,

+		}

+	})

+	return pquotaStateInst

+}

+

+// registerBasePath - register a new base path and update nextProjectID

+func (state *pquotaState) updateMinProjID(minProjectID uint32) {

+	state.Lock()

+	defer state.Unlock()

+	if state.nextProjectID <= minProjectID {

+		state.nextProjectID = minProjectID + 1

+	}

+}

+

+// NewControl - initialize project quota support.

+// Test to make sure that quota can be set on a test dir and find

+// the first project id to be used for the next container create.

+//

+// Returns nil (and error) if project quota is not supported.

+//

+// First get the project id of the home directory.

+// This test will fail if the backing fs is not xfs.

+//

+// xfs_quota tool can be used to assign a project id to the driver home directory, e.g.:

+//    echo 999:/var/lib/docker/overlay2 >> /etc/projects

+//    echo docker:999 >> /etc/projid

+//    xfs_quota -x -c 'project -s docker' /<xfs mount point>

+//

+// In that case, the home directory project id will be used as a "start offset"

+// and all containers will be assigned larger project ids (e.g. >= 1000).

+// This is a way to prevent xfs_quota management from conflicting with docker.

+//

+// Then try to create a test directory with the next project id and set a quota

+// on it. If that works, continue to scan existing containers to map allocated

+// project ids.

+//

+func NewControl(basePath string) (*Control, error) {

+	//

+	// If we are running in a user namespace quota won't be supported for

+	// now since makeBackingFsDev() will try to mknod().

+	//

+	if sys.RunningInUserNS() {

+		return nil, ErrQuotaNotSupported

+	}

+

+	//

+	// create backing filesystem device node

+	//

+	backingFsBlockDev, err := makeBackingFsDev(basePath)

+	if err != nil {

+		return nil, err

+	}

+

+	// check if we can call quotactl with project quotas

+	// as a mechanism to determine (early) if we have support

+	hasQuotaSupport, err := hasQuotaSupport(backingFsBlockDev)

+	if err != nil {

+		return nil, err

+	}

+	if !hasQuotaSupport {

+		return nil, ErrQuotaNotSupported

+	}

+

+	//

+	// Get project id of parent dir as minimal id to be used by driver

+	//

+	baseProjectID, err := getProjectID(basePath)

+	if err != nil {

+		return nil, err

+	}

+	minProjectID := baseProjectID + 1

+

+	//

+	// Test if filesystem supports project quotas by trying to set

+	// a quota on the first available project id

+	//

+	quota := Quota{

+		Size: 0,

+	}

+	if err := setProjectQuota(backingFsBlockDev, minProjectID, quota); err != nil {

+		return nil, err

+	}

+

+	q := Control{

+		backingFsBlockDev: backingFsBlockDev,

+		quotas:            make(map[string]uint32),

+	}

+

+	//

+	// update minimum project ID

+	//

+	state := getPquotaState()

+	state.updateMinProjID(minProjectID)

+

+	//

+	// get first project id to be used for next container

+	//

+	err = q.findNextProjectID(basePath, baseProjectID)

+	if err != nil {

+		return nil, err

+	}

+

+	logrus.Debugf("NewControl(%s): nextProjectID = %d", basePath, state.nextProjectID)

+	return &q, nil

+}

+

+// SetQuota - assign a unique project id to directory and set the quota limits

+// for that project id