Dave Heiland writes:
With 4.1c quotas have improved by allowing restrictions on users in a specific tree - which makes me wonder how people are using quotas.
I can tell you about the customer requests that drove our design. There appear to be very different usage patterns, depending on the customer type:
At technical or engineering sites, quotas tend to cause revolts. These sites often use tree quotas but rarely user or group quotas.
At universities, user quotas are an absolute necessity for students, and sometimes for professors.
Non-technical corporate sites span a broad range between the university and engineering extremes.
Real world requests for the "separate user quotas for each quota tree" feature included:
Universities wanted to set a per-user quota on everyone in the home directory area, but still to allow specific individuals to work on projects in separate quota trees where an individual quota is not appropriate. (One student may be working with a professor whose research involves large data sets, for instance, but still shouldn't get any extra space in the home directory partition.)
Several companies also wanted a home directory area with a quota, along with project areas that don't have a quota.
Someone else wanted one quota in the mail spool, but a separate quota for home directories.
Universities and similar environments also drove the default quotas. We had sites with many thousands of users, and with many users being added each day. Without default quotas or "quota resize", they ended up with quotas being restarted (and hence not enforced) an unacceptable amount of the time as they added new users. Defaults ensure that there will always be a quota for everyone, and "quota resize" lets them change existing quotas without any non-enforcement time.
In this case, what could be useful in addition to an upper limit on directory sizes is having a guaranteed minimum space for a directory.
...
This would add extra complexity and might not even be possible - has anyone else considered this to be possibly useful?
I call a guaranteed space allocation a "reservation". Reservations are possible, but they do impose more complexity and more processing overhead. We've had little if any strong pressure for reservations.
Our philosophy at Network Appliance is to leave features out unless we get strong demand. Sometimes it isn't even worth it to include a feature that a few people demand if it imposes complexity on the rest of the people who don't want it.
Quotas also seem to be a bit confusing [that] you have to create a quota directory via 'quota qtree'.
Applying quotas to an arbitrary subtree is tricky. If there are hard-links to files outside the quota tree, should the file be counted as part of the quota or not? What if the file started outside the quota tree and then got linked in? What if the file started inside the quota tree and then got linked out? (This one is particularly tricky if the inside link later gets deleted, because there is no pointer from an inode back to all the directory entries that point at it. There's no way to know if the still remaining link is from inside the quota tree or not.)
Also, if you rename a subtree from outside the quota tree to inside the quota tree, the quota code would need recursively traverse the contents of the subtree. NFS doesn't like it when a single operation takes a very long time (remember the "large deletes cause NFS timeouts" messages recently!), but finding the size of an arbitrary subtree being renamed could be very slow.
To resolve these issues, we designed quota trees to behave like separate filesystems. You can't do links between quota trees, and you can't do a rename into a quota tree from outside it. If a RENAME tries to move a file into a quota tree, then the NFS code returns EXDEV, which tells the "mv" command to do the copy and remove itself, just as it would between two separate partitions in UNIX. If I had it to do over again, I might design a separate "virtual partition" interface for quota trees instead of mixing them in with user and group quotas, since that does cause some confusion. Then again, that would create a whole new command interface, so maybe it wouldn't really be simpler.
I don't know whether this level of detail in our design process is interesting to people or not, but hopefully it helps explain why quotas work they way they do.
Dave Heiland