Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Linux CLI tool for CCR quota reporting

What is iquota?

iquota is a command line tool and associated server application for reporting quotas for CCR storage systems.

Linux clients mount storage systems over nfs. Users obtain kerberos credentials via knit and run the iquota client command which connects to the iquota-server (proxy) over HTTPS (using GSSAPI/SPNEGO for auth). The iquota-proxy server validates the users kerberos credentials and requests quota information cached in redis.


  • User/Group quota reporting from command line
  • Kerberos based authentication
  • Caching via redis


  • Linux
  • Kerberos
  • sssd-ifp (SSSD InfoPipe responder)

Install and configure iquota-server proxy

Note these docs are for CentOS 7.x. May need adjusting depending on your flavor of Linux

Download the RPM release here:

$ rpm -Uvh iquota-server-0.x.x-x.el7.centos.x86_64.rpm

Setup Kerberos HTTP keytab

The iquota-server uses Kerberos authentication. You'll need to create a HTTP service keytab file. For example:

kadmin: addprinc -randkey HTTP/

If using FreeIPA you can run:

$ ipa service-add HTTP/
$ ipa-getkeytab -s -p HTTP/ -k http.keytab

Configure sssd

iquota-server uses sssd-ifp (SSSD InfoPipe responder) over DBUS to fetch the unix groups for a given user. For more information on sssd-ifp see here.

Ensure the sssd-dbus package is installed:

# yum install sssd-dbus

Configure sssd-ifp. Add the following lines to /etc/sssd/sssd.conf:

services = nss, sudo, pam, ssh, ifp

allowed_uids = iquota, root

Restart sssd to make the changes take effect:

# systemctl restart sssd

You can test to ensure sssd-ifp is configured properly by running the following command. The array of unix groups for the user should be displayed:

# dbus-send --print-reply --system \
  --dest=org.freedesktop.sssd.infopipe \
  /org/freedesktop/sssd/infopipe \
  org.freedesktop.sssd.infopipe.GetUserGroups \

   array [
      string "physics"
      string "compsci"
      string "users"

Configure iquota.yaml

Edit iquota configuration file:

$ vim /etc/iquota/iquota.yaml
keytab: "/path/to/http.keytab"
[ edit to taste ]

It's highly recommended to run iquota-server using HTTPS. You'll need an SSL cert/private_key either using FreeIPA's PKI, self-signed, or from a commercial certificate authority. Creating SSL certs is outside the scope of this document. You can also run iquota-server behind haproxy or Apache/Nginx.

Copy your SSL cert/private_key to the following directories and set correct paths in /etc/iquota/iquota.yaml. The iquota-server binary will run as non-root user (iquota) so need to ensure file perms are set correctly:

$ mkdir /etc/iquota/{cert,private}
$ cp my.crt /etc/iquota/cert/my.crt
$ cp my.key /etc/iquota/private/my.key
$ chmod 640 /etc/iquota/private/my.key
$ chgrp iquota /etc/iquota/private/my.key

Start iquota-server service

Start iquota-server service:

$ systemctl restart iquota-server
$ systemctl enable iquota-server

To view iquota-server system logs run:

$ journalctl -u iquota-server

Install iquota on all client machines mounting storage over nfs

On all client machines mounting storage over nfs install the iquota client. Download the RPM release here:

$ rpm -Uvh iquota-0.x.x-x.el7.centos.x86_64.rpm

Edit iquota configuration file. Add URL for iquota-server:

$ vim /etc/iquota/iquota.yaml
iquota_url: ""
[ edit to taste ]


Check user/group quotas:

$ kinit walterwhite
Password for walterwhite@REALM:
$ iquota -u -g
User quotas:
Filesystem  user               files      used     limit    grace
            (default)                             2.0 GB   1 week
            walterwhite           34    370 kB    2.0 GB   1 week

Group quotas:
Filesystem  group              files      used     limit    grace
            (default)                             520 GB   1 week
            hermanos               4    699 MB    520 GB   1 week

Configure caching

iquota-server should be configured to cache results for a given time period. This helps reduce the load on the storage APIs and provide better iquota performance. To enable caching first install redis then update /etc/iquota/iquota.yaml.

Install Redis (install from EPEL):

$ yum install
$ yum install redis
$ systemctl restart redis
$ systecmtl enable redis

Edit /etc/iquota/iquota.yaml and restart:

$ vi /etc/iquota/iquota.yaml
enable_caching: true

$ systecmtl restart iquota-server


iquota is released under a BSD style license. See the LICENSE file.