Date:      Thu, 7 Nov 2019 23:06:24 +0100
From:      Peter Eriksson <pen@lysator.liu.se>
To:        Jan Behrens <jbe-mlist@magnetkern.de>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: ZFS snapdir readability (Crosspost)
Message-ID:  <FBB088B0-CE5C-45DC-8F2F-0D0AA2703846@lysator.liu.se>
In-Reply-To: <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de>
References:  <20191107004635.c6d2e7d464d3d556a0d87465@magnetkern.de>


The “easy” solution is to give each user (or group / project) their own ZFS filesystem. Then the “.zfs” directory would be inside the user's own $HOME and you can set $HOME to 0700….

That is what we are doing. Granted it generates a “few” filesystems (like some 20000 per server (we have around 120k users), and then add hourly snapshots to each as “icing” on the cake). Mounting all those takes a bit of time - but luckily with the latest FreeBSD release things are much faster these days :-)

There are some other issues with that - like 100% full filesystems causing severe system slowdown during writes… So you really wanna have some monitoring system that warns for that.

- Peter


> 
> I recently noticed that all ZFS filesystems in FreeBSD allow access to
> the .zfs directory (snapdir) for all users of the system. It is
> possible to hide that directory using the snapdir option:
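
Added example, not part of the e-mail thread or of anyone's posted code: a minimal check for the full-filesystem monitoring the reply above recommends when every user has their own ZFS filesystem. It reads `zfs list -H -p -o name,used,available` output and reports datasets at or above a fill threshold; the parent dataset `tank/home`, the 90% limit and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report ZFS datasets at or above a fill threshold.
# Input is what `zfs list -H -p -o name,used,available` prints:
# one dataset per line, tab-separated, sizes in bytes.

# check_fill LIMIT: read the listing on stdin, print "name pct%" for
# every dataset whose used / (used + available) is >= LIMIT percent.
check_fill() {
    awk -F '\t' -v limit="$1" '
        # Skip anything that is not name<TAB>bytes<TAB>bytes.
        NF < 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
        {
            total = $2 + $3
            if (total == 0) next          # zero-sized dataset, nothing to rate
            pct = int($2 * 100 / total)
            if (pct >= limit) printf "%s %d%%\n", $1, pct
        }'
}

# Constructed sample listing (dataset names and sizes are made up).
sample_listing() {
    printf 'tank/home/alice\t2147483648\t8589934592\n'
    printf 'tank/home/bob\t10737418240\t0\n'
    printf 'tank/home/carol\t10200547328\t536870912\n'
}

# Live listing; "tank/home" is a hypothetical parent of the per-user filesystems.
live_listing() {
    zfs list -H -p -r -t filesystem -o name,used,available "${1:-tank/home}"
}

# With "live [parent] [limit]" check the real system, otherwise the sample.
if [ "${1:-}" = "live" ]; then
    live_listing "${2:-tank/home}" | check_fill "${3:-90}"
else
    sample_listing | check_fill 90
fi
```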




