Date: Wed, 28 May 2014 22:17:14 +0200
From: Guillermo Marcus <guillermo.marcus@gmail.com>
To: freebsd-questions@FreeBSD.org
Subject: Mounting a ZFS snapshot by another user
Message-ID: <80D52646-2377-447F-BBC4-BEF642585391@gmail.com>

Hi all,

I am using ZFS in a FreeBSD 10.0-RELEASE (10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789). I set up some scripts to create snapshots of my ZFS pool at regular intervals, and then another script to mount the latest snapshot of each dataset in the pool to a specific location, recreating a snapshot of my pool for backup. The goal is to use Bacula to always back up the snapshot, to avoid data being in an inconsistent state. The mount script is then executed by the bacula user at the beginning of the backup job.

The scripts work fine, but I have an issue with the script being executed by the backup user and not the pool owner. So I set up the delegation of the pool to:

    ---- Permissions on tank --------------------------------------------
    Permission sets:
            @bacula aclinherit,clone,create,destroy,mount,mountpoint,readonly,sharenfs,userprop
    Create time permissions:
            clone,create,destroy
    Local+Descendent permissions:
            user bacula @bacula

I also set up the VFS sysctl:

    vfs.usermount: 1

and finally, I grant full ACL access to the bacula user to the pool file system:

    # file: /tank
    # owner: dataowner
    # group: dataowner
    user:bacula:rwxpDdaARWcCos:fd----:allow
    owner@:rwxp--aARWcCos:------:allow
    group@:r-x---a-R-c--s:------:allow
    everyone@:r-x---a-R-c--s:------:allow

Here is the thing: it works only partially. Apparently, it requires that the mount point of the dataset be owned by the bacula user and not dataowner, even when the user bacula has full access.

Example: To mount a dataset by user bacula:

    su -m bacula -c "zfs clone -o readonly=on -o mountpoint=/tank/latest-snapshot tank/dataset1@snapN"

one of two things will happen: if /tank/latest-snapshot does not exist, it will be created, owned by user bacula. However, if /tank/latest-snapshot exists in the parent dataset (where it is owned by dataowner), it will fail with "Insufficient privileges", even when the user bacula is given full access by the ACL. If I change the owner of the mount point it works correctly.

Can anyone explain what I am missing? Thanks in advance.

PS: as to why this will be an issue: This will extrapolate to a big issue when mounting hierarchical datasets with different owners in my snapshots, and I cannot change the ownership of a mountpoint inside a snapshot because it is readonly.

Best Regards,
G. Marcus
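
Added example (not part of the original message): a pre-flight check for the failure reported above, where an unprivileged `zfs clone -o mountpoint=...` is refused when the target directory already exists and belongs to a different user. The function names are hypothetical, and the pass/fail rule encodes only the behaviour described in the message, so a backup job can report bad mountpoints before it starts.

```shell
#!/bin/sh
# Pre-flight check for mountpoints used by an unprivileged "zfs clone".
# Rule taken from the behaviour reported in the message (an assumption, not
# a statement of the kernel's exact logic):
#   - mountpoint missing            -> created on mount, owned by the user
#   - mountpoint owned by the user  -> mount succeeds
#   - mountpoint owned by another   -> "Insufficient privileges", ACLs ignored

# classify_mountpoint PATH UID
# Prints create | ok | foreign | notdir; returns non-zero for the failing states.
classify_mountpoint() {
    path=$1
    uid=$2
    if [ ! -e "$path" ]; then
        echo create
        return 0
    fi
    if [ ! -d "$path" ]; then
        echo notdir
        return 1
    fi
    # Numeric owner is field 3 of "ls -ldn"; -L resolves a symlinked mountpoint.
    owner=$(ls -ldnL -- "$path" | awk '{print $3}')
    if [ "$owner" = "$uid" ]; then
        echo ok
        return 0
    fi
    echo foreign
    return 1
}

# preflight UID PATH...
# Reports the state of every mountpoint; returns non-zero if any would fail.
preflight() {
    uid=$1
    shift
    rc=0
    for mp in "$@"; do
        state=$(classify_mountpoint "$mp" "$uid") || rc=1
        printf '%-8s %s\n' "$state" "$mp"
    done
    return $rc
}

# Typical call from the backup job, run as the backup user:
#   preflight "$(id -u)" /tank/latest-snapshot || exit 1
```
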