ZFS How to configure ZFS for local user accounts.


I would like to enable users to create ZFS datasets within their home directory. Furthermore, I would also like to enable users to make snapshots, clones, and transfers (send/recv) of their datasets. The handbook seems to be a little vague on a few points. A detailed how-to would be useful.

The current setup is fairly standard:
zpool status
  pool: zroot
 state: ONLINE
  scan: scrub repaired 0 in 0h26m with 0 errors on Wed Oct 19 18:37:50 2016

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            ada0p3  ONLINE       0     0     0
            ada1p3  ONLINE       0     0     0

errors: No known data errors
zfs list -t all
zroot                153G   292G    96K  /zroot
zroot/ROOT          5.03G   292G    96K  none
zroot/ROOT/default  5.03G   292G  5.03G  /
zroot/tmp            124K   292G   124K  /tmp
zroot/usr            148G   292G    96K  /usr
zroot/usr/home       147G   292G   147G  /usr/home
zroot/usr/ports      650M   292G   650M  /usr/ports
zroot/usr/src         96K   292G    96K  /usr/src
zroot/var            784K   292G    96K  /var
zroot/var/audit       96K   292G    96K  /var/audit
zroot/var/crash       96K   292G    96K  /var/crash
zroot/var/log        280K   292G   280K  /var/log
zroot/var/mail       120K   292G   120K  /var/mail
zroot/var/tmp         96K   292G    96K  /var/tmp
And this is set:
sysctl vfs.usermount=1
echo vfs.usermount=1 >> /etc/sysctl.conf

Should a ZFS dataset be created for each user as their home directory?
If so, what's the best way to do that?
For existing users, I am tempted to do this:
zfs create zroot/usr/home/usertmp
chown user1:user1 /usr/home/usertmp
su user1
cp -R /usr/home/user1/* /usr/home/usertmp/
rm -rf /usr/home/user1
zfs rename zroot/usr/home/usertmp zroot/usr/home/user1
Then delegate permissions like this:
zfs allow -u user1 create,destroy,snapshot,rollback,clone,mount,send,receive zroot/usr/home/user1

Is this a reasonable process? Is there a slicker way to go about it? What about new user accounts?
Allowing users to have ZFS control is extremely unwise.

I am the only user (except for a trusted sftp-only user account). I have important data that I need to work with on a regular basis - this would be kept in user datasets with regular snapshots. I also have a lot of data that isn't important and might change often or be deleted entirely. So I don't want to snapshot the entire zroot/usr/home. Basically, I want more fine-grained control of the snapshot facility. Also, some datasets might be replicated off-site but I don't want to replicate all of zroot/usr/home. Again, more fine-grained control.

But I am curious, why is it extremely unwise to allow users to have ZFS control? (What are the issues)?
Possibly a bit reckless but I went ahead and tried it. The process given in the first post works. I tweaked it a bit (I used mv rather than cp, for example).
But I am curious, why is it extremely unwise to allow users to have ZFS control? (What are the issues)?

Sorry, I was thinking of ZFS on Linux a few years ago, when 'zfs allow' wasn't working properly at restricting users to certain zfs commands, and I thought FreeBSD could have similar issues. Sorry, I was mistaken. What you're suggesting will work as long as you have permissions set correctly for each user. I never used 'zfs allow' but it should work.
This is curious:
zfs create zroot/usr/home/hanzer/test
echo "foo" >> ~/test/bar
zfs snapshot zroot/usr/home/hanzer/test@2016_10_19
zfs diff zroot/usr/home/hanzer/test@2016_10_19
internal error: Invalid argument
Abort (core dumped)
zfs snapshot zroot/usr/home/hanzer/test@another_snapshot
zfs diff zroot/usr/home/hanzer/test@2016_10_19 zroot/usr/home/hanzer/test@another_snapshot
Unable to obtain diffs:
   The sys_mount privilege or diff delegated permission is needed
   to execute the diff ioctl
As root: # zfs allow -u hanzer diff zroot/usr/home/hanzer
Now everything works as expected:
echo "blah" >> ~/test/bar
zfs diff zroot/usr/home/hanzer/test@another_snapshot
M       /usr/home/hanzer/test/bar
zfs diff zroot/usr/home/hanzer/test@2016_10_19
M       /usr/home/hanzer/test/bar
I think that maybe it should not have core dumped. It's probably very reproducible if someone wants to file a bug report...
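
For the open question about new user accounts, the steps used in this thread (create the dataset, chown it, delegate the permission list plus the `diff` permission that turned out to be needed) can be wrapped in one script. This is an added example, not code posted by anyone in the thread; `DRY_RUN`, `HOME_PARENT`, the function names and the user-name rule are assumptions of the sketch, and it assumes the mountpoint is the dataset path without the pool name, as in the layout shown above.

```shell
#!/bin/sh
# Added example: provision a per-user home dataset and delegate ZFS rights.
# HOME_PARENT and PERMS come from the thread; DRY_RUN is an assumption of
# this sketch (1 = only print the commands, 0 = execute them as root).
HOME_PARENT="${HOME_PARENT:-zroot/usr/home}"
PERMS="create,destroy,snapshot,rollback,clone,mount,send,receive,diff"
DRY_RUN="${DRY_RUN:-1}"

# Accept only conservative login names, so the value can never add a path
# component ("/"), a snapshot separator ("@") or look like an option ("-x").
valid_user() {
    case "$1" in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create <HOME_PARENT>/<user>, hand the mountpoint to the user, and scope
# the delegation to that dataset (and its descendants), not the parent.
provision_home() {
    user="$1"
    valid_user "$user" || { echo "rejected user name: $user" >&2; return 1; }
    ds="$HOME_PARENT/$user"
    # Assumed layout: mountpoint is the dataset name minus the pool name.
    run zfs create "$ds" || return 1
    run chown "$user:$user" "/${ds#*/}" || return 1
    run zfs allow -u "$user" "$PERMS" "$ds" || return 1
    run zfs allow "$ds"    # show the resulting delegation for review
}

# Usage: sh provision.sh hanzer   (dry run unless DRY_RUN=0)
if [ "$#" -gt 0 ]; then
    provision_home "$1"
fi
```

Run it once with the default dry run and read the printed commands before setting `DRY_RUN=0`; the final `zfs allow <dataset>` prints the delegation so it can be checked against what was intended.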