Mounting a ZFS snapshot by another user

Hi,

I set up some scripts to create snapshots of my ZFS pool at regular intervals, and then another script to mount the latest snapshot of each dataset in the pool to a specific location, recreating a snapshot of my pool for backup. The goal is to use Bacula to always back up the snapshot, to avoid data being in an inconsistent state. The mount script is then executed by the bacula user at the beginning of the backup job. The scripts work fine, but I have an issue with the script being executed by the backup user and not the pool owner.

So I set up the delegation of the pool to:

Code:
---- Permissions on tank --------------------------------------------
Permission sets:
	@bacula aclinherit,clone,create,destroy,mount,mountpoint,readonly,sharenfs,userprop
Create time permissions:
	clone,create,destroy
Local+Descendent permissions:
	user bacula @bacula

I also set up the VFS sysctl:

Code:
vfs.usermount: 1

and finally, I grant full ACL access to the bacula user to the pool file system:

Code:
# file: /tank
# owner: dataowner
# group: dataowner
       user:bacula:rwxpDdaARWcCos:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow

Here is the thing: it works only partially. Apparently, it requires that the mount point of the dataset be owned by the bacula user and not dataowner, even when the user bacula has full access. Example:

To mount a dataset by user bacula: su -m bacula -c "zfs clone -o readonly=on -o mountpoint=/tank/latest-snapshot tank/dataset1@snapN", one of two things will happen: if /tank/latest-snapshot does not exist, it will be created, owned by user bacula. However, if /tank/latest-snapshot exists in the parent dataset (where it is owned by dataowner), it will fail with "Insufficient privileges", even when the user bacula is given full access by the ACL. If I change the owner of the mount point it works correctly.

Can anyone explain what I am missing?

Thanks in advance.

PS: as to why this will be an issue: This will extrapolate to a big issue when mounting hierarchical datasets with different owners in my snapshots, and I cannot change the ownership of a mountpoint inside a snapshot because it is readonly.
 
Hi @gmarcus!

Filesystem ACLs and ZFS ACLs are different in the way that ZFS ACLs propagate down instantly, FS ACLs don't. You'll have to copy the "tank" directory's ACLs and apply them to all descendants before it'll work. And the clone must be made from a snapshot _after_ this has been applied.

Here's a few lines of code that accomplish that. It takes the ACLs from ${SOURCE_DIR} and applies them to ${TARGET_DIR}. In your case SOURCE_DIR="/tank" and TARGET_DIR="/tank/dataset1" (assuming that "tank/dataset1" is mounted at "/tank/dataset1").
Code:
# Save the ACL of ${SOURCE_DIR} once, in a private temp file rather than a fixed /tmp name
ACL_FILE=$(mktemp /tmp/acl.XXXXXX) || exit 1
getfacl "${SOURCE_DIR}" > "${ACL_FILE}"
# Merge it into every directory under ${TARGET_DIR}; -exec passes each path as its own argument, so no quoting tricks are needed
find "${TARGET_DIR}" -type d -exec setfacl -M "${ACL_FILE}" {} +
rm -f "${ACL_FILE}"

HTH
/Sebulon
 
Hi @Sebulon!

Thanks for your reply. Yes, I was already redoing the snapshots/clone whenever I change the permissions. But I do not quite follow your statement that FS ACLs do not propagate. That is the meaning of 'd' in the ACL part ':fd' -> files and directories inherit the ACL. As a double check for this, I did:

Code:
root@hp:/tank # getfacl .
# file: .
# owner: dataowner
# group: dataowner
       user:bacula:rwxpDdaARWcCos:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
root@hp:/tank # mkdir tempdir
root@hp:/tank # getfacl tempdir
# file: tempdir
# owner: root
# group: dataowner
       user:bacula:rwxpDdaARWcCos:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
root@hp:/tank # su -m bacula -c 'zfs create tank/tempdir'
cannot mount 'tank/tempdir': Insufficient privileges
filesystem successfully created, but not mounted
root@hp:/zdata # zfs get aclinherit,aclmode /tank/tempdir/
NAME   PROPERTY    VALUE          SOURCE
tank  aclinherit  passthrough    local
tank  aclmode     passthrough    local

So the ZFS ACL is passthrough and the FS ACL sees the user entry, and everything looks right. I do not understand why ZFS focuses on the owner instead of the user ACL for the mount. So if you still see my mistake, I would be grateful if you took another moment to explain it...

gmarcus
 
Hi @gmarcus!

For new files and directories, yes you are correct. But for stuff that's already there, e.g. the stuff you presumably want to back up, you need to perform a manual update on the ACLs to add the bacula user to both the directories and files that it's supposed to back up.

/Sebulon
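
Added example, not part of the thread: the last reply says existing directories need the bacula entry applied by hand, so this sketch reads saved `getfacl` output and lists the directories that still lack it or lack the `fd` inheritance flags. The function names and the sample input are constructed for illustration; the ACL line format is the one printed in the posts above.

```shell
# Added example. Reads concatenated `getfacl` output for directories on stdin, e.g.
#   find /tank/dataset1 -type d -exec getfacl {} + | acl_audit bacula
# Prints "missing <path>" when no user:<name>:...:allow entry exists and
# "no-inherit <path>" when the entry lacks the f or d inheritance flag.
acl_audit() {   # hypothetical helper name
    awk -v user="$1" '
        function report() {
            if (path == "") return
            if (!found)        print "missing " path
            else if (!inherit) print "no-inherit " path
        }
        /^# file: / {            # start of the next path: report the previous one
            report()
            path = substr($0, 9); found = 0; inherit = 0
            next
        }
        /^#/ { next }            # owner and group comment lines
        {
            line = $0
            gsub(/[ \t]/, "", line)          # entries are right-aligned with spaces
            n = split(line, f, ":")
            if (n == 5 && f[1] == "user" && f[2] == user && f[5] == "allow") {
                found = 1
                if (f[4] ~ /f/ && f[4] ~ /d/) inherit = 1
            }
        }
        END { report() }
    '
}

sample_getfacl_output() {   # constructed sample in the format shown in the thread
    cat <<'EOF'
# file: /tank/dataset1
# owner: dataowner
# group: dataowner
       user:bacula:rwxpDdaARWcCos:fd----:allow
            owner@:rwxp--aARWcCos:------:allow

# file: /tank/dataset1/old
# owner: dataowner
# group: dataowner
            owner@:rwxp--aARWcCos:------:allow

# file: /tank/dataset1/mixed
# owner: dataowner
# group: dataowner
       user:bacula:r-x---a-R-c--s:------:allow
EOF
}
```

Running `sample_getfacl_output | acl_audit bacula` flags the second and third directories; an empty result on real output means every directory carries an inheritable allow entry for the user.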
 