Friday Feb 13, 2009

I Want My ZFS

If you want to try out ZFS, you'll be glad to learn that when you install OpenSolaris 2008.11, the user you create during installation will have its home directory on a distinct ZFS filesystem. Running zfs list will show you that /export, /export/home, and /export/home/<username> are each ZFS filesystems.

haik@opensolaris:~$ zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                   2.41G  1.50G    72K  /rpool
rpool/ROOT              2.38G  1.50G    18K  legacy
rpool/ROOT/opensolaris  2.38G  1.50G  2.26G  /
rpool/export            21.2M  1.50G    19K  /export
rpool/export/home       21.2M  1.50G    19K  /export/home
rpool/export/home/haik  21.1M  1.50G  19.2M  /export/home/haik

If you enable the Time Slider service, a cron job will run periodically and create snapshots of these filesystems including your home directory. To see these snapshots you would run zfs list -t snapshot. I've limited the output to the name column here:

haik@opensolaris:~$ zfs list -t snapshot -o name
NAME
rpool/ROOT/opensolaris@install
rpool/export/home/haik@zfs-auto-snap:daily-2009-01-14-00:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-00:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-01:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-02:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-03:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-04:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-05:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-06:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-07:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-08:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-09:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-10:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-11:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-12:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-13:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-14:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-15:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-16:00
rpool/export/home/haik@zfs-auto-snap:hourly-2009-01-14-17:00
rpool/export/home/haik@zfs-auto-snap:frequent-2009-01-14-17:00
rpool/export/home/haik@zfs-auto-snap:frequent-2009-01-14-17:15
rpool/export/home/haik@zfs-auto-snap:frequent-2009-01-14-17:30
rpool/export/home/haik@zfs-auto-snap:frequent-2009-01-14-17:45

You can browse these snapshots in Nautilus (the Gnome graphical file browser) by navigating to your home directory and clicking the Time Slider button.


But what is it good for?

I've been using ZFS to backup my laptop home directory. I've created a ZFS fileystem "backup-powerbook" in my home directory on my OpenSolaris workstation. I use rsync over ssh to copy my laptop home directory over from my laptop to my OpenSolaris machine and then I take a snapshot when the rsync completes. For example, on the laptop:

haik@powerbook $ sudo /bin/bash
Password:
root@powerbook # pwd
/Users/haik
root@powerbook # cd ..
root@powerbook # rsync -avz --delete -e ssh \\
    haik haik@opensolaris.local:~/backup-powerbook/
and then on the workstation:
haik@opensolaris:~$ pfexec zfs snapshot \\
    rpool/export/home/haik/backup-powerbook@2009-02-12

You need administrator privileges? That ain't cool.

Note how I prefixed that zfs snapshot command with pfexec. Back in the old days of ZFS, all ZFS operations required root privileges. Since then, ZFS Delegated Administration was introduced. This feature allows the administrator to delegate ZFS privileges to certain users for certain filesystems. As I mentioned, by default OpenSolaris 2008.11 puts the initial user's home directory on a ZFS fileystem, but in order to take snapshots or create filesystems, the user will need to either a) su to the root role, b) use the administrator profile by executing pfexec or c) have been given the necessary ZFS permissions. On a standard 2008.11 fresh install, only the initial user can su to the root role or use the administrator profile.

For example,

haik@opensolaris:~$ pfexec zfs create rpool/export/home/haik/backup-powerbook
haik@opensolaris:~$ 

Without pfexec, the create fails:

haik@opensolaris:~$ zfs create rpool/export/home/haik/backup-powerbook
cannot create 'rpool/export/home/haik/backup-powerbook': permission denied

I like the idea of letting users manage their own filesystems within their home directory so I've used ZFS Delegated Administration to allow that. This is done with the zfs allow command. You can grant ZFS permissions to individual users with one command or you can create permission sets which allow you to easily grant the same permissions to different users on different filesystems. In my case, I create two permission sets. One is for home directories and one is for file systems that are descendents of home directories. I use two different sets because I do not want users to be allowed to rename their home directory, only descendents of their home directory. Here's a script I use after adding a new user. Checkout zfs(1M) for more information.

This script simply looks at the contents of the /export/home directory. For each file or directory within /export/home, it assumes that a user exists with the same username and that a filesystem exists of the form rpool/export/home/<username>. It then gives <username> various permissions on filesystem rpool/export/home/<username>. There are better, more reliable, ways to do this. You would need to execute the script with pfexec.

#!/usr/bin/bash

HOME_FS=rpool/export/home
HOME_PATH=/export/home

HOME_PERMS=create,snapshot,clone,mount,share,send,compression,promote,destroy
HOME_DESCENDENT_PERMS=$HOME_PERMS,rename

HOME_SET_NAME='@home_set'
HOME_DESCENDENT_SET_NAME='@home_descendent_set'

# Create the permission sets
zfs allow -s $HOME_SET_NAME $HOME_PERMS $HOME_FS
zfs allow -s $HOME_DESCENDENT_SET_NAME $HOME_DESCENDENT_PERMS $HOME_FS

# Assign the permission sets
for user in `ls $HOME_PATH`
do
	zfs allow -l $user $HOME_SET_NAME $HOME_FS/$user
	zfs allow -d $user $HOME_DESCENDENT_SET_NAME $HOME_FS/$user
done

You can view the results with the zfs allow command:

haik@opensolaris:~$ zfs allow rpool/export/home/haik
-------------------------------------------------------------
Local permissions on (rpool/export/home/haik)
	user haik @home_set
Descendent permissions on (rpool/export/home/haik)
	user haik @home_descendent_set
-------------------------------------------------------------
Permission sets on (rpool/export/home)
	@home_descendent_set allow,clone,create,destroy,
                mount,promote,rename,send,share,snapshot
	@home_set allow,clone,create,destroy,mount,promote,
                send,share,snapshot
-------------------------------------------------------------

Without the script and without using permission sets, I could accomplish the same thing with the following commands for each user.

haik@opensolaris:~$ pfexec zfs allow -l haik \\
    create,snapshot,clone,mount,share,send,compression,promote,destroy \\
    rpool/export/home/haik
haik@opensolaris:~$ pfexec zfs allow -d haik \\
    create,snapshot,clone,mount,share,send,compression,promote,destroy,rename \\
    rpool/export/home/haik

Now that my user has these permissions, I can create my own filesystems:

haik@opensolaris:~$ zfs create rpool/export/home/haik/music
haik@opensolaris:~$ zfs create rpool/export/home/haik/email
haik@opensolaris:~$ zfs set compression=on rpool/export/home/haik/email
rpool/export/home/haik/email    18K  1.53G    18K  /export/home/haik/email
haik@opensolaris:~$ zfs snapshot -r rpool/export/home/haik@2008-02-10

As expected, I'm still prevented from creating a file system directly on rpool/export/home.

haik@opensolaris:~$ zfs create rpool/export/home/foo
cannot create 'rpool/export/home/foo': permission denied
About

It's a blog.

Search

Top Tags
Categories
  • General
Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today