Feature #3283

ZFS: correctly remember device node ownership and ACLs for ZVOLs

Added by Jim Klimov almost 7 years ago. Updated almost 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: zfs - Zettabyte File System
Start date: 2012-10-17
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

Device nodes for ZFS volumes (ZVOLs) - symlinks in /dev/zfs/*dsk/poolname/datasetname and corresponding entries in /devices/ - are spawned upon first access to the device nodes in /dev/zfs/..., such as listing of this directory or usage of a ZVOL device for swap or other data storage.
It is then possible to change ownership of the device and delegate access to it to a non-root user; however, this ownership is "forgotten" after pool export/import or OS reboot - the ZVOL becomes root-owned again. This is very inconvenient for ZVOL uses such as backing VM storage for (VirtualBox) VMs executed by unprivileged users.
It is also possible to assign ACLs to /devices/* entries, but these can also be applied incorrectly after a reboot (another bug is posted about this).

This current RFE suggests that ownership UID:GID and ACL definitions for device nodes should be remembered as attributes of the ZVOL itself (hidden or explicitly addressable properties?), like it is done for the root directories of filesystem datasets(?), and correctly applied for the device filesystem when ZVOL device nodes are automatically created.

A corner-case question is whether to remember access for numeric UIDs and GIDs, or for textual ones (i.e. what happens when the pool is imported by another OS image with different numbering of same-named users and groups)?

Detailed discussion link: http://permalink.gmane.org/gmane.os.openindiana.general/10002

History

#1

Updated by Jim Klimov almost 7 years ago

The mentioned bug about ACL entries for ZVOLs is posted as https://www.illumos.org/issues/3284 and possibly concerns devfs more than ZFS.
Implementation of this RFE and overwriting any existing ownership/ACL info (that is created by devfs itself when spawning the device node) with correct info sourced from ZVOL itself would fix the partial problem as far as remembering ZVOL access rights is concerned.

#2

Updated by Jim Klimov almost 7 years ago

Since this discussion started in connection to VirtualBox (and problems for non-root users running VMs and "owning" zvols), a PoC solution was provided as part of my vboxsvc package which wraps up VMs as SMF instances. My solution is a script (which can be installed as an SMF service) which saves POSIX and ACL settings of ZVOLs into their user-defined ZFS attributes, and can recover and re-apply these settings to ZVOLs after a reboot (upon service startup).
http://vboxsvc.svn.sourceforge.net/viewvc/vboxsvc/lib/svc/method/zfs-zvolrights
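
Added example (not the vboxsvc script and not part of the original comments): a shell sketch of the save/restore approach described in update #2, limited to ownership (no ACLs), which also takes one position on the numeric-versus-textual question from the description by storing both and preferring names at restore time. The property name `example:devowner` and all function names are assumptions; the device path is passed in by the caller.

```shell
#!/bin/sh
# Added example: keep ZVOL device-node ownership in a ZFS user property.
# PROP is a hypothetical name; ZFS user properties must contain a colon.
PROP="example:devowner"

# Print "user:group:uid:gid" for a device node. Names and numbers are both
# kept so restore can cope with a host that numbers the same users differently.
owner_record() {  # $1 = device path
    names=$(ls -ldL "$1" | awk '{print $3 ":" $4}')
    nums=$(ls -ldnL "$1" | awk '{print $3 ":" $4}')
    [ -n "$names" ] && [ -n "$nums" ] && printf '%s:%s\n' "$names" "$nums"
}

# Turn a stored record into a chown argument for this host. The record comes
# from the pool, so it is validated before root hands it to chown.
resolve_owner() {  # $1 = record
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.:-]*) return 1 ;;   # unexpected characters
    esac
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    case "$3:$4" in :*|*:|*[!0-9:]*) return 1 ;; esac  # ids must be numeric
    u=$3; g=$4
    # Prefer the name when it exists here, otherwise fall back to the number.
    getent passwd "$1" >/dev/null 2>&1 && u=$1
    getent group "$2" >/dev/null 2>&1 && g=$2
    printf '%s:%s\n' "$u" "$g"
}

save_owner() {  # $1 = dataset, $2 = device path
    rec=$(owner_record "$2") && zfs set "$PROP=$rec" "$1"
}

restore_owner() {  # $1 = dataset, $2 = device path
    rec=$(zfs get -H -o value "$PROP" "$1") || return 1
    [ "$rec" = "-" ] && return 0     # property unset: keep devfs defaults
    owner=$(resolve_owner "$rec") || return 1
    chown "$owner" "$2"
}
```

Because the stored value travels with the pool, a restore step running as root should treat it as untrusted input, which is why `resolve_owner` rejects anything outside a narrow character set before calling `chown`.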
