ZFS: correctly remember device node ownership and ACLs for ZVOLs
Device nodes for ZFS volumes (ZVOLs) - symlinks in /dev/zfs/*dsk/poolname/datasetname and corresponding entries in /devices/ - are spawned upon first access to the device nodes in /dev/zfs/..., such as listing of this directory or usage of a ZVOL device for swap or other data storage.
It is then possible to change ownership of the device and delegate access to it to a non-root user; however, this ownership is "forgotten" after pool export/import or OS reboot - the ZVOL becomes root-owned again. This is very inconvenient for ZVOL uses such as backing VM storage for (VirtualBox) VMs executed by unprivileged users.
It is also possible to assign ACLs to /devices/* entries, but these can also be applied incorrectly after a reboot (another bug is posted about this).
This current RFE suggests that ownership UID:GID and ACL definitions for device nodes should be remembered as attributes of the ZVOL itself (hidden or explicitly addressable properties?), like it is done for the root directories of filesystem datasets? and correctly applied for the device filesystem when ZVOL device nodes are automatically created.
A corner-case question is whether to remember access for numeric UIDs and GIDs, or for textual ones (i.e. what happens when the pool is imported by another OS image with different numbering of same-named users and groups)?
Detailed discussion link: http://permalink.gmane.org/gmane.os.openindiana.general/10002
Updated by Jim Klimov over 8 years ago
The mentioned bug about ACL entries for ZVOLs is posted as https://www.illumos.org/issues/3284 and possibly concerns devfs more than ZFS.
Implementation of this RFE and overwriting any existing ownership/ACL info (that is created by devfs itself when spawning the device node) with correct info sourced from ZVOL itself would fix the partial problem as far as remembering ZVOL access rights is concerned.
Updated by Jim Klimov about 8 years ago
Since this discussion started in connection to VirtualBox (and problems for non-root users running VMs and "owning" zvols), a PoC solution was provided as part of my vboxsvc package which wraps up VMs as SMF instances. My solution is a script (which can be installed as an SMF service) which saves POSIX and ACL settings of ZVOLs into their user-defined ZFS attributes, and can recover and re-apply these settings to ZVOLs after a reboot (upon service startup).