How do I determine which permission a user is missing to receive a ZFS dataset?


9

I have a FreeNAS (11.1-U1) machine and a FreeBSD (11.1-RELEASE-p6) machine. On the FreeNAS box I want to `zfs receive` recursive snapshots as a non-root user with delegated permissions. This seems to work for most child datasets. But iocage's data datasets, which can be mounted into a jail and managed from there, fail:

root@freebsd:~> zfs send -RI "dozer@2018-02-21" "dozer@2018-03-08"  | ssh -T -i /root/backup_key backupuser@freenas zfs receive -dvuF neo/backups/freebsd
receiving incremental stream of dozer@2018-03-03 into neo/backups/freebsd@2018-03-03
received 312B stream in 1 seconds (312B/sec)
receiving incremental stream of dozer@2018-03-07 into neo/backups/freebsd@2018-03-07
received 312B stream in 1 seconds (312B/sec)
receiving incremental stream of dozer@2018-03-08 into neo/backups/freebsd@2018-03-08
received 312B stream in 1 seconds (312B/sec)
receiving incremental stream of dozer/ROOT@2018-03-03 into neo/backups/freebsd/ROOT@2018-03-03
.
.
.
receiving incremental stream of dozer/iocage/jails/owncloud/root@2018-03-08 into neo/backups/freebsd/iocage/jails/owncloud/root@2018-03-08
received 578MB stream in 110 seconds (5.25MB/sec)
receiving incremental stream of dozer/iocage/jails/owncloud/root/data@2018-03-03 into neo/backups/freebsd/iocage/jails/owncloud/root/data@2018-03-03
cannot receive incremental stream: permission denied
warning: cannot send 'dozer/iocage/jails/owncloud/root/data@2018-03-03': signal received
warning: cannot send 'dozer/iocage/jails/owncloud/root/data@2018-03-07': Broken pipe
warning: cannot send 'dozer/iocage/jails/owncloud/root/data@2018-03-08': Broken pipe

The permissions on that particular child are exactly the same as on the parent dataset:

root@freenas:~ # zfs allow neo/backups/freebsd/iocage/jails/owncloud/root/data
---- Permissions on neo/backups/freebsd -----------------------------
Local+Descendent permissions:
        user backupuser atime,compression,create,dedup,exec,jailed,mount,mountpoint,quota,receive,rename,reservation,setuid,userprop

Running `zfs receive` as root on FreeNAS works fine.

What delegated privileges does my user need in order to receive iocage's jailed datasets, and, more generally, is there a way to make `zfs receive` give a more verbose error message that tells you which permission is missing?

Answers:


3

When troubleshooting permission problems caused by a `zfs` command, analyze the operation by its component steps.

The example command `zfs receive -duvF` decomposes into several steps. Two of the flags have nothing to do with any special permissions:

-d affects the naming of new datasets (if any)
-v enables verbose output

The other two do.

-F means the filesystem will be rolled back to the initial snapshot of the incremental transfer before the receive begins
-u means the filesystem will not be mounted after the receive completes

My gut feeling is that you are missing the rollback permission. The -F flag in your command means a `zfs rollback` will be performed, and your `zfs allow` output does not list `rollback`.

In the general case, the permissions required by a given `zfs` command can be inferred.

The `zfs` man page states:

Permission names are the same as ZFS subcommand and property names.

and also...

Permissions are generally the ability to use a ZFS subcommand or change a ZFS property. The following permissions are available:

   NAME              TYPE          NOTES
   allow             subcommand    Must also have the permission
                                   that is being allowed
   clone             subcommand    Must also have the 'create'
                                   ability and 'mount' ability in
                                   the origin file system
   create            subcommand    Must also have the 'mount'
                                   ability
   destroy           subcommand    Must also have the 'mount'
                                   ability
   diff              subcommand    Allows lookup of paths within a
                                   dataset given an object number,
                                   and the ability to create
                                   snapshots necessary to 'zfs diff'
   hold              subcommand    Allows adding a user hold to a
                                   snapshot
   mount             subcommand    Allows mount/umount of ZFS
                                   datasets
   promote           subcommand    Must also have the 'mount' and
                                   'promote' ability in the origin
                                   file system
   receive           subcommand    Must also have the 'mount' and
                                   'create' ability
   release           subcommand    Allows releasing a user hold
                                   which might destroy the snapshot
   rename            subcommand    Must also have the 'mount' and
                                   'create' ability in the new
                                   parent
   rollback          subcommand    Must also have the 'mount'
                                   ability
   send              subcommand
   share             subcommand    Allows sharing file systems over
                                   the NFS protocol
   snapshot          subcommand    Must also have the 'mount'
                                   ability
   groupquota        other         Allows accessing any
                                   groupquota@... property
   groupused         other         Allows reading any groupused@...
                                   property
   userprop          other         Allows changing any user property
   userquota         other         Allows accessing any
                                   userquota@... property
   userused          other         Allows reading any userused@...
                                   property
   aclinherit        property
   aclmode           property
   atime             property
   canmount          property
   casesensitivity   property
   checksum          property
   compression       property
   copies            property
   dedup             property
   devices           property
   exec              property
   filesystem_limit  property
   logbias           property
   jailed            property
   mlslabel          property
   mountpoint        property
   nbmand            property
   normalization     property
   primarycache      property
   quota             property
   readonly          property
   recordsize        property
   refquota          property
   refreservation    property
   reservation       property
   secondarycache    property
   setuid            property
   sharenfs          property
   sharesmb          property
   snapdir           property
   snapshot_limit    property
   sync              property
   utf8only          property
   version           property
   volblocksize      property
   volsize           property
   vscan             property
   xattr             property

The current example includes the -u flag, so the filesystem is not mounted at the end of the receive operation. If -u were absent, however, the filesystem would be mounted at the end of the receive. Obviously, the `receive` permission requires the `mount` permission.

Because the `zfs mount` operation automatically creates any necessary mount points, a user may have the zfs permission to mount a dataset but lack the filesystem permission to create the mount point. For `zfs mount`, the mount will fail. In `zfs create` and `rename` operations, the filesystem will be created or renamed, but if the user lacks sufficient filesystem permission to create the mount point, it will remain unmounted.

Similarly, a `zfs rename` command may fail for lack of permissions at several points in the rename operation. Loosely speaking, the component steps might be:

1) unmount the filesystem (`mount` permission)
2) create the new filesystem (`create` permission)
3) map the filesystem metadata to the new name (`rename` permission)

The fourth step is to remount the newly named filesystem at the new, possibly changed, mount point, which again uses the `mount` permission and possibly the filesystem permission to create the new mount point.

I have not tested these tricks, but it can be seen that `zfs` distinguishes between the `create` and `rename` permissions, and between the `mount` and `mountpoint` permissions. One can imagine a user being allowed to create new filesystems, but not to rename them once created. For filesystems with inherited mount points, renaming the filesystem usually also renames its mount point, e.g. renaming `tank/usr/local` to `tank/usr/local.OLD` changes the mount point from `/usr/local` to `/usr/local.OLD`.

The separation of the `mount`, `rename` and `mountpoint` permissions means a user may be allowed to rename a filesystem but not to change its mount point. Or vice versa, so that the user can change where a filesystem is mounted but not its name.

The richness of `zfs` filesystem operations and the delegation of those operations, combined with the granularity of the permissions, can pose some challenges, but it is also very powerful.


This answer is an expansion of the original answer. I hope it continues to merit its earlier praise.
Jim L.
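The reasoning above (receive implies mount and create; -F adds rollback) can be turned into a quick offline check. This is an added example, not part of the original answer; it parses a constructed copy of the `zfs allow` output from the question and lists the permissions the receive would need but the user was not granted.

```shell
#!/bin/sh
# Constructed sample of the 'zfs allow neo/backups/freebsd/...' output
# quoted in the question (hypothetical data embedded for offline use).
ALLOW_OUTPUT='---- Permissions on neo/backups/freebsd -----------------------------
Local+Descendent permissions:
        user backupuser atime,compression,create,dedup,exec,jailed,mount,mountpoint,quota,receive,rename,reservation,setuid,userprop'

# Permissions a 'zfs receive' needs, derived from its flag string (e.g. "-duvF").
# Per the zfs(8) table, receive also requires mount and create; -F adds rollback.
receive_needs() {
    needed="receive mount create"
    case "$1" in
        *F*) needed="$needed rollback" ;;
    esac
    echo "$needed"
}

# Read 'zfs allow' text on stdin and print the permission list granted
# to one user, one permission per word.
user_perms() {
    awk -v u="$1" '$1 == "user" && $2 == u { print $3 }' | tr ',' ' '
}

# Print each needed permission that is absent from the granted set.
# Usage: missing_perms "<needed list>" "<granted list>"
missing_perms() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Tie it together: missing permissions for <user> running 'zfs receive <flags>'.
check_receive() {
    granted=$(printf '%s\n' "$ALLOW_OUTPUT" | user_perms "$1")
    missing_perms "$(receive_needs "$2")" "$granted"
}

check_receive backupuser -duvF   # prints: rollback
```

Dropping -F from the flags makes the list empty, which matches the answer's conclusion that only `rollback` is missing for this user.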

0

It looks like you have a snapshot that is missing permissions.

Try setting the `receive` permission on neo/backups/freebsd/iocage/jails/owncloud/root/data@2018-03-03

It looks as though it is set correctly on the volume, but not on the snapshot.

Licensed under cc by-sa 3.0 with attribution required.