Skip to content

Letting users create ZFS file systems

December 15, 2005

Darren has just posted his fast bringover script that solves some of my desire to be able to have a file system per workspace. I’m not commenting on the script since it manages to trip one of my shell script peeves that of calling a program and then calling exit $?. What is wrong with exec? I’ll keep taking the tablets.

However it does not solve my wanting to be able to let users be able to create their own ZFS file systems below a file system that they own.

Like I said in the email this can mostly be done via an RBAC script, well here it is:

#!/bin/ksh -p  PATH=/usr/bin:/usr/sbin  if [ "$_" != "/usr/bin/pfexec" -a -x /usr/bin/pfexec ]; then         exec /usr/bin/pfexec $0 $@ fi  function get_owner { 	echo $(ls -dln ${PARENT} | nawk ‘{ print $3 }’) }  function create_file_system { 	typeset mpt name  	zfs list -H -t filesystem -o mountpoint,name,quota | \ 		 while read mpt name quota 	do 		if [[ $mpt == $PARENT ]] 		then 			zfs create ${DIR#/} && chown $uid $DIR && \ 				zfs set quota=${quota} ${DIR#/} 			exit $? 		fi 	done 	echo no zfs file system $PARENT >&2 	exit 1 }  function check_quota { 	typeset -i count 	typeset mpt name 	count=0  	zfs list -H -t filesystem -o mountpoint,name | while read mpt name 	do 		if [[ $(get_owner $name) == $uid ]] 		then 			let count=count+1 		fi 	done 	echo $count }  MAX_FILE_SYSTEMS_PER_USER=10  test -f /etc/default/zfs_user_create && . /etc/default/zfs_user_create  if [[ $# -ne 1 ]] then 	echo "Usage: $1 filesystem" >&2 	exit 1 fi  DIR=$1 PARENT=${1%/*}  if ! [[ -d $PARENT ]] then 	echo "$0: Failed to make directory \"$1\"; No such file or directory" >&2 	exit 1 fi  uid=$(id | sed -e s/uid=// -e ‘s/(.*//’) owner=$(get_owner $1)  if [[ $uid != $owner ]] then 	echo "$0: $1 not owner" >&2 	exit 1 fi  if [[ $(check_quota) -gt ${MAX_FILE_SYSTEMS_PER_USER} ]] then 	echo "too many file systems" 	exit 1 fi  create_file_system 

It has a hack in it to limit the number of file systems that a user can create just to stop them being silly. Then you just need the line in /etc/security/exec_attr:


All:suser:cmd:::/usr/local/share/sh/zfs_create:euid=0 

Now any user can create a file system under a file system they already own. The file systems don’t share a single quota which would be nice but for my purposes this will do.


Next trick to let them destroy them and take snapshots of them. The snapshots being the real reason I want all of this.

Tags: topic:[Solaris] topic:[OpenSolaris] topic:[ZFS] topic:[shell script]

Advertisements

From → Solaris

2 Comments
  1. Interesting that you added to the “All” profile, that has the nice side effect of working network wide (assuing exec_attr is comming from the nameserivice) where modifying policy.conf PROFS_GRANTED only works on a single host.

  2. Interesting that you added to the “All” profile, that has the nice side effect of working network wide (assuing exec_attr is comming from the nameserivice) where modifying policy.conf PROFS_GRANTED only works on a single host.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: