Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Experimental: Use zfs permissions instead of zfs shell and sudo #32

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Experimental: Use zfs permissions instead of zfs shell and sudo #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b0a585f
Depend on zfsutils-linux (Debian compatibility)
MichaelHierweck Dec 5, 2020
2dac47f
Remove zfs-shell, zfs user and sudoers rules; use zfs permissions ins…
MichaelHierweck Dec 5, 2020
1d2568b
Merge branch 'master' into experimental-zfs-permissions-instead-of-zf…
Rudd-O Dec 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,18 @@
| <img width="164" height="164" title="" alt="" src="doc/bitcoin.png" /> |
| [1Cw9nZu9ygknussPofMWCzmSMveusTbQvN](bitcoin:1Cw9nZu9ygknussPofMWCzmSMveusTbQvN) |

## Experimental version of zfs-tools:
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to maintain support for zfs-shell since not everyone is ready to migrate to ZFS permissions, and people deploy from this repo.

If needed, we can add to zfs-shell some sort of canary command that the client can then query, and if that fails, revert back to using zfs-shell instead of ZFS permissions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First of all, sorry, the last weeks I was too busy with other things .

I wonder how we could make zfs-shell optional.

Case "zfs-shell":
zfs-shell should be installed and registered as a shell. We might even need the sudo rules.
ztools should invoke zfs-shell as a helper script.

Case "zfs-permissions":
zfs-shell should not be installed (or at least) not registered. Sudo rules should not be installed or at least not activated.
ztools should invoke zpool and zfs directly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about creating two Debian packages out of a single source package, e.g. "zfs-tools" and optional "zfs-shell" (providing zfs-shell and sudo rules). zfs-tools could suggest or even recommend zfs-shell.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attempt to split the binary packages


In this experimential version of zfs-tools the "zfs-shell" was removed.
ZFS permissions should be used instead:

* sender side: zfs allow -u <user> send,snapshot,destroy,mount,hold <source>

* receiver side: zfs allow -u <user> create,mount,receive <destination>


## The following documentation needs to be updated:

The ZFS backup tools will help you graft an entire ZFS pool as a filesystem
into a backup machine, without having to screw around snapshot names or
complicated shell commands or crontabs.
Expand Down
2 changes: 1 addition & 1 deletion bin/zbackup
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ def zbackup_properties(tier):
def get_zpools():
"""Return list of zpools."""
zpools = []
zpool_list = subprocess.Popen(["zpool", "list", "-H"], stdout = subprocess.PIPE)
zpool_list = subprocess.Popen(["/sbin/zpool", "list", "-H"], stdout = subprocess.PIPE)
for line in zpool_list.stdout:
zpools.append(line.split()[0])
return zpools
Expand Down
21 changes: 0 additions & 21 deletions bin/zfs-shell
View file
Open in desktop

This file was deleted.

6 changes: 6 additions & 0 deletions debian/changelog
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
zfs-tools (0.6.2) wily; urgency=low

* remove zfs-shell, zfs user and sudoers rules; use zfs permissions instead

-- Michael Hierweck <[email protected]> Thu, 3 Dec 2020 10:14:26 +0000

zfs-tools (0.6.1) wily; urgency=low

* depend on zfsutils-linux
Expand Down
51 changes: 0 additions & 51 deletions debian/postinst
View file
Open in desktop

This file was deleted.

44 changes: 0 additions & 44 deletions debian/postrm
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
]),
classifiers = classifiers,
packages=["zfstools"],
scripts=["bin/zreplicate", 'bin/zfs-shell', 'bin/zsnap', 'bin/zbackup', 'bin/zflock'],
scripts=["bin/zreplicate", 'bin/zsnap', 'bin/zbackup', 'bin/zflock'],
keywords="ZFS filesystems backup synchronization snapshot",
zip_safe=False,
)
16 changes: 8 additions & 8 deletions src/zfstools/connection.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,25 +59,25 @@ def __init__(self,host="localhost", trust=False, sshcipher=None, properties=None
def _get_poolset(self):
if self._dirty:
properties = [ 'creation' ] + self._properties
stdout2 = subprocess.check_output(self.command + ["zfs", "list", "-Hpr", "-o", ",".join( ['name'] + properties ), "-t", "all"])
stdout2 = subprocess.check_output(self.command + ["/sbin/zfs", "list", "-Hpr", "-o", ",".join( ['name'] + properties ), "-t", "all"])
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should not encode the path to zfs. Let the PATH resolution find it.

self._poolset.parse_zfs_r_output(stdout2,properties)
self._dirty = False
return self._poolset
pools = property(_get_poolset)

def create_dataset(self,name):
subprocess.check_call(self.command + ["zfs", "create", name])
subprocess.check_call(self.command + ["/sbin/zfs", "create", name])
self._dirty = True
return self.pools.lookup(name)

def destroy_dataset(self, name):
subprocess.check_call(self.command + ["zfs", "destroy", name])
subprocess.check_call(self.command + ["/sbin/zfs", "destroy", name])
self._dirty = True

def destroy_recursively(self, name, returnok=False):
"""If returnok, then simply return success as a boolean."""
ok = True
cmd = self.command + ["zfs", "destroy", '-r', name]
cmd = self.command + ["/sbin/zfs", "destroy", '-r', name]
if returnok:
ok = subprocess.call(cmd) == 0
else:
Expand All @@ -87,7 +87,7 @@ def destroy_recursively(self, name, returnok=False):

def snapshot_recursively(self,name,snapshotname,properties={}):
plist = sum( map( lambda x: ['-o', '%s=%s' % x ], properties.items() ), [] )
subprocess.check_call(self.command + ["zfs", "snapshot", "-r" ] + plist + [ "%s@%s" % (name, snapshotname)])
subprocess.check_call(self.command + ["/sbin/zfs", "snapshot", "-r" ] + plist + [ "%s@%s" % (name, snapshotname)])
self._dirty = True

def send(self,name,opts=None,bufsize=-1,compression=False,lockdataset=None):
Expand All @@ -99,8 +99,8 @@ def send(self,name,opts=None,bufsize=-1,compression=False,lockdataset=None):
if self.verbose:
cmd += ["-v"]
cmd += [lockdataset, "--"]
cmd += ["zfs", "send"] + opts + [name]
p = SpecialPopen(cmd,stdin=file(os.devnull),stdout=subprocess.PIPE,bufsize=bufsize)
cmd += ["/sbin/zfs", "send"] + opts + [name]
p = SpecialPopen(cmd,stdin=open(os.devnull),stdout=subprocess.PIPE,bufsize=bufsize)
return p

def receive(self,name,pipe,opts=None,bufsize=-1,compression=False,lockdataset=None):
Expand All @@ -112,7 +112,7 @@ def receive(self,name,pipe,opts=None,bufsize=-1,compression=False,lockdataset=No
if self.verbose:
cmd += ["-v"]
cmd += [lockdataset, "--"]
cmd = cmd + ["zfs", "receive"] + opts + [name]
cmd = cmd + ["/sbin/zfs", "receive"] + opts + [name]
p = SpecialPopen(cmd,stdin=pipe,bufsize=bufsize)
return p

Expand Down