We've decided that everything at Connectathon has to be secured by Kerberos - we want the additional testing that we can get. It wasn't clear to me how to invoke a complex share command on a zfs filesystem. In particular, I couldn't find an example which set a security style or had multiple options. So here is what I did.
First I prepare some areas; note that I'm pretty explicit about what is available.
# zfs create zoo/home/krb5
# zfs create zoo/home/all
# zfs create zoo/home/krb5i
# zfs create zoo/home/krb5p
# zfs create zoo/home/sys
# zfs create zoo/home/krb
And now we let zfs know what we want:
# zfs set sharenfs="sec=krb5:krb5i:krb5p:sys,rw" zoo/home/all
# zfs set sharenfs="sec=krb5:krb5i:krb5p,rw" zoo/home/krb
# zfs set sharenfs="sec=krb5i,rw" zoo/home/krb5i
# zfs set sharenfs="sec=krb5p,rw" zoo/home/krb5p
# zfs set sharenfs="sec=krb5,rw" zoo/home/krb5
And to check the properties:
# zfs list -o name,sharenfs
NAME            SHARENFS
zoo             off
zoo/home        on
zoo/home/all    sec=krb5:krb5i:krb5p:sys,rw
zoo/home/krb    sec=krb5:krb5i:krb5p,rw
zoo/home/krb5   sec=krb5,rw
zoo/home/krb5i  sec=krb5i,rw
zoo/home/krb5p  sec=krb5p,rw
zoo/home/nfsv2  on
zoo/home/nfsv3  on
zoo/home/nfsv4  on
zoo/home/sys    on
zoo/home/tdh    on
zoo/ws          off
And since I am testing my bits for the In Kernel Sharetab:
# cat /system/dfs/sharetab
/export/zfs/tdh - nfs rw
/export/zfs/krb5p - nfs sec=krb5p,rw
/export/zfs/nfsv4 - nfs rw
/export/zfs/nfsv2 - nfs rw
/export/zfs/krb5i - nfs sec=krb5i,rw
/export/zfs/krb5 - nfs sec=krb5,rw
/export/zfs/sys - nfs rw
/export/zfs/nfsv3 - nfs rw
/export/zfs/all - nfs sec=krb5,rw,sec=krb5i,rw,sec=krb5p,rw,sec=sys,rw
/export/zfs - nfs rw
/export/zfs/krb - nfs sec=krb5,rw,sec=krb5i,rw,sec=krb5p,rw
Hmm, I think those entries should be compacted.
By the way, if there is no sec=, then the default is sys.
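An added example, not from the original post: a shell function that reads sharetab-format lines, lists the security flavors each NFS share accepts, and flags every share that still admits sys, treating a missing sec= as sys as noted above. The function names, the verdict labels and the /export/zfs/demo entry are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.

# Sample input: four entries copied from the sharetab listing above plus one
# constructed entry (/export/zfs/demo) in the colon form used with sharenfs.
sample_sharetab() {
    cat <<'EOF'
/export/zfs/tdh - nfs rw
/export/zfs/krb5p - nfs sec=krb5p,rw
/export/zfs/all - nfs sec=krb5,rw,sec=krb5i,rw,sec=krb5p,rw,sec=sys,rw
/export/zfs/krb - nfs sec=krb5,rw,sec=krb5i,rw,sec=krb5p,rw
/export/zfs/demo - nfs sec=krb5:sys,rw
EOF
}

# Reads sharetab-format lines (path, resource, fstype, options) on stdin.
# Prints "<verdict> <path> <flavors>" for each NFS share and returns 1 if
# any share accepts sys, so it can gate a test run.
audit_sharetab() {
    awk '
    $3 == "nfs" {
        flavors = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] !~ /^sec=/) continue
            # sec=a:b names several flavors in one option
            m = split(substr(opt[i], 5), f, ":")
            for (j = 1; j <= m; j++)
                flavors = flavors (flavors == "" ? "" : ",") f[j]
        }
        # No sec= at all means the share defaults to sys.
        if (flavors == "") flavors = "sys"
        if (index("," flavors ",", ",sys,") > 0) {
            verdict = "ALLOWS_SYS"; bad = 1
        } else {
            verdict = "NO_SYS"
        }
        print verdict, $1, flavors
    }
    END { exit (bad + 0) }
    '
}

# Run against the sample with: sh thisfile --demo
# On the server: audit_sharetab < /system/dfs/sharetab
if [ "${1:-}" = "--demo" ]; then
    sample_sharetab | audit_sharetab
fi
```

Shares such as /export/zfs/tdh carry only rw in the sharetab, so they are reported as ALLOWS_SYS even though no sec= option is visible.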
When I installed a machine, instead of figuring out how to leave a lot of space in a slice, I went ahead and made a slice to be mounted as /zfs. I knew that I wanted to be able to reuse that space later for zfs. When I went to create a pool, this is what I did:
First I found the slice number:
# df -h
Filesystem size used avail capacity Mounted on
/dev/dsk/c1d0s0 20G 6.8G 13G 36% /
/devices 0K 0K 0K 0% /devices
/dev 0K 0K 0K 0% /dev
ctfs 0K 0K 0K 0% /system/contract
proc 0K 0K 0K 0% /proc
mnttab 0K 0K 0K 0% /etc/mnttab
swap 10G 788K 10G 1% /etc/svc/volatile
objfs 0K 0K 0K 0% /system/object
/usr/lib/libc/libc_hwcap2.so.1
20G 6.8G 13G 36% /lib/libc.so.1
fd 0K 0K 0K 0% /dev/fd
swap 10G 52K 10G 1% /tmp
swap 10G 32K 10G 1% /var/run
/dev/dsk/c1d0s3 20G 487M 19G 3% /altroot
/dev/dsk/c1d0s5 163G 64M 161G 1% /zfs
/dev/dsk/c1d0s7 20G 20M 19G 1% /export/home
/dev/dsk/c0t0d0s2 3.6G 3.6G 0K 100% /media/CDROM
/dev/lofi/1 467M 467M 0K 100% /isos/mnt/companion
Next I took the UFS filesystem off the system and out of /etc/vfstab:
# umount /zfs
# vi /etc/vfstab
...
Then I tried to create the new pool:
# zpool create zoo /dev/dsk/c1d0s5
invalid vdev specification
use '-f' to override the following errors:
/dev/dsk/c1d0s5 contains a ufs filesystem.
One of the features I really like about zfs is not only does it tell me exactly what is wrong, it also tells me how to fix it. I don't have to go look something up. So to fix it up:
# zpool create -f zoo /dev/dsk/c1d0s5
#
And here it is later:
[tdh@sunnfsv4-109 ~]> zpool list
NAME  SIZE  USED   AVAIL  CAP  HEALTH  ALTROOT
zoo   165G  3.10G  162G   1%   ONLINE  -