Zfs: Support ZFS delegations

Created on 2 Nov 2011 · 8Comments · Source: openzfs/zfs

The 'zfs allow' code which can be used to delegate functionality relies on the zfssecpolicy* hooks being cleanly implemented to limit access accordingly. This work still must be completed in issue #228 before this will work properly.

Secondly, because we are using a mount.zfs helper to mount the filesystem through /bin/mount it's difficult to allow non-root processes to mount. The standard /bin/mount tool expects root and only root to be able to do certain things. A solution needs to be found for this still.

Feature

Source

behlendorf

👍2

Most helpful comment

0.7.0.

behlendorf on 12 Aug 2016

👍2

All 8 comments

One comment: backup tools such as zetaback wouldn't have to run as root if this were implemented.

jgoerzen on 8 Feb 2014

Want this for ability to delegate "snapshot create" ability and to containers :)

pavel-odintsov on 17 Nov 2014

👍1

Since I don't want to open another issue, if it is a duplicate: Would this - if implemented - allow me to effectively "give" a dataset (recursively) to a user?
Essentially the use case would be this:
Given a pool tank with the dataset tank/home mounted to /home, create and give to user foo the dataset tank/home/foo. User foo may now set/get properties ontank/home/foo and create sub datasets like tank/home/foo/lxc (implicitly owned by foo); this goal would be to have unprivileged LXC containers on datasets 'owned' by the user managing the LXC containers, so adding a new unprivileged user and giving him a new dataset as home would immediately enable the user to run unprivileged LXC containers, each on its own dataset, complete with snapshots, deduplication (if enabled), etc.