zfs discuss - Jul 2007 - Read-only (forensic) mounts of ZFS

Hi 

Sorry for the cross-posting, I''d sent this to zfs-code originally.
Wrong
forum.

I''m looking into forensic aspects of ZFS, in particular ways to use ZFS
tools
to investigate ZFS file systems without writing to the pools. I''m
working on
a test suite of file system images within VTOC partitions. At the moment, 
these only have 1 file system per pool per VTOC partition for
simplicity''s
sake, and I''m using Solaris 10 6/06, which may not be the most
up-to-date. At
the bottom are details of the tests.

The problem: I was not able to use a loopback device on a file system image 
(see TEST section). Here are some questions:
* Am I missing a command or something? 
* Is there support for lofiadm in a more recent version of ZFS? 
* Or is there any way to safely mount a file system image?

Thanks for your help.

Regards

Mark

GOOD NEWS
It looks as if the zfs mount options can stop updates of file system metadata 
(ie mount times etc) and file metadata (no writing of file access times). 

Quote from man zfs  25 Apr 2006 p. 11 ("Temporary Mount Point
Properties") :
     ... these options can be set on a  per-mount  basis
     using  the -o option, without affecting the property that is
     stored on disk. The values specified  on  the  command  line
     will  override the values stored in the dataset. The -nosuid
     option is an alias for "nodevices,nosetuid".  These  proper-
     ties  are  reported as "temporary" by the "zfs get"
command.


TEST 

26.07.2007
Forensic mounting of ZFS File Systems.
Loopback device does not seem to work with ZFS using "zfs mount" or 
legacy "mount".
However, temporary command-line options can prevent mounts from writing to a 
file system.

MAKE COPY
root at sol10 /export/home# cp t1_fs1.dd t1_fs1.COPY.dd

CHECKSUMS

root at sol10 /export/home# gsha1sum t1*
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  t1_fs1.COPY.dd
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  t1_fs1.dd

CHECKSUM RAW DEV FOR FS1
root at sol10 /export/home# gsha1sum /dev/dsk/c0t1d0s1
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  /dev/dsk/c0t1d0s1
root at sol10 /export/home#


PREPARE LOOPBACK DEVICE
note need full path for file

root at sol10 /export/home# lofiadm -a /export/home/t1_fs1.COPY.dd /dev/lofi/1
root at sol10 /export/home# lofiadm
Block Device             File
/dev/lofi/1              /export/home/t1_fs1.COPY.dd
root at sol10 /export/home#

ZFS MOUNT OF LOOPBACK DEVICE DOESNT WORK

root at sol10 /export/home# zfs mount -o 
noexec,nosuid,noatime,nodevices,ro /dev/lofi/1 /fs1
too many arguments
usage:
[...]
root at sol10 /export/home# zfs mount -o ro,noatime /dev/lofi/1
cannot open ''/dev/lofi/1'': invalid filesystem name

NOR DOES LEGACY MOUNT

root at sol10 /export/home# mount -F zfs -o 
noexec,nosuid,noatime,nodevices,ro /dev/lofi/1 /fs1
cannot open ''/dev/lofi/1'': invalid filesystem name

TRY MOUNT OF NORMAL FS

root at sol10 /export/home# mount -o noexec,nosuid,noatime,nodevices,ro fs1 /fs1
root at sol10 /export/home# ls -lR /fs1
/fs1:
total 520
-rw-r--r--   1 mark     staff     234179 Jul 17 20:17 
gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
drwxr-xr-x   3 root     root           5 Jul 26 14:12 level_1

/fs1/level_1:
total 1822
-rwxr-xr-x   1 mark     staff     834236 Jul 17 20:16 imgp2219.jpg
-rw-r--r--   1 mark     staff       1388 Jul 17 20:15 
imgp2219.jpg.head.tail.xxd
drwxr-xr-x   2 root     root           5 Jul 26 14:12 level_2

/fs1/level_1/level_2:
total 1038
-rw-r--r--   1 mark     staff     234179 Jul 17 20:17 
gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
-rw-r--r--   1 mark     staff     173713 Jul 17 20:15 imgp2219.small.jpg
-rw-r--r--   1 mark     staff       1388 Jul 17 20:15 
imgp2219.small.jpg.head.tail.xxd

MUCK AROUND A BIT

root at sol10 /export/home# 
file
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt: 
ascii text
root at sol10 /export/home#
root at sol10 /export/home# 
head
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
*****The Project Gutenberg Etext of A treatise on Good Works*****
#2 in our series by Dr. Martin Luther


Copyright laws are changing all over the world, be sure to check
the copyright laws for your country before posting these files!

Please take a look at the important information in this header.
We encourage you to keep this file on your own disk, keeping an
electronic path open for the next readers.  Do not remove this.
root at sol10 /export/home#
root at sol10 /export/home# 
rm
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
rm:
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt:
override protection 644 (yes/no)? y
rm:
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
not removed: Read-only file system
root at sol10 /export/home#

root at sol10 /export/home#
root at sol10 /export/home# ls -la /fs1/
total 543
drwxr-xr-x   3 root     sys            4 Jul 26 14:13 .
drwxr-xr-x  26 mark     staff        512 Jul 26 14:06 ..
-rw-r--r--   1 mark     staff     234179 Jul 17 20:17 
gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
drwxr-xr-x   3 root     root           5 Jul 26 14:12 level_1
root at sol10 /export/home#

UNMOUNT

root at sol10 /export/home# umount /fs1
root at sol10 /export/home#

CHECKSUM RAW DEV AGAIN: MATCHES (NO DATA WRITTEN)

root at sol10 /export/home#
root at sol10 /export/home# gsha1sum /dev/dsk/c0t1d0s1
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  /dev/dsk/c0t1d0s1
root at sol10 /export/home#

Mark Furner wrote:
> Hi 
> 
> Sorry for the cross-posting, I''d sent this to zfs-code originally.
Wrong
> forum.
and I''ve already replied there:

http://mail.opensolaris.org/pipermail/zfs-code/2007-July/000557.html

--
Darren J Moffat