Pavel Heimlich
2010-Feb-16 20:27 UTC
[zfs-discuss] zfs snapshot of zone fails with permission denied (EPERM [sys_mount])
Hi,
when I delegate the zfs roles to a user, the user can create a snapshot of a zfs
filesystem, but cannot snapshot a zone contained in that filesystem.
The output is:
$ /usr/sbin/zfs snapshot tank/zones/dashboardbuild/ROOT/zbe@1install
cannot create snapshot 'tank/zones/dashboardbuild/ROOT/zbe@1install': permission denied
The root user can create the snapshot just fine.
This is with OSOL b132/amd64
Am I doing something wrong?
TIA
full session log follows:
# cat /tank/zones/dashboardbuild.cfg
create -b
set zonepath=/tank/zones/dashboardbuild
set autoboot=true
add net
set address=10.10.2.43
set physical=e1000g0
end
add fs
set dir=/home
set special=/export/home
set type=lofs
end
# zfs create tank/zones/dashboardbuild
# chmod 700 /tank/zones/dashboardbuild
# zonecfg -z dashboardbuild -f /tank/zones/dashboardbuild.cfg
# zoneadm -z dashboardbuild install
Publisher: Using opensolaris.org (http://pkg.opensolaris.org/dev/ ).
Publisher: Using contrib.opensolaris.org (http://pkg.opensolaris.org/contrib/).
Image: Preparing at /tank/zones/dashboardbuild/root.
Cache: Using /var/pkg/download.
Sanity Check: Looking for 'entire' incorporation.
Installing: Core System (output follows)
DOWNLOAD PKGS FILES XFER (MB)
Completed 43/43 12186/12186 84.7/84.7
PHASE ACTIONS
Install Phase 17622/17622
No updates necessary for this image.
Installing: Additional Packages (output follows)
DOWNLOAD PKGS FILES XFER (MB)
Completed 37/37 3345/3345 21.8/21.8
PHASE ACTIONS
Install Phase 4519/4519
Note: Man pages can be obtained by installing SUNWman
Postinstall: Copying SMF seed repository ... done.
Postinstall: Applying workarounds.
Done: Installation completed in 543.818 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C)
to complete the configuration process.
# zfs list |grep dashboard
tank/zones/dashboardbuild 513M 397G 21K /tank/zones/dashboardbuild
tank/zones/dashboardbuild/ROOT 513M 397G 19K legacy
tank/zones/dashboardbuild/ROOT/zbe 513M 397G 513M legacy
# zfs allow hajma snapshot,rollback,mount tank/zones/dashboardbuild
# zfs allow hajma snapshot,rollback,mount tank/zones/dashboardbuild/ROOT
# zfs allow hajma snapshot,rollback,mount tank/zones/dashboardbuild/ROOT/zbe
# zfs allow tank/zones/dashboardbuild/ROOT/zbe
---- Permissions on tank/zones/dashboardbuild/ROOT/zbe ---------------
Local+Descendent permissions:
user hajma mount,rollback,snapshot
---- Permissions on tank/zones/dashboardbuild/ROOT -------------------
Local+Descendent permissions:
user hajma mount,rollback,snapshot
---- Permissions on tank/zones/dashboardbuild ------------------------
Local+Descendent permissions:
user hajma mount,rollback,snapshot
#
-bash-4.0$ pfexec /usr/sbin/zfs snapshot tank/zones/dashboardbuild/ROOT/zbe@1install
cannot create snapshot 'tank/zones/dashboardbuild/ROOT/zbe@1install': permission denied
-bash-4.0$ pfexec /usr/sbin/zfs snapshot tank/zones/dashboardbuild@test
-bash-4.0$
This is what I see when I run the command in truss:
2116: ioctl(3, ZFS_IOC_OBJSET_STATS, 0x08044930) = 0
2116: brk(0x080D4000) = 0
2116: ioctl(3, ZFS_IOC_POOL_STATS, 0x08043300) = 0
2116: brk(0x080E4000) = 0
2116: ioctl(3, ZFS_IOC_SNAPSHOT, 0x080462C0) Err#1 EPERM [sys_mount]
2116: fstat64(2, 0x08045260)
--
This message posted from opensolaris.org