FreeNAS replication as a normal/unprivileged user


whitey

Moderator
Jun 30, 2014
Anyone know how to do this?...thinking more from multi-tenancy perspective. Tried to create a normal user and get replication going that way but does not work.

Questions that come to mind are:

Do ZFS dataset permissions come into play?
Does the replication user need to own the ZFS dataset?
Do sudo privs need to be engaged or wheel group membership permitted? (would not think so as this kinda defeats the purpose)

I've also tried to create ssh keys via 'ssh-keygen' on the src and append of users on dest FreeNAS box (YES I created same user on both boxes), to authorized_keys, I can see that ssh from src to dest FreeNAS works w/ no auth/prompting of password via ssh PKI but something fishy seems to be happening w/ ssh keyscan that 'seemingly' only reads/hooks to root pub ssh key. I see there is a 'Dedicated User Enabled' and 'Dedicated User' selection/drop-down under replication creation task and I've of course tried to hook my local desired replication user to this job but no luv.

Can anyone help/point me in the right direction or shed some light on possible solutions?

Would be GREATLY appreciated. 6 pack o' virtual beers or real ones if you are local to me for resolution or guidance.

Thx, sorry for the long-rambling response and complex issue...assuming this may be a tough one or not a lot of takers unless you are DEEP w/ FreeNAS experience...I'm at my wits end w/ this.


~whitey
 

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
Anyone know how to do this?...thinking more from multi-tenancy perspective. Tried to create a normal user and get replication going that way but does not work.

Questions that come to mind are:

Do ZFS dataset permissions come into play?
Does the replication user need to own the ZFS dataset?
Do sudo privs need to be engaged or wheel group membership permitted? (would not think so as this kinda defeats the purpose)
I have absolutely zero FreeNAS / NAS4Free experience, but the underlying FreeBSD supports delegating ZFS privileges to users or groups. I suggest using a dedicated backup user and delegating to that user.

Code:
(1:101) gate:~terry# man zfs
ZFS(8)  FreeBSD System Manager's Manual  ZFS(8)

NAME
  zfs -- configures ZFS file systems

SYNOPSIS
...
  zfs allow filesystem|volume
  zfs allow [-ldug] user|group[,user|group]... perm|@setname[,perm|@setname]... filesystem|volume
  zfs allow [-ld] -e|everyone perm|@setname[,perm|@setname]... filesystem|volume
  zfs allow -c perm|@setname[,perm|@setname]... filesystem|volume
  zfs allow -s @setname perm|@setname[,perm|@setname]... filesystem|volume
  zfs unallow [-rldug] user|group[,user|group]... [perm|@setname[,perm|@setname]...] filesystem|volume
  zfs unallow [-rld] -e|everyone [perm|@setname[,perm|@setname]...] filesystem|volume
  zfs unallow [-r] -c [perm|@setname[,perm|@setname]...] filesystem|volume
  zfs unallow [-r] -s @setname [perm|@setname[,perm|@setname]...] filesystem|volume
...
  zfs allow filesystem|volume

  Displays permissions that have been delegated on the specified
  filesystem or volume. See the other forms of "zfs allow" for more
  information.

  zfs allow [-ldug] user|group[,user|group]... perm|@setname[,perm|@setname]... filesystem|volume

  zfs allow [-ld] -e|everyone perm|@setname[,perm|@setname]... filesystem|volume

  Delegates ZFS administration permission for the file systems to non-privileged users.

  [-ug] user|group[, user|group]...
  Specifies to whom the permissions are delegated. Multiple entities can be specified as a comma-separated list. If neither of the -ug options are specified, then the argument is interpreted preferentially as the keyword everyone, then as a user name, and lastly as a group name. To specify a user or group named "everyone", use the -u or -g options. To specify a group with the same name as a user, use the -g option.

  [-e|everyone]
  Specifies that the permissions be delegated to "everyone".

  perm|@setname[,perm|@setname]...
  The permissions to delegate. Multiple permissions may be specified as a comma-separated list. Permission names are the same as ZFS subcommand and property names. See the property list below. Property set names, which begin with an at sign (@), may be specified. See the -s form below for details.

  [-ld] filesystem|volume
  Specifies where the permissions are delegated. If neither of the -ld options are specified, or both are, then the permissions are allowed for the file system or volume, and all of its descendents. If only the -l option is used, then is allowed "locally" only for the specified file system. If only the -d option is used, then is allowed only for the descendent file systems.

  Permissions are generally the ability to use a ZFS subcommand or
  change a ZFS property. The following permissions are available:
  NAME        TYPE        NOTES
  allow       subcommand  Must also have the permission that is being allowed
  clone       subcommand  Must also have the 'create' ability and 'mount' ability in the origin file system
  create      subcommand  Must also have the 'mount' ability
  destroy     subcommand  Must also have the 'mount' ability
  diff        subcommand  Allows lookup of paths within a dataset given an object number, and the ability to create snapshots necessary to 'zfs diff'
  hold        subcommand  Allows adding a user hold to a snapshot
  mount       subcommand  Allows mount/umount of ZFS datasets
  promote     subcommand  Must also have the 'mount' and 'promote' ability in the origin file system
  receive     subcommand  Must also have the 'mount' and 'create' ability
  release     subcommand  Allows releasing a user hold which might destroy the snapshot
  rename      subcommand  Must also have the 'mount' and 'create' ability in the new parent
  rollback    subcommand  Must also have the 'mount' ability
  send        subcommand
  share       subcommand  Allows sharing file systems over the NFS protocol
  snapshot    subcommand  Must also have the 'mount' ability
  groupquota  other       Allows accessing any groupquota@... property
  groupused   other       Allows reading any groupused@... property
  userprop    other       Allows changing any user property
  userquota   other       Allows accessing any userquota@... property
  userused    other       Allows reading any userused@... property
...
 
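The delegation Terry points at, worked through as an added example (not FreeNAS or FreeBSD project code): the sending side only needs to snapshot and stream, the receiving side only needs to receive and create/mount what arrives, and the check at the bottom parses the listing form of `zfs allow` so you can confirm the grant landed on the right user before the first replication run. The user name "backup", the datasets "tank/data" and "backup/data", and the sample listing are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not FreeNAS or FreeBSD project code: grant a dedicated
# replication user only the ZFS permissions it needs, then confirm the grant
# by parsing the listing form of `zfs allow`. Placeholders: user "backup",
# source dataset "tank/data", destination dataset "backup/data".

# Sending side: take and hold snapshots, and stream them.
SRC_PERMS="send,snapshot,hold,release"
# Receiving side: accept streams and create/mount the datasets they produce.
# 'rollback' and 'destroy' are needed only if the receiver prunes old
# snapshots or runs `zfs receive -F`; drop them otherwise.
DST_PERMS="receive,create,mount,rollback,destroy"

# perms_for ROLE -> prints the permission list for "source" or "destination".
perms_for() {
  case "$1" in
    source)      echo "$SRC_PERMS" ;;
    destination) echo "$DST_PERMS" ;;
    *) echo "perms_for: unknown role '$1'" >&2; return 1 ;;
  esac
}

# allow_cmd ROLE USER DATASET -> prints the one-time (root) grant command.
# -u pins the name to a user; without it a same-named group or the keyword
# "everyone" could be chosen instead (see the [-ug] text in zfs(8)).
allow_cmd() {
  _p=$(perms_for "$1") || return 1
  echo "zfs allow -u $2 $_p $3"
}

# has_perms USER REQUIRED_CSV   (reads `zfs allow DATASET` output on stdin)
# Returns 0 only when every permission in REQUIRED_CSV is on a line of the
# form "user USER perm,perm,...". Group and "everyone" grants are ignored on
# purpose: the check is about this user's own delegation.
has_perms() {
  _user=$1; _req=$2; _missing=""
  # Join all "user NAME perms" lines for NAME into one comma-separated list.
  _granted=$(awk -v u="$_user" \
    '$1 == "user" && $2 == u { printf "%s%s", sep, $3; sep = "," }')
  [ -n "$_granted" ] || { echo "no delegation to $_user" >&2; return 1; }
  _old_ifs=$IFS; IFS=,
  for _p in $_req; do
    case ",$_granted," in
      *",$_p,"*) ;;
      *) _missing="$_missing $_p" ;;
    esac
  done
  IFS=$_old_ifs
  [ -z "$_missing" ] || { echo "missing for $_user:$_missing" >&2; return 1; }
}

# Constructed sample of `zfs allow tank/data` after the source-side grant,
# in the listing layout FreeBSD prints (assumed; used by the check below).
SAMPLE_ALLOW_OUTPUT="---- Permissions on tank/data ----------------------------------------
Local+Descendent permissions:
        user backup send,snapshot,hold,release"

# Usage on the host that owns the dataset:
#   sh zfs-delegate.sh apply source backup tank/data
#   sh zfs-delegate.sh apply destination backup backup/data
#   sh zfs-delegate.sh check backup tank/data "$SRC_PERMS"
case "${1:-}" in
  apply) allow_cmd "$2" "$3" "$4" && zfs allow -u "$3" "$(perms_for "$2")" "$4" ;;
  check) zfs allow "$3" | has_perms "$2" "$4" && echo "ok: $2 has $4 on $3" ;;
esac
```

Two caveats worth checking on your own release before blaming the delegation: on FreeBSD a delegated `mount` permission only helps a non-root user if the `vfs.usermount` sysctl allows user mounts (zfs(8) on the box is the authority), and the `check` mode above deliberately reports a missing grant when the permission arrived via a group or `everyone`, since a multi-tenant setup usually wants each tenant's user named explicitly.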

whitey

Moderator
Jun 30, 2014
Yeah I tend to concur a 'zfs allow' cmd may be necessary.

Anyone wanna take a stab or test FreeNAS replication using a non-root user end-to-end and give me the dummy manual? Shouldn't take long to test if anyone has had a requirement to implement this or done this before.
 

whitey

Moderator
Jun 30, 2014
No one here huh?...bummer. May have to hit the freenode/freenas IRC or forums.
 

Patrick

Administrator
Staff member
Dec 21, 2010
No time to test this over the next few weeks. Busy around here. If you did want to try this out, a VM would probably be a quick way to do it.
 

whitey

Moderator
Jun 30, 2014
That's what I am attempting to test, two AIO/vt-D FreeNAS setups. VMs would be a quick way for others to test/validate if they are interested in diving in. Tinkered w/ it a bit a few days ago, had to step away, one of those 'step away and maybe you will have an ah-ha moment' kinda things.

or...one of the super smart/sharp FreeNAS STH gurus would come out of the woodwork and show us newbies an end-to-end guide.

Wishful thinking maybe but this community ALWAYS comes through! :-D
 

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
or...one of the super smart/sharp FreeNAS STH gurus would come out of the woodwork and show us newbies an end-to-end guide.

Wishful thinking maybe but this community ALWAYS comes through! :-D
While it doesn't go into using a non-privileged user, I added a section on replication to my RAIDzilla 2.5 article. That should be enough to get fast replication going (as root) on a FreeBSD-based system. Once you have that working, try delegating ZFS privileges to a regular user. It "should" continue to work. On my hardware, I get replication speed of around 700MByte/sec.

Comments and questions welcome - probably best to keep them in this thread here.
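One more piece that the thread's ssh-key setup (whitey's per-user keys in authorized_keys, replication over ssh as in Terry's write-up) leaves open: once the replication user has delegated `receive` on the destination, the key that logs in as that user should not be able to run anything else. The wrapper below is an added example, not FreeNAS or FreeBSD project code; it is installed as an OpenSSH forced command (`command="..."` in authorized_keys, which hands the client's request to the script in `SSH_ORIGINAL_COMMAND`) and only passes through `zfs receive` into one dataset subtree. The path /usr/local/bin/zfs-recv-only, the user "backup" and the subtree "backup/tenant1" are placeholders.

```shell
#!/bin/sh
# Added example, not FreeNAS or FreeBSD project code: a forced-command wrapper
# for the replication user's SSH key on the destination host. The key can then
# only run `zfs receive` into one dataset subtree, so a key lifted from a
# source box (or one tenant's box) cannot run anything else as that user.
# Placeholders: install path /usr/local/bin/zfs-recv-only, user "backup",
# subtree "backup/tenant1". The authorized_keys line on the destination
# becomes (one line):
#   command="/usr/local/bin/zfs-recv-only backup/tenant1",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...(key)... backup@src

# allowed_command PREFIX "COMMAND"
# Returns 0 only if COMMAND is `zfs receive`/`zfs recv` whose target dataset
# is PREFIX or lies below it, and contains no shell metacharacters.
allowed_command() {
  _prefix=$1; _cmd=$2
  [ -n "$_prefix" ] || return 1          # wrapper misconfigured: refuse all
  # Reject anything that could turn word-splitting into a second command.
  if printf '%s' "$_cmd" | grep -q '[;&|`$<>()]'; then
    return 1
  fi
  set -f                                 # no globbing while splitting words
  set -- $_cmd
  set +f
  [ "${1:-}" = "zfs" ] || return 1
  case "${2:-}" in receive|recv) ;; *) return 1 ;; esac
  [ $# -ge 3 ] || return 1
  for _target; do :; done                # the target dataset is the last word
  case "$_target" in
    "$_prefix" | "$_prefix"/*) return 0 ;;
  esac
  return 1
}

# Entry point when invoked by sshd: the client's request is in
# SSH_ORIGINAL_COMMAND and the permitted subtree is this script's argument.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  if allowed_command "${1:-}" "$SSH_ORIGINAL_COMMAND"; then
    set -f
    set -- $SSH_ORIGINAL_COMMAND
    exec "$@"
  fi
  # Refusals are worth logging: they are either a misconfigured sender or
  # someone using the replication key for something other than replication.
  logger -p auth.warning -t zfs-recv-only "refused: $SSH_ORIGINAL_COMMAND"
  echo "zfs-recv-only: command not permitted" >&2
  exit 1
fi
```

The policy is deliberately narrow: the prefix match is on whole dataset names (backup/tenant10 is not under backup/tenant1), `zfs send`, `destroy` and shell access are refused, and the `no-*` key options stop the key from being used for port forwarding or a pty. `zfs receive -F` is still allowed here because some replication jobs need it; if the receiver should never be able to roll the destination back, drop `rollback` from its `zfs allow` grant as well rather than relying on this wrapper alone.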