adduser(8): support creation of ZFS dataset #881
Conversation
Whoops. Maybe resubmit in a few hours? 😅 |
|
I simplified the code with your suggestions @delphij. This revision just adds a dataset if the parent resides on a dataset like you mentioned. I'll get to work on adding encryption in a later revision. Thanks again! |
|
Discovered bug during installation in chrooted environment. The skeleton data for the user's home directory is copied into the underlying user directory instead of the mounted dataset. Marking this draft until I resolve the issue. |
usr.sbin/adduser/adduser.sh
Outdated
| @@ -202,6 +203,8 @@ save_config() { | |||
| echo "msgfile=$msgfile" >> ${ADDUSERCONF} | |||
| echo "disableflag=$disableflag" >> ${ADDUSERCONF} | |||
| echo "uidstart=$uidstart" >> ${ADDUSERCONF} | |||
| echo "Zflag=$Zflag" >> ${ADDUSERCONF} | |||
There was a problem hiding this comment.
I'd maybe call this zfscreate=no, just to be a little more obvious from the name
There was a problem hiding this comment.
Good call. I changed both Zencrypt and Zcreate to yes/no bools to remove confusion.
usr.sbin/adduser/adduser.sh
Outdated
| @@ -202,6 +203,8 @@ save_config() { | |||
| echo "msgfile=$msgfile" >> ${ADDUSERCONF} | |||
| echo "disableflag=$disableflag" >> ${ADDUSERCONF} | |||
| echo "uidstart=$uidstart" >> ${ADDUSERCONF} | |||
| echo "Zflag=$Zflag" >> ${ADDUSERCONF} | |||
| echo "Zencrypt=$Zencrypt" >> ${ADDUSERCONF} | |||
There was a problem hiding this comment.
I don't see a manpage addition for Zencrypt, but with a more descriptive name for Zflag you could make that instead a tri-state: zfscreate=yes|no|encrypted
There was a problem hiding this comment.
You're right, Zflag is super confusing! I set Zcreate and Zencrypt to yes/no bools but didn't implement the tri-state since the two booleans seem to "flow" better in the script.
| # Determine if homeprefix is located on a ZFS filesystem and if | ||
| # so, enable ZFS home dataset creation. | ||
| # | ||
| get_zfs_home() { |
There was a problem hiding this comment.
This seems like it would override a configured Zflag=no, but I'm also not sure I understand the logic; zfs list would exit 0 if it found a prefix, and -z "${zfs_homeprefix} would flip Zflag on if we didn't detect a prefix.
There's an additional caveat that using zfs will trigger a load of zfs.ko on purely ufs systems; I'd recommend bailing out before calling it if kldstat -q -m zfs indicates that zfs isn't there
There was a problem hiding this comment.
Oh, right, Zflag means "no zfs dataset"... the name is definitely getting me here.
| Zencrypt= | ||
| break | ||
| ;; | ||
| [Yy][Ee][Ss]|[Yy][Ee]|[Yy]) |
There was a problem hiding this comment.
I think accepting "ye" is a little nonstandard; this should probably just be a case-insensitive "yes" or case-insensitive "y"
There was a problem hiding this comment.
I agree, it's a bit strange. However, I followed the user input convention already used in the script.
usr.sbin/adduser/adduser.sh
Outdated
| echo -n "$_prompt" | ||
| read _input | ||
|
|
||
| [ -z "$_input" ] && _input=Zencrypt |
There was a problem hiding this comment.
The prompt describes "no" as the default, but this seems to be trying to use the current value of Zencrypt as the default? (But it should have been $Zencrypt... this should probably be no to match the prompt, though)
There was a problem hiding this comment.
That's a bug, fixed.
usr.sbin/adduser/adduser.sh
Outdated
| # | ||
| create_zfs_chrooted_dataset() { | ||
| ${ZFSCMD} create -u ${zfsopt} "${zhome}" | ||
| if [ "$?" -ne 0 ]; then |
There was a problem hiding this comment.
More concisely written as:
if ! ${ZFSCMD} create ...
usr.sbin/adduser/adduser.sh
Outdated
| # Create ZFS dataset owned by the user that was just added. | ||
| # | ||
| create_zfs_dataset() { | ||
| ${ZFSCMD} create ${zfsopt} "${zhome}" |
There was a problem hiding this comment.
Ditto above; you're not using the exit code otherwise, might as well just test it directly
usr.sbin/adduser/adduser.sh
Outdated
| # Give new user ownership of newly created zfs dataset. | ||
| # | ||
| set_zfs_perms() { | ||
| ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot "${zhome}" |
Thanks Kyle! |
|
@kevans91 and go ahead and commit this? |
| @@ -32,7 +32,7 @@ | |||
| .Nd command for adding new users | |||
| .Sh SYNOPSIS | |||
| .Nm | |||
| .Op Fl CDENShq | |||
| .Op Fl CDENSZhq | |||
| # create ZFS dataset before home directory is created with pw | ||
| if [ "${Zcreate}" = "yes" ]; then | ||
| if [ "${Zencrypt}" = "yes" ]; then | ||
| echo "Enter encryption keyphrase for ZFS dataset (${zhome}):" |
There was a problem hiding this comment.
This doesn't look like it is prompting for anything or passing the results along, why not?
There was a problem hiding this comment.
"zfs create" actually asks for the passphrase when encryption is requested but doesn't give any indication on what it's for. The echo lets the user know what the coming password request is for.
|
Just a nit an a quick question |
On systems utilizing ZFS, default to creating a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. Add a flag that disables this behavior if the administrator explicitly does not want it. If run during installation from within a chroot, set mountpoint to legacy after dataset creation and mount directly into the chroot. Then umount and reset the mountpoint to inherit from parent. Also support ZFS default encryption on user's home directory.
|
merged. Thanks! |
On systems utilizing ZFS, default to creating a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. Add a flag that disables this behavior if the administrator explicitly does not want it. If run during installation from within a chroot, set mountpoint to legacy after dataset creation and mount directly into the chroot. Then umount and reset the mountpoint to inherit from parent. Also support ZFS default encryption on user's home directory. Feedback by: delphij Reviewed by: imp, kevans Pull Request: #881
On systems utilizing ZFS, default to creating a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. Add a flag that disables this behavior if the administrator explicitly does not want it. If run during installation from within a chroot, set mountpoint to legacy after dataset creation and mount directly into the chroot. Then umount and reset the mountpoint to inherit from parent. Also support ZFS default encryption on user's home directory. Feedback by: delphij Reviewed by: imp, kevans Pull Request: #881 (cherry picked from commit 215c0a5)
On systems utilizing ZFS, default to creating a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. Add a flag that disables this behavior if the administrator explicitly does not want it. If run during installation from within a chroot, set mountpoint to legacy after dataset creation and mount directly into the chroot. Then umount and reset the mountpoint to inherit from parent. Also support ZFS default encryption on user's home directory. Feedback by: delphij Reviewed by: imp, kevans Pull Request: #881 (cherry picked from commit 215c0a5)
On systems utilizing ZFS, default to creating a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. Add a flag that disables this behavior if the administrator explicitly does not want it.
If run during installation from within a chroot, set mountpoint to legacy after dataset creation and mount directly into the chroot. Then umount and reset the mountpoint to inherit from parent.
Also support ZFS default encryption on user's home directory.
Requested here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263234