Skip to content
Mac OSX mobile accounts using ZFS snapshots
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Mac OSX mobile accounts using ZFS snapshots

  • Each user account has the home directory on an own ZFS filesystem.
  • A snapshot of the home filesystem is created on logout and transfered to the server.
  • On user login all missing snapshots are transfered from the server to the client so that the home filesystem of the user contains the most recent data.
  • Snapshots are automatically thinned by ZFS-Timemachine.
  • On client, local ZFS oerations happen as root user.
  • Authentication on the server by SSH public key as user 'zfs_mobile_sync'.
  • Remote shell is restricted by lshell for ZFS use only.


Server setup

  • User accounts are stored in LDAP.
  • Create parent filesystem for user profiles on zpool 'data':
zfs create -o canmount=off data/profiles
  • Add local user account 'zfs_mobile_sync' with 'lshell' as login shell:
useradd -m -s /usr/bin/lshell -g users -G lshell zfs_mobile_sync
  • Modify /etc/lshell.conf:
allowed         : ['zfs']
env_path        : ':/usr/local/bin:/usr/sbin:/sbin'
scp             : 0
sftp            : 0
overssh         : ['zfs']

Client setup

  • Configure LDAP server for user authentication.
  • Shrink system partition or use separate disk:
diskutil cs resizeStack disk1 550g jhfs+ ZFS 200g
zpool create data /dev/disk1s4
zfs set compression=lz4 data
zfs set atime=off data
zfs set data
zfs set canmount=off data
zfs create -o canmount=off data/profiles
  • Install ZFS-TimeMachine at /usr/local/ZFS-TimeMachine:
cd /usr/local
git clone
  • Place login hook script at '/usr/local/bin/'
  • Place logout hook script at '/usr/local/bin/'
  • Modify script variables 'ZFS_SRC', 'ZFS_DEST', 'SERVER', 'SYNC_GROUP', 'REMOTE_USER'
  • Activate hooks:
chmod +x /usr/local/bin/
chmod +x /usr/local/bin/
sudo defaults write LogoutHook /usr/local/bin/
sudo defaults write LoginHook /usr/local/bin/
  • Become root user, create SSH public key and import hostkey of server:
sudo -i
ssh-keygen -b 4096
ssh-keyscan SERVER >>.ssh/known_hosts
  • Add SSH public key of root user on server in file '.ssh/authorized_keys' of user 'zfs_mobile_sync'

Creating new mobile users

  • Create user account 'user123' in LDAP and add to group 'zfs_mobile_sync'.
  • Create filesystem 'data/profiles/user123' with mountpoint '/Users/user123' on server:
zfs create -o mountpoint=/Users/user123 -o canmount=noauto data/profiles/user123
  • Add permissions for user 'zfs_mobile_sync' on server:
zfs allow zfs_mobile_sync create,destroy,snapshot,mount,send,receive data/profiles/user123
  • Create filesystem 'data/profiles/user123' with mountpoint '/Users/user123' on client and set ownership:
zfs create -o mountpoint=/Users/user123 -o data/profiles/user123
chown -R user123:staff /Users/user123
  • Log in as user on client.
  • Log out.
  • Check if ZFS snaphosts have been transfered to server.
  • See also logfiles /var/log/zfs_receive_from_server.log and /var/log/zfs_send_to_server.log


  • Home folders are synchronized completely.
  • Use of ZFS features: compression, checksums, snapshots.
  • Transfer of changed data should be faster than file-based approaches like rsync.


  • Specific files / folders can't be excluded from the transfer.
  • No graphical status / progress output on login / logout while transfer is happening, only shell output / syslog.
You can’t perform that action at this time.