mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2024-12-25 18:59:33 +03:00
4ed5e25074
This allows ZFS datasets to be delegated to a user/mount namespace Within that namespace, only the delegated datasets are visible Works very similarly to Zones/Jailes on other ZFS OSes As a user: ``` $ unshare -Um $ zfs list no datasets available $ echo $$ 1234 ``` As root: ``` # zfs list NAME ZONED MOUNTPOINT containers off /containers containers/host off /containers/host containers/host/child off /containers/host/child containers/host/child/gchild off /containers/host/child/gchild containers/unpriv on /unpriv containers/unpriv/child on /unpriv/child containers/unpriv/child/gchild on /unpriv/child/gchild # zfs zone /proc/1234/ns/user containers/unpriv ``` Back to the user namespace: ``` $ zfs list NAME USED AVAIL REFER MOUNTPOINT containers 129M 47.8G 24K /containers containers/unpriv 128M 47.8G 24K /unpriv containers/unpriv/child 128M 47.8G 128M /unpriv/child ``` Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Will Andrews <will.andrews@klarasystems.com> Signed-off-by: Allan Jude <allan@klarasystems.com> Signed-off-by: Mateusz Piotrowski <mateusz.piotrowski@klarasystems.com> Co-authored-by: Allan Jude <allan@klarasystems.com> Co-authored-by: Mateusz Piotrowski <mateusz.piotrowski@klarasystems.com> Sponsored-by: Buddy <https://buddy.works> Closes #12263
117 lines
3.6 KiB
Groff
117 lines
3.6 KiB
Groff
.\"
|
|
.\" CDDL HEADER START
|
|
.\"
|
|
.\" The contents of this file are subject to the terms of the
|
|
.\" Common Development and Distribution License (the "License").
|
|
.\" You may not use this file except in compliance with the License.
|
|
.\"
|
|
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
.\" or http://www.opensolaris.org/os/licensing.
|
|
.\" See the License for the specific language governing permissions
|
|
.\" and limitations under the License.
|
|
.\"
|
|
.\" When distributing Covered Code, include this CDDL HEADER in each
|
|
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
.\" If applicable, add the following below this CDDL HEADER, with the
|
|
.\" fields enclosed by brackets "[]" replaced with your own identifying
|
|
.\" information: Portions Copyright [yyyy] [name of copyright owner]
|
|
.\"
|
|
.\" CDDL HEADER END
|
|
.\"
|
|
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
|
|
.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
|
|
.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
|
|
.\" Copyright (c) 2011, Pawel Jakub Dawidek <pjd@FreeBSD.org>
|
|
.\" Copyright (c) 2012, Glen Barber <gjb@FreeBSD.org>
|
|
.\" Copyright (c) 2012, Bryan Drewery <bdrewery@FreeBSD.org>
|
|
.\" Copyright (c) 2013, Steven Hartland <smh@FreeBSD.org>
|
|
.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
|
|
.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
|
|
.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
|
|
.\" Copyright (c) 2014 Integros [integros.com]
|
|
.\" Copyright (c) 2014, Xin LI <delphij@FreeBSD.org>
|
|
.\" Copyright (c) 2014-2015, The FreeBSD Foundation, All Rights Reserved.
|
|
.\" Copyright (c) 2016 Nexenta Systems, Inc. All Rights Reserved.
|
|
.\" Copyright 2019 Richard Laager. All rights reserved.
|
|
.\" Copyright 2018 Nexenta Systems, Inc.
|
|
.\" Copyright 2019 Joyent, Inc.
|
|
.\" Copyright 2021 Klara, Inc.
|
|
.\"
|
|
.Dd June 3, 2022
|
|
.Dt ZFS-ZONE 8
|
|
.Os
|
|
.
|
|
.Sh NAME
|
|
.Nm zfs-zone ,
|
|
.Nm zfs-unzone
|
|
.Nd attach and detach ZFS filesystems to user namespaces
|
|
.Sh SYNOPSIS
|
|
.Nm zfs Cm zone
|
|
.Ar nsfile
|
|
.Ar filesystem
|
|
.Nm zfs Cm unzone
|
|
.Ar nsfile
|
|
.Ar filesystem
|
|
.
|
|
.Sh DESCRIPTION
|
|
.Bl -tag -width ""
|
|
.It Xo
|
|
.Nm zfs
|
|
.Cm zone
|
|
.Ar nsfile
|
|
.Ar filesystem
|
|
.Xc
|
|
Attach the specified
|
|
.Ar filesystem
|
|
to the user namespace identified by
|
|
.Ar nsfile .
|
|
From now on this file system tree can be managed from within a user namespace
|
|
if the
|
|
.Sy zoned
|
|
property has been set.
|
|
.Pp
|
|
You cannot attach a zoned dataset's children to another user namespace.
|
|
You can also not attach the root file system
|
|
of the user namespace or any dataset
|
|
which needs to be mounted before the zfs service
|
|
is run inside the user namespace,
|
|
as it would be attached unmounted until it is
|
|
mounted from the service inside the user namespace.
|
|
.Pp
|
|
To allow management of the dataset from within a user namespace, the
|
|
.Sy zoned
|
|
property has to be set and the user namespaces needs access to the
|
|
.Pa /dev/zfs
|
|
device.
|
|
The
|
|
.Sy quota
|
|
property cannot be changed from within a user namespace.
|
|
.Pp
|
|
After a dataset is attached to a user namespace and the
|
|
.Sy zoned
|
|
property is set,
|
|
a zoned file system cannot be mounted outside the user namespace,
|
|
since the user namespace administrator might have set the mount point
|
|
to an unacceptable value.
|
|
.It Xo
|
|
.Nm zfs
|
|
.Cm unzone
|
|
.Ar nsfile
|
|
.Ar filesystem
|
|
.Xc
|
|
Detach the specified
|
|
.Ar filesystem
|
|
from the user namespace identified by
|
|
.Ar nsfile .
|
|
.El
|
|
.Sh EXAMPLES
|
|
.Ss Example 1 : No Delegating a Dataset to a User Namespace
|
|
The following example delegates the
|
|
.Ar tank/users
|
|
dataset to a user namespace identified by user namespace file
|
|
.Pa /proc/1234/ns/user .
|
|
.Dl # Nm zfs Cm zone Ar /proc/1234/ns/user Ar tank/users
|
|
.
|
|
.Sh SEE ALSO
|
|
.Xr zfsprops 7
|