Can zfssnap role be restricted to specific filesystems? If not, I'd be concerned about allowing too much power...

-----Original Message-----
From: Jamon Camisso [mailto:jamonat...@gmail.com]
Sent: Sunday, May 01, 2011 11:50 AM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] zfs snapshot script

On 5/1/2011 9:46 AM, Matt Connolly wrote:
> Hi all,
>
> I'm putting together a script to create zfs snapshots after a backup has been completed (via Apple TimeMachine or rsync for example). When I'm logged into the machine, I can only access the "zfs snapshot" command as root via "sudo" or "pfexec". Neither of these are available directly from a ssh command. For example:
>
> client$ ssh user@server
> server$ sudo zfs snapshot blah@blah -> works
> ..or..
> server$ pfexec zfs snapshot blah@blah -> works
>
> ..but..
>
> client$ ssh user@host zfs snapshot blah -> fails = permission denied
> client$ ssh user@host pfexec zfs snapshot blah -> fails = permission denied
> client$ ssh user@host sudo zfs snapshot blah -> fails = sudo: no tty present and no askpass program specified
>
> What would be the best practice for creating a zfs snapshot based on an external trigger (eg: message from client after a successful backup).

Allow the backup user to have the zfssnap role with RBAC. With that set you can run something like this:

    DATE=$(date +%Y-%m-%d-%H:%M)
    ssh user@10.0.0.x "pfexec /usr/sbin/zfs snapshot BACKUPS/foohost@$DATE"

Proof that it works (though I didn't run an actual backup, so there's no new data):

    ~ # ssh user@10.0.0.x "/usr/sbin/zfs list -H -r -t snapshot BACKUPS/foohost" |tail -n 1
    BACKUPS/foohost@2011-05-01-11:38 0 - 13.3G -

Jamon

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss