Illumos #1884, #3028, #3048, #3049, #3060, #3061, #3093
1884 Empty "used" field for zfs *space commands
3028 zfs {group,user}space -n prints (null) instead of numeric GID/UID
3048 zfs {user,group}space [-s|-S] is broken
3049 zfs {user,group}space -t doesn't really filter the results
3060 zfs {user,group}space -H output isn't tab-delimited
3061 zfs {user,group}space -o doesn't use specified fields order
3093 zfs {user,group}space's -i is noop
Reviewed by: Garry Mills <gary_mills@fastmail.fm>
Reviewed by: Eric Schrock <eric.schrock@delphix.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
References:
illumos/illumos-gate@89f5d17b06fc4132c983112b24836a779a0ed736
illumos changeset: 13803:b5e49d71ff0e
https://www.illumos.org/issues/1884
https://www.illumos.org/issues/3028
https://www.illumos.org/issues/3048
https://www.illumos.org/issues/3049
https://www.illumos.org/issues/3060
https://www.illumos.org/issues/3061
https://www.illumos.org/issues/3093
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1194
2013-01-10 22:25:47 +00:00
|
|
|
|
.\"
|
|
|
|
|
.\" CDDL HEADER START
|
|
|
|
|
.\"
|
|
|
|
|
.\" The contents of this file are subject to the terms of the
|
|
|
|
|
.\" Common Development and Distribution License (the "License").
|
|
|
|
|
.\" You may not use this file except in compliance with the License.
|
|
|
|
|
.\"
|
|
|
|
|
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
|
|
|
.\" or http://www.opensolaris.org/os/licensing.
|
|
|
|
|
.\" See the License for the specific language governing permissions
|
|
|
|
|
.\" and limitations under the License.
|
|
|
|
|
.\"
|
|
|
|
|
.\" When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
|
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
|
.\" If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
|
.\" fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
|
.\" information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
|
.\"
|
|
|
|
|
.\" CDDL HEADER END
|
|
|
|
|
.\"
|
|
|
|
|
.\"
|
2009-12-12 00:15:33 +00:00
|
|
|
|
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
|
Illumos #1884, #3028, #3048, #3049, #3060, #3061, #3093
1884 Empty "used" field for zfs *space commands
3028 zfs {group,user}space -n prints (null) instead of numeric GID/UID
3048 zfs {user,group}space [-s|-S] is broken
3049 zfs {user,group}space -t doesn't really filter the results
3060 zfs {user,group}space -H output isn't tab-delimited
3061 zfs {user,group}space -o doesn't use specified fields order
3093 zfs {user,group}space's -i is noop
Reviewed by: Garry Mills <gary_mills@fastmail.fm>
Reviewed by: Eric Schrock <eric.schrock@delphix.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
References:
illumos/illumos-gate@89f5d17b06fc4132c983112b24836a779a0ed736
illumos changeset: 13803:b5e49d71ff0e
https://www.illumos.org/issues/1884
https://www.illumos.org/issues/3028
https://www.illumos.org/issues/3048
https://www.illumos.org/issues/3049
https://www.illumos.org/issues/3060
https://www.illumos.org/issues/3061
https://www.illumos.org/issues/3093
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1194
2013-01-10 22:25:47 +00:00
|
|
|
|
.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
|
2018-02-08 16:35:09 +00:00
|
|
|
|
.\" Copyright (c) 2011, 2017 by Delphix. All rights reserved.
|
2013-01-23 09:54:30 +00:00
|
|
|
|
.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
|
|
|
|
|
.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
|
|
|
|
|
.\" Copyright (c) 2014 Integros [integros.com]
|
2016-05-11 13:15:20 +00:00
|
|
|
|
.\" Copyright 2016 Richard Laager. All rights reserved.
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.\" Copyright 2017 Nexenta Systems, Inc.
|
Illumos #1884, #3028, #3048, #3049, #3060, #3061, #3093
1884 Empty "used" field for zfs *space commands
3028 zfs {group,user}space -n prints (null) instead of numeric GID/UID
3048 zfs {user,group}space [-s|-S] is broken
3049 zfs {user,group}space -t doesn't really filter the results
3060 zfs {user,group}space -H output isn't tab-delimited
3061 zfs {user,group}space -o doesn't use specified fields order
3093 zfs {user,group}space's -i is noop
Reviewed by: Garry Mills <gary_mills@fastmail.fm>
Reviewed by: Eric Schrock <eric.schrock@delphix.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
References:
illumos/illumos-gate@89f5d17b06fc4132c983112b24836a779a0ed736
illumos changeset: 13803:b5e49d71ff0e
https://www.illumos.org/issues/1884
https://www.illumos.org/issues/3028
https://www.illumos.org/issues/3048
https://www.illumos.org/issues/3049
https://www.illumos.org/issues/3060
https://www.illumos.org/issues/3061
https://www.illumos.org/issues/3093
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1194
2013-01-10 22:25:47 +00:00
|
|
|
|
.\"
|
2017-12-06 05:19:31 +00:00
|
|
|
|
.Dd January 10, 2018
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Dt ZFS 8 SMM
|
|
|
|
|
.Os Linux
|
|
|
|
|
.Sh NAME
|
|
|
|
|
.Nm zfs
|
|
|
|
|
.Nd configures ZFS file systems
|
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
|
.Nm
|
|
|
|
|
.Fl ?
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm create
|
|
|
|
|
.Op Fl p
|
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm create
|
|
|
|
|
.Op Fl ps
|
|
|
|
|
.Op Fl b Ar blocksize
|
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Fl V Ar size Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm destroy
|
|
|
|
|
.Op Fl Rfnprv
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm destroy
|
|
|
|
|
.Op Fl Rdnprv
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns @ Ns Ar snap Ns
|
|
|
|
|
.Oo % Ns Ar snap Ns Oo , Ns Ar snap Ns Oo % Ns Ar snap Oc Oc Oc Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm destroy
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns # Ns Ar bookmark
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm snapshot
|
|
|
|
|
.Op Fl r
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ar filesystem Ns @ Ns Ar snapname Ns | Ns Ar volume Ns @ Ns Ar snapname Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rollback
|
|
|
|
|
.Op Fl Rfr
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm clone
|
|
|
|
|
.Op Fl p
|
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Ar snapshot Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm promote
|
|
|
|
|
.Ar clone-filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rename
|
|
|
|
|
.Op Fl f
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rename
|
|
|
|
|
.Op Fl fp
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rename
|
|
|
|
|
.Fl r
|
|
|
|
|
.Ar snapshot Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm list
|
|
|
|
|
.Op Fl r Ns | Ns Fl d Ar depth
|
|
|
|
|
.Op Fl Hp
|
|
|
|
|
.Oo Fl o Ar property Ns Oo , Ns Ar property Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar property Oc Ns ...
|
|
|
|
|
.Oo Fl S Ar property Oc Ns ...
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Oo Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Oc Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm set
|
|
|
|
|
.Ar property Ns = Ns Ar value Oo Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm get
|
|
|
|
|
.Op Fl r Ns | Ns Fl d Ar depth
|
|
|
|
|
.Op Fl Hp
|
|
|
|
|
.Oo Fl o Ar field Ns Oo , Ns Ar field Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar source Ns Oo , Ns Ar source Oc Ns ... Oc
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Cm all | Ar property Ns Oo , Ns Ar property Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Ns | Ns Ar bookmark Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm inherit
|
|
|
|
|
.Op Fl rS
|
|
|
|
|
.Ar property Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm upgrade
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm upgrade
|
|
|
|
|
.Fl v
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm upgrade
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Op Fl V Ar version
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm userspace
|
|
|
|
|
.Op Fl Hinp
|
|
|
|
|
.Oo Fl o Ar field Ns Oo , Ns Ar field Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl S Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm groupspace
|
|
|
|
|
.Op Fl Hinp
|
|
|
|
|
.Oo Fl o Ar field Ns Oo , Ns Ar field Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl S Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm mount
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm mount
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Op Fl Olv
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Op Fl o Ar options
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unmount
|
|
|
|
|
.Op Fl f
|
|
|
|
|
.Fl a | Ar filesystem Ns | Ns Ar mountpoint
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm share
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unshare
|
|
|
|
|
.Fl a | Ar filesystem Ns | Ns Ar mountpoint
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm bookmark
|
|
|
|
|
.Ar snapshot bookmark
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm send
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Op Fl DLPRcenpvw
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm send
|
2017-09-08 22:24:31 +00:00
|
|
|
|
.Op Fl LPcenvw
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Op Fl i Ar snapshot Ns | Ns Ar bookmark
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm send
|
|
|
|
|
.Op Fl Penv
|
|
|
|
|
.Fl t Ar receive_resume_token
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm receive
|
|
|
|
|
.Op Fl Fnsuv
|
|
|
|
|
.Op Fl o Sy origin Ns = Ns Ar snapshot
|
|
|
|
|
.Op Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
.Op Fl x Ar property
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm receive
|
|
|
|
|
.Op Fl Fnsuv
|
|
|
|
|
.Op Fl d Ns | Ns Fl e
|
|
|
|
|
.Op Fl o Sy origin Ns = Ns Ar snapshot
|
|
|
|
|
.Op Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
.Op Fl x Ar property
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm receive
|
|
|
|
|
.Fl A
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Op Fl dglu
|
|
|
|
|
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Op Fl dl
|
|
|
|
|
.Fl e Ns | Ns Sy everyone
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Fl c
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Fl s No @ Ns Ar setname
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl dglru
|
|
|
|
|
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl dlr
|
|
|
|
|
.Fl e Ns | Ns Sy everyone
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Fl c
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Fl s @ Ns Ar setname
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm hold
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Ar tag Ar snapshot Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm holds
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Ar snapshot Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm release
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Ar tag Ar snapshot Ns ...
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm diff
|
|
|
|
|
.Op Fl FHt
|
|
|
|
|
.Ar snapshot Ar snapshot Ns | Ns Ar filesystem
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Nm
|
2018-02-08 16:16:23 +00:00
|
|
|
|
.Cm program
|
2018-02-08 16:35:09 +00:00
|
|
|
|
.Op Fl n
|
2018-02-08 16:16:23 +00:00
|
|
|
|
.Op Fl t Ar timeout
|
|
|
|
|
.Op Fl m Ar memory_limit
|
|
|
|
|
.Ar pool script
|
|
|
|
|
.Op Ar arg1 No ...
|
|
|
|
|
.Nm
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Cm load-key
|
|
|
|
|
.Op Fl nr
|
|
|
|
|
.Op Fl L Ar keylocation
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unload-key
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm change-key
|
|
|
|
|
.Op Fl l
|
|
|
|
|
.Op Fl o Ar keylocation Ns = Ns Ar value
|
|
|
|
|
.Op Fl o Ar keyformat Ns = Ns Ar value
|
|
|
|
|
.Op Fl o Ar pbkdf2iters Ns = Ns Ar value
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm change-key
|
|
|
|
|
.Fl i
|
|
|
|
|
.Op Fl l
|
|
|
|
|
.Ar filesystem
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
|
The
|
|
|
|
|
.Nm
|
|
|
|
|
command configures ZFS datasets within a ZFS storage pool, as described in
|
|
|
|
|
.Xr zpool 8 .
|
|
|
|
|
A dataset is identified by a unique path within the ZFS namespace.
|
|
|
|
|
For example:
|
|
|
|
|
.Bd -literal
|
2009-12-12 00:15:33 +00:00
|
|
|
|
pool/{filesystem,volume,snapshot}
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
where the maximum length of a dataset name is
|
|
|
|
|
.Dv MAXNAMELEN
|
|
|
|
|
.Pq 256 bytes .
|
|
|
|
|
.Pp
|
2009-12-12 00:15:33 +00:00
|
|
|
|
A dataset can be one of the following:
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Bl -tag -width "file system"
|
|
|
|
|
.It Sy file system
|
|
|
|
|
A ZFS dataset of type
|
|
|
|
|
.Sy filesystem
|
|
|
|
|
can be mounted within the standard system namespace and behaves like other file
|
|
|
|
|
systems.
|
|
|
|
|
While ZFS file systems are designed to be POSIX compliant, known issues exist
|
|
|
|
|
that prevent compliance in some cases.
|
|
|
|
|
Applications that depend on standards conformance might fail due to non-standard
|
|
|
|
|
behavior when checking file system free space.
|
|
|
|
|
.It Sy volume
|
|
|
|
|
A logical volume exported as a raw or block device.
|
|
|
|
|
This type of dataset should only be used under special circumstances.
|
|
|
|
|
File systems are typically used in most environments.
|
|
|
|
|
.It Sy snapshot
|
|
|
|
|
A read-only version of a file system or volume at a given point in time.
|
|
|
|
|
It is specified as
|
|
|
|
|
.Ar filesystem Ns @ Ns Ar name
|
|
|
|
|
or
|
|
|
|
|
.Ar volume Ns @ Ns Ar name .
|
|
|
|
|
.It Sy bookmark
|
|
|
|
|
Much like a
|
|
|
|
|
.Sy snapshot ,
|
|
|
|
|
but without the hold on on-disk data. It can be used as the source of a send
|
|
|
|
|
(but not for a receive). It is specified as
|
|
|
|
|
.Ar filesystem Ns # Ns Ar name
|
|
|
|
|
or
|
|
|
|
|
.Ar volume Ns # Ns Ar name .
|
|
|
|
|
.El
|
|
|
|
|
.Ss ZFS File System Hierarchy
|
|
|
|
|
A ZFS storage pool is a logical collection of devices that provide space for
|
|
|
|
|
datasets.
|
|
|
|
|
A storage pool is also the root of the ZFS file system hierarchy.
|
|
|
|
|
.Pp
|
|
|
|
|
The root of the pool can be accessed as a file system, such as mounting and
|
|
|
|
|
unmounting, taking snapshots, and setting properties.
|
|
|
|
|
The physical storage characteristics, however, are managed by the
|
|
|
|
|
.Xr zpool 8
|
|
|
|
|
command.
|
|
|
|
|
.Pp
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool 8
|
|
|
|
|
for more information on creating and administering pools.
|
|
|
|
|
.Ss Snapshots
|
|
|
|
|
A snapshot is a read-only copy of a file system or volume.
|
|
|
|
|
Snapshots can be created extremely quickly, and initially consume no additional
|
|
|
|
|
space within the pool.
|
|
|
|
|
As data within the active dataset changes, the snapshot consumes more data than
|
|
|
|
|
would otherwise be shared with the active dataset.
|
|
|
|
|
.Pp
|
|
|
|
|
Snapshots can have arbitrary names.
|
|
|
|
|
Snapshots of volumes can be cloned or rolled back, visibility is determined
|
|
|
|
|
by the
|
|
|
|
|
.Sy snapdev
|
|
|
|
|
property of the parent volume.
|
|
|
|
|
.Pp
|
|
|
|
|
File system snapshots can be accessed under the
|
|
|
|
|
.Pa .zfs/snapshot
|
|
|
|
|
directory in the root of the file system.
|
|
|
|
|
Snapshots are automatically mounted on demand and may be unmounted at regular
|
|
|
|
|
intervals.
|
|
|
|
|
The visibility of the
|
|
|
|
|
.Pa .zfs
|
|
|
|
|
directory can be controlled by the
|
|
|
|
|
.Sy snapdir
|
|
|
|
|
property.
|
|
|
|
|
.Ss Bookmarks
|
|
|
|
|
A bookmark is like a snapshot, a read-only copy of a file system or volume.
|
|
|
|
|
Bookmarks can be created extremely quickly, compared to snapshots, and they
|
|
|
|
|
consume no additional space within the pool. Bookmarks can also have arbitrary
|
|
|
|
|
names, much like snapshots.
|
|
|
|
|
.Pp
|
|
|
|
|
Unlike snapshots, bookmarks can not be accessed through the filesystem in any
|
|
|
|
|
way. From a storage standpoint a bookmark just provides a way to reference
|
|
|
|
|
when a snapshot was created as a distinct object. Bookmarks are initially
|
|
|
|
|
tied to a snapshot, not the filesystem or volume, and they will survive if the
|
|
|
|
|
snapshot itself is destroyed. Since they are very light weight there's little
|
|
|
|
|
incentive to destroy them.
|
|
|
|
|
.Ss Clones
|
|
|
|
|
A clone is a writable volume or file system whose initial contents are the same
|
|
|
|
|
as another dataset.
|
|
|
|
|
As with snapshots, creating a clone is nearly instantaneous, and initially
|
|
|
|
|
consumes no additional space.
|
|
|
|
|
.Pp
|
|
|
|
|
Clones can only be created from a snapshot.
|
|
|
|
|
When a snapshot is cloned, it creates an implicit dependency between the parent
|
|
|
|
|
and child.
|
|
|
|
|
Even though the clone is created somewhere else in the dataset hierarchy, the
|
|
|
|
|
original snapshot cannot be destroyed as long as a clone exists.
|
|
|
|
|
The
|
|
|
|
|
.Sy origin
|
|
|
|
|
property exposes this dependency, and the
|
|
|
|
|
.Cm destroy
|
|
|
|
|
command lists any such dependencies, if they exist.
|
|
|
|
|
.Pp
|
|
|
|
|
The clone parent-child dependency relationship can be reversed by using the
|
|
|
|
|
.Cm promote
|
|
|
|
|
subcommand.
|
|
|
|
|
This causes the
|
|
|
|
|
.Qq origin
|
|
|
|
|
file system to become a clone of the specified file system, which makes it
|
|
|
|
|
possible to destroy the file system that the clone was created from.
|
|
|
|
|
.Ss "Mount Points"
|
|
|
|
|
Creating a ZFS file system is a simple operation, so the number of file systems
|
|
|
|
|
per system is likely to be numerous.
|
|
|
|
|
To cope with this, ZFS automatically manages mounting and unmounting file
|
|
|
|
|
systems without the need to edit the
|
|
|
|
|
.Pa /etc/fstab
|
|
|
|
|
file.
|
|
|
|
|
All automatically managed file systems are mounted by ZFS at boot time.
|
|
|
|
|
.Pp
|
|
|
|
|
By default, file systems are mounted under
|
|
|
|
|
.Pa /path ,
|
|
|
|
|
where
|
|
|
|
|
.Ar path
|
|
|
|
|
is the name of the file system in the ZFS namespace.
|
|
|
|
|
Directories are created and destroyed as needed.
|
|
|
|
|
.Pp
|
|
|
|
|
A file system can also have a mount point set in the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property.
|
|
|
|
|
This directory is created as needed, and ZFS automatically mounts the file
|
|
|
|
|
system when the
|
|
|
|
|
.Nm zfs Cm mount Fl a
|
|
|
|
|
command is invoked
|
|
|
|
|
.Po without editing
|
|
|
|
|
.Pa /etc/fstab
|
|
|
|
|
.Pc .
|
|
|
|
|
The
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property can be inherited, so if
|
|
|
|
|
.Em pool/home
|
|
|
|
|
has a mount point of
|
|
|
|
|
.Pa /export/stuff ,
|
|
|
|
|
then
|
|
|
|
|
.Em pool/home/user
|
|
|
|
|
automatically inherits a mount point of
|
|
|
|
|
.Pa /export/stuff/user .
|
|
|
|
|
.Pp
|
|
|
|
|
A file system
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property of
|
|
|
|
|
.Sy none
|
|
|
|
|
prevents the file system from being mounted.
|
|
|
|
|
.Pp
|
|
|
|
|
If needed, ZFS file systems can also be managed with traditional tools
|
|
|
|
|
.Po
|
|
|
|
|
.Nm mount ,
|
|
|
|
|
.Nm umount ,
|
|
|
|
|
.Pa /etc/fstab
|
|
|
|
|
.Pc .
|
|
|
|
|
If a file system's mount point is set to
|
|
|
|
|
.Sy legacy ,
|
|
|
|
|
ZFS makes no attempt to manage the file system, and the administrator is
|
2017-10-30 20:18:26 +00:00
|
|
|
|
responsible for mounting and unmounting the file system. Because pools must
|
|
|
|
|
be imported before a legacy mount can succeed, administrators should ensure
|
|
|
|
|
that legacy mounts are only attempted after the zpool import process
|
|
|
|
|
finishes at boot time. For example, on machines using systemd, the mount
|
|
|
|
|
option
|
|
|
|
|
.Pp
|
|
|
|
|
.Nm x-systemd.requires=zfs-import.target
|
|
|
|
|
.Pp
|
|
|
|
|
will ensure that the zfs-import completes before systemd attempts mounting
|
|
|
|
|
the filesystem. See systemd.mount(5) for details.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ss Deduplication
|
|
|
|
|
Deduplication is the process for removing redundant data at the block level,
|
|
|
|
|
reducing the total amount of data stored. If a file system has the
|
|
|
|
|
.Sy dedup
|
|
|
|
|
property enabled, duplicate data blocks are removed synchronously. The result
|
|
|
|
|
is that only unique data is stored and common components are shared among files.
|
|
|
|
|
.Pp
|
|
|
|
|
Deduplicating data is a very resource-intensive operation. It is generally
|
|
|
|
|
recommended that you have at least 1.25 GiB of RAM per 1 TiB of storage when
|
|
|
|
|
you enable deduplication. Calculating the exact requirement depends heavily
|
|
|
|
|
on the type of data stored in the pool.
|
|
|
|
|
.Pp
|
|
|
|
|
Enabling deduplication on an improperly-designed system can result in
|
|
|
|
|
performance issues (slow IO and administrative operations). It can potentially
|
|
|
|
|
lead to problems importing a pool due to memory exhaustion. Deduplication
|
|
|
|
|
can consume significant processing power (CPU) and memory as well as generate
|
|
|
|
|
additional disk IO.
|
|
|
|
|
.Pp
|
|
|
|
|
Before creating a pool with deduplication enabled, ensure that you have planned
|
|
|
|
|
your hardware requirements appropriately and implemented appropriate recovery
|
|
|
|
|
practices, such as regular backups. As an alternative to deduplication
|
|
|
|
|
consider using
|
2017-09-08 22:21:58 +00:00
|
|
|
|
.Sy compression=on ,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
as a less resource-intensive alternative.
|
|
|
|
|
.Ss Native Properties
|
|
|
|
|
Properties are divided into two types, native properties and user-defined
|
|
|
|
|
.Po or
|
|
|
|
|
.Qq user
|
|
|
|
|
.Pc
|
|
|
|
|
properties.
|
|
|
|
|
Native properties either export internal statistics or control ZFS behavior.
|
|
|
|
|
In addition, native properties are either editable or read-only.
|
|
|
|
|
User properties have no effect on ZFS behavior, but you can use them to annotate
|
|
|
|
|
datasets in a way that is meaningful in your environment.
|
|
|
|
|
For more information about user properties, see the
|
|
|
|
|
.Sx User Properties
|
|
|
|
|
section, below.
|
|
|
|
|
.Pp
|
|
|
|
|
Every dataset has a set of properties that export statistics about the dataset
|
|
|
|
|
as well as control various behaviors.
|
|
|
|
|
Properties are inherited from the parent unless overridden by the child.
|
|
|
|
|
Some properties apply only to certain types of datasets
|
|
|
|
|
.Pq file systems, volumes, or snapshots .
|
|
|
|
|
.Pp
|
|
|
|
|
The values of numeric properties can be specified using human-readable suffixes
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy k ,
|
|
|
|
|
.Sy KB ,
|
|
|
|
|
.Sy M ,
|
|
|
|
|
.Sy Gb ,
|
|
|
|
|
and so forth, up to
|
|
|
|
|
.Sy Z
|
|
|
|
|
for zettabyte
|
|
|
|
|
.Pc .
|
|
|
|
|
The following are all valid
|
|
|
|
|
.Pq and equal
|
|
|
|
|
specifications:
|
|
|
|
|
.Li 1536M, 1.5g, 1.50GB .
|
|
|
|
|
.Pp
|
|
|
|
|
The values of non-numeric properties are case sensitive and must be lowercase,
|
|
|
|
|
except for
|
|
|
|
|
.Sy mountpoint ,
|
|
|
|
|
.Sy sharenfs ,
|
|
|
|
|
and
|
|
|
|
|
.Sy sharesmb .
|
|
|
|
|
.Pp
|
|
|
|
|
The following native properties consist of read-only statistics about the
|
|
|
|
|
dataset.
|
|
|
|
|
These properties can be neither set, nor inherited.
|
|
|
|
|
Native properties apply to all dataset types unless otherwise noted.
|
|
|
|
|
.Bl -tag -width "usedbyrefreservation"
|
|
|
|
|
.It Sy available
|
|
|
|
|
The amount of space available to the dataset and all its children, assuming that
|
|
|
|
|
there is no other activity in the pool.
|
|
|
|
|
Because space is shared within a pool, availability can be limited by any number
|
|
|
|
|
of factors, including physical pool size, quotas, reservations, or other
|
|
|
|
|
datasets within the pool.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy avail .
|
|
|
|
|
.It Sy compressratio
|
|
|
|
|
For non-snapshots, the compression ratio achieved for the
|
|
|
|
|
.Sy used
|
|
|
|
|
space of this dataset, expressed as a multiplier.
|
|
|
|
|
The
|
|
|
|
|
.Sy used
|
|
|
|
|
property includes descendant datasets, and, for clones, does not include the
|
|
|
|
|
space shared with the origin snapshot.
|
|
|
|
|
For snapshots, the
|
|
|
|
|
.Sy compressratio
|
|
|
|
|
is the same as the
|
|
|
|
|
.Sy refcompressratio
|
|
|
|
|
property.
|
|
|
|
|
Compression can be turned on by running:
|
|
|
|
|
.Nm zfs Cm set Sy compression Ns = Ns Sy on Ar dataset .
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy off .
|
|
|
|
|
.It Sy createtxg
|
|
|
|
|
The transaction group (txg) in which the dataset was created. Bookmarks have
|
|
|
|
|
the same
|
|
|
|
|
.Sy createtxg
|
|
|
|
|
as the snapshot they are initially tied to. This property is suitable for
|
|
|
|
|
ordering a list of snapshots, e.g. for incremental send and receive.
|
|
|
|
|
.It Sy creation
|
2009-12-12 00:15:33 +00:00
|
|
|
|
The time this dataset was created.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy clones
|
|
|
|
|
For snapshots, this property is a comma-separated list of filesystems or volumes
|
|
|
|
|
which are clones of this snapshot.
|
|
|
|
|
The clones'
|
|
|
|
|
.Sy origin
|
|
|
|
|
property is this snapshot.
|
|
|
|
|
If the
|
|
|
|
|
.Sy clones
|
|
|
|
|
property is not empty, then this snapshot can not be destroyed
|
|
|
|
|
.Po even with the
|
|
|
|
|
.Fl r
|
|
|
|
|
or
|
|
|
|
|
.Fl f
|
|
|
|
|
options
|
|
|
|
|
.Pc .
|
|
|
|
|
The roles of origin and clone can be swapped by promoting the clone with the
|
|
|
|
|
.Nm zfs Cm promote
|
|
|
|
|
command.
|
|
|
|
|
.It Sy defer_destroy
|
|
|
|
|
This property is
|
|
|
|
|
.Sy on
|
|
|
|
|
if the snapshot has been marked for deferred destroy by using the
|
|
|
|
|
.Nm zfs Cm destroy Fl d
|
|
|
|
|
command.
|
|
|
|
|
Otherwise, the property is
|
|
|
|
|
.Sy off .
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Sy encryptionroot
|
|
|
|
|
For encrypted datasets, indicates where the dataset is currently inheriting its
|
|
|
|
|
encryption key from. Loading or unloading a key for the
|
|
|
|
|
.Sy encryptionroot
|
|
|
|
|
will implicitly load / unload the key for any inheriting datasets (see
|
|
|
|
|
.Nm zfs Cm load-key
|
|
|
|
|
and
|
|
|
|
|
.Nm zfs Cm unload-key
|
|
|
|
|
for details).
|
|
|
|
|
Clones will always share an
|
|
|
|
|
encryption key with their origin. See the
|
|
|
|
|
.Sx Encryption
|
|
|
|
|
section for details.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy filesystem_count
|
|
|
|
|
The total number of filesystems and volumes that exist under this location in
|
|
|
|
|
the dataset tree.
|
|
|
|
|
This value is only available when a
|
|
|
|
|
.Sy filesystem_limit
|
|
|
|
|
has been set somewhere in the tree under which the dataset resides.
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Sy keystatus
|
|
|
|
|
Indicates if an encryption key is currently loaded into ZFS. The possible
|
|
|
|
|
values are
|
|
|
|
|
.Sy none ,
|
|
|
|
|
.Sy available ,
|
|
|
|
|
and
|
|
|
|
|
.Sy unavailable .
|
|
|
|
|
See
|
|
|
|
|
.Nm zfs Cm load-key
|
|
|
|
|
and
|
|
|
|
|
.Nm zfs Cm unload-key .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy guid
|
|
|
|
|
The 64 bit GUID of this dataset or bookmark which does not change over its
|
|
|
|
|
entire lifetime. When a snapshot is sent to another pool, the received
|
|
|
|
|
snapshot has the same GUID. Thus, the
|
|
|
|
|
.Sy guid
|
|
|
|
|
is suitable to identify a snapshot across pools.
|
|
|
|
|
.It Sy logicalreferenced
|
|
|
|
|
The amount of space that is
|
|
|
|
|
.Qq logically
|
|
|
|
|
accessible by this dataset.
|
|
|
|
|
See the
|
|
|
|
|
.Sy referenced
|
|
|
|
|
property.
|
|
|
|
|
The logical space ignores the effect of the
|
|
|
|
|
.Sy compression
|
|
|
|
|
and
|
|
|
|
|
.Sy copies
|
|
|
|
|
properties, giving a quantity closer to the amount of data that applications
|
|
|
|
|
see.
|
|
|
|
|
However, it does include space consumed by metadata.
|
|
|
|
|
.Pp
|
2013-02-22 09:23:09 +00:00
|
|
|
|
This property can also be referred to by its shortened column name,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sy lrefer .
|
|
|
|
|
.It Sy logicalused
|
|
|
|
|
The amount of space that is
|
|
|
|
|
.Qq logically
|
|
|
|
|
consumed by this dataset and all its descendents.
|
|
|
|
|
See the
|
|
|
|
|
.Sy used
|
|
|
|
|
property.
|
|
|
|
|
The logical space ignores the effect of the
|
|
|
|
|
.Sy compression
|
|
|
|
|
and
|
|
|
|
|
.Sy copies
|
|
|
|
|
properties, giving a quantity closer to the amount of data that applications
|
|
|
|
|
see.
|
2013-02-22 09:23:09 +00:00
|
|
|
|
However, it does include space consumed by metadata.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pp
|
2013-02-22 09:23:09 +00:00
|
|
|
|
This property can also be referred to by its shortened column name,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sy lused .
|
|
|
|
|
.It Sy mounted
|
|
|
|
|
For file systems, indicates whether the file system is currently mounted.
|
|
|
|
|
This property can be either
|
|
|
|
|
.Sy yes
|
|
|
|
|
or
|
|
|
|
|
.Sy no .
|
|
|
|
|
.It Sy origin
|
|
|
|
|
For cloned file systems or volumes, the snapshot from which the clone was
|
|
|
|
|
created.
|
|
|
|
|
See also the
|
|
|
|
|
.Sy clones
|
2011-07-26 19:23:00 +00:00
|
|
|
|
property.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy receive_resume_token
|
|
|
|
|
For filesystems or volumes which have saved partially-completed state from
|
|
|
|
|
.Sy zfs receive -s ,
|
|
|
|
|
this opaque token can be provided to
|
|
|
|
|
.Sy zfs send -t
|
|
|
|
|
to resume and complete the
|
|
|
|
|
.Sy zfs receive .
|
|
|
|
|
.It Sy referenced
|
|
|
|
|
The amount of data that is accessible by this dataset, which may or may not be
|
|
|
|
|
shared with other datasets in the pool.
|
|
|
|
|
When a snapshot or clone is created, it initially references the same amount of
|
|
|
|
|
space as the file system or snapshot it was created from, since its contents are
|
|
|
|
|
identical.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy refer .
|
|
|
|
|
.It Sy refcompressratio
|
|
|
|
|
The compression ratio achieved for the
|
|
|
|
|
.Sy referenced
|
|
|
|
|
space of this dataset, expressed as a multiplier.
|
|
|
|
|
See also the
|
|
|
|
|
.Sy compressratio
|
|
|
|
|
property.
|
|
|
|
|
.It Sy snapshot_count
|
|
|
|
|
The total number of snapshots that exist under this location in the dataset
|
|
|
|
|
tree.
|
|
|
|
|
This value is only available when a
|
|
|
|
|
.Sy snapshot_limit
|
|
|
|
|
has been set somewhere in the tree under which the dataset resides.
|
|
|
|
|
.It Sy type
|
|
|
|
|
The type of dataset:
|
|
|
|
|
.Sy filesystem ,
|
|
|
|
|
.Sy volume ,
|
|
|
|
|
or
|
|
|
|
|
.Sy snapshot .
|
|
|
|
|
.It Sy used
|
|
|
|
|
The amount of space consumed by this dataset and all its descendents.
|
|
|
|
|
This is the value that is checked against this dataset's quota and reservation.
|
|
|
|
|
The space used does not include this dataset's reservation, but does take into
|
|
|
|
|
account the reservations of any descendent datasets.
|
|
|
|
|
The amount of space that a dataset consumes from its parent, as well as the
|
|
|
|
|
amount of space that is freed if this dataset is recursively destroyed, is the
|
|
|
|
|
greater of its space used and its reservation.
|
|
|
|
|
.Pp
|
|
|
|
|
The used space of a snapshot
|
|
|
|
|
.Po see the
|
|
|
|
|
.Sx Snapshots
|
|
|
|
|
section
|
|
|
|
|
.Pc
|
|
|
|
|
is space that is referenced exclusively by this snapshot.
|
|
|
|
|
If this snapshot is destroyed, the amount of
|
|
|
|
|
.Sy used
|
|
|
|
|
space will be freed.
|
|
|
|
|
Space that is shared by multiple snapshots isn't accounted for in this metric.
|
|
|
|
|
When a snapshot is destroyed, space that was previously shared with this
|
|
|
|
|
snapshot can become unique to snapshots adjacent to it, thus changing the used
|
|
|
|
|
space of those snapshots.
|
|
|
|
|
The used space of the latest snapshot can also be affected by changes in the
|
|
|
|
|
file system.
|
|
|
|
|
Note that the
|
|
|
|
|
.Sy used
|
|
|
|
|
space of a snapshot is a subset of the
|
|
|
|
|
.Sy written
|
|
|
|
|
space of the snapshot.
|
|
|
|
|
.Pp
|
|
|
|
|
The amount of space used, available, or referenced does not take into account
|
|
|
|
|
pending changes.
|
|
|
|
|
Pending changes are generally accounted for within a few seconds.
|
|
|
|
|
Committing a change to a disk using
|
|
|
|
|
.Xr fsync 2
|
|
|
|
|
or
|
|
|
|
|
.Dv O_SYNC
|
|
|
|
|
does not necessarily guarantee that the space usage information is updated
|
|
|
|
|
immediately.
|
|
|
|
|
.It Sy usedby*
|
|
|
|
|
The
|
|
|
|
|
.Sy usedby*
|
|
|
|
|
properties decompose the
|
|
|
|
|
.Sy used
|
|
|
|
|
properties into the various reasons that space is used.
|
|
|
|
|
Specifically,
|
|
|
|
|
.Sy used No =
|
|
|
|
|
.Sy usedbychildren No +
|
|
|
|
|
.Sy usedbydataset No +
|
|
|
|
|
.Sy usedbyrefreservation No +
|
|
|
|
|
.Sy usedbysnapshots .
|
|
|
|
|
These properties are only available for datasets created on
|
|
|
|
|
.Nm zpool
|
|
|
|
|
.Qo version 13 Qc
|
|
|
|
|
pools.
|
|
|
|
|
.It Sy usedbychildren
|
|
|
|
|
The amount of space used by children of this dataset, which would be freed if
|
|
|
|
|
all the dataset's children were destroyed.
|
|
|
|
|
.It Sy usedbydataset
|
|
|
|
|
The amount of space used by this dataset itself, which would be freed if the
|
|
|
|
|
dataset were destroyed
|
|
|
|
|
.Po after first removing any
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
and destroying any necessary snapshots or descendents
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Sy usedbyrefreservation
|
|
|
|
|
The amount of space used by a
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
set on this dataset, which would be freed if the
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
was removed.
|
|
|
|
|
.It Sy usedbysnapshots
|
|
|
|
|
The amount of space consumed by snapshots of this dataset.
|
|
|
|
|
In particular, it is the amount of space that would be freed if all of this
|
|
|
|
|
dataset's snapshots were destroyed.
|
|
|
|
|
Note that this is not simply the sum of the snapshots'
|
|
|
|
|
.Sy used
|
|
|
|
|
properties because space can be shared by multiple snapshots.
|
|
|
|
|
.It Sy userused Ns @ Ns Em user
|
|
|
|
|
The amount of space consumed by the specified user in this dataset.
|
|
|
|
|
Space is charged to the owner of each file, as displayed by
|
|
|
|
|
.Nm ls Fl l .
|
|
|
|
|
The amount of space charged is displayed by
|
|
|
|
|
.Nm du
|
|
|
|
|
and
|
|
|
|
|
.Nm ls Fl s .
|
|
|
|
|
See the
|
|
|
|
|
.Nm zfs Cm userspace
|
|
|
|
|
subcommand for more information.
|
|
|
|
|
.Pp
|
|
|
|
|
Unprivileged users can access only their own space usage.
|
|
|
|
|
The root user, or a user who has been granted the
|
|
|
|
|
.Sy userused
|
|
|
|
|
privilege with
|
|
|
|
|
.Nm zfs Cm allow ,
|
|
|
|
|
can access everyone's usage.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy userused Ns @ Ns Em ...
|
|
|
|
|
properties are not displayed by
|
|
|
|
|
.Nm zfs Cm get Sy all .
|
|
|
|
|
The user's name must be appended after the @ symbol, using one of the following
|
|
|
|
|
forms:
|
|
|
|
|
.Bl -bullet -width ""
|
|
|
|
|
.It
|
|
|
|
|
.Em POSIX name
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy joe
|
|
|
|
|
.Pc
|
|
|
|
|
.It
|
|
|
|
|
.Em POSIX numeric ID
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy 789
|
|
|
|
|
.Pc
|
|
|
|
|
.It
|
|
|
|
|
.Em SID name
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy joe.smith@mydomain
|
|
|
|
|
.Pc
|
|
|
|
|
.It
|
|
|
|
|
.Em SID numeric ID
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy S-1-123-456-789
|
|
|
|
|
.Pc
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
2017-03-20 22:14:28 +00:00
|
|
|
|
Files created on Linux always have POSIX owners.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy userobjused Ns @ Ns Em user
|
|
|
|
|
The
|
|
|
|
|
.Sy userobjused
|
|
|
|
|
property is similar to
|
|
|
|
|
.Sy userused
|
|
|
|
|
but instead it counts the number of objects consumed by a user. This property
|
|
|
|
|
counts all objects allocated on behalf of the user, it may differ from the
|
|
|
|
|
results of system tools such as
|
|
|
|
|
.Nm df Fl i .
|
|
|
|
|
.Pp
|
|
|
|
|
When the property
|
|
|
|
|
.Sy xattr=on
|
|
|
|
|
is set on a file system additional objects will be created per-file to store
|
|
|
|
|
extended attributes. These additional objects are reflected in the
|
|
|
|
|
.Sy userobjused
|
|
|
|
|
value and are counted against the user's
|
|
|
|
|
.Sy userobjquota .
|
|
|
|
|
When a file system is configured to use
|
|
|
|
|
.Sy xattr=sa
|
|
|
|
|
no additional internal objects are normally required.
|
|
|
|
|
.It Sy userrefs
|
|
|
|
|
This property is set to the number of user holds on this snapshot.
|
|
|
|
|
User holds are set by using the
|
|
|
|
|
.Nm zfs Cm hold
|
|
|
|
|
command.
|
|
|
|
|
.It Sy groupused Ns @ Ns Em group
|
|
|
|
|
The amount of space consumed by the specified group in this dataset.
|
|
|
|
|
Space is charged to the group of each file, as displayed by
|
|
|
|
|
.Nm ls Fl l .
|
|
|
|
|
See the
|
|
|
|
|
.Sy userused Ns @ Ns Em user
|
|
|
|
|
property for more information.
|
|
|
|
|
.Pp
|
|
|
|
|
Unprivileged users can only access their own groups' space usage.
|
|
|
|
|
The root user, or a user who has been granted the
|
|
|
|
|
.Sy groupused
|
|
|
|
|
privilege with
|
|
|
|
|
.Nm zfs Cm allow ,
|
|
|
|
|
can access all groups' usage.
|
|
|
|
|
.It Sy groupobjused Ns @ Ns Em group
|
|
|
|
|
The number of objects consumed by the specified group in this dataset.
|
|
|
|
|
Multiple objects may be charged to the group for each file when extended
|
|
|
|
|
attributes are in use. See the
|
|
|
|
|
.Sy userobjused Ns @ Ns Em user
|
|
|
|
|
property for more information.
|
|
|
|
|
.Pp
|
|
|
|
|
Unprivileged users can only access their own groups' space usage.
|
|
|
|
|
The root user, or a user who has been granted the
|
|
|
|
|
.Sy groupobjused
|
|
|
|
|
privilege with
|
|
|
|
|
.Nm zfs Cm allow ,
|
|
|
|
|
can access all groups' usage.
|
|
|
|
|
.It Sy volblocksize
|
|
|
|
|
For volumes, specifies the block size of the volume.
|
|
|
|
|
The
|
|
|
|
|
.Sy blocksize
|
|
|
|
|
cannot be changed once the volume has been written, so it should be set at
|
|
|
|
|
volume creation time.
|
|
|
|
|
The default
|
|
|
|
|
.Sy blocksize
|
|
|
|
|
for volumes is 8 Kbytes.
|
|
|
|
|
Any power of 2 from 512 bytes to 128 Kbytes is valid.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy volblock .
|
|
|
|
|
.It Sy written
|
|
|
|
|
The amount of space
|
|
|
|
|
.Sy referenced
|
|
|
|
|
by this dataset, that was written since the previous snapshot
|
|
|
|
|
.Pq i.e. that is not referenced by the previous snapshot .
|
|
|
|
|
.It Sy written Ns @ Ns Em snapshot
|
|
|
|
|
The amount of
|
|
|
|
|
.Sy referenced
|
|
|
|
|
space written to this dataset since the specified snapshot.
|
|
|
|
|
This is the space that is referenced by this dataset but was not referenced by
|
|
|
|
|
the specified snapshot.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Em snapshot
|
|
|
|
|
may be specified as a short snapshot name
|
|
|
|
|
.Po just the part after the
|
|
|
|
|
.Sy @
|
|
|
|
|
.Pc ,
|
|
|
|
|
in which case it will be interpreted as a snapshot in the same filesystem as
|
|
|
|
|
this dataset.
|
|
|
|
|
The
|
|
|
|
|
.Em snapshot
|
|
|
|
|
may be a full snapshot name
|
|
|
|
|
.Po Em filesystem Ns @ Ns Em snapshot Pc ,
|
|
|
|
|
which for clones may be a snapshot in the origin's filesystem
|
|
|
|
|
.Pq or the origin of the origin's filesystem, etc.
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
The following native properties can be used to change the behavior of a ZFS
|
|
|
|
|
dataset.
|
|
|
|
|
.Bl -tag -width ""
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy aclinherit Ns = Ns Sy discard Ns | Ns Sy noallow Ns | Ns
|
|
|
|
|
.Sy restricted Ns | Ns Sy passthrough Ns | Ns Sy passthrough-x
|
|
|
|
|
.Xc
|
|
|
|
|
Controls how ACEs are inherited when files and directories are created.
|
|
|
|
|
.Bl -tag -width "passthrough-x"
|
|
|
|
|
.It Sy discard
|
|
|
|
|
does not inherit any ACEs.
|
|
|
|
|
.It Sy noallow
|
|
|
|
|
only inherits inheritable ACEs that specify
|
|
|
|
|
.Qq deny
|
|
|
|
|
permissions.
|
|
|
|
|
.It Sy restricted
|
|
|
|
|
default, removes the
|
|
|
|
|
.Sy write_acl
|
|
|
|
|
and
|
|
|
|
|
.Sy write_owner
|
|
|
|
|
permissions when the ACE is inherited.
|
|
|
|
|
.It Sy passthrough
|
|
|
|
|
inherits all inheritable ACEs without any modifications.
|
|
|
|
|
.It Sy passthrough-x
|
|
|
|
|
same meaning as
|
|
|
|
|
.Sy passthrough ,
|
|
|
|
|
except that the
|
|
|
|
|
.Sy owner@ ,
|
|
|
|
|
.Sy group@ ,
|
|
|
|
|
and
|
|
|
|
|
.Sy everyone@
|
|
|
|
|
ACEs inherit the execute permission only if the file creation mode also requests
|
|
|
|
|
the execute bit.
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
When the property value is set to
|
|
|
|
|
.Sy passthrough ,
|
|
|
|
|
files are created with a mode determined by the inheritable ACEs.
|
|
|
|
|
If no inheritable ACEs exist that affect the mode, then the mode is set in
|
|
|
|
|
accordance to the requested mode from the application.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy aclinherit
|
|
|
|
|
property does not apply to posix ACLs.
|
|
|
|
|
.It Sy acltype Ns = Ns Sy off Ns | Ns Sy noacl Ns | Ns Sy posixacl
|
|
|
|
|
Controls whether ACLs are enabled and if so what type of ACL to use.
|
|
|
|
|
.Bl -tag -width "posixacl"
|
|
|
|
|
.It Sy off
|
|
|
|
|
default, when a file system has the
|
|
|
|
|
.Sy acltype
|
|
|
|
|
property set to off then ACLs are disabled.
|
|
|
|
|
.It Sy noacl
|
|
|
|
|
an alias for
|
|
|
|
|
.Sy off
|
|
|
|
|
.It Sy posixacl
|
|
|
|
|
indicates posix ACLs should be used. Posix ACLs are specific to Linux and are
|
|
|
|
|
not functional on other platforms. Posix ACLs are stored as an extended
|
|
|
|
|
attribute and therefore will not overwrite any existing NFSv4 ACLs which
|
|
|
|
|
may be set.
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
To obtain the best performance when setting
|
|
|
|
|
.Sy posixacl
|
|
|
|
|
users are strongly encouraged to set the
|
|
|
|
|
.Sy xattr=sa
|
|
|
|
|
property. This will result in the posix ACL being stored more efficiently on
|
|
|
|
|
disk. But as a consequence of this all new extended attributes will only be
|
|
|
|
|
accessible from OpenZFS implementations which support the
|
|
|
|
|
.Sy xattr=sa
|
|
|
|
|
property. See the
|
|
|
|
|
.Sy xattr
|
|
|
|
|
property for more details.
|
|
|
|
|
.It Sy atime Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether the access time for files is updated when they are read.
|
|
|
|
|
Turning this property off avoids producing write traffic when reading files and
|
|
|
|
|
can result in significant performance gains, though it might confuse mailers
|
|
|
|
|
and other similar utilities. The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy atime
|
|
|
|
|
and
|
|
|
|
|
.Sy noatime
|
|
|
|
|
mount options. The default value is
|
|
|
|
|
.Sy on .
|
|
|
|
|
See also
|
|
|
|
|
.Sy relatime
|
|
|
|
|
below.
|
|
|
|
|
.It Sy canmount Ns = Ns Sy on Ns | Ns Sy off Ns | Ns Sy noauto
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy off ,
|
|
|
|
|
the file system cannot be mounted, and is ignored by
|
|
|
|
|
.Nm zfs Cm mount Fl a .
|
|
|
|
|
Setting this property to
|
|
|
|
|
.Sy off
|
|
|
|
|
is similar to setting the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property to
|
|
|
|
|
.Sy none ,
|
|
|
|
|
except that the dataset still has a normal
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property, which can be inherited.
|
|
|
|
|
Setting this property to
|
|
|
|
|
.Sy off
|
|
|
|
|
allows datasets to be used solely as a mechanism to inherit properties.
|
|
|
|
|
One example of setting
|
|
|
|
|
.Sy canmount Ns = Ns Sy off
|
|
|
|
|
is to have two datasets with the same
|
|
|
|
|
.Sy mountpoint ,
|
|
|
|
|
so that the children of both datasets appear in the same directory, but might
|
|
|
|
|
have different inherited characteristics.
|
|
|
|
|
.Pp
|
|
|
|
|
When set to
|
|
|
|
|
.Sy noauto ,
|
|
|
|
|
a dataset can only be mounted and unmounted explicitly.
|
|
|
|
|
The dataset is not mounted automatically when the dataset is created or
|
|
|
|
|
imported, nor is it mounted by the
|
|
|
|
|
.Nm zfs Cm mount Fl a
|
|
|
|
|
command or unmounted by the
|
|
|
|
|
.Nm zfs Cm unmount Fl a
|
|
|
|
|
command.
|
|
|
|
|
.Pp
|
|
|
|
|
This property is not inherited.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy checksum Ns = Ns Sy on Ns | Ns Sy off Ns | Ns Sy fletcher2 Ns | Ns
|
|
|
|
|
.Sy fletcher4 Ns | Ns Sy sha256 Ns | Ns Sy noparity Ns | Ns
|
|
|
|
|
.Sy sha512 Ns | Ns Sy skein Ns | Ns Sy edonr
|
|
|
|
|
.Xc
|
|
|
|
|
Controls the checksum used to verify data integrity.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy on ,
|
|
|
|
|
which automatically selects an appropriate algorithm
|
|
|
|
|
.Po currently,
|
|
|
|
|
.Sy fletcher4 ,
|
|
|
|
|
but this may change in future releases
|
|
|
|
|
.Pc .
|
|
|
|
|
The value
|
|
|
|
|
.Sy off
|
|
|
|
|
disables integrity checking on user data.
|
|
|
|
|
The value
|
|
|
|
|
.Sy noparity
|
|
|
|
|
not only disables integrity but also disables maintaining parity for user data.
|
2016-06-15 22:47:05 +00:00
|
|
|
|
This setting is used internally by a dump device residing on a RAID-Z pool and
|
2017-06-29 16:55:30 +00:00
|
|
|
|
should not be used by any other dataset.
|
|
|
|
|
Disabling checksums is
|
|
|
|
|
.Sy NOT
|
|
|
|
|
a recommended practice.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy sha512 ,
|
|
|
|
|
.Sy skein ,
|
|
|
|
|
and
|
|
|
|
|
.Sy edonr
|
|
|
|
|
checksum algorithms require enabling the appropriate features on the pool.
|
|
|
|
|
Please see
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for more information on these algorithms.
|
|
|
|
|
.Pp
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Changing this property affects only newly-written data.
|
2017-12-06 05:19:31 +00:00
|
|
|
|
.Pp
|
|
|
|
|
Salted checksum algorithms
|
|
|
|
|
.Pq Cm edonr , skein
|
|
|
|
|
are currently not supported for any filesystem on the boot pools.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Sy compression Ns = Ns Sy on Ns | Ns Sy off Ns | Ns Sy gzip Ns | Ns
|
|
|
|
|
.Sy gzip- Ns Em N Ns | Ns Sy lz4 Ns | Ns Sy lzjb Ns | Ns Sy zle
|
|
|
|
|
.Xc
|
2015-07-06 01:55:32 +00:00
|
|
|
|
Controls the compression algorithm used for this dataset.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pp
|
|
|
|
|
Setting compression to
|
|
|
|
|
.Sy on
|
|
|
|
|
indicates that the current default compression algorithm should be used.
|
|
|
|
|
The default balances compression and decompression speed, with compression ratio
|
|
|
|
|
and is expected to work well on a wide variety of workloads.
|
|
|
|
|
Unlike all other settings for this property,
|
|
|
|
|
.Sy on
|
|
|
|
|
does not select a fixed compression type.
|
|
|
|
|
As new compression algorithms are added to ZFS and enabled on a pool, the
|
|
|
|
|
default compression algorithm may change.
|
|
|
|
|
The current default compression algorithm is either
|
|
|
|
|
.Sy lzjb
|
|
|
|
|
or, if the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature is enabled,
|
|
|
|
|
.Sy lz4 .
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy lz4
|
|
|
|
|
compression algorithm is a high-performance replacement for the
|
|
|
|
|
.Sy lzjb
|
|
|
|
|
algorithm.
|
|
|
|
|
It features significantly faster compression and decompression, as well as a
|
|
|
|
|
moderately higher compression ratio than
|
|
|
|
|
.Sy lzjb ,
|
|
|
|
|
but can only be used on pools with the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature set to
|
|
|
|
|
.Sy enabled .
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags and the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy lzjb
|
|
|
|
|
compression algorithm is optimized for performance while providing decent data
|
|
|
|
|
compression.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy gzip
|
|
|
|
|
compression algorithm uses the same compression as the
|
|
|
|
|
.Xr gzip 1
|
|
|
|
|
command.
|
|
|
|
|
You can specify the
|
|
|
|
|
.Sy gzip
|
|
|
|
|
level by using the value
|
|
|
|
|
.Sy gzip- Ns Em N ,
|
|
|
|
|
where
|
|
|
|
|
.Em N
|
|
|
|
|
is an integer from 1
|
|
|
|
|
.Pq fastest
|
|
|
|
|
to 9
|
|
|
|
|
.Pq best compression ratio .
|
|
|
|
|
Currently,
|
|
|
|
|
.Sy gzip
|
|
|
|
|
is equivalent to
|
|
|
|
|
.Sy gzip-6
|
|
|
|
|
.Po which is also the default for
|
|
|
|
|
.Xr gzip 1
|
|
|
|
|
.Pc .
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy zle
|
|
|
|
|
compression algorithm compresses runs of zeros.
|
|
|
|
|
.Pp
|
2015-07-06 01:55:32 +00:00
|
|
|
|
This property can also be referred to by its shortened column name
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sy compress .
|
|
|
|
|
Changing this property affects only newly-written data.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy context Ns = Ns Sy none Ns | Ns
|
|
|
|
|
.Em SELinux_User:SElinux_Role:Selinux_Type:Sensitivity_Level
|
|
|
|
|
.Xc
|
|
|
|
|
This flag sets the SELinux context for all files in the file system under
|
|
|
|
|
a mount point for that file system. See
|
|
|
|
|
.Xr selinux 8
|
|
|
|
|
for more information.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy fscontext Ns = Ns Sy none Ns | Ns
|
|
|
|
|
.Em SELinux_User:SElinux_Role:Selinux_Type:Sensitivity_Level
|
|
|
|
|
.Xc
|
|
|
|
|
This flag sets the SELinux context for the file system file system being
|
|
|
|
|
mounted. See
|
|
|
|
|
.Xr selinux 8
|
|
|
|
|
for more information.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy defcontext Ns = Ns Sy none Ns | Ns
|
|
|
|
|
.Em SELinux_User:SElinux_Role:Selinux_Type:Sensitivity_Level
|
|
|
|
|
.Xc
|
|
|
|
|
This flag sets the SELinux default context for unlabeled files. See
|
|
|
|
|
.Xr selinux 8
|
|
|
|
|
for more information.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy rootcontext Ns = Ns Sy none Ns | Ns
|
|
|
|
|
.Em SELinux_User:SElinux_Role:Selinux_Type:Sensitivity_Level
|
|
|
|
|
.Xc
|
|
|
|
|
This flag sets the SELinux context for the root inode of the file system. See
|
|
|
|
|
.Xr selinux 8
|
|
|
|
|
for more information.
|
|
|
|
|
.It Sy copies Ns = Ns Sy 1 Ns | Ns Sy 2 Ns | Ns Sy 3
|
|
|
|
|
Controls the number of copies of data stored for this dataset.
|
|
|
|
|
These copies are in addition to any redundancy provided by the pool, for
|
|
|
|
|
example, mirroring or RAID-Z.
|
|
|
|
|
The copies are stored on different disks, if possible.
|
|
|
|
|
The space used by multiple copies is charged to the associated file and dataset,
|
|
|
|
|
changing the
|
|
|
|
|
.Sy used
|
|
|
|
|
property and counting against quotas and reservations.
|
|
|
|
|
.Pp
|
2016-05-11 18:19:31 +00:00
|
|
|
|
Changing this property only affects newly-written data.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
Therefore, set this property at file system creation time by using the
|
|
|
|
|
.Fl o Sy copies Ns = Ns Ar N
|
|
|
|
|
option.
|
|
|
|
|
.Pp
|
|
|
|
|
Remember that ZFS will not import a pool with a missing top-level vdev. Do
|
|
|
|
|
.Sy NOT
|
|
|
|
|
create, for example a two-disk striped pool and set
|
|
|
|
|
.Sy copies=2
|
|
|
|
|
on some datasets thinking you have setup redundancy for them. When a disk
|
|
|
|
|
fails you will not be able to import the pool and will have lost all of your
|
|
|
|
|
data.
|
|
|
|
|
.It Sy devices Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether device nodes can be opened on this file system.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy on .
|
|
|
|
|
The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy dev
|
|
|
|
|
and
|
|
|
|
|
.Sy nodev
|
|
|
|
|
mount options.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy dnodesize Ns = Ns Sy legacy Ns | Ns Sy auto Ns | Ns Sy 1k Ns | Ns
|
|
|
|
|
.Sy 2k Ns | Ns Sy 4k Ns | Ns Sy 8k Ns | Ns Sy 16k
|
|
|
|
|
.Xc
|
|
|
|
|
Specifies a compatibility mode or literal value for the size of dnodes in the
|
|
|
|
|
file system. The default value is
|
|
|
|
|
.Sy legacy .
|
|
|
|
|
Setting this property to a value other than
|
|
|
|
|
.Sy legacy
|
|
|
|
|
requires the large_dnode pool feature to be enabled.
|
|
|
|
|
.Pp
|
|
|
|
|
Consider setting
|
|
|
|
|
.Sy dnodesize
|
|
|
|
|
to
|
|
|
|
|
.Sy auto
|
|
|
|
|
if the dataset uses the
|
|
|
|
|
.Sy xattr=sa
|
|
|
|
|
property setting and the workload makes heavy use of extended attributes. This
|
|
|
|
|
may be applicable to SELinux-enabled systems, Lustre servers, and Samba
|
|
|
|
|
servers, for example. Literal values are supported for cases where the optimal
|
|
|
|
|
size is known in advance and for performance testing.
|
|
|
|
|
.Pp
|
|
|
|
|
Leave
|
|
|
|
|
.Sy dnodesize
|
|
|
|
|
set to
|
|
|
|
|
.Sy legacy
|
|
|
|
|
if you need to receive a send stream of this dataset on a pool that doesn't
|
|
|
|
|
enable the large_dnode feature, or if you need to import this pool on a system
|
|
|
|
|
that doesn't support the large_dnode feature.
|
|
|
|
|
.Pp
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 01:25:34 +00:00
|
|
|
|
This property can also be referred to by its shortened column name,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sy dnsize .
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Sy encryption Ns = Ns Sy off Ns | Ns Sy on Ns | Ns Sy aes-128-ccm Ns | Ns
|
|
|
|
|
.Sy aes-192-ccm Ns | Ns Sy aes-256-ccm Ns | Ns Sy aes-128-gcm Ns | Ns
|
|
|
|
|
.Sy aes-192-gcm Ns | Ns Sy aes-256-gcm
|
|
|
|
|
.Xc
|
|
|
|
|
Controls the encryption cipher suite (block cipher, key length, and mode) used
|
|
|
|
|
for this dataset. Requires the
|
|
|
|
|
.Sy encryption
|
|
|
|
|
feature to be enabled on the pool.
|
|
|
|
|
Requires a
|
|
|
|
|
.Sy keyformat
|
|
|
|
|
to be set at dataset creation time.
|
|
|
|
|
.Pp
|
|
|
|
|
Selecting
|
|
|
|
|
.Sy encryption Ns = Ns Sy on
|
|
|
|
|
when creating a dataset indicates that the default encryption suite will be
|
|
|
|
|
selected, which is currently
|
|
|
|
|
.Sy aes-256-ccm .
|
|
|
|
|
In order to provide consistent data protection, encryption must be specified at
|
|
|
|
|
dataset creation time and it cannot be changed afterwards.
|
|
|
|
|
.Pp
|
|
|
|
|
For more details and caveats about encryption see the
|
|
|
|
|
.Sy Encryption
|
|
|
|
|
section.
|
|
|
|
|
.It Sy keyformat Ns = Ns Sy raw Ns | Ns Sy hex Ns | Ns Sy passphrase
|
|
|
|
|
Controls what format the user's encryption key will be provided as. This
|
|
|
|
|
property is only set when the dataset is encrypted.
|
|
|
|
|
.Pp
|
|
|
|
|
Raw keys and hex keys must be 32 bytes long (regardless of the chosen
|
|
|
|
|
encryption suite) and must be randomly generated. A raw key can be generated
|
|
|
|
|
with the following command:
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# dd if=/dev/urandom of=/path/to/output/key bs=32 count=1
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
Passphrases must be between 8 and 512 bytes long and will be processed through
|
|
|
|
|
PBKDF2 before being used (see the
|
|
|
|
|
.Sy pbkdf2iters
|
|
|
|
|
property). Even though the
|
|
|
|
|
encryption suite cannot be changed after dataset creation, the keyformat can be
|
|
|
|
|
with
|
|
|
|
|
.Nm zfs Cm change-key .
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy keylocation Ns = Ns Sy prompt Ns | Ns Sy file:// Ns Em </absolute/file/path>
|
|
|
|
|
.Xc
|
|
|
|
|
Controls where the user's encryption key will be loaded from by default for
|
|
|
|
|
commands such as
|
|
|
|
|
.Nm zfs Cm load-key
|
|
|
|
|
and
|
|
|
|
|
.Nm zfs Cm mount Cm -l . This property is
|
|
|
|
|
only set for encrypted datasets which are encryption roots. If unspecified, the
|
|
|
|
|
default is
|
|
|
|
|
.Sy prompt.
|
|
|
|
|
.Pp
|
|
|
|
|
Even though the encryption suite cannot be changed after dataset creation, the
|
|
|
|
|
keylocation can be with either
|
|
|
|
|
.Nm zfs Cm set
|
|
|
|
|
or
|
|
|
|
|
.Nm zfs Cm change-key .
|
|
|
|
|
If
|
|
|
|
|
.Sy prompt
|
|
|
|
|
is selected ZFS will ask for the key at the command prompt when it is required
|
|
|
|
|
to access the encrypted data (see
|
|
|
|
|
.Nm zfs Cm load-key
|
|
|
|
|
for details). This setting will also allow the key to be passed in via STDIN,
|
|
|
|
|
but users should be careful not to place keys which should be kept secret on
|
|
|
|
|
the command line. If a file URI is selected, the key will be loaded from the
|
|
|
|
|
specified absolute file path.
|
|
|
|
|
.It Sy pbkdf2iters Ns = Ns Ar iterations
|
|
|
|
|
Controls the number of PBKDF2 iterations that a
|
|
|
|
|
.Sy passphrase
|
|
|
|
|
encryption key should be run through when processing it into an encryption key.
|
|
|
|
|
This property is only defined when encryption is enabled and a keyformat of
|
|
|
|
|
.Sy passphrase
|
|
|
|
|
is selected. The goal of PBKDF2 is to significantly increase the
|
|
|
|
|
computational difficulty needed to brute force a user's passphrase. This is
|
|
|
|
|
accomplished by forcing the attacker to run each passphrase through a
|
|
|
|
|
computationally expensive hashing function many times before they arrive at the
|
|
|
|
|
resulting key. A user who actually knows the passphrase will only have to pay
|
|
|
|
|
this cost once. As CPUs become better at processing, this number should be
|
|
|
|
|
raised to ensure that a brute force attack is still not possible. The current
|
|
|
|
|
default is
|
|
|
|
|
.Sy 350000
|
|
|
|
|
and the minimum is
|
|
|
|
|
.Sy 100000 .
|
|
|
|
|
This property may be changed with
|
|
|
|
|
.Nm zfs Cm change-key .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy exec Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether processes can be executed from within this file system.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy on .
|
|
|
|
|
The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy exec
|
|
|
|
|
and
|
|
|
|
|
.Sy noexec
|
|
|
|
|
mount options.
|
|
|
|
|
.It Sy filesystem_limit Ns = Ns Em count Ns | Ns Sy none
|
2015-04-01 13:07:48 +00:00
|
|
|
|
Limits the number of filesystems and volumes that can exist under this point in
|
2017-06-29 16:55:30 +00:00
|
|
|
|
the dataset tree.
|
|
|
|
|
The limit is not enforced if the user is allowed to change the limit.
|
|
|
|
|
Setting a
|
|
|
|
|
.Sy filesystem_limit
|
|
|
|
|
to
|
|
|
|
|
.Sy on
|
|
|
|
|
a descendent of a filesystem that already has a
|
|
|
|
|
.Sy filesystem_limit
|
|
|
|
|
does not override the ancestor's
|
|
|
|
|
.Sy filesystem_limit ,
|
|
|
|
|
but rather imposes an additional limit.
|
|
|
|
|
This feature must be enabled to be used
|
|
|
|
|
.Po see
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Sy mountpoint Ns = Ns Pa path Ns | Ns Sy none Ns | Ns Sy legacy
|
|
|
|
|
Controls the mount point used for this file system.
|
|
|
|
|
See the
|
|
|
|
|
.Sx Mount Points
|
|
|
|
|
section for more information on how this property is used.
|
|
|
|
|
.Pp
|
|
|
|
|
When the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property is changed for a file system, the file system and any children that
|
|
|
|
|
inherit the mount point are unmounted.
|
|
|
|
|
If the new value is
|
|
|
|
|
.Sy legacy ,
|
|
|
|
|
then they remain unmounted.
|
|
|
|
|
Otherwise, they are automatically remounted in the new location if the property
|
|
|
|
|
was previously
|
|
|
|
|
.Sy legacy
|
|
|
|
|
or
|
|
|
|
|
.Sy none ,
|
|
|
|
|
or if they were mounted before the property was changed.
|
|
|
|
|
In addition, any shared file systems are unshared and shared in the new
|
|
|
|
|
location.
|
|
|
|
|
.It Sy nbmand Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether the file system should be mounted with
|
|
|
|
|
.Sy nbmand
|
|
|
|
|
.Pq Non Blocking mandatory locks .
|
|
|
|
|
This is used for SMB clients.
|
|
|
|
|
Changes to this property only take effect when the file system is umounted and
|
|
|
|
|
remounted.
|
|
|
|
|
See
|
|
|
|
|
.Xr mount 8
|
|
|
|
|
for more information on
|
|
|
|
|
.Sy nbmand
|
|
|
|
|
mounts. This property is not used on Linux.
|
|
|
|
|
.It Sy overlay Ns = Ns Sy off Ns | Ns Sy on
|
|
|
|
|
Allow mounting on a busy directory or a directory which already contains
|
|
|
|
|
files or directories. This is the default mount behavior for Linux file systems.
|
|
|
|
|
For consistency with OpenZFS on other platforms overlay mounts are
|
|
|
|
|
.Sy off
|
|
|
|
|
by default. Set to
|
|
|
|
|
.Sy on
|
|
|
|
|
to enable overlay mounts.
|
|
|
|
|
.It Sy primarycache Ns = Ns Sy all Ns | Ns Sy none Ns | Ns Sy metadata
|
|
|
|
|
Controls what is cached in the primary cache
|
|
|
|
|
.Pq ARC .
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy all ,
|
|
|
|
|
then both user data and metadata is cached.
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy none ,
|
|
|
|
|
then neither user data nor metadata is cached.
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy metadata ,
|
|
|
|
|
then only metadata is cached.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy all .
|
|
|
|
|
.It Sy quota Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
Limits the amount of space a dataset and its descendents can consume.
|
|
|
|
|
This property enforces a hard limit on the amount of space used.
|
|
|
|
|
This includes all space consumed by descendents, including file systems and
|
|
|
|
|
snapshots.
|
|
|
|
|
Setting a quota on a descendent of a dataset that already has a quota does not
|
|
|
|
|
override the ancestor's quota, but rather imposes an additional limit.
|
|
|
|
|
.Pp
|
|
|
|
|
Quotas cannot be set on volumes, as the
|
|
|
|
|
.Sy volsize
|
|
|
|
|
property acts as an implicit quota.
|
|
|
|
|
.It Sy snapshot_limit Ns = Ns Em count Ns | Ns Sy none
|
2015-04-01 13:07:48 +00:00
|
|
|
|
Limits the number of snapshots that can be created on a dataset and its
|
2017-06-29 16:55:30 +00:00
|
|
|
|
descendents.
|
|
|
|
|
Setting a
|
|
|
|
|
.Sy snapshot_limit
|
|
|
|
|
on a descendent of a dataset that already has a
|
|
|
|
|
.Sy snapshot_limit
|
|
|
|
|
does not override the ancestor's
|
|
|
|
|
.Sy snapshot_limit ,
|
|
|
|
|
but rather imposes an additional limit.
|
|
|
|
|
The limit is not enforced if the user is allowed to change the limit.
|
|
|
|
|
For example, this means that recursive snapshots taken from the global zone are
|
|
|
|
|
counted against each delegated dataset within a zone.
|
|
|
|
|
This feature must be enabled to be used
|
|
|
|
|
.Po see
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Sy userquota@ Ns Em user Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
Limits the amount of space consumed by the specified user.
|
|
|
|
|
User space consumption is identified by the
|
|
|
|
|
.Sy userspace@ Ns Em user
|
|
|
|
|
property.
|
|
|
|
|
.Pp
|
|
|
|
|
Enforcement of user quotas may be delayed by several seconds.
|
|
|
|
|
This delay means that a user might exceed their quota before the system notices
|
|
|
|
|
that they are over quota and begins to refuse additional writes with the
|
|
|
|
|
.Er EDQUOT
|
|
|
|
|
error message.
|
|
|
|
|
See the
|
|
|
|
|
.Nm zfs Cm userspace
|
|
|
|
|
subcommand for more information.
|
|
|
|
|
.Pp
|
|
|
|
|
Unprivileged users can only access their own groups' space usage.
|
|
|
|
|
The root user, or a user who has been granted the
|
|
|
|
|
.Sy userquota
|
|
|
|
|
privilege with
|
|
|
|
|
.Nm zfs Cm allow ,
|
|
|
|
|
can get and set everyone's quota.
|
|
|
|
|
.Pp
|
|
|
|
|
This property is not available on volumes, on file systems before version 4, or
|
|
|
|
|
on pools before version 15.
|
|
|
|
|
The
|
|
|
|
|
.Sy userquota@ Ns Em ...
|
|
|
|
|
properties are not displayed by
|
|
|
|
|
.Nm zfs Cm get Sy all .
|
|
|
|
|
The user's name must be appended after the
|
|
|
|
|
.Sy @
|
|
|
|
|
symbol, using one of the following forms:
|
|
|
|
|
.Bl -bullet
|
|
|
|
|
.It
|
|
|
|
|
.Em POSIX name
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy joe
|
|
|
|
|
.Pc
|
|
|
|
|
.It
|
|
|
|
|
.Em POSIX numeric ID
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy 789
|
|
|
|
|
.Pc
|
|
|
|
|
.It
|
|
|
|
|
.Em SID name
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy joe.smith@mydomain
|
|
|
|
|
.Pc
|
|
|
|
|
.It
|
|
|
|
|
.Em SID numeric ID
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy S-1-123-456-789
|
|
|
|
|
.Pc
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
2016-05-11 16:11:02 +00:00
|
|
|
|
Files created on Linux always have POSIX owners.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy userobjquota@ Ns Em user Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
The
|
|
|
|
|
.Sy userobjquota
|
|
|
|
|
is similar to
|
|
|
|
|
.Sy userquota
|
|
|
|
|
but it limits the number of objects a user can create. Please refer to
|
|
|
|
|
.Sy userobjused
|
|
|
|
|
for more information about how objects are counted.
|
|
|
|
|
.It Sy groupquota@ Ns Em group Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
Limits the amount of space consumed by the specified group.
|
|
|
|
|
Group space consumption is identified by the
|
|
|
|
|
.Sy groupused@ Ns Em group
|
|
|
|
|
property.
|
|
|
|
|
.Pp
|
|
|
|
|
Unprivileged users can access only their own groups' space usage.
|
|
|
|
|
The root user, or a user who has been granted the
|
|
|
|
|
.Sy groupquota
|
|
|
|
|
privilege with
|
|
|
|
|
.Nm zfs Cm allow ,
|
|
|
|
|
can get and set all groups' quotas.
|
|
|
|
|
.It Sy groupobjquota@ Ns Em group Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
The
|
|
|
|
|
.Sy groupobjquota
|
|
|
|
|
is similar to
|
|
|
|
|
.Sy groupquota
|
|
|
|
|
but it limits number of objects a group can consume. Please refer to
|
|
|
|
|
.Sy userobjused
|
|
|
|
|
for more information about how objects are counted.
|
|
|
|
|
.It Sy readonly Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether this dataset can be modified.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy off .
|
|
|
|
|
The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy ro
|
|
|
|
|
and
|
|
|
|
|
.Sy rw
|
|
|
|
|
mount options.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy rdonly .
|
|
|
|
|
.It Sy recordsize Ns = Ns Em size
|
|
|
|
|
Specifies a suggested block size for files in the file system.
|
|
|
|
|
This property is designed solely for use with database workloads that access
|
|
|
|
|
files in fixed-size records.
|
|
|
|
|
ZFS automatically tunes block sizes according to internal algorithms optimized
|
|
|
|
|
for typical access patterns.
|
|
|
|
|
.Pp
|
|
|
|
|
For databases that create very large files but access them in small random
|
|
|
|
|
chunks, these algorithms may be suboptimal.
|
|
|
|
|
Specifying a
|
|
|
|
|
.Sy recordsize
|
|
|
|
|
greater than or equal to the record size of the database can result in
|
|
|
|
|
significant performance gains.
|
|
|
|
|
Use of this property for general purpose file systems is strongly discouraged,
|
|
|
|
|
and may adversely affect performance.
|
|
|
|
|
.Pp
|
|
|
|
|
The size specified must be a power of two greater than or equal to 512 and less
|
|
|
|
|
than or equal to 128 Kbytes.
|
|
|
|
|
If the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
feature is enabled on the pool, the size may be up to 1 Mbyte.
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags.
|
|
|
|
|
.Pp
|
|
|
|
|
Changing the file system's
|
|
|
|
|
.Sy recordsize
|
|
|
|
|
affects only files created afterward; existing files are unaffected.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy recsize .
|
|
|
|
|
.It Sy redundant_metadata Ns = Ns Sy all Ns | Ns Sy most
|
|
|
|
|
Controls what types of metadata are stored redundantly.
|
|
|
|
|
ZFS stores an extra copy of metadata, so that if a single block is corrupted,
|
|
|
|
|
the amount of user data lost is limited.
|
|
|
|
|
This extra copy is in addition to any redundancy provided at the pool level
|
|
|
|
|
.Pq e.g. by mirroring or RAID-Z ,
|
|
|
|
|
and is in addition to an extra copy specified by the
|
|
|
|
|
.Sy copies
|
|
|
|
|
property
|
|
|
|
|
.Pq up to a total of 3 copies .
|
|
|
|
|
For example if the pool is mirrored,
|
|
|
|
|
.Sy copies Ns = Ns 2 ,
|
|
|
|
|
and
|
|
|
|
|
.Sy redundant_metadata Ns = Ns Sy most ,
|
|
|
|
|
then ZFS stores 6 copies of most metadata, and 4 copies of data and some
|
2014-05-23 16:21:07 +00:00
|
|
|
|
metadata.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pp
|
|
|
|
|
When set to
|
|
|
|
|
.Sy all ,
|
|
|
|
|
ZFS stores an extra copy of all metadata.
|
|
|
|
|
If a single on-disk block is corrupt, at worst a single block of user data
|
|
|
|
|
.Po which is
|
|
|
|
|
.Sy recordsize
|
|
|
|
|
bytes long
|
|
|
|
|
.Pc
|
|
|
|
|
can be lost.
|
|
|
|
|
.Pp
|
|
|
|
|
When set to
|
|
|
|
|
.Sy most ,
|
|
|
|
|
ZFS stores an extra copy of most types of metadata.
|
|
|
|
|
This can improve performance of random writes, because less metadata must be
|
|
|
|
|
written.
|
|
|
|
|
In practice, at worst about 100 blocks
|
|
|
|
|
.Po of
|
|
|
|
|
.Sy recordsize
|
|
|
|
|
bytes each
|
|
|
|
|
.Pc
|
|
|
|
|
of user data can be lost if a single on-disk block is corrupt.
|
|
|
|
|
The exact behavior of which metadata blocks are stored redundantly may change in
|
|
|
|
|
future releases.
|
|
|
|
|
.Pp
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy all .
|
|
|
|
|
.It Sy refquota Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
Limits the amount of space a dataset can consume.
|
|
|
|
|
This property enforces a hard limit on the amount of space used.
|
|
|
|
|
This hard limit does not include space used by descendents, including file
|
|
|
|
|
systems and snapshots.
|
|
|
|
|
.It Sy refreservation Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
The minimum amount of space guaranteed to a dataset, not including its
|
|
|
|
|
descendents.
|
|
|
|
|
When the amount of space used is below this value, the dataset is treated as if
|
|
|
|
|
it were taking up the amount of space specified by
|
|
|
|
|
.Sy refreservation .
|
|
|
|
|
The
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
reservation is accounted for in the parent datasets' space used, and counts
|
|
|
|
|
against the parent datasets' quotas and reservations.
|
|
|
|
|
.Pp
|
|
|
|
|
If
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
is set, a snapshot is only allowed if there is enough free pool space outside of
|
|
|
|
|
this reservation to accommodate the current number of
|
|
|
|
|
.Qq referenced
|
|
|
|
|
bytes in the dataset.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy refreserv .
|
|
|
|
|
.It Sy relatime Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls the manner in which the access time is updated when
|
|
|
|
|
.Sy atime=on
|
|
|
|
|
is set. Turning this property on causes the access time to be updated relative
|
|
|
|
|
to the modify or change time. Access time is only updated if the previous
|
|
|
|
|
access time was earlier than the current modify or change time or if the
|
|
|
|
|
existing access time hasn't been updated within the past 24 hours. The default
|
|
|
|
|
value is
|
|
|
|
|
.Sy off .
|
|
|
|
|
The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy relatime
|
|
|
|
|
and
|
|
|
|
|
.Sy norelatime
|
|
|
|
|
mount options.
|
|
|
|
|
.It Sy reservation Ns = Ns Em size Ns | Ns Sy none
|
|
|
|
|
The minimum amount of space guaranteed to a dataset and its descendants.
|
|
|
|
|
When the amount of space used is below this value, the dataset is treated as if
|
|
|
|
|
it were taking up the amount of space specified by its reservation.
|
|
|
|
|
Reservations are accounted for in the parent datasets' space used, and count
|
|
|
|
|
against the parent datasets' quotas and reservations.
|
|
|
|
|
.Pp
|
|
|
|
|
This property can also be referred to by its shortened column name,
|
|
|
|
|
.Sy reserv .
|
|
|
|
|
.It Sy secondarycache Ns = Ns Sy all Ns | Ns Sy none Ns | Ns Sy metadata
|
|
|
|
|
Controls what is cached in the secondary cache
|
|
|
|
|
.Pq L2ARC .
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy all ,
|
|
|
|
|
then both user data and metadata is cached.
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy none ,
|
|
|
|
|
then neither user data nor metadata is cached.
|
|
|
|
|
If this property is set to
|
|
|
|
|
.Sy metadata ,
|
|
|
|
|
then only metadata is cached.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy all .
|
|
|
|
|
.It Sy setuid Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether the setuid bit is respected for the file system.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy on .
|
|
|
|
|
The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy suid
|
|
|
|
|
and
|
|
|
|
|
.Sy nosuid
|
|
|
|
|
mount options.
|
|
|
|
|
.It Sy sharesmb Ns = Ns Sy on Ns | Ns Sy off Ns | Ns Em opts
|
|
|
|
|
Controls whether the file system is shared by using
|
|
|
|
|
.Sy Samba USERSHARES
|
|
|
|
|
and what options are to be used. Otherwise, the file system is automatically
|
|
|
|
|
shared and unshared with the
|
|
|
|
|
.Nm zfs Cm share
|
|
|
|
|
and
|
|
|
|
|
.Nm zfs Cm unshare
|
|
|
|
|
commands. If the property is set to on, the
|
|
|
|
|
.Xr net 8
|
|
|
|
|
command is invoked to create a
|
|
|
|
|
.Sy USERSHARE .
|
|
|
|
|
.Pp
|
|
|
|
|
Because SMB shares requires a resource name, a unique resource name is
|
|
|
|
|
constructed from the dataset name. The constructed name is a copy of the
|
|
|
|
|
dataset name except that the characters in the dataset name, which would be
|
|
|
|
|
invalid in the resource name, are replaced with underscore (_) characters.
|
|
|
|
|
Linux does not currently support additional options which might be available
|
|
|
|
|
on Solaris.
|
|
|
|
|
.Pp
|
|
|
|
|
If the
|
|
|
|
|
.Sy sharesmb
|
|
|
|
|
property is set to
|
|
|
|
|
.Sy off ,
|
|
|
|
|
the file systems are unshared.
|
|
|
|
|
.Pp
|
|
|
|
|
The share is created with the ACL (Access Control List) "Everyone:F" ("F"
|
|
|
|
|
stands for "full permissions", ie. read and write permissions) and no guest
|
|
|
|
|
access (which means Samba must be able to authenticate a real user, system
|
|
|
|
|
passwd/shadow, LDAP or smbpasswd based) by default. This means that any
|
|
|
|
|
additional access control (disallow specific user specific access etc) must
|
|
|
|
|
be done on the underlying file system.
|
|
|
|
|
.It Sy sharenfs Ns = Ns Sy on Ns | Ns Sy off Ns | Ns Em opts
|
|
|
|
|
Controls whether the file system is shared via NFS, and what options are to be
|
|
|
|
|
used.
|
|
|
|
|
A file system with a
|
|
|
|
|
.Sy sharenfs
|
|
|
|
|
property of
|
|
|
|
|
.Sy off
|
|
|
|
|
is managed with the
|
|
|
|
|
.Xr exportfs 8
|
|
|
|
|
command and entries in the
|
|
|
|
|
.Em /etc/exports
|
|
|
|
|
file.
|
|
|
|
|
Otherwise, the file system is automatically shared and unshared with the
|
|
|
|
|
.Nm zfs Cm share
|
|
|
|
|
and
|
|
|
|
|
.Nm zfs Cm unshare
|
|
|
|
|
commands.
|
|
|
|
|
If the property is set to
|
|
|
|
|
.Sy on ,
|
|
|
|
|
the dataset is shared using the default options:
|
|
|
|
|
.Pp
|
|
|
|
|
.Em sec=sys,rw,crossmnt,no_subtree_check,no_root_squash
|
|
|
|
|
.Pp
|
|
|
|
|
See
|
|
|
|
|
.Xr exports 5
|
|
|
|
|
for the meaning of the default options. Otherwise, the
|
|
|
|
|
.Xr exportfs 8
|
|
|
|
|
command is invoked with options equivalent to the contents of this property.
|
|
|
|
|
.Pp
|
|
|
|
|
When the
|
|
|
|
|
.Sy sharenfs
|
|
|
|
|
property is changed for a dataset, the dataset and any children inheriting the
|
|
|
|
|
property are re-shared with the new options, only if the property was previously
|
|
|
|
|
.Sy off ,
|
|
|
|
|
or if they were shared before the property was changed.
|
|
|
|
|
If the new property is
|
|
|
|
|
.Sy off ,
|
|
|
|
|
the file systems are unshared.
|
|
|
|
|
.It Sy logbias Ns = Ns Sy latency Ns | Ns Sy throughput
|
|
|
|
|
Provide a hint to ZFS about handling of synchronous requests in this dataset.
|
|
|
|
|
If
|
|
|
|
|
.Sy logbias
|
|
|
|
|
is set to
|
|
|
|
|
.Sy latency
|
|
|
|
|
.Pq the default ,
|
|
|
|
|
ZFS will use pool log devices
|
|
|
|
|
.Pq if configured
|
|
|
|
|
to handle the requests at low latency.
|
|
|
|
|
If
|
|
|
|
|
.Sy logbias
|
|
|
|
|
is set to
|
|
|
|
|
.Sy throughput ,
|
|
|
|
|
ZFS will not use configured pool log devices.
|
|
|
|
|
ZFS will instead optimize synchronous operations for global pool throughput and
|
|
|
|
|
efficient use of resources.
|
|
|
|
|
.It Sy snapdev Ns = Ns Sy hidden Ns | Ns Sy visible
|
|
|
|
|
Controls whether the volume snapshot devices under
|
|
|
|
|
.Em /dev/zvol/<pool>
|
|
|
|
|
are hidden or visible. The default value is
|
|
|
|
|
.Sy hidden .
|
|
|
|
|
.It Sy snapdir Ns = Ns Sy hidden Ns | Ns Sy visible
|
|
|
|
|
Controls whether the
|
|
|
|
|
.Pa .zfs
|
|
|
|
|
directory is hidden or visible in the root of the file system as discussed in
|
|
|
|
|
the
|
|
|
|
|
.Sx Snapshots
|
|
|
|
|
section.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy hidden .
|
|
|
|
|
.It Sy sync Ns = Ns Sy standard Ns | Ns Sy always Ns | Ns Sy disabled
|
|
|
|
|
Controls the behavior of synchronous requests
|
|
|
|
|
.Pq e.g. fsync, O_DSYNC .
|
|
|
|
|
.Sy standard
|
|
|
|
|
is the
|
|
|
|
|
.Tn POSIX
|
|
|
|
|
specified behavior of ensuring all synchronous requests are written to stable
|
|
|
|
|
storage and all devices are flushed to ensure data is not cached by device
|
|
|
|
|
controllers
|
|
|
|
|
.Pq this is the default .
|
|
|
|
|
.Sy always
|
2011-11-17 18:14:36 +00:00
|
|
|
|
causes every file system transaction to be written and flushed before its
|
2017-06-29 16:55:30 +00:00
|
|
|
|
system call returns.
|
|
|
|
|
This has a large performance penalty.
|
|
|
|
|
.Sy disabled
|
|
|
|
|
disables synchronous requests.
|
|
|
|
|
File system transactions are only committed to stable storage periodically.
|
|
|
|
|
This option will give the highest performance.
|
2011-11-17 18:14:36 +00:00
|
|
|
|
However, it is very dangerous as ZFS would be ignoring the synchronous
|
2017-06-29 16:55:30 +00:00
|
|
|
|
transaction demands of applications such as databases or NFS.
|
|
|
|
|
Administrators should only use this option when the risks are understood.
|
|
|
|
|
.It Sy version Ns = Ns Em N Ns | Ns Sy current
|
|
|
|
|
The on-disk version of this file system, which is independent of the pool
|
|
|
|
|
version.
|
|
|
|
|
This property can only be set to later supported versions.
|
|
|
|
|
See the
|
|
|
|
|
.Nm zfs Cm upgrade
|
|
|
|
|
command.
|
|
|
|
|
.It Sy volsize Ns = Ns Em size
|
|
|
|
|
For volumes, specifies the logical size of the volume.
|
|
|
|
|
By default, creating a volume establishes a reservation of equal size.
|
|
|
|
|
For storage pools with a version number of 9 or higher, a
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
is set instead.
|
|
|
|
|
Any changes to
|
|
|
|
|
.Sy volsize
|
|
|
|
|
are reflected in an equivalent change to the reservation
|
|
|
|
|
.Po or
|
|
|
|
|
.Sy refreservation
|
|
|
|
|
.Pc .
|
|
|
|
|
The
|
|
|
|
|
.Sy volsize
|
|
|
|
|
can only be set to a multiple of
|
|
|
|
|
.Sy volblocksize ,
|
|
|
|
|
and cannot be zero.
|
|
|
|
|
.Pp
|
|
|
|
|
The reservation is kept equal to the volume's logical size to prevent unexpected
|
|
|
|
|
behavior for consumers.
|
|
|
|
|
Without the reservation, the volume could run out of space, resulting in
|
|
|
|
|
undefined behavior or data corruption, depending on how the volume is used.
|
|
|
|
|
These effects can also occur when the volume size is changed while it is in use
|
|
|
|
|
.Pq particularly when shrinking the size .
|
|
|
|
|
Extreme care should be used when adjusting the volume size.
|
|
|
|
|
.Pp
|
|
|
|
|
Though not recommended, a
|
|
|
|
|
.Qq sparse volume
|
|
|
|
|
.Po also known as
|
|
|
|
|
.Qq thin provisioning
|
|
|
|
|
.Pc
|
|
|
|
|
can be created by specifying the
|
|
|
|
|
.Fl s
|
|
|
|
|
option to the
|
|
|
|
|
.Nm zfs Cm create Fl V
|
|
|
|
|
command, or by changing the reservation after the volume has been created.
|
|
|
|
|
A
|
|
|
|
|
.Qq sparse volume
|
|
|
|
|
is a volume where the reservation is less then the volume size.
|
|
|
|
|
Consequently, writes to a sparse volume can fail with
|
|
|
|
|
.Er ENOSPC
|
|
|
|
|
when the pool is low on space.
|
|
|
|
|
For a sparse volume, changes to
|
|
|
|
|
.Sy volsize
|
|
|
|
|
are not reflected in the reservation.
|
2017-07-12 20:05:37 +00:00
|
|
|
|
.It Sy volmode Ns = Ns Cm default | full | geom | dev | none
|
|
|
|
|
This property specifies how volumes should be exposed to the OS.
|
|
|
|
|
Setting it to
|
|
|
|
|
.Sy full
|
|
|
|
|
exposes volumes as fully fledged block devices, providing maximal
|
|
|
|
|
functionality. The value
|
|
|
|
|
.Sy geom
|
|
|
|
|
is just an alias for
|
|
|
|
|
.Sy full
|
|
|
|
|
and is kept for compatibility.
|
|
|
|
|
Setting it to
|
|
|
|
|
.Sy dev
|
|
|
|
|
hides its partitions.
|
|
|
|
|
Volumes with property set to
|
|
|
|
|
.Sy none
|
|
|
|
|
are not exposed outside ZFS, but can be snapshoted, cloned, replicated, etc,
|
|
|
|
|
that can be suitable for backup purposes.
|
|
|
|
|
Value
|
|
|
|
|
.Sy default
|
|
|
|
|
means that volumes exposition is controlled by system-wide tunable
|
|
|
|
|
.Va zvol_volmode ,
|
|
|
|
|
where
|
|
|
|
|
.Sy full ,
|
|
|
|
|
.Sy dev
|
|
|
|
|
and
|
|
|
|
|
.Sy none
|
|
|
|
|
are encoded as 1, 2 and 3 respectively.
|
|
|
|
|
The default values is
|
|
|
|
|
.Sy full .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy vscan Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether regular files should be scanned for viruses when a file is
|
|
|
|
|
opened and closed.
|
|
|
|
|
In addition to enabling this property, the virus scan service must also be
|
|
|
|
|
enabled for virus scanning to occur.
|
|
|
|
|
The default value is
|
|
|
|
|
.Sy off .
|
2016-05-11 16:11:02 +00:00
|
|
|
|
This property is not used on Linux.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy xattr Ns = Ns Sy on Ns | Ns Sy off Ns | Ns Sy sa
|
|
|
|
|
Controls whether extended attributes are enabled for this file system. Two
|
2013-10-28 18:57:15 +00:00
|
|
|
|
styles of extended attributes are supported either directory based or system
|
|
|
|
|
attribute based.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pp
|
|
|
|
|
The default value of
|
|
|
|
|
.Sy on
|
|
|
|
|
enables directory based extended attributes. This style of extended attribute
|
|
|
|
|
imposes no practical limit on either the size or number of attributes which
|
|
|
|
|
can be set on a file. Although under Linux the
|
|
|
|
|
.Xr getxattr 2
|
|
|
|
|
and
|
|
|
|
|
.Xr setxattr 2
|
|
|
|
|
system calls limit the maximum size to 64K. This is the most compatible
|
|
|
|
|
style of extended attribute and is supported by all OpenZFS implementations.
|
|
|
|
|
.Pp
|
|
|
|
|
System attribute based xattrs can be enabled by setting the value to
|
|
|
|
|
.Sy sa .
|
|
|
|
|
The key advantage of this type of xattr is improved performance. Storing
|
|
|
|
|
extended attributes as system attributes significantly decreases the amount of
|
|
|
|
|
disk IO required. Up to 64K of data may be stored per-file in the space
|
|
|
|
|
reserved for system attributes. If there is not enough space available for
|
|
|
|
|
an extended attribute then it will be automatically written as a directory
|
|
|
|
|
based xattr. System attribute based extended attributes are not accessible
|
|
|
|
|
on platforms which do not support the
|
|
|
|
|
.Sy xattr=sa
|
|
|
|
|
feature.
|
|
|
|
|
.Pp
|
2013-10-28 18:57:15 +00:00
|
|
|
|
The use of system attribute based xattrs is strongly encouraged for users of
|
2017-06-29 16:55:30 +00:00
|
|
|
|
SELinux or posix ACLs. Both of these features heavily rely of extended
|
|
|
|
|
attributes and benefit significantly from the reduced access time.
|
|
|
|
|
.Pp
|
|
|
|
|
The values
|
|
|
|
|
.Sy on
|
|
|
|
|
and
|
|
|
|
|
.Sy off
|
|
|
|
|
are equivalent to the
|
|
|
|
|
.Sy xattr
|
|
|
|
|
and
|
|
|
|
|
.Sy noxattr
|
|
|
|
|
mount options.
|
|
|
|
|
.It Sy zoned Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Controls whether the dataset is managed from a non-global zone. Zones are a
|
|
|
|
|
Solaris feature and are not relevant on Linux. The default value is
|
|
|
|
|
.Sy off .
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
The following three properties cannot be changed after the file system is
|
|
|
|
|
created, and therefore, should be set when the file system is created.
|
|
|
|
|
If the properties are not set with the
|
|
|
|
|
.Nm zfs Cm create
|
|
|
|
|
or
|
|
|
|
|
.Nm zpool Cm create
|
|
|
|
|
commands, these properties are inherited from the parent dataset.
|
|
|
|
|
If the parent dataset lacks these properties due to having been created prior to
|
|
|
|
|
these features being supported, the new file system will have the default values
|
|
|
|
|
for these properties.
|
|
|
|
|
.Bl -tag -width ""
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy casesensitivity Ns = Ns Sy sensitive Ns | Ns
|
|
|
|
|
.Sy insensitive Ns | Ns Sy mixed
|
|
|
|
|
.Xc
|
|
|
|
|
Indicates whether the file name matching algorithm used by the file system
|
|
|
|
|
should be case-sensitive, case-insensitive, or allow a combination of both
|
|
|
|
|
styles of matching.
|
|
|
|
|
The default value for the
|
|
|
|
|
.Sy casesensitivity
|
|
|
|
|
property is
|
|
|
|
|
.Sy sensitive .
|
|
|
|
|
Traditionally,
|
|
|
|
|
.Ux
|
|
|
|
|
and
|
|
|
|
|
.Tn POSIX
|
|
|
|
|
file systems have case-sensitive file names.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy mixed
|
|
|
|
|
value for the
|
|
|
|
|
.Sy casesensitivity
|
|
|
|
|
property indicates that the file system can support requests for both
|
|
|
|
|
case-sensitive and case-insensitive matching behavior.
|
|
|
|
|
Currently, case-insensitive matching behavior on a file system that supports
|
|
|
|
|
mixed behavior is limited to the SMB server product.
|
|
|
|
|
For more information about the
|
|
|
|
|
.Sy mixed
|
|
|
|
|
value behavior, see the "ZFS Administration Guide".
|
|
|
|
|
.It Xo
|
|
|
|
|
.Sy normalization Ns = Ns Sy none Ns | Ns Sy formC Ns | Ns
|
|
|
|
|
.Sy formD Ns | Ns Sy formKC Ns | Ns Sy formKD
|
|
|
|
|
.Xc
|
|
|
|
|
Indicates whether the file system should perform a
|
|
|
|
|
.Sy unicode
|
|
|
|
|
normalization of file names whenever two file names are compared, and which
|
|
|
|
|
normalization algorithm should be used.
|
|
|
|
|
File names are always stored unmodified, names are normalized as part of any
|
|
|
|
|
comparison process.
|
|
|
|
|
If this property is set to a legal value other than
|
|
|
|
|
.Sy none ,
|
|
|
|
|
and the
|
|
|
|
|
.Sy utf8only
|
|
|
|
|
property was left unspecified, the
|
|
|
|
|
.Sy utf8only
|
|
|
|
|
property is automatically set to
|
|
|
|
|
.Sy on .
|
|
|
|
|
The default value of the
|
|
|
|
|
.Sy normalization
|
|
|
|
|
property is
|
|
|
|
|
.Sy none .
|
2016-05-11 18:19:31 +00:00
|
|
|
|
This property cannot be changed after the file system is created.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Sy utf8only Ns = Ns Sy on Ns | Ns Sy off
|
|
|
|
|
Indicates whether the file system should reject file names that include
|
|
|
|
|
characters that are not present in the
|
|
|
|
|
.Sy UTF-8
|
|
|
|
|
character code set.
|
|
|
|
|
If this property is explicitly set to
|
|
|
|
|
.Sy off ,
|
|
|
|
|
the normalization property must either not be explicitly set or be set to
|
|
|
|
|
.Sy none .
|
|
|
|
|
The default value for the
|
|
|
|
|
.Sy utf8only
|
|
|
|
|
property is
|
|
|
|
|
.Sy off .
|
2016-05-11 18:19:31 +00:00
|
|
|
|
This property cannot be changed after the file system is created.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Sy casesensitivity ,
|
|
|
|
|
.Sy normalization ,
|
|
|
|
|
and
|
|
|
|
|
.Sy utf8only
|
|
|
|
|
properties are also new permissions that can be assigned to non-privileged users
|
|
|
|
|
by using the ZFS delegated administration feature.
|
|
|
|
|
.Ss "Temporary Mount Point Properties"
|
|
|
|
|
When a file system is mounted, either through
|
|
|
|
|
.Xr mount 8
|
|
|
|
|
for legacy mounts or the
|
|
|
|
|
.Nm zfs Cm mount
|
|
|
|
|
command for normal file systems, its mount options are set according to its
|
|
|
|
|
properties.
|
|
|
|
|
The correlation between properties and mount options is as follows:
|
|
|
|
|
.Bd -literal
|
2009-12-12 00:15:33 +00:00
|
|
|
|
PROPERTY MOUNT OPTION
|
2017-06-29 16:55:30 +00:00
|
|
|
|
atime atime/noatime
|
|
|
|
|
canmount auto/noauto
|
|
|
|
|
devices dev/nodev
|
|
|
|
|
exec exec/noexec
|
|
|
|
|
readonly ro/rw
|
|
|
|
|
relatime relatime/norelatime
|
|
|
|
|
setuid suid/nosuid
|
|
|
|
|
xattr xattr/noxattr
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
In addition, these options can be set on a per-mount basis using the
|
|
|
|
|
.Fl o
|
|
|
|
|
option, without affecting the property that is stored on disk.
|
|
|
|
|
The values specified on the command line override the values stored in the
|
|
|
|
|
dataset.
|
|
|
|
|
The
|
|
|
|
|
.Sy nosuid
|
|
|
|
|
option is an alias for
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Sy nodevices Ns \&, Ns Sy nosetuid .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
These properties are reported as
|
|
|
|
|
.Qq temporary
|
|
|
|
|
by the
|
|
|
|
|
.Nm zfs Cm get
|
|
|
|
|
command.
|
|
|
|
|
If the properties are changed while the dataset is mounted, the new setting
|
|
|
|
|
overrides any temporary settings.
|
|
|
|
|
.Ss "User Properties"
|
|
|
|
|
In addition to the standard native properties, ZFS supports arbitrary user
|
|
|
|
|
properties.
|
|
|
|
|
User properties have no effect on ZFS behavior, but applications or
|
|
|
|
|
administrators can use them to annotate datasets
|
|
|
|
|
.Pq file systems, volumes, and snapshots .
|
|
|
|
|
.Pp
|
|
|
|
|
User property names must contain a colon
|
|
|
|
|
.Pq Qq Sy \&:
|
|
|
|
|
character to distinguish them from native properties.
|
|
|
|
|
They may contain lowercase letters, numbers, and the following punctuation
|
|
|
|
|
characters: colon
|
|
|
|
|
.Pq Qq Sy \&: ,
|
|
|
|
|
dash
|
|
|
|
|
.Pq Qq Sy - ,
|
|
|
|
|
period
|
|
|
|
|
.Pq Qq Sy \&. ,
|
|
|
|
|
and underscore
|
|
|
|
|
.Pq Qq Sy _ .
|
|
|
|
|
The expected convention is that the property name is divided into two portions
|
|
|
|
|
such as
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Em module Ns \&: Ns Em property ,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
but this namespace is not enforced by ZFS.
|
|
|
|
|
User property names can be at most 256 characters, and cannot begin with a dash
|
|
|
|
|
.Pq Qq Sy - .
|
|
|
|
|
.Pp
|
|
|
|
|
When making programmatic use of user properties, it is strongly suggested to use
|
|
|
|
|
a reversed
|
|
|
|
|
.Sy DNS
|
|
|
|
|
domain name for the
|
|
|
|
|
.Em module
|
|
|
|
|
component of property names to reduce the chance that two
|
|
|
|
|
independently-developed packages use the same property name for different
|
|
|
|
|
purposes.
|
|
|
|
|
.Pp
|
|
|
|
|
The values of user properties are arbitrary strings, are always inherited, and
|
|
|
|
|
are never validated.
|
|
|
|
|
All of the commands that operate on properties
|
|
|
|
|
.Po Nm zfs Cm list ,
|
|
|
|
|
.Nm zfs Cm get ,
|
|
|
|
|
.Nm zfs Cm set ,
|
|
|
|
|
and so forth
|
|
|
|
|
.Pc
|
|
|
|
|
can be used to manipulate both native properties and user properties.
|
|
|
|
|
Use the
|
|
|
|
|
.Nm zfs Cm inherit
|
|
|
|
|
command to clear a user property.
|
|
|
|
|
If the property is not defined in any parent dataset, it is removed entirely.
|
|
|
|
|
Property values are limited to 8192 bytes.
|
|
|
|
|
.Ss ZFS Volumes as Swap
|
|
|
|
|
ZFS volumes may be used as swap devices. After creating the volume with the
|
|
|
|
|
.Nm zfs Cm create Fl V
|
|
|
|
|
command set up and enable the swap area using the
|
|
|
|
|
.Xr mkswap 8
|
|
|
|
|
and
|
|
|
|
|
.Xr swapon 8
|
|
|
|
|
commands. Do not swap to a file on a ZFS file system. A ZFS swap file
|
|
|
|
|
configuration is not supported.
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Ss Encryption
|
|
|
|
|
Enabling the
|
|
|
|
|
.Sy encryption
|
|
|
|
|
feature allows for the creation of encrypted filesystems and volumes.
|
|
|
|
|
.Nm
|
|
|
|
|
will encrypt all user data including file and zvol data, file attributes,
|
|
|
|
|
ACLs, permission bits, directory listings, FUID mappings, and userused /
|
|
|
|
|
groupused data.
|
|
|
|
|
.Nm
|
|
|
|
|
will not encrypt metadata related to the pool structure, including dataset
|
|
|
|
|
names, dataset hierarchy, file size, file holes, and dedup tables. Key rotation
|
|
|
|
|
is managed internally by the kernel module and changing the user's key does not
|
|
|
|
|
require re-encrypting the entire dataset. Datasets can be scrubbed, resilvered,
|
|
|
|
|
renamed, and deleted without the encryption keys being loaded (see the
|
|
|
|
|
.Nm zfs Cm load-key
|
|
|
|
|
subcommand for more info on key loading).
|
|
|
|
|
.Pp
|
|
|
|
|
Creating an encrypted dataset requires specifying the
|
|
|
|
|
.Sy encryption
|
|
|
|
|
and
|
|
|
|
|
.Sy keyformat
|
|
|
|
|
properties at creation time, along with an optional
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Sy keylocation
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
and
|
|
|
|
|
.Sy pbkdf2iters .
|
|
|
|
|
After entering an encryption key, the
|
|
|
|
|
created dataset will become an encryption root. Any descendant datasets will
|
2017-09-12 20:15:11 +00:00
|
|
|
|
inherit their encryption key from the encryption root by default, meaning that
|
|
|
|
|
loading, unloading, or changing the key for the encryption root will implicitly
|
|
|
|
|
do the same for all inheriting datasets. If this inheritance is not desired,
|
|
|
|
|
simply supply a
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Sy keyformat
|
|
|
|
|
when creating the child dataset or use
|
|
|
|
|
.Nm zfs Cm change-key
|
2017-09-12 20:15:11 +00:00
|
|
|
|
to break an existing relationship, creating a new encryption root on the child.
|
|
|
|
|
Note that the child's
|
|
|
|
|
.Sy keyformat
|
|
|
|
|
may match that of the parent while still creating a new encryption root, and
|
|
|
|
|
that changing the
|
|
|
|
|
.Sy encryption
|
|
|
|
|
property alone does not create a new encryption root; this would simply use a
|
|
|
|
|
different cipher suite with the same key as its encryption root. The one
|
|
|
|
|
exception is that clones will always use their origin's encryption key.
|
|
|
|
|
As a result of this exception, some encryption-related properties (namely
|
|
|
|
|
.Sy keystatus ,
|
|
|
|
|
.Sy keyformat ,
|
|
|
|
|
.Sy keylocation ,
|
|
|
|
|
and
|
|
|
|
|
.Sy pbkdf2iters )
|
|
|
|
|
do not inherit like other ZFS properties and instead use the value determined
|
|
|
|
|
by their encryption root. Encryption root inheritance can be tracked via the
|
|
|
|
|
read-only
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Sy encryptionroot
|
|
|
|
|
property.
|
|
|
|
|
.Pp
|
|
|
|
|
Encryption changes the behavior of a few
|
|
|
|
|
.Nm
|
|
|
|
|
operations. Encryption is applied after compression so compression ratios are
|
|
|
|
|
preserved. Normally checksums in ZFS are 256 bits long, but for encrypted data
|
|
|
|
|
the checksum is 128 bits of the user-chosen checksum and 128 bits of MAC from
|
|
|
|
|
the encryption suite, which provides additional protection against maliciously
|
|
|
|
|
altered data. Deduplication is still possible with encryption enabled but for
|
|
|
|
|
security, datasets will only dedup against themselves, their snapshots, and
|
|
|
|
|
their clones.
|
|
|
|
|
.Pp
|
|
|
|
|
There are a few limitations on encrypted datasets. Encrypted data cannot be
|
|
|
|
|
embedded via the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature. Encrypted datasets may not have
|
|
|
|
|
.Sy copies Ns = Ns Em 3
|
|
|
|
|
since the implementation stores some encryption metadata where the third copy
|
|
|
|
|
would normally be. Since compression is applied before encryption datasets may
|
|
|
|
|
be vulnerable to a CRIME-like attack if applications accessing the data allow
|
|
|
|
|
for it. Deduplication with encryption will leak information about which blocks
|
|
|
|
|
are equivalent in a dataset and will incur an extra CPU cost per block written.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sh SUBCOMMANDS
|
|
|
|
|
All subcommands that modify state are logged persistently to the pool in their
|
|
|
|
|
original form.
|
|
|
|
|
.Bl -tag -width ""
|
|
|
|
|
.It Nm Fl ?
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Displays a help message.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm create
|
|
|
|
|
.Op Fl p
|
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a new ZFS file system.
|
|
|
|
|
The file system is automatically mounted according to the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property inherited from the parent.
|
|
|
|
|
.Bl -tag -width "-o"
|
|
|
|
|
.It Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
Sets the specified property as if the command
|
|
|
|
|
.Nm zfs Cm set Ar property Ns = Ns Ar value
|
|
|
|
|
was invoked at the same time the dataset was created.
|
|
|
|
|
Any editable ZFS property can also be set at creation time.
|
|
|
|
|
Multiple
|
|
|
|
|
.Fl o
|
|
|
|
|
options can be specified.
|
|
|
|
|
An error results if the same property is specified in multiple
|
|
|
|
|
.Fl o
|
|
|
|
|
options.
|
|
|
|
|
.It Fl p
|
|
|
|
|
Creates all the non-existing parent datasets.
|
|
|
|
|
Datasets created in this manner are automatically mounted according to the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property inherited from their parent.
|
|
|
|
|
Any property specified on the command line using the
|
|
|
|
|
.Fl o
|
|
|
|
|
option is ignored.
|
|
|
|
|
If the target filesystem already exists, the operation completes successfully.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm create
|
|
|
|
|
.Op Fl ps
|
|
|
|
|
.Op Fl b Ar blocksize
|
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Fl V Ar size Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a volume of the given size.
|
|
|
|
|
The volume is exported as a block device in
|
|
|
|
|
.Pa /dev/zvol/path ,
|
|
|
|
|
where
|
|
|
|
|
.Em path
|
|
|
|
|
is the name of the volume in the ZFS namespace.
|
|
|
|
|
The size represents the logical size as exported by the device.
|
|
|
|
|
By default, a reservation of equal size is created.
|
|
|
|
|
.Pp
|
|
|
|
|
.Ar size
|
|
|
|
|
is automatically rounded up to the nearest 128 Kbytes to ensure that the volume
|
|
|
|
|
has an integral number of blocks regardless of
|
|
|
|
|
.Sy blocksize .
|
|
|
|
|
.Bl -tag -width "-b"
|
|
|
|
|
.It Fl b Ar blocksize
|
|
|
|
|
Equivalent to
|
|
|
|
|
.Fl o Sy volblocksize Ns = Ns Ar blocksize .
|
|
|
|
|
If this option is specified in conjunction with
|
|
|
|
|
.Fl o Sy volblocksize ,
|
|
|
|
|
the resulting behavior is undefined.
|
|
|
|
|
.It Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
Sets the specified property as if the
|
|
|
|
|
.Nm zfs Cm set Ar property Ns = Ns Ar value
|
|
|
|
|
command was invoked at the same time the dataset was created.
|
|
|
|
|
Any editable ZFS property can also be set at creation time.
|
|
|
|
|
Multiple
|
|
|
|
|
.Fl o
|
|
|
|
|
options can be specified.
|
|
|
|
|
An error results if the same property is specified in multiple
|
|
|
|
|
.Fl o
|
|
|
|
|
options.
|
|
|
|
|
.It Fl p
|
|
|
|
|
Creates all the non-existing parent datasets.
|
|
|
|
|
Datasets created in this manner are automatically mounted according to the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property inherited from their parent.
|
|
|
|
|
Any property specified on the command line using the
|
|
|
|
|
.Fl o
|
|
|
|
|
option is ignored.
|
|
|
|
|
If the target filesystem already exists, the operation completes successfully.
|
|
|
|
|
.It Fl s
|
|
|
|
|
Creates a sparse volume with no reservation.
|
|
|
|
|
See
|
|
|
|
|
.Sy volsize
|
|
|
|
|
in the
|
|
|
|
|
.Sx Native Properties
|
|
|
|
|
section for more information about sparse volumes.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm destroy
|
|
|
|
|
.Op Fl Rfnprv
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Destroys the given dataset.
|
|
|
|
|
By default, the command unshares any file systems that are currently shared,
|
|
|
|
|
unmounts any file systems that are currently mounted, and refuses to destroy a
|
|
|
|
|
dataset that has active dependents
|
|
|
|
|
.Pq children or clones .
|
|
|
|
|
.Bl -tag -width "-R"
|
|
|
|
|
.It Fl R
|
|
|
|
|
Recursively destroy all dependents, including cloned file systems outside the
|
|
|
|
|
target hierarchy.
|
|
|
|
|
.It Fl f
|
|
|
|
|
Force an unmount of any file systems using the
|
|
|
|
|
.Nm unmount Fl f
|
|
|
|
|
command.
|
|
|
|
|
This option has no effect on non-file systems or unmounted file systems.
|
|
|
|
|
.It Fl n
|
|
|
|
|
Do a dry-run
|
|
|
|
|
.Pq Qq No-op
|
|
|
|
|
deletion.
|
|
|
|
|
No data will be deleted.
|
|
|
|
|
This is useful in conjunction with the
|
|
|
|
|
.Fl v
|
|
|
|
|
or
|
|
|
|
|
.Fl p
|
|
|
|
|
flags to determine what data would be deleted.
|
|
|
|
|
.It Fl p
|
2011-11-17 18:14:36 +00:00
|
|
|
|
Print machine-parsable verbose information about the deleted data.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl r
|
|
|
|
|
Recursively destroy all children.
|
|
|
|
|
.It Fl v
|
2011-11-17 18:14:36 +00:00
|
|
|
|
Print verbose information about the deleted data.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
Extreme care should be taken when applying either the
|
|
|
|
|
.Fl r
|
|
|
|
|
or the
|
|
|
|
|
.Fl R
|
|
|
|
|
options, as they can destroy large portions of a pool and cause unexpected
|
|
|
|
|
behavior for mounted file systems in use.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm destroy
|
|
|
|
|
.Op Fl Rdnprv
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns @ Ns Ar snap Ns
|
|
|
|
|
.Oo % Ns Ar snap Ns Oo , Ns Ar snap Ns Oo % Ns Ar snap Oc Oc Oc Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
The given snapshots are destroyed immediately if and only if the
|
|
|
|
|
.Nm zfs Cm destroy
|
|
|
|
|
command without the
|
|
|
|
|
.Fl d
|
|
|
|
|
option would have destroyed it.
|
|
|
|
|
Such immediate destruction would occur, for example, if the snapshot had no
|
|
|
|
|
clones and the user-initiated reference count were zero.
|
|
|
|
|
.Pp
|
|
|
|
|
If a snapshot does not qualify for immediate destruction, it is marked for
|
|
|
|
|
deferred deletion.
|
|
|
|
|
In this state, it exists as a usable, visible snapshot until both of the
|
|
|
|
|
preconditions listed above are met, at which point it is destroyed.
|
|
|
|
|
.Pp
|
|
|
|
|
An inclusive range of snapshots may be specified by separating the first and
|
|
|
|
|
last snapshots with a percent sign.
|
2011-11-17 18:14:36 +00:00
|
|
|
|
The first and/or last snapshots may be left blank, in which case the
|
|
|
|
|
filesystem's oldest or newest snapshot will be implied.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pp
|
2011-11-17 18:14:36 +00:00
|
|
|
|
Multiple snapshots
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pq or ranges of snapshots
|
|
|
|
|
of the same filesystem or volume may be specified in a comma-separated list of
|
|
|
|
|
snapshots.
|
|
|
|
|
Only the snapshot's short name
|
|
|
|
|
.Po the part after the
|
|
|
|
|
.Sy @
|
|
|
|
|
.Pc
|
|
|
|
|
should be specified when using a range or comma-separated list to identify
|
|
|
|
|
multiple snapshots.
|
|
|
|
|
.Bl -tag -width "-R"
|
|
|
|
|
.It Fl R
|
2013-09-04 12:00:57 +00:00
|
|
|
|
Recursively destroy all clones of these snapshots, including the clones,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
snapshots, and children.
|
|
|
|
|
If this flag is specified, the
|
|
|
|
|
.Fl d
|
|
|
|
|
flag will have no effect.
|
|
|
|
|
.It Fl d
|
|
|
|
|
Defer snapshot deletion.
|
|
|
|
|
.It Fl n
|
|
|
|
|
Do a dry-run
|
|
|
|
|
.Pq Qq No-op
|
|
|
|
|
deletion.
|
|
|
|
|
No data will be deleted.
|
|
|
|
|
This is useful in conjunction with the
|
|
|
|
|
.Fl p
|
|
|
|
|
or
|
|
|
|
|
.Fl v
|
|
|
|
|
flags to determine what data would be deleted.
|
|
|
|
|
.It Fl p
|
2011-11-17 18:14:36 +00:00
|
|
|
|
Print machine-parsable verbose information about the deleted data.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl r
|
|
|
|
|
Destroy
|
|
|
|
|
.Pq or mark for deferred deletion
|
|
|
|
|
all snapshots with this name in descendent file systems.
|
|
|
|
|
.It Fl v
|
2011-11-17 18:14:36 +00:00
|
|
|
|
Print verbose information about the deleted data.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Pp
|
|
|
|
|
Extreme care should be taken when applying either the
|
|
|
|
|
.Fl r
|
|
|
|
|
or the
|
|
|
|
|
.Fl R
|
2011-11-17 18:14:36 +00:00
|
|
|
|
options, as they can destroy large portions of a pool and cause unexpected
|
|
|
|
|
behavior for mounted file systems in use.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm destroy
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns # Ns Ar bookmark
|
|
|
|
|
.Xc
|
2013-12-11 22:33:41 +00:00
|
|
|
|
The given bookmark is destroyed.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm snapshot
|
|
|
|
|
.Op Fl r
|
2018-01-29 23:05:03 +00:00
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ar filesystem Ns @ Ns Ar snapname Ns | Ns Ar volume Ns @ Ns Ar snapname Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
Creates snapshots with the given names.
|
|
|
|
|
All previous modifications by successful system calls to the file system are
|
|
|
|
|
part of the snapshots.
|
|
|
|
|
Snapshots are taken atomically, so that all snapshots correspond to the same
|
|
|
|
|
moment in time.
|
2018-01-29 23:05:03 +00:00
|
|
|
|
.Nm zfs Cm snap
|
|
|
|
|
can be used as an alias for
|
|
|
|
|
.Nm zfs Cm snapshot.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
See the
|
|
|
|
|
.Sx Snapshots
|
|
|
|
|
section for details.
|
|
|
|
|
.Bl -tag -width "-o"
|
|
|
|
|
.It Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
Sets the specified property; see
|
|
|
|
|
.Nm zfs Cm create
|
|
|
|
|
for details.
|
|
|
|
|
.It Fl r
|
|
|
|
|
Recursively create snapshots of all descendent datasets
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rollback
|
|
|
|
|
.Op Fl Rfr
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
Roll back the given dataset to a previous snapshot.
|
|
|
|
|
When a dataset is rolled back, all data that has changed since the snapshot is
|
|
|
|
|
discarded, and the dataset reverts to the state at the time of the snapshot.
|
|
|
|
|
By default, the command refuses to roll back to a snapshot other than the most
|
|
|
|
|
recent one.
|
|
|
|
|
In order to do so, all intermediate snapshots and bookmarks must be destroyed by
|
|
|
|
|
specifying the
|
|
|
|
|
.Fl r
|
|
|
|
|
option.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Fl rR
|
|
|
|
|
options do not recursively destroy the child snapshots of a recursive snapshot.
|
|
|
|
|
Only direct snapshots of the specified filesystem are destroyed by either of
|
|
|
|
|
these options.
|
|
|
|
|
To completely roll back a recursive snapshot, you must rollback the individual
|
|
|
|
|
child snapshots.
|
|
|
|
|
.Bl -tag -width "-R"
|
|
|
|
|
.It Fl R
|
|
|
|
|
Destroy any more recent snapshots and bookmarks, as well as any clones of those
|
|
|
|
|
snapshots.
|
|
|
|
|
.It Fl f
|
|
|
|
|
Used with the
|
|
|
|
|
.Fl R
|
|
|
|
|
option to force an unmount of any clone file systems that are to be destroyed.
|
|
|
|
|
.It Fl r
|
2013-12-11 22:33:41 +00:00
|
|
|
|
Destroy any snapshots and bookmarks more recent than the one specified.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm clone
|
|
|
|
|
.Op Fl p
|
|
|
|
|
.Oo Fl o Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Ar snapshot Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a clone of the given snapshot.
|
|
|
|
|
See the
|
|
|
|
|
.Sx Clones
|
|
|
|
|
section for details.
|
|
|
|
|
The target dataset can be located anywhere in the ZFS hierarchy, and is created
|
|
|
|
|
as the same type as the original.
|
|
|
|
|
.Bl -tag -width "-o"
|
|
|
|
|
.It Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
Sets the specified property; see
|
|
|
|
|
.Nm zfs Cm create
|
|
|
|
|
for details.
|
|
|
|
|
.It Fl p
|
|
|
|
|
Creates all the non-existing parent datasets.
|
|
|
|
|
Datasets created in this manner are automatically mounted according to the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property inherited from their parent.
|
|
|
|
|
If the target filesystem or volume already exists, the operation completes
|
|
|
|
|
successfully.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm promote
|
|
|
|
|
.Ar clone-filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Promotes a clone file system to no longer be dependent on its
|
|
|
|
|
.Qq origin
|
|
|
|
|
snapshot.
|
|
|
|
|
This makes it possible to destroy the file system that the clone was created
|
|
|
|
|
from.
|
|
|
|
|
The clone parent-child dependency relationship is reversed, so that the origin
|
|
|
|
|
file system becomes a clone of the specified file system.
|
|
|
|
|
.Pp
|
|
|
|
|
The snapshot that was cloned, and any snapshots previous to this snapshot, are
|
|
|
|
|
now owned by the promoted clone.
|
|
|
|
|
The space they use moves from the origin file system to the promoted clone, so
|
|
|
|
|
enough space must be available to accommodate these snapshots.
|
|
|
|
|
No new space is consumed by this operation, but the space accounting is
|
|
|
|
|
adjusted.
|
|
|
|
|
The promoted clone must not have any conflicting snapshot names of its own.
|
|
|
|
|
The
|
|
|
|
|
.Cm rename
|
|
|
|
|
subcommand can be used to rename any conflicting snapshots.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rename
|
|
|
|
|
.Op Fl f
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rename
|
|
|
|
|
.Op Fl fp
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Renames the given dataset.
|
|
|
|
|
The new target can be located anywhere in the ZFS hierarchy, with the exception
|
|
|
|
|
of snapshots.
|
|
|
|
|
Snapshots can only be renamed within the parent file system or volume.
|
|
|
|
|
When renaming a snapshot, the parent file system of the snapshot does not need
|
|
|
|
|
to be specified as part of the second argument.
|
|
|
|
|
Renamed file systems can inherit new mount points, in which case they are
|
|
|
|
|
unmounted and remounted at the new mount point.
|
|
|
|
|
.Bl -tag -width "-a"
|
|
|
|
|
.It Fl f
|
2012-04-27 18:14:46 +00:00
|
|
|
|
Force unmount any filesystems that need to be unmounted in the process.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl p
|
|
|
|
|
Creates all the nonexistent parent datasets.
|
|
|
|
|
Datasets created in this manner are automatically mounted according to the
|
|
|
|
|
.Sy mountpoint
|
|
|
|
|
property inherited from their parent.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm rename
|
|
|
|
|
.Fl r
|
|
|
|
|
.Ar snapshot Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
Recursively rename the snapshots of all descendent datasets.
|
|
|
|
|
Snapshots are the only dataset that can be renamed recursively.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm list
|
|
|
|
|
.Op Fl r Ns | Ns Fl d Ar depth
|
|
|
|
|
.Op Fl Hp
|
|
|
|
|
.Oo Fl o Ar property Ns Oo , Ns Ar property Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar property Oc Ns ...
|
|
|
|
|
.Oo Fl S Ar property Oc Ns ...
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Oo Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Oc Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
Lists the property information for the given datasets in tabular form.
|
|
|
|
|
If specified, you can list property information by the absolute pathname or the
|
|
|
|
|
relative pathname.
|
|
|
|
|
By default, all file systems and volumes are displayed.
|
|
|
|
|
Snapshots are displayed if the
|
|
|
|
|
.Sy listsnaps
|
|
|
|
|
property is
|
|
|
|
|
.Sy on
|
|
|
|
|
.Po the default is
|
|
|
|
|
.Sy off
|
|
|
|
|
.Pc .
|
|
|
|
|
The following fields are displayed,
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Sy name Ns \&, Ns Sy used Ns \&, Ns Sy available Ns \&, Ns Sy referenced Ns \&, Ns
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Sy mountpoint .
|
|
|
|
|
.Bl -tag -width "-H"
|
|
|
|
|
.It Fl H
|
|
|
|
|
Used for scripting mode.
|
|
|
|
|
Do not print headers and separate fields by a single tab instead of arbitrary
|
|
|
|
|
white space.
|
|
|
|
|
.It Fl S Ar property
|
|
|
|
|
Same as the
|
|
|
|
|
.Fl s
|
|
|
|
|
option, but sorts by property in descending order.
|
|
|
|
|
.It Fl d Ar depth
|
|
|
|
|
Recursively display any children of the dataset, limiting the recursion to
|
|
|
|
|
.Ar depth .
|
|
|
|
|
A
|
|
|
|
|
.Ar depth
|
|
|
|
|
of
|
|
|
|
|
.Sy 1
|
|
|
|
|
will display only the dataset and its direct children.
|
|
|
|
|
.It Fl o Ar property
|
|
|
|
|
A comma-separated list of properties to display.
|
|
|
|
|
The property must be:
|
|
|
|
|
.Bl -bullet
|
|
|
|
|
.It
|
|
|
|
|
One of the properties described in the
|
|
|
|
|
.Sx Native Properties
|
|
|
|
|
section
|
|
|
|
|
.It
|
2009-12-12 00:15:33 +00:00
|
|
|
|
A user property
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It
|
|
|
|
|
The value
|
|
|
|
|
.Sy name
|
|
|
|
|
to display the dataset name
|
|
|
|
|
.It
|
|
|
|
|
The value
|
|
|
|
|
.Sy space
|
|
|
|
|
to display space usage properties on file systems and volumes.
|
|
|
|
|
This is a shortcut for specifying
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Fl o Sy name Ns \&, Ns Sy avail Ns \&, Ns Sy used Ns \&, Ns Sy usedsnap Ns \&, Ns
|
|
|
|
|
.Sy usedds Ns \&, Ns Sy usedrefreserv Ns \&, Ns Sy usedchild Fl t
|
|
|
|
|
.Sy filesystem Ns \&, Ns Sy volume
|
2017-06-29 16:55:30 +00:00
|
|
|
|
syntax.
|
|
|
|
|
.El
|
|
|
|
|
.It Fl p
|
|
|
|
|
Display numbers in parsable
|
|
|
|
|
.Pq exact
|
|
|
|
|
values.
|
|
|
|
|
.It Fl r
|
|
|
|
|
Recursively display any children of the dataset on the command line.
|
|
|
|
|
.It Fl s Ar property
|
|
|
|
|
A property for sorting the output by column in ascending order based on the
|
|
|
|
|
value of the property.
|
|
|
|
|
The property must be one of the properties described in the
|
|
|
|
|
.Sx Properties
|
|
|
|
|
section, or the special value
|
|
|
|
|
.Sy name
|
|
|
|
|
to sort by the dataset name.
|
|
|
|
|
Multiple properties can be specified at one time using multiple
|
|
|
|
|
.Fl s
|
|
|
|
|
property options.
|
|
|
|
|
Multiple
|
|
|
|
|
.Fl s
|
|
|
|
|
options are evaluated from left to right in decreasing order of importance.
|
2009-12-12 00:15:33 +00:00
|
|
|
|
The following is a list of sorting criteria:
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Bl -bullet
|
|
|
|
|
.It
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Numeric types sort in numeric order.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It
|
2009-12-12 00:15:33 +00:00
|
|
|
|
String types sort in alphabetical order.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It
|
|
|
|
|
Types inappropriate for a row sort that row to the literal bottom, regardless of
|
|
|
|
|
the specified ordering.
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
If no sorting options are specified the existing behavior of
|
|
|
|
|
.Nm zfs Cm list
|
|
|
|
|
is preserved.
|
|
|
|
|
.It Fl t Ar type
|
|
|
|
|
A comma-separated list of types to display, where
|
|
|
|
|
.Ar type
|
|
|
|
|
is one of
|
|
|
|
|
.Sy filesystem ,
|
|
|
|
|
.Sy snapshot ,
|
|
|
|
|
.Sy volume ,
|
|
|
|
|
.Sy bookmark ,
|
|
|
|
|
or
|
|
|
|
|
.Sy all .
|
|
|
|
|
For example, specifying
|
|
|
|
|
.Fl t Sy snapshot
|
|
|
|
|
displays only snapshots.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm set
|
|
|
|
|
.Ar property Ns = Ns Ar value Oo Ar property Ns = Ns Ar value Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Ns ...
|
|
|
|
|
.Xc
|
2015-07-05 23:11:09 +00:00
|
|
|
|
Sets the property or list of properties to the given value(s) for each dataset.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
Only some properties can be edited.
|
|
|
|
|
See the
|
|
|
|
|
.Sx Properties
|
|
|
|
|
section for more information on what properties can be set and acceptable
|
|
|
|
|
values.
|
|
|
|
|
Numeric values can be specified as exact values, or in a human-readable form
|
|
|
|
|
with a suffix of
|
|
|
|
|
.Sy B , K , M , G , T , P , E , Z
|
|
|
|
|
.Po for bytes, kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes,
|
|
|
|
|
or zettabytes, respectively
|
|
|
|
|
.Pc .
|
|
|
|
|
User properties can be set on snapshots.
|
|
|
|
|
For more information, see the
|
|
|
|
|
.Sx User Properties
|
|
|
|
|
section.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm get
|
|
|
|
|
.Op Fl r Ns | Ns Fl d Ar depth
|
|
|
|
|
.Op Fl Hp
|
|
|
|
|
.Oo Fl o Ar field Ns Oo , Ns Ar field Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar source Ns Oo , Ns Ar source Oc Ns ... Oc
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Cm all | Ar property Ns Oo , Ns Ar property Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Ns | Ns Ar bookmark Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
Displays properties for the given datasets.
|
|
|
|
|
If no datasets are specified, then the command displays properties for all
|
|
|
|
|
datasets on the system.
|
|
|
|
|
For each property, the following columns are displayed:
|
|
|
|
|
.Bd -literal
|
2009-12-12 00:15:33 +00:00
|
|
|
|
name Dataset name
|
2017-06-29 16:55:30 +00:00
|
|
|
|
property Property name
|
|
|
|
|
value Property value
|
|
|
|
|
source Property source. Can either be local, default,
|
|
|
|
|
temporary, inherited, or none (-).
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
All columns are displayed by default, though this can be controlled by using the
|
|
|
|
|
.Fl o
|
|
|
|
|
option.
|
|
|
|
|
This command takes a comma-separated list of properties as described in the
|
|
|
|
|
.Sx Native Properties
|
|
|
|
|
and
|
|
|
|
|
.Sx User Properties
|
|
|
|
|
sections.
|
|
|
|
|
.Pp
|
|
|
|
|
The special value
|
|
|
|
|
.Sy all
|
|
|
|
|
can be used to display all properties that apply to the given dataset's type
|
|
|
|
|
.Pq filesystem, volume, snapshot, or bookmark .
|
|
|
|
|
.Bl -tag -width "-H"
|
|
|
|
|
.It Fl H
|
|
|
|
|
Display output in a form more easily parsed by scripts.
|
|
|
|
|
Any headers are omitted, and fields are explicitly separated by a single tab
|
|
|
|
|
instead of an arbitrary amount of space.
|
|
|
|
|
.It Fl d Ar depth
|
|
|
|
|
Recursively display any children of the dataset, limiting the recursion to
|
|
|
|
|
.Ar depth .
|
|
|
|
|
A depth of
|
|
|
|
|
.Sy 1
|
|
|
|
|
will display only the dataset and its direct children.
|
|
|
|
|
.It Fl o Ar field
|
|
|
|
|
A comma-separated list of columns to display.
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Sy name Ns \&, Ns Sy property Ns \&, Ns Sy value Ns \&, Ns Sy source
|
2017-06-29 16:55:30 +00:00
|
|
|
|
is the default value.
|
|
|
|
|
.It Fl p
|
|
|
|
|
Display numbers in parsable
|
|
|
|
|
.Pq exact
|
|
|
|
|
values.
|
|
|
|
|
.It Fl r
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Recursively display properties for any children.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl s Ar source
|
|
|
|
|
A comma-separated list of sources to display.
|
|
|
|
|
Those properties coming from a source other than those in this list are ignored.
|
|
|
|
|
Each source must be one of the following:
|
|
|
|
|
.Sy local ,
|
|
|
|
|
.Sy default ,
|
|
|
|
|
.Sy inherited ,
|
|
|
|
|
.Sy temporary ,
|
|
|
|
|
and
|
|
|
|
|
.Sy none .
|
|
|
|
|
The default value is all sources.
|
|
|
|
|
.It Fl t Ar type
|
|
|
|
|
A comma-separated list of types to display, where
|
|
|
|
|
.Ar type
|
|
|
|
|
is one of
|
|
|
|
|
.Sy filesystem ,
|
|
|
|
|
.Sy snapshot ,
|
|
|
|
|
.Sy volume ,
|
|
|
|
|
.Sy bookmark ,
|
|
|
|
|
or
|
|
|
|
|
.Sy all .
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm inherit
|
|
|
|
|
.Op Fl rS
|
|
|
|
|
.Ar property Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
Clears the specified property, causing it to be inherited from an ancestor,
|
|
|
|
|
restored to default if no ancestor has the property set, or with the
|
|
|
|
|
.Fl S
|
|
|
|
|
option reverted to the received value if one exists.
|
|
|
|
|
See the
|
|
|
|
|
.Sx Properties
|
|
|
|
|
section for a listing of default values, and details on which properties can be
|
|
|
|
|
inherited.
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Recursively inherit the given property for all children.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl S
|
2015-01-01 01:44:52 +00:00
|
|
|
|
Revert the property to the received value if one exists; otherwise operate as
|
2017-06-29 16:55:30 +00:00
|
|
|
|
if the
|
|
|
|
|
.Fl S
|
|
|
|
|
option was not specified.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm upgrade
|
|
|
|
|
.Xc
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Displays a list of file systems that are not the most recent version.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm upgrade
|
|
|
|
|
.Fl v
|
|
|
|
|
.Xc
|
|
|
|
|
Displays a list of currently supported file system versions.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm upgrade
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Op Fl V Ar version
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Upgrades file systems to a new on-disk version.
|
|
|
|
|
Once this is done, the file systems will no longer be accessible on systems
|
|
|
|
|
running older versions of the software.
|
|
|
|
|
.Nm zfs Cm send
|
|
|
|
|
streams generated from new snapshots of these file systems cannot be accessed on
|
|
|
|
|
systems running older versions of the software.
|
|
|
|
|
.Pp
|
|
|
|
|
In general, the file system version is independent of the pool version.
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool 8
|
|
|
|
|
for information on the
|
|
|
|
|
.Nm zpool Cm upgrade
|
|
|
|
|
command.
|
|
|
|
|
.Pp
|
|
|
|
|
In some cases, the file system version and the pool version are interrelated and
|
|
|
|
|
the pool version must be upgraded before the file system version can be
|
|
|
|
|
upgraded.
|
|
|
|
|
.Bl -tag -width "-V"
|
|
|
|
|
.It Fl V Ar version
|
|
|
|
|
Upgrade to the specified
|
|
|
|
|
.Ar version .
|
|
|
|
|
If the
|
|
|
|
|
.Fl V
|
|
|
|
|
flag is not specified, this command upgrades to the most recent version.
|
|
|
|
|
This
|
|
|
|
|
option can only be used to increase the version number, and only up to the most
|
|
|
|
|
recent version supported by this software.
|
|
|
|
|
.It Fl a
|
|
|
|
|
Upgrade all file systems on all imported pools.
|
|
|
|
|
.It Ar filesystem
|
|
|
|
|
Upgrade the specified file system.
|
|
|
|
|
.It Fl r
|
|
|
|
|
Upgrade the specified file system and all descendent file systems.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm userspace
|
|
|
|
|
.Op Fl Hinp
|
|
|
|
|
.Oo Fl o Ar field Ns Oo , Ns Ar field Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl S Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
Displays space consumed by, and quotas on, each user in the specified filesystem
|
|
|
|
|
or snapshot.
|
|
|
|
|
This corresponds to the
|
|
|
|
|
.Sy userused@ Ns Em user ,
|
|
|
|
|
.Sy userobjused@ Ns Em user ,
|
|
|
|
|
.Sy userquota@ Ns Em user,
|
|
|
|
|
and
|
|
|
|
|
.Sy userobjquota@ Ns Em user
|
|
|
|
|
properties.
|
|
|
|
|
.Bl -tag -width "-H"
|
|
|
|
|
.It Fl H
|
|
|
|
|
Do not print headers, use tab-delimited output.
|
|
|
|
|
.It Fl S Ar field
|
|
|
|
|
Sort by this field in reverse order.
|
|
|
|
|
See
|
|
|
|
|
.Fl s .
|
|
|
|
|
.It Fl i
|
|
|
|
|
Translate SID to POSIX ID.
|
|
|
|
|
The POSIX ID may be ephemeral if no mapping exists.
|
|
|
|
|
Normal POSIX interfaces
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Xr stat 2 ,
|
|
|
|
|
.Nm ls Fl l
|
|
|
|
|
.Pc
|
|
|
|
|
perform this translation, so the
|
|
|
|
|
.Fl i
|
|
|
|
|
option allows the output from
|
|
|
|
|
.Nm zfs Cm userspace
|
|
|
|
|
to be compared directly with those utilities.
|
|
|
|
|
However,
|
|
|
|
|
.Fl i
|
Illumos #1884, #3028, #3048, #3049, #3060, #3061, #3093
1884 Empty "used" field for zfs *space commands
3028 zfs {group,user}space -n prints (null) instead of numeric GID/UID
3048 zfs {user,group}space [-s|-S] is broken
3049 zfs {user,group}space -t doesn't really filter the results
3060 zfs {user,group}space -H output isn't tab-delimited
3061 zfs {user,group}space -o doesn't use specified fields order
3093 zfs {user,group}space's -i is noop
Reviewed by: Garry Mills <gary_mills@fastmail.fm>
Reviewed by: Eric Schrock <eric.schrock@delphix.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
References:
illumos/illumos-gate@89f5d17b06fc4132c983112b24836a779a0ed736
illumos changeset: 13803:b5e49d71ff0e
https://www.illumos.org/issues/1884
https://www.illumos.org/issues/3028
https://www.illumos.org/issues/3048
https://www.illumos.org/issues/3049
https://www.illumos.org/issues/3060
https://www.illumos.org/issues/3061
https://www.illumos.org/issues/3093
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1194
2013-01-10 22:25:47 +00:00
|
|
|
|
may lead to confusion if some files were created by an SMB user before a
|
2017-06-29 16:55:30 +00:00
|
|
|
|
SMB-to-POSIX name mapping was established.
|
|
|
|
|
In such a case, some files will be owned by the SMB entity and some by the POSIX
|
|
|
|
|
entity.
|
|
|
|
|
However, the
|
|
|
|
|
.Fl i
|
|
|
|
|
option will report that the POSIX entity has the total usage and quota for both.
|
|
|
|
|
.It Fl n
|
|
|
|
|
Print numeric ID instead of user/group name.
|
|
|
|
|
.It Fl o Ar field Ns Oo , Ns Ar field Oc Ns ...
|
|
|
|
|
Display only the specified fields from the following set:
|
|
|
|
|
.Sy type ,
|
|
|
|
|
.Sy name ,
|
|
|
|
|
.Sy used ,
|
|
|
|
|
.Sy quota .
|
|
|
|
|
The default is to display all fields.
|
|
|
|
|
.It Fl p
|
|
|
|
|
Use exact
|
|
|
|
|
.Pq parsable
|
|
|
|
|
numeric output.
|
|
|
|
|
.It Fl s Ar field
|
|
|
|
|
Sort output by this field.
|
|
|
|
|
The
|
|
|
|
|
.Fl s
|
|
|
|
|
and
|
|
|
|
|
.Fl S
|
|
|
|
|
flags may be specified multiple times to sort first by one field, then by
|
|
|
|
|
another.
|
|
|
|
|
The default is
|
|
|
|
|
.Fl s Sy type Fl s Sy name .
|
|
|
|
|
.It Fl t Ar type Ns Oo , Ns Ar type Oc Ns ...
|
|
|
|
|
Print only the specified types from the following set:
|
|
|
|
|
.Sy all ,
|
|
|
|
|
.Sy posixuser ,
|
|
|
|
|
.Sy smbuser ,
|
|
|
|
|
.Sy posixgroup ,
|
|
|
|
|
.Sy smbgroup .
|
|
|
|
|
The default is
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Fl t Sy posixuser Ns \&, Ns Sy smbuser .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
The default can be changed to include group types.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm groupspace
|
|
|
|
|
.Op Fl Hinp
|
|
|
|
|
.Oo Fl o Ar field Ns Oo , Ns Ar field Oc Ns ... Oc
|
|
|
|
|
.Oo Fl s Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl S Ar field Oc Ns ...
|
|
|
|
|
.Oo Fl t Ar type Ns Oo , Ns Ar type Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar snapshot
|
|
|
|
|
.Xc
|
Illumos #1884, #3028, #3048, #3049, #3060, #3061, #3093
1884 Empty "used" field for zfs *space commands
3028 zfs {group,user}space -n prints (null) instead of numeric GID/UID
3048 zfs {user,group}space [-s|-S] is broken
3049 zfs {user,group}space -t doesn't really filter the results
3060 zfs {user,group}space -H output isn't tab-delimited
3061 zfs {user,group}space -o doesn't use specified fields order
3093 zfs {user,group}space's -i is noop
Reviewed by: Garry Mills <gary_mills@fastmail.fm>
Reviewed by: Eric Schrock <eric.schrock@delphix.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
References:
illumos/illumos-gate@89f5d17b06fc4132c983112b24836a779a0ed736
illumos changeset: 13803:b5e49d71ff0e
https://www.illumos.org/issues/1884
https://www.illumos.org/issues/3028
https://www.illumos.org/issues/3048
https://www.illumos.org/issues/3049
https://www.illumos.org/issues/3060
https://www.illumos.org/issues/3061
https://www.illumos.org/issues/3093
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1194
2013-01-10 22:25:47 +00:00
|
|
|
|
Displays space consumed by, and quotas on, each group in the specified
|
2017-06-29 16:55:30 +00:00
|
|
|
|
filesystem or snapshot.
|
|
|
|
|
This subcommand is identical to
|
|
|
|
|
.Nm zfs Cm userspace ,
|
|
|
|
|
except that the default types to display are
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Fl t Sy posixgroup Ns \&, Ns Sy smbgroup .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm mount
|
|
|
|
|
.Xc
|
|
|
|
|
Displays all ZFS file systems currently mounted.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm mount
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Op Fl Olv
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Op Fl o Ar options
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Mounts ZFS file systems.
|
|
|
|
|
.Bl -tag -width "-O"
|
|
|
|
|
.It Fl O
|
|
|
|
|
Perform an overlay mount.
|
|
|
|
|
See
|
|
|
|
|
.Xr mount 8
|
|
|
|
|
for more information.
|
|
|
|
|
.It Fl a
|
|
|
|
|
Mount all available ZFS file systems.
|
|
|
|
|
Invoked automatically as part of the boot process.
|
|
|
|
|
.It Ar filesystem
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Mount the specified filesystem.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl o Ar options
|
|
|
|
|
An optional, comma-separated list of mount options to use temporarily for the
|
|
|
|
|
duration of the mount.
|
|
|
|
|
See the
|
|
|
|
|
.Sx Temporary Mount Point Properties
|
|
|
|
|
section for details.
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Fl l
|
|
|
|
|
Load keys for encrypted filesystems as they are being mounted. This is
|
|
|
|
|
equivalent to executing
|
|
|
|
|
.Nm zfs Cm load-key
|
|
|
|
|
on each encryption root before mounting it. Note that if a filesystem has a
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
of
|
|
|
|
|
.Sy prompt
|
|
|
|
|
this will cause the terminal to interactively block after asking for the key.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl v
|
|
|
|
|
Report mount progress.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unmount
|
|
|
|
|
.Op Fl f
|
|
|
|
|
.Fl a | Ar filesystem Ns | Ns Ar mountpoint
|
|
|
|
|
.Xc
|
|
|
|
|
Unmounts currently mounted ZFS file systems.
|
|
|
|
|
.Bl -tag -width "-a"
|
|
|
|
|
.It Fl a
|
|
|
|
|
Unmount all available ZFS file systems.
|
|
|
|
|
Invoked automatically as part of the shutdown process.
|
|
|
|
|
.It Ar filesystem Ns | Ns Ar mountpoint
|
|
|
|
|
Unmount the specified filesystem.
|
|
|
|
|
The command can also be given a path to a ZFS file system mount point on the
|
|
|
|
|
system.
|
|
|
|
|
.It Fl f
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Forcefully unmount the file system, even if it is currently in use.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm share
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Shares available ZFS file systems.
|
|
|
|
|
.Bl -tag -width "-a"
|
|
|
|
|
.It Fl a
|
|
|
|
|
Share all available ZFS file systems.
|
|
|
|
|
Invoked automatically as part of the boot process.
|
|
|
|
|
.It Ar filesystem
|
|
|
|
|
Share the specified filesystem according to the
|
|
|
|
|
.Sy sharenfs
|
|
|
|
|
and
|
|
|
|
|
.Sy sharesmb
|
|
|
|
|
properties.
|
|
|
|
|
File systems are shared when the
|
|
|
|
|
.Sy sharenfs
|
|
|
|
|
or
|
|
|
|
|
.Sy sharesmb
|
|
|
|
|
property is set.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unshare
|
|
|
|
|
.Fl a | Ar filesystem Ns | Ns Ar mountpoint
|
|
|
|
|
.Xc
|
|
|
|
|
Unshares currently shared ZFS file systems.
|
|
|
|
|
.Bl -tag -width "-a"
|
|
|
|
|
.It Fl a
|
|
|
|
|
Unshare all available ZFS file systems.
|
|
|
|
|
Invoked automatically as part of the shutdown process.
|
|
|
|
|
.It Ar filesystem Ns | Ns Ar mountpoint
|
|
|
|
|
Unshare the specified filesystem.
|
|
|
|
|
The command can also be given a path to a ZFS file system shared on the system.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm bookmark
|
|
|
|
|
.Ar snapshot bookmark
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a bookmark of the given snapshot.
|
|
|
|
|
Bookmarks mark the point in time when the snapshot was created, and can be used
|
|
|
|
|
as the incremental source for a
|
|
|
|
|
.Nm zfs Cm send
|
|
|
|
|
command.
|
|
|
|
|
.Pp
|
2013-12-11 22:33:41 +00:00
|
|
|
|
This feature must be enabled to be used.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags and the
|
|
|
|
|
.Sy bookmarks
|
|
|
|
|
feature.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm send
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Op Fl DLPRcenpvw
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a stream representation of the second
|
|
|
|
|
.Ar snapshot ,
|
|
|
|
|
which is written to standard output.
|
|
|
|
|
The output can be redirected to a file or to a different system
|
|
|
|
|
.Po for example, using
|
|
|
|
|
.Xr ssh 1
|
|
|
|
|
.Pc .
|
|
|
|
|
By default, a full stream is generated.
|
|
|
|
|
.Bl -tag -width "-D"
|
|
|
|
|
.It Fl D, -dedup
|
|
|
|
|
Generate a deduplicated stream.
|
|
|
|
|
Blocks which would have been sent multiple times in the send stream will only be
|
|
|
|
|
sent once.
|
|
|
|
|
The receiving system must also support this feature to receive a deduplicated
|
|
|
|
|
stream.
|
|
|
|
|
This flag can be used regardless of the dataset's
|
|
|
|
|
.Sy dedup
|
|
|
|
|
property, but performance will be much better if the filesystem uses a
|
|
|
|
|
dedup-capable checksum
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Sy sha256
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Fl I Ar snapshot
|
|
|
|
|
Generate a stream package that sends all intermediary snapshots from the first
|
|
|
|
|
snapshot to the second snapshot.
|
|
|
|
|
For example,
|
|
|
|
|
.Fl I Em @a Em fs@d
|
|
|
|
|
is similar to
|
2017-08-24 17:30:42 +00:00
|
|
|
|
.Fl i Em @a Em fs@b Ns \&; Fl i Em @b Em fs@c Ns \&; Fl i Em @c Em fs@d .
|
2017-06-29 16:55:30 +00:00
|
|
|
|
The incremental source may be specified as with the
|
|
|
|
|
.Fl i
|
|
|
|
|
option.
|
|
|
|
|
.It Fl L, -large-block
|
|
|
|
|
Generate a stream which may contain blocks larger than 128KB.
|
|
|
|
|
This flag has no effect if the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
pool feature is disabled, or if the
|
|
|
|
|
.Sy recordsize
|
|
|
|
|
property of this filesystem has never been set above 128KB.
|
|
|
|
|
The receiving system must have the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
pool feature enabled as well.
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags and the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
feature.
|
|
|
|
|
.It Fl P, -parsable
|
2012-12-28 21:53:18 +00:00
|
|
|
|
Print machine-parsable verbose information about the stream package generated.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl R, -replicate
|
|
|
|
|
Generate a replication stream package, which will replicate the specified
|
|
|
|
|
file system, and all descendent file systems, up to the named snapshot.
|
|
|
|
|
When received, all properties, snapshots, descendent file systems, and clones
|
|
|
|
|
are preserved.
|
|
|
|
|
.Pp
|
|
|
|
|
If the
|
|
|
|
|
.Fl i
|
|
|
|
|
or
|
|
|
|
|
.Fl I
|
|
|
|
|
flags are used in conjunction with the
|
|
|
|
|
.Fl R
|
|
|
|
|
flag, an incremental replication stream is generated.
|
|
|
|
|
The current values of properties, and current snapshot and file system names are
|
|
|
|
|
set when the stream is received.
|
|
|
|
|
If the
|
|
|
|
|
.Fl F
|
|
|
|
|
flag is specified when this stream is received, snapshots and file systems that
|
|
|
|
|
do not exist on the sending side are destroyed.
|
|
|
|
|
.It Fl e, -embed
|
|
|
|
|
Generate a more compact stream by using
|
|
|
|
|
.Sy WRITE_EMBEDDED
|
|
|
|
|
records for blocks which are stored more compactly on disk by the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
pool feature.
|
|
|
|
|
This flag has no effect if the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature is disabled.
|
|
|
|
|
The receiving system must have the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature enabled.
|
|
|
|
|
If the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature is active on the sending system, then the receiving system must have
|
2017-09-12 20:15:11 +00:00
|
|
|
|
that feature enabled as well. Datasets that are sent with this flag may not be
|
|
|
|
|
received as an encrypted dataset, since encrypted datasets cannot use the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags and the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature.
|
|
|
|
|
.It Fl c, -compressed
|
2016-07-11 17:45:52 +00:00
|
|
|
|
Generate a more compact stream by using compressed WRITE records for blocks
|
2017-06-29 16:55:30 +00:00
|
|
|
|
which are compressed on disk and in memory
|
|
|
|
|
.Po see the
|
|
|
|
|
.Sy compression
|
|
|
|
|
property for details
|
|
|
|
|
.Pc .
|
|
|
|
|
If the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature is active on the sending system, then the receiving system must have
|
|
|
|
|
that feature enabled as well.
|
|
|
|
|
If the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
feature is enabled on the sending system but the
|
|
|
|
|
.Fl L
|
|
|
|
|
option is not supplied in conjunction with
|
|
|
|
|
.Fl c ,
|
|
|
|
|
then the data will be decompressed before sending so it can be split into
|
|
|
|
|
smaller block sizes.
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Fl w, -raw
|
|
|
|
|
For encrypted datasets, send data exactly as it exists on disk. This allows
|
|
|
|
|
backups to be taken even if encryption keys are not currently loaded. The
|
|
|
|
|
backup may then be received on an untrusted machine since that machine will
|
|
|
|
|
not have the encryption keys to read the protected data or alter it without
|
|
|
|
|
being detected. Upon being received, the dataset will have the same encryption
|
|
|
|
|
keys as it did on the send side, although the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
property will be defaulted to
|
|
|
|
|
.Sy prompt
|
|
|
|
|
if not otherwise provided. For unencrypted datasets, this flag will be
|
|
|
|
|
equivalent to
|
|
|
|
|
.Fl Lec .
|
|
|
|
|
Note that if you do not use this flag for sending encrypted datasets, data will
|
|
|
|
|
be sent unencrypted and may be re-encrypted with a different encryption key on
|
|
|
|
|
the receiving system, which will disable the ability to do a raw send to that
|
|
|
|
|
system for incrementals.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl i Ar snapshot
|
|
|
|
|
Generate an incremental stream from the first
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
.Pq the incremental source
|
|
|
|
|
to the second
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
.Pq the incremental target .
|
|
|
|
|
The incremental source can be specified as the last component of the snapshot
|
|
|
|
|
name
|
|
|
|
|
.Po the
|
|
|
|
|
.Sy @
|
|
|
|
|
character and following
|
|
|
|
|
.Pc
|
|
|
|
|
and it is assumed to be from the same file system as the incremental target.
|
|
|
|
|
.Pp
|
|
|
|
|
If the destination is a clone, the source may be the origin snapshot, which must
|
|
|
|
|
be fully specified
|
|
|
|
|
.Po for example,
|
|
|
|
|
.Em pool/fs@origin ,
|
|
|
|
|
not just
|
|
|
|
|
.Em @origin
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Fl n, -dryrun
|
|
|
|
|
Do a dry-run
|
|
|
|
|
.Pq Qq No-op
|
|
|
|
|
send.
|
|
|
|
|
Do not generate any actual send data.
|
|
|
|
|
This is useful in conjunction with the
|
|
|
|
|
.Fl v
|
|
|
|
|
or
|
|
|
|
|
.Fl P
|
|
|
|
|
flags to determine what data will be sent.
|
|
|
|
|
In this case, the verbose output will be written to standard output
|
|
|
|
|
.Po contrast with a non-dry-run, where the stream is written to standard output
|
|
|
|
|
and the verbose output goes to standard error
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Fl p, -props
|
|
|
|
|
Include the dataset's properties in the stream.
|
|
|
|
|
This flag is implicit when
|
|
|
|
|
.Fl R
|
|
|
|
|
is specified.
|
2017-09-12 20:15:11 +00:00
|
|
|
|
The receiving system must also support this feature. Sends of encrypted datasets
|
|
|
|
|
must use
|
|
|
|
|
.Fl w
|
|
|
|
|
when using this flag.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl v, -verbose
|
|
|
|
|
Print verbose information about the stream package generated.
|
|
|
|
|
This information includes a per-second report of how much data has been sent.
|
|
|
|
|
.Pp
|
|
|
|
|
The format of the stream is committed.
|
2017-09-05 20:45:18 +00:00
|
|
|
|
You will be able to receive your streams on future versions of ZFS.
|
2017-09-08 22:24:31 +00:00
|
|
|
|
.El
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm send
|
2017-09-08 22:24:31 +00:00
|
|
|
|
.Op Fl LPcenvw
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Op Fl i Ar snapshot Ns | Ns Ar bookmark
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
Generate a send stream, which may be of a filesystem, and may be incremental
|
|
|
|
|
from a bookmark.
|
|
|
|
|
If the destination is a filesystem or volume, the pool must be read-only, or the
|
|
|
|
|
filesystem must not be mounted.
|
|
|
|
|
When the stream generated from a filesystem or volume is received, the default
|
|
|
|
|
snapshot name will be
|
|
|
|
|
.Qq --head-- .
|
|
|
|
|
.Bl -tag -width "-L"
|
|
|
|
|
.It Fl L, -large-block
|
|
|
|
|
Generate a stream which may contain blocks larger than 128KB.
|
|
|
|
|
This flag has no effect if the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
pool feature is disabled, or if the
|
|
|
|
|
.Sy recordsize
|
|
|
|
|
property of this filesystem has never been set above 128KB.
|
|
|
|
|
The receiving system must have the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
pool feature enabled as well.
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags and the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
feature.
|
2017-09-08 22:24:31 +00:00
|
|
|
|
.It Fl P, -parsable
|
|
|
|
|
Print machine-parsable verbose information about the stream package generated.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl c, -compressed
|
|
|
|
|
Generate a more compact stream by using compressed WRITE records for blocks
|
|
|
|
|
which are compressed on disk and in memory
|
|
|
|
|
.Po see the
|
|
|
|
|
.Sy compression
|
|
|
|
|
property for details
|
|
|
|
|
.Pc .
|
|
|
|
|
If the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature is active on the sending system, then the receiving system must have
|
|
|
|
|
that feature enabled as well.
|
|
|
|
|
If the
|
|
|
|
|
.Sy large_blocks
|
|
|
|
|
feature is enabled on the sending system but the
|
|
|
|
|
.Fl L
|
|
|
|
|
option is not supplied in conjunction with
|
|
|
|
|
.Fl c ,
|
|
|
|
|
then the data will be decompressed before sending so it can be split into
|
|
|
|
|
smaller block sizes.
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Fl w, -raw
|
|
|
|
|
For encrypted datasets, send data exactly as it exists on disk. This allows
|
|
|
|
|
backups to be taken even if encryption keys are not currently loaded. The
|
|
|
|
|
backup may then be received on an untrusted machine since that machine will
|
|
|
|
|
not have the encryption keys to read the protected data or alter it without
|
|
|
|
|
being detected. Upon being received, the dataset will have the same encryption
|
|
|
|
|
keys as it did on the send side, although the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
property will be defaulted to
|
|
|
|
|
.Sy prompt
|
|
|
|
|
if not otherwise provided. For unencrypted datasets, this flag will be
|
|
|
|
|
equivalent to
|
|
|
|
|
.Fl Lec .
|
|
|
|
|
Note that if you do not use this flag for sending encrypted datasets, data will
|
|
|
|
|
be sent unencrypted and may be re-encrypted with a different encryption key on
|
|
|
|
|
the receiving system, which will disable the ability to do a raw send to that
|
|
|
|
|
system for incrementals.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.It Fl e, -embed
|
|
|
|
|
Generate a more compact stream by using
|
|
|
|
|
.Sy WRITE_EMBEDDED
|
|
|
|
|
records for blocks which are stored more compactly on disk by the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
pool feature.
|
|
|
|
|
This flag has no effect if the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature is disabled.
|
|
|
|
|
The receiving system must have the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature enabled.
|
|
|
|
|
If the
|
|
|
|
|
.Sy lz4_compress
|
|
|
|
|
feature is active on the sending system, then the receiving system must have
|
2017-09-12 20:15:11 +00:00
|
|
|
|
that feature enabled as well. Datasets that are sent with this flag may not be
|
|
|
|
|
received as an encrypted dataset, since encrypted datasets cannot use the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags and the
|
|
|
|
|
.Sy embedded_data
|
|
|
|
|
feature.
|
|
|
|
|
.It Fl i Ar snapshot Ns | Ns Ar bookmark
|
|
|
|
|
Generate an incremental send stream.
|
|
|
|
|
The incremental source must be an earlier snapshot in the destination's history.
|
|
|
|
|
It will commonly be an earlier snapshot in the destination's file system, in
|
|
|
|
|
which case it can be specified as the last component of the name
|
|
|
|
|
.Po the
|
|
|
|
|
.Sy #
|
|
|
|
|
or
|
|
|
|
|
.Sy @
|
|
|
|
|
character and following
|
|
|
|
|
.Pc .
|
|
|
|
|
.Pp
|
|
|
|
|
If the incremental target is a clone, the incremental source can be the origin
|
|
|
|
|
snapshot, or an earlier snapshot in the origin's filesystem, or the origin's
|
|
|
|
|
origin, etc.
|
2017-09-08 22:24:31 +00:00
|
|
|
|
.It Fl n, -dryrun
|
|
|
|
|
Do a dry-run
|
|
|
|
|
.Pq Qq No-op
|
|
|
|
|
send.
|
|
|
|
|
Do not generate any actual send data.
|
|
|
|
|
This is useful in conjunction with the
|
|
|
|
|
.Fl v
|
|
|
|
|
or
|
|
|
|
|
.Fl P
|
|
|
|
|
flags to determine what data will be sent.
|
|
|
|
|
In this case, the verbose output will be written to standard output
|
|
|
|
|
.Po contrast with a non-dry-run, where the stream is written to standard output
|
|
|
|
|
and the verbose output goes to standard error
|
|
|
|
|
.Pc .
|
|
|
|
|
.It Fl v, -verbose
|
|
|
|
|
Print verbose information about the stream package generated.
|
|
|
|
|
This information includes a per-second report of how much data has been sent.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm send
|
|
|
|
|
.Op Fl Penv
|
|
|
|
|
.Fl t
|
|
|
|
|
.Ar receive_resume_token
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a send stream which resumes an interrupted receive.
|
|
|
|
|
The
|
|
|
|
|
.Ar receive_resume_token
|
|
|
|
|
is the value of this property on the filesystem or volume that was being
|
|
|
|
|
received into.
|
|
|
|
|
See the documentation for
|
|
|
|
|
.Sy zfs receive -s
|
|
|
|
|
for more details.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm receive
|
|
|
|
|
.Op Fl Fnsuv
|
|
|
|
|
.Op Fl o Sy origin Ns = Ns Ar snapshot
|
|
|
|
|
.Op Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
.Op Fl x Ar property
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
|
|
|
|
|
.Xc
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm receive
|
|
|
|
|
.Op Fl Fnsuv
|
|
|
|
|
.Op Fl d Ns | Ns Fl e
|
|
|
|
|
.Op Fl o Sy origin Ns = Ns Ar snapshot
|
|
|
|
|
.Op Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
.Op Fl x Ar property
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Creates a snapshot whose contents are as specified in the stream provided on
|
|
|
|
|
standard input.
|
|
|
|
|
If a full stream is received, then a new file system is created as well.
|
|
|
|
|
Streams are created using the
|
|
|
|
|
.Nm zfs Cm send
|
|
|
|
|
subcommand, which by default creates a full stream.
|
|
|
|
|
.Nm zfs Cm recv
|
|
|
|
|
can be used as an alias for
|
|
|
|
|
.Nm zfs Cm receive.
|
|
|
|
|
.Pp
|
|
|
|
|
If an incremental stream is received, then the destination file system must
|
|
|
|
|
already exist, and its most recent snapshot must match the incremental stream's
|
|
|
|
|
source.
|
|
|
|
|
For
|
|
|
|
|
.Sy zvols ,
|
|
|
|
|
the destination device link is destroyed and recreated, which means the
|
|
|
|
|
.Sy zvol
|
|
|
|
|
cannot be accessed during the
|
|
|
|
|
.Cm receive
|
|
|
|
|
operation.
|
|
|
|
|
.Pp
|
|
|
|
|
When a snapshot replication package stream that is generated by using the
|
|
|
|
|
.Nm zfs Cm send Fl R
|
|
|
|
|
command is received, any snapshots that do not exist on the sending location are
|
|
|
|
|
destroyed by using the
|
|
|
|
|
.Nm zfs Cm destroy Fl d
|
|
|
|
|
command.
|
|
|
|
|
.Pp
|
|
|
|
|
If
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Fl o Em property Ns = Ns Ar value
|
2017-06-29 16:55:30 +00:00
|
|
|
|
or
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Fl x Em property
|
2017-06-29 16:55:30 +00:00
|
|
|
|
is specified, it applies to the effective value of the property throughout
|
|
|
|
|
the entire subtree of replicated datasets. Effective property values will be
|
|
|
|
|
set (
|
|
|
|
|
.Fl o
|
|
|
|
|
) or inherited (
|
|
|
|
|
.Fl x
|
|
|
|
|
) on the topmost in the replicated subtree. In descendant datasets, if the
|
|
|
|
|
property is set by the send stream, it will be overridden by forcing the
|
|
|
|
|
property to be inherited from the top‐most file system. Received properties
|
|
|
|
|
are retained in spite of being overridden and may be restored with
|
|
|
|
|
.Nm zfs Cm inherit Fl S .
|
|
|
|
|
Specifying
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Fl o Sy origin Ns = Ns Em snapshot
|
2017-06-29 16:55:30 +00:00
|
|
|
|
is a special case because, even if
|
|
|
|
|
.Sy origin
|
|
|
|
|
is a read-only property and cannot be set, it's allowed to receive the send
|
|
|
|
|
stream as a clone of the given snapshot.
|
|
|
|
|
.Pp
|
2017-09-12 20:15:11 +00:00
|
|
|
|
Raw encrypted send streams (created with
|
|
|
|
|
.Nm zfs Cm send Fl w
|
|
|
|
|
) may only be received as is, and cannot be re-encrypted, decrypted, or
|
|
|
|
|
recompressed by the receive process. Unencrypted streams can be received as
|
|
|
|
|
encrypted datasets, either through inheritance or by specifying encryption
|
|
|
|
|
parameters with the
|
|
|
|
|
.Fl o
|
|
|
|
|
options.
|
|
|
|
|
.Pp
|
2017-06-29 16:55:30 +00:00
|
|
|
|
The name of the snapshot
|
|
|
|
|
.Pq and file system, if a full stream is received
|
|
|
|
|
that this subcommand creates depends on the argument type and the use of the
|
|
|
|
|
.Fl d
|
|
|
|
|
or
|
|
|
|
|
.Fl e
|
|
|
|
|
options.
|
|
|
|
|
.Pp
|
|
|
|
|
If the argument is a snapshot name, the specified
|
|
|
|
|
.Ar snapshot
|
|
|
|
|
is created.
|
|
|
|
|
If the argument is a file system or volume name, a snapshot with the same name
|
|
|
|
|
as the sent snapshot is created within the specified
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
or
|
|
|
|
|
.Ar volume .
|
|
|
|
|
If neither of the
|
|
|
|
|
.Fl d
|
|
|
|
|
or
|
|
|
|
|
.Fl e
|
|
|
|
|
options are specified, the provided target snapshot name is used exactly as
|
|
|
|
|
provided.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Fl d
|
|
|
|
|
and
|
|
|
|
|
.Fl e
|
|
|
|
|
options cause the file system name of the target snapshot to be determined by
|
|
|
|
|
appending a portion of the sent snapshot's name to the specified target
|
|
|
|
|
.Ar filesystem .
|
|
|
|
|
If the
|
|
|
|
|
.Fl d
|
|
|
|
|
option is specified, all but the first element of the sent snapshot's file
|
|
|
|
|
system path
|
|
|
|
|
.Pq usually the pool name
|
|
|
|
|
is used and any required intermediate file systems within the specified one are
|
|
|
|
|
created.
|
|
|
|
|
If the
|
|
|
|
|
.Fl e
|
|
|
|
|
option is specified, then only the last element of the sent snapshot's file
|
|
|
|
|
system name
|
|
|
|
|
.Pq i.e. the name of the source file system itself
|
|
|
|
|
is used as the target file system name.
|
|
|
|
|
.Bl -tag -width "-F"
|
|
|
|
|
.It Fl F
|
|
|
|
|
Force a rollback of the file system to the most recent snapshot before
|
|
|
|
|
performing the receive operation.
|
|
|
|
|
If receiving an incremental replication stream
|
|
|
|
|
.Po for example, one generated by
|
|
|
|
|
.Nm zfs Cm send Fl R Op Fl i Ns | Ns Fl I
|
|
|
|
|
.Pc ,
|
|
|
|
|
destroy snapshots and file systems that do not exist on the sending side.
|
|
|
|
|
.It Fl d
|
|
|
|
|
Discard the first element of the sent snapshot's file system name, using the
|
|
|
|
|
remaining elements to determine the name of the target file system for the new
|
|
|
|
|
snapshot as described in the paragraph above.
|
|
|
|
|
.It Fl e
|
|
|
|
|
Discard all but the last element of the sent snapshot's file system name, using
|
|
|
|
|
that element to determine the name of the target file system for the new
|
|
|
|
|
snapshot as described in the paragraph above.
|
|
|
|
|
.It Fl n
|
|
|
|
|
Do not actually receive the stream.
|
|
|
|
|
This can be useful in conjunction with the
|
|
|
|
|
.Fl v
|
|
|
|
|
option to verify the name the receive operation would use.
|
|
|
|
|
.It Fl o Sy origin Ns = Ns Ar snapshot
|
2016-06-09 18:18:16 +00:00
|
|
|
|
Forces the stream to be received as a clone of the given snapshot.
|
|
|
|
|
If the stream is a full send stream, this will create the filesystem
|
2017-06-29 16:55:30 +00:00
|
|
|
|
described by the stream as a clone of the specified snapshot.
|
|
|
|
|
Which snapshot was specified will not affect the success or failure of the
|
|
|
|
|
receive, as long as the snapshot does exist.
|
|
|
|
|
If the stream is an incremental send stream, all the normal verification will be
|
|
|
|
|
performed.
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.It Fl o Em property Ns = Ns Ar value
|
2017-06-29 16:55:30 +00:00
|
|
|
|
Sets the specified property as if the command
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Nm zfs Cm set Em property Ns = Ns Ar value
|
2017-06-29 16:55:30 +00:00
|
|
|
|
was invoked immediately before the receive. When receiving a stream from
|
|
|
|
|
.Nm zfs Cm send Fl R ,
|
|
|
|
|
causes the property to be inherited by all descendant datasets, as through
|
|
|
|
|
.Nm zfs Cm inherit Em property
|
|
|
|
|
was run on any descendant datasets that have this property set on the
|
|
|
|
|
sending system.
|
|
|
|
|
.Pp
|
|
|
|
|
Any editable property can be set at receive time. Set-once properties bound
|
|
|
|
|
to the received data, such as
|
|
|
|
|
.Sy normalization
|
|
|
|
|
and
|
|
|
|
|
.Sy casesensitivity ,
|
|
|
|
|
cannot be set at receive time even when the datasets are newly created by
|
|
|
|
|
.Nm zfs Cm receive .
|
|
|
|
|
Additionally both settable properties
|
|
|
|
|
.Sy version
|
|
|
|
|
and
|
|
|
|
|
.Sy volsize
|
|
|
|
|
cannot be set at receive time.
|
|
|
|
|
.Pp
|
|
|
|
|
The
|
|
|
|
|
.Fl o
|
|
|
|
|
option may be specified multiple times, for different properties. An error
|
|
|
|
|
results if the same property is specified in multiple
|
|
|
|
|
.Fl o
|
|
|
|
|
or
|
|
|
|
|
.Fl x
|
|
|
|
|
options.
|
|
|
|
|
.It Fl s
|
|
|
|
|
If the receive is interrupted, save the partially received state, rather
|
|
|
|
|
than deleting it.
|
|
|
|
|
Interruption may be due to premature termination of the stream
|
|
|
|
|
.Po e.g. due to network failure or failure of the remote system
|
|
|
|
|
if the stream is being read over a network connection
|
|
|
|
|
.Pc ,
|
|
|
|
|
a checksum error in the stream, termination of the
|
|
|
|
|
.Nm zfs Cm receive
|
|
|
|
|
process, or unclean shutdown of the system.
|
|
|
|
|
.Pp
|
|
|
|
|
The receive can be resumed with a stream generated by
|
|
|
|
|
.Nm zfs Cm send Fl t Ar token ,
|
|
|
|
|
where the
|
|
|
|
|
.Ar token
|
|
|
|
|
is the value of the
|
|
|
|
|
.Sy receive_resume_token
|
|
|
|
|
property of the filesystem or volume which is received into.
|
|
|
|
|
.Pp
|
|
|
|
|
To use this flag, the storage pool must have the
|
|
|
|
|
.Sy extensible_dataset
|
|
|
|
|
feature enabled.
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool-features 5
|
|
|
|
|
for details on ZFS feature flags.
|
|
|
|
|
.It Fl u
|
|
|
|
|
File system that is associated with the received stream is not mounted.
|
|
|
|
|
.It Fl v
|
|
|
|
|
Print verbose information about the stream and the time required to perform the
|
|
|
|
|
receive operation.
|
|
|
|
|
.It Fl x Em property
|
|
|
|
|
Ensures that the effective value of the specified property after the
|
|
|
|
|
receive is unaffected by the value of that property in the send stream (if any),
|
|
|
|
|
as if the property had been excluded from the send stream.
|
|
|
|
|
.Pp
|
|
|
|
|
If the specified property is not present in the send stream, this option does
|
|
|
|
|
nothing.
|
|
|
|
|
.Pp
|
|
|
|
|
If a received property needs to be overridden, the effective value will be
|
|
|
|
|
set or inherited, depending on whether the property is inheritable or not.
|
|
|
|
|
.Pp
|
|
|
|
|
In the case of an incremental update,
|
|
|
|
|
.Fl x
|
|
|
|
|
leaves any existing local setting or explicit inheritance unchanged.
|
|
|
|
|
.Pp
|
|
|
|
|
All
|
|
|
|
|
.Fl o
|
|
|
|
|
restrictions on set-once and special properties apply equally to
|
|
|
|
|
.Fl x .
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm receive
|
|
|
|
|
.Fl A
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Abort an interrupted
|
|
|
|
|
.Nm zfs Cm receive Fl s ,
|
|
|
|
|
deleting its saved partially received state.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Displays permissions that have been delegated on the specified filesystem or
|
|
|
|
|
volume.
|
|
|
|
|
See the other forms of
|
|
|
|
|
.Nm zfs Cm allow
|
|
|
|
|
for more information.
|
|
|
|
|
.Pp
|
|
|
|
|
Delegations are supported under Linux with the exception of
|
|
|
|
|
.Sy mount ,
|
|
|
|
|
.Sy unmount ,
|
|
|
|
|
.Sy mountpoint ,
|
|
|
|
|
.Sy canmount ,
|
|
|
|
|
.Sy rename ,
|
|
|
|
|
and
|
|
|
|
|
.Sy share .
|
|
|
|
|
These permissions cannot be delegated because the Linux
|
|
|
|
|
.Xr mount 8
|
|
|
|
|
command restricts modifications of the global namespace to the root user.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Op Fl dglu
|
|
|
|
|
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
2009-12-12 00:15:33 +00:00
|
|
|
|
.br
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Op Fl dl
|
|
|
|
|
.Fl e Ns | Ns Sy everyone
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Delegates ZFS administration permission for the file systems to non-privileged
|
|
|
|
|
users.
|
|
|
|
|
.Bl -tag -width "-d"
|
|
|
|
|
.It Fl d
|
|
|
|
|
Allow only for the descendent file systems.
|
|
|
|
|
.It Fl e Ns | Ns Sy everyone
|
|
|
|
|
Specifies that the permissions be delegated to everyone.
|
|
|
|
|
.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns ...
|
|
|
|
|
Explicitly specify that permissions are delegated to the group.
|
|
|
|
|
.It Fl l
|
|
|
|
|
Allow
|
|
|
|
|
.Qq locally
|
|
|
|
|
only for the specified file system.
|
|
|
|
|
.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns ...
|
|
|
|
|
Explicitly specify that permissions are delegated to the user.
|
|
|
|
|
.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
|
|
|
|
|
Specifies to whom the permissions are delegated.
|
|
|
|
|
Multiple entities can be specified as a comma-separated list.
|
|
|
|
|
If neither of the
|
|
|
|
|
.Fl gu
|
|
|
|
|
options are specified, then the argument is interpreted preferentially as the
|
|
|
|
|
keyword
|
|
|
|
|
.Sy everyone ,
|
|
|
|
|
then as a user name, and lastly as a group name.
|
|
|
|
|
To specify a user or group named
|
|
|
|
|
.Qq everyone ,
|
|
|
|
|
use the
|
|
|
|
|
.Fl g
|
|
|
|
|
or
|
|
|
|
|
.Fl u
|
|
|
|
|
options.
|
|
|
|
|
To specify a group with the same name as a user, use the
|
|
|
|
|
.Fl g
|
|
|
|
|
options.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
The permissions to delegate.
|
|
|
|
|
Multiple permissions may be specified as a comma-separated list.
|
|
|
|
|
Permission names are the same as ZFS subcommand and property names.
|
|
|
|
|
See the property list below.
|
|
|
|
|
Property set names, which begin with
|
|
|
|
|
.Sy @ ,
|
|
|
|
|
may be specified.
|
|
|
|
|
See the
|
|
|
|
|
.Fl s
|
|
|
|
|
form below for details.
|
|
|
|
|
.El
|
|
|
|
|
.Pp
|
|
|
|
|
If neither of the
|
|
|
|
|
.Fl dl
|
|
|
|
|
options are specified, or both are, then the permissions are allowed for the
|
|
|
|
|
file system or volume, and all of its descendents.
|
|
|
|
|
.Pp
|
|
|
|
|
Permissions are generally the ability to use a ZFS subcommand or change a ZFS
|
|
|
|
|
property.
|
|
|
|
|
The following permissions are available:
|
|
|
|
|
.Bd -literal
|
2009-12-12 00:15:33 +00:00
|
|
|
|
NAME TYPE NOTES
|
2017-06-29 16:55:30 +00:00
|
|
|
|
allow subcommand Must also have the permission that is
|
|
|
|
|
being allowed
|
|
|
|
|
clone subcommand Must also have the 'create' ability and
|
|
|
|
|
'mount' ability in the origin file system
|
2009-12-12 00:15:33 +00:00
|
|
|
|
create subcommand Must also have the 'mount' ability
|
|
|
|
|
destroy subcommand Must also have the 'mount' ability
|
2012-08-16 17:08:53 +00:00
|
|
|
|
diff subcommand Allows lookup of paths within a dataset
|
2017-06-29 16:55:30 +00:00
|
|
|
|
given an object number, and the ability
|
|
|
|
|
to create snapshots necessary to
|
|
|
|
|
'zfs diff'.
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
load-key subcommand Allows loading and unloading of encryption key
|
|
|
|
|
(see 'zfs load-key' and 'zfs unload-key').
|
|
|
|
|
change-key subcommand Allows changing an encryption key via
|
|
|
|
|
'zfs change-key'.
|
2009-12-12 00:15:33 +00:00
|
|
|
|
mount subcommand Allows mount/umount of ZFS datasets
|
2017-06-29 16:55:30 +00:00
|
|
|
|
promote subcommand Must also have the 'mount' and 'promote'
|
|
|
|
|
ability in the origin file system
|
|
|
|
|
receive subcommand Must also have the 'mount' and 'create'
|
|
|
|
|
ability
|
2009-12-12 00:15:33 +00:00
|
|
|
|
rename subcommand Must also have the 'mount' and 'create'
|
|
|
|
|
ability in the new parent
|
|
|
|
|
rollback subcommand Must also have the 'mount' ability
|
2015-12-17 01:45:15 +00:00
|
|
|
|
send subcommand
|
2017-06-29 16:55:30 +00:00
|
|
|
|
share subcommand Allows sharing file systems over NFS
|
|
|
|
|
or SMB protocols
|
2009-12-12 00:15:33 +00:00
|
|
|
|
snapshot subcommand Must also have the 'mount' ability
|
2017-06-29 16:55:30 +00:00
|
|
|
|
|
|
|
|
|
groupquota other Allows accessing any groupquota@...
|
|
|
|
|
property
|
2009-12-12 00:15:33 +00:00
|
|
|
|
groupused other Allows reading any groupused@... property
|
|
|
|
|
userprop other Allows changing any user property
|
2017-06-29 16:55:30 +00:00
|
|
|
|
userquota other Allows accessing any userquota@...
|
|
|
|
|
property
|
2009-12-12 00:15:33 +00:00
|
|
|
|
userused other Allows reading any userused@... property
|
|
|
|
|
|
2015-12-17 01:45:15 +00:00
|
|
|
|
aclinherit property
|
2017-06-29 16:55:30 +00:00
|
|
|
|
acltype property
|
2015-12-17 01:45:15 +00:00
|
|
|
|
atime property
|
|
|
|
|
canmount property
|
|
|
|
|
casesensitivity property
|
|
|
|
|
checksum property
|
|
|
|
|
compression property
|
|
|
|
|
copies property
|
|
|
|
|
devices property
|
|
|
|
|
exec property
|
2015-04-01 13:07:48 +00:00
|
|
|
|
filesystem_limit property
|
2015-12-17 01:45:15 +00:00
|
|
|
|
mountpoint property
|
|
|
|
|
nbmand property
|
|
|
|
|
normalization property
|
|
|
|
|
primarycache property
|
|
|
|
|
quota property
|
|
|
|
|
readonly property
|
|
|
|
|
recordsize property
|
|
|
|
|
refquota property
|
|
|
|
|
refreservation property
|
|
|
|
|
reservation property
|
|
|
|
|
secondarycache property
|
|
|
|
|
setuid property
|
|
|
|
|
sharenfs property
|
|
|
|
|
sharesmb property
|
|
|
|
|
snapdir property
|
2015-04-01 13:07:48 +00:00
|
|
|
|
snapshot_limit property
|
2015-12-17 01:45:15 +00:00
|
|
|
|
utf8only property
|
|
|
|
|
version property
|
|
|
|
|
volblocksize property
|
|
|
|
|
volsize property
|
|
|
|
|
vscan property
|
|
|
|
|
xattr property
|
|
|
|
|
zoned property
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Fl c
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Sets
|
|
|
|
|
.Qq create time
|
|
|
|
|
permissions.
|
|
|
|
|
These permissions are granted
|
|
|
|
|
.Pq locally
|
|
|
|
|
to the creator of any newly-created descendent file system.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm allow
|
|
|
|
|
.Fl s No @ Ns Ar setname
|
|
|
|
|
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ...
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Defines or adds permissions to a permission set.
|
|
|
|
|
The set can be used by other
|
|
|
|
|
.Nm zfs Cm allow
|
|
|
|
|
commands for the specified file system and its descendents.
|
|
|
|
|
Sets are evaluated dynamically, so changes to a set are immediately reflected.
|
|
|
|
|
Permission sets follow the same naming restrictions as ZFS file systems, but the
|
|
|
|
|
name must begin with
|
|
|
|
|
.Sy @ ,
|
|
|
|
|
and can be no more than 64 characters long.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl dglru
|
|
|
|
|
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
2009-12-12 00:15:33 +00:00
|
|
|
|
.br
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl dlr
|
|
|
|
|
.Fl e Ns | Ns Sy everyone
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
2009-12-12 00:15:33 +00:00
|
|
|
|
.br
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Fl c
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Removes permissions that were granted with the
|
|
|
|
|
.Nm zfs Cm allow
|
|
|
|
|
command.
|
|
|
|
|
No permissions are explicitly denied, so other permissions granted are still in
|
|
|
|
|
effect.
|
|
|
|
|
For example, if the permission is granted by an ancestor.
|
|
|
|
|
If no permissions are specified, then all permissions for the specified
|
|
|
|
|
.Ar user ,
|
|
|
|
|
.Ar group ,
|
|
|
|
|
or
|
|
|
|
|
.Sy everyone
|
|
|
|
|
are removed.
|
|
|
|
|
Specifying
|
|
|
|
|
.Sy everyone
|
|
|
|
|
.Po or using the
|
|
|
|
|
.Fl e
|
|
|
|
|
option
|
|
|
|
|
.Pc
|
|
|
|
|
only removes the permissions that were granted to everyone, not all permissions
|
|
|
|
|
for every user and group.
|
|
|
|
|
See the
|
|
|
|
|
.Nm zfs Cm allow
|
|
|
|
|
command for a description of the
|
|
|
|
|
.Fl ldugec
|
|
|
|
|
options.
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Recursively remove the permissions from this file system and all descendents.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unallow
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Fl s No @ Ns Ar setname
|
|
|
|
|
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
|
|
|
|
|
.Ar setname Oc Ns ... Oc
|
|
|
|
|
.Ar filesystem Ns | Ns Ar volume
|
|
|
|
|
.Xc
|
|
|
|
|
Removes permissions from a permission set.
|
|
|
|
|
If no permissions are specified, then all permissions are removed, thus removing
|
|
|
|
|
the set entirely.
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm hold
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Ar tag Ar snapshot Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
Adds a single reference, named with the
|
|
|
|
|
.Ar tag
|
|
|
|
|
argument, to the specified snapshot or snapshots.
|
|
|
|
|
Each snapshot has its own tag namespace, and tags must be unique within that
|
|
|
|
|
space.
|
|
|
|
|
.Pp
|
|
|
|
|
If a hold exists on a snapshot, attempts to destroy that snapshot by using the
|
|
|
|
|
.Nm zfs Cm destroy
|
|
|
|
|
command return
|
|
|
|
|
.Er EBUSY .
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
|
|
|
|
Specifies that a hold with the given tag is applied recursively to the snapshots
|
|
|
|
|
of all descendent file systems.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm holds
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Ar snapshot Ns ...
|
|
|
|
|
.Xc
|
2009-12-12 00:15:33 +00:00
|
|
|
|
Lists all existing user references for the given snapshot or snapshots.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
|
|
|
|
Lists the holds that are set on the named descendent snapshots, in addition to
|
|
|
|
|
listing the holds on the named snapshot.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm release
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Ar tag Ar snapshot Ns ...
|
|
|
|
|
.Xc
|
|
|
|
|
Removes a single reference, named with the
|
|
|
|
|
.Ar tag
|
|
|
|
|
argument, from the specified snapshot or snapshots.
|
|
|
|
|
The tag must already exist for each snapshot.
|
|
|
|
|
If a hold exists on a snapshot, attempts to destroy that snapshot by using the
|
|
|
|
|
.Nm zfs Cm destroy
|
|
|
|
|
command return
|
|
|
|
|
.Er EBUSY .
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
|
|
|
|
Recursively releases a hold with the given tag on the snapshots of all
|
|
|
|
|
descendent file systems.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm diff
|
|
|
|
|
.Op Fl FHt
|
|
|
|
|
.Ar snapshot Ar snapshot Ns | Ns Ar filesystem
|
|
|
|
|
.Xc
|
2012-08-16 17:08:53 +00:00
|
|
|
|
Display the difference between a snapshot of a given filesystem and another
|
|
|
|
|
snapshot of that filesystem from a later time or the current contents of the
|
2017-06-29 16:55:30 +00:00
|
|
|
|
filesystem.
|
|
|
|
|
The first column is a character indicating the type of change, the other columns
|
|
|
|
|
indicate pathname, new pathname
|
|
|
|
|
.Pq in case of rename ,
|
|
|
|
|
change in link count, and optionally file type and/or change time.
|
2012-08-16 17:08:53 +00:00
|
|
|
|
The types of change are:
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Bd -literal
|
2012-08-16 17:08:53 +00:00
|
|
|
|
- The path has been removed
|
|
|
|
|
+ The path has been created
|
|
|
|
|
M The path has been modified
|
|
|
|
|
R The path has been renamed
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.Bl -tag -width "-F"
|
|
|
|
|
.It Fl F
|
|
|
|
|
Display an indication of the type of file, in a manner similar to the
|
|
|
|
|
.Fl
|
|
|
|
|
option of
|
|
|
|
|
.Xr ls 1 .
|
|
|
|
|
.Bd -literal
|
2012-08-16 17:08:53 +00:00
|
|
|
|
B Block device
|
|
|
|
|
C Character device
|
|
|
|
|
/ Directory
|
|
|
|
|
> Door
|
|
|
|
|
| Named pipe
|
|
|
|
|
@ Symbolic link
|
|
|
|
|
P Event port
|
|
|
|
|
= Socket
|
|
|
|
|
F Regular file
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.It Fl H
|
|
|
|
|
Give more parsable tab-separated output, without header lines and without
|
|
|
|
|
arrows.
|
|
|
|
|
.It Fl t
|
2012-08-16 17:08:53 +00:00
|
|
|
|
Display the path's inode change time as the first column of output.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
2018-02-08 16:16:23 +00:00
|
|
|
|
.Cm program
|
2018-02-08 16:35:09 +00:00
|
|
|
|
.Op Fl n
|
2018-02-08 16:16:23 +00:00
|
|
|
|
.Op Fl t Ar timeout
|
|
|
|
|
.Op Fl m Ar memory_limit
|
|
|
|
|
.Ar pool script
|
|
|
|
|
.Op Ar arg1 No ...
|
|
|
|
|
.Xc
|
|
|
|
|
Executes
|
|
|
|
|
.Ar script
|
|
|
|
|
as a ZFS channel program on
|
|
|
|
|
.Ar pool .
|
|
|
|
|
The ZFS channel
|
|
|
|
|
program interface allows ZFS administrative operations to be run
|
|
|
|
|
programmatically via a Lua script.
|
|
|
|
|
The entire script is executed atomically, with no other administrative
|
|
|
|
|
operations taking effect concurrently.
|
|
|
|
|
A library of ZFS calls is made available to channel program scripts.
|
|
|
|
|
Channel programs may only be run with root privileges.
|
|
|
|
|
.sp
|
|
|
|
|
For full documentation of the ZFS channel program interface, see the manual
|
|
|
|
|
page for
|
|
|
|
|
.Xr zfs-program 8 .
|
|
|
|
|
.Bl -tag -width ""
|
2018-02-08 16:35:09 +00:00
|
|
|
|
.It Fl n
|
|
|
|
|
Executes a read-only channel program, which runs faster.
|
|
|
|
|
The program cannot change on-disk state by calling functions from
|
|
|
|
|
the zfs.sync submodule.
|
|
|
|
|
The program can be used to gather information such as properties and
|
|
|
|
|
determining if changes would succeed (zfs.check.*).
|
|
|
|
|
Without this flag, all pending changes must be synced to disk before
|
|
|
|
|
a channel program can complete.
|
2018-02-08 16:16:23 +00:00
|
|
|
|
.It Fl t Ar timeout
|
|
|
|
|
Execution time limit, in milliseconds.
|
|
|
|
|
If a channel program executes for longer than the provided timeout, it will
|
|
|
|
|
be stopped and an error will be returned.
|
|
|
|
|
The default timeout is 1000 ms, and can be set to a maximum of 10000 ms.
|
|
|
|
|
.It Fl m Ar memory-limit
|
|
|
|
|
Memory limit, in bytes.
|
|
|
|
|
If a channel program attempts to allocate more memory than the given limit,
|
|
|
|
|
it will be stopped and an error returned.
|
|
|
|
|
The default memory limit is 10 MB, and can be set to a maximum of 100 MB.
|
|
|
|
|
.sp
|
|
|
|
|
All remaining argument strings are passed directly to the channel program as
|
|
|
|
|
arguments.
|
|
|
|
|
See
|
|
|
|
|
.Xr zfs-program 8
|
|
|
|
|
for more information.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
|
.Cm load-key
|
|
|
|
|
.Op Fl nr
|
|
|
|
|
.Op Fl L Ar keylocation
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Load the key for
|
|
|
|
|
.Ar filesystem ,
|
|
|
|
|
allowing it and all children that inherit the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
property to be accessed. The key will be expected in the format specified by the
|
|
|
|
|
.Sy keyformat
|
|
|
|
|
and location specified by the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
property. Note that if the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
is set to
|
|
|
|
|
.Sy prompt
|
|
|
|
|
the terminal will interactively wait for the key to be entered. Loading a key
|
|
|
|
|
will not automatically mount the dataset. If that functionality is desired,
|
|
|
|
|
.Nm zfs Cm mount Sy -l
|
|
|
|
|
will ask for the key and mount the dataset. Once the key is loaded the
|
|
|
|
|
.Sy keystatus
|
|
|
|
|
property will become
|
|
|
|
|
.Sy available .
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
|
|
|
|
Recursively loads the keys for the specified filesystem and all descendent
|
|
|
|
|
encryption roots.
|
|
|
|
|
.It Fl a
|
|
|
|
|
Loads the keys for all encryption roots in all imported pools.
|
|
|
|
|
.It Fl n
|
|
|
|
|
Do a dry-run
|
|
|
|
|
.Pq Qq No-op
|
|
|
|
|
load-key. This will cause zfs to simply check that the
|
|
|
|
|
provided key is correct. This command may be run even if the key is already
|
|
|
|
|
loaded.
|
|
|
|
|
.It Fl L Ar keylocation
|
|
|
|
|
Use
|
|
|
|
|
.Ar keylocation
|
|
|
|
|
instead of the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
property. This will not change the value of the property on the dataset. Note
|
|
|
|
|
that if used with either
|
|
|
|
|
.Fl r
|
|
|
|
|
or
|
|
|
|
|
.Fl a ,
|
|
|
|
|
.Ar keylocation
|
|
|
|
|
may only be given as
|
|
|
|
|
.Sy prompt .
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm unload-key
|
|
|
|
|
.Op Fl r
|
|
|
|
|
.Fl a | Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Unloads a key from ZFS, removing the ability to access the dataset and all of
|
|
|
|
|
its children that inherit the
|
|
|
|
|
.Sy keylocation
|
|
|
|
|
property. This requires that the dataset is not currently open or mounted. Once
|
|
|
|
|
the key is unloaded the
|
|
|
|
|
.Sy keystatus
|
|
|
|
|
property will become
|
|
|
|
|
.Sy unavailable .
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl r
|
|
|
|
|
Recursively unloads the keys for the specified filesystem and all descendent
|
|
|
|
|
encryption roots.
|
|
|
|
|
.It Fl a
|
|
|
|
|
Unloads the keys for all encryption roots in all imported pools.
|
|
|
|
|
.El
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm change-key
|
|
|
|
|
.Op Fl l
|
|
|
|
|
.Op Fl o Ar keylocation Ns = Ns Ar value
|
|
|
|
|
.Op Fl o Ar keyformat Ns = Ns Ar value
|
|
|
|
|
.Op Fl o Ar pbkdf2iters Ns = Ns Ar value
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
.It Xo
|
|
|
|
|
.Nm
|
|
|
|
|
.Cm change-key
|
|
|
|
|
.Fl i
|
|
|
|
|
.Op Fl l
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
.Xc
|
|
|
|
|
Allows a user to change the encryption key used to access a dataset. This
|
|
|
|
|
command requires that the existing key for the dataset is already loaded into
|
|
|
|
|
ZFS. This command may also be used to change the
|
|
|
|
|
.Sy keylocation ,
|
|
|
|
|
.Sy keyformat ,
|
|
|
|
|
and
|
|
|
|
|
.Sy pbkdf2iters
|
|
|
|
|
properties as needed. If the dataset was not previously an encryption root it
|
|
|
|
|
will become one. Alternatively, the
|
|
|
|
|
.Fl i
|
|
|
|
|
flag may be provided to cause an encryption root to inherit the parent's key
|
|
|
|
|
instead.
|
|
|
|
|
.Bl -tag -width "-r"
|
|
|
|
|
.It Fl l
|
|
|
|
|
Ensures the key is loaded before attempting to change the key. This is
|
|
|
|
|
effectively equivalent to
|
|
|
|
|
.Qq Nm zfs Cm load-key Ar filesystem ; Nm zfs Cm change-key Ar filesystem
|
|
|
|
|
.It Fl o Ar property Ns = Ns Ar value
|
|
|
|
|
Allows the user to set encryption key properties (
|
|
|
|
|
.Sy keyformat ,
|
|
|
|
|
.Sy keylocation ,
|
|
|
|
|
and
|
|
|
|
|
.Sy pbkdf2iters
|
|
|
|
|
) while changing the key. This is the only way to alter
|
|
|
|
|
.Sy keyformat
|
|
|
|
|
and
|
|
|
|
|
.Sy pbkdf2iters
|
|
|
|
|
after the dataset has been created.
|
|
|
|
|
.It Fl i
|
|
|
|
|
Indicates that zfs should make
|
|
|
|
|
.Ar filesystem
|
|
|
|
|
inherit the key of its parent. Note that this command can only be run on an
|
|
|
|
|
encryption root that has an encrypted parent.
|
|
|
|
|
.El
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.El
|
|
|
|
|
.Sh EXIT STATUS
|
|
|
|
|
The
|
|
|
|
|
.Nm
|
|
|
|
|
utility exits 0 on success, 1 if an error occurs, and 2 if invalid command line
|
|
|
|
|
options were specified.
|
|
|
|
|
.Sh EXAMPLES
|
|
|
|
|
.Bl -tag -width ""
|
|
|
|
|
.It Sy Example 1 No Creating a ZFS File System Hierarchy
|
|
|
|
|
The following commands create a file system named
|
|
|
|
|
.Em pool/home
|
|
|
|
|
and a file system named
|
|
|
|
|
.Em pool/home/bob .
|
|
|
|
|
The mount point
|
|
|
|
|
.Pa /export/home
|
|
|
|
|
is set for the parent file system, and is automatically inherited by the child
|
|
|
|
|
file system.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs create pool/home
|
|
|
|
|
# zfs set mountpoint=/export/home pool/home
|
|
|
|
|
# zfs create pool/home/bob
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 2 No Creating a ZFS Snapshot
|
|
|
|
|
The following command creates a snapshot named
|
|
|
|
|
.Sy yesterday .
|
|
|
|
|
This snapshot is mounted on demand in the
|
|
|
|
|
.Pa .zfs/snapshot
|
|
|
|
|
directory at the root of the
|
|
|
|
|
.Em pool/home/bob
|
|
|
|
|
file system.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs snapshot pool/home/bob@yesterday
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 3 No Creating and Destroying Multiple Snapshots
|
|
|
|
|
The following command creates snapshots named
|
|
|
|
|
.Sy yesterday
|
|
|
|
|
of
|
|
|
|
|
.Em pool/home
|
|
|
|
|
and all of its descendent file systems.
|
|
|
|
|
Each snapshot is mounted on demand in the
|
|
|
|
|
.Pa .zfs/snapshot
|
|
|
|
|
directory at the root of its file system.
|
|
|
|
|
The second command destroys the newly created snapshots.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs snapshot -r pool/home@yesterday
|
|
|
|
|
# zfs destroy -r pool/home@yesterday
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 4 No Disabling and Enabling File System Compression
|
|
|
|
|
The following command disables the
|
|
|
|
|
.Sy compression
|
|
|
|
|
property for all file systems under
|
|
|
|
|
.Em pool/home .
|
|
|
|
|
The next command explicitly enables
|
|
|
|
|
.Sy compression
|
|
|
|
|
for
|
|
|
|
|
.Em pool/home/anne .
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs set compression=off pool/home
|
|
|
|
|
# zfs set compression=on pool/home/anne
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 5 No Listing ZFS Datasets
|
|
|
|
|
The following command lists all active file systems and volumes in the system.
|
|
|
|
|
Snapshots are displayed if the
|
|
|
|
|
.Sy listsnaps
|
|
|
|
|
property is
|
|
|
|
|
.Sy on .
|
|
|
|
|
The default is
|
|
|
|
|
.Sy off .
|
|
|
|
|
See
|
|
|
|
|
.Xr zpool 8
|
|
|
|
|
for more information on pool properties.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs list
|
|
|
|
|
NAME USED AVAIL REFER MOUNTPOINT
|
|
|
|
|
pool 450K 457G 18K /pool
|
|
|
|
|
pool/home 315K 457G 21K /export/home
|
|
|
|
|
pool/home/anne 18K 457G 18K /export/home/anne
|
|
|
|
|
pool/home/bob 276K 457G 276K /export/home/bob
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 6 No Setting a Quota on a ZFS File System
|
|
|
|
|
The following command sets a quota of 50 Gbytes for
|
|
|
|
|
.Em pool/home/bob .
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs set quota=50G pool/home/bob
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 7 No Listing ZFS Properties
|
|
|
|
|
The following command lists all properties for
|
|
|
|
|
.Em pool/home/bob .
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs get all pool/home/bob
|
2009-12-12 00:15:33 +00:00
|
|
|
|
NAME PROPERTY VALUE SOURCE
|
|
|
|
|
pool/home/bob type filesystem -
|
|
|
|
|
pool/home/bob creation Tue Jul 21 15:53 2009 -
|
|
|
|
|
pool/home/bob used 21K -
|
|
|
|
|
pool/home/bob available 20.0G -
|
|
|
|
|
pool/home/bob referenced 21K -
|
|
|
|
|
pool/home/bob compressratio 1.00x -
|
|
|
|
|
pool/home/bob mounted yes -
|
|
|
|
|
pool/home/bob quota 20G local
|
|
|
|
|
pool/home/bob reservation none default
|
|
|
|
|
pool/home/bob recordsize 128K default
|
|
|
|
|
pool/home/bob mountpoint /pool/home/bob default
|
|
|
|
|
pool/home/bob sharenfs off default
|
|
|
|
|
pool/home/bob checksum on default
|
|
|
|
|
pool/home/bob compression on local
|
|
|
|
|
pool/home/bob atime on default
|
|
|
|
|
pool/home/bob devices on default
|
|
|
|
|
pool/home/bob exec on default
|
|
|
|
|
pool/home/bob setuid on default
|
|
|
|
|
pool/home/bob readonly off default
|
|
|
|
|
pool/home/bob zoned off default
|
|
|
|
|
pool/home/bob snapdir hidden default
|
2013-10-28 16:22:15 +00:00
|
|
|
|
pool/home/bob acltype off default
|
2009-12-12 00:15:33 +00:00
|
|
|
|
pool/home/bob aclinherit restricted default
|
|
|
|
|
pool/home/bob canmount on default
|
|
|
|
|
pool/home/bob xattr on default
|
|
|
|
|
pool/home/bob copies 1 default
|
|
|
|
|
pool/home/bob version 4 -
|
|
|
|
|
pool/home/bob utf8only off -
|
|
|
|
|
pool/home/bob normalization none -
|
|
|
|
|
pool/home/bob casesensitivity sensitive -
|
|
|
|
|
pool/home/bob vscan off default
|
|
|
|
|
pool/home/bob nbmand off default
|
|
|
|
|
pool/home/bob sharesmb off default
|
|
|
|
|
pool/home/bob refquota none default
|
|
|
|
|
pool/home/bob refreservation none default
|
|
|
|
|
pool/home/bob primarycache all default
|
|
|
|
|
pool/home/bob secondarycache all default
|
|
|
|
|
pool/home/bob usedbysnapshots 0 -
|
|
|
|
|
pool/home/bob usedbydataset 21K -
|
|
|
|
|
pool/home/bob usedbychildren 0 -
|
|
|
|
|
pool/home/bob usedbyrefreservation 0 -
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
2009-12-12 00:15:33 +00:00
|
|
|
|
The following command gets a single property value.
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs get -H -o value compression pool/home/bob
|
2009-12-12 00:15:33 +00:00
|
|
|
|
on
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
The following command lists all properties with local settings for
|
|
|
|
|
.Em pool/home/bob .
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs get -r -s local -o name,property,value all pool/home/bob
|
2009-12-12 00:15:33 +00:00
|
|
|
|
NAME PROPERTY VALUE
|
|
|
|
|
pool/home/bob quota 20G
|
|
|
|
|
pool/home/bob compression on
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 8 No Rolling Back a ZFS File System
|
|
|
|
|
The following command reverts the contents of
|
|
|
|
|
.Em pool/home/anne
|
|
|
|
|
to the snapshot named
|
|
|
|
|
.Sy yesterday ,
|
|
|
|
|
deleting all intermediate snapshots.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs rollback -r pool/home/anne@yesterday
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 9 No Creating a ZFS Clone
|
|
|
|
|
The following command creates a writable file system whose initial contents are
|
|
|
|
|
the same as
|
|
|
|
|
.Em pool/home/bob@yesterday .
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs clone pool/home/bob@yesterday pool/clone
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 10 No Promoting a ZFS Clone
|
|
|
|
|
The following commands illustrate how to test out changes to a file system, and
|
|
|
|
|
then replace the original file system with the changed one, using clones, clone
|
|
|
|
|
promotion, and renaming:
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs create pool/project/production
|
2009-12-12 00:15:33 +00:00
|
|
|
|
populate /pool/project/production with data
|
2017-06-29 16:55:30 +00:00
|
|
|
|
# zfs snapshot pool/project/production@today
|
|
|
|
|
# zfs clone pool/project/production@today pool/project/beta
|
|
|
|
|
make changes to /pool/project/beta and test them
|
|
|
|
|
# zfs promote pool/project/beta
|
|
|
|
|
# zfs rename pool/project/production pool/project/legacy
|
|
|
|
|
# zfs rename pool/project/beta pool/project/production
|
|
|
|
|
once the legacy version is no longer needed, it can be destroyed
|
|
|
|
|
# zfs destroy pool/project/legacy
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 11 No Inheriting ZFS Properties
|
|
|
|
|
The following command causes
|
|
|
|
|
.Em pool/home/bob
|
|
|
|
|
and
|
|
|
|
|
.Em pool/home/anne
|
|
|
|
|
to inherit the
|
|
|
|
|
.Sy checksum
|
|
|
|
|
property from their parent.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs inherit checksum pool/home/bob pool/home/anne
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 12 No Remotely Replicating ZFS Data
|
|
|
|
|
The following commands send a full stream and then an incremental stream to a
|
|
|
|
|
remote machine, restoring them into
|
|
|
|
|
.Em poolB/received/fs@a
|
|
|
|
|
and
|
|
|
|
|
.Em poolB/received/fs@b ,
|
|
|
|
|
respectively.
|
|
|
|
|
.Em poolB
|
|
|
|
|
must contain the file system
|
|
|
|
|
.Em poolB/received ,
|
|
|
|
|
and must not initially contain
|
|
|
|
|
.Em poolB/received/fs .
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs send pool/fs@a | \e
|
|
|
|
|
ssh host zfs receive poolB/received/fs@a
|
|
|
|
|
# zfs send -i a pool/fs@b | \e
|
|
|
|
|
ssh host zfs receive poolB/received/fs
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 13 No Using the zfs receive -d Option
|
|
|
|
|
The following command sends a full stream of
|
|
|
|
|
.Em poolA/fsA/fsB@snap
|
|
|
|
|
to a remote machine, receiving it into
|
|
|
|
|
.Em poolB/received/fsA/fsB@snap .
|
|
|
|
|
The
|
|
|
|
|
.Em fsA/fsB@snap
|
|
|
|
|
portion of the received snapshot's name is determined from the name of the sent
|
|
|
|
|
snapshot.
|
|
|
|
|
.Em poolB
|
|
|
|
|
must contain the file system
|
|
|
|
|
.Em poolB/received .
|
|
|
|
|
If
|
|
|
|
|
.Em poolB/received/fsA
|
|
|
|
|
does not exist, it is created as an empty file system.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs send poolA/fsA/fsB@snap | \e
|
|
|
|
|
ssh host zfs receive -d poolB/received
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 14 No Setting User Properties
|
|
|
|
|
The following example sets the user-defined
|
|
|
|
|
.Sy com.example:department
|
|
|
|
|
property for a dataset.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs set com.example:department=12345 tank/accounting
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 15 No Performing a Rolling Snapshot
|
|
|
|
|
The following example shows how to maintain a history of snapshots with a
|
|
|
|
|
consistent naming scheme.
|
|
|
|
|
To keep a week's worth of snapshots, the user destroys the oldest snapshot,
|
|
|
|
|
renames the remaining snapshots, and then creates a new snapshot, as follows:
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs destroy -r pool/users@7daysago
|
|
|
|
|
# zfs rename -r pool/users@6daysago @7daysago
|
|
|
|
|
# zfs rename -r pool/users@5daysago @6daysago
|
|
|
|
|
# zfs rename -r pool/users@yesterday @5daysago
|
|
|
|
|
# zfs rename -r pool/users@yesterday @4daysago
|
|
|
|
|
# zfs rename -r pool/users@yesterday @3daysago
|
|
|
|
|
# zfs rename -r pool/users@yesterday @2daysago
|
|
|
|
|
# zfs rename -r pool/users@today @yesterday
|
|
|
|
|
# zfs snapshot -r pool/users@today
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 16 No Setting sharenfs Property Options on a ZFS File System
|
|
|
|
|
The following commands show how to set
|
|
|
|
|
.Sy sharenfs
|
|
|
|
|
property options to enable
|
|
|
|
|
.Sy rw
|
|
|
|
|
access for a set of
|
|
|
|
|
.Sy IP
|
|
|
|
|
addresses and to enable root access for system
|
|
|
|
|
.Sy neo
|
|
|
|
|
on the
|
|
|
|
|
.Em tank/home
|
|
|
|
|
file system.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs set sharenfs='rw=@123.123.0.0/16,root=neo' tank/home
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
If you are using
|
|
|
|
|
.Sy DNS
|
|
|
|
|
for host name resolution, specify the fully qualified hostname.
|
|
|
|
|
.It Sy Example 17 No Delegating ZFS Administration Permissions on a ZFS Dataset
|
|
|
|
|
The following example shows how to set permissions so that user
|
|
|
|
|
.Sy cindys
|
|
|
|
|
can create, destroy, mount, and take snapshots on
|
|
|
|
|
.Em tank/cindys .
|
|
|
|
|
The permissions on
|
|
|
|
|
.Em tank/cindys
|
|
|
|
|
are also displayed.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs allow cindys create,destroy,mount,snapshot tank/cindys
|
|
|
|
|
# zfs allow tank/cindys
|
|
|
|
|
---- Permissions on tank/cindys --------------------------------------
|
|
|
|
|
Local+Descendent permissions:
|
|
|
|
|
user cindys create,destroy,mount,snapshot
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
Because the
|
|
|
|
|
.Em tank/cindys
|
|
|
|
|
mount point permission is set to 755 by default, user
|
|
|
|
|
.Sy cindys
|
|
|
|
|
will be unable to mount file systems under
|
|
|
|
|
.Em tank/cindys .
|
|
|
|
|
Add an ACE similar to the following syntax to provide mount point access:
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# chmod A+user:cindys:add_subdirectory:allow /tank/cindys
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 18 No Delegating Create Time Permissions on a ZFS Dataset
|
|
|
|
|
The following example shows how to grant anyone in the group
|
|
|
|
|
.Sy staff
|
|
|
|
|
to create file systems in
|
|
|
|
|
.Em tank/users .
|
|
|
|
|
This syntax also allows staff members to destroy their own file systems, but not
|
|
|
|
|
destroy anyone else's file system.
|
|
|
|
|
The permissions on
|
|
|
|
|
.Em tank/users
|
|
|
|
|
are also displayed.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs allow staff create,mount tank/users
|
|
|
|
|
# zfs allow -c destroy tank/users
|
|
|
|
|
# zfs allow tank/users
|
|
|
|
|
---- Permissions on tank/users ---------------------------------------
|
|
|
|
|
Permission sets:
|
|
|
|
|
destroy
|
|
|
|
|
Local+Descendent permissions:
|
|
|
|
|
group staff create,mount
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 19 No Defining and Granting a Permission Set on a ZFS Dataset
|
|
|
|
|
The following example shows how to define and grant a permission set on the
|
|
|
|
|
.Em tank/users
|
|
|
|
|
file system.
|
|
|
|
|
The permissions on
|
|
|
|
|
.Em tank/users
|
|
|
|
|
are also displayed.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs allow -s @pset create,destroy,snapshot,mount tank/users
|
|
|
|
|
# zfs allow staff @pset tank/users
|
|
|
|
|
# zfs allow tank/users
|
|
|
|
|
---- Permissions on tank/users ---------------------------------------
|
|
|
|
|
Permission sets:
|
2009-12-12 00:15:33 +00:00
|
|
|
|
@pset create,destroy,mount,snapshot
|
2017-06-29 16:55:30 +00:00
|
|
|
|
Local+Descendent permissions:
|
|
|
|
|
group staff @pset
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 20 No Delegating Property Permissions on a ZFS Dataset
|
|
|
|
|
The following example shows to grant the ability to set quotas and reservations
|
|
|
|
|
on the
|
|
|
|
|
.Em users/home
|
|
|
|
|
file system.
|
|
|
|
|
The permissions on
|
|
|
|
|
.Em users/home
|
|
|
|
|
are also displayed.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs allow cindys quota,reservation users/home
|
|
|
|
|
# zfs allow users/home
|
|
|
|
|
---- Permissions on users/home ---------------------------------------
|
|
|
|
|
Local+Descendent permissions:
|
2009-12-12 00:15:33 +00:00
|
|
|
|
user cindys quota,reservation
|
2017-06-29 16:55:30 +00:00
|
|
|
|
cindys% zfs set quota=10G users/home/marks
|
|
|
|
|
cindys% zfs get quota users/home/marks
|
|
|
|
|
NAME PROPERTY VALUE SOURCE
|
|
|
|
|
users/home/marks quota 10G local
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 21 No Removing ZFS Delegated Permissions on a ZFS Dataset
|
|
|
|
|
The following example shows how to remove the snapshot permission from the
|
|
|
|
|
.Sy staff
|
|
|
|
|
group on the
|
|
|
|
|
.Em tank/users
|
|
|
|
|
file system.
|
|
|
|
|
The permissions on
|
|
|
|
|
.Em tank/users
|
|
|
|
|
are also displayed.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# zfs unallow staff snapshot tank/users
|
|
|
|
|
# zfs allow tank/users
|
|
|
|
|
---- Permissions on tank/users ---------------------------------------
|
|
|
|
|
Permission sets:
|
2009-12-12 00:15:33 +00:00
|
|
|
|
@pset create,destroy,mount,snapshot
|
2017-06-29 16:55:30 +00:00
|
|
|
|
Local+Descendent permissions:
|
|
|
|
|
group staff @pset
|
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 22 No Showing the differences between a snapshot and a ZFS Dataset
|
2012-08-16 17:08:53 +00:00
|
|
|
|
The following example shows how to see what has changed between a prior
|
2017-06-29 16:55:30 +00:00
|
|
|
|
snapshot of a ZFS dataset and its current state.
|
|
|
|
|
The
|
|
|
|
|
.Fl F
|
|
|
|
|
option is used to indicate type information for the files affected.
|
|
|
|
|
.Bd -literal
|
2012-08-16 17:08:53 +00:00
|
|
|
|
# zfs diff -F tank/test@before tank/test
|
|
|
|
|
M / /tank/test/
|
|
|
|
|
M F /tank/test/linked (+1)
|
|
|
|
|
R F /tank/test/oldname -> /tank/test/newname
|
|
|
|
|
- F /tank/test/deleted
|
|
|
|
|
+ F /tank/test/created
|
|
|
|
|
M F /tank/test/modified
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 23 No Creating a bookmark
|
|
|
|
|
The following example create a bookmark to a snapshot. This bookmark
|
|
|
|
|
can then be used instead of snapshot in send streams.
|
|
|
|
|
.Bd -literal
|
2014-10-01 14:24:54 +00:00
|
|
|
|
# zfs bookmark rpool@snapshot rpool#bookmark
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Ed
|
|
|
|
|
.It Sy Example 24 No Setting sharesmb Property Options on a ZFS File System
|
|
|
|
|
The following example show how to share SMB filesystem through ZFS. Note that
|
|
|
|
|
that a user and his/her password must be given.
|
|
|
|
|
.Bd -literal
|
|
|
|
|
# smbmount //127.0.0.1/share_tmp /mnt/tmp \\
|
|
|
|
|
-o user=workgroup/turbo,password=obrut,uid=1000
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
Minimal
|
|
|
|
|
.Em /etc/samba/smb.conf
|
|
|
|
|
configuration required:
|
|
|
|
|
.Pp
|
|
|
|
|
Samba will need to listen to 'localhost' (127.0.0.1) for the ZFS utilities to
|
|
|
|
|
communicate with Samba. This is the default behavior for most Linux
|
|
|
|
|
distributions.
|
|
|
|
|
.Pp
|
|
|
|
|
Samba must be able to authenticate a user. This can be done in a number of
|
|
|
|
|
ways, depending on if using the system password file, LDAP or the Samba
|
|
|
|
|
specific smbpasswd file. How to do this is outside the scope of this manual.
|
|
|
|
|
Please refer to the
|
|
|
|
|
.Xr smb.conf 5
|
|
|
|
|
man page for more information.
|
|
|
|
|
.Pp
|
|
|
|
|
See the
|
|
|
|
|
.Sy USERSHARE section
|
|
|
|
|
of the
|
|
|
|
|
.Xr smb.conf 5
|
|
|
|
|
man page for all configuration options in case you need to modify any options
|
|
|
|
|
to the share afterwards. Do note that any changes done with the
|
|
|
|
|
.Xr net 8
|
|
|
|
|
command will be undone if the share is ever unshared (such as at a reboot etc).
|
|
|
|
|
.El
|
|
|
|
|
.Sh INTERFACE STABILITY
|
|
|
|
|
.Sy Committed .
|
|
|
|
|
.Sh SEE ALSO
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Xr attr 1 ,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Xr gzip 1 ,
|
|
|
|
|
.Xr ssh 1 ,
|
|
|
|
|
.Xr chmod 2 ,
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Xr fsync 2 ,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Xr stat 2 ,
|
|
|
|
|
.Xr write 2 ,
|
|
|
|
|
.Xr acl 5 ,
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Xr attributes 5 ,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Xr exports 5 ,
|
|
|
|
|
.Xr exportfs 8 ,
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Xr mount 8 ,
|
2017-06-29 16:55:30 +00:00
|
|
|
|
.Xr net 8 ,
|
2017-09-16 17:51:24 +00:00
|
|
|
|
.Xr selinux 8 ,
|
|
|
|
|
.Xr zpool 8
|