diff --git a/Ubuntu-18.04-Root-on-ZFS.md b/Ubuntu-18.04-Root-on-ZFS.md index e5819dc..f803999 100644 --- a/Ubuntu-18.04-Root-on-ZFS.md +++ b/Ubuntu-18.04-Root-on-ZFS.md @@ -138,7 +138,7 @@ With ZFS, it is not normally necessary to use a mount command (either `mount` or # zfs create -o mountpoint=/root rpool/home/root # zfs create -o canmount=off -o setuid=off -o exec=off rpool/var # zfs create -o com.sun:auto-snapshot=false rpool/var/cache - # zfs create rpool/var/log + # zfs create -o acltype=posixacl -o xattr=sa rpool/var/log # zfs create rpool/var/spool # zfs create -o com.sun:auto-snapshot=false -o exec=on rpool/var/tmp 
@@ -155,7 +155,7 @@ With ZFS, it is not normally necessary to use a mount command (either `mount` or # zfs create -o com.sun:auto-snapshot=false \ -o mountpoint=/var/lib/nfs rpool/var/nfs -The primary goal of this dataset layout is to separate the OS from user data. This allows the root filesystem to be rolled back without rolling back user data such as logs (in `/var/log`). This will be especially important if/when a `beadm` or similar utility is integrated. Since we are creating multiple datasets anyway, it is trivial to add some restrictions (for extra security) at the same time. The `com.sun.auto-snapshot` setting is used by some ZFS snapshot utilities to exclude transient data. +The primary goal of this dataset layout is to separate the OS from user data. This allows the root filesystem to be rolled back without rolling back user data such as logs (in `/var/log`). This will be especially important if/when a `beadm` or similar utility is integrated. Since we are creating multiple datasets anyway, it is trivial to add some restrictions (for extra security) at the same time. The `com.sun.auto-snapshot` setting is used by some ZFS snapshot utilities to exclude transient data. [We enable POSIX ACLs on /var/log for journald.](https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported) 3.4 For LUKS installs only:
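Review bot: In the first hunk, the changed `zfs create -o acltype=posixacl -o xattr=sa rpool/var/log` line only helps readers who have not yet created the dataset. Anyone who followed the previous `zfs create rpool/var/log` step gets no guidance. Consider adding a short note for existing installs, giving the equivalent `zfs set acltype=posixacl rpool/var/log` and `zfs set xattr=sa rpool/var/log`, so that the journald ACL fix also reaches systems built from the earlier revision.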
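Review bot: In the second hunk, the sentence added at the end of the paragraph explains only the POSIX ACL half of the change. The first hunk also sets `xattr=sa`, and nothing in the text says why. Please add a clause giving the reason for `xattr=sa`, or drop the option if it is not needed for journald. Two smaller points on the same line: `/var/log` in the new sentence should be in backticks to match the earlier mention in this paragraph, and since the line is being touched anyway, the prose spelling `com.sun.auto-snapshot` could be corrected to `com.sun:auto-snapshot`, which is what the commands above use.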