ZFS and sudo permissions related improvements

[jodlajodla]

Hello,

I made some improvements related to ZFS and sudo permissions. I had a problem on Linux (Proxmox 7) with using a non-root user when creating dataset for sharing via NFS. Specifically on Linux/OpenZFS there is a limitation to allow mounting/sharing only to root as described in the docs. As I don't want to enable global sudo to the user intended for managing storage from k8s, I followed pretty simple workarounds which don't expose too much permissions to it.

In the code/config I introduced new array sudoEnabledCommands which is mapped to the ZFS commands:

• mount
• unmount
• share
• unshare

If one wants to automatically mount/unmount or share/unshare dataset upon creation/deletion, then it must have root permissions as already implemented (sudoEnabled: true). To achieve the same for others (users without global sudo), there is now a solution to enable passwordless sudo specifically on (sudoEnabledCommands):

• zfs mount [name of dataset]/*
• zfs unmount [name of dataset]/*
• zfs share [name of dataset]/*
• zfs unshare [name of dataset]/*

These commands form the basis for changes in code. To overcome errors in case of dataset creation/deletion which happens because user doesn't have enough permissions, there are additional parameters enabled when generating complete zfs command. When this is not possible, code is checking the output after command execution and depends on its message. All listed zfs commands must be executed as root, so the easiest thing is to allow passwordless sudo for the user in the system (/etc/sudoers.d/k8sstorage):

k8sstorage ALL = NOPASSWD: /usr/sbin/zfs mount dataset/*
k8sstorage ALL = NOPASSWD: /usr/sbin/zfs unmount dataset/*
k8sstorage ALL = NOPASSWD: /usr/sbin/zfs share dataset/*
k8sstorage ALL = NOPASSWD: /usr/sbin/zfs unshare dataset/*

The reason to let user specify commands for sudoEnabledCommands in config is because in case of storageClasses.reclaimPolicy: Retain the unmount and unshare commands can remain unlisted to keep those actions manual to admin.

In the code I also extracted parts with setting share properties to separate functions setShareProperty and unsetShareProperty to follow DRY rule, as I think it will make possible future changes easier. Another thing to mention are changes in function setFilesystemMode - when setting driver.config.zfs.datasetPermissionsMode and using non-root user, there would be a need for passwordless sudo chmod, but it is not needed as dataset was already mounted to directory by it and so it is also owned (UID & GID) by it.

I believe the improvements in commit also work for SMB, but didn't test it.

[jodlajodla]

@travisghansen This PR is now opened for quite some time - is there anything I can do in order to speed up the merge process? I would like to use official Docker image of this project instead of building my own after other changes are merged to main branch.

[travisghansen]

My apologies for the long wait, it slipped my mind so thanks for the reminder! I haven’t had a chance to review the design or code yet but will try to get to it soon (next week or 2).

[jodlajodla]

@travisghansen Just a friendly reminder if you could please take a look at this PR in the near future. Thank you!

[jostmart]

@travisghansen this would be helpful