ZFS and sudo permissions related improvements #218
Hello,
I made some improvements related to ZFS and sudo permissions. I had a problem on Linux (Proxmox 7) with using a non-root user when creating a dataset for sharing via NFS. Specifically, on Linux/OpenZFS there is a limitation that allows mounting/sharing only to root, as described in the docs. As I don't want to enable global sudo for the user intended for managing storage from k8s, I followed pretty simple workarounds which don't expose too many permissions to it.

In the code/config I introduced a new array `sudoEnabledCommands` which is mapped to the ZFS commands:

If one wants to automatically mount/unmount or share/unshare a dataset upon creation/deletion, then it must have root permissions as already implemented (`sudoEnabled: true`). To achieve the same for others (users without global sudo), there is now a solution to enable passwordless sudo specifically on (`sudoEnabledCommands`):

These commands form the basis for the changes in code. To overcome errors in case of dataset creation/deletion, which happen because the user doesn't have enough permissions, there are additional parameters enabled when generating the complete zfs command. When this is not possible, the code checks the output after command execution and depends on its message. All listed zfs commands must be executed as root, so the easiest thing is to allow passwordless sudo for the user in the system (`/etc/sudoers.d/k8sstorage`):

The reason to let the user specify commands for `sudoEnabledCommands` in config is because in case of `storageClasses.reclaimPolicy: Retain` the `unmount` and `unshare` commands can remain unlisted to keep those actions manual to admin.

In the code I also extracted parts with setting share properties to separate functions `setShareProperty` and `unsetShareProperty` to follow the DRY rule, as I think it will make possible future changes easier. Another thing to mention is the changes in function `setFilesystemMode` - when setting `driver.config.zfs.datasetPermissionsMode` and using a non-root user, there would be a need for passwordless sudo `chmod`, but it is not needed as the dataset was already mounted to the directory by it and so it is also owned (UID & GID) by it.

I believe the improvements in the commit also work for SMB, but didn't test it.
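
One way to check a sudoers drop-in like the one described above against `sudoEnabledCommands`, as an added example that is not part of the pull request. The zfs path, the account name `csi`, the four subcommand names and the sample sudoers text are assumptions constructed for illustration.

```javascript
// Added example, not code from the pull request. Assumptions: zfs is installed
// at /usr/sbin/zfs, the storage account is "csi", and sudoEnabledCommands holds
// zfs subcommand names (the four actions the description mentions).
const ZFS_BIN = "/usr/sbin/zfs";
const KNOWN = ["mount", "unmount", "share", "unshare"];

// Returns a list of findings; an empty list means the drop-in grants the user
// passwordless sudo for exactly the listed zfs subcommands and nothing else.
function auditSudoers(text, user, sudoEnabledCommands) {
  const allowed = new Set(sudoEnabledCommands.filter((c) => KNOWN.includes(c)));
  const granted = new Set();
  const findings = [];
  // Join backslash-continued lines, then look at each user specification.
  for (const raw of text.replace(/\\\n/g, " ").split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    // Shape: user host = (runas) [TAG:] cmd, cmd, ...
    const m = line.match(/^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$/);
    if (!m || m[1] !== user) continue;
    for (const part of m[2].split(",")) {
      const spec = part.trim().replace(/^(?:[A-Z_]+:\s*)+/, ""); // drop NOPASSWD: etc.
      const [bin, sub] = spec.split(/\s+/);
      if (spec === "ALL") findings.push("global sudo granted: ALL");
      else if (bin !== ZFS_BIN) findings.push(`non-zfs command: ${spec}`);
      else if (!sub || sub === "*") findings.push(`any zfs subcommand allowed: ${spec}`);
      else if (!allowed.has(sub)) findings.push(`not in sudoEnabledCommands: ${sub}`);
      else granted.add(sub);
    }
  }
  for (const c of allowed) {
    if (!granted.has(c)) findings.push(`listed but not granted: ${c}`);
  }
  return findings;
}

// Constructed sample drop-ins (not taken from the pull request).
const NARROW = "csi ALL=(root) NOPASSWD: /usr/sbin/zfs mount *, /usr/sbin/zfs share *\n";
const BROAD = "csi ALL=(ALL) NOPASSWD: ALL\ncsi ALL=(root) NOPASSWD: /usr/sbin/zfs *, /usr/bin/chmod *\n";

console.log(auditSudoers(NARROW, "csi", ["mount", "share"])); // reclaimPolicy: Retain case
console.log(auditSudoers(BROAD, "csi", ["mount", "share"]));
```

In sudoers a `*` in the argument position matches any arguments, so each of these grants covers every dataset and option of that subcommand.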