Solaris11: Permission issues with auto-scrub ZFS pool | Unix Linux Forums | Solaris

    #1  
Old 01-08-2013
taltamir

Short version:

Code:
pfexec zpool scrub rpool

fails saying I do not have permission to perform that action. Apparently scrub is not one of the pfexec allowed actions. Any idea on how to get around it?

Long version:
I got tired of manually running scrubs and am trying to set it to happen automatically.
Seems simple enough to set up a cron job for it (once Google informed me of the existence of cron :P).

Wanting to test it out and isolate issues and such, and based on my experience I figured the best way to do so is to use a script.
Simply create a new file /usr/scripts/scrub.sh which contains:

Code:
pfexec zpool scrub rpool
pfexec zpool scrub tank

But that doesn't work, no permissions. I verified it by trying just typing
Code:
pfexec zpool scrub rpool

by itself.

I could modify the script to remove pfexec instances and then I just need to schedule the script to run as an administrator. Which I don't know how to do.

Any ideas / suggestions?
    #2  
Old 01-09-2013
GP81
As what user are you trying to execute this command?
If it is a regular user, then you must assign an appropriate profile to that user account.
    #3  
Old 01-09-2013
jim mcnamara (Forum Staff)

Code:
pfexec su - root -c 'zpool scrub rpool'
pfexec su - root -c 'zpool scrub tank'

Change the word root to any suitable admin username. NOTE: cron does not exec /etc/profile nor does it run .profile for the user in question. In other words, your environment settings (PATH, etc.) in cron are probably wrong. For any user. You have to add the environment from inside the script. This one change alone can fix a lot of problems in cron scripts. su - [username] does log the user in correctly.
    #4  
Old 01-09-2013
taltamir
Quote:
Originally Posted by GP81
As what user are you trying to execute this command?
If it is a regular user, then you must assign an appropriate profile to that user account.

How do I do that? (Or rather, what terms should I Google for to find the correct manuals to read to find the answer; is there a good Solaris wiki you can recommend?)

---------- Post updated at 11:19 ---------- Previous update was at 11:06 ----------

Quote:
Originally Posted by jim mcnamara
Code:
pfexec su - root -c 'zpool scrub rpool'
pfexec su - root -c 'zpool scrub tank'

Change the word root to any suitable admin username.

Tested by typing this in a regular user terminal and got asked for the password for root. I have it of course, but it would be unsuitable for automatic scheduling. Is there a way I could, as root, give permissions to a regular user to use a certain command normally reserved for root?

Quote:
NOTE: cron does not exec /etc/profile nor does it run .profile for the user in question. In other words, your environment settings (PATH, etc.) in cron are probably wrong. For any user. You have to add the environment from inside the script. This one change alone can fix a lot of problems in cron scripts. su - [username] does log the user in correctly.

Thank you, I haven't actually even gotten around to using cron yet; my previous errors were in trying to simply run a script I called "scrub.sh". That way I could isolate errors: if I have a script file that I have tested to work when I manually run it, then when I have a scheduler run it and it doesn't work I can be sure the problem is with the scheduler.

So to clarify, I broke down what I wanted to do into steps; my "project" plan was very simple, merely 2 steps:
A. Create file "scrub.sh" which when run starts scrub on all pools. Make a shortcut for it on desktop to double click when I want a scrub.
B. Make a cron job to run that file every 2 weeks.

I got stuck on part A thus far and never even started on part B.

However, my questions in this thread are twofold:
1. How do I fix my project so it works?
2. Should I scrap the idea entirely and do something else that actually will work in achieving the goal of automatic scrub every 2 weeks? If so, how and what?

Last edited by taltamir; 01-09-2013 at 12:27 PM..
    #5  
Old 01-10-2013
GP81
Here is a very useful blog about RBAC and how you can provide root privileges with pfexec. I'm not the author.
Less known Solaris features: pfexec - c0t0d0s0.org
Less known Solaris features: RBAC and Privileges - c0t0d0s0.org

It's about Solaris 10. I didn't use RBAC in S11, but as far as I can see there is no built-in Primary Administrator profile. I think that you can create a profile appropriate for your needs, for example just with the zfs command.

There is a profile related to filesystem management.

Code:
root@solaris11:/etc/security/exec_attr.d# grep zfs *
core-os:ZFS File System Management:solaris:cmd:RO::/usr/sbin/zfs:euid=0

You can check whether it meets your needs.

I have tested it and it looks OK for creating a ZFS filesystem.

Code:
user1@solaris11:~$ profiles
          Basic Solaris User
          All
user1@solaris11:~$ pfexec zfs create pula01/test
cannot create 'pula01/test': permission denied


Code:
root@solaris11 # usermod -P +'ZFS File System Management' user1


Code:
user1@solaris11:~$ profiles
          ZFS File System Management
          Basic Solaris User
          All
user1@solaris11:~$ zfs create pula01/test
cannot create 'pula01/test': permission denied
user1@solaris11:~$ pfexec zfs create pula01/test

Another edit:
ZFS File System Management works fine for the zfs command, but for the zpool command you should use a different profile:

Code:
root@solaris11 # usermod -P +"ZFS Storage Management" user1

And then zpool scrub works fine too.

Last edited by GP81; 01-11-2013 at 06:07 AM..
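
Pulling the thread's pieces together, as an added example that is not from any poster: a scrub.sh that sets its own PATH for cron, confirms that `profiles` lists "ZFS Storage Management" before doing anything, and then runs `pfexec zpool scrub` per pool, so no root password or `su` is involved. The account name user1, the pool arguments and the crontab schedule are assumptions.

```shell
#!/bin/sh
# scrub.sh (added example): start a scrub on each pool named as an argument.
# Assumes root has already granted the rights profile from the thread:
#   usermod -P +"ZFS Storage Management" user1
# Assumed crontab entry for user1 (1st and 15th, roughly every two weeks):
#   0 3 1,15 * * /usr/scripts/scrub.sh rpool tank

# cron does not read /etc/profile or ~/.profile, so set PATH here.
export PATH=/usr/sbin:/usr/bin

REQUIRED_PROFILE="ZFS Storage Management"

# has_profile NAME: read `profiles` output on stdin; succeed only if one
# line equals NAME exactly (read strips the leading indentation).
has_profile() {
    while read -r line; do
        if [ "$line" = "$1" ]; then return 0; fi
    done
    return 1
}

# scrub_pools POOL...: run `pfexec zpool scrub` per pool and return the
# number of pools for which the command failed.
scrub_pools() {
    failed=0
    for pool in "$@"; do
        if pfexec zpool scrub "$pool"; then
            echo "scrub started: $pool"
        else
            echo "scrub failed: $pool" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# main POOL...: refuse to run without the profile, then scrub.
main() {
    if ! profiles | has_profile "$REQUIRED_PROFILE"; then
        echo "account lacks rights profile: $REQUIRED_PROFILE" >&2
        return 2
    fi
    scrub_pools "$@"
}

# With no arguments the file only defines the functions above.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A non-zero exit status makes cron mail the stderr lines to the job's owner, which is how a missing profile or a failed scrub start gets noticed.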