I have a FreeNAS (11.1-U1) and a FreeBSD (11.1-RELEASE-p6) machine. On the FreeNAS I’d like to
zfs receive recursive snapshots as a non-root user with delegated privileges. This appears to work well for most of the child datasets. But iocage’s
data datasets, which can be mounted into the jail and administered from there, fail:

    root@freebsd:~> zfs send -RI "dozer@2018-02-21" "dozer@2018-03-08" | ssh -T -i /root/backup_key backupuser@freenas zfs receive -dvuF neo/backups/freebsd
    receiving incremental stream of dozer@2018-03-03 into neo/backups/freebsd@2018-03-03
    received 312B stream in 1 seconds (312B/sec)
    receiving incremental stream of dozer@2018-03-07 into neo/backups/freebsd@2018-03-07
    received 312B stream in 1 seconds (312B/sec)
    receiving incremental stream of dozer@2018-03-08 into neo/backups/freebsd@2018-03-08
    received 312B stream in 1 seconds (312B/sec)
    receiving incremental stream of dozer/ROOT@2018-03-03 into neo/backups/freebsd/ROOT@2018-03-03
    . . .
    receiving incremental stream of dozer/iocage/jails/owncloud/root@2018-03-08 into neo/backups/freebsd/iocage/jails/owncloud/root@2018-03-08
    received 578MB stream in 110 seconds (5.25MB/sec)
    receiving incremental stream of dozer/iocage/jails/owncloud/root/data@2018-03-03 into neo/backups/freebsd/iocage/jails/owncloud/root/data@2018-03-03
    cannot receive incremental stream: permission denied
    warning: cannot send 'dozer/iocage/jails/owncloud/root/data@2018-03-03': signal received
    warning: cannot send 'dozer/iocage/jails/owncloud/root/data@2018-03-07': Broken pipe
    warning: cannot send 'dozer/iocage/jails/owncloud/root/data@2018-03-08': Broken pipe

The permissions of that particular child are exactly the same as those of the parent dataset:

    root@freenas:~ # zfs allow neo/backups/freebsd/iocage/jails/owncloud/root/data
    ---- Permissions on neo/backups/freebsd -----------------------------
    Local+Descendent permissions:
        user backupuser atime,compression,create,dedup,exec,jailed,mount,mountpoint,quota,receive,rename,reservation,setuid,userprop

zfs receive on the FreeNAS as root works as expected.
What delegated privileges does my user need to receive the jailed datasets of iocage and, more generally, is there a way to make
zfs receive give out a more detailed error message which tells you what permission is missing?