Feature #3882: Hide snapshot directory name in mount/mtab - CephFS - Ceph

Actions

Copy link

Feature #3882

closed

Hide snapshot directory name in mount/mtab

Added by Ivan Kudryavtsev over 11 years ago. Updated over 9 years ago.

Status:

Rejected

Priority:

Normal

Assignee:

Category:

Target version:

% Done:

Source:

Tags:

Backport:

Reviewed:

Affected Versions:

Component(FS):

Labels (FS):

Pull request ID:

Description

The idea is to avoid users to see what snapshot directory name choosen during mount.

This is useful if we want to prohibit user from creating snapshots and using 'secret'
snapshot directory name instead .snap when mounting FS.

Other way is to implement mount option to prevent uids rather than specified UID=XXX to create snapshots.

Also, may be I missed something in docs, but haven't found any way to prevent from snapshot creation by unprivileged users.

Actions

Copy link

Updated by Sage Weil over 11 years ago

It seems like better (or perhaps just "more important") fix is to restrict access to .snap in the first place.

FWIW, you can trivially patch the kernel to hide the snapname mount option...

diff --git a/fs/ceph/super.c b/fs/ceph/super.c
index 1a14400..a9c0ebb 100644
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -439,8 +439,6 @@ static int ceph_show_options(struct seq_file *m, struct dentry *root)
                seq_printf(m, ",readdir_max_entries=%d", fsopt->max_readdir);
        if (fsopt->max_readdir_bytes != CEPH_MAX_READDIR_BYTES_DEFAULT)
                seq_printf(m, ",readdir_max_bytes=%d", fsopt->max_readdir_bytes);
-       if (strcmp(fsopt->snapdir_name, CEPH_SNAPDIRNAME_DEFAULT))
-               seq_printf(m, ",snapdirname=%s", fsopt->snapdir_name);
        return 0;
 }

That will obscure it in /proc/mounts. Hiding it from /etc/mtab might require changing /sbin/mount... i forget exactly who updates that.

Actions

Copy link