Solaris11: Permission issues with auto-scrub ZFS pool

Short version:

pfexec zpool scrub rpool

fails saying I do not have permission to perform that action. Apparently scrub is not one of the pfexec allowed actions. Any idea on how to get around it?

Long version:
I got tired of manually running scrubs and am trying to set it to happen automatically.
Seems simple enough to set up a cron job for it (once Google informed me of the existence of cron :P).

Wanting to test it out and isolate issues and such, and based on my experience I figured the best way to do so is to use a script.
Simply create a new file /usr/scripts/scrub.sh which contains:

pfexec zpool scrub rpool
pfexec zpool scrub tank

But that doesn't work, no permissions. I verified it by trying just typing

pfexec zpool scrub rpool

by itself.

I could modify the script to remove pfexec instances and then I just need to schedule the script to run as an administrator. Which I don't know how to do.

Any ideas / suggestions?

As what user are you trying to execute this command?
If it is a regular user, then you must assign an appropriate profile to that user account.

pfexec su - root -c 'zpool scrub rpool'
pfexec su - root -c 'zpool scrub tank'

Change the word root to any suitable admin username. NOTE: cron does not exec /etc/profile nor does it run .profile for the user in question. In other words, your environment settings (PATH, etc.) in cron are probably wrong. For any user. You have to add the environment from inside the script. This one change alone can fix a lot of problems in cron scripts. su - [username] does log the user in correctly.


How do I do that? (Or rather, what terms should I google for to find the correct manuals to read to find the answer; is there a good solaris wiki you can recommend?)

---------- Post updated at 11:19 ---------- Previous update was at 11:06 ----------

Tested by typing this in a regular user terminal and got asked for the password for root. I have it of course, but it would be unsuitable for automatic scheduling. Is there a way I could, as root, give permissions to a regular user to use a certain command normally reserved for root?

Thank you, I haven't actually even gotten around to using cron yet, my previous errors were in trying to simply run a script I called "scrub.sh". That way I could isolate errors, if I have a script file that I have tested to work when I manually run it, then when I have a scheduler run it and it doesn't work I can be sure the problem is with the scheduler.

So to clarify, I broke down what I wanted to do into steps; my "project" plan was very simple, merely 2 steps:
A. Create file "scrub.sh" which when run starts scrub on all pools. Make a shortcut for it on desktop to double click when I want a scrub.
B. Make a cron job to run that file every 2 weeks.

I got stuck on part A thus far and never even started on part B.

However, my questions in this thread are twofold:

  1. How do I fix my project so it works?
  2. Should I scrap the idea entirely and do something else that actually will work in achieving the goal of automatic scrub every 2 weeks? If so, how and what?

Here is a very useful blog about RBAC and how you can provide root privileges with pfexec. I'm not the author.
Less known Solaris features: pfexec - c0t0d0s0.org
Less known Solaris features: RBAC and Privileges - c0t0d0s0.org

It's about Solaris 10. I didn't use RBAC in s11, but as far as I can see there is no built-in Primary Administrator profile. I think that you can create a profile appropriate for your needs, for example just with the zfs command.

There is a profile related to filesystem management.

root@solaris11:/etc/security/exec_attr.d# grep zfs *
core-os:ZFS File System Management:solaris:cmd:RO::/usr/sbin/zfs:euid=0

You can try if they can meet your needs.

I have tested and it looks ok for creating zfs filesystem.

user1@solaris11:~$ profiles
          Basic Solaris User
          All
user1@solaris11:~$ pfexec zfs create pula01/test
cannot create 'pula01/test': permission denied
root@solaris11 # usermod -P +'ZFS File System Management' user1
user1@solaris11:~$ profiles
          ZFS File System Management
          Basic Solaris User
          All
user1@solaris11:~$ zfs create pula01/test
cannot create 'pula01/test': permission denied
user1@solaris11:~$ pfexec zfs create pula01/test

Another edit :)
ZFS File System Management works fine for the zfs command, but for the zpool command you should use a different profile:

root@solaris11 # usermod -P +"ZFS Storage Management" user1

And then zpool scrub works fine too :)
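
The pieces from this thread combined into one cron-safe script, as an added example that is not from any poster: it checks for the "ZFS Storage Management" profile, sets its own PATH because cron does not load the user's profile, and calls pfexec and zpool by absolute path. The tool paths, the `--run` switch and the crontab line are assumptions made for the example.

```shell
#!/bin/sh
# scrub.sh: added example, not from the thread. Assumes the invoking user was
# granted the "ZFS Storage Management" profile with usermod -P as shown above.

# cron does not read /etc/profile or ~/.profile, so set PATH explicitly and
# call the privileged tools by absolute path rather than by PATH lookup.
PATH=/usr/sbin:/usr/bin
export PATH
PFEXEC=/usr/bin/pfexec          # assumed install locations
ZPOOL=/usr/sbin/zpool
PROFILES=/usr/bin/profiles
NEEDED_PROFILE="ZFS Storage Management"

# has_profile NAME: succeed if `profiles` lists NAME for the current user.
has_profile() {
    list=$("$PROFILES") || return 1
    while read -r line; do      # read trims the leading indentation
        [ "$line" = "$1" ] && return 0
    done <<EOF
$list
EOF
    return 1
}

# scrub_all: start a scrub on every imported pool.
# Returns 0 on success, 1 if any scrub could not start, 2 if setup is wrong.
scrub_all() {
    if ! has_profile "$NEEDED_PROFILE"; then
        echo "scrub.sh: missing RBAC profile '$NEEDED_PROFILE'" >&2
        return 2
    fi
    pools=$("$ZPOOL" list -H -o name) || return 2
    rc=0
    for pool in $pools; do
        if "$PFEXEC" "$ZPOOL" scrub "$pool"; then
            echo "scrub started: $pool"
        else
            echo "scrub.sh: could not start scrub on $pool" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed crontab line (1st and 15th at 03:00, roughly every two weeks):
#   0 3 1,15 * * /usr/scripts/scrub.sh --run
if [ "${1:-}" = "--run" ]; then
    scrub_all
    exit $?
fi
```

Granting only this one profile keeps the root password out of the scheduled job, and the non-zero exit codes let cron's mail output show when a scrub did not start.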