Bug 199864 - bsdinstall(8): zfsboot script should create /var/audit dataset
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 10.1-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Allan Jude
Depends on:
Reported: 2015-05-02 15:11 UTC by Jason Unovitch
Modified: 2015-07-20 16:44 UTC

See Also:

add /var/audit dataset to usr.sbin/bsdinstall/scripts/zfsboot config (409 bytes, patch)
2015-05-02 15:11 UTC, Jason Unovitch

Description Jason Unovitch freebsd_committer 2015-05-02 15:11:57 UTC
Created attachment 156238
add /var/audit dataset to usr.sbin/bsdinstall/scripts/zfsboot config

usr.sbin/bsdinstall/scripts/zfsboot currently creates datasets for /var/log but not /var/audit.  While anyone using auditing would likely make adjustments, the default could be better.  There's no good reason to potentially lose audit logs by keeping them as part of the boot environment instead of on a dedicated dataset.  Additionally, treating logs under /var/log differently than audit logs under /var/audit is not an intuitive default configuration.  Attached patch enables configuring /var/audit by default.

Other Implementation References:

PCBSD creates /var/audit by default with just compression, which is already enabled at the pool level on FreeBSD since r266108 on HEAD and r267056 on stable/10.

Oracle Solaris 11 does things differently with a symlink of /var/audit to /var/share/audit to accomplish the same goal of keeping audit logs outside of the boot environment:
Comment 1 Jason Unovitch freebsd_committer 2015-06-19 02:50:59 UTC
CC allanjude@, as r272274 has been including /var/audit in the boot environment root dataset since that commit.  This addresses it for the reasons mentioned in the PR above and this feels like a trivial commit could address it before 10.2-RELEASE.
Comment 2 Allan Jude freebsd_committer 2015-07-12 19:32:00 UTC
The fix for this is pending review: https://reviews.freebsd.org/D2861
Comment 3 commit-hook freebsd_committer 2015-07-14 19:39:14 UTC
A commit references this bug:

Author: allanjude
Date: Tue Jul 14 19:38:27 UTC 2015
New revision: 285553
URL: https://svnweb.freebsd.org/changeset/base/285553

  Have bsdinstall's zfsboot script make /var/audit its own dataset, so it is not part of the OS boot environment

  PR:		199864
  Submitted by:	Jason Unovitch
  Approved by:	brueffer
  MFC after:	3 days
  Relnotes:	yes
  Differential Revision:	https://reviews.freebsd.org/D2861

Comment 4 Jason Unovitch freebsd_committer 2015-07-14 23:34:23 UTC
Thanks Allan!  Good call on the exec=off,setuid=off; I followed PCBSD precedent but those options are certainly for the best.  Hope you didn't mind the gentle prodding to track down a committer since I didn't want this missed for 10.2-RELEASE.
Comment 5 commit-hook freebsd_committer 2015-07-20 16:18:16 UTC
A commit references this bug:

Author: allanjude
Date: Mon Jul 20 16:17:44 UTC 2015
New revision: 285721
URL: https://svnweb.freebsd.org/changeset/base/285721

  MFC:	r285482
  	A variable was misspelled resulting in chmod executing on the installer instead of on the target chroot

  PR:	191402

  MFC:	r285553
  	make /var/audit its own dataset so it is not part of the OS boot environment

  PR:	199864

  MFC:	r285554
  	Set a mountpoint on the root of the pool so user-created datasets have a mountpoint to inherit

  MFC:	r285557
  	Make bsdinstall's zfsboot script align partitions to 4k/1m when the user requests it

  PR:	195174

  Approved by:	re (gjb), brueffer
  Relnotes:	yes
  Sponsored by:	ScaleEngine Inc.

_U  stable/10/
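
Added example (not part of the original bug thread or of the committed zfsboot change): a shell check that reads zfs list output and confirms /var/audit is its own dataset, outside the boot environment, with exec=off and setuid=off as discussed in comments 3 and 4. The pool and dataset names in the samples are constructed, and treating the dataset mounted at / as the boot environment is an assumption.

```sh
#!/bin/sh
# Added example; not part of bsdinstall or of the patch in this bug.
# Reads `zfs list -H -o name,mountpoint,exec,setuid` output on stdin
# (tab-separated, one dataset per line) and checks /var/audit.
# Exit: 0 ok, 1 no dedicated dataset, 2 dataset nested under the
# dataset mounted at / (assumed to be the boot environment),
# 3 exec or setuid not off.
check_audit_dataset() {
    awk -F '\t' '
        $2 == "/"          { root = $1 }
        $2 == "/var/audit" { ds = $1; ex = $3; su = $4 }
        END {
            if (ds == "") {
                print "FAIL: /var/audit is not its own dataset"; exit 1
            }
            if (root != "" && index(ds, root "/") == 1) {
                print "FAIL: " ds " is a child of " root; exit 2
            }
            if (ex != "off" || su != "off") {
                print "FAIL: " ds " has exec=" ex " setuid=" su; exit 3
            }
            print "OK: " ds " exec=off setuid=off"
        }'
}

# Constructed sample listings; pool and dataset names are made up.
sample_before=$(printf '%s\t%s\t%s\t%s\n' \
    zroot/ROOT/default / on on \
    zroot/var/log /var/log off off)
sample_compress_only=$(printf '%s\t%s\t%s\t%s\n' \
    zroot/ROOT/default / on on \
    zroot/var/audit /var/audit on on)
sample_fixed=$(printf '%s\t%s\t%s\t%s\n' \
    zroot/ROOT/default / on on \
    zroot/var/audit /var/audit off off)

for s in "$sample_before" "$sample_compress_only" "$sample_fixed"; do
    printf '%s\n' "$s" | check_audit_dataset || true
done
# On a live system:
#   zfs list -H -o name,mountpoint,exec,setuid | check_audit_dataset
```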