10

In ZFS, you can build your filesystem hierarchy to include different fs-attributes per filesystem. For instance, compression in one area, no-exec/suid in others, noatime.

For example, a HOWTO for FreeBSD suggests creating the following filesystems:

zfs create -o compression=off   -o atime=off                    zroot/root
zfs create -o compression=on    -o setuid=off                   zroot/tmp
zfs create                                                      zroot/usr
zfs create                                                      zroot/usr/home
zfs create -o compression=lzjb                  -o setuid=off   zroot/usr/ports
zfs create -o compression=off   -o exec=off     -o setuid=off   zroot/usr/ports/distfiles
zfs create -o compression=off   -o exec=off     -o setuid=off   zroot/usr/ports/packages
zfs create -o compression=lzjb  -o exec=off     -o setuid=off   zroot/usr/src
zfs create                                                      zroot/var
zfs create -o compression=lzjb  -o exec=off     -o setuid=off   zroot/var/crash
zfs create                      -o exec=off     -o setuid=off   zroot/var/db
zfs create -o compression=lzjb  -o exec=on      -o setuid=off   zroot/var/db/pkg
zfs create                      -o exec=off     -o setuid=off   zroot/var/empty
zfs create -o compression=lzjb  -o exec=off     -o setuid=off   zroot/var/log
zfs create -o compression=gzip  -o exec=off     -o setuid=off   zroot/var/mail
zfs create                      -o exec=off     -o setuid=off   zroot/var/run
zfs create -o compression=lzjb  -o exec=on      -o setuid=off   zroot/var/tmp

Something I had heard said do not turn on compression or other features with Linux native ZFS on /var, because it will crash. What should the ZFS filesystem structure and features (compression, atime, disabling setuid, etc.) be on a Linux system?

glallen

1 Answer

1

Something I had heard said do not turn on compression or other features with Linux native ZFS on /var, because it will crash.

I can't think of any reason why enabling compression on /var could lead to a system crash: the compression is done completely transparently on a block level. There is no difference for file-level operations whether compression is activated or not.

Using the lz4 algorithm for compression, you'll get pretty decent data compression with very little additional CPU utilization. In fact, I have often heard the recommendation to turn on compression on all filesystems, and I have enabled it by default on all my pools, which have been running stably for years on production systems.

So if you're not working with an edge use case like high-performance databases, I would suggest enabling compression all the time.

Regarding the other options:

  • atime=off: Setting atime to off could lead to significant performance improvements, especially when dealing with large quantities of small files. This is not specific to ZFS: updating the access time for many files does take time.
  • setuid=off: Setuid enables a file to be executed with the file owner's permissions, regardless of who is executing the file. If you do not require setuid, it adds to the security level to disable this for a whole pool or dataset.
  • exec=off: This disables the execution of files entirely. This can add to the security level as well. But remember to use this only on datasets where no executable binaries would be placed. A good example would be in a web server environment where a potential attacker could not execute a script, even if he manages to upload it.

I can't see anything bad in the suggestions from the FreeBSD HOWTO you posted, other than that I would not use lzjb for compression but instead just set compression=on to make use of the most current default algorithm (probably lz4 as of the time of writing).

The fact that you specify these options with the zfs create command does not mean that these settings can only be set once and for all. In fact, you can just do a

zfs get all <dataset>

to view the current settings and update them with zfs set <option> <dataset>.

For example, if you have a dataset with compression=off, you can simply do a

zfs set compression=on <dataset>

to enable it. That would not compress all data in this dataset, but all blocks that are written to the dataset after setting this option would be compressed. You can even switch from one compression algorithm to another, while all data stored in this dataset remains accessible no matter what compression algorithm was used when the blocks were written, or even whether compression was enabled at all.

Andreas Piening
  • @symcbean please can you explain? What I wanted to say is that setting atime to off leads to fewer disk writes since updating the access time is omitted. This can lead to better write performance. – Andreas Piening Jun 01 '23 at 15:29
  • Sorry - misread your comment – symcbean Jun 01 '23 at 20:16
  • 1
    Things may have been a bit different in 2012 for ZFS on Linux vs. now, but now I think you're correct: OpenZFS `compression=on` for the whole dataset is the best current practice, as you said. – glallen Jun 02 '23 at 14:06
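
The answer's point that properties can be inspected with `zfs get` and corrected later with `zfs set`, as an added example that is not part of the original question, answer or comments: a small audit that reads `zfs get -H` output and prints the `zfs set` command for every dataset whose `exec` or `setuid` value drifts from the intended hardening. The dataset names are taken from the HOWTO in the question; the two policy lists, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit exec/setuid hardening.
# On a live system, feed the audit with (zroot is the pool from the HOWTO):
#   zfs get -H -r -t filesystem -o name,property,value exec,setuid zroot

# Hypothetical site policy. NOEXEC: exec=off and setuid=off; NOSUID: setuid=off only.
NOEXEC_DATASETS="zroot/var/log zroot/var/mail zroot/var/crash"
NOSUID_DATASETS="zroot/tmp zroot/var/tmp zroot/var/db/pkg"

# Reads tab-separated "name<TAB>property<TAB>value" lines on stdin and prints
# one corrective "zfs set" command per property that violates the policy.
audit_props() {
    awk -F '\t' -v noexec="$NOEXEC_DATASETS" -v nosuid="$NOSUID_DATASETS" '
        BEGIN {
            n = split(noexec, a, " ")
            for (i = 1; i <= n; i++) {
                want[a[i], "exec"] = "off"
                want[a[i], "setuid"] = "off"
            }
            n = split(nosuid, b, " ")
            for (i = 1; i <= n; i++) want[b[i], "setuid"] = "off"
        }
        # Datasets outside the policy (e.g. zroot/usr/home) are ignored.
        (($1, $2) in want) && $3 != want[$1, $2] {
            printf "zfs set %s=%s %s\n", $2, want[$1, $2], $1
        }'
}

# Constructed sample of `zfs get -H` output (not taken from a real pool).
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        zroot/tmp      exec   on \
        zroot/tmp      setuid off \
        zroot/var/log  exec   off \
        zroot/var/log  setuid on \
        zroot/var/mail exec   on \
        zroot/var/mail setuid off \
        zroot/usr/home exec   on \
        zroot/usr/home setuid on
}

# Print the remediation commands for the sample; review before running them.
sample_zfs_get | audit_props
```

Properties inherited from a parent dataset show up in the same output, so running the audit recursively also catches children that were created without the intended options.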