Multilevel datasets are useful containers when you downgrade or upgrade information. For more information, see Multilevel Datasets for Relabeling Files. Multilevel datasets are also useful for multilevel NFS file servers to provide files at many labels to a number of NFS clients.
Before You Begin
To create a multilevel dataset, you must be in the root role in the global zone.
# zfs create -o mountpoint=/multi -o multilevel=on rpool/multi
rpool/multi is a multilevel dataset that is mounted in the global zone at /multi.
To limit the upper label range of the dataset, see Example 10, Creating a Multilevel Dataset With a Highest Label Below ADMIN_HIGH.
# getlabel /multi /multi: ADMIN_LOW
Set the following ZFS properties to off for all file systems in the pool:
# zfs set devices=off rpool/multi # zfs set exec=off rpool/multi # zfs set setuid=off rpool/multi
Typically, compression is set in ZFS at the file system level. However, because all the file systems in this pool are data files, compression is set at the top-level dataset for the pool.
# zfs set compression=on rpool/multi
# cd /multi # mkdir public internal # chmod 777 public internal # setlabel PUBLIC public # setlabel "CNF : INTERNAL" internal
For example, the following series of zonecfg commands mounts the dataset in the public zone.
# zonecfg -z public zonecfg:public> add fs zonecfg:public:fs> set dir=/multi zonecfg:public:fs> set special=/multi zonecfg:public:fs> set type=lofs zonecfg:public:fs> end zonecfg:public> exit
Multilevel datasets permit writing files at the same label as the mounting zone and reading lower-level files. The label of the mounted files can be viewed and set.
# tncfg -z global add mlp_private=2049/tcp # tncfg -z global add mlp_private=111/udp # tncfg -z global add mlp_private=111/tcp
# svcadm restart nfs/server
# share /multi
NFS-mounted multilevel datasets permit writing files at the same label as the mounting zone and reading lower-level files. The label of the mounted files cannot be viewed reliably or set. For more information, see Mounting Multilevel Datasets From Another System.
In this example, the administrator creates a multilevel dataset with a upper bound, or highest label, that is lower than the default, ADMIN_HIGH. At dataset creation, the administrator specifies the upper label bound in the mslabel property. This upper bound prevents global zone processes from creating any files or directories in the multilevel dataset. Only labeled zone processes can create directories and files in the dataset. Because the multilevel property is on, the mlslabel property sets the upper bound, not the label for a single-label dataset.
# zfs create -o mountpoint=/multiIUO -o multilevel=on \ -o mlslabel="CNF : INTERNAL" rpool/multiIUO
Then, the administrator logs in to each labeled zone to create a directory at that label in the mounted dataset.
# zlogin public # mkdir /multiIUO # chmod 777 /multiIUO # zlogin internal # mkdir /multiIUO # chmod 777 /multiIUO
The multilevel datasets are visible at the label of the mounting zone to authorized users after the zone is rebooted.
Next Steps
To enable users to relabel files, see How to Enable Files to Be Relabeled From a Labeled Zone.