Mac OSX mobile accounts using ZFS snapshots

I was trying to get Portable Home Directories (PHD) working on Mac OSX using the Mobile Accounts feature.

The idea is that a network user should be able to log in to one computer today and to another tomorrow, with the same data and configuration synchronized across all machines. All users have network accounts stored in LDAP.
The same version of Mac OSX and the same applications are installed on each computer, so the user expects to be able to work on every machine in the same way.

Whether you use MCX attributes in LDAP or profiles created by Apple's Profile Manager, the results are more or less poor:

  • Sync on Login doesn't work (Show Stopper!)
  • Sync of ~/Library/IdentityServices/ids.db doesn't work
  • Sync of ~/Library/Application Support/Quick Look/cloudthumbnails.db sometimes doesn't work
  • The password of already configured Calendar accounts is not accepted and is requested multiple times. Deactivating/activating Calendar accounts sometimes works. The last resort is recreating the accounts.

This has been tested with Mac OSX 10.10 Yosemite (client) with Ubuntu Linux 12.04 (server), and Mac OSX 10.11 El Capitan (client) with Mac OSX 10.11 (server).

So I thought about other possibilities and created a solution called zfs_mobile_sync.

Here is the general idea:

  • Each user account has its home directory on its own ZFS filesystem.
  • A snapshot of the home filesystem is created on logout and transferred to the server.
  • On user login all missing snapshots are transferred from the server to the client so that the home filesystem of the user contains the most recent data.
  • Snapshots are automatically thinned by ZFS-Timemachine.
  • On the client, local ZFS operations happen as the root user.
  • Authentication on the server by SSH public key as user 'zfs_mobile_sync'.
  • Remote shell is restricted by rssh for ZFS use only.
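
The login step above ("transfer all missing snapshots") comes down to finding the newest snapshot both sides share and sending everything after it. The following is an added sketch of that decision, not code from zfs_mobile_sync; the function names, dataset names and snapshot names are assumptions, and the check that refuses to overwrite unsent local snapshots is an extra safeguard the list does not mention.

```shell
# Added example, not zfs_mobile_sync code. Inputs are snapshot short names (the
# part after '@'), oldest first, one per line. Dataset and snapshot names are
# constructed; the "zfs send" half of a printed pipeline runs on the server.

# Print the newest snapshot name present in both lists (empty if none).
latest_common() {
    lc_result=""
    for lc_snap in $2; do
        if printf '%s\n' "$1" | grep -qxF -- "$lc_snap"; then
            lc_result=$lc_snap
        fi
    done
    printf '%s' "$lc_result"
}

# Print local snapshots that the server does not have (unsent local state).
unsent_local() {
    for ul_snap in $1; do
        printf '%s\n' "$2" | grep -qxF -- "$ul_snap" || printf '%s\n' "$ul_snap"
    done
}

# plan_pull SERVER_DATASET CLIENT_DATASET LOCAL_SNAPS SERVER_SNAPS
plan_pull() {
    newest=$(printf '%s\n' "$4" | tail -n 1)
    if [ -z "$newest" ]; then echo "noop: server has no snapshots"; return 0; fi
    if [ -n "$(unsent_local "$3" "$4")" ]; then
        # A failed logout push left local-only snapshots; receiving with -F
        # would roll them back, so stop and let an operator decide.
        echo "abort: local snapshots missing on server"; return 1
    fi
    base=$(latest_common "$3" "$4")
    if [ "$base" = "$newest" ]; then
        echo "noop: already up to date"
    elif [ -n "$base" ]; then
        # -I sends every intermediate snapshot between base and newest.
        echo "zfs send -I @$base $1@$newest | zfs receive -F $2"
    else
        echo "zfs send $1@$newest | zfs receive -F $2"
    fi
}

# Constructed sample: the server is one snapshot ahead of this client.
LOCAL_SNAPS='logout-01
logout-02'
SERVER_SNAPS='logout-01
logout-02
logout-03'
plan_pull tank/home/alice pool/home/alice "$LOCAL_SNAPS" "$SERVER_SNAPS"
```

The script only prints the plan; on a real system the two lists would come from `zfs list -H -t snapshot -o name -s creation` on each side.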

Pros

  • Home folders are synchronized completely.
  • Use of ZFS features: compression, checksums, snapshots.
  • Transfer of changed data should be faster than file-based approaches like rsync.

Cons

  • Specific files / folders can't be excluded from the transfer.
  • No graphical status / progress output on login / logout while transfer is happening, only shell output / syslog.

For a detailed description, please have a look at the GitHub project.