A Lightweight NAS
All labs need a NAS for storage. Because we already have a ZFS file system, we do not need to run TrueNAS Core or Scale in a VM. We will use Samba with Cockpit as the GUI and run it in a CT. #nas #cockpit
All labs need a NAS for storage. Now, we will build a proper file server on our Proxmox system using a Linux Container. In Proxmox, we use CTs for this, so we can share the host's ZFS file system. To manage shares and users using a web GUI, we install Cockpit, as well as some additional modules from 45 Drives to deal with Samba and NFS.
Because we already have a ZFS file system, we do not need to add another layer of file system or a virtual machine running TrueNAS Core or Scale. A real NAS has a few benefits, but in a small lab environment this is plenty good.
Using an unprivileged container is safe. Its root user is mapped to UID 100000 on the host and can't do anything on your system (as opposed to a privileged container, whose root is UID 0 and can do anything). Container memory can be limited, and we limit it to 512 k and the disk to 8 G.
Set up an unprivileged CT
We will use the Debian 12 template for this build. On it, we install Cockpit without admin modules (Proxmox does the networking, and we do not need the other things Cockpit can do). You can also use Cockpit to control other servers.
You can run this setup without ZFS if you know what you are doing.
What are we using for the NAS
GUI is Cockpit, Samba for the server and CIFS or NFS for the networking.
The GUI
Cockpit is a web-based graphical interface for servers, intended for everyone, beginner to expert. The Cockpit Web Console is extendable by modules from several companies.
About Samba
The standard Windows interoperability suite for Linux and Unix.
Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.
Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.
SMB Ports Open on Firewall (133/TCP, 445/TCP and 137/UDP, 138/UDP)
Network File System (NFS)
NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.
Some of the most notable benefits that NFS can provide are:
- Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network.
- There is no need for users to have separate home directories on every network machine. Home directories could be set up on the NFS server and made available throughout the network.
- Storage devices such as floppy disks, CD-ROM drives, and USB Thumb drives can be used by other machines on the network. This may reduce the number of removable media drives throughout the network.
Installing Cockpit
Prepare the CT/VM for Samba and Cockpit
Set up an unprivileged CT with the Debian 12 template, 512k memory and 8G disk (we add data storage later). On it, we will install Cockpit, without admin modules.
- Download the Debian 12 Template (if it's not on your machine yet)
- Create CT: with 2 cores, 512M memory and 8G disk. Networking as you need.
- Update the CT
apt update && apt dist-upgrade -y
- Install Cockpit and its tools
- Add data storage
- Add groups
- Add users
- Add shares and set privileges
- Test
- Release to the family
Create a CT
Create an LXC and call it something like bucket or bigbox:
- Ubuntu 22.04 with 1-2 core, 1G RAM and SWAP, a disk 8-16 G.
- The real data will be stored on our mount point.
- Use DHCP, copy the MAC to your DHCP and make a reservation and update the DNS too.
See the documentation: Proxmox Container Toolkit → Container Storage → Using Quotas Inside Containers
Note: This currently requires the use of legacy cgroups.
Note: This is only compatible with ext4 image-based storage types and currently only works with privileged containers.
zfspool. Adding a mount point to a different type of storage when the container has replication configured requires to have Skip replication enabled for that mount point.
The standard Posix Access Control Lists are also available inside containers. ACLs allow you to set more detailed file ownership than the traditional user/group/others model.
Security in containers is achieved by using mandatory access control AppArmor restrictions, seccomp filters and Linux kernel namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. That's why privileged containers should only be used in trusted environments.
Install Cockpit
If you intend to control other hosts too from this instance of Cockpit, you might like to install the full package. See the Cockpit project home page for the apps they have.
apt-get install --no-install-recommends cockpit -y
ℹ️ We use the --no-install-recommends flag to make sure that Cockpit doesn't interfere with stuff that Proxmox handles.
Then we need to allow root login to Cockpit.
Just remove root from this file and save:
nano /etc/cockpit/disallowed-users
Test Cockpit
In your browser, open Cockpit at https://<ct-ip>:9090.
Language will default to your PC settings, change if needed.
Add an entry into your DNS
Install the Cockpit Extensions
We add the extensions from the 45 Drives GitHub repository. Find the .deb file, copy its link and download it with wget in the CT console.
Visit 45 Drives on GitHub. Check the files and proceed if you trust them. You should never ever download files from the internet you don't trust.
Download the packages from 45 Drives
Check what the latest stable version is on these GitHub pages:
Cockpit File Sharing on GitHub
wget https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.3.7/cockpit-file-sharing_3.3.7-1focal_all.deb
Cockpit Identities on GitHub
wget https://github.com/45Drives/cockpit-identities/releases/download/v0.1.12/cockpit-identities_0.1.12-1focal_all.deb
Cockpit Navigator on GitHub
wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator_0.5.10-1focal_all.deb
Install the 3 Add-ons
apt install ./*.deb
Delete the installation files with rm *.deb, as they are not needed any more.
Samba & NFS - File Sharing
A Cockpit plugin for managing Samba and NFS shares.
Check for the latest version, copy the .deb link and download it with wget.
wget https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.3.4/cockpit-file-sharing_3.3.4-1focal_all.deb
File System Browser - Navigator
A featureful file system browser for Cockpit - remotely browse, manage, edit, upload, and download files on your server through your web browser.
Check for the latest version, copy the .deb link and download it with wget, as you did for the File Sharing tool:
wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator_0.5.10-1focal_all.deb
User Management - Identities
User and group management plugin for Cockpit
Check for the latest version, copy the .deb link and download it with wget, as you did for the File Sharing tool:
wget https://github.com/45Drives/cockpit-identities/releases/download/v0.1.12/cockpit-identities_0.1.12-1focal_all.deb
Install the 3 packages from local
apt install ./*.deb -y
Remove the installation files, they are no longer needed
rm *.deb
Configuring the NAS
Log in to Cockpit at https://<ct-ip>:9090.
Now we can start configuring our NAS. Cockpit now has 3 more tools in the overview section, and we can set up our NAS storage (CIFS and NFS) and the groups with users and their privileges.
Add Storage to the CT
Go to Proxmox CT/Resources and add the storage for this NAS. For CTs, we can do this on the fly by Add Mount point. I have ZFS Pools on SSD and SAS drives.
I choose to add /srv/ssd with a quota of 50G and /srv/hdd with a quota of 2048G. You probably need something different and/or need some sub-folders.
See the documentation: Proxmox Container Toolkit → Container Storage → Using Quotas Inside Containers
Note: This currently requires the use of legacy cgroups.
Note: This is only compatible with ext4 image-based storage types and currently only works with privileged containers.
User Management
We need to configure Samba and add the users and groups. Because Windows has its own hashing for passwords, we need to add every user/password twice, once for Linux/Unix systems and once for Windows.
Enter the passwords 2 times
Add Groups
Go to Overview → Identities → Groups and hit [+] to add a Group.
I added ssd-user (strictly limited users) and nas-user (for the family).
You can add as many groups as you need and can manage.
Add Users
Go to Overview → Identities → Users and hit [+] to add a User.
Passwords need to have 1 lower- and 1 uppercase letter, 1 number, 1 special character and be at least 8 characters long, but it's recommended to use 16-20.
I added myself and added me to the groups of nas-user and also to the ssd-user.
NOTE: You need to have Login Shell set to /bin/bash to be able to log in to Cockpit and use Navigator.
Now set the Samba password too!
To use a short and unsafe password, hit Apply twice.
After you've tested that the NAS is working, you can add the rest of your family.
Configure Samba
Set the Global and the Share section and run testparm -s in the Terminal to see if the config is valid or not. Overview/File Sharing/Samba:
Global
Give the server a description and assign it to a Workgroup. Here you can adjust the log level (Samba Wiki) and add some advanced Samba settings. If you run macOS, set the Global macOS Shares to on.
Here I added inherit permissions = yes to see the UNIX form of set GID to make all files and subdirectories belong to the enclosing group. And the macOS Shares is on.
Shares
Now add the storage you need and the sub-folders needed. Remember their privileges - don't create stuff anybody can access.
- is the owner of your data directories,
- and have permissions to read/write by group (default is by user).
⚠️ Don't use /home, due to the fact that we only have an 8G disk.
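An added example, not part of the original post and not Cockpit or 45 Drives code: testparm tells you whether smb.conf is valid, not whether a share is open to everybody, so this script lists shares that allow guests or have no valid users line. The sample config is constructed from this page's group names and mount points; the share names, and the assumption that [global] comes before the shares, are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list Samba shares that allow guests or have no "valid users" allow-list.
# Assumes [global] comes before the share sections, so its defaults can be inherited.
audit_smb_conf() {   # reads smb.conf from the file argument, or stdin if none is given
  awk '
    function flush() {
      if (share == "") return
      if (share == "global") { gguest = guest; gvalid = valid; return }
      if (guest)  print share ": guest access enabled"
      if (!valid) print share ": no valid users restriction"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                        # section header such as [ssd]
      flush()
      share = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
      guest = gguest; valid = gvalid                # start from the [global] defaults
      next
    }
    {
      eq = index($0, "="); if (!eq) next
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # names ignore case and spaces
      val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "guestok" || key == "public") guest = (val ~ /^(yes|true|on|1)$/)
      if (key == "validusers") valid = (val != "")
    }
    END { flush() }
  ' "$@"
}

sample_conf() {      # constructed sample: this page's groups and mount points, hypothetical share names
  cat <<'EOF'
[global]
   workgroup = WORKGROUP
   inherit permissions = yes
[ssd]
   path = /srv/ssd
   valid users = @ssd-user
[hdd]
   path = /srv/hdd
   valid users = @nas-user
[scratch]
   path = /srv/hdd/scratch
   guest ok = yes
EOF
}

sample_conf | audit_smb_conf
```

In the CT, run it against the real file with audit_smb_conf /etc/samba/smb.conf; a share without valid users is reachable by every Samba user you have created, limited only by the file permissions underneath.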
Use the NAS
Connect to the NAS and open your files. What I do is that I create the needed folders, like in this. That is then my test "drive".
⚠️ Don't connect to your personal folder - the system disk is only 8G.
References
Cockpit [1] is a GUI for Servers with many features. It's great!
Samba [2] is the workhorse of storage all over the place. Samba is the standard Windows interoperability suite of programs for Linux and Unix.
Samba is serving many clients: Apple, Linux, Windows, Free BSD and Unix.
Network File System (NFS) [3]: NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.
See also this alternative solution: Ultra-lightweight NAS
[1] The Cockpit Project: see the home page and the documentation page; for other applications they have, see Applications.
[2] See the home page. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member. See also How to configure Samba, the smb.conf man page and Wikipedia.
[3] NFS is an Internet Standard, client/server protocol developed in 1984 by Sun Microsystems. NFS enables a client to view, store, and update files on a remote computer as if they were locally stored. The main versions in deployment these days (client and server) are NFSv3, NFSv4, and NFSv4.1. See wiki ubuntu, RFC 5661, IETF.org NFSv4, IBM.