A Lightweight NAS

All labs need a NAS for storage. Because we already have a ZFS file system, we do not need to run TrueNAS Core or Scale in a VM. We will use Samba with Cockpit as the GUI and run it in a CT. #nas #cockpit


All labs need a NAS for storage. Now we will build a proper file server on our Proxmox system using a Linux Container. In Proxmox, we use CTs for this, so we can share the host's ZFS file system. To manage shares and users from a web GUI, we install Cockpit, along with some additional modules from 45 Drives that handle Samba and NFS.
Because we already have a ZFS file system, we do not need to add another file system layer or a virtual machine running TrueNAS Core or Scale. A real NAS has a few benefits, but in a small lab environment this is plenty good.

Using an unprivileged container is safe. Root inside the container is mapped to UID 100000 on the host and can't do anything on your system (as opposed to a privileged container, where root is UID 0 and can do anything). Container memory can be limited, and we limit it to 512 k and the disk to 8 G.

Set up an unprivileged CT

We will use the Debian 12 template for this build. On it, we install Cockpit without admin modules (Proxmox does the networking, and we do not need the other things Cockpit can do). You can also use Cockpit to control other servers.

You can run this setup without ZFS if you know what you are doing.
ℹ️
You can use any distro you like. For a smaller size, use Alpine CT.

What are we using for the NAS

Cockpit is the GUI, Samba is the server, and CIFS or NFS handles the networking.

The GUI

Cockpit is a web-based graphical interface for servers, intended for everyone, beginner to expert. The Cockpit Web Console is extendable by modules from several companies.

About Samba

The standard Windows interoperability suite for Linux and Unix.

Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

SMB Ports Open on Firewall (133/TCP, 445/TCP and 137/UDP, 138/UDP)

Network File System (NFS)

NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.

Some of the most notable benefits that NFS can provide are:

  • Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network.
  • There is no need for users to have separate home directories on every network machine. Home directories could be set up on the NFS server and made available throughout the network.
  • Storage devices such as floppy disks, CD-ROM drives, and USB Thumb drives can be used by other machines on the network. This may reduce the number of removable media drives throughout the network.


Installing Cockpit

Prepare the CT/VM for Samba and Cockpit

Set up an unprivileged CT with the Debian 12 template, 512k memory and 8G disk (we add data storage later). On it, we will install Cockpit, without admin modules.

  1. Download the Debian 12 Template (if it's not on your machine yet)
  2. Create the CT with 2 cores, 512M memory and 8G disk. Set up networking as you need.
  3. Update the CT: apt update && apt dist-upgrade -y
  4. Install Cockpit and its tools
  5. Add data storage
  6. Add groups
  7. Add users
  8. Add shares and set privileges
  9. Test
  10. Release to the family

Create a CT

Create an LXC and call it something like bucket or bigbox:

  • Ubuntu 22.04 with 1-2 cores, 1G RAM and SWAP, and a disk of 8-16 G.
  • The real data will be stored on our mount point.
  • Use DHCP: copy the MAC to your DHCP server, make a reservation and update the DNS too.
💡
Quotas allow setting limits inside a container for the amount of disk space that each user can use.
See the documentation: Proxmox Container Toolkit → Container Storage → Using Quotas Inside Containers
👉 This currently requires the use of legacy cgroups
👉 This is only compatible with ext4 image-based storage types and currently only works with privileged containers.
💡
Replication requires a storage of type zfspool. Adding a mount point to a different type of storage when the container has replication configured requires Skip replication to be enabled for that mount point.
🆔
ACL
The standard POSIX Access Control Lists are also available inside containers. ACLs allow you to set more detailed file ownership than the traditional user/group/others model.
⚠️
Privileged Containers
Security in containers is achieved by using mandatory access control AppArmor restrictions, seccomp filters and Linux kernel namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. That's why privileged containers should only be used in trusted environments.

Install Cockpit

If you intend to control other hosts from this instance of Cockpit too, you might like to install the full package. See the Cockpit project home page for the apps they have.

apt-get install --no-install-recommends cockpit -y
apt-get install --no-install-recommends cockpit wsdd -y

ℹ️ Added wsdd for the case you have Windows users

ℹ️ We use the --no-install-recommends flag to make sure that Cockpit doesn't interfere with stuff that Proxmox handles.

Then we need to allow root login to Cockpit.

Just remove root from this file and save:

nano /etc/cockpit/disallowed-users

Test Cockpit

In your browser, open Cockpit at https://<ct-ip>:9090.
The language defaults to your PC settings; change it if needed.

Add an entry into your DNS

Install the Cockpit Extensions

We add the extensions from the 45 Drives GitHub repository. Find the .deb file, copy its link and download it with wget in the CT console.

Visit 45 Drives on GitHub. Check the files and proceed if you trust them. You should never download files from the internet that you don't trust.

Download the packages from 45 Drives

Check out what is the latest stable version from these GitHub pages

Cockpit File Sharing on GitHub
wget https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.3.7/cockpit-file-sharing_3.3.7-1focal_all.deb
Cockpit Identities on GitHub
wget https://github.com/45Drives/cockpit-identities/releases/download/v0.1.12/cockpit-identities_0.1.12-1focal_all.deb
Cockpit Navigator on GitHub
wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator_0.5.10-1focal_all.deb

Install the 3 Add-ons

apt install ./*.deb

Delete the installation files with rm *.deb, as they are not needed any more.

Samba & NFS - File Sharing

A Cockpit plugin for managing Samba and NFS shares.

Check for the latest version, copy the .deb link and download it with wget.

wget https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.3.4/cockpit-file-sharing_3.3.4-1focal_all.deb

Create Samba-share Example

File System Browser - Navigator

A featureful file system browser for Cockpit: remotely browse, manage, edit, upload, and download files on your server through your web browser.

Check for the latest version, copy the .deb link and download it with wget.

As you did for the File Sharing tool:
wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator_0.5.10-1focal_all.deb

User Management - Identities

User and group management plugin for Cockpit

Check for the latest version, copy the .deb link and download it with wget.

As you did for the File Sharing tool:
wget https://github.com/45Drives/cockpit-identities/releases/download/v0.1.12/cockpit-identities_0.1.12-1focal_all.deb

Identities Example

Install the 3 packages from local

apt install ./*.deb -y

Remove the installation files, they are no longer needed

rm *.deb

Configuring the NAS

Login to Cockpit https://<ct-ip>:9090.

Now we can start configuring our NAS. Cockpit now has 3 more tools in the Overview section, and we can set up our NAS storage (CIFS and NFS) and the groups with users and their privileges.

Add Storage to the CT

Go to Proxmox CT/Resources and add the storage for this NAS. For CTs, we can do this on the fly by Add Mount point. I have ZFS Pools on SSD and SAS drives.

I chose to add /srv/ssd with a quota of 50G and /srv/hdd with a quota of 2048G. You probably need something different and/or need some sub-folders.

💡
Quotas allow setting limits inside a container for the amount of disk space that each user can use.
See the documentation: Proxmox Container Toolkit → Container Storage → Using Quotas Inside Containers
👉 This currently requires the use of legacy cgroups
👉 This is only compatible with ext4 image-based storage types and currently only works with privileged containers.

User Management

We need to configure Samba and add the users and groups. Because Windows has its own hashing for passwords, we need to add every user/password twice, once for Linux/Unix systems and once for Windows.

Enter the passwords 2 times

Add Groups

Go to Overview → Identities → Groups and hit [+] to add a Group

I added ssd-user (strictly limited users) and nas-user (for the family).

You can add as many groups as you need and can manage.

Add Users

Go to Overview → Identities → Users and hit [+] to add a User

Passwords need to have 1 lowercase and 1 uppercase letter, 1 number and 1 special character, and be at least 8 characters long, but it's recommended to use 16-20.

I added myself and added me to the groups of nas-user and also to the ssd-user.

NOTE You need to have Login Shell set to /bin/bash to be able to login to Cockpit and use Navigator.

Now set the Samba password too!

To use a short and unsafe password, hit Apply twice.

After you've tested that the NAS is working, you can add the rest of your family.

Configure Samba

In Overview/File Sharing/Samba, set the Global and the Share sections, then run testparm -s in the Terminal to check whether the config is valid.

Global

Give the server a description and assign it to a Workgroup. Here you can adjust the log level (Samba Wiki) and add some advanced Samba settings. If you run macOS, set the Global macOS Shares to on.

Here I added inherit permissions = yes to see the UNIX form of set GID, making all files and subdirectories belong to the enclosing group. The macOS Shares option is also on.

Shares

Now add the storage you need and the sub-folders needed. Remember their privileges: don't create anything that anybody can access.

💡
Make sure your group:
- is the owner of your data directories,
- and has permission to read/write by group (default is by user).
⚠️ Don't use /home, because we only have an 8G disk.
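
The ownership and permission rules above can be checked from the CT's shell before a share goes live. The script below is an added example, not part of the original post; it assumes GNU stat and takes the directory and group as arguments (in this build that would be /srv/hdd and nas-user).

```shell
#!/bin/sh
# Added example, not from the original post: audit a share root before
# exporting it. Directory and group are arguments (assumed: /srv/hdd, nas-user).

# audit_share DIR GROUP -> one finding per line; exit status 1 if any.
audit_share() {
    dir=$1; want=$2; rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    group=$(stat -c '%G' "$dir")                    # group owner (GNU stat)
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")  # octal mode, e.g. 2770
    special=${mode%???}                             # setuid/setgid/sticky digit
    gbits=${mode#??}; gbits=${gbits%?}              # group permission digit

    if [ "$group" != "$want" ]; then
        echo "GROUP $dir belongs to $group, expected $want"; rc=1
    fi
    case $special in
        2|3|6|7) ;;   # setgid is set: new files inherit the directory's group
        *) echo "SETGID $dir lacks the setgid bit (chmod g+s)"; rc=1 ;;
    esac
    if [ "$gbits" != 7 ]; then
        echo "GROUPRW $dir mode $mode does not give the group rwx"; rc=1
    fi

    # Anything readable, writable or searchable by "other", share root included.
    # Symlinks are skipped because their own mode is always rwxrwxrwx.
    world=$(find "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$world" ]; then
        echo "$world" | sed 's/^/WORLD /'; rc=1
    fi
    return "$rc"
}

# Constructed demo: a scratch directory stands in for the real mount point.
demo=$(mktemp -d)
chmod 2770 "$demo"
touch "$demo/report.txt"; chmod 644 "$demo/report.txt"   # deliberately too open
audit_share "$demo" "$(stat -c '%G' "$demo")" || echo "share needs fixing"
rm -rf "$demo"
```

Run it as root inside the CT, for example audit_share /srv/hdd nas-user, and fix every reported line before adding the share in Cockpit.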

Use the NAS

Connect to the NAS and open your files. What I do is that I create the needed folders, like in this. That is then my test "drive".

⚠️ Don't connect to your personal folder - the system disk is only 8G.


References

Cockpit [1] is a GUI for servers with many features. It's great!
Samba [2] is the workhorse of storage all over the place. Samba is the standard Windows interoperability suite of programs for Linux and Unix.
Samba serves many clients: Apple, Linux, Windows, FreeBSD and Unix.
Network File System (NFS) [3]: NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.
See also this alternative solution: Ultra-lightweight NAS


  1. The Cockpit Project: see the home page and the documentation page. For other applications they have, see Applications.

  2. See the home page. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member. How to configure Samba: see the smb.conf man page. See also Wikipedia.

  3. NFS is an Internet Standard, client/server protocol developed in 1984 by Sun Microsystems. NFS enables a client to view, store, and update files on a remote computer as if they were locally stored. The main versions in deployment these days (client and server) are NFSv3, NFSv4, and NFSv4.1. See wiki ubuntu, RFC 5661, IETF.org NFSv4, IBM.