Thursday, August 11, 2011

Great Private File Server for Medium to Small Environments

Use Open Indiana with ZFS to Create a Somewhat Locked Down File Server


Install OpenIndiana v148 with SSH


You will need a system with at least four (4) disks for this example.

  • The system disk
    • This disk holds the operating system.
    • I recommend at least 30GB
    • The faster the better
  • The first data disk
    • This is the first disk of a pair.
    • Reliability is paramount
    • Buy as big as you can afford
  • The second data disk
    • This is the second disk of a pair.
    • Reliability, again, is paramount
    • And buy as big as you can afford
  • AT LEAST ONE BACKUP DISK
    • RAID, ZFS and the like exist to help with uptime
    • ZFS also assists in somewhat painlessly growing your storage capacity
    • Backup is backup; redundant disk strategies are for staying in service through a disk failure, not a substitute for backup
    • Buy as big as you can afford

Follow the prompts, turn on SSH, use the whole system disk.


Update the system via CLI


pkg image-update --require-new-be

The GUI package tools do not work in release 148 as installed, so update from the CLI.


Find the disk names


format

Use [CTRL + C] to exit the format command


Create the mirrored zpool


zpool create newpool mirror c2t2d0 c2t3d0

Check out your handiwork


zpool status
df -h

Create a base directory structure


newpool|-business
       |-hobby
       |-books
       |-users|-admin01
       |      |-asmith|-shared
       |      |-lsmith|-shared
       |-misc

mkdir /newpool/business/
mkdir /newpool/hobby/
mkdir /newpool/books/
mkdir /newpool/users/
mkdir /newpool/users/admin01/
mkdir /newpool/users/asmith/
mkdir /newpool/users/asmith/shared/
mkdir /newpool/users/lsmith/
mkdir /newpool/users/lsmith/shared/
mkdir /newpool/misc/

Create any groups if necessary


groupadd admin01
groupadd internal
groupadd external
groupadd common

The chown step below also assigns the hobby and books directories to a group named peers; create that group here too with groupadd, or substitute one of the groups above, otherwise that chown fails. Note that none of the useradd commands below put anyone in peers, so as written only the owner reaches those two directories.


Add any non-existing initial users


Please note that I am creating two users with two commands; they are long, so the text wraps.


useradd -d /newpool/users/asmith/ -c "Adam Smith" -G internal,common -s /usr/lib/rsh asmith
useradd -d /newpool/users/lsmith/ -c "Luanne Smith" -G external,common -s /usr/lib/rsh lsmith

The options are as follows:

  • -d is the home directory, /newpool/users/username/ in this example.
  • -c is the real name; it can be anything, but if you want it to contain a space then enclose the value in double quotes.
  • -G lists, separated by commas, the groups that own the directories you want the person to have access to.
    • At the very least I give membership to the common group: -G common .
    • But maybe I want to give access to the external directory as well: -G external,common .
  • -s /usr/lib/rsh is the 'restricted shell' to prevent a lot of funny business: it stops the user from changing directory, setting PATH, running commands by a path containing a slash, or redirecting output. It only limits what is typed at the prompt, so keep the user's PATH free of unrestricted shells and of editors that can spawn one.

Set passwords for any non-existing initial users


passwd lsmith
passwd asmith

passwd username

(Enter password twice-- tada!)

(passwd: password successfully changed for username)


Modify existing users


usermod -G admin01,internal,common admin01

(UX: usermod: admin01 is currently logged in, some changes may not take effect until next login.)


You can verify user information in the plaintext /etc/passwd file (password hashes are kept separately in /etc/shadow, readable only by root).

You can verify group creation in the plaintext /etc/group file.


Apply proper owner:group properties


chown admin01:admin01 /newpool/business/
chown admin01:peers /newpool/hobby/
chown admin01:peers /newpool/books/
chown admin01:admin01 /newpool/users/
chown admin01:admin01 /newpool/users/admin01/
chown asmith:admin01 /newpool/users/asmith/
chown asmith:admin01 /newpool/users/asmith/shared/
chown lsmith:admin01 /newpool/users/lsmith/
chown lsmith:admin01 /newpool/users/lsmith/shared/
chown admin01:common /newpool/misc/

Apply proper permissions

(4 read, 2 write, 1 execute; the three digits are for owner, group and others)

(Note: the execute bit on a directory is what lets a user traverse it; a user who is neither the owner nor in the group needs that bit set for others on every directory along the path in order to reach anything underneath.)


chmod 700 /newpool/business/
chmod 750 /newpool/hobby/
chmod 750 /newpool/books/
chmod 711 /newpool/users/
chmod 770 /newpool/users/admin01/
chmod 770 /newpool/users/asmith/
chmod 770 /newpool/users/asmith/shared/
chmod 770 /newpool/users/lsmith/
chmod 770 /newpool/users/lsmith/shared/
chmod 750 /newpool/misc/

770 gives read, write and traverse to the owner and to group members, and nothing to others - for regular user directories

750 gives read, write and traverse to the owner, read and traverse to group members, and nothing to others - for read-only access by regular users

711 gives full access to the owner, and lets everyone traverse the directory without being able to list it - allows regular users to descend deeper into the directory tree to the places where they do have access

700 gives no access to anyone but the owner; others can't even open the directory - revokes access for regular users entirely
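As an added example (not part of the original post), here is a small Python model of the tree, owners, modes and group memberships configured above, so the scheme can be checked before anyone relies on it. The ancestor walk in can() is the "execute required to traverse" rule from above. One assumption: the pool root /newpool is treated as root:root 755, which the post never sets. Walking the model shows, for instance, that only admin01 can read hobby and books, because the peers group is never given any members.

```python
import os

# Group memberships as created above by groupadd, useradd -G and usermod -G.
GROUPS = {
    "admin01": {"admin01"},
    "internal": {"admin01", "asmith"},
    "external": {"lsmith"},
    "common": {"admin01", "asmith", "lsmith"},
    "peers": set(),  # named in the chown step but nobody is ever added to it
}
# path -> (owner, group, mode) exactly as the chown and chmod steps set them.
# Assumption: the pool root /newpool is root:root 755 (the post never sets it).
TREE = {
    "/newpool": ("root", "root", 0o755),
    "/newpool/business": ("admin01", "admin01", 0o700),
    "/newpool/hobby": ("admin01", "peers", 0o750),
    "/newpool/books": ("admin01", "peers", 0o750),
    "/newpool/users": ("admin01", "admin01", 0o711),
    "/newpool/users/admin01": ("admin01", "admin01", 0o770),
    "/newpool/users/asmith": ("asmith", "admin01", 0o770),
    "/newpool/users/asmith/shared": ("asmith", "admin01", 0o770),
    "/newpool/users/lsmith": ("lsmith", "admin01", 0o770),
    "/newpool/users/lsmith/shared": ("lsmith", "admin01", 0o770),
    "/newpool/misc": ("admin01", "common", 0o750),
}
USERS = ("admin01", "asmith", "lsmith")
BIT = {"r": 4, "w": 2, "x": 1}

def bits_for(user, path):
    """The rwx triplet that applies to user on path: owner, group or other."""
    owner, group, mode = TREE[path]
    if user == owner:
        return (mode >> 6) & 7
    if user in GROUPS.get(group, set()):
        return (mode >> 3) & 7
    return mode & 7

def can(user, path, want):
    """True if user holds `want` (r, w or x) on path and the search (x) bit on
    every ancestor, which is what reaching path requires. root is not modelled."""
    parent = os.path.dirname(path)
    while parent != "/":
        if not bits_for(user, parent) & BIT["x"]:
            return False
        parent = os.path.dirname(parent)
    return bool(bits_for(user, path) & BIT[want])

def who_can(path, want):
    """Sorted list of modelled users holding `want` on path."""
    return sorted(u for u in USERS if can(u, path, want))
```

Calling who_can("/newpool/hobby", "r") returns only admin01, and can("asmith", "/newpool/users/lsmith", "x") is False even though asmith can pass through /newpool/users thanks to its 711 mode.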


NFS & Samba


Currently, I don't have any NFS or Samba shares set up for this server.

I will update the instructions should that change.


Set quotas


On my file server I don't plan on having many users and even fewer user groups. So far I have no plans for any quotas.


If I did set a quota, I would likely do it on a user by user basis.


zfs set userquota@username=100G newpool/users/username

However, with version 15 of ZFS, group quotas are available as well.


zfs set groupquota@common=250GB newpool/misc

More users?


Add new directories


Create /newpool/users/username/ and /newpool/users/username/shared/ with mkdir, as above.

Add new users


useradd -d /newpool/users/username/ -c "Fname Lname" -G [comma separated list,]common -s /usr/lib/rsh username

Change owner:group properties to new users directories


Same as above


Apply proper permissions to new directories


Same as above


Set new user password


Same as above

5 comments:

  1. As an alternative you could create distinct zfs filesystems for each of the sub-directories you specified. That way you could set compression, de-dupe, and other parameters per user/application, and back them up individually with zfs send and receive.

  2. It's just a pair of mirrored disks for an exceptionally small dataset, a few hundred gigabytes so far. But, this is a starting point.

  3. Hello, what about a directory "Downloads" or "Temporary" accessible to everyone? Would each user still retain ownership/permissions to the files created or would they get the permissions of the containing folder? Such directory would be used also for file exchange.
    And what about remote SSH access? have you implemented 2 factor authentication for SSH?
    Thanks

  4. You can modify the directories as you like. I put a 'misc' directory in there for just that purpose.

    You are going to want to google the terms linux and "sticky bits".

    chmod ug+s directory/file

    A fully fleshed out command as above will set the default ownership and groups for a file. I forgot that when I wrote this-- which I became painfully aware of after I made some command line edits with root privileges.

    You can also set the umask default for user new files in your useradd scripts if the stock permission settings are not to your liking.

    No, I haven't done 2 factor authentication. Login is handled via plain SSH on the standard port of 22. The server has login failed wait times that increase on a logarithmic scale where each wait between failed logins is longer and longer. I can't remember if it is standard or something I added. I did tell people that this is a privately run dropbox alternative without all the nice web GUI features dropbox has. I also told them to encrypt any sensitive files. I feel my responsibility is to set up relatively good security and keep good backups of the data, nothing more.

  5. NFS4 (sys security is based in UIDs, so extremely unsecure, use only on closed networks):
    zfs set newpool/users sharenfs=on sec=sys,rw=@192.168.0.0/24
    SMB:
    zfs set newpool/users sharesmb=on name=home,rw=@192.168.0.0/24
    These are from "zfs get" so the syntax may be erroneous, check from Oracle docs!
    I also HEAVILY recommend ZIL log in SSD for NFS, it increases write performance up to ten fold in my case.
    See http://www.saunalahti.fi/joukhol/openindiana.html
