Unprivileged LXC file server to share ZFS pool via CIFS?

TheBokke
Jun 18, 2018
Hello Team,

I'm relatively new to Proxmox. I'm in the process of rebuilding my Proxmox host, which has a ZFS storage pool that I need to share to VMs/containers (Linux) and other physical Windows machines on the network.

On the previous build I had samba running on the host which worked fine but I read this isn't best practice to modify the hypervisor. To help with portability/redundancy I'd like to have these served from guest instances via CT/VM.

My preference is to use LXC and to ensure security it looked like unprivileged LXC was the way to go, using turnkey file server template and then using bind mounts to the zpool and then configuring uid and gid mappings accordingly.

However, I've just read that it is not possible to have the Samba server running properly in an unprivileged container? Is this correct? My preference is to use a container, but if need be I will have to create a VM, as I don't want to do privileged in this instance.

If I need to go down the VM route, does the ZFS share=nfs allow sharing the pool without the need to modify the host?

Thanks
Damon
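The "bind mounts to the zpool and then configuring uid and gid mappings" approach mentioned in the post is an added example here, not code from the original thread or from Proxmox. For an unprivileged container, LXC shifts container ids into a host range (by default 100000..165535 on Proxmox), so a file owned by uid 1000 inside the container appears as host uid 101000 on the bind-mounted dataset. To let one container uid/gid own files on the host under the same id, the range has to be split into three `lxc.idmap` entries in `/etc/pve/lxc/<CTID>.conf`, and root has to be allowed to map that single host id in `/etc/subuid` and `/etc/subgid`. The script below generates those lines and checks that the map still covers the full range (a gap or overlap leaves ids unmapped and the container fails to start). `BASE` and `SIZE` are assumed to be the defaults; `<CTID>` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build the lxc.idmap lines that map one
# container uid/gid 1:1 to the host while every other id stays inside the
# container's shifted range. BASE/SIZE assume a default Proxmox unprivileged
# container (host range 100000..165535).

BASE=100000
SIZE=65536

# idmap_lines KIND ID -> prints the lxc.idmap lines for KIND ("u" or "g") and ID.
# Each line is: lxc.idmap: KIND <container-start> <host-start> <count>
idmap_lines() {
    kind="$1"; id="$2"
    if [ "$id" -lt 0 ] || [ "$id" -ge "$SIZE" ]; then
        echo "id $id outside 0..$((SIZE - 1))" >&2
        return 1
    fi
    # ids below ID keep the normal shifted mapping (omitted when ID is 0)
    [ "$id" -gt 0 ] && printf 'lxc.idmap: %s 0 %s %s\n' "$kind" "$BASE" "$id"
    # ID itself maps 1:1 to the same id on the host
    printf 'lxc.idmap: %s %s %s 1\n' "$kind" "$id" "$id"
    # ids above ID continue the shifted mapping (omitted when ID is the last id)
    rest=$((SIZE - id - 1))
    [ "$rest" -gt 0 ] && printf 'lxc.idmap: %s %s %s %s\n' \
        "$kind" "$((id + 1))" "$((BASE + id + 1))" "$rest"
    return 0
}

# subid_entry ID -> the line root needs in /etc/subuid and /etc/subgid so that
# it is allowed to hand this single host id to the container
subid_entry() {
    printf 'root:%s:1\n' "$1"
}

# idmap_total KIND ID -> number of container ids covered by the generated map.
# Sanity check: it must equal SIZE, otherwise some ids are left unmapped.
idmap_total() {
    idmap_lines "$1" "$2" | awk '{ total += $5 } END { print total + 0 }'
}

# idmap_line_count KIND ID -> how many lxc.idmap lines were generated
idmap_line_count() {
    idmap_lines "$1" "$2" | awk 'END { print NR }'
}

# Usage when run directly:  sh idmap.sh 1000
# Prints the uid and gid maps for /etc/pve/lxc/<CTID>.conf plus the subuid/subgid entry.
if [ -n "${1:-}" ]; then
    idmap_lines u "$1"
    idmap_lines g "$1"
    echo "# add to /etc/subuid and /etc/subgid: $(subid_entry "$1")"
    echo "# ids covered: $(idmap_total u "$1") of $SIZE"
fi
```

After adding the lines, the bind-mounted dataset (or the subtree the share exposes) needs to be owned by that host uid/gid, and the container's `mp0:` entry points at the dataset mountpoint; everything else in the container keeps running under the shifted, unprivileged ids.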

> this has ZFS storage pool which I need to share to VMs/Containers (linux) and other physical windows machines on the network,
>
> On the previous build I had samba running on the host which worked fine but I read this isn't best practice to modify the hypervisor. To help with portability/redundancy I'd like to have these served from guest instances via CT/VM.

If the data is stored on the local ZFS pool, you are not really able to have redundancy or portability as you are locked to that node. In that case, why not share it directly from the PVE node again? It is based on Debian, which means that the regular tools / packages for sharing it via samba/cifs apply.

> My preference is to use LXC and to ensure security it looked like unprivileged LXC was the way to go, using turnkey file server template and then using bind mounts to the zpool and then configuring uid and gid mappings accordingly.

Turnkey containers are generally meant to be run as privileged containers.

> However I've just read that it is not possible to have the samba server running properly on an unprivileged container?? Is this correct? My preference is to use a container but if needs be I will have to create a VM as I dont want to do priviliged in this instance.

Needs to be a privileged container, and even then you need to activate the CIFS feature in the Options->Features panel of the container.

> If I need to go down the VM route, does the ZFS share=nfs allow sharing the pool without the need to modify the host?

A VM has no direct access to a file system running on the host. You can create one big disk for the VM and move your data to the VM, but to do so you will have to use a network share on the host or something like rsync.

Thanks for taking the time to reply, Aaron. What I was hoping for with containers was to have backups, so if I ever needed to rebuild the host to a newer version I could just copy back the container to simplify the rebuild. Getting my all-in-one server up and running last time took some effort, and a lot of reading.

If I go with privileged LXC, can you make some suggestions on what I could do to make it more secure? It'll run on a home network behind a separate of sense box, as a general all-in-one file/media/home automation server.

Alternatively, installing CIFS on the host is the alternative, which I could always revert back to.

Thanks for the help.