Birch Street Computing -

about me

John M is a Linux fan in Lowell, MA.

I work at at a company writing software. I fool around with Free and Open Source software for fun & profit.

I was big into Last.fm and you can still see some of what I listen to there. I can also be found using github and recently sourcehut as well as bitbucket (historically). I don't care for most popular social media sites. If I have an account on one or the other it's probably either old and unused or was created just for tinkering.

promo

Links to things I like, use, or otherwise feel is worth sharing. Things I'd like to see get more popular.

Samba in Kubernetes - Status Update 2

I had hoped to update the wider Samba community with another status report in December but I missed that boat. So January will have to do. This message is part of an ongoing effort to summarize what we've been up to as we work on integration for Samba in containers and Kubernetes 1.

As a reminder: our focus is to enable Samba based services running within Kubernetes clusters, however our container work should be completely independent of the orchestration layer, so you can use docker, podman, or other OCI container based orchestration systems.

Clustering/CTDB

We have continued working on making clustered smbd instances with CTDB a viable option for users. The low level work has not been changing a lot recently, and we've focused on improving the operator and how we create and manage clustered instances. The feature is still experimental but the workflow should not be changing much in the near future. Largely, you just need to create "SmbShare" resources that indicate they should be clustered and the minimum size of the cluster. We've improved our testing coverage but need to improve our infrastructure before we can stabilize the feature. We also have some plans to revisit how we configure the CTDB cluster as the nodes file is a bit of a challenge.

Like I mentioned in my previous message, we want to look into improving behavior with regards to node and container failover. We have not been able to spend much time on this yet, so we are unclear if we can combine CTDB's native IP failover with Kubernetes networking.

We're nearly done adding support for the vfs fileid module to the operator. Sachin Prabhu has a PR open on this topic 2. This change will ensure that the file system we're targeting (cephfs) will not depend on external factors like what order file systems were mounted by the kernel. For now, this is always enabled but we can make it configurable in the future.

ACL Xattr

We still want to run our containers without privileges and therefore being able to store NTACLs outside of "security.NTACL" continues to be a goal. In order to get this functionality, Günther Deschner is continuing work on the open Samba project merge request 3. Günther is working to improve the hooks into the VFS layer to handle performance and layering concerns raised in that PR.

CI and Testing Infrastructure

Currently, all our projects rely entirely on the github actions CI. However, we've hit some limitations with this infrastructure, especially with the ability to run integration tests on multi-node clusters for CTDB Clustered instances. Anoop C S has been working on arranging a new testing infrastructure using the CentOS CI 4. This system will allow us to run VMs in our tests and support virtual multi-node clusters. In addition to setting up this infrastructure for our Samba-in-Containers work, the plan is to also use this for the gluster/samba integration tests, and perhaps other samba integration tests in the future.

AD DC Containers

The samba-containers project generates images for client, server, and AD (DC) servers. However, the AD DC server images today produce containers that can only act as a single DC in a hard-coded domain with hard-coded users and groups. This has been working fine for our team for a while because our needs for the Samba AD is limited: we use it as part of our integration tests and not much else. As part of a general effort to make the samba-containers project more generally useful, I spent some time over the holidays working on making the AD DC container image work with custom settings 5. The new image will be based on the sambacc project, just like the file server image has been for a while. Soon, the image will be configurable, support provisioning a new domain, as well as joining a new DC to an existing domain.

Running an AD DC container continues to require executing the container with SYS_ADMIN capabilities.

Wrap Up

Work continues on many of the projects living under the samba-in-kubernetes umbrella. We're hoping that these (semi-)regular updates help create some additional interest in these efforts. Feel free to reply with questions/comments/concerns. We'd also love it if you drop by our github projects as well. Even feature requests are welcome. :-)

Thanks for reading!

PS. This is a reformatted version of what I sent to the samba mailing lists 6. I'm "blogging" these for easy reference and discoverability.

1https://github.com/samba-in-kubernetes
2https://github.com/samba-in-kubernetes/samba-operator/pull/129
3https://gitlab.com/samba-team/samba/-/merge_requests/1908
4https://jenkins-samba.apps.ocp.ci.centos.org/
5https://github.com/samba-in-kubernetes/sambacc/pull/28
6https://lists.samba.org/archive/samba-technical/2022-January/137072.html

Every blog page or article on this site is available under the CC-BY-SA license unless otherwise noted.