Samba in Containers/Kubernetes Status Update 2
John Mulligan
phlogistonjohn at asynchrono.us
Wed Jan 12 18:42:12 UTC 2022

Samba in Containers/Kubernetes Status Update vol. 2
===================================================
I had hoped to update the wider Samba community with another status report
in December but I missed that boat. So January will have to do. This message
is part of an ongoing effort to summarize what we've been up to as we
work on integration for Samba in containers and Kubernetes [1].
As a reminder: our focus is to enable Samba based services running within
Kubernetes clusters; however, our container work should be completely
independent of the orchestration layer, so you can use docker, podman, or
other OCI container based orchestration systems.

Clustering/CTDB
---------------
We have continued working on making clustered smbd instances with CTDB a
viable option for users. The low level work has not been changing a lot
recently, and we've focused on improving the operator and how we create and
manage clustered instances. The feature is still experimental but the workflow
should not be changing much in the near future. Largely, you just need to
create "SmbShare" resources that indicate they should be clustered and the
minimum size of the cluster. We've improved our testing coverage but need to
improve our infrastructure before we can stabilize the feature. We also have
some plans to revisit how we configure the CTDB cluster as the nodes file is a
bit of a challenge.

Like I mentioned in my previous message, we want to look into improving
behavior with regards to node and container failover. We have not been able to
spend much time on this yet, so we are unclear if we can combine CTDB's native
IP failover with Kubernetes networking.

We're nearly done adding support for the vfs fileid module to the operator.
Sachin Prabhu has a PR open on this topic [2]. This change will ensure that
the file system we're targeting (cephfs) will not depend on external factors
like what order file systems were mounted by the kernel. For now, this is
always enabled but we can make it configurable in the future.

ACL Xattr
---------
We still want to run our containers without privileges and therefore being
able to store NTACLs outside of "security.NTACL" continues to be a goal. In
order to get this functionality, Günther Deschner is continuing work on the
open Samba project merge request [3]. Günther is working to improve the hooks
into the VFS layer to handle performance and layering concerns raised in that
PR.

CI and Testing Infrastructure
-----------------------------
Currently, all our projects rely entirely on the github actions CI. However,
we've hit some limitations with this infrastructure, especially with the
ability to run integration tests on multi-node clusters for CTDB Clustered
instances. Anoop C S has been working on arranging a new testing
infrastructure using the CentOS CI [4]. This system will allow us to run VMs
in our tests and support virtual multi-node clusters. In addition to setting
up this infrastructure for our Samba-in-Containers work, the plan is to also
use this for the gluster/samba integration tests, and perhaps other samba
integration tests in the future.

AD DC Containers
----------------
The samba-containers project generates images for client, server, and AD (DC)
servers. However, the AD DC server images today produce containers that can
only act as a single DC in a hard-coded domain with hard-coded users and
groups. This has been working fine for our team for a while because our needs
for the Samba AD are limited: we use it as part of our integration tests and
not much else. As part of a general effort to make the samba-containers
project more generally useful, I spent some time over the holidays working on
making the AD DC container image work with custom settings [5]. The new image
will be based on the sambacc project, just like the file server image has been
for a while. Soon, the image will be configurable and will support provisioning
a new domain as well as joining a new DC to an existing domain.

Running an AD DC container continues to require executing the container with
SYS_ADMIN capabilities.

Wrap Up
-------
Work continues on many of the projects living under the samba-in-kubernetes
umbrella. We're hoping that these (semi-)regular updates help create some
additional interest in these efforts. Feel free to reply with
questions/comments/concerns. We'd also love it if you drop by our github
projects as well. Even feature requests are welcome. :-)
Thanks for reading!

[1] - https://github.com/samba-in-kubernetes
[2] - https://github.com/samba-in-kubernetes/samba-operator/pull/129
[3] - https://gitlab.com/samba-team/samba/-/merge_requests/1908
[4] - https://jenkins-samba.apps.ocp.ci.centos.org/
[5] - https://github.com/samba-in-kubernetes/sambacc/pull/28