Samba in Containers/Kubernetes Status Update 2

John Mulligan phlogistonjohn at asynchrono.us
Wed Jan 12 18:42:12 UTC 2022


Samba in Containers/Kubernetes Status Update vol. 2
====================================================

I had hoped to update the wider Samba community with another status report
in December but I missed that boat. So January will have to do. This message
is part of an ongoing effort to summarize what we've been up to as we
work on integration for Samba in containers and Kubernetes [1].

As a reminder: our focus is to enable Samba-based services running within
Kubernetes clusters; however, our container work should be completely
independent of the orchestration layer, so you can use docker, podman, or
other OCI container based orchestration systems.


Clustering/CTDB
-----------------

We have continued working on making clustered smbd instances with CTDB a 
viable option for users. The low level work has not been changing a lot 
recently, and we've focused on improving the operator and how we create and 
manage clustered instances. The feature is still experimental but the workflow 
should not be changing much in the near future. Largely, you just need to 
create "SmbShare" resources that indicate they should be clustered and the 
minimum size of the cluster. We've improved our testing coverage but need to 
improve our infrastructure before we can stabilize the feature. We also have 
some plans to revisit how we configure the CTDB cluster as the nodes file is a 
bit of a challenge.
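The nodes file problem mentioned above comes from how CTDB numbers its nodes: the node number (PNN) of each member is the zero-based index of its line in the nodes file, so every member must see identical content in the same order, which pod IPs handed out by Kubernetes do not give you for free. The following is an added illustration of one way to keep that ordering stable; it is example code written for this page, not the samba-operator's implementation, and it assumes the clustered pods belong to a StatefulSet with names like `smb-ctdb-0`, `smb-ctdb-1` (ordinal suffix), which is an assumption about naming rather than something the status update states.

```python
import re
from typing import Dict, List, Optional

# Assumed naming convention: StatefulSet pods such as "smb-ctdb-0", "smb-ctdb-1".
# The trailing ordinal, not the pod IP or the order the API returns pods in,
# decides the CTDB node number (PNN).
_ORDINAL = re.compile(r"-(\d+)$")


def pod_ordinal(pod_name: str) -> int:
    """Return the StatefulSet ordinal embedded at the end of a pod name."""
    m = _ORDINAL.search(pod_name)
    if not m:
        raise ValueError(f"not a StatefulSet pod name: {pod_name!r}")
    return int(m.group(1))


def render_nodes_file(pod_ips: Dict[str, str], cluster_size: int) -> str:
    """Render a CTDB nodes file (one private IP per line) from pod name -> IP.

    CTDB derives a node's PNN from its line index, so every node must see
    byte-identical content.  Sorting by pod ordinal makes the result
    independent of the order the pods were listed in.  An ordinal whose pod
    has no IP yet is emitted as a commented-out line: CTDB treats a line
    starting with '#' as a deleted node that still consumes its PNN, so the
    nodes after it keep their numbers once the missing pod appears (the
    running cluster then needs a nodes reload to pick up the new line).
    """
    by_ordinal: Dict[int, str] = {}
    for name, ip in pod_ips.items():
        n = pod_ordinal(name)
        if n in by_ordinal:
            raise ValueError(f"duplicate ordinal {n} in pod list")
        by_ordinal[n] = ip
    top = max([cluster_size] + [n + 1 for n in by_ordinal])
    lines = []
    for pnn in range(top):
        ip = by_ordinal.get(pnn)
        lines.append(ip if ip is not None else f"# pnn {pnn}: pod not scheduled yet")
    return "\n".join(lines) + "\n"


def parse_nodes_file(text: str) -> List[Optional[str]]:
    """Parse a nodes file into a PNN-indexed list; None marks a deleted node.

    Blank lines are skipped here because render_nodes_file never emits them.
    """
    nodes: List[Optional[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        nodes.append(None if line.startswith("#") else line)
    return nodes


def pnn_of(text: str, ip: str) -> int:
    """Return the PNN CTDB would assign to `ip` under this file, or -1 if absent."""
    nodes = parse_nodes_file(text)
    return nodes.index(ip) if ip in nodes else -1


if __name__ == "__main__":
    # Constructed sample: pod 1 is not scheduled yet, and two nodes list the
    # pods in different order but must still agree on the file.
    seen_by_node_a = {"smb-ctdb-0": "10.244.1.5", "smb-ctdb-2": "10.244.3.9"}
    seen_by_node_b = {"smb-ctdb-2": "10.244.3.9", "smb-ctdb-0": "10.244.1.5"}
    assert render_nodes_file(seen_by_node_a, 3) == render_nodes_file(seen_by_node_b, 3)
    print(render_nodes_file(seen_by_node_a, 3), end="")
```

The point of the commented-out placeholder is that an IP-sorted or API-order file would renumber the surviving nodes whenever a pod is missing, and a PNN change under a live cluster is exactly the kind of failure the email alludes to.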

Like I mentioned in my previous message, we want to look into improving
behavior with regards to node and container failover. We have not been able to
spend much time on this yet, so we are unclear if we can combine CTDB's native
IP failover with Kubernetes networking.

We're nearly done adding support for the vfs fileid module to the operator.
Sachin Prabhu has a PR open on this topic [2]. This change will ensure that 
the file system we're targeting (cephfs) will not depend on external factors 
like what order file systems were mounted by the kernel. For now, this is 
always enabled but we can make it configurable in the future.


ACL Xattr
----------

We still want to run our containers without privileges and therefore being 
able to store NTACLs outside of "security.NTACL" continues to be a goal. In 
order to get this functionality, Günther Deschner is continuing work on the 
open Samba project merge request [3]. Günther is working to improve the hooks 
into the VFS layer to handle performance and layering concerns raised in that 
PR.
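The privilege problem behind this paragraph is a Linux rule rather than a Samba one: in the absence of a security module, any process may read `security.*` extended attributes, but writing them requires CAP_SYS_ADMIN (see xattr(7)), so a container that drops that capability cannot store a descriptor in `security.NTACL` at all. The probe below is an added example written for this page, not code from Samba or the merge request; the alternative attribute name `user.NTACL` is an assumed placeholder for illustration and is not the name the merge request uses, and the descriptor bytes are constructed.

```python
import errno
import os
import tempfile
from typing import Dict, Optional

# Samba keeps the NT security descriptor in the xattr "security.NTACL".
# Writes to the security.* namespace need CAP_SYS_ADMIN on Linux.
SECURITY_NTACL = "security.NTACL"
# Assumption for illustration only: a user-namespace attribute name.  The
# user.* namespace is writable by the file's owner without any capability.
USER_NTACL = "user.NTACL"


def try_store(path: str, attr: str, blob: bytes) -> str:
    """Write blob to xattr `attr` on path and read it back.

    Returns "ok" on a successful round trip, otherwise a short reason.
    Never raises, so the caller can try the next namespace.
    """
    if not hasattr(os, "setxattr"):
        return "xattrs not available on this platform"
    try:
        os.setxattr(path, attr, blob)
        stored = os.getxattr(path, attr)
    except OSError as exc:
        code = errno.errorcode.get(exc.errno, str(exc.errno))
        # EPERM here on security.* is the "no CAP_SYS_ADMIN" case;
        # ENOTSUP/EOPNOTSUPP means the filesystem lacks that namespace.
        return f"{code}: {os.strerror(exc.errno) if exc.errno else exc}"
    return "ok" if stored == blob else "read-back mismatch"


def probe_acl_storage(directory: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Create a scratch file and try security.NTACL first, user.NTACL second.

    Returns {"namespace": "security" | "user" | None,
             "security": outcome, "user": outcome or "not attempted"}.
    """
    blob = b"constructed-security-descriptor-bytes"  # constructed stand-in
    result: Dict[str, Optional[str]] = {"namespace": None, "security": None,
                                        "user": "not attempted"}
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        path = os.path.join(tmp, "share-file")
        with open(path, "wb") as fh:
            fh.write(b"payload")
        result["security"] = try_store(path, SECURITY_NTACL, blob)
        if result["security"] == "ok":
            result["namespace"] = "security"
            return result
        result["user"] = try_store(path, USER_NTACL, blob)
        if result["user"] == "ok":
            result["namespace"] = "user"
    return result


if __name__ == "__main__":
    # Run once as an unprivileged user and once with CAP_SYS_ADMIN to see
    # the "security" outcome flip between EPERM and ok.
    for key, value in probe_acl_storage().items():
        print(f"{key:10} {value}")
```

Run it inside a container started with and without `--cap-add SYS_ADMIN` (or as a non-root user on the host) to see the `security` line change between `EPERM` and `ok` while the `user` write succeeds either way; that difference is the whole reason the merge request exists.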


CI and Testing Infrastructure
-------------------------------

Currently, all our projects rely entirely on the GitHub Actions CI. However,
we've hit some limitations with this infrastructure, especially with the 
ability to run integration tests on multi-node clusters for CTDB Clustered 
instances. Anoop C S has been working on arranging a new testing 
infrastructure using the CentOS CI [4]. This system will allow us to run VMs 
in our tests and support virtual multi-node clusters. In addition to setting 
up this infrastructure for our Samba-in-Containers work, the plan is to also 
use this for the gluster/samba integration tests, and perhaps other samba 
integration tests in the future.


AD DC Containers
-----------------

The samba-containers project generates images for client, server, and AD (DC)
servers.  However, the AD DC server images today produce containers that can
only act as a single DC in a hard-coded domain with hard-coded users and
groups. This has been working fine for our team for a while because our needs
for the Samba AD are limited: we use it as part of our integration tests and
not much else. As part of a general effort to make the samba-containers 
project more generally useful, I spent some time over the holidays working on 
making the AD DC container image work with custom settings [5]. The new image 
will be based on the sambacc project, just like the file server image has been 
for a while. Soon, the image will be configurable, support provisioning a new 
domain, as well as joining a new DC to an existing domain.

Running an AD DC container continues to require executing the container with
SYS_ADMIN capabilities.


Wrap Up
---------

Work continues on many of the projects living under the samba-in-kubernetes
umbrella.  We're hoping that these (semi-)regular updates help create some
additional interest in these efforts. Feel free to reply with
questions/comments/concerns. We'd also love it if you drop by our github
projects as well. Even feature requests are welcome. :-)


Thanks for reading!


[1] - https://github.com/samba-in-kubernetes

[2] - https://github.com/samba-in-kubernetes/samba-operator/pull/129

[3] - https://gitlab.com/samba-team/samba/-/merge_requests/1908

[4] - https://jenkins-samba.apps.ocp.ci.centos.org/

[5] - https://github.com/samba-in-kubernetes/sambacc/pull/28