[Samba] Container setup?

Sven Schwedas sven.schwedas at tao.at
Wed Jul 3 13:21:37 UTC 2019


> * What are the pros and cons of containers vs. VMs?

Same as any other containerized setup. We've been running our Samba DCs
and file servers in nspawn containers (similar to LXC) for a couple of
years, no container-specific issues yet.

Though I'm not sure if docker is the right tool for the job; samba as a
fat daemon running a bazillion subprocesses orchestrated by a persistent
database that's very sensitive to instances leaving and joining the
domain seems the antithesis to docker's philosophy.

> * What is the right distro to start with?

Probably Debian or Ubuntu stable, as there are community-provided Samba
builds for them. Distro builds are in general pretty crap.

> * Don't know versions for Alpine. But Alpine is reported to have
> problems with DNS resolution, and I don't know to what extent they are
> relevant with a DC.

Alpine uses musl-libc rather than glibc, and does not utilize NSSwitch.
This is a problem for anything that needs or wants alternate
authentication and/or name service backends, including
winbind/kerberos/ldap.

> * What are the minimum packages required?

Depends on your distro and what features you want (printer support, e.g.)

> * I have seen some containers using PAM, but who authenticates into a
> container?

Samba's databases need management, and not all of it can be done remotely.

I think docker exec would suffice for samba's use case, though.

> * What is a good and secure configuration?

Depends on what you need to be compatible with. If some client software
needs SMB1 support, it's not going to get very secure…

> * Most of the containers appear to use administrator secrets from a
> configuration file; I'd prefer a prompt during initial startup (probably at
> the expense that only a second start may detach).

Modify their docker files as needed?

> * What are the pros and cons of using a static IP for the container
> vs. port forwarding?

Kerberos and AD are very sensitive to DNS issues; you're going to go
insane without static IPs.

AD also needs a *lot* of ports open to work.

> * VPN in the container or on the host? Actually I'd go for WireGuard
> rather than OpenVPN.

Whatever works better with your network setup, there's nothing
preventing openvpn/wireguard from running on the same instance as samba.

> * How to include more BIND configuration, e.g. for an additional DNS
> zone? Or require that on a different DNS server?

Given the continuous issues people have with BIND, I'd recommend using
the internal DNS backend (maybe behind another, external DNS server)
unless you have specific needs only BIND can handle.

> * What about sysvol?

sysvol needs to be externally replicated to all your instances. I'd
recommend running something like lsyncd inside the container and using its
Lua scripting capabilities (or external scripts) to a) make sure it
doesn't run on the wrong instance and b) replicate everything to all DCs.

> * ntpd - <https://marc.info/?l=samba&m=154695462230809&w=2> ?

NTP doesn't necessarily have to run inside Samba's container. All that's
necessary is that all domain joined machines have their clocks synced
within at most 5 minutes deviation. In practice, any even remotely sane
NTP setup will be within ±1 second.

> * How to do updates?
>
> * I can imagine using a cron job to tear down the container, then pull
> or rebuild, then up. And schedule this for different work days for different
> instances.

Within the same major release that should work, as long as
/var/lib/samba is kept persistent. Between major releases you might need
to migrate config files etc.

For proper availability you probably need to make sure that FSMO roles
are moved off the to-be-updated machine first, and if necessary seized
back after the update.

> * How to monitor that replication is working?
>
> * I have seen some warnings about replication and containers, but I
> can only guess what the root cause really is.

`samba-tool drs showrepl --json` is available with Samba 4.9+; that
should be relatively easy to parse and monitor.

With older versions you'll have to parse the textual output, which is a
pain in the ass, but doable.


-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
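The replication check suggested above, as an added example that is not part of the original post or of Samba's own tooling: a small Python script that parses the JSON from `samba-tool drs showrepl --json` and flags partners with failed attempts or a stale last success. The key names ("inboundNeighbors", "outboundNeighbors", "consecutive failures", "last attempt message", "last success", "DSA", "NC dn"), the one-hour staleness threshold and the timestamp formats are assumptions to verify against the output of your own Samba version; the embedded sample report is constructed so the script can be run offline.

```python
#!/usr/bin/env python3
"""Check Samba AD replication health from `samba-tool drs showrepl --json`.

Added example for this thread, not Samba's own code. Key names and timestamp
formats are assumed; compare them with the JSON your Samba version emits.
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Assumed policy: a partner whose last successful sync is older than this is "stale".
MAX_AGE = timedelta(hours=1)

# Timestamp formats tried in order (assumptions; adjust to your output).
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%a %b %d %H:%M:%S %Y %Z")


def parse_time(text):
    """Return an aware UTC datetime, or None if no known format matches."""
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except (ValueError, TypeError):
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    return None


def check_neighbours(report, now, max_age=MAX_AGE):
    """Walk inbound and outbound neighbours; return a list of problem strings.

    An empty list means every partner replicated successfully and recently.
    """
    problems = []
    for direction in ("inboundNeighbors", "outboundNeighbors"):
        for n in report.get(direction, []):
            partner = n.get("DSA", "?")
            nc = n.get("NC dn", "?")
            failures = int(n.get("consecutive failures", 0))
            message = n.get("last attempt message", "")
            # Any non-zero failure count or non-success message is a problem on its own.
            if failures > 0 or message != "was successful":
                problems.append(f"{direction} {partner} {nc}: {failures} consecutive "
                                f"failures, last attempt {message}")
                continue
            # A partner can look healthy yet not have synced for a long time.
            last_ok = parse_time(n.get("last success", ""))
            if last_ok is None:
                problems.append(f"{direction} {partner} {nc}: cannot parse last success "
                                f"{n.get('last success')!r}")
            elif now - last_ok > max_age:
                problems.append(f"{direction} {partner} {nc}: last success "
                                f"{last_ok.isoformat()} is older than {max_age}")
    return problems


def run_showrepl():
    """Invoke samba-tool on a real DC and return the parsed JSON."""
    out = subprocess.run(["samba-tool", "drs", "showrepl", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample in the assumed layout: one healthy inbound partner, one
# failing inbound partner, and one outbound partner that last succeeded two days ago.
SAMPLE = json.loads("""
{
  "inboundNeighbors": [
    {"NC dn": "DC=example,DC=test", "DSA": "Default-First-Site-Name\\\\DC2",
     "last attempt message": "was successful", "consecutive failures": 0,
     "last success": "2019-07-03T13:00:00+0000"},
    {"NC dn": "DC=example,DC=test", "DSA": "Default-First-Site-Name\\\\DC3",
     "last attempt message": "failed, result 8524 (WERR_DS_DRA_NO_REPLICA)",
     "consecutive failures": 12, "last success": "2019-07-01T13:00:00+0000"}
  ],
  "outboundNeighbors": [
    {"NC dn": "CN=Configuration,DC=example,DC=test", "DSA": "Default-First-Site-Name\\\\DC2",
     "last attempt message": "was successful", "consecutive failures": 0,
     "last success": "2019-07-01T13:00:00+0000"}
  ]
}
""")
SAMPLE_NOW = datetime(2019, 7, 3, 13, 21, 37, tzinfo=timezone.utc)


def main():
    live = "--live" in sys.argv
    report = run_showrepl() if live else SAMPLE
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    problems = check_neighbours(report, now)
    for p in problems:
        print("WARNING:", p)
    # Nagios-style exit status: 0 = OK, 2 = CRITICAL.
    sys.exit(2 if problems else 0)


if __name__ == "__main__":
    main()
```

Run it without arguments to see the two warnings the constructed sample produces; with `--live` it calls `samba-tool` on the DC it runs on and exits non-zero on any problem, which makes it usable as a cron or monitoring check inside the container.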
