Bluefin Recommended Settings and Optimizations

Daisuke

why it's bad to disable the hostPath safety checks?
In simple terms, the "hostPath validation" setting prevents the use of the same pool dataset for both apps and shares. From my understanding, there are a lot of apps changing file permissions without any warnings, or they simply don't work with share ACLs. That's the main reason why you should not disable that setting and instead organize your datasets properly (edit: I'm going to add this info into the guide). I'll invite @morganL and @Kris Moore to add more specific details.

I spent quite a lot of time writing clear instructions on how to properly organize your datasets; it will be very beneficial for future upgrades. Just following the Linux standard naming conventions when you organize your datasets will automatically solve all your hostPath validation issues. Follow my guide suggestions and you will not be disappointed. In the long term, things will be so much easier when you create new datasets.

If you plan to organize your datasets, create new ones and make sure you look at the recordsize-related information posted in the Pools and Datasets section. It is quite important; many people have no idea how much this setting can impact their system performance when it comes to read/write speed and latency.

I am also a newbie and don't have a clue how to run your scripts as instructed.
Honestly, the scripts are for someone with Linux knowledge, since Scale is a Linux Debian based OS. So, yes, there is a small learning curve required. I'll add more details on how to execute the scripts, thank you for the input.

Edit: I added the Linux Terminal Conventions section, which also demonstrates how to log in to your Scale server with ssh.
 

Leonas

I was trying to send a very similar response yesterday, but I keep getting an error when I try to reply. I am also a newbie and don't have a clue how to run your scripts as instructed. So dumbing it way down with some additional instructions would be helpful. I threw in the towel for now and disabled the SMB share, which solved the issue, with obvious downsides.

Dunno if you have the same issue. For me the Plex app wouldn't run when I had my SMB share mounted as hostpath for my media files.

Searched around a bit and found a way to solve it by dropping my library into a child dataset called "Media" underneath the SMB share directory and Plex runs fine now. Apparently underlying datasets are still considered regular data and can be read by applications just fine.

/A complete Scale nublet
 

K.J

@Daisuke

I am trying as you have indicated above at: Datasets Structure Organization (zfs rename).
Changing my dataset so Plex works again, hostPath problem!
But it says the dataset does not exist? See pictures.

Please advise.

[Attached images: 1.jpg, 2.jpg]

 
Joined
Oct 22, 2019
Messages
3,641
I am trying as you have indicated above at: Datasets Structure Organization (zfs rename).

You need to use the proper case-sensitivity! Check ALL your letters, lowercase and uppercase. (It must be typed exactly the same as the name, every letter, every case.)

Foto.Film.Backup should be Foto.Film.BackUp
 

Daisuke

I am trying as you have indicated above at: Datasets Structure Organization (zfs rename).
Follow the Linux standards for dataset naming conventions and you will never be wrong, e.g. my-dataset. Please stop using spaces, uppercase, dots or other crazy characters that can confuse regex or OS internal scripts.
 

anodos

Sambassador
iXsystems
I don't really have time to review all of the SMB notes here, but a few minor comments:
  • Enable Apple SMB2/3 Protocol Extensions, if you connect the shares to a Mac
  • Set the Administrators Group to user UID 3000 you created earlier
Apple SMB2/3 protocol extensions are primarily required for the case where you use Time Machine. They aren't required in general for macOS compatibility. macOS clients work fine without them.

Setting administrators UID for SMB share makes them de-facto super-user for the SMB share. This should not be advised without qualifications.

You will not encounter any issues or warnings if you make sure the /mnt/software/opt SMB share is not directly accessed by multiple applications, the SMB share user matches the runAsUser UID and the dataset ACL Type is set to POSIX (default option), which is supported by Linux, Mac and Windows

This was potentially a bug in host path validation (if it was not flagging host paths mounting /mnt/software/opt/foo -- and will be fixed in a future release).

SMB clients are not aware generally speaking of the underlying ACL type. So this is incorrect. The best practice for SMB shares is to use the SMB dataset type (we have a special preset for this). That is the reason why the preset exists -- give users best possible configuration for pure SMB shares.
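An added example, not part of the post above and not TrueNAS's own validation code: a small Python audit an admin could run over their own list of SMB share paths and app hostPaths to see which pairs are identical or nested inside one another. The share names, app names and every path except /mnt/software/opt are constructed sample values.

```python
import posixpath
from pathlib import PurePosixPath

def norm(path):
    # Lexical normalisation only: collapses "//", "." and ".." and drops a
    # trailing slash. Symlinks are not resolved, so feed it real mountpoints.
    return PurePosixPath(posixpath.normpath(path))

def classify(share_path, host_path):
    """Return how an app hostPath relates to a share path, or None."""
    s, h = norm(share_path), norm(host_path)
    if s == h:
        return "same-path"
    # Compare whole path components, so /mnt/tank/media2 is NOT inside
    # /mnt/tank/media (a plain startswith() check would get this wrong).
    if s in h.parents:
        return "hostpath-inside-share"
    if h in s.parents:
        return "share-inside-hostpath"
    return None

def audit(shares, apps):
    """shares: {name: path}; apps: {name: [hostPath, ...]} -> list of findings."""
    findings = []
    for app, host_paths in apps.items():
        for hp in host_paths:
            for share_name, share_path in shares.items():
                kind = classify(share_path, hp)
                if kind:
                    findings.append((app, hp, share_name, kind))
    return findings

# Constructed inventory (hypothetical names; only /mnt/software/opt is from the thread).
SHARES = {"software": "/mnt/software/opt", "media": "/mnt/tank/media"}
APPS = {
    "plex": ["/mnt/tank/media/", "/mnt/software/opt/plex"],
    "backup": ["/mnt/tank/media2/backup"],
    "sync": ["/mnt/tank"],
}

if __name__ == "__main__":
    for app, hp, share, kind in audit(SHARES, APPS):
        print(f"{app}: {hp} overlaps share '{share}' ({kind})")
```

Every pair it reports is a place where an app and SMB clients write to the same files, so it is where the runAsUser UID and the share ACL need to agree.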
 

crk1918

That will change the default POSIX to NFS/SMB, which is exactly what I want to avoid. Please let me know if I’m correct.
Hello, NFSv4 ACL is easy to set up, but I am a little bit confused about POSIX ACL. How do you set up multiple users to access the same Dataset permission?
 

hmak604

For the Kubernetes apps and changing the runAsUser, my understanding is to NOT modify those values as per the TrueCharts team.
 

Daisuke

For the Kubernetes apps and changing the runAsUser, my understanding is to NOT modify those values as per the TrueCharts team.
When you post something, you need to explain why and also mention the specific case, instead of just posting a NOT. If you want to make sure there are no file permissions issues between apps and SMB share datasets, you DO need to set the app runAsUser to a specific UID you use to access the SMB share POSIX permissions. This specific case was explained very well in the guide and has nothing to do with your above post.

What's the relation of your post with the guide? I personally don't see any, there is "no need" to change the app user permissions or storage type. See UID standards, which explains why UID 568 is used. I quote "no need" because a user owns the server and that user decides how the installed software runs inside, not iXsystems or TrueCharts.
 

crk1918

Have you created a test dataset to see how multiple users are associated under default POSIX?
I tried it once before; it happened because I upgraded from a TrueNAS Core version to TrueNAS Scale and I noticed POSIX in TrueNAS Scale is their default choice. But I didn’t understand how it worked. Then I switched to another NFSv4 ACL method, but the switch will not work, so I have to delete the database and create it again with NFSv4. What is the real difference between those two?

I want to set up POSIX ACL with two users who can have the same permission(W/R) to that dataset.
 

Daisuke

Then I switched to another NFSv4 ACL method, but the switch will not work, so I have to delete the database and create it again with NFSv4.
That's expected, once you switch to NFSv4, there is no turning back. You also get a warning; it is documented in the guide. I personally leave everything set as default (POSIX). To have two users, just edit the dataset permissions and set the ACL. There is iXsystems documentation for that.
 

indivision

I may be misunderstanding the hostpath safety check advice.

I do not have this setting off. But, I can access hostpaths used by applications via smb shares (without any trouble or warnings that I've seen).

Is this referring to when the hostpath used is the exact same path as the smb share? In other words, you can access the application hostpath provided that it's a sub-directory of an smb share?
 

crk1918

That's expected, once you switch to NFSv4, there is no turning back. You also get a warning; it is documented in the guide. I personally leave everything set as default (POSIX). To have two users, just edit the dataset permissions and set the ACL. There is iXsystems documentation for that.
Thank you for your reply, but I just checked the official documentation and they don't have much information about how this POSIX ACL is configured.
I found this and it did not even talk about mask and mask - default.
 

indivision


Ok. Good. I guess I accidentally set it up the right way to begin with. :)

I never liked the universal "media" dataset-for-everything solution used in many tutorials...
 

cap

Apple SMB2/3 protocol extensions are primarily required for case where you use time machine. They aren't required in general for MacOS compatibility. MacOS clients work fine without them.
Apple SMB2/3 protocol extensions means vfs_fruit, doesn't it?!

Do you have a Mac? Do you use tags and labels for files (these are stored in the Xattrs)?

I have read several times that macOS behaves better and faster with vfs_fruit activated than without. Apple has extended the SMB protocol. And that is what they are trying to replicate with vfs_fruit. Therefore, I think it is better if vfs_fruit is activated.

Edit:
"These extensions help to increase the browsing speed in the Apple Finder application on network shares by enhancing directory listings and Apple metadata handling. This metadata is Apple specific information on files like coloring for example (in contrast to file system metadata like i-nodes, timestamps, etc. that is not affected). Without these extensions Mac SMB2 clients store their Apple file metadata in accompanying files for each file (resource fork, file names starting with “._”)."
 