From de66e2fa89dffa5a71794075d4834c9491460a64 Mon Sep 17 00:00:00 2001 From: D1StrX Date: Thu, 2 Jun 2022 21:24:02 +0200 Subject: [PATCH] Matching freenas examples from original repo --- examples/api-with-ssh/freenas-iscsi.yaml | 6 ++- examples/api-with-ssh/freenas-nfs.yaml | 6 +-- examples/api-with-ssh/freenas-smb.yaml | 49 +++++++++++++++---- .../api-without-ssh/freenas-api-iscsi.yaml | 9 ++-- examples/api-without-ssh/freenas-api-nfs.yaml | 4 +- examples/api-without-ssh/freenas-api-smb.yaml | 17 ++++--- 6 files changed, 66 insertions(+), 25 deletions(-) diff --git a/examples/api-with-ssh/freenas-iscsi.yaml b/examples/api-with-ssh/freenas-iscsi.yaml index 9db8e8d..6adbeb1 100644 --- a/examples/api-with-ssh/freenas-iscsi.yaml +++ b/examples/api-with-ssh/freenas-iscsi.yaml @@ -43,14 +43,14 @@ zfs: # "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" # "org.freenas:test": "{{ parameters.foo }}" # "org.freenas:test2": "some value" - + # total volume name (zvol//) length cannot exceed 63 chars # https://www.ixsystems.com/documentation/freenas/11.2-U5/storage.html#zfs-zvol-config-opts-tab # standard volume naming overhead is 46 chars # datasetParentName should therefore be 17 chars or less when using TrueNAS 12 or below datasetParentName: tank/k8s/b/vols # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap - # they may be siblings, but neither should be nested in the other + # they may be siblings, but neither should be nested in the other detachedSnapshotsDatasetParentName: tanks/k8s/b/snaps # "" (inherit), lz4, gzip-9, etc zvolCompression: @@ -72,6 +72,7 @@ iscsi: #nameTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}" namePrefix: csi- nameSuffix: "-clustera" + # add as many as needed targetGroups: # get the correct ID from the "portal" section in the UI 
@@ -84,6 +85,7 @@ iscsi: # only required if using Chap targetGroupAuthGroup: + #extentCommentTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" extentInsecureTpc: true extentXenCompat: false extentDisablePhysicalBlocksize: true diff --git a/examples/api-with-ssh/freenas-nfs.yaml b/examples/api-with-ssh/freenas-nfs.yaml index 3ebe09f..8173cfe 100644 --- a/examples/api-with-ssh/freenas-nfs.yaml +++ b/examples/api-with-ssh/freenas-nfs.yaml @@ -36,7 +36,7 @@ zfs: # zpool: /usr/local/sbin/zpool # sudo: /usr/local/bin/sudo # chroot: /usr/sbin/chroot - + # can be used to set arbitrary values on the dataset/zvol # can use handlebars templates with the parameters from the storage class/CO #datasetProperties: @@ -51,8 +51,8 @@ zfs: datasetEnableQuotas: true datasetEnableReservation: false datasetPermissionsMode: "0777" - datasetPermissionsUser: root - datasetPermissionsGroup: wheel + datasetPermissionsUser: 0 + datasetPermissionsGroup: 0 #datasetPermissionsAcls: #- "-m everyone@:full_set:allow" #- "-m u:kube:full_set:allow" diff --git a/examples/api-with-ssh/freenas-smb.yaml b/examples/api-with-ssh/freenas-smb.yaml index 6d08b7e..700af65 100644 --- a/examples/api-with-ssh/freenas-smb.yaml +++ b/examples/api-with-ssh/freenas-smb.yaml @@ -36,7 +36,7 @@ zfs: # zpool: /usr/local/sbin/zpool # sudo: /usr/local/bin/sudo # chroot: /usr/sbin/chroot - + # can be used to set arbitrary values on the dataset/zvol # can use handlebars templates with the parameters from the storage class/CO #datasetProperties: @@ -46,7 +46,9 @@ zfs: datasetProperties: aclmode: restricted - casesensitivity: mixed + aclinherit: passthrough + acltype: nfsv4 + casesensitivity: insensitive datasetParentName: tank/k8s/a/vols # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap 
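Review bot: `extentInsecureTpc: true` stays enabled in this hunk's context with no comment explaining it, even though the hunk already touches the extent settings to add the commented `extentCommentTemplate`. As far as I know, the TrueNAS option behind it lets an initiator bypass normal access control for third-party copy (xcopy) operations. An example that people copy verbatim should say so, e.g. `# allows xcopy by relaxing initiator access control; set to false unless you need it`. The same undocumented setting appears in the matching hunk of examples/api-without-ssh/freenas-api-iscsi.yaml. The iscsi mapping continues outside the hunk.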
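Review bot: The NFS example changes only the owner to numeric `0`/`0` and leaves `datasetPermissionsMode: "0777"` in place, so every provisioned dataset is still root-owned and world-writable, while the SMB example in this same commit is tightened to `"0770"`. If the wide mode is deliberate for NFS clients with arbitrary uids, say so in a comment such as `# world-writable by default; set a dedicated uid/gid and a tighter mode where the workload's user is known`. The reason for switching from names to numeric ids is not stated either and would fit in the same comment. The same `"0777"` with `0`/`0` remains in the context of the freenas-api-nfs.yaml and freenas-api-smb.yaml hunks.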
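Review bot: `aclinherit: passthrough`, `acltype: nfsv4` and `casesensitivity: insensitive` are added under `datasetProperties` without any comment, while the api-without-ssh SMB example in this commit comments the whole block out as "managed automatically". A short comment here should say why the ssh variant must set them explicitly. It should also say that `casesensitivity` is a create-time ZFS property, so the change from `mixed` affects only newly provisioned datasets. Next to `aclinherit` it is worth noting that with passthrough the inheritable entries in `datasetPermissionsAcls` are copied unchanged to every new file and directory.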
@@ -54,19 +56,48 @@ zfs: detachedSnapshotsDatasetParentName: tank/k8s/a/snaps datasetEnableQuotas: true datasetEnableReservation: false - datasetPermissionsMode: "0777" - datasetPermissionsUser: nobody - datasetPermissionsGroup: nobody + datasetPermissionsMode: "0770" + + # as appropriate create a dedicated user for smb connections + # and set this + datasetPermissionsUser: 65534 + datasetPermissionsGroup: 65534 + + # CORE + #datasetPermissionsAclsBinary: setfacl + + # SCALE + #datasetPermissionsAclsBinary: nfs4xdr_setfacl + + # if using a user other than guest/nobody comment the 'everyone@' acl + # and uncomment the appropriate block below datasetPermissionsAcls: - - "-m everyone@:full_set:allow" - #- "-m u:kube:full_set:allow" + - "-m everyone@:full_set:fd:allow" + + # CORE + # in CORE you cannot have multiple entries for the same principle + # or said differently, they are declarative so using -m will replace + # whatever the current value is for the principle rather than adding a + # entry in the acl list + #- "-m g:builtin_users:full_set:fd:allow" + #- "-m group@:modify_set:fd:allow" + #- "-m owner@:full_set:fd:allow" + + # SCALE + # https://www.truenas.com/community/threads/get-setfacl-on-scale-with-nfsv4-acls.95231/ + # -s replaces everything + # so we put this in specific order to mimic the defaults of SCALE when using the api + #- -s group:builtin_users:full_set:fd:allow + #- -a group:builtin_users:modify_set:fd:allow + #- -a group@:modify_set:fd:allow + #- -a owner@:full_set:fd:allow smb: shareHost: server address nameTemplate: "" namePrefix: "" nameSuffix: "" - + # if any of the shareFoo parameters do not work with your version of FreeNAS # simply comment the param (and use the configuration template if necessary) @@ -77,7 +108,7 @@ smb: shareAllowedHosts: [] shareDeniedHosts: [] #shareDefaultPermissions: true - shareGuestOk: true + shareGuestOk: false #shareGuestOnly: true #shareShowHiddenFiles: true shareRecycleBin: true 
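Review bot: The active ACL entry `- "-m everyone@:full_set:fd:allow"` grants every principal full control with file and directory inheritance, which undercuts the tightening this commit makes elsewhere (`datasetPermissionsMode: "0770"` here and `shareGuestOk: false` in the next hunk). With guest access off and the owner left at `65534`, the example as shipped appears to rely on that `everyone@` entry for all access, so any account that can authenticate to the share gets full rights. Consider shipping the narrower entries as the default, `- "-m owner@:full_set:fd:allow"` and `- "-m group@:modify_set:fd:allow"`, with the `everyone@` line commented out as the guest-only option. Two smaller points: the comments spell "principle" where "principal" is meant, and the SCALE entries are unquoted while the CORE ones are quoted.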
diff --git a/examples/api-without-ssh/freenas-api-iscsi.yaml b/examples/api-without-ssh/freenas-api-iscsi.yaml index 2dea051..d5fa9b7 100644 --- a/examples/api-without-ssh/freenas-api-iscsi.yaml +++ b/examples/api-without-ssh/freenas-api-iscsi.yaml @@ -33,14 +33,15 @@ zfs: # "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" # "org.freenas:test": "{{ parameters.foo }}" # "org.freenas:test2": "some value" - + # total volume name (zvol//) length cannot exceed 63 chars # https://www.ixsystems.com/documentation/freenas/11.2-U5/storage.html#zfs-zvol-config-opts-tab # standard volume naming overhead is 46 chars - # datasetParentName should therefore be 17 chars or less when using TrueNAS 12 or below + # datasetParentName should therefore be 17 chars or less when using TrueNAS 12 or below (SCALE and 13+ do not have the same limits) + # for work-arounds see https://github.com/democratic-csi/democratic-csi/issues/54 datasetParentName: tank/k8s/b/vols # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap - # they may be siblings, but neither should be nested in the other + # they may be siblings, but neither should be nested in the other detachedSnapshotsDatasetParentName: tanks/k8s/b/snaps # "" (inherit), lz4, gzip-9, etc zvolCompression: @@ -62,6 +63,7 @@ iscsi: #nameTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}" namePrefix: csi- nameSuffix: "-clustera" + # add as many as needed targetGroups: # get the correct ID from the "portal" section in the UI @@ -74,6 +76,7 @@ iscsi: # only required if using Chap targetGroupAuthGroup: + #extentCommentTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" extentInsecureTpc: true extentXenCompat: false extentDisablePhysicalBlocksize: true 
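Review bot: `detachedSnapshotsDatasetParentName: tanks/k8s/b/snaps` names a different pool (`tanks`) than `datasetParentName: tank/k8s/b/vols`, which looks like a typo carried in this hunk's context rather than an intentional second pool. The comment above it describes the two as siblings, which `tank/k8s/b/snaps` would be. The same value appears in the first hunk of examples/api-with-ssh/freenas-iscsi.yaml. The zfs mapping continues outside the hunk.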
diff --git a/examples/api-without-ssh/freenas-api-nfs.yaml b/examples/api-without-ssh/freenas-api-nfs.yaml index 68084cb..8fd5c53 100644 --- a/examples/api-without-ssh/freenas-api-nfs.yaml +++ b/examples/api-without-ssh/freenas-api-nfs.yaml @@ -26,7 +26,7 @@ zfs: # zpool: /usr/local/sbin/zpool # sudo: /usr/local/bin/sudo # chroot: /usr/sbin/chroot - + # can be used to set arbitrary values on the dataset/zvol # can use handlebars templates with the parameters from the storage class/CO #datasetProperties: @@ -43,6 +43,8 @@ zfs: datasetPermissionsMode: "0777" datasetPermissionsUser: 0 datasetPermissionsGroup: 0 + + # not supported yet #datasetPermissionsAcls: #- "-m everyone@:full_set:allow" #- "-m u:kube:full_set:allow" diff --git a/examples/api-without-ssh/freenas-api-smb.yaml b/examples/api-without-ssh/freenas-api-smb.yaml index 7b45f4c..15ea17e 100644 --- a/examples/api-without-ssh/freenas-api-smb.yaml +++ b/examples/api-without-ssh/freenas-api-smb.yaml @@ -26,7 +26,7 @@ zfs: # zpool: /usr/local/sbin/zpool # sudo: /usr/local/bin/sudo # chroot: /usr/sbin/chroot - + # can be used to set arbitrary values on the dataset/zvol # can use handlebars templates with the parameters from the storage class/CO #datasetProperties: @@ -34,9 +34,10 @@ zfs: # "org.freenas:test": "{{ parameters.foo }}" # "org.freenas:test2": "some value" - datasetProperties: - aclmode: restricted - casesensitivity: mixed + # these are managed automatically via the volume creation process when flagged as an smb volume + #datasetProperties: + # aclmode: restricted + # casesensitivity: mixed datasetParentName: tank/k8s/a/vols # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap @@ -47,8 +48,10 @@ zfs: datasetPermissionsMode: "0777" datasetPermissionsUser: 0 datasetPermissionsGroup: 0 - datasetPermissionsAcls: - - "-m everyone@:full_set:allow" + + # not supported yet in api + #datasetPermissionsAcls: + #- "-m everyone@:full_set:allow" #- "-m u:kube:full_set:allow" smb: 
@@ -56,7 +59,7 @@ smb: nameTemplate: "" namePrefix: "" nameSuffix: "" - + # if any of the shareFoo parameters do not work with your version of FreeNAS # simply comment the param (and use the configuration template if necessary)