Best practice for sharing

Status
Not open for further replies.

tom__w

Explorer
Joined
Mar 26, 2013
Messages
87
In my quest to upgrade my machine (going to be 9.10.2), I need advice on sharing.

I currently have a dataset shared via iSCSI. I have a VMware virtual machine that is attached to it. That machine then shares it to my users.

My performance is horrid with 25 meg/sec transfer rates.

I need to make a change.

I have been advised to not use FreeNAS AD/SMB as a share mechanism for the 25+ users who would access the data, even though throughput was 100+ meg/sec in testing. I was told that I might have permission problems in the future as well as other issues (I want to have AD permissions).

I was advised to present a VMDK to the hypervisor directly (via iSCSI) and then make the drive visible to the VM, which in turn would share it with my users.

I am relatively new to VMware and FreeNAS (4 year user) but it seems to me that this 'best practice' recommended configuration is still doubling traffic through the VMware/FreeNAS connection.

Any advice would be appreciated.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Why would you have permissions issues? That's a pretty vague reason to not use samba. Do you have an AD network? If so, what type of DC? Samba? Windows?
 

tom__w

This is a Windows AD. The only redeeming reason I can think of is the ability to do a snapshot of the VM .. if that's even a reason.

Here is his exact message to me:

You can if you like but I do not recommend. (referring to me using smb)
1. You will need to expose your storage to the users (not recommended) (isn't that what I am doing anyway)
2. You will need to integrate AD with your FreeNAS (I already did this and it works fine)
3. Permissions could become an issue (not sure what this means)
4. If you present as a VMDK to the OS through the hypervisor then if there is ever an issue with that VM you can always just attach the VMDK to another server and the permissions will stick and be seamless to the users. (this is a redeeming point)

What I have proposed is best practice; if you choose to do something other than this, that is up to you.


I am looking for a legitimate reason for not using smb.

I would even consider using iSCSI to share to a physical machine and then share it from a real machine. Seems that this method would also work well, eliminating the double traffic to and from my hypervisor.

I probably should have posted this in the "sharing" forum. Perhaps an admin can move it for me.
 

anodos

Is the server exclusively providing windows file shares?
 

tom__w

Right now I have an old 2003 server box set up exclusively for sharing.
 

anodos

Perhaps he was thinking in terms of segmenting your local network into discrete security zones. Having your storage network isolated from end-users, who only interact with VMs hosted in ESXi, can be useful in several ways:

  • You will have a common set of APIs for interacting with your servers (automation, migration, snapshots, backups, etc.)
  • It is easier to protect against privilege escalation on your storage network due to misconfiguration of user-facing servers.
  • Easier to do backups in a consistent way.
  • Users won't be able to hammer away at the webui of the FreeNAS server

Security is about more than just protecting a server from getting 'popped'. If you look at the SANS Critical Security Controls, you'll see items like 'have good backups'. To this extent the "best practices" the other guy outlined can really help.... but they're not required.

Since you only have 25 users, you have a fairly small environment. I think there isn't really a significant advantage to using iSCSI in the way that you described above, and as you noted there are some disadvantages. I'd personally just join the FreeNAS server to the AD domain, and make some samba shares. The only caveat in a small business environment is that you may want to move the webui and IPMI on the server to a separate management network that users can't access. Also make sure that you have a sound backup strategy.
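
As an added illustration of the management-network advice in the post above (not part of the original thread and not FreeNAS's own tooling): a small audit that reads FreeBSD `sockstat -4 -l` style output and flags management listeners that users could reach. The subnets, the sample listing, and the assumption that the web UI is served by nginx are constructed for the example.

```python
import ipaddress

# Assumed zones for illustration; substitute your own subnets.
USER_NET = ipaddress.ip_network("192.168.10.0/24")  # hypothetical user LAN
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")     # hypothetical management LAN
# Services that should answer only on the management network (assumed names).
MGMT_COMMANDS = {"nginx": "web UI", "sshd": "SSH"}

# Constructed sample in the layout of FreeBSD `sockstat -4 -l` output.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      2301  6  tcp4   *:443                 *:*
root     nginx      2301  7  tcp4   *:80                  *:*
root     sshd       1877  4  tcp4   10.0.99.5:22          *:*
root     smbd       3120  31 tcp4   192.168.10.5:445      *:*
root     smbd       3120  32 tcp4   192.168.10.5:139      *:*
"""

def exposed_mgmt_listeners(sockstat_text, user_net=USER_NET, mgmt_net=MGMT_NET):
    """Return (service, local_address, reason) for management listeners users can reach."""
    findings = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # skip the header and malformed lines
        command, proto, local = fields[1], fields[4], fields[5]
        if command not in MGMT_COMMANDS or not proto.startswith("tcp"):
            continue  # file-sharing daemons such as smbd belong on the user LAN
        host, _, _port = local.rpartition(":")
        if host == "*":
            reason = "bound to every interface, including the user network"
        else:
            addr = ipaddress.ip_address(host)
            if addr in mgmt_net:
                continue  # correctly confined to the management network
            reason = ("bound to the user network" if addr in user_net
                      else "bound outside the management network")
        findings.append((MGMT_COMMANDS[command], local, reason))
    return findings

if __name__ == "__main__":
    for service, local, reason in exposed_mgmt_listeners(SAMPLE):
        print(f"{service} listener {local}: {reason}")
```

The BMC that serves IPMI runs outside the operating system, so it does not appear in a socket listing and its network placement has to be checked separately.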
 

tom__w

Would you expect there to be a performance issue by presenting the VMDK to a VM and then sharing it
versus
Present iSCSI to a physical machine and sharing it
versus
Samba sharing directly to users

Just curious...
 

anodos

Well, the sort of hardware / storage design decisions that you make for a Samba server are different than ones that you make for a server providing iSCSI storage. Typically iSCSI storage has mirrors and you'll want to keep a larger % of your pool free than with a samba server. As I mentioned earlier, I prefer to just use FreeNAS as a samba server.
 