Some people think that NAS software should be an OS with a NAS package, (GUI front end, etc...). TrueNAS is more designed as a firmware that happens to use Linux, (or FreeBSD), as the OS. TrueNAS is not intended to be Internet accessible. Though in theory, apps on TrueNAS could be made accessible externally....
My main concern is the customizations of the Debian and the disabled docker usage, e.g. no docker-compose usage. For me fiddling with k3s and Helm is overkill and I would prefer sticking to docker. The other 2 issues are ZFS and missing Debian's apt.
What is the experience here: In case of security fixes, how quickly do they come from iX? The worst scenario for any NAS user is in my opinion to lose all data because of malware...
...
Security comes in layers. Firewall from the Internet router, lack of sharing outside the local network, reduction / removal of generic desktop apps, regular updates, and such. Not perfect by any stretch of the imagination.
Going back to the "TrueNAS is NAS firmware", lack of the Debian "apt" program is appropriate. Having random apps and programs can reduce security and reliability of the NAS. Putting those apps in containers is much safer for the parent OS. Plus, "TrueNAS is NAS firmware" means that an update could / probably will, lose / remove any of the non-standard changes or programs added via "apt".
As for the Docker versus Kubernetes, it is just a choice iXsystems made. Not perfect for some people. But, the main focus was the Enterprise customers, (though some probably would want Docker too or instead of Kubernetes).
Now on to the security updates. I don't recall many reported security problems. However, the one we have seen is client-side ransomware encrypting all the user's files. Including files on Samba shares in TrueNAS.
If the user of TrueNAS has set up regular ZFS snapshots, this can mitigate ransomware encryption on the TrueNAS server. (But NOT the client's local files...) Ransomware will cause all accessible files to be encrypted which could fill the NAS, since the unencrypted files are still present in the R/O ZFS snapshot. After the affected PC is removed from using the share, you can roll back a ZFS snapshot to restore the Samba share to exactly as it was at the time of the ZFS snapshot.
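The snapshot rollback described in the post above, as an added example that is not part of the original post: it picks the newest snapshot taken before the incident and lists the later snapshots that `zfs rollback -r` would destroy. The dataset name `tank/share`, the snapshot names and the timestamps are constructed placeholders.

```shell
#!/bin/sh
# Added example: choose the ZFS snapshot to roll back to after ransomware
# has encrypted a Samba share. Input is the tab-separated output of:
#   zfs list -H -p -t snapshot -o name,creation -s creation tank/share
# (-p prints creation time as epoch seconds). "tank/share" is a placeholder.

# Constructed sample listing: one snapshot per day, midnight UTC.
SAMPLE_LISTING="$(printf '%s\t%s\n' \
  'tank/share@auto-2024-05-01_00-00' 1714521600 \
  'tank/share@auto-2024-05-02_00-00' 1714608000 \
  'tank/share@auto-2024-05-03_00-00' 1714694400 \
  'tank/share@auto-2024-05-04_00-00' 1714780800)"

# Constructed incident time: 2024-05-03 09:30 UTC, when encryption began.
INCIDENT=1714728600

# Print the newest snapshot created strictly before the incident ($1).
# Reads the listing on stdin; exits non-zero if none predates the incident.
pick_rollback_target() {
  awk -F '\t' -v t="$1" '
    $2 + 0 < t + 0 && $2 + 0 > newest { newest = $2 + 0; best = $1 }
    END { if (best == "") exit 1; print best }'
}

# Print snapshots created at or after the incident. These hold encrypted
# data and are destroyed when rolling back past them with "zfs rollback -r".
snapshots_lost_by_rollback() {
  awk -F '\t' -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

# Show the plan only; nothing here modifies a pool.
target="$(printf '%s\n' "$SAMPLE_LISTING" | pick_rollback_target "$INCIDENT")"
echo "Roll back with: zfs rollback -r $target"
echo "Snapshots that -r will destroy:"
printf '%s\n' "$SAMPLE_LISTING" | snapshots_lost_by_rollback "$INCIDENT"
```

Files written to the share between the chosen snapshot and the incident are not in that snapshot, so copy anything still needed off the share before rolling back.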