ZFSguru NAS fileserver project

I am cross posting this guide from my ZFS Build thread so it can get some more eyes. I would appreciate if some folks could test it out and let me know how it goes:

Here is part one of my ZFSguru software install guides. I managed to set up SABnzbd, CouchPotato, and Sick Beard and they are all running great. I'm still not sure what I'm doing as far as running programs under different user accounts in FreeBSD, so please note that everything will be running as root. I know that most people advise against this, but outside access is blocked through my router and I have password protected access to SABnzbd, CouchPotato, and SickBeard. With that said, it would be great if someone more knowledgeable could figure out a more secure way to do this and re-post the guides.

SABnzbd on ZFSguru (FreeBSD 8.2)


1. Set ssh password under Services ---> OpenSSH in ZFSguru

2. SSH in to your server with username: ssh, password: whatever you just set.

3. At the command prompt type “su” without quotes and hit enter to get root access.

4. Install unzip, a required package which is not installed with the port:
Code:
pkg_add -r "ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/archivers/unzip-6.0.tbz"

5. Install SABnzbd FreeBSD port, which also installs all the rest of the required packages:
Code:
pkg_add -r "ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/news/sabnzbdplus-0.5.6.tbz"

6. Edit rc.conf to enable SABnzbd to start automatically:
Code:
ee /etc/rc.conf
Add these two lines somewhere at the bottom-
#SABnzbd
sabnzbd_enable="YES"

Press esc key----->leave editor----> save to save changes

7. Run SABnzbd for the first time:
Code:
/usr/local/bin/SABnzbd.py

Use a browser to go to http://ip-of-your-ZFSguru-server:8080 and proceed with configuring SABnzbd. After configuring, an ini file will be created at /root/.sabnzbd/sabnzbd.ini

8. Edit the SABnzbd rc.d config file
Code:
ee /usr/local/etc/rc.d/sabnzbd

Modify the following lines from this:
: ${sabnzbd_user:="_sabnzbd"}
: ${sabnzbd_group:="_sabnzbd"}
: ${sabnzbd_conf_dir:="/usr/local/sabnzbd"}

to this:
: ${sabnzbd_user:="root"}
: ${sabnzbd_group:="wheel"}
: ${sabnzbd_conf_dir:="/root/.sabnzbd"}

9. Add this line just below those you just modified; it will help SABnzbd find the unzip, unrar, and par2 packages:
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

10. Remove the spaces from around the equal sign in this line under the sabnzbd_stop function:
if [ ${host} = "0.0.0.0" ]

Press esc key----->leave editor----> save to save changes

11. Test things out with the following commands for starting and stopping SABnzbd
Code:
/usr/local/etc/rc.d/sabnzbd start
Code:
/usr/local/etc/rc.d/sabnzbd stop

That’s it! Just restart your ZFSguru server and SABnzbd should start automatically and you can access it at http://ip-of-your-ZFSguru-server:8080. Remember to change the “Permissions for completed downloads” setting in SABnzbd to 777 to allow you to access, move, and delete files in your download directories. Up next will be the Sick Beard install guide.
 
Ooh, this is exactly what I wanted to see. I am having issues at the moment when sickbeard finishes a job: while it is unpacking and moving finished downloads, I get stuttering or pausing on video being watched elsewhere in the house. This can be annoying because it often finishes episode downloads every 10-30 mins. The freezes can often last more than 45 seconds. I am hoping that by having these processes run on my ZFSGuru server rather than on a separate laptop across the network, it might eliminate the issue, as I'm not sure if it's network limiting or hdd access that's the problem
 
8. Modify the following lines from this:
: ${sabnzbd_user:="_sabnzbd"}
: ${sabnzbd_group:="_sabnzbd"}
: ${sabnzbd_conf_dir:="/usr/local/sabnzbd"}

to this:
: ${sabnzbd_user:="root"}
: ${sabnzbd_group:="wheel"}
: ${sabnzbd_conf_dir:="/root/.sabnzbd"}

9. Add this line just below those you just modified; it will help SABnzbd find the unzip, unrar, and par2 packages:
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

10. Remove the spaces from around the equal sign in this line under the sabnzbd_stop function:
if [ ${host} = "0.0.0.0" ]

Press esc key----->leave editor----> save to save changes

I'm currently installing sabnzbd and I am at step 8, but I got stuck. What file do you modify?
 
EDIT: Never mind, looks like a network issue with one of my streamers, others are fine.

Hi,

I've been running my file server with zfsguru for almost 3 months now without problems until today.

Currently my read speeds are really bad, about 1MB/s on both nfs and smb. I don't see anything special in /var/log/messages. ZFS reports as ONLINE.

There is no traffic at all on my network.

I have no clue what is causing this. Do you think one of the disks is in the process of failing? How could I confirm that? :S

Thanks
 
I'm currently installing sabnzbd and I am at step 8, but I got stuck. What file do you modify?

Whoops, sorry about that. I updated my original post with that information. Also added explanation that you can begin configuring SABnzbd after running it in step 7.
 
Sadly I haven't had time to test ZFSguru, but if I understand correctly all the files are owned by the nfs user and the nfs group.
So my suggestion would be to make a sabnzbd user, add that to the nfs group and set the permissions in sab to 0770. Sab automatically removes the execute permission from the files.
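
One way to compare the guide's 777 setting with the group-only 0770 suggested above, as an added example that is not from the original posts: it lists every entry under a download tree that local accounts outside the owner and group can reach, then restricts the tree to owner and group. The directory layout and function names are assumptions; on a real server the group argument would be nfs, and chgrp needs suitable privileges.

```shell
#!/bin/sh
# Added example: audit and tighten a SABnzbd download tree.
# Paths and function names are hypothetical; the demo tree is constructed.

# mode_of PATH -> symbolic mode as printed by ls, e.g. "drwxrwx---"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# world_accessible DIR -> every entry under DIR that grants read, write or
# execute to "other", i.e. to any local account outside owner and group.
# Symlinks are skipped because their own mode bits are not enforced.
world_accessible() {
    find "$1" ! -type l \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# restrict_to_group DIR [GROUP]
# Directories become 0770 and files 0660, matching the 0770 setting with
# the execute bit removed from files. chgrp runs only when GROUP is given.
restrict_to_group() {
    rt_dir=$1
    rt_group=${2:-}
    if [ -n "$rt_group" ]; then
        chgrp -R "$rt_group" "$rt_dir" || return 1
    fi
    find "$rt_dir" -type d -exec chmod 0770 {} +
    find "$rt_dir" -type f -exec chmod 0660 {} +
}

# Demo on a constructed tree that mimics "permissions for completed
# downloads = 777".
demo() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/complete/show"
    echo data > "$demo_root/complete/show/episode.mkv"
    chmod -R 777 "$demo_root/complete"

    before=$(world_accessible "$demo_root/complete" | wc -l | tr -d ' ')
    restrict_to_group "$demo_root/complete"
    after=$(world_accessible "$demo_root/complete" | wc -l | tr -d ' ')

    echo "world-accessible entries before: $before, after: $after"
    echo "file mode now: $(mode_of "$demo_root/complete/show/episode.mkv")"
    rm -rf "$demo_root"
}
demo
```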
 
HI all :)

I'm using the 2TB WD green disks in my ZFSGuru server, but according to this info, all the new drives using "Advanced Disc Format" need to be formatted in a given way to get best performance.

Can anyone tell me how to do this right in ZFSGuru?
 
HI all :)

I'm using the 2TB WD green disks in my ZFSGuru server, but according to this info, all the new drives using "Advanced Disc Format" need to be formatted in a given way to get best performance.

Can anyone tell me how to do this right in ZFSGuru?

It's pretty easy. On the page where you create a new zpool (Pools->Create, I think), use the "Sector Size Override" dropdown to select 4K, then create the pool as normal.

One problem with this is that 4K-aligned pools aren't bootable, at least with FreeBSD 8.1. I'm not sure if this has been fixed in 8.2.
 
That's all?
No need to do anything special in the formatting of the discs?
As far as I see, a stand-alone disk needs to start on sector nr 2048.
Standard in ZFSGuru I see it's a 1MB offset in the format, but I don't know what sector that means.
 
8. Edit the SABnzbd rc.d config file
Code:
ee /usr/local/etc/rc.d/sabnzbd

Modify the following lines from this:
: ${sabnzbd_user:="_sabnzbd"}
: ${sabnzbd_group:="_sabnzbd"}
: ${sabnzbd_conf_dir:="/usr/local/sabnzbd"}

to this:
: ${sabnzbd_user:="root"}
: ${sabnzbd_group:="wheel"}
: ${sabnzbd_conf_dir:="/root/.sabnzbd"}
setting the sabnzbd user to root is NOT a good idea,
I agree making a user for sabnzbd and adding it to the NFS group would be the best...
if you are really lazy you could change it to nfs/nfs
 
It's pretty easy. On the page where you create a new zpool (Pools->Create, I think), use the "Sector Size Override" dropdown to select 4K, then create the pool as normal.

One problem with this is that 4K-aligned pools aren't bootable, at least with FreeBSD 8.1. I'm not sure if this has been fixed in 8.2.

To you all:
I tried this on my WD green discs, but I then got more problems.
Unexpected ZPool errors, errors when copying files to the server, and so on.
Went back to the standard 512bit and 1MB offset (reserved space), and everything works much better :)

So if you're on some green discs, keep it standard in ZFSGuru.
---------

One other thing:
What's the difference between "GPT Label" and "GEOM label name"?
Is one better to use than the other?
 
Your zpool errors are unrelated to 4k sector size.
I run 4k sectors across 8x2tb green drives and it's fine on 8.2-prerelease(2010-10)
Your performance is going to take a huge hit running with 512k sectors.

The issue is that every 512k write requires the following transaction
"read 4k, replace 512k into 4k, write 4k"
whereas with 4k you simply
"write 4k"
That's 3 operations vs 1 per write. MAJOR performance hit
 
Seems like this is coming along nicely. I just checked out the roadmap. If you're still interested in feature requests, mine would be that of a port or the ability, at least, to add ZFSGuru to a stock FreeBSD install ala Webmin.

Cheers and best of luck with the project.
 
Loto_Bak: Seems like we use the same drives :)
I think you're right. Yesterday, when I was copying some files, the copy stopped at 50% and I got an error in OSX:

Then I checked the server, one drive had fallen out with I/O errors.
If I restart the server, the drive seems OK and is online, but falls out when I copy the files again....

When I was using FreeNAS, the same thing happened now and then, but I can't remember if it was the same HDD, but I guess so.
The SMART status shows no errors on the disc.
Can you, or anyone, recommend a disc-check tool?
If I'm going to complain to the shop about this drive (it's only some months old), I feel like I need all the proof I can get.

I will try another disc in its place later today.
 
I'm using 0.1.7 rootonzfs (specs in sig) and shut my server off today and when I booted it back up I found something odd.

All but my OS (80GB) and one of my 2TB drives (2TB-3) lost their labels, I had them labeled 2TB-1 through 4 using GEOM. They also lost the 4K sector .nop fix and now say 512 B. I attached another image of my pools page.
Did you format the disks AFTERWARDS of using the Sector Size override? Like you destroyed your pool, then formatted the disk again?

If not, this might be an actual bug in FreeBSD, i've filed this post here with detailed information about it:
http://forums.freebsd.org/showthread.php?t=20941

Could you tell me:
- what exactly you did to achieve this; did you reboot in between, how did you format, and did you do anything with this disk prior that could have interfered?
- what disks you got, all on the same controller?
- What's your system version? (look on status page)

@sub.mesa things I would like to see added are a backup page, also be able to make samba shares without using the filesystems page. I wanted to make a share of an already existing folder on one of my pools but couldn't figure out how to using the webgui so I used ssh and echo to add one line at a time to smb.conf for a new share.
Sorry for your poor experience! In the future, you can edit files with 'ee' which is an easy editor that works like the name implies. Hint: use escape to pop up the menu to exit and then save the file.

Please explain the backup page idea more though! I would love to receive more input on how you would like to manage moving large stuff from server A to server B or even locally. Where should this functionality be added, should it always use Samba, why not rsync or even zfs send/receive? These are questions i have to figure out, knowing what you guys expect to be able to do would help me in that!

For now, you can just create a samba share on any filesystem, and then go to the Services->Samba page and change the path to the location of your data. Here's a screenshot for reference:
http://zfsguru.com/images/ZFSguru-0.1.6-screenshot-10.png
 
That's all?
No need to do anything special in the formatting of the discs?
As far as I see, a stand-alone disk needs to start on sector nr 2048.
Standard in ZFSGuru I see it's a 1MB offset in the format, but I don't know what sector that means.
Since sector size is 512 bytes, 2048 times 512 byte sectors equals 1MiB.

But you are still confused, since the 'reserved space' of 1 megabyte, as shown on the formatting page, is space that is reserved at the end of the capacity, not the beginning! Thus, this is not the partition offset which controls whether it is properly aligned or not! It's just about leaving some space unused so small difference in HDD sizes don't cause you to not be able to replace a disk that you thought was the same size (1TB but your new 1TB is a few kilobytes smaller). It's also needed for FakeRAID controllers that require the last sector of each disk to be untouched and unused by ZFSguru/FreeBSD.

ZFSguru never creates badly aligned partitions; it uses two methods when formatting disks:

GEOM: this will create a GEOM_LABEL that is written to the last sector (512 bytes) of your harddrive. This will identify the disk with a given name.
GPT: this will create a GPT partition scheme on the disk, with a FreeBSD boot partition taking up less than a megabyte, and a data partition that consumes the rest, except the reserved space at the end (1MiB default). The alignment of the data partition is 2048 sectors or 1MiB thus properly aligned. The data partition also carries a given label name, to identify that disk from thereon.

Generally using GPT labels is recommended. It is also required if you connect your disks to hardware RAID or FakeRAID (Silicon Image/Promise/JMicron/Marvell) controllers. It should not be required if you use it on normal SAS/SATA HBA or onboard chipset SATA ports operating in AHCI or IDE/LEGACY mode in the system BIOS.
 
To you all:
I tried this on my WD green discs, but I then got more problems.
Unexpected ZPool errors, errors when copying files to the server, and so on.
Please tell me more about this problem, and exactly what hardware you have and what ZFSguru version + system version you use?
 
*takes a deep breath* yes i'm catching up!

Was quite busy past few days, but i've been working hard on the project, rewriting essential parts and changing the way the pages get displayed and processed. This has a lot of advantages when it's complete, such as:
  • Translations (each page is just text and can be easily translated without programming knowledge)
  • Alternate styles and layouts (more visually appealing web-interface; configurable in the preferences)
  • Extensions that add functionality to the web-interface (*poof* and there is your media streaming service :D )
  • Clean separation between HTML-code and programming code
  • Much cleaner structure for the code, possibility of catchall, less system-dependent, easier to adapt and modify.

I do understand that these are not the sexy features you've all been waiting for, but nonetheless this is a significant foundation for my project to enable me writing durable code, rather than extending my project into one big bloated piece of code that no one not even me understands anymore. It's also essential for the upcoming new functionality that allows for extensions to plug their 'module' and new functionality arises in the web-interface.

I've just completed the first major step in rewriting essential parts, and have begun to incorporate the existing interface to the new structure. This may still take awhile, but it already works which for me is quite exciting. I just hope to be able to 'ramp up' releases once i sort out the fundamental issues of code durability and software extensions.

Seems like this is coming along nicely. I just checked out the roadmap. If you're still interested in feature requests, mine would be that of a port or the ability, at least, to add ZFSGuru to a stock FreeBSD install ala Webmin.
The roadmap is kind of out-of-date; the project is too fast moving for that! I continue to make drastic changes that require a lot of work, but so far i've been happy with these choices since it just improves my project for the long term and prevents me from spending time on things i need to rewrite later on.

Your suggestion of a FreeBSD port is not new, but still a good one. It would be very nice if ZFSguru were to be included in the portstree. However, right now my project uses root privileges on the www user, which could (should) be considered a huge security risk for many FreeBSD systems. Due to the nature of my project (internal LAN NAS) and the fact that no external web-server runs on the same user, the security concerns for those running ZFSguru for just this issue, is rather small. Still, it is preventing me from filing a request to include my project. I would want to work out a different way to achieve root privileges. Once that is done, i would indeed be able to create a port and submit for inclusion.

You can install ZFSguru manually though; just install lighttpd, fcgi, php5, php5-session and sudo, as a bare minimum. You would need to configure sudo, the instructions are on my zfsguru.com website (Documentation/Manual FreeBSD installation).
 
@sub.mesa - Sounds like you're making a lot of progress. I know as well as anyone that if your codebase isn't manageable, it's nearly impossible to ever make steps forward.

Looking forward to seeing the results of your efforts!
 
sub.mesa: thanks for all the info, now I'm getting it :)
I come back to my errors, right now I'm running the WD hdd tool found on the UBCD (Ultimate boot CD).
Looks like the tests are going to take 4 hours per drive :eek:
 
*takes a deep breath* yes i'm catching up!

Was quite busy past few days, but i've been working hard on the project, rewriting essential parts and changing the way the pages get displayed and processed. This has a lot of advantages when it's complete, such as:
  • Translations (each page is just text and can be easily translated without programming knowledge)
  • Alternate styles and layouts (more visually appealing web-interface; configurable in the preferences)
  • Extensions that add functionality to the web-interface (*poof* and there is your media streaming service :D )
  • Clean separation between HTML-code and programming code
  • Much cleaner structure for the code, possibility of catchall, less system-dependent, easier to adapt and modify.

I do understand that these are not the sexy features you've all been waiting for, but nonetheless this is a significant foundation for my project to enable me writing durable code, rather than extending my project into one big bloated piece of code that no one not even me understands anymore. It's also essential for the upcoming new functionality that allows for extensions to plug their 'module' and new functionality arises in the web-interface.

I've just completed the first major step in rewriting essential parts, and have begun to incorporate the existing interface to the new structure. This may still take awhile, but it already works which for me is quite exciting. I just hope to be able to 'ramp up' releases once i sort out the fundamental issues of code durability and software extensions.


The roadmap is kind of out-of-date; the project is too fast moving for that! I continue to make drastic changes that require a lot of work, but so far i've been happy with these choices since it just improves my project for the long term and prevents me from spending time on things i need to rewrite later on.

Your suggestion of a FreeBSD port is not new, but still a good one. It would be very nice if ZFSguru were to be included in the portstree. However, right now my project uses root privileges on the www user, which could (should) be considered a huge security risk for many FreeBSD systems. Due to the nature of my project (internal LAN NAS) and the fact that no external web-server runs on the same user, the security concerns for those running ZFSguru for just this issue, is rather small. Still, it is preventing me from filing a request to include my project. I would want to work out a different way to achieve root privileges. Once that is done, i would indeed be able to create a port and submit for inclusion.

You can install ZFSguru manually though; just install lighttpd, fcgi, php5, php5-session and sudo, as a bare minimum. You would need to configure sudo, the instructions are on my zfsguru.com website (Documentation/Manual FreeBSD installation).

Fantastic!!!! When can we expect an update number?
Got a github account?

I've had a horrendous failure I think, two of my drives in one of my home arrays have started to fail

I have attached some screen shots, please advise on how to proceed. I will have 2 new replacement drives within the hour.

Crazy IO
crazyio.png


STOP SCRUB, but no scrub status
justshowsstopscrub.png


SMART status
smartstatus.png


DISK status
twobrokendiscs.png


Zpool status output
zpoolstatus1.png
 
Your suggestion of a FreeBSD port is not new, but still a good one. It would be very nice if ZFSguru were to be included in the portstree. However, right now my project uses root privileges on the www user, which could (should) be considered a huge security risk for many FreeBSD systems. Due to the nature of my project (internal LAN NAS) and the fact that no external web-server runs on the same user, the security concerns for those running ZFSguru for just this issue, is rather small. Still, it is preventing me from filing a request to include my project. I would want to work out a different way to achieve root privileges. Once that is done, i would indeed be able to create a port and submit for inclusion.

You can install ZFSguru manually though; just install lighttpd, fcgi, php5, php5-session and sudo, as a bare minimum. You would need to configure sudo, the instructions are on my zfsguru.com website (Documentation/Manual FreeBSD installation).

Any particular reason the www user uses root privileges? nologin won't solve the issue? I realize you probably already know this stuff, but for general knowledge (ie. for schmucks like me):

Using Groups to Avoid Root
In addition to being a security concern, the root password distribution policy can cause dissension in any organization. Many sysadmins refuse to share the root password with people who are responsible for maintaining part of the system, but do not offer an alternative and thereby prevent people from doing their job. Other sysadmins hand out root to dang near anyone who wants it and then complain when the system becomes unstable.

Both attitudes are untenable in the long run. When I’m a user, I insist that the sysadmin not give me the root password but instead set up a group that can do this task. While having root privileges can be convenient, not having responsibility when the system breaks is more convenient still.
One common situation is where a junior sysadmin is responsible for a particular portion of the system. I’ve had many DNS administrators work under me;² these people don’t ever install software, recompile the kernel, or perform other sysadmin tasks. They only answer emails, update zone files, and reload the named daemon. New sysadmins often believe that they need root access to do this sort of work. By establishing your own groups, consisting of people who perform similar administrative functions, you avoid distributing the root password and still allow people to do their work. In this section, we’ll implement group-level access control over nameserver files. The same principles apply to any files you choose to protect. Mail and web configuration files are other popular choices for group-based management.


System Accounts
FreeBSD reserves some user account names for integrated programs. For example, the nameserver runs under the user account bind and the group bind. Do not log in as the program user for this sort of work! If an intruder compromises the nameserver, he can only access the system with the privileges of the user bind.
What’s more, do not allow the group of the system account user to own the files created for that function. Create a separate user and group to own program files. That way, our hypothetical nameserver intruder cannot even edit the files used by the DNS server, further minimizing potential damage. If the program regularly updates the files (e.g., a database’s backend storage), you must give the program access rights, but chances are that a human being doesn’t ever need to edit that file. Similarly, there’s no reason a database should be able to edit its own configuration file.


Administrative Group Creation
The simplest way to create a group that owns files is to employ adduser(8) to make a user that owns them, and utilize that user’s primary group as the group for the files. Because we already have a user called bind, we’ll create an administrative user dns. The username isn’t important, but you should choose a name that you’ll remember easily.
Give your administrative user a shell of nologin, which sets a shell of /sbin/nologin. This prevents anyone from actually logging in as the administrative user.
If you want, you could specify a particular UID and GID for these sorts of users. I’ve been known to choose UID and GID numbers that resemble those used by their related service accounts. For example, the user bind has a UID and GID of 53. I could give the user dns a UID of 10053 to make it easily recognizable. At other times, I start numbering my administrative groups at 65535 and work my way down. It doesn’t matter so long as I’m completely consistent within an organization.

² Some even survived the experience.

Do not add this administrative user to any other groups. Under no circumstances add this user to a privileged group such as wheel! Every user needs a home directory. For an administrative user, a home directory of /nonexistent works well. This user’s files are elsewhere in the system, after all. Lastly, let adduser(8) disable the account. While the shell prevents logins, an extra layer of defense won’t hurt.
Now that you have an administrative user and a group, you can assign ownership of files to that user. A user and a group own every file. You can see existing file ownership and permissions with ls -l. (If you’ve forgotten how Unix permissions work, read ls(1) and chmod(1).) Many sysadmins pay close attention to file owners, somewhat less attention to worldwide permissions, and only glance at the group permissions.

Code:
# ls -l
total 3166
-rw-r-----  1 mwlucas  mwlucas    79552 Nov 11 17:58 rndc.key
-rw-rw-r--  1 mwlucas  mwlucas  3131606 Nov 11 17:58 absolutefreebsd.com.db
Here, I’ve created two files. The first file, rndc.key, can be read and written by the user mwlucas, it can be read by anyone in the group mwlucas, but no one else can do anything with it. The file absolutefreebsd.com.db can be read or written by the user mwlucas or anyone in the group mwlucas, but others can only read the file. If you’re in the group mwlucas, you can edit the file absolutefreebsd.com.db without becoming root.
Change a file’s owner and group with chown(1). You must know the name of the user and group whose ownership you want to change. In this case, we want to change both files to be owned by the user dns and the group dns.

Code:
# chown dns:dns rndc.key
# chown dns:dns absolutefreebsd.com.db
# ls -l
total 3166
-rw-r-----  1 dns  dns    79552 Nov 11 17:58 rndc.key
-rw-rw-r--  1 dns  dns  3131606 Nov 11 17:58 absolutefreebsd.com.db

These files are now owned by the user dns and the group dns. Anyone who is in the group dns can edit absolutefreebsd.com.db without using the root password. Finally, this file can be read by the user bind, who runs the nameserver. Add your DNS administrators to the dns group in /etc/group, and abruptly they can do their jobs.
The DNS administrators might think that they need the root password for restarting the nameserver program itself. However, this is easily managed with rndc(8). Other tasks can be managed with cron jobs, or with the add-on program sudo(8).

Taken from: Absolute FreeBSD, 2nd Edition: The Complete Guide to FreeBSD, by Michael Lucas

As long as you have a guide to installing it manually, I'm fine living without a port.

Cheers and thanks for the work.
 
The "nologin" shell simply means you can't SSH to that user, but that doesn't solve the security issue. If you for example run other websites available to the public/internet and the webserver or PHP scripts become compromised, then they would have full root access with sudo if they were smart enough to figure out the www user has sudo privileges.

I'm already using nologin, portion from /etc/master.passwd:
Code:
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin

So you can't login via SSH to the www user, but if you somehow can execute stuff as www user, then you can execute sudo and thus root commands as well.

For most people using ZFSguru this shouldn't be an issue at all, since they run it on their protected LAN outside of public access, and the interface itself lacks any authentication other than limiting to local IP ranges (10.x.x.x / 192.168.x.x). That will change in 0.1.8 with new password-based and IP-based authentication that is both easy and effective. Hopefully i figure out a good way to abandon the use of sudo, so www user becomes a normal non-privileged user account like it should be.
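
The point made above, that a nologin shell does not make an account unprivileged once sudoers grants it every command, can be checked mechanically. The following sh script is an added example, not part of the original post or of ZFSguru: it cross-references accounts with a nologin shell against sudoers entries that allow ALL commands. The sudoers entries and every passwd line except the www line quoted above are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find accounts that cannot log in interactively but are
# still root-equivalent through sudo. Sample data is constructed, except
# the www passwd line, which is the one quoted in the post.

# nologin_users FILE -> names whose shell (last field) is a nologin binary.
# Works for passwd (7 fields) and master.passwd (10 fields) alike.
nologin_users() {
    awk -F: '!/^#/ && NF >= 7 && $NF ~ /\/nologin$/ { print $1 }' "$1"
}

# unrestricted_sudoers FILE -> users or %groups granted the command ALL.
# Limits: no line continuations, no alias expansion, no include files.
unrestricted_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
        {
            who = $1
            spec = $0
            sub(/^[^=]*=/, "", spec)       # drop "user host ="
            gsub(/\([^)]*\)/, "", spec)    # drop run-as lists such as (ALL)
            gsub(/[A-Z]+:/, "", spec)      # drop tags such as NOPASSWD:
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL") { print who; break }
            }
        }' "$1"
}

# root_equivalent_services PASSWD SUDOERS -> nologin accounts with full sudo.
root_equivalent_services() {
    res_users=" $(nologin_users "$1" | tr '\n' ' ')"
    unrestricted_sudoers "$2" | sort -u | while read -r res_who; do
        case "$res_users" in
            *" $res_who "*) echo "$res_who" ;;
        esac
    done
}

# write_samples DIR -> constructed master.passwd and sudoers for the demo.
write_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nfs:*:501:501::0:0:NFS shares:/nonexistent:/usr/sbin/nologin
_sabnzbd:*:350:350::0:0:SABnzbd:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$1/sudoers" <<'EOF'
# constructed sample, not the file ZFSguru ships
Defaults env_reset
root ALL=(ALL) ALL
www ALL=(ALL) NOPASSWD: ALL
_sabnzbd ALL=(root) NOPASSWD: /usr/local/etc/rc.d/sabnzbd restart
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "nologin accounts with unrestricted sudo:"
root_equivalent_services "$demo_dir/master.passwd" "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

An account restricted to one command, like the constructed _sabnzbd entry, is not reported; only entries whose command list contains a bare ALL are.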
 
Fantastic!!!! When can we expect an update number?
Update number? The 0.1.8 release should be about a month away. It will be worth the wait, though! With extensions that add functionality as biggest hot new feature; this is needed to give everyone the functionality that he/she wants without overburdening the main system with things you don't need.

I'll keep you guys updated on my progress. :)

I've had a horrendous failure I think, two of my drives in one of my home arrays have started to fail
Oh yes! More than 4000 PENDING sectors; these are VERY dangerous and just one of them can cause most Hardware RAID / Onboard RAID / Windows-based software RAIDs to kick them out of the array and you have a lot of headaches as a result!

Pending sectors are bad sectors on ACTIVE data; data that the HDD *SHOULD* be able to read but CANNOT because the bit errors exceed the internal 40-bit ECC correction capabilities.

Since your disks are EADS, they have normal 512-byte sectors. Due to their high data density the 40-byte ECC of those 512-byte sectors simply isn't enough to prevent occurrences like yours. Using 4KiB sector drives with 100-byte ECC would be able to correct more damage and becomes necessary with ever increasing data densities.

In other words, 2TB 512-byte sector disks could have serious amnesia. Your two disks appear to be suffering from just that.

I have attached some screen shots, please advise on how to proceed. I will have 2 new replacement drives within the hour.
First power down and install the new harddrives, leaving the existing ones untouched; though it shouldn't harm if you change cables or something; ZFS 'smells' the disks to see who they really are.

Now power up with your new two disks attached, format those disks (not your existing ones!) with GPT. You may need reserved space 0 depending on whether the new disk is smaller than the existing or not.

Once you have your disks formatted, you can execute this on the root command line:

zpool replace Raid1z-8TB gpt/1 gpt/FIRSTNEWDISK

and for the second disk:

zpool replace Raid1z-8TB gpt/2 gpt/SECONDNEWDISK

Of course, replace the name in capital letters with your chosen GPT name for those new disks. You MUST use different label names for your new disks!

You may also want to consider using RAID-Z2 (RAID6) with two parity drives; though that would require you copying all data to some temporary location and then creating a new RAID-Z2 pool from your 7 (?) disks.
 
The "nologin" shell simply means you can't SSH to that user, but that doesn't solve the security issue. If you for example run other websites available to the public/internet and the webserver or PHP scripts become compromised, then they would have full root access with sudo if they were smart enough to figure out the www user has sudo privileges.

I'm already using nologin, portion from /etc/master.passwd:
Code:
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin

So you can't login via SSH to the www user, but if you somehow can execute stuff as www user, then you can execute sudo and thus root commands as well.

For most people using ZFSguru this shouldn't be an issue at all, since they run it on their protected LAN outside of public access, and the interface itself lacks any authentication other than limiting to local IP ranges (10.x.x.x / 192.168.x.x). That will change in 0.1.8 with new password-based and IP-based authentication that is both easy and effective. Hopefully I figure out a good way to abandon the use of sudo, so www user becomes a normal non-privileged user account like it should be.

Thanks for the clarification. Looking forward to 0.1.8 :)
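
An audit for the situation described above, a nologin service account that still holds sudo rights, added here as an example and not part of the original posts or of ZFSguru. The sudoers rule for www and the accounts other than www are constructed assumptions; the thread does not show the actual sudoers file.

```sh
#!/bin/sh
# Constructed master.passwd sample; the www line is the one quoted in the thread.
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ssh:*:1001:1001::0:0:SSH login user:/home/ssh:/bin/tcsh'

# Assumed sudoers content: the thread says www has sudo, not how it is granted.
SAMPLE_SUDOERS='# constructed example
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
www ALL=(ALL) NOPASSWD: ALL'

# audit_service_sudo PASSWD_TEXT SUDOERS_TEXT
# Prints "user shell NOPASSWD|PASSWD" for each per-user sudoers rule whose
# user has a nologin/false shell: an account nobody logs in to, yet any code
# running under it can become root.
audit_service_sudo() {
    printf '%s\n---SUDOERS---\n%s\n' "$1" "$2" | awk '
    $0 == "---SUDOERS---" { in_sudoers = 1; next }
    !in_sudoers {
        # passwd and master.passwd both keep the shell in the last field
        n = split($0, f, ":")
        if (n >= 7) shell[f[1]] = f[n]
        next
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    $1 ~ /^(%|Defaults|[A-Za-z]+_Alias)/ { next } # groups, options, aliases
    ($1 in shell) && shell[$1] ~ /(nologin|false)$/ {
        print $1, shell[$1], ($0 ~ /NOPASSWD/ ? "NOPASSWD" : "PASSWD")
    }'
}

audit_service_sudo "$SAMPLE_PASSWD" "$SAMPLE_SUDOERS"
```

The check covers per-user rules only; it does not expand User_Alias definitions or follow #include files.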
 
Hi Sub,

Your planned add ons, will they run on the main OS or are you going to create a jail to run the add-ins to protect the core functionality? Is this even possible?

I have been playing with FreeBSD jails recently which would have saved me a few times with FreeNAS when fuppes or firefly hit a broken file and sent the server downhill quickly.

Looking forward to 1.8 :)

Cheers
Paul
 
if someone more knowledgeable could figure out a more secure way to do this and re-post the guides.

I don't consider myself to be more knowledgeable, however I installed SABnzbd the same as you and found after I gave the _sabnzbd account (created during install) appropriate permissions to the download and completed directories, everything worked fine.

What failed for you when you tried, did it simply not let you change the directories outside of the default ones?

Assuming you're using the default ZFSGuru nfs user and group on your shares, I think the following should work.
Disclaimer: these commands could break stuff, suggest only proceeding if you're careful/confident.
EDIT: need to check this when I get home, I think you may need to: chown -R _sabnzbd:nfs /path/to/downloads

Code:
#add the sabnzbd user to the nfs group
pw groupmod nfs -m _sabnzbd 

#this will output all members of the nfs group, should list something like: nfs:*:501:nfs,_sabnzbd
pw groupshow nfs

#make sure nfs owns all files and folders in and under your downloads directory
chown -R nfs:nfs /path/to/downloads

#change permissions to 'wrx' for both the nfs user and nfs group. i found 0660 wasn't sufficient for sabnzbd so use 0770.
chmod 0770 /path/to/downloads

change sabnzbd download directories to /path/to/downloads, save, and check to make sure the configuration applied correctly. If it gives you a permissions error there's something else wrong.
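
A check for the group-based setup in the post above, added here as an example and not part of the original post: it lists every entry under the download directory that members of the group could not use, which matters because `chmod 0770` without `-R` changes only the top directory. The function names and the sample tree are constructed for illustration; the numeric group ID of the current user stands in for the nfs group.

```sh
#!/bin/sh
# check_group_access DIR GROUP
# Lists entries under DIR that GROUP members cannot fully use: wrong group
# owner, a directory without group rwx, or a file without group rw.
check_group_access() {
    find "$1" \( ! -group "$2" \
        -o \( -type d ! -perm -070 \) \
        -o \( ! -type d ! -perm -060 \) \) -print | sort
}

# make_sample_tree: builds a constructed download tree in which only the top
# directory received 0770, and prints its path.
make_sample_tree() {
    top=$(mktemp -d)
    mkdir "$top/complete"
    : > "$top/complete/a.nzb"
    chmod 0770 "$top"                  # what a non-recursive chmod touches
    chmod 0750 "$top/complete"         # subdirectory left without group write
    chmod 0640 "$top/complete/a.nzb"   # file left without group write
    printf '%s\n' "$top"
}

# Demo on the constructed tree: prints the two entries the group cannot write.
tree=$(make_sample_tree)
check_group_access "$tree" "$(id -g)"
rm -rf "$tree"
```

On the real share, pass the download path and `nfs` as arguments; an empty result means the service account can work there through its group membership, without running as root.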
 
Hi Sub,

Your planned add ons, will they run on the main OS or are you going to create a jail to run the add-ins to protect the core functionality? Is this even possible?
Very nice question! And yes indeed this is a huge feature that I'm wanting to implement. If the service in question does not require access to your files like Samba or NFS, it can be run in a jail.

Think about DHCP service, MySQL server and tons of other services; they don't need access to your personally stored files, so why give it to them? By confining them to a FreeBSD Jail, we 'sandbox' that service, so that if it becomes compromised by a malicious user the damage could not spread beyond that service; no access to your personal files.

The 'database' of installable extensions would indicate whether that service will be jailed or not; no additional configuration by the user is necessary. So if it can be jailed, I would want to do so. Services that require direct access to your files would still run on the main system instead.

So future releases of ZFSguru might be okay to receive direct internet access for just those ports which are jailed, so you can run internet-related stuff like a database-driven website without fear that if they become compromised your data is at risk. Some would argue that you have to separate your hardware and not put internal+public stuff on one box, but if done properly it shouldn't be a security risk.

FreeBSD Jails, unlike virtualization, do not impose any performance penalties and thus run at full speed. This remains one of the cornerstone features of the FreeBSD operating system.
 
sub.mesa,

I have been trying various solutions out now that drive extender was pulled from WHS.

I really like the concept of ZFSguru especially after trying Nexenta and the crazy slow interface.

I notice on your webpage that the GUI does not support L2ARC. I am really new to ZFS but I do have a SSD available in my setup and wanted to use it for L2ARC. Can I use the command line to set up the L2ARC?

Also - Will I be able to upgrade from one version of ZFSGuru to another without having to destroy my storage volume?

Thanks!

cwagz
 
Hey there!

Thanks for trying out my project, some answers to your questions:

Will I be able to upgrade from one version of ZFSGuru to another without having to destroy my storage volume?
Yes! Both upgrades to the web-interface (system->update) or new installations (system->install) will not harm existing pools and their data. However, if you are running Root-on-ZFS, you can't install the same system version on the same pool. But you can install a different (newer/older) system version from a running Root-on-ZFS on the same pool.

So you can install Root-on-ZFS to your data disks if you like, the only real disadvantage would be that you can't use the 4KiB sectorsize override feature when creating the pool; otherwise it wouldn't be bootable. This limitation may be solved in future releases.

I notice on your webpage that the GUI does not support L2ARC.
Coming in next release! For now you can easily configure your SSD as L2ARC:

  • Format your SSD as GPT and select the "Secure Erase" checkbox to reset the performance (requires AHCI controller; use your onboard chipset SATA ports in AHCI).
  • Now go to the root command line and execute something like zpool add <poolname> cache /dev/gpt/L2ARCDEV. Replace the <poolname> and L2ARCDEV with the names you chose.

Then you should see your cache device listed on the Pools page after clicking the pool name link.
 
Hey thanks for the quick reply.

I bought two of these:

HITACHI Deskstar 5K3000 HDS5C3020ALA632 (0F12117) 2TB 32MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive

As far as I can tell they are not "Advanced Format Drives". Do you know if I am correct regarding the format? I was going to run them in a mirror with root-on-zfs... I do have two laptop drives which are standard format I could boot from if need be...
 
Please tell me more about this problem, and exactly what hardware you have and what ZFSguru version + system version you use?
My system is as follows:

MoBo: Gigabyte GA-H57M-USB3.
CPU: Intel I3-530
RAM: Corsair 4GB Kit
PSU: CoolerMaster SilentProM 600w
NIC: Intel Gigabit NIC, PCI-E
HDD: 6*WD Green 2TB, 1*750GB Samsung for OS

ZFS_Guru ver 0.1.7
-----------------
I used the WD Data Lifeguard software found on the Ultimate Boot CD, and the results are as follows:
WD_errors.jpg

The drive at the bottom is the one that ZFSGuru reported problems with, so I guess the drive is a bad one.

I guess that this kind of error doesn't come from software, but that the drive has not been good since I got it.
I'm gonna complain to the store, I believe I can get this on the drive's warranty.

I'm gonna try with another drive of the same kind now, but I need to test that one too first, hehe. (it takes around 6 hours per drive on the i3 machine)

I also tested the RAM with memtest86, no errors found.
 
You could try booting ZFSguru livecd on them and retrieving the SMART information, that may reveal what the problem really is. If you see a lot of Reallocated Sector Count, then the utility repaired all damage like it said. If you still see Current Pending Sector, then the disk still has problems. Other errors to watch for are UDMA CRC Error Count (cable errors).

The SMART information can be found on Disks->SMART page.
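
The reading of the three attributes given above, applied to a `smartctl -A` style attribute table, as an added example that is not part of the original post or of ZFSguru. The sample table is constructed, and the use of smartmontools output rather than the ZFSguru SMART page is an assumption.

```sh
#!/bin/sh
# Constructed attribute table in `smartctl -A` layout (not from the thread).
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   199   199   140    Pre-fail  Always       -       12
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1140
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       3
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0'

# smart_triage TEXT
# Reads the raw value (column 10) of attributes 5, 197 and 199 and prints one
# verdict line per finding, following the reading given in the post.
smart_triage() {
    printf '%s\n' "$1" | awk '
    $1 == 5   { realloc = $10; seen++ }
    $1 == 197 { pending = $10; seen++ }
    $1 == 199 { crc     = $10; seen++ }
    END {
        # A drive that stops answering SMART queries yields no table at all
        if (seen < 3) { print "UNKNOWN: attributes 5/197/199 not all present"; exit }
        if (pending + 0 > 0) print "FAIL pending=" pending ": sectors still unreadable"
        if (realloc + 0 > 0) print "WARN reallocated=" realloc ": damage was remapped"
        if (crc + 0 > 0)     print "WARN crc=" crc ": check SATA cable"
        if (pending + realloc + crc == 0) print "OK: no sector or cable errors logged"
    }'
}

smart_triage "$SAMPLE_SMART"
```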
 
Man I am really liking ZFSguru - Nice Work. I had to do a little command line work to get my second NIC (dedicated for iSCSI) to keep from switching back to DHCP all the time. I just edited rc.conf and set it in there. Not sure why the web interface settings wouldn't stick.

Also had a little trouble figuring out the iSCSI setup but it started working fine once I fixed my initiator name, initiator IP, and fixed the size from 1GB to the actual size (known issue I believe).

I am looking forward to future updates. Are you going to be accepting donations for the project? I didn't see anything on your webpage...
 
sub.mesa:
I tried that too, but the SMART showed no errors.
The same thing happened if I just rebooted the server too, no errors in SMART, but they were back when I tried to copy data.

Here is a picture of the SMART status after I ran the WD tools, this page is of the funny drive:
Smart1.jpg


I thought that now it was gonna work, because it was not stopping in the middle as before, but now it stopped at the end of the copy, with like 1GB left.
I can hear that the drive is making some more noise than before (like clicking), and now the SMART status on the drive says: "SMART incapable"

I also got this kind of error on the ZFSGuru server itself:
coppyerros1.jpg

I even had to shutdown the server and cold start before BIOS saw the drive again :mad:

After a reboot, the SMART still shows no errors, but when I try to click on it, everything hangs.
Gonna test this drive on another PC too, if I get the same errors, I'll complain to the store.
 
Something more funny.
After I changed the disk, I configured it with 4K sector size, and the disks were named "GPT/Raid5_1", "GPT:/Raid5_2" and so on.
After I shut it down, moved it, and booted it, the sector size says 512K, and the member disk names are: "ada0p2", "ada2p2", "ada3p2" and so on.....

It kinda looks like the GPT tables have fallen out.
:confused:
 
Try exporting the pool (zpool export <poolname>) and importing it again, or before importing check if it has GPT label on the disks page.

Did this happen only on the disks that had problems?
 
Sub: It did not help to export and import.
On the disk pages, the GPT names show right, but on the Pool side, when I expand the pool, it shows the other names on every disk.
I have removed the bad drive.
 
Something more funny.
After I changed the disk, I configured it with 4K sector size, and the disks were named "GPT/Raid5_1", "GPT:/Raid5_2" and so on.
After I shut it down, moved it, and booted it, the sector size says 512K, and the member disk names are: "ada0p2", "ada2p2", "ada3p2" and so on.....

It kinda looks like the GPT tables have fallen out.
:confused:

I had the same problem with it going back to 512K sectors. I wouldn't write to the array until this is fixed, my array is now corrupt because I tried the non destructive benchmark.
 