OpenMediaVault: a distribution for NAS boxes
Given that the market is full of Linux-based NAS products, one might well wonder whether building a NAS server from scratch is worthwhile. There are a few reasons for doing so beyond the obvious "because we can." Most of the commercial products are relatively closed devices, depriving the owner of much of the freedom that Linux offers. They may not offer the specific combination of features and services that a user wants. It's a rare commercial box that gets regular security updates, but security is important for a storage server system. There may be a system sitting around already that is well suited to the task and just needs the right operating system. Or, if nothing else, it is comforting to have root access on the storage server and to be able to manage it with familiar commands and interfaces.
Installation
One of the advantages of a specialized distribution is that it tends to lack a lot of the baggage found in other distributions; a full OpenMediaVault 1.0.20 installation image weighs in at under 400MB, and the installed image takes just over 1GB. Booting that image yields a fairly standard sequence of Debian text-oriented installation screens. One thing that jumped out early on is that OpenMediaVault insists on taking a full disk for its own installation; it cannot work from a smaller partition, and it cannot export any part of the system disk to the network. That, of course, turns a four-bay server into a three-bay device; it also means that OpenMediaVault does not play well with any other distributions one might want to install on the system. Given that the system itself is quite small, it would be nice if it could accept life in a small partition and leave the bulk of the system drive available for other uses.
It's amusing that a storage server operating system's installation sequence ends by recommending that the user remove any floppies before rebooting into the installed system.
OpenMediaVault is based on the Debian stable ("wheezy") distribution, so it runs that distribution's venerable 3.2 kernel. That kernel has been consistently maintained since its release, so it will be well debugged and stable — but it won't be the place to look for exciting new features. There is no graphical desktop included with the system (unsurprisingly); it is Debian underneath, though, and is set up to use Debian's repositories, so a desktop environment could be installed if that truly seemed like a good idea.
Administration
One can log into the console as root and do all of the usual administrative
tasks from the command line. But the real added value in OpenMediaVault is
in its web-oriented administration interface. At the outset, though, there
were a couple of things that caught your editor's eye: (1) the whole
thing is implemented in PHP, and (2) by default, only port 80
(HTTP) is supported. Supporting HTTPS out of the box is hard, of course;
somebody has to come up with a server certificate from somewhere. One
could also
argue that a NAS box should run in a friendly environment, well sheltered
from the Internet, so higher security might just get in the way. But it
still feels wrong to have only insecure access
to an important administrative function.
The administrative screens provide access to most of the functionality that users will want. At the storage level, one can manage individual disks, including wiping them completely if desired. There is access to SMART monitoring, and, happily, an extensive set of power-management controls allowing disks to be configured to spin down when they are idle. One thing that is missing, again, is partitioning; OpenMediaVault really wants to work exclusively with whole drives.
There is a RAID management layer, providing access to the MD subsystem in
the kernel. Assembling a RAID array is a simple matter of filling out the
forms. The experience could be a little smoother; did it really have to
spend five
hours synchronizing a simple two-disk mirror array that had no data on it?
But, little glitches like that aside, the RAID setup and management
interface works well enough.
The filesystem screen allows the creation and mounting of filesystems on the available physical devices. The system can manage ext4, JFS, and XFS filesystems; there is no support for filesystems like Btrfs. There is also no logical volume manager support, thus no ability to create pools of space to be divided across filesystems. There is a screen for the management of disk quotas.
There is another set of screens for user and group management. They work well enough for a small number of users, but the interface is clearly oriented toward the management of individual user accounts, one at a time, in a local database. There is an "import" functionality, but it has its own special format; one can't, thus, just paste the contents of a password file into it. There is no provision for obtaining user information from an LDAP or NIS database. One might be able to set that up at the command-line level, but the web-based interface clearly doesn't envision tying into a larger network.
Exporting of filesystems via CIFS, NFS, and FTP is easily managed via the
appropriate screens. One can also turn on services like rsync. There is
no access to some of the fancier aspects of the NFS server — user-ID
mapping, for example — but the basics are all there. Users can
be allowed to access the server via SSH, but only if (1) the service
has been explicitly enabled, and (2) the user in question is in the
"ssh" group. Most of the time, one assumes, there will be no reason to
allow ordinary users to log into a NAS box.
Screens exist to provide system information in a number of forms; there are nice plots for network bandwidth usage or the system load average, for example. Conspicuously missing is any kind of plot of I/O bandwidth usage — a parameter that might be of interest on a box dedicated to storage! There is no provision for monitoring an uninterruptible power supply, unfortunately.
Closing notes
For the most part, the user interface works well. It does, though, have an annoying habit of requiring a click to save configuration changes, then another (at a distant location on screen) to confirm that the changes should really be saved. It might prevent a novice user from tripping, but it gets tiresome quickly. Also tiresome are the "do you really want to leave this page?" dialogs that pop up when the user does, indeed, want to leave an OpenMediaVault page.
One other little nit: there is a five-minute idle timeout by default; after that, the browser puts up this rather disconcerting image:
One does not normally want to hear about "software failures" on a storage box. In this case, the only failure is putting up a hair-raising warning when all that has happened is that the session has timed out.
For somebody wanting to set up a simple storage box for a home or a small
office, OpenMediaVault might well be an attractive option. It takes away
all of the fiddly details of setting up network services and, for the most
part, things Just Work. Users wanting more advanced features or
integration into a corporate network, instead, might find OpenMediaVault to
be a bit more limiting than they would like. That is fine; those users do
not appear to be the ones the project is targeting at this point. In the
end, your
editor is tempted to keep this distribution on the test server, but there
are others to try out first; stay tuned.
Posted Jan 3, 2015 3:07 UTC (Sat)
by TRS-80 (guest, #1804)
[Link]
Posted Jan 3, 2015 4:14 UTC (Sat)
by josh (subscriber, #17465)
[Link] (10 responses)
Posted Jan 3, 2015 19:12 UTC (Sat)
by eean (subscriber, #50420)
[Link]
Posted Jan 3, 2015 20:34 UTC (Sat)
by Gollum (guest, #25237)
[Link] (6 responses)
I'm now looking at installing onto a CF disk (hoping that it will be somewhat higher quality), will see how that works.
I have a USB-CF adapter, as well as a SATA-CF adapter, so will see which works best. With the SATA-CF adapter, I would need to replace the BIOS on the microserver to enable running a hard drive from the CDROM interface, which is well understood, but I have just not got around to doing that just yet.
Posted Jan 5, 2015 0:22 UTC (Mon)
by bobsol (subscriber, #54641)
[Link] (5 responses)
I have run routers for years (8 in one case) off CF storage without problems. I think this works because the system mounts a ramdisk from the CF and only makes changes to the ramdisk with the exception of configuration changes.
Posted Jan 5, 2015 5:07 UTC (Mon)
by Gollum (guest, #25237)
[Link] (4 responses)
I tried a package (can't recall the name offhand) that copies chunks of the fs into ramdisk, and copies it back when requested, to avoid unnecessary disk writes. Unfortunately, it turned out not to work too well.
Posted Jan 5, 2015 6:25 UTC (Mon)
by dlang (guest, #313)
[Link] (2 responses)
Posted Jan 5, 2015 7:06 UTC (Mon)
by Seegras (guest, #20463)
[Link]
It's a Debian, of course ;)
Posted Jan 16, 2015 1:22 UTC (Fri)
by privatedancer (guest, #100623)
[Link]
Posted Jan 5, 2015 10:22 UTC (Mon)
by paulj (subscriber, #341)
[Link]
Posted Jan 4, 2015 6:34 UTC (Sun)
by Kayden (guest, #89093)
[Link]
Posted Jan 8, 2015 20:16 UTC (Thu)
by pj (subscriber, #4506)
[Link]
Posted Jan 3, 2015 11:46 UTC (Sat)
by debacle (subscriber, #7114)
[Link]
Posted Jan 3, 2015 12:24 UTC (Sat)
by tjasper (subscriber, #4310)
[Link] (12 responses)
Some things on the Samba server aren't quite the way I wanted them, and the extra options in the web interface didn't quite give me the control I wanted, so I modified the smb.conf file directly. Oh, and I keep a check on it because any changes from the web interface will overwrite the modified file.
Also, it is possible to install this on top of a basic "wheezy" install (some digging on the forums is required, but I have done it on an earlier version). So if one does want a different partitioning scheme, then a netinst install of wheezy (or possibly a full install with XFCE or LXDE) followed by some command line trickery will allow that.
As someone else mentioned, there is an lvm plugin and also a NUT plugin which does allow monitoring of a UPS. It may be possible to import users from the Debian installation prior to the OMV overlay. Being Debian underneath means that some things are doable from the command line to tweak the installation to one's preferences.
I have found the support forum to be helpful and friendly. Someone on there even included a module to look at sensors via lm_sensors and add that to the series of graphs in the earlier version. I haven't looked recently since going to the 1.0 release.
The scary warning for the time-out is a recent "feature", earlier versions just put up an error dialog with a timeout message.
Posted Jan 3, 2015 15:06 UTC (Sat)
by TRS-80 (guest, #1804)
[Link] (11 responses)
I too have made some manual edits to smb.conf, primarily to force permissions so that ACLs for group folders apply correctly. It does bug me you have to dig around on the internet to find the correct options (force security mode in particular) to get this to work, there's no documentation saying what options you should set to get sane behaviour.
Posted Jan 4, 2015 10:18 UTC (Sun)
by tjasper (subscriber, #4310)
[Link] (10 responses)
After all, is one man's sanity another's madness?
Posted Jan 4, 2015 13:19 UTC (Sun)
by TRS-80 (guest, #1804)
[Link] (9 responses)
It's possible it's a problem only seen with Mac clients of a Samba server setting odd permissions, this question was one of the pages I visited that cleared it up for me at the time. The fact that the OMV server was at the other end of a satellite link and I only occasionally got told there was a problem certainly didn't help.
Posted Jan 14, 2015 21:27 UTC (Wed)
by robbe (guest, #16131)
[Link] (8 responses)
That's not exactly correct. For a file that is owned by user1 & group2, and has mode rwxr-x---, Linux ACLs¹ could grant read permission to user3 (which is not in group2) and read+execute to all members of group4 (some of which are not in group2). That's giving additional permissions in my opinion. That's why "ls -l" prints a + after the permissions if ACLs were found.
It's true that ACLs can give no write permissions in this example, because the group rights are reused as an upper bound, masking all ACL permissions.
But for the Samba case, you could just point the file gid to an empty dummy group, and set the group permissions (i.e. the mask) to rwx. No need to give wide permissions...
There's also richacls, but they are still out of tree, I think.
¹ Which are based on a withdrawn POSIX draft -- that's the best we have, there is no ACL standard that made it through the POSIX process as of yet.
Posted Jan 14, 2015 22:58 UTC (Wed)
by rleigh (guest, #14622)
[Link]
Posted Jan 15, 2015 2:10 UTC (Thu)
by TRS-80 (guest, #1804)
[Link]
I also found a reference that turning off unix extensions in Samba solves the problems for Mac clients, although I haven't confirmed this.
Posted Jan 15, 2015 16:44 UTC (Thu)
by cortana (subscriber, #24596)
[Link] (5 responses)
> It's true that ACLs can give no write permissions in this example, because the group rights are reused as an upper bound, masking all ACL permissions.
AIUI, ACLs have a separate 'mask' entry for the upper bound. For example:
Members of the daemon group can write to the file, even though members of parthenon cannot.
Posted Jan 15, 2015 20:47 UTC (Thu)
by robbe (guest, #16131)
[Link] (4 responses)
For this reason I consider your example bad practise. Changing the file gid to daemon, and having group:parthenon:r as a separate ACL would be nicer, I think. The results will be the same, unless there is some weird corner case with users that are in both groups...?
Posted Jan 16, 2015 0:29 UTC (Fri)
by cortana (subscriber, #24596)
[Link] (3 responses)
As for the corner case, a user in both groups will receive permissions from both the ACL_GROUP_OBJ and ACL_GROUP entry that matches their set of groups BTW (assuming that no ACL_USER_OBJ/ACL_USER entries matched first).
Posted Jan 16, 2015 0:37 UTC (Fri)
by TRS-80 (guest, #1804)
[Link] (2 responses)
Posted Jan 16, 2015 9:32 UTC (Fri)
by cesarb (subscriber, #6266)
[Link] (1 responses)
Some programs check the permissions for key configuration files, and complain if they're readable by anyone other than the owner. Reporting the mask as if it was the group permission keeps that functionality working even in the presence of ACLs.
Posted Jan 16, 2015 15:22 UTC (Fri)
by bfields (subscriber, #19510)
[Link]
I forget exactly how it works, but there's also some standards language to roughly the same effect--look up "file access permissions" in the SUS glossary.
Posted Jan 5, 2015 7:52 UTC (Mon)
by jezuch (subscriber, #52988)
[Link] (4 responses)
Apart from installing to a USB drive (but make sure it's not a crappy drive that will die after some months of sustained writes!), I think most (some?) NAS boxes have a small, internal drive intended as a host for the system partition. At least mine has (had, since I had to replace it with something bigger), albeit too small (256MB? Are you kidding me?) and on a legacy PATA interface (WTF?) that forces me to hand-compile the kernel since the one provided by Debian doesn't have a crucial option enabled.
> Conspicuously missing is any kind of plot of I/O bandwidth usage
I think it's redundant with the plot of network usage, since on a NAS [almost] everything goes through the network anyway :)
Posted Jan 5, 2015 10:01 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
Posted Jan 5, 2015 18:52 UTC (Mon)
by klossner (subscriber, #30046)
[Link] (1 responses)
Posted Jan 7, 2015 18:33 UTC (Wed)
by rahvin (guest, #16953)
[Link]
Posted Jan 7, 2015 9:26 UTC (Wed)
by jezuch (subscriber, #52988)
[Link]
These are not rotating-rust-drives but something called "disk on a chip". In other words, an SSD, but the notion appears to be older than the "SSD" moniker. From what I can tell they're big in industrial installations. I got one from a Chinese manufacturer marketing to Big Industry, anyway. Maybe I should take it apart and see if the firmware does any industrial espionage :)
Posted Jan 20, 2015 5:20 UTC (Tue)
by Baylink (guest, #755)
[Link] (3 responses)
Posted Jan 24, 2015 20:05 UTC (Sat)
by corbet (editor, #1)
[Link] (2 responses)
Posted Jan 24, 2015 20:58 UTC (Sat)
by zdzichu (guest, #17118)
[Link] (1 responses)
Posted Jan 26, 2015 12:12 UTC (Mon)
by nye (subscriber, #51576)
[Link]
The thing is, using Oracle's closed source ZFS branch essentially locks you in to an evolutionary dead end, when everyone else has headed in a different direction, which puts it squarely outside of LWN's remit.
(For the benefit of anyone who's unaware, the last common version of ZFS dates back to 2010, and since then the open and proprietary sides of the ZFS fork are incompatible with each other on-disk, in ways that are infeasible to fix - at least without Oracle deciding to make their ZFS open source.)
LVM support is available, albeit as a plugin that needs to be enabled. Ditto LDAP. Actually, I was surprised that the plugin system wasn't mentioned at all, as there is a fairly large range of community plugins available to give your OMV NAS many more functions than just plain fileserving.
# grep tmpfs /etc/fstab
tmpfs /tmp tmpfs defaults,noatime 0 0
tmpfs /var/lock tmpfs defaults,noatime 0 0
tmpfs /var/tmp tmpfs defaults,noatime 0 0
What is behind the web interface?
The error message is a Guru Meditation, FWIW.
It's more a lacuna between Samba and POSIX ACLs - Samba will do what you tell it, but it won't tell you that POSIX ACLs can only remove permissions from a file, not add them beyond what the standard POSIX file permissions allow. So you need to force a rather wide POSIX file permission for ACLs to be useful. It's all obvious in retrospect, but it's just one of those gotchas that had me scratching my head. The Samba documentation on access controls gets frustratingly close to covering the problem, but just drops short.
> what the standard POSIX file permissions allow.
Ah, I missed it's that the group permissions that are repurposed into being the upper bound mask for all ACLs, not that they are enforced after all ACLs are checked. Very subtle.
$ ls -l a
-rw-rwxr--+ 1 sam parthenon 0 Jan 15 16:37 a
$ getfacl -t a
# file: a
USER sam rw-
GROUP parthenon r--
group daemon rwx
mask rwx
other r--
Group permissions becoming the mask permissions is the documented behaviour per acl(5):
There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.
I can't explain the rationale, but as I said before, it is really subtle (ie confusing). Which gets back to my earlier point, there's no good overarching documentation that explains the big picture, particularly once you start dealing with Samba.
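The correspondence quoted from acl(5) above, applied to the getfacl listing posted in this thread, as an added example that is not part of any commenter's post: a Python model of the acl(5) access check and of the mode bits ls -l reports. The numeric ids and the users alice, bob and carol are constructed for the example.

```python
# Added example: the acl(5) access check and the mode bits ls -l derives
# from an ACL. The ACL is the one from the getfacl listing in the thread;
# all numeric ids and the extra user names are constructed.

R, W, X = 4, 2, 1

UID = {"sam": 1000, "alice": 1001, "bob": 1002, "carol": 1003}  # constructed
GID = {"parthenon": 2000, "daemon": 1}                          # constructed

ACL = {
    "owner": UID["sam"],
    "group": GID["parthenon"],
    "user_obj": R | W,                      # USER  sam        rw-
    "users": {},                            # no named-user entries
    "group_obj": R,                         # GROUP parthenon  r--
    "groups": {GID["daemon"]: R | W | X},   # group daemon     rwx
    "mask": R | W | X,                      # mask             rwx (None if absent)
    "other": R,                             # other            r--
}


def access(acl, uid, gids, want):
    """Return True if the acl(5) access check algorithm grants `want`."""
    mask = acl["mask"]
    limit = (R | W | X) if mask is None else mask
    # Step 1: the file owner is checked against ACL_USER_OBJ only (no mask).
    if uid == acl["owner"]:
        return acl["user_obj"] & want == want
    # Step 2: a named-user entry, limited by the mask.
    if uid in acl["users"]:
        return acl["users"][uid] & limit & want == want
    # Step 3: owning group and named groups, each limited by the mask. One
    # matching entry must contain everything requested, and once any group
    # matches, the "other" entry is never consulted.
    matching = [acl["group_obj"]] if acl["group"] in gids else []
    matching += [p for g, p in acl["groups"].items() if g in gids]
    if matching:
        return any(p & limit & want == want for p in matching)
    # Step 4: everyone else.
    return acl["other"] & want == want


def mode_string(acl):
    """Mode as ls -l shows it: the group slot holds the mask when one exists."""
    middle = acl["group_obj"] if acl["mask"] is None else acl["mask"]
    bits = "".join(
        "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))
        for p in (acl["user_obj"], middle, acl["other"])
    )
    has_extended = bool(acl["users"] or acl["groups"])
    return "-" + bits + ("+" if has_extended else "")
```

Setting the mask to r-- (which is what chmod g=r does on a file that has a mask entry) removes write access from the daemon group and makes the mode read -rw-r--r--+.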
I looked at Openfiler, but it hasn't been updated since 2011. I kind of saw it as a dead project...
Openfiler
– it's not Linux
– for tests, it's only available as VirtualBox image
but it is useful to calibrate current Linux NAS offerings against proprietary solution from few years back. I personally find the web UI and observability superior to everything on the market.
