This is a post where I suggest work without any commitment to helping. I'm sorry. :)
I'm trying to help someone here:
https://ask.fedoraproject.org/t/stuck-setting-up-a-local-file-server/18772
... where they're trying to set up an NFS/Samba share using Cockpit. That seems like it _should_ be easy. Now, this particular person is new and there's some basic concepts to work on first, but... also, it turns out Cockpit doesn't actually have an included tool for doing that. This kind of surprises me, but is also the kind of thing I just don't know because I'm not a working sysadmin anymore. (I kind of miss it sometimes....)
I talked to Stephen Gallagher and this is something he was looking at but doesn't have time for. There is a third-party add-on https://github.com/45Drives/cockpit-file-sharing which looks pretty great, but is specifically made for 45Drives, and may be difficult to generalize and package for Fedora Server.
But that seems _really_ worth doing. Anyone interested in taking that on?
On ma, 29 marras 2021, Matthew Miller wrote:
This is a post where I suggest work without any commitment to helping. I'm sorry. :)
I'm trying to help someone here:
https://ask.fedoraproject.org/t/stuck-setting-up-a-local-file-server/18772
... where they're trying to set up an NFS/Samba share using Cockpit. That seems like it _should_ be easy. Now, this particular person is new and there's some basic concepts to work on first, but... also, it turns out Cockpit doesn't actually have an included tool for doing that. This kind of surprises me, but is also the kind of thing I just don't know because I'm not a working sysadmin anymore. (I kind of miss it sometimes....)
I talked to Stephen Gallagher and this is something he was looking at but doesn't have time for. There is a third-party add-on https://github.com/45Drives/cockpit-file-sharing which looks pretty great, but is specifically made for 45Drives, and may be difficult to generalize and package for Fedora Server.
But that seems _really_ worth doing. Anyone interested in taking that on?
Just package their plugin. It uses existing Samba tools (net utility). That would be a relatively simple starting point. It may need a somewhat specific modification to work with all types of Samba configurations we support but this is probably a next step.
For NFS it also uses a simple drop-in file mechanism so it should be independent of anything else.
I do not think it has anything specific to 45Drives except their branding.
On Mon, Nov 29, 2021 at 07:36:22PM +0200, Alexander Bokovoy wrote:
But that seems _really_ worth doing. Anyone interested in taking that on?
Just package their plugin. It uses existing Samba tools (net utility). That would be a relatively simple starting point. It may need a somewhat specific modification to work with all types of Samba configurations we support but this is probably a next step.
Stephen said that he looked and it seems to have some other dependencies?
On ma, 29 marras 2021, Matthew Miller wrote:
On Mon, Nov 29, 2021 at 07:36:22PM +0200, Alexander Bokovoy wrote:
But that seems _really_ worth doing. Anyone interested in taking that on?
Just package their plugin. It uses existing Samba tools (net utility). That would be a relatively simple starting point. It may need a somewhat specific modification to work with all types of Samba configurations we support but this is probably a next step.
Stephen said that he looked and it seems to have some other dependencies?
I do not see anything else beyond cockpit, samba, and python3.
On Mon, Nov 29, 2021 at 12:47 PM Alexander Bokovoy abbra@fedoraproject.org wrote:
On ma, 29 marras 2021, Matthew Miller wrote:
On Mon, Nov 29, 2021 at 07:36:22PM +0200, Alexander Bokovoy wrote:
But that seems _really_ worth doing. Anyone interested in taking that on?
Just package their plugin. It uses existing Samba tools (net utility). That would be a relatively simple starting point. It may need a somewhat specific modification to work with all types of Samba configurations we support but this is probably a next step.
Stephen said that he looked and it seems to have some other dependencies?
I do not see anything else beyond cockpit, samba, and python3.
It has been a while since last I looked at it, so it's possible I was confusing this with the Ceph setup tool, which definitely has 45Drives-isms in it. I'll have another look at the file-sharing extension sometime this week, if time permits.
On Mon, Nov 29, 2021 at 07:46:14PM +0200, Alexander Bokovoy wrote:
Stephen said that he looked and it seems to have some other dependencies?
I do not see anything else beyond cockpit, samba, and python3.
Yep and I just tried it and it worked. I had to manually add `include = registry` to `[global]` in `/etc/samba/smb.conf`.
Would that be something that might be appropriate to make the default?
On ma, 29 marras 2021, Matthew Miller wrote:
On Mon, Nov 29, 2021 at 07:46:14PM +0200, Alexander Bokovoy wrote:
Stephen said that he looked and it seems to have some other dependencies?
I do not see anything else beyond cockpit, samba, and python3.
Yep and I just tried it and it worked. I had to manually add `include = registry` to `[global]` in `/etc/samba/smb.conf`.
Would that be something that might be appropriate to make the default?
No. It is something that is used for a particular setup where administrator (or a solution designed) knows what they are doing. FreeIPA uses this mode, for example.
But for normal users who barely understand what to do with smb.conf, enabling registry becomes a source of issues.
I also don't think we tested registry with Samba AD configuration.
On Mon, Nov 29, 2021 at 1:57 PM Matthew Miller mattdm@fedoraproject.org wrote:
On Mon, Nov 29, 2021 at 07:46:14PM +0200, Alexander Bokovoy wrote:
Stephen said that he looked and it seems to have some other dependencies?
I do not see anything else beyond cockpit, samba, and python3.
Yep and I just tried it and it worked. I had to manually add `include = registry` to `[global]` in `/etc/samba/smb.conf`.
Would that be something that might be appropriate to make the default?
Playing around with it, this tool also appears to only understand users that are returned by `getpwent()` calls (which means that network users served by SSSD would not be visible unless `enumerate=True` is set, which is a performance hit). I might look into patching this to allow a user to be specified directly.
Alexander: Does samba have a drop-file configuration anywhere? So we could specify `include = registry` when this Cockpit plugin is installed, but not otherwise?
Hello all,
Stephen Gallagher [2021-11-29 14:34 -0500]:
Alexander: Does samba have a drop-file configuration anywhere? So we could specify `include = registry` when this Cockpit plugin is installed, but not otherwise?
IMHO this is generally not a good idea. Merely installing a (mostly unrelated) package should not unexpectedly reconfigure existing running services. The docs [1] don't really clarify the impact, but at least the "automatically activates registry shares" sounds like possibly unexpected fallout, and may violate the "least surprise" principle?
Pitti
[1] https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INCLUDE
On ti, 30 marras 2021, Martin Pitt wrote:
Hello all,
Stephen Gallagher [2021-11-29 14:34 -0500]:
Alexander: Does samba have a drop-file configuration anywhere? So we could specify `include = registry` when this Cockpit plugin is installed, but not otherwise?
IMHO this is generally not a good idea. Merely installing a (mostly unrelated) package should not unexpectedly reconfigure existing running services. The docs [1] don't really clarify the impact, but at least the "automatically activates registry shares" sounds like possibly unexpected fallout, and may violate the "least surprise" principle?
I agree with Martin. In addition, Samba does not have a drop-file configuration mechanism. There is 'include' option that allows to include files but it cannot take wildcards, so this is not a drop-in variant handling.
On Tue, Nov 30, 2021 at 07:13:45AM +0100, Martin Pitt wrote:
Stephen Gallagher [2021-11-29 14:34 -0500]:
Alexander: Does samba have a drop-file configuration anywhere? So we could specify `include = registry` when this Cockpit plugin is installed, but not otherwise?
IMHO this is generally not a good idea. Merely installing a (mostly unrelated) package should not unexpectedly reconfigure existing running services. The docs [1] don't really clarify the impact, but at least the "automatically activates registry shares" sounds like possibly unexpected fallout, and may violate the "least surprise" principle?
I think the alternative would be for the Cockpit plugin to, instead of telling users to edit the config file by hand, have a button to _just do it_. I don't like munging config files, though (so fragile!), so:
It looks from https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INCLUDE that although it doesn't have a drop-in file option, the include option _normally_ means "literally include a file here as though typed in place", and for some probably-too-clever-but-oh-well reason, "include = registry" has a special meaning.
I can think of several things we could do with this, but if we don't want surprising behavior, we could have [global] include
include = /etc/samba/cockpit.conf
in the standard package. I don't know how samba behaves if files are missing, but if it doesn't cause errors, that file could just be not there by default. Or, if it needs to have something, could just contain a commment. Then, the Cockpit tool could then replace just that file (either directly or with a symlink) when you press a button. (Samba server doesn't start by default, so that button could also enable the service?)
On Tue, Nov 30, 2021 at 01:59:50PM -0500, Matthew Miller wrote:
in the standard package. I don't know how samba behaves if files are missing, but if it doesn't cause errors, that file could just be not there by default. Or, if it needs to have something, could just contain a commment. Then, the Cockpit tool could then replace just that file (either directly or with a symlink) when you press a button. (Samba server doesn't start by default, so that button could also enable the service?)
Actually -- let me take that a step further... or maybe back.
If Samba isn't installed on the host, you get:
Failed to load Samba services. Is Samba installed or enabled?
Or maybe it says "SMB". This is from memory. And anyway similar for NFS.
It would be nice if that were instead a button (or wizard) that installed the necessary packages.
On Tue, Nov 30, 2021 at 3:26 PM Matthew Miller mattdm@fedoraproject.org wrote:
On Tue, Nov 30, 2021 at 01:59:50PM -0500, Matthew Miller wrote:
in the standard package. I don't know how samba behaves if files are missing, but if it doesn't cause errors, that file could just be not there by default. Or, if it needs to have something, could just contain a commment. Then, the Cockpit tool could then replace just that file (either directly or with a symlink) when you press a button. (Samba server doesn't start by default, so that button could also enable the service?)
Actually -- let me take that a step further... or maybe back.
If Samba isn't installed on the host, you get:
Failed to load Samba services. Is Samba installed or enabled?
Or maybe it says "SMB". This is from memory. And anyway similar for NFS.
It would be nice if that were instead a button (or wizard) that installed the necessary packages.
All of this is certainly *nice*, but it's moving the goalposts quite a ways beyond "package cockpit-file-sharing for Fedora"...
We've already established that time is at a premium for those who are interested in doing this... I suggest that adding new requirements as we go is probably NOT a good idea if we ever want to see it land.
Something functional-but-needs-manual-tweaks is still better than nothing at all.
On Tue, Nov 30, 2021 at 03:42:25PM -0500, Stephen Gallagher wrote:
Or maybe it says "SMB". This is from memory. And anyway similar for NFS. It would be nice if that were instead a button (or wizard) that installed the necessary packages.
All of this is certainly *nice*, but it's moving the goalposts quite a ways beyond "package cockpit-file-sharing for Fedora"...
Yeah, sorry -- please don't block.
On Tue, Nov 30, 2021 at 05:15:13PM -0500, Matthew Miller wrote:
All of this is certainly *nice*, but it's moving the goalposts quite a ways beyond "package cockpit-file-sharing for Fedora"...
Yeah, sorry -- please don't block.
So anyway. :) I'm hoping we can:
1. Get the thing packaged as is. 2. Get `include = /etc/samba/cockpit.conf` in the samba config, if that is possible. 3. Find someone interested in the enhancements (buttons to install and enable necessary packages, followed by a button to explicitly enable the above config)
Alexander, how does samba respond if there's an include file which just isn't there?
On Thu, Dec 9, 2021 at 9:06 AM Matthew Miller mattdm@fedoraproject.org wrote:
On Tue, Nov 30, 2021 at 05:15:13PM -0500, Matthew Miller wrote:
All of this is certainly *nice*, but it's moving the goalposts quite a ways beyond "package cockpit-file-sharing for Fedora"...
Yeah, sorry -- please don't block.
So anyway. :) I'm hoping we can:
- Get the thing packaged as is.
Out for review: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2030814
On Thu, Dec 09, 2021 at 02:01:40PM -0500, Stephen Gallagher wrote:
- Get the thing packaged as is.
Out for review: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2030814
Comments in bug -- it bundles some things we should drop. I think it's sufficient to just remove them in the %prep part of the specfile -- it's not a like a codec issue where we need to clean the source, just, like, it includes fontawesome.
Mostly this is easy, except there's a "file-sharing-patternfly.css.gz".
I know you're doing this as a total aside on top of other things, so I'm hoping someone else is inspired to step in and take a crack at the next steps.
On Mon, Dec 13, 2021 at 11:06:11PM -0500, Matthew Miller wrote:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2030814
Comments in bug -- it bundles some things we should drop. I think it's sufficient to just remove them in the %prep part of the specfile -- it's not a like a codec issue where we need to clean the source, just, like, it includes fontawesome.
Mostly this is easy, except there's a "file-sharing-patternfly.css.gz".
I've updated https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2030814 with a spec file which removes all of the bundling except the above. Suggestions, anyone?
On ti, 30 marras 2021, Matthew Miller wrote:
On Tue, Nov 30, 2021 at 07:13:45AM +0100, Martin Pitt wrote:
Stephen Gallagher [2021-11-29 14:34 -0500]:
Alexander: Does samba have a drop-file configuration anywhere? So we could specify `include = registry` when this Cockpit plugin is installed, but not otherwise?
IMHO this is generally not a good idea. Merely installing a (mostly unrelated) package should not unexpectedly reconfigure existing running services. The docs [1] don't really clarify the impact, but at least the "automatically activates registry shares" sounds like possibly unexpected fallout, and may violate the "least surprise" principle?
I think the alternative would be for the Cockpit plugin to, instead of telling users to edit the config file by hand, have a button to _just do it_. I don't like munging config files, though (so fragile!), so:
It looks from https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INCLUDE that although it doesn't have a drop-in file option, the include option _normally_ means "literally include a file here as though typed in place", and for some probably-too-clever-but-oh-well reason, "include = registry" has a special meaning.
I can think of several things we could do with this, but if we don't want surprising behavior, we could have [global] include
include = /etc/samba/cockpit.conf
in the standard package. I don't know how samba behaves if files are missing, but if it doesn't cause errors, that file could just be not there by default. Or, if it needs to have something, could just contain a commment. Then, the Cockpit tool could then replace just that file (either directly or with a symlink) when you press a button. (Samba server doesn't start by default, so that button could also enable the service?)
I don't like this approach, it mixes too much of Cockpit-specific assumptions here into the configuration that should be as neutral as possible.
This whole plugin would only work for a simple file server with password-based authentication. It will not work when Samba AD is configured on the system (Samba AD does not support 'include = registry'), it will not work without changes with Samba file server as a member of FreeIPA or Active Directory domain.
Adding non-existing include file does create a lot of noise -- every time Samba tools would parse configuration file. This would happen every three minutes if any of Samba daemons configured to run -- for example, if winbindd is configured to join an Active Directory domain, where otherwise one would not even use smbd, just winbindd.
If you want to control smb.conf from this Cockpit plugin, then doing a backup of existing smb.conf and clearly identifying what will be changed in the configuration is needed. E.g. 'After pressing the button below, your smb.conf will be backed up and registry configuration will be enabled' -- after checking that existing smb.conf is compatible with your mode of operation (e.g. that it does not have any of incompatible server roles).
This all smells like a dedicated project in itself. We have been working on a Cockpit plugin for Samba AD configuration upstream as a part of a Google Summer of Code few years ago but didn't get that code to production quality yet. There are not enough resources to dedicate to this work either upstream or downstream (both Fedora and RHEL).
On Tue, Nov 30, 2021 at 10:43:24PM +0200, Alexander Bokovoy wrote:
I don't like this approach, it mixes too much of Cockpit-specific assumptions here into the configuration that should be as neutral as possible.
Okay, fair enough.
in the configuration is needed. E.g. 'After pressing the button below, your smb.conf will be backed up and registry configuration will be enabled' -- after checking that existing smb.conf is compatible with your mode of operation (e.g. that it does not have any of incompatible server roles).
How about just back up and _replace_ the smb.conf a whole new one, noting clearly that automatic configuration in this way will do that, and that if you want to have it do more complicated things, you'll need to handle it by hand.
server@lists.fedoraproject.org
-
Alexander Bokovoy -
Martin Pitt -
Matthew Miller -
Stephen Gallagher