| blob | 73244b4c8f672c4b7f13089f3664a186c432f681 |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <chapter id="VFS">
4 <chapterinfo>
5 &author.jelmer;
6 &author.jht;
7 &author.tpot;
8 <author><firstname>Simo</firstname><surname>Sorce</surname><contrib>original vfs_skel README</contrib></author>
9 <author><firstname>Alexander</firstname><surname>Bokovoy</surname><contrib>original vfs_netatalk docs</contrib></author>
10 <author><firstname>Stefan</firstname><surname>Metzmacher</surname><contrib>Update for multiple modules</contrib></author>
11 <author><firstname>Ed</firstname><surname>Riddle</surname><contrib>original shadow_copy docs</contrib></author>
12 </chapterinfo>
13 <title>Stackable VFS modules</title>
15 <sect1>
16 <title>Features and Benefits</title>
18 <para>
19 Since Samba-3, there is support for stackable VFS (Virtual File System) modules.
20 Samba passes each request to access the UNIX file system through the loaded VFS modules.
21 This chapter covers all the modules that come with the Samba source and references to
22 some external modules.
23 </para>
26 </sect1>
28 <sect1>
29 <title>Discussion</title>
31 <para>
32 If not supplied with your platform distribution binary Samba package you may have problems
33 compiling these modules, as shared libraries are compiled and linked in different ways
34 on different systems. They currently have been tested against GNU/Linux and IRIX.
35 </para>
37 <para>
38 To use the VFS modules, create a share similar to the one below. The
39 important parameter is the <smbconfoption name="vfs objects"/> parameter where
40 you can list one or more VFS modules by name. For example, to log all access
41 to files and put deleted files in a recycle bin, see <link linkend="vfsrecyc">next configuration</link>:
43 <smbconfexample id="vfsrecyc">
44 <title>smb.conf with VFS modules</title>
45 <smbconfsection>[audit]</smbconfsection>
46 <smbconfoption name="comment">Audited /data directory</smbconfoption>
47 <smbconfoption name="path">/data</smbconfoption>
48 <smbconfoption name="vfs objects">audit recycle</smbconfoption>
49 <smbconfoption name="writeable">yes</smbconfoption>
50 <smbconfoption name="browseable">yes</smbconfoption>
51 </smbconfexample>
52 </para>
54 <para>
55 The modules are used in the order in which they are specified.
56 Let's say that you want to both have a virus scanner module and a recycle
57 bin module. It is wise to put the virus scanner module as the first one so
58 that it is the first that get run an may detect a virus immediately, before
59 any action is performed on that file.
60 <smbconfoption name="vfs objects">vscan-clamav recycle</smbconfoption>
61 </para>
63 <para>
64 Samba will attempt to load modules from the <filename>/lib</filename> directory in the root directory of the
65 Samba installation (usually <filename>/usr/lib/samba/vfs</filename> or <filename>/usr/local/samba/lib/vfs
66 </filename>).
67 </para>
69 <para>
70 Some modules can be used twice for the same share.
71 This can be done using a configuration similar to the one shown in <link linkend="multimodule">the following example</link>.
73 <smbconfexample id="multimodule">
74 <title>smb.conf with multiple VFS modules</title>
75 <smbconfsection>[test]</smbconfsection>
76 <smbconfoption name="comment">VFS TEST</smbconfoption>
77 <smbconfoption name="path">/data</smbconfoption>
78 <smbconfoption name="writeable">yes</smbconfoption>
79 <smbconfoption name="browseable">yes</smbconfoption>
80 <smbconfoption name="vfs objects">example:example1 example example:test</smbconfoption>
81 <smbconfoption name="example1: parameter">1</smbconfoption>
82 <smbconfoption name="example: parameter">5</smbconfoption>
83 <smbconfoption name="test: parameter">7</smbconfoption>
84 </smbconfexample>
85 </para>
87 </sect1>
89 <sect1>
90 <title>Included Modules</title>
92 <sect2>
93 <title>audit</title>
95 <para>
96 A simple module to audit file access to the syslog
97 facility. The following operations are logged:
98 <itemizedlist>
99 <listitem><para>share</para></listitem>
100 <listitem><para>connect/disconnect</para></listitem>
101 <listitem><para>directory opens/create/remove</para></listitem>
102 <listitem><para>file open/close/rename/unlink/chmod</para></listitem>
103 </itemizedlist>
104 </para>
106 </sect2>
108 <sect2>
109 <title>extd_audit</title>
111 <para>
112 This module is identical with the <command>audit</command> module above except
113 that it sends audit logs to both syslog as well as the <command>smbd</command> log files. The
114 <smbconfoption name="log level"/> for this module is set in the &smb.conf; file.
115 </para>
117 <para>
118 Valid settings and the information that will be recorded are shown in <link linkend="xtdaudit">the next table</link>.
119 </para>
121 <table frame="all" id="xtdaudit">
122 <title>Extended Auditing Log Information</title>
123 <tgroup cols="2" align="center">
124 <thead>
125 <row><entry align="center">Log Level</entry><entry>Log Details - File and Directory Operations</entry></row>
126 </thead>
127 <tbody>
128 <row><entry align="center">0</entry><entry align="left">Make Directory, Remove Directory, Unlink</entry></row>
129 <row><entry align="center">1</entry><entry align="left">Open Directory, Rename File, Change Permissions/ACLs</entry></row>
130 <row><entry align="center">2</entry><entry align="left">Open & Close File</entry></row>
131 <row><entry align="center">10</entry><entry align="left">Maximum Debug Level</entry></row>
132 </tbody>
133 </tgroup>
134 </table>
136 <sect3>
137 <title>Configuration of Auditing</title>
139 <para>
140 This auditing tool is more felxible than most people readily will recognize. There are a number of ways
141 by which useful logging information can be recorded.
142 </para>
144 <itemizedlist>
145 <listitem><para>Syslog can be used to record all transaction. This can be disabled by setting
146 in the &smb.conf; file <parameter>syslog = 0</parameter>.</para></listitem>
147 <listitem><para>Logging can take place to the default log file (<filename>log.smbd</filename>)
148 for all loaded VFS modules just by setting in the &smb.conf; file
149 <parameter>log level = 0 vfs:x</parameter>, where x is the log level.
150 This will disable general logging while activating all logging of VFS
151 module activity at the log level specified.</para></listitem>
152 <listitem><para>Detailed logging can be obtained per user, per client machine, etc.
153 This requires the above together with the creative use of the
154 <parameter>log file</parameter> settings.</para>
155 <para>An example of detailed per-user and per-machine logging can
156 be obtained by setting
157 <smbconfoption name="log level">/var/log/samba/%U.%m.log</smbconfoption>.
158 </para></listitem>
159 </itemizedlist>
161 <para>
162 Auditing information often must be preserved for a long time. So that the log files do not get rotated
163 it is essential that the <smbconfoption name="max log size">0</smbconfoption> be set
164 in the &smb.conf; file.
165 </para>
167 </sect3>
169 </sect2>
171 <sect2 id="fakeperms">
172 <title>fake_perms</title>
174 <para>
175 This module was created to allow Roaming Profile files and directories to be set (on the Samba server
176 under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
177 that the Profile files and directories are writeable. This satisfies the client even though the files
178 will never be overwritten as the client logs out or shuts down.
179 </para>
181 </sect2>
183 <sect2>
184 <title>recycle</title>
186 <para>
187 A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
188 to the recycle directory instead of being deleted. This gives the same effect as the
189 <guiicon>Recycle Bin</guiicon> on Windows computers.
190 </para>
192 <para>
193 The <guiicon>Recycle Bin</guiicon> will not appear in <application>Windows Explorer</application> views of the network file system
194 (share) nor on any mapped drive. Instead, a directory called <filename>.recycle</filename> will be
195 automatically created when the first file is deleted. Users can recover files from the
196 <filename>.recycle</filename> directory. If the <parameter>recycle:keeptree</parameter> has been
197 specified, deleted files will be found in a path identical with that from which the file was deleted.
198 </para>
200 <para>Supported options for the <command>recycle</command> module are as follow:
201 <variablelist>
202 <varlistentry>
203 <term>recycle:repository</term>
204 <listitem><para>
205 Relative path of the directory where deleted files should be moved.
206 </para></listitem>
207 </varlistentry>
209 <varlistentry>
210 <term>recycle:keeptree</term>
211 <listitem><para>
212 Specifies whether the directory structure should be kept or if the files in the directory that is being
213 deleted should be kept separately in the recycle bin.
214 </para></listitem>
215 </varlistentry>
217 <varlistentry>
218 <term>recycle:versions</term>
219 <listitem><para>
220 If this option is set, two files
221 with the same name that are deleted will both
222 be kept in the recycle bin. Newer deleted versions
223 of a file will be called <quote>Copy #x of <replaceable>filename</replaceable></quote>.
224 </para></listitem>
225 </varlistentry>
227 <varlistentry>
228 <term>recycle:touch</term>
229 <listitem><para>
230 Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
231 </para></listitem>
232 </varlistentry>
234 <varlistentry>
235 <term>recycle:maxsize</term>
236 <listitem><para>
237 Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
238 </para></listitem>
239 </varlistentry>
241 <varlistentry>
242 <term>recycle:exclude</term>
243 <listitem><para>
244 List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
245 </para></listitem>
246 </varlistentry>
248 <varlistentry>
249 <term>recycle:exclude_dir</term>
250 <listitem><para>
251 Contains a list of directories. When files from these directories are
252 deleted, they are not put into the
253 recycle bin but are deleted in the
254 regular way.
255 </para></listitem>
256 </varlistentry>
258 <varlistentry>
259 <term>recycle:noversions</term>
260 <listitem><para>
261 Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning should be used. Only useful when <emphasis>recycle:versions</emphasis> is enabled.
262 </para></listitem>
263 </varlistentry>
264 </variablelist>
265 </para>
267 </sect2>
269 <sect2>
270 <title>netatalk</title>
272 <para>
273 A netatalk module will ease co-existence of Samba and netatalk file sharing services.
274 </para>
276 <para>Advantages compared to the old netatalk module:
277 <itemizedlist>
278 <listitem><para>Does not care about creating .AppleDouble forks, just keeps them in sync.</para></listitem>
279 <listitem><para>If a share in &smb.conf; does not contain .AppleDouble item in hide or veto list, it will be added automatically.</para></listitem>
280 </itemizedlist>
281 </para>
283 </sect2>
285 <sect2>
286 <title>shadow_copy</title>
287 <warning>
288 <para>
289 <emphasis>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL
290 SOLUTION!</emphasis></para>
291 <para>
292 With Samba or Windows servers, shadow copy is designed to be
293 an end-user tool only. It does not replace or enhance your
294 backup and archival solutions and should in no way be
295 considered as such. Additionally, if you need version
296 control, implement a version control system. You have been
297 warned.</para>
298 </warning>
299 <para>
300 The shadow_copy module allows you to setup functionality that
301 is similar to MS shadow copy services. When setup properly,
302 this module allows Microsoft shadow copy clients to browse
303 "shadow copies" on samba shares. You will need to install the
304 shadow copy client. You can get the MS shadow copy client
305 <ulink noescape="1"
306 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">here.</ulink>.
307 Note the additional requirements for pre-Windows XP clients.
308 I did not test this functionality with any pre-Windows XP
309 clients. You should be able to get more information about MS
310 Shadow Copy <ulink noescape="1"
311 url="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx">from
312 the Microsoft's site</ulink>.</para>
313 <para>
314 The shadow_copy VFS module requires some underlying file system
315 setup with some sort of Logical Volume Manager (LVM) such as
316 LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of
317 this document; however, we will outline the steps we took to
318 test this functionality for <emphasis>example purposes
319 only.</emphasis> You need to make sure the LVM implementation
320 you choose to deploy is ready for production. Make sure you
321 do plenty of tests.</para>
322 <para>
323 Here are some common resources for LVM and EVMS:
324 <itemizedlist>
325 <listitem>
326 <para><ulink noescape="1"
327 url="http://www.sistina.com/products_lvm_download.htm">Sistina's
328 LVM1 and LVM2</ulink></para>
329 </listitem>
330 <listitem>
331 <para><ulink url="http://evms.sourceforge.net/">Enterprise
332 Volume Management System (EVMS)</ulink></para>
333 </listitem>
334 <listitem>
335 <para><ulink url="http://tldp.org/HOWTO/LVM-HOWTO/">The LVM HOWTO</ulink></para>
336 </listitem>
337 <listitem>
338 <para>
339 See <ulink
340 url="http://www-106.ibm.com/developerworks/linux/library/l-lvm/">Learning
341 Linux LVM, Part 1</ulink> and <ulink
342 url="http://www-106.ibm.com/developerworks/library/l-lvm2.html">Learning
343 Linux LWM, Part 2</ulink> for Daniel Robbins' well
344 written a two part tutorial on Linux and LVM using LVM
345 source code and reiserfs.</para>
346 </listitem>
347 </itemizedlist>
348 </para>
349 <sect3>
350 <title>Shadow Copy Setup</title>
351 <para>
352 At the time of this writing, not much testing has been done.
353 I tested the shadow copy VFS module with a specific scenario
354 which was not deployed in a production environment, but more
355 as a proof of concept. The scenario involved a Samba 3 file
356 server on Debian Sarge with an XFS file system and LVM1. I
357 do NOT recommend you use this as a solution without doing
358 your own due diligence with regard to all the components
359 presented here. That said, following is an basic outline of
360 how I got things going.</para>
361 <orderedlist>
362 <listitem>
363 <formalpara>
364 <title>Installed Operating System </title>
365 <para>
366 In my tests, I used <ulink
367 url="http://www.debian.org/devel/debian-installer/">Debian
368 Sarge</ulink> (i.e. testing) on an XFS file system.
369 Setting up the OS is a bit beyond the scope of this
370 document. It is assumed that you have a working OS
371 capable of running Samba.</para>
372 </formalpara>
373 </listitem>
374 <listitem>
375 <formalpara>
376 <title>Install & Configure Samba</title>
377 <para>
378 See the <link linkend="introduction">installation
379 section</link> of this HOWTO for more detail on this.
380 It doesn't matter if it is a Domain Controller or
381 Member File Server, but it is assumed that you have a
382 working Samba 3.0.3 or newer server running.</para>
383 </formalpara>
384 </listitem>
385 <listitem>
386 <formalpara>
387 <title>Install & Configure LVM</title>
388 <para>
389 Before you can make shadow copies available to the
390 client, you have to create the shadow copies. This is
391 done by taking some sort of file system snapshot.
392 Snapshots are a typical feature of Logical Volume
393 Managers such as LVM, so we first need to have that
394 setup.</para>
395 </formalpara>
396 <itemizedlist>
397 <para>
398 The following is provided as an example and will be
399 most helpful for Debian users. Again, this was tested
400 using the "testing" or "Sarge" distribution.</para>
401 <listitem>
402 <para>
403 Install lvm10 and devfsd packages if you have not
404 done so already. On Debian systems, you are warned
405 of the interaction of devfs and lvm1 which requires
406 the use of devfs filenames. Running
407 <command>apt-get update && apt-get install
408 lvm10 devfsd xfsprogs</command> should do the trick
409 for this example.</para>
410 </listitem>
411 <listitem>
412 <para>
413 Now you need to create a volume. You will need to
414 create a partition (or partitions) to add to your
415 volume. Use your favorite partitioning tool
416 (e.g. Linux fdisk, cfdisk, etc.). The partition
417 type should be set to 0x8e for "Linux LVM." In this
418 example, we will use /dev/hdb1.</para>
419 <para>
420 Once you have the Linux LVM partition (type 0x8e),
421 you can run a series of commands to create the LVM
422 volume. You can use several disks and or
423 partitions, but we will use only one in this
424 example. You may also need to load the kernel
425 module with something like <command>modprobe lvm-mod
426 </command> and set your system up to load it on
427 reboot by adding it to
428 (<filename>/etc/modules</filename>). </para>
429 </listitem>
430 <listitem>
431 <para>
432 Create the physical volume with <command>pvcreate
433 /dev/hdb1</command></para>
434 </listitem>
435 <listitem>
436 <para>
437 Create the volume group with and add /dev/hda1 to it
438 with <command>vgcreate shadowvol /dev/hdb1</command>
439 </para>
440 <para>
441 You can use <command>vgdisplay</command> to review
442 information about the volume group.</para>
443 </listitem>
444 <listitem>
445 <para>
446 Now you can create the logical volume with something
447 like <command>lvcreate -L400M -nsh_test
448 shadowvol</command></para>
449 <para>
450 This creates the logical volume of 400MB's named
451 "sh_test" in the volume group we created called
452 shadowvol. If everything is working so far, you
453 should see them in
454 <filename>/dev/shadowvol</filename>.</para>
455 </listitem>
456 <listitem>
457 <para>
458 Now we should be ready to format the logical volume
459 we named sh_test with <command>mkfs.xfs
460 /dev/shadowvol/sh_test</command></para>
461 <para>
462 You can format the logical volume with any file
463 system you choose, but make sure to use one that
464 allows you to take advantage of the additional
465 features of LVM such as freezing, resizing and
466 growing your file systems.</para>
467 <para>
468 Now we have an LVM volume where we can play with the
469 shadow_copy VFS module.</para>
470 </listitem>
471 <listitem>
472 <para>
473 Now we need to prepare the directory with something
474 like <command>mkdir -p /data/shadow_share</command>
475 or whatever you want to name your shadow copy
476 enabled Samba share. Make sure you set the
477 permissions such that you can use it. If in doubt,
478 use <command>chmod 777 /data/shadow_share</command>
479 and tighten the permissions once you get things
480 working.</para>
481 </listitem>
482 <listitem>
483 <para>
484 Mount the LVM volume using something like
485 <command>mount /dev/shadowvol/sh_test
486 /data/shadow_share</command></para>
487 <para>
488 You may also want to edit your
489 <filename>/etc/fstab</filename> so that this
490 partition mounts during the system boot.</para>
491 </listitem>
492 </itemizedlist>
493 </listitem>
494 <listitem>
495 <formalpara>
496 <title>Install & Configure the shadow_copy VFS
497 Module</title>
498 <para>
499 Finally we get to the actual shadow_copy VFS module.
500 The shadow_copy VFS module should be available in
501 Samba 3.0.3 and higher. The smb.conf configuration is pretty
502 standard. Here is our example of a share configured
503 with the shadow_copy VFS module:</para>
504 </formalpara>
505 <para>
506 <smbconfexample id="vfsshadow">
507 <title>Share With shadow_copy VFS</title>
508 <smbconfsection>[shadow_share]</smbconfsection>
509 <smbconfoption name="comment">Shadow Copy Enabled Share</smbconfoption>
510 <smbconfoption name="path">/data/shadow_share</smbconfoption>
511 <smbconfoption name="vfs objects">shadow_copy</smbconfoption>
512 <smbconfoption name="writeable">yes</smbconfoption>
513 <smbconfoption name="browseable">yes</smbconfoption>
514 </smbconfexample>
515 </para>
516 </listitem>
517 <listitem>
518 <formalpara>
519 <title>Create Snapshots and Make Them Available to shadow_copy.so</title>
520 <para>
521 Before you can browse the shadow copies, you must
522 create them and mount them. This will most likely be
523 done with a script that runs as a cron job. With this
524 particular solution, the shadow_copy VFS module is
525 used to browse LVM snapshots. Those snapshots are not
526 created by the module. They are not made available by
527 the module either. This module allows the shadow copy
528 enabled client to browse the snapshots you take and
529 make available.</para>
530 </formalpara>
531 <para>
532 Here is a simple script used to create and mount the
533 snapshots:
534 <screen>
535 #!/bin/bash
536 # This is a test, this is only a test
537 SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
538 xfs_freeze -f /data/shadow_share/
539 lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
540 xfs_freeze -u /data/shadow_share/
541 mkdir /data/shadow_share/@GMT-$SNAPNAME
542 mount /dev/shadowvol/$SNAPNAME /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro
543 </screen>
544 Note that the script does not handle other things like
545 remounting snapshots on reboot.
546 </para>
547 </listitem>
548 <listitem>
549 <formalpara>
550 <title>Test From Client</title>
551 <para>
552 To test, you will need to install the shadow copy
553 client which you can obtain from the <ulink
554 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">Microsoft
555 web site.</ulink> I only tested this with an XP client
556 so your results may vary with other pre-XP clients.
557 Once installed, with your XP client you can
558 right-click on specific files or in the empty space of
559 the shadow_share and view the "properties". If
560 anything has changed, then you will see it on the
561 "Previous Versions" tab of the properties
562 window. </para>
563 </formalpara>
564 </listitem>
565 </orderedlist>
566 </sect3>
567 </sect2>
569 </sect1>
571 <sect1>
572 <title>VFS Modules Available Elsewhere</title>
574 <para>
575 This section contains a listing of various other VFS modules that
576 have been posted but do not currently reside in the Samba CVS
577 tree for one reason or another (e.g., it is easy for the maintainer
578 to have his or her own CVS tree).
579 </para>
581 <para>
582 No statements about the stability or functionality of any module
583 should be implied due to its presence here.
584 </para>
586 <sect2>
587 <title>DatabaseFS</title>
589 <para>
590 URL: <ulink noescape="1" url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink>
591 </para>
593 <para>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer.</ulink></para>
595 <para>
596 I have created a VFS module that implements a fairly complete read-only
597 filesystem. It presents information from a database as a filesystem in
598 a modular and generic way to allow different databases to be used
599 (originally designed for organizing MP3s under directories such as
600 <quote>Artists,</quote> <quote>Song Keywords,</quote> and so on. I have since easily
601 applied it to a student
602 roster database.) The directory structure is stored in the
603 database itself and the module makes no assumptions about the database
604 structure beyond the table it requires to run.
605 </para>
607 <para>
608 Any feedback would be appreciated: comments, suggestions, patches,
609 and so on. If nothing else, hopefully it might prove useful for someone
610 else who wishes to create a virtual filesystem.
611 </para>
613 </sect2>
615 <sect2>
616 <title>vscan</title>
618 <para>URL: <ulink noescape="1" url="http://www.openantivirus.org/projects.php#samba-vscan">http://www.openantivirus.org/projects.php#samba-vscan</ulink></para>
620 <para>
621 samba-vscan is a proof-of-concept module for Samba, which
622 provides on-access anti-virus support for files shared using
623 Samba.
624 samba-vscan supports various virus scanners and is maintained
625 by Rainer Link.
626 </para>
628 </sect2>
629 </sect1>
631 </chapter>