| blob | bc93e296ee47471da8deda5bc1ed372801a5b011 |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
5 %global_entities;
6 ]>
8 <chapter id="VFS">
9 <chapterinfo>
10 &author.jelmer;
11 &author.jht;
12 &author.tpot;
13 <author><firstname>Simo</firstname><surname>Sorce</surname><contrib>original vfs_skel README</contrib></author>
14 <author><firstname>Alexander</firstname><surname>Bokovoy</surname><contrib>original vfs_netatalk docs</contrib></author>
15 <author><firstname>Stefan</firstname><surname>Metzmacher</surname><contrib>Update for multiple modules</contrib></author>
16 <author><firstname>Ed</firstname><surname>Riddle</surname><contrib>original shadow_copy docs</contrib></author>
17 </chapterinfo>
18 <title>Stackable VFS modules</title>
20 <sect1>
21 <title>Features and Benefits</title>
23 <para>
24 Since Samba-3, there is support for stackable VFS (Virtual File System) modules.
25 Samba passes each request to access the UNIX file system through the loaded VFS modules.
26 This chapter covers all the modules that come with the Samba source and references to
27 some external modules.
28 </para>
31 </sect1>
33 <sect1>
34 <title>Discussion</title>
36 <para>
37 If not supplied with your platform distribution binary Samba package you may have problems
38 compiling these modules, as shared libraries are compiled and linked in different ways
39 on different systems. They currently have been tested against GNU/Linux and IRIX.
40 </para>
42 <para>
43 To use the VFS modules, create a share similar to the one below. The
44 important parameter is the <smbconfoption><name>vfs objects</name></smbconfoption> parameter where
45 you can list one or more VFS modules by name. For example, to log all access
46 to files and put deleted files in a recycle bin, see <link linkend="vfsrecyc">next configuration</link>:
48 <smbconfexample id="vfsrecyc">
49 <title>smb.conf with VFS modules</title>
50 <smbconfsection>[audit]</smbconfsection>
51 <smbconfoption><name>comment</name><value>Audited /data directory</value></smbconfoption>
52 <smbconfoption><name>path</name><value>/data</value></smbconfoption>
53 <smbconfoption><name>vfs objects</name><value>audit recycle</value></smbconfoption>
54 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
55 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
56 </smbconfexample>
57 </para>
59 <para>
60 The modules are used in the order in which they are specified.
61 Let's say that you want to both have a virus scanner module and a recycle
62 bin module. It is wise to put the virus scanner module as the first one so
63 that it is the first that get run an may detect a virus immediately, before
64 any action is performed on that file.
65 <smbconfoption><name>vfs objects</name><value>vscan-clamav recycle</value></smbconfoption>
66 </para>
68 <para>
69 Samba will attempt to load modules from the <filename>/lib</filename> directory in the root directory of the
70 Samba installation (usually <filename>/usr/lib/samba/vfs</filename> or <filename>/usr/local/samba/lib/vfs
71 </filename>).
72 </para>
74 <para>
75 Some modules can be used twice for the same share.
76 This can be done using a configuration similar to the one shown in <link linkend="multimodule">the following example</link>.
78 <smbconfexample id="multimodule">
79 <title>smb.conf with multiple VFS modules</title>
80 <smbconfsection>[test]</smbconfsection>
81 <smbconfoption><name>comment</name><value>VFS TEST</value></smbconfoption>
82 <smbconfoption><name>path</name><value>/data</value></smbconfoption>
83 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
84 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
85 <smbconfoption><name>vfs objects</name><value>example:example1 example example:test</value></smbconfoption>
86 <smbconfoption><name>example1: parameter</name><value>1</value></smbconfoption>
87 <smbconfoption><name>example: parameter</name><value>5</value></smbconfoption>
88 <smbconfoption><name>test: parameter</name><value>7</value></smbconfoption>
89 </smbconfexample>
90 </para>
92 </sect1>
94 <sect1>
95 <title>Included Modules</title>
97 <sect2>
98 <title>audit</title>
100 <para>
101 A simple module to audit file access to the syslog
102 facility. The following operations are logged:
103 <itemizedlist>
104 <listitem><para>share</para></listitem>
105 <listitem><para>connect/disconnect</para></listitem>
106 <listitem><para>directory opens/create/remove</para></listitem>
107 <listitem><para>file open/close/rename/unlink/chmod</para></listitem>
108 </itemizedlist>
109 </para>
111 </sect2>
113 <sect2>
114 <title>extd_audit</title>
116 <para>
117 This module is identical with the <command>audit</command> module above except
118 that it sends audit logs to both syslog as well as the <command>smbd</command> log files. The
119 <smbconfoption><name>log level</name></smbconfoption> for this module is set in the &smb.conf; file.
120 </para>
122 <para>
123 Valid settings and the information that will be recorded are shown in <link linkend="xtdaudit">the next table</link>.
124 </para>
126 <table frame="all" id="xtdaudit">
127 <title>Extended Auditing Log Information</title>
128 <tgroup cols="2" align="center">
129 <thead>
130 <row><entry align="center">Log Level</entry><entry>Log Details - File and Directory Operations</entry></row>
131 </thead>
132 <tbody>
133 <row><entry align="center">0</entry><entry align="left">Creation / Deletion</entry></row>
134 <row><entry align="center">1</entry><entry align="left">Create / Delete / Rename / Permission Changes</entry></row>
135 <row><entry align="center">2</entry><entry align="left">Create / Delete / Rename / Perm Change / Open / Close</entry></row>
136 </tbody>
137 </tgroup>
138 </table>
140 </sect2>
142 <sect2 id="fakeperms">
143 <title>fake_perms</title>
145 <para>
146 This module was created to allow Roaming Profile files and directories to be set (on the Samba server
147 under UNIX) as read only. This module will, if installed on the Profiles share, report to the client
148 that the Profile files and directories are writeable. This satisfies the client even though the files
149 will never be overwritten as the client logs out or shuts down.
150 </para>
152 </sect2>
154 <sect2>
155 <title>recycle</title>
157 <para>
158 A Recycle Bin-like module. Where used, unlink calls will be intercepted and files moved
159 to the recycle directory instead of being deleted. This gives the same effect as the
160 <guiicon>Recycle Bin</guiicon> on Windows computers.
161 </para>
163 <para>
164 The <guiicon>Recycle Bin</guiicon> will not appear in <application>Windows Explorer</application> views of the network file system
165 (share) nor on any mapped drive. Instead, a directory called <filename>.recycle</filename> will be
166 automatically created when the first file is deleted. Users can recover files from the
167 <filename>.recycle</filename> directory. If the <parameter>recycle:keeptree</parameter> has been
168 specified, deleted files will be found in a path identical with that from which the file was deleted.
169 </para>
171 <para>Supported options for the <command>recycle</command> module are as follow:
172 <variablelist>
173 <varlistentry>
174 <term>recycle:repository</term>
175 <listitem><para>
176 Relative path of the directory where deleted files should be moved.
177 </para></listitem>
178 </varlistentry>
180 <varlistentry>
181 <term>recycle:keeptree</term>
182 <listitem><para>
183 Specifies whether the directory structure should be kept or if the files in the directory that is being
184 deleted should be kept separately in the recycle bin.
185 </para></listitem>
186 </varlistentry>
188 <varlistentry>
189 <term>recycle:versions</term>
190 <listitem><para>
191 If this option is set, two files
192 with the same name that are deleted will both
193 be kept in the recycle bin. Newer deleted versions
194 of a file will be called <quote>Copy #x of <replaceable>filename</replaceable></quote>.
195 </para></listitem>
196 </varlistentry>
198 <varlistentry>
199 <term>recycle:touch</term>
200 <listitem><para>
201 Specifies whether a file's access date should be touched when the file is moved to the recycle bin.
202 </para></listitem>
203 </varlistentry>
205 <varlistentry>
206 <term>recycle:maxsize</term>
207 <listitem><para>
208 Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
209 </para></listitem>
210 </varlistentry>
212 <varlistentry>
213 <term>recycle:exclude</term>
214 <listitem><para>
215 List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
216 </para></listitem>
217 </varlistentry>
219 <varlistentry>
220 <term>recycle:exclude_dir</term>
221 <listitem><para>
222 Contains a list of directories. When files from these directories are
223 deleted, they are not put into the
224 recycle bin but are deleted in the
225 regular way.
226 </para></listitem>
227 </varlistentry>
229 <varlistentry>
230 <term>recycle:noversions</term>
231 <listitem><para>
232 Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning should be used. Only useful when <emphasis>recycle:versions</emphasis> is enabled.
233 </para></listitem>
234 </varlistentry>
235 </variablelist>
236 </para>
238 </sect2>
240 <sect2>
241 <title>netatalk</title>
243 <para>
244 A netatalk module will ease co-existence of Samba and netatalk file sharing services.
245 </para>
247 <para>Advantages compared to the old netatalk module:
248 <itemizedlist>
249 <listitem><para>Does not care about creating .AppleDouble forks, just keeps them in sync.</para></listitem>
250 <listitem><para>If a share in &smb.conf; does not contain .AppleDouble item in hide or veto list, it will be added automatically.</para></listitem>
251 </itemizedlist>
252 </para>
254 </sect2>
256 <sect2>
257 <title>shadow_copy</title>
258 <warning>
259 <para>
260 <emphasis>THIS IS NOT A BACKUP, ARCHIVAL, OR VERSION CONTROL
261 SOLUTION!</emphasis></para>
262 <para>
263 With Samba or Windows servers, shadow copy is designed to be
264 an end-user tool only. It does not replace or enhance your
265 backup and archival solutions and should in no way be
266 considered as such. Additionally, if you need version
267 control, implement a version control system. You have been
268 warned.</para>
269 </warning>
270 <para>
271 The shadow_copy module allows you to setup functionality that
272 is similar to MS shadow copy services. When setup properly,
273 this module allows Microsoft shadow copy clients to browse
274 "shadow copies" on samba shares. You will need to install the
275 shadow copy client. You can get the MS shadow copy client
276 <ulink noescape="1"
277 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">here.</ulink>.
278 Note the additional requirements for pre-Windows XP clients.
279 I did not test this functionality with any pre-Windows XP
280 clients. You should be able to get more information about MS
281 Shadow Copy <ulink noescape="1"
282 url="http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx">from
283 the Microsoft's site</ulink>.</para>
284 <para>
285 The shadow_copy VFS module requires some underlying file system
286 setup with some sort of Logical Volume Manager (LVM) such as
287 LVM1, LVM2, or EVMS. Setting up LVM is beyond the scope of
288 this document; however, we will outline the steps we took to
289 test this functionality for <emphasis>example purposes
290 only.</emphasis> You need to make sure the LVM implementation
291 you choose to deploy is ready for production. Make sure you
292 do plenty of tests.</para>
293 <para>
294 Here are some common resources for LVM and EVMS:
295 <itemizedlist>
296 <listitem>
297 <para><ulink noescape="1"
298 url="http://www.sistina.com/products_lvm_download.htm">Sistina's
299 LVM1 and LVM2</ulink></para>
300 </listitem>
301 <listitem>
302 <para><ulink url="http://evms.sourceforge.net/">Enterprise
303 Volume Management System (EVMS)</ulink></para>
304 </listitem>
305 <listitem>
306 <para><ulink url="http://tldp.org/HOWTO/LVM-HOWTO/">The LVM HOWTO</ulink></para>
307 </listitem>
308 <listitem>
309 <para>
310 See <ulink
311 url="http://www-106.ibm.com/developerworks/linux/library/l-lvm/">Learning
312 Linux LVM, Part 1</ulink> and <ulink
313 url="http://www-106.ibm.com/developerworks/library/l-lvm2.html">Learning
314 Linux LWM, Part 2</ulink> for Daniel Robbins' well
315 written a two part tutorial on Linux and LVM using LVM
316 source code and reiserfs.</para>
317 </listitem>
318 </itemizedlist>
319 </para>
320 <sect3>
321 <title>Shadow Copy Setup</title>
322 <para>
323 At the time of this writing, not much testing has been done.
324 I tested the shadow copy VFS module with a specific scenario
325 which was not deployed in a production environment, but more
326 as a proof of concept. The scenario involved a Samba 3 file
327 server on Debian Sarge with an XFS file system and LVM1. I
328 do NOT recommend you use this as a solution without doing
329 your own due diligence with regard to all the components
330 presented here. That said, following is an basic outline of
331 how I got things going.</para>
332 <orderedlist>
333 <listitem>
334 <formalpara>
335 <title>Installed Operating System </title>
336 <para>
337 In my tests, I used <ulink
338 url="http://www.debian.org/devel/debian-installer/">Debian
339 Sarge</ulink> (i.e. testing) on an XFS file system.
340 Setting up the OS is a bit beyond the scope of this
341 document. It is assumed that you have a working OS
342 capable of running Samba.</para>
343 </formalpara>
344 </listitem>
345 <listitem>
346 <formalpara>
347 <title>Install & Configure Samba</title>
348 <para>
349 See the <link linkend="introduction">installation
350 section</link> of this HOWTO for more detail on this.
351 It doesn't matter if it is a Domain Controller or
352 Member File Server, but it is assumed that you have a
353 working Samba 3.0.3 or newer server running.</para>
354 </formalpara>
355 </listitem>
356 <listitem>
357 <formalpara>
358 <title>Install & Configure LVM</title>
359 <para>
360 Before you can make shadow copies available to the
361 client, you have to create the shadow copies. This is
362 done by taking some sort of file system snapshot.
363 Snapshots are a typical feature of Logical Volume
364 Managers such as LVM, so we first need to have that
365 setup.</para>
366 </formalpara>
367 <itemizedlist>
368 <para>
369 The following is provided as an example and will be
370 most helpful for Debian users. Again, this was tested
371 using the "testing" or "Sarge" distribution.</para>
372 <listitem>
373 <para>
374 Install lvm10 and devfsd packages if you have not
375 done so already. On Debian systems, you are warned
376 of the interaction of devfs and lvm1 which requires
377 the use of devfs filenames. Running
378 <command>apt-get update && apt-get install
379 lvm10 devfsd xfsprogs</command> should do the trick
380 for this example.</para>
381 </listitem>
382 <listitem>
383 <para>
384 Now you need to create a volume. You will need to
385 create a partition (or partitions) to add to your
386 volume. Use your favorite partitioning tool
387 (e.g. Linux fdisk, cfdisk, etc.). The partition
388 type should be set to 0x8e for "Linux LVM." In this
389 example, we will use /dev/hdb1.</para>
390 <para>
391 Once you have the Linux LVM partition (type 0x8e),
392 you can run a series of commands to create the LVM
393 volume. You can use several disks and or
394 partitions, but we will use only one in this
395 example. You may also need to load the kernel
396 module with something like <command>modprobe lvm-mod
397 </command> and set your system up to load it on
398 reboot by adding it to
399 (<filename>/etc/modules</filename>). </para>
400 </listitem>
401 <listitem>
402 <para>
403 Create the physical volume with <command>pvcreate
404 /dev/hdb1</command></para>
405 </listitem>
406 <listitem>
407 <para>
408 Create the volume group with and add /dev/hda1 to it
409 with <command>vgcreate shadowvol /dev/hdb1</command>
410 </para>
411 <para>
412 You can use <command>vgdisplay</command> to review
413 information about the volume group.</para>
414 </listitem>
415 <listitem>
416 <para>
417 Now you can create the logical volume with something
418 like <command>lvcreate -L400M -nsh_test
419 shadowvol</command></para>
420 <para>
421 This creates the logical volume of 400MB's named
422 "sh_test" in the volume group we created called
423 shadowvol. If everything is working so far, you
424 should see them in
425 <filename>/dev/shadowvol</filename>.</para>
426 </listitem>
427 <listitem>
428 <para>
429 Now we should be ready to format the logical volume
430 we named sh_test with <command>mkfs.xfs
431 /dev/shadowvol/sh_test</command></para>
432 <para>
433 You can format the logical volume with any file
434 system you choose, but make sure to use one that
435 allows you to take advantage of the additional
436 features of LVM such as freezing, resizing and
437 growing your file systems.</para>
438 <para>
439 Now we have an LVM volume where we can play with the
440 shadow_copy VFS module.</para>
441 </listitem>
442 <listitem>
443 <para>
444 Now we need to prepare the directory with something
445 like <command>mkdir -p /data/shadow_share</command>
446 or whatever you want to name your shadow copy
447 enabled Samba share. Make sure you set the
448 permissions such that you can use it. If in doubt,
449 use <command>chmod 777 /data/shadow_share</command>
450 and tighten the permissions once you get things
451 working.</para>
452 </listitem>
453 <listitem>
454 <para>
455 Mount the LVM volume using something like
456 <command>mount /dev/shadowvol/sh_test
457 /data/shadow_share</command></para>
458 <para>
459 You may also want to edit your
460 <filename>/etc/fstab</filename> so that this
461 partition mounts during the system boot.</para>
462 </listitem>
463 </itemizedlist>
464 </listitem>
465 <listitem>
466 <formalpara>
467 <title>Install & Configure the shadow_copy VFS
468 Module</title>
469 <para>
470 Finally we get to the actual shadow_copy VFS module.
471 The shadow_copy VFS module should be available in
472 Samba 3.0.3 and higher. The smb.conf configuration is pretty
473 standard. Here is our example of a share configured
474 with the shadow_copy VFS module:</para>
475 </formalpara>
476 <para>
477 <smbconfexample id="vfsshadow">
478 <title>Share With shadow_copy VFS</title>
479 <smbconfsection>[shadow_share]</smbconfsection>
480 <smbconfoption><name>comment</name><value>Shadow Copy Enabled Share</value></smbconfoption>
481 <smbconfoption><name>path</name><value>/data/shadow_share</value></smbconfoption>
482 <smbconfoption><name>vfs objects</name><value>shadow_copy</value></smbconfoption>
483 <smbconfoption><name>writeable</name><value>yes</value></smbconfoption>
484 <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
485 </smbconfexample>
486 </para>
487 </listitem>
488 <listitem>
489 <formalpara>
490 <title>Create Snapshots and Make Them Available to shadow_copy.so</title>
491 <para>
492 Before you can browse the shadow copies, you must
493 create them and mount them. This will most likely be
494 done with a script that runs as a cron job. With this
495 particular solution, the shadow_copy VFS module is
496 used to browse LVM snapshots. Those snapshots are not
497 created by the module. They are not made available by
498 the module either. This module allows the shadow copy
499 enabled client to browse the snapshots you take and
500 make available.</para>
501 </formalpara>
502 <para>
503 Here is a simple script used to create and mount the
504 snapshots:
505 <screen>
506 #!/bin/bash
507 # This is a test, this is only a test
508 SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
509 xfs_freeze -f /data/shadow_share/
510 lvcreate -L10M -s -n $SNAPNAME /dev/shadowvol/sh_test
511 xfs_freeze -u /data/shadow_share/
512 mkdir /data/shadow_share/@GMT-$SNAPNAME
513 mount /dev/shadowvol/$SNAPNAME /data/shadow_share/@GMT-$SNAPNAME -onouuid,ro
514 </screen>
515 Note that the script does not handle other things like
516 remounting snapshots on reboot.
517 </para>
518 </listitem>
519 <listitem>
520 <formalpara>
521 <title>Test From Client</title>
522 <para>
523 To test, you will need to install the shadow copy
524 client which you can obtain from the <ulink
525 url="http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx">Microsoft
526 web site.</ulink> I only tested this with an XP client
527 so your results may vary with other pre-XP clients.
528 Once installed, with your XP client you can
529 right-click on specific files or in the empty space of
530 the shadow_share and view the "properties". If
531 anything has changed, then you will see it on the
532 "Previous Versions" tab of the properties
533 window. </para>
534 </formalpara>
535 </listitem>
536 </orderedlist>
537 </sect3>
538 </sect2>
540 </sect1>
542 <sect1>
543 <title>VFS Modules Available Elsewhere</title>
545 <para>
546 This section contains a listing of various other VFS modules that
547 have been posted but do not currently reside in the Samba CVS
548 tree for one reason or another (e.g., it is easy for the maintainer
549 to have his or her own CVS tree).
550 </para>
552 <para>
553 No statements about the stability or functionality of any module
554 should be implied due to its presence here.
555 </para>
557 <sect2>
558 <title>DatabaseFS</title>
560 <para>
561 URL: <ulink noescape="1" url="http://www.css.tayloru.edu/~elorimer/databasefs/index.php">http://www.css.tayloru.edu/~elorimer/databasefs/index.php</ulink>
562 </para>
564 <para>By <ulink url="mailto:elorimer@css.tayloru.edu">Eric Lorimer.</ulink></para>
566 <para>
567 I have created a VFS module that implements a fairly complete read-only
568 filesystem. It presents information from a database as a filesystem in
569 a modular and generic way to allow different databases to be used
570 (originally designed for organizing MP3s under directories such as
571 <quote>Artists,</quote> <quote>Song Keywords,</quote> and so on. I have since easily
572 applied it to a student
573 roster database.) The directory structure is stored in the
574 database itself and the module makes no assumptions about the database
575 structure beyond the table it requires to run.
576 </para>
578 <para>
579 Any feedback would be appreciated: comments, suggestions, patches,
580 and so on. If nothing else, hopefully it might prove useful for someone
581 else who wishes to create a virtual filesystem.
582 </para>
584 </sect2>
586 <sect2>
587 <title>vscan</title>
589 <para>URL: <ulink noescape="1" url="http://www.openantivirus.org/projects.php#samba-vscan">http://www.openantivirus.org/projects.php#samba-vscan</ulink></para>
591 <para>
592 samba-vscan is a proof-of-concept module for Samba, which
593 uses provides on-access anti-virus support for files shared using
594 Samba.
595 samba-vscan supports various virus scanners and is maintained
596 by Rainer Link.
597 </para>
599 </sect2>
600 </sect1>
602 </chapter>