The impetus
To set the stage, my goal setup is twofold.
- TrueNAS box (at 10.0.0.7). The only purpose of this box is to make storage available via the network, and maybe run Syncthing. It’s a decently powerful machine - Intel i5 8500T, 32 gigs of RAM, NVMe SSD boot drive, and 4x 12.73TiB disks running RAIDz1 for a total of about 37TiB worth of actual storage.
- Mini PC (AceMagic AM06 Pro AMD Ryzen) running Proxmox (mostly because I already had Proxmox set up, and I’d like to continue to learn from maintaining it) with most of the capacity dedicated to a Debian 12 virtual machine (at 10.0.0.4). Services include Jellyfin and Navidrome for media streaming, Transmission, FileBrowser, among others.
The goal is to have the NAS live up to its name - network attached storage - not be the one-stop shop for all services on the LAN. It needs to do one thing and do it very well: store and serve my data. (This might change in the future, but for now it makes a lot of sense. I’m still in the requirement-defining phase for a lot of what I actually want to do with the NAS and how to set it up to accomplish this. Mainly the structure of the shares, as well as what exact services make more sense to run on the NAS itself, such as Syncthing.)
To accomplish this, I’ve been fighting with NFS for the past couple weeks (Setting up NFS share on TrueNAS), and haven’t had the wherewithal to dive into NFSv4. Theoretically I think that could solve my issues with file ownership / permissions and authentication, but it still doesn’t seem like a great solution. I got NFS to work, but I was not satisfied with the results. Permissions seem like a lost cause, and I hadn’t yet figured out how to mount at boot or automount.
SMB is an alternative, but I really don’t want to use it - from what I can gather it’s been retrofitted to work with Linux machines, and while fully compatible at this point, I don’t want to rely on it.
Enter stage left: iSCSI. I had absolutely no idea this existed. In short, while NFS and SMB share at the file level, iSCSI shares at the block level - i.e. it shares the disk itself across the network. This immediately clicked as the answer to my problem, at least in theory. Instead of having to wrangle file ownership and permissions on both machines, or just squash them and forget about them entirely, I can use the virtual disk served by the NAS as a normal lettered drive (/dev/sdX) on my mini PC. This means I can format with a filesystem, mount, mount automatically at boot via /etc/fstab, and set file ownership / permissions on the mini PC - the TrueNAS machine doesn’t care.
Some ramifications
- Virtual disks seem to be pre-allocated, as they are zvols instead of datasets (up until this point, I have set all datasets to have the maximum capacity available instead of trying to pre-partition).
- The same issue applies when it comes to multiple machines: if I want to share this disk to multiple machines, I will have to manage users/groups/permissions on both machines.
- I am not yet sure if I even can share this disk with more than one machine.
- The target must support iSCSI. Mounting on demand from another device may not work; it may only be accessible through the mini PC.
The process
Creating the zvol on the TrueNAS machine
- Datasets → Add Zvol
- Name: share
- Size: 1TiB
- Remainder at defaults
- Save
Creating the iSCSI share
- Shares → “Wizard” under “Block (iSCSI) Shares Targets”
- Create or Choose Block Device
- Name: share
- Extent type: Device
- Device: previously created zvol (tank/share)
- Sharing platform: Modern OS
- Target: Create New
- Portal
- Create New
- Discovery Authentication Method: CHAP
- Discover Authentication Group: Create New
- Group ID: 1
- User: root
- Enter secret and confirm secret (no more than 16 characters)
- IP Addresses: Add, then 0.0.0.0
- Initiators: blank
- Save
When prompted to start iSCSI service, make sure “Enable this service to start automatically” is checked, and confirm.
Info
After creation, click the pencil “edit” icon next to the newly created iSCSI share.
Enforce authentication:
- Authentication method: CHAP
- Authentication group number: 1
- Save
Secure the connection to a single device - stopgap for more robust security:
- Add network
- Enter IP: 10.0.0.4/32
Connecting to the shared drive from the initiator machine
Discovering device
Configuring authentication and automatic startup
# /etc/iscsi/iscsid.conf
...
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = root
discovery.sendtargets.auth.password = password
...
node.session.auth.authmethod = CHAP
node.session.auth.username = root
node.session.auth.password = password
...
# /etc/iscsi/nodes/<node-name>/<ip-address:port,options>/default
...
node.startup = automatic
...
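An added example, not part of the original post: a small audit of the iscsid.conf settings shown above. It flags a placeholder CHAP secret and a config file accessible beyond its owner, since the secret sits in that file in cleartext. The 12-character minimum, the placeholder list and the sample values are assumptions; the page only gives the 16-character maximum.

```python
import os
import stat
import tempfile

SCOPES = ("discovery.sendtargets.auth", "node.session.auth")  # keys from the page
PLACEHOLDERS = {"password", "secret", "changeme"}  # constructed deny-list
MIN_LEN, MAX_LEN = 12, 16  # 16 is the page's limit; 12 is an assumed floor

def parse_conf(text):
    """Return active key/value pairs; comments and '...' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_iscsid_conf(path):
    """Return findings about file mode and CHAP settings for one config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:04o} grants group/other access to the CHAP secret")
    with open(path, encoding="utf-8") as handle:
        settings = parse_conf(handle.read())
    for scope in SCOPES:
        if settings.get(f"{scope}.authmethod") != "CHAP":
            findings.append(f"{scope}: CHAP is not enabled")
            continue
        secret = settings.get(f"{scope}.password", "")
        if secret.lower() in PLACEHOLDERS:
            findings.append(f"{scope}: secret is a placeholder")
        elif not MIN_LEN <= len(secret) <= MAX_LEN:
            findings.append(f"{scope}: secret length {len(secret)} not in {MIN_LEN}-{MAX_LEN}")
    return findings

def write_sample(body, mode):
    """Write a constructed config to a temp file and set its permissions."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(body)
    os.chmod(path, mode)
    return path

# Constructed samples: the page's excerpt as written, then a corrected copy.
AS_WRITTEN = "".join(f"{s}.authmethod = CHAP\n{s}.username = root\n"
                     f"{s}.password = password\n" for s in SCOPES)
CORRECTED = AS_WRITTEN.replace("= password", "= Xq7-example-K2")

if __name__ == "__main__":
    for body, mode in ((AS_WRITTEN, 0o644), (CORRECTED, 0o600)):
        print(audit_iscsid_conf(write_sample(body, mode)))
```

On a real initiator, point audit_iscsid_conf at /etc/iscsi/iscsid.conf and run it as a user allowed to read that file.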
Partitioning and formatting the disk
My disk showed up as /dev/sdc.
Mounting the disk automatically at startup
# edit /etc/fstab
...
UUID=<uuid> /<mountpoint> ext4 _netdev 0 0
Final thoughts
- Still haven’t figured out the overall structure/types of libraries to share - I’m pretty sure that I don’t want everything on an iSCSI share.
- Idea: could I expose a subfolder of this as an NFS share? I don’t see why I couldn’t…it would just be from the mini PC IP instead of directly from the TrueNAS server. I’m not sure if that solves any of my issues.
- Security is sketchy. I restricted access to only one client for the time being. Another solution would be to just run all services on the NAS itself, and not have to expose the storage device over the network. Something to look into in the future.
- Related to the foregoing: might try out encryption?