Homelab upgrade - "Modern" alternatives to NFS, SSHFS?
-
Gotta agree. Even better if backed by zfs.
-
By default, unencrypted, and unauthenticated, and permissions rely on IDs the client can fake.
May or may not be a problem in practice, one should think about their personal threat model.
Mine are read-only and unauthenticated because they're just media files, but I did add unneeded encryption via kTLS because it wasn't too hard to add (I already had a valid certificate to reuse).
-
I don't know what you're on about, I'm talking about segregating with vlans and firewall.
If you're encrypting your SAN connection, your architecture is wrong.
-
That's what I thought you were saying
-
NFS is good for hypervisor level storage. If someone compromises the host system you are in trouble.
-
Oh, OK. I should have elaborated.
Yes, agreed. It's so difficult to secure NFS that it's best to treat it like a local connection and just lock it right down, physically and logically.
When I can, I use iSCSI, but tuned NFS is almost as fast. I have a much higher workload than OP, and I still am unable to bottleneck.
-
Have you ever used NFS in a larger production environment? Many companies coming from VMware have expensive SAN systems and Proxmox doesn't have great support for iSCSI.
-
Yes, I have. Same security principles in 2005 as today.
Proxmox iSCSI support is fine.
-
It really isn't.
You can't automatically create new disks with the create new VM wizard.
Also I hope you aren't using the same security principles as 2005. The landscape has evolved immensely.
-
Last time I had a problem with Ceph losing data was during 0.10, does it still happen?
-
If you want to try something that’s quite new and mostly unexplored, look into NVMe over TCP. I really like the concept, but it appears to be too new to be production ready. Might be a good fit for your adventurous endeavors.
-
NFS is fine if you can lock it down at the network level, but otherwise it's Not For Security.
-
sshfs is somewhat unmaintained, only "high-impact issues" are being addressed https://github.com/libfuse/sshfs
I would go for NFS.
-
I preach this to people everywhere I go and seldom do they listen. There's no reason for object storage for a non-enterprise environment. Using it in homelabs is just...mostly insane..
-
If someone compromises the host system you are in trouble.
Not only the host. You have to trust every client to behave, as @forbiddenlake already mentioned, NFS relies on IDs that clients can easily fake to pretend they are someone else. Without rolling out all the Kerberos stuff, there really is no security when it comes to NFS.
-
NFS is bulletproof.
For it to be bulletproof, it would help if it came with security built in. Kerberos is a complex mess.
-
This is just block device over network, it will not allow the use cases OP is asking for. You will still need a filesystem and a file-serving service on top of that.
-
But NFS has mediocre snapshotting capabilities (unless his setup also includes >10g nics)
-
NFS + Kerberos?
But everything I read about NFS and so on: You deploy it on a dedicated storage LAN and not in your usual networking LAN.
-
At least something that's distributed and fail safe (assuming OP targets this goal).
And if Proxmox doesn't support it natively, someone could probably still configure it locally on the underlying Debian OS.
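
An added example, not part of the original thread or written by any commenter: a small Python check for the NFS concerns raised above (unauthenticated and unencrypted by default, IDs the client can fake, Kerberos, TLS), run over a constructed `/etc/exports`. The sample paths and hosts and the `audit_exports` name are assumptions; `sec=`, `xprtsec=` and `no_root_squash` are Linux exports(5) options.

```python
# Added example: flag NFS exports that rely on client-asserted IDs or cleartext.
# Constructed sample /etc/exports (paths and hosts are made up for illustration).
SAMPLE_EXPORTS = """\
# media share
/srv/media   *(ro)
/srv/vmstore 10.0.50.0/24(rw,no_root_squash)
/srv/home    *.lab.example(rw,sec=krb5p)
/srv/backup  10.0.50.7(rw,sec=sys,xprtsec=mtls)
"""

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries.

    Handles the common 'path client(opts) ...' form only; quoted paths,
    line continuations and '-' default-option lists are not parsed.
    """
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, rest = entry.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            kv = dict(o.split("=", 1) for o in opts if "=" in o)
            flavors = kv.get("sec", "sys").split(":")         # exports default: sys
            transport = kv.get("xprtsec", "none").split(":")  # default: TLS not required
            if "sys" in flavors:
                # AUTH_SYS: the server believes whatever UID/GID the client sends.
                findings.append((path, client, "auth_sys"))
                if "*" in client:
                    findings.append((path, client, "wildcard_client"))
            # Encrypted only if every flavor is krb5p or TLS is mandatory.
            if any(f != "krb5p" for f in flavors) and "none" in transport:
                findings.append((path, client, "plaintext"))
            if "no_root_squash" in opts:
                # Root on the client is root on the exported files.
                findings.append((path, client, "no_root_squash"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:13} {client:16} {finding}")
```

The `/srv/backup` entry still reports `auth_sys`: mutual TLS authenticates the client host and encrypts the traffic, but the user IDs inside each request remain whatever that host sends.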