
File server

The fileserver allows all clients connected to the internal network to access documentation and multimedia files. A Raspberry Pi 2 powers the fileserver and is connected to at least one hard disk using a USB-to-SATA connector. The contents of the hard disk are encrypted so we do not have to worry about what happens to the disk when it cannot be accessed anymore.

Setup

  • Prepare an SD card with the Raspbian base image
  • Connect a Raspberry to the network
  • Connect the disk(s) to the Raspberry using USB-SATA adapters
  • Configure the gateway to give the Raspberry a fixed IP and the local name 'file' based on its MAC address

When the Raspberry boots, it should get the configured IP address (192.168.1.32 in our case) and is ready to be configured using ssh: ssh pi@file. Now we set up some users. This depends on the type of fileserver you want to build. We use 'core' for members and 'workaway' for guests that are visiting for a longer time.

Install Software

Next we need to install some software. As the system should serve files to any PC in the network, we install samba, and for the disk encryption we install cryptsetup.

sudo apt-get install samba cryptsetup

For easy administration, tmux, dstat, htop and mc are installed as well.

Then we add a user 'echo' to the system, configure a long password together with authorized keys, and add the user to the sudoers file. Then we disable the 'pi' user. Now we create a directory /data with the desired shares and set root ownership on those directories. Add a file 'HARDDISK_NOT_MOUNTED' in every share, so that users see that something is wrong when the Pi has rebooted.

Now we need to partition the disk (or use LVM). When LVM is used, the following commands are slightly different.

Prepare Disk

fdisk /dev/sda

Create a partition for every group of files (core, workaway, public, media) and choose the sizes wisely, as changing them afterwards is not easy. Be aware: we use /dev/sda here. Check dmesg for the actual device name, otherwise you partition and format the wrong device and you lose all your data!

/dev/sda1 100G core
/dev/sda2 100G workaway
/dev/sda3 200G public
/dev/sda4 1.6T media

When the partitions are ready, we need to run cryptsetup luksFormat for each device and provide a passphrase. Store the passphrase in a secure location that you can access when the fileserver needs a reboot.

$ cryptsetup luksFormat /dev/sda1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 

Repeat this for all partitions.

Then create a script in /data that contains a line for each partition:

/data/unlock_disk.sh

#!/bin/bash

echo 'to unlock you need passwords stored on rh'
echo 'run identity file to get the passphrases for cpublic, ccore, cworkaway and cmedia'
echo 'the unlock will take multiple minutes'
echo '---'
echo 'core'
cryptsetup luksOpen /dev/sda1 ccore
echo 'workaway'
cryptsetup luksOpen /dev/sda2 cworkaway
echo 'public'
cryptsetup luksOpen /dev/sda3 cpublic
echo 'media'
cryptsetup luksOpen /dev/sda4 cmedia

Make the script executable and run it as root. It will ask you for the passphrases and create devices in /dev/mapper.

Now we need to format the devices with a filesystem and set the reserved block count to zero, which makes all available space on the disk usable (shown here for ccore).

$ mkfs.ext4 /dev/mapper/ccore
$ tune2fs -r 0 /dev/mapper/ccore

When the devices are formatted they can be added to the fstab. The noauto option is important: without it the Pi will not boot and drops into a shell, because the encrypted devices are not unlocked at boot time. That is a bad thing if you do not have a keyboard and a screen attached:

/dev/mapper/cpublic     /data/public     ext4 defaults,noauto 0 0
/dev/mapper/ccore       /data/core       ext4 defaults,noauto 0 0
/dev/mapper/cworkaway   /data/workaway   ext4 defaults,noauto 0 0
/dev/mapper/cmedia      /data/media      ext4 defaults,noauto 0 0

Then create a script in /data that contains a line for each partition:

/data/mount_disk.sh

#!/bin/bash

mount /dev/mapper/cpublic
mount /dev/mapper/ccore
mount /dev/mapper/cworkaway
mount /dev/mapper/cmedia

Run the script, check that the filesystems are mounted, and correct the ownership and permissions of the directories in /data with chown and chmod:

root@file:~# mount
/dev/mapper/cmedia on /data/media type ext4 (rw,relatime,data=ordered)
/dev/mapper/ccore on /data/core type ext4 (rw,relatime,data=ordered)
/dev/mapper/cworkaway on /data/workaway type ext4 (rw,relatime,data=ordered)
/dev/mapper/cpublic on /data/public type ext4 (rw,relatime,data=ordered)
root@file:~# ls -la /data
total 32
drwxrwxrwx  6 nobody   nogroup  4096 Oct  3 09:01 .
drwxr-xr-x  4 core     core     4096 Oct  3 09:19 core
drwxr-xr-x  6 nobody   nogroup  4096 Oct  2 13:34 media
-rwxr-x---  1 root     root      115 Oct  3 09:01 mount_disk.sh
drwxrwxrwx  4 nobody   nogroup  4096 Oct  3 09:25 public
-rwxr-x---  1 root     root      413 Oct  3 09:01 unlock_disk.sh
drwxr-xr-x  3 workaway workaway 4096 Oct  3 08:57 workaway
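
A mounted-state check for the setup above, as an added example that is not part of the original tutorial: it reports every share directory that is not currently mounted from its /dev/mapper device, which is the state after a reboot until both scripts have been run. The function names and the sample mount table are constructed for illustration.

```shell
# Added example (not from the original tutorial). Mapping names and mount
# points are the ones used in the fstab entries above.
EXPECTED="cpublic:/data/public ccore:/data/core cworkaway:/data/workaway cmedia:/data/media"

# sample_mounts: constructed /proc/mounts content for a server where the
# media partition was never mounted.
sample_mounts() {
    cat <<'EOF'
/dev/root / ext4 rw,noatime 0 0
/dev/mapper/ccore /data/core ext4 rw,relatime,data=ordered 0 0
/dev/mapper/cworkaway /data/workaway ext4 rw,relatime,data=ordered 0 0
/dev/mapper/cpublic /data/public ext4 rw,relatime,data=ordered 0 0
EOF
}

# unmounted_shares [MOUNTS_FILE]
# Prints every share directory that is not mounted from its /dev/mapper
# device, i.e. where clients see the directory on the SD card instead.
unmounted_shares() {
    mounts_file="${1:-/proc/mounts}"
    missing=""
    for pair in $EXPECTED; do
        name="${pair%%:*}"
        dir="${pair#*:}"
        if ! awk -v dev="/dev/mapper/$name" -v mp="$dir" \
                '$1 == dev && $2 == mp { ok = 1 } END { exit !ok }' "$mounts_file"
        then
            missing="$missing $dir"
        fi
    done
    echo "${missing# }"
}

# Demo on the constructed sample; call unmounted_shares without an argument
# on the server to read the live /proc/mounts.
demo="$(mktemp)"; sample_mounts > "$demo"
echo "not mounted: $(unmounted_shares "$demo")"
rm -f "$demo"
```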

Samba

Now it is time to configure samba. Open the file /etc/samba/smb.conf and add the following entries:


[public]
  comment = Files accessible to all local and remote users
  path = /data/public
  browseable = yes
  writeable = yes
  guest ok = yes

[workaway]
  comment = Files that are available for users that workaway
  path = /data/workaway
  browseable = yes
  writeable = yes
  valid users = workaway, core
  force group = workaway
  create mask = 0770
  directory mask = 0770

[core]
  comment = Files that are available for instructed users only
  path = /data/core
  browseable = yes
  writeable = yes
  valid users = @core
  force group = core
  create mask = 0700
  directory mask = 0700


[media]
  comment = Files that make audio or video signals, you cannot upload anything, use public share and inform core member.
  path = /data/media
  browseable = yes
  read only = yes
  guest ok = yes

You should also change the workgroup at the top of the file to 'ecohackerfarm'.

The last step is to set passwords for the users core and workaway:

smbpasswd -a core
smbpasswd -a workaway

Test

Put a file test.txt into each directory in /data and ensure its ownership matches (e.g. /data/workaway/test should be rw for the workaway group).

Check using a client system (e.g. macOS) and connect to the server. Connect with no credentials (guest) and check that you cannot use the shares workaway and core, that you can see the test file in media (but cannot change anything), and that you can see the file in public (and can change it). Repeat this for the workaway and the core user.
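
The guest access this test expects can also be derived from the configuration itself. The following is an added example, not part of the original tutorial: it parses an smb.conf and prints, per share, whether a guest gets no access, read access or write access. The function names are hypothetical and the sample holds only the access-related lines of the four shares above.

```shell
# Added example, not part of the original tutorial: derive guest access per
# share from smb.conf so it can be compared with what the test step expects.

# sample_conf: access-related lines of the four shares defined above.
sample_conf() {
    cat <<'EOF'
[public]
  writeable = yes
  guest ok = yes
[workaway]
  writeable = yes
  valid users = workaway, core
[core]
  writeable = yes
  valid users = @core
[media]
  read only = yes
  guest ok = yes
EOF
}

# guest_access CONF: print "<share> <none|read|write>" for every share.
# Samba defaults apply when a key is absent: guest ok = no, read only = yes.
guest_access() {
    awk '
        function emit() {
            if (share != "" && share != "global")
                print share, (guest ? (rw ? "write" : "read") : "none")
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            emit()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            guest = 0; rw = 0; next
        }
        /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); yes = (tolower(val) ~ /^(yes|true|on|1)$/)
            if (key == "guest ok" || key == "public") guest = yes
            if (key == "writeable" || key == "writable" || key == "write ok") rw = yes
            if (key == "read only") rw = !yes
        }
        END { emit() }
    ' "$1"
}

# Demo on the sample; on the server pass /etc/samba/smb.conf instead.
conf="$(mktemp)"; sample_conf > "$conf"; guest_access "$conf"; rm -f "$conf"
```

Only public should come out as write and only media as read; any other share showing read or write is reachable without credentials.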

When everything is done you should reboot the system to see that the service is coming up nicely. After the reboot the shares are available but the clients should only see the HARDDISK_NOT_MOUNTED message. Log in and execute the scripts /data/unlock_disk.sh (providing the disk passphrases) and /data/mount_disk.sh. Now the clients should see the test.txt again.

Populate with Data

Transferring data to the Pi over wifi can be quite slow. If you plan to put a terabyte of learning material on it, consider plugging the disk into a real PC with SATA, as you will need a 10th of the time:

WIFI: 1MB/s -> 3.6GB/h, the terabyte will take 277h to copy
SATA: 100MB/s -> 360GB/h, the terabyte will take about 3 hours to copy

Publish

Now your visitors and workaways need to know that there is a fileserver and what to do with it. Write end-user documentation of about half a page, put it on the wiki and print it out.

Costs

For the described installation you need a Raspberry Pi 2+, a USB-SATA adapter and a hard disk. The costs in 2016 were: 35EUR for the Pi, 20EUR for the USB-SATA adapter and 71EUR for the 2TB disk. The system uses about 5W of electrical energy and needs to be always on.

This hackerspace provides a fileserver when you connect to the echo-vpn network. Its name is file and it has the IP address 192.168.1.32. It provides media files and public storage for everyone and stores documents only accessible to workaways and the core members.

On Windows:

  • Open Explorer
  • Browse network
  • Find 'ecohackerfarm' and 'file'
  • Connect to the share you want

On macOS:

  • Open Finder
  • Select Connect to Server
  • Enter
    smb://file
  • Select the share you want

On Linux:

  • Open Files
  • Select Connect to Server
  • Enter
    smb://file
  • Select the share you want

As workaway, upload any files (photos, documents or similar) you want to share with other workaways or the core-team into the workaway share. Upload any file you want to share with the whole world to the public share.

  • tutorials/it/file_server.txt
  • Last modified: 2017/11/07 17:45
  • by ecohack