Alexander Kojevnikov | Blog

DIY NAS with Debian Lenny

After playing with FreeNAS I ended up using Debian for my server. FreeNAS is a great distribution if you want an out of the box experience, but I found it hard to customise, mostly because I'm not very familiar with BSDs. Also, they are switching to Debian for the next version. So, Debian it is.

This post will explain how to set up a NAS server with Debian running essential services such as ssh, samba, nfs, cups, rdiff-backup and rtorrent with a web interface; and using two HDDs in RAID 1 mode with everything encrypted. It took me awhile to research all bits and pieces, hopefully it will save you time if you are going to do a similar set up.

Table of contents

Hardware

I use a VIA ARTiGO A2000 barebone storage server. It's powered by a VIA C7-D processor, which has a built-in encryption engine called Padlock — quite useful for our scenario. If you are unsure which server to get, I can highly recommend A2000.

Some parts of this walk-through are specific to A2000 or C7, but most of it will apply to any hardware as long as it includes two HDDs and is compatible with Lenny.

Partition layout

I assume that you know how to use the Debian installer, if not — check the documentation. Because A2000 doesn't have a CD-ROM, I booted the installer from a memory stick, you might need to do the same.

The tricky part of the installation process is disk partitioning. I used the following layout, though there are many ways to do the set up.

First we create RAID 1 partitions. We need a separate partition for /boot, because it won't be encrypted; and for /tmp, because it will have encryption settings different from the root partition. This means we will have three partitions on each disk:

Phew, that was quite a few steps! Now you will see three RAID1 devices in the list, let's set them up:

You should see two encrypted volumes now: md1_crypt is automatically set up to be used as swap (do it manually if it's not); md2_crypt however needs more tweaking.

That's it! With this scheme, data and root partitions sit on top of an LVM group, which sits on top of an encrypted volume, which sits on top of a multi-disk volume. Some people prefer to have separate encrypted partitions for root and for data, but then you will need to enter passphrases for each of them on start up.

Finalising the installation and fixing GRUB

The rest of the installation should be straight-forward. When you reach the "Software selection" screen, make sure you choose "Standard system" and "File server"; and unselect "Desktop environment" — you are not going to need it on a headless server. Also tick off "Print server" if you need (I do).

After everything is installed, boot your server, type your passphrase to unlock the encrypted partition, and login as root. Now, because the installer writes GRUB only to the first disk, we need to install it manually to the second. Without this, if your first disk fails you won't be able to boot:

# grub
grub> root (hd1,0)
grub> setup (hd1)
grub> quit

SSH and sudo

Let's install SSH, otherwise we will need a spare monitor and a keyboard connected to the server:

# aptitude update
# aptitude install ssh

Edit /etc/ssh/sshd_config, I suggest disabling PermitRootLogin and PasswordAuthentication and enabling PubkeyAuthentication. If you decide to use public key authentication, add your public key to ~/ssh/authorized_keys. Then restart sshd, install sudo, and edit the list of sudoers:

# /etc/init.d/ssh restart
# aptitude install sudo
# visudo

Add this line under root, <user> is your non-root login:

<user> ALL=(ALL) ALL

Padlock modules

This section is specific to VIA C7 CPU. As I mentioned, it includes the hardware encryption engine called Padlock. The engine is supported by the Linux kernel, but the support is not enabled by default.

First make sure you have it:

# modprobe padlock_aes
# modprobe padlock_sha

If the modules load fine, these steps (thanks Google Translate!) will auto-load them:

alias aes padlock_aes
padlock-aes  
padlock-sha

These steps are needed because Padlock modules must be loaded at boot, to work with our encrypted partitions. If they are loaded at a later stage, the software encryption modules will not be replaced because they are already in use.

After rebooting, check if Padlock is used. If aes_i586 is in use instead of padlock_aes, you did something wrong:

# lsmod | grep -i aes

To enable hardware encryption for SSL, edit /etc/ssl/openssl.cnf and add this before the [new_oids] section:

openssl_conf = openssl_def

[openssl_def]
engines = openssl_engines

[openssl_engines]
padlock = padlock_engine

[padlock_engine]
default_algorithms = ALL

After the change, observe an enormous speed bump with:

# openssl speed -evp aes-128-cbc

NFS

If you selected "File server" during the installation, NFS should already be up and running. To share the entire /data partition, edit /etc/exports and add this line:

/data   *(rw,sync,no_subtree_check)

Check NFS documentation if you want something different. After changing your exports, reload them with:

# exportfs -a

On the client computers, add this line to /etc/fstab, replacing <server> with the IP of your NAS:

<server>:/data /mnt/data nfs defaults 0 0

Then mount with mount -a. Again, check the docs if you need more control over how the NFS share is mounted.

Samba

As with NFS, Samba should already be running on your server. Append this to /etc/samba/smb.conf, replacing <user> with a non-root login on your server:

[data]
    path = /data
    browseable = yes
    available = yes
    public = yes
    writable = yes
    force user = <user>
    create mask = 0644
    directory mask = 0755

Then restart Samba and you are set:

# /etc/init.d/samba restart

Check Samba docs for more options.

CUPS

The set up heavily depends on the printer model. I have a fairly common Epson colour ink printer, its driver is included in the gutenprint package which gets installed if you select "Print server" during the installation.

You will need to edit /etc/cups/cupsd.conf to make the CUPS web interface accessible from another machine, then just add your printer from http://localhost:631/. Also check /etc/samba/smb.conf, it should have these sections:

[printers]
   comment = All Printers
   browseable = yes
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Check CUPS docs if it doesn't work or if you want to fine-tune permissions.

rTorrent + ruTorrent

FreeNAS comes with Transmission BitTorrent client. It looks nice but the web interface is too simple to my taste, it doesn't even support labels. On the desktop I used to run Deluge, which is great but probably a bit heavy for a small server. After a bit of research I ended up using rTorrent, which is what most blogs recommend for a headless server.

There are quite a few frontends for rTorrent, the one I liked was ruTorrent, its development also seems to be the most active at the moment. It's an almost exact rip-off of a popular Windows-based μTorrent client, hence the name.

ruTorrent requires a recent version of rTorrent compiled with the XML-RPC support. The bad news is that Lenny doesn't have all packages required to build it. This can be circumvented by temporarily switching to testing (aka Squeeze), installing rTorrent's build-deps, then switching back to Lenny. Depending on your situation, switching to testing may not be the best idea, do it only if you are comfortable breaking your system.

After installing build-deps, get the latest tarball of rTorrent, ./configure it with --with-xmlrpc-c option, make and make install. Afterwards, copy an example .rtorrent.rc file to ~/ and edit it to suit your needs. Also follow the steps in the Starting rTorrent on System Startup section.

ruTorrent can work with any web server supporting PHP 5.0, I went for lighttpd. Install it from the official repo, then follow ruTorrent set up guide.

The tricky part is setting up XML-RPC, there are a few contradictions in the the rTorrent and ruTorrent docs but the following works for me™:

Add to ~/.rtorrent.rc:

scgi_port = localhost:5000
encoding_list = UTF-8

Edit /etc/lighttpd/lighttpd.conf as described here. Ignore instructions from rTorrent, they won't work. Restart rTorrent and the web server after you are done:

# /etc/init.d/rtorrent restart
# /etc/init.d/lighttpd force-reload

Backup with rdiff-backup

rdiff-backup is such a fantastic tool: it's available on all major platforms, it's ultra fast and efficient, it performs backups incrementally, it can work over SSH and also it allows to restore files at any point of time. If you don't already use it to backup your home directories — give it a try!

On the server, there's nothing special to be done to install it. Just get it from Debian repos and add your public keys to ~/ssh/authorized_keys — we are going to use SSH.

On Linux clients, invoke it like this, replacing <user> with your login and <server> with the IP of the NAS:

% rdiff-backup /home/<user> <server>::/data/Backup/<user>

On Windows clients, install Putty and follow these steps to generate a compatible key. Then invoke rdiff-backup like this:

rdiff-backup.exe --no-hard-links --remote-schema
    "plink.exe -i C:Users<WinUser>privatekey.ppk %s rdiff-backup --server"
    C:Users<WinUser> <user>@<server>::/data/Backup/<user>

Check rdiff-backup docs for more options, there are plenty!

Performance

Extremely unscientific tests, but they give an idea:

# bonnie++ -d /data/tmp
Version 1.03d       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
server           2G 10862  91 63699  27 29931  12 11483  91 83455  22 196.7   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16  2693  67 +++++ +++  3467  37  2948  47 +++++ +++  3131  38
#
# sync
# dd if=/dev/zero bs=16384 count=131072 of=/data/tmp
131072+0 records in
131072+0 records out
2147483648 bytes (2.1 GB) copied, 40.7823 s, 52.7 MB/s
#
# sync
# dd if=/data/tmp bs=16384 count=131072 of=/dev/null
131072+0 records in
131072+0 records out
2147483648 bytes (2.1 GB) copied, 23.5763 s, 91.1 MB/s

# hdparm -tT /dev/mapper/md2_crypt 

/dev/mapper/md2_crypt:
 Timing cached reads:   584 MB in  2.01 seconds = 291.10 MB/sec
 Timing buffered disk reads:  222 MB in  3.03 seconds =  73.19 MB/sec

hda is a 1TB WD Caviar Green, hdb is a 640GB Seagate Barracuda. I know, using different disk models is bad for RAID 1, but that's what I had. At some point I will get a second 1TB WD, read the next section to find out how to grow the mirror when upgrading drives.

NFS transfers are slower, but good enough for my needs: 49 MB/sec when reading from a NFS share and 23 MB/sec when writing to it.

Growing partitions

When your RAID 1 mirror is filled up you probably want to upgrade the disks with bigger ones. This can be done by replacing the first disk, syncing the mirror, then replacing the second one, and syncing again. After that you need to grow your data partition.

So, shut down your NAS, replace one of the drives, boot up and SSH to it. Check the status the mirror, notice that only one drive is used:

# watch -n 2 cat /proc/mdstat

Personalities : [raid1]
md2 : active raid1 hda3[0]
      622679296 blocks [2/1] [U_]

md1 : active raid1 hda2[0]
      1951808 blocks [2/1] [U_]

md0 : active raid1 hda1[0]
      497856 blocks [2/1] [U_]

unused devices: <none>

Here I assume that hda is used and hdb has been replaced, run fdisk -l to check which is which in your case. Now copy the partition table from hda to hdb:

# sfdisk -d /dev/hda | sfdisk /dev/hdb

Adjust the last partition on hdb: run cfdisk /dev/hdb, select hdb3 and delete it, re-create hdb3 to use the entire free space, change the partition type to "FD Linux raid autodetect", and finally write changes to disk and quit.

Add new partitions to the RAID array and wait until the sync is finished:

# mdadm --add /dev/md0 /dev/hdb1
# mdadm --add /dev/md1 /dev/hdb2
# mdadm --add /dev/md2 /dev/hdb3
# watch -n 2 cat /proc/mdstat

Add grub to hdb:

# grubgrub> root (hd1,0)
grub> setup (hd1)
grub> quit

If you replaced the drive with a bigger one, you need to grow the last partition to take advantage of all available space. Here's how to do it (the steps are borrowed from here):

# mdadm --grow /dev/md2 --size=max

Reboot, then run this:

# pvresize /dev/mapper/md2_crypt
# vgdisplay -A | grep -i free
  Free  PE / Size       X / Y GB

Note the number X, we will use it in the next command. Also replace MAIN-data with the name you used for the /data partition:

# lvextend -l +X /dev/mapper/MAIN-data

Finally, grow the filesystem:

# xfs_growfs /data

The previous command will only work for XFS, adapt it if you use ext3 or another file system.

A2000 tweaks

Inspired by this forum post I replaced stock A2000 fans with Scythe Mini Kaze SY124010L 40mm fan on the CPU and Noctua NF-R8 80mm fan on the rear exhaust. This made A2000 even more quiet. Other than that, I cannot think of any other mod I would like to do, A2000 is a very nice piece of hardware.


  1. When creating a physical volume for encryption, you can select the encryption algorithm and the key size. I use AES, because C7 provides hardware support for it; and 128 bits instead of default 256, because I'm not paranoid. Do your research and preferably select what your hardware supports. Software encryption is likely to be slow unless you have a very fast CPU. 

Published: 2009-11-19

Tags: linux