Fileserver
Sharing files in a hostile/untrusted environment
Only file sharing protocols that are encrypted should be accessible from a hostile or untrusted environment - e.g. publicly accessible via the internet. As a general rule, it is safest to only make protocols that are explicitly wrapped in an encryption layer available from hostile networks. Currently those protocols are SCP/SFTP, Rsync, SSHFS (all wrapped in an SSH layer) and FTPS (wrapped in SSL/TLS).
Newer versions of SMB/CIFS (explicitly SMBv3) also support encryption, but encryption was historically never a consideration. So it is recommended to use either a VPN or an SSH tunnel to connect specific external sites that need CIFS/SMB access. If you are sure that you want to expose "naked" CIFS/SMB, please consult the Samba security information first.
TKLBAM backups
TKLBAM works fine with the TurnKey Fileserver. However, please be aware that storing lots of files, large files, and/or files that regularly change significantly can cause backup and restore times to become quite significant. It can also cause backup storage costs to "blow out" and become quite costly. So you may prefer to exclude some less important files from your TKLBAM backups and just back them up locally. If you do that, to make TKLBAM configuration easier, it is recommended to store the files to be excluded from the remote backup in a separate directory from the files to include in the backup. Please see the TKLBAM docs for more details on configuration.
VM vs LXC container
When running a TurnKey Fileserver locally on ProxmoxVE, to provide tighter control and greater separation, it may be preferable to run it within a KVM VM. However many users may prefer to use an LXC guest.
By default there may be some limitations when running in LXC. Many of the filesharing protocols provided by TurnKey Fileserver work fine within an LXC container OOTB, although there are some limitations where further configuration is required. See below for NFS configuration requirements.
For additional/advanced LXC configuration, please see the Proxmox wiki.
NFS in ProxmoxVE LXC container
TurnKey Fileserver includes NFS by default. It's enabled and should "just work" when installed from ISO or using an AMI (AWS). However on LXC, it won't work by default and additional steps are required on the host:
- Ensure that the NFS kernel module package - nfs-kernel-server - is installed on the Proxmox host:
  apt update
  apt install nfs-kernel-server
- Ensure that you use a privileged container. If you have an existing Fileserver container, then either create a new privileged container and transfer your data (e.g. using TKLBAM) or create a Proxmox backup and launch a new LXC server from your backup.
- Disable the container's AppArmor confinement by editing the container config (on the host). Where xxx is your container ID, add this line to /etc/pve/lxc/xxx.conf:
  lxc.apparmor.profile: unconfined
- Ensure that the NFS ports are open - i.e. in the TurnKey firewall if enabled.
Note: you can't mount an NFS share within an LXC container. If you require an NFS share inside a container, mount it to a directory on the host, then mount that directory within the guest.
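The host-side steps above can be checked with a small script. This is an added example, not part of the TurnKey documentation: it audits a container config for the privileged and AppArmor settings, and the function names are hypothetical. It assumes Proxmox marks unprivileged containers with `unprivileged: 1` and starts each snapshot section with a `[name]` line.

```shell
#!/bin/sh
# Added example: audit a Proxmox LXC config for the NFS prerequisites.
# Usage on the Proxmox host: sh check.sh /etc/pve/lxc/<CTID>.conf

# Print only the live section of the config. Snapshot sections start with
# a "[name]" line and describe saved state, not the running container.
live_section() {
    awk '/^\[/ { exit } { print }' "$1"
}

# Return 0 if the container is privileged and AppArmor-unconfined,
# 1 if a prerequisite is missing, 2 if the file cannot be read.
check_nfs_lxc_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    rc=0
    # Assumption: "unprivileged: 1" marks an unprivileged container;
    # an absent key or a value of 0 means privileged.
    if live_section "$conf" | grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$'; then
        echo "$conf: container is unprivileged"
        rc=1
    fi
    # Matches the line exactly as the page gives it (colon form).
    if ! live_section "$conf" |
        grep -Eq '^lxc\.apparmor\.profile:[[:space:]]*unconfined[[:space:]]*$'; then
        echo "$conf: lxc.apparmor.profile is not set to unconfined"
        rc=1
    fi
    return $rc
}

# Package check for the first step; needs dpkg, so run it on the host.
nfs_package_installed() {
    dpkg-query -W -f='${Status}' nfs-kernel-server 2>/dev/null |
        grep -q 'install ok installed'
}

# When called with config paths as arguments, report on each one.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_nfs_lxc_conf "$f" && echo "$f: NFS prerequisites met"
    done
fi
```

Because both settings reduce the container's isolation from the host, the same function is useful for listing which containers carry them.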