newbie all-in-one basic ZFS storage / security questions


vjeko

Member
Sep 3, 2015
73
2
8
63
I have the following setup on a home lab server:
(a) local disk SSD for ESXi + OmniOS/napp-it VM
The following is pass-through to OmniOS:
(b) 2* 80GB SSD in a disk pool running in parallel for VMs
(I have only 2 VMs here)
(c) 2* 1TB HDDs in a disk pool running in parallel for storage/NAS

Basic questions:
(i) On a Windows PC usually a disk is partitioned to have a partition for
Windows/programs and another for user data. What is the best practice
when using ZFS? Do you create separate filesystems/datastores
for each VM and userdata?

(ii) If I want to have a VM for e.g. virus testing, would I need
a separate physical disk for that VM or is a separate
datastore/filesystem sufficient?

(iii) What is the best practice for my bulk storage (c) - is one datastore/filesystem
created or should there be several?

(iv) What would be the best practice to make the bulk storage secure
- what is the required VM and network topology?
 

gea

Well-Known Member
Dec 31, 2010
3,157
1,195
113
DE
ZFS uses storage virtualisation, so you do not handle partitions like with Windows.
You have a ZFS pool (your whole extensible datapool) where you can create ZFS filesystems. The size of a filesystem can grow dynamically up to pool size. You can manage filesystems via quotas, reservations and ZFS properties.

1.
For an AiO I would suggest two datapools, one SSD pool for VMs and one disk-based pool for filer and backup use. On the SSD pool I would create a single filesystem that you share via NFS and use it as an ESXi datastore to place VMs and virtual disks for your VMs. A filesystem per VM makes it complicated without reason.

2.
For a virus test VM, you can use the same datastore. ESXi is very secure and in the event of a very unlikely outbreak of a VM via ESXi a separate datastore would not help. You should only care about NFS or SMB shares (use separate network segments or firewall settings).

3.
One performance pool and one large pool, filesystems as required.

4.
Use different network segments with different vnics, ESXi virtual switches to separate traffic or the OmniOS firewall.
 
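The layout recommended in the reply above, written out as `zfs` commands. This is an added example, not part of the thread: the filesystem names, sizes and subnet are assumptions, and limiting the NFS export to the storage segment is one way to apply the "separate network segments" advice at the share itself.

```shell
#!/bin/sh
# Added example (not from the thread): the two-pool layout as zfs commands.
# Assumed names and sizes: ssdpool/vmstore, hddpool/data, hddpool/backup, 500G, 100G.
DRY_RUN=${DRY_RUN:-1}            # 1 = only print the commands

run() {                          # print in dry-run mode, execute otherwise
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

valid_cidr() {                   # accept only a.b.c.d/prefix, nothing broader
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

layout_plan() {
    net=$1                       # storage segment holding the ESXi NFS vmkernel port
    valid_cidr "$net" || { echo "not a CIDR subnet: $net" >&2; return 1; }

    # One filesystem on the SSD pool serves as the ESXi NFS datastore.
    run zfs create ssdpool/vmstore
    # Export it only to the storage segment; ESXi mounts as root, hence root=.
    run zfs set sharenfs="rw=@$net,root=@$net" ssdpool/vmstore

    # User data lives on the disk pool and is reached over SMB, not NFS.
    run zfs create hddpool/data
    run zfs set quota=500G hddpool/data
    run zfs set sharesmb=name=data hddpool/data

    # Backup target: space guaranteed, not shared at all.
    run zfs create hddpool/backup
    run zfs set reservation=100G hddpool/backup
}

layout_plan 10.10.10.0/24        # constructed subnet; prints the plan
```

Run with `DRY_RUN=0` on the OmniOS VM to execute the commands instead of printing them.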

vjeko

In case someone read my deleted long post - here's my attempt at a short
version :

(a) According to your suggestions, user data is stored only on the hdd
datastore and not on any separate ssd virtual disk - correct ?
(b) What's the difference between creating a folder in the hdd datastore
and pointing to that for a new virtual disk or just creating the virtual disk
pointing to the hdd datastore - both just create vmdk files and both
have folders?
(c) For the case of a VM for virus testing/security, I guess you would
avoid using shared disks - correct? Is one supposed to avoid
shared disks unless data needs to be common to VMs?
 

gea

Not sure if I understood correctly.

a
You can share your ZFS filesystems via NFS or SMB.
Usually you place your ESXi virtual disks (vmfs) on NFS and userdata on SMB shares, not on virtual ESXi disks.

SMB offers shared multiuser access, authorisation and authentication.
A disk, no matter whether it's a virtual disk (ESXi), a real disk or an iSCSI LUN, offers only exclusive access from one operating system at a time (you can only switch a disk).

b
When you create a virtual disk you can place it on any datastore,
locally or on NFS, within the VM folder or on another

c
As said, you cannot share disks.
On SMB shares you can set permissions to restrict access over the SMB fileservice and you have ZFS snaps for versioning or readonly access.
 

vjeko

I came back to play with the AIO and wanted to setup the
filesystems as per gea's recommendations above but am a bit confused (again :)).
I used to have a Windows 10 VM (I presume it is the 3.39GB used in SSDpool - see filesystems.png) but
can't see it in ESXi and I don't know how to check this. I would like to recover the VM, move it temporarily to e.g. HDDpool,
delete then create new SSDpool filesystem - how do I go about doing that?
 


gea

I assume you have mounted the NFS share from the SSD pool in ESXi and created the VM onto this NFS share. You can then

copy/move/backup/restore:
Mount the filesystem via NFS or SMB, e.g. from Windows.
A VM is a simple folder on the share. ZFS snaps are available via Windows previous versions.

Another option for copy:
Do a ZFS replication of the filesystem from ssdpool to hdpool.
If you want to use the replicated filesystem, disable readonly in napp-it menu filesystem. Then mount the NFS share from the hdpool in ESXi.

Import/copy/check a VM in ESXi:
Open the ESXi filebrowser (web-ui storage), go to the NFS datastore. Every VM is a folder. Open the VM folder and with a mouse right click on the .vmx file you can import this VM.
 
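The replication route from the reply above, done by hand with `zfs send`/`zfs receive` instead of a napp-it replication job. This is an added example, not part of the thread; the dataset names, snapshot name and subnet are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): copy a VM filesystem between pools by hand.
# Assumed names: ssdpool/vmstore, hddpool/vmstore_copy, snapshot "migrate".
DRY_RUN=${DRY_RUN:-1}            # 1 = only print the commands

run() {                          # print in dry-run mode, execute otherwise
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

replicate_plan() {
    src=$1; dst=$2; net=$3; snap=${4:-migrate}

    # A filesystem cannot be received into itself or one of its own children.
    case "$dst" in
        "$src"|"$src"/*) echo "target $dst lies inside $src" >&2; return 1 ;;
    esac

    # 1. Freeze a consistent point in time (power the VMs off first).
    run zfs snapshot "$src@$snap"

    # 2. Stream it to the other pool; the target must not exist yet.
    if [ "$DRY_RUN" = 1 ]; then
        echo "zfs send $src@$snap | zfs receive $dst"
    else
        zfs send "$src@$snap" | zfs receive "$dst" || return 1
    fi

    # 3. A snapshot keeps its guid across send/receive: both values must match.
    run zfs get -H -o value guid "$src@$snap" "$dst@$snap"

    # 4. Make the copy writable (the thread notes a replica has readonly set)
    #    and export it to the ESXi storage segment only.
    run zfs set readonly=off "$dst"
    run zfs set sharenfs="rw=@$net,root=@$net" "$dst"
}

replicate_plan ssdpool/vmstore hddpool/vmstore_copy 10.10.10.0/24   # constructed values
```

A plain `zfs send` carries no properties, so the copy does not inherit the source's share settings; that is why the NFS export is set explicitly in step 4.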

vjeko

I updated the screenshots of disk, pool and filesystem above (something was wrong, they couldn't be viewed).

I accessed ESXi via web browser and in Datastore browser only saw the datastore “esxiomnistore” which is for OmniOS (and ESXi is on the same disk).

I then added the datastore:
“Mount NFS datastore”
NFS server = ip of OmniOS,
NFS share = ssdpool/ssdfilesystemname and saw that the content is a Win10.iso
file – if I remember now, in an emergency, I may have removed the disk on which I had installed Win10 from this iso file. I am
not sure whether I need to do anything in napp-it/ZFS
about the removed disk (it was a single disk).

So now I need to
- copy the Win10.iso file to the hddpool
- delete Win10.iso from ssdpool
- delete existing ssdfilesystem and create one ssdfilesystem on ssdpool for several VMs
- install Win10 VM on ssdpool filesystem from VM10.iso from hddpool
- add a data file to the hddpool, e.g. a Word document

Could you please give me a few pointers on how you would go about this including details on
NFS/SMB mounting?
 

gea

I am a little confused and not sure if I understand correctly.

1.)
You create a ZFS filesystem in napp-it menu "ZFS Filesystems" on a pool and enable NFS and SMB in this menu for a filesystem.

2.)
You can now SMB connect to an SMB shared filesystem from Windows.
For management you can connect as user root (assume you have added a password to root after setup).

You can create a regular folder on the share, e.g. iso, where you upload the win.iso.

3.)
Add the NFS share to ESXi with its ip and /pool/filesystem as path. Make sure you have permissions set to everyone = modify. You can now also access the NFS datastore via ESXi file browser in the ESXi web-ui under storage. You may create/check a folder, e.g. iso, or upload files/folders.

4.)
Create a new VM in ESXi.
During creation you can enter the disk where the VM is stored. Select the NFS datastore. In the dvd settings of the VM you can select "physical" dvd drive or iso. Select iso and point to the .iso file.

If you see the content of the win.iso on the share, I assume you have not uploaded the windows.iso file but its content (if you double click a .iso it just opens).
 