Hi Fabian, how are you running Samba to do this? It sounds like you're mounting cephfs with the kernel and re-exporting by Samba? There are a whole bunch of ways that will get pretty messy. In this particular case: snapshot folders are fundamentally read only with Ceph and there's not a plausible way to change that.
More generally, stacking things this way will work if samba is the only tenant, but it means you can't scale out samba daemons and any simultaneous cephfs access to the same files will not be consistent. There's an old and creaky Ceph plugin from ~2013 which is available in samba upstream, but there's an IBM team working on a vfs plugin as well that will be substantially more integrated. It integrates well with the upcoming Tentacle release, though I know that's not immediate help. There is some documentation at https://wiki.samba.org/index.php/Samba_4.21_Features_added/changed#New_cephfs_VFS_module. -Greg On Mon, Jun 23, 2025 at 10:16 AM Fabian Wenzel <c...@sky.brightspace.de> wrote: > > Hi everyone, > > when setting up ceph fs (using reef) on my system, I have noticed that there > is an issue with an SELinux environment for an smb-gateway: > > SELinux requires samba shares to be of type samba_share_t. While this can be > achieved with e.g. chcon on the mounted ceph fs (since it supports xattr), it > is not possible to assign an SELinux type to the .snap subfolder, since it is > read-only. Therefore, Is -lZ .snap returns a question mark, and samba access > results in an access denied error to the type "unlabeled_t". > > While it is possible (as a workaround) to implement a rule that allows samba > to access folders of "unlabeled_t", I think a proper solution would be to > assign a label to the .snap folder as well. > > For samba, accessing the .snap folder is essential in order to enable > "previous versions" functionality of the Windows Explorer with the samba > shadow_copy2 vfs, as it can be found in a couple of youtube tutorials > covering ceph fs + samba. > > How could this be done? > > Thanks, > > sophonet > > _______________________________________________ > ceph-users mailing list -- ceph-users@ceph.io > To unsubscribe send an email to ceph-users-le...@ceph.io _______________________________________________ ceph-users mailing list -- ceph-users@ceph.io To unsubscribe send an email to ceph-users-le...@ceph.io
