
快速部署Samba共享服务器作为k8s后端存储

安装软件包
apt install samba
  • 编辑配置文件:vim /etc/samba/smb.conf,在最末尾添加以下内容(编辑前先用下面的 cp 命令备份原文件)
# cp /etc/samba/smb.conf /etc/samba/smb.conf.bak 

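# NOTE: smb.conf only treats a line as a comment when it STARTS with '#' or ';'.
# Text written after a value is read as part of that value, so a trailing
# "# ..." can turn "read only = no" into an invalid boolean. Every comment
# below therefore sits on its own line.
[Share]
comment = Shared Folder
path = /srv/samba/share
browsable = yes
# Allow writes
read only = no
# Only this Samba account may connect; no guest access is configured
valid users = smbjbl
# Upper bound on the permission bits of files created by clients
create mask = 0664
# Upper bound on the permission bits of directories created by clients
directory mask = 0775
# Permission bits always set on new files
force create mode = 0664
# Permission bits always set on new directories
force directory mode = 0775
# Optional hardening (adjust, then uncomment): limit which hosts may connect
# and require SMB3 transport encryption.
;hosts allow = <cluster-node-subnet>
;server smb encrypt = required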
  • 创建共享目录和用户、设置权限,然后重启服务
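# Create the shared directory
mkdir -p /srv/samba/share
# Create a system account with no home directory and no login shell,
# then give it a Samba password (smbpasswd prompts for it)
useradd -M -s /usr/sbin/nologin smbjbl
smbpasswd -a smbjbl
# Confirm the account is present in the Samba password database
pdbedit -L | grep smbjbl

# Hand the share to the account named in "valid users". The original chown used
# smbuser:smbgroup, which this guide never creates; with mode 0775 smbjbl would
# then only get read access. "smbjbl:" (trailing colon) sets the group to
# smbjbl's login group.
chown -R smbjbl: /srv/samba/share
# Directories 0775, regular files 0664 (the same bits as the smb.conf masks)
find /srv/samba/share -type d -exec chmod 0775 {} +
find /srv/samba/share -type f -exec chmod 0664 {} +
# Check smb.conf for syntax errors first; restart only if it loads cleanly
testparm -s >/dev/null && systemctl restart smbd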

普通客户端挂载测试(必须先通过)

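# Install the CIFS mount helper
apt install cifs-utils -y

# List the shares as smbjbl. Leaving out the "%password" suffix makes smbclient
# prompt for the password, so it does not end up in shell history or in the
# process list.
smbclient -L //172.16.8.56 -U smbjbl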

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	Share           Disk      Shared Folder
	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
	smbjbl          Disk      Home Directories
SMB1 disabled -- no workgroup available
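# Mount the share. Credentials are read from a root-only file instead of
# "-o password=...", which exposes the password in shell history and in the
# process list. Example file (path is illustrative), created with mode 0600:
#   username=smbjbl
#   password=<smbjbl-password>
mkdir -p /mnt/smb
mount -t cifs //172.16.8.56/Share /mnt/smb -o credentials=/root/.smbcredentials
# The last line of df should show the share mounted on /mnt/smb
df -h | tail -n 1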

//172.16.8.56/Share   46G  2.5G   43G   6% /mnt/smb

以下配置SMB-Csi

# 官网
https://github.com/kubernetes-csi/csi-driver-smb/tree/master/charts/v1.17.0

# Register the upstream chart repository (served from the project's master
# branch) and download chart v1.17.0, unpacked into the current directory.
# NOTE(review): the first positional argument to `helm pull` looks redundant;
# the chart reference is csi-driver-smb/csi-driver-smb. Confirm before running.
helm repo add csi-driver-smb https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts
helm pull csi-driver-smb csi-driver-smb/csi-driver-smb  --version v1.17.0 --untar
我的values.yaml文件已经替换好国内镜像了
# egrep -v "^[[:space:]]*#|^$" values.yaml
# Container images used by the chart.
# The sidecar repositories below start with "/", so they are presumably
# appended to baseRepo (confirm in the chart templates).
image:
  baseRepo: registry.cn-hangzhou.aliyuncs.com/google_containers
  smb:
    # NOTE(review): the SMB plugin itself is pulled from a personal namespace on
    # a third-party registry, not from baseRepo, and "smb" is a mutable name
    # rather than a release version. The node plugin performs mounts on every
    # node and typically runs with elevated privileges (confirm in the chart's
    # DaemonSet). Prefer mirroring the upstream release image into a registry
    # you control and referencing an immutable tag or digest.
    repository: ccr.ccs.tencentyun.com/abcdh/abpay
    tag: smb
    # IfNotPresent never re-pulls, so a node keeps whatever it first cached
    # under this tag.
    pullPolicy: IfNotPresent
  csiProvisioner:
    repository: /csi-provisioner
    tag: v5.2.0
    pullPolicy: IfNotPresent
  csiResizer:
    repository: /csi-resizer
    tag: v1.13.1
    pullPolicy: IfNotPresent
  livenessProbe:
    repository: /livenessprobe
    tag: v2.15.0
    pullPolicy: IfNotPresent
  nodeDriverRegistrar:
    repository: /csi-node-driver-registrar
    tag: v2.13.0
    pullPolicy: IfNotPresent
  # csiproxy is commented out: it is only used on Windows nodes
  # csiproxy:
  #   repository: ghcr.io/kubernetes-sigs/sig-windows/csi-proxy
  #   tag: v1.1.2
  #   pullPolicy: IfNotPresent

# Identity and feature switches for the driver.
serviceAccount:
  create: true # When true, service accounts will be created for you. Set to false if you want to use your own.
  controller: csi-smb-controller-sa
  node: csi-smb-node-sa
# The chart also creates the RBAC objects; review the rendered roles
# (`helm template`) before installing to see what the driver may access.
rbac:
  create: true
  name: smb
# Must match the `provisioner` field of any StorageClass that uses this driver
driver:
  name: smb.csi.k8s.io
feature:
  enableGetVolumeStats: true
  # NOTE(review): presumably lets pods declare SMB volumes inline, without a
  # StorageClass/PVC; confirm, and disable if only PVC-based volumes are wanted.
  enableInlineVolume: true
# Settings for the controller Deployment (provisioner/resizer sidecars plus
# the smb plugin container).
controller:
  name: csi-smb-controller
  replicas: 1
  dnsPolicy: ClusterFirstWithHostNet  # available values: Default, ClusterFirstWithHostNet, ClusterFirst
  metricsPort: 29644
  livenessProbe:
    healthPort: 29642
  runOnMaster: false
  runOnControlPlane: false
  # NOTE(review): 5 is a verbose log level; check that mount details logged at
  # this level are acceptable in your log pipeline, or lower it after setup.
  logLevel: 5
  workingMountDir: "/tmp"
  # Only memory is limited; CPU has a request but no limit.
  resources:
    csiProvisioner:
      limits:
        memory: 400Mi
      requests:
        cpu: 10m
        memory: 20Mi
    csiResizer:
      limits:
        memory: 400Mi
      requests:
        cpu: 10m
        memory: 20Mi
    livenessProbe:
      limits:
        memory: 100Mi
      requests:
        cpu: 10m
        memory: 20Mi
    smb:
      limits:
        memory: 200Mi
      requests:
        cpu: 10m
        memory: 20Mi
  affinity: {}
  nodeSelector: {}
  # These tolerations allow (but do not force) scheduling onto control-plane
  # nodes that carry the listed NoSchedule taints.
  tolerations:
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/controlplane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "CriticalAddonsOnly"
      operator: "Exists"
      effect: "NoSchedule"
# Settings shared by the per-node plugin.
node:
  maxUnavailable: 1
  # NOTE(review): verbose log level; consider lowering once the setup works.
  logLevel: 5
  livenessProbe:
    healthPort: 29643
  affinity: {}
  nodeSelector: {}
# Linux node DaemonSet.
linux:
  enabled: true
  dsName: csi-smb-node # daemonset name
  dnsPolicy: ClusterFirstWithHostNet  # available values: Default, ClusterFirstWithHostNet, ClusterFirst
  # Kubelet root directory on the host
  kubelet: /var/lib/kubelet
  krb5CacheDirectory: "" # directory for kerberos credential cache, empty string means default(/var/lib/kubelet/kerberos/)
  krb5Prefix: "" # prefix for kerberos credential cache, empty string means default(krb5cc_)
  # A toleration with operator "Exists" and no key matches every taint, so the
  # node plugin is scheduled on all Linux nodes, control-plane nodes included.
  tolerations:
    - operator: "Exists"
  resources:
    livenessProbe:
      limits:
        memory: 100Mi
      requests:
        cpu: 10m
        memory: 20Mi
    nodeDriverRegistrar:
      limits:
        memory: 100Mi
      requests:
        cpu: 10m
        memory: 20Mi
    smb:
      limits:
        memory: 200Mi
      requests:
        cpu: 10m
        memory: 20Mi
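# Windows node DaemonSet. Disabled here because the cluster has no Windows nodes.
windows:
  # Changed to false. The note must be a YAML comment: text left after the
  # value would turn it into a non-empty string, which Helm treats as true.
  enabled: false
  useHostProcessContainers: true
  dsName: csi-smb-node-win # daemonset name
  kubelet: 'C:\var\lib\kubelet'
  removeSMBMappingDuringUnmount: true
  tolerations:
    - key: "node.kubernetes.io/os"
      operator: "Exists"
      effect: "NoSchedule"
  resources:
    livenessProbe:
      limits:
        memory: 150Mi
      requests:
        cpu: 10m
        memory: 40Mi
    nodeDriverRegistrar:
      limits:
        memory: 150Mi
      requests:
        cpu: 10m
        memory: 40Mi
    smb:
      limits:
        memory: 600Mi
      requests:
        cpu: 10m
        memory: 40Mi
  # csi-proxy is Windows-only; `enabled` below is set to false as well.
  # (Free text after "csiproxy:" would make this mapping fail to parse.)
  csiproxy:
    enabled: false # required if windows.enabled is true and useHostProcessContainers is false, but may be installed manually also
    dsName: csi-proxy-win # daemonset name
    tolerations: {}
    affinity: {}
    username: "NT AUTHORITY\\SYSTEM"
    nodeSelector:
      "kubernetes.io/os": windows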
# Extra metadata applied to the driver's objects (none set)
customLabels: {}
podAnnotations: {}
podLabels: {}
priorityClassName: system-cluster-critical
# Pod-level security context: use the container runtime's default seccomp profile
securityContext:
  seccompProfile:
    type: RuntimeDefault


配置Secret和StorageClass
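# Credentials the CSI driver uses to mount the SMB share.
apiVersion: v1
kind: Secret
metadata:
  name: smbcreds
  namespace: default
type: Opaque
# Values under `data` are base64-ENCODED, not encrypted: anyone who can read
# this Secret (or this file) recovers the password. Limit read access to the
# Secret with RBAC and keep real credentials out of version control.
# Encode without a trailing newline, e.g. `printf '%s' smbjbl | base64`.
# The values originally shown here decoded to "smbjbl\n" and "123456\n"
# (the result of a plain `echo`), which does not match the Samba account.
data:
  username: c21iamJs  # base64 of "smbjbl"
  password: MTIzNDU2  # base64 of the demo password "123456"; use a strong password outside a lab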
---

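# StorageClass that provisions volumes on the Samba share through the
# smb.csi.k8s.io driver.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: smb-sc
provisioner: smb.csi.k8s.io
parameters:
  # SMB server address and share name. Annotations must be YAML comments:
  # anything left after the value becomes part of the source path.
  source: //172.16.8.56/Share
  # Secret holding the SMB username/password, used for provisioning and for
  # mounting on the node
  csi.storage.k8s.io/provisioner-secret-name: smbcreds
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/node-stage-secret-name: smbcreds
  csi.storage.k8s.io/node-stage-secret-namespace: default
volumeBindingMode: Immediate
mountOptions:
  # NOTE(review): 0777 presents every file and directory on the mount as
  # world-writable (and files as executable) inside the pod. If workloads run
  # as uid/gid 1001, 0775/0664 (the server-side masks) should be enough;
  # confirm against your pods' runAsUser before tightening.
  - dir_mode=0777
  - file_mode=0777
  - uid=1001
  - gid=1001
  - noserverino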

测试

# Test claim: requests a dynamically provisioned volume from the smb-sc
# StorageClass. No namespace is set, so it is created in the namespace that
# kubectl targets.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: smb-pvc
spec:
  accessModes:
    # Several pods on different nodes may mount the volume read-write
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: smb-sc
---
# Test pod: mounts the smb-pvc claim at /mnt/smb and appends a timestamp to
# /mnt/smb/outfile once per second.
kind: Pod
apiVersion: v1
metadata:
  name: nginx-smb
  namespace: default
spec:
  containers:
    # NOTE(review): 1.17.3 is an old nginx release; acceptable for a throwaway
    # write test, use a maintained image for anything longer-lived.
    - image: mcr.microsoft.com/oss/nginx/nginx:1.17.3-alpine
      name: nginx-smb
      command:
        - "/bin/sh"
        - "-c"
        - while true; do echo $(date) >> /mnt/smb/outfile; sleep 1; done
      volumeMounts:
        - name: smb01
          mountPath: "/mnt/smb"
          readOnly: false
  volumes:
    - name: smb01
      persistentVolumeClaim:
        claimName: smb-pvc


  • 总结:
    SMB 在跨平台混合环境中不可替代,尤其适合需深度集成 Windows 生态的场景。
    建议根据集群操作系统分布、性能需求及运维复杂度综合选择。

SMB和NFS比较

‌优先选择 NFS 的场景‌
‌纯 Linux 环境‌:需高性能共享存储(如 AI 训练、日志聚合)‌;
‌多 Pod 共享读写‌:如 CI/CD 流水线共享构建目录‌;
‌简化运维‌:社区支持成熟,动态供给方案稳定‌。

‌优先选择 SMB 的场景‌
‌混合操作系统集群‌:含 Windows 节点的 K8S 环境‌25;
‌企业级权限管理‌:需与 Active Directory 集成或细粒度 ACL 控制‌5;
‌遗留系统整合‌:对接已有 Windows 文件服务器‌
  • 核心特性对比

| 特性 | NFS | SMB |
| --- | --- | --- |
| 协议兼容性 | 原生支持类 Unix 系统,Windows 兼容性较差(需额外配置) | 原生支持 Windows,跨平台兼容性更优(Linux/macOS 需 cifs-utils) |
| 性能 | 在 Linux 环境下性能更高(内核级支持,传输效率高) | 处理小文件时性能略低,适合通用文件共享场景 |
| 权限管理 | 依赖服务端本地文件系统权限,需手动同步 UID/GID | 支持 ACL 细粒度权限控制,与 Windows AD 集成更便捷 |
| 动态供给 | 支持成熟(通过 nfs-client-provisioner 实现动态 PV 创建) | 依赖第三方 CSI 驱动(如 smb.csi.k8s.io),配置复杂度较高 |
| 安全性 | 默认无加密,需结合 Kerberos 或 VPN 增强 | 支持 SMB 3.0+ 加密传输,安全性更优(加密需显式启用,例如客户端挂载选项 seal 或服务端要求加密;本文的配置并未启用) |

statefulset测试
---
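# StatefulSet test: each replica gets its own PVC from volumeClaimTemplates
# and appends a timestamp to /mnt/smb/outfile once per second.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: statefulset-smb
  namespace: default
  labels:
    app: nginx
spec:
  serviceName: statefulset-smb
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      nodeSelector:
        "kubernetes.io/os": linux
      containers:
        - name: statefulset-smb
          image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
          command:
            - "/bin/bash"
            - "-c"
            - set -euo pipefail; while true; do echo $(date) >> /mnt/smb/outfile; sleep 1; done
          volumeMounts:
            - name: persistent-storage
              mountPath: /mnt/smb
              readOnly: false
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: nginx
  volumeClaimTemplates:
    - metadata:
        name: persistent-storage
      spec:
        # Must name an existing StorageClass. The one defined earlier on this
        # page is "smb-sc"; with "smb" the claim would stay Pending.
        storageClassName: smb-sc
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi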
