why i chose solaris for my NAS

fyi: this is all opinion. sure, maybe (insert os with zfs support here) does (thing) better, but i've been floored with zfs on its native platform thus far. i'm not saying you should build your system on solaris- simply stating why i chose to do so.

i recently rebuild my NAS from scratch, having used freeNAS for quite some time- i chose to use solaris 11.3 as the foundation, and i'd like to shed some light on why i made this decision.

for reference, the specifications for the NAS are below:

dell poweredge t320
intel xeon e5-2420 @ 1.9ghz
24gb ddr3-1333 ecc memory
8x seagate ironwolf 2tb (ibm m1015 as hba)
250gb samsung 850 evo nvme
120gb intel ssd 530

the drives are in a 6x raidz2 array with two hot spares- the nvme disk is used for l2arc, and the intel ssd for slog.

but why choose solaris?

i chose solaris because it contains the most mature, feature-complete release of zfs available.


at the time of writing, openzfs does not support native dataset encryption (allowing me to encrypt, say, a dataset with private data, but leave the dataset with my music unencrypted).

openzfs implementations of encryption usually involve pulling in another utility (geli on freeBSD, lofi on linux), which are susceptible to watermarking attacks. for some (potentially most) users this may be a non-issue, but as a member of the infosec community, i do my best to avoid such things.

UPDATE: i was helpfully informed by @debdrup of the following:

GELIs integrity mode using a HMAC, which isn't default, did have a problem where it would write some data in plaintext due to uninitialized memory, but that has been fixed in HEAD and MFC'd.
GELI CBC uses a ESSIV-like and XTS (default, iirc) isn't suceptible to watermarking.

i am not sure whether this applies to lofi on linux, however, which may still be susceptible.

dataset encryption on zfs is simple:

zfs set encryption=on data/private

i will be asked to provide a passphrase, and am also given other options, such as defining a key source, and a storage location.


additionally, the codebase for solaris, and, by extension, zfs, are bulletproof- solaris has had an extremely long lifespan and is, to quote a coworker, the "best unix OS ever made". it is an enterprise-grade operating system by design, and includes a litany of features that improve security and performance.

dataset sharing

although this is present with openzfs, solaris also supports autoconfiguration of samba and nfs to share datasets over the network. for example, if i want to share my music over smb, i simply run the following commands:

svcadm enable -r smb/server
zfs set share=name=music,path=/data/music/,prot=smb data/music
zfs set share.smb=on share.smb.csc=auto data/music

solaris will automatically configure the samba server to share this dataset- all that is necessary from my end beyond that is to configure PAM to require user authentication to mount samba shares, and enable my login user for samba.

licensing? no problem.

solaris' licensing now allows for home use as well- according to wikipedia:

The new license allows Solaris 10 and Solaris 11 to be downloaded free of charge from the Oracle Technology Network and used without a support contract indefinitely however the license only expressly permits the user to use Solaris as a development platform and expressly forbids commercial and "production" use.

so far, i've been extremely pleased with solaris' stability, and given my experience administering it in previous jobs, it wasn't a difficult transition.