Shares, exports, and protocol configuration
This chapter explains file exports or shares for the various client platforms, the different export options, and the different client mount options. It explains permissions and access control list (ACL) management for these shares and preferred practices for data access, performance, and security.
This chapter describes the following topics:
Shares or exports can be managed through the graphical user interface (GUI) or command-line interface (CLI) by IBM Scale Out Network Attached Storage (SONAS) administrator users or users that have a user role of Administrator defined in the cluster. SONAS users are not authorized to manage SONAS system shares or exports.
For example, a user, as an external user, is not able to change the name or the SONAS system configuration settings of a share or export, even if that user is the owner of the shared or exported directory. They control the data, but not the share. For that reason SONAS administrators must understand and protect the needs and requirements of the data owners when they create and manage the shares.
A share or export results from making a disk space accessible through the protocols that are specified during its creation. The following shares and exports can be created if the corresponding protocol is enabled for the system:
•Hypertext Transfer Protocol (HTTP)
•Secure Copy Protocol (SCP)
•File Transfer Protocol (FTP)
•CIFS
•NFS
Shares and exports can be created only for data that is stored in the IBM General Parallel File System (IBM GPFS) file system of the SONAS system. Non-GPFS file system content cannot be shared or exported.
6.1 Choices when you are creating a share or export
You have the following choices when you are creating a share or export:
•Sharing or exporting an existing directory that contains user files or data other than.snapshots and quota metadata, where no changes to ACLs or ownership are possible.
|
Tip: Because ownership of an existing file set path cannot be changed when you are creating a share or export that contains user files or data, ensure that the ownership and corresponding ACLs of all of the directories in the entire path to which the file set is linked are correct. Do this task before you create a share or export on an existing path that contains user files or data.
|
•Sharing or exporting a new directory, which is created during execution, and optionally specifying an owner for this newly created directory.
|
Tip: When a file system or file set is created, and the owner is not specified, the default owner/group/permissions of the new path is root/root/700.
|
Creating a share or export on a path with owner root might render the share or export inaccessible to users. When you use the GUI to create a share or export, specifying an owner is not mandatory if the directory exists and the owner is not root. Otherwise, when you use the GUI to share or export a new directory, or an existing directory that is owned by root, specifying an owner for the share or export directory is mandatory.
|
Tip: This requirement is true even when ACLs are configured with inheritance. Owner specification does not affect ACL settings, including group ACL definitions.
|
Owner specification is still required when you are using the GUI to create a share or export, even though the share or export definition enables ACL manipulation on subdirectories. For example, an NFS export that is configured with the no_root_squash option.
6.2 Background information for creating shares and exports
To access the share or export, a user must have appropriate permissions for accessing the path, and ACL authorization to read (r) and execute (x) each directory in the full path.
If a SONAS system administrator disables the --bypassTraversalCheck option of the chcfg SONAS CLI command, which is enabled by default, retains the traversal rights entry to ensure that users are able to access the share or export and its subdirectories.
For example, to access a share or export that is mounted at /ibm/mydir/mysubdir/myexport, the preceding ACLs, at a minimum, must be applied to /ibm, /ibm/mydir, /ibm/mydir/mysubdir, and /ibm/mydir/mysubdir/myexport.
6.3 Managing authentication and ID mapping
To enable user read and write access to directories and files on the SONAS system, you must configure the SONAS environment for user authentication. You can configure an external server for authentication and authorization of users and groups. Only one user authentication method, and only one instance of that method, can be supported at any time. If Active Directory (AD) is configured, use the principle AD domain.
If Lightweight Directory Access Protocol (LDAP) is used and multiple LDAP servers are configured, they must be replicas of the same master LDAP server, or they can be any LDAP hosts with the same schema, which contain data that is imported from the same LDAP Data Interchange Format (LDIF) file.
6.3.1 Authentication server conditions
The following conditions must be met:
•Ensure that an authentication server external to the SONAS system is installed with the correct connectivity to and from the SONAS environment.
|
Note: The CLI and GUI do not provide any means to configure or manage the external authentication server.
|
•You can configure only one type of authentication server, at any time. The following authentication servers are supported:
– LDAP
– LDAP with MIT Kerberos
– SAMBA Primary Domain Controller (PDC) on Microsoft Windows NT version 4 (NT4)
– Active Directory Server (ADS), which works as Kerberos, and AD with Microsoft Windows Services for UNIX (SFU)
– Network Information Service (NIS) as an extension to AD/Samba PDC
– Added support in SONAS 1.5.1.0 for local authentication server, and hosting an authentication server within SONAS
•Obtain, in advance, the administrative information as required by the implementation steps for the authentication server, such as the administration account, password, Secure Sockets layer (SSL) certificate, and Kerberos keytab file.
|
Important: Obtaining this administrative information is an important requirement for SONAS or IBM Storwize V7000 Unified configuration.
|
6.3.2 Server-side authentication configuration
The SONAS system provides server-side authentication configuration for these services:
•CIFS
•FTP
•SCP
•NFS version 3 (NFSv3)
•NFS version 4 (SONAS 1.5.1 and later)
•HTTP Secure (HTTPS)
For the configuration of NFSv3, only the protocol configuration is done. Because authentication occurs on the NFSv3 client side, configure the authentication on the clients that are attaching to an SONAS system. This process is a manual procedure, which is described in detail in the IBM Knowledge Center:
•Only the interface nodes are configured for authentication. Storage nodes are not part of this configuration.
•The SONAS system must be cluster and network configured (as a part of initial installation) before authentication server configuration is started.
•Ensure that all SONAS nodes are in time synchronization (by using an Network Time Protocol (NTP) Server) with the authentication server. Authentication does not work correctly if the time is not synchronized across the cluster nodes.
•For Kerberos, create service principals for all of the services that are managed by the Kerberos domain controller; that is, the host, CIFS, and NFS.
6.3.3 Other authentication elements
The following other authentication elements are supported by the SONAS system:
•Netgroups. Groups of hosts are used to restrict access for mounting NFS exports on a set of hosts, and deny mounting on the remainder of the hosts. The SONAS system supports netgroups that are stored in NIS, in LDAP, in SFU as Server for NIS, or in local files.
•Kerberos. The SONAS system supports Kerberos only with AD. It also supports Kerberos optionally with LDAP, but not with the internal OpenLDAP server.
•SSL or Transport Layer Security (TLS). These protocols are primarily used to increase the security and integrity of data that is sent over the network. These protocols are based on public key cryptography and use digital certificates that are based on X509 for identification.
6.4 Establishing user and group mapping for client access
Map the Microsoft Windows security identifiers (SIDs) to the UNIX 32-bit user identifiers and group identifiers (UID and GID).
6.4.1 Central ID mapping for users and groups
A Microsoft Windows system uses SIDs internally to identify users and groups.
A UNIX system like the SONAS system requires a 32-bit UID/GID. It is necessary to map the Windows SID to the UNIX UID/GID. The mapping of Windows security identifiers is done by using the winbind system, which supports several pluggable mapping systems, depending on the customer environment. Common SID mapping schemes are the RFC2307 SFU scheme or a reserved ID range (RID) scheme. Both mapping schemes are coherent across the system.
The SONAS system supports the following authentication server integrations:
•LDAP
•LDAP with MIT Kerberos
•Samba Primary Domain Controller (PDC) on Microsoft Windows NT version 4 (NT4)
•Active Directory Server (ADS), which works as Kerberos, and Active Directory (AD) with Microsoft Windows Services for UNIX (SFU)
•Network Information Service (NIS) as an extension to AD/Samba PDC
•Local authentication server hosted within SONAS
The following types of server integration support central ID mapping:
•LDAP, where the UID or GID is stored in a dedicated field in the user or group object on the LDAP server
|
Tip: Netgroups, which are managed by LDAP, are supported.
|
•Active Directory with SFU, where the UID or GID is stored in a dedicated field in the user or group object on the ADS
|
Tip: The SFU schema extension or W2003R2 is required. NIS in extended mode can be used for netgroups. This is often considered the preferred practice method for SONAS authentication, and the easiest service to maintain overall.
|
•SONAS 1.5.1 supporting deterministic ID mapping and tools to maintain consistent ID maps of 2 or more SONAS clusters
•NIS as an extension to AD/Samba PDC
|
Tip: The SONAS system supports NIS as an extension over AD/Samba PDC in two modes, either netgroups only or netgroups and ID mapping. In the latter mode, ID mappings are stored on, and read from, the NIS server.
|
The UID/GID can be used by the SONAS system and also by other systems, such as NFS clients and multiple SONAS systems (including replication sites).
6.4.2 Manual ID mapping for users and groups
When central ID mapping is not established or cannot be used, such as when pure AD without SFU or a Samba PDC is used, the mapping must be manually established on every NFS client that must to attach to, and work with, the files of the SONAS system. This ensures that the ID mapping on the client is identical to the mapping from the SONAS system.
Manual mapping
To establish the manual mapping, complete the following steps:
1. Determine the UID/GID of a user that exists in the SONAS system by using the chkauth command. See the man page of the chkauth CLI command for complete usage information. For example:
# chkauth --userName w2k3dom01\laura -iOutput is displayed in the following format:
Gid = 10000017, Uid = 10000000, Home Directory = /var/opt/IBM/sofs/scproot,
Template Shell = /usr/bin/rssh2
2. Define users manually on the client with the same UID/GID. Edit the /etc/passwd file on all clients that require access. Using the example from step 1 on page 176, the following line must be added:
laura::10000000:10000017::/:
|
Important: The information on the SONAS system for the home directory and template shell are more restrictive than what must be applied on the client. The previously shown example does not provide or apply such settings, and only describes the information that is required for UID/GID to be consistent on all the clients and the SONAS system.
|
6.5 Managing authorization and access control lists
Authorization grants or denies an already authenticated identity. Access control must prevent unauthorized access to SONAS system resources.
Detailed information about SONAS or Storwize V7000 Unified authentication is discussed in Chapter 2, “Authentication” on page 25. It is important to fully understand data access and authentication to understand data shares or exports from SONAS. Managing authentication and ID mapping for SONAS authentication information is described in 6.9, “Connecting with other protocols” on page 202.
6.5.1 Access Control List and Access Control Entry
An access control list (ACL) is a list of permissions that is associated with a resource. An access control entry (ACE) is an individual entry in an access control list, and describes the permissions for an individual user or group. An ACL usually consists of multiple ACEs. An ACL describes which identities are allowed to access a particular resource. ACLs are the built-in access control mechanism of the UNIX and Windows operating systems.
The SONAS system uses the Linux built-in ACL mechanism for access control to files that are stored on the SONAS system. Types of access include read, write, and execute. A file that can be accessed by a user is in a SONAS file system that is created using the General Parallel File System (GPFS). Example 6-1 on page 177 shows sample output from running the mmgetacl command on a file in SONAS.
Example 6-1 Sample output from running “mmgetacl” on a file in SONAS
[[email protected] testdir]# mmgetacl file418
#NFSv4 ACL
#owner:root
#group:root
special:owner@:rw-c:allow
(X)READ/LIST (X)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (-)READ_NAMED
(-)DELETE (-)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (-)WRITE_NAMED
special:group@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (-)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:everyone@:----:allow
(-)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (-)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
|
Note: (-) means not selected and (X) means selected in the output in Example 6-1.
|
Starting with SONAS 1.5.1, the on-disk format of the ACL changes, and is as shown in Example 6-2.
Example 6-2 New ACL format with SONAS 1.5.1
mmgetacl redbookexport2
#NFSv4 ACL
#owner:STORAGE4TEST
edbook2
#group:STORAGE4TESTdomain users
#ACL flags:
# OWNER_DEFAULTED
# GROUP_DEFAULTED
# DACL_PRESENT
# DACL_DEFAULTED
# SACL_PRESENT
# NULL_SACL
special:owner@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:group@:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:everyone@:--x-:allow:DirInherit
(-)READ/LIST (-)WRITE/CREATE (-)MKDIR (-)SYNCHRONIZE (-)READ_ACL (-)READ_ATTR (-)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
user:STORAGE4TEST
edbook2:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:STORAGE4TESTdomain users:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
Note that all users and groups must be part of the domain and known to the domain server that is used by the SONAS system. If the domain server does not recognize the user and group used in the ACL, the SONAS system does not recognize them, and does not add the correct entries to the internal database.
There are a broad range of ACL formats, which differ in syntax and semantics. The ACL format that is defined by Network File System version 4 (NFSv4) is called NFSv4 ACL.
GPFS supports the NFSv4 ACL format; this implementation is sometimes referred to as GPFS NFSv4 ACL. Therefore, this is also what is supported with SONAS and Storwize V7000 Unified.
The SONAS system stores all user files in GPFS. Access protection in the SONAS system is implemented in GPFS using NFSv4 ACLs, and is enforced for all of the protocols that are supported by the SONAS system: CIFS, NFS, FTP, HTTPS, and SCP.
The implementation of NFSv4 ACLs in GPFS does not imply that GPFS or the SONAS system supports NFSv4. The SONAS system supports NFS version 2 (NFSv2) and NFS version 3 (NFSv3), in the current release.
|
NFSv4.0 on SONAS 1.5.1: For SONAS 1.5.1 and later, support for NFSv4.0 is added. This version is the IBM implementation of the NFSv4 protocol. This implementation also supports the NFSv3 protocol.
|
Changes to on-disk ACL format and support for Creator Owner and Creator Group in SONAS 1.5.1
Starting with SONAS 1.5.1, the on-disk format of the ACLs is changed to improve the inheritance behavior of ACLs to match the Windows behavior, and to support Creator Owner and Creator Group entries. All newly created file systems benefit immediately from this improvement. Existing file systems must be updated as described in the Upgrading ACL from V 1.4.x to V 1.5.1 section of the SONAS information in the IBM Knowledge Center:
Without an update, the inheritance behavior matches the Windows behavior only for folders with newly set ACLs, but not for all new folders. Also, the ACL update is required to enable Creator Owner ACLs.
The only method to administer ACLs in the SONAS system is with a Windows client and CIFS protocol, by using the Windows Security dialog in Windows Explorer (see Figure 6-1 on page 179) to adjust the ACLs.
|
Tip: SONAS v1.5.1 and later provides support to view and modify ACLs by using either the CLI or the GUI. For more information, see the Authentication chapter in IBM SONAS Implementation Guide, SG24-7962.
|
Figure 6-1 Sample session of the Windows Security Dialog pane
The owner can be changed, and has permission to read and write the ACL of the owned file regardless of the settings in the ACE. This implementation prevents a user from locking themselves out of setting the access rights for files that they own.
A correctly authorized SONAS system administrative user can change the owner, group, or both, of a file system, file set, share, or export by using the chowner CLI command, if the object does not contain any directories or files other than the.snapshots subdirectory and quota files. An administrative user cannot modify ACLs.
6.5.2 ACL permissions
The ACL permissions Read Permissions and Read Attributes are required to list a file.
A file owner requires only the Read Attributes permission to list a file, because the permission Read Permissions is implied. A different user must have both the Read Permissions and Read Attributes permissions enabled to reliably list the file. These permissions are both automatically granted together when read access is granted.
The inheritance of ACEs in the ACL from the owner of a directory to subdirectories and files works only for subdirectories and files that have the same owner as the parent directory.
A subdirectory or file that is created by a different owner does not inherit the ACE of a parent directory that is owned by another user. In this case, the owner of the newly created subdirectory or file must explicitly set an ACE for the newly created subdirectory or file that is appropriate for the owner of the parent directory. All of the other ACEs are inherited, whether the owner of the new file or directory is changed or retained.
|
Remember: The preceding restriction does not apply to SONAS version 1.5.1 and later. The inheritance behavior of ACLs matches the Windows behavior and also now supports Creator Owner and Creator Group entries.
|
For Microsoft Windows clients, the SONAS system maps NFSv4 ACLs to Windows NT ACLs, and does a reverse mapping for Windows NT ACLs that are set by Windows workstations. GPFS NFSv4 ACLs and CIFS ACLs are not equivalent.
For example, CIFS supports unlimited nested groups, which are not fully supported by GPFS NFSv4 ACLs. The SONAS system maps most of the CIFS ACL features to GPFS NFSv4 ACLs, with some limitations.
The ownership of a file cannot be migrated by using a user ID; you must configure and use an SONAS system administrative user to do data migration. When migrating existing files and directories from other systems to the SONAS system, the ACL might not contain explicit traversal rights for the users because the source system can grant this right implicitly. After migrating the files with ACLs, ensure that traversal rights are granted to the parent directory of each exported path.
6.5.3 BypassTraversalCheck privilege
One such example is the Windows BypassTraversalCheck privilege. You can enable the optional --bypassTraversalCheck option of the chcfg SONAS CLI command to allow CIFS users to traverse through directories without explicit ACL permissions.
Listing of files in a directory must still be permitted by the ACL read permission.
For example, in the directory structure /A/B/C, assume that a CIFS user has read permission on C but no permissions on A and B. When the --bypassTraversalCheck option is set to its default value of yes, this CIFS user can access C without having Traverse Folder and Execute File permissions set to allow on A and B, but it is still not allowed to browse the contents of A and B.
|
Tip: Setting the --bypassTraversalCheck option enables a user to directly access files and folders that the user owns, and that are contained under parent folders for which the user does not have Read or Write permissions. Users without Read and Execute access to the share or export in which the user-owned files and folders are located can Read and Modify the files inside the export for which the user has permissions granted by the --bypassTraversalCheck option.
However, in this case, operations like Rename file and Delete file are not granted by default. This is normal CIFS behavior. Modify ACLs as required to enable these operations.
|
6.5.4 POSIX bits
The Portable Operating System Interface (POSIX) bits of a file are another authorization method, which is different from ACLs. POSIX bits can also be used to specify access permissions for a file. UNIX file systems enable you to specify the owner and the group of a file. You can use the POSIX bits of a file to configure access control for an owner, a group and for all users to read, update, or execute the file. POSIX bits are less flexible than ACLs.
|
Tip: Changing the POSIX bits of a GPFS file system triggers a modification of the file system’s GPFS NFSv4 ACL, including the deletion of some ACEs. Because the SONAS system uses GPFS NFSv4 ACLs for access control, SONAS administrators should avoid changing the POSIX bits of files that are stored on the SONAS system, unless these specific GPFS NFSv4 ACL modifications and ACE deletions are clearly intended.
|
NFSv3 clients can set and read the traditional UNIX permissions. NFSv3 clients setting UNIX permissions reduce the ACL to match the UNIX permissions. In most NFS-only cases, the POSIX permissions are used directly. For NFSv3 clients, file sharing with CIFS access protection is done by using NFSv4 ACLs in GPFS, but NFSv3 clients only see the mapping of ACLs to traditional UNIX access permissions. The full NFSv4 ACLs are enforced on the server, and not necessarily the client.
6.5.5 Displaying and changing a file system directory’s owner and group
Use the lsowner CLI command to display the owner and group of a directory in a file system. (see Example 6-3). An authorized SONAS administrative user can use the chowner CLI command to change the owner, the group, or both the owner and group, of an empty directory in a file system.
Example 6-3 Sample output of checking the owner of a file when the fully qualified path is used
$lsowner /ibm/gpfs0/testdir/file418
Owner Uid Group Gid
root 0 root 0
EFSSG1000I The command completed successfully.
The chowner CLI command changes only the owner and group that is assigned to the specified directory. It does not change the authorization of the owner or group. The authorization is derived from the system umask, or from inherited ACLs from higher-level directories. The chowner CLI command can only be used for a file system directory path that does not contain user files or subdirectories. You must specify the directory path enclosed in quotes, and you can optionally specify an owner, a group, or both using the syntax owner:group, as described in the following scenarios:
•To change only the group and not the owner, you must precede the group name with a colon, using the syntax :group.
•To change only the owner and not the group, use the syntax owner, without a colon.
•To change the owner and also change the group to the new owner’s primary group, suffix the owner with a colon, using the syntax owner:.
The following paragraphs provide some specific examples:
•To change only the owner of directory /nas/gpfs0/myexport to mydomain\testuser, and change the specified directory’s group to mydomain\testgroup, enter the following command:
$ chowner 'mydomain\testuser:mydomain\testgroup' /nas/gpfs0/myexport/
•To change only the owner of directory /nas/gpfs0/myexport to mydomain\testuser without changing the specified directory’s group, enter the following command:
$ chowner 'mydomain\testuser' /nas/gpfs0/myexport/
•To change the owner of directory /nas/gpfs0/myexport to mydomain\testuser, and also change the specified directory’s group to be the primary group of the new owner, enter the following command:
$ chowner 'mydomain\testuser:' /nas/gpfs0/myexport/
•To change the group of directory /nas/gpfs0/myexport to mydomain\testgroup, without changing the specified directory’s owner, enter the following command:
$ chowner ':mydomain\testgroup' /nas/gpfs0/myexport/
6.6 Changing shares and exports
You can add or remove a service to a share or export by using the GUI or by using the chexport CLI command.
6.6.1 GUI navigation
To work with this function in the management GUI, log on to the GUI and select Files → Shares (see Figure 6-2).
Figure 6-2 Image of edit panel on GUI managed Share protocols
6.6.2 CLI usage
The chexport CLI command can be used to add a service to a share or export.
To modify an export named testexport by adding the FTP service and removing the NFS service, enter the following command:
# chexport testexport --ftp --nfsoff
6.7 Working with Common Internet File System (CIFS) shares
CIFS clients are widely used with Windows clients. The term CIFS is generally used interchangeably with the older name of Server Message Block (SMB).
6.7.1 Creating a CIFS share
The following steps outline an example scenario for creating a new CIFS share. When you use the CLI to create a share or export, specifying the owner is optional.
Details can also be found in IBM SONAS Implementation Guide, SG24-7962, or by using the Help button in the GUI and the SONAS information in the IBM Knowledge Center (Creating shares or exports):
To create a share, complete the following steps:
1. Create a new independent file set within an existing file system. For more detailed information, see the Creating a file set section in the SONAS section of the IBM Knowledge Center:
2. Link the newly created file set to a directory (junction path) on the underlying file system or file set. For more detailed information, see Linking a file set in the SONAS section of the IBM Knowledge Center:
3. Change the owner and group of the file set junction path. For more detailed information, see Displaying and changing a file system directory’s owner and group in the SONAS section of the IBM Knowledge Center.
4. Create a quota definition for the newly created file set. For more information, see Managing quotas in the SONAS section of the IBM Knowledge Center:
5. Create a CIFS share or export by using the newly created file set. For more information, see Creating shares and exports in the SONAS section of the IBM Knowledge Center:
6. Modify ACLs and define inheritance. For more detailed information, see the following topics in the SONAS section of the IBM Knowledge Center:
– Managing authorization and access control lists:
– Authorization limitations:
|
Tip: Depending on the default ACLs and the usage of inheritance, the directory might become inaccessible. This might be the case when the ACLs are not inherited from the owning directory, and no owner has been specified. In this case, the directory is owned by the default owner root, and therefore inaccessible to users.
|
7. Modify the newly created share or export. For more detailed information, see the following SONAS topics in the IBM Knowledge Center:
– Changing shares and exports:
– Adding a service to a share or export:
As previously mentioned, the SONAS Knowledge and IBM SONAS Implementation Guide, SG24-7962 provide information to help with these tasks, whether you choose to use the GUI or the CLI. See these resources for detailed information about each specific requirement.
SONAS 1.5.1 includes support for the Server Message Block (SMB) 2.1 protocol. SMB 2.1 was introduced in Microsoft Windows Server 2008 R2 and Windows 7, and is supported by the Samba server in SONAS.
SMB 2.1 support brings important performance and usability enhancements including large maximum transmission unit (MTU) support (increased from 64 kilobytes to 1 megabyte), support for an interim response, and asynchronous I/O (read, write) support. An interim response from the server enables the server to tell the client that more information will follow, do not time out.
If a file is recalled from tape, the client waits longer for the SONAS to deliver the actual file. SMB 2.1 support delivers more efficient use of 10 gigabit Ethernet (GbE) network bandwidth, improving the performance of various tasks, such as copying large files.
SONAS also now supports SMB 2 signing. SMB signing adds a cryptographic checksum to digitally sign a packet. This enables the communication between a client and server to be validated, and prevents data tampering or man-in-the-middle attacks.
For more information about CIFS, see the CIFS limitations section in the SONAS area of the IBM Knowledge Center:
6.7.2 CIFS data integrity options
When you submit the mkexport or chexport SONAS CLI commands and use the --cifs option, you can optionally specify parameter values in a comma-separated, key-value pair list. Some of these CIFS options regulate SONAS CIFS server behavior that is related to
data integrity.
data integrity.
oplocks=yes/no
The default value is yes. You can disable opportunistic locks (oplocks) to avoid the loss of data if a CIFS connection breaks or times out.
An oplock is an SMB/CIFS mechanism that promises a client that a block region of the requested file will not be written or modified by the server without correct notification until the oplock is cleared by the client. It does not apply to NFS, but only SMB/CIFS shared files and Windows-based clients. Oplocks are enabled on all Windows clients and servers by default.
Oplocks are a caching mechanism. If the oplocks option is set to yes, the client can request an oplock from an SMB server when it opens a file. If the server grants the request, then the client can cache large chunks of the file and not notify the server what it is doing with those cached chunks until it is finished. That reduces network I/O significantly, and is a big boost
to performance.
to performance.
Although oplocks give applications a performance boost, they can also contribute to data loss when a CIFS connection breaks or times out. Some examples of events that can cause connection interruptions are an interface node failover and GPFS or storage hang.
When an oplock is granted for a file, when Windows Redirector has stored the data into its cache, it acknowledges to the application that the data was written. From the application’s perspective, the data was written successfully, and the application proceeds. Windows later destages the data to the SONAS system in the background. If any of the preceding events occurs, and the network connection is interrupted while there is still data in Windows Redirector to write to the SONAS system, the Redirector cache is erased.
When oplocks are in use and an out-of-space error occurs, the same data loss can happen. The write has already been acknowledged by the application, but the Windows Redirector cannot write the data to the SONAS system. In these cases, the Windows operating system usually logs a Delayed Write Failed event. Monitor the Windows event log for these events.
When files are in high contention, oplocks begin to lose their value quickly as oplock revocation communication creates resource demands. In many cases where CIFS performance becomes a bottleneck due to high contention, disabling oplocks on CIFS shares can provide significant performance improvement for the client and server stacks.
syncio=yes/no
The syncio parameter is disabled (set to a value of no) by default. A value of yes specifies that files in a share for which the setting is enabled are opened with the O_SYNC flag. The file is opened for synchronous I/O, and writes on the resulting file descriptor block the calling process until the data has been physically written to the underlying hardware.
This minimizes data loss in the case of a node failover because otherwise, a value of no might result in data being acknowledged as written to the client while the interface node has the data only in its cache and has not yet written that data to disk. That data is lost if a node failover occurs.
However, a value of yes can result in a significant performance decrease for most applications.
The preferred practice is to avoid operating data-critical workloads over CIFS, unless oplocks are disabled and synchronous I/O is enabled.
Workloads, such as database applications that update only small blocks in a large file, might have improved performance when syncio is enabled, because, in that case, GPFS does not read a complete block if there is only a small update to it.
leases=yes/no
This option is enabled (set to a value of yes) by default. A value of yes specifies that clients that are accessing the file over other protocols (such as NFS) can break the opportunistic lock of a CIFS client, so the CIFS client is informed when another client is now accessing the same file at the same time.
Disabling this feature provides a slight performance increase each time that a file is
opened, but it increases the risk of data corruption when files are accessed over multiple protocols without correct synchronization. This option (leases=yes) is less important if oplocks are disabled).
opened, but it increases the risk of data corruption when files are accessed over multiple protocols without correct synchronization. This option (leases=yes) is less important if oplocks are disabled).
locking=yes/no
This option is enabled (set to a value of yes) by default. A value of yes specifies that, before granting a byte range lock to a CIFS client, a determination is made whether a byte range file control lock is already present on the requested portion of the file. Clients that access the same file by using another protocol, such as NFS, are able to determine whether a CIFS client has set a lock on that byte range of that file.
sharemodes=yes/no
The CIFS protocol enables an application to permit simultaneous access to files by defining share modes, which can be any combination of SHARE_READ, SHARE_WRITE, and SHARE_DELETE.
If no share mode is specified, all simultaneous access attempts by another application or client to open a file in a manner that conflicts with the existing open mode are denied, even if the user has the appropriate permissions granted by share and file system access control lists.
The sharemodes option is enabled (set to a value of yes) by default. A value of yes specifies that the share modes that are specified by CIFS clients are respected by other protocols.
A value of no specifies that the share modes apply only to access by CIFS clients, and clients using all other protocols are granted or denied access to a file without regard to any share mode that is defined by a CIFS client.
synconclose=yes/no
This option is enabled (set to a value of yes) by default. A value of yes specifies that the file system synchronizes data to disk each time that a file is closed after a write to ensure that the written data is flushed to disk.
|
Important: Disabling this option (setting it to a value of no) increases the risk of possible data loss if there is a node failure.
Tip: This option applies only to file system data, not metadata.
|
coherency={yes|no|nodirs|norootdir}
In the CIFS specification, lock enforcement is mandatory if a client application has requested a lock. By default (coherency=yes), which is the preferred practice for data integrity, the SONAS system enforces this specification by using system-wide locking, which can decrease performance for some special workloads. A warning message displays when a SONAS system administrative user sets the --cifs option coherency to a value other than yes, and prompts for confirmation.
The --cifs coherency option values yes (default), no, nodirs, and norootdir are mutually exclusive. You might consider using a non-default coherency value if performance is a consideration, and if data integrity and consistency is ensured at the application level. These are ensured because the application enforces a strict access control model, and requires that files and directories are not modified by multiple processes at the same time.
Also, it requires that reading a file’s contents does not occur while another process is writing to that file. The application must coordinate all file accesses to avoid conflicts, because conflicts are no longer managed at the CIFS protocol level.
If coherency is set to no, the SONAS system does not enforce any CIFS protocol system-wide consistent locking, which therefore must be ensured by the application to avoid data corruption and data loss. Avoid this configuration.
If coherency is set to nodirs, the SONAS system does provide consistent file locking, but not consistent directory locking.
If coherency is set to norootdir, the SONAS system disables the synchronization of directory locks for the root directory of the specified share, keeping the lock coherency for all the files and directories within the share root.
|
Attention: This option should only be used if data integrity is ensured on the application level (rather than the protocol level). The applications must ensure that files/directories are not modified by multiple processes at the same time, and that reading of file content does not happen while another process is still writing the file.
Alternatively, if the application is coordinating all file accesses to avoid conflicts. Without locking, the consistency of files is no longer guaranteed on protocol level. If data integrity is not ensured on application level this can lead to data corruption.
Tip: When the --cifs option coherency has a value other than yes, the lsexport SONAS CLI command displays the coherency value of a share or export.
|
6.7.3 Connecting by using a CIFS client
You can connect to a CIFS share by using a CIFS client from many different client operating systems.
|
Attention: The CIFS protocol does not include a built-in failover capability to transparently reestablish a lost CIFS connection. If a CIFS connection to the SONAS system is lost due to a failover or a network event, the CIFS client must establish a new CIFS connection and reopen all of the file handles that were previously open when the connection was lost. This is a limitation of the CIFS protocol. The SONAS system synchronizes file data to disk only when it receives a close request for a file.
If an SONAS interface node failover occurs during a write request, the most recent changes might not be written to disk. Therefore, only file changes that were both written and closed are always saved, and CIFS clients might experience corrupted files for any files that were open for write at the time of failover.
|
Also note that used space and free space that is reported to CIFS clients depends on the quotas that are applicable to the current user.
Scenarios for connecting to SONAS with a Windows client
The following examples are not meant to be in-depth. The examples use the following definitions:
System name SONAS03
Share name gpfs0all
Several methods are available for connecting to the SONAS system with a Windows client:
•Using the Universal Naming Convention (UNC) syntax
•Mapping a network drive using Windows Explorer
•Mapping a network drive using NET.EXE from the Windows command line
Example 1: UNC mapping
Using Windows Explorer, enter the path to the network share in the address bar using UNC syntax:
\sonas03gpfs0all
|
Note: The preferred practice is to use a fully qualified domain name when connecting to shares. If your organization has a flat domain name server (DNS) namespace, this is less important, but in a large organization with an internal DNS hierarchy, using the full name means the server will be found even if the client moves around the organization.
|
If you are not currently authenticated to the domain on which the share resides, you are prompted for your credentials, as shown in Figure 6-3.
Figure 6-3 Windows Authentication Prompt
After authentication, a new window opens showing the contents of your share, as shown in Figure 6-4.
Figure 6-4 Explorer view using UNC paths to connect to the SONAS system
Example 2: Mapping a network drive by using Windows Explorer
To map a network drive to a drive letter from Windows Explorer, click Tools → Map Network Drive or use the icon. Figure 6-5 shows the Explorer pane using drive letters to connect to the SONAS system.
Figure 6-5 Windows Authentication and Drive Letter Attachment to Map a Network Drive
Optionally, you can specify a user name and password to access the share using the connection with a different user name option. Figure 6-6 shows the window prompting for authentication information.
Figure 6-6 Different user auth panel pop-up
The domain separator on Windows clients is a backslash (). That means you must enter w2k3dom01 est1 for the user test01 from the domain w2k3dom01.
Example 3: Mapping a network drive by using NET.EXE
The following example maps the share gpfs0all from sonas03 to the drive letter X: and prompts for the password without echoing the password to the screen:
C:> net use x: \SONAS03gpfs0all/user:DOMAIN\username
The command waits for your password input. If your authentication information is successful, you are notified that the command completed successfully.
Connecting with CIFS from the Linux operating system
To attach to a CIFS share or export by using a Linux operating system, use a CIFS client. To access the share or export, a user must have appropriate permissions for accessing the path, and ACL authorization to at least allow read (r) and execute (x) each directory in the full path of the directory on which the share or export is mounted.
|
Tip: Connecting by using CIFS from IBM AIX is not supported.
|
You can use the CIFS client in the Linux kernel to mount a share, similar in concept to mounting an NFS export.
|
Tip: Linux clients that are running the CIFS protocol with a version of CIFS before version 1.69 might experience issues that are related to I/O transactions. Use CIFS version 1.69 or higher installed on the client to improve reliability.
|
You can also use interactive CIFS clients, such as smbclient and smbget, from the Samba Software Suite that is available for any major Linux distribution. Some desktop environments have their own CIFS clients, such as Gnome, where you can use the menu item Places → Connect to server, and select CIFS, after which the mounted share displays in the desktop environment’s file browser.
Example 1: Attaching to a CIFS share or export by using a Linux host
The following example describes how to connect to a Microsoft Windows network by using the CIFS protocol from the Linux operating system. For more information, administrators of other UNIX operating systems should consult the documentation for their CIFS client. It is assumed that you have root access to the host.
Example 6-4 uses these definitions:
System name SONAS03
Share or export name gpfs0all
If you do not already know the name of the share or export that you want to access, you can use the smbclient command to obtain a list of available resources.
Example 6-4 Sample smbclient command to list resources
(root@linuxhost)~ # smbclient -L sonas03 -U DOMAIN\username
Password: <password not displayed>
Domain=[DOMAIN] OS=[UNIX] Server=[SONAS Cluster]
Exportname Type Comment
--------- ---- -------
IPC$ IPC IPC Service ("SONAS Cluster")
phil Disk CIFS share or export of SONAS3 cluster for user Phil
gpfs0all Disk CIFS share or export of SONAS3 to share or export FS gpfs0
Domain=[DOMAIN] OS=[UNIX] Server=[SONAS Cluster]
Server Comment
--------- -------
Workgroup Master
--------- -------
You can access the share or export with an FTP-like utility by using the following command from an interactive system shell, as shown in Example 6-5.
Example 6-5 Sample access by using smbclient
(user@linuxhost)~ # smbclient //SONAS03/gpfs0all -U DOMAIN\username
Password: <password not displayed>
Domain=[DOMAIN] OS=[UNIX] Server=[SONAS Cluster]
smb: >
Furthermore, you can mount the CIFS share or export to a local directory, /tmp/mount in this example, by submitting the command in Example 6-6 as root from a system shell.
Example 6-6 Mount a CIFS share
(root@linuxhost)~ # mount -t cifs -o user=DOMAIN\username //server/export /tmp/mount
Verify that the mount occurred by running the mount command without any arguments, as shown in Example 6-7. The output will display the file systems that are mounted on the
Linux system.
Linux system.
Example 6-7 Sample output from the mount command
(root@linuxhost)~ # mount
/dev/hda1 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/hda2 on /boot type ext3 (rw)
proc on /var/lib/ntp/proc type proc (rw)
//sonas03/gpfs0all on /tmp/mount type cifs (rw,mand)
Conversely, to unmount the share or export, run the following command at the system shell:
# umount /tmp/mount
6.7.4 Using substitution variables for CIFS shares
Although it is possible to use substitution variables for creating a CIFS share, in most cases you should not use this configuration for reasons of simplicity and consistency.
However, having a large number of Windows users all concurrently accessing the same CIFS share can lead to performance bottlenecks, because Windows clients automatically open the root folder of a share when connecting. In a home directory environment, it is helpful to use substitution variables when you create CIFS exports for home directories. For example, home directory exports can be created by using the %U substitution variable to represent the user name on the mkexport command:
mkexport home /ibm/gpfs0/.../%U --cifs
For more information about substitution variables, see the Using substitution variables topic in the SONAS area of the IBM Knowledge Center:
6.8 Working with Network File System (NFS) exports
When you submit the mkexport or chexport SONAS CLI commands and use the --nfs option, you can optionally specify NFS options and corresponding parameter values in a semicolon-separated list that is enclosed by double quotation characters. Each option is followed by its corresponding parameter values, if any exist, enclosed in parentheses (see Example 6-8).
Example 6-8 NFS options example
--nfs "master(rw);trusty(rw,no_root_squash);sync"
6.8.1 NFS options
Some of these NFS options regulate SONAS CIFS server behavior that is related to data integrity.
async/sync
Using the async option clears the default sync option. The async option enables the SONAS NFS server to respond to NFS write and commit requests without committing data to stable storage, such as permanent disk media, violating the NFS protocol specification.
When configured with the sync option, the NFS server behavior strictly conforms to the NFS protocol specification. Configuring the async option enables for the possibility that data that has been written by an NFS client, but not yet committed to stable storage by the NFS server, can be lost when a failure condition, such as the loss of an SONAS interface node, occurs. The result is data loss. This data loss can occur without notice to the application, even after successful returns from the fsync or close system calls.
Note that the async option might not significantly improve the performance of NFS write requests, because asynchronous optimization is now embedded in the protocol and a feature of the NFS protocol. When the async option is set, the no_wdelay option has no effect.
The async option, should only be used in environments where the potential for data loss that occurs without notification to the application can be tolerated, and where the performance benefits of setting the option have been verified.
wdelay/no_wdelay
NFS has an optimization algorithm enabled by default, by the NFS wdelay option that delays disk writes if NFS calculates that a sufficient probability exists that a related write request might arrive soon.
The write delay reduces the number of disk writes, and might increase performance; however, when the actual related write request pattern does not reach the predicted probability, performance might decrease because this behavior causes delay in every request.
The mutually exclusive NFS option no_wdelay disables the wdelay behavior.
In general, the no_wdelay NFS option is considered preferred practice when most of the NFS requests are small and unrelated. The no_wdelay NFS option is enabled by the SONAS system by default, and directs NFS to write to disk as soon as possible.
6.8.2 NFSv4 support in SONAS 1.5.1
SONAS 1.5.1 supports two types of NFS:
•The kernel-based NFSv3 server that is implemented in the operating system that is the Red Hat Enterprise Linux (RHEL) implementation
•The user space-based NFSv4 server that is the IBM implementation, which also supports the NFSv3 protocol
By default, the SONAS cluster is configured to use the kernel-based NFSv3 server. You can migrate to the IBM NFSv4 stack to use the NFSv4 protocol using the chnfsserver command. You can also switch back to the kernel-based Red Hat NFSv3 stack.
For complete details about migration to and fro between IBM NFSv4 and RHEL NFSv3 stack, see the Managing the NFS stack topic in the SONAS section of the IBM Knowledge Center:
The following NFS options are supported on both RHEL NFSv3 and IBM NFSv4:
•rw
•no_root_squash
•all_squash
•anonuid=<uid> and anongid=<gid>
•insecure
•sec=<seclist>
The following NFS options are supported only on RHEL NFSv3:
•async
•no_wdelay
•nohide
•crossmnt
•no_subtree_check
•insecure_locks, no_auth_nlm
•no_acl
•mountpoint=<path>
The following NFS options are supported only on IBM NFSv4:
•transportprotocol
•protocol
For a detailed description of these NFS options, see the man page for the mkexport command.
Preferred practices for using NFS
The following list describes some preferred practices for using NFS:
•If you want to have the exact NFSv4 protocol semantics, switch all the NFSv3 clients to NFSv4 because some features of NFSv3 and NFSv4 protocols are incompatible. For example, the NFSv3 protocol does not support Share Reservations or open operations that the NFSv4 protocol supports.
•Before migrating from kernel-based RHEL NFSv3 stack to the IBM NFSv4 stack, save the export configuration by using the lsexport -v command. You might need this information if you migrate back to the kernel-based RHEL NFSv3 stack.
•Frequent migration between the kernel-based RHEL NFSv3 stack and IBM NFSv4 stack is not recommended.
•If you have nested exports, such as /a and /a/b/c on the same file system for the same NFS client, the NFS protocol cannot determine that the client is accessing the same file through different exports and data corruption might occur. Each export is assigned a new file system ID even if the exports are from the same file system. Therefore, do not create nested exports on the same file system for the same NFS client.
•The NFSv4 protocol does not support nested exports. If you want to use the NFSv4 protocol after you migrate to the IBM NFSv4.0 stack, ensure that the export with the common path, called as the top-level export, has all the permissions.
•The NFSv4 protocol uses string names for user and group identification, but the NFSv3 protocol uses UIDs and GIDs. After you migrate to the IBM NFSv4.0 stack, if all clients are to use the NFSv4 protocol or a mix of NFSv3 and NFSv4 protocols, install a common ID mapping server so that the clients and the storage server obtain the same names or UIDs and GIDs.
•A NFS client must mount an NFS export by using the IP address of the Storwize V7000 Unified system. If a host name is used, ensure that the name is unique and remains unique.
•The default NFS protocol that is used on client systems might differ. For example, the AIX 6.3 client system uses NFSv3, where the RHEL 6.2 client system uses NFSv4 by default. If you are using a client that uses NFSv3 by default, you must explicitly specify NFSv4 in the mount command.
•For more information about important things to be considered for different types of NFS clients, see the NFS client considerations topic in the SONAS section of the IBM Knowledge Center:
Limitations of NFS
For detailed information about NFS limitations, see the NFS limitations section in the SONAS section of the IBM Knowledge Center:
6.8.3 Netgroups
Netgroups are used in UNIX environments to control access for NFS exports, remote logins, and remote shells. Netgroups cannot be used to control access for any NAS protocols other than NFS. Each netgroup has a unique name and defines a set of hosts, users, groups, and other netgroups. Netgroups were introduced as part of NIS, and can also be stored in LDAP, in SFU as Server for NIS, or in local files on the client.
The SONAS system versions 1.1.1 and higher support netgroups by using an NIS database, and lookup of netgroups in NIS can be configured in either of the first two configurations that are listed in the table in Table 6-1. SONAS system versions 1.3.1 and higher also support netgroups by using the NIS and LDAP database configurations that are listed in rows 3 and 4 in Table 6-1.
Table 6-1 SONAS netgroup support
|
Netgroup database
|
Authentication
|
ID mapping
|
SONAS release
|
CLI commands to configure
|
|
NIS
|
None
|
None
|
1.1.1
|
cfgnis
|
|
NIS
|
Active Directory
|
Auto
|
1.1.1
|
cfgad, cfgnis
|
|
NIS
|
Active Directory
|
SFU
|
1.3.1
|
cfgad, cfgsfu, cfgnis
|
|
LDAP
|
LDAP
|
LDAP
|
1.3.1
|
cfgldap
|
|
Note: Local authentication scheme available in SONAS 1.5.1 does not support netgroups.
|
Netgroup host definition format
The SONAS system supports netgroups only for grouping hosts to restrict access to NFS file systems that are exported by the SONAS system. The /etc/netgroup file of a server defines network-wide groups.
Netgroups are used in UNIX environments to control access for NFS exports, remote logins, and remote shells. Netgroups cannot be used to control access for any NAS protocols other than NFS. Each netgroup has a unique name and defines a set of hosts, users, groups, and other netgroups. Netgroups were introduced as part of NIS, and can also be stored in LDAP, in SFU as Server for NIS, or in local files on the client.
You can define a netgroup host in one of the following formats:
•By name. For example, myhost.
•By fully qualified domain name. For example, myhost.mydom.com.
Because NFS inherently works with host names for netgroups, avoid using Internet Protocol (IP) addresses in netgroup definitions.
|
Tip: The host name in the netgroup definition must have both forward and reverse DNS lookup configured, so that the SONAS system can resolve both the host name and the host IP address, with which the mount service is requested on the SONAS system. Otherwise, a mount request fails with an access denied error.
|
Displaying a netgroup configuration
There is no SONAS CLI command to verify how the SONAS system resolves a netgroup reference.
You can, however, submit the lsauth SONAS CLI command to display the SONAS system authentication method configuration. Use the methods that are appropriate to the authentication method that you have configured to verify the configuration of external authentication servers.
6.8.4 NFS and ID mapping
The NFS authorization is based on UIDs and GIDs. The NFS client sends the UID of the current user to the NFS server. In this case, it is the SONAS system. This UID is only correct if the client has the same ID mapping as the server.
For example:
•Client has user johndoe with UID 2323
•Server has user janedoe with UID 2323
When the client (johndoe) accesses the server, the server thinks that janedoe is connecting and grants access to janedoe’s files.
One solution is to manually define users on the client with the correct IDs. Use the chkauth CLI command to assist with this task (see Example 6-9).
Example 6-9 Sample chkauth command and output
# chkauth -c sonas3.strg001st001 -u w2k3dom01\laura -i
Gid = 10000017, Uid = 10000000, Home Directory = /var/opt/IBM/sonas/scproot, Template Shell = /usr/bin/rsshAuthorization
The SONAS system uses the group IDs (GIDs) that are supplied by the NFS client to grant or deny access to file system objects, as defined in RFC 5531. When a user is defined in more than 16 groups, to get the wanted access control, you must define the groups that are transmitted from the client, and define mode bits or ACLs on the SONAS system.
Changes to NFS and ID mapping in 1.5.1
The NFSv4 clients cannot get UIDs and GIDs from NIS because the NFSv4 protocol uses string names ([email protected]) for user and group identification and not UIDs and GIDs.The client and server must then map these strings to traditional POSIX user and group IDs because GPFS is a POSIX-based file system.
NFSv4 mandates support for a strong security model, where client/server interactions are done using the GSS-API framework. The required security type is Kerberos. The quality of protection, such as which crypto techniques are used, and service (authentication only, integrity, or privacy) are negotiated between the client and server.
As with the previous protocol versions, NFSv4 defers to the authentication provisions of the supporting RPC protocol. Because the RPC mechanisms are the same for versions 3 & 4, the NFS implementation supports Kerberos for both Version 3 & 4.
The NFSv4 clients and the Storwize V7000 Unified system must be configured with the same authentication and ID mapping server. The Storwize V7000 Unified system does not support NFSv4 clients to be configured with different authentication and ID mapping servers. The NFSv4 implementation still supports traditional UNIX style authentication and security though it is not recommended.
6.8.5 Connecting with an NFS client
This section describes how to connect to SONAS with an NFS topic:
Connecting from the UNIX operating systems
As a prerequisite, NFS client packages must be installed, and the administrator give the user the right to mount remote file systems. Otherwise, the administrator must create the mount.
|
Tip: NFS clients are responsible for maintaining data integrity when a server restarts, crashes, or fails over. In the NFS protocol, the NFS client is responsible for tracking which data is destaged, for detecting that a server has crashed before destaging all data, and for tracking which data must be rewritten to disk.
|
Failover is not visible to most applications in NFS, with the following exceptions:
•Client applications might experience -EEXIST or -ENOENT errors when they create or delete file system objects.
•NFS clients should always use IP addresses when they are mounting NFS exports because reliable file locking and lock recovery requires that the NFS client reconnect all of the NFS locked and statd services to the original server node after a client restart or crash. In most cases, the SONAS IP addresses are floating IPs controlled by clustered trivial database (CTDB) that move between SONAS interfaces. If a node crashes or restarts, there is no default guarantee that the same IP will be put back on the same server after restart.
The following example shows connecting to a SONAS using NFS.
To check which exports are available, run the following command on the command line:
showmount -e SONAS <public name or IP address>
The output, showing the export list, is shown in Example 6-10.
Example 6-10 Sample showmount export list
$ showmount -e furby.tuc.stglabs.ibm.com
Export list for furby.tuc.stglabs.ibm.com:
/ibm/gpfs1 *
/ibm/gpfs0/redbookexport1 *
/ibm/gpfs0/furbywin1 *
/ibm/gpfs0/furbylin1 *
|
Tip: By default, an AIX client (much like a MAC OS client) uses non-reserved ports. However, the SONAS system rejects requests from non-reserved ports. To enable the use of reserved ports on an AIX client, submit the AIX command nfso -p -o nfs_use_reserved_ports=1.
|
The AIX NFS client also has a known issue in datagram retransmission behavior. There are two actions to address this issue, both of which must be used.
The NFS client is responsible for detecting whether it is necessary to retransmit data, and for retransmitting all uncommitted cached data to the NFS server if retransmission is required. SONAS system failover relies on this expected client behavior.
Use the specific NFS mount options hard,intr,timeo=1000,dio,noac on the AIX client to extend the retransmit time to 100 seconds on failure. To mount the remote NFS export to a local mount point, submit the following command:
mount -t nfs -o hard,intr,timeo=1000 <server>:/<path>
The following things are important to note:
•If you use NFS file locking, use the server IP address rather than the host name when you create the mount. This step is required to ensure that file locking is reliable and to prevent orphaned locks.
•For Linux users: If you want file changes to be immediately visible to applications on NFS clients, it might be necessary to add the lookupcache=none option when you mount the export. This setting can adversely affect performance.
Check the NFS man page on your client system for recommendations on mount parameters, and more information about soft and hard mounts. Use the -o hard,intr parameter when you create a mount. On AIX and older Linux systems, the intr parameter enables NFS requests to be interrupted if the server goes down or cannot be reached.
Set the default timeout to 1000 (which equals 100 seconds).
For example, issue the following command:
mount -t nfs -o hard,intr,timeo=1000 sonas3:/ibm/gpfs0 /mnt
|
Tip: The mount command is an administrative command unless the administrator gives access privileges to users that include the ability to mount devices. The NFS mount point might already be configured by the administrator.
|
Connecting to IBM NFSv4/NFSv3 (Kerberized) Server from UNIX clients
A detailed description of setting up Kerberos and UNIX clients to support NFSv4 exports is beyond the scope of this book. The process typically includes the following steps:
1. Enable IBM NFSv4 stack using the chnfsserver CLI command.
2. Ensure all the domains are set up correctly by using the setnwdns CLI command.
3. Ensure that the fully qualified domain name (FQDN) of SONAS and its corresponding public IPs are registered in the DNS.
4. Create a proxy AD NFS user account, set the NFS service principal attribute for the SONAS FQDN, and register the proxy AD NFS user account with it.
5. Create a keytab file for SONAS on the AD server by using this principal and map it to the proxy AD user.
6. Using the keytab file, configure AD with Kerberos support on SONAS.
7. Adapt the general NFS server settings to the Kerberos domain (which would also be the NFSv4 domain) and enable NFSv4 protocol by using the chservice CLI command and verify the settings by using the lsservice CLI command, as shown in Example 6-11.
Example 6-11 General NFS server settings
$chservice nfs --options 'squash=root_squash,domain=sonas,realm=SONAS.com,NFS4_service=enable'
Do you really want to perform the operation (yes/no - default no):yes
EFSSG1000I The command completed successfully.
lsservice --protocoloptions
CIFS
=====
serverDescription : "IBM NAS"
diskFreeQuota : yes
NFS
=====
Lease_Lifetime : 90
NFS4_service : enable
domain : sonas
realm : SONAS.com
anongid : -2
anonuid : -2
access : ro
squash : root_squash
sec : sys
secure : true
transportprotocol : tcp
protocol : 3;4
EFSSG1000I The command completed successfully.
Example 6-12 View the share using the lsexport command
$ mkexport nfsv4test '/ibm/gpfs0/nfsv4test' --nfs '*(rw,root_squash,sec=krb5,protocol=3;4)' --owner 'SONASautouser1:SONASdomain users'
EFSSG0019I The export nfsv4test has been successfully created.
EFSSG1000I The command completed successfully.
$lsexport -v | grep nfsv4test
nfsv4test /ibm/gpfs0/nfsv4test NFS true 10/23/14 8:24 PM *(root_squash,rw,anonuid=-2,anongid=-2,secure,protocol=3;4,transportprotocol=tcp,sec=krb5)
9. Configure the RHEL NFSv4 client:
a. Ensure that the Linux client details are configured in the DNS with IP, FQDN, and that the forward and reverse name IP lookups work.
b. On the AD server, create a client computer account that will be used for the Kerberized NFS service.
c. On the AD server, create a proxy AD NFS user account that will the NFS service principal for the client computer account.
d. On the AD server map, the NFS service principal for this client computer account to the proxy AD NFS user.
e. Create a keytab file for the Linux client with the previous principal, and map to the dummy AD user.
f. Copy the created keytab file to the Linux client under /etc/krb5.keytab.
g. Configure the Linux client to authenticate with the AD server and ensure that Kerberos is configured properly. AD users should be able to log in to this Linux client. Also ensure that /etc/idmapd.conf is configured with the correct domain and realm.
h. Ensure that the Linux client can get the granting ticket from AD with kinit by using a valid principal.
i. Configure the client for Kerberized services (mount, I/O) which require the gssd daemon and the secure NFS setting, as shown in Example 6-13.
Example 6-13 Configuring the client for Kerberized services
#cat /etc/sysconfig/nfs | grep SECURE_NFS
SECURE_NFS="yes"
#service rpcgssd restart
Stopping RPC gssd: [FAILED]
Starting RPC gssd: [ OK ]
[root@client001 nfsv4test]# service rpcgssd status
rpc.gssd (pid 2272) is running...
[root@client001 nfsv4test]#
10. Mount the Kerberized export with the sec=krb5 option and verify the configuration, as shown in Example 6-14.
Example 6-14 Mounting an NFSv4 share
#showmount -e newinstsonas.sonas.com
Export list for newinstsonas.sonas.com:
/ibm/gpfs0/nfsv4test *
/ibm/gpfs0/abc *
#mount -vv -t nfs4 -o tcp,soft,intr,sec=krb5 newinstsonas.sonas.com:/ibm/gpfs0/nfsv4test /mnt/nfsv4test
mount.nfs4: timeout set for Sat Oct 25 16:07:32 2014
mount.nfs4: trying text-based options 'tcp,soft,intr,sec=krb5,addr=10.0.100.141,clientaddr=10.0.100.240'
newinstsonas.sonas.com:/ibm/gpfs0/nfsv4test on /mnt/nfsv4test type nfs4 (rw,tcp,soft,intr,sec=krb5)
# cat /proc/mounts | grep nfsv4test
newinstsonas.sonas.com:/ibm/gpfs0/nfsv4test/ /mnt/nfsv4test nfs4 rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.0.100.240,minorversion=0,local_lock=none,addr=10.0.100.141 0 0
11. Log in as an AD user on the Linux client. Run the kinit command to get the Kerberos credentials, access the mount, and do file operations. See Example 6-15.
Example 6-15 Accessing NFSv4 mount
# su - sonas\autouser1
bash-4.1$ id
uid=16777216(SONASautouser1) gid=16777218(SONASautouser) groups=16777218(SONASautouser),16777217(BUILTINusers),16777219(SONASdomain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.1$ id
uid=16777216(SONASautouser1) gid=16777218(SONASautouser) groups=16777218(SONASautouser),16777217(BUILTINusers),16777219(SONASdomain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.1$ kinit
Password for [email protected]:
bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_16777216
Default principal: [email protected]
Valid starting Expires Service principal
10/25/14 16:14:15 10/26/14 02:14:18 krbtgt/[email protected]
renew until 11/01/14 16:14:15
bash-4.1$ cd /mnt/nfsv4test/
bash-4.1$ echo "This is write to file from nfsv4 client" > testfile1.txt
-bash-4.1$ ls -l
total 0
-rwx------. 1 SONASautouser1 SONASautouser 40 Oct 25 2014 testfile1.txt
bash-4.1$ cat testfile1.txt
This is write to file from nfsv4 client
bash-4.1$ chown :sonas\"domain users" testfile1.txt
bash-4.1$ ls -l
total 0
-rwx------. 1 SONASautouser1 SONASdomain users 40 Oct 25 2014 testfile1.txt
bash-4.1$ chmod 750 testfile1.txt
-bash-4.1$ ls -l
total 0
-rwxr-x---. 1 SONASautouser1 SONASdomain users 40 Oct 25 16:18 testfile1.txt
Connecting with Apple Mac OS X clients
Consider the following Mac OS X requirements when you configure and manage the SONAS or Storwize V7000 Unified shared file system:
•Mac OS X Version 10.6.8 does not support display of backup files in a /.snapshots subdirectory. To display backup files in a /.snapshots subdirectory with Mac OS X Version 10.7.4 or later, you can use Finder → Search to find the file, click Get Info on the file, and click General.
•By default, a Mac OS client uses non-reserved ports. The SONAS and Storwize V7000 Unified system reject requests from non-reserved ports. To enable the use of reserved ports on a MAC OS client, run the mount command with the -o resvport option.
For example:
# sudo mount -t nfs -o resvport 192.168.101.100:/ibm/gpfs0/abc /mnt
Connecting by using NFS from a Windows client
Although you can connect to an NFS export by using the NFS client that is included in some versions of the Microsoft Windows operating system, the preferred practice is to use CIFS to connect to SONAS.
6.9 Connecting with other protocols
Although most clients likely connect to CIFS or NFS, interactive access with a web browser is an easy interface for users to download files. FTP and SCP protocols are often used when writing automated scripts.
6.9.1 Using FTP
Users can connect to a SONAS environment by using the FTP protocol. As a prerequisite, an FTP client must be installed and working correctly. Microsoft Windows clients have an FTP client that is installed by default, but this FTP client does not support automatic resume or reconnect in the case of an error.
|
Important: The FTP protocol does not use encryption. The user name, password, and
the file contents are sent across the network in plain text. When possible, use SCP rather than FTP. |
The SONAS environment provides failover capabilities for FTP. If a failure occurs, the FTP client must reconnect and resume the transfer. Availability of the resume and the automatic reconnection features depends on the capabilities of the FTP client. The FTP server of the SONAS environment does support resume and reconnecting FTP clients. The FTP server supports the Representational State Transfer (REST) command to assist with resuming abnormally stopped operations on the SONAS system.
When you are using FileZilla to view a directory listing on an SONAS system, all file time stamps have a constant time offset. The time offset is caused by FileZilla automatically converting the time stamps from Coordinated Universal Time to the local time zone. This conversion can be customized by adding the SONAS system to the site manager and adjusting the server time offset in the Advanced tab.
For the system named sonas3.w2k3dom01.com, go to the command-line interface and start the FTP client:
ftp sonas3.w2k3dom01.com
The system asks for a user name and password and, if successful, the panel message displays in the format shown in Example 6-16.
Example 6-16 Sample FTP
# ftp sonas3.w2k3dom01.com
Connected to sonas3.w2k3dom01.com.
220 -FTP Server (user '[email protected]')
220
User (sonas3.w2k3dom01.com:(none)): sonasdm estuser
331 -Password:
331
Password:
230-230 Login successful.
6.9.2 Using Secure Copy Protocol
Secure Copy Protocol (SCP) is a protocol for securely transferring files between a local and a remote host or between two remote hosts. The protocol has certain options that can be displayed on a Linux or UNIX system by using the man scp command. One option (-o) can be used to pass Secure Shell (SSH) options in the format that is used by the system-wide configuration file, /etc/ssh/ssh_config.
Search the client operating system documentation for information about the ssh_config options that are available by default to understand what options are available for your use in the SONAS environment. Describing those options is beyond the scope of this section.
To connect to an SONAS environment by using SCP, a prerequisite is that an SCP client is installed, available, and functioning correctly. Windows clients do not have an SCP client installed by default, so one must be installed before this protocol can be used.
To copy data from the local system to the SONAS system by using the SCP protocol, submit the following command:
scp local_path/files user:sharename
An example of the scp command and output is shown in Example 6-17.
Example 6-17 Sample scp command
# scp /tmp/* "w2k3dom01 est1"@sonas01.w2k3dom01.com:/sonas01.w2k3dom01 [email protected]'s password:
Provide the domain and user name in the syntax domainuser to authenticate against the HTTPS server, which is w2k3dom01 est1 in this example. Otherwise, the login fails.
When the password of the corresponding user is entered, the files are copied.
6.9.3 Using HTTPS
You can connect to a SONAS share or export by using the HTTP/HTTPS service with the following procedure.
The HTTPS protocol does not include an automated failover capability to transparently reestablish a lost connection. If an HTTPS connection to the SONAS system is lost due to a node IP failover event, the client must establish a new connection and restart the abnormally stopped operation. You can restart only a GET operation; resuming a GET operation with the Range: option in the HTTPS header is not supported.
Complete the following steps:
1. Open a browser, and enter the following address:
http://<sonas_cluster_name>/<share_or_export_name>
|
Note: The share or export name is optional. If you do not provide the share name, a listing of all available shares will be presented.
|
The system redirects all HTTP access requests to HTTPS.
For example, enter: http://9.32.248.166/Jshare2/, as shown in Figure 6-7.
Figure 6-7 Internet Explorer view: Connecting to export Jshare2
When only a self-signed certificate is used, the browser returns an error message that the certificate is not trusted. You can proceed to get access, or you can select to install the certificate to avoid this message in the future.
2. When you connect for the first time, you might see a security alert, as shown in Figure 6-8.
Figure 6-8 SONAS Security alert on a self-signed certificate
You can click Yes to proceed, but then you must repeat this procedure every time you want to connect using HTTPS to the SONAS software system.
3. Alternatively, you can click the View Certificate button and install the certificate, as shown in Figure 6-9.
Figure 6-9 Self Installed Certificate
If you want to install this certificate on your client, proceed with installing this certificate and answer all of the questions in this wizard.
4. Next, you must authenticate (see Figure 6-10).
Figure 6-10 HTTP connection authentication panel
5. Enter the domain and user name by using the syntax domainuser to authenticate against the HTTPS server, which is w2k3dom01 est1, as shown in Figure 6-11. Otherwise, the login fails.
When the user is authenticated and has access to the system, the user can browse all files and folders to which the user has access.
Figure 6-11 Explorer View of HTTP connection
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.