CITI, NFSv4, and ASCI


Published on August 8, 2008

Author: peterhoneyman

Source: slideshare.net

Description

This is a talk Andy Adamson and I gave at Sandia in August 2003.

CITI, NFSv4, and ASCI
Peter Honeyman and Andy Adamson
Center for Information Technology Integration
University of Michigan
Ann Arbor

Outline

Brief history

Skin in the game

Accomplishments

CITI’s NFSv4 experiences

Fleshing out protocol spec

Flushing out protocol bugs

Complete 2.4 implementation, but isolated from NFSv2/v3

NFSv4: Making it real

Delivered the critical building blocks in Linux 2.5

Completely rewritten (twice)

Integrated with NFSv2/v3

Identical performance

Posix ACLs mapped

NFSv4: Making it real

Some pieces still to come

As “bug fixes” not new features

CITI/ASCI project starts

DCE/DFS bows out

Meeting ASCI needs

Parallel file systems

Mostly Gedanken experiments

Security, ACLs, principals

Important for DFS migration

Parallel file systems

CITI’s first introduction; principally GPFS

Devised FILE_LOCATIONS extension

Load sharing among parallel NFSv4 servers

I/O striping

Current work

Global namespace

Migration and replication

Directory delegation

Minor versioning

NFSv4 principals

NFSv2/v3 use AUTH_SYS (32-bit integers) to designate identity

On the wire and on the disk

DFS and AFS manage their own principals and IDs

Impose them on the file system

Usually kept in synch with UNIX IDs (if yer smart)

NFSv4 principals

NFSv4 mandates RPCSEC_GSS

Each GSS_API mechanism has its own standard for representing principals

Kerberos V

X.509

Both are string representations, not integers

NFSv4 principals

GSS context needs to be mapped to an identity coherent to the server

Upcall to GSSD

Security is paramount here

Passes GSS principal

GSSD calls a mapping service

NSSwitch, LDAP, PTS, local database, …

There can be many names, all denoting the same principal

Returns an ID

NFSv4 ACLs

Protocol specifies principals (owner and group) in ACLs in the form of [email_address]

Linux Posix ACLs use 32-bit ints

GetACL returns … ?

File owner could be local UNIX name, X.509 DN, Kerberos principal, …

Canonical name depends on the server local file system (UNIX name in our case)

NFSv4 ACLs

SetACL sends … ?

Strings …

Mapped to canonical names on the server

To SetACL a remote user, e.g., [email_address], we (merely) need to assign a local UID

NFSv4 principals

Administrative domain imposes consistency on name space

NSSwitch database maps canonical name to many names

Two steps:

X.509 name (OU=…), Kerberos V name mapped to canonical name (bob)

Canonical name mapped to UID (71337)
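
The two-step mapping and the SetACL/GetACL translation from the preceding slides, as an added sketch that is not CITI's code or part of the talk. bob and 71337 come from the slide; the realms, the X.509 name, the carol_p account, the local domain and the fallback UID are constructed assumptions.

```python
# Added illustration of the two-step mapping on the slides; not CITI's code.
# bob and 71337 are the slide's values; every other entry is constructed.
NOBODY_UID = 65534            # assumption: unprivileged fallback identity
LOCAL_DOMAIN = "example.org"  # assumption: the server's ACL name domain

# Step 1: many authenticated names -> one canonical (local UNIX) name.
# The key is (GSS mechanism, complete name); the realm is never stripped,
# so bob in some other realm does not become the local bob.
NAME_TO_CANONICAL = {
    ("krb5", "bob@EXAMPLE.ORG"): "bob",
    ("x509", "CN=Bob Example,OU=Research,O=Example Org"): "bob",
    ("krb5", "carol@PARTNER.EXAMPLE"): "carol_p",  # remote user given a local UID
}

# Step 2: canonical name -> UID, plus the reverse table used by GetACL.
CANONICAL_TO_UID = {"bob": 71337, "carol_p": 71400}
UID_TO_CANONICAL = {uid: name for name, uid in CANONICAL_TO_UID.items()}


def gss_to_uid(mech, gss_name):
    """Answer to the gssd upcall: an unknown principal gets NOBODY_UID."""
    canonical = NAME_TO_CANONICAL.get((mech, gss_name))
    return CANONICAL_TO_UID.get(canonical, NOBODY_UID)


def setacl_who_to_uid(who):
    """SetACL direction: name string from the wire -> UID for the POSIX ACL.

    This sketch refuses unknown names instead of storing an ACL entry
    for the fallback UID.
    """
    name, sep, domain = who.rpartition("@")
    if not sep or domain.lower() != LOCAL_DOMAIN or name not in CANONICAL_TO_UID:
        raise LookupError(f"no local UID for ACL principal {who!r}")
    return CANONICAL_TO_UID[name]


def getacl_uid_to_who(uid):
    """GetACL direction: stored UID -> canonical name string for the wire."""
    return f"{UID_TO_CANONICAL.get(uid, 'nobody')}@{LOCAL_DOMAIN}"
```
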

NFSv4 principals

We are implementing what we can

And we seek comments from you lovely people whose pants are on fire

Accomplishments

Code in Linux kernel

NFSv4, RPC, VFS, scalability issues, security, …

RPCSEC_GSS code in MIT Kerberos V

CITI code in OpenSSL

Channel for CITI’s SPKM3

Accomplishments

Influenced NFSv4 protocol

Influencing NFSv4.1

CITI’s major contribution to ASCI is the ability to understand and represent ASCI needs (†) in these arenas and help make change real.

(†) With your help

Questions?! http://www.citi.umich.edu/
