CITI, NFSv4, and ASCI

this is a talk andy adamson and i gave at sandia in august 2003

1 Comment
  • oops, i meant hair, not pants.

  1. CITI, NFSv4, and ASCI
     Peter Honeyman and Andy Adamson
     Center for Information Technology Integration
     University of Michigan, Ann Arbor

  2. Outline
     • Brief history
     • Skin in the game
     • Accomplishments

  3. CITI’s NFSv4 experiences
     • Fleshing out protocol spec
     • Flushing out protocol bugs
     • Complete 2.4 implementation, but isolated from NFSv2/v3

  4. NFSv4: Making it real
     • Delivered the critical building blocks in Linux 2.5
        • Completely rewritten (twice)
        • Integrated with NFSv2/v3
        • Identical performance
        • Posix ACLs mapped

  5. NFSv4: Making it real
     • Some pieces still to come
        • As “bug fixes” not new features
     • CITI/ASCI project starts
     • DCE/DFS bows out

  6. Meeting ASCI needs
     • Parallel file systems
        • Mostly Gedanken experiments
     • Security, ACLs, principals
        • Important for DFS migration

  7. Parallel file systems
     • CITI’s first introduction; principally GPFS
     • Devised FILE_LOCATIONS extension
        • Load sharing among parallel NFSv4 servers
        • I/O striping

  8. Current work
     • Global namespace
     • Migration and replication
     • Directory delegation
     • Minor versioning

  9. NFSv4 principals
     • NFSv2/v3 use AUTH_SYS (32-bit integers) to designate identity
        • On the wire and on the disk
        • DFS and AFS manage their own principals and IDs
           • Impose them on the file system
           • Usually kept in synch with UNIX IDs (if yer smart)

  10. NFSv4 principals
     • NFSv4 mandates RPCSEC_GSS
        • Each GSS_API mechanism has its own standard for representing principals
           • Kerberos V
           • X.509
        • Both are string representations, not integers

  11. NFSv4 principals
     • GSS context needs to be mapped to an identity coherent to the server
        • Upcall to GSSD
           • Security is paramount here
           • Passes GSS principal
        • GSSD calls a mapping service
           • NSSwitch, LDAP, PTS, local database, …
           • There can be many names, all denoting the same principal
           • Returns an ID

  12. NFSv4 ACLs
     • Protocol specifies principals (owner and group) in ACLs in the form of [email_address]
     • Linux Posix ACLs use 32-bit ints
     • GetACL returns … ?
        • File owner could be local UNIX name, X.509 DN, Kerberos principal, …
        • Canonical name depends on the server local file system (UNIX name in our case)

  13. NFSv4 ACLs
     • SetACL sends … ?
        • Strings …
        • Mapped to canonical names on the server
        • To SetACL a remote user, e.g., [email_address], we (merely) need to assign a local UID

  14. NFSv4 principals
     • Administrative domain imposes consistency on name space
     • NSSwitch database maps canonical name to many names
     • Two steps:
        • X.509 name (OU=…), Kerberos V name mapped to canonical name (bob)
        • Canonical name mapped to UID (71337)

  15. NFSv4 principals
     • We are implementing what we can
     • And we seek comments from you lovely people whose pants are on fire

  16. Accomplishments
     • Code in Linux kernel
        • NFSv4, RPC, VFS, scalability issues, security, …
     • RPCSEC_GSS code in MIT Kerberos V
     • CITI code in OpenSSL
        • Channel for CITI’s SPKM3

  17. Accomplishments
     • Influenced NFSv4 protocol
     • Influencing NFSv4.1
     • CITI’s major contribution to ASCI is the ability to understand and represent ASCI needs (†) in these arenas and help make change real.
        • (†) With your help

  18. Questions?! http://www.citi.umich.edu/
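
The two-step mapping on slides 11 to 14 (many names to one canonical name, canonical name to UID) and the GetACL/SetACL string handling on slides 12 and 13, sketched as an added example; it is not CITI's code or the Linux implementation. Only `bob` and UID 71337 come from the slides; the domains, the DN, the `nfs4` name-space tag, the `user@domain` ACL string form and the fall-back to a `nobody` UID are assumptions made for the illustration.

```python
# Added example: two-step principal mapping (slides 11-14).
# All names, domains and the DN are constructed sample data;
# only "bob" and UID 71337 appear on the slides.
NOBODY_UID = 65534  # assumption: unmapped principals become "nobody"

# Step 1 table: many (mechanism, name) pairs denote one canonical name.
# "nfs4" is a hypothetical tag for user@domain strings used in ACLs.
NAMES = {
    ("krb5", "bob@EXAMPLE.ORG"): "bob",
    ("x509", "CN=Bob,OU=Research,O=Example Org"): "bob",
    ("nfs4", "bob@example.org"): "bob",
    # A remote user only needs a local canonical name and UID.
    ("nfs4", "carol@remote.example"): "carol_r",
}
# Step 2 table: canonical name -> local UID (what POSIX ACLs store).
UIDS = {"bob": 71337, "carol_r": 71400}
LOCAL_DOMAIN = "example.org"


def canonical_name(mech, name):
    """Step 1: exact-match lookup; no guessing, no prefix matching."""
    return NAMES.get((mech, name))


def principal_to_uid(mech, name):
    """GSS principal or ACL string -> UID, failing closed to nobody."""
    canon = canonical_name(mech, name)
    return UIDS.get(canon, NOBODY_UID)


def setacl_who_to_uid(who):
    """SetACL side: 'user@domain' string -> UID, or reject the ACE."""
    user, sep, domain = who.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("ACL principal must be user@domain")
    uid = principal_to_uid("nfs4", f"{user}@{domain.lower()}")
    if uid == NOBODY_UID:
        # Refuse rather than store an ACE that grants rights to nobody.
        raise LookupError(f"no local UID assigned for {who!r}")
    return uid


def getacl_uid_to_who(uid):
    """GetACL side: UID -> canonical 'name@LOCAL_DOMAIN' string."""
    for canon, known in UIDS.items():
        if known == uid:
            return f"{canon}@{LOCAL_DOMAIN}"
    return f"nobody@{LOCAL_DOMAIN}"
```

The lookup is deliberately exact-match: a Kerberos principal whose realm differs only in case from a mapped one resolves to `nobody` rather than to the mapped user.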
