Acropolis File Services (AFS) is a software-defined, scale-out file storage solution that provides a repository for unstructured data, such as home directories, user profiles, departmental shares, application logs, backups, and archives. Flexible and responsive to workload requirements, AFS is a fully integrated, core component of the Nutanix Enterprise Cloud Platform. At both of our .Next User conferences in Washington, D.C. and Nice France, NFS support for AFS was highlighted as a new feature to be added along with the current SMB support in an upcoming release.
NFS has been around almost as long as I have been breathing air as an eighties baby. Being an open standard, NFS has evolved over the years and now has different versions available. In most cases the version used is driven by the client that will be accessing the server. To this end Nutanix is entering the NFS space first with support for version 4 to go along with the current SMB support. NFS v4 is stable and has been going thru iterations since the 2000s. Most recent distributions of various platforms like Linux (CentOS, Ubuntu), Solaris, AIX use NFS v4 as the default client protocol and additional attention to security made it great easy choice.
NFS v4 improves security by limiting the number of ports that need to be opened for operating the protocol. The only port you need opened for NFS v4 is 2049 versus NFS v3 where mounting, file locking and Network Status Monitor happened outside the protocol requiring additional ports. Only one firewall rule can now be set and more importantly there is less attack surface with the reduction in open protocols mentioned above.
NFS v4 allows you to move away from local password files and UID/GID that can be easily spoofed. With support for Kerberos and Active Directory (AD) required for clients and the server to agree on user and group assignments. NFS v4 uses strings 'user@domain' and 'group@domain', where domain represents a registered DNS domain or a sub-domain. Typically this can be configured in idmapd.conf on the client.
There are 3 different levels of Kerberos authentication if you decide to enable AD support. All of the below options use Kerberos version5 :
- krb5, DES (Data Encryption Standard) symmetric key encryption and a MD5 one-way hash used to for the credentials used by AFS
- krb5i (Integrity), in addition to krb5, uses MD5-based MAC on every request/response.
- krb5p (privacy), on top of krb5 and krbi krb5 applies DES encryption to provide privacy of the connection between client and server.
Without krbp it is theoretically possible that someone could recreate your data with a man in the middle attack. I say theoretical because you can have the NFS data on a separate network and it would reduce the threat of this happening.
If your AD is able to support RFC-2307 you can enable it for easier management on AFS. RFC-2307 allows you store user and group information in an AD with Linux integration. It's able to convert UID/GID from AD. Support for RFC-2307 allows:
- Central administration of IDs in AD.
- Fast configuration of attributes.
- No local ID mapping databases that can corrupt.
- Enable individual login shells and home directory paths for users from AD
Locking management becomes a lot easier with NFS v4 with leased based locking included in the protocol. Prior to version 4 the application had to do the locking. This would leave locks on the server and cause additional administrative overhead cleaning up the locks. With the client and AFS having a lease they are able to stay on the same page.
NFS v4 creates a pseudo filesystem as presented by the server, AFS in this case. This pseudo file system can be used to limit the parts of the name space that the client can see. The feature both falls under management and security.
If we export:
The client will only see /marketing, /sales and archive from a common root directory. The pseudo-file system allows for the disjointed name space that is shown above in blue.
NFS v3 to NFS v4
To make the transition easy for NFS v3, AD or LDAP support are not required. You can use AUTH_SYS or AUTH_NONE authentication on AFS. With AUTH_NONE no authentication information is passed. Just networking and ACLs can be used to protect the export from being mounted elsewhere.
AUTH_SYS will authenticate at the client and will not represent any change moving over from NFS version 3. AUTH_SYS maintains the client UID/GID in file creation and will continue to respect them. This could be used a quick migration if timelines are tight or simply no need to change the application process.
You will also need to check older clients that may have been using UDP. In NFS v4 only TCP is allowed. Since there is no congestion control with UDP, clients typically have short timeouts that may affect failover for your NFS v4 clients.
NFSv4 uses UTF-8 for file names and directories. UTF-8 is backwards compatible with 7 bit encoded ASCII, any names that are 7 bit ASCII will continue to work. Previous names may contain 8 bit characters and then misinterpreted by NFSv4 as UTF-8 causing errors. This mostly likely seen with international languages that use characters like é, Ã, ï as an example.
NFS v4 First for AFS
While client availability and security are paramount, support for referrals is very important for AFS. AFS with its built in one-click optimization and ability to distribute data to multiple controllers under a single name space. For the single name space AFS needs ability to use FS_LOCATIONS which is a NFS v4 feature. When a client reaches a FSVM put the controller doesn't host it's export a NFS4ERR_MOVED is issued and then the client will get the right location using FS_LOCATIONS. As datasets and connections grow, the file server controllers can scale up and out without having to physical move data around while keeping daily operations simple.
As new workloads or continuous integration pipelines get deployed to AFS additional file server controllers can service the load under one mount point if desired. Even with intense metadata workloads AFS can continue to deliver a consistent experience across the board with help of NFS v4.
NFS v4 represent the gold standard for security and streamlines operations. NFS v4 will give AFS the one-click goodness that customers of Nutanix have come to know and love.
Forward-Looking Statements Disclaimer
This blog includes forward-looking statements, including but not limited to statements concerning our plans and expectations relating to product features and technology that are under development or in process and capabilities of such product features and technology. These forward-looking statements are not historical facts, and instead are based on our current expectations, estimates, opinions and beliefs. The accuracy of such forward-looking statements depends upon future events, and involves risks, uncertainties and other factors beyond our control that may cause these statements to be inaccurate and cause our actual results, performance or achievements to differ materially and adversely from those anticipated or implied by such statements, including, among others: failure to develop, or unexpected difficulties or delays in developing, new product features or technology on a timely or cost-effective basis; delays in or lack of customer or market acceptance of our new product features or technology; the failure of our software to interoperate on different hardware platforms; failure to form, or delays in the formation of, new strategic partnerships and the possibility that we may not receive anticipated results from forming such strategic partnerships; the introduction, or acceleration of adoption of, competing solutions, including public cloud infrastructure; a shift in industry or competitive dynamics or customer demand; and other risks detailed in our Form 10-Q for the fiscal quarter ended October 31, 2017, filed with the Securities and Exchange Commission. These forward-looking statements speak only as of the date of this presentation and, except as required by law, we assume no obligation to update forward-looking statements to reflect actual results or subsequent events or circumstances.
© 2018 Nutanix, Inc. All rights reserved. Nutanix, the Enterprise Cloud Platform, and the Nutanix logo are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).