NFS
This page describes how the Weka system enables file access through the NFS protocol instead of the Weka client.
NFS (Network File System) is a protocol that allows clients to access the Weka filesystem without installing Weka’s client software using the standard NFS implementation of the client operating system.
Weka’s default NFS implementation is NFS-W. NFS-W allows overcoming the inherent limitation in the NFS protocol of up to 16 security groups a user can be part of. It supports the NFSv3, NFSv4.0, and NFSv4.1 protocols.
In addition, a legacy NFS stack is also available for backward compatibility. The legacy NFS supports only the NFSv3 protocol and up to 16 security groups a user can be part of.
Step | Implementation method |
Define a set of servers that provide the NFS service. It can be the whole cluster or a subset of the cluster. | Define an interface group. |
Define Ethernet ports on each defined server that provides the NFS service. | Define an interface group. |
Allocate a pool of IP addresses used by the Weka software to provide the NFS service. | Define an interface group. |
Define a round-robin DNS name that resolves to the floating IPs. | On the local DNS service configuration. It does not involve Weka management. |
Define the list of clients that have access permissions to the NFS filesystems. | Create a client permission group. |
Configure the clients and the filesystems that they can access. | Create a client permission group. |
Mount the file systems on the clients using the NFS mount operating system support. | On the client operating system. It does not involve Weka management. |
You can add only a single port to an interface group. Therefore, to support High Availability (HA) in NFS, create two interface groups. On each interface group, assign the server ports. In addition, to ensure that a single point of failure is not created in the switch, consider the network topology (switches) when assigning the other server ports to these interface groups.
To define the NFS service, one or more interface groups must be set. An interface group consists of the following:
- A collection of Weka servers with an Ethernet port for each server, where all the ports must be associated with the same layer-2 subnets.
- A collection of floating IPs that serve the NFS protocol on the servers and ports. All IP addresses must be associated with the layer-2 subnet above.
- A routing configuration for the IPs. The IP addresses must comply with the IP network configuration.
You can define up to 10 different Interface groups. Use multiple interface groups if the cluster needs to connect to multiple layer 2 -subnets. You can set up to 50 servers in each interface group.
The Weka system automatically distributes the IP addresses evenly on each server and port. If a server failure occurs, the Weka system redistributes the IP addresses associated with the failed server to other servers. To minimize the effect of any server failures, it is recommended to define sufficient floating IPs so that the Weka system can assign four floating IPs per server.
Note: The Weka system configures the server IP networking for the NFS service on the server operating system. The user must not perform this action.
To ensure that the various NFS clients balance the load on the different Weka servers serving NFS, it is recommended to define a round-robin DNS entry that resolves to the list of floating IPs, ensuring that client loads are equally distributed across all servers.
Note: Set the TTL (Time to Live) for all A records assigned to the NFS servers to 0 (Zero). This action ensures that the client or the DNS server does not cache the IP.
The NFS client permission groups must be defined to control the access mapping between the servers and the filesystems. Each NFS client permission group contains the following:
- A list of filters for IP addresses or DNS names of clients that can be connected to the Weka system by NFS.
- A collection of rules that control access to specific filesystems.
Configure the NFS mount on the client by the standard NFS stack operating system. The NFS server IP address must point to the round-robin DNS name (as described above).
The Weka NFS service is a scalable, fully load-balanced, and resilient service that provides continuous service through failures of any kind.
Scalability is implemented by defining many servers that serve the NFS protocol, thereby enabling performance scaling by adding more servers to the interface group.
Load balancing is implemented by floating IPs. By default, the floating IPs are evenly distributed over all the interface group servers/ports. When different clients resolve the DNS name into an IP service, each receives a different IP address, ensuring that other clients access different servers. This allows the Weka system to scale and service thousands of clients.
The exact mechanism ensures the resiliency of the service. On a server failure, all IP addresses associated with the failed server are reassigned to other servers (using the GARP network messages), and the clients reconnect to the new servers without any reconfiguration or service interruption.
The NFS protocol, using AUTH_SYS protocol, has a limitation of 16 security groups that users can be part of. The protocol truncates the group list to 16 if a user is part of more than 16 groups, and a permissions check can fail for authorized users.
As in many cases, a user can be part of more than 16 security groups. It is possible to configure the Weka system to ignore the groups passed by the NFS protocol and resolve the user's groups external to the protocol. For that, several steps should be taken:
- 1.Define an interface group that supports the external group-IDs resolution. Verify that the
allow-manage-gids
option is set toon
. - 2.Define the NFS client permissions for external group-IDs resolution (
manage-gids
option). - 3.Set up the relevant servers to retrieve the user's group-IDs information.
For the servers part of the interface group, you can set the server to retrieve the user's group-IDs information in any method that is part of the environment.
You can also set the group resolution by joining the AD domain, the Kerberos domain, or using LDAP with a read-only user.
Configure the
sssd
on the server to serve as a group IDs provider. For example, you can configure the sssd
directly using LDAP or as a proxy to a different nss
group IDs provider.Example: set
sssd
directly for nss
services using LDAP with a read-only user[sssd]
services = nss
config_file_version = 2
domains = LDAP
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# The DN used to search the ldap directory with.
ldap_default_bind_dn = cn=ro_admin,ou=groups,dc=example,dc=com
# The password of the bind DN.
ldap_default_authtok = password
If you use another method than the
sssd
but with a different provider, configure an sssd proxy
on each relevant server. The proxy is used for the Weka container to resolve the groups by any method defined on the server.To configure
sssd proxy
on a server, use the following:# install sssd
yum install sssd
# set up a proxy for weka in /etc/sssd/sssd.conf
[sssd]
services = nss
config_file_version = 2
domains = proxy_for_weka
[nss]
[domain/proxy_for_weka]
id_provider = proxy
auth_provider = none
# the name of the nss lib to be proxied, e.g., ldap, nis, winbind, vas4, etc.
proxy_lib_name = ldap
Note: All users must be present and resolved in the method used in the
sssd
for the group's resolution. In the above example, using an LDAP-only provider, local users (such as a local root) who are not present in LDAP do not receive their groups resolved and are denied. For such users or applications, add the LDAP user.ac
async
noatime
lookupcache=all
noac
sync
atime
lookupcache=none
You can change the following mount options. These values are commonly used with the Weka system.
rw
hard
rsize=524288
wsize=524288
namlen=255
timeo=600
retrans=2
nconnect=1
(only supported in NFS-W)
Note: Set these values on the mount command because different values are not supported.
nolock
Note: The following options must have fixed values, but usually are either the NFS mount defaults or are negotiated to these values by the protocol.
sec=sys
proto=tcp
mountproto=tcp
Related topics
Last modified 3mo ago