NFS/Kerberos: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
m (corrected link to previous revision)
m (remove extraneous ])
Line 11: Line 11:
= ZFS =
= ZFS =


On March 15, 2008, we transitioned to ZFS. This move has since been reversed; details are preserved in [http://wiki.csclub.uwaterloo.ca/User-data?oldid=2331 a previous revision of this page]].
On March 15, 2008, we transitioned to ZFS. This move has since been reversed; details are preserved in [http://wiki.csclub.uwaterloo.ca/User-data?oldid=2331 a previous revision of this page].


The NFSv4 domain is auto-detected by default, although to be safe, you can explicitly set it in /etc/default/nfs:
The NFSv4 domain is auto-detected by default, although to be safe, you can explicitly set it in /etc/default/nfs:

Revision as of 19:30, 18 January 2010

Our user-data is stored in /users on ginseng in a RAID 1 mirror running on two 400 GB SATA disks. All of our systems NFS mount /users.

We have also explored additional methods for replicating user-data, including AFS, Coda, and DRBD, but have found all to be unusable or problematic.

NFS

NFSv3 has been in long standing use by the CSC as well as almost everyone else on the planet. NFSv4 mounts of /users are currently in the works to CSCF. Unfortunately NFS has a number of problems. Clients become desperately unhappy when disconnected from the NFS server. Also previous to NFSv4 there was no way to client side cache, resulting in poor performance with large files.

On November 8, 2007, we experienced a major NFS failure. An analysis of the logs indicated that the fault was likely caused by NFSv4-specific code. As a result, we have returned to mounting with NFSv3.

ZFS

On March 15, 2008, we transitioned to ZFS. This move has since been reversed; details are preserved in a previous revision of this page.

The NFSv4 domain is auto-detected by default, although to be safe, you can explicitly set it in /etc/default/nfs:

NFSMAPID_DOMAIN=csclub.uwaterloo.ca

Initial setup

This documents some important steps that needed to be done once.

You need to create an NFS Kerberos principal on caffeine:

sudo kadmin.local
addprinc -randkey zfs/ginseng.csclub.uwaterloo.ca
ktadd -e des-cbc-crc:normal -k /tmp/ginseng.nfs.keytab

You then need to merge that keytab (using ktutil) into /etc/krb5/krb5.keytab on ginseng.

NFS (client-side)

In order to support NFSv4 ACL's with getfacl/setfacl, you should apply the NFSv4 ACL patch. You can also compile the nfs4_getfacl/nfs4_setfacl utils.