Instructor Notes
<Notes>
Student Notes
<Notes>
CLASSROOM LOGISTICS
Instructor Notes
<Notes>
Student Notes
<Notes>
INTRODUCTIONS
Instructor Notes
<Notes>
Student Notes
<Notes>
COURSE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
<Notes>
THANK YOU
Instructor Notes
<Notes>
Student Notes
<Notes>
NFS
Instructor Notes
<Notes>
Student Notes
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
10
11
Instructor Notes
<Notes>
12
b)
c)
d)
The sources of configuration information, such as VLDB tables, mgwd tables, and files in mroot.
13
The approach that will be taken in each of the following modules is that we will attempt to:
a) Learn about the CLI commands, EMS messages, counters, logging, and tracing tools for triaging issues related to the topics being discussed
b) Understand why the issue has occurred
c) Learn how we can fix it
14
WHERE TO GO NEXT
Instructor Notes
<Notes>
Student Notes
15
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
16
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
dev01cluster-1::> vserver nfs show
Vserver: dev01
General Access: true
v3: enabled
v4.0: enabled
v4.1: disabled
UDP: enabled
TCP: enabled
Default Windows User: learn\Administrator
Default Windows Group: learn\Domain Users
dev01cluster-1::> set diag
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y
dev01cluster-1::*> nfs status
The NFS server is running on Vserver "dev01".
17
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
18
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
19
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
20
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
21
NFS-SPECIFIC COMMANDS
Instructor Notes
<Notes>
Student Notes
22
MODULE SUMMARY
Instructor Notes
<Notes>
Student Notes
23
THANK YOU
Instructor Notes
<Notes>
Student Notes
24
NFS
Instructor Notes
<Notes>
Student Notes
25
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
26
Instructor Notes
Student Notes
27
28
29
30
31
32
NFSV3 FEATURES
Instructor Notes
Student Notes
NFS version 3 (NFSv3) introduces the concept of safe asynchronous writes. An NFSv3 client can specify that the
server is allowed to reply before the server saves the requested data to disk, which permits the server to gather small
NFS write operations into a single efficient disk write operation. An NFSv3 client can also specify that the data must be
written to disk before the server replies, just like an NFS version 2 (NFSv2) write. The client specifies the type of write
by setting the stable_how field in the arguments of each write operation to UNSTABLE (or ASYNC) to request a safe
asynchronous write and to STABLE (SYNC or FSYNC) for an NFSv2-style write.
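The stable_how values mentioned above are defined by the NFSv3 specification (RFC 1813); a minimal sketch of the field, not taken from Data ONTAP code:

```python
from enum import IntEnum

class StableHow(IntEnum):
    """stable_how values carried in an NFSv3 WRITE3args (RFC 1813)."""
    UNSTABLE  = 0  # safe async write: server may reply before data is on disk
    DATA_SYNC = 1  # data must reach stable storage; metadata may be deferred
    FILE_SYNC = 2  # data and metadata on stable storage before the reply

# An UNSTABLE write must later be made durable; the client checks this
# through the verifier returned by the COMMIT procedure.
```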
33
34
35
36
Student Notes:
The state field in the expanded NFS LOCK command packet is an odd number.
37
NFSV3 LOCKS
Instructor Notes
<Notes>
Student Notes
The NLM provides two types of locks, monitored and non-monitored.
Monitored Locks:
Monitored locks are reliable. A client process which establishes monitored locks can be assured that if the server host, on which the locks are
established, crashes and recovers, the locks will be reinstated without any action on the client process' part. Likewise, locks that are held by a
client process will be discarded by the NLM on the server host if the client host crashes before the locks are released.
Monitored locks require both the client and server hosts to implement the NSM protocol.
Monitored locks are preferred over the non-monitored locks.
NSM
Each NSM keeps track of its own "state" and notifies any interested party of a change in this state. The state is merely a number which increases
monotonically each time the condition of the host changes: an even number indicates the host is down, while an odd number indicates the host is
up.
The NSM does not actively "probe" hosts it has been asked to monitor; instead it waits for the monitored host to notify it that the monitored host's
status has changed (that is, crashed and rebooted).
When it receives an SM_MON request an NSM adds the information in the SM_MON parameter to a notify list. If the host has a status change
(crashes and recovers), the NSM will notify each host on the notify list via the SM_NOTIFY call. If the NSM receives notification of a status change
from another host it will search the notify list for that host and call the RPC supplied in the SM_MON call.
NSM maintains copies of its current state and of the notify list on stable storage.
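The even/odd state convention above can be captured in a tiny helper (purely illustrative; the function name is ours):

```python
def nsm_host_is_up(state: int) -> bool:
    """Per the NSM convention: an odd state number means the host is up,
    an even number means it is down.

    The state increases monotonically each time the host's condition
    changes, so a crash-and-reboot cycle advances it by two.
    """
    return state % 2 == 1
```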
For example, on Red Hat RHEL 6.5:
# mount
38
Cluster-Mode:
For NFSv3, no lock information is stored on the N-blade.
The D-blade persistently stores information about the clients that have made lock requests in two metafiles (lmgr_host_file and
lmgr_host_notify). When the NFS server reboots (the D-blade goes down), the lock manager goes through all records stored in the
metafiles and sends reclaim requests to the N-blade. The N-blade then sends these reclaim requests to the appropriate
clients. Each client is responsible for reclaiming all previously requested locks within the grace period designated by the server.
Any state that is not reclaimed is cleaned up by the server once the grace period has expired.
38
1. On the client, shut down all processes that use the affected NFS resources by using ps -ef and grepping for known processes, such as a database process.
2. On the client, unmount the affected NFS export.
3. On the client, determine the process IDs of statd and lockd: ps -ef | grep lockd and ps -ef | grep statd.
4. Kill the lockd and statd processes: kill [lockd_process_id] and kill [statd_process_id].
5. On the server, use vserver locks show to verify that the locks are gone. If not, use vserver locks break to break the locks.
6. On the client, restart the statd and lockd processes: /usr/lib/nfs/statd and /usr/lib/nfs/lockd.
7. On the client, remount the NFS export and restart any required processes.
39
40
MODULE SUMMARY
Instructor Notes
<Notes>
Student Notes
41
THANK YOU
Instructor Notes
<Notes>
Student Notes
42
NFS
Instructor Notes
<Notes>
Student Notes
43
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
44
45
46
47
48
49
50
51
52
Each Vserver with FlexVol volumes has a default export policy that contains no rules. An export
policy with rules must exist before clients can access data on the Vserver, and each FlexVol volume
contained in the Vserver must be associated with an export policy.
When you create a Vserver with FlexVol volumes, the storage system automatically creates a default
export policy called default for the root volume of the Vserver. You must create one or more rules
for the default export policy before clients can access data on the Vserver. Alternatively, you can
create a custom export policy with rules. You can modify and rename the default export policy, but
you cannot delete it.
By default, each FlexVol volume created in the Vserver is associated with the default export policy
for the Vserver. You can use the default export policy for all volumes contained in the Vserver, or
you can create a unique export policy for each volume. You can also associate multiple volumes with
the same export policy.
The root volume of a virtual server (Vserver) is created from an aggregate within the cluster. The root volume
is mounted at the root junction path (/) and is automatically assigned the default export policy. As you add
new volumes to the namespace, assign new export policies (such as vsNFS_vol1 assigned vsNFS_policy1)
or have the export policy inherit from the volume's parent (vsNFS_vol02 inherits from vsNFS_root's
export policy).
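For example, a rule permitting a subnet read/write access could be added to the default policy as shown below (illustrative values; verify the flags against your ONTAP release):

```
cluster1::> vserver export-policy rule create -vserver vs1 -policyname default -clientmatch 192.168.1.0/24 -rorule sys -rwrule sys
```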
2014 NetApp. All rights reserved.
53
54
55
56
57
58
59
60
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
61
When an NFS client connects to the SVM, Data ONTAP obtains the UNIX credentials (UNIX user name and group
name) for the user by checking different name services, depending on the name services configuration of the SVM.
Data ONTAP can check credentials for local UNIX accounts, NIS domains, and LDAP domains. At
least one of them must be configured so that Data ONTAP can successfully authenticate the user.
You can specify multiple name services and the order in which Data ONTAP searches them.
In a pure NFS environment with UNIX volume security styles, this configuration is sufficient to
authenticate and provide the proper file access for a user connecting from an NFS client.
In NFSv3, client-server communication happens using numeric UIDs and GIDs. The client is responsible
for mapping them back to the UNIX user name and group name using the sources for UID/GID mapping
specified in the /etc/nsswitch.conf file on the client.
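As an illustration, a client /etc/nsswitch.conf fragment directing these lookups might look like this (typical values, not taken from the course environment):

```
passwd: files nis
group:  files nis
hosts:  files dns
```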
For example, user root has uid = 0 and gid = 0. Now the client sends a CREATE request to ONTAP to create a
file called foo. The UID and the GID are contained in the RPC layer, and parameters such as the
filename and attributes for the CREATE procedure are embedded in the NFS layer. When the
ONTAP NFS server gets the CREATE request from the client, it uses the UID and GID
numbers from the RPC header and stores them in the inode of the new file foo if the security style of the volume
being accessed is unix.
If the security style is ntfs, then the UID and GID have to be mapped to the UNIX user name and group name, respectively.
Data ONTAP uses the sources specified for the passwd and group databases to perform this mapping. The sources
may be NIS, files, or LDAP.
62
Subsequently, the UNIX user name has to be mapped to a Windows name, which in turn must be
mapped to a SID. This SID is then stored in the inode of the file foo.
After the file foo is created, the NFS server returns the numeric UID and GID during every
GETATTR request for that file from the client. The client then maps the UID and GID numbers that
the NFS server returns to the UNIX user name and group name, respectively, after consulting
the /etc/nsswitch.conf file for the appropriate sources.
In 8.2, the name server switch configuration was at the Vserver level, which meant that for all the
databases - netgroups, hosts, users, and groups - the set of name servers had to be evaluated in the
order provided.
vsim::> vserver modify -vserver vs1 -ns-switch ?
nis file ldap
This UI had additional problems.
One could not specify 'dns' as a value in the 'ns-switch' for a Vserver because of the shared nature of
this configuration. A DNS server does not have the capability to host a netgroup database, so if
someone set ns-switch to 'files,dns', netgroup resolution would fail if ONTAP tried to contact a DNS
server for netgroup information. For that reason, 'dns' was never allowed as a valid entry in the
'ns-switch' field for a Vserver.
62
Netgroup Limits
For netgroups in 8.3, we support a maximum nesting level of 1000. For a local netgroup file, we support a maximum
of 4096 characters per line.
http://limits.gdl.englab.netapp.com/limits/ONTAP/CMode/sw:fullsteam.0/limit:max_netgroup_nest
http://limits.gdl.englab.netapp.com/limits/ONTAP/CMode/sw:fullsteam.0/limit:max_netgroup_characters
http://limits.gdl.englab.netapp.com/limits/ONTAP/CMode/sw:fullsteam.0/limit:max_exports_characters
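A local netgroup file uses the standard (host,user,domain) triple syntax, and entries may nest other netgroups (which is what the nesting limit above bounds). A small illustrative fragment with hypothetical names:

```
# Each member is a (host,user,domain) triple or the name of a nested netgroup.
trusted   (h1,,) (h2,,)
lab-hosts trusted (h3,,)
```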
63
64
65
66
67
AUTHORIZATION
Instructor Notes
<Notes>
Student Notes
68
69
SecD IN NFS
Instructor Notes
<Notes>
Student Notes
70
71
TRACE MATCH
[kern_SecD:info:1599] |
[kern_SecD:info:1599] |
All
|
|
[kern_SecD:info:1599] |------------------------------------------------------------------------------'
[kern_SecD:info:1599] | [000.000.061] debug: Worker Thread 34369186320 processing RPC 702:SecD_rpc_config_table_update with request ID:23133 which sat in
the queue for 0 seconds. { in run() at server/SecD_rpc_server.cpp:1463 }
[kern_SecD:info:1599] | [000.000.130] debug: An update to configuration table SecD_cifs_server_security_db_view has been received. Checking table contents... { in
SecD_rpc_config_table_update_1_svc() at configuration_manager/SecD_rpc_config.cpp:353 }
[kern_SecD:info:1599] | [000.000.222] debug: SUCCESS: Number of field names matches number of field values! Updating table 'SecD_cifs_server_security_db_view'
{ in SecD_rpc_config_table_update_1_svc() at configuration_manager/SecD_rpc_config.cpp:369 }
[kern_SecD:info:1599] | [000.000.248] debug: Update received for config source SecD_cifs_server_security_db_view: row about to be added { in updateSourceData()
at ../SecD/include/SecD_configuration_sources.h:188 }
[kern_SecD:info:1599] | [000.000.263] debug: Translating row to record for table 'CifsServerSecurity' { in updateSourceData() at
../SecD/include/SecD_configuration_sources.h:193 }
[kern_SecD:info:1599] | [000.000.368] debug: Querying config source 'CifsServerSecurity' (with 0 rows of data) by keys vserver id: '5' { in query() at
configuration_manager/SecD_configuration_sources.cpp:4308 }
[kern_SecD:info:1599] | [000.000.393] debug: Translating rowToRecord for table 'CifsServerSecurity' { in postUpdateSourceData() at
configuration_manager/SecD_configuration_sources.cpp:4379 }
[kern_SecD:info:1599] | [000.000.496] debug: SecD RPC Server sending reply to RPC 702: SecD_rpc_config_table_update { in SecDSendRpcResponse() at
server/SecD_rpc_server.cpp:1359 }
[kern_SecD:info:1599] |------------------------------------------------------------------------------.
[kern_SecD:info:1599] |
[kern_SecD:info:1599] |
[kern_SecD:info:1599] '------------------------------------------------------------------------------'
72
73
74
75
76
One of the enhancements made to SecD was to provide extensive caching for connections.
This helps improve performance by preventing constant calls for connections, as well as avoiding issues when
the network hiccups.
77
ldap-groupid-to-name
ldap-groupname-to-id
nis-groupid-to-name
nis-groupname-to-id
nis-username-to-creds
nis-group-membership
netgroup
78
kerberos-realm
machine-account
nis-domain
vserver
vserverid-to-name
unix-group-membership
local-unix-user
local-unix-group
kerberos-keyblock
ldap-config
ldap-client-config
ldap-client-schema
name-mapping
nfs-kerberos
cifs-server-options
cifs-server-security
dns
cifs-preferred-dc
79
kerberos-realm
machine-account
nis-domain
vserver
vserverid-to-name
unix-group-membership
local-unix-user
local-unix-group
kerberos-keyblock
ldap-config
ldap-client-config
ldap-client-schema
name-mapping
nfs-kerberos
cifs-server-options
cifs-server-security
dns
cifs-preferred-dc
virtual-interface
routing-group-routes
SecD-cache-config
Example of DNS config query for Vserver 12:
::*> diag SecD configuration query -node nodename -source-name dns
vserver: 12
domains: rtp2k3dom3.ngslabs.netapp.com
name-servers: 10.61.70.5
state: true
timeout: 2
attempts: 1
user-modified: true
80
https://wikid.netapp.com/w/NFS/FS.0/Documents/Exports/libC/DesignSpec#libc
DNS was vserverized in Data ONTAP starting 8.2.1.
vsim::> vserver services dns hosts ?
create    Create a new host table entry
delete    Remove a host table entry
modify    Modify hostname or aliases
show      Display IP address to hostname mappings
The NFS exports code in mgwd used SecD to talk to the DNS server starting 8.2.1. But SecD did/does not have
support to refer to a local hosts database for hostname to IP address resolution. The NFS exports code would always
talk to the DNS server to resolve hostnames or IP addresses. So NFS exports could never take advantage of
hostnames configured locally using the 'vserver services dns hosts' command.
81
In 8.2.0, 8.2.1, and 8.2.2, for example, if the netgroup contained 80,000 hostnames, the exports processing code in mgwd
would wait until the entire list of 80,000 hostnames was downloaded from the name server before checking whether the IP
address of the client (for which the export check was being performed) was a member of the netgroup.
82
83
84
Instructor Notes
<Notes>
Student Notes
When connecting by means of NFS, the N-blade makes calls to mgwd and/or SecD to gather
information about export policy objects, users, groups, extended groups, hosts, and netgroups for
the client and user that is attempting to connect. mgwd and SecD in turn may make calls to external
name servers to gather this information.
Data ONTAP uses several exports-related caches to store the gathered information for faster access.
There are certain tasks you can perform to manage export policy caches for troubleshooting purposes.
How Data ONTAP uses export policy caches
To improve system performance, Data ONTAP uses local caches to store information such as host
names and netgroups. This enables Data ONTAP to process export policy rules more quickly than
retrieving the information from external sources. Understanding what the caches are and what they
do can help you troubleshoot client access issues.
You configure export policies to control client access to NFS exports. Each export policy contains
rules, and each rule contains parameters to match the rule to clients requesting access. Some of these
parameters require Data ONTAP to contact an external source, such as DNS or NIS servers, to
resolve objects such as domain names, host names, or netgroups.
These communications with external sources take a small amount of time. To increase performance,
Data ONTAP reduces the amount of time it takes to resolve export policy rule objects by storing
information locally on each node in several caches.
85
Every export policy rule has an anon field. The UNIX credentials of this anon user need to be provided during an export
check. If a UID is specified for the anon field in an export policy rule, the UID must be mapped to a UNIX user name.
The cache is used for anon regardless of what the clientmatch is; the clientmatch could be any of IP
address/domain/host/netgroup. The corresponding UNIX credentials are looked up by making an RPC call to SecD, and
the obtained credential is stored in the 'id' cache.
The nsswitch sources referred to when building the UNIX credentials are passwd (for the UID and primary GID) and
group (for additional GIDs).
86
Every export policy rule has an anon field. The UNIX credentials of this anon user need to be provided during an export
check. If a UNIX user name is specified for the anon field in an export policy rule, the UID corresponding to that UNIX
user name is looked up by making an RPC call to SecD, and the obtained UID is stored in the 'name' cache.
The cache is used for anon regardless of what the clientmatch is; the clientmatch could be any of IP
address/domain/host/netgroup.
The nsswitch source referred to is passwd (for looking up the UNIX user name to UID mapping).
87
Export policy rules that have a hostname in the clientmatch field will use this cache. The hostname specified in the rule
is converted into an IP address by performing a lookup, and the IP address and hostname are stored in the cache. The
client IP address that comes as part of the export check RPC is compared with the IP address of the hostname
present in the policy rule.
If the clientmatch is a host, the ns-switch sources specified for the hosts database are consulted (to look up the IP
address corresponding to the hostname specified in the clientmatch rule).
88
Export policy rules that have a netgroup in the clientmatch field will use this cache. The netgroup specified in the rule is
fetched from the name server specified in the ns-switch order for netgroups. Once all the hostnames are fetched, they
are converted into IP addresses by performing lookups on the name servers in the ns-switch order specified for hosts.
These IP addresses are then stored in the Patricia Trie in the cache. The client IP address that comes as part of the
export check RPC is compared with the IP addresses in the Trie for a match.
The clientmatch is a netgroup; the sources consulted are:
netgroup database sources (for looking up all hosts present in the netgroup specified in the rule)
hosts database sources (for converting hostnames present in the netgroup into IP addresses)
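The lookup flow above can be sketched with a plain set standing in for the Patricia Trie (purely illustrative; the names are ours, not ONTAP code):

```python
def export_check_netgroup(client_ip, netgroup_hosts):
    """Illustrative netgroup export check.

    netgroup_hosts maps hostname -> resolved IP address, i.e. the result of
    fetching the netgroup members via the netgroup ns-switch sources and
    resolving each member via the hosts ns-switch sources. Data ONTAP keeps
    the resolved IPs in a Patricia Trie; a set stands in for it here.
    """
    ip_trie = set(netgroup_hosts.values())
    # The client IP carried in the export check RPC is matched against
    # the resolved member IPs.
    return client_ip in ip_trie
```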
89
"byhost": The IP address was found (or not found) to be in the netgroup through a lookup done using the netgroup.byhost
API. Either the netgroup.byhost database contains the IP address as a key, or it contains the hostname corresponding
to this IP address as a key. The hostname for this IP address is obtained via a reverse DNS query.
This result state implies:
the netgroup cache (Patricia Trie) is in the process of being populated, and while it is being populated the
netgroup.byhost API is used to do the lookup, and/or
the IP address was not found in the partial set of IP addresses present in the Patricia Trie that is in the process of
being populated.
"cache": The IP address was found to be in the netgroup through a lookup done using the netgroup cache; the IP
address matched an IP address that was found in the Patricia Trie. This result state implies:
the netgroup cache has been populated and is in a ready state, or
the netgroup cache has been partially populated and the IP address we were looking for was found in the partial set of
IP addresses present in the Patricia Trie.
"reverse lookup scan": The IP address was found (or not found) to be in the netgroup through a lookup that involved: a
check to see whether the IP address was present in the list of host entries obtained for the netgroup from the name server;
if the IP address match fails, a reverse DNS query is performed to get the hostname corresponding to the IP address,
and a match is then attempted using this hostname against the host entries obtained for the netgroup from the name server.
This result implies: the netgroup lookup could not be done using the netgroup.byhost API, either because
netgroup.byhost has not been configured or because the netgroup.byhost API returned a non-deterministic result, and/or
the netgroup cache is still in the process of being built, but the list of host entries present in the netgroup has already
been fetched from the name server; these host entries are being converted into IP addresses (if not already IP
addresses) and inserted into the Patricia Trie, and/or
the IP address was not found in the partial set of IP addresses present in the Patricia Trie that is in the process of
being populated.
"not a member": The IP address was not found in the netgroup. This result implies the IP address was deterministically
found not to be a member of the netgroup using one of the following:
a lookup using the netgroup.byhost API, if the netgroup cache is not yet populated
a lookup using the netgroup cache, only if the cache has been fully populated (non-membership cannot be
90
Example:
The netgroup file has (h1,,).
The DNS domain for that Vserver is lab.netapp.com.
ip1 accesses the volume, and reverse DNS returns h1.lab.netapp.com for that IP address.
If netgroup DNS domain search is enabled, h1 will be allowed access.
If netgroup DNS domain search is disabled, h1 will be denied access.
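The behavior in this example can be sketched as follows (illustrative only; the function and parameter names are ours):

```python
def netgroup_allows(fqdn, netgroup_hosts, dns_domain, domain_search):
    """Illustrate netgroup DNS domain search.

    The netgroup file may hold short names such as 'h1', while reverse DNS
    returns an FQDN such as 'h1.lab.netapp.com'. The short name only matches
    when netgroup DNS domain search is enabled and the host's domain equals
    the Vserver's configured DNS domain.
    """
    if fqdn in netgroup_hosts:          # exact match, e.g. FQDN in the file
        return True
    host, _, domain = fqdn.partition(".")
    return domain_search and domain == dns_domain and host in netgroup_hosts
```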
91
92
93
https://wikid.netapp.com/w/NFS/FS.0/Documents/Exports/showmount/DesignSpec#Overview_of_chosen_approach
As exports are added or deleted, a job will be created in the cluster to run in the mhost to rewrite the exports data file for each vserver.
Whenever a volume:
is created with a junction path
is deleted with a junction path
is promoted as a root volume
or a qtree:
is created with an explicit export policy
is modified to have an explicit export policy
is modified to remove an explicit export policy
is deleted with an explicit export policy
then we will kick off the job.
We do not start a job when a volume is:
going offline
going online
being unmounted
being mounted
As MOUNTD EXPORT requests arrive in the N-blade, the exports data XDR buffers will be read from the file and sent back to the client.
In the mhost, when the job manager loops over all Vservers, if it detects that the option is disabled for the current Vserver, it skips regenerating the exports.data file
for that Vserver.
In the N-blade, when processing a MOUNTD_EXPORT request, if the option is disabled the N-blade skips trying to access the exports.data file and simply reports '/'. Note that if there was an
old copy of the file (i.e., an admin turned off the feature), then it need not be deleted.
The location of the exports.data file
dev01cluster-1-01% pwd
/clus/dev01/.vsadmin/config/etc
dev01cluster-1-01% ls
exports.data
It is in XDR format
The read buffers for the exports file will be cached in the N-blade for N minutes. Any new MOUNT EXPORT requests that the N-blade receives in those N minutes will
use the cached read buffer list to create the response without having to reread the exports file. The exports file is not likely to change with any great frequency, so
in the case of a mount storm the cached read buffer list will greatly improve response time and alleviate unnecessary load on the filer. The added reference to the
cached read buffers will be dropped after N minutes, and the buffers will be released back into the system on last use.
https://wikid.netapp.com/w/NFS/FS.0/Documents/Exports/showmount/DesignSpec
94
95
N-BLADE INTERACTION
Instructor Notes
<Notes>
Student Notes
NFS mount a volume in Vserver student1 whose security style is ntfs and issue the following command:
cluster1::diag nblade credentials*> show -vserver student1 -unix-user-name root
96
97
::diag nblade cifs*>
credentials  interfaces  path-mapping  server  shares  spinnp
::*> diag nblade cifs credentials show -vserver vs0 -unix-user-name cmodeuser
Getting credential handles.
3 handles found....
Getting cred 0 for user.
Global Virtual Server: 7
Cred Store Uniquifier: 2
Cifs SuperUser Table Generation: 0
Locked Ref Count: 0
Info Flags: 1
Alternative Key Count: 0
Additional Buffer Count: 1
Allocation Time: 338055323 ms
Hit Count: 6 ms
Locked Count: 0 ms
Windows Creds:
Flags: 128
Primary Group: S-1-000000000005-21-184436492-4217587956-933746605-513
Domain 0 (S-1-000000000005-21-184436492-4217587956-933746605):
Rid 0: 1117
Rid 1: 1195
Rid 2: 513
Domain 1 (S-1-000000000005-32):
Rid 0: 545
Domain 2 (S-1-000000000001):
Rid 0: 0
Domain 3 (S-1-000000000005):
Rid 0: 11
Rid 1: 2
Unix Creds:
Flags: 0
Domain ID: 0
Uid: 503
Gid: 500
Additional Gids:
Gid 0: 500
Getting cred 1 for user.
Global Virtual Server: 7
Cred Store Uniquifier: 2
Cifs SuperUser Table Generation: 0
Locked Ref Count: 0
Info Flags: 1
Alternative Key Count: 0
Additional Buffer Count: 1
Allocation Time: 19900289 ms
Hit Count: 9 ms
Locked Count: 0 ms
Windows Creds:
Flags: 128
Primary Group: S-1-000000000005-21-184436492-4217587956-933746605-513
Domain 0 (S-1-000000000005-21-184436492-4217587956-933746605):
Rid 0: 1117
Rid 1: 1195
Rid 2: 513
Domain 1 (S-1-000000000005-32):
Rid 0: 545
Domain 2 (S-1-000000000001):
Rid 0: 0
Domain 3 (S-1-000000000005):
Rid 0: 11
Rid 1: 2
Unix Creds:
Flags: 0
Domain ID: 0
Uid: 503
Gid: 500
Additional Gids:
Getting cred 2 for user.
Global Virtual Server: 7
Cred Store Uniquifier: 2
Cifs SuperUser Table Generation: 0
Locked Ref Count: 0
Info Flags: 1
Alternative Key Count: 0
Additional Buffer Count: 1
Allocation Time: 9559651 ms
Hit Count: 8 ms
Locked Count: 0 ms
Windows Creds:
Flags: 128
Primary Group: S-1-000000000005-21-184436492-4217587956-933746605-513
Domain 0 (S-1-000000000005-21-184436492-4217587956-933746605):
Rid 0: 1117
Rid 1: 513
Domain 1 (S-1-000000000005-32):
Rid 0: 545
Domain 2 (S-1-000000000001):
Rid 0: 0
Domain 3 (S-1-000000000005):
Rid 0: 11
Rid 1: 2
Unix Creds:
Flags: 0
Domain ID: 0
Uid: 503
Gid: 500
Additional Gids:
::*> diag nblade cifs credentials flush -vserver vs0
FlushCredStore succeeded flushing 2 entries
br3050n2-rtp::*> diag nblade cifs credentials show -vserver vs0 -unix-user-name cmodeuser
Getting credential handles.
ERROR: command failed: RPC call to SecD failed. RPC: 'cred store: not found'.
Reason: ''
98
99
100
101
102
exports.ngbh.allFailed: This message occurs when a netgroup-by-host request fails because all ns-switch sources for the netgroup database have returned connection
errors and files are unusable as a source.
Severity: ERR
Frequency: 1m
Remedial Action: There might be temporary connectivity issues with the Vserver's configured ns-switch sources for the netgroup database. Check connectivity to the
name servers configured for netgroups.
netgroup.nis.config: This message occurs when a netgroup lookup request finds that Network Information Service (NIS) is specified as an ns-switch source, but NIS is not
configured for the Vserver. Netgroup lookups using NIS will not function.
Severity: ERR
Frequency: 5m
Remedial Action: Check the ns-switch sources configured for the netgroup database using "vserver services name-service ns-switch show" and the NIS configuration for
the Vserver using "nis-domain show". Either remove NIS as an ns-switch source, or configure NIS.
netgroup.nis.byhost.missing: This message occurs when the netgroup.byhost map is not configured on the Network Information Service (NIS) server and NIS is
configured as an ns-switch source for the Vserver. Enabling netgroup.byhost enables mount operations to succeed faster when the netgroup size is large.
Severity: INFO
Frequency: 12h
Remedial Action: Consider configuring the netgroup.byhost map on the NIS server to gain better performance with netgroups.
netgroup.ldap.config: This message occurs when a netgroup lookup request finds that Lightweight Directory Access Protocol (LDAP) is specified as an ns-switch source,
but LDAP is not configured for the Vserver. Netgroup lookups using LDAP will not function.
Severity: ERR
Frequency: 5m
Remedial Action: Check the ns-switch sources configured for the netgroup database using "vserver services name-service ns-switch show" and the LDAP configuration
for the Vserver using "ldap show" and "ldap client show". Either remove LDAP as an ns-switch source, or configure LDAP.
netgroup.ldap.byhost.missing: This message occurs when netgroup.byhost is disabled in the Lightweight Directory Access Protocol (LDAP) client configuration on the
storage system, and LDAP is configured as an ns-switch source for the Vserver. Enabling netgroup.byhost enables mount operations to succeed faster when the
netgroup size is large.
Severity: INFO
Frequency: 12h
Remedial Action: Consider configuring the netgroup.byhost database on the LDAP server and enabling netgroup.byhost in the LDAP client configuration on the storage
system by using the "ldap client modify" command.
netgroup.files.missing: This message occurs when a netgroup lookup request finds that files is specified as an ns-switch source, but a netgroup file cannot be found.
Severity: ERR
Frequency: 5m
Remedial Action: Check that the local netgroup file is present and load it if necessary. The commands to perform this are "vserver services netgroup load" and "vserver
services netgroup status".
103
104
105
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
106
COMMON ISSUES
Instructor Notes
<Notes>
Student Notes
107
New clients may attempt to access the server even before the server has had a chance to pull the new netgroup file
that has the client present in the netgroup.
In 8.2.3 and 8.3.0, a worst case of 3 hours can be expected before a new client added to a netgroup is
allowed access.
108
109
110
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
111
MODULE SUMMARY
Instructor Notes
<Notes>
Student Notes
112
THANK YOU
Instructor Notes
<Notes>
Student Notes
113
NFS
Instructor Notes
<Notes>
Student Notes
114
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
115
116
117
118
JUNCTION CHARACTERISTICS
Instructor Notes
<Notes>
Student Notes
Junction inodes are created in the volume they are mounted on.
/student1_nfs -> vserver root volume junction student1_nfs
/student1_nfs/volx -> student1_nfs junction volx
119
msid
isActive
120
121
122
123
ABOUT VLDB
Instructor Notes
<Notes>
Student Notes
124
VLDB
Instructor Notes
<Notes>
Student Notes
::*> node run local showfh /vol/test
flags=0x00 snapid=0 fileid=0x000040 gen=0x65f84bc3 fsid=0x7cc0f654 dsid=0x00000000000444
msid=0x00000080000438
::*> vol explore -format volume 1092 -dump name,dsid,msid,fsid
(volume explore)
name=test
dsid=1092
msid=2147484728
fsid=0x7CC0F654
::*> vol show -volume test -fields msid,dsid,fsid
(volume show)
vserver volume msid dsid fsid
125
126
dump voltable
-s dump snapshottable
-f dump familytable
-F dump flexclonetable
-M dump msidtable
-a dump aggrtable
-b dump bladetable
-i dump allocidtable
-n dump nextidtable
-j dump junctiontable
-m dump mgmtvoltable
-c dump coralstripetable
-e dump coralepochtable
-l
127
dsidlookup
getsnapshots
getbladeinfo
getnewids
updateaggrmap
volnamelookup
getbladelist
msidlookup
rootlookup
isLeaf: 1
DSID: 1092
Access:1
Storage:1
Stripe:1
DataVersion:1
BladeID: 4c0fc069-cd09-11e0-8990-3d8225f660d2
128
129
There are N-Blade counters available in FreeBSD sysctl, as well as in "stats rw_ctx", that provide information about the
number of rewinds and giveups along with the reason. Small increments in these values are expected, because
operations do suspend from time to time for several valid reasons. But large increments in giveups or rewinds may
indicate an underlying issue.
130
131
132
Histogram of vldb operation latencies on node br3170c-01. Columns: Process, ID, Description, Samples, Mean (usec), Maximum (msec); per-row values omitted. Operations profiled include:
TM_changeRole, RM_newEpochCB, QM_doWork, QM_briefWait, QM_getQuorumInfo, LU_writeUnitFile, LU_beginUpdate, QM_getSiteDataList, LU_logCommitRec, LU_postCommit, LDB_retrieveRec, LDB_readTxnChanges, resource_readLock, resource_readLockDrop, resource_writeLock, resource_writeLockDrop, DBI_addRecord, DBI_removeRecord, DBI_cursorAdvance, DBI_appCompareFunc, DBI_cursorMoveToTarget, DBI_cursorEstablishPosition, cb_queueCallback, DBI_cursorNext, cb_invokeCallback, rpc_qm_client_qmPoll, rpc_qm_server_qmPoll, rpc_tm_client_propagate, rpc_rm_client_getVersion, rpc_rm_client_goOnline.
30 entries were displayed.
133
134
135
STALE JUNCTIONS
Instructor Notes
<Notes>
Student Notes
136
137
::*> debug smdb table modifyVolume run -volToModify 1113 -volmsid 2147484749 -fieldsToModify 2 -force true
::*> vol show -vserver vs0 -volume dummy -fields msid,dsid,junction-path
vserver volume dsid msid       junction-path
------- ------ ---- ---------- -------------
138
ABOUT WEX
Instructor Notes
<Notes>
Student Notes
WAFL Explorer tool.
139
VOLUME EXPLORER
Mounting or accessing a corrupt volume can lead to a hung client. This command can be used to check the volume.
Instructor Notes
<Notes>
Student Notes
140
nitrocfg
Instructor Notes
<Notes>
Student Notes
Tracing is difficult to demo because, for most modules, tracing is not registered for non-debug kernels
nitrocfg configures and queries "generic" nblade components (and a few components which didn't really have enough configurability/observability to warrant their own tools)
% nitrocfg 0 showVar
OncRpcHistCtl = 0x8a6c52e8
NfsDebug = 0x0007
OncRpcDupReqDebug = 0x0007
CPxDebug = 0x0000
SpinNpHistCtl = 0x8ca0caa8
Nfs41pNFSLayoutReturnOnClose = 0x0000
AVCacheDebug = 0x000f
AVCacheRefreshPeriod = 0x493e0
AVPolicyEnabled = 0x0001
VldbHistCtl = 0x8e9e6fa8
ReferralDebug = 0x000f
ReplayCacheDebug = 0x000f
AccessCacheDebug = 0x000f
AccessCacheMaxRefreshTime = 0x249f0
AccessCacheMinRefreshTime = 0x01f4
AccessCacheRefreshPeriod = 0x493e0
ExportChecksEnabled = 0x0001
CfVldbDebug = 0x001f
VldbCacheRefreshPeriod = 0x927c0
NitroRpcDebug = 0x0007
BsdHostIfRpcDebugEnable = 0x0000
NbladeEMSTest = 0x0000
NitroTimerDebug = 0x0000
NitroPostmanDebug = 0x0000
NitroExecContextDebug = 0x0000
NitroCIDDebug = 0x0000
NitroStreamCoreDebug = 0x0000
Nitrocfg syntax:
% nitrocfg
nitrocfg
Copyright (c) 1992-2011 NetApp, Inc.
Usage: nitrocfg instance [-s] [command {opts ...} ]
-s enables silent mode, which disables printing of retry messages
commands:
csmAddLocal
nbladeId[]
dbladeId[]
csmAddLocalDceUuid
nblade_dce_uuid dblade_dce_uuid
csmAddRemote
bladeId[] ipAddr port proto
csmAddRemoteDceUuid
ipAddr port proto
csmAddClusterVif
bladeId[] ipaddr port proto
csmAddClusterVifDceUuid dce_uuid ipaddr port proto
invalidateAccessCache
virtual_server_id ruleset_id
invalidateAVCache
policy_id
FlushMsidCache
FlushVserverCache
FlushJunctionCache
VldbCacheInvalidateMsid msid
VldbCacheInvalidateDsid dsid
VldbCacheInvalidateVserver
VirtualServer
VldbCacheInvalidateDblade
dblade_dce_uuid
getMsid msid
getDsid dsid
pmapSet
programNumber programVersion protocol port virtualServer
pmapUnset
programNumber programVersion protocol virtualServer
pmapDump
virtualServer
getVar
name
setVar
name value
showVar
setNfsOptions
VirtualServer ctxHigh ctxIdle nfsAccess V2E V3E V4.0E V4.0AclE V4.0RdDlgE V4.0WrDlgE V4FsidCE V4RlyDrop V40RefE V4.0RqOC V4IdDomain udpEnable tcpEnable spinauthEnable jukeboxEnable jukeboxCacheEnable nfsV3RequireReadAttributes ntfsSecOps nfsChown
forceSpinNpReaddir traceE trigger udpXferSize tcpXferSize tcpV3ReadSize tcpV3WriteSize V4SymLinkEnable V4LeaseS V4GraceS V3FsidCE V3ConnDropE V4AclPreserveE V4.1E rquotaEnable V4.1SPE V4.1ImplIdDomain V4.1ImplIdName V4.1ImplIdDate V41pNFS V41pNFSStriped V40MigrE V41RefE V41MigrE V41AclE
vStorageEnable
getNfsOptions
VirtualServer
protocol: 17 = udp, 6 = tcp
pingMsid msid isRw
pingDsid dsid
pingUUID UUID
pingAllUUIDs
mapTest interface-name
runTest interface-index ...
cacheMsid msid epoch
141
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
142
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
143
MODULE SUMMARY
Instructor Notes
<Notes>
Student Notes
144
THANK YOU
Instructor Notes
<Notes>
Student Notes
145
146
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
147
148
UNIX and most other systems mount local disks or partitions on directories of the root file system. NFS
exports are exported relative to root or /. Early versions of Data ONTAP had only one volume, so directories
were exported relative to root just like any other NFS server.
When disk capacities grew to the point that a single volume was no longer practical, the ability to create
multiple volumes was added.
NFS server administrators rarely make the entire server's filesystem name space available to NFS clients. More often
portions of the name space are made available via an "export" feature. In previous versions of the NFS protocol, the
root filehandle for each export is obtained through the MOUNT protocol; the client sends a string that identifies the
export of name space and the server returns the root filehandle for it. The MOUNT protocol supports an EXPORTS
procedure that will enumerate the server's exports.
NFS version 4 servers present all the exports within the framework of a single server name space. An NFS version 4
client uses LOOKUP and READDIR operations to browse seamlessly from one export to another. Portions of the
server name space that are not exported are bridged via a "pseudo filesystem" that provides a view of exported
directories only. A pseudo filesystem has a unique fsid and behaves like a normal, read only filesystem.
The ROOT filehandle is the "conceptual" root of the filesystem name space at the NFS server. The client uses or starts
with the ROOT filehandle by employing the PUTROOTFH operation. The PUTROOTFH operation instructs the server
to set the "current" filehandle to the ROOT of the server's file tree. Once this PUTROOTFH operation is used, the client
can then traverse the entirety of the server's file tree with the LOOKUP operation.
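The pseudo-filesystem bridging described above can be sketched as a small function: given the server's export list, compute the minimal set of directories that must be visible so a client can LOOKUP/READDIR from the ROOT filehandle to every export. This is an illustrative sketch only (the export paths are made up), not ONTAP's implementation.

```python
# Sketch: build the directory set an NFSv4 pseudo filesystem must expose
# so a client can browse from / to every export. Unexported siblings are
# simply absent from this set.

def pseudo_fs_dirs(exports):
    """Return every directory on a path from / to some export."""
    dirs = {"/"}
    for export in exports:
        parts = [p for p in export.split("/") if p]
        path = ""
        for part in parts:
            path += "/" + part
            dirs.add(path)   # each ancestor (and the export itself) is visible
    return dirs

exports = ["/vol/home", "/vol/projects/src"]   # hypothetical export list
print(sorted(pseudo_fs_dirs(exports)))
# ['/', '/vol', '/vol/home', '/vol/projects', '/vol/projects/src']
```

Anything outside this set (for example an unexported /vol/scratch) is invisible to NFSv4 clients browsing the pseudo filesystem.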
149
150
We will talk about owner and group information later in the module
151
NFSV4 FEATURES
https://wikid.netapp.com/w/NFS/v4gx/FS-updated
https://wikid.netapp.com/w/NFS/v4gx/DS#v4gx_Design
Instructor Notes
Student Notes
NFSv4 introduces major structural changes to the protocol compared to earlier versions, including the elimination of
ancillary protocols. In NFS version 2 (NFSv2) and NFS version 3 (NFSv3), the Mount protocol is used to obtain the
initial file handle, while file locking is supported by the Network Lock Manager (NLM) protocol. NFS version 4 (NFSv4)
is a single protocol that uses a well-defined port, which, coupled with the use of TCP, allows NFS to easily transit
firewalls to enable support for the Internet. As in WebNFS, the use of initialized file handles obviates the need for a
separate Mount protocol. Locking is fully integrated into the protocol, which is also required to enable mandatory
locking. The lease-based locking support adds significant state (and concomitant error-recovery complexity) to the
NFSv4 protocol.
Another structural difference between NFSv4 and its predecessors is the introduction of a COMPOUND remote
procedure call (RPC) procedure that allows the client to group traditional file operations into a single request to send to
the server. In NFSv2 and NFSv3, all actions are RPC procedures. NFSv4 is no longer a simple RPC-based
distributed application. In NFSv4, work is accomplished through operations. An operation is a file-system action that
forms part of a COMPOUND procedure. NFSv4 operations correspond functionally to RPC procedures in earlier
versions of NFS. The server in turn groups the operation replies into a single response. Error handling is simple on the
server: Evaluation proceeds until the first error or last operation, whereupon the server returns a reply for all evaluated
operations.
See NFS Version 4 Protocol at http://www.netapp.com/library/tr/3085.pdf for more information.
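The COMPOUND error-handling rule above ("evaluation proceeds until the first error or last operation") can be sketched as a simple loop. The operation names and status codes here are illustrative; this is not server code.

```python
# Sketch: NFSv4 COMPOUND evaluation on the server stops at the first
# failing operation; replies for all *evaluated* operations are returned.

NFS4_OK = 0

def evaluate_compound(operations):
    """operations: list of (name, handler); handler returns a status code."""
    replies = []
    for name, handler in operations:
        status = handler()
        replies.append((name, status))
        if status != NFS4_OK:
            break   # first error ends evaluation; later ops never run
    return replies

# Example: PUTROOTFH succeeds, LOOKUP fails, GETFH is never evaluated.
ops = [
    ("PUTROOTFH", lambda: NFS4_OK),
    ("LOOKUP",    lambda: 2),       # pretend NFS4ERR_NOENT
    ("GETFH",     lambda: NFS4_OK),
]
print(evaluate_compound(ops))  # [('PUTROOTFH', 0), ('LOOKUP', 2)]
```

The client can therefore tell exactly which operation in the batch failed from the length of the reply list.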
152
NFSV4: CONNECTION
Instructor Notes
Student Notes
A client first contacts the server by using the SETCLIENTID operation, in which it presents an opaque
structure, identifying itself to the server, together with a verifier. The opaque structure uniquely identifies a
particular client. A verifier is a unique, nonrepeating 64-bit object that is generated by the client that allows
a server to detect client reboots. On receipt of the client's identifying data, the server returns a 64-bit client
ID. The client ID is unique and does not conflict with those that were previously granted, even across server
reboots. The client ID is used in client recovery of a locking state after a server reboot. A server after a
reboot rejects a stale client ID, which forces the client to re-establish a client ID and locking state. After a client
reboot, the client must get a new client ID to use to identify itself to the server. When it does so, using the
same identity information and a different verifier, the server notes the reboot and frees all locks that were
obtained by the previous instantiation of the client.
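The SETCLIENTID reboot detection described above can be sketched as follows; the class, identity strings, and verifier values are invented for illustration and do not reflect ONTAP internals.

```python
# Sketch: same identity + same verifier -> same client ID; same identity
# + NEW verifier -> client rebooted, so the server frees the previous
# instantiation's locks and issues a fresh client ID.
import itertools

class Nfs4Server:
    def __init__(self):
        self._next_id = itertools.count(1)
        self._clients = {}   # identity -> (verifier, client_id)
        self.locks = {}      # client_id -> set of held locks

    def setclientid(self, identity, verifier):
        known = self._clients.get(identity)
        if known and known[0] == verifier:
            return known[1]                  # same client instantiation
        if known:
            self.locks.pop(known[1], None)   # reboot detected: drop old locks
        client_id = next(self._next_id)      # unique, never reused
        self._clients[identity] = (verifier, client_id)
        return client_id

srv = Nfs4Server()
cid1 = srv.setclientid("client-A", verifier=0xAAAA)
srv.locks[cid1] = {"lock-on-f1"}
cid2 = srv.setclientid("client-A", verifier=0xBBBB)  # client rebooted
print(cid1 != cid2, srv.locks.get(cid1))  # True None
```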
153
Preliminary testing of callback functionality by means of a CB_NULL procedure determines whether callbacks can be
supported. The CB_NULL procedure checks the continuity of the callback path. We will talk about this when discussing
delegations.
154
155
156
157
158
DELEGATION
https://wikid.netapp.com/w/NFS/v4gx/Delegation
Instructor Notes
Student Notes
NFSv4 allows a server to delegate specific actions on a file to a client to enable more aggressive client caching of data
and to allow caching of the locking state. A server cedes control of file updates and the locking state to a client through
a delegation. This reduces latency by allowing the client to perform operations and cache data locally. After a client
holds a delegation, it can perform operations on files whose data was cached locally to avoid network latency and
optimize I/O. The more aggressive caching that results from delegations can be a big help in environments with the
following characteristics:
Frequent opens and closes
Frequent GETATTRs
File locking
Read-only sharing
High latency
Fast clients
A heavily loaded server with many clients
Two types of delegations exist: READ and WRITE. Delegations do not help to improve performance for all workloads.
A proper evaluation of the workload and the application behavior pattern must be done before you use delegations. For
example, if multiple writers to a single file exist, then the WRITE delegation might not be a good choice, while for read-intensive workloads, the READ delegation would provide better performance.
A READ delegation can be given out to multiple clients with an OPEN for a READ as long as they have a callback
path. A client can voluntarily return the delegation, or the NetApp storage system can recall the delegation in case of
conflicting access to the file. This is done through a callback path that is established from the server to the client.
159
160
161
DELEGATIONS USAGE
Instructor Notes
Student Notes
The NFSv4 server in Data ONTAP will grant a read delegation in response to an OPEN for read, if no other client has the file open for write or denying read. This guarantees that no other client will be able to write to the file. If other clients open the same file for read-only access, they will be
allowed to read the file. If another NFSv4 client
supporting read delegations opens the file for read-only access, it will be granted a read delegation as well. For files being created, no delegation is returned on exclusive creates. This is because the client will issue a SETATTR request after the CREATE, which will cause the delegation to be
recalled anyway; as an optimization, we do not give out the delegation in the first place.
When using a read delegation, a client can do read-only opens and corresponding closes locally. It also doesn't need to poll the server to check modified times on the file, because no one will be allowed to modify the file. A lease is associated with a delegation. Upon lease expiration, the
delegation's state goes away and any locks associated with the delegation are marked expired. If the client does not renew its lease within a certain time period (controlled by an option), these locks are revoked.
Read Delegation Granting
Granted during OPEN with share_access READ
Server may grant a read delegation if:
read delegation option is enabled, and
open does not require confirmation, and
this is not an exclusive open, and
no client has the file open for write, and
no client has file open with deny-read, and
a recall path present, and
claim type is CLAIM_NULL or CLAIM_PREVIOUS (reclaim)
Subject to recall (via CB_RECALL proc) in case of a conflicting access
Client can keep the delegation until recall or voluntary return via DELEGRETURN
Note:
RFC 3530 section 8.1.8 restricts the server from bestowing a delegation for any open that would require confirmation; doing so is difficult and adds complexity.
No read delegation will be given out on an exclusive open. This is because the client will issue a SETATTR after the create, which will cause the delegation to be recalled. As an optimization, we do not give out the delegation in the first place.
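The grant conditions listed above can be collapsed into a single predicate. The field and parameter names below are invented for illustration; they mirror the listed rules, not ONTAP's internal state.

```python
# Sketch of the read-delegation grant check: every listed condition must
# hold, otherwise the OPEN succeeds without a delegation.
from dataclasses import dataclass

@dataclass
class OpenRequest:
    requires_confirmation: bool
    exclusive_create: bool
    claim_type: str            # e.g. "CLAIM_NULL", "CLAIM_PREVIOUS"

@dataclass
class FileState:
    open_for_write: bool       # any client holds the file open for write
    open_with_deny_read: bool  # any client opened the file denying read

def may_grant_read_delegation(option_enabled, req, state, recall_path_up):
    return (option_enabled                          # option is on
            and not req.requires_confirmation       # open needs no confirm
            and not req.exclusive_create            # not an exclusive open
            and not state.open_for_write
            and not state.open_with_deny_read
            and recall_path_up                      # callback path present
            and req.claim_type in ("CLAIM_NULL", "CLAIM_PREVIOUS"))

req = OpenRequest(requires_confirmation=False, exclusive_create=False,
                  claim_type="CLAIM_NULL")
state = FileState(open_for_write=False, open_with_deny_read=False)
print(may_grant_read_delegation(True, req, state, recall_path_up=True))  # True
```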
RECALLING A READ DELEGATION
A client can voluntarily return the delegation, or the NFSv4 server can recall the delegation in case of conflicting access to the file. This is done through a callback path
established from the server to the client.
Server recalls when
OPEN request for write
OPEN request denying read
RENAME, REMOVE, SETATTR
WRITE request
When a delegation is recalled, there might be a number of opens that the client has done locally and now
needs to propagate to the server. It will do that before returning the delegation.
There are other scenarios where read delegations are recalled for e.g. dump restore of a volume.
When a conflicting request such as an OPEN for WRITE comes in for a file that has a read
delegation, an NFSERR_DELAY/NFSERR_JUKEBOX error is returned if the request is coming
from an NFSv4 client. Client retries conflicting request after some delay.
If the request is coming over NFSv2/NFSv3/CIFS, the request is
suspended waiting for the delegation to be recalled. When that is done, the suspended request is
restarted and finally granted.
162
Write delegation gives exclusive access to a file to one client. The server will grant a write
delegation if no other client has the file open.
Once a client has a write delegation, it is guaranteed that no other client can access that file
as long as the delegation remains valid.
Granted during OPEN with share_access WRITE or BOTH
Server may grant a write delegation if:
write delegation option is enabled, and
open does not require confirmation, and
no other client has the file open, and
a recall path present, and
claim type is CLAIM_NULL or CLAIM_PREVIOUS (reclaim)
No other client can read or write
Subject to recall (via CB_RECALL proc) in case of a conflicting access
Client can keep the delegation until recall or voluntary return via DELEGRETURN
Note: RFC 3530 section 8.1.8 restricts the server from bestowing a delegation for any open that would require confirmation; doing so is difficult and adds complexity.
Write Delegation Recall
The way delegations work, clients should do all OPEN, WRITE, LOCK, and UNLOCK
requests locally. However, there are some clients, such as Solaris, that send LOCK and
UNLOCK requests to the server even though they might be holding a write delegation for that
file. The NetApp storage system associates such opens and locks with the delegation, and if
the delegation is returned, these opens and locks are disassociated from the delegation
state.
However, if a client decides to do locking/unlocking locally, it will have to send the lock state
over when the delegation is being returned/recalled.
Server recalls when
A non-subsumed OPEN request is received
I/O request without an opened sharelock
RENAME, REMOVE, SETATTR (Note that the server does not recall a write delegation if a SETATTR comes in with the delegation stateid, since it is coming from the client holding the delegation)
WRITE request with a stateid other than that of the delegation or an open subsumed by the delegation, or a byte-range lock gotten under such an open. The only other stateids that should exist are the special stateids and write done with those
should definitely cause a recall.
NFSERR_DELAY will be returned to the client making the conflicting request. Client retries conflicting request after some delay.
There are other scenarios where write delegations are recalled, for example volume offline, volume delete, and dump restore
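The recall triggers above can be sketched as a decision function. The stateid value and the simplifications (only the listed operations, no special stateids) are assumptions for illustration, not ONTAP's actual logic.

```python
# Sketch of the write-delegation recall decision: a SETATTR or WRITE
# carrying the delegation's own stateid comes from the delegation holder
# and must NOT trigger a recall; conflicting stateids and non-subsumed
# OPENs must.

DELEG_STATEID = 0x6F88  # made-up stateid of the granted write delegation

def should_recall_write_delegation(op, stateid=None, subsumed_open=False):
    if op in ("RENAME", "REMOVE"):
        return True
    if op == "OPEN":
        return not subsumed_open          # non-subsumed OPEN conflicts
    if op in ("SETATTR", "WRITE"):
        return stateid != DELEG_STATEID   # holder's own stateid is fine
    return False

print(should_recall_write_delegation("SETATTR", stateid=DELEG_STATEID))  # False
print(should_recall_write_delegation("WRITE", stateid=0x0000))           # True
print(should_recall_write_delegation("OPEN", subsumed_open=False))       # True
```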
Delegation Reclaim
Delegations may be reclaimed by the client upon server reboot.
Client reclaims delegation upon server reboot
OPEN with claim type set to CLAIM_PREVIOUS
Server should grant delegation
If delegation being reclaimed is not more permissive than the corresponding OPEN
If recall path is not setup, server can set the recall flag
Client should return delegation as soon as possible
Delegation Revoke
Delegations may be revoked by the server.
Server can revoke a delegation if
Client does not return delegation upon recall
When the lease expires and the last recall time is greater than the lease time
"locks break" command
SnapMirror operation
Instructor Notes
Student Notes
163
Instructor Notes
Student Notes
Client1 opens file f2 in mode O_RDONLY
Server grants client1 a read delegation for file f2
Client1 tries to obtain a read only byte range lock on file f2
164
Instructor Notes
Student Notes
The server has no knowledge of byte range read only lock on file f2 by an application running on client1 since
client1 processed the lock on locally cached contents (since it has a read delegation)
Server is only aware of the read delegation
165
Instructor Notes
Student Notes
Server grants read delegation to client2
Client 2 opens file f2 for read/write
166
Instructor Notes
Student Notes
The server recalls the read delegation for f2 because client2 has opened it for read/write.
Client1 makes the server aware of opens and locks that client1 had processed locally
So the byte range lock now appears at the server side
Client2 opens file f2 for read/write
167
1.
2.
3.
4. Even though the client application makes multiple read calls, reading only 5 characters at a time, only one read is sent to the server, which reads all the file contents.
5.
6. Client1 sends to the server the opens and locks on f1 that client1 executed on the locally cached content.
7.
168
Instructor Notes
Student Notes
169
Instructor Notes
Student Notes
170
1.
2.
3. Client1 writes to f8 using stateid 0x6f88, i.e., the delegation (all bytes are written in one write operation).
4. Client1 reads f8 using stateid 0x6f88, i.e., the delegation (no open for read, since it is processed locally).
Server does not honor the claim since client2 has opened the file for read.
7.
171
172
173
174
175
DENY ACEs should be avoided whenever possible, since they can be confusing and complicated.
When DENY ACEs are set, users might be denied access when they expect to be granted access. This is
because the ordering of ACEs within an NFSv4 ACL affects how they are evaluated.
NOTE: The more ACEs, the greater impact the ACL has on performance.
176
ACE PERMISSIONS
Instructor Notes
Student Notes
For more information on NFSv4 ACLs and ACEs, refer to the following:
http://linux.die.net/man/1/nfs4_setfacl
http://linux.die.net/man/5/nfs4_acl
177
178
ACL PRESERVATION
Instructor Notes
Student Notes
179
Instructor Notes
Student Notes
The NFSv4 ID domain name is a pseudo domain name that the client and server must agree upon before they can do
most of the NFSv4 operations. The NFSv4 domain name need not be equal to the NIS or Domain Name System (DNS)
domain name; it can be any string that both the client and server NFSv4 implementations understand. Unlike NFSv2
and NFSv3, NFSv4 does not ship the traditional user ID (UID) and group ID (GID) in the NFS requests and responses.
For all the NFSv4 requests to be processed correctly, you must ensure that the user-name-to-user-ID mappings are
available to the server and the client.
[-v4-id-domain <NIS or DNS domain>]: NFSv4 ID Mapping Domain: In Data ONTAP, this optional
parameter specifies the domain portion of the string form of user and group names as defined by the
NFSv4 protocol. By default, the domain name is normally taken from the NIS domain or the DNS domain
that is in use. However, the value of this parameter overrides the default behavior.
In NFSv4, the exchange of the owner and owner's group between client and server happens in string format.
For example, user root has uid = 0 and gid = 0. When a client wants to create a file called foo,
it sends an OPEN operation to the server instead of CREATE. The RPC will still carry the
numeric UID and GID, and the NFS layer will carry
an OPEN operation with the CREATE flag set to ON to create the file, as well as the FATTR parameter,
which will contain root@domain.com as the owner and
root@domain.com as the owner's group. domain.com is the NFSv4 ID domain.
On the Linux client, this domain is configured in the /etc/idmapd.conf file
(/etc/default/nfs on a Solaris client) by specifying the following line:
Domain=domain.com
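The round trip described above (numeric IDs on disk, "name@domain" strings on the wire) can be sketched as follows; the user table and domain are illustrative stand-ins for the SVM's unix-user table and the -v4-id-domain setting.

```python
# Sketch of NFSv4 ID-domain string mapping: numeric UIDs are translated
# to "name@domain" owner strings on the wire, and back again on receipt.

ID_DOMAIN = "domain.com"
UNIX_USERS = {0: "root", 1000: "student1"}   # uid -> name (stand-in table)

def uid_to_wire(uid):
    """Outbound GETATTR/FATTR: numeric UID -> owner string."""
    return f"{UNIX_USERS[uid]}@{ID_DOMAIN}"

def wire_to_uid(owner):
    """Inbound OPEN/SETATTR: owner string -> numeric UID.
    Fails the domain check when the sender's ID domain does not match."""
    name, _, domain = owner.partition("@")
    if domain != ID_DOMAIN:
        raise ValueError("NFSv4 ID domain mismatch")
    reverse = {v: k for k, v in UNIX_USERS.items()}
    return reverse[name]

print(uid_to_wire(0))                   # root@domain.com
print(wire_to_uid("root@domain.com"))   # 0
```

A domain mismatch is exactly the failure mode that makes new files appear owned by "nobody" on misconfigured clients.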
2014 NetApp. All rights reserved.
180
For simplicity, suppose that we are dealing with files as the passwd and group source.
The unix-user table will be consulted for the UID of root for the given SVM, and
the unix-group table will be consulted for the GID of the root group for the given SVM. Once the numeric
UID and GID are obtained, the file
foo is created, and the numeric UID/GID is stored on disk (in the inode of file foo).
The reverse mapping is performed when the client issues the GETATTR operation.
ONTAP must fill the FATTR parameter with the unix-user name/group name, and
-v4-id-domain is appended to the string name before it is sent on the wire.
On the client side, once the domain check passes, NSDB is consulted to map the
received username and group name to a numeric UID and GID. NSDB does the mapping
according to the /etc/nsswitch.conf file.
Because the ID domains match, it is assumed that the client and ONTAP use the same
source for this mapping,
i.e., the same NIS or LDAP server, or the entries in /etc/passwd of the client match the entries
for the SVM in the unix-user table of the cluster and the entries in /etc/group of the client
match the entries for the SVM in the unix-group table of the cluster.
Instructor Notes
Student Notes
181
182
183
NFSV4 REFERRALS
https://wikid.netapp.com/w/NFS/v4gx/Referrals
Instructor Notes
Student Notes
Data ONTAP 8.1 introduces NFSv4 referrals. When referrals are enabled in a virtual server (Vserver), Data ONTAP
8.1 provides referrals within that Vserver to NFSv4 clients. An intraVserver referral occurs when a cluster node that is
receiving the NFSv4 request refers the NFSv4 client to another LIF in the Vserver. The NFSv4 client uses this referral
to direct its access over the referred path at the target LIF from that point onward. The original cluster node issues a
referral when it determines that a LIF exists in the Vserver and resides on the cluster node on which the data
volume resides. In other words, if a cluster node receives an NFSv4 request for a nonlocal volume, it can refer the
client to the local path for that volume through the LIF. This therefore allows clients faster access to the data and
avoids extra traffic on the cluster interconnect.
If a volume moves to another aggregate on another node, the volume movement is done nondisruptively. However, the
referral is not updated until the NFSv4 client unmounts and remounts the file system to understand the new location of
the volume and direct the client to the LIF on the node on which the volume now resides. By default, NFSv4 referrals
are enabled on Linux clients like Red Hat Enterprise Linux 5.4 and later releases.
intra-vserver
Occurs at junction crossings
Controlled by option v4.0-referrals or v4.1-referrals enabled|disabled
NFS4ERR_MOVED and FS_LOCATIONS attribute
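The referral decision at a junction crossing can be sketched as follows. The node names, LIF IPs, and lookup tables are invented for illustration; the real decision is made against VLDB and LIF configuration state.

```python
# Sketch of the intra-Vserver referral decision: if the receiving node
# does not host the volume, but the Vserver has a LIF on the hosting
# node, reply NFS4ERR_MOVED with fs_locations pointing at that LIF.

VOLUME_HOME = {"dev01_nfsv4": "node1"}       # volume -> hosting node
VSERVER_LIFS = {"node1": "10.63.25.222",     # node -> data LIF IP
                "node2": "10.63.26.230"}

def handle_junction_crossing(volume, receiving_node):
    home = VOLUME_HOME[volume]
    if home == receiving_node:
        return ("NFS4_OK", None)             # volume is local: no referral
    lif = VSERVER_LIFS.get(home)
    if lif is None:
        return ("NFS4_OK", None)             # no LIF on home node: serve remotely
    return ("NFS4ERR_MOVED", lif)            # refer client to the local LIF

print(handle_junction_crossing("dev01_nfsv4", "node2"))
# ('NFS4ERR_MOVED', '10.63.25.222')
```

Note the middle case: when no LIF exists on the hosting node, the request is simply served over the cluster interconnect rather than referred.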
184
Instructor Notes
Student Notes
When a mount request is sent, the request will act as a normal NFSv4.x mount operation. However, once the DH LOOKUP call is made, the server
(NetApp cluster) will respond with the GETFH status of NFS4ERR_MOVED to notify the client that the volume being accessed does not live
where the LIF being requested lives. In its reply to the LOOKUP call, the server then notifies the client of the IP (via the fs_location4 value) on the
node where the data volume lives. This works regardless of whether a client is mounting via DNS name or IP. However, the client will report that it
is mounted to the IP specified rather than the IP returned to the client from the server.
The mount location looks to be at the IP address specified by the client:
[root@centos6 /]# mount | grep /mnt
10.61.92.37:/nfsvol on /mnt type nfs4 (rw,addr=10.61.92.37,clientaddr=10.61.179.164)
But the cluster shows that the connection was actually established to node1, where the data volume lives. No connection was made to node2:
cluster::> network connections active show -node node1 -service nfs*
Vserver Interface Remote
CID Ctx Name Name:Local Port Host:Port Protocol/Service
--------- --- --------- ----------------- -------------------- ----------------
Node: node1
286571835 6 vs0 data:2049 10.61.179.164:763 TCP/nfs
cluster::> network connections active show -node node2 -service nfs*
There are no entries matching your query.
Clients might become confused about which IP address they are actually connected to, as per the mount command.
If a volume is junctioned below other volumes, the referral will be based on the volume being mounted. For example:
A client wants to mount vol2.
Vol2's junction is /vol1/vol2.
Vol1 lives on node1; vol2 lives on node2.
A mount is made to cluster:/vol1/vol2.
The referral will return the IP address of a LIF that lives on node2, regardless of what IP address is returned from DNS for the hostname "cluster".
The mount will use the LIF local to vol2 on node2.
In a mixed client environment, if any of the clients do not support referrals, then the -v4.0-referrals option should not be enabled. If the option is
enabled and clients that do not support referrals get a referral from the server, that client will be unable to access the volume and will experience
failures. See RFC 3530 for more details on referrals.
185
Instructor Notes
Student Notes
186
1.
2. Server 10.63.26.230 replies with NFS4ERR_MOVED and fs_locations 10.63.25.222 (the LIF on node1, where aggr1
hosts dev01_nfsv4).
3.
187
188
189
Instructor Notes
Student Notes
190
191
192
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
193
REFERENCES
Instructor Notes
Student Notes
194
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
195
THANK YOU
Instructor Notes
<Notes>
Student Notes
196
197
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
198
NFSV4.1
HTTPS://WIKID.NETAPP.COM/W/NFS/RR/V4.1FS#OVERVIEW
Instructor Notes
Student Notes
199
SESSIONS
HTTPS://WIKID.NETAPP.COM/W/NFS/V4.1GX/SESSIONS/DESIGNSPEC#OVERVIEW
Instructor Notes
Student Notes
Exactly once semantics (EOS) improves on NFSv4. Within the lifetime that a server retains a session's state, a client
never has a request erroneously executed multiple times, nor does any doubt exist as to whether a request was
executed.
200
In Data ONTAP:
We support sessionid trunking to the extent of trunking all connections coming to the
same LIF. There is no support for sessionid trunking across LIFs on one node. There
is also no support for clientid trunking.
200
NFSV4.1: CONNECTION
Instructor Notes
Student Notes
This process is similar to the NFS version 4 (NFSv4) connection method, except a client first contacts the
server by using the EXCHANGEID operation.
201
202
203
The EXCHANGE_ID result contains a sequence number. The client must use this sequence number for the next
CREATE_SESSION operation performed for this client (if the EXCHGID4_FLAG_CONFIRMED_R flag is not set,
otherwise the client must ignore the seqid value). The sequence number is used to provide replay protection for the
CREATE_SESSION operation.
204
205
206
The SEQUENCE operation is used to build Exactly Once Semantics (EOS) into the NFSv4.1 protocol. Each set of
operations issued for a session will be preceded by a SEQUENCE operation. The SEQUENCE operation, if present,
must be the first op in a COMPOUND. Otherwise, NFS4ERR_SEQUENCE_POS is returned to the client. The
operation request includes a session id, slot id, sequence id, a value specifying the highest outstanding slot id and a
Boolean specifying if the result of this current request should be cached. Processing of these values ensures that the
client and server are in sequence (with regard to outstanding and processed requests) and that any request is only
processed by the server once. This is a big change from previous versions of NFS protocols, which did not provide
EOS. Previously, reply caches were used to prevent the replay of non-idempotent operations. Idempotent operations
were allowed to be executed many times over if a retransmission occurred. With EOS, any type of operation will be
executed only once. A retry of an operation will result in either a cached response or an error.
207
When processing a SEQUENCE operation, a particular slot table entry is accessed using the slot ID in the SEQUENCE
request. If the slot ID is greater than the highest slot ID in the slot table, the server returns NFS4ERR_BADSLOT for
the SEQUENCE operation. If the slot ID is valid, the status of the slot entry is checked to determine whether this is: (A) the
first request made by the client on this slot, (B) a request for a slot that has an in-progress operation, or (C) a request for a
slot that has a completed operation. In case (A), the request must be made with seqid 1; otherwise
NFS4ERR_SEQ_MISORDERED is returned. In case (B), NFS4ERR_DELAY is returned as the error for the SEQUENCE
operation, and both a per-session and a system-wide statistic are incremented to note an in-progress hit. In case (C), the
seqid in the request is compared against the one in the slot table entry, and the following rules are applied for the
sequencing check:
If sa_seqid == slot_entry_seqid, this is a retransmission, and the reply data in the slot entry is used to formulate a
response. The SEQUENCE operation results in NFS4_OK. The slot entry is unchanged with regard to sequencing,
reply data, or state. Per-session and system-wide statistics are incremented noting a hit in the slot table for a retransmitted
request.
If sa_seqid < slot_entry_seqid OR sa_seqid > (slot_entry_seqid + 1), this is a misordered SEQUENCE operation. The
SEQUENCE operation results in NFS4ERR_SEQ_MISORDERED. The slot entry is unchanged with regard to sequencing,
reply data, or state. Per-session and system-wide statistics are incremented noting a misordered SEQUENCE operation.
If sa_seqid == slot_entry_seqid + 1, this is a properly sequenced request. The SEQUENCE operation results in
NFS4_OK. The slot entry seqid is incremented by one, and the entry status is marked in progress.
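The slot-table check above can be summarized as a small sketch. This is an illustrative simplification in Python (error names follow RFC 5661; the slot-entry structure and reply-cache handling are simplified and are not ONTAP source code):

```python
NFS4_OK = "NFS4_OK"
NFS4ERR_BADSLOT = "NFS4ERR_BADSLOT"
NFS4ERR_SEQ_MISORDERED = "NFS4ERR_SEQ_MISORDERED"
NFS4ERR_DELAY = "NFS4ERR_DELAY"

def check_sequence(slot_table, slot_id, sa_seqid):
    """Apply the SEQUENCE slot/seqid rules described above."""
    # Slot ID beyond the table's highest slot is invalid.
    if slot_id >= len(slot_table):
        return NFS4ERR_BADSLOT
    entry = slot_table[slot_id]
    if entry["status"] == "unused":          # case (A): first use of this slot
        if sa_seqid != 1:
            return NFS4ERR_SEQ_MISORDERED
        entry.update(seqid=1, status="inprogress")
        return NFS4_OK
    if entry["status"] == "inprogress":      # case (B): operation still running
        return NFS4ERR_DELAY
    # case (C): slot holds a completed request
    if sa_seqid == entry["seqid"]:           # retransmission: replay cached reply
        return NFS4_OK                       # entry left unchanged
    if sa_seqid == entry["seqid"] + 1:       # properly sequenced new request
        entry.update(seqid=entry["seqid"] + 1, status="inprogress")
        return NFS4_OK
    return NFS4ERR_SEQ_MISORDERED            # any other seqid is misordered
```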
208
209
RELIABLE CALLBACKS
Instructor Notes
Student Notes
A channel is not a connection. A channel represents the direction ONC RPC requests are sent. Each session has one
or two channels: the fore channel and the backchannel. Because there are at most two channels per session, and
because each channel has a distinct purpose, channels are not assigned identifiers. The fore channel is used for
ordinary requests from the client to the server, and carries COMPOUND requests and responses. A session always
has a fore channel. The backchannel is used for callback requests from server to client, and carries CB_COMPOUND
requests and responses. Whether or not there is a backchannel is a decision made by the client; however, many
features of NFSv4.1 require a backchannel. NFSv4.1 servers must support backchannels.
210
211
PNFS
HTTPS://WIKID.NETAPP.COM/W/NFS/PNFS/FUNCTIONALSPECIFICATION#OVERVIEW
HTTPS://WIKID.NETAPP.COM/W/NFS/PNFS/ARCHITECTURESPECIFICATION
Instructor Notes
Student Notes
In pNFS, clients access a metadata server to query where the data is found. The metadata server returns
information about the data's layout and location. Clients direct requests for data access to the set of data
servers specified by the layout through a data-storage protocol, which may be NFSv4.1 or another
protocol. This removes I/O bottlenecks by eliminating the single point of storage access and improves large-file
performance. It also improves data management by load-balancing data across multiple machines. pNFS
requires Linux kernel 2.6.39 or higher.
212
PNFS ACCESS
Instructor Notes
Student Notes
In this example, the pNFS client mounts at LIF4, so node 4, which hosts LIF4, becomes the metadata server.
Suppose the client performs a LOOKUP to OPEN a file that is found in volume T, which is controlled by node 1. If a file
requested by the pNFS client exists in a volume residing in an aggregate that is controlled by node 4, node 4 serves the file
locally. But if, as here, the file is in a volume that is in an aggregate on node 1 (or any of the other nodes), then for NFSv3
that becomes a nonlocal access for any client. With pNFS, however, the client receives the layout for the file and
subsequently accesses the file directly over LIF1.
213
Storage Device (NFSv4.1 definition): A storage device stores a regular file's data but leaves metadata management to the metadata server. A
storage device could be another NFSv4.1 server, an object storage device (OSD), a block device accessed over a SAN (for example, a Fibre
Channel or iSCSI SAN), or some other entity.
Storage Protocol: The NFSv4.1 pNFS feature has been structured to allow a variety of storage protocols to be defined and used. One example
storage protocol is NFSv4.1 itself. Other options include block/volume protocols such as iSCSI and FCP, and object protocols such as OSD over
iSCSI or Fibre Channel.
Control Protocol: Used by the exported file system between the metadata server and storage devices. Specification of such protocols is
outside the scope of the NFSv4.1 protocol. Control protocols would be used to control activities such as the allocation and deallocation of
storage, the management of state required by the storage devices to perform client access control, and, depending on the storage protocol, the
enforcement of authentication and authorization so that restrictions that would be enforced by the metadata server are also enforced by the
storage device.
Metadata: Information about a file system object, such as its name, location within the namespace, owner, ACL, and other attributes.
Metadata may also include storage location information, which varies based on the underlying storage mechanism that is used.
Metadata Server (or Server): An NFSv4.1 server that supports the pNFS feature. A variety of architectural choices exist for the metadata server
and its use of file system information held at the server. Some servers may contain metadata only for file objects residing at the metadata server
while the file data resides on associated storage devices; other metadata servers may hold both metadata and a varying degree of file data.
Device ID: The device ID identifies a group of storage devices.
Device Mappings: The mappings that exist between a device ID and the storage addresses that reach each of the storage devices in the group.
Data Server: For all practical purposes, equated with a device mapping.
Layout: A layout describes the mapping of a file's data to the storage devices that hold the data.
Constituent: Also referred to as a volume constituent. Basically, an entity, a group of which forms a volume. A constituent could store a stripe of a
file or a full copy of the file itself.
214
LAYOUTS
Layout Type: A layout belongs to a specific layout type. The layout type allows for variants to handle different storage
protocols, such as those associated with block/volume, object, and NFSv4.1 file layout types.
Volume: A logical and manageable storage container that stores a customer's data set. A volume could be hosted on a
single physical controller or on multiple hosts, and could store a copy or a stripe of the data.
Instructor Notes
Student Notes
In the request, the NFSv4.1 client provides the following:
The client ID, which represents the NFSv4.1 client.
The filehandle of the file on the metadata server.
The layout type.
The layout iomode, which indicates to the metadata server the operations the client intends to perform on the data:
either READ, or READ and WRITE.
The range, which is used to detect overlapping layouts granted to clients.
In the response, the NFSv4.1 metadata server provides the following for a file layout:
The device ID, which represents the location of the data.
A file_id, which represents how the data of a file on each data server is organized and whether COMMIT
operations should be sent to the metadata server or the data server.
The first stripe index, which is the location of the first element that is to be used.
The pattern offset, which is the logical offset into the stripe location at which to start.
The filehandle list, which is an array of filehandles on the data servers.
Multiple layouts may be returned to the client. For more information, see RFC 5661 at:
http://www.faqs.org/rfcs/rfc5661.html.
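The request and response fields above can be summarized as simple records. This is an illustrative Python sketch (field names loosely follow RFC 5661; it is not a wire-format or XDR implementation):

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class LayoutGetArgs:
    """Fields the client supplies in LAYOUTGET (simplified)."""
    client_id: int        # represents the NFSv4.1 client
    filehandle: bytes     # filehandle of the file on the metadata server
    layout_type: str      # e.g. "LAYOUT4_NFSV4_1_FILES"
    iomode: str           # client's intent: "READ" or "RW"
    offset: int           # start of the requested byte range
    length: int           # range length; used to detect overlapping layouts

@dataclass
class FileLayout:
    """Fields the metadata server returns for a file layout (simplified)."""
    device_id: bytes                  # represents the location of the data
    first_stripe_index: int           # first stripe element to use
    pattern_offset: int               # logical offset where striping starts
    filehandles: List[bytes] = field(default_factory=list)  # one per data server
    commit_through_mds: bool = False  # whether COMMITs go to the MDS
```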
215
216
217
Layout Operations
LAYOUTGET
LAYOUTCOMMIT
LAYOUTRETURN
NFSv4.1 standard: The LAYOUTGET operation requests a layout from the metadata server for reading or
writing the file given by the filehandle at the byte range specified by offset and length. The Data ONTAP metadata
server, in response to a LAYOUTGET request, creates a layout state object or bumps up the sequence number on the
existing layout state object.
NFSv4.1 standard: The LAYOUTCOMMIT operation commits changes in the layout represented by the current
filehandle, client ID (derived from the session ID in the preceding SEQUENCE operation), byte range, and stateid.
Since layouts are sub-dividable, a smaller portion of a layout, retrieved via LAYOUTGET, can be committed.
Basically, it commits changes to a file or a byte range in a file belonging to a volume. In the case of Data ONTAP,
the layout is of a volume; a file is a subset of the volume.
The Data ONTAP metadata server's response to a LAYOUTCOMMIT is a no-op that only verifies that the time
attributes supplied by the client are not stale. ONTAP maintains the consistency of attributes of files on
each file system it supports; thus, the client's attributes are not honored.
NFSv4.1 standard: The LAYOUTRETURN operation returns from the client to the server one or more layouts
represented by the client ID. The Data ONTAP metadata server response to a LAYOUTRETURN is to
218
Lif migrate
Lif revert
Lif delete
Node reboot
Volume failover
Volume move
Volume delete
D-blade reboot
SFO (Storage failover)
Successful completion of any of these events triggers invalidation of the pNFS device configuration
and the recall of the layouts granted against it. The client is expected to return the
layouts and stop accessing the data servers. If clients do not stop accessing the data
servers, those requests are fenced off.
It is expected that VLDB and VifMgr will call the pNFS Device Mappings subsystem when the location of
a volume constituent or a LIF changes.
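The invalidate-and-recall behavior described above can be sketched as follows. This is a hypothetical illustration; the event names, layout records, and function are illustrative and do not correspond to VLDB/VifMgr APIs:

```python
# Configuration events that invalidate pNFS device configuration
# (names are illustrative labels for the events listed above).
RECALL_EVENTS = {
    "lif_migrate", "lif_revert", "lif_delete", "node_reboot",
    "volume_failover", "volume_move", "volume_delete",
    "dblade_reboot", "storage_failover",
}

def on_config_event(event, invalidated_device_ids, granted_layouts):
    """Mark layouts on affected devices as recalled; return the list recalled.

    A recalled layout means the client must LAYOUTRETURN it and stop
    accessing the data servers; further DS access would be fenced off.
    """
    if event not in RECALL_EVENTS:
        return []
    recalled = [l for l in granted_layouts
                if l["device_id"] in invalidated_device_ids]
    for layout in recalled:
        layout["state"] = "recalled"
    return recalled
```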
NFSv4.1 standard: The CB_LAYOUTRECALL operation is used by the server to recall layouts from
the client; as a result, the client will begin the process of returning layouts via LAYOUTRETURN. The
CB_LAYOUTRECALL operation specifies one of three forms of recall processing with the value of
layoutrecall_type4. The recall is for one of the following: a specific layout of a specific file
(LAYOUTRECALL4_FILE), an entire file system ID (LAYOUTRECALL4_FSID), or all file systems
(LAYOUTRECALL4_ALL). Data ONTAP
Instructor Notes
Student Notes
219
Instructor Notes
Student Notes
220
1.
2.
221
222
1.
OPEN to MDS
2.
SESSION
Instructor Notes
Student Notes
223
1.
OPEN to MDS
2.
SESSION
Instructor Notes
Student Notes
224
225
226
Instructor Notes
Student Notes
227
228
A volume move occurs while the client has the file open for write.
Before the volume move, the write is directed to the DS.
After the volume move, the DS returns NFS4ERR_STALE for write access (due to the volume move, all stateids
associated with the invalidated deviceid are marked stale; VLDB makes an RPC call to the N-blade).
The write is then redirected to the MDS.
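The client-side fallback in this scenario can be sketched in a few lines. This is an illustrative Python sketch (the write callables stand in for real DS/MDS I/O paths, which are not shown here):

```python
NFS4ERR_STALE = "NFS4ERR_STALE"

def write_with_fallback(write_to_ds, write_to_mds, data):
    """Try the data server first; on NFS4ERR_STALE (deviceid was
    invalidated by the volume move), redirect the write to the MDS."""
    status = write_to_ds(data)
    if status == NFS4ERR_STALE:
        return write_to_mds(data)
    return status
```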
229
230
231
232
PNFS STATUS
Instructor Notes
Student Notes
233
234
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
235
EXERCISE
Instructor Notes
<Notes>
Student Notes
Please refer to your exercise guide.
236
MODULE OBJECTIVES
Instructor Notes
<Notes>
Student Notes
237
REFERENCES
Instructor Notes
Student Notes
238
THANK YOU
Instructor Notes
<Notes>
Student Notes
239