NFSv4 Questions


Jeff

Sep 3, 2015, 3:18:01 PM
to Isilon Technical User Group
Okay, you'll have to excuse a neophyte question here, but we've been running with NFSv4 disabled since I arrived.  Mainly due to some issues with how we handle credentialing here (it's a mash-up of LDAP and something else which I do not recall).  Regardless, our initial testing had proved out that we could not run with NFSv4.  Now we are seeing a bigger need for v4 and consequently a way to test without breaking the existing NFSv3 connections.

My first thought is to stand up a virtual instance of the latest OneFS to run the testing and I suspect that's the best answer regardless.  However, I'm also wondering what would happen to existing NFSv3 connections if we were to enable NFSv4 on our live clusters?  Is the connection level determined by the level of NFS the client is running, or what is being served by the cluster?

The main reason for moving to NFSv4 is to allow encryption. I'd like to hear from anyone that is doing this, pros/cons etc.

Thanks!

Jerry Uanino

Sep 3, 2015, 3:27:14 PM
to isilon-u...@googlegroups.com
Ah... NFSv4.  Let us know how it goes, I've always been curious to meet someone who gets NFSv4 to work reliably. It has been many years since I tried NFSv4. Honestly, I didn't know that Isilon was supporting NFSv4.  How does it handle moving a stateful connection, I wonder? Is the performance better/same/worse?  Not that I have much to add, but VERY curious if you succeed at this.


Adam Fox

Sep 3, 2015, 3:51:59 PM
to isilon-u...@googlegroups.com
FYI.  You don’t need NFSv4 for encryption.  For NFS it’s done through Kerberos.  

If your goal is data path encryption (encrypt the data over the wire), you can do it with NFSv3 or NFSv4, but be aware that the node is doing the encryption/decryption and it is not free.  You could see a significant performance hit for doing this in software. I can’t say exactly for every environment, but 30% would not be unreasonable (but YMMV).  If your cluster is lightly used, you may not notice it, but if you are hitting it hard, you definitely want to test it first.  Folks who want line speed encryption tend to use external devices built to do this rather than using the SW of the server.

But you don’t need to turn on v4 to do this.  You just need the Kerberos infrastructure in place.

— Adam Fox



Erik Weiman

Sep 3, 2015, 11:17:35 PM
to isilon-u...@googlegroups.com
V4 has been supported for quite some time (at least 6.5 perhaps older). 
It is stateful and like SMB does not have the transparent failover that you see with NFSv3. 

--
Erik Weiman 
Sent from my iPhone 6+

John Beranek - PA

Sep 4, 2015, 7:55:35 AM
to Isilon Technical User Group
On Thursday, 3 September 2015 20:18:01 UTC+1, Jeff wrote:
> Okay, you'll have to excuse a neophyte question here, but we've been running with NFSv4 disabled since I arrived.  Mainly due to some issues with how we handle credentialing here (it's a mash-up of LDAP and something else which I do not recall).  Regardless, our initial testing had proved out that we could not run with NFSv4.  Now we are seeing a bigger need for v4 and consequently a way to test without breaking the existing NFSv3 connections.
>
> My first thought is to stand up a virtual instance of the latest OneFS to run the testing and I suspect that's the best answer regardless.  However, I'm also wondering what would happen to existing NFSv3 connections if we were to enable NFSv4 on our live clusters?  Is the connection level determined by the level of NFS the client is running, or what is being served by the cluster?

Selection of protocol level is a negotiation between server and client.

As soon as NFSv4 is available on the server, any client which supports NFSv4 will use it, unless the mount options have been specified to override the version auto-negotiation (with something like nfsvers=3, on Linux).

We ended up disabling NFSv4 on all of our clients which used local authentication, and leaving NFSv4 enabled on the clusters. I have not yet had any success enabling NFSv4 privacy, even on Linux clients which are AD-integrated.

Cheers,

John
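
Added example, not part of the thread: a shell check of what a Linux client actually negotiated, reporting the NFS version and the security flavor (`sys`, `krb5`, `krb5i`, `krb5p`) of each mount so that unencrypted or unexpectedly upgraded mounts stand out. The sample mount lines, hostname and paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (hostname and paths are made up).
sample_mounts() {
cat <<'EOF'
isilon.example.com:/ifs/data /mnt/data nfs rw,relatime,vers=3,proto=tcp,sec=sys,mountvers=3 0 0
isilon.example.com:/ifs/home /mnt/home nfs4 rw,relatime,vers=4.0,proto=tcp,sec=krb5p,clientaddr=10.0.0.5 0 0
isilon.example.com:/ifs/proj /mnt/proj nfs4 rw,relatime,vers=4.0,proto=tcp,sec=sys,clientaddr=10.0.0.5 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# audit_nfs_mounts: reads mounts-format lines on stdin and prints
# "<mountpoint> vers=<v> sec=<flavor> <verdict>" for every NFS mount.
audit_nfs_mounts() {
  awk '$3 == "nfs" || $3 == "nfs4" {
    vers = "unknown"; sec = "unknown"
    n = split($4, opt, ",")
    for (i = 1; i <= n; i++) {
      # Anchored match so that "mountvers=3" is not mistaken for "vers=3".
      if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
      else if (opt[i] ~ /^sec=/) sec = substr(opt[i], 5)
    }
    if (sec == "krb5p")      verdict = "encrypted"       # Kerberos privacy
    else if (sec == "krb5i") verdict = "integrity-only"  # signed, not encrypted
    else if (sec == "krb5")  verdict = "auth-only"       # Kerberos auth only
    else if (sec == "sys")   verdict = "cleartext"       # AUTH_SYS, no Kerberos
    else                     verdict = "unknown"
    print $2, "vers=" vers, "sec=" sec, verdict
  }'
}

# Demo run on the constructed sample.
sample_mounts | audit_nfs_mounts
```

On a real client, run `audit_nfs_mounts < /proc/mounts` before and after enabling NFSv4 on the cluster to see which mounts changed version.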

Jerry Uanino

Sep 4, 2015, 8:45:40 AM
to isilon-u...@googlegroups.com
Eish. So every time a node fails in the cluster, you'll have a disconnect and reconnect at clients?
Does Linux just puke when this happens and cause a stale NFS mount or does it actually recover?

John Beranek - PA

Sep 4, 2015, 9:27:11 AM
to Isilon Technical User Group
Sounds like a useful thing to try in a lab cluster... ;)

John

John Beranek - PA

Sep 4, 2015, 12:51:28 PM
to Isilon Technical User Group
I almost managed to test this on a lab cluster, but when I failed a node the pool IPs just stayed put.

I believe to get pool IP failover you need SmartConnect Advanced, and my lab cluster isn't licensed...

John