NFSv4 Working Group S. Faibish Internet-Draft EMC Corporation Intended status: Proposed Standard D. Black Expires: January 9, 2011 EMC Corporation Updates: 5661, 5662 M. Eisler NetApp J. Glasgow Google July 9, 2010 pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on January 9, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this Faibish et al. Expires January 9, 2011 [Page 1] Internet-Draft pNFS Access Permissions Check July 2010 document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Abstract This document extends the pNFS protocol to communicate errors caused by inability to access data servers referenced by layouts, including checks performed by both clients and the MDS. The extension provides means for clients to communicate client-detected access denial errors to the MDS, including the case in which a client requests direct NFS access via the MDS that the MDS cannot perform. Table of Contents 1. Introduction...................................................3 2. Conventions used in this document..............................5 3. Changes to Operation 51: LAYOUTRETURN (RFC 5661)...............5 3.1. ARGUMENT (18.44.1)........................................5 3.2. RESULT (18.44.2)..........................................6 3.3. DESCRIPTION (18.44.3).....................................6 3.4. IMPLEMENTATION (18.44.4)..................................7 4. Security Considerations........................................8 5. IANA Considerations............................................8 6. Conclusions....................................................8 7. References.....................................................9 7.1. Normative References......................................9 Faibish et al. Expires January 9, 2011 [Page 2] Internet-Draft pNFS Access Permissions Check July 2010 1. Introduction Figure 1 shows the overall architecture of a Parallel NFS (pNFS) system: +-----------+ |+-----------+ +-----------+ ||+-----------+ | | ||| | NFSv4.1 + pNFS | | +|| Clients |<------------------------------>| MDS | +| | | | +-----------+ | | ||| +-----------+ ||| | ||| | ||| Storage +-----------+ | ||| Protocol |+-----------+ | ||+----------------||+-----------+ Control | |+-----------------||| | Protocol | +------------------+|| Storage |------------+ +| Devices | +-----------+ Figure 1 pNFS Architecture In this document, "storage device" is used as a general term for a data server and/or storage server for the file, block or object pNFS layouts. The current pNFS protocol [RFC5661] assumes that a client can access every storage device (SD) included in a valid layout sent by the MDS server, and provides no means to communicate client access failures to the MDS. Access failures can impair pNFS performance scaling and allow significant errors to go unreported. If the MDS can access all the storage devices involved, but the client doesn't have sufficient access rights to some storage devices, the client may choose to fall back to accessing the file system using NFSV4.1 without pNFS support; there are environments in which this behavior is undesirable, especially if it occurs silently. An important example is addition of a new storage device to which a large population of pNFS clients (e.g., 1000s) lack access permission. Layouts granted that use this new device, result in client errors, requiring that all I/Os to that new storage device be served by the MDS server. This creates a performance and scalability bottleneck that may be difficult to detect based on I/O behavior because the other storage devices are functioning correctly. Faibish et al. Expires January 9, 2011 [Page 3] Internet-Draft pNFS Access Permissions Check July 2010 The preferable approach to this scenario is to report the access failures before any client attempts to issue any I/Os that can only be serviced by the MDS server. This makes the problem explicit, rather than forcing the MDS, or a system administrator, to diagnose the performance problem caused by client I/O using NFS instead of pNFS. There are limits to this approach because complex mount structures may prevent a client from detecting this situation at mount time, but at a minimum, access problems involving the root of the mount structure can be detected. The most suitable time for the client to report inability to access a storage device is at mount time, but this is not always possible. If the application uses a special tag or a switch to the mount command (e.g., -pnfs) and syscall to declare its intention to use pNFS, at the client, the client can check for both pNFS support and device accessibility. This document introduces an error reporting mechanism that is an extension to the return of a pNFS layout; a pNFS client MAY use this mechanism to inform the MDS that the layout is being returned because one or more data servers are not accessible to the client. Error reporting at I/O time is not affected because the result of an inaccessible data server may not be an I/O error if a subsequent retry of the operation via the MDS is successful. There is a related problem scenario involving an MDS that cannot access some storage devices and hence cannot perform I/Os on behalf of a client. In the case of the block layout [RFC5663] if the MDS has no access to a storage device (e.g., LUN), MDS implementations generally do not export any filesystem using that storage device. In contrast to the block layout, MDSs for the file [RFC5661] and object [RFC5664] layouts may be unable to access the storage devices that store data for an exported filesystem. This enables a file or object layout MDS to provide layouts that contain client-inaccessible devices. For the specific case of adding a new storage device to a filesystem, MDS issuance of test I/Os to the newly added device before using it in layouts avoids this problem scenario, but does not cover loss of access to existing storage devices at a later time. In addition, [RFC5661] states that a client can write through or read from the MDS, even if it has a layout; this assumes that the MDS can access all the storage devices. This document makes that assumed access an explicit requirement. Faibish et al. Expires January 9, 2011 [Page 4] Internet-Draft pNFS Access Permissions Check July 2010 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119]. 3. Changes to Operation 51: LAYOUTRETURN (RFC 5661) The existing LAYOUTRETURN operation is extended by introducing two new layout return types: o LAYOUT4_RET_REC_FSID_NO_ACCESS at fsid scope; and o LAYOUT4_RET_REC_FILE_NO_ACCESS at file scope. The former returns all layouts for the FSID and informs the server that the reason for the return is a storage device connectivity problem, and the latter performs the same function for an individual file layout. 3.1. ARGUMENT (18.44.1) The ARGUMENT specification of the LAYOUTRETURN operation in section 18.44.1 of [RFC5661] is replaced by the following XDR code [XDR]: /* Constants used for new LAYOUTRETURN and CB_LAYOUTRECALL */ const LAYOUT4_RET_REC_FILE = 1; const LAYOUT4_RET_REC_FSID = 2; const LAYOUT4_RET_REC_ALL = 3; const LAYOUT4_RET_REC_FSID_NO_ACCESS = 4; const LAYOUT4_RET_REC_FILE_NO_ACESSS = 5; enum layoutreturn_type4 { LAYOUTRETURN4_FILE = LAYOUT4_RET_REC_FILE, LAYOUTRETURN4_FSID = LAYOUT4_RET_REC_FSID, LAYOUTRETURN4_ALL = LAYOUT4_RET_REC_ALL, LAYOUTRETURN4_FSID_NO_ACCESS = LAYOUT4_RET_REC_FSID_NO_ACCESS, LAYOUTRETURN4_FILE_NO_ACCESS = LAYOUT4_RET_REC_FILE_NO_ACCESS }; struct layoutreturn_file4 { offset4 lrf_offset; length4 lrf_length; stateid4 lrf_stateid; Faibish et al. Expires January 9, 2011 [Page 5] Internet-Draft pNFS Access Permissions Check July 2010 /* layouttype4 specific data */ opaque lrf_body<>; }; struct layoutreturn_fsid_no_access4 { deviceid4 lrfna_deviceid; nfsstat4 lrfna_status; }; struct layoutreturn_file_no_access4 { offset4 lrfna_offset; length4 lrfna_length; stateid4 lrfna_stateid; deviceid4 lrfna_deviceid; nfsstat4 lrfna_status; /* layouttype4 specific data */ opaque lrfna_body<>; }; union layoutreturn4 switch(layoutreturn_type4 lr_returntype) { case LAYOUTRETURN4_FILE: layoutreturn_file4 lr_layout; case LAYOUTRETURN4_FSID_NO_ACCESS: layoutreturn_fsid_no_access4 lr_fsid<>; case LAYOUTRETURN4_FILE_NO_ACCESS: layoutreturn_file_no_accesss4 lr_layout; default: void; }; 3.2. RESULT (18.44.2) The RESULT of the LAYOUTRETURN operation is unchanged; see section 18.44.2 of [RFC5661]. 3.3. DESCRIPTION (18.44.3) The following text is added to the end of the LAYOUTRETURN operation DESCRIPTION in section 18.44.3 of [RFC5661]: There are two NO_ACCESS layoutreturn_type4 values that indicate lack of storage device access, LAYOUT4_RET_REC_FSID_NO_ACCESS and LAYOUT4_RET_REC_FILE_NO_ACCESS. A client uses these values to return Faibish et al. Expires January 9, 2011 [Page 6] Internet-Draft pNFS Access Permissions Check July 2010 all layouts for an FSID or to return a layout (or portion thereof) for a file, and in both cases to inform the server that the reason for the return is an inability to access one or more storage devices. The same stateid may be used or the client MAY force use of a new stateid in order to report a new error. An NFS error (nfsstat4) is included in the layoutreturn data structures for these two types to distinguish access permission problems from device inaccessibility: o NFS4ERR_PERM SHOULD be used for access permission denial; and o NFS4ERR_NXIO SHOULD be used for inability to access a device. Other NFS errors MAY be used when they are appropriate. All uses of these two layout return types that report errors SHOULD be logged by the client. The client MAY use the new LAYOUT4_RET_REC_FILE_NO_ACCESS instead of LAYOUT_RET_REC_FSID_NO_ACCESS when it has reason to believe that only one, or a small number of files are affected. If the problem affects multiple devices, the client may use multiple file layout return operations to communicate the multiple devices encountering errors; each return operation SHOULD return a layout extent obtained from the device for which an error is being reported. In contrast, LAYOUT_RET_REC_FSID_NO_ACCESS includes an array of pairs to enable errors to be reported for multiple devices in one operation so that the client is not required to repeat the FSID- scoped layout return operation to report multiple errors. 3.4. IMPLEMENTATION (18.44.4) The following text is added to the end of the LAYOUTRETURN operation IMPLEMENTATION in section 18.4.4 of [RFC5661]: A client that expects to use pNFS for a mounted filesystem SHOULD check for pNFS support at mount time. This check SHOULD be performed by sending an OPEN request, a LAYOUTGET operation and a GETDEVICELIST operation, followed by layout-type-specific checks for accessibility of each storage device returned by GETDEVICELIST. If the NFS server does not support pNFS, the LAYOUTGET operation will be rejected with an NFS4ERR_NOTSUPP error; in this situation it is up to the client to determine whether it is acceptable to proceed with NFS-only access. When an I/O fails because a storage device is inaccessible, the client SHOULD retry the failed I/O via the MDS. In this situation, before retrying the I/O, the client SHOULD return the layout, or inaccessible portion thereof, and SHOULD indicate which storage device or devices was or were inaccessible. If the client does not Faibish et al. Expires January 9, 2011 [Page 7] Internet-Draft pNFS Access Permissions Check July 2010 return at least the inaccessible portion of the layout before the I/O retry via the MDS, and that I/O retry fails with NFS4ERR_PERM or NFS4ERR_NXIO, then the client MUST return at least the inaccessible portion of layout, as the MDS error indicates that the affected portion of that file is completely inaccessible to the client. Backwards compatibility may require a client to perform two layout return operations to deal with servers that don't understand the NO_ACCESS layoutreturn_type4 values and hence respond with NFS4ERR_INVAL. In this situation, the client SHOULD perform an ordinary FSID or file layout return operation and remember that the new return types are not to be used with that server. The metadata server (MDS) SHOULD NOT use storage devices in pNFS layouts that are not accessible to the MDS. To the extent that an MDS can determine whether storage devices are accessible to clients, an MDS SHOULD NOT include a storage device in any pNFS layouts sent to a client that cannot access that storage device. At a minimum, the server SHOULD perform these storage device accessibility checks before exporting a filesystem that supports pNFS and when the device configuration for such an exported filesystem is changed (e.g., to add a storage device). A client MAY perform I/O via the MDS even when the client holds a layout that covers the I/O; servers MUST support this client behavior. 4. Security Considerations All control operations from the MDS to the storage devices, including any operations required for access permission checks, SHOULD be authenticated in order to maintain integrity of stored data. 5. IANA Considerations There are no IANA considerations in this document beyond pNFS IANA Considerations are covered in [RFC5661]. 6. Conclusions This draft specifies additions to the pNFS protocol addressing client and MDS server inability to access storage devices used in pNFS layouts for all layout types. Faibish et al. Expires January 9, 2011 [Page 8] Internet-Draft pNFS Access Permissions Check July 2010 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5661] Shepler, S., Eisler, M., and D. Noveck, "Network File System (NFS) Version 4 Minor Version 1 Protocol", http://tools.ietf.org/html/rfc5661, January 2010. [RFC5663] Black, D., Glasgow, J., Fridella, S., "Parallel NFS (pNFS) Block/Volume Layout", http://tools.ietf.org/html/rfc5663, January 2010. [RFC5664] Halevy, B., Welch, B., Zelenka, J., "Object-Based Parallel NFS (pNFS) Operations", http://tools.ietf.org/html/rfc5664, January 2010 [XDR] Eisler, M., "XDR: External Data Representation Standard", STD 67, RFC 4506, May 2006. Acknowledgments This draft includes ideas from discussions with the primary author of the pNFS object layout, Benny Halevy, and the Linux kernel pNFS maintainers, including Bruce Fields. This document was prepared using 2-Word-v2.0.template.dot. Faibish et al. Expires January 9, 2011 [Page 9] Internet-Draft pNFS Access Permissions Check July 2010 Authors' Addresses Sorin Faibish (editor) EMC Corporation 32 Coslin Drive Southboro, MA 01772 US Phone: +1 (508) 305-8545 Email: sfaibish@emc.com David L. Black EMC Corporation 176 South Street Hopkinton, MA 01748 US Phone: +1 (508) 293-7953 Email: david.black@emc.com Michael Eisler NetApp 5765 Chase Point Circle Colorado Springs, CO 80919 US Phone: +1 (719) 599-9026 Email: mike@eisler.com Jason Glasgow Google 5 Cambridge Center, Floors 3-6 Cambridge, MA 02142 US Phone: +1 (617) 575-1599 Email: jglasgow@google.com Faibish et al. Expires January 9, 2011 [Page 10]