m17res01

Page 1: m17res01

Copyright © 2013 EMC Corporation. All rights reserved

This module focuses on the NFS protocol and the process involved in making a file system available for an NFS client and application access via the network. It also covers the integration and interoperability between the VNX storage systems and VMware vSphere ESXi hosts.

Exporting NFS File Systems to UNIX/ESXi 1

Page 2: m17res01

This lesson covers the NFS protocol and the process involved in making a file system available for an NFS client and application access via the network. The lesson explains how to export a file system at the root level and at the sub-directory level. The lesson also covers how to mount the exported file system at the NFS client considering the host/user access level and security authentication process.

Page 3: m17res01

NFS stands for Network File System protocol. It is a client/server distributed file service that provides file sharing in network environments. Client computers in the enterprise network are able to access file system data stored on VNX for File or Unified storage configurations.

To provide access to data stored on the VNX storage system, a Data Mover is configured as an NFS server. The file systems on the Data Mover must be mounted and a path to the file systems must be exported. After the exporting process, the file systems are available to be mounted by remote NFS client systems. NFS environments can include UNIX and Linux clients, as well as ESXi hosts and Virtual Machines running Linux guest operating systems. Microsoft Windows systems configured with third-party applications that provide NFS client services (such as Hummingbird) can also be granted access.

VNX supports file system access for clients running versions 2, 3, and 4 of the NFS protocol. The NFS version 4 protocol is a further revision of the NFS protocol defined by versions 2 and 3. It retains the essential characteristics of previous versions (a design independent of transport protocols, operating systems, and file systems) and integrates file locking, strong security, operation coalescing, and delegation capabilities to enhance client performance.

Page 4: m17res01

Clients authorized to access the NFS exports are specified through their hostname, netgroup, subnet, or IP address. A client system may have read-write access while a particular user might have only read access to a specific file. This slide shows the authentication methods.

The VNX NFS service authenticates users through different mechanisms: UNIX security, Secure NFS, and an authentication daemon.

• UNIX security: Authentication is performed by the NFS client machine. The UID and GIDs are carried by the RPC protocol. By default, NFS exports use UNIX user authentication.

• Secure NFS: Provides Kerberos-based user and data authentication, data integrity, and data privacy. Kerberos, a distributed authentication service, is designed to provide strong authentication that uses secret-key cryptography.

• Authentication daemon: For a Windows system (PC client) that uses NFS to access the VNX, an authentication daemon, typically rpc.pcnfsd or pcnfsd, is used to bridge the differences between Windows and UNIX NFS user authentication methods.

All NFS versions support UNIX security and the PC authentication daemon. NFS versions 3 and 4 support Secure NFS by using a UNIX, Linux, or Windows Kerberos KDC.

Page 5: m17res01

To create an NFS export, a file system must already exist, and the file system must be mounted.

With Unisphere, by default, the file system is mounted at the time of creation. File systems fs1 mounted at /fs1 and fs2 mounted at /fs2 are shown here. When they were created, each one was automatically mounted to a mountpoint based on the individual file system’s name.

In case a file system is unmounted or if the user wants to mount the file system to a different mountpoint, there are two methods to perform these tasks as shown here.

Page 6: m17res01

The Create Mount dialog box will allow the selection of the file system and determine where it will be mounted, the path, the state mode, and the access checking policy.

• File System Name: Select the file system to mount.

• Mount On: Select the Data Mover on which the file system will be mounted.

• Path: Specify the pathname of the new mount. The pathname must begin with a forward slash (/). The pathname is limited to 255 bytes (represented as 255 ASCII characters or a variable number of Unicode multibyte characters), and can include upper and lowercase letters, numbers, forward slashes, hyphens (-), underscores (_), and periods (.).

• Read Only: Select the write mode for the file system: Read/Write or Read Only.

• Access-Checking Policy: Select an access-checking policy for the file system. The default policy is NATIVE. Access-checking policies apply only when the Data Mover’s user authentication is set to the recommended default, NT. This is set by using the -add security option to the server_cifs command. An access-checking policy defines the file and directory permissions that are applied (UNIX mode bits, Windows ACLs, or both) when a user attempts to access a file system in a mixed NFS and CIFS environment.

• Virus Checking Enabled: Clear to disable the Virus Checker protocol for the file system. This option is enabled by default.

• CIFS Oplocks Enabled: Clear to disable opportunistic lock granting for CIFS client access on this file system. Opportunistic locks reduce network traffic by enabling CIFS clients to cache the file and make changes locally.

• Set Advanced Options: Select to display advanced options. If clear, only basic properties appear.

Page 7: m17res01

There are a few ways in Unisphere to create the export. In Unisphere, on the File System tab, highlight the file system you want to export. Right-click the file system, then select NFS exports and Create NFS Export. Or navigate to Storage > Shared Folders > NFS and click the Create button.

The next screen will show all the options for exporting a file system.

Page 8: m17res01

The Create NFS Export page is displayed to configure the export. Various options can be configured to allow a host IP address, an IP subnet, and/or a netgroup to gain access to file system resources. Every file system exported for NFS must have security options specified in order to grant access to the appropriate users.

Host Access options:

• Read-only Export: Exports the path for all NFS clients as read-only.

• Read-only Hosts: Exports the path for the specified NFS clients as read-only. A client can be an IP host, subnet, or netgroup.

• Read/Write Hosts: Exports the path as read/write for the specified IP host, subnet, or netgroup.

• Root Hosts: Grants the specified IP host, subnet, or netgroup root access to the file system.

• Access Hosts: Provides default access (read and execute) for the specified clients. It denies access to those NFS clients who are not given explicit access.

Page 9: m17res01

Once the file system has been exported from VNX, NFS clients need to NFS mount the file system. When this has been done, NFS redirects any references to a given local directory, out through the network, to the file system on the Data Mover. The typical procedure involves the use of an empty local directory, whether pre-existing or created specifically for this purpose.

The mounting process can be either manual or automatic. To mount the file system manually, use the mount command as follows:

mount <NFS server IP address or FQDN>:/<exported fs> /<mount point>

The automounter feature uses the autofs service to automatically mount file systems as they are needed. Using the automounter feature in conjunction with NIS (Network Information Service) can produce a powerful and centralized set of maps, allowing the autofs service to mount all the file systems very quickly.

Page 10: m17res01

In UNIX and Linux, a permission string is divided into four parts. The first part is a single character that identifies the file type: regular files are represented with a hyphen (-), directories with the letter d, and links with the letter l. The second, third, and fourth parts are represented with three characters each: the second part is the owner permissions, the third part is the group permissions, and the fourth part is the permissions for others. Others are all users that are neither the owner nor members of the owner group.

In order to allow the access to the exported file system, the VNX looks at the owner, group, and others permissions. The minimum permission to access the file system is read-only (4).

For instance, if you want to give read, write, and execute to the owner and group, and read and execute to others on the directory engineering/, the chmod command should be as follows:

# chmod 775 engineering

Note: The example above is not an EMC recommendation for your environment. It is being used as shown for training purpose only.
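The following is an added example, not part of the EMC training material. It shows what the server has to work with under UNIX security: the numeric UID and GIDs inside the RPC credential, which it then compares against the owner, group, and others bits described above. It assumes the AUTH_SYS credential layout from RFC 5531; the credential bytes and the numeric owner and group of the engineering directory are constructed for illustration.

```python
import struct

def parse_auth_sys(body):
    """Decode an AUTH_SYS credential body (layout from RFC 5531, appendix A)."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    if name_len > 255:
        raise ValueError("machinename exceeds 255 bytes")
    name = body[8:8 + name_len].decode("ascii")
    off = 8 + ((name_len + 3) & ~3)          # XDR pads strings to a 4-byte boundary
    uid, gid, count = struct.unpack_from(">III", body, off)
    if count > 16:
        raise ValueError("more than 16 supplementary GIDs")
    gids = list(struct.unpack_from(">%dI" % count, body, off + 12))
    return {"machine": name, "uid": uid, "gid": gid, "gids": gids}

def parse_mode(text):
    """'drwxrwxr-x' -> ('d', 0o775). Setuid, setgid and sticky flags are not handled."""
    if len(text) != 10 or text[0] not in "-dl":
        raise ValueError("unsupported mode string: %r" % text)
    bits = 0
    for i, ch in enumerate(text[1:]):
        if ch == "rwx"[i % 3]:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("unexpected character %r" % ch)
    return text[0], bits

def permitted(cred, owner_uid, owner_gid, bits, want):
    """Owner/group/other check; want is a mask of 4 (read), 2 (write), 1 (execute)."""
    if cred["uid"] == owner_uid:
        triplet = bits >> 6
    elif owner_gid == cred["gid"] or owner_gid in cred["gids"]:
        triplet = bits >> 3
    else:
        triplet = bits
    return (triplet & 7 & want) == want

# Constructed credential: machine "client1", uid 1001, gid 500, gids [500, 600].
SAMPLE_CRED = bytes.fromhex(
    "00000001" "00000007" "636c69656e743100"
    "000003e9" "000001f4" "00000002" "000001f4" "00000258"
)
# Hypothetical numeric owner and group of the engineering directory (mode 775).
OWNER_UID, OWNER_GID = 1001, 600

if __name__ == "__main__":
    cred = parse_auth_sys(SAMPLE_CRED)
    kind, bits = parse_mode("drwxrwxr-x")
    outsider = {"uid": 2002, "gid": 700, "gids": []}
    print(cred, kind, oct(bits))
    print("owner write:", permitted(cred, OWNER_UID, OWNER_GID, bits, 2))
    print("other write:", permitted(outsider, OWNER_UID, OWNER_GID, bits, 2))
    print("other read+execute:", permitted(outsider, OWNER_UID, OWNER_GID, bits, 5))
```

Because the decision rests entirely on numbers the client supplies, UNIX security is only as strong as the host access list on the export; Secure NFS replaces the client's assertion with Kerberos authentication.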

Page 11: m17res01

When a UxFS file system is created, by default it contains, at its root level, two key directories; .etc and lost+found. These directories are extremely important to the function and integrity of the file system.

The .etc directory contains configuration files and lost+found contains files that are restored after a system crash, or when a partition has not been unmounted before a system shutdown.

In order to keep these directories safe, export a directory instead of the root of the file system. This procedure hides these directories, protecting them from being removed or accessed by non-administrator users on the enterprise network.

The next slides will show how to hide these directories and how to export at subdirectory level.

Page 12: m17res01

In order to export at the subdirectory level, first create an NFS export for the root of the file system or edit an existing one and export it with root permissions to an administrative client.

In this example, the root user from the host with IP address 192.168.1.106 will have root permissions to the /fs01 file system export. This top-level export of the file system will be used exclusively by the administrator.

Page 13: m17res01

The administrator mounts the file system export (in this example the /fs01 file system) on the NFS client.

The administrator then creates a directory underneath the exported file system, as shown on the slide (in the example /fs1), and gives this new directory the permissions that match the company policy and needs.

In this example, the permissions on this directory have been set to read and write for the owner and group, and read and execute for others (775). The ownership was given to the user epallis and group engprop.

The newly created subdirectory on the file system can now be exported to the user community as it is shown on the next slide.

Page 14: m17res01

Create an export to the newly created subdirectory on the file system and grant the access to the NFS clients.

In this example, access was configured so that the user hosts within the same subnet can access the export. The user hosts from the 192.168.1.0/255.255.255.0 subnet are configured for read/write access to the export. All the users that can access the exported file system on this host will only be able to read and write on the exported file system.

Page 15: m17res01

User community hosts can now mount and access the file system’s subdirectory export without having access to the top-level .etc and lost+found directories.

This slide shows the previously created file system /fs01 being exported at subdirectory level to the host 192.168.1.106.

The path /fs01/engineering is being exported as read and write.

The permissions on this directory have been set to read and write for the owner and group, and read and execute for others (775).
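The following is an added example, not part of the EMC training material and not a VNX tool. It models the Host Access fields of the Create NFS Export page and audits a list of exports against the guidance in this lesson: keep the file system root for a single administrative host and export a subdirectory to the user community. The evaluation order, the finding names, the assumption that file systems mount at /<name>, and the /fs02 entry are all constructed for illustration; netgroups are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Export:
    """One NFS export with the Host Access fields of the Create NFS Export page."""
    path: str
    ro_all: bool = False                                # Read-only Export
    ro_hosts: list = field(default_factory=list)        # Read-only Hosts
    rw_hosts: list = field(default_factory=list)        # Read/Write Hosts
    root_hosts: list = field(default_factory=list)      # Root Hosts
    access_hosts: list = field(default_factory=list)    # Access Hosts

def _nets(specs):
    # Accepts "192.168.1.106" or "192.168.1.0/255.255.255.0".
    return [ipaddress.ip_network(s, strict=False) for s in specs]

def _match(client, specs):
    ip = ipaddress.ip_address(client)
    return any(ip in n for n in _nets(specs))

def effective_access(exp, client):
    """Assumed order for this sketch: root, read-only, read/write, access, deny."""
    if _match(client, exp.root_hosts):
        return "root"
    if exp.ro_all or _match(client, exp.ro_hosts):
        return "ro"
    if _match(client, exp.rw_hosts):
        return "rw"
    if _match(client, exp.access_hosts):
        return "default"
    return "denied" if exp.access_hosts else "unrestricted"

def audit(exports):
    """Return (path, finding) pairs for exports that contradict the lesson's guidance."""
    findings = []
    for e in exports:
        every = e.ro_hosts + e.rw_hosts + e.root_hosts + e.access_hosts
        wide = [str(n) for n in _nets(every) if n.num_addresses > 1]
        is_fs_root = e.path.count("/") == 1   # assumption: file systems mount at /<name>
        if is_fs_root and (wide or not e.access_hosts):
            findings.append((e.path, "fs-root-exposed"))   # .etc and lost+found reachable
        if any(n.num_addresses > 1 for n in _nets(e.root_hosts)):
            findings.append((e.path, "root-to-subnet"))
        if not e.access_hosts:
            findings.append((e.path, "no-access-list"))
    return findings

ADMIN, SUBNET = "192.168.1.106", "192.168.1.0/255.255.255.0"
EXPORTS = [
    Export("/fs01", root_hosts=[ADMIN], access_hosts=[ADMIN]),
    Export("/fs01/engineering", rw_hosts=[SUBNET], access_hosts=[SUBNET]),
    Export("/fs02", rw_hosts=[SUBNET], root_hosts=[SUBNET]),   # constructed bad case
]

if __name__ == "__main__":
    for path, finding in audit(EXPORTS):
        print(path, finding)
    for client in (ADMIN, "192.168.1.20", "10.0.0.5"):
        print(client, [effective_access(e, client) for e in EXPORTS])
```

The two exports taken from the slides produce no findings, while the constructed /fs02 entry is flagged three times.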

Page 16: m17res01

The Network Information Service (NIS), as the name implies, is a service for distributing network configuration data such as host names and users throughout the network.

After configuring your NIS server on your environment, you can use Unisphere to configure NIS within VNX.

To configure NIS using Unisphere, you have to know the Data Mover for which the services are being configured, the domain name, and the IP address of the NIS server.

Page 17: m17res01

This slide shows how to permanently un-export an NFS file system using Unisphere. By opting to delete the export, you are not deleting the file system, but merely the network access to it.

Note: Unmount the file system on the NFS client before deleting the NFS Export.

Page 18: m17res01

This lesson covered the NFS protocol and the process involved in making a file system available for an NFS client to access via the network. The lesson also explained how to export a file system at the root level and at the sub-directory level, and how to mount the exported file system at the NFS client considering the host/user access level and security authentication process.

Page 19: m17res01

This lesson covers the integration and interoperability between the VNX storage systems and VMware vSphere ESXi hosts. The lesson will discuss how EMC Virtual Storage Integrator plug-ins can help provision VNX for File storage to ESXi servers.

Page 20: m17res01

NFS (Network File System) is a file-based protocol used to establish a client-server relationship between the ESXi hosts and the NAS (Network Attached Storage) device.

NFS allows volumes to be accessed simultaneously by multiple ESX and ESXi hosts running multiple virtual machines. Currently, VMware supports NFS version 3 over TCP/IP.

An NFS datastore can be provisioned to an ESXi server from the VMware vSphere client interface by selecting an existing VNX file system NFS exported through Unisphere. A VNX file system and NFS export can be created with the use of the EMC Virtual Storage Integrator (VSI) plug-in for VMware vSphere.

Page 21: m17res01

EMC Virtual Storage Integrator (VSI) Unified Storage Management (USM) Plug-in for VMware vSphere is a VMware vCenter integration feature designed to simplify storage administration of the EMC VNX and VNXe unified storage platforms.

The feature has built-in VAAI functionality that enables VMware administrators to provision new NFS and VMFS datastores, and RDM volumes, directly from the vSphere Client. VAAI, or vStorage APIs for Array Integration, consists of a set of APIs that allows vSphere to offload specific host operations to the storage array. These features reduce host workload, lessen network traffic, and improve overall performance. VNX OE for File and Block supports VAAI with FC, iSCSI, and NFS protocols.

The Unified Storage Management feature can be downloaded from EMC Online Support. The application is accessed and run from within Virtual Center server.

Page 22: m17res01

Once VSI USM is installed and enabled on the vSphere vCenter server, the VNX storage system can be added to take advantage of the Plug-in features.

Page 23: m17res01

EMC Unified Storage Management Plug-in for VMware vSphere provides the ability to:

• Provision storage, and extend VMFS file systems. For VMFS datastores and RDM volumes on block storage, users can use the feature to provision and mount new storage based on storage pools or RAID groups, and to set a tiering policy for the new storage.

• Compress virtual machines (VM), reducing the storage space utilized for VMs through VNX File Deduplication and Compression.

• Uncompress VMs on demand.

• Create VM clones: Fast Clones (space-optimized copy) and Full Clones (array-accelerated copy) on NFS datastores.

• Provision cloned VMs to VMware View and refresh desktops in VMware View.

The Provision Storage option launches a wizard that prepares a NAS NFS file system as well as block VMFS file system, or block RDM volume for use by the ESXi server(s). If you choose to provision storage on a cluster, folder, or data center, then all hosts within the selected object will mount the newly provisioned NFS datastore, VMFS datastore, or RDM volume.

Right-click the object (the object can be a host, cluster, folder or data center). If you choose a cluster, folder, or data center, then all ESXi hosts within the object will be attached to the newly provisioned storage.

Select EMC > Unified Storage, then select Provision Storage.

The Provision Storage wizard will appear.

Page 24: m17res01

The Provisioning Storage wizard presents the user with a series of ordered tasks for creating a new datastore to the ESXi server starting with the option of using a Disk/LUN or a Network File System. These wizard screens illustrate creating an NFS datastore.

1. Select Network File System (NFS) and the Provision Storage wizard will prepare a NAS NFS file system for use by the ESXi server.

2. Choose the VNX Storage System where the new file system is to be created or where the NFS export of an existing file system is to be found. Or add a new storage system.

3. Type the name for the new NFS datastore.

4. Select the Data Mover where the existing file system is mounted (or where it will be created) and the IP interface that will be used for the NFS connection.

5. The Provision Storage wizard allows the user to select an existing file system that was previously created and NFS exported on the VNX by the user using the Unisphere interface. Or just create a new file system on the VNX and NFS export it.

Page 25: m17res01

The “new NFS export” screen allows the selection of the storage pool, thin provisioning, and initial and maximum sizes for the file system.

Finally, the Advanced button allows the configuration of any advanced setting on the exported file system, including setting a different mount point (to hide the root of the file system).

After clicking Finish, the Unified Storage Management feature:

• Creates a file system on the selected storage pool.

• Mounts the newly created file system on the selected VNX Data Mover.

• Exports the newly created file system over NFS and provides root and access privileges to the ESXi hosts that will mount the NFS datastore.

• Creates the NFS datastore on the selected ESXi hosts.

• Updates the selected NFS options on the chosen ESXi hosts.

Page 26: m17res01

Click the Summary tab > Resources or Configuration tab > Datastores to see the newly provisioned storage.

Page 27: m17res01

On the VNX Storage Array we see the properties of the newly created file system that has been NFS exported.

Page 28: m17res01

This Unisphere feature presents information about all ESXi Servers attached to the VNX storage system. The feature simplifies the discovery of the relationship between Virtual Machines within an attached ESXi Server and the storage with which they are associated.

From the “Host” tab, select “Virtualization”.

Right-click on an already registered ESXi server and click Virtual Machines to retrieve information about the vmdk files and related VNX storage.

Or run the “Hypervisor Information Configuration” wizard to add a new ESXi host. You will have the choice to discover the Servers either by going through the Virtual Center, providing there is one, or by connecting directly to the ESXi server in question. After reading the steps that will be performed by the Wizard, select the storage system to which the ESXi Server is connected and follow through with the rest of the steps.

Page 29: m17res01

This lesson covered the integration and interoperability between the VNX storage systems and VMware vSphere ESXi hosts. The lesson also discussed how EMC Virtual Storage Integrator plug-ins can help provision VNX for File storage to ESXi servers.

Page 30: m17res01

This module covered the NFS protocol and the process involved in making a file system available for an NFS client and application access via the network. It also covered the integration and interoperability between the VNX storage systems and VMware vSphere ESXi hosts.
