0 s\ \ '6 LA-UR- 0 <=\ - Approved for public release; distribution is unlimited. Title: Kerberized Network File System for Clusters Author(s): Ian Burns Christoph er Hoffman Paige Ashlynn Intended for: Electronic/World-wide Web Academi c Distribution /-J Los Alamos NATIONA L LABOR ATOR Y ---- EH.1941 ---- Los Alamos National Laboratory, an aHirmatlve action/equal opportunity employer, is operated by the Los Alamos National Security, LLC for th e Na tional Nuclear Security Administration of the U.S. Department of Energy under contract DE-AC52-06NA25396. By acceptance of this article, the publisher recognizes that the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or to allow others to do so, for US. Government purposes. Los Alamos National Laboratory requests that the publisher identify this article as work performed under the auspices of the U.S. Department of Energy. Los Alamos National Laboratory strongly supports academic freedom and a researcher's right to publish; as an institution, however, the Laboratory does not endorse the viewpoint of a publication or guarantee its technical correctness Form 836 (7/06)
Abstracts Kerberized Network File System for Clusters Paige Ashlynn , UN M I an Burns, NMT Christopher Hoffma n, M TU Abstract: With constantly looming cyber-security threats, protecting valuable da ta has beco me a very i mp ortant issu e. The implementat io n of security protocols sho ul d not com p rom ise ease of use or perfonnance. T he Ke rberos protocol provides a high I vel of sec ur it y wh ile minimizi ng overhead. A c en tral Kerberos server needs to be ab le to pro vi de authenticat io n for a va ri ety of serv'ces distribut ed ov er a number of connected networks. Though cl ustered environ me n ts traditi nally h av e not r eq ui re d i ntemal sec ur ity, t he landsca pe is changi ng rapidly. It is im portant for a ny authorized person to be abl e to access their data from whatever compu te r they must use for their work. Th is could be a simple desktop workstation, or a lar ge su percompute r. The re needs to be a sing le , secure method of accom pl is hing th is sh aring for a 1l enviro nm en ts. Ker be rized FS can be Ll sed to address t hi s ne ed for data mo bili ty in a secure manner. How ever, t he pe rf o rm ance impact that Kerberos wi ll ha ve on NFS in a clustered setting is sti ll la rge ly un known. Factors su ch as level of security and differ en t ty pes of encrypt ion a ff ect perfo rma nce an d usability greatly. We w ill ev aluate these impacts and ma ke a g en eral recomme nd ation for suitable security levels and feasibil ity for po ss ib le deployments in c ur rent and fu ture LANL sys te ms.
~ ~ Kerberized Network File System for Clusters Presented on 08-03-2009 by: Chris Hoffman Ian Burns Paige Ashlynn Instructor: Andree Jacobson Mentor: David Kennel ISTI lWOf<\f,\TlO\, SCI I:: :\LE &:. nXllX O WU' l'\~ J Jn ~ lJ LoS Alamos UNCLASSIFIED NATIONAL LAB O RAT ORY ____ E ST 19 43' -." VA. &rFJ Operated by Los Alamos National Security, LLC for NNSA
~) Introduction Kerberized NFSv4 in an HPC Cluster • Motivation • Advantages & Disadvantages of Ke~beros • Changes in NFSv4 • Behaviour • Performance Los Alamos UNCLASSIF ED N ATI O NA L LA BO RA TO RY ____ HT 1 94) Operated by Los Alamos National Security, LLC for NNSA
~S1 Impetus The Problem: • Secure, light-weight, remote data access from nodes on supercomputer clusters. The Solution: • Kerberos and NFSv4 are designed to accomplish this task on enterprise networks . Los Alamos UNCLASSIF ' IED N AT I O NA L LA BO RAT O RY ___ _ £ST.1943 ... . Operated by Los Alamos National Security, LLC for NNSA V& OJ
Advantages of Kerberos Authentication • Single Sign-On • Password Security • Verified Clients • Scalable • Integration p, Los Alamos UNCLASSIFIED NA TI ONAL L ABORA TOR Y ____ E ST . 19 4113 Operated by Los Alamos National Security, LLC for NN SA
Disadvantages of Kerberos Authentication -- • Single Point of Compromise • Requires Application Support ~ Los Alamos UNCLASSIFIED NATIONAL LABORATORY ____ £"51 .1943 Operated by Los Alamos National Security, LLC for NNSA
V~. Changes in NFSv4 _ .. -_. - • Native Support for Authentication Protocols • Kerberbs Integration Options : • KRB5 = Authentication • KRB5i = Authentication & Integ rity • KRB5p = Authentication, Integ rity, & Encryption • Non-Unix Compatibility • Virtual Filesystem ') Los Alamos UNCLASSIFIED NATIONAL LA B ORATORY ______ _ " T .1'" ____________________________________________________________________________________________________________ __________________________________________ _ - • . J~ Operated by Los Alamos National Security, LLC for NNSA
Test Environment Ente rprise VLA.N Client Kerberos l D A P ~ Los Alamos UNCLASSIFIED NA T IONA L LA BO RATORY ____ EST. 194 3 va.'sr:4 Operated by Los Alamos National Security, LLC for NNSA
Behaviour in a Clustered Environment • Network Address Translation • Addressless ticketing • Torque Job Scheduler Los Alamos UNCLASSIFIED NATIONAL L AB O RATORY ---_ EST 19"1 Operated by Los Alamos National Security, LLC for NN SA
~ Performance Test • Levels of Security • Large vs. Small Files • SCP vs. Bare NFSv4 vs. Kerberized NFSv4 over Gigabit Ethernet LoS Alamos UNCLASSIFIED NATIONA L LABORAT O RY _______ EST.',.) ~ ______________________________________________________________________________________________________________________________ ~;~ Operated by Los Alamos National Security. LLC for NNSA
-~ ~ ~ ~ bare ~ krb5 ~) ~ ~ Average File Transfer Rate .---- - - - - -- -.----- -.----- - - - - 50 45 ....... krb5i .-. 40 -- tn krb5p OJ 35 nfs :E --- 30 .., Q) co 25 . I- 20 tn s::::: 15 co l- I-- 10 5 . 0 0.1 0. 5 10 100 50 0 1024 2048 File Size (MB) Los Alamos - .. UNCLASSIFIED NATIONA L LABO R ATORY ____ [ST.1941 Operated by Los Alamos National Security, LLC for NNSA V& 'i
~ VA~ ~ Average ime to Copy 10,000 5-kB Files - - . . - . -- - - -- 00:40.00 - tn -c c o 00:30.00 (J (I) UJ • • UJ .., (I) 00:20.00 c: .- - E (I) .5 00:10.00 I- ;0 ) 00:00.00 - ; Los Alamos .. UNCLASSIFIED NAT I O NA L lAB O RA T ORY ____ fST , 19 CJ Operated by Los A lamos National Security. LLC for NNSA ..
VA.'f~' ~ ~ Average Time to Copy 20 SOO-MB Files .-. 14:24 .00 c: 0 u (1) en • • en .... (1) 09:36.00 :::l c: .- E --- (1) E 04:48.00 .- 00:00.00 Los Alamos UNCLASSIFIED NATIONAL L AB OR A TORY ____ £s'T . 1943 •. Wr'far:J'tfi Operated by Los Alamos National Secunty, LLC for NNSA
CPU Utilization by Protocol -- - --- ._- ----- - 60 :: I I I I I 1 : ~:e l ~Jg:B l -1--i-t--+---+- J- J1 () 30 r ~ a. ?ft. 20 1 0 -+-1 ---f-----, o little I big I little big I little I big I little ' big I little ' big bare nfs krb5 krb5i krb5p scp los Alamos UNCLASSIFIED NAT IONA L L ABORATORY ___ ES T. 19.J Operated by Los Alamos National Security, LLC for NNSA
Summary Kerberized NFSv4 in an HPC Cluster • Motivation ' . Advantages & Disadvantages of Kerberos • Changes in NFSv4 • Behaviour • Performance ~ Los Alamos UNCLASSIFIED NA TIO NA L LA BO RA TO RY - ___ nT.194) Operated by Los Alamos National Security, LLC for NNSA
HE"-CVL.~S · ~Vf[f',.OS Questions? Answers! C£l\B.ER.VlIoT AD . PEl\TRAXIT ~ Los Alamos UNCLASSIFIED NA TIO N AL LAB O RA TO RY ____ fS T. 19 'l Operated by Los Alamos National Security, LLC for NNSA
Recommend
More recommend
