Los Alamos National Laboratory, EST. 1943 - Los Alamos - PDF document


LA-UR- Approved for public release; distribution is unlimited. Title: Kerberized Network File System for Clusters. Author(s): Ian Burns, Christopher Hoffman, Paige Ashlynn. Intended for: Electronic/World-wide Web Academic


SLIDE 1

LA-UR-

Approved for public release; distribution is unlimited.

Title: Kerberized Network File System for Clusters
Author(s): Ian Burns, Christopher Hoffman, Paige Ashlynn
Intended for: Electronic/World-wide Web Academic Distribution

Los Alamos National Laboratory, EST. 1943

Los Alamos National Laboratory, an affirmative action/equal opportunity employer, is operated by the Los Alamos National Security, LLC for the National Nuclear Security Administration of the U.S. Department of Energy under contract DE-AC52-06NA25396. By acceptance of this article, the publisher recognizes that the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or to allow others to do so, for U.S. Government purposes. Los Alamos National Laboratory requests that the publisher identify this article as work performed under the auspices of the U.S. Department of Energy. Los Alamos National Laboratory strongly supports academic freedom and a researcher's right to publish; as an institution, however, the Laboratory does not endorse the viewpoint of a publication or guarantee its technical correctness. Form 836 (7/06)

SLIDE 2

Abstracts

Kerberized Network File System for Clusters

Paige Ashlynn, UNM; Ian Burns, NMT; Christopher Hoffman, MTU

Abstract: With constantly looming cyber-security threats, protecting valuable data has become a very important issue. The implementation of security protocols should not compromise ease of use or performance. The Kerberos protocol provides a high level of security while minimizing overhead. A central Kerberos server needs to be able to provide authentication for a variety of services distributed over a number of connected networks. Though clustered environments traditionally have not required internal security, the landscape is changing rapidly. It is important for any authorized person to be able to access their data from whatever computer they must use for their work. This could be a simple desktop workstation, or a large supercomputer. There needs to be a single, secure method of accomplishing this sharing for all environments. Kerberized NFS can be used to address this need for data mobility in a secure manner. However, the performance impact that Kerberos will have on NFS in a clustered setting is still largely unknown. Factors such as level of security and different types of encryption affect performance and usability greatly. We will evaluate these impacts and make a general recommendation for suitable security levels and feasibility for possible deployments in current and future LANL systems.

SLIDE 3

Kerberized Network File System for Clusters

Presented on 08-03-2009 by: Chris Hoffman, Ian Burns, Paige Ashlynn
Instructor: Andree Jacobson
Mentor: David Kennel

Los Alamos National Laboratory, EST. 1943
Operated by Los Alamos National Security, LLC for NNSA

ISTI

UNCLASSIFIED

SLIDE 4

Introduction

Kerberized NFSv4 in an HPC Cluster

  • Motivation
  • Advantages & Disadvantages of Kerberos
  • Changes in NFSv4
  • Behaviour
  • Performance

SLIDE 5

Impetus

The Problem:

  • Secure, light-weight, remote data access from nodes on supercomputer clusters.

The Solution:

  • Kerberos and NFSv4 are designed to accomplish this task on enterprise networks.

SLIDE 6

Advantages of Kerberos Authentication

  • Single Sign-On
  • Password Security
  • Verified Clients
  • Scalable
  • Integration

SLIDE 7

Disadvantages of Kerberos Authentication

  • Single Point of Compromise
  • Requires Application Support

SLIDE 8

Changes in NFSv4

  • Native Support for Authentication Protocols
  • Kerberos Integration Options:
      • KRB5 = Authentication
      • KRB5i = Authentication & Integrity
      • KRB5p = Authentication, Integrity, & Encryption
  • Non-Unix Compatibility
  • Virtual Filesystem

SLIDE 9

Test Environment

[Diagram: test environment showing the Enterprise VLAN, Client, LDAP and Kerberos]

SLIDE 10

Behaviour in a Clustered Environment

  • Network Address Translation
  • Addressless ticketing
  • Torque Job Scheduler

SLIDE 11

Performance Test

  • Levels of Security
  • Large vs. Small Files
  • SCP vs. Bare NFSv4 vs. Kerberized NFSv4
  • Over Gigabit Ethernet

SLIDE 12

Average File Transfer Rate

[Figure: average file transfer rate plotted against File Size (MB); series: krb5, krb5i, krb5p, bare nfs]

SLIDE 13

Average Time to Copy 10,000 5-kB Files

[Figure: average time to copy 10,000 5-kB files]

SLIDE 14

Average Time to Copy 20 500-MB Files

[Figure: average time to copy 20 500-MB files]

SLIDE 15

CPU Utilization by Protocol

[Figure: CPU utilization for little and big files under krb5, krb5i, krb5p, scp and bare nfs]

SLIDE 16

Summary

Kerberized NFSv4 in an HPC Cluster

  • Motivation
  • Advantages & Disadvantages of Kerberos
  • Changes in NFSv4
  • Behaviour
  • Performance

SLIDE 17

Questions?

Answers!

[Image caption: "Hercules Cerberum ad superos pertraxit" (Hercules dragged Cerberus up to the world above)]
