IETF Logo Mail Archive

Re: [nfsv4] (belated) copy of my review of draft-ietf-nfsv4-layout-types-03 (part 3)

Thomas Haynes <loghyr@primarydata.com> Thu, 20 July 2017 04:27 UTC

Return-Path: <loghyr@primarydata.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7CED12F5DB for <nfsv4@ietfa.amsl.com>; Wed, 19 Jul 2017 21:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.49
X-Spam-Level:
X-Spam-Status: No, score=-2.49 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=primarydata.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PZzRK9Dn4S0 for <nfsv4@ietfa.amsl.com>; Wed, 19 Jul 2017 21:27:04 -0700 (PDT)
Received: from us-smtp-delivery-194.mimecast.com (us-smtp-delivery-194.mimecast.com [63.128.21.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0433F12F3D6 for <nfsv4@ietf.org>; Wed, 19 Jul 2017 21:27:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=PrimaryData.onmicrosoft.com; s=selector1-primarydata-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=9cY0gl78TtNXxNlModjdrxeiZL1uYFDPD0WjD8gaGPY=; b=dDtVcgtZZe9Zi6I+i3uCym86ZL3AH9dLzYQCuAiRl9JtYfMMY8KEXeuj25DAO89sA1lZc5AuSKcLUUW1ZZuZNIBmLSuUkf453Q6CqMJ+CDXZOS4edAzKHjhkGnOzJSD39fBToz33Ro7cm8okyte2zDkhK65RAwLbSO7GKQ7lOj4=
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03lp0049.outbound.protection.outlook.com [216.32.180.49]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-80-QADICTvrM0qF-BcWxyWTyA-1; Thu, 20 Jul 2017 00:27:01 -0400
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com (10.164.166.21) by BY2PR1101MB1096.namprd11.prod.outlook.com (10.164.166.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.13; Thu, 20 Jul 2017 04:26:58 +0000
Received: from BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) by BY2PR1101MB1093.namprd11.prod.outlook.com ([10.164.166.21]) with mapi id 15.01.1261.024; Thu, 20 Jul 2017 04:26:58 +0000
From: Thomas Haynes <loghyr@primarydata.com>
To: Dave Noveck <davenoveck@gmail.com>
CC: "nfsv4@ietf.org" <nfsv4@ietf.org>
Thread-Topic: [nfsv4] (belated) copy of my review of draft-ietf-nfsv4-layout-types-03 (part 3)
Thread-Index: AQHTARBsB7bZArx/LkqWtdyAjrJAIA==
Date: Thu, 20 Jul 2017 04:26:58 +0000
Message-ID: <76AC74CA-3AD3-49D2-9325-A65520D2CB72@primarydata.com>
References: <CADaq8jc5ZkHbF=d8-6P+3hU0Y8YeXH_vRBK1RyepAK=vo4g93Q@mail.gmail.com>
In-Reply-To: <CADaq8jc5ZkHbF=d8-6P+3hU0Y8YeXH_vRBK1RyepAK=vo4g93Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:67c:1232:144:412a:96b6:3c15:67e5]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR1101MB1096; 20:fPF+lpUSQwspeYf+hISSc59bPz9e0dNwljcm96mKnANTu5gFwgs8RLP8ELue2je5TG6BlXn9ODO9zVepmX0zMg2rLGq4OEulHYPEKvz+ULUTdhAffR05io6Nb3lGk2xUMG7mlLOiIbOjSXguqTYFMNaxQSQsmraVugK83PMR7J4=
x-ms-office365-filtering-correlation-id: 7a718909-d6a7-4079-c35f-08d4cf278f8f
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR1101MB1096;
x-ms-traffictypediagnostic: BY2PR1101MB1096:
x-exchange-antispam-report-test: UriScan:(278178393323532)(158342451672863)(133145235818549)(236129657087228)(192374486261705)(48057245064654)(148574349560750)(167848164394848)(50300203121483)(247924648384137);
x-microsoft-antispam-prvs: <BY2PR1101MB10961E5F74070A7606D5D938CEA70@BY2PR1101MB1096.namprd11.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(2017060910075)(10201501046)(3002001)(93006095)(93001095)(100000703101)(100105400095)(6041248)(20161123562025)(2016111802025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123560025)(20161123564025)(6043046)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR1101MB1096; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR1101MB1096;
x-forefront-prvs: 0374433C81
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39410400002)(39830400002)(39450400003)(377454003)(24454002)(54356999)(81166006)(50986999)(102836003)(53546010)(76176999)(8936002)(33656002)(8676002)(6116002)(2906002)(53936002)(3660700001)(6512007)(54896002)(99286003)(236005)(189998001)(6306002)(86362001)(3280700002)(229853002)(478600001)(36756003)(230783001)(6436002)(6916009)(4326008)(82746002)(39060400002)(6486002)(77096006)(2900100001)(5660300001)(38730400002)(6506006)(14454004)(6246003)(2950100002)(110136004)(7736002)(1411001)(83716003)(606006)(25786009)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR1101MB1096; H:BY2PR1101MB1093.namprd11.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: primarydata.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2017 04:26:58.3601 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 03193ed6-8726-4bb3-a832-18ab0d28adb7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1101MB1096
X-MC-Unique: QADICTvrM0qF-BcWxyWTyA-1
Content-Type: multipart/alternative; boundary="_000_76AC74CA3AD349D29325A65520D2CB72primarydatacom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/6-KqYF65SbL28LWCk4khv3X4i7w>
Subject: Re: [nfsv4] (belated) copy of my review of draft-ietf-nfsv4-layout-types-03 (part 3)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 04:27:09 -0000


Here is part 3:

On Jul 16, 2015, at 4:21 PM, David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com>> wrote:


Implementations in Existing Layout Types

Some issues to address:

  *   The section title needs to be changed to reflect the fact that what is being described is primarily how the layout types are specified.  If implementations are described, those implementations have to match the specification.

Done

  *   It needs to be stated that the description of block and object layout are not normative since this document does not update RFC5663 and RFC5664.

Done

  *   You might also choose to state that the description of the files layout type is not normative, i.e. that you are only updating chapter 12 of RFC5661 and not chapter 13.

Done


We also have a potential issue for all of the mapping type regarding the potential interaction between open deny modes and use of anonymous stateids.  The issue is similar to mandatory byte-range locking but I can't recall its being addressed directly.


The fun never ends….



File Layout Type

I suggest replacing the first sentence by the following:


Because the storage protocol is a subset of NFSv4.1, the semantics of the File Layout Type comes closest to the semantics of NFSv4.1 in the absence of pNFS.


In the second sentence, suggest replacing "stateid" by "stateid and principal" since many of the validations mentioned relate to authorization.

Also in the second sentence, suggest replacing "was" by "were".

Suggest deleting "in the absence of pNFS" from the second sentence and adding the following sentence:

The same set of validations apply whether pNFS is in effect or not.

Ack to all of the above

Okay, the last two sentences now seem very redundant:

      Because the storage protocol is a subset of NFSv4.1, the semantics
      of the file layout type comes closest to the semantics of NFSv4.1
      in the absence of pNFS.  In particular, the stateid and principal
      used for I/O MUST have the same effect and be subject to the
      same validation on a data server as it would if the I/O were
      being performed on the metadata server itself.  The same set of
      validations apply whether pNFS is in effect or not.





I have some issues that relate to material that starts in the second paragraph, proceeds through the bulleted items and goes on into the third (non-bulleted) paragraphs.  Some issues:

  *   As far as I can see, chapter 13 of RFC5661 does not say "SHOULD" about these validations with regard to the file layout type.

1) client holds a valid layout,

page 329:

   The iomode need not be checked by the data servers when clients
   perform I/O.  However, the data servers SHOULD still validate that
   the client holds a valid layout and return an error if the client
   does not.

2) client I/O matches the layout iomode, and,

(note, see the “need not” above in 1)

page 328:

   the server to return a layout enabling the client to do so.  As such,
   the client SHOULD set the iomode based on its intent to read or write
   the data.  The client may default to an iomode of LAYOUTIOMODE4_RW.

3) client does not go out of the byte ranges,

page 285

   client.  If a storage device receives an I/O request for a byte-range
   for which the client does not hold a layout, the storage device
   SHOULD reject that I/O request.  Note that the act of modifying a

Granted this is Chapter 12, but there is no mention of this in Chapter 13.



  *   If the data server is not enforcing these validations, then who is?  I don't see how the semantic requirements for NFSv4 as a whole can be enforced if nobody is requiring that appropriate layouts be validly held by the client when IO is done to data servers? If this is not a MUST for the data server then I think it it has to be a MUST for clients.

It COULD be a requirement for data servers, but it CAN NOT be a requirement for storage devices.



  *   While section 13.6 of RFC5661 does have the following MUST. it does not mention appropriateness of ranges or modes.  Also, since the data server must reject the IO, it isn't clear why the server MUST NOT issue it.

As described in Section 12.5.1<https://tools.ietf.org/html/rfc5661#section-12.5.1>, a client MUST NOT send an I/O to a data server for which it does not hold a valid layout; the data server MUST reject such an I/O.

That directly conflicts with Sections 13.8.




With regard to the last paragraph:

  *   It is only the data filehandle that ensures that the client has a valid layout for the the I/O being performed. The mention of the stateid confuses things since this only used to ensure proper locking.
  *   Suggest replacing "fenced off for" by "fenced off from"
  *   If you invalidate a stateid, you are not typically fencing ff a client. Rather you are fencing off a particular owner or open file. Only in the case of a delegation stateid are you fencing off a client.

Ask 99.9999% of the people who have read the spec (or assume they understand pNFS) and they would use the term of fencing off the client.

I am heartened by the fact that 6 9s of reliability is wrong. :-)

And for completeness sake, fencing off a lock stateid would mean only fencing off a lock owner.


Okay, I’ve pulled out a “whilst”, but I separated the two issue.

It appears that because the files layout is able to cleanly deal with locking issues as well as security/authorization issues, they wind up confused here. It appears that you have to make a decision to clearly discuss locking issues as well as security issues. If you do, then. as in this case, you need to clearly separate locking considerations from authorization ones when necessary.


Hand waving that I have done, expecting to be corrected if I have not. :-0



Block Layout Type

With regard to the phrase "at the granularity of individual hosts, not individual blocks", this conflates two ways in which SAN access control is coarser-grained than that for NAS devices.  It seems that you have to decide which of the following you want to say:

  *   at the granularity of LUNs rather than of individual files or blocks. [object granularity]
  *   at the granularity of hosts rather than of principals. [subject granularity]

TBD


With regard to the last sentence of the first paragraph:

  *   Suggest replacing "is very careful to define" by "specifies”.

Heh, the first time your replacement text has been shorter than what it replaces!


  *   Since "SHOULD NOT" does not appear to to meet the definition in RFC2219, it should appear in quote marks in this document.

The usage is directly from RFC 5663.

I’ve fixed this by quoting the text verbatim.




  *   A suitable paraphrase of the intent of the last clause might be "use of the pNFS Block Layout Type is not appropriate”.

see above

Suggest the following replacement for the second paragraph:


As a result of these granularity issues, the security burden has been shifted from the storage devices to the client.  Those deploying implementations of this layout type need to be sure that  the client implementation can be trusted  This is not a new sort of requirement in the context of SAN protocols.  In such environments,  the client is expected to provide block-based protection.


Ack


With regard to the third paragraph:

  *   In the first sentence, suggest replacing "implication" by "shift of the burden”

Ack


  *   As ACLs relate  to security, if they need to be mentioned explicitly (which I don't think is necessary), it should be done in the previous paragraph.

Taken out


  *   In the second sentence, suggest replacing "might not be" by "is not”.

Ack


  *   The third sentence is confusing.  Suggest the following replacement:

For example, the server may use a layout iomode allowing reading to enforce a mandatory read-only lock,  In such cases, the client has to support that use by not sending WRITEs to the storage devices.

  *   In the fourth sentence:
     *   Suggest replacing "basic" by "fundamental".
     *   Suggest replacing "can be treated" by "is treated by this layout type".
     *   Suggest ending this sentence after "dumb disk" and proceeding with a new sentence like the following:

Once the client has access to the storage device, it is able to perform both READ and WRITE I/O to the entire storage device.

  *   The fifth sentence is a good summary but it needs something additional to "close the deal".  Suggest:

Therefore, the client is required to provide that enforcement.

Ack to the above



With regard to the last paragraph, suggest the following replacement:


In the context of client fencing upon revocation Of a layout, the abovementioned limitations come into play again, i.e. the granularity of the fencing can only be at the host/logical-unit level.  Thus, if one of a client's layouts is revoked by the server, it will effectively revoke *all* of the client's layouts for files located on the storage units comprising the logical volume.  This may extend to the client's layouts for files in other file systems.  Clients need to be prepared for such revocations and reacquire layouts as needed.



Took an edited version

v2.23.0 | Report a Bug | By Email