NFSRODS
May 15, 2019
Renaissance Computing Institute
UNC-Chapel Hill
Terrell Russell, Ph.D.
@terrellrussell
Chief Technologist, iRODS Consortium
NFSRODS - Overview
- What
- A new iRODS client
- https://github.com/irods/irods_client_nfsrods
- Presents iRODS as NFSv4.1
- Allows 'mount' of an iRODS Zone
- Why
- Provides a standard POSIX filesystem presentation to existing/legacy tools and applications
- Provides full iRODS policy layer and enforcement
- How
- A full nfs4j Virtual File System implementation
- Deployed as a Docker container
NFSRODS - Security Model
- Assumptions
- Authenticated access is via unix user with identically named iRODS user account.
- Authenticated unix user is traversing the mount point (VM)
- Entries in /etc/passwd and /etc/shadow are synced (uids/gids must match) on both the machine with the mount point (VM) and the machine running NFSRODS
- Note
- An authenticated user with sudo/root access on VM could appear to iRODS (and, therefore, all policy) as any user
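Added example, not part of the original slides or the NFSRODS project: a check for the "uids/gids must match" assumption above, comparing a passwd file taken from the VM against one taken from the NFSRODS host. The function name `passwd_drift`, the file names and the sample accounts are assumptions made for this illustration; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the NFSRODS project): detect passwd drift between the
# NFS client (VM) and the NFSRODS host. With sec=sys the client sends only
# numeric ids, so a mismatch changes which account name those ids resolve to.

# passwd_drift CLIENT_PASSWD SERVER_PASSWD [MIN_UID]
# Prints one finding per client account (uid >= MIN_UID, default 1000) whose
# name or uid:gid does not line up with the server; returns 1 if any were found.
passwd_drift() {
    _pd_out=$(awk -F: -v minuid="${3:-1000}" '
        /^ *(#|$)/ || NF < 4 { next }                 # comments, blanks, malformed
        FILENAME == ARGV[1] {                         # first file: server side
            ids[$1] = $3 ":" $4; owner[$3] = $1; next
        }
        ($3 + 0) < (minuid + 0) { next }              # skip system accounts
        {
            # Name the server resolves this client uid to ("-" if none).
            seen = ($3 in owner) ? owner[$3] : "-"
            if (!($1 in ids))
                kind = (seen == "-") ? "MISSING_ON_SERVER" : "UID_COLLISION"
            else if (ids[$1] != ($3 ":" $4))
                kind = "ID_MISMATCH"
            else
                next
            printf "%s %s client=%s:%s server_uid_owner=%s\n", kind, $1, $3, $4, seen
        }
    ' "$2" "$1" | LC_ALL=C sort)
    [ -z "$_pd_out" ] && return 0
    printf '%s\n' "$_pd_out"
    return 1
}

# Constructed sample data: bobby's ids differ, and carol's uid is bobby's on the server.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vm_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bobby:x:1002:1002::/home/bobby:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF
cat > "$demo_dir/nfsrods_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bobby:x:1003:1003::/home/bobby:/bin/bash
EOF
passwd_drift "$demo_dir/vm_passwd" "$demo_dir/nfsrods_passwd" || echo "drift detected"
rm -rf "$demo_dir"
```

A `UID_COLLISION` line is the case to treat as most urgent: the client-side account's uid belongs to a different name on the NFSRODS host.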
NFSRODS - Demo Configuration / Setup
- Single t2.medium EC2 instance
- Docker
- NFSRODS
- iRODS 4.2.5
- Docker
- RabbitMQ
- Logstash
- Elasticsearch
- Kibana
- Docker
- Added local alice and bobby unix accounts
- Added alice and bobby iRODS accounts
NFSRODS - Demo Configuration / Setup
1. NFSRODS Configuration:
ubuntu$ cat /home/ubuntu/irods_client_nfsrods/mynfsrodsconfig/server.json
{
    "nfs_server": {
        "port": 2049,
        "irods_mount_point": "/tempZone",
        "user_information_refresh_time_in_minutes": 60,
        "file_information_refresh_time_in_seconds": 2
    },
    "irods_server": {
        "zone": "tempZone",
        "host": "aws-ec2-internal-ip",
        "port": 1247,
        "default_resource": "demoResc"
    },
    "irods_proxy_admin_account": {
        "username": "rods",
        "password": "rods"
    }
}
NFSRODS - Demo Configuration / Setup
2. Launch the NFSRODS Docker container:
ubuntu$ docker run -d --name nfsrods \
    -p 3000:2049 \
    -v /home/ubuntu/irods_client_nfsrods/mynfsrodsconfig:/nfsrods_ext:ro \
    -v /etc/passwd:/etc/passwd:ro \
    -v /etc/shadow:/etc/shadow:ro \
    nfsrods:latest
3. Create the mount point:
ubuntu$ sudo mkdir -p /mnt/the_nfsrods_mountpoint
ubuntu$ sudo mount -o sec=sys,port=3000 `hostname`:/ /mnt/the_nfsrods_mountpoint
4. Use the mount point:
bobby$ cd /mnt/the_nfsrods_mountpoint/home/bobby
bobby$ echo "science" > science.txt
bobby$ ls -l science.txt
-rw------- 1 bobby bobby 8 May 15 17:29 science.txt
bobby$ cat science.txt
science
Questions?
- Thank you!
- This version (NFSv4.1) of NFSRODS was built by:
- Kory Draughn, iRODS Consortium
- Alek Mieczkowski, iRODS Consortium
- Mike Conway, NIH/NIEHS
- Jason Coposky, iRODS Consortium
- Terrell Russell, iRODS Consortium
- Inspired by work (NFSv3) presented at UGM2016 (slides, paper):
- Danilo Oliveira, Center for Informatics UFPE, Brazil
- I. Fé, Center for Informatics UFPE, Brazil
- A. Lobo Jr., Center for Informatics UFPE, Brazil
- F. Silva, Center for Informatics UFPE, Brazil
- G. Callou, Center for Informatics UFPE, Brazil
- V. Alves, Center for Informatics UFPE, Brazil
- P. Maciel, Center for Informatics UFPE, Brazil
- Stephen Worth, EMC Corporation
TRiRODS May 2019 - NFSRODS
By iRODS Consortium