toasters

toasters@lists.teaparty.net

2 participants
13529 discussions

Awful ufsrestore performance reading from DLT7000 on F810 (update)
by Chris Thompson 21 Aug '04

21 Aug '04

You may recall I raised this on toasters in early March this year. A quick recap: We ufsdump some Solaris partitions onto a DLT7000 attached to an F810. They are blocked at 63KB and write performance is not bad (though not quite as good as the dumps/restores of the F810 itself). But ufsrestore from this drive reads at 10% or less of that rate. Tests showed this problem was not specific to ufsrestore, but seemed always to occur when reading via the rmt(8) interface. But it didn't use to happen, back when this was Solaris 8 and ONTAP 6.2.2 on an F740, as opposed to Solaris 9 and ONTAP 6.4.3P2 on an F810 - so what changed? I've now repeated the experiments with ONTAP 6.5.1R1P6, and get the same results. But, I now have a workround! It turns out that if you stuff more than one "R" (read) command into the rmt(8) connection before waiting for the results of the first one then you can keep the tape moving. Keeping just one extra read pending all the time gives almost the full advantage, and gets ufsdump-type speeds. So I can run a (Perl) program using that algorithm to pull the whole dump file onto local disc on the Solaris hosts, and then ufsrestore from that. (Luckily, space isn't a significant problem here.) One needs to be careful about subsequent tape positioning because of the extra read(s) past end-of-file that have been done. I still don't know the answer to "what changed?", though. Here's an idea that _didn't_ work. I thought: as ONTAP restore reads the tape at a decent rate, why don't I apply it to the Solaris dumps and then move the results from the filer to the Solaris local discs? After all, if Solaris ufsrestore can read ONTAP dumps (modulo occasional problems that have been discussed in other threads over the years), then why shouldn't ONTAP restore be able to read Solaris dumps? So give it a try: filer> restore rfD nrst0a /vol/test/solaris-test RESTORE: tape file #1 on device nrst0a. RESTORE: Unsupported dump format. RESTORE: Could not initialize media. RESTORE: RESTORE IS ABORTED Oh well, it was a good idea while it lasted ... :-) Chris Thompson University of Cambridge Computing Service, Email: cet1(a)ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH, Phone: +44 1223 334715 United Kingdom.

1 0

RE: IPsec NFS to Unix clients
by Muhlestein, Mark 20 Aug '04

20 Aug '04

Here are a couple of other things you can do to improve NFS security: 1. If you have CIFS you might consider using the nfs.require_valid_mapped_uid option. That allows you to set up the usermap.cfg file to do things like this: # allow the following UIDs NFS access from the specified IP addresses tom <= 192.168.3.34:tom jerry <= jerrypc.dorm.foo.edu:jerry jerry <= lab1.foo.edu:jerry jerry <= lab2.foo.edu:jerry # etc. # allow root from the admin network Administrator <= 10.10.20.0/24:root # prevent all other NFS access "" <= * The nfs.require_valid_mapped_uid option causes the usermap.cfg entries to be consulted even for access to data on qtrees with UNIX security. Combined with the normal export controls, this approach works as long as clients are not allowed to successfully spoof source IP addresses. It is also more manageable if the number of combinations of users/hosts is not overly large or dynamic; however I know we have had sites that have used this type of approach with a script-generated usermap.cfg. 2. If you have MultiStore available you can also use that to fence off NFS access. NFS clients accessing an IP address associated with a vfiler are not allowed to access storage assigned to another vfiler. This is enforced at the WAFL layer, so even if clients attempt handle spoofing the access is denied as long as the potentially rogue clients are not allowed to access the other vfilers' IP addresses (e.g. different networks on separate NICs). Mark -----Original Message----- From: Steve Losen [mailto:scl@sasha.acc.virginia.edu] Sent: Friday, August 20, 2004 7:08 AM To: Brian Parent Cc: toasters(a)mathworks.com Subject: Re: IPsec NFS to Unix clients > Has anyone else come up with some alternate means by which to secure > NFS exported data, where the server is a NetApp filer? (For years I've > been losing the battle to get the physical network secure, using > locking wall jacks in our public access labs.) I've been using NetApp > file servers since 1995, and have been generally happy, but this security > problem is making me seriously reconsider. We came up with a pretty ugly hack to prevent folks from installing impostor NFS clients on a physically insecure network, such as in a student Unix lab. We were aware of the risk, but were finally motivated to do something when some little bastard (ahem, student) replaced a lab machine with his Linux laptop, so he was able to NFS mount the home directories, and because he had root on his laptop, he could su to any user and have read/write access to their home directory. So here is what we did. We export to a netgroup. We discovered that once a NFS client has an NFS mount, it doesn't matter if you remove the NFS client from the netgroup map. NFS keeps working fine. So we removed all the lab machines from the netgroup. We wrote a little client/server application in perl that temporarily puts the NFS client in the netgroup. The NFS client connects to the NIS master and identifies itself with a "secret handshake" The NIS master adds the NFS client to the netgroup map and the NFS client mounts the home directory volume. Then the NIS master removes the NFS client from the netgroup map. The NIS master has a list of machines that are allowed to be added to the netgroup. This prevents the attack we experienced. Physical access to the network is not enough any more. You also need to know the "secret handshake" to get added to the netgroup map, and only root has access to that file. (If someone gets root on a lab machine, then they don't need an impostor machine.) This is certainly far from perfect. There is no protection against a man in the middle attack. I suppose someone could put a Linux box with two ethernet interfaces between the lab machine and the ethernet switch. The Linux box could be programmed to pass through network packets, except that it would intercept NFS packets and modify them. Perhaps the uid field could be changed. That way the hacker could make NFS requests as himself on the lab machine, but his Linux box would change the uid field to another user. Does NFS have any protection against this sort of tampering? IPsec would prevent this, of course. There is also a brief window of vulnerability while the lab machine is in the netgroup. Perhaps with some determined trial and error a hacker could quickly slip in an impostor machine and mount the volume during this window. But he would need to power cycle the lab machine to make it boot and he would need to slip in the impostor at just the moment that the lab machine was in the netgroup. Not easy, but certainly possible. Steve Losen scl(a)virginia.edu phone: 434-924-0640 University of Virginia ITC Unix Support

2 1

reliability of 15k vs 10k
by Michael Christian 20 Aug '04

20 Aug '04

Does anyone have a good feel for the reliability of the 15k drives vs 10k? We haven't really used the 15k's much yet, but the prices seem to be coming into line... Thanks, -MikeC

1 0

IPsec NFS to Unix clients
by Brian Parent 20 Aug '04

20 Aug '04

If anyone has been able to get IPsec protected NFS working between a NetApp filer and a Unix machine, I'd love to hear about it. I can get it to work using a Solaris 8 box as both the server and the client, but when I try to use a NetApp (6.4.4R1) as the server, no luck. I opened a case (697672), but was told that the only clients supported are windows 2K and later. This doc reinforces that: http://now.netapp.com/NOW/knowledge/docs/ontap/rel65/html/ontap/nag/ipsec2.… Towards the end of the page, under the section: About the Network Appliance IPsec implementation ... Only clients running Windows 2000 or greater are supported for IPsec connections. An RFE is filed: http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=130292 though the page is pretty useless, as it only says "Bug information not available". I enabled "watching" for that RFE, but haven't heard anything back since April, 2004. I've also tried using kerberos to secure the NFS exported data, but the way we share the data between heterogeneous platforms, it means that unless we can get all of our supported clients to use kerberized NFS, then it doesn't help to do any subset. At this point, MacOS X is holding us back. I'm praying that Tiger (10.4?) release will address the issue, but I'm not holding my breath. Even if they do, another hurdle is CAP. We re-export NFS mounted data via CAP to MacOS 9 boxes. Getting CAP to track kerberos credentials is not something we're willing to invest time in. Has anyone else come up with some alternate means by which to secure NFS exported data, where the server is a NetApp filer? (For years I've been losing the battle to get the physical network secure, using locking wall jacks in our public access labs.) I've been using NetApp file servers since 1995, and have been generally happy, but this security problem is making me seriously reconsider.

3 4

RE: Number of Disks on a F720
by Stephenson, Burke T. GD 20 Aug '04

20 Aug '04

We had up to 4-6 DS8/9 shelves on a F720 at one time. The limitation that we ran into was the .5TB limitation. I am not sure what the actual disk limitation is, or if there even is one. Burke -----Original Message----- From: Paul McGuinness (ext. 771) [mailto:Paul.McGuinness@fineos.com] Sent: Friday, August 20, 2004 9:54 AM To: toasters(a)mathworks.com Subject: Number of Disks on a F720 Hi, I have an F720 filer (Release 6.3.1) with 2 FC9 shelves and 1 DS14 shelf - both fully populated. My question is can I add another shelf to this or am I maxed out? Any thoughts on this much appreciated Paul ********************************************************************** The information contained in this e-mail is confidential, may be privileged and is intended only for the user of the recipient named above. If you are not the intended recipient or a representative of the intended recipient, you have received this e-mail in error and must not copy, use or disclose the contents of this e-mail to anybody else. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the copy you received. This e-mail has been swept for computer viruses. However, you should carry out your own virus checks. Registered in Ireland, No. 205721. http://www.FINEOS.com **********************************************************************

2 1

760 specs
by Michael Christian 20 Aug '04

20 Aug '04

Anyone know how many mk2 shelves you can throw on a 760? Thanks, -MikeC

2 1

RE: Number of Disks on a F720
by Timothy Naple 20 Aug '04

20 Aug '04

Paul, What size disks are you running? Tim -----Original Message----- From: Paul McGuinness (ext. 771) [mailto:Paul.McGuinness@fineos.com] Sent: Friday, August 20, 2004 1:54 AM To: toasters(a)mathworks.com Subject: Number of Disks on a F720 Hi, I have an F720 filer (Release 6.3.1) with 2 FC9 shelves and 1 DS14 shelf - both fully populated. My question is can I add another shelf to this or am I maxed out? Any thoughts on this much appreciated Paul ********************************************************************** The information contained in this e-mail is confidential, may be privileged and is intended only for the user of the recipient named above. If you are not the intended recipient or a representative of the intended recipient, you have received this e-mail in error and must not copy, use or disclose the contents of this e-mail to anybody else. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the copy you received. This e-mail has been swept for computer viruses. However, you should carry out your own virus checks. Registered in Ireland, No. 205721. http://www.FINEOS.com **********************************************************************

1 0

Number of Disks on a F720
by Paul McGuinness (ext. 771) 20 Aug '04

20 Aug '04

Hi, I have an F720 filer (Release 6.3.1) with 2 FC9 shelves and 1 DS14 shelf - both fully populated. My question is can I add another shelf to this or am I maxed out? Any thoughts on this much appreciated Paul ********************************************************************** The information contained in this e-mail is confidential, may be privileged and is intended only for the user of the recipient named above. If you are not the intended recipient or a representative of the intended recipient, you have received this e-mail in error and must not copy, use or disclose the contents of this e-mail to anybody else. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the copy you received. This e-mail has been swept for computer viruses. However, you should carry out your own virus checks. Registered in Ireland, No. 205721. http://www.FINEOS.com **********************************************************************

1 0

RE: usable size of a 146-GB drive
by Brubaker, Paul 19 Aug '04

19 Aug '04

We also back out 30% (20% for snap reserve + 10% WAFL overhead) and then another 10% buffer for disk fragmentation... So approx 40% total. Paul M. Brubaker, Jr. RIDS - Intel System Support AT&T Wireless - Harrisburg PA e-mail: paul.brubaker(a)attws.com office #: 717-526-5011 cell #: 717-578-2254 -----Original Message----- From: owner-toasters(a)mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Bokkelkamp Ernst Sent: Thursday, August 19, 2004 2:05 PM To: geoff.hardin(a)dalsemi.com; James Brigman; toasters Subject: RE: usable size of a 146-GB drive I think this might interest you. The magic figure is about 30. 36 -> 30 GB 72 -> 60 GB 144 -> 120 GB 250 -> 180 GB Although not exactly accurate, for my purposes this has worked out quite well. The other magic factor is about 0.8 Take a filer with 5 x DS14 shelfs giving 70 drives. Assume that one shelf will be assigned to "overhead", create volumes on the remaining 4 shelf with two parity drives, giving a total of 8 drives overhead. Assume that the system drive takes two drives and 4 drives are reserved as spares (8 + 2 + 4 = 14 drives), leaving 56 drives ( or 80% ) for data. If you now apply 0.8 again to the remainder it will give you the approximate size of the space available for the file system. (this is a crude approximation of the magic 30 factor). (0.8 x 0.8 = 0.64) If you now apply 0.8 again to the remainder it will give you the approximate space availabe to the users with a snapshot reserve of 20%. (0.8 x 0.8 x 0.8 = 0.5) This crude methode has work well for me until now Bye Ernie -----Original Message----- From: owner-toasters(a)mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of James Brigman Sent: Thursday, August 19, 2004 2:38 PM To: 'toasters' Subject: RE: usable size of a 146-GB drive Geoff; You've done some good research: I'm seeing similar numbers you're finding on 36 and 72GB disks. However, notice that the space efficiency is going to vary dramatically with the size of the RAID group. That should not be surprising: a two-spindle volume's real availability drops to 33%. (48GB / 144GB ... everyone sees that with vol0...) I believe it's possible, if you make the raid group very large and use RAID-DP, you could increase space efficiency and performance too. I don't have 144GB numbers for you, but the "250GB" drives in an R200 work out to less than 200GB usable. I'll try to post some numbers to the list later this week... JKB -----Original Message----- From: owner-toasters(a)mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Geoff Hardin Sent: Wednesday, August 18, 2004 8:20 PM To: toasters Subject: usable size of a 146-GB drive I was just wondering if anyone had any info on the usable size of the 146-GB drives from NetApp. I am trying to figure out how many drives I'll need, but I can't really tell without knowing what my usable space will be. If it helps, here's some data I have collected from other drives. 18 GB disk - becomes 17.0 GB because of disk overhead (right size) - becomes 14.923389 because of OS overhead - becomes 13.431053 with a 10% snap reserve - becomes 11.938713 with a 20% snap reserve 36 GB disk - becomes 33.917 GB because of disk overhead - becomes 31.776308 because of OS overhead - becomes 27.273826 with a 10% snap reserve - becomes 25.421048 with a 20% snap reserve 72 GB disk - becomes 67.906 GB because of disk overhead - becomes 59.747608 because of OS overhead - becomes 53.772850 with a 10% snap reserve - becomes 47.798088 with a 20% snap reserve Thanks, Geoff Hardin UNIX System Administrator Dallas Semiconductor / Maxim Integrated Products geoff.hardin(a)dalsemi.com It's illegal to walk your elephant without a leash in Wisconsin.

1 0

search function of website
by Mike Langas 19 Aug '04

19 Aug '04

Is the search function broken at the following URL? http://toasters.mathworks.com/toasters/Search.html I keep getting a page can not be found error. Thanks, Mike __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

toasters