Lustre discuss - Jul 2010 - Kerberos auth by lnet

Hello,

I set up 3 lustre networks for the following:

tcp0  for kerberized connections lustre 2.0
tcp21 for no kerberos auth connections to lustre 2.0
tcp18 for no kerberos auth connections to lustre 1.83

Below are the kerb specifications by network:

  Secure RPC Config Rules:
  BEER.srpc.flavor.tcp=krb5p
  BEER.srpc.flavor.tcp21=null
  BEER.srpc.flavor.default=krb5n

The name of the lustre filesystem is /beer.

youngs.beer.psc.edu on tcp0
youngs-145.beer.psc.edu on tcp21

[root at youngs ~]# !lctl list_nids
lctl list_nids list_nids
128.182.58.125 at tcp
128.182.145.125 at tcp21

[root at youngs ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       4.8G  2.0G  2.6G  43% /
/dev/hda1              99M   24M   71M  25% /boot
tmpfs                 506M     0  506M   0% /dev/shm
guinness.beer.psc.edu at tcp0:/BEER
                        99G   50G   47G  52% /beer
guinness-145.beer.psc.edu at tcp21:/BEER
                        99G   50G   47G  52% /beer-145

Problem:
--------
  I can change all kerberos flavors modifications on default and tcp0, 
tcp21 and get indication  on MDS server showing the changes. 
I don''t see such confirmation  for tcp21. But I can certainly mount as 
shown above. I suspect that tcp21 is defaulting to krb5p and thus 
requiring still auth for users. /beer and /beer-145 are NFS-exported to
other systems residing in same and different kerberos realms.
Root can access the filesystems with no problem but users require 
authentication.

My modprobe is of the form
options lnet ip2nets="tcp0(eth0) 128.182.58.*; tcp21(eth1)
128.182.145.*"
routes="tcp0 128.182.145.121 at tcp21; tcp21 128.182.58.121 at tcp0"

Question:
--------
What''s the interoperability between lustre 2.0* and lustre 1.83?
Officially it is not compatible and/or supported?
But unofficially, we can try it? Or absolutely not compatible.

I would appreciate any feedback/corrections.

Thanks,
josephine

Reference:
----------
Lustre version: 2.0.5 Alpha
Lustre release: 1.9.280
Kernel: 2.6.18_128.7.1

Correction:
> Problem:
> --------
>  I can change all kerberos flavors modifications on default and tcp0,
> tcp21 and get indication  on MDS server showing the changes ONLY for 
default and tcp0 (not tcp21).


On Thu, 29 Jul 2010, Josephine Palencia wrote:
>
> Hello,
>
> I set up 3 lustre networks for the following:
>
> tcp0  for kerberized connections lustre 2.0
> tcp21 for no kerberos auth connections to lustre 2.0
> tcp18 for no kerberos auth connections to lustre 1.83
>
> Below are the kerb specifications by network:
>
>  Secure RPC Config Rules:
>  BEER.srpc.flavor.tcp=krb5p
>  BEER.srpc.flavor.tcp21=null
>  BEER.srpc.flavor.default=krb5n
>
> The name of the lustre filesystem is /beer.
>
> youngs.beer.psc.edu on tcp0
> youngs-145.beer.psc.edu on tcp21
>
> [root at youngs ~]# !lctl list_nids
> lctl list_nids list_nids
> 128.182.58.125 at tcp
> 128.182.145.125 at tcp21
>
> [root at youngs ~]# df -h
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00
>                       4.8G  2.0G  2.6G  43% /
> /dev/hda1              99M   24M   71M  25% /boot
> tmpfs                 506M     0  506M   0% /dev/shm
> guinness.beer.psc.edu at tcp0:/BEER
>                        99G   50G   47G  52% /beer
> guinness-145.beer.psc.edu at tcp21:/BEER
>                        99G   50G   47G  52% /beer-145
>
> Problem:
> --------
>  I can change all kerberos flavors modifications on default and tcp0,
> tcp21 and get indication  on MDS server showing the changes.
> I don''t see such confirmation  for tcp21. But I can certainly
mount as
> shown above. I suspect that tcp21 is defaulting to krb5p and thus
> requiring still auth for users. /beer and /beer-145 are NFS-exported to
> other systems residing in same and different kerberos realms.
> Root can access the filesystems with no problem but users require
> authentication.
>
> My modprobe is of the form
> options lnet ip2nets="tcp0(eth0) 128.182.58.*; tcp21(eth1)
128.182.145.*"
> routes="tcp0 128.182.145.121 at tcp21; tcp21 128.182.58.121 at
tcp0"
>
> Question:
> --------
> What''s the interoperability between lustre 2.0* and lustre 1.83?
> Officially it is not compatible and/or supported?
> But unofficially, we can try it? Or absolutely not compatible.
>
> I would appreciate any feedback/corrections.
>
> Thanks,
> josephine
>
> Reference:
> ----------
> Lustre version: 2.0.5 Alpha
> Lustre release: 1.9.280
> Kernel: 2.6.18_128.7.1
>
>
>
> _______________________________________________
> Lustre-discuss mailing list
> Lustre-discuss at lists.lustre.org
> http://lists.lustre.org/mailman/listinfo/lustre-discuss
>

On 2010-07-29, at 15:45, Josephine Palencia wrote:
> What''s the interoperability between lustre 2.0* and lustre 1.83?
There are a small number of known interoperability issues between 1.8.3 clients
and 2.0.0 servers that were found during release testing, and while some of them
were fixed for the final 2.0.0 release there are a couple of issues that also
needed changes appearing in the 1.8.4 client.

I assume you are already aware that 1.8.x clients cannot use Kerberos
authentication in any form, so in that regard 1.8.x is not compatible with 2.0
if you require Kerberos auth.
> Officially it is not compatible and/or supported?  But unofficially, we can
try it? Or absolutely not compatible.
I''d have to dig a bit to recall what the 1.8.3 <-> 2.0.0
interoperabilty issues were, but they were fairly minor (e.g. one was an issue
with early replies from adaptive timeouts, which I think was fixed in the 2.0.0
server) and it can''t hurt to do some testing in your environment.

Cheers, Andreas
--
Andreas Dilger
Lustre Technical Lead
Oracle Corporation Canada Inc.