[LU-13307] add LCFG_NODEMAP_ADD_RANGEv6 records for IPv6 - Whamcloud Community JIRA

Details

Type: Improvement
Resolution: Fixed
Priority: Minor
Fix Version/s: Lustre 2.16.0
Affects Version/s: Lustre 2.16.0
Labels:
- IPv6

Rank (Obsolete):
9223372036854775807

Description

Add LCFG_NODEMAP_ADD_RANGEv6 and LCFG_NODEMAP_DEL_RANGEv6 records to hold IPv6 addresses. There may need to be some better semantics for what constitutes a "range" for IPv6 addresses, as we definitely do not want enumeration of addresses involved.

Attachments

Issue Links

is related to

LU-14288 Enhance nodemap ranges to work better with IPv6

Resolved

is related to

LU-10391 LNET: Support IPv6

Resolved

LU-3527 UID/GID Mapping

Resolved

Activity

[LU-13307] add LCFG_NODEMAP_ADD_RANGEv6 records for IPv6

Peter Jones added a comment - 20/Jan/24 2:29 PM

Merged for 2.16

Peter Jones added a comment - 20/Jan/24 2:29 PM Merged for 2.16

Gerrit Updater added a comment - 20/Jan/24 3:40 AM

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/53135/
Subject: ~~LU-13307~~ nodemap: have nodemap_add_member support large NIDs
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 0ea23e019454e03810d532758afa52aa054995d8

Gerrit Updater added a comment - 20/Jan/24 3:40 AM "Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/53135/ Subject: LU-13307 nodemap: have nodemap_add_member support large NIDs Project: fs/lustre-release Branch: master Current Patch Set: Commit: 0ea23e019454e03810d532758afa52aa054995d8

Andreas Dilger added a comment - 06/Jan/24 9:32 AM

Per comments in the patch, it would be much better if IPv6 netmask could handle more than just a single NID per entry. Otherwise, I'm worried at the prospect of each connect walking a linked list of 5000+ clients in a nodemap on every connection to find if the NID belongs there or not. I don't think this is fatal as it would only apply to sites that actually do this, but it would be much better to fix it if possible before the release.

Andreas Dilger added a comment - 06/Jan/24 9:32 AM Per comments in the patch, it would be much better if IPv6 netmask could handle more than just a single NID per entry. Otherwise, I'm worried at the prospect of each connect walking a linked list of 5000+ clients in a nodemap on every connection to find if the NID belongs there or not. I don't think this is fatal as it would only apply to sites that actually do this, but it would be much better to fix it if possible before the release.

James A Simmons added a comment - 04/Jan/24 5:23 PM

Got https://review.whamcloud.com/c/fs/lustre-release/+/53135 fully working for IPv6 and IPv4. Its ready for review. Once this lands we can put lustre into a feature freeze.

James A Simmons added a comment - 04/Jan/24 5:23 PM Got https://review.whamcloud.com/c/fs/lustre-release/+/53135 fully working for IPv6 and IPv4. Its ready for review. Once this lands we can put lustre into a feature freeze.

James A Simmons added a comment - 06/Dec/23 12:27 AM

Currently working on https://review.whamcloud.com/c/fs/lustre-release/+/53135.

Works for IPv4 and it mostly works for IPv6. Still some issues for final deleting of the nodemap due to the records support missing currently. Also for this patch only one large NID is stored for each nodemap.

James A Simmons added a comment - 06/Dec/23 12:27 AM Currently working on https://review.whamcloud.com/c/fs/lustre-release/+/53135. Works for IPv4 and it mostly works for IPv6. Still some issues for final deleting of the nodemap due to the records support missing currently. Also for this patch only one large NID is stored for each nodemap.

Andreas Dilger added a comment - 18/Nov/23 6:36 PM

This patch allows a single nodemap entry to be specified but not a range of NIDs. I don't think this ticket should be closed when 53135 is landed, since we really need to have a solution for specifying multiple IPv6 NIDs into a range efficiently instead of listing 5000 NIDs individually for multiple nodemaps.

Andreas Dilger added a comment - 18/Nov/23 6:36 PM This patch allows a single nodemap entry to be specified but not a range of NIDs. I don't think this ticket should be closed when 53135 is landed, since we really need to have a solution for specifying multiple IPv6 NIDs into a range efficiently instead of listing 5000 NIDs individually for multiple nodemaps.

Gerrit Updater added a comment - 14/Nov/23 8:16 PM

"James Simmons <jsimmons@infradead.org>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/53135
Subject: ~~LU-13307~~ nodemap: have nodemap_add_member support large NIDs
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 4aa8457f95ee21d72a35d596082f34f6fbee1ace

Gerrit Updater added a comment - 14/Nov/23 8:16 PM "James Simmons <jsimmons@infradead.org>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/53135 Subject: LU-13307 nodemap: have nodemap_add_member support large NIDs Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: 4aa8457f95ee21d72a35d596082f34f6fbee1ace

Andreas Dilger added a comment - 05/Apr/23 4:51 AM

It would seem reasonable to change nodemap_idx_type similar to my previous suggestion, but instead of (or in addition to) nr6_count to add a nr6_netmask_bits so that it can encode e.g. 192.168.10.1/24 or ::1/52 (or whatever is used for IPv6 addresses):

enum nodemap_idx_type {
        :
      NODEMAP_RANGE6_IDX = 6
};

struct nodemap_range6_rec {
        __u64 nr6_count;
        struct nr6_start_nid;
        __u32 nr6_netmask_bits;
};

Andreas Dilger added a comment - 05/Apr/23 4:51 AM It would seem reasonable to change nodemap_idx_type similar to my previous suggestion, but instead of (or in addition to) nr6_count to add a nr6_netmask_bits so that it can encode e.g. 192.168.10.1/24 or ::1/52 (or whatever is used for IPv6 addresses): enum nodemap_idx_type { : NODEMAP_RANGE6_IDX = 6 }; struct nodemap_range6_rec { __u64 nr6_count; struct nr6_start_nid; __u32 nr6_netmask_bits; };

Andreas Dilger added a comment - 06/Mar/23 12:05 AM

Neil, nodemaps are used for managing client-specific configuration.

Originally nodemaps were developed for UID/GID mapping for clients connecting from different "workgroup" clusters that are/were not managed with the same central user administration. They are also used to direct clients to mount only a subdirectory of the filesystem, and to limit root access/admin permissions to the rest of the filesystem (root squash, and more).

Because nodemaps can control admin access on clients, the clients can also use strong authentication (shared secret key or Kerberos) in addition to the IP address to ensure that clients are not spoofing their address.

Definitely the clients will need to use consistent source addresses, and/or advertise all of their addresses at connect time to the servers, so that the server knows that later RPCs are from the same client, or they will be rejected.

Andreas Dilger added a comment - 06/Mar/23 12:05 AM Neil, nodemaps are used for managing client-specific configuration. Originally nodemaps were developed for UID/GID mapping for clients connecting from different "workgroup" clusters that are/were not managed with the same central user administration. They are also used to direct clients to mount only a subdirectory of the filesystem, and to limit root access/admin permissions to the rest of the filesystem (root squash, and more). Because nodemaps can control admin access on clients, the clients can also use strong authentication (shared secret key or Kerberos) in addition to the IP address to ensure that clients are not spoofing their address. Definitely the clients will need to use consistent source addresses, and/or advertise all of their addresses at connect time to the servers, so that the server knows that later RPCs are from the same client, or they will be rejected.

Neil Brown added a comment - 05/Mar/23 9:45 PM

It is important to be aware that a network interface can (and usually does) have multiple IPv6 addresses.

There is a link-local address which cannot be routed, there maybe a an address based on the hardware MAC address, there might be 1 or more temporary addresses that are assigned randomly and used as the source of outgoing connections and are discarded after a time when not in use. There might be an address assigned by dhcp6. And there could be addresses that are manually assigned.

Servers typically have a manually assigned address which is published in the DNS. Hosts that only act as a client could only have randomly assigned addresses - one permanent for the rare case when an incoming connection is needed, one or two which are temporary and recycles, and used for all outgoing connections.

NFS and Lustre both set IPV6_PREFER_SRC_PUBLIC so when connecting to a server the client will advertise a stable IPv6 address that will not expire. However if there are multiple possible public source addresses for the chosen interface, there is not currently any code to choose between them.

With this context: What are nodemaps used for? grouping servers? grouping clients? Both?

Can we just assume that people who want to use nodemaps will configure appropriate IPv6 addresses and NIDs to make the mapping convenient?

I would MUCH rather limit support to net-masks, avoiding any suggestion of numeric ranges which are not power-of-2 in size and alignment.

Neil Brown added a comment - 05/Mar/23 9:45 PM It is important to be aware that a network interface can (and usually does) have multiple IPv6 addresses. There is a link-local address which cannot be routed, there maybe a an address based on the hardware MAC address, there might be 1 or more temporary addresses that are assigned randomly and used as the source of outgoing connections and are discarded after a time when not in use. There might be an address assigned by dhcp6. And there could be addresses that are manually assigned. Servers typically have a manually assigned address which is published in the DNS. Hosts that only act as a client could only have randomly assigned addresses - one permanent for the rare case when an incoming connection is needed, one or two which are temporary and recycles, and used for all outgoing connections. NFS and Lustre both set IPV6_PREFER_SRC_PUBLIC so when connecting to a server the client will advertise a stable IPv6 address that will not expire. However if there are multiple possible public source addresses for the chosen interface, there is not currently any code to choose between them. With this context: What are nodemaps used for? grouping servers? grouping clients? Both? Can we just assume that people who want to use nodemaps will configure appropriate IPv6 addresses and NIDs to make the mapping convenient? I would MUCH rather limit support to net-masks, avoiding any suggestion of numeric ranges which are not power-of-2 in size and alignment.

People

Assignee:: James A Simmons

Reporter:: Andreas Dilger

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 28/Feb/20 12:43 PM

Updated:: 20/Jan/24 2:29 PM

Resolved:: 20/Jan/24 2:29 PM