Internet Engineering Task Force (IETF)                     D. Black, Ed.
Request for Comments: 6688                               EMC Corporation
Updates: 5663                                                 J. Glasgow
Category: Standards Track                                         Google
ISSN: 2070-1721                                               S. Faibish
                                                         EMC Corporation
                                                               July 2012
        
Internet Engineering Task Force (IETF)                     D. Black, Ed.
Request for Comments: 6688                               EMC Corporation
Updates: 5663                                                 J. Glasgow
Category: Standards Track                                         Google
ISSN: 2070-1721                                               S. Faibish
                                                         EMC Corporation
                                                               July 2012
        

Parallel NFS (pNFS) Block Disk Protection

并行NFS(pNFS)块磁盘保护

Abstract

摘要

Parallel NFS (pNFS) extends the Network File System version 4 (NFSv4) to enable direct client access to file data on storage devices and bypass the NFSv4 server. This can increase both performance and parallelism, but it requires additional client functionality, some of which depends upon the type of storage used. The pNFS specification for block storage (RFC 5663) describes how clients can identify the volumes used for pNFS, but this mechanism requires communication with the NFSv4 server. This document updates RFC 5663 to add a mechanism that enables identification of block storage devices used by pNFS file systems without communicating with the server. This enables clients to control access to pNFS block devices when the client initially boots, as opposed to waiting until the client can communicate with the NFSv4 server.

并行NFS(pNFS)扩展了网络文件系统版本4(NFSv4),允许客户端直接访问存储设备上的文件数据,并绕过NFSv4服务器。这可以提高性能和并行性,但需要额外的客户端功能,其中一些功能取决于所使用的存储类型。块存储的pNFS规范(RFC 5663)描述了客户端如何识别用于pNFS的卷,但此机制需要与NFSv4服务器通信。本文档更新了RFC 5663,以添加一种机制,该机制允许在不与服务器通信的情况下识别pNFS文件系统使用的块存储设备。这使客户端能够在客户端最初引导时控制对pNFS块设备的访问,而不是等到客户端可以与NFSv4服务器通信。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6688.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6688.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................3
   2. Conventions Used in This Document ...............................4
   3. GPT Partition Table Entry .......................................4
   4. Security Considerations .........................................5
   5. References ......................................................5
      5.1. Normative References .......................................5
      5.2. Informative References .....................................6
   6. Acknowledgements.................................................6
        
   1. Introduction ....................................................3
   2. Conventions Used in This Document ...............................4
   3. GPT Partition Table Entry .......................................4
   4. Security Considerations .........................................5
   5. References ......................................................5
      5.1. Normative References .......................................5
      5.2. Informative References .....................................6
   6. Acknowledgements.................................................6
        
1. Introduction
1. 介绍

Figure 1 shows the overall architecture of a Parallel NFS (pNFS) system:

图1显示了并行NFS(pNFS)系统的总体架构:

       +-----------+
       |+-----------+                                 +-----------+
       ||+-----------+                                |           |
       |||           |       NFSv4.1 + pNFS           |           |
       +||  Clients  |<------------------------------>|    MDS    |
        +|           |                                |           |
         +-----------+                                |           |
              |||                                     +-----------+
              |||                                           |
              |||                                           |
              ||| Storage        +-----------+              |
              ||| Protocol       |+-----------+             |
              ||+----------------||+-----------+  Control   |
              |+-----------------|||           |  Protocol  |
              +------------------+||  Storage  |------------+
                                  +|  Devices  |
                                   +-----------+
        
       +-----------+
       |+-----------+                                 +-----------+
       ||+-----------+                                |           |
       |||           |       NFSv4.1 + pNFS           |           |
       +||  Clients  |<------------------------------>|    MDS    |
        +|           |                                |           |
         +-----------+                                |           |
              |||                                     +-----------+
              |||                                           |
              |||                                           |
              ||| Storage        +-----------+              |
              ||| Protocol       |+-----------+             |
              ||+----------------||+-----------+  Control   |
              |+-----------------|||           |  Protocol  |
              +------------------+||  Storage  |------------+
                                  +|  Devices  |
                                   +-----------+
        

Figure 1. pNFS Architecture

图1。pNFS体系结构

In this document, "storage device" is used as a general term for a data server and/or storage server for any pNFS layout type. The MetaData Server (MDS) is the NFSv4 server that provides pNFS layouts to clients and handles operations on file metadata (e.g., names and attributes).

在本文档中,“存储设备”用作任何pNFS布局类型的数据服务器和/或存储服务器的通用术语。元数据服务器(MDS)是NFSv4服务器,它向客户端提供pNFS布局,并处理对文件元数据(例如名称和属性)的操作。

For the pNFS block protocol as specified in [RFC5663], client identification of pNFS storage devices requires contacting the MDS to obtain device signature information. It is not possible for a pNFS client to reliably identify pNFS block storage devices without contacting the MDS, because the device signature location and contents may vary among devices and servers; both device signature location and contents are determined by the MDS, not the client.

对于[RFC5663]中规定的pNFS块协议,pNFS存储设备的客户端标识需要联系MDS以获取设备签名信息。pNFS客户端不可能在不联系MDS的情况下可靠地识别pNFS块存储设备,因为设备签名位置和内容可能因设备和服务器而异;设备签名位置和内容都由MDS而不是客户端确定。

Typical operating system (OS) boot functionality scans and activates block devices (e.g., Small Computer System Interface (SCSI)) before activating the NFS client (including pNFS functionality). This sequence of operations creates a window of time during which the client OS may modify a pNFS block device without contacting the server (e.g., by attempting to mount or initialize a local physical filesystem). This document specifies an identification mechanism for pNFS block storage devices that can be used by an OS implementation to remove this window of vulnerability.

典型的操作系统(OS)引导功能在激活NFS客户端(包括pNFS功能)之前扫描并激活块设备(例如,小型计算机系统接口(SCSI))。此操作序列创建了一个时间窗口,在此期间,客户端操作系统可以修改pNFS块设备,而无需联系服务器(例如,通过尝试装载或初始化本地物理文件系统)。本文档指定了pNFS块存储设备的标识机制,操作系统实现可使用该机制删除此漏洞窗口。

Many storage area network (SAN) storage systems provide quasi-static access control mechanisms (e.g., Logical Unit Number (LUN) mapping and/or masking) that operate at the granularity of individual hosts. While it is feasible to use such mechanisms to remove this window (e.g., by only enabling a client to access pNFS block storage devices after the client has contacted the responsible MDS), such usage is undesirable and potentially problematic. This is because the storage access control mechanisms are quasi-static; they are typically configured once to allow client access to the block pNFS storage devices and not reconfigured dynamically (e.g., based on crashes and reboots). Block storage access controls can be changed to respond to unusual circumstances (e.g., to fence [remove access from] an uncooperative pNFS client), but should not be used as part of routine client operations (e.g., reboot). A different mechanism is needed.

许多存储区域网络(SAN)存储系统提供准静态访问控制机制(例如,逻辑单元号(LUN)映射和/或掩蔽),这些机制在各个主机的粒度上运行。虽然使用此类机制删除此窗口是可行的(例如,仅允许客户端在与负责的MDS联系后访问pNFS块存储设备),但此类使用是不可取的,并且可能存在问题。这是因为存储访问控制机制是准静态的;它们通常配置一次,以允许客户端访问块pNFS存储设备,而不是动态重新配置(例如,基于崩溃和重新启动)。可以更改块存储访问控制以响应异常情况(例如,隔离[删除]不合作的pNFS客户端的访问),但不应将其用作常规客户端操作的一部分(例如,重新启动)。需要一种不同的机制。

This document specifies an entry in the GUID (Globally Unique Identifier) partition table (GPT) that can be used by a pNFS server to label pNFS storage devices. This GPT entry is intended for shared pNFS storage devices that are accessible to pNFS clients and servers, and that may be accessible to other hosts or systems. This entry enables pNFS clients, as well as other hosts and systems, to avoid accessing pNFS storage devices via means other than pNFS.

本文档指定了GUID(全局唯一标识符)分区表(GPT)中的一个条目,pNFS服务器可以使用该条目来标记pNFS存储设备。此GPT条目适用于pNFS客户端和服务器可以访问的共享pNFS存储设备,以及其他主机或系统可以访问的共享pNFS存储设备。此条目使pNFS客户端以及其他主机和系统能够避免通过pNFS以外的方式访问pNFS存储设备。

2. Conventions Used in This Document
2. 本文件中使用的公约

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

3. GPT Partition Table Entry
3. GPT分区表项

The following mechanism enables pNFS clients to identify pNFS block storage devices without contacting the server:

以下机制使pNFS客户端能够识别pNFS块存储设备,而无需联系服务器:

- Each block storage device dedicated to pNFS includes a GUID partition table (GPT) [GPT].

- 每个专用于pNFS的块存储设备都包括一个GUID分区表(GPT)[GPT]。

- The pNFS block storage partitions are identified in the GPT with GUID e5b72a69-23e5-4b4d-b176-16532674fc34, which has been generated for this purpose. GPT GUID usage is well understood and implemented. This document provides a definition for this GUID and its usage. A central registration mechanism does not exist for GPT GUIDs, or GUIDs in general, by design; see [RFC4122].

- pNFS块存储分区在GPT中以GUID e5b72a69-23e5-4b4d-b176-16532674fc34标识,该GUID已为此目的生成。GPT GUID的用法已得到充分理解和实现。本文档提供了此GUID的定义及其用法。GPT guid或一般设计的guid不存在中央注册机制;见[RFC4122]。

This mechanism enables an operating system to prevent non-pNFS access to pNFS block storage immediately upon boot. Servers that support pNFS block layouts SHOULD use the GPT and this GUID for all pNFS block storage devices.

此机制使操作系统能够在引导时立即防止非pNFS访问pNFS块存储。支持pNFS块布局的服务器应为所有pNFS块存储设备使用GPT和此GUID。

A pNFS client operating system that supports block layouts SHOULD recognize this GUID and SHOULD use its presence to prevent data access to pNFS block devices until a layout that includes the device is received from the MDS.

支持块布局的pNFS客户端操作系统应识别此GUID,并应使用其存在来阻止对pNFS块设备的数据访问,直到从MDS接收到包含该设备的布局。

Data stored on pNFS block layout storage devices can be better protected by incorporating checks for this GUID into other hosts and systems that do not support pNFS block layouts. If pNFS block storage devices are presented to such hosts or systems by mistake, the check for presence of this GUID can be used to prevent writes that could otherwise corrupt stored pNFS data.

通过将对该GUID的检查合并到不支持pNFS块布局的其他主机和系统中,可以更好地保护存储在pNFS块布局存储设备上的数据。如果错误地将pNFS块存储设备呈现给此类主机或系统,则可以使用检查此GUID是否存在来防止写操作,否则会损坏存储的pNFS数据。

Many current operating system versions support the GPT [GPT-W].

许多当前的操作系统版本都支持GPT[GPT-W]。

4. Security Considerations
4. 安全考虑

The pNFS block layout security considerations in [RFC5663] apply to this document.

[RFC5663]中的pNFS块布局安全注意事项适用于本文档。

The security considerations in [RFC4122] apply to the GUID specified in this document.

[RFC4122]中的安全注意事项适用于本文档中指定的GUID。

5. References
5. 工具书类
5.1. Normative References
5.1. 规范性引用文件

[GPT] Unified EFI Forum, "Unified Extensible Firmware Interface Specification", Version 2.3.1, Errata A, Section 5.3, September 2011, available from http://www.uefi.org.

[GPT]统一EFI论坛,“统一可扩展固件接口规范”,版本2.3.1,勘误表A,第5.3节,2011年9月,可从http://www.uefi.org.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC5663] Black, D., Fridella, S., and J. Glasgow, "Parallel NFS (pNFS) Block/Volume Layout", RFC 5663, January 2010.

[RFC5663]Black,D.,Fridella,S.,和J.Glasgow,“并行NFS(pNFS)块/卷布局”,RFC 5663,2010年1月。

5.2. Informative References
5.2. 资料性引用

[GPT-W] Wikipedia, "GUID Partition Table", July 2012, http://en.wikipedia.org/w/ index.php?title=GUID_Partition_Table&oldid=502098731.

[GPT-W]维基百科,“GUID分区表”,2012年7月,http://en.wikipedia.org/w/ php?title=GUID\u Partition\u Table&oldid=502098731。

[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2005.

[RFC4122]Leach,P.,Mealling,M.和R.Salz,“通用唯一标识符(UUID)URN名称空间”,RFC 4122,2005年7月。

6. Acknowledgements
6. 致谢

This document was produced by the IETF NFSv4 Working Group. Review comments from members of the working group improved this document and are gratefully acknowledged. The authors would like to thank Tom Talpey, and members of the IESG for helpful comments on this document, and also Alex Burlyga for providing an appropriate reference for the format of the GPT.

本文件由IETF NFSv4工作组编制。工作组成员的审查意见改进了本文件,对此表示感谢。作者要感谢Tom Talpey和IESG成员对本文件的有益评论,并感谢Alex Burlyga为GPT格式提供了适当的参考。

Authors' Addresses

作者地址

David L. Black (editor) EMC Corporation 176 South Street Hopkinton, MA 01748 USA Phone: +1 (508) 293-7953 EMail: david.black@emc.com

David L.Black(编辑)美国马萨诸塞州霍普金顿南街176号EMC公司电话:+1(508)293-7953电子邮件:David。black@emc.com

Jason Glasgow Google 5 Cambridge Center, Floors 3-6 Cambridge, MA 02142 USA Phone: +1 (617) 575-1599 EMail: jglasgow@google.com

杰森·格拉斯哥谷歌剑桥中心5号楼3-6楼马萨诸塞州剑桥02142美国电话:+1(617)575-1599电子邮件:jglasgow@google.com

Sorin Faibish EMC Corporation 228 South Street Hopkinton, MA 01748 USA Phone: +1 (508) 305-8545 EMail: sfaibish@emc.com

Sorin Faibish EMC Corporation 228 South Street Hopkinton,MA 01748美国电话:+1(508)305-8545电子邮件:sfaibish@emc.com