1. INFINIDAT Support
  2. InfiniBox
  3. Best Practice Guides for Services
InfiniBox Best Practices Guide for Setting Up a NAS Service

Follow

Introduction

Scope of document

This document provides guidelines and instructions for setting up the InfiniBox NAS service.

Unless otherwise specified, use Infinidat Management Console's command-line UI (InfiniShell) to run the CLI commands described in this document.

Related documentation

  • InfiniBox Best Practices Guide for Setting Up the Network Connectivity
    Describes how to set up the physical network prior to setting up the services.
  • InfiniBox Best Practices Guide for Setting Up the Replication Service

Creating a NAS service

Switch requirements

This configuration requires two switches that support LAGs (LACP port-groups) distributed across them. This configuration is typically supported by stacked switches. It is also supported by some non-stacked switches, such as Cisco Nexus Virtual Port Channel.

It is recommended to:

  • Set the LACP rate of the relevant port-group (or port channel) to "Fast". This is consistent with the InfiniBox port groups' IEEE 802.3ad standard for the availability and load-balancing of the physical ports.
  • Configure the switches to use a spanning-tree algorithm so that the ports connected to InfiniBox react to network changes.
    The switch configuration semantics of many network vendor implementations refer to this as “portfast”, “edge” or “edge-port”.
  • Enable RX/TX flow-control for the entire network path between the InfiniBox system and all NAS clients.
  • Set the link up/down delay to less than 15 seconds.
    Cisco calls this delay "debounce", Juniper calls it "hold-time", and HP calls it "link change suppression". 
    The default link up/down delay for some switches is 60 seconds or more.

InfiniBox advertises LACP capability on all configured Ethernet ports, regardless of the number of ports configured in a port group.
LACP is only advertised after a network space is configured.

To configure the switch-to-port connections:

  1. Connect one port from each node to Switch A.
  2. Connect one port from each node to Switch B.

Creating a network (Ethernet) interface

To configure a LAG for the paired ports:

  1. In the InfiniBox Management Console, click the Settings icon on the left toolbar.
  2. Select the Network Interfaces tab, click the Create button, and select Port Group.
  3. Create a new InfiniBox Port Group that includes the ports connected to all the nodes.

Creating a network space

Create a network space for NAS. If you need to run both NAS and replication on the same port group, create a network space for each using the same port group.

  1. In the InfiniBox Management Console, click the Settings icon on the left toolbar.
  2. Select the Network Spaces tab, and click Create.

    The Create Network Space window opens.
  3. Enter a network space name.

  4. In the Service drop-down menu, select NAS.

  5. In the MTU field, enter the size, in bytes, of the Ethernet transfer over the wire. The default value is 1500.

    See the "NAS network space MTU best practice" section below.

  6. For each node, select its Ethernet interface from the drop-down menu.
    If the desired interface was not created earlier from the Network Interfaces tab and is not in the drop-down menu, you can add a new one to the menu. See the Creating network (Ethernet) interfaces from the Create Network Space window section in this document.
  7. (Optional) To group the interfaces into a Virtual LAN, click the Create VLAN button.
  8. Click Next to proceed to the IP Configuration step.
  9. Enter the networking data.
    • Network:
      Enter the first IP address in the network range.
    • Netmask

    • For each one of the recommended number of IP addresses in the network space:
      Enter an IP address or range (in the format 172.16.34.5-12) within the subnet range, and then click Add to verify the validity of the IP address.

      For NAS and iSCSI services, it is recommended to enter 6 IP addresses.

      For a replication service, it is recommended to enter 10 IP addresses. See InfiniBox Best Practices Guide for Setting Up the Replication Service.

  10. Click Finish.
    The network space is displayed in the window.

Creating network (Ethernet) interfaces from the Create Network Space window

You can create Ethernet interfaces from the Network Interfaces tab, or from the Create Network Space window.

  1. In the Create Network Space window, click the Create new option from a node's Ethernet interface field's drop-down menu, or click the Create Interfaces button at the bottom of the window.

    The Create Ethernet Interfaces tab opens.
  2. Either select an Ethernet interface or click Create Interfaces.
  3. You can rename the default interface name.
  4. Select two ports for NAS from the available Ethernet ports.
    Ports that are already taken by other interfaces are grayed-out.
  5. Click Create.
    The new interface is now selected in the Create Network Space window.

NAS network space MTU best practice

NAS performance highly depends on the actual application workload. As a rule of thumb, large file I/O operations benefit from decreasing the fragmentation of packets.

To decrease packet fragmentation, set your Ethernet network to use jumbo frames. For InfiniBox NAS, set the MTU to 9000, which can be done during the network space creation:

It is important to preserve consistent settings on the client, network, and file server to get the best performance.

NAS client performance 

Each client typically connects to the InfiniBox export using a single IP address (as resolved using DNS load balancing). This enables communication to flow between a single IP address on the client and a single IP address on one of the InfiniBox nodes. Due to the underlying LACP interface behavior, a single NFS or SMB connection is limited to the bandwidth of a single physical Ethernet port, even when following the recommendation to place two physical Ethernet ports in the interface.

In NAS environments where there are thousands of clients, the full aggregate bandwidth of the NAS network space can be used by the clients. 

Load balancing

DNS Round Robin is the best and simplest way to enable a balanced distribution of NFS mounts or SMB shares among the 6 IP addresses in the network space. Simply define multiple A records with the same hostname and different IP addresses in your DNS zone file:

;    zone file fragment
ibox IN   A    192.168.0.4
ibox IN   A    192.168.0.5
ibox IN   A    192.168.0.6
ibox IN   A    192.168.0.7
ibox IN   A    192.168.0.8
ibox IN   A    192.168.0.9

With this setup, the name ibox has been assigned as the hostname. Each sequential name lookup results in the next IP being used, so client connections are distributed across the available ports and IP addresses.

Automounter can be used to balance NFS mounts between multiple IP addresses:

fs01 -rw 192.168.0.4,192.168.0.5,192.168.0.6,192.168.0.7:/fs01

Manual IP balancing can also be used when there are a small number of clients.

NAS data protection

Replication

InfiniBox currently offers asynchronous replication capabilities for both block and NAS storage. For more information on replication, see InfiniBox Best Practices Guide for Setting Up the Replication Service.

NAS backup

We recommend utilizing the highly efficient InfiniBox snapshot capability for backup. We offer convenient integration with several key backup vendor environments for snapshot management. Check with your InfiniBox sales representative for more details.

NFSv3 best practices

Infinidat NFS and UNIX defaults

New InfiniBox NFS exports have default access permissions, defined by a system-level parameter mgmt/file.export_permissions_default

There are several system-level defaults that can be modified by Infinidat support:

SettingParameter NameDefault Value

Export permissions for newly created exports

mgmt/file.export_permissions_default 

[{"access":"RW","client":"*"," no_root_squash":true}]

Access permissions for newly created filesystems

mgmt/file.root_mode_default 

0755/-rwxr-xr-x 

The root folder on new filesystems are created with root:root ownership and permissions 0755/-rwxr-xr-x.

$ ls -ld /mnt/fs01
drwxr-xr-x 2 root root 0 Sep 12 10:10 /mnt/fs01

Modify the filesystem ownership and/or permissions on the client, with root access to the filesystem as needed.

$ sudo chown john:it /mnt/fs01
$ sudo chmod 2750 /mnt/fs01
$ ls -ld /mnt/fs01
drwxr-s--- 2 john it 0 Sep 12 10:10 /mnt/fs01

Linux NFS client configuration options

Numerous articles describe NFS client performance tuning recommendations. For example, for Linux clients, refer to:  http://nfs.sourceforge.net/nfs-howto/ar01s05.html

The recommended Linux mount options are:

vers=3,tcp,hard,rsize=262144,wsize=262144

For example:

# mount -t nfs -o vers=3,tcp,hard,rsize=262144,wsize=262144 ibox:/FS1 /mount-point

File locking

InfiniBox releases 5.0 and above support NLM (Network Lock Manager).

Infinidat strongly recommends setting the mount options hard so that hard NFS mounts are used with interrupts disabled.

When using soft a NFS mount, NFS timeouts and errors are propagated to applications, causing file access disruptions. This can cause application errors during unplanned situations (such as network failures) or planned operations (such as InfiniBox software upgrade).

VMware NFS client configuration

VMware offers less flexibility for NFS mount configuration. In particular, read/write block size cannot be tuned, and are fixed at 64KB.

VMware does not use NLM for file locking.

Follow the VMware standard recommendations for NFS datastores configuration:

Windows NFS client configuration

There are several NFS client implementations for Microsoft Windows operating systems. This document describes how to configure the native Microsoft NFS client to access InfiniBox NFS.

An alternative NFS client is available from OpenText. (See http://connectivity.opentext.com/products/nfs-clients.aspx)

Installing Windows NFS client

The Microsoft NFS client installation procedure may differ slightly for different Windows versions. It is highly recommended to check Microsoft documentation for your specific version to ensure a proper setup.

To install Microsoft NFS client on Windows Server 2012 R2:

  1. Log in to your Windows Server and start the Server Manager.
  2. In the navigation pane, select Local Server.


  3. Open the Manage menu at the right top of the toolbar, and select Add Roles and Features.
  4. In the Installation Type dialog, select Role-based or feature-based installation.
  5. In the Features dialog, select the Client for NFS option.
  6. In the Confirmation dialog, click the Install button.
  7. It is important to define mapping of Unix User IDs/Group IDs to Windows users and groups. If Active Directory is deployed in your organization, it can be used for such mapping.
    To configure the Microsoft NFS client to use Active Directory for UID-to-user-name mapping, run at the Windows command prompt
nfsadmin mapping
[ComputerName] config adlookup=yes addomain=DomainName

Configuring Windows user account UID and GID

To configure UIDs and GIDs for a Windows user account in Active Directory:

  1. Launch Active Directory Users and Computers on your AD controller.
  2. In the View menu, make sure the Advanced Features option is enabled.
  3. In the Users section, right-click the user’s name, and open the Attribute Editor tab. Modify the uidNumber, uid, gidNumber, gid as needed.

Running the NFS filesystem mount command

The NFS filesystem must be mounted using the following arguments:

  • mtype=hard - the mount type is hard, as is customary for Linux client implementations
  • nolock - do not use NLM to lock files

To mount the NFS filesystem on your Windows machine, run at the Windows command prompt:

> mount -o nolock mtype=hard rsize=64 wsize=64 \\ibox\exported_path Z:

The default mtype for Windows NFS client is soft. If the NFS mount is soft, errors will be propagated to applications whenever NFS times out, causing file access disruptions. This can cause application errors during unplanned situations (such as network failures) or planned operations (such as InfiniBox software upgrade).

To ensure a hard NFS mount, Infinidat strongly recommends using the mount option  mtype=hard whenever mounting an NFS export in Windows.

Snapshot access

The snapshot pseudo-directory enables NFS clients to access the contents of filesystem snapshots. The snapshot directory allows end-users to recover deleted or modified files autonomously without the intervention of the administrator. Using the snapshot directory, the end-user can run a backup from a static view of the filesystem, without mounting the snapshot.

This feature supports customers migrating from existing NAS solutions by allowing the admin to determine the way the snapshot directory is named.

Visibility and contents of the snapshot directory

  • The snapshot directory appears and is accessible as a regular folder. 
  • Its name is configurable during the filesystem creation. The default name is .snapshot
    • After an upgrade, if there was a folder named .snapshot, the existing folder will not be accessible.  
  • Only RO snapshots that were never writable can be visible and accessed in the snapshot directory.
  • Visibility of the snapshot directory:
    • The visibility of snapshot directory is configurable per export.
    • A snapshot directory that is not visible is still accessible by providing the specific path.
    • Snapshots of snapshots are not accessible from the snapshot directory. They are accessible if mounted to the first-level snapshots.
  • The snapshot directory is accessible from any folder.
    • Replication snapshot are not visible on the snapshot directory.

For more information, see Overview of snapshot directory.

Backup to external media via NFS mount

For backup to external media we recommend mounting relevant filesystems directly on the backup media server and performing backup via NFS mount.

SMB best practices

SMB quick setup guide

Make sure a NAS network space has been defined on the InfiniBox system. SMB clients will use this network space to access the shares you define.

Changing the default local Administrator password

The default password for the local SMB Administrator user is P@ssw0rd (note the zero). It is recommended to replace the default Administrator password with a new one.

SMB user passwords must comply with the standard password complexity rules in Windows environments. See https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756109(v=ws.10)

To change the Administrator password, run the following CLI command:

admin@localhost> config.nas.smb_users.change_password user=Administrator
Please enter a password for user Administrator: 
Re-enter new password:
Smb user "Administrator" password changed

Joining the Active Directory domain

To specify which AD domain to join, include its FQDN and IP addresses of the domain controllers InfiniBox should use, in the following CLI command:

admin@localhost> config.nas.active_directory.join domain=ad2k12.local username=Administrator preferred_controllers=172.20.86.71,172.20.86.72
Please enter a password for user Administrator:

The InfiniBox system name and FQDN of should be different than those of the Active Directory.

Creating a filesystem that supports SMB

To create a filesystem that supports SMB shares, include the security_style=WINDOWS parameter in the following CLI command:

admin@localhost> fs.create name=my-fs1 pool=my-pool size=100gb thin=yes security_style=WINDOWS
Filesystem "my-fs1" created

The root folder on new filesystems (with WINDOWS security style) are owned by the local SMB Administrator user, and

  • Allow members of the  local SMB Administrator group and members of the Active Directory Domain Admins group full control of files in the share
  • Allow everyone else read-only access to files in the share

You can modify the filesystem root folder ownership and/or permissions on the client, after creating an SMB share and mounting is using an administrator account.

Creating an SMB share

To create an SMB share on the filesystem root folder, run the following CLI command:

admin@localhost> fs.share.create name=MyShare fs=my-fs1 internal_path=/
Share "MyShare" created
The default permissions for SMB shares allows everyone full-control. This default can be changed by Infinidat support.

Connecting to SMB shares

Windows clients can access SMB shares by mapping them, either using Windows File Explorer or via Windows CLIs such as Command Prompt.

Mac users can access SMB shares through the Connect to Server feature.

In all cases, to gain access to the share, Windows clients must authenticate using either Kerberos authentication or NTLMv2 authentication. 

Authenticating using Kerberos

With Kerberos authentication, Windows users provide their passwords only once, during login to the computer or domain.

Kerberos authentication is more secure than NTLMv2. It requires the following conditions:

  • The InfiniBox system is joined to an Active Directory domain.
  • The SMB client is a member of this domain (or a trusted domain).
  • The user logged into the SMB client using an Active Directory domain account.
  • The user uses FQDN to mount the SMB share, and the FQDN resolves to an IP address from the NAS network space.

If the above conditions are not all met, the Windows client must authenticate using NTLMv2.

Authenticating using NTLMv2

A local SMB user (defined in InfiniBox) and an Active Directory domain account (if the InfiniBox system was joined to an Active Directory domain) can both authenticate using NTLMv2.

With NTLMv2 authentication, Windows users must provide a valid user name and password.

The authenticating user need not be the same as the one logged into the Windows client.

When authenticating a local SMB user using NTLMv2, use one of the following formats:

  • user-name@system-FQDN, where system-FQDN  is the InfiniBox system's FQDN (as it appears in the config.system.query CLI command)
    For example: to use the default Administrator user of InfiniBox system ibox734.infinidat.com, connect as Administrator@ibox734.infinidat.com 
  • system-host-name\user-name, where system-host-name is the host-name portion of the InfiniBox system's FQDN (as it appears in the config.system.query CLI command).
    For example: to use the default Administrator user of InfiniBox system ibox734.infinidat.com, connect as ibox734\Administrator 
    If the system-host-name  is longer than 15 characters, use the first 15 characters
    For example: to use the default Administrator user of InfiniBox system abcdefgh-corporate.infinidat.com, connect as abcdefgh-corpor\Administrator 

The local SMB user name is case-sensitive.

When authenticating an Active Directory domain account, use one of the following formats:

  • user-name@domain-FQDN, where domain-FQDN  is the FQDN of the Active Directory domain.
    For example: Administrator@ad2k16.local 
  • Use domain-NetBIOS-name\user-name, where domain-NetBIOS-name is the NetBIOS (short) name of the Active Directory domain.
    For example: AD2K16\Administrator 

The Active Directory user name is not case-sensitive.

Connecting to a share using Windows Explorer

To connect to a share with Kerberos authentication, the UNC used must contain an FQDN that resolves to an IP address in the NAS network space. For example:

  

If Kerberos authentication is not possible, select the Connect using different credentials checkbox. The Windows client will use NTLMv2 authentication and the Enter network credentials dialog will appear.

Type in the user name, in the format stated above (see authentication with NTLMv2), and the user's password:

Connecting to a share using Windows Command Prompt

To connect to a share using Kerberos authentication, issue the net use  command without specifying a dedicated user. For example:

net use z: \\ibox3676-nas1-1.lab.gdc.il.infinidat.com\MyShare
The command completed successfully.

If Kerberos authentication is not possible, include the user name in the net use  command. For example:

net use z: \\ibox3676-nas1-1.lab.gdc.il.infinidat.com\MyShare /user:Administrator@ad2k12.local

The Command Prompt requests the user's password:

Enter the password for 'Administrator@ad2k12.local' to connect to 'ibox3676-nas1-1.lab.gdc.il.infinidat.com':
The command completed successfully.

You can also specify the user's password on the command line. For example:

net use z: \\ibox3676-nas1-1.lab.gdc.il.infinidat.com\MyShare THE-PASSWORD /user:Administrator@ad2k12.local
The command completed successfully.

To disconnect from a share, run at the Windows command prompt:

net use z: /delete

Connecting to a share from a Mac

To connect to a share from a Mac using NTLMv2 authentication:

  1. Select Go > Connect to Server.
    Screen Shot 2022-03-27 at 13.21.12.png
  2. Enter the drive and IP address of the share server, and click Connect.
  3. Enter your credentials , and click Connect.
  4. Click Connect.

Snapshot access

To access historical content of files and folders, use the Windows File Explorer to access the file or folder's Properties window, and select the Previous Versions tab:

Refer to Microsoft documentation at https://support.microsoft.com/en-us/windows/recover-lost-or-deleted-files-7bf065bf-f1ea-0a78-c1cf-7dcf51cc8bfc.


Print Friendly and PDF Download PDF
Was this article helpful?
0 out of 0 found this helpful

0 out of 0 found this helpful

Last edited: 2022-08-06 08:08:47 UTC

Comments