Overview
RIS had a long history of managing specialized storage before joining WashU IT. Using the same underlying technologies and lessons learned, that experience was generalized into the concept of a Storage Service that could be offered to a wider audience at the University. Over time, the details of the resources that make up this offering have changed due to new policies, designs, discoveries and technologies. These changes can sometimes lead to, or explain, intentional or accidental changes in service behaviour or availability. This is a limitation of our development processes and technical details, and a look at them may provide insight into some observed behaviors.
Components of a Storage Allocation
When the storage service is used, it employs a number of technical resources that all need to be coordinated in order to function properly. Some of these may include:
...
Each of these items has its own design and configuration, and together they implement controlled access to digital storage. These resources may have been created or modified by different processes or entities throughout the evolution of the service.
Changes to the Storage Service Over Time
Historical
GPFS, Disk groups in LIMS, storage0, identity management through IPA, NFS, private network
Early Access to Storage Service
GPFS, SMB integrated with ACCOUNTS Active Directory domain (WUSTL Key), WUSM network
...
For some time it is dual-homed and known by both gsc.wustl.edu and ris.wustl.edu names, causing some headaches
Early Features
Active
Free 5 TB via SMB, hard quotas, billed for additional usage. POSIX mode 0000, unseen because only used through SMB. Not browseable; directories cannot be seen without ACL permission. “Bypass Traverse Check” in SMB:
...
This feature is relied upon, preventing future access via compute1
Archive
Lower cost, stored to tape
Provision storage container/script
Where allocations had previously been made “by hand”, this brings some much-needed consistency to the provisioning process. However, it has shortcomings with managing existing allocations. Many changes are still made by hand.
Projects
New RW/RO groups for every project, ACL or POSIX _only_
Filesets changed for ACL + POSIX perms
Setting POSIX perms no longer wipes ACL, special ACEs can represent and influence POSIX permissions
Add default POSIX permissions
Observe applications break with mode 0000 files when used in compute, e.g. git. Start using heritable default of 0700.
Using Ansible
Allocations are defined in a declarative style suitable for use by a “desired state” tool that runs idempotently to manage the configuration of an allocation throughout its lifecycle. This development leads to the “ris.research-storage-allocation” Ansible role.
NFS turned on for engineering
A fact to be aware of.
Inherit different permissions for files and folders
Git is still not happy: files which should not be executable are made executable. Change to a default of 0700 for directories, but 0600 for files. Effectively a umask of 0077.
This still munges permissions in git; as it turns out, any inherited ACE causes the umask to be ignored. POSIX ACLs do this too, and IBM has confirmed it is functioning as designed/desired.
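The following is an added example, not RIS code: it shows what a real umask of 0077 produces for newly created files and directories when no ACL is involved, then audits a tree for the mode states described above (0000 entries and unexpected execute bits). The function names and the sample tree are constructed for illustration, and only POSIX mode bits are inspected.

```python
import os
import stat
import tempfile

DIR_DEFAULT, FILE_DEFAULT = 0o700, 0o600  # inherited defaults named on the page

def modes_under_umask(mask):
    """Create a file (requested 0666) and a directory (requested 0777) under
    `mask` with no ACL involved; return their resulting (file, dir) modes."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            f, d = os.path.join(scratch, "f"), os.path.join(scratch, "d")
            os.close(os.open(f, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(d, 0o777)
            return os.lstat(f).st_mode & 0o777, os.lstat(d).st_mode & 0o777
    finally:
        os.umask(old)

def audit_tree(root):
    """Return sorted (path, mode, finding) for entries whose POSIX mode bits
    deviate from the defaults. NFSv4 ACLs are not read here."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning
            mode = st.st_mode & 0o777
            if mode == 0:
                finding = "mode 0000, reachable only through an ACL"
            elif stat.S_ISDIR(st.st_mode):
                finding = "" if mode == DIR_DEFAULT else "directory is not 0700"
            elif mode & 0o111:
                finding = "file has an execute bit"
            else:
                finding = "" if mode == FILE_DEFAULT else "file is not 0600"
            if finding:
                findings.append((os.path.relpath(path, root), format(mode, "04o"), finding))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: one file per state described on the page."""
    proj = os.path.join(root, "proj")
    os.mkdir(proj)
    os.chmod(proj, 0o700)
    for name, mode in (("legacy.dat", 0o000), ("README", 0o700), ("notes.txt", 0o600)):
        path = os.path.join(proj, name)
        open(path, "w").close()
        os.chmod(path, mode)
```

Files flagged with an execute bit are candidates for review rather than errors, since some scripts are legitimately executable.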
The Storage Allocation Today
March 2020
RIS is developing new processes to manage all of this in a more specific and consistent manner. This includes a new interface, “ITSM”, and bringing all allocations up to our current design and standards. It is inevitable that changes and mistakes will occur, and having a record and method to refer to will ensure that such changes or mistakes are more easily caught and avoided in the future.
...