This section provides an introduction to the Openfiler Storage Configuration Centre and covers licensing and trademark information.

Welcome to the Openfiler Storage Configuration Centre Administration Guide. The Openfiler Storage Configuration Centre is a management interface designed to simplify management of storage resources in heterogeneous networks. Openfiler empowers storage administrators to simplify management of storage resources in the enterprise via an intuitive browser-based interface. Openfiler is ideal for multi-platform networks where the workstations and servers run disparate operating systems such as Microsoft® Windows® 98/XP/2000, Mac OS9/X®, UNIX® and Linux®. A unique feature of Openfiler is that it bridges the SAN and NAS paradigms on a network, so that the entire scope of storage management tasks on an enterprise network could potentially be managed from one single console.

The main beneficiaries of Openfiler are the storage and network administrators whose jobs are becoming increasingly difficult to carry out due to the massive explosion in data proliferation on enterprise networks. There is data on workstations, data on servers, data in SAN islands and on NAS appliances scattered all over the network. The administrator is tasked with managing these disparate storage resources: bring all users in a certain department into a single storage domain; provide the MIS people with more space for their Oracle-based business intelligence applications; bring block-based storage volumes from the SAN into the file-based NAS environment to increase storage capacity for IP clients on the network. These are just some of the challenges that administrators face on a daily basis, and Openfiler is designed to make solving them as simple as "point and click". Openfiler is designed to consolidate and simplify management of storage resources in a network.
In its initial standalone form, Openfiler installed on a standard x86 Intel-based server or workstation turns that system into a full-fledged NAS appliance.

This document and the software it describes are governed by the terms of the GNU General Public License (GPL), which is available at: http://www.gnu.org/copyleft/gpl.html

Copyright 2004, 2005 Xinit Systems Ltd, Voluna Software Ltd. UK. All rights reserved. This document contains information that is subject to change without notice and is not representative of a commitment on the part of Xinit Systems or Voluna Software. This Administrator Guide describes the Openfiler Storage Configuration Centre, which is governed by the GNU GPL. Openfiler Storage Configuration Centre may only be used in accordance with the terms of the GNU GPL.

Openfiler, the Openfiler moniker, Xinit Systems, the Xinit Systems moniker, Voluna & Voluna Software, and the Voluna Software moniker are trademarks of Xinit Systems Ltd. and Voluna Software Ltd. Windows, Windows NT, Windows 95, Windows 98, Windows XP, Windows 2000, Windows 2003, Microsoft, Internet Explorer, and Active Directory are registered trademarks of Microsoft Corporation. Java and Solaris are registered trademarks of Sun Microsystems Inc. MacOS, MacOS X, AppleTalk, Macintosh and Safari are registered trademarks of Apple Corporation. XFS and Irix are trademarks or registered trademarks of SGI Inc. AIX and JFS are trademarks or registered trademarks of IBM Corporation. Red Hat, Red Hat Enterprise Linux and Fedora are trademarks or registered trademarks of Red Hat Inc. SuSE Linux 8.0, SuSE Linux 9.0 and SuSE Linux Enterprise Server 8 are trademarks or registered trademarks of SuSE Linux and Novell Inc. Netware is a registered trademark of Novell Inc. Linux is a registered trademark of Linus Torvalds.

This section describes the Openfiler Storage Configuration Centre management interface.
If the Administrator is already conversant with the interface and wishes to start configuration of network storage resources, please proceed to section 3 of this document.

To access the interface, open a web browser and establish a connection with the system running Openfiler by pointing the browser at the configured IP address of the Openfiler system. The network port for the interface is 446. To access the interface, use the HTTPS protocol: https://<IP or hostname>:446/

This section describes all the configuration sections in the administration interface, giving a brief description of what is included in the respective tabs. The first page the administrator sees is the login screen. Enter the administrator username "openfiler" and the default administrator password "password" in the provided fields.

The Accounts Section consists of four tabs leading to four different sub-sections. The User Information Configuration sub-section provides a means of selecting different methods of retrieving user information on the network. This user information is used in other sections of the Openfiler Storage Configuration Centre for granting access control to groups and users. Openfiler supports user information retrieval from the following network directory protocols:
Details about each of the User Information Configuration protocols are beyond the scope of this document.

The Use NIS checkbox should be selected to configure the system as a NIS client to a NIS server running elsewhere on the network for user information and authentication.

Note: A NIS Domain should not be confused with a Windows Domain.

The Use LDAP checkbox should be selected if user and group information should be imported from an LDAP server. The TLS checkbox should be selected if Transport Layer Security is to be used for the communications with the LDAP server.

Warning: The Openfiler interface does not prevent multiple user information configuration methods from being selected simultaneously. Administrators should proceed with caution when using more than one directory server, to prevent clashes between identical user ID and group ID entries in different configured directory services. More than one User Information protocol should be selected only when there is a guarantee that identical entries do not exist in the different directories.

The Use Windows domain controller and authentication checkbox should be selected if users and groups in a Windows domain are to be allowed access to the storage resource on the Openfiler appliance. Openfiler now supports both standard NT4 domain controllers as well as native and mixed-mode Active Directory authentication. For native-mode Active Directory servers, the Active Directory radio button must be selected, and for mixed-mode or NT4 domain controllers, the NT4-style Domain (RPC) radio button must be selected. The Domain field must contain the domain name only when using mixed-mode or NT4-style Domain; otherwise this field should be left blank.

Note: The Use Windows domain controller and authentication option works in conjunction with the SMB settings found in the Services tab of the Openfiler Storage Configuration Centre.
The NetBIOS name entered in the Services -> SMB Settings section will be the name used to register the Openfiler appliance with the domain controller. The UID range and GID range fields allow the Openfiler administrator to set the range of UID and GID mappings from Windows to Unix. If more than one User Information protocol is selected in addition to using the Windows domain controller and authentication, then care must be taken to ensure that the range will not clash with UIDs and GIDs in one of the other user authentication methods.

The Use Hesiod checkbox should be selected if user and group information should be imported from a remote Hesiod database. Hesiod is an extension to DNS that uses DNS records to store information such as user and group data.

Note: The Hesiod protocol in this context is intended to work in combination with a Kerberos authentication server, which can be configured in the Authentication Configuration sub-section of the Accounts page.

The Authentication Configuration sub-section below provides a means of selecting different authentication mechanisms for network clients accessing services on the Openfiler appliance. These authentication mechanisms are used in conjunction with the user information provided by directory servers such as LDAP and Hesiod. Openfiler supports the following authentication methods:
The Use LDAP Authentication checkbox should be selected if LDAP is to be the authentication mechanism. LDAP entries must have user password information stored along with the username. The Use TLS checkbox enables or disables the use of Transport Layer Security when communicating with the LDAP server.

Note: LDAP settings in the User Information Configuration sub-section are automatically propagated to the Authentication Configuration sub-section and vice versa.

The Use Kerberos 5 checkbox should be selected if Kerberos is to be used as the authentication mechanism. Usually this is used in conjunction with either LDAP or Hesiod directories.

The Use SMB Authentication checkbox should be selected if authentication is to be done via an SMB server. This could be a Windows or Samba server on the network capable of authenticating users.

The List of Groups tab allows the Administrator to view group information imported from the different servers enabled and configured in the Authentication tab. Information is displayed in a tabular format with the column headings:
Clicking on the table headers GID, Group Name and Group Type will sort the list of entries by GID, Group Name and Group Type respectively. Clicking on items in the group name column itself pops up a window with group membership information. The group list is paginated to present up to ten group names per page. The Administrator can navigate the list forward or backward by using the links provided in the table header. Clicking on an individual group name link will present a popup with a list of all the members of that particular group.

Note: This version of Openfiler does not support the addition and deletion of users and groups. This is because users are being pulled into the system from external directories such as LDAP or Windows PDC/AD, and there is no uniform mechanism to add or delete users on these directory servers remotely. Future versions of Openfiler may have support for addition and deletion of users and groups via a local instance of an LDAP directory server.

The List of Users tab allows the administrator to view user information imported from the different directory servers enabled and configured in the Authentication tab. Information is displayed in a tabular format with the column headings:
Clicking on the table headers UID, User Name, User Type and Primary Group will sort the list of entries by each of the respective headers.

The Admin Password tab opens up a page for changing the Openfiler administrator password. The administrator username, openfiler, cannot be changed. In order to change the administrator password, the current administrator password is required for security reasons. Three fields need to be filled to change the password.

The Volumes Section consists mainly of two tabs leading to two different pages. The Existing Volumes tab opens up a page for managing existing volume groups. Information and facilities provided on this page include:
All volume groups, once configured, will have a cluster of logical volumes that are part of that volume group. Individual volumes enable administrators to physically limit the storage capacity exported on a per-share basis, and also to set resource controls such as quotas.

Snapshots are point-in-time copies of a volume. Snapshots can be created for individual volume slices once the volume slices have been created in the Create New Volume page. Clicking on the Create or Manage links in the Snapshots column in the list of volumes takes you to the snapshots management sub-section for that volume. In this sub-section, the administrator can look at the list of existing snapshots and also create new snapshots. Volume snapshots are implemented using a copy-on-write mechanism. This means that space allocated to a snapshot is consumed whenever updates are made to data blocks on the source volume after the snapshot is created. The display shows the current block utilization of the snapshot and the maximum allocated space, which can be extended using the Snapshot size column and the Save button. The Share contents field is used to indicate whether the read-only snapshot is made available for sharing using the original volume's share settings.

The administrator can schedule snapshots to happen automatically in an unattended manner. To do this, the administrator provides the Interval in hours field and the Rotate count field, in addition to the size and share option. The snapshot schedule then starts from the next midnight, and snapshots happen at the configured intervals in time. Once a number of snapshots equal to the Rotate count have been taken, the next scheduled snapshot will automatically delete the oldest snapshot. Snapshots are rotated in this way so that at any time, the maximum number of snapshots in rotation equals the Rotate count.

The Create New Volume tab opens up a page for creating new volumes.
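The scheduling and rotation rule described above (first snapshot at the next midnight, then one every Interval hours, oldest deleted once Rotate count is reached), worked through as an added simulation; this is example code, not part of Openfiler, and the dates and settings are constructed.

```python
from datetime import datetime, timedelta


def first_snapshot_time(now):
    """The schedule starts at the midnight following `now` (constructed reading
    of "starts from the next midnight": a request made exactly at midnight
    still waits for the following midnight)."""
    return (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def simulate_rotation(now, interval_hours, rotate_count, until):
    """Return the snapshot times still retained at `until`.

    Each scheduled snapshot is taken interval_hours after the previous one.
    Once rotate_count snapshots exist, the next scheduled snapshot first
    deletes the oldest, so at most rotate_count snapshots are ever held.
    """
    retained = []
    t = first_snapshot_time(now)
    while t <= until:
        if len(retained) >= rotate_count:
            retained.pop(0)  # delete the oldest snapshot before taking a new one
        retained.append(t)
        t += timedelta(hours=interval_hours)
    return retained


def snapshots_taken(now, interval_hours, until):
    """Total number of snapshots the schedule has fired by `until`."""
    count = 0
    t = first_snapshot_time(now)
    while t <= until:
        count += 1
        t += timedelta(hours=interval_hours)
    return count


if __name__ == "__main__":
    # Constructed: schedule configured on 1 March 2005 at 14:30, every 6 hours, keep 4.
    configured = datetime(2005, 3, 1, 14, 30)
    end = datetime(2005, 3, 3, 0, 0)
    print("taken:", snapshots_taken(configured, 6, end))
    for ts in simulate_rotation(configured, 6, 4, end):
        print("retained:", ts)
```

Running it shows five snapshots fired by the morning of 3 March but only the last four retained, the oldest (2 March 00:00) having been rotated out.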
Block storage statistics for each volume group are summarized in a table.
Furthermore, the administrator will be able to create logical volumes within each volume group. The Volume Name field is for setting the name of the new volume. This volume name field sets the path for the volume under the openfiler path, e.g. /mnt/openfiler/<new_volume_name>/

The Quota section consists of a single page for setting group quotas. The Group Quota page allows the administrator to set per-volume quotas for individual groups accessing storage resources on the Openfiler appliance. In order for the settings for Group Quota to be visible, at least one volume must exist. If there are no existing volumes, clicking on the Quota tab will redirect to the Volumes tab, where the administrator needs to create new volumes on which to allocate quota. For more information about quota allocation, please see the System Setup section.

The Shares Section consists of two tabs leading to two different pages for creating and viewing shares and snapshots of shares. Shares are filesystem locations that are exported via any one of the file-based storage export protocols supported by Openfiler, such as NFS and SMB/CIFS. Shares are created within sub-directories of logical volumes. At least one logical volume must exist before a share can be created. Once a logical volume has been created, the administrator can click on the Shares tab, and the list of logical volumes that have been created will show up in the List of Shares, under which subdirectories and, subsequently, shares can be created.

The List of Current Shares tab opens up a page for creating shares within defined logical volumes. Each logical volume that has been defined in the Volumes section will be listed on this page. The administrator can then click on any logical volume to create subdirectories of the logical volume, which in turn can contain child nodes to be converted to shares, or be converted into shares themselves.
The List of Snapshot Shares tab opens up a page that lists all existing snapshots of logical volumes. The administrator has the option of enabling sharing of a snapshot in the snapshots page of the logical volume in question, which will allow users access to point-in-time copies of their data. If the administrator enables sharing on the snapshot of a logical volume, the List of Snapshot Shares page lists which snapshots are enabled for sharing along with the corresponding share names and locations on the filesystem. The Services Section consists of two tabs leading to two different pages, for enabling and disabling services, and configuration of SMB settings. The Enable/Disable tab opens up a page for starting and stopping network filesystem services. Openfiler allows storage resources to be exported via a number of protocols. The corresponding services for these protocols can be managed from this page. Storage export services are listed in a table with three columns:
The SMB Settings tab opens up a page for entering SMB settings for the Openfiler appliance. Options that can be set include

The System Section consists of three tabs leading to three different pages for configuring local networks, the system clock and shutting down the system. The Local Networks tab opens up a page for setting networks that are allowed to access resources exported by the Openfiler appliance. This is used for network-level access control. Networks and hosts that will need to access resources from the Openfiler appliance are first added to this list, and the individual hosts and networks are then assigned access to particular shares in the Shares section. Networks and hosts are listed in a table with four columns:
The Clock tab opens up a page for setting system time. The administrator has the option of setting the system time manually or using a remote network time protocol (NTP) server. The administrator can also set the system timezone.

Note: It is important that system time is accurate. Whenever possible, the administrator should elect to use an NTP server.

The Shutdown tab opens a page that will allow the administrator to shut down the system. The administrator has the option of shutting down the system immediately or after a specified interval. The administrator can elect to have filesystems checked on startup. There are two types of shutdown actions.

This section deals with out-of-the-box Openfiler appliance setup and configuration. Administrators should follow the sequence of steps to quickly get an Openfiler installation up and serving storage via file-based storage export protocols.

The Openfiler Storage Configuration Centre is HTML-based and XHTML 1.0 Transitional conformant. A standard web browser which supports JavaScript is all that is required to access the interface and perform administrative tasks. The administrator should point the web browser to the IP address of the Openfiler appliance to establish a connection. If the IP address of the Openfiler appliance has been entered into a local DNS, the hostname can be used instead. The management interface operates on port 446 and runs in encrypted mode using SSL, so the HTTPS protocol URI should be used in the navigation bar to access the interface. Example: https://openfilerappliance.exampledomain.com:446/ or https://192.168.1.17:446/

Once a successful connection has been established, the administrator is presented with a security certificate challenge. This is a self-signed certificate, hence the warning. It is safe to click the OK button and continue. After clicking the OK button, the administrator is presented with the Openfiler login screen. The Openfiler administrator account username is "openfiler".
The default password is "password". Both the username and password are case sensitive. Proceed to enter the username and password in the designated fields. Once the username and password have been entered, the administrator should proceed by clicking on the

To change the administrator password, click on the Admin Password tab; this will open a page where the administrator password can be changed. Changing the administrator password is simple. The administrator is presented with three fields. In the

Once all fields have been completed, click the

Note: All fields need to be completed accurately for the administrator password change to be committed. If there is a mismatch between the

It is imperative that the system time is set correctly before users are allowed to store data on the system. To set the system time, click the General tab, then click the Clock tab. System time can be set manually, or the system clock can be synced with a time server. If the system running Openfiler has a route to the Internet, it is better to set the system time using a time server. If there is no route to the Internet, then system time must be set manually.

To set system time manually, scroll down to the Set system clock manually sub-section of the Clock tab. When the Clock page is reloaded, the system time at the point when the page was loaded will be displayed in the Set system clock manually sub-section. To set the system date, use the drop-down list boxes provided in the Date row. The first list box is for selecting the day of the month. The second list box is for selecting the month of the year. The third list box is for selecting the year. Select desired values for all three options. To set the system time, use the drop-down list boxes provided in the Time row. The first list box is for selecting the hour of the day. The second list box is for selecting the minutes of the hour. Select desired values for the two options.
Once all the Date and Time options have been satisfactorily selected, the system date and time can be set by clicking on the

Note: If the system time is wrongly set, any files that are subsequently stored on the filesystem will have the wrong timestamp. A way to ensure that the correct time is set is to use a trusted network time server.

The Set system clock using NTP sub-section lets the administrator set the system time automatically from a network time server that will provide an accurate time. Setting the system time using NTP is as simple as selecting one of several time servers from the provided list in the drop-down menu and clicking on the

The system timezone must be set in conjunction with the system date and time. Scroll down to the Timezone sub-section and select the correct timezone from the list. If the system clock uses Coordinated Universal Time (UTC), then the

The next step in setting up the system is to create storage volumes. A logical volume (volume slice) is the fundamental storage unit within which shares are created. A logical volume is a slice of the total disk space available. Logical volumes allow the administrator to physically separate different organisational units or applications on the storage appliance. For instance, the sales department could be physically allocated 100GB of storage and the finance department can be allocated 70GB of storage.

To create a logical volume, click on the Volumes tab. This will open the main Volumes page, which shows statistics for existing volumes. At this point the only volume group in existence is the main volume group, openfiler, from which volume slices will be created. These volume slices can subsequently be accessed in the Shares section and shares created within them. Proceed to create a volume slice by clicking on the Create New Volume tab. The available volume groups on the system are listed sequentially in alphabetical order. Scroll down to the volume group where the logical volume is to be created.
To create a new volume slice, a name, description and desired space in megabytes are required. Enter the desired name for the volume slice that is to be created. This field is the on-disk filesystem Unix name. It should resemble the name one would give to a file on the filesystem. The name should not contain any spaces. All entries are created under the /mnt/<vgname> path on the filesystem. So in this case entering "sales" in the Volume Name field will create a volume slice and mount it in /mnt/<vgname>/sales/. The Volume Description field allows the administrator to set a logical name to describe the volume in the Shares section, where shares are created within volumes. In this case, the Volume Description has been set to Sales_data. The Required Space field is for entering the desired space in MB for the volume slice. For example, to allocate 100GB to the sales volume, enter 100000 in the Required Space field. Once all the fields have been correctly filled, click the Create button to create the volume slice.

Once the volume slice has been created, the administrator will be automatically redirected to the Existing Volumes page, where statistics for the newly created volume can be viewed. Additional volume slices can be created by clicking on the Create New Volume tab and entering the desired information in the provided fields. Repeat the volume creation step and add as many different volume slices as desired, up to the maximum available storage space. The Free Space row in the Block storage statistics for VG "openfiler" table shows how much space is available to create volumes with. The minimum volume size is 32MB.[1] Once the volume slices have been created, it is time to configure user information and authentication.

Note: Creating large volume slices can take a very long time. The system might seem to have hung, but what is actually happening is that the volume slice is being created and initialized in the background.
Once the volume slice is ready, the Existing Volumes page automatically loads up.

Openfiler Storage Configuration Centre imports user and group information from central directory servers such as LDAP, NIS and Windows Domain Controllers. Authentication of users is also done from central directory or authentication servers. Currently Openfiler Storage Configuration Centre supports importing user information from LDAP, Windows PDC, NIS and Hesiod directories. Authentication support is available for LDAP, Kerberos 5 and SMB. One or more user directories can be combined with one or more authentication mechanisms. For instance, both NIS and LDAP can be selected for user information, with user authentication for LDAP happening within LDAP itself or using Kerberos 5. Another combination could be Windows Domain Controller and LDAP. It is the responsibility of the administrator to ensure that there are no clashes between UID and GID entries among the different directories if more than one information and authentication mechanism is to be used. If a clash exists, Openfiler Storage Configuration Centre has no way of determining the difference between identical users and groups in the different directory servers, rendering the system configuration unstable.

To configure authentication, click on the Accounts tab. The Authentication page is the default page for the Accounts section. The Authentication page is divided into two sub-sections: User Information Configuration and Authentication Configuration. The User Information Configuration sub-section is for configuring directory servers to import user and group lists from. These user lists will have general user account information such as the username, group name, numerical user ID and group ID and other user data. The Authentication Configuration section is for configuring authentication mechanisms for the users that are imported from directory servers configured in the User Information Configuration sub-section.
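The UID/GID clash problem raised in the Accounts description above and again here (identical numeric IDs in two directories, or directory IDs falling inside the Windows UID/GID mapping range) can be checked before enabling a second directory. The following is an added example, not Openfiler code: it assumes each directory's users and groups have been exported as passwd- and group-style lines (constructed sample data below) and that the Windows mapping range is the one entered in the UID range and GID range fields.

```python
from collections import defaultdict

# Constructed sample exports: UID/GID 1001 is used by different names in NIS and LDAP.
NIS_PASSWD = """\
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""
LDAP_PASSWD = """\
carol:x:1001:1001:Carol:/home/carol:/bin/bash
dave:x:2001:2001:Dave:/home/dave:/bin/bash
"""
NIS_GROUP = """\
sales:x:1001:alice,bob
"""
LDAP_GROUP = """\
finance:x:1001:carol
"""
# Constructed: the Windows domain controller UID/GID mapping range as configured.
WINDOWS_UID_RANGE = (1000, 1999)
WINDOWS_GID_RANGE = (1000, 1999)


def parse_ids(text):
    """Return {numeric_id: name} from passwd- or group-style lines.

    Both formats carry the name in field 0 and the numeric ID in field 2,
    so one parser serves user and group exports.
    """
    ids = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        ids[int(fields[2])] = fields[0]
    return ids


def find_clashes(sources):
    """sources: {source_name: {id: name}}.

    Return {id: [(source, name), ...]} for every numeric ID present in more
    than one source. Whether the names match or not, Openfiler cannot tell
    the entries apart, so both cases are reported as clashes.
    """
    seen = defaultdict(list)
    for source, ids in sources.items():
        for num, name in ids.items():
            seen[num].append((source, name))
    return {num: owners for num, owners in seen.items() if len(owners) > 1}


def find_range_overlap(sources, id_range):
    """Return (id, source, name) for directory IDs inside the Windows mapping range."""
    lo, hi = id_range
    return sorted(
        (num, source, name)
        for source, ids in sources.items()
        for num, name in ids.items()
        if lo <= num <= hi
    )


def audit():
    """Run all checks over the constructed exports and return the findings."""
    users = {"nis": parse_ids(NIS_PASSWD), "ldap": parse_ids(LDAP_PASSWD)}
    groups = {"nis": parse_ids(NIS_GROUP), "ldap": parse_ids(LDAP_GROUP)}
    return {
        "uid_clashes": find_clashes(users),
        "gid_clashes": find_clashes(groups),
        "uids_in_windows_range": find_range_overlap(users, WINDOWS_UID_RANGE),
        "gids_in_windows_range": find_range_overlap(groups, WINDOWS_GID_RANGE),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, "->", findings if findings else "none")
```

An empty result for every check is the condition under which the document says more than one directory may safely be enabled.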
In some cases, with NIS for instance, the user information and authentication mechanisms are integrated. In other cases, such as with LDAP or Windows Domain Controller, the user information and authentication mechanisms can be either integrated within the same resource, or the user information directories can be combined with different authentication entities. The Administrator should proceed by adding at least one User Information directory, and one or more authentication mechanisms for the selected user directory if the authentication system is not integrated with the user directory service.

NIS is usually configured as a standalone integrated user directory and authentication system. To configure the system to use NIS, scroll down to the Use NIS row of the User Information Configuration table. Select the Use NIS checkbox. Enter the domain name value of the NIS domain in the Domain field of the Use NIS row. Enter the IP address, or if the NIS server is in DNS, the fully qualified hostname of the NIS server in the Server field of the Use NIS row. To commit the entry, scroll to the bottom of the Authentication page and click the Submit button. To verify that the user and group list has been imported from the NIS domain, click on the List of groups and / or List of users tabs at the top of the page.

Note: It will take about 60 seconds for any changes in the user directories to appear in the interface. Please be patient.

If no other user directory is present on the network, please proceed to the Configure Local Networks section.

To configure an LDAP user directory, proceed to the Use LDAP sub-section. The system can be configured to import user information from LDAP. LDAP can be used standalone for both user information and user authentication. It can also be used in combination with Kerberos for user authentication. LDAP + Kerberos is an advanced configuration and is not supported with CIFS export at this time.
Generally, configuring authentication for Windows clients with anything other than a Windows Domain Controller will require substantial configuration expertise in the respective directory and authentication servers. Configuration of directory and authentication servers is beyond the scope of this document.

To configure the system to use LDAP for both user information and user authentication, scroll down to the Use LDAP row of the User Information Configuration table. Select the Use LDAP checkbox. If the LDAP server has been configured with TLS support, select the Use TLS checkbox in the Use LDAP row of the User Information Configuration table. In the Server field for the Use LDAP row, enter the IP address or fully qualified domain name of the LDAP server that holds the user database. In the Base DN field for the Use LDAP row, enter the Base DN of the LDAP domain. If the LDAP server does not allow anonymous bind, a

To complete the LDAP configuration, scroll down to the Authentication Configuration sub-section of the Authentication page. Select the

Note: It will take about 60 seconds for any changes in the user directories to appear in the interface. Please be patient.

To configure the system to use LDAP for user information and Kerberos for user authentication, follow the same steps as in section 3.5.2.1 but, instead of selecting the Use LDAP Authentication checkbox in the Authentication Configuration sub-section of the Authentication page, select the Use Kerberos 5 checkbox. In the Realm field, enter the desired Kerberos 5 realm. In the KDC field, enter the fully qualified hostname or IP address of the Kerberos key distribution centre for the realm. In the Admin Server field, enter one or more comma-separated hostnames or IP addresses of Kerberos administration servers. To commit the settings, scroll down to the bottom of the Authentication page and click the Submit button.
To verify that the user and group list has been imported from the LDAP domain, click on the List of groups and / or List of users tabs at the top of the page. If no other user directory is present on the network, please proceed to the Configure Local Networks section.

Note: It will take about 60 seconds for any changes in the user directories to appear in the interface. Please be patient.

The Windows Domain Controller option is likely to be the most common method for importing user and group information to support Windows-based network clients. To configure a Windows domain controller, scroll down to the Windows domain controller row of the User Information Configuration table and check the

For configuring authentication with Active Directory, select the

For configuring authentication with NT4 PDC, select the

To configure the system to use Hesiod for user and group information and Kerberos for user authentication, scroll down to the Use Hesiod row of the User Information Configuration table. Select the Use Hesiod checkbox. In the LHS and RHS fields of the Use Hesiod configuration, enter the LHS and RHS domain prefix and default domain values. Next, scroll down to the Use Kerberos 5 row of the Authentication Configuration table. Select the Use Kerberos 5 checkbox and enter the rest of the values for the respective Kerberos 5 fields. Once the desired entries have been made, scroll down to the bottom of the Authentication page and click the button. To verify that the user and group list has been imported from the Hesiod domain, click on the List of groups and / or List of users tabs at the top of the page. If no other user directory is present on the network, please proceed to the Configure Local Networks section.

Note: Only user accounts imported from a network directory system such as a Windows Domain Controller, NIS server or LDAP server can access shares on the system.
The only exception to this is the guest account, which is a special Openfiler account for guest access to shares. Users created locally at the command line will not be able to access shares on the system.

Openfiler Storage Configuration Centre provides an access control mechanism for networks and hosts. This is a security feature that ensures data is safe from prying eyes: the administrator specifies which network hosts are allowed to access the data stored on an Openfiler appliance. Before proceeding to create shares, the administrator must configure the local networks that are allowed to access shares. Once local networks have been added, the administrator can then create shares and assign access control for each share individually.

Local networks configuration takes place in the Configure Local Networks page. To configure local networks, click the General tab followed by the Configure Local Networks tab. Once on the Configure Local Networks page, proceed to add hosts and / or networks that will be allowed to access shares on the Openfiler appliance. To add a new host or network to the list, simply enter the desired information in the designated fields and click the update button. Only one network or host entry can be made at a time. To delete an entry from the list, select the checkbox for that entry in the Delete column and click the update button. All fields are mandatory. Remember to use sensible and unique names for networks and hosts: the name key is the only identifier that will allow the administrator to determine network access control in the shares section. Every time a new entry is made and the update button clicked, another row is automatically provided for a new entry. The administrator can make as many entries as required. Once network entries have been made, proceed to create shares by clicking on the Shares tab.

A share is a location in a volume slice that can be exported via any one of the Openfiler-supported network filesystem protocols.
Shares can be created and edited in the Shares screen by clicking on the Shares tab. The default Shares screen lists all existing volume slices. Once shares are created within the volumes, the default Shares screen will show all existing volume slices, their folders and sub-folders, and any shares created within these folders and sub-folders. Shares are created within volume slices. Clicking on a volume slice link will open a dialog to enter the name of a sub-folder of the volume slice, which can subsequently be converted to a share.

To create a share, click on the identifier for an existing volume. This is the root folder for that volume. A dialog box will pop up with a single field, Folder name, where the administrator should enter the name for a folder. Once the name for the folder has been specified, click the button. This will create a sub-folder of the root folder. Parent folders (folders that contain sub-folders) cannot be made shares or deleted. Only leaf folders can be made into shares. The root folder is a parent folder and hence cannot be made a share. The administrator can create as many sub-folders as desired.

Clicking on a sub-folder will open a dialog box that allows several actions. From within this dialog box, the administrator can create a sub-folder within the sub-folder, rename the sub-folder, or convert the sub-folder into a share. To make the sub-folder a share, click on the button. This will convert the sub-folder to a share and the administrator will be automatically taken to the share management page for the newly created share. The administrator will be able to tell that the sub-folder is a share because the icon next to the sub-folder identifier now has an arrow to indicate that it is a share. Shares cannot have sub-folders (clients will be able to create directories and files inside shares when they are exported). Clicking on the identifier for a share will open a new page, "Edit Shares".
The Edit Shares page is divided into three sections. There is a section for renaming a share identifier and description, one for setting group access control, and a final section for setting network access control and services for the share.

To change the name or description of a share, scroll down to the Edit share <path of share> section. Here the share name or description can be changed. To change the name of the share, enter the new identifier for the share in the Share name field and click the change button for the Share name field. To change the description of the share, enter the new description in the Share description field and click the change button for the Share description field. Changing the share name has the effect of moving the filesystem path terminating with the old share name to a new filesystem path terminating with the new share name. Any network filesystem mounts, such as NFS or WebDAV, would need to be remounted with the new path after a Share name change. Changing the share description has the effect of presenting the share in the network neighbourhood browse list with the new share name. Any mapped drives will therefore lose their connection to the share and would need to be remapped with the new share name.

Access to shares is configured at the group level and the network level. Security for a share can be loose or tight depending on the required security level for the share. For loose security, the share can be set to the public access level. With public access, any user on the network who is logged into a client machine that has network access will be able to access the share. With controlled access, only users that have been given specific access permissions will be able to access the share. To configure group access to a share, scroll down to the Group access configuration sub-section. There are two selectable radio-buttons. To allow guest access to the share, select the

For restricted access to the share, the
Every share must have a primary group, of which there can be only one. To select the primary group for a share, simply select the corresponding

To grant read-only access to a group for the share, select the

Once access control to the share has been configured at the group level, network-level access control has to be configured. The host access configuration section determines which hosts on the network are permitted access to shares. Groups that have been granted access rights to the share will only be able to access or view the share from a host that has been granted network-level access rights to the share. The administrator can determine which share access protocols are permitted for each individual host or network.

To configure network-level access control, scroll down to the Host access configuration sub-section of the Edit Share page. The information in this sub-section is displayed in a tabular format. The first column of the table lists the names of networks and hosts that are permitted network access to the Openfiler appliance. Any hosts or networks listed in the Create Local Networks section will appear in this list. Hosts listed in this table must be given access to shares via at least one protocol in order to access any storage resources on the appliance. Currently, the administrator can set access control for the SMB (CIFS), NFSv3, HTTP(S)/WebDAV and FTP protocols, which are listed in the second, third, fourth and fifth columns respectively. The default setting is for access to be disabled for all networks over all protocols; the administrator must explicitly enable the desired network access control level for each individual host or network. For each host or network, the administrator can set access to the share via the supported protocols at the desired access control level. Network access control for SMB/CIFS allows for different settings depending on the desired effect for the share and the source of the connection.
There are four options for SMB/CIFS network ACL and they are applied on a per-host or per-network basis. The options and their descriptions are:
The administrator must ensure that any share exported via NFSv3 has the correct level of security settings in line with the requirements of the network storage security policy. There are six options for NFSv3 and they are applied on a per-network basis. The options and their descriptions are:
Note: If Export ACL is disabled, only the users in the GID marked as primary group can access the share. If Export ACL is enabled, only users in all the groups assigned to the share can access the share. Enabling this option will turn on a special extension to the NFSv3 protocol which may break interoperability with older NFS clients.

Access control via HTTP(S)/WebDAV can be set on a per-host or per-network basis based on the access requirements for the share. There are three options available for HTTP(S)/WebDAV network access control. The options and their descriptions are:
Access control via FTP can be set on a per-host or per-network basis based on the access requirements for the share. There are three options available for FTP network access control. The options and their descriptions are:
A share can only be deleted from within the configuration page for the share itself. To delete a share, scroll down to the bottom of the page for the particular share and click the "Delete This Share" button. The share, including all user data, will be deleted.

Once host access configuration has been set for all desired hosts and networks, click the button. Any individual hosts within the specified network(s) will then be able to access the share via the specified protocols and access levels. Proceed to the Allocate Quota section if any restriction is desired on the amount of data or number of files a user or group should be assigned on a volume.

By default, storage space on the Openfiler appliance must be allocated on a per-group and per-volume slice basis. This means that once group and host access control have been configured, quota allocation to the configured volume slices can take place. Quota allocation in this case is a physical resource limit on the filesystem of the amount of storage resources a group is allowed to consume. The administrator should bear in mind that quota allocation takes place at the volume slice level and not at the share level. This has two implications:
To configure quota allocation, click on the Quota tab. This will open up the Quota page, defaulting to the Group Quota tab. The Group Quota page is divided into two sub-sections. The Select Volume sub-section allows the administrator to select the target volume slice for quota information display and space allocation. Volume slices are displayed in a drop-down listbox. To view statistical information and perform administrative tasks on the currently listed volume slice, leave the selection unchanged and scroll down to the Edit quota sub-section. To perform administrative tasks on a different volume slice, select the desired volume slice from the drop-down listbox and click the Change button. This will reload the page with the selected volume slice.

Once the desired volume slice has been selected and the page has reloaded, scroll down to the Edit quota sub-section of the Group Quotas page. The Edit quota sub-section allows allocation of quota at the block and file level. Block-level quota allocation places a physical limit on the amount of space a group can consume on the volume slice. File-level quota allocation places a physical limit on the number of files and directories a group is allowed on the volume slice. By default, both block-level and file-level allocation is set to zero for all groups. The Edit quota section lists all groups that have been imported from the configured directory servers. Quota allocation for groups can proceed individually, where block and file level quota is allocated for each group respectively, or it can be batched, whereby several groups are selected at a time and quota is allocated for all selected groups at once. There are two tables in the Edit quota section. The first table is for allocating quota in batched mode. The second table lists all groups that have been imported by Openfiler Storage Configuration Centre and is for allocating quota on a per-group basis. The second table is divided into eleven columns:
To allocate quota in batch mode, click the X table header. This will select all groups in the list. Deselect any groups that do not fall within this quota allocation by deselecting the corresponding checkbox for that group in the X column. Scroll back up to the first table of the Edit quota sub-section and enter the desired megabyte and file limits. Click the Save button. Clicking the Save button will commit the changes and reload the page. All groups that were selected will now have their block and file allocation quotas set to the desired values. To customise further, individual groups can have specific block and file quota allocation by entering the desired values in the respective column fields for the individual groups and clicking the corresponding Save button when the desired values have been entered. If allocating identical quota for more than one group, it is always more efficient to simply select the checkbox in the X column for the desired groups and configure the quota in batch mode.

Once the desired settings have been committed in the Quotas section, the final task for the administrator is to enable services. Once all other configuration tasks have been completed, file-export services can be enabled. Enabling a service means that any shares in the Shares List that have that service configured as one of the supported protocols will be activated. Once the share is activated, any users on the network that have been given access to that share will be able to access the share via the corresponding activated protocols. To enable services, click on the Services tab. This will open the Services screen where the supported services are listed in a table. The first column displays the protocol, the second column displays the state of the service and the third column allows the administrator to enable or disable the service depending on whether the service is running or not. To enable a disabled service, click on the Enable link in the Modification column.
To disable an enabled service, click on the Disable link in the Modification column. Once a service has been enabled, users on the network will be able to access any shares for which they have been given access rights. The administrator is encouraged to explore the different facets of the Openfiler Storage Configuration Centre interface further.

This section deals with advanced volume management such as volume group creation and snapshot administration. Volume management in the Openfiler SCC deals with creating logical volumes (volume slices) from existing volume groups. In order to use volume groups in the Openfiler SCC Volume section, they must first be created at the command line or should have been created during the installation process. Volume creation is a three-step process:
A physical volume in the context of the Logical Volume Manager (LVM) is a block device (disk) that has been initialised with LVM metadata. A block device can be any local or imported disk unit that is to be used exclusively as a volume group object, i.e. it cannot be used for any other purpose. The list below outlines the types of block devices that can be used for LVM physical volumes:
A physical volume must be initialised before being used in a volume group. Physical volumes are initialised with the pvcreate command.

Warning: Running pvcreate on a block device will destroy ALL data on the block device. Do not run pvcreate on a block device or disk partition that contains a filesystem with important data on it.

The pvcreate command can be run on either an entire disk or a partition of a disk. To initialise a disk or disk partition as an LVM physical volume, run the pvcreate command with the disk device(s) as a parameter. Multiple disk devices can be passed to the pvcreate command. The example below initialises multiple disks and disk partitions as LVM physical volumes.

pvcreate /dev/hda /dev/hdb /dev/hdc1 /dev/hdd2 /dev/sda1

The command above initialises two disks and three partitions with LVM physical volume metadata. Once the command completes, the first IDE disk (hda), the second IDE disk (hdb), the first partition of the third IDE disk (hdc1), the second partition of the fourth IDE disk (hdd2) and the first partition of the first SCSI disk (sda1) will have been initialised with LVM metadata. They can then be used to form a volume group. Volume group creation is described in the following section.

Note: If running pvcreate on a disk partition, that partition must be set as type 0x8e first or the pvcreate command will fail to initialise it. fdisk can be used to partition disks and to set partition types. A single physical volume can be up to 2 TB in size, which is the block device size limit in the 2.4 Linux kernel.

Warning: A physical volume can only belong to one volume group at a time. Do not try to initialise a physical volume that already belongs to an active volume group.

A volume group is an aggregation of one or more physical volumes, created by concatenating multiple physical volumes to form one large virtual volume. The capacity of the volume group is equal to the combined capacity of all the physical volumes allocated to the volume group.
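The two warnings and the 0x8e note above are easy to get wrong on a multi-disk appliance, so here is an added pre-flight script (not part of Openfiler or its documentation) that parses constructed samples of fdisk -l and pvdisplay -c output and refuses to build the pvcreate command line for any device that already belongs to a volume group or any partition whose type is not 8e. The device names and all command output are assumptions made up for the example; the script is a dry run and never calls pvcreate itself.

```shell
#!/bin/sh
# Added example, not Openfiler's own code: pre-flight checks that encode the
# guide's pvcreate warnings. All command output below is constructed sample
# data, not captured from a live system.

# Constructed sample of "fdisk -l" output for the partitions in the guide's
# example: hdc1 and sda1 are type 8e (Linux LVM), hdd2 is an ordinary 83.
FDISK_OUTPUT='   Device Boot      Start         End      Blocks   Id  System
/dev/hdc1               1        9729    78148161   8e  Linux LVM
/dev/hdd1               1        2000    16064968+  83  Linux
/dev/hdd2            2001        9729    62083192   83  Linux
/dev/sda1   *           1        4427    35559846   8e  Linux LVM'

# Constructed sample of "pvdisplay -c" output (pv_name:vg_name:... per line):
# /dev/hdb is already in volume group vg0, /dev/sda1 is a free physical volume.
PVDISPLAY_OUTPUT='  /dev/hdb:vg0:78156288:-1:8:8:-1:4096:9540:0:9540:x
  /dev/sda1::71119692:-1:8:8:-1:4096:8681:8681:0:y'

# Partition type Id (two hex digits) of a partition device, empty if unknown.
# Accounts for the optional "*" boot-flag column.  $1=device  $2=fdisk output
partition_type() {
    printf '%s\n' "$2" | awk -v dev="$1" \
        '$1 == dev { if ($2 == "*") print $6; else print $5; exit }'
}

# Volume group a device already belongs to, empty if none.
# $1=device  $2=pvdisplay -c output
pv_volume_group() {
    printf '%s\n' "$2" | awk -F: -v dev="$1" \
        '{ sub(/^ +/, "", $1) } $1 == dev { print $2; exit }'
}

# Print "ok" and return 0 if pvcreate may run on $1, else a reason and 1.
# $1=device  $2=fdisk output  $3=pvdisplay output
pv_precheck() {
    vg=$(pv_volume_group "$1" "$3")
    if [ -n "$vg" ]; then
        echo "refuse: $1 already belongs to volume group $vg"
        return 1
    fi
    case $1 in
        *[0-9])   # a partition: the guide requires type 0x8e (Linux LVM)
            t=$(partition_type "$1" "$2")
            if [ "$t" != "8e" ]; then
                echo "refuse: $1 has partition type '${t:-unknown}', expected 8e"
                return 1
            fi ;;
    esac
    echo ok
}

# Dry run: print the pvcreate command only when every device passes.
# $1=fdisk output  $2=pvdisplay output  remaining args=devices
pvcreate_dry_run() {
    fdisk_out=$1; pvdisplay_out=$2; shift 2
    for d in "$@"; do
        if ! msg=$(pv_precheck "$d" "$fdisk_out" "$pvdisplay_out"); then
            echo "$msg"
            return 1
        fi
    done
    echo "pvcreate $*"
}

# The guide's full command is refused here because /dev/hdb is already in vg0.
pvcreate_dry_run "$FDISK_OUTPUT" "$PVDISPLAY_OUTPUT" /dev/hda /dev/hdb /dev/hdc1 /dev/hdd2 /dev/sda1 || true
# Only devices that pass every check reach pvcreate.
pvcreate_dry_run "$FDISK_OUTPUT" "$PVDISPLAY_OUTPUT" /dev/hda /dev/hdc1 /dev/sda1
```

On a real appliance the two sample strings would be replaced by the live output of fdisk -l and pvdisplay -c, and the final echo by the pvcreate call.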
To create a volume group, pass a volume group identifier (the name of the volume group) and the list of initialised physical volumes, which are to be used for the data store, as parameters to the < |