Re: How to set up a common USER home directory across multiple zLinux Guests
On Wed, Dec 23, 2009 at 10:33 PM, CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov wrote:

> We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down?

You would need that central location to be as highly available as the rest... But even then, it may not be nice to always require that central location for everything you do. Along those lines, in a CSE environment I prefer production services not depend on a remote resource. Local resource for anything that keeps the system running, possibly remote resource for things that can be postponed, planned or worked around.

For our Linux setup, we decided on a slightly different route where each user gets a home directory on temporary space, but has his own central directory mounted R/O within that temporary home directory (e.g. as ~/homedir). The files in the temporary space were discarded after 2 weeks or so. This worked well for coming back a few times when diagnosing problems or doing things on some system. Also, when you don't share the actual home directory there's no risk of mixing things up. Only on the NFS host itself, the user got that as his home directory to make updates (you can use scp to put something there).

The reason for R/O was that our developers had root access on their own sandbox systems. We don't want them to use that to plant a trojan horse into someone's home directory that would be invoked on a production system again.

Rob

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: How to set up a common USER home directory across multiple zLinux Guests
Actually the support has been excellent!

Gerard

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of David Boyes
Sent: Wednesday, December 23, 2009 7:22 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: How to set up a common USER home directory across multiple zLinux Guests

Most definitely. And the support available is pretty good. They have to answer to me if it isn't...8-)

On Dec 23, 2009, at 7:05 PM, Shane Ginnane sginn...@isi.com.au wrote:

>> We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down?
>
> Wasn't this what {Open}AFS was designed for? Even allowed locally cached copies to be used and/or edited (not saved) when the server went away. And yes, failover is available for configuration. Never tried it, but it looks like s390x is an option.
>
> Shane
> ...
Re: How to set up a common USER home directory across multiple zLinux Guests
James,

> Can anyone point me to a sample or documentation to resolve this?

We did document a travelling /home using NFS+LDAP+automount in the books "z/VM and Linux on IBM System z: The Virtualization Cookbook for SLES 10 SP2" and "... for RHEL 5.2", on the Web at http://www.redbooks.ibm.com/abstracts/sg247493.html or http://www.redbooks.ibm.com/abstracts/sg247492.html. See the "Miscellaneous Recipes" chapter.

Hope this helps.

Mike MacIsaac mike...@us.ibm.com (845) 433-7061
Re: How to set up a common USER home directory across multiple zLinux Guests
Michael MacIsaac wrote:

> We did document a travelling /home using NFS+LDAP+automount in the books "z/VM and Linux on IBM System z: The Virtualization Cookbook for SLES 10 SP2" and "... for RHEL 5.2", on the Web at http://www.redbooks.ibm.com/abstracts/sg247493.html or http://www.redbooks.ibm.com/abstracts/sg247492.html. See the "Miscellaneous Recipes" chapter. Hope this helps.

This is what we're doing: LDAP authentication + NFSv3 home directories + home dir automount maps in LDAP. Here's a couple of tweaks we found useful in our environment.

NFSv3 is not known for its security. Consider the use of the NFS option 'root_squash', along with limiting the list of hosts who can connect to your home share. Only export home dirs to hosts which you control; remember that anyone who has root on their box (e.g. a dev workstation) can impersonate any user to NFS. Here's the relevant /etc/exports line we use (sorry for the line wrap):

    /export/unixdata/homedirs \
        @hgrp_autohome_admin(rw,no_root_squash,insecure,sync) \
        @hgrp_autohome_hosts(rw,root_squash,insecure,sync)

I look forward to going to NFSv4 with kerberos authentication, but we're not there yet.

Regarding automount maps in LDAP, this works very well for us with one exception. The problem is that there's a significant number of automount map schemas out there, and different OS's (and different revisions of OS's) use different ones. As we are a fairly heterogeneous environment, I found it near impossible to keep a master map in LDAP. Right now we're just keeping a /etc/auto.master or /etc/auto_master on each host. In order to make the individual map entries work heterogeneously, I had to add several object classes and a few redundant attributes to each entry.

Here's what my home dir automount map entry looks like (again sorry for the line wrap):

    # ap00375, auto_home, unix.mayo.edu
    dn: automountKey=ap00375,automountMapName=auto_home,dc=unix,dc=mayo,dc=edu
    automountInformation: rchnas05n1.mayo.edu:/vol/vol2/unixhomes-5gb/75/ap00375
    cn: ap00375
    automountKey: ap00375
    objectClass: automount
    objectClass: nisNetId
    objectClass: top

Regarding heterogeneous clients, we found AIX in particular to be the hardest of our clients to configure, and linux the easiest. Ensure on AIX that you have the latest available LDAP client package from IBM. Also be aware that AIX wants to use its extended LDAP schema rather than RFC2307, and wants full write access to the LDAP servers from every AIX client. Despite that, it will work with RFC2307 and read-only access. Solaris, like linux, has an option to not use an LDAP proxy account at all via anonymous binding, but I never got Solaris anonymous binding to work.

I recommend making LDAP use TLS or SSL on the wire, in order to keep cleartext passwords from flying about. Both AIX and Solaris require the server public SSL certs to be loaded on every client to do LDAP over TLS or SSL. Linux can be configured to ignore authenticating the LDAP servers' certs and proceed with TLS/SSL anyway - this is convenient, but does open the possibility of man in the middle attacks. In our environment this isn't a big deal, but it might be in yours.

We've found posix group membership management to be one of our more challenging issues overall. Some older systems (e.g. solaris = 8 or 9) enforce the old posix limit of no more than 16 secondary groups. Further, the primary group concept is annoying - conceptually, in any organization with modest member mobility, which primary group do they get? If one assumes that the primary group is meaningful, e.g. reflective of someone's function, role, or job, what about people who do two or more things (e.g. student *and* employee) or people who transfer, but will have a transitional period?

Our not so great compromise was to first use nis style netgroups via LDAP for anything we can. In particular, we use a mutation of netgroups to control individuals' authorization to log in via the use of service search descriptors, and also for sudo privileges. Second, in our environment all meaningful posix groups are secondary groups. For primary groups we adopt the linux convention of creating a separate posix group for each individual: e.g. userA gets a group userA as her primary group. This has the problem of a huge proliferation of groups, though, and several LDAP clients, in particular AIX, have issues with that.

Anyway, apologies for the long ramble, but I hope this has some helpful info.

--
Pat
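Two of the hardening points in Pat's message are mechanical enough to check rather than eyeball: which hosts an export trusts with root (and from which source ports), and whether an LDAP client will accept any server certificate once TLS is turned on. The script below is an added example, not code from the thread or from any project mentioned in it. It reuses the /etc/exports line quoted above, adds two constructed exports for contrast, and audits a constructed OpenLDAP-style ldap.conf. TLS_REQCERT (OpenLDAP) and tls_checkpeer (pam_ldap/nss_ldap) are the real directives that disable certificate verification; the file contents and host names are made up.

```python
"""Audit NFS export options and LDAP client certificate checking.
Added example for the thread; not code from any poster or project."""
import re

# Constructed /etc/exports: the first entry is the one quoted in Pat's post,
# the other two are made up to contrast a wide-open export with a tight one.
SAMPLE_EXPORTS = r"""
# home directories, exported only to host groups we control
/export/unixdata/homedirs \
    @hgrp_autohome_admin(rw,no_root_squash,insecure,sync) \
    @hgrp_autohome_hosts(rw,root_squash,insecure,sync)
/export/scratch *(rw,no_root_squash)
/export/ro 192.0.2.0/24(ro,root_squash,sync)
"""

# Constructed ldap.conf for a client that was set to skip certificate checks.
SAMPLE_LDAP_CONF = """
URI ldap://ldap1.example.org ldaps://ldap2.example.org
BASE dc=example,dc=org
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_REQCERT never
"""

# exports client spec: text up to whitespace or "(", then optional (opt,opt,...)
CLIENT_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


def _logical_lines(text):
    """Drop comments and blank lines, join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...] for an exports file."""
    exports = []
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in CLIENT_RE.finditer(rest):
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((m.group(1), opts))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, client, issue) tuples where an export widens trust.

    root_squash is the exportfs default, so only its explicit removal is
    reported; 'insecure' accepts requests from unprivileged source ports."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append((path, "*", "no_clients"))
        for client, opts in clients:
            if "*" in client or "?" in client:
                findings.append((path, client, "wildcard_client"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if "insecure" in opts:
                findings.append((path, client, "insecure_ports"))
    return findings


def audit_ldap_conf(text):
    """Return (directive, value, issue) tuples for settings that let the
    client proceed without verifying the LDAP server's certificate.

    A plain ldap:// URI is only protected if the application issues
    StartTLS, so it is reported for review as well."""
    findings = []
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "tls_reqcert" and value in ("never", "allow"):
            findings.append(("TLS_REQCERT", value, "cert_not_verified"))
        if key == "tls_checkpeer" and value == "no":
            findings.append(("tls_checkpeer", value, "cert_not_verified"))
        if key == "uri":
            for uri in value.split():
                if uri.startswith("ldap://"):
                    findings.append(("URI", uri, "plain_ldap_uri"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS) + audit_ldap_conf(SAMPLE_LDAP_CONF):
        print("%-28s %-40s %s" % f)
```

The findings are review prompts, not verdicts: no_root_squash on the admin host group is deliberate in Pat's setup (someone has to create the home directories), whereas the same option on a wildcard client is the case the post warns about, since root on any client then owns every home directory. The ldap.conf check catches the "convenient" Linux setting mentioned above that turns TLS into an unauthenticated tunnel.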
Re: How to set up a common USER home directory across multiple zLinux Guests
My recommendation to you is to consider Linux for the NFS server platform; if you already have Linux under z/VM then deploy the NFS servers under z/VM. The reason I would suggest this is the level of NFS development currently is most focused in that area; I am unsure what other UNIXes are supported in your organization.

If you have multiple production z/VM instances on separate CEC's consider using a cluster filesystem for the underlying storage. With SLES the OCFS2 software would be my recommendation, while RHEL provides GFS. With the cluster filesystem you'll then use something like heartbeat to provide for the failover mechanism. We currently have clustered NFS servers providing shares to Linux z/VM, Linux x86, Linux ppc and AIX clients in multiple environments. I have supported NFS servers since the first release on SunOS and have worked with various cluster filesystems including GPFS on AIX, AFS and OCFS for Oracle RAC.

Start out by examining the following doc...
http://www.novell.com/documentation/sles10/pdfdoc/heartbeat/heartbeat.pdf
It has examples including NFS servers.

Good luck.

-- john

CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov, sent by Linux on 390 Port linux-...@vm.marist.edu, wrote on 12/23/2009 04:33 PM (To: LINUX-390@VM.MARIST.EDU, Subject: How to set up a common USER home directory across multiple zLinux Guests):

> We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down? Right now as I understand NFS, if we use an NFS to hold user home directories, if the hosting server is taken down, no one can log into any of the other zLinux guests.
>
> Can anyone point me to a sample or documentation to resolve this?
>
> James Chaplin
> Systems Programmer, MVS, zVM zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team
How to set up a common USER home directory across multiple zLinux Guests
We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down? Right now as I understand NFS, if we use an NFS to hold user home directories, if the hosting server is taken down, no one can log into any of the other zLinux guests.

Can anyone point me to a sample or documentation to resolve this?

James Chaplin
Systems Programmer, MVS, zVM zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team
Re: How to set up a common USER home directory across multiple zLinux Guests
Haven't used this feature for a while, but last I knew, automounter maps could specify multiple servers. But it was/is a first-responder-wins kind of thing, so it might be better to have an alias IP address for your NFS server which your alternate server assumes when the primary fails. The former is cooler, but the latter gives you more control.

On 2009-12-23, CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov wrote:

> We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down? Right now as I understand NFS, if we use an NFS to hold user home directories, if the hosting server is taken down, no one can log into any of the other zLinux guests.
>
> Can anyone point me to a sample or documentation to resolve this?
>
> James Chaplin
> Systems Programmer, MVS, zVM zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team

--
Sent from my mobile device

--
R;
Re: How to set up a common USER home directory across multiple zLinux Guests
> We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down?

Wasn't this what {Open}AFS was designed for? Even allowed locally cached copies to be used and/or edited (not saved) when the server went away. And yes, failover is available for configuration. Never tried it, but it looks like s390x is an option.

Shane
...
Re: How to set up a common USER home directory across multiple zLinux Guests
Most definitely. And the support available is pretty good. They have to answer to me if it isn't...8-)

On Dec 23, 2009, at 7:05 PM, Shane Ginnane sginn...@isi.com.au wrote:

>> We want to create a central location for all zLinux server's user home directory located on a common server (using NFS?) with some method of failover if that server is down. Is there a file system that crosses different servers that can be mounted by one system as the user home file system, and then can fail over to another system if that (NFS holding the Home Directories) server goes down?
>
> Wasn't this what {Open}AFS was designed for? Even allowed locally cached copies to be used and/or edited (not saved) when the server went away. And yes, failover is available for configuration. Never tried it, but it looks like s390x is an option.
>
> Shane
> ...
Re: How to set up a common USER home directory across multiple zLinux Guests
Shane Ginnane wrote:

> Wasn't this what {Open}AFS was designed for?

Note that AFS requires kerberos. It's not a bad place to be at, but is a complex pre-requisite.

Also AFS has different file permission semantics than the 'normal' unix model. Specifically an AFS ACL applies to a directory and all files it contains, but never to an individual file. This makes dirs that need a mix of private and public files (e.g. $HOME/.xauthority, $HOME/.ssh/*_key) tricky to implement.

I'd really like a system with AFS's namespaces, kerberos authentication, server redundancy, and client caching, but NFSv4's more unix-like permissions model + ACLs.

--
Pat
Re: How to set up a common USER home directory across multiple zLinux Guests
Linux on 390 Port LINUX-390@VM.MARIST.EDU wrote on 12/23/2009 08:45:25 PM:

> From: Patrick Spinler spinler.patr...@mayo.edu
> Sent by: Linux on 390 Port LINUX-390@VM.MARIST.EDU
> Date: 12/23/2009 08:45 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: How to set up a common USER home directory across multiple zLinux Guests
>
> Shane Ginnane wrote:
>
>> Wasn't this what {Open}AFS was designed for?
>
> Note that AFS requires kerberos. It's not a bad place to be at, but is a complex pre-requisite.
>
> Also AFS has different file permission semantics than the 'normal' unix model. Specifically an AFS ACL applies to a directory and all files it contains, but never to an individual file. This makes dirs that need a mix of private and public files (e.g. $HOME/.xauthority, $HOME/.ssh/*_key) tricky to implement.
>
> I'd really like a system with AFS's namespaces, kerberos authentication, server redundancy, and client caching, but NFSv4's more unix-like permissions model + ACLs.
>
> --
> Pat

Pat,

You'll probably find appendix B of this Redbook interesting: http://www.redbooks.ibm.com/redpieces/abstracts/sg246657.html

A lot of the development groups inside IBM have slowly been migrating from AFS to GSA for the last 5 years. GSA has most of the things in your wish list.

Regards,
Ray Higgs
System z FCP Development
Bld. 706, B24
2455 South Road
Poughkeepsie, NY 12601
(845) 435-8666, T/L 295-8666
rayhi...@us.ibm.com