[gpfsug-discuss] Experiences upgrading in place to GPFS 4.1?
James Davis
jamiedavis at us.ibm.com
Fri Apr 17 15:11:24 BST 2015
Hi Chris,
Based on your question I think you are aware of this already, but just in
case...
There is not currently an encrypt-in-place solution for GPFS encryption. A
file's encryption state is determined at create-time. In order to encrypt
your existing 100TB of data, you will need to apply an encryption policy to
the current (or a new) GPFS file system(s) and then do something like:
cp file file.enc #now file.new is encrypted
mv file.enc file #replace the unencrypted file with the encrypted file
This can be done in parallel using mmapplypolicy if you want. In 4.1.1
(forthcoming) I plan to provide an improved version of
the /usr/lpp/mmfs/samples/ilm/mmfind (a find-esque interface to
mmapplypolicy) that shipped in the last release; this should be an
effective tool for the job.
Cheers,
Jamie
Jamie Davis
GPFS Functional Verification Test (FVT)
jamiedavis at us.ibm.com
From: Daniel Kidger <daniel.kidger at uk.ibm.com>
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Date: 17-04-15 08:16 AM
Subject: Re: [gpfsug-discuss] Experiences upgrading in place to GPFS
4.1?
Sent by: gpfsug-discuss-bounces at gpfsug.org
Hi Chris,
The Crypto feature of GPFS 4.1 requires the addition of just one extra RPM
over the standard edition. Other RPMs remain the same.
It also requires licenses for "Advanced Edition". These are of the order
of 30% more expensive than the standard edition.
The model for GPFS encryption at rest is that the client node fetches the
encrypted file from the fileserver.
The file remains encrypted in transfer and is only decrypted by the client
node using a key it holds.
A result is end-to-end encryption as well as encryption of data at rest,
Encryption can be on a per file level if desired. Hence a way to migrate
from an existing non-encrypted. setup.
note inodes should be 4kB to make sure there is enough room to store the
encryption attributes.
A side effect of adding encryption is that you also need additional remote
key management (RKM) servers to handle the key management. These need
licensed software.
see
http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/com.ibm.cluster.gpfs.v4r104.gpfs200.doc/bl1adv_encryptionsetupreqs.htm
I am sure DDN can help you with all of this.
Hope this helps,
Daniel
Dr.Daniel No. 1 The Square,
Kidger
Technical Temple Quay,
Specialist Bristol BS1 6DG
SDI
(formerly
Platform
Computing)
Mobile: +44-07818 522 266 United Kingdom
Landline: +44-02392 564 121 (Internal ITN
3726 9250)
e-mail: daniel.kidger at uk.ibm.com
From: Frank Leers <fleers at gmail.com>
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Date: 16/04/2015 23:21
Subject: Re: [gpfsug-discuss] Experiences upgrading in place to GPFS
4.1?
Sent by: gpfsug-discuss-bounces at gpfsug.org
Hi Chris,
Since you mention GRIDScaler, I assume that you are a DDN customer and that
you have a support contract with them. If not, then feel free to take the
advice that follows with a measure of salt although it mostly still
applies ;-)
With 4.1, there are now 'Editions' of GPFS, which break out various feature
sets into a tiered arrangement, with each tier being licensed (and possibly
priced) differently.
Have a look here (Q 1.3) for the 4.1 licensing notes -
http://www-01.ibm.com/support/knowledgecenter/SSFKCN/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html
With GPFS 3.5, you are most likely running the equivalent of the 'Standard
Edition' today. The crypto feature set comes with the 'Advanced Edition',
which is licensed differently.
Have a look at Chapter 15 of the Advanced Admin Guide for 4.1 as a
primer ...
http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/gpfs4104_content.html
-frank
On Thu, Apr 16, 2015 at 1:33 PM, Garrison, E Chris <ecgarris at iu.edu> wrote:
Hello,
My site is working up to upgrading our paired GridScaler system from GPFS
3.5 to 4.1. There is a mandate to provide encryption at rest, and that's an
advertised feature of 4.1. We already have over 100 TB of data,
synchronously replicated between two geographically separated sites, and we
have concerns about how the upgrade, as well as the application of
encryption to all that data, will go.
I'd like to hear from admins who've been through this upgrade. What gotchas
should we look out for? Can it easily be done in place, or would we need
some extra equipment to "slosh" our data to and from so that it is written
to an encrypted GPFS?
Thank you for your time, and for any sage advice on this process.
Chris
--
Chris Garrison
Indiana University
Research Systems Storage
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0003.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0009.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0010.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20386063.gif
Type: image/gif
Size: 360 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0011.gif>
More information about the gpfsug-discuss
mailing list