[gpfsug-discuss] Experiences upgrading in place to GPFS 4.1?

James Davis jamiedavis at us.ibm.com
Fri Apr 17 15:11:24 BST 2015


Hi Chris,

Based on your question I think you are aware of this already, but just in
case...

There is not currently an encrypt-in-place solution for GPFS encryption. A
file's encryption state is determined at create-time. In order to encrypt
your existing 100TB of data, you will need to apply an encryption policy to
the current (or a new) GPFS file system(s) and then do something like:
  cp file file.enc #now file.new is encrypted
  mv file.enc file #replace the unencrypted file with the encrypted file

This can be done in parallel using mmapplypolicy if you want. In 4.1.1
(forthcoming) I plan to provide an improved version of
the /usr/lpp/mmfs/samples/ilm/mmfind (a find-esque interface to
mmapplypolicy) that shipped in the last release; this should be an
effective tool for the job.

Cheers,

Jamie

Jamie Davis
GPFS Functional Verification Test (FVT)
jamiedavis at us.ibm.com



From:	Daniel Kidger <daniel.kidger at uk.ibm.com>
To:	gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Date:	17-04-15 08:16 AM
Subject:	Re: [gpfsug-discuss] Experiences upgrading in place to GPFS
            4.1?
Sent by:	gpfsug-discuss-bounces at gpfsug.org



Hi Chris,

The Crypto feature of GPFS 4.1  requires the addition of just one extra RPM
over the standard edition. Other RPMs remain the same.
It also requires licenses for  "Advanced Edition". These are of the order
of 30% more expensive than the standard edition.

The model for GPFS encryption at rest is that the client node fetches the
encrypted file from the fileserver.
The file remains encrypted in transfer and is only decrypted by the client
node using a key it holds.
A result is end-to-end encryption as well as encryption of data at rest,

Encryption can be on a per file level if desired. Hence a way to migrate
from an existing non-encrypted. setup.
note inodes should be 4kB to make sure there is enough room to store the
encryption attributes.

A side effect of adding encryption is that you also need additional remote
key management (RKM) servers to handle the key management. These need
licensed software.
see
http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/com.ibm.cluster.gpfs.v4r104.gpfs200.doc/bl1adv_encryptionsetupreqs.htm


I am sure DDN can help you with all of this.

Hope this helps,
Daniel
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
 Dr.Daniel                                   No. 1 The Square,                  
 Kidger                                                                         
                                                                                
 Technical                                   Temple Quay,                       
 Specialist                                  Bristol  BS1 6DG                   
 SDI                                                                            
 (formerly                                                                      
 Platform                                                                       
 Computing)                                                                     
                                                                                
                                                                                
 Mobile:    +44-07818 522 266                United Kingdom                     
                                                                                
 Landline:  +44-02392 564 121 (Internal ITN                                     
            3726 9250)                                                          
                                                                                
 e-mail:    daniel.kidger at uk.ibm.com                                            
                                                                                
                                                                                
                                                                                






From:        Frank Leers <fleers at gmail.com>
To:        gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Date:        16/04/2015 23:21
Subject:        Re: [gpfsug-discuss] Experiences upgrading in place to GPFS
4.1?
Sent by:        gpfsug-discuss-bounces at gpfsug.org



Hi Chris,

Since you mention GRIDScaler, I assume that you are a DDN customer and that
you have a support contract with them.  If not, then feel free to take the
advice that follows with a measure of salt although it mostly still
applies ;-)
With 4.1, there are now 'Editions' of GPFS, which break out various feature
sets into a tiered arrangement, with each tier being licensed (and possibly
priced) differently.
Have a look here (Q 1.3) for the 4.1 licensing notes -
http://www-01.ibm.com/support/knowledgecenter/SSFKCN/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html


With GPFS 3.5, you are most likely running the equivalent of the 'Standard
Edition' today.  The crypto feature set comes with the 'Advanced Edition',
which is licensed differently.

Have a look at Chapter 15 of the Advanced Admin Guide for 4.1 as a
primer ...
http://www-01.ibm.com/support/knowledgecenter/SSFKCN_4.1.0.4/gpfs4104_content.html


-frank


On Thu, Apr 16, 2015 at 1:33 PM, Garrison, E Chris <ecgarris at iu.edu> wrote:

Hello,

My site is working up to upgrading our paired GridScaler system from GPFS
3.5 to 4.1. There is a mandate to provide encryption at rest, and that's an
advertised feature of 4.1. We already have over 100 TB of data,
synchronously replicated between two geographically separated sites, and we
have concerns about how the upgrade, as well as the application of
encryption to all that data, will go.

I'd like to hear from admins who've been through this upgrade. What gotchas
should we look out for? Can it easily be done in place, or would we need
some extra equipment to "slosh" our data to and from so that it is written
to an encrypted GPFS?

Thank you for your time, and for any sage advice on this process.

Chris
--
Chris Garrison
Indiana University
Research Systems Storage

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0003.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0009.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0010.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20386063.gif
Type: image/gif
Size: 360 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20150417/d0bab395/attachment-0011.gif>


More information about the gpfsug-discuss mailing list