Have you tested prefetching reads on the NFS server node? That should help for streaming reads as ultimately initiated by the ftp user.
— Peter

On 2015 Nov 3 Tue, at 04:49, Martin Gasthuber <[email protected]> wrote:
> the path via NFS is already checked - problem here is not the bandwidth,
> although the WAN ports allow for 2 x 10GE, it's the file rate we need to
> optimize. With NFS, in between GPFS and FTP, we saw ~2 times less file
> download rate. My concerns are also not really about raw IB access and misuse
> - it's because IPoIB, in order to minimize the risk, we had to reconfigure all
> other cluster nodes to refuse IP connects through the IB ports from that node
> - more work, less fun ! Probably we had to go the slower NFS way ;-)
>
> best regards,
> Martin
>
>> On 2 Nov, 2015, at 16:22, Wahl, Edward <[email protected]> wrote:
>>
>> First off let me recommend vsftpd. We've used that in a few single point
>> to point cases to excellent results.
>>
>> Next, I'm going to agree with Johnathan here, any hacker that somehow gains
>> advantage on an FTP server will probably not have the knowledge to take
>> advantage of the IB, however there are some steps you could take to mitigate
>> this on a node such as you are thinking of:
>>
>> -Perhaps an NFS share from an NSD across IB instead of being a native GPFS
>> client? This would remove any possibility of escalation exploits gaining
>> access to other servers via SSH keys on the IB fabric but will reduce this
>> node's speed of access. On the other hand almost any IB faster than SDR
>> probably is going to wait on the external network unless it's 40Gb or 100Gb
>> attached.
>>
>> -firewalled access and/or narrow corridor for ftp access. This is pretty
>> much a must.
>>
>> -fail2ban like product checking the ftp logs. Takes some work, but if the
>> firewall isn't narrow enough this is worth it.
>>
>> Ed Wahl
>> OSC
>>
>> ________________________________________
>> From: [email protected] [[email protected]] on behalf of Martin Gasthuber [[email protected]]
>> Sent: Monday, November 02, 2015 8:53 AM
>> To: gpfsug main discussion list
>> Subject: [gpfsug-discuss] GPFS (partly) inside dmz
>>
>> Hi,
>>
>> we are currently in discussion with our local network security people about
>> the plan to make certain data accessible to outside scientists via ftp -
>> this implies that the host running the ftp daemon runs with their ethernet
>> ports inside a dmz. On the other hand, all NSD access is through IB (and
>> should stay that way). The biggest concerns are around the possible intrusion
>> from that ftp host (running as GPFS client) through the IB infrastructure to
>> other cluster nodes and possibly causing big troubles on the scientific
>> data. Does anybody here have similar constraints and possible solutions to
>> mitigate that risk ?
>>
>> best regards,
>> Martin
>>
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at spectrumscale.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
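
The "fail2ban like product checking the ftp logs" step suggested in the thread, sketched as an added example (not code from any of the posters or from fail2ban). It assumes vsftpd's native log line format; the function names, thresholds and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (vsftpd's native log format):
#   Mon Nov  2 16:21:10 2015 [pid 4130] [root] FAIL LOGIN: Client "203.0.113.50"
# The user field is client-supplied, so it is matched greedily and the address
# is anchored to end of line: only the last quoted value on the line is used.
FAIL_RE = re.compile(r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[(?P<user>.*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"\s*$')

def parse_failure(line):
    """Return (timestamp, client_ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None  # not a literal address: ignore rather than act on it
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), ip

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Map client IP -> time it reached max_retry failures within find_time."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip in filter(None, map(parse_failure, lines)):
        if ip in offenders:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        if len(window) >= max_retry:
            offenders[ip] = ts
    return offenders

# Constructed sample lines using documentation address ranges, not real logs.
SAMPLE_LOG = [
    'Mon Nov  2 16:20:01 2015 [pid 4121] [ftp] OK LOGIN: Client "198.51.100.7", anon password "?"',
    'Mon Nov  2 16:21:10 2015 [pid 4130] [root] FAIL LOGIN: Client "203.0.113.50"',
    'Mon Nov  2 16:21:14 2015 [pid 4131] [admin] FAIL LOGIN: Client "203.0.113.50"',
    'Mon Nov  2 16:21:19 2015 [pid 4133] [test] FAIL LOGIN: Client "203.0.113.50"',
    'Mon Nov  2 16:40:00 2015 [pid 4140] [x] FAIL LOGIN: Client "192.0.2.1"] FAIL LOGIN: Client "203.0.113.9"',
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

The last sample line shows why the address match is anchored to the end of the line: a login name crafted to look like a log entry cannot make the checker act against an address the server did not record.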
