OneFS 8-1-2 - New Features Technical
Technical Update
What is new in Isilon OneFS 8.1.2
• Hadoop 3 compatibility
• LLAP support
• Hadoop 3.0 and 3.1 introduce some small behavioral changes in the HDFS RPC calls
– OneFS needs to make adjustments to these protocol-level interactions (HDFS client requests and WebHDFS responses)
– Note that some of these changes are in Apache Hadoop 2.9, but no commercial ISV vendors have shipped their stacks with 2.9
– Moving test infrastructure to CentOS 7 (required by the Java version that Hadoop 3.0 uses)
• Presents only settings that are needed to deploy OneFS (e.g. SmartConnect address)
• Isilon Management Pack is also release independent. Any update can be done outside of the OneFS release cycle.
– Apache Knox works natively with OneFS (without the need of httpfs workaround)
– All applications or tools that rely on WebHDFS should work with OneFS
– Multithreading for file writes over WebHDFS (instead of single threading today)
• LLAP uses client-side caching of column data to reduce queries to the DataNode.
– Requires the use of “Reference by inode” to ensure cache consistency with HDFS layer
– Use that same inode on future queries to ensure the same resource is accessed (even after rename, move, etc.). More details at https://hortonworks.com/tutorial/interactive-sql-on-hadoop-with-hive-llap/
• “Reference by inode” is currently only used by Hive/LLAP, but can also be used by other
applications in the future
• Today, OneFS uses unsecured HTTP communication to download policies from Ranger Policy Server
• OneFS supports One-Way SSL with Kerberos to secure communication with Ranger Policy Server:
– After Kerberizing OneFS and HDP, OneFS uses SPNEGO (HTTP Kerberos principal) to communicate with Ranger.
– Ranger is configured to use a certificate authority and issues a certificate in its response to OneFS, completing One-Way SSL.
• This work also enables secure SSL communication between OneFS and Ambari Server (for pre-HDP 3.0 deployments) and Ambari Metrics Server using Kerberos
– The new Isilon Management Pack does not require Ambari Agent/Server communication and hence this is not applicable
• Patch signing
• Non-disruptive upgrades
• In HDFS workflows, Navigator monitors and tracks data as it is created and reused
[Diagram: Navigator with Hadoop (blocks on disk, iNotify log), with Isilon OneFS prior to 8.1.x, and with OneFS 8.1.1. Labels: “1. Nightly FSImage job – tree walk, rebuilds a new FSImage”; “Navigator LOG skip/error”.]
• Adds the capability to allow data transfers to be secured by encrypting data in-flight
• SMB3 Encryption capability is found in Windows 8 / Server 2012 and newer clients
• Performance Optimizations
– Leverages AES-NI (Advanced Encryption Standard New Instructions) found in modern CPUs
– Further gains achieved leveraging the PCLMULQDQ extensions in Intel CPUs.
• SMB3 encryption can be enabled on individual shares, entire access zones or the
entire cluster
Global/Zone/Share do not exactly form a hierarchy as you can manually change the
encryption setting for an item.
• Performance characteristics are similar to other cloud providers and are based on tier chosen
and internet connection speeds
• Isilon does not support the native Google Cloud Authentication method (OAuth2)
• Isilon requires the Google Cloud Storage account have ‘Interoperability Mode’ enabled and S3
key/secret to be generated
• This is implemented through the Google Cloud Administration Dashboard
1) Copy the root certificate of target service provider <cert.pem> into directory
- % cp <cert.pem> /ifs/.ifsvar/modules/cloud/cacert
<suffix> starts as 0. If there is a collision of existing symlink file name, then use the next number as suffix.
• https://support.emc.com/kb/497931
• Currently there is no way for customers to validate the authenticity of upgrade images or
patches
• Dell EMC side: Package created containing patch files and manifest, detached signature file
provided for validation
– Transparent to customer
• CLI changes:
• isi_signatures
• Usage: isi_signatures [ -s <signature file> -p <package file> ]
-s <signature file>: file containing a digital signature and public key for a package
-p <package>: signed package
• Expected Output:
• Success: the signature is valid for this package
• Error: Failure: the signature is not valid for this package
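A fail-closed wrapper around the check above, as an added example that is not Dell EMC's code: it verifies private copies of the package and signature so the bytes that get installed are the bytes that were checked. The function name `verify_patch`, the `ISI_SIGNATURES` override and the staging directory are hypothetical, and it assumes the tool exits 0 when it prints the success text.

```shell
#!/bin/sh
# Added example: gate a patch install on the isi_signatures result.
# Assumptions (not from the page): exit status 0 on success; names are hypothetical.
ISI_SIGNATURES="${ISI_SIGNATURES:-isi_signatures}"
OK_TEXT="the signature is valid for this package"

# verify_patch SIGFILE PKGFILE
# On success prints the path of the verified private copy and returns 0.
# Returns 2 for unusable input, 1 for any other outcome (fail closed).
verify_patch() {
    sig=$1 pkg=$2
    for f in "$sig" "$pkg"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    # Check private copies so the package cannot be swapped between
    # verification and installation.
    stage=$(mktemp -d) || return 2
    chmod 700 "$stage"
    cp "$sig" "$stage/package.sig" && cp "$pkg" "$stage/package" || { rm -rf "$stage"; return 2; }
    rc=0
    out=$("$ISI_SIGNATURES" -s "$stage/package.sig" -p "$stage/package" 2>&1) || rc=$?
    # Require both a clean exit and the exact success text; a missing tool,
    # a crash, or the "not valid" message all land in the failure branch.
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -qF "$OK_TEXT"; then
        printf '%s\n' "$stage/package"
        return 0
    fi
    echo "signature check failed (exit $rc): $out" >&2
    rm -rf "$stage"
    return 1
}

# Stand-alone use: sh verify_patch.sh <signature file> <package file>
if [ $# -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

Install from the path the function prints rather than from the original download location.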
• Flexible framework available to customers and Support personnel to proactively monitor cluster and environment to identify problems before they become issues
• Unified way of creating, running and maintaining the scripts
• Health check data is available for analysis in log gathers from /ifs/modules/health-check/results
• Prior to OneFS 7.2, encoding was not enforced for any NFSv3 exports
• With OneFS 7.2 and later, clients were forced to use the encoding specified in the OneFS exports
• OneFS 8.1.1 enables exports to NFS clients that use multiple character encodings
– Restores Pre-OneFS 7.2 encoding behavior