Implementing Alternate Data Streams in Likewise Storage Services Wei Fu <wfu@likewise.com> Software Engineer Likewise Software

Similar documents
A COMPARISON BETWEEN THE SAMBA3 AND LIKEWISE LWIOD FILE SERVERS

Solaris CIFS Service CIFS. Alan Wright

Caching SMB Data for Offline Access and an Improved Online Experience

Windows NT File System. Outline. Hardware Basics. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik

The Native AFS Client on Windows The Road to a Functional Design. Jeffrey Altman, President Your File System Inc.

Outline. Windows NT File System. Hardware Basics. Win2K File System Formats. NTFS Cluster Sizes NTFS

The Win32 Network Management APIs

LWIOD Access Audit Module

PineApp Surf-SeCure Quick

TECHNICAL TRACKSNETWORKING ESSENTIALS OPPORTUNISTIC LOCKING

Qsync Install Qsync utility Login the NAS The address is :8080 bfsteelinc.info:8080

Using NFS v4 ACLs with Samba in a multiprotocol environment

Configuring Security Features of Session Recording

USING USER ACCESS CONTROL LISTS (ACLS) TO MANAGE FILE PERMISSIONS WITH A LENOVO NETWORK STORAGE DEVICE

Acronis Backup & Recovery: Events in Application Event Log of Windows

Understand Troubleshooting Methodology

Local Accounts and Privileges in Likewise Storage Server Rafal Szczesniak EMC Isilon

Introduction to Computer Security

Windows Server 2008/2012 Server Hardening

OMU350 Operations Manager 9.x on UNIX/Linux Advanced Administration

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

ms-help://ms.technet.2005mar.1033/enu_kbntrelease/ntrelease/ htm

SMB in the Cloud David Disseldorp

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Release Notes. CTERA Portal May CTERA Portal Release Notes 1

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Windows Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Agency Pre Migration Tasks

Setting Up Resources in VMware Identity Manager

<Samba status report>

Creating Synergies on the Cloudbox. Mohan Sundar Samsung Electronics

Active Directory at the University of Michgan. The Michigan Way Since 2000

Chapter 15 Windows Operating Systems

The Mac OS X Server Essentials v10.5 Exam Skills Assessment Guide

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

HP A-IMC Firewall Manager

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

CHAPTER 17: File Management

Feature and Technical

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Windows8 Internals, Sixth Edition, Part 1

Features of AnyShare

70-417: Upgrading Your Skills to MCSA Windows Server 2012

Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XR and Windows 2000

Exam : Installing and Configuring Windows Server 2012

Introduction to Automated Testing

Protocols for Dummies

Test Case 3 Active Directory Integration

Likewise Open Installation and Administration Guide

EMC Documentum Composer

Chapter 5: Operating Systems Part 1

Samba as an Active Directory Domain Controller

Novell Filr. Windows Client

Module 10: Maintaining Active Directory

WatchGuard SSL v3.2 Update 1 Release Notes. Introduction. Windows 8 and 64-bit Internet Explorer Support. Supported Devices SSL 100 and 560

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Linux Kernel Architecture

Configuration Guide BES12. Version 12.1

Polycom RealPresence Resource Manager System Getting Started Guide

MSRPC NULL sessions. Exploitation and protection. Jean-Baptiste Marchand

VMware Mirage Web Manager Guide

Active Directory network protocols and traffic

Best Practices & Deployment SurfControl Mobile Filter v

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

WINDOWS 2000 Training Division, NIC

For Active Directory Installation Guide

Samba 4 AD + Fileserver

Upgrading Client Security and Policy Manager in 4 easy steps

Installation Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Installation Guide

IceWarp Unified Communications. AntiVirus Reference. Version 10.4

SuperLumin Nemesis. Administration Guide. February 2011

Downtime Reports. Administrator's Guide

Chapter 12 File Management. Roadmap

Chapter 12 File Management

Web. Security Options Comparison

RSA Authentication Manager 8.1 Virtual Appliance Getting Started

EView/400i Management Pack for Systems Center Operations Manager (SCOM)

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Xerox 700 Digital Color Press with Integrated Fiery Color Server. Printing from Mac OS

Windows Server 2003 default services

Configuration Guide BES12. Version 12.3

Personal Cloud. Support Guide for Mac Computers. Storing and sharing your content 2

Configuration Guide. Installation and. BlackBerry Enterprise Server Resource Kit. Version: 5.0 Service Pack: 4

Advanced Event Viewer Manual

SQLBase. Starter Guide

Xerox 700 Digital Color Press with Integrated Fiery Color Server. Utilities

Security Options... 1

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Configuration Guide BES12. Version 12.2

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

Administration Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Administration Guide

CAC/PIV PKI Solution Installation Survey & Checklist

70-685: Enterprise Desktop Support Technician

5053A: Designing a Messaging Infrastructure Using Microsoft Exchange Server 2007

DFS Namespaces. Virtualization for Remote File Systems. Dan Lovinger DFSN Development Lead Microsoft

Active Directory Integration

Implementing the Hadoop Distributed File System Protocol on OneFS Jeff Hughes EMC Isilon

XyLoc Security Server w/ AD Integration (XSS-AD 5.x.x) Administrator's Guide

Transcription:

Implementing Alternate Data Streams in Likewise Storage Services Wei Fu <wfu@likewise.com> Software Engineer Likewise Software

Outline Introduction to Likewise Storage Services What is an ADS (Alternative Data Stream)? ADS Data Model ADS On-Disk storage Model Implementation Adventures Demonstration of ADS support in Likewise Storage 2

Likewise Storage Services Architectural Overview CreateFile CreateNamedPipe IoFsControl DeviceIoControl Server Service (srvsvcd) IPC (lwmsg) Registry (lwregd) LwDsGetDcName Resolver (netlogond) DNS CLDAP I/O Manager (lwiod) Client File API Core API Driver API Drivers Libraries Likewise Security Authority (lsassd) Client Lsa API Provider Routing Local Accounts The Likewise Storage Services architecture includes the following multi-threaded services: lwiod: The Likewise input-output service and the file server. lsassd: The Likewise security and authentication subsystem that forms the core of the Likewise Identity Service, or LWIS. srvsvcd: Server and workstation RPC services (\srvsvc) netlogond: The domain controller locator and affinity manager. lwregd: The Likewise registry. AD DCE/RPC LDAP Active Directory Forest 3 3

Likewise I/O Manager Likewise I/O Manager (lwiod) Client File API Core API - IoMgr NtCreateFile IoCreateFile IoIrpMarkPending IoIrpComplete POSIX FS (PVFS) Driver API {Driver}CreateFile {Driver}ReadFile {Driver}LockFile {Driver}SetSecurityFile PvfsCreateFile Dispatch on IRP_TYPE_CREATE IoCreateFile IoReadFile IoLockFile IoSetSecurityFile SMB/SMB2 Client Network Requests Port 445 Named Pipe FS SMB Redirector DFS NFSv3 /NFSv4.x WebDAV NFS/Mount Network Requests Port 2049, 925 4

What is Alternative Data Stream? Alternative Data Streams metadata associated with master file/directory objects Modern SMB/SMB2 clients make use of alternative data streams Desktop UI enhancements Additional document properties Location information for files downloaded from untrusted networks 5

What is Alternative Data Stream (Cont) Stream Naming Convention Filename : stream_name : stream_type $,?, *,, <, >, are legal chars in stream name except /,\\. For instance, ads.txt:$test?:$data is a legal named stream Stream Types $DATA (Currently supported in PVFS) $ATTRIBUTE_LIST, $BITMAP, $EA, $EA_INFORMATION, $FILE_NAME, $INDEX_ALLOCATION, $INDEX_ROOT etc Default Data Stream vs. Alternative data stream Directories do not have default unnamed data stream (cannot open a directory by stream name dir::$data ads.txt is equivalent to ads.txt::$data (default/unnamed data stream) ads.txt:summary:$data (named data stream for file object ads.txt) 6

ADS Application Use File object: SDC2011_ppt_template.ppt Two named streams SDC2011_ppt_template.ppt:Zon e.identifier:$data Downloaded from the web; Zone.Identifier is created by the browser to store URL security zone information. SDC2011_ppt_template.ppt:ads 1.txt:$DATA Created manually with notepad. 7

PVFS Data Model (Pre-ADS) File Control Block (FCB) Represents the file on disk FCB is removed from memory when last open handle is closed Create Control Block (CCB) Open file handle Stored on the IO_FILE_HANDLE owned by IoMgr CCB points to its FCB; FCB owns a list of its CCBs 8

PVFS Data Model (Pre-ADS) PVFS Create Control Block File Control Block [ example.txt ] I/O Logical File Object Files Create Control Block File Control Block Disk FCB File Object Oplocks CCB Open Handle Device/Inode Byte-Range Lock Sharemode File Descriptor Creation Sequence: CCB->FCB 9

PVFS Data Model with ADS Stream Control Block (SCB) Each SCB represents the default or named stream on-disk Replaces the FCB as the target of the CCB SCB is removed from memory when last open handle is closed Create Control Block (CCB) Represents an open handle to a SCB The master object is accessed by creating CCB on the default SCB Stored in the IO_FILE_HANDLE owned by IoMgr File Control Block (FCB) FCB stores information shared by all its streams FCB is removed from memory when last open handle to all of its streams (default/named) is closed 10

PVFS Data Model with ADS (Cont.) PVFS Create Control Create Block Control Create Block Control Block Create Control Block Create Control Create Block Control Create Block Control Block File Control Block File Control Block [ example.txt ] Stream Control Block Stream Control Block [ ::$DATA ] [ :stream_name:$data ] Logical File Object I/O Files Disk 11

PVFS Data Structures with ADS CCB points to its SCB; SCB owns a list of its CCBs (one-to-many) SCB points to its Owner FCB; FCB owns a list of its SCBs (one-to-many) Creation Sequence: CCB->FCB->SCB 12

ADS Storage Model on Ext{3,4} Stream metadata directory :STREAM For a given directory, its files and subdirectories stream data are stored inside a :STREAM directory Stream objects residence :STREAM contains a directory for each file/subdirectory, each of those storing their streams. A sample store 13

ADS Storage Model on Ext{3,4} (Cont.) EnumerateDirectory calls needs to filter on :STREAM No need to modify create path For instance, attempt to open foo_parent/:stream/foo_file/filestream is rejected due to invalid : in pathname 14

Implementation Adventures Ep. 1 Problem: \\filesrv cannot copy certain files (files with streams) Root cause: SetFileBasicInfo needs to be done on base(master) object (FCB) even though the request is issued on stream handle (SCB) FCB vs. SCB Attributes 15

FCB vs. SCB Attributes FCB Attributes shared attributes among all alternate data streams: Extended attributes Security descriptors (ACL check during CreateFile ) File Attributes TimeStamps (LastWriteTime, LastAccessTime) SCB Attributes - unique to each stream Opportunistic locks / Leases Allocation size Actual size Valid data length Sharing modes BRL 16

Oplocks and Leases Oplock list stored on the SCB (a list of legacy oplock and leases) ntcreate&x locking&x Deferred ops stored in a queue on the SCB Requested/Ackno wledged using FsIoCtrl on CCB IoCreateFile Success SRV IoFsCtrl(Req) Pending PVFS Success (Break) IoFsCtrl(Ack) Success or Pending 17

Share Modes Share mode enforcement is done for each stream by iterating through all its open handles Check for a conflict between the request access and an existing share mode Check for a conflict between the request share mode and an existing granted access Special case: A default stream is asking for DELETE access All open stream handles must be opened with FILE_SHARE_DELETE for in order for the access to be granted. 18

Delete-On-Close A named stream (SCB) can be deleted by setting delete-on-close In case it is default data stream (SCB), delete-onclose check will be done on master object (FCB) 19

Implementation Adventures Ep. 2 <<synchronized>> pszfilename pszfilename1 pszfilename2 pszfilename3 PVFS_FCB <<synchronized>> PSTR: pszfilename <<synchronized>> PPVFS_FCB : pparentfcb Problem: NetBench run shows assert failure... <<synchronized>> PVFS_LIST Scbs Root cause: <<synchronized>> pszfullstreamname pszfullstreamname1 pszfullstreamname2 PVFS_SCB <<immutable>> pownerfcb <<synchronized>> PSTR: pszfullstreamname Original data model - store streams and base file objects in separate tables linked based on name pszfullstreamname3... <<synchronized>> PVFS_STREAM_TYPE: StreamType <<synchronized>> PVFS_LIST Ccbs Unnatural relationship that complicated lock synchronization for operations such as renames <<synchronized>> PVFS_LIST OplockList <<immutable>> pscb PVFS_CCB Rename a master file object ends up modifying a bunch of SCBs in ScbTable, so does file object delete 20

Implementation Adventures Ep. 3 Problem: End up pointing to a wrong logic file on-disk or doing conversion back and forth all the time Root cause: File name ambiguity (PSTR -> PVFS_FILE_NAME) PVFS internally only uses PVFS_FILE_NAME typedef struct _PVFS_FILE_NAME { PSTR FileName; PSTR StreamName; PVFS_STREAM_TYPE Type; // Flag indicate whether it is a stream name PVFS_FILE_NAME_OPTIONS NameOptions; } PVFS_FILE_NAME, *PPVFS_FILE_NAME; // Current API on PVFS_FILE_NAME: NTSTATUS PvfsSysOpenByFileName( OUT int *pfd, OUT PBOOLEAN pbcreateownerfile, IN PPVFS_FILE_NAME pfilename, IN int iflags, IN mode_t Mode ); // Old API on PSTR: NTSTATUS PvfsSysOpen( int *pfd, PSTR pszfilename, int iflags, mode_t Mode ); 21

Implementation Adventures Ep. 4 Problem: Failed in smbtorture test raw.streams.dir Failed in smbtorture test raw.streams.names2 Root cause: Should disallow open a default (unamed) stream using name dir::$data Should disallow /, \\, : in stream names Internally however for consistency purpose, default SCB for directories are created 22

Demonstration of ADS support in Likewise Storage 23

Demonstration of ADS support in Likewise Storage Client opens test.txt on share (V:) Server disk based ADS store 24

Demonstration of ADS support in Likewise Storage The sample file is copied to share with all data streams being preserved 25

Questions? 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information