Posts Tagged ‘IBM’

IBM SVC Code 6.3 finally has AD/LDAP support

Well,

It has been quite a while since my last post. I’ve been very busy working on a number of storage proposals. Which I guess is good in this time of financial crisis.


I’ve been working on IBM SAN Volume Controller for a number of years, and I even had a contract as a Storage Instructor for IBM SAN Volume Controller. I have had many questions or remarks as to why the SVC still had no support for role-based access and centralized account administration like LDAP or Active Directory. And honestly, it did surprise me how long it took IBM to incorporate it into the code.
Only recently, the SVC code 6.3 has been released sporting AD and LDAP user authentication. I have not yet had any chance to test LDAP, but I did get Active Directory working. The IBM documentation isn’t all that detailed as to how to set up AD authentication. Neither has the AD support team on site been very helpful (except maybe for one guy who seems to know what AD is all about).

There are a couple of things you should be aware of:

  • The SVC is an appliance that is not trusted by AD; it is not part of an Active Directory domain. Therefore you might need to provide an AD account that has sufficient credentials to use AD to authenticate.
  • The account you will use to query AD with (not the account a user uses to attempt a login) has to be configured with its complete AD location path. An example: you are provided an AD account that is privileged to query AD, that is called ‘ibm2145queryad’ and sits in the AD tree at “DOMAIN\Accounts\ReadOnly” (<- fictional). You will need to enter the LDAP configuration in the SVC console as:
    chldap -username 'CN=ibm2145queryad,ou=ReadOnly,ou=Accounts,dc=DOMAIN,dc=corp' -password 'XXXXXX' -security none -userattribute sAMAccountName -groupattribute memberOf -auditlogattribute name -type ad
  • Even if AD authentication fails because the query user is not authorized to query AD, ‘testldapserver’ will still report success. If you are testing authentication of a valid user login, this will result in a message that the user is not correct or the password is mismatched. This suggests the user trying to log in is invalid, but actually, the account used to query AD is invalid. So this might throw you off a bit.
  • Only supply AD servers or LDAP servers, do not mix AD and LDAP servers. This will not work as desired.

 

Your SVC administrators have to be members of a specific security group in AD, separating them from ordinary users that should not have SVC access. This group name has to be defined in the SVC as a remote group. Only users that are members of that specific security group in AD will have access to the SVC. The user group on the SVC has to be configured with specific access rights on the SVC, like “administrator” or something else that matches your company requirements. This role is also assigned to AD users that are part of that security group at the moment they successfully log in to the SVC.
When using LDAP or AD user authentication, local users are still usable. You will need a local account with the “Security Administrator” privilege to update LDAP/AD settings on the SVC. I guess you do not want to make all authenticated users have the highest privilege on SVC.
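Because ‘testldapserver’ can report success while the query account is unusable, and because a login also depends on the remote group membership described above, it helps to run the same lookup from an admin workstation. The script below is an added example, not part of the original post or IBM's tooling; it assumes OpenLDAP's ldapsearch, and the function names, the group DN "SVCAdmins" and the user "Jane Doe" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM's tooling. Assumes OpenLDAP's ldapsearch; ldap://
# mirrors the post's "-security none", so the bind password travels in clear.

# Escape a login name for use inside an LDAP search filter (RFC 4515).
escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Classify one search made with the query account.
#   $1 = ldapsearch exit status, $2 = LDIF output, $3 = required group DN
diagnose() {
    rc=$1; ldif=$2; group=$3
    if [ "$rc" -ne 0 ]; then
        # Bind or search failed: the query account itself is the problem,
        # even though the SVC blames the user who tried to log in.
        echo "QUERY_ACCOUNT_FAILED"; return
    fi
    # AD may return only referral lines; a real hit always has a dn: line.
    # No entry: unknown login, or the query account cannot read that subtree.
    if ! printf '%s\n' "$ldif" | grep -q '^dn: '; then
        echo "USER_NOT_FOUND"; return
    fi
    # Direct membership only; the DN is compared case-insensitively.
    if printf '%s\n' "$ldif" | grep -qixF "memberOf: $group"; then
        echo "OK"
    else
        echo "USER_NOT_IN_GROUP"
    fi
}

# check_user URI BIND_DN PWFILE BASE_DN LOGIN GROUP_DN
# PWFILE holds the query account's password with no trailing newline.
check_user() {
    filter="(sAMAccountName=$(escape_filter "$5"))"
    out=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$1" -D "$2" -y "$3" \
                     -b "$4" "$filter" memberOf 2>/dev/null)
    diagnose "$?" "$out" "$6"
}

# Constructed sample: what a successful lookup of a group member returns.
SAMPLE='dn: CN=Jane Doe,OU=Accounts,DC=DOMAIN,DC=corp
memberOf: CN=SVCAdmins,OU=Groups,DC=DOMAIN,DC=corp'
diagnose 0 "$SAMPLE" 'CN=SVCAdmins,OU=Groups,DC=DOMAIN,DC=corp'
```

Call check_user with the same bind DN that was given to chldap; a QUERY_ACCOUNT_FAILED result points at the query account rather than at the user whose login was rejected.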

Once you know these quirks you will be able to configure and use LDAP or AD services to authenticate your SVC administrators with. Two things I have to comment about are the fact you cannot enter LDAP or AD servers by their hostnames. You need to enter the IPv4 addresses. This also shows the second annoyance. There is no support for IPv6 yet. I guess it is on its way, but who knows how long this will take IBM.

 

 

 


06

01 2012

IBM zEnterprise with BladeCenter Extension

This morning, I saw a tweet about an x86 blade being shoved into a zSeries frame.
It appeared to be an IBM press release introducing new developments in IBM zSeries land. Like tape, mainframe has been dead for years (so they say). There are not many analysts that believe this statement, and mainframe is far from being dead. I do see fewer of them however. Only the very large (mostly financial) companies seem to be able to run zSeries workloads because of the expertise and cost involved with running zSeries.

Over the last years, IBM has done a lot of development in mainframe equipment and really has brought down the cost of running mainframe gear. For most IT folks, the mainframe has lost its sexiness (if it ever was sexy), and it has gotten really hard to find decent staff to operate mainframe gear and workloads. So in a technical and financial sense, the mainframe might be far from dead, but without good staff, who can run mainframe gear in their shops? I have been seeing a lot of new faces in the IT industry, none of which seem to be developing skills in the mainframe arena.

The open systems world seems to be more exciting because the development is done much faster and cheaper (although I myself might not agree with the cheaper part). Many new developments in the various IT stacks like networking, storage, systems and software are solely targeted at open systems worlds, completely ignoring the mainframe world. The vendors we spoke to last week at Tech Field Day also have no plans on developing for mainframe. Part of which is the mainframe vendors’ own fault, since they have really closed down access to mainframe development resources for everyone.

zEnterprise (z196)

The new zEnterprise will be available later this year, and will hold 96 of the world’s fastest CPUs running at 5.2 GHz. It has water-cooling enablement. Funny, because water-cooling was removed around the time I was introduced to the mainframe world, back in 1996. This system is going to have 60% more capacity than its predecessor “System z10”, while consuming about the same amount of energy.

Introducing the BladeCenter Extension.

IBM is also developing gear which is supposed to simplify the data-center. They’d be stupid not to, obviously. The BladeCenter extension is a frame that can be attached to the new IBM zEnterprise “main”-frame which will be able to hold a number of “open systems” blades.

The IBM zEnterprise BladeCenter Extension supports general-purpose IBM POWER7 and System x BladeCenter systems as well as blades optimized for specific workloads, such as analytics and managing Web infrastructure.

  • Later this year IBM will be introducing the Power7 blades to run IBM AIX
  • Next year, xSeries blades will be running Linux OS in this extension.

Using the new Unified Resource Management software, IBM claims to be able to run over 100,000 virtual machines on a fully configured zEnterprise system.

The mainframe software has a very well deserved reputation of being extremely manageable and configurable and is well known for its stability and predictability. My life in IT once started as an MVS operator, so I always have had a weakness for mainframe environments.

What this will hold for us in the future, who knows, but if IBM manages to get the virtualization part off the ground including Microsoft Windows workloads, this might be another player in the UCS and VCE arena worth watching, although I sure hope there is a way to run this zEnterprise system without the need of mainframe system engineering skills. If these skills are required to operate this system, I think the market is limited to the current mainframe shops and will pose no threat to the UCS and VCE solutions.

My opinion on this is, unless IBM manages to run this system with the server virtualization features a la VMware or Microsoft Hyper-V they will have a hard time selling this. Even in the shops that already deploy mainframe gear.

The data center convergence question I have for IBM is: when will you join in convergence with “Ficon over Ethernet (FioE)” or, in accordance with recent Tech Field Day developments, FCoTR?

But I love to be educated on the markets IBM is targeting and how they would be doing that.


23

07 2010

IBM’s Long Term Filesystem, short term usage?

You will all have already seen IBM’s announcement last week on its Long Term File System (LTFS). In short, it’s a software feature that enables you to mount a sequential media (only LTO gen 5 or newer) as if it were a local file system. In itself this is not a real innovation. Seagate had this for years, although it never kicked off. In my opinion there has never been a real use case for this type of I/O.

IBM obviously sees a market for this, or they wouldn’t have put in the effort of developing this feature. For now, it’s only supported on Redhat Enterprise Linux 5.4 in combination with IBM’s tape drivers. So what would the use case be for a feature like this?

In their announcement they mention you can use it to store unused archive-able data. A customer case mentions saving a lot of money by moving old digital media to the LTFS, which I guess would make most sense. Media files are usually quite large. I wonder how this would be made a workable solution without radically disturbing the current operating procedures within a file serving environment. You’d have to create procedures on how to (manually) move the old file data to the tape tier (let’s call it tier3 for now). At the moment, I know of no automated mechanism that moves file data into another tier if it is not virtualized by a NAS-like device.

Next, the LTO media cartridge would remain in the drive for as long as the filesystem has to be mounted, eating up precious resources in case you are using this drive for backup purposes as well. Even if you were to buy an LTO5 drive for this purpose alone, this would cost quite a sum of money. For the price of a single LTO5 drive you would be able to buy a bunch of 2TB hard disks. Even then, you would be filling up a tape with about 1.5TB to 2.5TB (IBM numbers) depending on the compression rate. That’s not a large enough amount in your file sharing environment to make it worth your while I guess. It would make a lot more sense if you were able to attach an autochanger, like a tape library, to your RHEL server and have RHEL automatically load and mount the desired tape cartridge (a lot like any decent HSM appliance/application would).

Even with an autochanger or library solution, you would still need a mechanism to protect this archival data from a tape media failure, or you could be in a heap of trouble if that archived data would get lost.

What about filesystem checks? I imagine you can turn off filesystem checks, but in case the host goes down unplanned while writing data to the tape device, how can you make sure the data on the tape is not corrupted?

So what would work? Well, I had some ideas on this, and one would be to attach these LTO5 drives and library to the back of (in IBM’s case) an N-Series (NetApp) filer and load the LTFS code in there. That’s an issue now, as you would not be able to load FUSE modules into the ONTAP code. But, given IBM’s (and maybe even NetApp’s) resources, they should be able to code this into ONTAP or any other NAS head operating system. So later, if you can load the LTFS code into a NAS head you could be able to automatically migrate older data from high-end drives to midrange or even low-range drives, or if desired directly to tape. The end-users wouldn’t notice that, meaning they would not need to change their way of managing their files.

Since IBM already has an enterprise level file virtualization appliance with SONAS, I would think it would make sense to inject the LTFS code into SONAS and have one of their tape libraries attached to the back of SONAS with a bunch of drives. You would need to keep an index of all files in memory to present to the end users, and mount the required media in case an end user would eventually request an archived file. But again, this is nothing new in HSM land, so it shouldn’t be much trouble to incorporate this.

One thing that could pose a big issue to enterprise customers with millions of files is the amount of memory required to index these files. IBM documents show that you need 1GB of RAM for every 1 million files on the tape media.

My opinion on this LTFS feature is that it is quite nice and adds perfectly to the virtualization layers already in use throughout the datacenters, but not in its current offering. Stick it in SONAS or N-Series, and I think it would or could make a valuable addition into the quest to increase savings in environmental costs.

Please feel free to leave your remarks in the comments, or on twitter @iCoolen


26

04 2010