A joint post by Anuraj PD & Itzik Reich
PowerScale – the world’s most flexible and cyber-secure scale-out NAS solution – is powering up the new year with the launch of the innovative OneFS 9.5 release. With data integrity and protection being top of mind in this era of unprecedented corporate cyber threats, OneFS 9.5 brings an array of new security features and functionality to keep your unstructured data and workloads more secure than ever, as well as delivering significant performance gains on the PowerScale nodes – such as up to 55% higher performance on all-flash F600 and F900 nodes as compared with the previous OneFS release.
Improving performance for the most demanding workloads
OneFS 9.5 unlocks dramatic performance gains, particularly for the all-flash NVMe platforms, where the PowerScale F900 can now support line-rate streaming reads. SmartCache enhancements allow OneFS 9.5 to deliver streaming read performance gains of up to 55% on the F-series nodes, F600 and F900, delivering benefit to media and entertainment workloads, plus AI, machine learning, deep learning, and more.
Enhancements to SmartPools in OneFS 9.5 introduce configurable transfer limits. These limits include maximum capacity thresholds, expressed as a percentage, above which SmartPools will not attempt to move files to a particular tier, boosting both reliability and tiering performance.
Granular cluster performance control is enabled with the debut of PowerScale SmartQoS, which allows admins to configure limits on the maximum number of protocol operations that NFS, S3, SMB, or mixed protocol workloads can consume.
We are going to configure PowerScale SmartQoS, a new feature released with OneFS 9.5. SmartQoS lets us monitor cluster resource utilization and throttle the maximum number of protocol operations per second (Protocol Ops) that an individual pinned workload can consume. SmartQoS helps us use cluster resources efficiently as the cluster size increases and many workloads are placed on the same cluster.
Create Performance Dataset
A dataset is a grouping of workloads identified by the same metrics. Here we will create a dataset with path and protocol as the metrics to be monitored. We can create up to a maximum of 4 datasets, and each dataset can have up to 1024 workloads.
By pinning a workload, we select the specific path and protocol to be monitored. In this cluster we have four different nfs3 exports created on four different paths. A sample workload is also running on all of these exports to generate some utilization of the cluster resources. We will pin all four paths so that we can monitor the cluster resource utilization. As there is no throttling configured yet, all the workloads have similar utilization. It is also possible to configure the protocol ops limit while pinning, but we will do that as a separate step: first we want to monitor the current utilization, and then, based on the utilization and application priority, we will configure the throttling.
Currently all the workloads have similar utilization. Now we want to make sure app1 gets priority and the utilization of all other workloads is limited. The UI allows us to configure throttling individually or as a bulk operation. We will use the bulk operation, as we need to configure the throttling for three workloads.
After the throttling is configured, we can observe that the utilization of app1 goes up and the utilization of all other workloads is limited to the configured throttle value.
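The same steps driven from the OneFS CLI rather than the WebUI, as an added example that is not part of the original post. The dataset name, export paths, workload IDs and limit value are constructed, and the `isi performance` syntax is an assumption to confirm against the command's built-in help on your cluster; the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: CLI form of the walkthrough (create dataset, pin, list, throttle).
# Constructed values: dataset name, /ifs/data/appN paths, workload IDs, limit.
DATASET="smartqos_ds"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = run them on a node

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: dataset that groups workloads by protocol and path.
create_dataset() {
    run isi performance datasets create --name "$DATASET" protocol path
}

# Step 2: pin one nfs3 workload per export path, with no limit yet,
# so current utilization can be observed before throttling.
pin_workloads() {
    for path in "$@"; do
        run isi performance workloads pin "$DATASET" protocol:nfs3 "path:$path"
    done
}

# Step 3: bulk-apply one protocol-ops limit to several workload IDs.
# Usage: throttle_workloads LIMIT ID [ID...]
throttle_workloads() {
    limit="$1"; shift
    case "$limit" in
        ''|*[!0-9]*) echo "limit must be a whole number" >&2; return 1 ;;
    esac
    for id in "$@"; do
        run isi performance workloads modify "$DATASET" "$id" \
            --limits "protocol_ops:$limit"
    done
}

smartqos_walkthrough() {
    create_dataset
    pin_workloads /ifs/data/app1 /ifs/data/app2 /ifs/data/app3 /ifs/data/app4
    # The list output shows the ID assigned to each pinned workload.
    run isi performance workloads list "$DATASET"
    # app1 stays unthrottled; the other three share the same cap.
    throttle_workloads 50 101 102 103
}

smartqos_walkthrough
```

On a real cluster, read the workload IDs from the list output before calling `throttle_workloads`; the IDs 101 to 103 here are placeholders.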
You can access the PowerScale 9.5 documentation by clicking the screenshot below
More review on the PowerScale 9.5 release
Below, you can see a demo showing how to configure the SmartQoS feature
This section summarizes the new features in OneFS 9.5.
SupportAssist introduced as the new way to connect with Dell Technologies Support. – SupportAssist is the new remote connectivity system that connects your OneFS cluster with Dell Technologies Support. For more information, see the SupportAssist section in the OneFS Administration guide.
Host-based firewall added to OneFS. – The firewall controls inbound traffic on the front-end network. The firewall comes with predefined default policies that protect the OneFS default ports. You can modify the default policies and create custom policies. New Web UI options and isi network firewall commands are available.
Account policy restrictions have been updated. – Security restrictions can be configured to enforce a delay for subsequent logins after a failed administrative login. You can also disable inactive local accounts after a specified number of days, and limit the number of active sessions a user can have on a node.
Expanded password policy configuration. – Password complexity is configurable for each local provider, and password policies can be configured for each access zone.
Support for Active Directory domain encryption added. – If the Active Directory domain requires encryption, the redirector will enable and use encryption.
TLS options added for LDAP communications. – You can configure PKI communication between the OneFS cluster and an LDAP server to use TLS. Enable TLS and configure options in the isi auth ldap create or isi auth ldap modify commands. Options define levels of verification during the TLS handshake and include revocation checking against Online Certificate Status Protocol (OCSP) URIs.
Secure transfer of log files added. – The FTPS protocol support has been implemented for secure transfer of log files which protects cluster configuration logs from interception.
NFS persisted locks and waiters listings updated. – The NFS locks and waiters functionality is updated in the Web UI and CLI commands with new listing options.
Expanded certificate management in the web interface. – The OneFS web interface now includes the ability to import and manage your certificates. For more information, see the Certificates section of the OneFS Web Administration Guide.
Read performance has been improved. – Improved read performance for NFS over RDMA.
Smart QoS (partitioned performance) workload limits updated. – Protocol operations limits added on workloads.
HealthCheck definition packages have been enhanced. – Removed the HealthCheck definition package list from the output of the patch CLI isi upgrade patch list.
OneFS PAPI command added to enable or disable USB port connectivity. – Security command added to configure authorization and authenticity of peripherals (typically attached using USB connections to the node’s hardware).
Command to disable all USB peripheral ports is added. – You can disable all USB ports across the cluster with an option that was added to the isi security settings modify command. The STIG hardening profile disables all USB ports across the cluster.
Configurable option added for setting a threshold limit of SmartPools. – Set a maximum threshold limit that stops moving files from source to target node pools or tier.
SyncIQ updated file create time in target location. – SyncIQ target location files are updated to display the same create time (c-time) as the file in the source location. This update takes effect as files are synced.
Support for the Nvidia ConnectX-6 Ethernet Adapter added. – Support for the Nvidia ConnectX-6 Ethernet adapter has been added to OneFS in version 9.5.
Remove earlier versions of software components. – Once a version of a software component (like Python or SQLite) is installed, OneFS removes any earlier versions of that software component.
The Python version has been updated. – The Python version has been updated from 2.7.x to 3.8.x in OneFS.
The Python urllib3 library has been updated. – The Python library urllib3 was updated to version 1.26.9.
The libxml2 library has been updated. – The libxml2 library was updated to version 2.9.14.
Support added for newer versions of CURL. – OneFS 9.5 supports CURL 7.83.0.
Expanded support for IPv6 on OneFS. – A new IPv6 configuration option enables or disables IPv6 on the cluster. Other options include several duplicate address detection (DAD) settings, IPv6 automatic configuration, local link generation, and processing of ICMPv6 redirect messages. IPv6 configuration was changed to use the isi network external modify, isi network pools create, and isi network pools modify commands.
OneFS auditing includes a new system audit topic. – System audits collect platform events, such as shutdowns and reboots, and account related events, such as password changes.
Syslog forwarding in the audit module is improved. – The syslog forwarding feature in the auditing module forwards logs directly to the configured remote servers. The local collection that occurred in previous releases is eliminated.
TLS options added to syslog forwarding in the audit module. – You can configure syslog forwarding to use TLS. You can configure each audit topic (configuration, protocol, and system) separately for TLS. Each audit topic.
Root password changes are audited. – The system audit topic captures root password changes. This feature is always on and cannot be disabled.
Restricted CLI provides an audited and limited CLI. – The Restricted CLI is a new login shell. All commands that are issued in the Restricted CLI are logged. No file access is permitted. For information about the Restricted CLI, see the PowerScale OneFS 9.5 Security Configuration Guide.
The bash shell has been updated. – The bash shell is updated to version 5.1.16.
Rekey feature added to the key store manager. – You can reencrypt the OneFS keystores without interrupting processing. There are separate reencrypting commands for the cluster key store and the self-encrypted drive (SED) key stores.
Single sign-on capability added to the WebUI. – The WebUI includes a wizard for enabling single sign-ons.
Apache changes have been added. – The OneFS HTTP data paths and control paths are separated. The two paths use separate ports. Configuration parameters in the isi http settings modify command can set Apache directives that control session timeouts.
FIPS 140-2 compliance for hardening clusters. – The STIG hardening profile implements the FIPS 140-2 cryptographic algorithms and disables services that do not comply with the standard. In nonhardening mode, you can enable FIPS mode to use the cryptographic algorithms.
Improved workflows in the Hardening Module. – The workflows for applying a hardening profile and returning to system defaults are simplified.
Hardening Module includes new profile reports. – A profile report lists all rules in the profile and indicates whether the cluster complies with each rule. The verbose option shows, for each rule, where the rule is configured, the expected value for compliance, and the current value on the cluster.
STIG hardening profile complies with the Approved Products List (APL). – Many new rules are added to the STIG profile. The new rules configure a cluster to comply with the United States Federal Government APL.