Monday, February 29, 2016

Deploying the Nutanix Acropolis File Server

Nutanix introduced a cool new feature in AOS 4.6 called Acropolis File Server (AFS). This is a distributed, highly available file server that runs on your existing Nutanix cluster and uses the same storage pool that backs your Acropolis Distributed Storage Fabric.

Before I go into too many details, I should point out that the AFS is in Tech Preview in 4.6, and is only available if you're running Acropolis Hypervisor.

Now that the disclaimer is out of the way, let's walk through setting up an Acropolis File Server.

Login to Prism and click the Home menu button at the top. You'll notice a new entry in this list compared to previous releases, called File Server. Click on that.

Now click on the "+ File Server" button in the top right corner. If you've been using Nutanix for a while, this type of button should look familiar.



If you're running AOS 4.6, you'll be warned that the file server feature is in Tech Preview and not intended for production workloads. There is also no promised upgrade path from the 4.6 version to a future GA version.


Click Continue

Now you can define your AFS server properties, starting with the name. This is the name that will be added as a Computer object to Active Directory, and thus DNS. This is your single namespace, so choose wisely.

You can provide other details here as well. Just like with your first Nutanix cluster, the minimum number of AFS nodes is 3. There are limited vCPU and RAM options for these VMs. I chose the minimum allowed configuration.


Click Next

On the network page, you can choose both an internal (AFS VMs to CVMs) and external (clients to AFS VMs) network for the AFS VMs to use. I was lazy and chose a single flat network for both and it seems to work. Don't forget to add your DNS and NTP servers.


On the next screen, you define your Active Directory domain and provide credentials. This will create a Computer object in AD, and if you're using Active Directory integrated DNS, DNS records for the AFS VMs.


Now sit back and wait for the VMs to be created. A blue status icon will appear at the top of Prism.



If you navigate to the VMs menu, you will soon see the VMs show up in the list. I filtered to keep the list small.


You can even open a console to the VMs, but there isn't much to see.


Once the task hits 100%, you can create your first share. Click the Home menu again and select File Server. On the upper right side, you should see a + Share button.

I want to use this share as a home drive for my VDI users, so I've called the share Home.


That's about all there is to it from a Nutanix perspective. You may be wondering where to set file share permissions. I suggest finding the AFS Computer object in Active Directory, right-clicking and selecting Manage. This will bring up the familiar Computer Management snap-in. In my experience, this took a while. You may also just try to make a UNC connection straight to \\afs.fqdn\sharename if you prefer. Whichever way you do it, you want to get into the share properties so that you can adjust the Windows Security settings. By default, Domain Admins have access to the share.


In my case, I used the Advanced button in order to add my AD account to the ACL with Full Control.

Don't be fooled by the built-in Administrators and Users groups. I found Administrators to have my Domain Admins group nested, and the Domain Users group was nested in the Users group. However, I found the permissions to be inadequate for writing to the share. Maybe it had something to do with cross-domain AD membership and Kerberos or something. I'm not 100% sure but found it best to explicitly set the permission with my account and not leverage the built-in groups. For security's sake you may want to at least remove the Users built-in group.
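The same two changes (an explicit Full Control entry for one account, and removal of the built-in Users group) can be scripted from any domain-joined Windows host instead of clicking through the Security tab. This is an added example, not code from the original post or from Nutanix; the server FQDN, share name and account name are placeholders you must replace.

```powershell
# Added example (not from the original post): adjust the Home share ACL over the UNC path.
# All three values below are placeholders.
$Share   = '\\afs.example.com\Home'   # placeholder: FQDN of the AFS file server and share
$Account = 'EXAMPLE\alice'            # placeholder: domain account that should get Full Control

# Read the current DACL of the share root and show it before changing anything.
$acl = Get-Acl -Path $Share
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Add an explicit Full Control entry that propagates to subfolders and files,
# which is what the Advanced button does interactively.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'FullControl', $inherit, 'None', 'Allow')
$acl.AddAccessRule($rule)

# Remove every explicit entry granted to the built-in Users group.
# (Inherited entries cannot be purged this way; there should be none at the share root.)
$users = [System.Security.Principal.NTAccount]::new('BUILTIN', 'Users')
$acl.PurgeAccessRules($users)

Set-Acl -Path $Share -AclObject $acl

# Confirm: the account is present, and no Users entry remains.
(Get-Acl -Path $Share).Access |
    Where-Object { $_.IdentityReference -eq $Account -or $_.IdentityReference -like '*\Users' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Set-Acl writes the owner field back as well as the DACL, so if the calling account is not the current owner of the share root it can fail with an owner error; in that case write only the modified sections with `(Get-Item $Share).SetAccessControl($acl)` instead of the Set-Acl line. Review the first table before running the rest so you know which entries you are about to drop.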

Now you should be able to create a directory in the share. For some reason, Acropolis File Server does not allow you to create files at the root of the share, only directories. In my case I plan to create a unique directory for every user, so that's not a show stopper. 


You may wonder how the single namespace works with DNS. Since I have three AFS VMs, I have 3 different DNS A records for the same file server name, each pointing to the unique external IP of the respective AFS VM.

You may also wonder how the overall lookup and authentication flow works. Thanks to Dwayne Lessner (@dlink7) for providing this image and the steps.


The above diagram shows what happens behind the scenes when a client sends a file access request.

1. When a user “Nicki” wants to access her files, a DNS request is first sent for the file server name.
2. A DNS reply comes back with the address of a file server VM, using DNS round robin; in this example, the IP for file server VM-1 was returned first.
3. A create/open request is sent to file server VM-1.
4. The \Nicki folder doesn’t exist on VM-1, so a STATUS_PATH_NOT_COVERED is returned.
5. The client then requests a DFS referral for the folder.
6. File server VM-1 refers the client to file server VM-3 by looking up the correct mapping in the file server’s zookeeper.
7. A DNS request goes out to resolve file server VM-3.
8. The DNS request returns the IP of file server VM-3.
9. The client gets access to the correct folder.
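You can watch both halves of this from a Windows client: the round-robin A records behind the single namespace, and the file server VM the referral finally lands on. This is an added example, not part of the original post or a Nutanix tool; the file server name, share and user folder are placeholders.

```powershell
# Added example (not from the original post): verify the namespace DNS records and
# observe which AFS VM ends up serving a per-user folder. Names are placeholders.
$FileServer = 'afs.example.com'            # placeholder: AFS name registered in AD DNS
$Share      = "\\$FileServer\Home"
$UserFolder = Join-Path $Share 'Nicki'     # placeholder per-user directory, as in the diagram

# Steps 1-2: the file server name should resolve to one A record per AFS VM.
# With three AFS VMs you expect three addresses, returned in rotating order.
$records = @(Resolve-DnsName -Name $FileServer -Type A)
$records | Select-Object Name, IPAddress, TTL | Format-Table -AutoSize
if ($records.Count -lt 3) {
    Write-Warning "Expected at least 3 A records for $FileServer, got $($records.Count)"
}

# Steps 3-9: opening or creating the per-user folder triggers the referral.
# Files cannot be created at the share root, only directories, so this creates a directory.
if (-not (Test-Path -Path $UserFolder)) {
    New-Item -Path $UserFolder -ItemType Directory | Out-Null
}
Get-ChildItem -Path $Share | Select-Object Name, LastWriteTime

# The SMB client keeps its session with the VM the referral pointed at, so ServerName
# here should show the AFS VM that actually serves the folder, which need not be the
# address DNS returned first.
Get-SmbConnection |
    Where-Object { $_.ShareName -eq 'Home' } |
    Select-Object ServerName, ShareName, UserName, Dialect, NumOpens |
    Format-Table -AutoSize
```

Run `Resolve-DnsName` a few times to see the address order rotate; if the same address always comes first, check that round robin is enabled on the DNS server that hosts the zone. If `Get-SmbConnection` shows only the name you typed and never an individual VM, the referral did not happen and the folder is being served directly by the first VM.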
