Teaching material
based on Distributed
Systems: Concepts
and Design, Edition 3,
Addison-Wesley 2001.
Distributed Systems Course
Viewing: These slides
must be viewed in
slide show mode.
nh
Vi
en
Zo
Chapter 2 Revision: Failure model
Chapter 8:
8.1
8.2
8.3
[8.4
8.5
8.6
Si
Copyright © George
Coulouris, Jean Dollimore,
Tim Kindberg 2001
email:
This material is made
available for private study
and for direct use by
individual teachers.
It may not be included in any
product or employed in any
service without the written
permission of the authors.
ne
.C
om
Distributed File Systems
SinhVienZone.com
Introduction
File service architecture
Sun Network File System (NFS)
Andrew File System (personal study)]
Recent advances
Summary
/>
om
Learning objectives
ne
.C
Understand the requirements that affect the design
of distributed services
nh
Vi
en
Obtain a knowledge of file systems, both local and networked
Caching as an essential design technique
Remote interfaces are not the same as APIs
Security requires special consideration
Si
–
–
–
–
Zo
NFS: understand how a relatively simple, widelyused service is designed
Recent advances: appreciate the ongoing research
that often leads to major advances
SinhVienZone.com
2
/>
Chapter 2 Revision: Failure model
Description
Process halts and remains halted. Other processes may
detect this state.
Crash
Process Process halts and remains halted. Other processes may
not be able to detect this state.
Omission
Channel A message inserted in an outgoing message buffer never
arrives at the other end’s incoming message buffer.
Send-omission Process A process completes a send, but the message is not put
in its outgoing message buffer.
Receive-omission Process A message is put in a process’s incoming message
buffer, but that process does not receive it.
Arbitrary
Process Process/channel exhibits arbitrary behaviour: it may
(Byzantine)
or channel send/transmit arbitrary messages at arbitrary times,
commit omissions; a process may stop or take an
incorrect step.
.C
Affects
Process
Si
nh
Vi
en
Zo
ne
Class of failure
Fail-stop
om
Figure 2.11
SinhVienZone.com
3
/>
om
Storage systems and their properties
ne
.C
In first generation of distributed systems (1974-95),
file systems (e.g. NFS) were the only networked
storage systems.
Si
nh
Vi
en
Zo
With the advent of distributed object systems
(CORBA, Java) and the web, the picture has
become more complex.
SinhVienZone.com
4
/>
Storage systems and their properties
om
Types of consistency between copies: 1 - strict one-copy consistency
√ - approximate consistency
X - no automatic consistency
.C
Figure 8.1
ne
Sharing Persis- Distributed
Consistency Example
tence
cache/replicas maintenance
File system
Distributed file system
Web
1
RAM
1
UNIX file system
Sun NFS
Web server
Ivy (Ch. 16)
Si
Distributed shared memory
nh
Vi
en
Zo
Main memory
Remote objects (RMI/ORB)
1
CORBA
Persistent object store
1
CORBA Persistent
Object Service
Persistent distributed object store
SinhVienZone.com
PerDiS, Khazana
5
/>
What is a file system?
1
om
Persistent stored data sets
.C
Hierarchic name space visible to all processes
ne
API with the following characteristics:
Zo
– access and update operations on persistently stored data sets
– Sequential access model (with additional random facilities)
nh
Vi
en
Sharing of data between users, with access control
Concurrent access:
– certainly for read-only access
– what about updates?
Si
Other features:
– mountable file stores
– more? ...
SinhVienZone.com
6
/>
*
2
om
What is a file system?
ne
nh
Vi
en
status = close(filedes)
count = read(filedes, buffer, n)
count = write(filedes, buffer, n)
Opens an existing file with the given name.
Creates a new file with the given name.
Both operations deliver a file descriptor referencing the open
file. The mode is read, write or both.
Closes the open file filedes.
Transfers n bytes from the file referenced by filedes to buffer.
Transfers n bytes to the file referenced by filedes from buffer.
Both operations deliver the number of bytes actually transferred
and advance the read-write pointer.
Moves the read-write pointer to offset (relative or absolute,
depending on whence).
Removes the file name from the directory structure. If the file
has no other names, it is deleted.
Adds a new name (name2) for a file (name1).
Gets the file attributes for file name into buffer.
Zo
filedes = open(name, mode)
filedes = creat(name, mode)
.C
Figure 8.4 UNIX file system operations
Si
pos = lseek(filedes, offset,
whence)
status = unlink(name)
status = link(name1, name2)
status = stat(name, buffer)
SinhVienZone.com
7
/>
*
4
om
What is a file system?
Figure 8.3 File attribute record structure
ne
.C
File length
Creation timestamp
updated
by system:
nh
Vi
en
Zo
Read timestamp
Write timestamp
updated
by owner:
Si
Attribute timestamp
Reference count
Owner
File type
Access control list
E.g. for UNIX: rw-rw-r-SinhVienZone.com
9
/>
*
File service requirements
Heterogeneity
Fault tolerance
Consistency
Efficiency..
om
.C
Si
Security
ne
Replication
Zo
Concurrency
Tranparencies
Concurrency
properties
Replication
properties
Heterogeneity
Access:
Sameproperties
operations
Fault
tolerance
Consistency
Isolation
Security
File
service
maintains
multiple
identical
copies
of
Efficiency
Service
can
be
accessed
by
clients
running
on
Location:
Same
name
space
after
relocation
of
Service
must
continue
tocontrol
operate
even
when
Unix
offers
one-copy
update
semantics
for asclients
File-level
or
record-level
locking
files
Must
maintain
access
and
privacy
(almost)
any
OS
or hardware
platform.
Goal
for
distributed
file systems
is usually for
files
or
processes
make
errors
or
crash.
operations
on local files - caching is completely
local
files.
Other
forms
of
concurrency
control
to
minimise
•
Load-sharing
between
servers
makes
service
performance
comparable
tothe
local
file
system.
Design
must
be
compatible
with
file
systems
of
Mobility:
Automatic
relocation
of
files
is
possible
transparent.
•more
at-most-once
semantics
•based
on identity of user making request
contention
scalable
different
OSes
Performance:
Satisfactory
performance
across a
Difficult
to
achieve
the
same
for
distributed
file
•
at-least-once
semantics
•identities
of
remote
users must
be authenticated
• Service
Local access
has
better
response
(lower
latency)
specified
rangebe
of open
system
loads
interfaces
must
- precise
systems
while
maintaining
good
performance
•requires
idempotent
operations
•privacy
requires
secure
communication
• Fault
specifications
APIs
published.
Scaling:
Service of
can
be are
expanded
to meet
andtolerance
scalability.
Service must
resume
after
a server
machine not
interfaces
are
open
to all processes
additional
loads
FullService
replication
is difficult
to
implement.
crashes.
excluded by a firewall.
Caching (of all or part of a file) gives most of the
If the service
is replicated,
it can continue
impersonation
andto
other
benefits •vulnerable
(except faulttotolerance)
operate
even during a server crash.
attacks
nh
Vi
en
Transparency
SinhVienZone.com
10
/>
*
Model file service architecture
Figure 8.5
om
Lookup
AddName
UnName
GetNames
ne
Server computer
Directory service
Zo
nh
Vi
en
Application Application
program
program
.C
Client computer
Flat file service
Si
Client module
SinhVienZone.com
Read
Write
Create
Delete
GetAttributes
SetAttributes
11
/>
Server operations for the model file service
om
Figures 8.6 and 8.7
Flat file service
Directory service
.C
position of first byte
Delete(FileId)
nh
Vi
en
Create() -> FileId
Si
GetAttributes(FileId) -> Attr
SetAttributes(FileId, Attr)
SinhVienZone.com
Zo
position of first byte
Write(FileId, i, Data)
Lookup(Dir, Name) -> FileId
FileId
AddName(Dir, Name, File)
ne
Read(FileId, i, n) -> Data
UnName(Dir, Name)
GetNames(Dir, Pattern) -> NameSeq
Pathname lookup
FileId
Pathnames
such as '/usr/bin/tar' are resolved
Aby
unique
identifier
anywhere
thefor
iterative
callsfor
to files
lookup(),
oneincall
network.
each component of the path, starting with
the ID of the root directory '/' which is
known in every client.
12
/>
*
om
File Group
Zo
ne
located on any server or moved
between servers while
maintaining the same names.
Si
nh
Vi
en
– Similar to a UNIX filesystem
– Helps with distributing the load of file
serving between several servers.
– File groups have identifiers which are
unique throughout the system (and
hence for an open system, they must
be globally unique).
Used to refer to file groups and files
SinhVienZone.com
13
To construct a globally unique
ID we use some unique
attribute of the machine on
which it is created, e.g. IP
number, even though the file
group may move subsequently.
.C
A collection of files that can be
File Group ID:
32 bits
IP address
/>
16 bits
date
*
om
Case Study: Sun NFS
An industry standard for file sharing on local networks since the 1980s
.C
An open standard with clear and simple interfaces
ne
Closely follows the abstract file service model defined above
transparency
heterogeneity
efficiency
fault tolerance
nh
Vi
en
–
–
–
–
Zo
Supports many of the design requirements already mentioned:
–
–
–
–
concurrency
replication
consistency
security
Si
Limited achievement of:
SinhVienZone.com
14
/>
*
NFS architecture
Client computer
om
Figure 8.8
NFS
Application
program Client
Application Application
program
program
Operations
on local files
ne
Operations
on
remote files
NFS
client
Virtual file system
NFS
server
NFS
Client
Si
UNIX
file
system
nh
Vi
en
Virtual file system
Other
file system
UNIX kernel
Application
program
Kernel
Zo
UNIX
system calls
Server computer
.C
Client computer
UNIX
file
system
NFS
protocol
(remote operations)
SinhVienZone.com
15
/>
*
om
NFS architecture:
does the implementation have to be in the system kernel?
No:
Zo
ne
.C
– there are examples of NFS clients and servers that run at applicationlevel as libraries or processes (e.g. early Windows and MacOS
implementations, current PocketPC, etc.)
nh
Vi
en
But, for a Unix implementation there are advantages:
– Binary code compatible - no need to recompile applications
Standard system calls that access remote files can be routed through the
NFS client module by the kernel
Si
– Shared cache of recently-used blocks at client
– Kernel-level server can access i-nodes and file blocks directly
but a privileged (root) application program could do almost the same.
– Security of the encryption key used for authentication.
SinhVienZone.com
16
/>
*
NFS server operations (simplified)
nh
Vi
en
Zo
ne
.C
fh = fileModel
handle:flat file service
read(fh, offset, count) -> attr, data
Read(FileId, i, n) -> Data
write(fh, offset, count, data) -> attr
identifier i-node
number i-node generation
Write(FileId,
i, Data)
create(dirfh, name, attr) -> newfh, attr Filesystem
Create() -> FileId
remove(dirfh, name) status
Delete(FileId)
getattr(fh) -> attr
GetAttributes(FileId) -> Attr
setattr(fh, attr) -> attr
SetAttributes(FileId, Attr)
lookup(dirfh, name) -> fh, attr
rename(dirfh, name, todirfh, toname)
Model directory service
link(newdirfh, newname, dirfh, name)
Lookup(Dir, Name) -> FileId
readdir(dirfh, cookie, count) -> entries
AddName(Dir, Name, File)
symlink(newdirfh, newname, string) -> statusUnName(Dir, Name)
readlink(fh) -> string
GetNames(Dir, Pattern)
mkdir(dirfh, name, attr) -> newfh, attr
->NameSeq
rmdir(dirfh, name) -> status
statfs(fh) -> fsstats
Si
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
om
Figure 8.9
SinhVienZone.com
17
/>
*
om
NFS access control and authentication
.C
Stateless server, so the user's identity and access rights must
be checked by the server on each request.
ne
– In the local file system they are checked only on open()
Zo
Every client request is accompanied by the userID and groupID
nh
Vi
en
– not shown in the Figure 8.9 because they are inserted by the RPC system
Server is exposed to imposter attacks unless the userID and
groupID are protected by encryption
Si
Kerberos has been integrated with NFS to provide a stronger
and more comprehensive security solution
– Kerberos is described in Chapter 7. Integration of NFS with Kerberos is covered
later in this chapter.
SinhVienZone.com
18
/>
*
om
Mount service
ne
.C
Mount operation:
mount(remotehost, remotedirectory, localdirectory)
nh
Vi
en
Zo
Server maintains a table of clients who have
mounted filesystems at that server
Si
Each client maintains a table of mounted file
systems holding:
< IP address, port number, file handle>
Hard versus soft mounts
SinhVienZone.com
19
/>
*
Local and remote file systems accessible on an NFS client
Client
(root)
(root)
...
usr
nfs
Remote
people
mount
students
Remote
x
Si
big jon bob
vmunix
nh
Vi
en
export
Zo
ne
(root)
Server 2
.C
Server 1
om
Figure 8.10
...
staff
mount
users
jim ann jane joe
Note: The file system mounted at /usr/students in the client is actually the sub-tree located at /export/people in Server 1;
the file system mounted at /usr/staff in the client is actually the sub-tree located at /nfs/users in Server 2.
SinhVienZone.com
20
/>
*
om
NFS optimization - server caching
Similar to UNIX file caching for local files:
nh
Vi
en
Zo
ne
.C
– pages (blocks) from disk are held in a main memory buffer cache until the space
is required for newer pages. Read-ahead and delayed-write optimizations.
– For local files, writes are deferred to next sync event (30 second intervals)
– Works well in local context, where files are always accessed through the local
cache, but in the remote case it doesn't offer necessary synchronization
guarantees to clients.
NFS v3 servers offers two strategies for updating the disk:
Si
– write-through - altered pages are written to disk as soon as they are received at
the server. When a write() RPC returns, the NFS client knows that the page is
on the disk.
– delayed commit - pages are held only in the cache until a commit() call is
received for the relevant file. This is the default mode used by NFS v3 clients. A
commit() is issued by the client whenever a file is closed.
SinhVienZone.com
23
/>
*
om
NFS optimization - client caching
.C
Server caching does nothing to reduce RPC traffic between
client and server
ne
– further optimization is essential to reduce server load in large networks
nh
Vi
en
Zo
– NFS client module caches the results of read, write, getattr, lookup and readdir
operations
– synchronization of file contents (one-copy semantics) is not guaranteed when
two or more clients are sharing the same file.
Timestamp-based validity check
Si
– reduces inconsistency, but doesn't eliminate it
– validity condition for cache entries at the client:
(T - Tc < t) v (Tmclient = Tmserver)
– t is configurable (per file) but is typically set to
3 seconds for files and 30 secs. for directories
– it remains difficult to write distributed
applications that share files with NFS
SinhVienZone.com
24
t
Tc
freshness guarantee
time when cache entry was last
validated
Tm time when block was last
updated at server
T current time
/>
*
om
Other NFS optimizations
Sun RPC runs over UDP by default (can use TCP if required)
ne
.C
Uses UNIX BSD Fast File System with 8-kbyte blocks
Zo
reads() and writes() can be of any size (negotiated between
client and server)
nh
Vi
en
the guaranteed freshness interval t is set adaptively for
individual files to reduce gettattr() calls needed to update Tm
Si
file attribute information (including Tm) is piggybacked in
replies to all file requests
SinhVienZone.com
25
/>
*
NFS summary
1
.C
om
An excellent example of a simple, robust, high-performance
distributed service.
ne
Achievement of transparencies (See section 1.4.7):
Zo
Access: Excellent; the API is the UNIX system call interface for both local
and remote files.
nh
Vi
en
Location: Not guaranteed but normally achieved; naming of filesystems is
controlled by client mount operations, but transparency can be ensured
by an appropriate system configuration.
Si
Concurrency: Limited but adequate for most purposes; when read-write
files are shared concurrently between clients, consistency is not perfect.
Replication: Limited to read-only file systems; for writable files, the SUN
Network Information Service (NIS) runs over NFS and is used to
replicate essential system files, see Chapter 14.
SinhVienZone.com
27
/>
cont'd *
NFS summary
2
om
Achievement of transparencies (continued):
ne
.C
Failure: Limited but effective; service is suspended if a server fails.
Recovery from failures is aided by the simple stateless design.
Mobility: Hardly achieved; relocation of files is not possible, relocation of
Zo
filesystems is possible, but requires updates to client configurations.
nh
Vi
en
Performance: Good; multiprocessor servers achieve very high
performance, but for a single filesystem it's not possible to go beyond
the throughput of a multiprocessor server.
Si
Scaling: Good; filesystems (file groups) may be subdivided and allocated
to separate servers. Ultimately, the performance limit is determined by
the load on the server holding the most heavily-used filesystem (file
group).
SinhVienZone.com
28
/>
*
om
Recent advances in file services
NFS enhancements
nh
Vi
en
Zo
ne
.C
WebNFS - NFS server implements a web-like service on a well-known port.
Requests use a 'public file handle' and a pathname-capable variant of lookup().
Enables applications to access NFS servers directly, e.g. to read a portion of a
large file.
One-copy update semantics (Spritely NFS, NQNFS) - Include an open()
operation and maintain tables of open files at servers, which are used to
prevent multiple writers and to generate callbacks to clients notifying them of
updates. Performance was improved by reduction in gettattr() traffic.
Improvements in disk storage organisation
Si
RAID - improves performance and reliability by striping data redundantly across
several disk drives
Log-structured file storage - updated pages are stored contiguously in memory
and committed to disk in large contiguous blocks (~ 1 Mbyte). File maps are
modified whenever an update occurs. Garbage collection to recover disk space.
SinhVienZone.com
34
/>
*