Overview
This article is about a problem I was interested in and found both enjoyable and challenging: solving a crucial issue for a Broadridge client, sharing a filesystem between Linux and Windows on Amazon AWS.
Problem Statement
The Broadridge client had a unique requirement for the dmEdge project: an application running on an AWS Cloud Linux instance needs to share a filesystem with an application running on an AWS Cloud Windows instance.
R&D/Proof of Concept (POC)
Amazon EFS is not supported on Windows instances, so it does not meet the problem statement.
To resolve the problem and find the best possible solution, I carried out the following proofs of concept:
Sharing the filesystem with AWS EFS + Samba Server (AWS Cloud Linux) + Windows
Sharing the filesystem with ObjectiveFS + Samba (AWS Cloud Linux) + Windows
Sharing the filesystem with Samba (AWS Cloud Linux) + Windows
Etc.…
Conclusion
Upon thorough study, I found that for web server workloads ObjectiveFS suits best, with higher performance and lower latency compared to Amazon EFS, etc. The key performance statistics between ObjectiveFS and AWS EFS are listed below:
Criteria | ObjectiveFS | EFS |
Reliability | Backed by Amazon S3 | NFS-based (NFSv4) protocol |
Storage Durability | 99.999999999% by S3 | Not specified |
Performance | Always high performance | Pay for performance |
Performance: Small Files | 80X faster than EFS (info) | Slow for small files |
Performance: Large Files | 350MB/s (info) | 100MB/s |
Scalability | 1 to 1000s | 1 to 1000s |
Storage Cost | S3: $0.03/GB. S3 Pricing | EFS: $0.30/GB in US East (N. Virginia). EFS Pricing |
Security | End-to-end encryption | Data at rest is encrypted. Data in transit encryption is in preview. |
Availability | Supports all regions | Currently only in 6 regions (Northern Virginia, Ohio, Oregon, Northern California) |
Accessibility | Access from anywhere | Limited to same region as EC2 instances using it |
Product Maturity | In production since 2013 | Released in July 2016 |
OS Supported | Linux, OS X, Windows via Samba/NFS | Linux only. Using Amazon EFS with Microsoft Windows Amazon EC2 instances is not supported. |
Backup and Disaster Recovery | Secure storage such as S3 and on-premise S3-compatible object stores. Can use the built-in Snapshot feature to recover point-in-time snapshots of your data. Can use S3 Cross-Region-Replication | Custom coded EFS-to-EFS Backup solution |
Features | | |
Snapshots | Automatic & Checkpoint | – |
Data integrity | Strong checksums | – |
Cross-region access | Yes | – |
Local disk cache | Yes | – |
Compression | Yes | – |
Transfer Acceleration | Yes | – |
AWS IAM support | Yes | Yes |
User/Group ID mapping | Yes | Yes |
AWS KMS support | Yes | Yes |
Client-side encryption | Yes | – |
Server-side encryption | Yes | Yes |
The following sections cover the steps to share your ObjectiveFS filesystem from Linux to Windows via Samba.
Download/Install ObjectiveFS and Export ObjectiveFS to Windows via Samba
Launch EC2 Linux instance by following the Broadridge guidelines.
Note: Choose Broadridge approved hardened Image
- Connect to your Amazon EC2 instance.
- Elevate your user privileges.
sudo su
- Update the EC2 instance.
yum update -y
- After you’ve connected, install ObjectiveFS with the following command.
Note: ObjectiveFS is a licensed product; you need an account and a license.
$ curl -O https://objectivefs.com/user/download/acpbuxv5r/objectivefs-5.4-1.x86_64.rpm
$ yum install objectivefs-5.4-1.x86_64.rpm
- Verify NTP has a small offset (<1 sec):
$ /usr/sbin/ntpdate -q pool.ntp.org
- Configure your credentials. If using keys, get your S3 Keys.
Note: Create user name ‘logger’ when getting S3 keys.
$ sudo mount.objectivefs config
Enter ObjectiveFS license: <your objectivefs license>
Enter Access Key Id: <your AWS or GCS access key>
Enter Secret Access Key: <your AWS or GCS secret key>
Enter Default Region (optional): <S3 or GCS region>
If using IAM roles
$ sudo mount.objectivefs config -i
Enter ObjectiveFS license: <your objectivefs license>
Enter Metadata Host [169.254.169.254]: <your metadata host ip>
Enter Default Region (optional): <S3 or GCS region>
- Create a file system:
For your filesystem name, use a globally unique, non-secret name (i.e. a new bucket not used by others) and ObjectiveFS will create a new bucket with that name for your filesystem.
Choose a strong passphrase, write it down and store it somewhere safe.
IMPORTANT: Without the passphrase, there is no way to recover any files
Default region: The default region entered in step 2 (if not specified, us-west-2 for AWS)
$ sudo mount.objectivefs create <your filesystem name>
Passphrase: <your passphrase>
Verify passphrase: <your passphrase>
To specify your filesystem region:
$ sudo mount.objectivefs create -l <your region> <your filesystem name>
Passphrase: <your passphrase>
Verify passphrase: <your passphrase>
- Mount the file system
You need an existing empty directory to mount your file system, e.g. ofs. Process will run in the background.
$ sudo mkdir /ofs
$ sudo mount.objectivefs <your filesystem name> /ofs
Passphrase: <your passphrase>
Alternatively, you can mount a filesystem called ofs with S3 Transfer Acceleration enabled for faster file transfers.
$ sudo mkdir /ofs
$ sudo AWS_TRANSFER_ACCELERATION=1 mount.objectivefs <your filesystem name> /ofs
Passphrase: <your passphrase>
- Install Samba
CentOS command as follows:
$ sudo yum install samba
- Use nano (for example nano /etc/samba/smb.conf) and paste the following at the end.
[ofs]
path = /ofs
valid users = logger
read only = no
guest ok = yes
writable = yes
browseable = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
nt acl support = yes
create mask = 0700
directory mask = 0700
force user = logger
Note: The ‘force user’ parameter allows the Windows user ‘logger’ to write data into the Windows share.
Or otherwise, if you want to reach those shares from any machine on your network, paste the following at the end. Since we set that share as anonymous, users won’t have to log in to access the files and folders within.
[Anonymous]
path = /ofs
browsable = yes
writable = yes
read only = no
Or otherwise, create Windows EC2 instances root userid/password and configure it in samba to connect.
Or otherwise, create local user account on Windows EC2 instances with samba account userid/password to connect samba share.
- Save the file and start Samba with: service smb start. To make sure the configuration file is set up correctly, validate it with testparm.
$ testparm
- Exit out and create a user, logger in this case. Note: This user ID/password is needed on Windows to log in and connect to the Samba share.
useradd logger
passwd logger
- Create the same password in smb:
smbpasswd -a logger
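A quick audit of the share definitions above, as an added example that is not part of the original article: it flags a share that sets guest ok alongside valid users, and a writable share with no valid users, which any account Samba can authenticate may modify. The sample input is constructed from this article's two share configurations plus a hypothetical [ofs-strict] share, and the findings policy is an assumption of the example.

```shell
# Added example, not the article's code: per-share audit of an smb.conf-style
# file. Parameter names are real Samba ones; the findings policy is assumed.
audit_smb_shares() {   # $1 = config path; prints one "share: finding" per line
    awk '
    function is_yes(v) { return (v == "yes" || v == "true" || v == "1") }
    function finish() {
        if (share == "" || tolower(share) == "global") return
        if (guest && users)
            print share ": guest ok is set on a share restricted by valid users"
        if (guest && !users)
            print share ": anonymous " (rw ? "read-write" : "read-only") " access"
        if (!guest && !users && rw)
            print share ": writable by any authenticated account (no valid users)"
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[/ {                               # a new [section] starts
        finish()
        share = $0; gsub(/^[ \t]*\[|\].*$/, "", share)
        guest = users = rw = 0                  # Samba defaults: no guest, read only
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and spaces inside parameter names
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "guestok" || key == "public") guest = is_yes(val)
        else if (key == "validusers")            users = (val != "")
        else if (key == "readonly")              rw = !is_yes(val)
        else if (key ~ /^(writable|writeable|writeok)$/) rw = is_yes(val)
    }
    END { finish() }
    ' "$1"
}
sample_conf() {   # constructed input: subset of the article's shares + a strict one
    cat <<'EOF'
[ofs]
valid users = logger
read only = no
guest ok = yes
[Anonymous]
writable = yes
[ofs-strict]
valid users = logger
read only = no
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_smb_shares "$tmp"; rm -f "$tmp"
```

Run it against /etc/samba/smb.conf after testparm; testparm validates syntax only, while this checks who ends up with access to each share.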
Mapping ObjectiveFS (S3) to Windows
SMB is ready; let’s move to the Windows environment and map this share to a drive letter via “Add a network location”.
For share availability we just need to open port 2049 (EC2 -> Security Group); it is pre-defined in the list of protocols (just pick it and define your IP, CIDR or another Security Group).
Make sure you have set up your security group accordingly (ports 445 and 139 should be open between source and target). Check further from other instances and see if this concept works.
Please ensure the following ports are opened as shown below:

Test Samba Share (This is to simulate InDesign on Windows Instance)
Launch EC2 Microsoft Windows Server instance by following the Broadridge guidelines.
Note: Choose Broadridge approved hardened Image
To connect to your Amazon EC2 instance and test samba share
- Connect to your Amazon EC2 instance.
- After you’ve connected, open “Start–>Run”. Enter the IP address of the Samba server with backward slash. Refer to the screens below for details.
Note: When prompted for the user ID/password, use logger/logger, which was created in the earlier step.


Mount a shared folder in Linux (This is to simulate Customization Engine on Linux instance)
Launch EC2 Linux instance by following the Broadridge guidelines.
Note: Choose Broadridge approved hardened Image
- Connect to your Linux instance as ec2-user using SSH.
- Elevate your user privileges.
sudo su
- Update the EC2 instance.
yum update -y
- Create a local folder.
$ mkdir test_dir
- Mount the share using the following command
$ mount -t cifs //Windows_IP/share_name target_folder_path -o username=user,password=pwd
To map a network drive locally
- Open a command prompt on the Windows machine and run the following command:
net use devicename: \\computername\sharename /USER:domainname\userid password /PERSISTENT:NO
net use | Execute the net use command alone to show detailed information about currently mapped drives and devices. |
devicename | Use this option to specify the drive letter or printer port you want to map the network resource to. For a shared folder on the network, specify a drive letter from D: through Z:, and for a shared printer, LPT1: through LPT3:. Use * instead of specifying device name to automatically assign the next available drive letter, starting with Z: and moving backward, for a mapped drive. |
\\computername\sharename | This specifies the name of the computer, computername, and the shared resource, sharename, like a shared folder or a shared printer connected to computername. If there are spaces anywhere here, be sure to put the entire path, slashes included, in quotes. |
username | Use this option with /user to specify the username to use to connect to the shared resource. |
password | This is the password needed to access the shared resource on computername. You can choose to enter the password during the execution of the net use command by typing * instead of the actual password. |
domain name | Specify a different domain than the one you’re on, assuming you’re on one, with this option. Skip domain name if you’re not on a domain or you want net use to use the one you’re already on. |
Recommendations
- Enable disk cache when a local SSD or hard drive is available. For EC2 instances, we recommend using the local SSD instance store instead of EBS, because EBS volumes may run into ops limits depending on the volume size.
- Use the i3.xlarge EC2 instance type for production and a General Purpose EC2 instance type for non-production environments.
- To ensure failover capabilities, consider assigning a secondary private IP address to the primary ENI that can be moved to a failover instance. In the event of an instance failover, you can move the secondary private IPv4 address to a standby instance.
Setup file system Passphrase from an AWS Parameter Store
- Make sure AWS Systems Manager (SSM) is allowed in the IAM role attached to your EC2 instance to access AWS parameter store.
- Verify AWS CLI is a newer version with support for SSM get-parameter.
- Add your passphrase as a secure string to AWS parameter store.
# aws --region=<your s3 region> ssm put-parameter --name 'OBJECTIVEFS_PASSPHRASE' --value '<your passphrase>' --type SecureString
- Create an executable file (e.g. /usr/sbin/get_aws_ssm) with the file content as follows. This script will call AWS parameter store and will only print out your passphrase to return to ObjectiveFS.
#!/bin/sh
aws --region <your s3 region> ssm get-parameter --name 'OBJECTIVEFS_PASSPHRASE' --with-decryption | sed -n '/Value/s/.*: "\(.*\)",/\1/p'
- In ‘/etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE’, specify the path to the executable file as the file content.
#!/usr/sbin/get_aws_ssm