Overview

This article describes a problem I found interesting, enjoyable and challenging to solve: a Broadridge client's crucial requirement to share a filesystem between Linux and Windows instances on Amazon AWS.

Problem Statement

The Broadridge client had a unique requirement for the dmEdge project: an application running on an AWS Linux instance needs to share a filesystem with an application running on an AWS Windows instance.


R&D/Proof of Concept (POC)

Amazon EFS is not supported on Windows instances, so on its own it cannot meet the problem statement.

To resolve the problem and find the best possible solution, I carried out the following proofs of concept:

  1. Sharing the filesystem with AWS EFS + Samba Server (AWS Cloud Linux) + Windows
  2. Sharing the filesystem with ObjectiveFS + Samba (AWS Cloud Linux) + Windows
  3. Sharing the filesystem with Samba (AWS Cloud Linux) + Windows

Etc.

Conclusion

After a thorough study I found that, for web server workloads, ObjectiveFS suits best: it has higher performance and lower latency compared to Amazon EFS. The key performance statistics for ObjectiveFS versus AWS EFS are listed below:

| | ObjectiveFS | EFS |
|---|---|---|
| Reliability | Backed by Amazon S3 | NFS-based (NFSv4) protocol |
| Storage Durability | 99.999999999% by S3 | Not specified |
| Performance | Always high performance | Pay for performance |
| Performance: Small Files | 80X faster than EFS (info) | Slow for small files |
| Performance: Large Files | 350MB/s (info) | 100MB/s |
| Scalability | 1 to 1000s | 1 to 1000s |
| Storage Cost | S3: $0.03/GB (S3 Pricing) | EFS: $0.30/GB in US East (N. Virginia) (EFS Pricing) |
| Security | End-to-end encryption | Data at rest is encrypted. Data in transit encryption is in preview. |
| Availability | Supports all regions | Currently only in 6 regions (Northern Virginia, Ohio, Oregon, Northern California) |
| Accessibility | Access from anywhere | Limited to same region as EC2 instances using it |
| Product Maturity | In production since 2013 | Released in July 2016 |
| OS Supported | Linux, OS X, Windows via Samba/NFS | Linux only. Using Amazon EFS with Microsoft Windows Amazon EC2 instances is not supported. |
| Backup and Disaster Recovery | Secure storage such as S3 and on-premise S3-compatible object stores. Can use the built-in Snapshot feature to recover point-in-time snapshots of your data. Can use S3 Cross-Region-Replication. | Custom coded EFS-to-EFS Backup solution |

Features:

| | ObjectiveFS | EFS |
|---|---|---|
| Snapshots | Automatic & Checkpoint | - |
| Data integrity | Strong checksums | - |
| Cross-region access | Yes | - |
| Local disk cache | Yes | - |
| Compression | Yes | - |
| Transfer Acceleration | Yes | - |
| AWS IAM support | Yes | Yes |
| User/Group ID mapping | Yes | Yes |
| AWS KMS support | Yes | Yes |
| Client-side encryption | Yes | - |
| Server-side encryption | Yes | Yes |

The following sections cover the steps to share your ObjectiveFS filesystem from Linux to Windows via Samba.

 

Download/Install ObjectiveFS and Export ObjectiveFS to Windows via Samba

Launch EC2 Linux instance by following the Broadridge guidelines.

Note: Choose Broadridge approved hardened Image

  1. Connect to your Amazon EC2 instance.
  2. Elevate your user privilege.

sudo su

  3. Update the EC2 instance.

yum update -y

  4. After you've connected, install ObjectiveFS with the following commands.

Note: ObjectiveFS is a licensed product; you need an account and a license.

$ curl -O https://objectivefs.com/user/download/acpbuxv5r/objectivefs-5.4-1.x86_64.rpm

$ yum install objectivefs-5.4-1.x86_64.rpm

  5. Verify NTP has a small offset (<1 sec):

$ /usr/sbin/ntpdate -q pool.ntp.org

  6. Configure your credentials. If using keys, get your S3 keys.

Note: Create the user name 'logger' when getting the S3 keys.

$ sudo mount.objectivefs config

Enter ObjectiveFS license: <your objectivefs license>

Enter Access Key Id: <your AWS or GCS access key>

Enter Secret Access Key: <your AWS or GCS secret key>

Enter Default Region (optional): <S3 or GCS region>

If using IAM roles:

$ sudo mount.objectivefs config -i

Enter ObjectiveFS license: <your objectivefs license>

Enter Metadata Host [169.254.169.254]: <your metadata host ip>

Enter Default Region (optional): <S3 or GCS region>

  7. Create a file system:

For your filesystem name, use a globally unique, non-secret name (i.e. a new bucket name not used by others); ObjectiveFS will create a new bucket with that name for your filesystem.

Choose a strong passphrase, write it down and store it somewhere safe.

IMPORTANT: Without the passphrase, there is no way to recover any files.

Default region: the default region entered in the credentials configuration step (if not specified, us-west-2 for AWS).

$ sudo mount.objectivefs create <your filesystem name>

Passphrase: <your passphrase>

Verify passphrase: <your passphrase>

To specify your filesystem region:

$ sudo mount.objectivefs create -l <your region> <your filesystem name>

Passphrase: <your passphrase>

Verify passphrase: <your passphrase>

  8. Mount the file system.

You need an existing empty directory to mount your file system on, e.g. /ofs. The mount process runs in the background.

$ sudo mkdir /ofs

$ sudo mount.objectivefs <your filesystem name> /ofs

Passphrase: <your passphrase>

Alternatively, you can mount the filesystem on /ofs with S3 Transfer Acceleration enabled for faster file transfers.

$ sudo mkdir /ofs

$ sudo AWS_TRANSFER_ACCELERATION=1 mount.objectivefs <your filesystem name> /ofs

Passphrase: <your passphrase>

  9. Install Samba.

The CentOS command is as follows:

$ sudo yum install samba

  10. Use an editor (for example nano /etc/samba/smb.conf) and paste the following at the end.

[ofs]
path = /ofs
valid users = logger
read only = no
; guest ok = yes lets clients connect without a password; set it to no if only the logger account should reach this share
guest ok = yes
writable = yes
browseable = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
nt acl support = yes
create mask = 0700
directory mask = 0700
force user = logger

Note: The 'force user' parameter makes every file operation on the share run as the Linux user 'logger', so data written from Windows is owned by 'logger' and lands with the 0700 masks above.

Or otherwise, if you want to reach the share from any machine on your network, paste the following at the end. Since this share is anonymous, users will not have to log in to access the files and folders within it, so restrict who can reach the SMB ports with the security group.

[Anonymous]
path = /ofs
browsable = yes
writable = yes
read only = no
; guest ok = yes is what makes the share anonymous (without it clients are still prompted for credentials)
guest ok = yes

Or otherwise, create the Windows EC2 instance's root user ID/password and configure it in Samba to connect.

Or otherwise, create a local user account on the Windows EC2 instance with the Samba account's user ID/password to connect to the Samba share.

  11. Save the file and start Samba with service smb start. To make sure the configuration file is set correctly, testparm can validate it.

$ testparm

  12. Exit out and create a user, 'logger' in this case. Note: This user ID/password is needed for the Windows login when connecting to the Samba share.

useradd logger

passwd logger

  13. Set the same password in Samba:

smbpasswd -a logger
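Before restarting smb, it is worth checking the share definitions for settings that widen access beyond the logger account. The script below is an added example (not the article's or ObjectiveFS's own code) that audits the [share] sections of an smb.conf for "guest ok = yes" and for writable shares with no "valid users" list; it assumes a POSIX awk and embeds a constructed sample modelled on the two share definitions above.

```shell
#!/bin/sh
# Added example (not the article's own code): audit smb.conf share sections for
# settings that expose the ObjectiveFS export to unauthenticated or unrestricted
# write access. One finding per line on stdout; the return value is the count.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(m) { print "[" share "] " m; findings++ }
    function flush() {
        if (share == "" || share == "global") return
        if (guest == "yes") report("guest ok = yes: reachable without a password")
        if (guest == "yes" && valid != "") report("guest ok with valid users: ambiguous, drop guest ok")
        if ((writable == "yes" || readonly == "no") && valid == "") report("writable with no valid users: any Samba account can write")
    }
    BEGIN { findings = 0 }
    {
        line = $0; sub(/[#;].*/, "", line); line = trim(line)   # drop comments
        if (line == "") next
        if (line ~ /^\[.*\]$/) {                                 # new [share] section
            flush(); share = substr(line, 2, length(line) - 2)
            guest = valid = writable = readonly = ""
            next
        }
        eq = index(line, "="); if (eq == 0) next
        key = tolower(trim(substr(line, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr(line, eq + 1)))
        if (key == "guest ok" || key == "public") guest = val
        else if (key == "valid users") valid = val
        else if (key == "writable" || key == "writeable" || key == "write ok") writable = val
        else if (key == "read only") readonly = val
    }
    END { flush(); exit findings }' "$1"
}
# Constructed sample modelled on the two share definitions in the article, plus a
# hardened variant (guest access off, valid users set) to show a clean result.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[ofs]
    valid users = logger
    read only = no
    guest ok = yes
[Anonymous]
    writable = yes
    guest ok = yes
[hardened]
    valid users = logger
    guest ok = no
    writable = yes
EOF
audit_smb_conf "$SAMPLE_SMB_CONF" || echo "$? risky setting(s) found"
```

Run it against the real file with audit_smb_conf /etc/samba/smb.conf; a non-zero return value means at least one share needs a second look.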

 

Mapping ObjectiveFS (S3) to Windows

SMB is ready; let's move to the Windows environment and map this share to a drive letter, or add it via "Add a network location".

For the share availability we just need to open port 2049 (EC2 -> Security Group); it is pre-defined in the list of protocols (just pick it and specify your source IP, CIDR or another Security Group). Note that 2049 is the NFS port; SMB itself uses the ports listed next.

Make sure you have set up your security group accordingly: ports 445 and 139 should be open between source and target, restricted to the source instance or CIDR rather than to 0.0.0.0/0. Then check from other instances whether this concept works.

Please ensure the following ports are open, as shown below:

Test Samba Share (This is to simulate InDesign on Windows Instance)

Launch EC2 Microsoft Windows Server instance by following the Broadridge guidelines.

Note: Choose Broadridge approved hardened Image

To connect to your Amazon EC2 instance and test the Samba share:

  1. Connect to your Amazon EC2 instance.
  2. After you've connected, open Start -> Run and enter the IP address of the Samba server prefixed with two backslashes (\\<samba server IP>). Refer to the screens below for more detail.

Note: When prompted for a user ID/password, use logger/logger, the account created in the earlier step.

 

Mount a shared folder in Linux (This is to simulate Customization Engine on Linux instance)

Launch EC2 Linux instance by following the Broadridge guidelines.

Note: Choose Broadridge approved hardened Image

  1. Connect to your Linux instance as ec2-user using SSH.
  2. Elevate your user privilege.

sudo su

  3. Update the EC2 instance.

yum update -y

  4. Create a local folder.

$ mkdir test_dir

  5. Mount the share using the following command. A password given on the command line is visible in the shell history and the process list; a root-only credentials file passed with the credentials= option avoids that.

$ mount -t cifs //Windows_IP/share_name target_folder_path -o username=user,password=pwd

 

 

To map a network drive locally

  1. Open a command prompt on the Windows machine and run the following command:

net use devicename: \\computername\sharename /USER:domainname\userid password /PERSISTENT:NO

net use: Executing the net use command alone shows detailed information about currently mapped drives and devices.

devicename: Use this option to specify the drive letter or printer port you want to map the network resource to. For a shared folder on the network, specify a drive letter from D: through Z:, and for a shared printer, LPT1: through LPT3:. Use * instead of a device name to automatically assign the next available drive letter, starting with Z: and moving backward, for a mapped drive.

\\computername\sharename: This specifies the name of the computer, computername, and the shared resource, sharename, such as a shared folder or a shared printer connected to computername. If there are spaces anywhere here, be sure to put the entire path, slashes included, in quotes.

username: Use this option with /user to specify the username to use to connect to the shared resource.

password: This is the password needed to access the shared resource on computername. You can choose to enter the password during the execution of the net use command by typing * instead of the actual password.

domainname: Specify a different domain than the one you're on, assuming you're on one, with this option. Skip domainname if you're not on a domain or you want net use to use the one you're already on.

Recommendations

  1. Enable the disk cache when a local SSD or hard drive is available. For EC2 instances, we recommend using the local SSD instance store instead of EBS, because EBS volumes may run into an IOPS limit depending on the volume size.
  2. Use the i3.xLarge EC2 instance type for production and a General Purpose EC2 instance type for non-production environments.
  3. To ensure failover capability, consider assigning a secondary private IP address to the primary ENI that can be moved to a failover instance. In the event of an instance failure you can move the secondary private IPv4 address to a standby instance.

 

Setup file system Passphrase from an AWS Parameter Store

  1. Make sure AWS Systems Manager (SSM) is allowed in the IAM role attached to your EC2 instance, so it can access the AWS Parameter Store.
  2. Verify the AWS CLI is a recent version with support for ssm get-parameter.
  3. Add your passphrase as a SecureString to the AWS Parameter Store. A value typed on the command line is recorded in the shell history, so clear it afterwards.

# aws --region <your s3 region> ssm put-parameter --name 'OBJECTIVEFS_PASSPHRASE' --value '<your passphrase>' --type SecureString

  4. Create an executable file (e.g. /usr/sbin/get_aws_ssm) with the following content, and make it executable and readable only by root (chmod 700). This script calls the AWS Parameter Store and prints only your passphrase, which is returned to ObjectiveFS.

#!/bin/sh
# Fetch the decrypted passphrase from Parameter Store and print only its value.
# --query/--output text replace the sed-based JSON scraping of the original script
# so the output does not depend on the CLI's JSON formatting.
set -e
aws --region <your s3 region> ssm get-parameter --name 'OBJECTIVEFS_PASSPHRASE' --with-decryption --query 'Parameter.Value' --output text

  5. In '/etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE', specify the path to the executable file as the file content, prefixed with '#!' so that ObjectiveFS runs it instead of reading the file literally. Keep this file readable only by root as well.

            #!/usr/sbin/get_aws_ssm
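Because this file is the only thing standing between the S3 bucket and the plaintext data, it pays to check the hand-off before relying on it. The script below is an added example (not the article's or ObjectiveFS's own code): it verifies that the env file and the helper it points at are owner-only, that the helper is executable, and that the passphrase source yields exactly one non-empty line. It assumes GNU stat (Linux) and uses a constructed stand-in helper instead of a real AWS call.

```shell
#!/bin/sh
# Added example (not the article's own code): verify the ObjectiveFS passphrase
# hand-off before trusting it. ENV_FILE is the file ObjectiveFS reads
# (/etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE in the article); when its first
# line starts with "#!", the rest of that line names a helper whose stdout is the
# passphrase. Checks: owner-only permissions on both files, the helper is
# executable, and the source yields exactly one non-empty line. Returns 0 on pass.
check_passphrase_handoff() {
    env_file=$1
    mode=$(stat -c %a "$env_file" 2>/dev/null) || { echo "$env_file: missing"; return 1; }
    case "$mode" in *00) ;; *) echo "$env_file: mode $mode is not owner-only"; return 1 ;; esac
    first=$(head -n 1 "$env_file")
    case "$first" in
        '#!'*)
            helper=$(printf '%s' "$first" | sed 's/^#![ \t]*//')
            hmode=$(stat -c %a "$helper" 2>/dev/null) || { echo "$helper: missing"; return 1; }
            case "$hmode" in *00) ;; *) echo "$helper: mode $hmode is not owner-only"; return 1 ;; esac
            [ -x "$helper" ] || { echo "$helper: not executable"; return 1; }
            out=$("$helper") || { echo "$helper: exited non-zero"; return 1; } ;;
        *)
            out=$(cat "$env_file") ;;   # plain passphrase stored in the file itself
    esac
    [ "$(printf '%s\n' "$out" | grep -c .)" -eq 1 ] ||
        { echo "passphrase source must yield exactly one non-empty line"; return 1; }
    echo "ok"
}
# Constructed demo: a helper that stands in for get_aws_ssm (no AWS call) in a
# private temp directory, and an env file that points at it, as the article does.
DEMO_DIR=$(mktemp -d)
DEMO_HELPER=$DEMO_DIR/get_aws_ssm
cat > "$DEMO_HELPER" <<'EOF'
#!/bin/sh
echo constructed-passphrase
EOF
chmod 700 "$DEMO_HELPER"
DEMO_ENV=$DEMO_DIR/OBJECTIVEFS_PASSPHRASE
printf '#!%s\n' "$DEMO_HELPER" > "$DEMO_ENV"
chmod 600 "$DEMO_ENV"
check_passphrase_handoff "$DEMO_ENV"   # prints: ok
```

On a real host run check_passphrase_handoff /etc/objectivefs.env/OBJECTIVEFS_PASSPHRASE as root before the first mount; any message other than "ok" names the file and the reason.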