[OpenAFS] Re: client behind NAT firewall

Andrew Deason adeason@sinenomine.net
Tue, 5 Aug 2014 10:36:05 -0500

On Tue, 05 Aug 2014 16:12:41 +0200
Alex <euergetikos.k@gmail.com> wrote:

> On 08/05/14 15:08, Brandon Allbery wrote:
> > So you might be able to get by with just running "fs checkvolumes"
> > periodically in a cron job to make up for missing callback breaks on
> > volume releases.

That only refreshes the vldb info; volume name -> id mappings and such.
That doesn't really help here.

> > For the most reliable operation, however, you should check that the
> > NAT gateway can remember UDP NAT mappings *specifically on client
> > port 7001* for at least 2 hours and open 7001/udp in the firewall so
> > the client can receive callback breaks.

If you're going by the longest callback expiration time, that is 4
hours. But as said elsewhere I think, we have other keepalive 'pings'
and such that should make the required mapping time much shorter.

> Thank you all for answering, I guess we should test it more carefully
> to check how it will work. Parallel access is a must for us. The main
> concern is the possibility that one client overwrites modifications of
> another one who is editing the file in the same time.

That is always possible, even without NAT. If you have 2 clients writing
to the same area of a file simultaneously, there is no way to
automatically 'merge' the contents; the one who wrote last will win.
File data is conceptually managed in 'chunks' which vary from around
128KiB to 1MiB; so if you write to the same e.g. 1MiB area of a file
at the same time from 2 clients, that 1MiB will either be entirely what
one client wrote, or the other client.

If you need to be writing to the same file from multiple clients, you
need to synchronize/serialize them somehow. This can be done with
whole-file locks, or some other synchronization mechanism outside of the

On Tue, 5 Aug 2014 15:51:10 +0200
Stephan Wiesand <stephan.wiesand@desy.de> wrote:

> On 2014-08-05, at 9:30, Alex <euergetikos.k@gmail.com> wrote:
> > -all Openafs servers are behind the same NAT firewall. Firewall
> > rules can be changed.
> I'm not that NAT savvy... how could this possibly work (more than one
> server)?

I assume that Alex means there are multiple public-facing IPs; they are
just handled by the same device that handles the translation/firewall.

But in case it's not clear: Alex, you need one IP per openafs server
that a client will contact. You can't run 5 servers off of 1 public
IP right now or anything like that.

Andrew Deason
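Added example (not from the thread, not OpenAFS code): the "last writer wins" behaviour and the whole-file-lock remedy from the message above, in runnable form. It assumes a POSIX host where flock() on the shared file is honoured across every writer; OpenAFS forwards whole-file locks to the fileserver, so the same pattern applies across AFS clients, but this script only demonstrates it between threads on one machine. The file path, counter format and writer counts are all constructed for the demo.

```python
import fcntl
import os
import tempfile
import threading


def read_modify_write(path, update, lock=True):
    """One read-modify-write cycle on `path`.

    With lock=True the whole cycle runs under an exclusive whole-file
    lock (flock LOCK_EX), so concurrent writers are serialized.  With
    lock=False two writers can read the same old content and the later
    write simply replaces the earlier one, which is the AFS chunk-level
    "last writer wins" outcome described in the thread.
    """
    with open(path, "r+b") as f:
        if lock:
            fcntl.flock(f, fcntl.LOCK_EX)   # blocks until we own the file
        try:
            data = f.read()
            new = update(data)
            f.seek(0)
            f.truncate()
            f.write(new)
            f.flush()
            os.fsync(f.fileno())
        finally:
            if lock:
                fcntl.flock(f, fcntl.LOCK_UN)


def run_writers(path, n_writers, n_updates, lock):
    """Start n_writers threads, each incrementing the counter n_updates
    times, and return the final counter value stored in the file."""

    def increment(data):
        # An empty read means another (unlocked) writer is mid-rewrite.
        return str(int(data.strip() or b"0") + 1).encode()

    def worker():
        for _ in range(n_updates):
            read_modify_write(path, increment, lock=lock)

    threads = [threading.Thread(target=worker) for _ in range(n_writers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path, "rb") as f:
        return int(f.read().strip() or b"0")


def demo(n_writers=4, n_updates=200):
    """Return (unlocked_total, locked_total) for the same workload.

    The locked run always reaches n_writers * n_updates; the unlocked
    run may lose updates because writers overwrite each other.
    """
    fd, path = tempfile.mkstemp(prefix="afs-lock-demo-")   # constructed temp file
    os.write(fd, b"0")
    os.close(fd)
    try:
        unlocked = run_writers(path, n_writers, n_updates, lock=False)
        with open(path, "wb") as f:
            f.write(b"0")
        locked = run_writers(path, n_writers, n_updates, lock=True)
    finally:
        os.unlink(path)
    return unlocked, locked


if __name__ == "__main__":
    unlocked, locked = demo()
    expected = 4 * 200
    print(f"expected {expected}: unlocked={unlocked} locked={locked}")
```

Run it a few times: the unlocked total is at most the expected value and often below it, while the locked total is always exact. In the AFS case the same serialization is what keeps two clients from each replacing the other's chunk; the lock has to be taken by every writer, since an advisory lock does nothing for a client that does not ask for it.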