
ubccr / iquota


Linux CLI tools for CCR Quota reporting

License: BSD 3-Clause "New" or "Revised" License

Go 97.63% Shell 2.37%
go golang isilon onefs quota

iquota's Introduction

Linux CLI tool for CCR quota reporting

What is iquota?

iquota is a command line tool and associated server application for reporting quotas for CCR storage systems.

Linux clients mount storage systems over NFS. Users obtain Kerberos credentials via kinit and run the iquota client command, which connects to the iquota-server (proxy) over HTTPS (using GSSAPI/SPNEGO for auth). The iquota-proxy server validates the user's Kerberos credentials and requests quota information cached in redis.

Features

  • User/Group quota reporting from command line
  • Kerberos based authentication
  • Caching via redis

Requirements

  • Linux
  • Kerberos
  • sssd-ifp (SSSD InfoPipe responder)

Install and configure iquota-server proxy

Note: these docs are for CentOS 7.x and may need adjusting depending on your flavor of Linux.

Download the RPM release here:

$ rpm -Uvh iquota-server-0.x.x-x.el7.centos.x86_64.rpm

Setup Kerberos HTTP keytab

The iquota-server uses Kerberos authentication. You'll need to create a HTTP service keytab file. For example:

kadmin: addprinc -randkey HTTP/[email protected]

If using FreeIPA you can run:

$ ipa service-add HTTP/host.domain.com
$ ipa-getkeytab -s master.domain.com -p HTTP/host.domain.com -k http.keytab

Configure sssd

iquota-server uses sssd-ifp (SSSD InfoPipe responder) over DBUS to fetch the unix groups for a given user. For more information on sssd-ifp see here.

Ensure the sssd-dbus package is installed:

# yum install sssd-dbus

Configure sssd-ifp. Add the following lines to /etc/sssd/sssd.conf:

[sssd]
services = nss, sudo, pam, ssh, ifp

[ifp]
allowed_uids = iquota, root

Restart sssd to make the changes take effect:

# systemctl restart sssd

You can test to ensure sssd-ifp is configured properly by running the following command. The array of unix groups for the user should be displayed:

# dbus-send --print-reply --system \
  --dest=org.freedesktop.sssd.infopipe \
  /org/freedesktop/sssd/infopipe \
  org.freedesktop.sssd.infopipe.GetUserGroups \
  string:username

   array [
      string "physics"
      string "compsci"
      string "users"
   ]

Configure iquota.yaml

Edit the iquota configuration file:

$ vim /etc/iquota/iquota.yaml 
keytab: "/path/to/http.keytab"
[ edit to taste ]

It's highly recommended to run iquota-server using HTTPS. You'll need an SSL cert/private_key either using FreeIPA's PKI, self-signed, or from a commercial certificate authority. Creating SSL certs is outside the scope of this document. You can also run iquota-server behind haproxy or Apache/Nginx.

Copy your SSL cert/private_key to the following directories and set the correct paths in /etc/iquota/iquota.yaml. The iquota-server binary runs as a non-root user (iquota), so make sure the file permissions are set correctly:

$ mkdir /etc/iquota/{cert,private}
$ cp my.crt /etc/iquota/cert/my.crt
$ cp my.key /etc/iquota/private/my.key
$ chmod 640 /etc/iquota/private/my.key
$ chgrp iquota /etc/iquota/private/my.key
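
The permissions set above can be verified with a short audit function. This is an added example, not part of the iquota project; it assumes GNU stat, and the function name check_secret_perms is hypothetical. Running it against the keytab as well is an assumption, since this page sets permissions only on the private key.

```shell
#!/bin/sh
# Added example (not from the iquota project): audit secret-file permissions.
# check_secret_perms FILE GROUP
#   GROUP may be a group name or a numeric gid.
#   Returns 0 only if FILE is a regular file (not a symlink), is group-owned
#   by GROUP, and its mode is 640 or stricter (no bits outside rw-r-----).
check_secret_perms() {
    file=$1
    group=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: missing, a symlink, or not a regular file" >&2
        return 1
    fi
    # GNU stat: %a = octal mode, %G = group name, %g = numeric gid
    mode=$(stat -c '%a' "$file")
    gname=$(stat -c '%G' "$file")
    gid=$(stat -c '%g' "$file")
    rc=0
    # Any bit outside 0640 means group-write, access for "other",
    # an execute bit, or a setuid/setgid/sticky bit.
    if [ $(( 0$mode & ~0640 & 07777 )) -ne 0 ]; then
        echo "FAIL $file: mode $mode is more permissive than 640" >&2
        rc=1
    fi
    if [ "$gname" != "$group" ] && [ "$gid" != "$group" ]; then
        echo "FAIL $file: group is $gname ($gid), expected $group" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $file: mode $mode, group $gname"
    return "$rc"
}

# Usage: sh audit.sh GROUP FILE...
#   e.g. sh audit.sh iquota /etc/iquota/private/my.key
# Does nothing when run without arguments.
if [ "$#" -ge 2 ]; then
    grp=$1
    shift
    status=0
    for f in "$@"; do
        check_secret_perms "$f" "$grp" || status=1
    done
    exit "$status"
fi
```
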

Start iquota-server service

Start iquota-server service:

$ systemctl restart iquota-server
$ systemctl enable iquota-server

To view iquota-server system logs run:

$ journalctl -u iquota-server

Install iquota on all client machines mounting storage over nfs

On all client machines mounting storage over nfs install the iquota client. Download the RPM release here:

$ rpm -Uvh iquota-0.x.x-x.el7.centos.x86_64.rpm

Edit the iquota configuration file and add the URL for iquota-server:

$ vim /etc/iquota/iquota.yaml 
iquota_url: "http://host.domain.com"
[ edit to taste ]

Usage

Check user/group quotas:

$ kinit walterwhite
Password for walterwhite@REALM:
$ iquota -u -g
User quotas:
Filesystem  user               files      used     limit    grace 
/ifs/user
            (default)                             2.0 GB   1 week 
            walterwhite           34    370 kB    2.0 GB   1 week 

Group quotas:
Filesystem  group              files      used     limit    grace 
/ifs/projects
            (default)                             520 GB   1 week 
            hermanos               4    699 MB    520 GB   1 week

Configure caching

iquota-server should be configured to cache results for a given time period. This helps reduce the load on the storage APIs and provides better iquota performance. To enable caching, first install redis, then update /etc/iquota/iquota.yaml.

Install Redis (install from EPEL):

$ yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ yum install redis
$ systemctl restart redis
$ systemctl enable redis

Edit /etc/iquota/iquota.yaml and restart:

$ vi /etc/iquota/iquota.yaml
enable_caching: true

$ systemctl restart iquota-server

License

iquota is released under a BSD style license. See the LICENSE file.


iquota's Issues

Provide ability to change user prompt

When a user tries to use iquota without first running kinit, they're prompted with:

FATA[0000] No Kerberos credentials available. Please run kinit

We use a custom version of kinit so this error is confusing. We can't alias the kinit command so it would be nice if we could customize this error.
