distributed network file systems

2021-04-01 18:46:31 -06:00 · 2021-04-01 18:46:31 -06:00 · 72378552c3
commit 72378552c3
parent f43f742fe0
2 changed files with 340 additions and 0 deletions
--- a/src/_posts/2021-01-14-the-web.md
+++ b/src/_posts/2021-01-14-the-web.md
@ -3,6 +3,7 @@ title: >-
    The Web
 description: >-
    What is it good for?
+series: nebula
 tags: tech
 ---

--- a/src/_posts/2021-04-06-evaluation-of-network-filesystems.md
+++ b/src/_posts/2021-04-06-evaluation-of-network-filesystems.md
@ -0,0 +1,339 @@
+---
+title: >-
+    Evaluation of Network Filesystems
+description: >-
+    There can only be one.
+series: nebula
+tags: tech
+---
+
+It's been a bit since updating my progress on what I've been lately calling the
+"cryptic nebula" project. When I last left off I was working on building the
+[mobile nebula][mobile_nebula] using [nix][nix]. For the moment I gave up on
+that dream, as flutter and nix just _really_ don't get along and I don't want to
+get to distracted on problems that aren't critical to the actual goal.
+
+Instead I'd like to pursue the next critical component of the system, and
+that's a shared filesystem. The use-case I'm ultimately trying to achieve is:
+
+* All hosts communicate with each other via the nebula network.
+* All hosts are personal machines owned by individuals, _not_ cloud VMs.
+* A handful of hosts are always-on, or at least as always-on as can be achieved
+  in a home environment.
+* All hosts are able to read/write to a shared filesystem, which is mounted via
+  FUSE (or some other mechanism, though I can't imagine what) on their computer.
+* Top-level directories within the shared filesystem can be restricted, so
+  that only a certain person (or host) can read/write to them.
+
+What I'm looking for is some kind of network filesystem, of which there are
+_many_. This document will attempt to evaluate all relevant projects and come up
+with the next steps. It may be that no project fits the bill perfectly, and that
+I'm stuck either modifying an existing project to my needs or, if things are
+looking really dire, starting a new project.
+
+The ultimate use-case here is something like a self-hosted, distributed [keybase
+filesystem](https://book.keybase.io/docs/files); somewhere where individuals in
+the cluster can back up their personal projects, share files with each other,
+and possibly even be used as the base layer for more complex applications on
+top.
+
+The individuals involved shouldn't have to deal with configuring their
+distributed FS, either to read from it or add storage resources to it. Ideally
+the FS process can be bundled together with the nebula process and run opaquely;
+the user is just running their "cryptic nebula" process and everything else is
+handled in the background.
+
+## Low Pass Filter
+
+There are some criteria for these projects that I'm not willing to compromise
+on; these criteria will form a low pass filter which, hopefully, will narrow our
+search appreciably.
+
+The network filesystem used by the cryptic nebula must:
+
+* Be able to operate over a nebula network (obviously).
+* Be open-source. The license doesn't matter, as long as the code is available.
+* Run on both Mac and Linux.
+* Not require a third-party to function.
+* Allows for a replication factor of 3.
+* Supports sharding of data (ie each host need not have the entire dataset).
+* Allow for mounting a FUSE filesystem in any hosts' machine to interact with
+  the network filesystem.
+* Not run in the JVM, or any other VM which is memory-greedy.
+
+The last may come across as mean, but the reason for it is that I forsee the
+network filesystem client running on users' personal laptops, which cannot be
+assumed to have resources to spare.
+
+## Rubric
+
+Each criteria in the next set lies along a spectrum. Any project may meet one of
+thses criteria fully, partially, or not at all. For each criteria I assign a
+point value according to how fully a project meets the criteria, and then sum up
+the points to give the project a final score. The project with the highest final
+score is not necessarily the winner, but this system should at least give some
+good candidates for final consideration.
+
+The criteria, and their associated points values, are:
+
+* **Hackability**: is the source-code of the project approachable?
+    - 0: No
+    - 1: Kind of, and there's not much of a community.
+    - 2: Kind of, but there is an active community.
+    - 3: Yes
+
+* **Documentation**: is the project well documented?
+    - 0: No docs.
+    - 1: Incomplete or out-of-date docs.
+    - 2: Very well documented.
+
+* **Transience**: how does the system handle hosts appearing or disappearing?
+    - 0: Requires an automated system to be built to handle adding/removing
+      hosts.
+    - 1: Gracefully handled.
+
+* **Priority**: is it possible to give certain hosts priority when choosing
+  which will host/replicate some piece of data?
+    - 0: No.
+    - 1: Yes.
+
+* **Caching**: will hosts reading a file have that file cached locally for the
+  next reading (until the file is modified)?
+    - 0: No.
+    - 1: Yes.
+
+* **Conflicts**: if two hosts updated the same file at the same time, how is
+  that handled?
+    - 0: The file can no longer be updated.
+    - 1: One update clobbers the other, or both go through in an undefined
+      order.
+    - 2: One update is disallowed.
+    - 3: A copy of the file containing the "losing" update is created (ie: how
+      dropbox does it).
+    - 4: Strategy can be configured on the file/directory level.
+
+* **Consistency**: how does the system handle a file being changed frequently?
+    - 0: File changes must be propagated before subsequent updates are allowed (fully consistent).
+    - 1: Files are snapshotted at some large-ish interval (eventually consistent).
+    - 2: File state (ie content hash, last modifid, etc) is propagated
+      frequently but contents are only fully propagated once the file has
+      "settled" (eventually consistent with debounce).
+
+* **POSIX**: how POSIX compliant is the mounted fileystem?
+    - 0: Only the most basic features are implemented.
+    - 1: Some extra features are implemented.
+    - 2: Fully POSIX compliant.
+
+* **Scale**: how many hosts can be a part of the cluster?
+    - 0: A finite number.
+    - 1: A finite number of dedicated hosts, infinite ephemeral.
+    - 2: Infinite hosts.
+
+* **Failure**: how does the system handle failures (network partitions, hosts
+  hanging, buggy client versions)?
+    - 0: Data loss.
+    - 1: Reads and writes are halted.
+    - 2: Reads are allowed but writes are halted.
+    - 3: System is partially read/write, except effected parts.
+
+* **Limitations**: are there limits on how big files can be, or how big
+  directories can be?
+    - 0: Files are limited to below 1TB in size.
+    - 1: Directories are limited to below 100,000 files.
+    - 2: No limits.
+
+* **Encryption**: how is data encrypted?
+    - 0: Not at all, DIY.
+    - 1: Encrypted at rest.
+    - 2: Per-user encryption.
+
+* **Permissions**: how are modifications to data restricted?
+    - 0: Not at all.
+    - 1: Permissions are only superifically enforced.
+    - 2: Fully enforced user/group restrictions, complex patterns, and/or POSIX ACLs.
+
+* **Administration**: how much administration is required for the system to
+  function?
+    - 0: Frequent.
+    - 1: Infrequent.
+    - 2: Essentially none.
+
+* **Simplicity**: how understandable is the system as a whole?
+    - 0: Very complex.
+    - 1: Understandable with some study.
+    - 2: Very simple, easy to predict.
+
+* **Visibility**: how much visibility is available into processes within the
+  system?
+    - 0: Total black box.
+    - 1: Basic logging.
+    - 2: CLI tooling.
+    - 3: Exportable metrics (e.g. prometheus).
+
+## Evaluations
+
+With the rubric defined, let's start actually working through our options! There
+are many, many different possibilities, so this may not be an exhaustive list.
+
+### [Ceph](https://docs.ceph.com/en/latest/cephfs/index.html)
+
+> The Ceph File System, or CephFS, is a POSIX-compliant file system built on
+> top of Ceph’s distributed object store, RADOS. CephFS endeavors to provide a
+> state-of-the-art, multi-use, highly available, and performant file store for
+> a variety of applications, including traditional use-cases like shared home
+> directories, HPC scratch space, and distributed workflow shared storage. 
+
+- Hackability: 2. Very active community, but it's C++.
+- Documentation: 2. Hella docs, very daunting.
+- Transience: 0. Adding hosts seems to require multiple configuration steps.
+- Priority: 1. There is fine-tuning on a per-host basis.
+- Caching: 1. Clients can cache both metadata and block data.
+- Conflicts: 1. The FS behaves as much like a real FS as possible.
+- Consistency: 0. System is CP.
+- POSIX: 2. Fully POSIX compliant.
+- Scale: 2. Cluster can grow without any real bounds.
+- Failure: 3. There's no indication anywhere that Ceph goes into any kind of cluster-wide failure mode.
+- Limitations: 2. There are performance considerations with large directories, but no hard limits.
+- Encryption: 0. None to speak of.
+- Permissions: 2. POSIX ACLs supported.
+- Administration: 1. This is a guess, but Ceph seems to be self-healing in general, but still needs hand-holding in certain situations (adding/removing nodes, etc...)
+- Simplicity: 0. There are many moving pieces, as well as many different kinds of processes and entities.
+- Visibility: 3. Lots of tooling to dig into the state of the cluster, as well as a prometheus module.
+
+TOTAL: 22
+
+#### Comments
+
+Ceph has been recommended to me by a few people. It is clearly a very mature
+project, though that maturity has brought with it a lot of complexity. A lot of
+the complexity of Ceph seems to be rooted in its strong consistency guarantees,
+which I'm confident it fulfills well, but are not really needed for the
+use-case I'm interested in. I'd prefer a simpler, eventually consistent,
+system. It's also not clear to me that Ceph would even perform very well in my
+use-case as it seems to want an actual datacenter deployment, with beefy
+hardware and hosts which are generally close together.
+
+### [GlusterFS](https://docs.gluster.org/en/latest/)
+
+> GlusterFS is a scalable network filesystem suitable for data-intensive tasks
+> such as cloud storage and media streaming. GlusterFS is free and open source
+> software and can utilize common off-the-shelf hardware. 
+
+- Hackability: 2. Mostly C code, but there is an active community.
+- Documentation: 2. Good docs.
+- Transience: 0. New nodes cannot add themselves to the pool.
+- Priority: 0. Data is distributed based on consistent hashing algo, nothing else.
+- Caching: 1. Docs mention client-side caching layer.
+- Conflicts: 0. File becomes frozen, manual intervention is needed to save it.
+- Consistency: 0. Gluster aims to be fully consistent.
+- POSIX: 2. Fully POSIX compliant.
+- Scale: 2. No apparent limits.
+- Failure: 3. Clients determine on their own whether or not they have a quorum for a particular sub-volume.
+- Limitations: 2. Limited by the file system underlying each volume, I think.
+- Encryption: 2. Encryption can be done on the volume level, each user could have a private volume.
+- Permissions: 2. ACL checking is enforced on the server-side, but requires syncing of users and group membership across servers.
+- Administration: 1. Beyond adding/removing nodes the system is fairly self-healing.
+- Simplicity: 1. There's only one kind of server process, and the configuration of volumes is is well documented and straightforward.
+- Visibility: 3. Prometheus exporter available.
+
+TOTAL: 23
+
+#### Comments
+
+GlusterFS was my initial choice when I did a brief survey of DFSs for this
+use-case. However, after further digging into it I think it will suffer the
+same ultimate problem as CephFS: too much consistency for a wide-area
+application like I'm envisioning. The need for syncing user/groups across
+machines as actual system users is also cumbersome enough to make it not a
+great choice.
+
+### [MooseFS](https://moosefs.com/)
+
+> MooseFS is a Petabyte Open Source Network Distributed File System. It is easy
+> to deploy and maintain, highly reliable, fault tolerant, highly performing,
+> easily scalable and POSIX compliant.
+>
+> MooseFS spreads data over a number of commodity servers, which are visible to
+> the user as one resource. For standard file operations MooseFS acts like
+> ordinary Unix-like file system.
+
+- Hackability: 2. All C code, pretty dense, but backed by a company.
+- Documentation: 2. There's a giant PDF you can read through like a book. I
+  guess that's.... good?
+- Transience: 0. Nodes must be added manually.
+- Priority: 1. There's "Storage Classes".
+- Caching: 1. Caching is done on the client, and there's some synchronization
+  with the master server around it.
+- Conflicts: 1. Both update operations will go through.
+- Consistency: 0. Afaict it's a fully consistent system, with a master server
+  being used to synchronize changes.
+- POSIX: 2. Fully POSIX compliant.
+- Scale: 2. Cluster can grow without any real bounds.
+- Failure: 1. If the master server is unreachable then the client can't
+  function.
+- Limitations: 2. Limits are very large, effectively no limit.
+- Encryption: 0. Docs make no mention of encryption.
+- Permissions: 1. Afaict permissions are done by the OS on the fuse mount.
+- Administration: 1. It seems that if the topology is stable there shouldn't be
+  much going on.
+- Simplicity: 0. There are many moving pieces, as well as many different kinds of processes and entities.
+- Visibility: 2. Lots of cli tooling, no prometheus metrics that I could find.
+
+TOTAL: 17
+
+Overall MooseFS seems to me like a poor-developer's Ceph. It can do exactly the
+same things, but with less of a community around it. The sale's pitch and
+feature-gating also don't ingratiate it to me. The most damning "feature" is the
+master metadata server, which acts as a SPOF and only sort of supports
+replication (but not failover, unless you get Pro).
+
+## Cutting Room Floor
+
+The following projects were intended to be reviewed, but didn't make the cut for
+various reasons.
+
+* Tahoe-LAFS: The FUSE mount (which is actually an SFTP mount) doesn't support
+  mutable files.
+
+* HekaFS: Doesn't appear to exist anymore(?)
+
+* IPFS-cluster: Doesn't support sharding.
+
+* MinFS: Seems to only work off S3, no longer maintained anyway.
+
+* DRDB: Linux specific, no mac support.
+
+* BeeGFS: No mac support (I don't think? I couldn't find any indication it
+  supports macs at any rate).
+
+* NFS: No support for sharding the dataset.
+
+## Conclusions
+
+Going through the featuresets of all these different projects really helped me
+focus in on how I actually expect this system to function, and a few things
+stood out to me:
+
+* Perfect consistency is not a goal, and is ultimately harmful for this
+  use-case. The FS needs to propagate changes relatively quickly, but if two
+  different hosts are updating the same file it's not necessary to synchronize
+  those updates like a local filesystem would; just let one changeset clobber
+  the other and let the outer application deal with coordination.
+
+* Permissions are extremely important, and yet for all these projects are
+  generally an afterthought. In a distributed setting we can't rely on the OS
+  user/groups of a host to permission read/write access. Instead that must be
+  done primarily via e2e encryption.
+
+* Transience is not something most of these project expect, but is a hard
+  requirement of this use-case. In the long run we need something which can be
+  run on home hardware on home ISPs, which is not reliable at all. Hosts need to
+  be able to flit in and out of existence, and the cluster as a whole needs to
+  self-heal through that process.
+
+In the end, it may be necessary to roll our own project for this, as I don't
+think any of the existing distributed file systems are suitable for what's
+needed.
+
+[mobile_nebula]: https://github.com/cryptic-io/mobile_nebula
+[nix]: https://nixos.org/manual/nix/stable/