As most of us know, VMware supports many storage protocols – FC, FCoE, iSCSI and NFS.
However, only NFSv3 was supported in vSphere 4.x and 5.x. NFSv3 has many limitations and shortcomings like:
- No multipathing support
- Proprietary advisory locking, because the protocol itself lacks proper locking
- Limited security
- Performance limited by the single server head
Starting with vSphere 6, VMware introduces NFSv4.1. Compared to NFSv3, v4.1 brings a bunch of new features:
- Session Trunking/Multipathing
  - Increased performance from parallel access (load balancing)
  - Better availability from path failover
- Improved Security
  - Kerberos, Encryption and Signing are supported
  - User authentication and non-root access become available
- Improved Locking
  - In-band mandatory locks, no longer proprietary advisory locking
- Better Error Recovery
  - Client and server are no longer stateless, with recoverable context
- Efficient Protocol
  - Less chatty, no file lock heartbeat
  - Session leases
Note: NFSv4.1 does not support SDRS, SIOC, SRM and vVOLs.
Supportability of NFSv3 and NFSv4.1:
- NFSv3 locking is not compatible with NFSv4.1
  - NFSv3 uses proprietary client-side locking
  - NFSv4.1 uses server-side locking
- Single protocol access for a datastore
  - Use either NFSv3 or NFSv4.1 to mount the same NFS share across all ESXi hosts within a vSphere HA cluster
  - Mounting one NFS share as NFSv3 on one ESXi host and the same share as NFSv4.1 on another host is not supported!
Kerberos Support for NFSv4.1:
- NFSv3 only supports AUTH_SYS
- NFSv4.1 supports AUTH_SYS and Kerberos
- Requires Microsoft AD for KDC
- Supports RPC header authentication (rpc_gss_svc_none or krb5)
- Only supports DES-CBC-MD5
  - Weaker but widely used
  - AES-HMAC not supported by many vendors
Implications of using Kerberos:
- NFSv3 to NFSv4.1
  - Be aware of the uid and gid on the files
    - For NFSv3 the uid and gid will be root
    - Accessing files created with NFSv3 from a Kerberized NFSv4.1 client will result in permission denied errors
- Always use the same user on all hosts
  - vMotion and other features might fail if two hosts use different users
  - Host Profiles can be used to automate the usage of users
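The two consistency rules above (one protocol per share across the cluster, and the same Kerberos user on every host) can be checked against a mount inventory. The following is an added example, not VMware code: the record layout, host names, share paths and user names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory, one record per (ESXi host, NFS mount). The field layout
# is an assumption made for this example, not a VMware export format:
# (esxi_host, nfs_server, share, protocol, security, kerberos_user)
MOUNTS = [
    ("esx01", "nas1", "/vol/ds1",  "nfs3",  "AUTH_SYS", None),
    ("esx02", "NAS1", "/vol/ds1/", "nfs41", "AUTH_SYS", None),
    ("esx01", "nas1", "/vol/ds2",  "nfs41", "KRB5", "svc-nfs-a"),
    ("esx02", "nas1", "/vol/ds2",  "nfs41", "KRB5", "svc-nfs-b"),
    ("esx01", "nas1", "/vol/ds3",  "nfs41", "KRB5", "svc-nfs-a"),
    ("esx02", "nas1", "/vol/ds3",  "nfs41", "KRB5", "svc-nfs-a"),
]

def share_key(server, share):
    """Normalise server case and trailing slashes so one export maps to one key."""
    return f"{server.lower()}:{share.rstrip('/') or '/'}"

def fmt(groups):
    """Render {value: {hosts}} as 'value=host,host; value=host' in stable order."""
    return "; ".join(f"{k}={','.join(sorted(v))}" for k, v in sorted(groups.items()))

def audit(mounts):
    """Return sorted (share, finding, detail) tuples for cluster-wide mismatches."""
    protos = defaultdict(lambda: defaultdict(set))  # share -> protocol -> hosts
    users = defaultdict(lambda: defaultdict(set))   # share -> krb user -> hosts
    for host, server, share, proto, sec, user in mounts:
        key = share_key(server, share)
        protos[key][proto].add(host)
        if proto == "nfs41" and sec.upper().startswith("KRB5"):
            users[key][user or "<unset>"].add(host)

    findings = []
    for key, per_proto in protos.items():
        # NFSv3 client-side locks and NFSv4.1 server-side locks are not
        # compatible, so a share mounted both ways is unsupported.
        if len(per_proto) > 1:
            findings.append((key, "mixed-protocol", fmt(per_proto)))
    for key, per_user in users.items():
        # Different Kerberos users per host means different file ownership,
        # which is where vMotion and similar operations can fail.
        if len(per_user) > 1:
            findings.append((key, "mixed-kerberos-user", fmt(per_user)))
    return sorted(findings)

if __name__ == "__main__":
    for share, finding, detail in audit(MOUNTS):
        print(f"{share}: {finding} ({detail})")
```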