Monday, 4 December 2017

On Demand Anti-Virus Scan on SnapVault Destination?

ONTAP 9.1 introduced VSCAN On-Demand Scan. There are reasons you might want to run an On-Demand scan on your SnapVault destination cluster (perhaps to save processor cycles on your source controller, or as a security check to see whether anything has got past virus scanning on the end clients and the production SVM). This post demonstrates how to do this.

Setting up Offbox VSCAN

We already have the following components installed on our Anti-Virus scanning server:
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise for Storage
- ONTAP AV Connector

We already have:
- A SnapVault relationship configured
- A known bad file vaulted (see here for details of the EICAR file used for Anti-Virus testing)

And we complete the following setup as detailed in the post ‘Offbox Anti-Virus Configuration Super Express Guide’:

1) Connecting up the ONTAP AV Connector

Create user:

security login create -username LAB\AVADMIN -application ontapi -authmethod domain -role readonly -vserver C93B

Connect to the cluster in the ONTAP AV Connector.

Image: Successful ONTAP AV Connector connection

2) Configure Vscan:

vserver vscan scanner-pool create -vserver C93B -scanner-pool POOL1 -hostnames WFA41.lab.priv -privileged-users LAB\AVADMIN
vserver vscan on-access-policy create -vserver C93B -policy-name POL1 -filters scan-ro-volume
vserver vscan scanner-pool apply-policy -vserver VAULT-SVM -scanner-pool POOL1 -scanner-policy primary
vserver vscan on-access-policy disable -vserver VAULT-SVM -policy-name default_CIFS
vserver vscan on-access-policy enable -vserver VAULT-SVM -policy-name POL1
vserver vscan enable -vser VAULT-SVM

Running On-Demand Scan

We need to create an R/W volume for the On-Demand task reports, together with a share so we can access the reports::>

vol create -volume VSCAN_REPORTS  -vserver VAULT-SVM -aggregate data1 -size 10g -space-guarantee none -junction-path /VSCAN_REPORTS -security-style ntfs
cifs share create -share-name VSCAN_REPORTS$ -vserver VAULT-SVM -path /VSCAN_REPORTS

Then we create our on-demand task and run it:

vserver vscan on-demand-task create -vserver VAULT-SVM -task-name ODT -scan-path / -report-directory /VSCAN_REPORTS -schedule ""
vserver vscan on-demand-task run -vserver VAULT-SVM -task-name ODT

Reviewing the Output

The test infected file showed up in the “event log show” output:

12/4/2017 14:54:52 C93-01 ERROR Nblade.vscanVirusDetected: Possible virus detected. Vserver: VAULT-SVM, vscan server IP:, file path: \\TEST1_CIFS_volume_dst\EICAR.COM, client IP: -, SID: On-Demand, vscan engine status: 222200002, vscan engine result string: File threatened. The file could not be deleted, the file is still threatened.

There were only 4 files in my test vault SVM. The avod log showed successful virus detection:

Vserver  : VAULT-SVM
Task Name: ODT

Traversing  path: /

/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 1.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

       Number of Attempted Scans: 5
       Number of Files Skipped from Scanning: 0
       Number of Already Scanned Files: 0
       Number of Successful Scans: 5
       Number of Failed Scans: 0
       Number of Timeout Scans: 0
       Number of Clean Files: 4
       Number of Infected Files: 1
       Number of Internal Error: 4
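As an added example (not code from the original post), here is a small Python parser for the avod report shown above: it pulls out the infected files with their Extended-status, lists the files whose scan status could not be recorded on the read-only vault volume, and cross-checks the per-file lines against the report's own summary counters. The sample report is constructed from the lines above with the summary trimmed; the parser and its field names are my assumptions about the format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the avod report lines shown above (summary trimmed).
SAMPLE_REPORT = """\
Vserver  : VAULT-SVM
Task Name: ODT
Traversing  path: /
/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 1.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
       Number of Attempted Scans: 5
       Number of Successful Scans: 5
       Number of Clean Files: 4
       Number of Infected Files: 1
       Number of Internal Error: 4
"""

HEADER_RE = re.compile(r'^(Vserver|Task Name)\s*:\s*(\S+)\s*$')
FILE_RE = re.compile(r'^(?P<path>/.*?):\s+(?P<msg>.+)$')   # "<path>: <message>"
RESULT_RE = re.compile(r'Scan result: "([^"]*)".*Extended-status: "([^"]*)"')
COUNT_RE = re.compile(r'^\s*Number of (.+?):\s*(\d+)\s*$')

@dataclass
class AvodReport:
    vserver: str = ""
    task: str = ""
    # path -> {"result": engine verdict or None, "status": Extended-status, "errors": [...]}
    # Clean files get no "scanned successfully" line, so their result stays None.
    files: Dict[str, dict] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)

def parse_avod_report(text: str) -> AvodReport:
    """Parse an avod on-demand report into per-file outcomes and the summary totals."""
    rep = AvodReport()
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            setattr(rep, "vserver" if m[1] == "Vserver" else "task", m[2])
        elif m := COUNT_RE.match(line):
            rep.counts[m[1]] = int(m[2])
        elif m := FILE_RE.match(line):
            fo = rep.files.setdefault(m["path"], {"result": None, "status": None, "errors": []})
            if r := RESULT_RE.search(m["msg"]):
                fo["result"], fo["status"] = r[1], r[2]
            else:
                fo["errors"].append(m["msg"].rstrip("."))
    return rep

def infected_files(rep: AvodReport) -> List[str]:
    return sorted(p for p, f in rep.files.items() if f["result"] == "File is infected")

def status_write_failures(rep: AvodReport) -> List[str]:
    # On a read-only SnapVault destination the scanner cannot record the scan status,
    # so each file shows "Permission denied" and lands in "Number of Internal Error".
    return sorted(p for p, f in rep.files.items()
                  if any("Permission denied" in e for e in f["errors"]))

def check_summary(rep: AvodReport) -> List[str]:
    """Cross-check the per-file lines against the report's own totals."""
    problems = []
    if rep.counts.get("Infected Files") != len(infected_files(rep)):
        problems.append("infected count does not match per-file lines")
    if rep.counts.get("Internal Error") != len(status_write_failures(rep)):
        problems.append("internal-error count does not match permission-denied lines")
    return problems
```

Run against the report above, `infected_files` returns just the EICAR file and `check_summary` returns an empty list, which is the quick sanity check worth keeping when the vault volume is read-only and every file trips the status-write error.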

You can only have one scheduled on-demand-task per SVM.

Error: command failed: Cannot schedule task "ODT4" because another task "ODT3" is currently scheduled, and only one scheduled task per Vserver is supported. Use the command without the "-schedule" parameter, or use the "vserver vscan on-demand-task unschedule" command to unschedule the task, and then try the command again.

Saturday, 2 December 2017

Mapping APIs to ClusterShell and PowerShell - UPDATE

An update to this April 2017 post! Not sure if it’s just me, or perhaps it’s ONTAP 9.3RC1, but I couldn’t get Invoke-NcSsh to work with the PowerShell Toolkit 4.5 (Get-NaToolkitVersion reports 4.3). My workaround requires that you have plink.exe in your working folder. The pictured bit of code creates a temporary password, creates a temporary user, runs plink with this user and password to get the show-ontapi output, then deletes the temporary user. I’ve never been a fan of Invoke-NcSsh or Invoke-NaSsh; this seems like a nice workaround, and you’re only passing a temporary, randomly generated plaintext password over the network.

Image: Using Plink instead of Invoke-NcSsh to get show-ontapi output

The Script

Copy the script into a text editor and save it as, say, API-to-CS-PS.ps1.
Then run the following in PowerShell::>

Import-Module DataONTAP
Connect-NcController {CLUSTER}

## API to CShell & PShell V3 ##
## ========================= ##

## PRE-REQ: A connection to a cluster:
## PS> Import-Module DataONTAP
## PS> Connect-NcController {CLUSTER}
## PS> .\API-to-CS-PS.ps1
## Also needs plink.exe in the working directory
## (used here as working alternative to Invoke-NcSsh)

[String]$CluName = (Get-NcCluster).ClusterName
[String]$CluIP   = (Get-NcCluster).NcController

## USING PLINK TO GET show-ontapi ##
## ============================== ##

# Temporary password: 8 random upper-case letters plus a digit (ONTAP's default
# password policy wants alphanumerics). Get-Random must be fed the letters as an
# array of characters; piping a single string to it just returns the whole string.
[Char[]]$alphabet = 65..90
[String]$tempPass = ""
For($loop=1;$loop -le 8;$loop++){$tempPass += ($alphabet | Get-Random)}
$tempPass += [String](Get-Random -Maximum 10)
# Temporary SSH user, created only for as long as it takes to capture show-ontapi.
[Void](New-NcUser -UserName TempPlinkUser -Vserver $CluName -Application ssh -AuthMethod password -Role admin -Password $tempPass)
Try{
  [System.Array]$Global:Lines = .\plink -ssh -x -a -l TempPlinkUser -pw $tempPass $CluIP "show-ontapi"
}
Finally{
  # Always remove the temporary user, even if plink fails part way through.
  [Void](Remove-NcUser -UserName TempPlinkUser -Vserver $CluName -Application ssh -AuthMethod password -Confirm:$FALSE)
}

## ================= ##

# Parse the show-ontapi output into a hash of API name -> ClusterShell command.
[System.Object]$Global:APItoCSHELL = @{}
[System.Array]$APIlist = @()
[Boolean]$Recording = $FALSE
[String]$ONTAPI     = ""
[String]$Command    = ""
$Global:Lines | Foreach{
  If($Recording){
    If($_.StartsWith(" ")){
      # Continuation line: the command carried onto the next line #
      If($Command){$Command += " "}
      $Command += $_.Trim(" ")
    }
    Else{
      # New API line: store the previous API/command pair first #
      If($ONTAPI -and $Command){
        $Global:APItoCSHELL.$ONTAPI = $Command
        $APIlist += $ONTAPI
        [String]$ONTAPI  = ""
        [String]$Command = ""
      }
      If($_.Split(" ").Count -eq 1){ $ONTAPI = $_ }
      Else{
        $ONTAPI  = $_.Split(" ")[0]
        $Command = $_.SubString($ONTAPI.length,($_.length - $ONTAPI.length)).Trim(" ")
      }
    }
  }
  If($_.StartsWith("-")){$Recording = $TRUE}
  # The header finishes with a line of "-" #
  If($_ -like '[0-9]*'){$Recording = $FALSE}
  # The show-ontapi output ends with a count #
}

## ================= ##

# Map each API to the PowerShell cmdlet(s) that use it.
# A cmdlet might map to two or more APIs, we need unique APIs #
$GetNcHelp = Get-NcHelp
[System.Object]$Global:APItoPSHELL = @{}
$GetNcHelp | Foreach{
  # Cmdlets with no API (e.g. Connect-NcController) give an empty list and are skipped.
  Foreach($API in ([String]$_.API).Split(",").Trim() | Where-Object { $_ }){
    If(-not $Global:APItoPSHELL.$API){
      $Global:APItoPSHELL.$API = @{ Category = ""; Family = ""; PowerShell = "" }
    }
    If($Global:APItoPSHELL.$API.PowerShell){$Global:APItoPSHELL.$API.PowerShell += " "}
    # Above adds " " if a cmdlet has already been logged for the API #
    If($_.Category){ $Global:APItoPSHELL.$API.Category    = $_.Category}
    If($_.Family){   $Global:APItoPSHELL.$API.Family      = [String]($_.Family)}
    If($_.Name){     $Global:APItoPSHELL.$API.PowerShell += $_.Name}
  }
}

## ======================= ##

[System.Array]$Global:CSV = @()

[System.Array]$TextOut = @()
$TK = Get-NaToolkitVersion
$TextOut += "API-to-CS-PS"
$TextOut += "============",""
$TextOut += "NaToolkitVersion = $($TK.major).$($TK.minor)"
$TextOut += "ONTAP Version    = $((Get-NcSystemVersionInfo).Version)",""

$APIlist | Foreach{
  $Category = $Family = $PSHELL = ""
  If($Global:APItoPSHELL.$_){
    $Category = $Global:APItoPSHELL.$_.Category
    $Family   = $Global:APItoPSHELL.$_.Family
    $PSHELL   = $Global:APItoPSHELL.$_.PowerShell
  }
  $Global:CSV += [PSCustomObject]@{
    "API"      = $_
    "Category" = $Category
    "Family"   = $Family
    "CSHELL"   = $Global:APItoCSHELL.$_
    "PSHELL"   = $PSHELL
  }
  [String]$APIout = $_.Replace("`n","").Replace("`r","")
  [String]$CshOut = ($Global:APItoCSHELL.$_).Replace("`n","").Replace("`r","")
  $TextOut += ("API = $APIout")
  $TextOut += ("CS  = $CshOut")
  $PSHELL = $PSHELL.Trim(" ")
  [System.Array]$SplitPS = $PSHELL.Split(" ")
  Foreach($PS in $SplitPS){
    $TextOut += ("PS  = " + $PS)
  }
  $TextOut += ""
}

$Global:CSV | Export-CSV "API-to-CS-PS.CSV" -NoTypeInformation
$TextOut | Set-Content "API-to-CS-PS.TXT"
Notepad "API-to-CS-PS.TXT"

ONTAP API Changes 9.1 v 9.3

In this post from April 2017, I shared a tool I wrote to create a CSV mapping APIs to ClusterShell and PowerShell commands. I’d previously run the tool against ONTAP 9.1, so I thought I’d run it against ONTAP 9.3 with the very latest PowerShell Toolkit installed (advertised as 4.5, but Get-NaToolkitVersion displays 4.3). This post details the new APIs in ONTAP 9.3 (that weren’t in ONTAP 9.1), and the APIs that have gone. You might be wondering “what happened to 9.2?” Well, I’ve just not had the time, and it makes sense to compare the long-term support (odd-numbered) releases.

The next post has the upgraded API-to-CS-PS.ps1 script I used (upgraded with a cunning fix for PowerShell Toolkit 4.5 seemingly having broken Invoke-NcSsh).

APIs new to ONTAP 9.3 that were not in ONTAP 9.1 (115)

API (ClusterShell)

aggr-efficiency-cumulated-get (storage aggregate show-cumulated-efficiency)
aggr-efficiency-get-iter (storage aggregate show-efficiency)
aggr-object-store-attach (storage aggregate object-store attach)
aggr-object-store-config-create (storage aggregate object-store config create)
aggr-object-store-config-delete (storage aggregate object-store config delete)
aggr-object-store-config-get (storage aggregate object-store config show)
aggr-object-store-config-get-iter (storage aggregate object-store config show)
aggr-object-store-config-modify (storage aggregate object-store config modify)
aggr-object-store-config-provider-list (storage aggregate object-store config provider-list)
aggr-object-store-get-iter (storage aggregate object-store show-space)
application-provisioning-lun-start (lun create)
application-provisioning-volume-start (volume create)
cache-policy-get (qos settings cache show)
cache-policy-get-iter (qos settings cache show)
cache-policy-modify (qos settings cache modify)
cache-policy-modify-iter (qos settings cache modify)
cluster-image-get-upgrade-plan (cluster image show-upgrade-plan)
cluster-zoneinfo-get (cluster date zoneinfo show)
cluster-zoneinfo-load-from-uri (cluster date zoneinfo load-from-uri)
export-check-access-get-iter (vserver export-policy check-access)
external-cache-get (system node external-cache show)
external-cache-modify (system node external-cache modify)
fcp-nameserver-get-iter (vserver fcp nameserver show)
fcp-topology-get-iter (vserver fcp topology show)
fcp-topology-port-get-iter (network fcp topology show)
fcp-zone-get-iter (network fcp zone show)
file-directory-effective-permissions-get (vserver security file-directory show-effective-permissions)
iscsi-auth-add-initiator-address-ranges (vserver iscsi security add-initator-address-ranges)
iscsi-auth-remove-initiator-address-ranges (vserver iscsi security remove-initator-address-ranges)
ldap-check-get-iter (vserver services name-service ldap check)
license-v2-apply (system license add)
license-v2-capacity-get-iter (system license show)
license-v2-status-get-iter (system license show-status)
lun-alignment-reset-statistics (lun modify)
metrocluster-configuration-settings-get-iter (metrocluster configuration-settings show-status)
metrocluster-connection-connect-async (metrocluster configuration-settings connection connect)
metrocluster-connection-disconnect-async (metrocluster configuration-settings connection disconnect)
metrocluster-connection-get-iter (metrocluster configuration-settings connection show)
metrocluster-dr-group-create (metrocluster configuration-settings dr-group create)
metrocluster-dr-group-delete (metrocluster configuration-settings dr-group delete)
metrocluster-dr-group-get-iter (metrocluster configuration-settings dr-group show)
metrocluster-interface-create (metrocluster configuration-settings interface create)
metrocluster-interface-delete (metrocluster configuration-settings interface delete)
metrocluster-interface-get-iter (metrocluster configuration-settings interface show)
net-dns-check-get-iter (vserver services name-service dns check)
net-tuning-icmp-get (network tuning icmp show)
net-tuning-icmp-modify (network tuning icmp modify)
net-tuning-icmp6-get (network tuning icmp6 show)
net-tuning-icmp6-modify (network tuning icmp6 modify)
net-tuning-tcp-get (network tuning tcp show)
net-tuning-tcp-modify (network tuning tcp modify)
qos-adaptive-policy-group-create (qos adaptive-policy-group create)
qos-adaptive-policy-group-delete (qos adaptive-policy-group delete)
qos-adaptive-policy-group-delete-iter (qos adaptive-policy-group delete)
qos-adaptive-policy-group-get (qos adaptive-policy-group show)
qos-adaptive-policy-group-get-iter (qos adaptive-policy-group show)
qos-adaptive-policy-group-modify (qos adaptive-policy-group modify)
qos-adaptive-policy-group-modify-iter (qos adaptive-policy-group modify)
qos-adaptive-policy-group-rename (qos adaptive-policy-group rename)
security-certificate-truststore-clear (security certificate truststore clear)
security-key-manager-add (security key-manager add)
security-key-manager-delete (security key-manager delete)
security-key-manager-query-v2-get (security key-manager query)
security-key-manager-query-v2-get-iter (security key-manager query)
security-saml-sp-create-async (security saml-sp create)
security-saml-sp-destroy (security saml-sp delete)
security-saml-sp-get (security saml-sp show)
security-saml-sp-modify (security saml-sp modify)
snaplock-event-retention-abort (snaplock event-retention abort)
snaplock-event-retention-apply-start (snaplock event-retention apply)
snaplock-event-retention-get-iter (snaplock event-retention show)
snaplock-event-retention-policy-create (snaplock event-retention policy create)
snaplock-event-retention-policy-destroy (snaplock event-retention policy delete)
snaplock-event-retention-policy-get-iter (snaplock event-retention policy show)
snaplock-event-retention-policy-modify (snaplock event-retention policy modify)
snaplock-legal-hold-abort (snaplock legal-hold abort)
snaplock-legal-hold-begin-start (snaplock legal-hold begin)
snaplock-legal-hold-dump-files-start (snaplock legal-hold dump-files)
snaplock-legal-hold-dump-litigations-start (snaplock legal-hold dump-litigations)
snaplock-legal-hold-end-start (snaplock legal-hold end)
snaplock-legal-hold-get-iter (snaplock legal-hold show)
snapmirror-protect (snapmirror protect)
snmp-enable-snmpv3 (system snmp show)
snmp-test-trap-trigger (system snmp traphost add)
storage-acp-firmware-file-get-iter (storage firmware acp show)
storage-bridge-coredump-collect (storage bridge coredump collect)
storage-bridge-coredump-delete (storage bridge coredump delete)
storage-bridge-coredump-get-iter (storage bridge coredump show)
storage-disk-firmware-file-get-iter (storage firmware disk show)
system-node-discovery-get-iter (system node show-discovered)
system-status-service-get-iter (system status show)
template-management-template-copy (template copy)
template-management-template-delete (template delete)
template-management-template-get (template show)
template-management-template-get-iter (template show)
template-management-template-parameter-get (template parameter show)
template-management-template-parameter-get-iter (template parameter show)
template-management-template-parameter-modify (template parameter modify)
template-management-template-parameter-modify-iter (template parameter modify)
template-management-template-provision (template provision)
template-management-template-rename (template rename)
virtual-machine-system-disks-get-iter (system node virtual-machine instance show-system-disks)
volume-autosize-set-async (volume modify)
volume-encryption-conversion-get-iter (volume encryption conversion show)
volume-encryption-conversion-pause (volume encryption conversion pause)
volume-encryption-conversion-resume (volume encryption conversion resume)
volume-encryption-conversion-start (volume encryption conversion start)
volume-encryption-rekey-get-iter (volume encryption rekey show)
volume-encryption-rekey-pause (volume encryption rekey pause)
volume-encryption-rekey-resume (volume encryption rekey resume)
volume-encryption-rekey-start (volume encryption rekey start)
vserver-peer-permission-create (vserver peer permission create)
vserver-peer-permission-delete (vserver peer permission delete)
vserver-peer-permission-get (vserver peer permission show)
vserver-peer-permission-get-iter (vserver peer permission show)

APIs not in ONTAP 9.3 that were in ONTAP 9.1 (25)

Image: The API-to-CS-PS-v3 tool used (up in the next post)

Upgrading the ONTAP Simulator to 9.3RC1

In order to try out the latest version of ONTAP (ONTAP 9.3RC1 being the latest as I write this) you’ll need to upgrade the ONTAP Simulator (assuming you don’t have suitable hardware to play with). Fortunately it is very easy to do this and to get a basic cluster setup up and running.

Note: Here I show you my way - there are other ways.

1) Download the latest version of the simulator from:

Since I’m using VMware Workstation, I go for:
Simulate ONTAP 9.2 for VMware Workstation, VMware Player, and VMware Fusion (vsim-netapp-DOT9.2-cm.ova)

2) Download the ONTAP 9.3RC1 from:

The file is: 93RC1_q_image.tgz

3) Open the downloaded vsim-netapp-DOT9.2-cm.ova in VMware Workstation, and follow the prompts to import the VM.
4) (If you need to) Modify any hardware settings (networks, add extra vNICs).
5) Power on the VM
6) (Optional) Press {SPACE} at the “Hit [Enter] to boot immediately...” to get to the VLOADER> prompt
7) (Optional) A few things I like to do at the VLOADER> prompt: enable the use of more and larger vDisks, and allow the VM to power itself off:

setenv bootarg.sim.vdevinit 31:14:0,31:14:1,31:14:2,31:14:3
setenv bootarg.vm.sim.vdevinit 31:14:0,31:14:1,31:14:2,31:14:3
setenv bootarg.vm.no_poweroff_on_halt false

8) When prompted, press Ctrl-C to access the boot menu
9) From the Boot Menu select option (7) “Install new software first”, and follow the prompts to install ONTAP 9.3RC1.

Note: You need to have already presented the ONTAP image via a webserver for this step (if you don’t have a webserver, Mongoose.exe from is good and light, or you could try hfs.exe which I’m using here)

... Do you want to continue? y
... port ... for the download? e0c
... Reboot now? y

Enter the IP address for port e0c:
Enter the netmask...:
... default gateway:
What is the URL for the package?
... user name ... if any?

... default ... for subsequent reboots? y
... reboot now? y

Image: Boot Menu from ONTAP 9.2 SIM

10) When prompted, press Ctrl-C to access the boot menu
11) From the Boot Menu select option (4) “Clean configuration and initialize all disks”, and follow the prompts.

Zero disks...? y
... are you sure? y

And wait...

12) Complete the node setup part of the “cluster setup wizard”:

Type yes to confirm and continue? y
Enter the node management interface port? e0c
Enter the node management interface IP address:
Enter the node management interface netmask:
Enter the node management interface default gateway:

A node management interface ... has been created.

13) I don’t like using the VM console any more than I have to, so at this point press Ctrl+C and log in as “admin”.
14) To enable SSH, run the following commands::>

security login password

security login create -vserver Default -user-or-group-name admin -application ssh -authmethod password -role admin

15) Now connect via SSH to the node management IP.
16) Create the cluster::>

cluster create -clustername C93A -node-count 1

Note 1: ‘Cluster Setup’ kept on prompting for node management addressing, then kicked me out of SSH, hence using cluster create.
Note 2: I did try the Guided Setup with the 9.3RC1 SIM, but it wouldn’t discover my node.

17) Basic cluster setup.
The following commands:
- Create a cluster management LIF
- Configure cluster DNS
- Configure timezone
- Configure NTP
- Assign disks
- Create a couple of data aggregates
- Install the feature licenses from the 9.2 SIM (with serial: 4082368507)

net int create -vserver C93A -lif cluster_mgmt -role cluster-mgmt -home-node C93A-01 -home-port e0c -address -netmask

vserver services name-service dns create -domains lab.priv -name-servers

timezone -timezone Europe/London
cluster time-service ntp server create -server

disk assign -all true -node C93A-01
aggr create -aggregate data1 -diskcount 26 -maxraidsize 26
aggr create -aggregate data2 -diskcount 26 -maxraidsize 26

license add YVUCRRRRYVHXCFABGAAAAAAAAAAA # CIFS
license add WKQGSRRRYVHXCFABGAAAAAAAAAAA # FCP
license add SOHOURRRYVHXCFABGAAAAAAAAAAA # FlexClone
license add YBSOYRRRYVHXCFABGAAAAAAAAAAA # Insight_Balance
license add KQSRRRRRYVHXCFABGAAAAAAAAAAA # iSCSI
license add MBXNQRRRYVHXCFABGAAAAAAAAAAA # NFS
license add QDDSVRRRYVHXCFABGAAAAAAAAAAA # SnapLock
license add CYAHWRRRYVHXCFABGAAAAAAAAAAA # SnapManager
license add GUJZTRRRYVHXCFABGAAAAAAAAAAA # SnapMirror
license add OSYVWRRRYVHXCFABGAAAAAAAAAAA # SnapProtect
license add UZLKTRRRYVHXCFABGAAAAAAAAAAA # SnapRestore

And we’re done!

APPENDIX: What’s behind option (9) Configure Advanced Drive Partitioning?

Image: Advanced Drive Partitioning Boot Menu Options