Wednesday, 27 December 2017

Tech Roundup (27th December 2017)

Stuff collected in the last couple of months or so - mostly links (things to read/watch) and some random notes.
With headings: AWS, Fujitsu, IBM, Linux, Microsoft, Miscellany, NetApp (+Demo Series, Tech ONTAP Podcast, The Pub, TRs), Nutanix, oVirt, Proxmox, Veeam, VMware


“... what a departure for the biggest Xen shop in the world.”
‘there's no "vCenter for KVM" available today’



“The ultimate air-gapped backup storage just got better – IBM has announced LTO-8 with double capacity of the previous LTO generation (12TB native capacity per cartridge), and performance of up to 360MB/s.”

“IBM research recently demonstrated the ability to record data at an areal density of 201 gigabits per square inch on magnetic tape. That translates to the equivalent of 330TB of data stored in a tape cartridge about the same size as the palm of your hand.”





NetApp Cloud Data Services Portal:

- Available in the ToolChest: The NetApp Import Utility for SnapCenter and VSC is a standalone utility that helps customers using VSC 6.x import metadata to SnapCenter 3.0.1 and to VSC Appliance 7.0 and higher versions.

“NetApp Nation is a tool that helps you become socially engaged.”

Image: NTAP over 5 years

Non-Disruptive SVM-DR Vserver Cutovers in ONTAP 9.3:
This is a tech preview only (no release date yet). The commands are shown below. It does need to be enabled (don’t ask me, I’ve yet to discover this):

::> set advanced
::*> vserver migrate ?
 cleanup         *Remove migrating entity
 cutover         *Perform Cutover of the migrate operation
 pause           *Pause a Vserver migrate operation
 repeer          *Repeer Existing Vserver Peer Relationships after Vserver Migration
 resume          *Resume a migrate operation
 show            *Display status of migrating Vservers
 show-progress   *Display status of volumes in a migrating Vservers
 show-volume     *Display status of volumes in a migrating Vservers
 start           *Start the Vserver migrate operation

Measuring performance between nodes:
ttcp and xttcp were removed in ONTAP 9.3 and replaced by iperf3 (which works in the systemshell). A clustershell alternative that should work with any SVM from ONTAP 9.3 is shown below.

::> set advanced
::*> network test-link ?
 run-test       *Test link bandwidth
 show           *Display test results
 start-server   *Start server for bandwidth test
 stop-server    *Stop server for bandwidth test
::*> network ?
 test-path      *Test path performance between two nodes

NetApp Demo Series - New Recordings

NetApp Tech ONTAP Podcast

New since the last roundup:

NetApp The Pub

New since the last roundup:

NetApp TRs

New since the last roundup:


“Nutanix Acropolis hyperconverged infrastructure includes a license-free hypervisor, AHV...”


“oVirt is a complete virtualization management platform, licensed and developed as open source software. oVirt builds on the powerful kernel based virtual machine (KVM hypervisor) and on the RHEV-M management server, released by Red Hat to the open source community.”


Open-Source Virtualization Platform
Compute, network and storage in a single solution



Note: The vSphere Client is no longer available starting with vSphere 6.5.

“... avoid doing things like creating vmkernel ports during the production hours.”

Monday, 4 December 2017

On Demand Anti-Virus Scan on SnapVault Destination?

ONTAP 9.1 introduced VSCAN On-Demand Scan. There might be reasons why you want to run an On-Demand scan on your SnapVault destination cluster (perhaps to save processor cycles on your source controller, or as a security check to see whether anything has got past virus scanning on the end-clients and the production SVM). This post demonstrates how to do this.

Setting up Offbox VSCAN

We already have the following components installed on our Anti-Virus scanning server:
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise for Storage
- ONTAP AV Connector

We also already have:
- A SnapVault relationship configured
- A known bad file vaulted (see here for details of the EICAR file used for Anti-Virus testing)

And we complete the following setup as detailed in the post ‘Offbox Anti-Virus Configuration Super Express Guide’:

1) Connecting up the ONTAP AV Connector

Create user:

security login create -username LAB\AVADMIN -application ontapi -authmethod domain -role readonly -vserver C93B

Connect to the cluster in the ONTAP AV Connector.

Image: Successful ONTAP AV Connector connection

2) Configure Vscan:

vserver vscan scanner-pool create -vserver C93B -scanner-pool POOL1 -hostnames WFA41.lab.priv -privileged-users LAB\AVADMIN
vserver vscan on-access-policy create -vserver C93B -policy-name POL1 -filters scan-ro-volume
vserver vscan scanner-pool apply-policy -vserver VAULT-SVM -scanner-pool POOL1 -scanner-policy primary
vserver vscan on-access-policy disable -vserver VAULT-SVM -policy-name default_CIFS
vserver vscan on-access-policy enable -vserver VAULT-SVM -policy-name POL1
vserver vscan enable -vser VAULT-SVM

Running On-Demand Scan

We need to create an R/W volume for the On-Demand task reports, together with a share so we can access the reports:

vol create -volume VSCAN_REPORTS  -vserver VAULT-SVM -aggregate data1 -size 10g -space-guarantee none -junction-path /VSCAN_REPORTS -security-style ntfs
cifs share create -share-name VSCAN_REPORTS$ -vserver VAULT-SVM -path /VSCAN_REPORTS

Then we create our on-demand task and run it:

vserver vscan on-demand-task create -vserver VAULT-SVM -task-name ODT -scan-path / -report-directory /VSCAN_REPORTS -schedule ""
vserver vscan on-demand-task run -vserver VAULT-SVM -task-name ODT

Reviewing the Output

The test infected file showed up in the “event log show” output:

12/4/2017 14:54:52 C93-01 ERROR Nblade.vscanVirusDetected: Possible virus detected. Vserver: VAULT-SVM, vscan server IP:, file path: \\TEST1_CIFS_volume_dst\EICAR.COM, client IP: -, SID: On-Demand, vscan engine status: 222200002, vscan engine result string: File threatened. The file could not be deleted, the file is still threatened.

There were only 4 files in my test vault SVM. The avod log showed successful virus detection:

Vserver  : VAULT-SVM
Task Name: ODT

Traversing  path: /

/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 1.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

       Number of Attempted Scans: 5
       Number of Files Skipped from Scanning: 0
       Number of Already Scanned Files: 0
       Number of Successful Scans: 5
       Number of Failed Scans: 0
       Number of Timeout Scans: 0
       Number of Clean Files: 4
       Number of Infected Files: 1
       Number of Internal Error: 4
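
A report like the one above can be summarised with a short script instead of being read by eye. This is an added example, not part of the original post: the function name Get-VscanReportSummary is hypothetical, the sample text is copied from the report output shown above, and only the line formats visible in that output are handled.

```powershell
## Sample report text, copied from the On-Demand scan output shown above
$SampleReport = @'
/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 1.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
       Number of Successful Scans: 5
       Number of Clean Files: 4
       Number of Infected Files: 1
       Number of Internal Error: 4
'@

Function Get-VscanReportSummary {
    Param([String[]]$Lines)
    $Infected = @(); $StatusErrors = @(); $Counts = @{}
    Foreach ($Line in $Lines) {
        If ($Line -match '^(?<Path>/.+?):\s+File scanned successfully by Vscanner: .*Scan result: "(?<Result>[^"]*)".*Serviced by node: "(?<Node>[^"]*)"') {
            # Only the "File is infected" result string appears on the page, so only that one is matched
            If ($Matches['Result'] -eq 'File is infected') {
                $Infected += [PSCustomObject]@{ Path = $Matches['Path']; Node = $Matches['Node'] }
            }
        } ElseIf ($Line -match '^(?<Path>/.+?):\s+On-Demand scan failed .+?\. Reason: (?<Reason>.+?)\.?\s*$') {
            # Per-file errors, such as the scan status not being writable
            $StatusErrors += [PSCustomObject]@{ Path = $Matches['Path']; Reason = $Matches['Reason'] }
        } ElseIf ($Line -match '^\s*Number of (?<Name>.+?):\s*(?<Value>\d+)\s*$') {
            # Trailer counters, e.g. "Number of Infected Files: 1"
            $Counts[$Matches['Name']] = [Int]$Matches['Value']
        }
    }
    [PSCustomObject]@{
        Infected     = $Infected
        StatusErrors = $StatusErrors
        Counts       = $Counts
        # True when the per-file lines agree with the trailer counters
        Consistent   = ($Counts['Infected Files'] -eq $Infected.Count) -and
                       ($Counts['Internal Error'] -eq $StatusErrors.Count)
    }
}

$Summary = Get-VscanReportSummary -Lines ($SampleReport -split "`r?`n")
$Summary.Infected     | Format-Table -AutoSize   # EICAR.COM, serviced by C93-01
$Summary.StatusErrors | Group-Object Reason | Select-Object Count, Name
"Report counters consistent with per-file lines: $($Summary.Consistent)"
```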


You can only have one scheduled on-demand-task per SVM.

Error: command failed: Cannot schedule task "ODT4" because another task "ODT3" is currently scheduled, and only one scheduled task per Vserver is supported. Use the command without the "-schedule" parameter, or use the "vserver vscan on-demand-task unschedule" command to unschedule the task, and then try the command again.

Saturday, 2 December 2017

Mapping APIs to ClusterShell and PowerShell - UPDATE

An update to this April 2017 post! Not sure if it’s just me, or it’s ONTAP 9.3RC1 perhaps, but I couldn’t get Invoke-NcSsh to work with the PowerShell Toolkit 4.5 (Get-NaToolkitVersion 4.3). My workaround requires you to have plink.exe in your working folder. The pictured bit of code creates a temporary password, creates a temporary user, runs plink with this user and password to get the show-ontapi output, then deletes the temporary user. I’ve never been a fan of Invoke-NcSsh or Invoke-NaSsh; this seems like a nice workaround and you’re only passing a temporary randomly generated plaintext password over the network.

Image: Using Plink instead of Invoke-NcSsh to get show-ontapi output

The Script

Copy into a text editor and save as, say, API-to-CS-PS.ps1
Then run the following in PowerShell:

Import-Module DataONTAP
Connect-NcController {CLUSTER}

## API to CShell & PShell V3 ##
## ========================= ##

## PRE-REQ: A connection to a cluster:
## PS> Import-Module DataONTAP
## PS> Connect-NcController {CLUSTER}
## PS> .\API-to-CS-PS.ps1
## Also needs plink.exe in the working directory
## (used here as working alternative to Invoke-NcSsh)

[String]$CluName = (Get-NcCluster).ClusterName
[String]$CluIP   = (Get-NcCluster).NcController

## USING PLINK TO GET show-ontapi ##
## ============================== ##

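# Build A-Z as an array of characters so that Get-Random picks one letter at a time #
[System.Array]$alphabet = @()
For($a=65;$a -le 90;$a++){$alphabet += ,[char][byte]$a}
[String]$tempPass = ""
# Temporary password = 8 random upper-case letters followed by one digit #
For($loop=1;$loop -le 8;$loop++){$tempPass += ($alphabet|Get-Random)}
$tempPass += [String](Get-Random -Maximum 10)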
[Void](New-NcUser -UserName TempPlinkUser -Vserver $CluName -Application ssh -AuthMethod password -Role admin -Password $tempPass)
[System.Array]$Global:Lines = .\plink -ssh -x -a -l TempPlinkUser -pw $tempPass $CluIP "show-ontapi"
[Void](Remove-NcUser -UserName TempPlinkUser -Vserver $CluName -Application ssh -AuthMethod password -Confirm:$FALSE)

## ================= ##

[System.Object]$Global:APItoCSHELL = @{}
[System.Array]$APIlist = @()
[Boolean]$Recording = $FALSE
[String]$ONTAPI     = ""
[String]$Command    = ""
$Global:Lines | Foreach{
  If($Recording){
    If($_.StartsWith(" ")){
      If($Command){$Command += " "}
      # += " " because command might carry onto next line #
      $Command += $_.Trim(" ")
    }else{
      # A new API line: store the previous API/command pair first #
      If($ONTAPI -and $Command){
        $Global:APItoCSHELL.$ONTAPI = $Command
        $APIlist += $ONTAPI
        [String]$ONTAPI = ""
        [String]$Command = ""
      }
      If($_.Split(" ").Count -eq 1){ $ONTAPI = $_ }
      else{
        $ONTAPI = $_.Split(" ")[0]
        $Command = $_.SubString($ONTAPI.length,($_.length - $ONTAPI.length)).Trim(" ")
      }
    }
  }
  If($_.StartsWith("-")){$Recording = $TRUE}
  # The header finishes with a line of "-" #
  If($_ -like '[0-9]*'){$Recording = $FALSE}
  # The show-ontapi output ends with a count #
}

## ================= ##

$GetNcHelp = Get-NcHelp
# A cmdlet might map to two or more APIs, we need unique APIs #
[System.Object]$Global:APItoPSHELL = @{}
$GetNcHelp | Foreach{
    Foreach($API in $_.API.Split(",")){
      # Create the entry the first time this API is seen #
      If(!$Global:APItoPSHELL.$API){
        [System.Object]$Global:APItoPSHELL.$API = @{}
        [String]$Global:APItoPSHELL.$API.Category   = ""
        [String]$Global:APItoPSHELL.$API.Family     = ""
        [String]$Global:APItoPSHELL.$API.PowerShell = ""
      }
      If($Global:APItoPSHELL.$API.PowerShell){$Global:APItoPSHELL.$API.PowerShell += " "}
      # Above adds " " if a cmdlet has already been logged for the API #
      If($_.Category){ $Global:APItoPSHELL.$API.Category    = $_.Category}
      If($_.Family){   $Global:APItoPSHELL.$API.Family      = [String]($_.Family)}
      If($_.Name){     $Global:APItoPSHELL.$API.PowerShell += $_.Name}
    }
}

## ======================= ##

[System.Array]$Global:CSV = @()

[System.Array]$TextOut = @()
$TK = Get-NaToolkitVersion
$TextOut += "API-to-CS-PS"
$TextOut += "============",""
$TextOut += "NaToolkitVersion = $($TK.major).$($TK.minor)"
$TextOut += "ONTAP Version    = $((Get-NcSystemVersionInfo).Version)",""

$APIlist | Foreach{
  $Category = $Family = $PSHELL = ""
  # Only APIs that a cmdlet maps to have PowerShell details #
  If($Global:APItoPSHELL.$_){
    $Category = $Global:APItoPSHELL.$_.Category
    $Family = $Global:APItoPSHELL.$_.Family
    $PSHELL = $Global:APItoPSHELL.$_.PowerShell
  }
  $Global:CSV += [PSCustomObject]@{
    "API"      = $_
    "Category" = $Category
    "Family"   = $Family
    "CSHELL"   = $Global:APItoCSHELL.$_
    "PSHELL"   = $PSHELL
  }
  [String]$APIout = $_.Replace("`n","").Replace("`r","")
  [String]$CshOut = ($Global:APItoCSHELL.$_).Replace("`n","").Replace("`r","")
  $TextOut += ("API = $APIout")
  $TextOut += ("CS  = $CshOut")
  $PSHELL = $PSHELL.Trim(" ")
  [System.Array]$SplitPS = $PSHELL.Split(" ")
  Foreach($PS in $SplitPS){
    $TextOut += ("PS  = " + $PS)
  }
  $TextOut += ""
}

$Global:CSV | Export-CSV "API-to-CS-PS.CSV" -NoTypeInformation
$TextOut | Set-Content "API-to-CS-PS.TXT"
Notepad "API-to-CS-PS.TXT"
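
A hardened variant of the temporary-user step used by the script above, as an added example that is not part of the original script. It draws the password from a cryptographic random number generator, pins the SSH host key, and removes the admin-role account even if plink fails. The function names New-TempPassword and Invoke-PlinkAsTempUser and the $HostKey parameter are hypothetical; -batch and -hostkey are standard plink options, and the fingerprint value is a placeholder you must supply.

```powershell
## Assumes an existing Connect-NcController session and plink.exe in the working folder

Function New-TempPassword {
    Param([Int]$Length = 24)
    # 0-9, A-Z, a-z = 62 characters
    [Char[]]$Chars = (48..57) + (65..90) + (97..122)
    $Rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $Byte = New-Object Byte[] 1
    Try {
        Do {
            $Sb = New-Object System.Text.StringBuilder
            While ($Sb.Length -lt $Length) {
                $Rng.GetBytes($Byte)
                # Rejection sampling: 248 = 4 x 62, so bytes 248-255 are discarded to avoid modulo bias
                If ($Byte[0] -lt 248) { [Void]$Sb.Append($Chars[$Byte[0] % 62]) }
            }
            $Password = $Sb.ToString()
        # Retry until the password contains at least one letter and one digit
        } Until ($Password -match '[A-Za-z]' -and $Password -match '[0-9]')
    } Finally { $Rng.Dispose() }
    Return $Password
}

Function Invoke-PlinkAsTempUser {
    Param(
        [Parameter(Mandatory=$TRUE)][String]$CluName,  # admin Vserver (cluster name), as in the script above
        [Parameter(Mandatory=$TRUE)][String]$CluIP,    # cluster management address
        [Parameter(Mandatory=$TRUE)][String]$HostKey,  # SSH host key fingerprint, verified out of band
        [String]$Command  = "show-ontapi",
        [String]$UserName = "TempPlinkUser"
    )
    [String]$tempPass = New-TempPassword
    [Void](New-NcUser -UserName $UserName -Vserver $CluName -Application ssh -AuthMethod password -Role admin -Password $tempPass)
    Try {
        # -batch stops plink prompting (for example to accept an unknown host key);
        # -hostkey makes it refuse any server that does not present the expected key.
        # -pw still exposes the password in the local process list while plink runs.
        [System.Array]$Output = .\plink -ssh -batch -x -a -hostkey $HostKey -l $UserName -pw $tempPass $CluIP $Command
        If ($LASTEXITCODE -ne 0) { Throw "plink exited with code $LASTEXITCODE" }
        Return $Output
    } Finally {
        # Runs on success, on error and on Ctrl+C, so the temporary admin account is not left behind
        [Void](Remove-NcUser -UserName $UserName -Vserver $CluName -Application ssh -AuthMethod password -Confirm:$FALSE)
    }
}

## Usage (the fingerprint is a placeholder):
## $Global:Lines = Invoke-PlinkAsTempUser -CluName $CluName -CluIP $CluIP -HostKey "<HOST-KEY-FINGERPRINT>"
```
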

ONTAP API Changes 9.1 v 9.3

In this post from April 2017, I shared a tool I wrote to create a CSV mapping APIs to ClusterShell and PowerShell commands. I’d previously run the tool against ONTAP 9.1, so thought I’d run it against ONTAP 9.3 with the very latest PowerShell toolkit installed (advertised as 4.5 but Get-NaToolkitVersion displays as 4.3). This post details the new APIs in ONTAP 9.3 (that weren’t in ONTAP 9.1), and APIs that have gone. You might be wondering “what happened to 9.2?” Well, I’ve just not had the time, and it makes sense to compare the long-term support (.odd-number) releases.

And in the next post is the upgraded API-to-CS-PS.ps1 script which I used (upgraded with a cunning fix for the PowerShell Toolkit 4.5 seemingly having broken Invoke-NcSsh).

APIs new to ONTAP 9.3 that were not in ONTAP 9.1 (115)

API (ClusterShell)

aggr-efficiency-cumulated-get (storage aggregate show-cumulated-efficiency)
aggr-efficiency-get-iter (storage aggregate show-efficiency)
aggr-object-store-attach (storage aggregate object-store attach)
aggr-object-store-config-create (storage aggregate object-store config create)
aggr-object-store-config-delete (storage aggregate object-store config delete)
aggr-object-store-config-get (storage aggregate object-store config show)
aggr-object-store-config-get-iter (storage aggregate object-store config show)
aggr-object-store-config-modify (storage aggregate object-store config modify)
aggr-object-store-config-provider-list (storage aggregate object-store config provider-list)
aggr-object-store-get-iter (storage aggregate object-store show-space)
application-provisioning-lun-start (lun create)
application-provisioning-volume-start (volume create)
cache-policy-get (qos settings cache show)
cache-policy-get-iter (qos settings cache show)
cache-policy-modify (qos settings cache modify)
cache-policy-modify-iter (qos settings cache modify)
cluster-image-get-upgrade-plan (cluster image show-upgrade-plan)
cluster-zoneinfo-get (cluster date zoneinfo show)
cluster-zoneinfo-load-from-uri (cluster date zoneinfo load-from-uri)
export-check-access-get-iter (vserver export-policy check-access)
external-cache-get (system node external-cache show)
external-cache-modify (system node external-cache modify)
fcp-nameserver-get-iter (vserver fcp nameserver show)
fcp-topology-get-iter (vserver fcp topology show)
fcp-topology-port-get-iter (network fcp topology show)
fcp-zone-get-iter (network fcp zone show)
file-directory-effective-permissions-get (vserver security file-directory show-effective-permissions)
iscsi-auth-add-initiator-address-ranges (vserver iscsi security add-initator-address-ranges)
iscsi-auth-remove-initiator-address-ranges (vserver iscsi security remove-initator-address-ranges)
ldap-check-get-iter (vserver services name-service ldap check)
license-v2-apply (system license add)
license-v2-capacity-get-iter (system license show)
license-v2-status-get-iter (system license show-status)
lun-alignment-reset-statistics (lun modify)
metrocluster-configuration-settings-get-iter (metrocluster configuration-settings show-status)
metrocluster-connection-connect-async (metrocluster configuration-settings connection connect)
metrocluster-connection-disconnect-async (metrocluster configuration-settings connection disconnect)
metrocluster-connection-get-iter (metrocluster configuration-settings connection show)
metrocluster-dr-group-create (metrocluster configuration-settings dr-group create)
metrocluster-dr-group-delete (metrocluster configuration-settings dr-group delete)
metrocluster-dr-group-get-iter (metrocluster configuration-settings dr-group show)
metrocluster-interface-create (metrocluster configuration-settings interface create)
metrocluster-interface-delete (metrocluster configuration-settings interface delete)
metrocluster-interface-get-iter (metrocluster configuration-settings interface show)
net-dns-check-get-iter (vserver services name-service dns check)
net-tuning-icmp-get (network tuning icmp show)
net-tuning-icmp-modify (network tuning icmp modify)
net-tuning-icmp6-get (network tuning icmp6 show)
net-tuning-icmp6-modify (network tuning icmp6 modify)
net-tuning-tcp-get (network tuning tcp show)
net-tuning-tcp-modify (network tuning tcp modify)
qos-adaptive-policy-group-create (qos adaptive-policy-group create)
qos-adaptive-policy-group-delete (qos adaptive-policy-group delete)
qos-adaptive-policy-group-delete-iter (qos adaptive-policy-group delete)
qos-adaptive-policy-group-get (qos adaptive-policy-group show)
qos-adaptive-policy-group-get-iter (qos adaptive-policy-group show)
qos-adaptive-policy-group-modify (qos adaptive-policy-group modify)
qos-adaptive-policy-group-modify-iter (qos adaptive-policy-group modify)
qos-adaptive-policy-group-rename (qos adaptive-policy-group rename)
security-certificate-truststore-clear (security certificate truststore clear)
security-key-manager-add (security key-manager add)
security-key-manager-delete (security key-manager delete)
security-key-manager-query-v2-get (security key-manager query)
security-key-manager-query-v2-get-iter (security key-manager query)
security-saml-sp-create-async (security saml-sp create)
security-saml-sp-destroy (security saml-sp delete)
security-saml-sp-get (security saml-sp show)
security-saml-sp-modify (security saml-sp modify)
snaplock-event-retention-abort (snaplock event-retention abort)
snaplock-event-retention-apply-start (snaplock event-retention apply)
snaplock-event-retention-get-iter (snaplock event-retention show)
snaplock-event-retention-policy-create (snaplock event-retention policy create)
snaplock-event-retention-policy-destroy (snaplock event-retention policy delete)
snaplock-event-retention-policy-get-iter (snaplock event-retention policy show)
snaplock-event-retention-policy-modify (snaplock event-retention policy modify)
snaplock-legal-hold-abort (snaplock legal-hold abort)
snaplock-legal-hold-begin-start (snaplock legal-hold begin)
snaplock-legal-hold-dump-files-start (snaplock legal-hold dump-files)
snaplock-legal-hold-dump-litigations-start (snaplock legal-hold dump-litigations)
snaplock-legal-hold-end-start (snaplock legal-hold end)
snaplock-legal-hold-get-iter (snaplock legal-hold show)
snapmirror-protect (snapmirror protect)
snmp-enable-snmpv3 (system snmp show)
snmp-test-trap-trigger (system snmp traphost add)
storage-acp-firmware-file-get-iter (storage firmware acp show)
storage-bridge-coredump-collect (storage bridge coredump collect)
storage-bridge-coredump-delete (storage bridge coredump delete)
storage-bridge-coredump-get-iter (storage bridge coredump show)
storage-disk-firmware-file-get-iter (storage firmware disk show)
system-node-discovery-get-iter (system node show-discovered)
system-status-service-get-iter (system status show)
template-management-template-copy (template copy)
template-management-template-delete (template delete)
template-management-template-get (template show)
template-management-template-get-iter (template show)
template-management-template-parameter-get (template parameter show)
template-management-template-parameter-get-iter (template parameter show)
template-management-template-parameter-modify (template parameter modify)
template-management-template-parameter-modify-iter (template parameter modify)
template-management-template-provision (template provision)
template-management-template-rename (template rename)
virtual-machine-system-disks-get-iter (system node virtual-machine instance show-system-disks)
volume-autosize-set-async (volume modify)
volume-encryption-conversion-get-iter (volume encryption conversion show)
volume-encryption-conversion-pause (volume encryption conversion pause)
volume-encryption-conversion-resume (volume encryption conversion resume)
volume-encryption-conversion-start (volume encryption conversion start)
volume-encryption-rekey-get-iter (volume encryption rekey show)
volume-encryption-rekey-pause (volume encryption rekey pause)
volume-encryption-rekey-resume (volume encryption rekey resume)
volume-encryption-rekey-start (volume encryption rekey start)
vserver-peer-permission-create (vserver peer permission create)
vserver-peer-permission-delete (vserver peer permission delete)
vserver-peer-permission-get (vserver peer permission show)
vserver-peer-permission-get-iter (vserver peer permission show)

APIs not in ONTAP 9.3 that were in ONTAP 9.1 (25)


Image: The API-to-CS-PS-v3 tool used (up in the next post)