Monday, 28 November 2016

Wipeconfig my cDOT SIM ... and Restore

I’ve not blogged any lab stuff for ages, so, since I wanted to see what wipeconfig does to my ONTAP 8.3.2P2 SIM, and it’s a little bit interesting and different, here we go...

Some outputs from my single-node SIM cluster:


CLU1::> version
NetApp Release 8.3.2P2: Mon May 23 13:45:25 UTC 2016

CLU1::> cluster show
Node                  Health  Eligibility
--------------------- ------- ------------
CLU1N1                true    true


First thing we do is take some configuration backups:


CLU1::> set -c off; set adv
CLU1::> system configuration backup create -node CLU1N1 -backup-type node -backup-name 20161128_node
CLU1::> system configuration backup create -node CLU1N1 -backup-type cluster -backup-name 20161128_cluster
CLU1::> job show -description *Backup*


Wait for the backup job to complete.
Note: We don’t use the cluster backup; it’s just taken as an extra backup. It is important that the cluster backup name is different from the node backup name, otherwise the second backup will overwrite the first.

Halt the node:


CLU1::> halt -node local -inhi -igno -skip


Boot the node (boot_ontap if you’re at the LOADER> prompt).

At the Boot Menu type “wipeconfig”:

Image: Typing “wipeconfig” at the Boot Menu

You will see the warning:

This will delete critical system configuration, including cluster membership.
Warning: do not run this option on a HA node that has been taken over.
Are you sure you want to continue?:

Type “y” to the warning.

The node will display:


Rebooting to finish wipeconfig request


And you should see on screen:


Wipe filer procedure requested
Abandoned in-memory /var file system


Then it will reboot again.

When it comes back up, it will have forgotten its identity (you’ll see localhost in the messages) and the login prompt appears. The login is now admin with no password.


login: admin
CLU1::> cluster show

Error: “show” is not a recognized command

CLU1::> node show
Node      Health
--------- ------
localhost -


Q: How do we restore this single node SIM cluster?

Type the following clustershell commands:


CLU1::> set -c off; set adv
CLU1::> system configuration backup show
CLU1::> system configuration recovery node restore -backup 20161128_node.7z


You will see a warning:

Image: Node Restore Warning

Type Y to continue.

And the node will reboot back to the login prompt, with its identity returned!


CLU1::> cluster show
Node                  Health  Eligibility
--------------------- ------- ------------
CLU1N1                true    true


Was there some purpose to this?

Yes! The purpose was reusing a HA-pair that had previously been ARL-ed out of another cluster, and making sure it was clean and ready for a disruptive headswap into the DR cluster. The wipeconfig worked fine. For a physical system, after running wipeconfig you will see:


*******************************
*                             *
* Press Ctrl-C for Boot Menu. *
*                             *
*******************************
The boot device has changed. System configuration information
could be lost. Use option (6) to restore the system configuration, or
option (4) to initialize all disks and setup a new system.
Normal Boot is prohibited.


It’s very good that the Normal Boot is prohibited here, since with the ARL and cDOT disruptive headswap, it is essential to do the option 6 “Update flash from backup config” after the disks have been reassigned and before first fully booting up ONTAP.


Saturday, 19 November 2016

Highlights from the ONTAP 9.1 RC1 Release Notes

 

Back in June there was Highlights from the ONTAP 9.0 RC1 Release Notes. This is supplemental to that post with the changes in ONTAP 9.1 (and is my way of trying to keep up with all the awesome developments to ONTAP.)

Changes in ONTAP 9.1: New and changed features

Data protection enhancements

- Support for volume encryption

- Support for SnapLock technology

- Support for RAID-TEC as the default RAID type

Manageability enhancements

- Enhanced cluster dashboard

- Support for cluster setup
-- “… can use System Manager to set up a new cluster … ”

- Support for most active files or clients functionality
-- “… can track and report the most active instances of a file or client in a cluster using statistical sampling techniques.”

MetroCluster configuration enhancements

- Support for onboard FC-VI ports on AFF A300 and FAS8200 storage systems

New hardware support

- Support for new FAS and AFF platforms
-- “… FAS2600, FAS8200, FAS9000, AFF A300, AFF A700 …”

- Support for increasing the maximum SAN cluster size to 12 nodes

- Support for DS224C and DS212C disk shelves
Note: ONTAP 9 only supported these with AFF8080, ONTAP 9.1 expands this.

- Support for the X1134A adapter
-- “The X1134A is a 2-port 32 Gb FC target-only adapter”

Storage resource management enhancements

- Support for FlexGroup volumes

SAN enhancements

- Support for Foreign LUN Import (FLI) Interoperability Matrix (IMT)

- Support for Using Foreign LUN Import to import LUNs into AFF

- Support for simplified SAN AFF provisioning templates
-- ONTAP 9.1 added the following template: SAN SAP HANA

Upgrade enhancements

- Support for installing ONTAP software and firmware from an external USB mass storage device
-- “The USB device is specified as file://usb0/filename”

Sunday, 30 October 2016

Simulating Linux SSH in PowerShell for ONTAP

There’s no native way in Windows of doing> ssh [user@]hostname command
So - as a curiosity - I thought I’d write the function. This works for NetApp Clustered Data ONTAP/ONTAP.

The Script

Save as say ssh.ps1 and import into your PowerShell session using . .\ssh.ps1 (dot space dot), then run in PowerShell as>
ssh [user@]hostname command


# The following function simulates the Linux SSH syntax in PowerShell for ...
# ... NetApp Clustered Data ONTAP, in conjunction with the Data ONTAP PSTK:
# > ssh [user@]hostname command
# It takes advantage of the NcCredential feature of the Data ONTAP PSTK ...
# ... use> Add-NcCredential CONTROLLER = Add credentials

Function SSH{
  ## GENERIC: LOAD THE DATA ONTAP PSTK ##
  If(!(Get-Module DataONTAP)){
    [Void](Import-Module DataONTAP -ErrorAction SilentlyContinue)
    If(!(Get-Module DataONTAP)){ "Failed to load DataONTAP PSTK!"; RETURN }
  }
 
  ## SCENARIO 1: No Argument/No 2nd Arg (No $Args[0]/No $Args[1]) ##
  If(!$Args[0]){ "SYNTAX ERROR: 0 arguments detected (2 expected)!"; RETURN }
  If(!$Args[1]){ "SYNTAX ERROR: 1 argument detected (2 expected)!"; RETURN }
 
  ## PROCESS INPUT $Args[0] and $Args[1] ##
  # $Host is a read-only automatic variable in PowerShell, so the target
  # hostname is held in $HostName instead.
  [System.Array]$Arg0 = $Args[0].Split("@")
  If($Arg0.Count -eq 2){
    [String]$User = $Arg0[0]
    [String]$HostName = $Arg0[1]
  }elseif($Arg0.Count -eq 1){
    [String]$User = ""
    [String]$HostName = $Arg0[0]
  }else{
    "SYNTAX ERROR: Too many @ in $($Args[0])!"; RETURN
  }
 
  ## CHECK HOST CREDENTIAL ##
  $GetNcCred = Get-NcCredential $HostName
  If(!$GetNcCred){
    "ERROR: No credentials for $HostName in the NcCredentials cache. To add use> Add-NcCredential $HostName"; RETURN
  }
  $NcCredUser = $GetNcCred.Credential.Username
  If($User -and ($NcCredUser -ne $User)){
    "ERROR: NcCredential for $HostName uses user $NcCredUser and not $User. To add correct credential use> Add-NcCredential $HostName"; RETURN
  }
 
  ## EXAMINE CurrentNcController ##
  # Drop the cached connection if it points at another host or another user
  If($Global:CurrentNcController){
    If($Global:CurrentNcController.Name -ne $HostName){ $Global:CurrentNcController = $Null}
    else{
      $TempUser = $Global:CurrentNcController.Credentials.Username
      $TempDomain = $Global:CurrentNcController.Credentials.Domain
      If($TempDomain){ $TempUser += ("\" + $TempDomain) }
      If($User -ne $TempUser){ $Global:CurrentNcController = $Null }
    }
  }
 
  ## CONNECT ##
  If(!$Global:CurrentNcController){
    [Void](Connect-NcController $HostName -ErrorAction SilentlyContinue)
    If(!$Global:CurrentNcController){"ERROR: Failed to connect to $HostName!"; RETURN}
  }
 
  ## RUN COMMAND ##
  (Invoke-NcSsh $Args[1]).Value
}


Example

Image: Running SSH [user@]hostname command in PowerShell

Note: Not sure if it’s because I’m using a simulator, but this doesn’t run fast, the Invoke-NcSSH isn’t quick.

Wednesday, 26 October 2016

Offbox Anti-Virus Configuration Super Express Guide (8.3.2)

This guide covers a configuration on the NetApp cluster for Offbox Anti-Virus, with a view to a non-multi-tenancy/non-service-provider environment where we’ll configure just one scanner-pool and an on-access-policy on the cluster/admin SVM, and use these for any Data SVM requiring Vscan.

Part 1) Cluster Build

1.1) Create a security login for the Anti-Virus user::>


security login create -username LAB\AVUSER -application ontapi -authmethod domain -role readonly -vserver CLUSTERNAME


1.2) Create a scanner pool::>


vserver vscan scanner-pool create -vserver CLUSTERNAME -scanner-pool POOLNAME -servers VSCAN_SERVER_IPADDRESSES -privileged-users LAB\AVUSER


1.3) Create an on-access-policy (or use the default default_CIFS on-access-policy)::>


vserver vscan on-access-policy create -vserver CLUSTERNAME -policy-name POLICYNAME -filters FILTERS


{Configure your on-access-policy as per requirements}

Table: Vscan on-access-policy settings and defaults

Part 2) SVM Build

2.1) Apply the scanner-pool to the Data SVM::>


vserver vscan scanner-pool apply-policy -vserver DATASVM -scanner-pool POOLNAME -scanner-policy primary


2.2) Disable the default_CIFS on-access-policy (if not using), and enable the desired on-access-policy::>


vserver vscan on-access-policy disable -vserver DATASVM -policy-name default_CIFS
vserver vscan on-access-policy enable -vserver DATASVM -policy-name POLICYNAME


2.3) Enable Vscan on the SVM::>


vserver vscan enable -vserver DATASVM


2.4) Configure shares with the -vscan-fileop-profile to enable scanning::>

::> cifs share modify -vscan-fileop-profile ?
no-scan     = Virus scans are never triggered for accesses to this share.
standard    = Virus scans can be triggered by open, close, and rename operations.
strict      = Virus scans can be triggered by open, read, close, and rename operations.
writes-only = Virus scans can be triggered only when a file that has been modified is closed.

Part 3) Vscan Infrastructure Build

See the NetApp Interoperability Matrix for infrastructure components and Anti-Virus vendors documentation.

As an example with McAfee:

- A very rough rule of thumb is that you’ll need one AV server for every 6000 CIFS IO/s (please check but 2 CPUs and 8GB RAM is a reasonable server spec)
- Vscan Server’s O/S = Windows Server 2008 or better (not Server 2016 yet)
- McAfee VirusScan Enterprise for Storage 1.2.0
- Clustered Data ONTAP 8.3.2
- Clustered Data ONTAP Antivirus Connector 1.0.3

Tuesday, 25 October 2016

ONTAP 8.3.2 Defaults - Vserver Services NDMP

In the 8th of the ONTAP 8.3.2 defaults series and following on from the previous post about NDMP, we look at Vserver Services NDMP defaults.

All the information presented in the table below can be got from::>


set diag
man vserver services ndmp modify


Image: Table of Vserver Services NDMP defaults

And in CSV format (actually - Hash delimited format because of commas in the table):


Switch#Priv.#Values#Default#Note
-vserver##<vserver name>##
-maxversion##<integer>##
-ignore-ctime-enabled##{true|false}#false#
-offset-map-enable##{true|false}#true#
-tcpnodelay##{true|false}#false#
-tcpwinsize##<integer>#32768#(32K)
-data-port-range##<text>#all#[1024-65535]
-backup-log-enable##{true|false}#true#
-per-qtree-exclude-enable##{true|false}#false#
-authtype##<NDMP Authentication types>, ...#challenge#
-debug-enable#adv.#{true|false}#false#
-debug-filter#adv.#<text>#none#
-dump-logical-find#adv.#<text>#default#
-abort-on-disk-error#adv.#{true|false}#false#
-fh-dir-retry-interval#adv.#<integer>#250#milliseconds
-fh-node-retry-interval#adv.#<integer>#250#milliseconds
-restore-vm-cache-size#adv.#<integer>#64#
-dump-detailed-stats#diag.#{true|false}#false#
-enable##{true|false}#false#
-preferred-interface-role##{cluster|data|node-mgmt|intercluster|cluster-mgmt}, ...#intercluster, cluster-mgmt, node-mgmt#Data Vserver: intercluster, data
-secondary-debug-filter#adv.#<text>##
-is-secure-control-connection-enabled##{true|false}#false#
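
The hash-delimited table loads straight into PowerShell, which makes it easy to check an SVM's NDMP options against these defaults. This is an added example, not code from the original post; the Compare-NdmpDefaults function name is hypothetical and the $Current values are constructed sample data, not real output.

```powershell
# Added example, not from the original post.
# Rows are a subset of the hash-delimited defaults table above.
$DefaultsText = @'
Switch#Priv.#Values#Default#Note
-tcpwinsize##<integer>#32768#(32K)
-data-port-range##<text>#all#[1024-65535]
-authtype##<NDMP Authentication types>, ...#challenge#
-debug-enable#adv.#{true|false}#false#
-enable##{true|false}#false#
-is-secure-control-connection-enabled##{true|false}#false#
'@

# CONSTRUCTED sample of settings for one hypothetical SVM (not real output).
$Current = @{
  '-tcpwinsize'      = '32768'
  '-data-port-range' = '18600-18699'
  '-authtype'        = 'challenge'
  '-debug-enable'    = 'true'
  '-enable'          = 'true'
}

Function Compare-NdmpDefaults {
  Param([String]$TableText, [Hashtable]$Settings)
  # '#' as the delimiter keeps the commas inside the Values column intact.
  $Rows = $TableText | ConvertFrom-Csv -Delimiter '#'
  ForEach($Row in $Rows){
    # An empty Priv. column means the switch is visible at admin privilege.
    $Priv = If($Row.'Priv.'){ $Row.'Priv.' }Else{ 'admin' }
    If(-not $Settings.ContainsKey($Row.Switch)){
      $State = 'not collected'; $Value = ''
    }ElseIf($Settings[$Row.Switch] -eq $Row.Default){
      $State = 'default'; $Value = $Settings[$Row.Switch]
    }Else{
      $State = 'CHANGED'; $Value = $Settings[$Row.Switch]
    }
    [PSCustomObject]@{
      Switch = $Row.Switch; Privilege = $Priv
      Default = $Row.Default; Current = $Value; State = $State
    }
  }
}

# Show only switches that differ from the default or were not collected.
Compare-NdmpDefaults -TableText $DefaultsText -Settings $Current |
  Where-Object { $_.State -ne 'default' } | Format-Table -AutoSize
```

Switches reported as "not collected" are a reminder that adv. and diag. options only appear once the session privilege has been raised, as with the set diag step above.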