Friday, 22 January 2021

[ONTAP 9.7+] Roles Created by NetApp’s VSC 9.7.1

From this link:
VSC, VASA Provider, SRA 9.7: Configuring User Roles and Privileges
 
The documentation tells us to download the ‘ONTAP Privileges’ file from:
https://{virtual_appliance_IP}:9083/vsc/config/VSC_ONTAP_User_Privileges.zip
 
This zip contains a file called VSC_user_roles.json. You upload the JSON file via the ONTAP 9.7+ System Manager -
Cluster > Settings > Users and Roles > Add User
- select ‘Virtualization products’ and choose ‘Product Capability’, which gives the choice -

  • VSC 9.7
  • VSC and VASA Provider 9.7
  • VSC and SRA 9.7
  • VSC, VASA Provider and SRA 9.7
- Specify a user name (new user who will be assigned the role), a password for the user, and pick your privileges -
  • Discovery: Allows discovery of all connected storage controllers.
  • Create Storage: Allows creation of volumes and LUNs.
  • Modify Storage: Allows resizing and deduplicating of storage.
  • Destroy Storage: Allows destruction of volumes and LUNs.
  • NAS/SAN Role: Allows discovery of all connected storage controllers, only on VMware SRM environment.
- and finally click Add.
 
The above allows for a number of different roles (NAS/SAN Role only appears when SRA 9.7 is selected.)
 
Image: Add User > Virtualization Products > VSC_user_roles.json + Product Capability

 
Image: ONTAP 9.7 > Virtualization Products > Privileges

 
ONTAP Privileges
 
There are too many different roles to document in this blog, so I’ll document just the one I’m particularly interested in, which is this one:
 
Virtualization Products:
Product = VSC, VASA Provider and SRA
Product Capability = VSC and VASA Provider 9.7
Privileges = Discovery + Create + Modify + Destroy
 
I’m not interested in the SRA 9.7 product capability for this scenario. I want all the privileges, and later on I will attempt to modify the privileges to stop VMware admins from creating/destroying flexvols (they need to be able to create/destroy LUNs), with an eye to giving them enough permission to do everything they need to manage VMs on VVOLs, while leaving it to a storage admin to provision the flexvols for the VVOL datastores.
 
Note 1: “If VASA Provider is required for a particular storage controller, then the storage system must be added to VSC at the cluster level.” - source
Note 2: All the users are added with application = ontapi
 
These are the access and cmddirname specified by the role UnifiedVirtualApplianceVSC&VP9.7_Discovery_Create_Modify_Destroy:
 
ACCESS   : CMDDIRNAME
---------+-----------
none     : DEFAULT
readonly : cluster identity modify
readonly : cluster identity show
readonly : cluster modify
readonly : cluster peer show
readonly : cluster show
all      : job
readonly : job show-completed
all      : lun comment
all      : lun create
all      : lun delete
readonly : lun geometry
all      : lun igroup add
readonly : lun igroup create
readonly : lun igroup modify
all      : lun igroup set
readonly : lun igroup show
all      : lun mapping create
all      : lun mapping delete
all      : lun mapping show
all      : lun modify
all      : lun move
all      : lun offline
all      : lun online
all      : lun resize
all      : lun show
readonly : network fcp adapter modify
readonly : network fcp adapter show
readonly : network interface create
readonly : network interface delete
all      : network interface migrate
readonly : network interface modify
readonly : network interface show
readonly : network port delete
readonly : network port modify
readonly : network port show
all      : qos policy-group create
all      : qos policy-group modify
all      : qos policy-group show
readonly : security login create
readonly : security login delete
readonly : security login modify
readonly : security login role create
readonly : security login role delete
readonly : security login role modify
readonly : security login role show
readonly : security login role show-ontapi
all      : security login role show-user-capability
readonly : security login show
all      : set
readonly : snapmirror create
readonly : snapmirror list-destinations
readonly : snapmirror show
all      : snapmirror update-ls-set
readonly : storage aggregate create
readonly : storage aggregate modify
readonly : storage aggregate show
readonly : storage disk show
all      : storage failover modify
all      : storage failover show
readonly : system health alert modify
readonly : system health alert show
readonly : system health status show
readonly : system license delete
readonly : system license show
all      : system node autosupport invoke
readonly : system node modify
all      : system node run
readonly : system node show
readonly : version
all      : volume autosize
all      : volume clone create
all      : volume clone show
all      : volume create
all      : volume destroy
all      : volume efficiency modify
all      : volume efficiency off
all      : volume efficiency on
all      : volume efficiency show
all      : volume efficiency start
all      : volume efficiency stat
all      : volume efficiency stop
all      : volume file show-disk-usage
all      : volume modify
all      : volume offline
readonly : volume qtree create
readonly : volume qtree show
readonly : volume quota modify
readonly : volume quota report
readonly : volume quota show
all      : volume restrict
all      : volume show
all      : volume size
all      : volume snapshot create
all      : volume snapshot delete
all      : volume snapshot modify
all      : volume snapshot show
all      : volume unmount
readonly : vserver create
readonly : vserver export-policy create
readonly : vserver export-policy delete
all      : vserver export-policy rule create
all      : vserver export-policy rule delete
all      : vserver export-policy rule modify
all      : vserver export-policy rule setindex
all      : vserver export-policy rule show
readonly : vserver export-policy show
readonly : vserver fcp create
readonly : vserver fcp delete
readonly : vserver fcp initiator show
readonly : vserver fcp interface show
readonly : vserver fcp modify
readonly : vserver fcp show
readonly : vserver iscsi connection show
readonly : vserver iscsi create
readonly : vserver iscsi delete
all      : vserver iscsi interface accesslist add
readonly : vserver iscsi interface modify
readonly : vserver iscsi interface show
readonly : vserver iscsi modify
readonly : vserver iscsi session show
readonly : vserver iscsi show
readonly : vserver modify
readonly : vserver nfs create
readonly : vserver nfs delete
readonly : vserver nfs modify
readonly : vserver nfs show
all      : vserver nfs status
all      : vserver services name-service unix-group
all      : vserver services name-service unix-user
readonly : vserver show

NetApp ONTAP: Apply SACLs Using Vserver Security File-Directory

The following blog is an example of applying an audit-everything SACL (CIFS audit policy) using the ‘vserver security file-directory’ command set. Unfortunately, using ‘vserver security file-directory’, you cannot just add a SACL: you have to get the existing DACL, and then add the SACL and the original DACL at the same time. In practice, setting NTFS SACLs from Windows is an easier approach (I’d recommend reading Justin Parisi's blog post here and especially the comments section.)
 
My ONTAP version here is 9.7.
 
Setting Up the Test Environment
 
My test structure is one volume with 2 folders:
vol1 > folder1 > folder2
And each folder has a text file in:
folder1file.txt and folder2file.txt
 
The permissions have been setup as so:
 
vol1:
  Everyone with ‘Read & execute’ access,
  applied to ‘folder, subfolder and files’,
  and Inheritance Disabled
 
folder1:
  ‘Domain Admins’ with ‘Full Control’,
  ‘Domain Users’ with ‘Read & execute’,
  applied to ‘folder, subfolder and files’,
  and Inheritance Disabled
 
folder2:
  ‘Domain Admins’ with ‘Full Control’,
  ‘Domain Users’ with ‘Modify’,
  applied to ‘folder, subfolder and files’,
  and Inheritance Disabled
 
Reviewing Current ACLs using ‘vserver security file-directory show’
 
The current ACLs as reviewed by ‘vserver security file-directory show’ are below:
 
Current /vol1 ACLs: 

ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\Administrators
  Group:BUILTIN\Administrators
  DACL - ACEs
    ALLOW-Everyone-0x1200a9-OI|CI
 
Current /vol1/folder1 and folder1file.txt ACLs:
 
ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\Administrators
  Group:DEMO\Domain Users
  DACL - ACEs
    ALLOW-DEMO\Domain Admins-0x1f01ff-OI|CI
    ALLOW-DEMO\Domain Users-0x1200a9-OI|CI
 
Current /vol1/folder1/folder2 and folder2file.txt ACLs:
 
ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\Administrators
  Group:DEMO\Domain Users
  DACL - ACEs
    ALLOW-DEMO\Domain Admins-0x1f01ff-OI|CI
    ALLOW-DEMO\Domain Users-0x1301bf-OI|CI
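The Control word and the hex access masks in that output are where ‘Inheritance Disabled’ and ‘Modify’ actually live, so they are worth decoding rather than eyeballing. The parser below is an added example, not NetApp’s code: it reads the ‘vserver security file-directory show’ text, decodes Control into the standard Windows SECURITY_DESCRIPTOR_CONTROL flags (SE_DACL_PROTECTED set means the DACL is not inheriting from the parent) and each ACE mask into the named right sets (0x1f01ff Full Control, 0x1301bf Modify, 0x1200a9 Read & execute) or the individual access bits. The sample descriptor is the folder2 one from above; the flag and bit values are the documented winnt.h constants.

```python
"""Decode 'vserver security file-directory show' output: Control flags and
ACE access masks. Added example, not NetApp code; constants are winnt.h values."""

import re

# SECURITY_DESCRIPTOR_CONTROL bits (winnt.h) that matter when reading ONTAP output.
CONTROL_FLAGS = {
    0x0004: "SE_DACL_PRESENT",
    0x0010: "SE_SACL_PRESENT",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",   # inheritance from the parent is blocked
    0x2000: "SE_SACL_PROTECTED",
    0x8000: "SE_SELF_RELATIVE",
}

# Composite masks shown by the Windows security UI as named permission sets.
NAMED_MASKS = {0x1F01FF: "Full Control", 0x1301BF: "Modify", 0x1200A9: "Read & execute"}

# Individual file access rights, used when a mask is not one of the named sets.
RIGHT_BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA", 0x000004: "FILE_APPEND_DATA",
    0x000008: "FILE_READ_EA", 0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Sample input: the /vol1/folder1/folder2 descriptor from the post above.
SAMPLE_SD = """\
ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\\Administrators
  Group:DEMO\\Domain Users
  DACL - ACEs
    ALLOW-DEMO\\Domain Admins-0x1f01ff-OI|CI
    ALLOW-DEMO\\Domain Users-0x1301bf-OI|CI
"""

# TYPE-account-0xmask[-FLAG|FLAG]; the account is matched lazily so the mask anchors it.
ACE_RE = re.compile(r"^(\w+)-(.+?)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")


def parse_descriptor(text):
    """Return {control, owner, group, dacl: [ace], sacl: [ace]} from the show output."""
    sd = {"control": None, "owner": None, "group": None, "dacl": [], "sacl": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Control:"):
            sd["control"] = int(line.split(":", 1)[1], 16)
        elif line.startswith("Owner:"):
            sd["owner"] = line.split(":", 1)[1]
        elif line.startswith("Group:"):
            sd["group"] = line.split(":", 1)[1]
        elif line.startswith("DACL"):
            section = "dacl"
        elif line.startswith("SACL"):
            section = "sacl"
        elif section:
            m = ACE_RE.match(line)
            if m:
                kind, account, mask, flags = m.groups()
                sd[section].append({"type": kind, "account": account,
                                    "mask": int(mask, 16),
                                    "flags": flags.split("|") if flags else []})
    return sd


def control_flags(control):
    """Names of the control bits set, lowest bit first."""
    return [name for bit, name in sorted(CONTROL_FLAGS.items()) if control & bit]


def inheritance_blocked(sd):
    """True when SE_DACL_PROTECTED is set: the DACL does not inherit from its parent."""
    return bool(sd["control"] & 0x1000)


def describe_mask(mask):
    """Named permission set if the mask is one, otherwise the individual rights."""
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    return "|".join(name for bit, name in sorted(RIGHT_BITS.items()) if mask & bit)


def summarize(sd):
    """(type, account, rights, inheritance flags) for each DACL ACE."""
    return [(a["type"], a["account"], describe_mask(a["mask"]), "|".join(a["flags"]))
            for a in sd["dacl"]]


if __name__ == "__main__":
    sd = parse_descriptor(SAMPLE_SD)
    print("control:", control_flags(sd["control"]), "inheritance blocked:", inheritance_blocked(sd))
    for ace in summarize(sd):
        print(ace)
```

Running it on the descriptor after a ‘vserver security file-directory apply’ and checking inheritance_blocked() is the quickest way to confirm whether the apply kept the DACL protected or switched inheritance back on. SE_SACL_PRESENT absent from the decoded flags is also the confirmation that no audit SACL exists yet on these paths.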
 
Creating SACLs
 
We have 3 different permission sets, so we will need 3 NTFS Security Descriptors to rebuild the permissions above with a SACL.
 
Firstly, we create 3 NTFS Security Descriptors, each with our audit-everyone-and-everything SACL (note: I don’t want inheritance, so I am not using the apply-to ‘sub-folders’ option.)
 
vserver security file-directory ntfs sacl add -ntfs-sd sdvol1 -access-type failure -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl add -ntfs-sd sdvol1 -access-type success -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
 
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder1 -access-type failure -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder1 -access-type success -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
 
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder2 -access-type failure -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder2 -access-type success -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
 
And verify these are correct using the below (outputs not included):
 
vserver security file-directory ntfs sacl show -ntfs-sd sdvol1
vserver security file-directory ntfs sacl show -ntfs-sd sdfolder1
vserver security file-directory ntfs sacl show -ntfs-sd sdfolder2
 
Removing Default DACLs
 
When we created our NTFS Security Descriptors above, they came with a default set of DACLs. We don’t want these default DACLs, so first we need to remove them. The default DACLs are seen when you run ‘vserver security file-directory ntfs dacl show -ntfs-sd SDNAME’:
 
Account Name           Access Access
--------------         ------ -------
BUILTIN\Administrators allow  full-control
BUILTIN\Users          allow  full-control
CREATOR OWNER          allow  full-control
NT AUTHORITY\SYSTEM    allow  full-control
 
To remove these default DACLs we run the below:
 
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account BUILTIN\Administrators -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account "CREATOR OWNER" -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account "NT AUTHORITY\SYSTEM" -access-type allow
 
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account BUILTIN\Administrators -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account "CREATOR OWNER" -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account "NT AUTHORITY\SYSTEM" -access-type allow
 
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account BUILTIN\Administrators -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account "CREATOR OWNER" -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account "NT AUTHORITY\SYSTEM" -access-type allow

And to confirm the DACLs are now clean and empty, run:
 
vserver security file-directory ntfs dacl show -ntfs-sd sdvol1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder2
 
Now we are ready to add our DACLs!
 
Creating DACLs
 
To create our DACLs as per ‘Setting up the test environment’:

vserver security file-directory ntfs dacl add -ntfs-sd sdvol1 -vserver svm1 -access-type allow -account Everyone -rights read-and-execute -apply-to this-folder,files
 
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder1 -vserver svm1 -access-type allow -account "DEMO\Domain Admins" -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder1 -vserver svm1 -access-type allow -account "DEMO\Domain Users" -rights read-and-execute -apply-to this-folder,files
 
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder2 -vserver svm1 -access-type allow -account "DEMO\Domain Admins" -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder2 -vserver svm1 -access-type allow -account "DEMO\Domain Users" -rights modify -apply-to this-folder,files
 
And to confirm the DACLs are as we want, run:
 
vserver security file-directory ntfs dacl show -ntfs-sd sdvol1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder2
 
Applying the DACL and SACL
 
We need to create a new ‘vserver security file-directory policy’, add tasks to it (one per level of the volume and folder hierarchy), then finally apply the policy and see if it’s worked! Here the tasks work downwards, with the volume having task index 1, and the folder tasks index 2 and 3.
 
vserver security file-directory policy create -policy-name DACL_with_SACL_1 -vserver svm1
vserver security file-directory policy task add -vserver svm1 -path /vol1 -ntfs-sd sdvol1 -policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy task add -vserver svm1 -path /vol1/folder1 -ntfs-sd sdfolder1 -policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy task add -vserver svm1 -path /vol1/folder1/folder2 -ntfs-sd sdfolder2 -policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy task show -vserver svm1 -policy-name DACL_with_SACL_1
vserver security file-directory apply -vserver svm1 -policy-name DACL_with_SACL_1
job show -id 234
 
NOTE: We use ‘ntfs-mode replace’, which replaces permissions. I found ‘ignore’ simply won’t do anything when you run the apply (it does indeed ignore existing ACLs, but also doesn’t apply any of your new ACLs.) I didn’t want to use ‘propagate’ in this scenario (which is the default if you don’t specify ntfs-mode).
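The sequence from ‘Creating SACLs’ through the apply is mechanical and grows with every path, so it is worth generating rather than typing. The script below is an added example, not NetApp’s code: from one declarative plan (path, descriptor name, DACL entries) it emits the exact command order used above, i.e. the success/failure audit SACL per descriptor, removal of the four default DACL entries, the rebuilt DACL, then policy create, task add top-down, task show and apply. The plan entries, SVM ‘svm1’ and policy name ‘DACL_with_SACL_1’ are the ones from this post; account names containing a space are quoted as the CLI needs.

```python
"""Generate the 'vserver security file-directory' command sequence for any
number of paths from one plan. Added example, not NetApp code."""

# The default DACL entries a new NTFS security descriptor starts with (from the post).
DEFAULT_DACL_ACCOUNTS = [
    "BUILTIN\\Administrators", "BUILTIN\\Users", "CREATOR OWNER", "NT AUTHORITY\\SYSTEM",
]

# Constructed from the test environment above: one entry per path, top-down.
PLAN = [
    {"path": "/vol1", "sd": "sdvol1",
     "dacl": [("Everyone", "read-and-execute")]},
    {"path": "/vol1/folder1", "sd": "sdfolder1",
     "dacl": [("DEMO\\Domain Admins", "full-control"),
              ("DEMO\\Domain Users", "read-and-execute")]},
    {"path": "/vol1/folder1/folder2", "sd": "sdfolder2",
     "dacl": [("DEMO\\Domain Admins", "full-control"),
              ("DEMO\\Domain Users", "modify")]},
]


def q(name):
    """Quote an account name only when it contains a space (as the CLI requires)."""
    return f'"{name}"' if " " in name else name


def sacl_commands(vserver, sd, apply_to="this-folder,files"):
    """Audit Everyone for full-control, both failure and success, on one descriptor."""
    base = "vserver security file-directory ntfs sacl add"
    return [f"{base} -ntfs-sd {sd} -access-type {t} -account Everyone -vserver {vserver} "
            f"-rights full-control -apply-to {apply_to}" for t in ("failure", "success")]


def remove_default_dacl_commands(vserver, sd):
    """Strip the default allow entries so only the intended DACL remains."""
    base = "vserver security file-directory ntfs dacl remove"
    return [f"{base} -vserver {vserver} -ntfs-sd {sd} -account {q(a)} -access-type allow"
            for a in DEFAULT_DACL_ACCOUNTS]


def dacl_commands(vserver, sd, entries, apply_to="this-folder,files"):
    """Add the intended allow ACEs, (account, rights) pairs, to one descriptor."""
    base = "vserver security file-directory ntfs dacl add"
    return [f"{base} -ntfs-sd {sd} -vserver {vserver} -access-type allow -account {q(acct)} "
            f"-rights {rights} -apply-to {apply_to}" for acct, rights in entries]


def policy_commands(vserver, policy, plan, ntfs_mode="replace"):
    """Create the policy, add one task per path shallowest-first, show, then apply."""
    ordered = sorted(plan, key=lambda item: item["path"].count("/"))
    cmds = [f"vserver security file-directory policy create -policy-name {policy} -vserver {vserver}"]
    for item in ordered:
        cmds.append(f"vserver security file-directory policy task add -vserver {vserver} "
                    f"-path {item['path']} -ntfs-sd {item['sd']} -policy-name {policy} "
                    f"-ntfs-mode {ntfs_mode}")
    cmds.append(f"vserver security file-directory policy task show -vserver {vserver} -policy-name {policy}")
    cmds.append(f"vserver security file-directory apply -vserver {vserver} -policy-name {policy}")
    return cmds


def build_sequence(vserver, policy, plan, ntfs_mode="replace"):
    """Full command list in the same phase order as the post: SACLs, default DACL
    removal, DACL adds, then the policy/task/apply block."""
    seq = []
    for item in plan:
        seq += sacl_commands(vserver, item["sd"])
    for item in plan:
        seq += remove_default_dacl_commands(vserver, item["sd"])
    for item in plan:
        seq += dacl_commands(vserver, item["sd"], item["dacl"])
    seq += policy_commands(vserver, policy, plan, ntfs_mode)
    return seq


if __name__ == "__main__":
    print("\n".join(build_sequence("svm1", "DACL_with_SACL_1", PLAN)))
```

The generated list is plain ONTAP CLI text; paste it into a clustershell session or feed it line by line over SSH, and keep the ‘show’ commands from the post between phases if you want to verify each descriptor before moving on.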
 
Did it Work As Expected? NO
 
Unfortunately, it did not work as expected. Yes, the audit SACLs are correct (actually perfect). The problem is that ‘vserver security file-directory policy apply’ goes and enables inheritance on folders, which is not what we wanted, which means that my folder2file.txt gets Everyone ‘Read & execute’ access inherited from /vol1. See the picture below.
 
Image: SACLs and DACLs applied using ‘vserver security file-directory’ (click to enlarge)

 
Conclusion
 
‘vserver security file-directory’ is useful for resetting permissions, say when permissions have been lost (like I did with PowerShell in 2015 www.cosonok.com/2015/10/using-data-ontap-apis-powershell-to-set.html), otherwise it is completely the wrong tool for setting NTFS SACLs and modifying DACLs.

Monday, 18 January 2021

NetApp VSC, VASA Provider, and SRA virtual appliance for ONTAP - Control Panel

Note: Using NetApp Virtual Storage Console for VMware version 7.2.1P1 here. But I have since checked and this is exactly the same in VSC 9.6.
 
The vSphere Plugin Registration is available at:
https://{IP or FQDN of your VSC}:8143/Register.html
 
There is also the ‘Control Panel’ available at (typical login username = administrator):
https://{IP or FQDN of your VSC}:9083
 
Image: NetApp VSC, VASA Provider, and SRA virtual appliance for ONTAP - Control Panel:


The operations available from the Main Menu:

  • Web based CLI interface: Web based access to the command line interface for administrative tasks
  • Support: Generate a file bundle to submit to support
  • Inventory: Listing of all objects and information currently known in SRA Server database
  • Statistics: Listing of all counters and information regarding internal state
  • Right Now: See what operations are in flight right now
  • Logs: Realtime log file access
  • Logout: Logout
Build Release ...
Build Timestamp ...
System up since ...
Current time ...

Unified VSC Web Based CLI Interface Available Commands
  • cluster add
  • cluster delete
  • cluster ensure_pe
  • cluster list
  • cluster listcapabilities
  • cluster listcompliance
  • cluster listpes
  • cluster listprofiles
  • cluster rediscover
  • cluster sfmod
  • vp triggercontaineralarms
  • vp dr_readvvolmetadata
  • vp dr_writemetadata
  • vp dr_readcontainerscpmetadata
  • vp dr_deletecontainerscpmetadata
  • vserver add
  • vserver list
  • vserver delete
  • vp dr_recoverdb
  • vp dr_dbdump
  • container add_storage
  • container create
  • container delete
  • container delete_storage
  • container edit
  • container list
  • container listprofile
  • container liststorage
  • container setdefaultprofile
  • container createbyprofile
  • container resizebyprofile
  • container rebalance
  • profile applytomatchingstorage
  • profile create
  • profile delete
  • profile list
  • profile listcompliance
  • profile liststorage
  • profile listpotentialstorage
  • profile reverseengineer
  • profile set
  • sra processxml
  • vp reloadconfig
  • vp updateconfig
  • vp updategosluntypeconfig
  • vp listconfig
  • vp gosluntypeshow
  • vp annotatelog
  • vcenter register
  • vcenter sync
  • vcenter reloadvms
  • vcenter unregister
  • vcenter gethosts
  • vvol list
  • vvol listnonappdmmanaged
  • vvol listbind
  • vvol listcompliance
  • vvol listinformation
  • vvol liststorage
  • vvol proposeflexvol
  • vvol listattributesize
+ API Commands for simulating VMware interaction:
  • api bindingchangecomplete
  • api bindvirtualvolume
  • api cancelbindingchange
  • api canceltask
  • api clonevirtualvolume
  • api createmetavirtualvolume
  • api createvirtualvolume
  • api createswapvirtualvolume
  • api deletevirtualvolume
  • api fastclonevirtualvolume
  • api getcurrenttask
  • api gettaskupdate
  • api prepareforbindingchange
  • api preparetosnapshotvirtualvolume
  • api querystoragecontainer
  • api queryvirtualvolumeinfo
  • api resizevirtualvolume
  • api revertvirtualvolume
  • api setpecontext
  • api setStorageContainerContext
  • api snapshotvirtualvolume
  • api spacestatsforstoragecontainer
  • api unbindallvirtualvolumefromhost
  • api unbindvirtualvolume
  • api unbindvirtualvolumefromallhost
  • api updatestorageprofileforvirtualvolume
  • api updatevirtualvolumemetadata

Thursday, 14 January 2021

Unified VSC Appliance: Maintenance Shell/Console Menus, Registration & More...

In this blog post we display the NetApp Unified VSC Appliance (or VMware Tools for ONTAP - Virtual Storage Console, VASA Provider, and SRA) Maintenance Shell/Console Menus and vSphere Plugin Registration web page.

Note: I’m using Version 7.2.1P1 here as that’s what I had in the lab - I doubt these views have changed much in more recent versions.

Unified VSC Appliance: Maintenance Shell/Console Menus

Note: Login username ‘maint’

Main Menu:
----------
1 ) Application Configuration
2 ) System Configuration
3 ) Network Configuration
4 ) Support and Diagnostics

Application Configuration Menu:
-------------------------------
1 ) Display server status summary
2 ) Start Virtual Storage Console service
3 ) Stop Virtual Storage Console service
4 ) Start VASA Provider and SRA service
5 ) Stop VASA Provider and SRA service
6 ) Change 'administrator' user password
7 ) Re-generate certificates
8 ) Hard reset keyStore and certificates
9 ) Hard reset database
10) Change LOG level for Virtual Storage Console service
11) Change LOG level for VASA Provider and SRA service
12) Display TLS configuration
13) Enable TLS protocol
14) Disable TLS protocol

System Configuration Menu:
--------------------------
1 ) Reboot virtual machine
2 ) Shut down virtual machine (Disabled. Must be run on virtual machine console.)
3 ) Change 'maint' user password
4 ) Change time zone
5 ) Change NTP server
6 ) Disable SSH access (Disabled. Must be run on virtual machine console.)
7 ) Increase jail disk size (/jail)
8 ) Upgrade (Disabled. Must be run on virtual machine console.)
9 ) Install VMware Tools (Disabled. Must be run on virtual machine console.)

Network Configuration Menu:
---------------------------
1 ) Display IP address settings
2 ) Change IP address settings
3 ) Display domain name search settings
4 ) Change domain name search settings
5 ) Display static routes
6 ) Change static routes
7 ) Commit changes
8 ) Ping a host
9 ) Restore default settings

Support and Diagnostics Menu:
-----------------------------
1 ) Generate support bundle
2 ) Access diagnostic shell (Disabled. Must be run on virtual machine console.)
3 ) Enable remote diagnostic access (Disabled. Must be run on virtual machine console.)

Note: I’ve not included the:
x ) Exit
b ) Back

vSphere Plugin Registration
 
The vSphere Plugin Registration is available at:
https://{IP or FQDN of your VSC}:8143/Register.html
 
And this is what you’ll see:
 
Image: vSphere Plugin Registration: Plugin service information

 
Image: vSphere Plugin Registration: vCenter Server information

 
Image: vSphere Plugin Registration: vSphere Plugin Unregistration


Register the VASA Provider Extension

Note: This is vSphere 6.7 and VSC 7.2.1P1. The VASA Provider (VP) is enabled by default for new installs since VSC 9.6.

Image: Virtual Storage Console > Configuration > Manage Extensions


Image: Manage Extensions: Enable VASA Provider

You must log out of the vCenter Server, and then log in again to view the configured extensions.

Additional Information

How to tune memory settings of virtual appliance for VSC, VASA Provider, and SRA for scale and performance:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/Virtual_Storage_Console_for_VMware_vSphere/tune_memory_settings_of_VM_VSC%2C_VASA_Provider%2C_and_SRA_for_scale_and_performance


Wednesday, 13 January 2021

VMware Virtual Volumes (VVOLs) and NetApp ONTAP

Below are some links to get you started with VVOLs and NetApp ONTAP.
TR-4400 is probably the best starter resource, just it is a little old.
 
Usually, when looking for useful collateral I’ll start with these 3 sites:
1) NetApp Field Portal (NetApp Partners & Employees): https://fieldportal.netapp.com/
2) NetApp Insight 2020 content: https://insightdigital.netapp.com/content-library or Panopto link (for NetApp Partners & Employees)
3) Lab on Demand (mostly NetApp Partners & Employees): https://labondemand.netapp.com/ (also, since there is a big VMware element here, I'd check out https://labs.hol.vmware.com/)
 
Image: VM - Data Path - Protocol Endpoint - VVOL - Storage Container (enabled by VASA Provider and vCenter)


Image: A Couple of Protocol Endpoint LUNs Created by the NetApp VSC Provisioning a VVOL Datastore for SAN consisting of 2 flexvols


Image: Example of deployed files for a VM with one 16GB disk deployed with a VVOL on SAN VM Storage Policy (click to enlarge)

VVOLs on ONTAP: Starter Resources
 
Note: As I write this, 9.7.1P1 is the latest version of the Virtual Storage Console for VMware vSphere.
 
Image: ONTAP VASA Provider architecture

 
TR-4400: VMware vSphere Virtual Volumes with ONTAP
https://www.netapp.com/pdf.html?item=/media/13555-tr4400pdf.pdf

[YouTube] Provisioning a vVols Datastore with the Unified VSC
https://www.youtube.com/watch?v=KNtcVot5yd4

LoD: Virtual Storage Console 9.6 for VMware vSphere 6.7 v1.2

https://labs.hol.vmware.com/HOL-2105-02-HCI - Virtual Volumes (vVols) and Storage Policy Based Management (Not ONTAP but still useful)

Insight 2020: BRK-1262-2 VVOLs Disaster Recovery with ONTAP Tools and VMware SRM 8.3
 
TR-4597: VMware vSphere with ONTAP
https://www.netapp.com/pdf.html?item=/media/13550-tr4597pdf.pdf
 
Insight 2020: BRK-1260-2 Best Practices for VMware vSphere and NetApp ONTAP

LoD: Virtual Storage Console for VMware vSphere 6.7 v1.1-(VSC&VVOL)

LoD: Early Adopter Lab for SnapCenter with VMware vCenters in Enhanced Linked Mode v1.0


VVOLs on ONTAP: Further Resources
 
Docs & Knowledgebase > GPS (Guided Problem Solving) > Management Software > Virtual Storage Console for VMware
http://mysupport.netapp.com/NOW/products/vsc
https://mysupport.netapp.com/GPS/category/ECMLS2588119.html
 
Virtual Storage Console for VMware vSphere: Download:
https://mysupport.netapp.com/site/products/all/details/vsc/downloads-tab
 
Virtual Storage Console for VMware vSphere: Resources:
https://www.netapp.com/support-and-training/documentation/virtual-storage-console-documentation/
 
Virtual Storage Console for VMware vSphere 9.7: Documentation:
https://docs.netapp.com/vapp-97/index.jsp
Configuring vVols datastores:
https://docs.netapp.com/vapp-97/topic/com.netapp.doc.vsc-iag/GUID-74549A9B-2CC0-48AC-885C-4CCC27B7D271.html

Virtual Storage Console for VMware vSphere: Knowledge Base:
https://mysupport.netapp.com/site/article?lang=en&type=guide&page=%2FAdvice_and_Troubleshooting%2FData_Storage_Software%2FVirtual_Storage_Console_for_VMware_vSphere

VVOLs: Other References (Not ONTAP Specific)

Cormac Hogan: VVols (Virtual Volumes) posts:
https://cormachogan.com/virtual-volume-vvols/

Virtual Volumes and Storage Policy-Based Management for Databases:
https://blogs.vmware.com/virtualblocks/2015/12/14/virtual-volumes-and-storage-policy-based-management-for-databases/


VVOLs on ONTAP: Notes

Note: These notes are mostly from TR-4400 which last time I checked was a little old (says July 2018).

  • The VASA Provider requires the ONTAP FlexClone license.
  • The appliance has a built-in watchdog to ensure availability, and it can optionally be configured with the VMware High Availability or Fault Tolerance feature.
  • If the VASA Provider is not available, VMs using VVOLs will continue to run, however, new VVOL datastores and VVOLs cannot be created (VMs using VVOLs cannot be powered on)
  • The appliance should not be on VVOL storage.
  • For dashboard information ... the VASA Provider requires a dedicated installation of OnCommand API Services, and it cannot be shared with multiple VASA Provider instances.
  • Section 2.2 of TR-4400 lists ‘Best Practices’:
    1. Use the VASA provider for ONTAP to provision VVOL datastores and protocol endpoints.
    2. Evaluate the optimal number of FlexVol volumes for your environment.
    3. Keep Storage Capability Profiles simple.
    4. Consider using Max IOPS to control unknown or test VMs.
  • Using ONTAP VVOLs with vSphere is easy and follows published vSphere methods (see “Working with Virtual Volumes” under “vSphere Storage” in the VMware documentation for the ESXi Server).
  • VMware-managed snapshots are offloaded to space-efficient and fast ONTAP file or LUN clones.
  • One LIF per node for each switch/fabric connection.
  • Add the ONTAP cluster to the Virtual Storage Console under Storage Systems.
  • VVOLs can be protected using Commvault or Veeam. Using: VMware vSphere Storage APIs – Data Protection (formerly known as VMware vStorage APIs for Data Protection or VADP)
  • [2018-05] Two major benefits in using VVOLs with ONTAP (not as compelling with NFS, more so with SAN):
    • Policy-based management to speed VM provisioning and avoid mistakes
    • VM granular management on SAN (performance, QoS, etc)
  • It is a good practice to include multiple FlexVols in a VVOL datastore. Because FlexVols have LUN count restrictions that limit the number of virtual machines, having multiple FlexVols can increase performance (source)
  • Using standard hypervisor-based cloning on a standard datastore, the hypervisor and vCenter take on the overhead for the cloning operation. When cloning on a VVOL backed by NetApp storage, the entire clone creation operation is offloaded to the storage.
  • When a VM is on a VVOL backed by NetApp storage, a VM Snapshot operation in vCenter performs a backup using VMware vCenter, but it is different from a traditional VMware-based snapshot. Using VAAI, the task previously performed by the ESX host is now offloaded to the storage.
  • Steps to Provisioning a VVOL VM (source):
    1. Create a storage capability profile (SCP).
    2. Create a vVols datastore and associate the SCP to the datastore.
    3. Verify the datastore configurations.
    4. Create VM storage policies.
    5. Configure a virtual machine with VM storage policies.
  • New for 2020: VVOLs replication - supported beginning with VP 9.7.1, ONTAP 9.5 and SRM 8.3.
  • No support for VVOLs on NFS v4.1.
  • Virtual Storage Console for VMware renamed to ONTAP Tools for VMware vSphere starting with the 9.8 version.
  • As of ONTAP 9.7, VVOLs are not supported with NVMe-oF ONTAP with vSphere! (VMware itself does not currently support VVOLs with NVMe-oF, see: Requirements and Limitations of VMware NVMe Storage)
  • VMware's vSphere External Storage Evolution/Outlook is to VVOLs (VVOL-NVMe for block, VVOL-NFS for NAS)

Saturday, 9 January 2021

NetApp Certified Hybrid Cloud - Implementation Engineer (NS0-402)

When I was looking through the ‘Reference Document’ for the NetApp certifications (current link), the list of references that most interested me was the list for ‘NetApp Certified Hybrid Cloud - Implementation Engineer (NS0-402)’. This certification covers a vast range of different products and technologies.
 
When I went through the reference links, some did not work (they were old - a problem with IT certs in general, stuff goes out of date so quickly), some were duplicated, and some were way too broad to focus studies on; so I’ve reworked the references, removing duplicates and links that don’t work, and trying to put them in some order. The references have been separated into three categories:
 
1) Blogs, White Papers and Other Articles
2) Documentation Sets
3) Broad References
 
1) Blogs, White Papers and Other Articles
 
Dealing with the Unexpected (Aug. 2019 Blog):
https://netapp.io/2019/08/05/dealing-with-the-unexpected/
 
Automated Data Cloning for Cloud-Based Testing of Software Applications (Feb. 2019 Blog):
https://cloud.netapp.com/blog/automated-data-cloning-for-cloud-based-testing
 
Getting Started with NetApp and Ansible: First Playbook Example (Oct. 2018 Blog):
https://netapp.io/2018/10/11/getting-started-with-netapp-and-ansible-first-playbook-example/
 
Consuming WFA Resources from Ansible (Jul. 2018 Blog):
https://netapp.io/2018/07/11/switching-to-ansible-from-wfa/
 
CloudShip Hybrid Cloud Reference Architecture: Migrating the Workflow Engine to the Cloud (April 2019 White Paper):
https://www.netapp.com/pdf.html?item=/media/19899-wp-7303.pdf
 
NetApp Cloud Insights: A New Way to Monitor Your Cloud Infrastructure (Feb. 2019 White Paper):
https://www.netapp.com/pdf.html?item=/media/12208-wp-cloud-insightspdf.pdf
 
The Twelve-Factor App:
https://12factor.net/
 
JSON Syntax:
https://www.w3schools.com/js/js_json_syntax.asp
 
JSON Data Types:
https://www.w3schools.com/js/js_json_datatypes.asp
 
JSON Arrays:
https://www.w3schools.com/js/js_json_arrays.asp
 
REST API Tutorial: HTTP Methods:
https://restfulapi.net/http-methods/
 
WHAT IS SOURCE CODE MANAGEMENT OR VERSION CONTROL?
https://www.linuxnix.com/what-is-source-code-management-or-version-control/
 
Continuous integration vs. continuous delivery vs. continuous deployment
https://www.atlassian.com/continuous-delivery/principles/continuous-integration-vs-delivery-vs-deployment
 
Kubernetes Concepts:
https://kubernetes.io/docs/concepts/
 
Kubernetes Persistent Volumes:
https://kubernetes.io/docs/concepts/storage/persistent-volumes/
 
GitHub Docs: About pull requests:
https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/about-pull-requests
 
GitHub: Prometheus: Default port allocations:
https://github.com/prometheus/prometheus/wiki/Default-port-allocations
 
NetApp Trident on GitHub:
https://github.com/NetApp/trident
 
Trident for Kubernetes:
https://netapp-trident.readthedocs.io/en/stable-v19.01/kubernetes/index.html
 
Kubernetes Design and Architecture Guide: Concepts and Definitions:
https://netapp-trident.readthedocs.io/en/stable-v19.04/dag/kubernetes/concepts_and_definitions.html
 
Kubernetes Storage Concepts: Persistent Volumes:
https://netapp-trident.readthedocs.io/en/stable-v19.04/dag/kubernetes/concepts_and_definitions.html#kubernetes-storage-concepts
 
StatefulSets:
https://netapp-trident.readthedocs.io/en/stable-v19.04/dag/kubernetes/concepts_and_definitions.html?highlight=shared#statefulsets
 
Kubernetes and Trident Objects: Object Overview:
https://netapp-trident.readthedocs.io/en/stable-v19.04/kubernetes/concepts/objects.html
 
Trident for Kubernetes > Concepts > Virtual Storage Pools:
https://netapp-trident.readthedocs.io/en/stable-v19.07/kubernetes/concepts/virtual_storage_pools.html
 
Trident: Backend configuration:
https://netapp-trident.readthedocs.io/en/stable-v19.07/kubernetes/operations/tasks/backends/index.html#backendconfiguration
 
Trident: Kubernetes: ONTAP (AFF/FAS/Select/Cloud): Choosing a driver:
https://netapp-trident.readthedocs.io/en/stable-v19.07/kubernetes/operations/tasks/backends/ontap.html
 
Trident: Kubernetes: Element (HCI/SolidFire):
https://netapp-trident.readthedocs.io/en/stable-v19.07/kubernetes/operations/tasks/backends/element.html
 
Trident installation modes:
https://netapp-trident.readthedocs.io/en/stable-v19.07/dag/kubernetes/deploying_trident.html#trident-installation-modes
 
Trident: Volume Operations: 8.5.1. Modifying Persistent Volumes:
https://netapp-trident.readthedocs.io/en/stable-v19.07/dag/kubernetes/integrating_trident.html#volume-operations
 
NetApp Trident: Managing Volumes: On-Demand Volume Snapshots
https://netapp-trident.readthedocs.io/en/stable-v19.07/kubernetes/operations/tasks/volumes.html
 
Upgrading Trident on Kubernetes?
https://netapp-trident.readthedocs.io/en/stable-v19.07/support/requirements.html
 
Trident: Docker: Volume Cloning
https://netapp-trident.readthedocs.io/en/latest/docker/use/volumes.html#volume-cloning
 
Cloud Insights > Kubernetes Data Collector:
https://docs.netapp.com/us-en/cloudinsights/task_config_telegraf_kubernetes.html
 
ONTAP port usage on a storage system:
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-nmg%2FGUID-49D0B88F-42CF-4766-A688-1C77A0AE8BD5.html
 
Cloud Manager > Roles:
https://docs.netapp.com/us-en/occm/reference_user_roles.html
 
Cloud Manager policies for AWS, Azure, and GCP:
https://mysupport.netapp.com/site/info/cloud-manager-policies
 
Cloud Manager > Encrypting volumes with NetApp encryption solutions:
https://docs.netapp.com/us-en/occm/task_encrypting_volumes.html
 
Cloud Manager > WORM storage:
https://docs.netapp.com/us-en/occm/concept_worm.html#activating-worm-storage
 
Cloud Manager > Improving protection against ransomware:
https://docs.netapp.com/us-en/occm/task_protecting_ransomware.html
 
Cloud Manager > Encryption of data at rest:
https://docs.netapp.com/us-en/occm/concept_security.html#encryption-of-data-at-rest
 
Cloud Manager > Networking requirements for the Connector: Outbound Internet Access
https://docs.netapp.com/us-en/occm/reference_networking_cloud_manager.html#connection-to-target-networks
 
Cloud Manager > Replicating Data Between Systems (Replicating Data to and From the Cloud):
https://docs.netapp.com/us-en/occm/task_replicating_data.html#data-replication-requirements
 
Microsoft Azure: About Point-to-Site VPN:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
 
Guidelines for Azure NetApp Files network planning:
https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-network-topologies
 
Cloud Manager > Networking requirements for Cloud Volumes ONTAP in AWS:
https://docs.netapp.com/us-en/occm/reference_networking_aws.html
 
AWS VPN > Getting Started:
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html
 
Cloud Sync > How Cloud Sync works:
https://docs.netapp.com/us-en/cloudsync/concept_architecture.html
 
Cloud Manager > Data tiering overview:
https://docs.netapp.com/us-en/occm/concept_data_tiering.html
 
Cloud Manager > Learn about Cloud Tiering (NetApp Service Connector):
https://docs.netapp.com/us-en/occm/concept_cloud_tiering.html
 
Cloud Manager > Managing data tiering from your clusters (Tiering Data from Additional Clusters):
https://docs.netapp.com/us-en/occm/task_managing_tiering.html
 
Cloud Manager > Replicating data between systems: What Replication Policies Do (Types of Replication Policies):
https://docs.netapp.com/us-en/occm/task_replicating_data.html#what-replication-policies-do
 
Cloud Manager > Discovering (and Managing) ONTAP clusters:
https://docs.netapp.com/us-en/occm/task_discovering_ontap.html
 
Authentication with NetApp Cloud Central
https://docs.netapp.com/us-en/occm/api.html#_authentication_with_netapp_cloud_central
 
Cloud Manager > Getting started with Cloud Volumes ONTAP for Azure:
https://docs.netapp.com/us-en/occm/task_getting_started_azure.html
 
Cloud Manager > Modifying Cloud Volumes ONTAP systems:
https://docs.netapp.com/us-en/occm/task_modifying_ontap_cloud.html
 
Cloud Sync > Managing sync relationships (Changing Sync Schedules):
https://docs.netapp.com/us-en/cloudsync/task_managing_relationships.html
 
Cloud Manager > Provisioning storage (Using FlexCache Volumes to Accelerate Data Access):
https://docs.netapp.com/us-en/occm/task_provisioning_storage.html#using-flexcache-volumes-to-accelerate-data-access
 
Quickstart: Set up Azure NetApp Files and create an NFS volume:
https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes?tabs=azure-portal
 
What is Cloud Sync?
https://docs.netapp.com/us-en/cloudsync/faq.html
 
Automating NetApp with Ansible:
https://www.ansible.com/integrations/infrastructure/netapp
 
Ansible Documentation: Using Variables:
https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html
 
Ansible Documentation: Loops:
https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
 
ansible.builtin.template – Template a file out to a remote server:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
 
community.general.na_ontap_gather_facts – NetApp information gatherer:
https://docs.ansible.com/ansible/latest/collections/community/general/na_ontap_gather_facts_module.html#na-ontapgather-facts-module
 
na_ontap_interface – NetApp ONTAP LIF configuration:
https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_interface_module.html
 
Enabling SnapMirror on the Element cluster:
http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-sdbak%2FGUID-A7215166-3A2E-4832-9A16-23C7A94B2958.html
 
FlexCache in ONTAP: ONTAP 9.8
https://www.netapp.com/pdf.html?item=/media/7336-tr4743pdf.pdf
 
FabricPool Best Practices: ONTAP 9.8
https://www.netapp.com/media/17239-tr4598.pdf
 
SnapMirror Synchronous disaster recovery basics
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-dap%2FGUID-5080DA69-478E-40ED-87A8-CA506DD00C9D.html&lang=en
 
Elasticity in Cloud Computing: What It Is, and What It Is Not
https://www.usenix.org/system/files/conference/icac13/icac13_herbst.pdf
 
Amazon Lightsail Instance and Block Storage Service Level Agreement
https://aws.amazon.com/lightsail/sla-lightsail-instances-and-block-storage/
 
NetApp HCI for Private Cloud with Red Hat: NVA Design (May 2019 NVA):
https://www.netapp.com/pdf.html?item=/media/7042-nva1133designpdf.pdf
 
Kubernetes and Trident on NetApp HCI: Considerations and Known Issues:
https://kb.netapp.com/Advice_and_Troubleshooting/Cloud_Services/Trident_Kubernetes/Kubernetes_and_Trident_on_NetApp_HCI%3A_Considerations_and_Known_Issues
 
OpenStack: Image Service Overview
https://docs.openstack.org/glance/queens/install/get-started.html
 
2) Documentation Sets
 
Cloud Insights documentation:
https://docs.netapp.com/us-en/cloudinsights/index.html
 
NetApp API Documentation links for:
NetApp Cloud Central, Cloud Volumes Service for AWS, Cloud Volumes ONTAP, Cloud Sync, Virtual Desktop Service:
https://services.cloud.netapp.com/developer-hub
 
YAML:
https://yaml.org/
 
Ansible Documentation:
https://docs.ansible.com/
 
Git Documentation:
https://git-scm.com/docs
 
ONTAP 9.6 REST API online documentation:
https://library.netapp.com/ecmdocs/ECMLP2856304/html/index.html
 
Kubernetes Documentation:
https://kubernetes.io/docs/home/
 
Puppet Product documentation:
https://puppet.com/docs/
 
AWS Documentation:
https://docs.aws.amazon.com/index.html
 
Docker Documentation:
https://docs.docker.com/
 
StorageGRID 11.2: Grid Primer:
https://library.netapp.com/ecm/ecm_download_file/ECMLP2848265
 
StorageGRID 11.2: Administration Guide:
https://library.netapp.com/ecm/ecm_download_file/ECMLP2848253
 
StorageGRID NAS Bridge 2.2: Administration Guide:
https://library.netapp.com/ecm/ecm_download_file/ECMLP2848245
 
NetApp Product Documentation:
https://www.netapp.com/support-and-training/documentation/
 
Microsoft Documentation:
https://docs.microsoft.com/en-us/
 
3) Broad References
 
Azure NetApp Files:
https://cloud.netapp.com/azure-netapp-files
 
Cloud Sync Service:
https://cloud.netapp.com/cloud-sync-service
 
Cloud Backup Service:
https://cloud.netapp.com/cloud-backup
 
Terraform:
https://www.terraform.io/
 
Kubernetes: Production-Grade Container Orchestration:
https://kubernetes.io/
 
NetApp: thePub:
https://netapp.io/
 
The Linux Juggernaut:
https://www.linuxnix.com/
 
NetApp Knowledge Base:
https://kb.netapp.com/
 
Openstack:
https://www.openstack.org/
 
FlexPod Converged Infrastructure:
https://www.netapp.com/data-storage/flexpod/