Glutton for punishment: Using Plink to do Key Based Authentication from Windows

Occasionally, it’s good for everyone to question their own sanity. Using the Windows “cmd” command line utility for anything is one of those times. I have nothing against Windows, despite being a Linux administrator, but the command line utility is just, well, awful. It doesn’t resize well, it doesn’t line wrap well, it’s ugly, it’s just all around hard to use.

That being said, if you are a masochist, you can use Plink, a utility provided by the same guy who does PuTTY, to do key based authentication and remote execution of commands against a NetApp (or any host for that matter).

I’m going to assume you have installed the PuTTY suite of applications. Obviously Plink is required, but we will also need PuTTYgen for this exercise.

  1. First, get your private key. If you have already generated one (like in my previous post), then the simplest way is to show the contents (hint: cat ~/.ssh/id_rsa) and copy/paste them to a text file in a convenient location.
  2. Import the key to PuTTYgen, export it in the .ppk format. Start the utility, then click “Load” and browse to the file you created in step one. It will import the key and you will see something similar to the following:
    [Screenshot: netapp_plink_1]
    Click the “Save Private Key” button and pick your favorite location (make sure to remember!).
  3. Open a command prompt and enter your hell. Here is how to use Plink to execute commands via SSH from Windows:

    Whew! That’s a lot of typing! Here is what it looks like…
    [Screenshot: netapp_plink_2]

Stupid Bash Tricks for SSH

My last post explained how to set up SSH key based authentication for connecting to a NetApp. If you have multiple/many systems to administer this makes it easy to quickly connect to and execute commands against your systems.

However, I’m lazy. I don’t want to type ssh some_system_name or ssh some.ip.add.ress for every system. Also, on some of my systems I have to specify the private key and username to use for connecting, which further lengthens the amount of typing I have to do: ssh -i ~/.ssh/some_special_id my_account@some.netapp.lan.

I have found it to be convenient and easy to create bash aliases for these systems. It’s simple to do:

Now, whenever I type na01 version it will automatically expand the “na01” to be the full command.

To make the alias permanent, add it to the .bashrc file in your home directory…

If you are feeling particularly fancy, you can configure SSH for autocomplete of the hostnames also.
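The alias setup described above, as an added example that is not code from the original post: it builds one alias per filer from a small inventory file and appends each to an rc file only if it is not already there. The function names, the inventory format and the sample hosts are assumptions; the account, host and key path reuse the post's own sample command.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Filer names, accounts and key
# paths are constructed placeholders modelled on the post's sample command.

# Print one alias line: make_alias NAME USER HOST [KEYFILE]
make_alias() {
    local name="$1" user="$2" host="$3" key="${4:-}"
    local cmd="ssh"
    # Only add -i when this system needs a specific private key.
    if [ -n "$key" ]; then cmd="$cmd -i $key"; fi
    printf "alias %s='%s %s@%s'\n" "$name" "$cmd" "$user" "$host"
}

# Append LINE to FILE unless that exact line is already present, so
# re-running the setup never duplicates entries in .bashrc.
persist_alias() {
    local line="$1" file="$2"
    touch "$file"
    grep -qxF -e "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Read an inventory with one "name user host [keyfile]" row per line and
# persist an alias for each row. Blank lines and # comments are skipped.
install_aliases() {
    local inventory="$1" rcfile="$2" name user host key
    while read -r name user host key; do
        case $name in ''|'#'*) continue ;; esac
        persist_alias "$(make_alias "$name" "$user" "$host" "$key")" "$rcfile"
    done < "$inventory"
}

# Typical use (paths are placeholders):
#   install_aliases ~/filers.txt ~/.bashrc && . ~/.bashrc
#   na01 version
```

A `~` in the key path is written into the alias literally and is expanded by bash when the alias is used, which keeps the rc file portable between accounts.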

SSH to a NetApp Using Key Based Authentication

EDIT 2014-03-03: An updated post for Clustered Data ONTAP is here.


I find it quite handy to use a *nix server as a management host for my NetApp systems. Using key based authentication and SSH the whole process is easy and secure. With the addition of bash aliases for the hosts, I can even quickly run commands against multiple hosts.

A couple of prerequisites: you need to have either CIFS or NFS enabled and the root volume exported/shared. Also, you must have SSH enabled. I will refer you to the documentation on how to get these tasks done. I recommend you create a non-root user for any administrators to use for access (for accountability reasons). If you are ok with using root for everything, then don’t execute the following: useradmin user add some_username -g Administrators.

This will work with OnTAP 7 and OnTAP 8 7-mode. I haven’t had the privilege of using a Clustered OnTAP system at this time, so I don’t know the process.

Read more

PowerShell: NetApp DataONTAP toolkit credentials management

I’ve had the pleasure of spending the last several days talking to the development team here at NetApp about the DataONTAP PowerShell Toolkit. As a result we’ve all learned a lot. One of the more interesting features they brought to my attention was the credential management solution included with the toolkit. I found this very compelling; you see, embedding credentials within a script is as old as scripting itself. There was a time not too long ago when it was considered taboo. However, with PowerShell came access to the .NET Security.Cryptography encryption/decryption methods. Scripters have unknowingly been accessing said methods indirectly whenever they would use the credential management functions that Hal and BSonPosh wrote long ago.

Which brings me to the DataONTAP toolkit. The development team has stepped it up a notch and included a full credential management solution with the latest version of the toolkit. The way it works: first you save logon information by using the Add-NaCredential cmdlet, which stores the credentials for a given NetApp controller on the local machine. Then the next time you run the Connect-NaController cmdlet, the credentials you previously saved will be used. So how do we use this new feature, and why do you care?

Read more

PowerShell: NetApp DataONTAP Toolkit v1.3 A PSProvider done right!

Within the PowerShell community there has been a lingering debate over modules and providers. Initially everyone seemed compelled to do both. Personally, I’ve never been very impressed by third party providers, mainly because they always felt like a gimmick. They forced the file system analog, and the results were not very good. They were buggy, slow, and didn’t support the standard provider hooks. This led to many vendors never bothering and focusing instead on cmdlets. I myself had come to the conclusion that providers were something for the PowerShell team, and third party ISVs should just leave them alone. Fortunately the provider in version 1.3 of the DataONTAP PowerShell toolkit has broken the mold and renewed my faith in providers!

Read more

NetApp: Change Virtual Storage Console (VSC) SSL Certificates

Glenn posited an interesting question this morning…how to change the SSL certificate that VSC uses to one that is signed by your CA so that the warning(s) would no longer appear. Turns out it’s significantly more difficult than it probably should be, but it is possible.

First, let me say that NetApp probably hates me doing this and will not support your VSC install in any way should you modify the key. Also, keep in mind that any updates to VSC may overwrite the key, thus undoing any of this work. So, proceed at your own risk…

Read more

PowerCLI: Force NetApp Virtual Storage Console (VSC) to use a FQDN

First let me say, I love VSC; it took all of the complexity out of using NetApp storage in a vSphere environment. I have been tolerating one annoyance for quite some time now, and this morning said annoyance broke VSC at a customer site. What’s wrong with VSC? Well, for some reason it forces you to register the plugin with vCenter using an IP address. At this site, an over-restrictive proxy configuration meant that only fully qualified domain names (FQDNs) worked. Any IP address was redirected to a web page that explained said over-restrictive policy, and because VSC is mainly a web page, the use of an IP address broke everything. I searched around a little, and found William Lam’s post on removing plug-ins with the MOB. Once I found the pivot point for plug-ins, I searched the API Reference and found the ExtensionManager object. Now that I had the object in hand, I fired up PowerCLI and in less than 10 min figured out how to manually adjust the URL VSC used. It was so easy that I think I’m going to try and slap together a quick module to manage plug-ins via PowerCLI, but in the meantime if you, like me, have been frustrated by VSC’s use of an IP address… try this.

NetApp: Quick and dirty way to start the simulator at system startup

Being a primarily NetApp shop I do a fair amount of testing against their simulator before using any of the perl (and slowly PoSH) scripts against production systems. One of the things that I did a while ago was create a simple way of having the simulator(s) start when my virtual machine starts so that I don’t have to worry about logging in to start it.

NetApp’s documentation for the simulator states two ways of having it start when the server does: using screen to start it in the background, and the more “brute force” method of simply backgrounding the process when it’s started (by appending an ampersand to the end of the command). While both of these methods work, I wanted a way that I didn’t have to log in to the system first in order to access the console of the simulator.

Read more

PowerShell: DataOnTAP and SID Conversions

This morning while standing up a new vScan A/V server I wanted to look up our McAfee service account.  I knew the account would be a domain account, and I knew it would be a member of the backup operators group on the filer.  With that in mind I ran the following.

Well that’s rather useless… Unfortunately, the OnTAP API doesn’t provide a means to convert a SID to an NTAccount. This is normally accomplished via the “cifs lookup” command on the Ontap CLI, but that doesn’t help us much from the toolkit. Fortunately .NET provides a native means to perform this conversion. This isn’t new to anyone who has been following PowerShell for a while (//o// first posted these functions way back in the Monad days), but that doesn’t make them any less useful!

Now that’s more like it! This is what I love about PowerShell. In the past I would have had to push back on my sales rep, who would have in turn pushed back on the development team. Fast forward a year, and maybe I would have a workaround. Or I would have had to try and glue a couple of third party exes together (yuck). With PowerShell, if I don’t like something I simply extend it in script. No development, nothing complicated, just a couple of lines of PowerShell. Best of all, I can then provide this to the vendor as a concrete example of what I want in the next release (hint hint NetApp: cifs lookup needs to be in the SDK!)

It really is just great stuff.
~Glenn

Cacti: Monitor protocol statistics for NetApp volumes

Update 2011-07-10:  Due to a template export error with Cacti, the import was failing for a lot of people. I apologize for taking so long to fix the templates, however they should be fixed now. Thank you to everyone who pointed out the errors and the fix in the comments.


I have made no secret that I use two applications daily to monitor my infrastructure: Nagios and Cacti. I have created a fair number of scripts (and hopefully publishing more soon) to help Nagios monitor the different parts of the infrastructure, however I haven’t published many of my Cacti scripts previously.

One of the most useful is the config that I use to monitor the different protocol stats for volumes. I created an indexed query so that the single script, and accompanying XML file, are capable of monitoring all the volumes, and I can select which graphs to create for each volume. The polling script is loosely based off of the multi-protocol realtime volume statistics script that I created some time ago.

Download the updated template and script(s) here.

Some examples…

Total Operations, Latency [graphs: total_ops, total_lat]
CIFS Operations, Latency [graphs: cifs_ops, cifs_lat]
NFS Operations, Latency [graphs: nfs_ops, nfs_lat]
iSCSI Operations, Latency [graphs: iscsi_ops, iscsi_lat]