Over the last several posts we have reviewed how to create and manage aggregates, SVMs, and volumes. All of that is great, but at this point you still can’t access that capacity to begin storing things. In this post we will discuss the various ways to access the volumes and the data inside them.
- Junctioning
- Export Policies
- NFS Exports
- CIFS/SMB Shares
- LUNs
- LUN Management
- iGroups
- LUN Mapping
Junctioning
A junction is the path through which a volume is accessed. Exports and CIFS/SMB shares are both “mounted” to the root of the storage virtual machine (SVM) using the junction path. That junction path is then used by storage consumers to access the volume and read/write data to it.
Let’s look at an example. If you have a volume, “volume1”, you can junction it however you like: “/volume1” would mean that, for NFS, the mount would be myNetApp.domain.com:/volume1, or for CIFS/SMB, it would be \\myNetApp.domain.com\volume1. If you had a second volume, creatively named “volume2”, you could junction it at the root as well (e.g. “/volume2”), or you could nest it under volume1, e.g. “/volume1/volume2”.
Additionally, you can name the junction whatever you want. The name of the volume and the junction name are completely separate entities and are not required to match.
```powershell
# list junctions
Get-NcVol | Select Vserver,Name,JunctionPath

# junction a volume
Get-NcVol $volumeName | Mount-NcVol -JunctionPath $newPath

# unjunction a volume
Get-NcVol $volumeName | Dismount-NcVol

# change volume junction
Get-NcVol $volumeName | Dismount-NcVol | Mount-NcVol -JunctionPath $newPath
```
Export Policies
An export policy, despite the name, applies to both NFS exports and CIFS/SMB shares. The export policy is what determines the permissions for accessing the junction. Remember that these are specific to each SVM.
```powershell
# list export policy assigned to volumes
Get-NcVol | Select Vserver,Name,@{N="Export Policy"; E={ $_.VolumeExportAttributes.Policy }}

# list rules for an export policy
Get-NcVserver $svmName | Get-NcExportPolicy $policyName | Get-NcExportRule

# create an export policy
Get-NcVserver $svmName | New-NcExportPolicy $policyName
```
We will discuss policy rules below and address them for each of the access protocols.
NFS Exports
NFS access is managed using export policy rules. Make sure that the NFS server has been started and the NFS version you want to use has been configured.
For VMware volumes, you will want to use “sys” or “all” for the RO, RW, and SU security flavors. For maximum security, create a new rule for each of the hosts which will be connecting to the export and set the client match rule to the ESXi host IP address. If you are using a private network for NFS traffic, using the subnet for that VLAN is also a safe bet.
```powershell
# create an export policy rule for NFS access
$splat = @{
    # e.g., "nfs", "nfsv3", "nfsv4". Can be more than one
    # using a list of comma separated values.
    "Protocol" = $protocol;
    # examples: 192.168.0.0/24, 0.0.0.0/0, etc.
    # it is, generally, a good idea to set this to be as restrictive
    # as is reasonable for security reasons.
    "ClientMatch" = $subnetRule;
    # any, none, krb5, ntlm, and sys are all valid values
    "ReadOnlySecurityFlavor" = $roRule;
    # same valid values as the Read-Only rule
    "ReadWriteSecurityFlavor" = $rwRule;
    # same valid values as the Read-Only rule
    "SuperUserSecurityFlavor" = $rootRule;
}
Get-NcVserver $svmName | Get-NcExportPolicy $policyName | New-NcExportRule @splat

# remove a rule
Get-NcVserver $svmName | Get-NcExportPolicy $policyName | Remove-NcExportRule -Index 2

# edit a rule
Get-NcVserver $svmName | Get-NcExportPolicy $policyName | Get-NcExportRule -Index 1 | Set-NcExportRule -ReadOnlySecurityFlavor "any"
```
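As an added example (not code from the original post), the per-host recommendation above can be scripted: one rule per ESXi host address with "sys" for RO, RW and SU, plus an audit that flags rules which open a policy to every client. The cmdlets and parameters are the ones used in this post; the function names are hypothetical, and the RoRule, RwRule and SuperUserSecurity property names are assumed to be those on the objects Get-NcExportRule returns.

```powershell
# Create an NFS export policy with one rule per ESXi host (hypothetical helper).
# Each rule matches exactly one host address, so a misconfigured or unexpected
# client on the same VLAN is not granted access by a broad subnet rule.
function New-EsxiNfsExportPolicy {
    param(
        [string]$SvmName,
        [string]$PolicyName,
        [string[]]$EsxiHostIps
    )
    Get-NcVserver $SvmName | New-NcExportPolicy $PolicyName | Out-Null
    $policy = Get-NcVserver $SvmName | Get-NcExportPolicy $PolicyName
    $index = 1
    foreach ($ip in $EsxiHostIps) {
        $rule = @{
            'Index'                   = $index
            'Protocol'                = 'nfs'
            'ClientMatch'             = $ip      # single host, not a subnet
            'ReadOnlySecurityFlavor'  = 'sys'
            'ReadWriteSecurityFlavor' = 'sys'
            'SuperUserSecurityFlavor' = 'sys'
        }
        $policy | New-NcExportRule @rule
        $index++
    }
}

# Report rules that expose a policy more widely than a per-host rule would
# (hypothetical helper). RoRule, RwRule and SuperUserSecurity are assumed to be
# the property names on the rule objects returned by Get-NcExportRule.
function Find-PermissiveExportRule {
    param([string]$SvmName, [string]$PolicyName)
    Get-NcVserver $SvmName | Get-NcExportPolicy $PolicyName | Get-NcExportRule |
        Where-Object {
            $_.ClientMatch -eq '0.0.0.0/0' -or        # matches every IPv4 client
            $_.SuperUserSecurity -contains 'any'      # root access for any flavor
        } |
        Select-Object PolicyName, RuleIndex, ClientMatch, RoRule, RwRule, SuperUserSecurity
}

# usage; SVM name, policy name and host addresses are constructed placeholders
New-EsxiNfsExportPolicy -SvmName 'svm1' -PolicyName 'esxi_nfs' -EsxiHostIps '192.168.10.11','192.168.10.12'
Find-PermissiveExportRule -SvmName 'svm1' -PolicyName 'esxi_nfs'
```

Run the audit against every policy on an SVM before attaching it to a datastore volume; an empty result is the expected outcome for a per-host policy.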
CIFS/SMB Shares
CIFS/SMB shares provide Windows clients access to data. Make sure that you have enabled the CIFS server and are joined to an Active Directory domain for authentication/authorization services. Shares are created/destroyed using the Add-NcCifsShare and Remove-NcCifsShare cmdlets. Export policies are optional for CIFS/SMB as of cDOT 8.2.
```powershell
# view the CIFS/SMB server for an SVM
Get-NcVserver $svmName | Get-NcCifsServer

# disable SMB2 for a SVM
Get-NcVserver $svmName | Get-NcCifsServer | Set-NcCifsOption -DisableSmb2

# enable SMB2 and SMB3
Get-NcVserver $svmName | Get-NcCifsServer | Set-NcCifsOption -EnableSmb2 -IsSmb3Enabled:$true

# create a share
Get-NcVserver $svmName | Add-NcCifsShare -Name $shareName -Path $junctionPath

# create an export policy rule for CIFS/SMB access
$splat = @{
    # just like NFS, except we change the protocol here
    "Protocol" = "cifs";
    # examples: 192.168.0.0/24, 0.0.0.0/0, etc.
    # it is, generally, a good idea to set this to be as restrictive
    # as is reasonable for security reasons.
    "ClientMatch" = $subnetRule;
    # any, none, krb5, ntlm, and sys are all valid values
    # any and ntlm make the most sense for a CIFS/SMB share
    "ReadOnlySecurityFlavor" = $roRule;
    # same valid values as the Read-Only rule
    "ReadWriteSecurityFlavor" = $rwRule;
    # same valid values as the Read-Only rule
    "SuperUserSecurityFlavor" = $rootRule;
}
Get-NcVserver $svmName | Get-NcExportPolicy $policyName | New-NcExportRule @splat
```
My personal recommendation is to not use export policy rules to limit access to a share. NTFS permissions are a perfectly acceptable method of managing access to data. Plus, as a storage administrator, do you really want to be managing share permissions for the Windows admins?
LUNs
LUNs are the method of access for all block based protocols (FC, FCoE, iSCSI). They are created the same way regardless of protocol; only the way they are mapped to initiators differs slightly. Let’s look at creating a LUN, then we’ll look at iGroups, and finally mapping the LUNs.
LUN Management

```powershell
# create a LUN
$splat = @{
    # the LUN path still starts with "/vol"
    'Path' = "/vol/volumeName/lunName";
    # the size. you can use k, m, g, t to help
    'Size' = "10g";
    # standard os types...e.g. vmware, linux, windows_2008, etc.
    'OsType' = "vmware";
    # set the LUN to be thin provisioned
    'Unreserved' = $true;
    # cDOT 8.3 only, this enables several primitives such as UNMAP
    # and out-of-space notifications
    'ThinProvisioningSupportEnabled' = $true;
}
Get-NcVserver $svmName | New-NcLun @splat

# move a LUN
Get-NcVserver $svmName | Start-NcLunMove -Source $sourcePath -Destination $destinationPath

# check LUN move progress
Get-NcLunMove

# get LUN details
Get-NcLun -Path $lunPath | Format-List *
```

iGroups

```powershell
# list iGroups
Get-NcIgroup

# get iGroups for an initiator
Get-NcIgroup | Where-Object { $_.Initiators.InitiatorName -contains $iqnOrWwpn } | Select-Object Name,Type,Protocol

# create an iGroup
$splat = @{
    'Name' = "MySpecialiGroup";
    # the protocol: iscsi, fcp, or mixed
    'Protocol' = "iscsi";
    # the OS of the clients, e.g. windows, linux, vmware
    'Type' = "vmware";
}
Get-NcVserver $svmName | New-NcIgroup @splat

# add initiators to an iGroup
"iqn.1998-01.com.vmware:host1","iqn.1998-01.com.vmware:host2","iqn.1998-01.com.vmware:host3","iqn.1998-01.com.vmware:host4" | Foreach-Object {
    Add-NcIgroupInitiator -Name $igroupName -Initiator $_ -VserverContext $svmName
}
```

LUN Mapping

```powershell
# get iGroup for LUN
Get-NcLun -Path $lunPath | Get-NcLunMap

# get LUNs mapped to an iGroup
Get-NcLunMap | Where-Object { $_.InitiatorGroup -eq $igroupName }

# get LUNs mapped to a host initiator
Get-NcLunMapByInitiator -Initiator $hostInitiator

# map a LUN to an iGroup
Get-NcLun -Volume $volumeName | Add-NcLunMap -InitiatorGroup $igroupName
```

Clustered Data ONTAP 8.3 will not show the LUN as accessible from all hosts by default. To add another host for LUN reporting (for example, when preparing to do a LUN move operation), you will need to explicitly add it to the map.

```powershell
# add a node reporting for a LUN
Add-NcLunMapReportingNodes -Path $lunPath -InitiatorGroup $igroupName -Nodes node3,node4

# add all nodes to the reporting
Add-NcLunMapReportingNodes -Path $lunPath -InitiatorGroup $igroupName -All $true

# remove a node for a LUN
Remove-NcLunMapReportingNode -Path $lunPath -InitiatorGroup $igroupName -Nodes node1,node2
```
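Pulling the iGroup and mapping steps above together, here is an added example (not code from the original post) that maps a LUN to an iGroup only after checking that the iGroup exists and actually has initiators, and that skips the map if it is already in place, so a re-run of a provisioning script never produces a duplicate or an empty mapping. The function name is hypothetical; the -Name parameter on Get-NcIgroup and the -VserverContext parameter on Get-NcLun are assumed, while the rest are the cmdlets and properties used in this post.

```powershell
# Idempotent LUN-to-iGroup mapping with sanity checks (hypothetical helper).
function Add-LunMapChecked {
    param(
        [string]$SvmName,
        [string]$LunPath,       # e.g. /vol/volumeName/lunName
        [string]$IgroupName
    )

    # -Name on Get-NcIgroup is assumed; the post lists iGroups unfiltered
    $igroup = Get-NcIgroup -Name $IgroupName -VserverContext $SvmName
    if (-not $igroup) {
        throw "iGroup '$IgroupName' does not exist on SVM '$SvmName'"
    }
    # an iGroup with no initiators is usually a half-finished provisioning
    # step; mapping to it grants nothing yet but is easy to forget about
    if (-not $igroup.Initiators) {
        throw "iGroup '$IgroupName' has no initiators; refusing to map $LunPath"
    }

    # -VserverContext on Get-NcLun is assumed
    $lun = Get-NcLun -Path $LunPath -VserverContext $SvmName
    if (-not $lun) {
        throw "LUN '$LunPath' not found on SVM '$SvmName'"
    }

    # skip if this LUN is already mapped to this iGroup
    $existing = $lun | Get-NcLunMap | Where-Object { $_.InitiatorGroup -eq $IgroupName }
    if ($existing) {
        Write-Verbose "$LunPath is already mapped to $IgroupName"
        return $existing
    }

    # perform the map and return the new mapping for the caller to record
    $lun | Add-NcLunMap -InitiatorGroup $IgroupName
}

# usage; SVM, LUN path and iGroup name are constructed placeholders
Add-LunMapChecked -SvmName 'svm1' -LunPath '/vol/vmfs01/datastore01' -IgroupName 'esxi_cluster' -Verbose
```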