SSH to Clustered Data ONTAP using Key Authentication

This post is an update to the earlier post on key based authentication to a ONTAP 7-mode (or ONTAP 7) system. Clustered Data ONTAP’s authentication mechanism is different because it isn’t tied to each node, but rather the cluster itself.

To configure key based authentication for the cluster admin user, you will need to add the authentication method first:

Note that the above warning will occur after executing the command to warn you that a public key must be imported for the user before it can be used. Import the key using the following command:

Note that the -publickey option has double quotes around the public key text, and the key type prefix (ssh-rsa in this case) remains.

Doing this for Storage Virtual Machine admins/users is the same process, just change the appropriate options (-vserver and -username) to valid values.

Also note that you can have multiple keys (up to 99) for an individual user. If you want to enable the entire storage team to access the cluster admin account without having to worry about shared passwords or shared certificates, that is possible.

Clustered Data ONTAP Snapmirror – Removing a relationship from the source

Encountered a situation where the Snapmirror destination had been removed without properly cleaning up the source. This was on a clustered Data ONTAP 8.2 system where I could not delete a volume because of the Snapmirror relationship. This operation is performed from the source, so snapmirror show does not show any relationships (remember…snapmirror is managed from the destination).

Here is what I did to remove the Snapmirror snapshot and the relationship. First, show the destinations:

Once this information is available, you can simply call the snapmirror delete command with the above information to remove the relationship from the source:

The use of -force may be necessary if the destination is not reachable (check cluster peer show for peer status).

NetApp Virtual Storage Console Default Provisioning and Cloning Settings

As a VMware administrator, if you aren’t using Virtual Storage Console (it’s free!) to assist with administering your NetApp storage, you’re missing out on a great tool. It simplifies a lot of tasks through abstraction and a GUI. That being said, I know not everyone has that advantage, especially if you work for an organization where silos are still alive and well.

In order to facilitate best practices when it comes to creating datastores, whether FC/iSCSI LUNs or NFS, I want to publish the settings that VSC uses to create the volumes. As a VMware administrator, you can approach the storage team and ensure the volumes/LUNs/etc. are configured in this manner, or as the storage administrator this is the baseline for VSC configures them.

Remember that these are best practices / recommendations only. They ALWAYS come with the “it depends” caveat…every setup is different, so not all of these may be appropriate for you and your environment.

All of these settings are documented in the VSC Installation and Administration Guide. Additionally, justification and rationale can be found in TR-3749 and TR-4068, the two best practices guides for using vSphere and NetApp together.

Read moreNetApp Virtual Storage Console Default Provisioning and Cloning Settings

Changing the vCenter 5.5 Appliance Hostname

How to change the hostname of the vCenter appliance, including updating the self-signed SSL certificates…

  1. Log into the administrative web page for your appliance using your browser of choice. https://your.vcenter.appliance.ip:5480.
    vca_rename_1
  2. Browse to the Network -> Address tab. Update the hostname and click “Save Settings”.vca_rename_2
  3. Browse to the Admin tab. Toggle the “Certificate regeneration enabled” option to “Yes”.vca_rename_3
  4. Browse to the System tab, click the Reboot button.vca_rename_4
  5. Wait. Wait some more. Keep waiting. Ok, connect to the ESXi host directly and open the console. See…it’s still rebooting. (Why do ESXi and the VCA take so long to boot/reboot?)
  6. Once it’s back, log into the admin interface, browse to the Admin tab and ensure that the “Certificate regeneration enabled” option is set to “No”.

That’s it…simple, but a little time consuming. Any plugins (NetApp Virtual Storage Console, VMware Update Manager, etc.) may need to be re-registered with vCenter to ensure they are working correctly.

Linux Console Scrolling

A simple, but extremely useful, tip…I didn’t know about it for a long time, but now that I do it’s quite helpful.

In most linux consoles, including RHEL and it’s derivatives, SUSE, and Ubuntu (these are the ones I’ve tried) you can scroll up and down to view the console history by holding the Shift key and using Page Up/Page Down.

Unfortunately, it does not work with the cDOT console.

An Exploration of FlexVols that Underlay VMware Datastores

This post is a continuation of the series that I started with aggregates. FlexVols are created inside of an aggregate and are the logical assignment of the aggregate’s capacity to sub-containers. Think of a FlexVol as a folder on a file system with a quota applied to it…while that isn’t technically true, it get’s the gist across.

FlexVols are the data containers from which CIFS/NFS data (including virtual machines) is served, and/or LUNs are hosted from. They are the functional level for which many features are applied, such as deduplication, and provide logical separation for data sets. From a security point of view, no data in one volume is available from another, and even though the disks are shared, there are no shared blocks between volumes (even with deduplication).

Clustered Data ONTAP introduced the ability to move volumes between nodes in the cluster. I won’t preach about the benefits of cDOT, but there are many and they far outweigh the added complexity. This series is meant to stay focused on the data container settings, which are the same between 7-Mode and clustered Data ONTAP.

Before we begin, I want to note that TR-3749 and TR-4068 should always be the primary reference and guide when deploying VMware using NetApp storage.

Read moreAn Exploration of FlexVols that Underlay VMware Datastores

An Exploration of Aggregates that Underlay VMware Datastores

NetApp storage, much like ogres and onions, is made up of several layers. Regardless of using Data ONTAP 7-Mode or clustered Data ONTAP (cDOT), there are always aggregates which contain volumes which contain NFS/CIFS shares and/or LUNs. Aggregates are the physical grouping of disks into RAID groups on which all data is stored when using Data ONTAP, they are the foundation on which everything else rides.

Storage Layers

I am going to start examining those configurables which may, or may not, be important when hosting virtual machines. This will be broken into several parts, one for each of the layers:

All of these components are configured similarly with both 7-Mode and C-Mode. C-Mode adds another layer of abstraction, known as the Storage Virtual Machine, which enhances data mobility and manageability on the storage array, but that does not affect the settings on the actual data container constructs.

Each of these entities has configuration options and settings that can be tweaked, tuned, and adjusted for various scenarios. The defaults for these settings are conservative and capable of meeting a broad range of requirements, but they can also be changed to meet a variety of more specific needs for capacity, performance, ease of management, etc. Remember, just because a setting can be adjusted doesn’t mean that it needs to be. All environments are different, and there is rarely only a single “correct” way to configure your storage.

Before we begin, I want to note that TR-3749 and TR-4068 should always be the primary reference and guide when deploying VMware using NetApp storage.

Read moreAn Exploration of Aggregates that Underlay VMware Datastores

NetApp’s Integration with VMware’s Ecosystem

As I have transitioned from being a customer to being an employee with NetApp I have become aware of the breadth of integration between VMware and NetApp. I have realized that as a customer, I was only using a small amount of what is available. There are a lot of software bits-and-pieces, and documentation, that make life much easier for admins, and I have struggled to find a consolidated listing (maybe I haven’t looked hard enough…or asked the right people…?). This blog post is my attempt to provide a starting place for information regarding NetApp integration with VMware.

As I go through the process of learning, I hope to document as much as possible, and I invite you to follow along…hopefully we can all gain some insight into the resources available.

Firstly, always begin with TR-3749 and TR-4068. These are the primary references from NetApp regarding VMware integration…I highly recommend that if you have not already read them you do so now.

Read moreNetApp’s Integration with VMware’s Ecosystem

PowerShell: Recursively Show Group Membership for an Active Directory Object

Another PowerShell function to help identify user/group/computer information from Active Directory. This one will recursively show group membership for an Active Directory object.

Sample usage:

PowerShell: Recursively Show User Membership in an Active Directory Group

A little bit of PowerShell for you today. This function uses the Microsoft Active Directory cmdlets to query Active Directory and recursively list the users that are members. This is handy if you want to know all the users in a group without having to dig down through the groups in the ADUC (Active Directory Users and Computers) interface.

I have tested this on Windows 7, Server 2008, Server 2008 R2, and Server 2012. So long as the Active Directory module is installed (part of the RSAT package) then it should work.

First, let’s import the ActiveDirectory module:

Now we add the function to the environment:

And test it out:

Note that the function expects the Distinguished Name of the group…I think the above is the easiest way to pass that information, but I’m no expert 🙂

Also, this function does not deduplicate names…if a user is in multiple groups that are sub-members of the group, then their name will appear multiple times.