Security is one of those things that everyone knows they need to do, but it rarely gets done to the level that it should be. This, at least in my experience, is primarily because security makes general, day-to-day tasks more difficult. Take, for instance, rsh. Rsh by itself is a great time saver…admit it…it’s great to just be able to execute commands from your admin host and have the results returned back. You can parse them however you like using standard operating system tools like grep, awk, and sed, and best of all (or perhaps worst…) you don’t have to type the password repeatedly.
However, all of the benefits of rsh can be realized using ssh; it just takes a little more setup. But I’m not going to get into that today. What if you just want a way to securely execute commands against your NetApp without consuming the sole connection to your filer via ssh? (You have telnet and rsh disabled, right?) What if you don’t want to enable ssh, telnet, or rsh but still want to have a pseudo command line? Assuming you have SSL (https) access enabled, you can use the Perl SDK to access, and execute commands against, your filer almost like you were telnet/ssh’d into it.
The magic comes from the undocumented system-cli SDK command. It allows you to execute almost any command just as though you were sitting at the console.
The great part is that with this, you can accomplish probably 99% or more of all tasks having only one access method enabled to your NetApp: the https/ssl option. SSH, RSH, telnet and HTTP can all be disabled.
I say almost because there are two types of commands that do not work using the below Perl script. The first type is non-terminating commands. These, at least off the top of my head, are primarily the stats show commands with the -i option specified. With the -i option, the stats command repeats every number of seconds specified. Now, the caveat to this is that you can also specify a -c option that limits the number of occurrences to the number specified. The downside to this is that if you issue a command like stats show -i 5 -c 5 volume:*:read_ops then the command will take 25 seconds, at which point the results, as a whole, will be returned.
This also applies to issuing man commands. Man will not return (at least with the simulator) to STDOUT, so system-cli doesn’t capture the output.
So, without any more pontificating by me, here is some sample output and the script. If you would like to see additional examples, let me know in the comments.
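The following is an added example, not the script from the original post: a wrapper that refuses the two kinds of command described above before sending anything through system-cli over HTTPS. It assumes the NetApp Manageability SDK modules NaServer and NaElement are on the Perl include path; the args/arg and cli-output element names for the undocumented call, the NETAPP_PASS environment variable, and the helper names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Reason a command would hang or return nothing via system-cli; '' if safe.
sub refuse_reason {
    my @argv = @_;
    return 'empty command' unless @argv;
    return 'man output is not captured by system-cli' if $argv[0] eq 'man';
    my %opt = stats_opts(@argv);
    return 'stats -i without -c never terminates'
        if exists $opt{'-i'} && !exists $opt{'-c'};
    return '';
}

# Collect the -i/-c values of a stats command (empty for anything else).
sub stats_opts {
    my @argv = @_;
    my %opt;
    return %opt unless $argv[0] eq 'stats';
    for my $n (0 .. $#argv - 1) {
        $opt{ $argv[$n] } = $argv[ $n + 1 ] if $argv[$n] =~ /^-[ic]$/;
    }
    return %opt;
}

# Send one command over HTTPS and return its console output.
sub run_cli {
    my ($filer, $user, $pass, @argv) = @_;
    require NaServer; require NaElement;   # SDK modules, loaded only when needed
    my $s = NaServer->new($filer, 1, 3);
    $s->set_transport_type('HTTPS');       # the only access method left enabled
    $s->set_style('LOGIN');
    $s->set_admin_user($user, $pass);
    my $args = NaElement->new('args');
    $args->child_add_string('arg', $_) for @argv;   # one <arg> per word (assumed layout)
    my $in = NaElement->new('system-cli');
    $in->child_add($args);
    my $out = $s->invoke_elem($in);
    die 'system-cli failed: ' . $out->results_reason() . "\n"
        if $out->results_status() eq 'failed';
    return $out->child_get_string('cli-output');    # assumed output element
}

# Usage: NETAPP_PASS=... perl syscli.pl <filer> <user> <command words...>
my ($filer, $user, @cmd) = @ARGV;
@cmd = qw(stats show -i 5 volume:*:read_ops) unless @cmd;   # constructed sample
if (my $why = refuse_reason(@cmd)) { die "refusing '@cmd': $why\n" }
my %opt = stats_opts(@cmd);
warn 'expect about ', $opt{'-i'} * $opt{'-c'}, " s before output\n" if exists $opt{'-i'};
print run_cli($filer, $user, $ENV{NETAPP_PASS}, @cmd) if $filer;
```

Run with no arguments, it only exercises the check on the constructed sample command and exits with the refusal message; the password is read from the environment so it does not appear in the process list.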