[NetApp] 7-mode: multiple IP addresses on a single interface

ifconfig interface_name [-]alias address

<Create>
ifconfig e0a alias x.x.x.x

<Remove>
ifconfig e0a -alias x.x.x.x

** sample /etc/rc **
# Modify 2018-10-25 By xxxx
ifgrp create lacp bond0 -b rr e0a e0b e1a e1b
hostname Filer
ifconfig bond0 192.168.1.100 netmask 255.255.255.0 mediatype auto mtusize 9000
ifconfig bond0 alias 192.168.2.100
route add default 192.168.1.254 1
routed on
options dns.enable on
options nis.enable off
setflag smb_enable_2_1 1 # 1 = enable SMB 2.1, 0 = disable
savecore
priv set diag; setflag smb_enable_2_1 0; priv set

wrfile /etc/rc, then press Ctrl+C to finish (wrfile without -a replaces the existing file)

source /etc/rc

 


Reference : NetApp – Create and remove aliases

[Windows] How to flush Kerberos tickets

When accessing a file server on a Windows or NetApp machine, authentication sometimes just keeps failing. Telling the user to reboot, or to log out and log back in, every time is a bit old-fashioned; the other option is a patient user who waits nine hours for the ticket to expire (default Kerberos ticket age: 9 hours).

A better approach is something like ipconfig /release or ipconfig /flushdns that clears the cache right away.

CIFS/SMB access to a file server authenticates against Windows Active Directory with Kerberos, and Windows versions from Vista onward include a built-in way to purge Kerberos tickets.

[Windows Vista and later]

step01. cmd.exe

step02. klist  // list the currently cached tickets and how many there are; klist tgt shows the details of the ticket-granting ticket (TGT)

step03. klist purge

To purge the tickets of another logon session, e.g. caller logon ID (0x0,0x3E7) (the local system account; see reference 4):
klist -li 0x3e7 purge

klist -lh 0 -li 0x3e7 purge
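As an added example (not part of the original post), here is a small Python parser for the klist output the steps above refer to. It counts the cached tickets, flags the ones that have expired or were issued before a given group-membership change (the situation reference 7 addresses, where a ticket still carries the old group list), and builds the matching purge command. The klist output embedded below is constructed to mimic the English-language layout of klist on Vista and later; the principals, times and KDC name are invented.

```python
"""Parse Windows `klist` output and report tickets worth purging.

Added example, not from the original post. SAMPLE_KLIST_OUTPUT is
constructed: the layout mimics English-language klist on Windows Vista
and later, but the principals, times and KDC are invented.
"""
import re
from dataclasses import dataclass
from datetime import datetime

KLIST_TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist prints times in the local format

# Constructed sample output (not captured from a real host).
SAMPLE_KLIST_OUTPUT = """
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: fileserver$ @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/25/2018 8:00:00 (local)
        End Time:   10/25/2018 18:00:00 (local)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc01.example.local

#1>     Client: fileserver$ @ EXAMPLE.LOCAL
        Server: cifs/filer.example.local @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 10/25/2018 9:30:00 (local)
        End Time:   10/25/2018 19:30:00 (local)
        Cache Flags: 0
        Kdc Called: dc01.example.local
"""


@dataclass
class Ticket:
    client: str
    server: str
    start: datetime
    end: datetime


def _field(block, name):
    """Return the text after 'name:' on its line, or '' if absent."""
    m = re.search(rf"^\s*{name}:\s*(.+)$", block, re.MULTILINE)
    return m.group(1).strip() if m else ""


def _parse_time(value):
    """Parse 'MM/DD/YYYY H:MM:SS (local)' as printed by klist."""
    return datetime.strptime(value.split(" (")[0], KLIST_TIME_FMT)


def current_logon_id(text):
    """Logon ID in the form klist -li expects (e.g. '0x3e7' for the system account)."""
    m = re.search(r"Current LogonId is (\S+)", text)
    return m.group(1).split(":")[-1] if m else None


def parse_klist(text):
    """Split klist output on the '#n>' markers and parse each cached ticket."""
    blocks = re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]
    return [
        Ticket(
            client=_field(b, "Client"),
            server=_field(b, "Server"),
            start=_parse_time(_field(b, "Start Time")),
            end=_parse_time(_field(b, "End Time")),
        )
        for b in blocks
    ]


def stale_tickets(tickets, now, changed_at=None):
    """Tickets that are expired at `now`, or were issued before a group-membership
    change at `changed_at` and so still carry the old group list.
    Both times are strings in klist's own format."""
    now_dt = _parse_time(now)
    changed_dt = _parse_time(changed_at) if changed_at else None
    result = []
    for t in tickets:
        if t.end <= now_dt:
            result.append((t.server, "expired"))
        elif changed_dt is not None and t.start < changed_dt:
            result.append((t.server, "issued before group change"))
    return result


def purge_command(logon_id=None):
    """The klist invocation from the post, optionally for another logon session."""
    return "klist purge" if logon_id is None else f"klist -li {logon_id} purge"


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST_OUTPUT)
    logon = current_logon_id(SAMPLE_KLIST_OUTPUT)
    print(f"{len(tickets)} cached ticket(s) for logon {logon}")
    for server, why in stale_tickets(tickets, "10/25/2018 10:00:00", "10/25/2018 9:00:00"):
        print(f"  {server}: {why}")
    print("suggested:", purge_command(logon))
```

In practice you would feed it the real output (`klist > tickets.txt`) and the time of the group change you are waiting for; a ticket flagged "issued before group change" is exactly the one `klist purge` replaces without a logoff.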

 

[Windows XP & Windows Server 2003]

step01. download the Windows Server 2003 Resource Kit Tools

step02. extract or run 'rktools.exe'

step03. klist.exe tickets // list the currently cached tickets and how many there are

step04. klist.exe purge

*Addendum*
Enabling the Kerberos log
step01. regedit.exe

step02.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

step03.
Entry: LogLevel
Type: REG_DWORD
Default Value: 0; change it to 1 (0x1)


Reference :

  1. Microsoft – Kerberos protocol registry entries and KDC configuration keys in Windows
  2. Microsoft – Kerberos Authentication Tools and Settings (event ID reference)
  3. Web Debug – Debugging experiments with Kerberos authentication problems (Kerberos认证问题的调试试验)
  4. Norman Bauer – How to purge Kerberos tickets of the system account
  5. zhulinu的专栏 – Windows logon logs explained (Windows登录日志详解)
  6. From kinit to the Kerberos security mechanism (从kinit到kerberos安全机制)
  7. MIRU-CH – How to update group membership without logoff / logon / restart

[NetApp] Data LIF failover with more than two nodes: LIF migrates to a node whose ports are down

Most installations are a single NetApp system; a colleague hit a case with two FAS8200 systems, i.e. 4 nodes, where during data LIF failover testing a LIF migrated to a port whose link was down and caused an outage.

Example: node1 & node2 (HA pair); node3 & node4 (HA pair)

node1 – NIC cables unplugged; the LIF migrates to node3

node2 – NIC cables unplugged; the LIF migrates to node1 (dead immediately, because every link on node1 has been unplugged)

Resolution :

::> net int modify -vserver {SVM} -lif {lif-name} -failover-policy broadcast-domain-wide // SVM data LIFs default to system-defined

** There are five failover policies **

  • broadcast-domain-wide :
    All ports on all nodes in the failover group. This is the default setting for the cluster management LIF. You would not want to assign this policy to node management LIFs or cluster LIFs because in those cases the ports must be on the same node.
  • system-defined :
    This is the default setting for data LIFs. This setting enables you to keep two active data connections from two unique nodes when performing software updates. It allows for rolling upgrades: rebooting either odd-numbered or even-numbered nodes at the same time.
  • local-only:
    This is the default setting for cluster LIFs and node management LIFs. This value cannot be changed for cluster LIFs.
  • sfo-partner-only :
    Only those ports in the failover group that are on the LIF's home node and its SFO (storage failover) partner node.
  • disabled:
    The LIF is not configured for failover.


    Reference :
    NetApp – Types of failover policies

 

 

[Storage] Increasing the number of pings (ICMP packets) a NetApp DOT 7.x / 8.x / 9.x filer accepts

A customer application sends 1000 ICMP packets per second to check whether the filer is alive, but by default the filer accepts at most 150 ICMP packets per second from a single client, as protection against DoS (denial-of-service) attacks. The per-client limit therefore has to be raised to 1000 ICMP packets per second.

<< Resolution >>

7.x~8.x

[7 mode]
options ip.ping_throttle.drop_level <count> // default 150; maximum 4294967295 (over 4.2 billion)

[Clustered mode]
<ONTAP 8.x>
::> system run -node {nodename} -command "options ip.ping_throttle.drop_level <count>"
<ONTAP 9.x>
::> system run -node {nodename} -command "options ip.ping_throttle.drop.level <count>"

To remove the limit entirely (which also removes the DoS protection), set it to '0':
<ONTAP 8.x>
::> system run -node {nodename} -command "options ip.ping_throttle.drop_level 0"

<ONTAP 9.x>
::> system run -node {nodename} -command "options ip.ping_throttle.drop.level 0"

Checking the ping throttling threshold status
::> netstat -p icmp
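An added example, not from the post or from NetApp's knowledge base: a small Python model of the per-client ping throttle described above. It assumes the simple accounting the post implies (each source address gets at most drop_level ICMP packets per one-second window, the rest are dropped, 0 means no limit); how ONTAP counts internally is not stated on the page, so that detail is an assumption. Running it shows why the monitoring application's 1000 packets/second from one client are mostly dropped at the default of 150, that a second client is unaffected, and what raising the threshold (or setting 0) changes.

```python
"""Model of the per-client ICMP throttle (ip.ping_throttle.drop_level).

Added example, not from the post. The default of 150 packets/second per
client and "0 = unlimited" come from the post; the one-second-window
accounting is an assumption about how ONTAP counts.
"""
from collections import defaultdict

DEFAULT_DROP_LEVEL = 150  # ONTAP default per client per second (from the post)


class PingThrottle:
    """Counts accepted ICMP packets per (source, one-second window)."""

    def __init__(self, drop_level=DEFAULT_DROP_LEVEL):
        self.drop_level = drop_level
        self.accepted = defaultdict(int)   # source -> accepted packets
        self.dropped = defaultdict(int)    # source -> dropped packets
        self._window = defaultdict(int)    # (source, whole second) -> accepted

    def accept(self, src, t):
        """Decide whether an ICMP packet from src at time t (seconds) is accepted."""
        key = (src, int(t))
        if self.drop_level != 0 and self._window[key] >= self.drop_level:
            self.dropped[src] += 1
            return False
        self._window[key] += 1
        self.accepted[src] += 1
        return True


def simulate(drop_level, rates, seconds=1):
    """Send `rates[src]` evenly spaced packets per second from each source
    for `seconds` seconds; return {src: (accepted, dropped)}."""
    throttle = PingThrottle(drop_level)
    for src, pps in rates.items():
        for i in range(pps * seconds):
            throttle.accept(src, i / pps)
    return {src: (throttle.accepted[src], throttle.dropped[src]) for src in rates}


def loss_ratio(drop_level, pps):
    """Fraction of one client's packets dropped at a steady rate `pps`."""
    accepted, dropped = simulate(drop_level, {"client": pps})["client"]
    total = accepted + dropped
    return dropped / total if total else 0.0


if __name__ == "__main__":
    # Constructed scenario from the post: a monitoring app at 1000 pps plus an admin host.
    for level in (DEFAULT_DROP_LEVEL, 1000, 0):
        print(f"drop_level={level}: {simulate(level, {'monitor': 1000, 'admin': 1})}")
```

The model makes the trade-off visible: at the default the monitor loses 85% of its probes and will report the filer as down, raising the threshold to the application's rate fixes that for the one client without affecting others, and 0 accepts everything, so any host can then send ICMP at full rate.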

 


Reference :

1. NetApp – Increasing the ping throttling threshold value

2. NetApp Document ID : FA1394

[NetApp] ESXi NFS use Thin Provisioning

----- Pre-check -----
* NFSv3 must be enabled on the storage system
* NFSv4.1 is available only on ONTAP 9.0

* VMware vSphere 5.0 or later must be available
----- End -----

1. download the NetApp VAAI plug-in; download link: https://nt-ap.com/2HxiF4T

2.install NetApp VAAI Plug-In @ESXi
> esxcli software vib install -n NetAppNasPlugin -d /NetAppNasPlugin.zip

3.@NetApp type command
<clustered-mode>
::> vserver nfs modify -vserver {SVM-name} -vstorage enabled
<7-mode>
> options nfs.vstorage.enable on
<7-Mode CLI for vFiler units>
> vfiler run vfiler_name options nfs.vstorage.enable on

4. verify install state
> esxcli software vib list | grep -i netapp

5. verify VAAI is enabled (the value should be 1 (enabled); if not, go to step 6)
> esxcfg-advcfg -g /DataMover/HardwareAcceleratedMove
> esxcfg-advcfg -g /DataMover/HardwareAcceleratedInit

6. enable vaai
> esxcfg-advcfg -s 1 /DataMover/HardwareAcceleratedInit
> esxcfg-advcfg -s 1 /DataMover/HardwareAcceleratedMove

7. (optional verification)
> vmkfstools -Ph /vmfs/volumes/onc_src/
sample
> vmkfstools -Ph /vmfs/volumes/46db973f-cca15877

 

[NetApp] Windows Server 2012 mounting a volume over NFSv3 fails with "Network error - 53"

A customer reported today that mounting a NetApp FAS2552A volume over NFSv3 from Windows Server 2012 R2 fails with "Network error - 53".

Checked at the time:

1. Client and storage can ping each other > OK

2. confirmed the temporary LIF's role is 'data'

3. confirmed the SVM's allowed-protocols includes 'nfs'

4. confirmed the export-policy and export-policy rules are OK

5. confirmed clustered ONTAP is newer than 8.3.x (PS: C-mode 8.3.1 supports only NFSv3)

All of that was fine; it turned out that a few NFS server parameters have to be changed before a Windows NFSv3 mount works.

Solution

step01.

::> set -privilege diagnostic

step02.

::*>vserver nfs show -vserver {SVM} -fields v3-ms-dos-client,enable-ejukebox,v3-connection-drop

(Note)

v3-ms-dos-client (default: disabled)

enable-ejukebox (default: true)

v3-connection-drop (default: enabled)

step03.

vserver nfs modify -vserver {SVM} -v3-ms-dos-client enabled -enable-ejukebox false -v3-connection-drop disabled

step04.

*Windows client*

mount -o mtype=hard \\NetApp-NFS-LIF-IP\Volume Z:\

Done ^O^

 

 

[NetApp] restrictions for anonymous users (IPC$)

Sometimes a vulnerability scan of the NetApp IPC$ share (PS: when null-session access is forbidden), or abnormal IPC$ activity, causes the storage to spend time on 'Other' jobs, driving CPU usage high.
Or

Solution
** Clustered-mode **

step01.
::>set -privilege advanced

step02.
::*> vserver cifs options modify -vserver {SVM} -restrict-anonymous no-access

no-restriction (default) / 0 (7-mode)
no-enumeration / 1 (7-mode)
no-access (fully restricted) / 2 (7-mode)

step03.
::*> vserver cifs options show -vserver {SVM}

step04.
::*> set -privilege admin
::>

(PS: the change takes effect immediately)

** 7-mode **

options cifs.restrict_anonymous 2

(Note) How a null session is created from Windows
C:\> net use \\IP_ADDRESS\ipc$ "" /user:""

 

Reference:

IPC$ is the shared "named pipe" resource: a named pipe opened for inter-process communication. After a username and password are verified it grants the corresponding permissions, and it is used when managing a computer remotely and viewing its shared resources.

1. Configuring access restrictions for anonymous users (Clustered-mode)

2. Configuring access restrictions for anonymous users (7-mode)

[NetApp] 7-mode 8.2.4 disable SMB 2.1

Check whether SMB 2.1 is currently enabled

> priv set diag; printflag smb_enable_2_1 (0=disabled, 1=enabled)

Disable SMB 2.1

> priv set diag; setflag smb_enable_2_1 0; priv set

To have it applied automatically on every boot, write it to /etc/rc:

wrfile -a /etc/rc "priv set diag; setflag smb_enable_2_1 0; priv set"

PS: also applies to 8.1.1 / 8.1.3 / 8.1.4

 

Reference:

1. How to upgrade from Data ONTAP 8.2.1 to Data ONTAP 8.2.2 while keeping SMB 2.1 enabled (NetApp Article Number: 000028057)

2. Tracking down SMB 2.1 support in 8.1.x 7-Mode

 

 

 

[NetApp] 7-mode disable SMB 1.0

Beginning with Data ONTAP 8.2.5, you can disable the storage system’s SMB 1.0 server and client capabilities, if desired. It is enabled by default.

cifs control set smb1.enable off  // Server capability

cifs control set smb1.client.enable off // Client capability

 

Reference : NetApp Disable or Reenable SMB 1.0 // http://nt-ap.com/2qkRu5l