#╰・software

Sorry for jumping in the middle, but are there any additional spares on the partner controller that have ownership swapped?

You're good :).

The aggr is full / fully commited, and it's best to have a spare.

How do I check that? I don't know what a partner controller is

There's 2 controllers. you'd have to ssh into that controllers mgmt IP

I'm mostly worried about the fact that I deleted some data and the free space didn't go up. Does that have to do with previous versions that are still stored on disk?

It will take time to "clean up" and show free space

snapshots are seperate

you are showing aggr full, and 0 aggr snapshots, can we get a df -h on /vol/vol1 to see how much is used in the snap reserve there?

As Mike said, you are logged into filer2, if you have a filer1 that should be an HA partner, both nodes can access all disks in a system, but they are assigned to one node or the other specifically.

I can't recall a way to check for the partners IP in 7mode. do you Alan?

this filer is running as standalone filer afaik

can post an output of sysconfig -a

in a txt file, a screecap might be to long.

thx

so back to the snapshot.

snap list

but yeah, that does look like a single controller

you're probably going to have to delete snapshots at this point.

That snap reserve at 1007% shows it's eating into the real volume space you tried to free up deleting the files you wanted to clean up. vol1 is set to reserve 2% of space to hold snapshots, and currently you are using 21% of the volume space to hold snapshots... so 19% of your real volume is being eaten up by the data you tried to purge.

Can I adjust those snapshot settings? We don't need an hourly snapshot. Every 4 hours would be enough and then just one snapshot per dayor something like that

yes

I'd seek out whatever approvals you need to be clear to clean this up knowing that purging snapshots will not allow for data to be recovered from that point, and then start with a few of the older ones, likely to contain the most stale data. Give it a bit to see how much space it frees up in the volume.

Then yes, could set a more reasonable snapshot policy... 2 weeklies (sunday/midnight), 7 dailies (midnight each day), and then 6 hourly snapshots (1 every 4 hours throughout the day)

something like that

isn't that default?

been a while since I looked at 8.1 defaults 🙂

I think default is 3 weeklies and 6@4

same here

worth reading here - https://library.netapp.com/ecmdocs/ECMP1196991/html/GUID-8D7D39E4-AC1D-4C7A-8DE4-6DF8B88618DB.html

Thank you very much. I will read into this article and see what I can do 🙂

As a suggestion, you could enter the snap sched command in the following format "snap sched vol1 2 6 4@8,12,16,20" and it will keep the 2 prior sundays, one midnight for each of 6 days, and then 4 hourlies at 8am, noon, 4pm, and 8pm (business hours) each day.

here's delete snapshots - https://library.netapp.com/ecmdocs/ECMP1635994/html/GUID-8D6C53CE-57D2-4382-83E5-6F8A6911D058.html

I assume I could also just change the snap sched like Alan said and then the ones that are too old will be deleted anyway correct? I don't like delete commands.

They'd need to roll off based on their org schedule.

They will be deleted anyways, but weekly.7 won't fall off til this sunday at midnight when new weekly.0 is created... the space recovery with those existing snapshots will take a while, especially if your large data purge was recent

I haven't worked with 7 mode in a while, but If you put in the new schedule, then I believe the snapshots that don't conform to that new policy will be hung up (weekly.2-7) which are not in the new policy of only keeping two copies (weekly.0-1), and you will need to manually purge them anyways. Same I'm afraid goes for the extra dailies and hourlies.

ok I'll delete those manually then

thank you so much for the help

One other thing to be aware of, deleting a lot of data (like big old stale snapshots) can be pretty CPU intensive, so be ready to see a LOT of CPU activity, especially if we're talking terabytes.

Most people already left the office by the time I started deleting snapshots. Also I wouldn't know where to see CPU workload to begin with lol. Thanks for the info though.

@here @slender holly
I am facing an issue in NMSDK API . I have the 50 volumes in my ONTAP server then if I pass the max-records =5 parameter in the perf-object-instance-list-info-iter api call it will return the only the same 5 volume performance data in each api call. I never get the data of remaining volume. Can please someone suggest what should I do.
Please have a look at the below code snippets

perfInstances = self.oc.queryApi({'perf-object-instance-list-info-iter': [
                                             {'objectname': objectTypeForQuery}, {'max-records': max_records}, {'tag': next_tag}]}, output)

Thanks in advance.

Maybe ask this on the NetApp Slack: https://netapp.io/

It's more aimed at developers

We’re trying to get them to convert and come over here

Should try for Harvest too (which is on Slack)

Sorry for the late Reply
There are two ways to achive what you are trying to accomplish within NMSDK

First Option

Example this is your original request

<netapp >
<perf-object-instance-list-info-iter>
<objectname>volume</objectname>
<max-records>5</max-records>
</perf-object-instance-list-info-iter>
</netapp>

When you run the above API you will get at the end "<next-tag>" / "</next-tag>" copy that lines and create a new request something like this

<netapp>
<perf-object-instance-list-info-iter>
<objectname>volume</objectname>
<max-records>5</max-records>
<tag><perf-object-instance-list-info-iter-key-td>
<key-0>volume</key-0>
<key-1><add_volume_name_here></key-1>
<key-2><add_volume_uuid_here></key-2>
</perf-object-instance-list-info-iter-key-td></tag>
</perf-object-instance-list-info-iter>
</netapp>

The request above will fetch the next 5 volumes information

"Second Option"

Just go directly to the volume you need to fetch the perf data

<netapp>
<perf-object-instance-list-info-iter>
<objectname>volume</objectname>
** <max-records>5</max-records>**
<tag><perf-object-instance-list-info-iter-key-td>
<key-0>volume</key-0>
<key-1><add_volume_name_here></key-1>
<key-2><add_volume_uuid_here></key-2>
</perf-object-instance-list-info-iter-key-td></tag>
</perf-object-instance-list-info-iter>
</netapp>

Hope this will help

Hopefully this is the right channel for this. I am working on a Isilon to Netapp migration. Running CDOT 9.9.1P7, using DobiMigrate to migrate data. We have an application CIFS share that has some problems related to the fact some folders have periods at the end, Isilon doesn't care about this but DobiMigrate won't copy them since it violates NTFS rules.

I did some testing on Netapp side to trying to using a CIFS and also a NFS mount from a linux host to attempt to a create a folder with a period at the end on a NTFS style volume and it appears to work on linux but the folder doesn't appear properly in Windows.

Anyone happen to have suggestions? Sadly renaming the folder makes it disappear from the application (Symantec eDiscovery)

i don't think i ever ran into that issue. but DataDobi support has always been helpful with issues.

if no one here has an answer

There's a lotta odd stuff like that though when coming from OneFS

Hi All, I'm having some issues with getting CIF/SMB share working through my AFF-C190A. I have created the SVM and a felxvol but when I try to map the network drive locally it wont map it. I can ping the lif and nslookup shows it resolves to the correct IP, however if I add my domain credentials into windows credential manager manually, I can map the network drive. Does anyone have any ideas to why this maybe happening?

Any errors

?

just this

Fire up Wireshark and see what the actual error is. Anything in event log during that time?

Are you using domain or workgroup authentication

domain

Yeah this seems like a case where the error message isn't helpful.

my device is not on a domain although, which is why I have to specify credentials when mapping the network drive

Try firing up wireshark or the tcpdump command.

Oh.

let me get wireshark

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Network_error._Windows_cannot_access_CIFS_share._Check_the_spelling_of_the_name

That may be why.

et me check

its not setup in a workgroup

Hmm. Ok Wireshark it is.

Check your time. On the Netapp. On the host. On the domain controller. Make sure you have a RELIABLE time source and that everyone syncs to it

Make sure the time is correct by looking at the UTC time. Make sure time zones are correctly set

NTP server is set on ONTAP with the domain controllers so all times sync up

You are passing a local user account (packet 138 in the trace, ".\username" this is telling it to check the local machine database), you would have to create an account on the SVM with the same name and password for it to work or allow guest access.

https://docs.netapp.com/us-en/ontap/smb-admin/configure-guest-unix-user-task.html

Authentication path is Home Domain (where it is joined), Trusted Domains list, Local Database. If the account you are passing isn't in any of those then you won't get access by default

Thing is if I manually add my domain credentials on windows credential manager with the file path, I can access it

Yes, then Windows will authenticate with your domain account to that path

That is the same as mapping the drive and using the "as another user" option

so does that mean, I have to create a user account for all users in the business in the SVM

Not if they are domain users no

so I already have that unix user: pcuser, but no guest user

so if I add the pcuser to guest user that should work?

Only if you want non-domain guests to have access

If the users connecting are connecting from machines joined to the domain and they are logged in with domain accounts, it isn't needed

said users devices are not in the domain but they do login to the share with their domain account

Then they need to have the credentials in credential manager or map it using the option to map as another user

This is just by design in Windows

The first time they access it will ask to authenticate, if they use the domain account and click remember it will add it to credential manager anyway

so has it changed from ontap 8.2 to ontap 9? because on my old device which is on ontap 8.2 I can just type in on windows explore url the \path and it would prompt me to add my domain credentials in

This isn't an ONTAP issue, at least not from what is described.

This is just a Windows behaviour, my home NAS will do exactly the same thing

Likelihood is you've tried to authenticate as your local user at some point and Windows has just remembered it. You can try clearing out credential manager for any entries related to that path/device and it should prompt you again, but it's not always that easy. I've had a number of struggles with the way credential manager saves stuff at times.

Hello Team! Sorry if this is not the right place to ask. But here I go. I'm trying to download MccTiebreaker-MIB file, but I can't find it on the support download page, as this KB says: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Protection_and_Security/MetroCluster/Where_can_I_find_the_MetroCluster_Tiebreaker_MIB_files

Also read in other source that mcc tiebreaker mibs are inside the netapp-mib file, but after downloaded it can't find anything related.

Windows isnt as cleaver at that, sometimes it works and sometimes it don't 😂

Yeah its a strange behaviour and there are a load of similar questions all over the net about how to get it to forget

Sometimes it's cached somewhere that isn't credential manager, like if you tried to login but didn't click remember username/password, its cached for that session some how and needs a clean reboot/shutdown

But also, a shutdown isn't always a shutdown in Windows. The "fast start-up" feature effectively suspends Windows somehow when you shut down, so when you bring it back up it will have the same state as it was before, even the uptime is the same

I had exactly the same thing happen when I was setting up my new NAS at home a month or two ago, and it took ages to get Windows to authenticate properly. The experience for non-domain machines is meh at times.

Yeah, this is going to be a blunder as I need to figure out how to get 500+ users added to credential manager

There's a note in the ontap mib that says it's bundled with the MCCTB software. I checked the 1.3 download and there's a mcctb-mib.jar in there.

That KB needs a bit of an update. I'll submit a req

Thanks a lot Mike! Oh ok so you mean if I unpacked the rpm file, there would be the mcctb-mib.jar file?

Yeah.

mike@palic-mac common % ls mcc* mcctb-mib.jar mcctb.jar mike@palic-mac common % pwd /Users/mike/Downloads/mcctb/opt/netapp/mcctb/lib/common palicm@palicm-mac-0 common %

if that's not it. i'll have to ask around to some mcc folks I know.

not ontap related but is there an easy way to unpack the rpm file from a windows or mac?

7-zip?

osx I used tar -xv file.rpm

oops.

tar -xf file.rpm

I'll try it thanks!

worked!

im having an issue on an older 9.1 system running into bug 895150 and the fix for resetting disk ownership isnt working kinda frustrating... its a 3220 ive been trying to decommission for like 3 years

Hey Lobster, if you still happen to have access to the Support Site, you can upgrade ONTAP 9.1 to a patch version that includes the fix?

Looking at the bug details, there is a workaround documented that focuses on resetting the interconnect link, assuming that is what is not working for you?

oh im just complaining out loud, this has occurred before, a planned failover resolves it after manually resetting disk ownership

im actively trying to not upgrade this particular cluster cause i want it to go away

lol

A quick little jump to 9.1P10 should take some of your pain away, but I get why that seems pointless when the system is marked for decom.

yah i mean i got a window to do a failover this weekend probably use that window to upgrade it would be the smarter play

I will leave that decision up to you 👍 😆

QTree's can someone provide some best practices and when to use or not to use them?

Depends on use case @pulsar yacht.

One of the Isilon clusters I am migrating is a used for SAS, we have Isilon folder /ifs/HOSTDEV/data{1,2,3,4} I was wonder if having a single volume name "HOSTDEV" and then Qtree's with data1, data2, data3 and data4 would be a good approach for it.

Unless I am mistaken does dedupe/compression occur at volume level so I figured I get the best results that way

have a FAS500F two node HA Pair

I am not a fan of single FlexVols.

You cannot scale very easily.

If you wanted to do a FlexGroup that way I'd support it.

generally speaking I have been doing 1 to 1 vol to share/export during my migrations

does dedupe/compression occur at a volume level or aggreate?

I have a customer that just moved off isilon to ONTAP as well. We used QTREEs on top of FlexGroup to "mimic" the way it was configure on isilon.

and with the 500f, i'm pretty sure you can run aggr level dedupe. (aka cross volume dedupe).

I think so too.

Been looking at 500f lately because of another case, so that sounds right.

is there a way to confirm aggr level dedupe is on?

hmm first look at a volume

no

cross vol inline is suppose to default for AFF systems which I though FAS500F is technically considered AFF but just using QLC drives

And has a little more latency.

I am confused.... this says true but individual vols show false

Cross-vol inline dedupe = aggr level

I guess the question is if these are on does the individual volume status showing false matter

ONTAP 9.11.1RC1 out now 🥳

With the April ‘22 DQP and FW a lot of the things that differentiated the A250 and FAS500f stepbrother are starting to coalesce. For example, running a 500f on 110v or the A250 running big QLC 15TB drives… it’s really a stance of supported config but im finding it all mostly works, functionally.

any info about new features?

https://www.netapp.com/data-management/oncommand-system-documentation/

^Bookmark that.... first link is release notes. Just updated today!

bad request! lol

Is that a good idea? Using the QLC on a A250? Just like there is an AFF optimization set there is also a QLC optimization set. Check out the output of: system node show -instance -node localhost (use diag mode to see the optimizations that can be set)

I mean it's better than spinning rust.

After updating to 9.8 we seem to get an event saying: "Cluster uses a self-signed certificate"

We haven´t seen this before and no other changes was done except moving to 9.8
The events and suggested actions in AIQOCUM usually refers to a KB that one can follow, but not this one.

It gives med this:

Install a certificate-authority (CA)-signed digital certificate for authenticating the cluster or storage virtual machine (Storage VM) as an SSL server.

To install a CA-signed digital certificate, download a certificate signing request (CSR). Follow your organization's procedure to request a digital certificate using the CSR from your organization's CA. Install the digital certificate in ONTAP.

To download a CSR, run the following ONTAP command:
security certificate generate-csr

To install the digital certificate obtained using the CSR from your organization's CA, run the following ONTAP command:
security certificate install -vserver <admin vserver name> -type server

To disable the existing certificate and enable the newly installed certificate, run the following ONTAP command:
security ssl modify -vserver <admin vserver name>

It doesn´t get more into detail, and I´m hessitate to modify any certificate before I can read up more on the issue.
Anyone know what it´s really about, any good links to a KB I can read up on?

The certificate is needed to use the GUI. Self signed or not. Needs to be there for ssl to work

If your organization uses a certificate authority then you should see about creating a certificate request for your system. If your ca allows, be sure to include the ip addresses for all node/cluster mgmt LIFs. I also like to include the short names and the fqdns for each of the cluster/node mgmt LIFs. That way you can use a short name, a long Name or an ip and have a valid certificate

Ontap 9.8 has arguments to allow “-ips “ and “-dns” that are comma separated when using the “security certificate generate-csr “ command

Hello guys

hello!

does anyone know if you can get Fpolicy to read from an CSV/XML file to block file known ransomware/malware extensions . Looking at this example there is a field which you can specify extensions (File Extensions to Include: mp3, mp4, flv, wmv).. There are public sites with lists of know extensions for ransomware.. i doubt i can add 9000 items to the fpolicy option.. https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FPolicy%3A_Native_File_Blocking

already? lol i have a love/hate relationship with the cadence...

should be able to with external scripting seems like a good use case ill try it and let you know.

oh are you using the powershell module ?

also... inclusion lists are gonna be a lot shorter than exclusion lists (we use whitelist for CIFS shares using FSRM on windows file servers for example)

im not using anything yet.. I was just looking at the process.. if you have a look at sites like https://fsrm.experiant.ca they have the lists.. i doubt the field for entering characters would allow 4000+ entries

using ontap ssh shell im (99%) sure that you wont be able to, however using the powershell toolkiet (just a powershell module) you can write it as a powershell script and have it reference a csv

Question what are pro’s/con’s of using Mixed mode permissions on a volume? Does Ontap maintain NTFS and posix permissions separately?

Or Unified permissions for that matter

sorry for coming back a week later - the FAS500 is not an AFF.. even though it's got all flash drives.

https://www.netapp.com/media/27436-tr-4887.pdf - page 26 - "As a best practice, NetApp does not recommend a mixed security style unless your application has a direct requirement."

when mixed permissions are set for a volume, the effective permissions for a given directory tree or file is based on the last application/platform to change them

some applications get annoyed if they are not what they expect

Thanks.. but GUI works ans has always done.

If I run a 'security certificate show -vserver <admin vserver name>' I can see that I have a server certificate with Expiration Date: Mon Sep 24 15:38:08 2029

So I don´t understand why I should create a new one and disable the current one

@weak spoke Ok what about Unified permission style, i am trying to figure out Multiprotocol issues coming from Isilon to Netapp

i believe Unified is going away.

I was just part of a large isilon -> ontap move, I think we only used mixed on 1 volume over the 1000's that were moved.

and that was after extensive testing/troubleshooting

what's the issues you're having?

i have a couple of messy MP shares/exports that have complex permissions and our Unix systems are not using rfc2307 attribs

so trying to figure out how to perserve the current setup on netapp is proving to be a pain in the ass

don't recall that specificlly. let me check my notes/email

actually unified does not even show as a option in 9.9.1 for volume modify/create

even though the docs reference it

9.4 or before

https://docs.netapp.com/us-en/ontap/nfs-admin/security-styles-their-effects-concept.html

specific to infinite vols

what doc you looking at?

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-991%2Fvolume__create.html

under sec style it has unified listed

huh, just talked with someone internally. That does need corrected. it's not an option even under diag in later versions.

i'll submit a req to update that.

It was only on infinivols IIRC

if I set NTFS security style, can you add NFSv4 ACL's to that?

should be.

i'm checking here - https://www.netapp.com/pdf.html?item=/media/27436-tr-4887.pdf

There is another PPT slidedeck on multi-protocol permissions that deeply explains the ONTAP method. Ask your SE for it.

your Insight one?

or another one

Another one.

https://giphy.com/gifs/mtvema-2020-mtv-emas-qgri3D9sTwCUGMcT8L

https://tenor.com/view/only-one-there-can-be-only-one-highlander-gif-12213479

https://tenor.com/view/only-one-alone-there-can-be-only-one-one-and-only-pointing-dr-strange-gif-14539643

Why does that look like the Wish version of Dr. Strange.

bootleg version of the movie

its the spanish soap opera version

SOLO UNO

Don Solo Uno

@quaint ether Thank you reviewing that document to see if it can help provide some guidance to me.

Another question... we have a volume/share that we migrated a few weeks back permissions where fine but it looks someone cowboyed it and completely locked us Storage Admins and our access management team out of the share. What is the best way to reset the NTFS permissions to "Everyone" so can re-apply them correctly and remove access for the cowboys

Also sent a note to my SE about the referenced PPT slidedeck

I know there is a KB on that.

That’s not what I said. I said it needs a certificate. Expired or not. Without a certificate the GUI will not work

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_reset_NTFS_permissions_from_the_ONTAP_CLI

This seems to be what I need

Yup. I remember auditing it a few weeks ago.

so i had a minute and got this cobbled together, I have not tested it at all and im not super familiar with fpolicy but i hope it helps convey how you can reference a CSV (or txt file in this case) in a powershell command agains the netapp. ```$controllerSettings = @{
name = "controlleraddress";
username = "superduperadmin";
password = "wordofpassing"
}
$policyName = "block"

$fileExtensions = get-content "file-extensions.txt"
$fileExtensions = $fileExtensions -replace '\s+', ''

$securePassword = convertTo-SecureString -AsPlainText -force $controllerSettings.password
$credential = new-object management.automation.pscredential $controllerSettings.username, $securePassword
$controller = connect-NcController -Name $controllerSettings.name -Credential $credential -add -ErrorAction stop

New-NaFpolicy -Name $policyName -Controller $controller
Set-NaFpolicyExtensionList $policyName "include" $fileExtensions -Controller $controller
Enable-NaFpolicy -Name $policyName -Controller $controller ``` (Where file-exensions.txt is a list of extensions)

https://tenor.com/view/borat-borat-very-nice-verynice-thumbs-up-gif-25080066

Sorry, I thought you answered why we get the Warning event in OCUM. As we haven´t seen those before 9.8

And we have a valid cert.

The warning is a suggestion to use a certificate which is publicly trusted or trusted by your CA. This is a best practice in general. In terms of encryption both are the same.

A self signed certicate is perfectly fine if you don't want a public/private certificate. Some companies simply have a policy to use trusted certificates for all internal services. The only important part is to make sure it still valid and not expired.

Read this (1min Google): https://www.securew2.com/blog/public-vs-private-certificate-authority

Hello, I am new to Storage and learning on tap in Udemy. I am currently setting up ontap simulation on my laptop. But I ran into a problem. After setting creating my clusters and checked them, the seems to be working perfectly. But I cannot ping them from my Mac terminal or even ssh to them. Has anyone have this issue? If yes, how can I rectify this issue? Thanks

running them in fusion or workstation?

Fusion

First guess would be networking. Fusion NAT subnets are randomly generated at install.

Fusion, for some brain dead reason, doesn't let you specify the network settings for the nat network. So you can either create an alternate on a different vmnet if you want something specific, or figure out what subnet the installer picked and make sure to use that range for your lifs. Or you can hack away at the config files if you really want to beat it into submission.

Has anyone had an issue entering an IdP URI for SAML configuration which contains a question mark from the SP console? It just seems to interpret the '?' character as asking for help, with or without quotes around the URI

Admittedly I haven't spent a lot of time searching, but a quick search didn't turn anything up. I'm running ONTAP 9.8P11

Hi there! I am kind of new to working with Storage Arrays or NetApp.
A while ago i bought an old but fully working FAS2220 Array for cheap to play around with. The Storage Array is fully equipped with 2Tb drives and even has the 10Gb option. However, since i don't have a company to note in the form on NetApp.com i can't download ONTAP that easily (i think i need it right?). Now, is there any way i can optain a compatible copy of ONTAP or should i just take the drives and resell it? Thanks in advance!

Hey @lethal cypress this Discord is probably not the right place for asking that sort of question. You need an active support entitlement/contract in order to access the newer versions of ONTAP and licenses. Technically speaking you can connect the Disk Shelves to a server and use it as JBOD but more folks over on Reddit at /r/homelab might be able to help you out there. The controllers themselves though 100% need a license so are somewhat worthless to you without active support entitlement.

From a practical standpoint keeping a FAS running in the home lab will be challenging on a few fronts: first you need the ontap software, and you need the license keys, neither of which are transferable entitlements. So even if you set up a business login and tried to associate the serial you wouldn’t get access to either. And eventually you’ll need spares, which is a whole other set of problems.

Not to mention it's probably going to pull 4-6 amps on 110v in the household homelab, spiking your power bill. #AskMeHowIKnow

#getsolarnotcoal lol

The Tesla 3 draws more power than a FAS2552. just sayin'

And hence my fascination with labbing on NUCs 🙂

An HA pair pulling ~40 watts under some load. OTS on ESX, moved the mediator to the Pi. A bit of a science project, but it does the job.

One of my customers wants us to support mediator/tiebreaker on RPi.. not an unreasonable ask 😮

I tried to get a PVR for a customer and the PM at the time wouldn't even entertain the idea. but that was a couple of PMs ago, so ping me next week, I'll dig out my notes.

I'm gonna try build a NUC ADS lab this year when I have some time

this is a lab size i can get behind.

Maybe we can tell ourselves we’re not allowed to do that until our big PCs are finished.

Haha, I was looking at that today and thinking, really should get that finished. Might see next week if I can fit it in, we have some time off

ADS is waiting on me to rebuild the DL380 in the garage.

So just to be safe

There isn't a way to get access to the OnCommand System Manager software without registering a product right?

System Manager can be accessed natively/locally from the box itself. Once you configure a cluster IP, just put that into a browser with https

well this will sound weird, but I've got the naj-1001 from a public dumpster and the only things with it were the 24 1.2tb drives and the backplates

and i'm really only interested in resetting, formatting, reusing and especially understanding it because i'm very interested in it generally as a student (it powers on and communicates with the router, but it dosen't get a ip)
but learning how to understand it without any guides or software is hard

so do you maybe have any ideas what to do with it?

This looks like a FAS2552S (single controller). Remove the blue cable, that's not needed (ACP for external shelves).

Don’t plug it into your router yet. Get one of these and connect it to your computer.

https://amzn.to/3mMQMb3

Plug the Cat5 Jack into the IOIOI port and the USB into your computer. Then download PuTTY and follow the instructions to connect. I’ve got a video connecting and updating via console here:

https://youtu.be/TeYJE19Iqh4

okay thanks a lot!

Hello! Recently we have an quick outage on our data center due to power loss. Our NetApp storages went down. I notice that our FAS6040 booted automatically. While our FAS8300 must be accessed first via serial or SP then run boot_ontap to proceed with the boot. Is there a way to boot it on the loader prompt automatically? Without accessing and running the command? Thank you

It's set to true by default, so someone has modified that at some point.

at the LOADER prompt, type this:

savenv
boot_ontap

Can that be done on the CLI without rebooting to Loader prompt?

I think you can also set environment variables through systemshell but I wouldn't recommend it.

Alright I will just stick with the takeover then reboot to modify that

Don't forget to do both nodes! 🙂

set d;systemshell * sudo kenv -p "AUTOBOOT"="true"

Be brave 🙂

https://tenor.com/view/the-simpsons-homer-simpson-bush-hide-bye-gif-16150806

for bonus points do it mid-day. /s

pls no

I've got a question about enabling NAE. I successfully set up the onboard key manager and successfully created a volume and converted it to an NVE for testing. After I was satisfied with the results, I tried to enable NAE following this guide: https://docs.netapp.com/us-en/ontap/encryption-at-rest/enable-aggregate-level-encryption-nve-license-task.html
I'm on version 9.7. When I execute the command
storage aggregate modify -aggregate aggr1 -node EXEC01 -encrypt-with-aggr-key true I get "Error: invalid argument "-node""
If I leave out the -node switch and node name I get:
command failed: Failed to modify the aggregate "aggr1" since it contains non-encrypted volumes. Run the "volume show
-encrypt false" command to get the list of non-encrypted volumes. Convert all of them to NVE (NetApp Volume Encryption) volumes and try
again later.
I must be doing something wrong, because that sounds like I need to convert all volumes to NVE and then I can convert to NAE?

Anybody got any ideas? I saw the commands to "Create" the NAE aggregate on the link above, but I felt like since I already had an established appliance and aggregates that wasn't the command for me.

What happens when you do "vol show -encrypt false"?

It shows me every single volume.

(I'd paste it but there are a LOT)

Aggregate Size Available Used% State #Vols Nodes RAID Status

aggr1
27.87TB 10.63TB 62% online 13 EXEC01 raid_dp,
normal

Like that.

I think I pasted that from a different command I was using, sorry. They all look like this when I issue the command you mentioned:
Vserver Volume Aggregate State Type Size Available Used%

EXEC2CIFS1
DEXA aggr1
online RW 400GB 223.9GB 41%

"vol show -encrypt true"?

true says:
There are no entries matching your query.

(I deleted the NVE volume when I was done with it, so it's not weird it isn't showing here)

I found this KB
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Protection_and_Security/MetroCluster/How_to_enable_NAE_aggregate-level_encryption_with_an_SVM_root_volume_or_MDV_CRS_volume
Which is exactly what I'm seeing... but I'm not exactly clear on what the fix is based on the article.

We do not have a MetroCluster, by the way.

Hmm. I think the command is slightly off in the documentation because -node isn't valid.

Yeah... when I took that part out is when I saw the "failed to modify the aggregate" message.

so you had one new NVE volume inside that aggr and then deleted it

and currently you don't have any NVE vols inside the aggr, right?

check the recovery-queue, is it still there?

It says plaintext vols aren't supported in NAE aggrs.

do you have a SVM root volume in that aggr?

I'm thinking you convert each vol to encrypted then you can convert to NAE vols after the aggregate is encrypted.

Ahh... we do have the root volume in there

Actually, I stand corrected.

when I do storage aggregate show:

Aggregate Size Available Used% State #Vols Nodes RAID Status

aggr1
27.87TB 10.62TB 62% online 13 EXEC01 raid_dp,
normal
CLUSTER_01_root
368.4GB 17.85GB 95% online 1 EXEC01 raid_dp,
normal

I think I'm understanding correctly that my SVM root is in a different aggr than the one I'm trying to encrypt.

So, NVE each volume, then run through the NAE process when done?

I don't often do encryption, but I don't think that's really necessary, I think you should be able to go from unencrypted aggr to NAE aggr directly

but not if there are SVM root vols, MDV vols or at least one NVE vol inside

I'll check the recovery queue

check if your previously deleted NVE volume is really gone

yeah

Also, ensure there no offline volumes (such as deleted volume, waiting to be deleted) on the aggregate to be encrypted:
::> vol show -aggregate <aggr_name>

it says in the KB-article

I did find my NVE volume in the queue and purged it. I looked through all 12 volumes that are displayed from vol show -aggregate aggr1 and they all say "online" but I still get the same error when I try to enable the NAE on that aggr.

The process is, encrypt all the volumes and then turn on aggregate encryption and it will switch them to the aggregate key rather than individual volume keys

Ahh

Okie dokie, thank you guys!

You can’t encrypted a non empty aggregate without all the volumes being encrypted first

huh, is that still the case?

Yeah it’s in the encryption power guide

What a great name for a very boring topic 🙂

I have only used this discord channel a few times and everybody in here has been phenomenally helpful.

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A_NetApp_Volume_Encryption_and_NetApp_Aggregate_Encryption

Point 4 in Config section

It’s not really changed much. The only difference in newer versions of ONTAP is that we now enable encryption by default when you enable the onboard key manager. So if you setup a new system and enable OKM during aggregate creation they will default be NAE

If you want to disable that, there’s an option documented here https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_disable_default_encryption_in_ONTAP__9.7

ah nice, thx

I need some help regarding below error:-

Nblade.CifsOperationTimedOut: Detected a timed out CIFS operation. SMB command for this operation: SMB2_COM_CREATE, Number of times this command was suspended: 6, Number of times this command was restarted: 0, Last CSM error during this operation: CSM_OK, Remote blade UUID: dsdsd-dssds-c (node-1), Is QoS enabled: QoS_disabled, Last nBlade error during this operation: 410 (Spinnp op has timed out in WAFL), Client IP address: x.x.x.x, Local IP address: y.y.y.y, Target Vserver ID: 2222, Target disk's DSID: 1111, Target Vserver Name: svm_sdsdsdsdsds

I am not sure the operation is timed on the wafl or from the client IP and why it is failed ?

You need to look at the whole system performance to check. If you have AIQUM do you see any latency?

Thanks Paul for replying. I don't have AIQUM but only cli access and it is difficult to identify when this issue occurs. I checked from qos statistics volume latency that was in microseconds.

Question I am having a brain fart... trying to remember what path to run a ls against using system node run -node * -command ls /blah to get a SVM volume list

though it was /clus

systemshell, not run. also the first output is svms. /clus/svm will get volumes
system node systemshell -node * -command "ls /clus"

How much is scala a necessity in netapp programming/engineering?

For a job?

yea

lets say cloud engineering or data science

What is difference between the volume throughput and workload throughput ? In my performance archives both have different read/write values at the same time

Are you using QOS policies by any chance?

yeah we are using QOS policies

we have only one volume per policy.

It would depend on the product/team you would apply for/work for. The job descriptions/adverts are generally pretty accurate on what skill set we would be asking for. It is worth taking a look through them.

Workload level is the nblade. If you have indirect i/o it will only count the node level i/o for that volume to that node.

Hi guys, quick question: it seems that the checksums listed on the download page for the shelf fw do not match those of the file. Is this a problem on my end? Can someone check this?

Let me check on that

I got what you got. My MD5 doesn't match either. I'll get this run through the support site team and will update you.

Thanks Drew!

@celest creek - The mismatch has been resolved. The checksums on the site have been updated and now match the ones you and I produced.

Thanks for letting us know! 🙂

Thank you so much! @brazen jetty !

Thanks Marcel!

Hey guys, have few question!

A customer considering introducing Object Storage, and they are curious about the below things.

They are currently using IBM NAS storage, and IBM has suggested that there is a solution that allows x86 servers to be used as object storage through Software!

Anyway the customer seems to be worried about the price issue, but they want to know if NetApp has such software! Can we install and use Solidfire OS on the x86 server? (like ONTAP Select)

Hi @sturdy orbit - for Object Storage we would steer people towards StorageGRID. StorageGRID can be installed on systems using RHEL or Centos - we have how-to information available at https://docs.netapp.com/us-en/storagegrid-116/rhel/index.html

Many thanks! i will read document kk

StorageGRID supports S3 operations - SolidFire is more software defined block storage via iSCSI. We have sold solidfire for whitebox in the past, but I don't think it's currently available

If you'd like to get in touch with some of our StorageGRID specialists, please drop me an email - alex.dawson@netapp.com and I'll reach out to them for you

Ohhh I got it! Thank you Alex.

no problem! feel free to ask any questions in here too about storagegrid

will do!

“X86 servers running object storage through software”. This is Rubrik and Cohesity’s M.O. as well. And it’s not as good as one would hope. Slapping some software on a Supermicro box and calling it Enterprise is tricky.

Tricky is one way of putting it.

Hey guys

Could someone tell me the process to rebalance the vvol used NFS, I used the command "container rebalance -container_name=VOLUME_VVOL" but it says that it is not supported by NFS datastore.

Hi @eternal dome we have an intenral KB article that speaks to this scenario so you may want to contact support to get some help on this.

Hi Ross,
Thanks for replying, I'll open a ticket for that case,

Can i snapmirror from an 8080 to an 8040? assuming they've got the same version of ontap

The destination has to be the same or greater version of ONTAP, but assuming they’re the same version, yes absolutely.

@modern summit here's the full supportability matrix - https://docs.netapp.com/us-en/ontap/data-protection/compatible-ontap-versions-snapmirror-concept.html#snapmirror-dr-relationships

has anyone who is running S3 in ONTAP worked out how the split the flexgroup over 2 aggregates and is there a NetApp document which steps out how to do this ?

hi there! Flexgroup constituent volumes can be moved per the instructions at https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/"Operation_not_supported"_error_when_tried_to_move_FlexGroup_to_new_Aggregate

thanks @weak spoke just digging a bit deeper and it appears its already split over 2, 350TB aggrs which are only 50 and 60% used.. back to the move some old regular volumes off different aggrs and pay more attention reading the full aggrs

hey all, I am trying to update my SSL certificates to our new wildcard cert on an AFF-250. I have the certificates added to the config, however the netapp is still using the original self signed certificate. Do I just delete the existing certificate and replace it with the server/client certificates that i have uploaded or how do I go about telling the netapp to use a different certificate other than the one it is currently using? Will deleting the current self signed certificate have any impact my netapp being able to host/serve data (I am running NFS and iSCSI on this array).

Are you referring to updating the SSL cert for the cluster management LIF ?

NetApp have a pretty good KB here

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_and_configure_SSL_Certificates

The whole SSL certs in ONTAP needs to be simplified and NetApp need to add a simple update/renew/regenerate from System Manager

ok glad its not just me! yes the management LIF

ill check it out thanks for the info

so i already have followed that exact article, it does not mention how to replace an existing certificate. I have already gone though that entire process, and the certs show up if i run security certificate show-user-installed, the current ssl certificate is showing up as well as the one i just added, however if i delete my current certificate i do not see any way to go and tell ONTAP to select the certificate that I just added as the main one to use

unless i am just missing something, which is likley

certificates can be renewed in system manager starting with ontap 9.10.1

@undone belfry i see where that is, I am running ONTAP 9.11.1RC1

however the certificate that ONTAP is using for the SSL of the management LIF is not showing up in the certificate management part of the GUI

not sure why

so i wouldn't expect it to show as the management lif. it should show as the cluster certificate.
if you're going through the gui and want to go from a self signed cert to a ca signed cert, you'd basically be installing a new cert.

Awesome.. good to know when we eventually upgrade to 9.10.1

Under Cluster > Settings > Certificates > Client/Server Certificates

for some reason the list of certificates is not matching up with what I am seeing in the console

i beleive when going from self signed to ca signed, i needed to switch the certificate used on the cli using the ssl modify command

after that, renewal could be completely in the gui

so here is my situation, this netapp was setup years before I ever joined my current employer. The cert expired in 2018 if that gives you any idea. We recently got a new wildcard certificate for our domain and I was asked to make sure all of the assets my group is responsible for are updated with this new wildcard ssl. All the other stuff is already done, it's just these netapps that are stuck using a self signed cert from 2018

do you happen to know what the command to switch the certificate is? I am pretty sure thats what i am looking for

right. i think that one bit can't be done from the gui. but it's been about a month since i last tried it.
'ssl modify' is what you're looking for. one of those kbs had it as a step for the cli process, i'm looking for it

ahh, thats probabally why i was not finding anything i was assuming it was going to be security certificate command

security ssl modify -server-enabled true -vserver <svm name> -ca <auth> -serial <serial>

we've been updating those kbs and it wasn't where i remembered 🙂

next time you renew though, you should be able to go through system manager from start to finish. the only hiccup i remember was going from self signed to ca signed

so quick question for the -ca <auth> option, when I am looking at the context sensitve help on my netapp, the -ca options shows -ca <text (size 1..256)> ]

do I literally type the name of the CA where the cert is from?

it's one of the fields in the certificate.
try:
security certificate show -fields vserver,common-name,serial,ca,type,expiration -type server

Ah I see that. Ok, let me give it a try

yes, it should be your root ca, but there are several ways i've seen it done, so it's just easier to look to make sure of the exact name

by the way, these commands are in this kb if you need to find it again for any reason
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_a_Self-Signed_SSL_certificate_in_ONTAP_9.10.0_and_earlier

hi i have a question i have the fas2550 but i don't have a netapp system setup to install and activate my storage

7mode setup correct? I don't think it's required.

do you have the license keys though?

yes i have it only i can't see the ip of
and it is done on 7mode setup

I think that download is so old it's been pulled from the site.
You can try a manual install/configure of the system. If it's still under support, you can see about requesting CDOT keys and convert it to that.

here's the 8.2 7mode setup guide - https://library.netapp.com/ecm/ecm_download_file/ECMP1155590

I see ONTAP 9.11.1 now has iSCSI LIF failover.. Does this mean if you setup IFgrps you only now need to add one connection to you ISCSI guest, Normally i add as many connections as there is nodes in the cluster..

hi I have checked everything and I still can't see the ip because it still needs to be preinstalled with the system setup of NetApp then I can see it

are you able to connect via serial cable?

Just to be clear iSCSI like FC LIF failover is an ASA only feature. I personally have only ever dealt with FCP but I consider the concepts when it comes to SAN architecture the same. Normally I always had 2 x N ( N being the number of controllers / nodes on the storage system ) in terms of LIF connections to the host. So assuming a single HA pair I would have a total of 4 LIFs ( iSCSI or FCP, doesn't matter ) with each node being cabled to each network for redundancy. iSCSI like FCP LIF failover is to help minimize path downtime to reduce the impact to the host MPIO. It is not a replacement to providing redundant paths to your storage array.
https://docs.netapp.com/us-en/ontap/san-admin/asa-iscsi-lif-fo-task.html#about-enabling-iscsi-lif-failover

yes it works the com port and i can also read what should i do now to install everything