#┊・ontap-api

looks like this doc explains how to set it up webhook form ONTAP 9.10 https://docs.netapp.com/us-en/ontap/pdfs/sidebar/EMS_configuration.pdf

Is it possible to use the api via curl command with private/public key pair authentication?

it does not appear to be possible. allowed auth types for ontapi are password, domain, nsswitch, cert, and saml. the ones most used are password, domain and saml.

::> security login create -username octeam -application ontapi -authentication-method
password domain nsswitch cert saml

Your can use a SSL certificate with HTTPS. I don't know about curl, but that will work with our Ansible module na_ontap_restit (and na_ontap_zapit).

You can see if this helps https://github.com/NetApp/harvest/blob/main/docs/AuthAndPermissions.md

Hey, anyone know if there is a volume attribute or way to filter out MetroCluster metadata volumes that are returned by the /private/cli/volumes endpoint when using advanced privilege? I see they start with "MDV_CRS_" so could use naming convention but want to see if there is a better way.

Does anyone know if there a pre-cluster API that returns the intracluster LIFs automatically created?
The /cluster/nodes API does not return the IPs necessary for the cluster creation API.
https://library.netapp.com/ecmdocs/ECMLP2874708/html/index.html#/cluster/nodes_get
Console from lab:

cluster1-01::> network interface show -role cluster
    cluster      cluster-mgmt 
cluster1-01::> network interface show -role cluster
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
Cluster
            clus1        up/up    169.254.241.186/16 cluster1-01   e0a     true
            clus2        up/up    169.254.247.23/16  cluster1-01   e0b     true
            clus3        up/up    169.254.86.128/16  cluster1-01   e0c     true
            clus4        up/up    169.254.180.242/16 cluster1-01   e0d     true
4 entries were displayed.

cluster1-01::>

API:

https://cluster1-01/api/cluster/nodes?return_records=true&return_timeout=15
{
  "records": [
    {
      "uuid": "8eb0365d-173f-11ed-954d-00a0985cb457",
      "name": "cluster1-02"
    },
    {
      "uuid": "9a968ea4-173f-11ed-a196-00a0985d172e",
      "name": "cluster1-01"
    }
  ],
  "num_records": 2
}

I was able to pull this from the OCSM API slide-out:
https://cluster1-01/api/cluster/nodes?fields=name%2Cmodel%2Cstate%2Cha%2Cversion%2Cserial_number%2Cmembership%2Ccluster_interfaces%2Cmanagement_interfaces%2Cmetrocluster&membership=available

{
  "records": [
    {
      "uuid": "8eb0365d-173f-11ed-954d-00a0985cb457",
      "name": "cluster1-02",
      "serial_number": "701427000490",
      "model": "FAS8040",
      "version": {
        "full": "9.8P10",
        "generation": 9,
        "major": 8,
        "minor": 0
      },
      "state": "up",
      "membership": "available",
      "cluster_interfaces": [
        {
          "ip": {
            "address": "169.254.102.148"    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
          }
        }
      ],
      "ha": {
        "partners": [
          {
            "uuid": "9a968ea4-173f-11ed-a196-00a0985d172e",
            "name": "cluster1-01"
          }
        ]
      },
      "_links": {
        "self": {
          "href": "/api/cluster/nodes/8eb0365d-173f-11ed-954d-00a0985cb457"
        }
      }
    }
[[truncated]]

can you use the ontap-api to create a new cluster?

@dawn apex Yes, the REST API allows you to create a cluster by sending a POST request to the /cluster endpoint. REST Docs for more info here: https://library.netapp.com/ecmdocs/ECMLP2856304/html/index.html#/cluster/cluster_create

Thank you!!!

is there a API to automate the Admin password of the cluster every quarter for example

There is not an API that will cycle your password for you. However, you can change your password by calling PATCH /api/security/accounts/{owner.uuid}/{name} and passing a body like {"password": "new_password"}

I have created a snapmirror relationship of policy type - vault
and when I try to retrieve the same via api there are no records, as api can only return "sync" or "async" policy type. In short, how do i get snapvault relationships via api?

As you noted, only "sync", "async", or "continuous" is supported by the API for policy types on a snapmirror relationship. However, I did find this recent bug report which is related: https://mysupport.netapp.com/site/bugs-online/product/ONTAP/BURT/1406963.

Until you are running a version of ONTAP that has support for other types, you can use the CLI passthrough to list snapmirror relationships as well. The request for that would look like GET https://<mgmt_ip>/api/private/cli/snapmirror?policy_type=vault (if you wanted to limit it to only returning vault types.

Oh, okay. I will have a look into it. Thank you so much!

Ontap API experts, we have a community forum post relating to the ONTAP REST API , wanted to see if anyone could spend a few minutes to help out a customer with their query - https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/Powershell-ONTAP-update-reboot-of-node-fails-the-script/td-p/437443

@inland otter I will take a look today

Can someone tell @ which ontap version zapi falls out of ontap?

If I remember right ONTAP 9.12.1 will be the last one and 9.13.1 has only REST

here is the CPC about the zapi deprecation:
https://mysupport.netapp.com/info/communications/ECMLP2880232.html?access=a

I see a large section of perf calls that have no equivalent in the ONTAPI to REST API map: https://library.netapp.com/ecm/ecm_download_file/ECMLP2879870 page 255. What is the new method to gather this data?

does this help? https://docs.netapp.com/us-en/ontap-automation/migrate/performance-counters.html#accessing-performance-counters-using-the-ontap-rest-api

for the category section I am looking at the perf-object APIs

What is the last OS that has XML for ONTAPI?

Powershell - ONTAP update - reboot of no...

I need somebody please help me to explain a mechanism about using tools outside ONTAP to set up SnapShots, possibly WFA/Powershell. I didn't mean I prefer or am interested in such tools, but this is an existing tool set up long time ago by a consultant, and I would like to know how it works. Here is what I konw of, somehow it used WFA to call Powershell to setup SnapShots. ONTAP cann't see any configurations, only can be seen on the WFA server. The consultant said, the mechanism doesn't need WFA, but need it to run Powershell, and doesn't need to use ONTAP snapshot policy. Can you please help me what this mechanism is, how it works? As ZAPI and then WFA is going away, can such mechanism continue to work without using WFA (ex, only use Powershell, as he said no need to sue WFA)?

Hey David, so we have PowerShell cmdlets that let you do all sorts of different activities using the ONTAP REST API (which is replacing the ZAPI). The Powershell cmdlets do include capability to manage snapshots and snapshot policies.

Here is a link to our latest PowerShell Toolkit release - https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/NetApp-PowerShell-Toolkit-9-11-1-2208-released/td-p/437915

@inland otter Thanks for the infor. NetApp PowerShell Toolkit essentially uses ONTAP SnapShot Policy to manage SnapShots. After a SnapShot policy and a volume were created by PowerShell, and then If I wanted to know what SnapShot policy is associated with the volume, I can use command "vol show -volume vol_x -field snapshot_policy" to display. However, the mechanism that I described here is not related to ONTAP SnapShot policy. In our case here, if I run the same command, I got "none" on SnapShot Policy. Without SnapShot Policy how SnapShots and retentions have been created and cycled? That is the part I don't understand. I was told WFA and PowerShell has been used. But, I don't understand how it works without using ONTAP SnapShot Policy? I would imagine there is WFA DB to maintain configuration data similar to SnapShot Policy?

rosscntap7671 Thanks for the infor

I am looking for further information regarding ontap_api for volumes:
For online volumes it allows you to return the integer for space available. For offline volumes that option is not available at all, is there a way to return a 0 interger for space available on offline volumes.
The other question is, for mixed or error state volumes is the option for space available there?

For the first question, no, when a field is unset the API does not return any sort of default values for it. Instead it will just omit the field. This can't be changed from the server side, but you can write your code to assume if the space.available field isn't present to use 0 if that helps your application logic.

For the second question, I don't have a good way to test, but I would guess the answer is no. If the volume cannot be queried because it's in some error state, then just like when it's offline that data won't be read and will not be returned.

That was my assumptions as well. Thank you.

where can I get dataontp powershell cmd

https://www.powershellgallery.com/packages/NetApp.ONTAP/9.11.1.2208

I am not able to run that on linux because pssnapin issue. Isn't there any support for Linux?

Import-Module: Could not load type 'System.Management.Automation.PSSnapIn' from assembly 'System.Management.Automation, Version=7.2.1.500, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

Let me look into that, it should work as the recent versions all support PowerShell Core.

would be extremely helpful otherwise I have to rewrite everything using python

thank you - I was actually able to import the module, just not this module https://www.powershellgallery.com/packages/DataONTAP/9.8.0
I was wondering if they both are same.

However that also throws error
Connect-NaController: Unable to load shared library 'kernel32.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libkernel32.dll: cannot open shared object file: No such file or directory

They are similar modules in that they contain many of the same commandlets and are both meant for automating ONTAP. However, verison 9.8.0 of the DataONTAP module was the last version to not support PowerShell Core. The newer module, NetApp.ONTAP was first released with version 9.9.1 and support for PowerShell Core. The newest release of NetApp.ONTAP (9.11.1.2208) also supports REST when the version of ONTAP that it is communicating with does (and automatically falls back to ONTAPI when it doesn't).

Is this the place to ask questions related to the restapi?

I'm trying to walk through a volume and pull the file system analytics data. (https://{}/api/storage/volumes/{}/files/{}??type=directory&fields=*&order_by=name".format(cluster, vol_uuid, path)
I started with the examples files and I can pull the top two levels of files and directories but I am stuck moving any further down. I believe my issue us related to not knowing how the path is delineated for sub directories. If I use a '/' I receive [{'error': {'message': 'API not found', 'code': '3'}}]

I have some very large CIFS shares with old data. My end goal is to build a csv file with all files and dirs along with the m/c/a times so old files can be manually archived or removed.

Any assistance in moving beyond this sticking point would be appreciated.

I believe I just figured it out. I have to use %2F

It seems a bit off that the path has to be submitted with '%2F' but when requested it returns a '/' so if you want to pull the path and spit it back into the next request you have to do a string.replace()

Use HtmlDecode(string) and HtmlEncode(string)

You're correct that you will need to encode the path to have it interpreted correctly. %2F is the HTML encoding for / which is why that worked. I do recommend that you use whatever encoding function your language/library provides for you as there can be other special characters that also need encoded.

If you are using Python (guessing from the syntax above), you can make use of the netapp-ontap library which helps to handle a lot of those sorts of tasks for you. You can find it at https://pypi.org/project/netapp-ontap

Thank you very much.

How can we confirm our NodeJS libraries with AWS SDK is compliant to NetApp S3 Restful APIs, we wanted to confirm if we are using the right the libraries. Reviewing the documentation we are using support functions from NetApp, the “Put-Object”. We are having issues within application making the correct calls to NetApp ONTAP storage to S3. We have stood up a container pod with tools like AWS CLI, and able to move files in NetApp Storage, but still unsuccessful from our application to upload documents. We receive following error, “The s3 command not implemented”. From our application, we can connect, as we can list all the documents in S3, but not able upload/delete documents.

Is there an ansible collection to configure esxi shelf before configuring ontap

Hi Expert, is there any API that can current list of NFS connected clients?
The same command is as follow:
nfs connected-clients show

Pop over to #╭・ansible🔒 and drop this in there. Might get a quicker response

I just dug through the REST swagger and couldn’t find anything. Let’s ping @pastel bough and see if he knows. There’s definitely some stuff under ‘/protocols/nfs/services’ but I didn’t see that specifically.

Thanks Nick! I dug through the SWAGGER UI and cannot find the same thing!

this can be used as an alternative , see if this helps

https://192.168.0.101/api/private/cli/nfs/connected-clients

{
"records": [
{
"node": "cluster1-02",
"vserver": "svm1",
"data_lif_ip": "192.168.0.132",
"client_ip": "192.168.0.61",
"volume": "nfs",
"protocol": "nfs4.1"
},
{
"node": "cluster1-02",
"vserver": "svm1",
"data_lif_ip": "192.168.0.132",
"client_ip": "192.168.0.61",
"volume": "svm1_root",
"protocol": "nfs3"
},
{
"node": "cluster1-02",
"vserver": "svm1",
"data_lif_ip": "192.168.0.132",
"client_ip": "192.168.0.61",
"volume": "svm1_root",
"protocol": "nfs4.1"
}
],
"num_records": 3
}

Thanks @dry niche

This helps! Is there any document that can help me find this API URL?

https://netapp.io/2020/11/09/private-cli-passthrough-ontap-rest-api/

Hi @turbid nova, Harvest added that feature a couple of days ago https://github.com/NetApp/harvest/pull/1297 available in nightly

Hi all, I am trying to execute a diag level command via private cli->

vserver config override -command "net int create -vserver test -lif test1 -service-policy default-data-files -address 192.168.0.191 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0d" .

Is it even supported? If so maybe the way I am invoking it is incorrect, can anyone provide some guidance?

[root@awx ~]# curl --location --request POST 'https://192.168.0.10/api/private/cli/vserver/config/override' --header 'Authorization: Basic YWRtaWxxxxxx' --header 'Content-Type: application/json' --data-raw '{
"command": "net int create -vserver test -lif test1 -service-policy default-data-files -address 192.168.0.191 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0d"
}' -k
{
"error": {
"message": ""vserver config override" is not a recognized command.",
"code": "5636122"
}
}[root@awx ~]#

You can add ?privilege_level=diagnostic at the end of the path to access diagnostic commands just like you might type set diagnostic in the CLI

Anyone experienced (or know how to troubleshoot) that the domain part of the login is dropped for RestAPI calls to ONTAP?
I embed the credentials in the call header and have verified that it is including the domain part like DOMAIN\user but I get "User is not authorized" which I believe is because the DOMAIN part is omitted as seen in the Audit log. It works for other accounts with the same script.

Also, it worked with the same script and account like two weeks ago and I don't think I've changed more than the password.

Do you have a full log of the REST commands? netapp_ontap.utils has a couple of parameters to add logging. You can set the following:
‘netapp_ontap.utils.DEBUG = 1’
‘netapp_ontap.utils.LOG_ALL_API_CALLS = 1’

Sorry, not using the Client library just "Invoke-RestMethod" in Powershell

No worries, I haven’t used that command myself. Let me do a bit of digging and get back to you

Much appreciated, pulling my hair here.

Hi Everyone, I have a basic question as I have not done this before. I'm looking to prototype collecting performance metrics. most of these provide values that need to be calculated after the response. Are there any examples for this beyond swagger?

Hi @rough nacelle that's what https://github.com/NetApp/harvest does via ZAPI and REST. Might be worth taking a look at for ideas or as something to use to collect ONTAP performance metrics (I work on Harvest)

That may be part of the future conversation but that is not the goal right now since it would be installing new SW with an associated integration effort. The desire is to get the counters and intgrate them directly into an application dashboard without middleware

Can you show me the auth header you are using?

Sure, it's pretty standard:

$encodedCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($credPair))
$header = @{ Authorization = "Basic $encodedCredentials" }```

I just solved my issue; turns out ONTAP accepts "¤" as a password character seemingly everywhere but API calls.
So after I switched out that character the API calls work fine again. Thank you for the effort though, @karmic furnace

No problem, happy your problem is solved

Is there an ontap api python client library and curl command equivalent of 'volume snapshot restore-file'?

A PATCH /api/storage/volumes/{uuid} endpoint has query parameters that can be used for that called restore_to.path and restore_to.restore_path. For the Python library, that would be using the Volume resource's patch() method.

Ty!

is this the place to ask about REST api ?

hi @signal slate it sure is

in this doc it shows that the router-id has no REST equivelent, is that something that will be added soon? working with BGP we will need that as an option. https://library.netapp.com/ecm/ecm_download_file/ECMLP2879870

I did a quick search for internal issues that were open or filed, but I didn't see any current requests or plans regarding that API/field. At the top of the document that you linked, there is a link that says "we want to hear from you". Going to that page will give you a form to ask for the field to be implemented and your usecase for it and that request gets forwarded to the team that owns the endpoint.

If this is an issue that is currently blocking you, you can use the CLI passthrough and get/set the field that way. The request might look something like curl -ku admin:password -X POST -d '{"node": "node1", "asn": 1234, "router_id": 5.6.7.8}' https://1.2.3.4/api/private/cli/network/bgp/config

More information about how to use REST to execute CLI commands can be found in the REST docs in the section "Using the private CLI passthrough with the ONTAP REST API": https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html

If you use Python, you can also use the netapp_ontap library to send CLI passthrough commands and you can find some examples in https://library.netapp.com/ecmdocs/ECMLP2882316/html/resources/cli.html

thanks for the reply @pastel bough do you know if there is a way to track requests made to that "we want to hear from you" link? As i have made a couple of those already and have no way of knowing if they are being addressed or when they may be implemented, or if they are deemed not relevant. I will submit a request for this issue as well. Thanks again

I'm not sure about tracking the status of a request. I'll bring that up internally. I agree that would be useful, but I'm not sure they designed the process with that sort of two way tracking in mind. At the moment, the best way I could suggest would be to file the request and then create a ticket with support asking about its status and let them be the mediator. Not a great solution and introduces some communication delays, but that's what I know for now. I'll ask around and see if we can do better.

Hello, how through REST, could we add or modify allowed-addresses inside a service-policy. It looks like it's not yet possible or i miss something?

Hello how through REST could we add or

If you need a hand I am happy to help. Shoot me a teams or email with more detail about what your are trying to do and I will try to get you started - assuming we can find the metrics etc.

Hello guys,
I’ve been using a python script to create volumes with snaplock (at destination) + snap vault initialization.

It doesn’t work anymore and the issue seems to have started since we upgraded in 9.10.1 because from that version snaplock can be set at volume level with non-snaplock aggregates.
By default volumes are non-snaplock at the creation.
But the Python module does’nt allow to post snaplock options on non-snaplock volumes and cannot patch snaplock option on existing volume neither.

Any thought ?

Are you using the netapp_ontap Python module? If so, it would be useful to enable logging and provide an example of the request and response that it is sending that used to work and doesn't now.

Hello,

I'am updating some Ansible playbooks from ZAPI to REST.

Using na_ontap_rest_info module, I can't get the snapshot size.

This used to be exposed by the ZAPI as the total field using na_ontap_info

With na_ontap_rest_info which uses the REST API, it is no more visible.

Some other fields are no more reporrted for snapshots

How can I get this information through the API.

?

My playbook is :

• name: Get NetApp info1
  netapp.ontap.na_ontap_rest_info:
  <<: login
  use_rest: Always
  fields:
  - ''
  - 'size'
  - 'volume'
  - 'create_time'
  - 'expiry_time'
  # - 'access_time' # Fails
  # - 'access-time' # Fails
  - 'state'
  - 'snaplock_expiry_time'
  #- 'busy' # Fails
  #- 'total' # Fails
  gather_subset:
  - storage/volumes/snapshots
  owning_resource:
  volume_name: "{{ item }}"
  svm_name: "vs_{{ target }}"

With ZAPI, I could collect fields named access-time, busy, total.

I also noticed that the size field reported by the REST API is matching the afs_used in the ZAPI output using na_ontap_info.

The afs_used (with ZAPI) is named size (with REST).

Looking closely at the meaning, it seems better to expose total than afs_used|size

This also means that the snapshot reserve is useless if we cant find the snapshot total size.

What do you make of this ?

I also tried with restit to access directly some fields without any success.

I also wonder if the API can be queried directly to get the list of exported fields of the API.

Under the volume endpoint (/api/storage/volumes), each volume has a space.snapshot object that contains some of the information you might be looking for.

You can also use the CLI passthrough (/api/private/cli/snapshot) if you need access to fields that are not exposed in REST but are part of the CLI.

If there are improvements that need to be made to cover gaps in functionality between ONTAPI and REST, you can submit a ticket using the link at the top of the ONTAPI to REST mapping document which is at https://library.netapp.com/ecm/ecm_download_file/ECMLP2882104

Thx Robert.

I've just filled the form linked with "We want to hear from you"

https://forms.office.com/Pages/ResponsePage.aspx?id=oBEJS5uSFUeUS8A3RRZbOtlEKM3rNwBHjLH8dubcgOVURVM2UzIzTkQzSzdTU0pQRVFFRENZWlAxNi4u

My request to have the fields exposed is submitted.

I could use the CLI but I'am currently using Ansible.

Getting information and parsing the CLI output seems challeging unless a JSON output could be requested.

The CLI passthrough output is JSON so parsing it shouldn't be any more of a challenge than any other endpoint. I'm not sure how our Ansible modules handle the CLI passthrough, but #ansible should know.

Ok, thx

NetApp ONTAP S3 Rest APIs

What do you mean exactly with CLI ?

I have playbooks as the below one:

• name: Online SVM
  na_ontap_command:
  hostname: "{{ nas_hostname }}"
  username: "{{ nas_username }}"
  password: "{{ nas_password }}"
  command: ['vserver', 'start', '-vserver', 'vs_{{ target }}']
  return_dict: true
  https: true
  validate_certs: false

It uses na_ontap_command which calls the CLI as a Netapp administrator does.

But I get the following message:

TASK [ds-role-nas_CRUD : Online SVM] ********************************************************************************************************************************************************************************************************
[WARNING]: The module only supports ZAPI and is deprecated, and will no longer work with newer versions of ONTAP when ONTAPI is deprecated in CY22-Q4
[WARNING]: netapp.ontap.na_ontap_rest_cli should be used instead.
changed: [localhost]

So it suggests that the na_ontap_command will be unusable in the coming months

I am suggesting to use whatever command uses the REST CLI passthrough endpoints. Those would be the paths under /api/private/cli/... which the REST docs describe in the section titled "Using the private CLI passthrough with the ONTAP REST API": https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.hml

Based on the message, that sounds like netapp.ontap.na_ontap_rest_cli to me, but I don't use Ansible and can't give much advice.

Thx Robert.

I'am testing with netapp.ontap.na_ontap_rest_cli instead of na_ontap_command

• name: Online SVM
  netapp.ontap.na_ontap_rest_cli:
  hostname: "{{ nas_hostname }}"
  username: "{{ nas_username }}"
  password: "{{ nas_password }}"
  command: ['vserver', 'start', '-vserver', 'vs_{{ target }}']
  verb: 'POST'
  #verb: 'PATCH'
  https: true
  validate_certs: false

TASK [ds-role-nas_CRUD : Online SVM] ********************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error: {'message': 'API not found', 'code': '3'}"}

So I used netapp.ontap.na_ontap_rest_cli.

There is no more deprecated warning

But the ''API not found' message pops up

I can't help debug usage of the Ansible modules, but the folks in the #ansible can. If there's a way to have it log the HTTP request/response, that would be more useful to me.

Yes, sure

I've just raised the question in the #ansible room

Thx

Hello Team, i need to perform a snapmirror initialize with option -source-snapshot, does this require the use of REST CLI passthrough?

No, that is supported without the passthrough. You would make a POST request to the /api/snapmirror/relationships/{relationship.uuid}/transfers endpoint as shown in the documentation examples here: https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.hml#/snapmirror/snapmirror_relationship_transfer_create

For the record:

1. command: ['vserver', 'start', '-vserver', 'vs{{ target }}'] , this should be command: 'vserver/start'
2. API calls can be traced, following https://github.com/ansible-collections/netapp.ontap/wiki/Debugging#tracing-zapi-and-rest-api-calls

I've been tasked with uninstalling "netapp_lib" from a host.
Sounds easy but when running "python3 -m pip uninstall netapp-lib" it says it needs to remove "/usr/local/LICENSE.txt" which is an Apache license file.
Is this intended?

I ve been tasked with uninstalling

How many concurrent snapshots can be created per volume?

I do not see any reason why the REST API would impose additional restrictions on the number of snapshots you could create on a volume.

This KB says that ONTAP will support up to 1023 snapshots on a volume at a time (9.4 and up): https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Maximum_number_of_snapshots_supported_by_ONTAP

But how many can be created at the same time (different users snapshotting the same volume)?

The exact answer is pretty complex because ONTAP will run requests in parallel when it can or queue them up for a period of time if it is already too busy. I wouldn't try to limit the calls from the client side based on any hard-coded number.

Thank you!

Is there a limit on the amount of concurrent REST api calls?

I need to use APIs to extend snaplock-expiry-time on a series of snapshots. Any thoughts ?

looks like snaplock-expiry-time is read only in REST for some reason, so I was trying to hack my way through /private/cli

Woot !! Doc is actually useful 🙂 as modify-snaplock-expiry-time isn't a standard verb, POST must be used.

Hi team, one of our customer wants aggregates logical used space. This is not available via any REST API calls. In CLI we can get this information via set adv, and aggregate show-efficiency command.

storage aggregate show-efficiency -fields total-logical-used, total-physical-used

When I try show-efficiency with private CLI it says API not found. How to execute above command via private CLI?

this works for me

https://192.168.0.101/api/private/cli/aggr/show-efficiency?fields=total-logical-used,total-physical-used

{
"records": [
{
"aggregate": "cluster1_01_SSD_1",
"total_logical_used": 890575491072,
"total_physical_used": 81528520704
},
{
"aggregate": "cluster1_02_SSD_1",
"total_logical_used": 892675547136,
"total_physical_used": 81444265984
}
],
"num_records": 2
}

what is the ontap version? I'm using 9.9.1 still getting API not found error

9.10

Hello,

I need to convert the following command to REST CLI Ansible:

['vserver', 'cifs', 'domain', 'preferred-dc', 'add', '-vserver', 'vs_{{ target }}', '-domain', '{{ nas_ad_domain }}', '-preferred-dc', "{{ nas_infra_servers[site].dc | join(',') }}"]

I tried different playbooks, but could find the right command to use with REST CLI.

The playbook is

• name: "Set preferred DC for AD domain"
  netapp.ontap.na_ontap_rest_cli:
  hostname: "{{ nas_hostname }}"
  username: "{{ nas_username }}"
  password: "{{ nas_password }}"
  https: true
  validate_certs: false
  command: '/protocols/cifs/domains/{{ svm_uuid }}/preferred-domain-controllers'
  verb: 'POST'
  params: { 'vserver': 'vs_{{ target }}', 'domain': '{{ nas_ad_domain }}' }
  body: {'domain': '{{ nas_ad_domain }}', 'server_ip': "{{ nas_infra_servers[site].dc | join(',') }}" }

The response is :

TASK [ds-role-nas_CRUD : Set preferred DC for AD domain] ************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error: {'message': 'API not found', 'code': '3'}"}

The API is not found

I did some similar conversions from CLI to REST CLI, but for this one, I can't find the "command" (An API in fact) to use.

ONTAP 9.11.1P1

Ansible collection: 21.23.0

according to the doc : "For any commands where the last verb is hyphenated and begins with one of these verbs (for example, “show-space” or “delete-all”), you must remove the verb and following hyphen from the path."

So I tried a GET /api/private/cli/storage/aggregate/efficiency No errors, but I just get the aggregate names

That's 9.8 btw

yeah, this command is an actual command and doesn't return any local used data

I'am trying to use the following API to set the prefered domain controller on a SVM with:

• name: "Set preferred DC for AD domain"
  netapp.ontap.na_ontap_restit:
  hostname: "{{ nas_hostname }}"
  username: "{{ nas_username }}"
  password: "{{ nas_password }}"
  https: true
  validate_certs: false
  api: '/protocols/cifs/domains/{{ svm_uuid }}/preferred-domain-controllers'
  method: POST
  body:
  fqdn: "{{ nas_prefered_dc_fqdn }}"
  server_ip: "{{ nas_prefered_dc }}"

But I get the following error :

TASK [ds-role-nas_CRUD : Set preferred DC for AD domain] ************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "error_code": "655366", "error_message": "Invalid domain controller 10.24.128.11", "msg": "Error when calling '/protocols/cifs/domains/d46c0599-4941-11ed-816f-d039ea02f1ae/preferred-domain-controllers': {'target': 'server_ip'}", "response": null, "status_code": 400}

What does mean an 'Invalid domain controller' ?

I suppose the fqdn and the server_ip are those of the Domain Controllers

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Adding_preferred-dc_fails_with_"Error%3A_command_failed%3A_Invalid_domain_controller" did you check those ?

Yann,

Thx for your response

I've been using this command with the following playbook :

• name: "Set preferred DC for AD domain with ZAPI"
  na_ontap_command:
  hostname: "{{ nas_hostname }}"
  username: "{{ nas_username }}"
  password: "{{ nas_password }}"
  https: true
  validate_certs: false
  command: ['vserver', 'cifs', 'domain', 'preferred-dc', 'add', '-vserver', 'vs_{{ target }}', '-domain', '{{ nas_ad_domain }}', '-preferred-dc', "{{ nas_prefered_dc }}"]

But I have to migrate from ZAPI to REST

So, I need to convert above command to REST

And you're positive it works on the system ? Maybe that's not an ansible/rest problem, maybe ONTAP connaot join the domain

Yes, It has worked, using nas_prefered_dc = server1,server2,server3

I've tried using REST CLI buut couldn't figure out the private CLI command

So I've been advised by Ansible Netapp team to use REST IT

I need to set a list of Domain Controllers are preferred.

I'm just wondering if your current setup for some reason prevents this to run, even unsing ONTAP CLI

It works with CLI and na_ontap_command playbooks.

These use the ZAPI

I wonder why we have to provide both IP and FQDN.

It seems we can only set 1 IP with 1 FQDN. In my case, I have a list of Domain Controllers

I don't see fqdn in the doc, but that might be an earlier version

ah sorry

ONTAP 9.11.1P1

Ansible collection 21.23.0

there is a discrepency in the doc, they say "domain" at some place

I think fqdn is your domain name

Trying now with AD domain instead of Domain Controller FQDN.

Yes I think that's your problem

it would match that error

It works

fqdnis an odd way to name it indeed

🙂

\o/

How can set several DC ip ?

Try calling it one more time

Is this what the doc calls "Bulk POST" ?

"In the case of bulk POST requests, the create operation should be performed serially ..."

In the POST for url /protocols/cifs/domains/{svm.uuid}/preferred-domain-controllers

At the "Impotant notes" section

Yes, in doubt I would use that

Ok, I 'am going to try then. Just the time to set the loop

It works 🙂

\o//

Thx a lot 👍

@dry niche, thanks for the info. I was able to test this successfully in 9.10 ONTAP.

@pastel bough, is there any options to retrieve this data for ONTAP versions before 9.10?

https://library.netapp.com/ecmdocs/ECMLP2856304/html/index.html#/storage/disk_collection_get
Is there any parameters that I can use to know whether a storage disk is failed or not.

I set the "state" filter to "broken", is this correct?

@mortal minnow , The domain controllers endpoints were added in 9.10 so prior to that you could use the CLI passthrough

@turbid nova , at that same link, if you click on the Model tab in the Responses section, you can navigate the model to the disk.state field which is a string enum that has 11 possible values. "broken" seems correct to me but there are other states you might be interested in as well.

Rob, My question was regarding aggr show-efficiency via REST CLI. It working in 9.10 but not on 9.9 or previous versions

Oh, my mistake. If there's a bug preventing it from working in the CLI passthrough, then I don't know of another way to retrieve it via REST. But you could file a ticket with support to have it fixed and try to get that targeted to a 9.9 patch.

Got it! Thanks Robert!

Hello,

I'am trying to collect some snapshot fields with restit module:

• name: Get NetApp info
  netapp.ontap.na_ontap_restit:
  <<: *login
  api: '/storage/volumes/30c4ad8b-4a4e-11ed-9676-d039ea02e536/snapshots'
  method: GET
  query:
  fields: expiry_time

The command runs but does not show the expiry_time which is requested

The documentation for GET /storage/volumes/{volume.uuid}/snapshots exposes the expiry_time field

The REST docs say that expiry_time is not required to be set on every snapshot. Are you sure the snapshots you are looking at have one set? If it's not set, ONTAP doesn't return the field.

Thx Robert.

They do not have expiry time

I was expecting a null value

It works once the expiry_time is set.

How can I get following fields:

• access_time
• total
• busy
• cumulative-percentage-of-total-blocks
• cumulative-percentage-of-used-blocks
• percentage-of-total-blocks
• percentage-of-used-blocks
• dependency

?

I've tried with :

• name: Get NetApp info
  netapp.ontap.na_ontap_restit:
  <<: *login
  api: '/storage/volumes/30c4ad8b-4a4e-11ed-9676-d039ea02e536/snapshots'
  method: GET
  query:
  fields: expiry_time,access_time,total,busy

But the fields are not recognized

My purpose is to get the same output as the CLI command.

You might want to look through the ONTAPI to REST mapping document. Some of those fields are implemented in REST but under different names (e.g. total is size) and some are not present (e.g. percentage-of-total-blocks). The mapping document has those name changes as well as a notes column if there is more information about it.

snapshot show

If it says NO REST EQUIVALENT, you'll need to use the CLI passthrough if you're trying to 100% get the same thing as the CLI.

I had a look at it. I may have overlooked some details.

I noticed that total and size seem different

The size seems to match what was previously afs_used.

which is the size required for a restore of the snapshot

It does not match the total value as reported with ZAPI.

For the missing fields, I've tried with the REST CLI:

• name: Get NetApp info HERE
  netapp.ontap.na_ontap_rest_cli:
  <<: *login
  command: 'snapshot'
  verb: 'GET'
  params: {'vserver': 'vs_{{ target }}'}

You could submit that as feedback via the form at the top. It would probably be a good idea if they updated it to put that in the comments. If you want to get the same value as total then, you'll probably have to get it from the passthrough.

I already did it.

I submitted the form :

https://forms.office.com/Pages/ResponsePage.aspx?id=oBEJS5uSFUeUS8A3RRZbOtlEKM3rNwBHjLH8dubcgOVURVM2UzIzTkQzSzdTU0pQRVFFRENZWlAxNi4u

Will I get a feedback ?

I listed the missing field in the form

With the rest_cli above, I've not succeeded to fetch the fields.

May be I should provide some params to specify the fields requested

But the doc states that field: '*' is not supported with rest cli

With the below syntax, it fails:

• name: Get NetApp info HERE
  netapp.ontap.na_ontap_rest_cli:
  <<: *login
  command: 'snapshot'
  verb: 'GET'
  params: {'vserver': 'vs_{{ target }}', 'fields': 'total'}

Yes, you cannot use ?fields=* with the CLI passthrough, you need to explicitly list each field that you need. total doesn't work in the CLI either which is why it won't work in the CLI passthrough. If I run snapshot show -fields total, I get an error back saying that it's an invalid argument. I do see a size field in the CLI though.

Perhaps it's only called total in ONTAPI?

That indeed looks to be the case. I believe in the CLI total is called size-kb. Doing some testing and those seem to line up. So in your playbook you should be able to say 'fields': 'size-kb'

Thx

It works with size-kb

Do you know how to get a feedback about the request I submitted for having more fields reported ?

I logged it last Friday

I don't think there is a good way to see status or feedback of those requests right now. However, I did bring it up and it's being worked on/discussed internally.

It's good to know.

Need to wait then

Thx

Do we support MFA with REST APIs? That is when MFA is enabled on the ONTAP cluster.

You can create accounts that use the applications.second_authentication_method with the /api/security/accounts endpoint, but the documentation there says An optional additional authentication method for MFA. This only works with SSH as the application. It is ignored for all other applications.

Sorry I was not clear. I'm not looking at using REST to enable MFA (I think we added this already). But once MFA is enabled, how can customers use REST APIs?

REST is considered an application (the http application), so the second part of that indicates that it does not support MFA. Only the CLI does (via ssh).

Regarding my snaplock expiry time question here and on #ansible, I did a thing : https://github.com/ybizeul/ontap-extend-snaplock-expiry/

We’re looking into implementing the User Voice platform so that these kinds of requests and feedbacks can be voted on and tracked. It’s mostly used in the consumer and OSS space, so there’s some extra diligence to do for larger enterprise software.

My 2 cents on this is Microsoft do similar and it honestly feels like an empty voice. They funnel all feedback through to User Voice, and respond from time to time, but then you can see some highly voted options go 1Year+ with no update or indication of whether its made it in the feature pipeline.

But, I think it's a good idea so we can give more people a place to give feedback on features etc, that the community can collectively comment and vote on. Be awesome to see it rolled out! 🙂

I’ve seen quite a few of them implemented in ADO from the UV feedback, it really does depend on the product as to how well it works

Hello,

When creating a whole new SVM, using REST (ONTAP 9.11.1 P1 - Ansible collection 21.23.0), I observe the following situation :

• name: REST set NIS servers
  netapp.ontap.na_ontap_rest_cli:
  hostname: "{{ nas_hostname }}"
  username: "{{ nas_username }}"
  password: "{{ nas_password }}"
  https: true
  validate_certs: false
  command: 'vserver/services/name-service/nis-domain'
  verb: 'PATCH'
  params: {'vserver': 'vs_{{ target }}', 'domain': 'mydomain'}
  body: { 'active': True, 'nis-servers': '{{ nis_servers_array }}' }

If the NIS setup is new, the above playbook does nothing

There is no error reported

When I use the 'GET' verb, the NIS configuration (domain and servers) is empty.

I have 4 NIS serverrs to declare.

If I set the NIS domain and one NIS server with the GUI, and then I run the above playbook, the 3 other NIS servers are declared.

So, It seems required to set at least the NIS domain and one NIS server in order to be able to add the 3 other NIS servers using the playbook show above.

Is this expected ? Or what I'am doing wrong ?

That sounds expected. You can't modify something that doesn't exist and the PATCH verb aligns to the CLI modify command.

Indeed, I should use POST

It works 🙂

Thx Robert

But when I replay the play, it fails because it is not idempotent.

Sure thing.

I should test before then

Right, it wouldn't be since you can't create the same thing twice. You would have to check if it exists first and create if it doesn't if that's the behavior you want (or just always send the create and then handle the error).

Yes

Regarding the PATCH verb, may be it should fail when it does not exist already.

I had overlooked the result of the play initially because there was no error reported.

I would have thought it would. Can you provide the HTTP logs showing the request and response when using PATCH?

Yes. How do I collect the log ?

You'll have to consult the documentation for the Ansible modules you are using. I'm assuming there will be some way you can do that pretty easily.

I've found the debug knob

feature_flags:
trace_apis: true

Here is the HTTP log :

2022-10-17 14:58:13,777 DEBUG sending: {'method': 'GET', 'url': 'https://abcnapmgt002sas/api/cluster', 'verify': False, 'params': {'fields': ['version']}, 'timeout': 60, 'json': None, 'headers': {'X-Dot-Client-App': 'netapp.ontap.na_o
ntap_rest_cli/21.23.0'}, 'auth_args': {'auth': ('admin', '')}}
2022-10-17 14:58:13,781 DEBUG Starting new HTTPS connection (1): abcnapmgt002sas:443
2022-10-17 14:58:13,819 DEBUG https://abcnapmgt002sas:443 "GET /api/cluster?fields=version HTTP/1.1" 200 165
2022-10-17 14:58:13,820 DEBUG None: b'{\n "version": {\n "full": "NetApp Release 9.11.1P1: Tue Aug 09 13:13:19 UTC 2022",\n "generation": 9,\n "major": 11,\n "minor": 1\n },\n "_links": {\n "self": {\n "href": "
/api/cluster"\n }\n }\n}'
2022-10-17 14:58:13,821 DEBUG sending: {'method': 'PATCH', 'url': 'https://abcnapmgt002sas/api/private/cli/vserver/services/name-service/nis-domain', 'verify': False, 'params': {'vserver': 'vs_ansitest002sas', 'domain': 'abcdefghij'}, '
timeout': 60, 'json': {'active': True, 'nis-servers': ['10.80.97.117', '10.80.166.37', '10.80.98.136', '10.80.66.0']}, 'headers': {'X-Dot-Client-App': 'netapp.ontap.na_ontap_rest_cli/21.23.0'}, 'auth_args': {'auth': ('admin', '***')}}
2022-10-17 14:58:13,822 DEBUG Starting new HTTPS connection (1): abcnapmgt002sas:443
2022-10-17 14:58:13,860 DEBUG https://abcnapmgt002sas:443 "PATCH /api/private/cli/vserver/services/name-service/nis-domain?vserver=vs_ansitest002sas&domain=dassault HTTP/1.1" 200 22
2022-10-17 14:58:13,861 DEBUG None: b'{\n "num_records": 0\n}'

The point is that It does not really "create" even with a POST. This looks like more a change of configuration on the SVM itself which does exist already.

The PATCH could be routed to the POST entry point

Btw this is your design.

You're trying to call the nis-domain create CLI, is that right? That would be why you'd want to use a POST. Perhaps I'm not understanding which CLI command you were trying to call.

The "num_records": 0 response to PATCH could be considered a "failure" depending on your application's requirements/expectations.

Yes, I'am trying to execute a "nis-domain create"

I would expect something like a 404 against a none existing resource used with a PATCH

num_records looks closer to a content size in return

Or number of records changed

But Ansible semantic may be somehow different

The behavior of the CLI passthrough can be a bit different than the rest of the API because it is a fairly light wrapper around the CLI which knows how to translate to and from JSON.

The num_records: 0 is exactly saying that, the "number of records changed".

Ok

Thx

Robert, do you know if there are any plans for the CLI wrapper to support 'system node run' type commands in the future, or should we just use SSH for these?

There are currently no plans that I know of to add support for system node run or systemshell commands as part of the CLI passthrough. I think SSH will be your best option if you need to execute commands in those shells.

I'm looking for the right automation tools to do the following and it seems there are many to chose from:

• create new NFS exports
• build new SVMs
• update configuration settings on multiple SVMs/filers, including passwords, ssh keys, accounts, ntp servers, quotas, etc

Some of this seems be a good candidate for Ansible but is it the best tool to invest my time into learning? Is cfengine a choice for some settings (since we use it here for Linux configs)? Some of the bits require bits to be run on Linux (eg, exports). No automation from Windows please... Linux only.

Suggestions greatly appreciated!

Hi Team.

I'm looking FlexGroup Snapshot autodelete scripts.
I just checked NetApp Ontap GitHub but I'm new to python so i can't create python script 😂😂😂

Does anyone has Snapshot autodelete scripts ?

** FlexGroup Volume dosen't support snapshot autodelete

Please DM me or tag me.
Regards.

is there the api for getting 'volume file show-inode' path? or any way to obtain this info please?

To find out that kind of information, here's what I do:

1. Run the command security login role show-ontapi -command "volume file show-inode" on the ONTAP CLI
2. Note any ONTAPI that it lists as related
3. Search the ONTAPI to REST mapping document for that ONTAPI and see which REST endpoints are relevant

You can find the mapping document here: https://library.netapp.com/ecm/ecm_download_file/ECMLP2882104

In cases where there is no related REST endpoint, you can use the CLI passthrough to call CLI commands via REST. See the section of the REST docs titled "Using the private CLI passthrough with the ONTAP REST API" in the documentation here: https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html

Excellent info. This is a time saver!!! ☺️

Ansible should be able to handle most of this. And it's not limited to ONTAP, it would handle linux as well.

I want to confirm what i'm seeing on the ansible side is correct the rest side.

• Data SVM -- can make GET call to svm/svms
• admin SVM -- can not make GET call to svm/svms

Is this correct?

Authorization to call various endpoints is based on user/role and not directly on SVM. Can you describe what you mean by "admin SVM"? Are you using the admin user with the admin role (both are created when the cluster first boots) or are you using a user/role combo that you created separately? If so, does that role have access to that endpoint?

By default, the admin user (who has the admin role) can call all endpoints.

Sorry i worded that wrong. User is the same (admin user) in both cases. The resource is owned by admin svm, so we are tyring to get the UUID of the admin svm.
Under the cover there will be a call to
svm/svms to get the uuid of the svm.name the user passed in
and then a call to protocols/vscan/<svm.uuid>/scanner-pools

If the admin_svm in this case ontap97 is passed in we find 0 svms

ontap97::> vserver show
Admin Operational Root
Vserver Type Subtype State State Volume Aggregate

---

ansibleSVM data default running running ansibleSVM aggr0
root
ontap97 admin - - - - -
ontap97-01 node - - - - -
test-svm-peer
data default running running test_svm aggr0
peer_root

So the call to svm/svms with svn.name set to ontap97 return no records.
carchi@carchi-mac-1 test_playbooks (master) $ ansible-playbook test_na_ontap_rest_info_owning_resouce.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'

PLAY [Test owning_resource] ***********************************************************************

TASK [Get vscan] **********************************************************************************
[WARNING]: record: None
[WARNING]: error: None
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error vserver ontap97 not found."}

The /api/svm/svms endpoint only lists data SVMs, so it's not a matter of users, roles, or permissions in this case.

Typically, APIs where the resource can be owned by either a data SVM or the cluster allow the svm property to be omitted when it should be owned by the cluster. The /api/protocols/vscan endpoint doesn't seem to do that based on my reading of the documentation though so I do see why you're looking for it.

I believe in this case you might want to use the CLI passthrough to get the uuid of ontap97 like this: GET /api/private/cli/vserver?vserver=ontap97&fields=uuid or more generically without first knowing the name GET /api/private/cli/vserver?type=admin&fields=uuid

ok that is what @rough lichen was going to look in to for this playbook.

Are we saying that protocols/vscan/<svm.uuid>/scanner-pools requires the UUID of an admin SVM, but REST can't provide it natively?

Not exactly. If the vscan was created with the admin SVM UUID, then the scanner-pools endpoint under it does require it, yes. But if it was created with a data SVM UUID then it doesn't require it.

Additionally, a GET on /api/protocols/vscan is going to return the UUID of whatever each was created with so you can get that info from the endpoint where it was created. What I am saying is that /api/svm/svms does not return non-data SVMs.

Hi, Ihac who uses the powershell toolkit and script with commands like as an example "new-NcExportRule".
I found a lab guide for Powershell with ONTAP REST API and commands like "ONTAP-APICALL -method GET ....".

My question is related to the REST API transition. Once it is done, are there any adjustment needed for the customer scripts to be future ready or can they still run the old "new-NcExportRule" commands in the future as well (with ONTAP versions which are higher then 9.12).

Starting with the 9.11.1.2208 version of the PowerShell Toolkit (released in August of this year), it now supports both ONTAPI and REST as transport mediums. In your example, New-NcExportRule will use ONTAPI if the cluster it is talking to is 9.9.1 or earlier, but will use REST if it is 9.10.1 or greater. Thus, most calls using the library do not need to change as ONTAP moves forward with the REST transition.

Anyone notices a lot of the powershell snapmirrors cmdlets mostly work as is with FXsOntap but most of them do what told but echos warnings like,
New-NcSnapmirror -xxx
New-NcSnapmirror: [404]: entry doesn't exist

Invoke-NcSnapmirrorResync -xxx
Invoke-NcSnapmirrorResync: [404]: entry doesn't exist
Invoke-NcSnapmirrorResync: [404]:Not able to process job response

Remove-NcSnapmirro -xxx
Remove-NcSnapmirror: [404]: entry doesn't exist

They are really working as it does what told but just echos those 404 errors. Make it hard to trap if it really an error or not now.

Can I provide the UUID to the vscan module? Or do I have to create a workaround with the rest cli module?

So, we hit this issue also with the ansible module for SSL certificates. We can work with the module with data SVMs but not with the admin SVM. Have you planned to also provide the UUID for the admin SVM? I don't want to replace certificates on more than 100 clusters + CVOs manually 😉

I think the best advice I have for you is that if an endpoint is not meeting your functional needs, you create a ticket with support asking for what would help you get your work done.

There are no plans to my knowledge to expose the admin SVM via the API.

Hello, everyone. I'm an OpenStack developer and I'm interacting with a customer that is using FC with multiple HA pairs. Customer is having a problem during LUN attachment beacuse of the way NetApp Cinder driver retrieves the WWPNs.

In the Cinder driver, all the WWPNs from the SVM are returned when the ZAPI 'fcp-port-name-get-iter' is called, but we are trying to figure out if there is a way of filtering these WWPNs according to the location of the LUN, that is, we want to know in which HA pair the LUN is located and retrive only the WWPNs from that HA pair.

Does anyone know if this is possible to be done in ONTAP, using ZAPI calls?

@pastel bough A case is already open on this. I vote for it 😉 as it would support our 100% automation strategy

I'm a little late to the game but I came across this KB on how to open an API RFE:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_request_a_feature_for_ONTAP_REST_API
It has a little template to provide the Support Engineer for the RFE.

With the SSL certificate module, if you omit vserver, or keep it as vserver: , we will work at the cluster scope.

Hi all, with the NLF(License file v2), I want to add the license through REST API call using /cluster/licensing/licenses
I saw the document with the post body for 26-character keys example:
{
"keys": [
"AMEPOSOIKLKGEEEEDGNDEKSJDE"
]
}
What will be the body example for NLF?
Should I add the whole json as the body?

something like this in body to add more licenses.
{
"keys": [ "key1", "key2", "key3"]
}

Yes but what is the format for NLF file not the 26-character key

There's an example in the REST docs showing how you would do the same thing with an NLF file (the example is titled "Installing a NLF license" and is located in the DOC /cluster/licensing/licenses section). You will need to copy the contents in place of they 28-character key. So something like

{
  "keys": ["{\statusResp\": {\"snStatus\": \"Active\"..."]
}

I used ... above, but you will need to put the whole contents of the file into a single string, making sure to escape any double quotes or backslashes in the file.

Hello,

Would you have an update about the request I submitted about adding missing fields ?

Hey, Remi. I sent you a DM regarding this request.

HI Laurent, Sorry for the late response, I was out for a week. I will try it. Thank you.

is there a rest api for forwarding all the syslogs?

@astral current , I believe you are looking for the /api/security/audit/destinations API. You can configure ONTAP to forward the auditing information to remote syslog server(s) with that endpoint.

Helo Robert,

What is a DM ? Do you sent it by email ?

Sorry, I mean Direct Message. I sent you a message directly in Discord.

Ah ok, I've seen it and sent you an email

Hi @pastel bough, while creating SVMs via REST API, I see the protocol allowed options is not effective.

I tried creating a SVM with NFS protocol only and I see the allowed protocol still has all the protocols supported by ONTAP.
Get call also show all protocols are allowed.

"nfs": {
"allowed": true,
"enabled": true
},
"cifs": {
"allowed": true,
"enabled": false
},
"iscsi": {
"allowed": true,
"enabled": false
},
"fcp": {
"allowed": true,
"enabled": false
},

Found that we need to explicitly define protocols are not needed to achieve desired results. But since allowed options is supported only from 9.9.1 and above, not sure how to deal this for 9.6 to 9.8 versions.

{
"name": "sdm_svm",
"nfs": {
"allowed": true,
"enabled": true
},
"cifs": {
"allowed": false,
"enabled": false
},
"iscsi": {
"allowed": false,
"enabled": false
},
"fcp": {
"allowed": false,
"enabled": false
}
}

Okay i shall look into that Robert. Thank you so much!

Also, to add on to this, the data services always show only "data-nfs" no matter what services is been passed in the payload

Thats right! Just noticed it!

Did some additional testing now for iscsi, fcp and nfs. Though nfs, iscsi, fcp services are enabled vserver shows only nfs and iscsi data services. Not sure if this a bug. @pastel bough any idea on this?

Same case with both 9.8/9.9.1.

In addition to the fcp field, did you also specify the fc_interfaces field? The documentation lists it as having fc_interfaces.data_protocol which sounds like it might have something to do with what you're highlighting.

Hi everyone, when I list snapshot policies from rest api(/api/storage/snapshot_policies)) via cluster management port, only part of policies or no policies are retuned. but actually I do have some more policies on my cluster and if I list them by SDK I can get them all. do you have any insight?
My cluster is running with Release 9.7P7

only one record is returned but I have 6 on my cluster

Hi @chilly orchid no doubt someone from the team will provide some advice. In the meantime, if you run the following CLI command from the same cluster, does it show the 6 policies? "volume snapshot policy show"

@inland otter yes, CLI showing 6 entries

and what is interesting is if I list policies by /api/private/cli/snapshot/policy I can get all

@chilly orchid Not my area of focus, but from a little reading, I'm thinking you may need to increase the return timeout. I've got a KB: https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/REST_API_GET_request_'snapmirror_relationships'_provides_intermitent_results

and the 9.7 rest api reference says the query parameter is return_timeout , default is 15 seconds. Maybe try 30 ?

https://library.netapp.com/ecmdocs/ECMLP2862544/html/

Thanks for looking this, but return_timeout is not helping here, and I ran debug smdb table snapshot_policy_rest_api show on cluster, showing only 1 entry..

I would def contact support then @chilly orchid

^ agreed

Hi..
I have problems installing security certificate using POST request (I am using Python)
I am unable to load the intermediate certificates because (I have 2 certs in the chain) when I load them into the intermediate_certificates json object as string as per the requirement, it just gives me the error "Failed to read the certificate due to incorrect formatting" If I remove all the line breaks '\n' in the string and provide the data manually, then it works.
Is this a known problem?
Or is there a way to load the cert data as string without line breaks? Thanks!

Hi @pastel bough , I'm trying to use CLI passthrough automation LIF modify option. But getting LIF is not support in the body of a PATCH

Could you please let me know is the CLI passthrough expecting?

CLI command "net int modify -lif sdm_svm_lif1 -vserver sdm_svm -address 10.216.4.83"

Hi RBlackhart6081 I m trying to use CLI

Hi @pastel bough , I see there are no equivalent for "force-subnet-association" or "subnet name" options in network REST APIs which is a supported option in CLI and ZAPI.

Giving an Ip address from the subnet cause API to fail. One my customer is using subnet configuration on ONTAP. How to achieve this in REST APIs?

You will want to consult the ONTAPI to REST mapping document. There are notes there about both of those fields.

I tried the api call from Postman and it's working without issues

But using NetApp's restit module errors saying "error_message": "The specified IP address "10.216.4.83" is in use by subnet "Demo" in IPspace "4294967295"."

Yeah, looking at https://library.netapp.com/ecm/ecm_download_file/ECMLP2874886. It just says not rest equivalent

It says that fail_if_subnets_conflict is the equivalent (although opposite value)

Ah, I see you're looking at an outdated version. Check the latest version of the document.

The field was added in 9.11

If you're running a version prior to that, I think you'll have to use the passthrough.

Could you please provide me link to latest REST API mapping document?

Weird issue is the POST call in 9.10 is working from postman, but failing from ansible

Not sure what is the issue

The links for all documents are on https://devnet.netapp.com/restapi.php

above api call was issued to ontap 9.10

no error

Let me check in ansible forum why this difference

My bad, in postman I was using different ip which was not in subnet so it worked.

Thanks @pastel bough !

What is the thought behind the confusion in ONTAP Rest API when it comes to Snapmirror relationship schedules?
Seems to be unsupported but then it's also not supported to have a Snapmirror policy with a single rule have a schedule. Why can't I use a Snapmirror relationship schedule?

Hey Guy, I am new to the NetApp API, we are setup to use SAML for our ONTAP Web Access. Trying to use the api now and getting User is not authorized for the local account with basic Auth. Do i need to get a token somehow since i have SAML setup? I did google and found stuff for the storageGRID but not ONTAP API. Thank you in advance

Hi @pastel bough , what could be reason for api to fail with message, 'Fetching remote information from the destination cluster failed. Reason: Cross-cluster access is restricted.', 'code': '13303892'? for snapmirror/relationships api

I am running 9.10 and was wondering why vserver security file-directoy rest api is not present? I can use cli passthru, but it has been throwing errors due to bad SIDS found.

The Snapmirror policy created using REST API("snapmirror/policies") and ZAPI is showing change in polict type for the same input parameter.
POST - "snapmirror/policies"
{'name': 'ansible_policy', 'svm': {'name': 'ansible_snap'}, 'type': 'async'}
GET - "snapmirror/policies"
{ 'vserver': 'ansible_snap', 'policy_name': 'ansible_policy', 'policy_type': 'async_mirror'}

cli output
test910::> snapmirror policy show -vserver ansible_snap -policy ansible_policy
Vserver: ansible_snap
SnapMirror Policy Name: ansible_policy
SnapMirror Policy Type: mirror-vault

api - snapmirror/policies
is REST type: async equivalent to ZAPI type: mirror_vault?

setting async in REST POST returns mirror_vault in ZAPI get.

Hi Team, what policy does snapmirror REST API supports for async-mirror. It failed pretty much for all default snapmirror policies for async-mirror?

Hi Team what policy does snapmirror REST

Web app to view reports

Hi @pastel bough , I don't see "default-site" param for CIFS server support in REST API till ONTAP 9.12. Are we planning to release it?

Customer informed this option is need to route the calls only to preferred AD servers which helps to avoid unnecessary alerts that servers are not reachable when non preferred servers are reached.

Hello, i am having trouble authentication with basic auth via postman to get into my API. Comes back with not authorized. I have checked the permissions of my user and it does have http. We are setup for SAML/2FA. Just wondering the steps i need to take to get authenticated in. THank you in advance

My user has ONtAPI & HTTP as Password,SAML

@pastel bough Any idea why the OnCommand API Services is no longer available on the Support site? I see it was archived and removed last May - but ONTAP Tools for VMware still requires it for ONTAP 9.6 or earlier systems to support vVols.

Hello, how can I get the defined scheduler from a snapmirror relationship via python rest api.
Simular to the ontap CLI command: snapmirror show -fields schedule.

I am trying to get the quota report from NetApp python module:
netapp_ontap.resources.quota_report
And I gave the index and volume.uuid as request body,
and it shows the error:
Not Found for url: https://10.129.56.20:443/api/storage/quota/reports/281474976710656'): "281474976710656" is an invalid value for field "volume.uuid" (<UUID>)

It is the error of wrong url,
the correct url should be api/storage/quota/reports/<volume_uuid>/<index>
Have anyone meet the error before?

Hi RBlackhart6081 I don t see default

This has been asked many times before, I have no idea what the Rest API devs have against snapmirror relationship schedules.

Hello. We upgraded a cluster to ONTAP 9.10.1P8 a few days ago. Since then we have had persistent problems with slow snapshot creates and deletes through the REST API (and possibly otherwise). For example, the backup script issued asynchronous deletes on a snapshot on 16 volumes and polled for the result. Four minutes and 20 seconds later, the cluster responded to one of the delete requests with error 1638538, "Cannot determine the status of the Snapshot copy delete operation for "backup_20221126_1900" on volume "myvol001" in Vserver "myvserver". Verify that the copy was deleted. If necessary, try the operation again." We have seen this message's sibling on snapshot creates too. The NetApp knowledge base does not mention this message much. Prior to the upgrade, that delete might have taken at most 15 seconds. Could anyone suggest where to look next?

Hello,

Using ONTAP 9.11.1P1 and Ansible collection 21.24.1 (Ansible is unrelated to the issue observed as per the API observed)

When I create a qtree without specifying the export policy, a somhow "random" export policy (already existing) is used anyway.

Is this the expected behaviour (confusing anyway) ?

Traces :

sending: {'method': 'POST', 'url': 'https://abvnapmgt002sas/api/storage/qtrees', 'verify': False, 'params': {'return_timeout': 10}, 'timeout': 60, 'json': {'volume': {'name': 'ansitest002sas_data03'}, 'svm': {'name': 'vs_ansitest002sas'}, 'name': 'qtree09', 'security_style': 'unix', 'unix_permissions': '755'}, 'headers': {'X-Dot-Client-App': 'na_ontap_qtree/21.24.1'}, 'auth_args': {'auth': ('admin', '--------------------------')}}

Using the UI, I can see the qtree has been created using an export policy which was not specified in the Ansible command and which is not listed in the arguments of the API call.

The export policy used has been created many commands before the one I used to create the current qtree.

Hello

I'm trying to set a SnapMirror Policy at the cluster level using REST, but I'm getting 'message': '"svm.uuid" is a required field', 'code': '2', 'target': 'svm.uuid'
this is with ONTAP 9.11.1. I don't see a scope attribute.

Same issue with 9.12.1. POST requires a vserver, and succeeds with the cluster vserver. But GET fails if the cluster vserver name is present, but succeeds with scope: 'cluster'.

Hi Robert, yes I’m using netapp_ONTAP module.
Here is the script :

    #Create volume
    resource = Volume()
    resource.name = VOLUME[0]
    resource.svm = {'name': vserver}
    resource.aggregates = [{'name': aggr}]
    resource.state = "online"
    resource.type = "DP"      
    resource.size = volsize
    resource.autosize = {'mode': "grow", 'maximum': volmaxautosize, 'minimum': volsize, 'grow_threshold': 75,'shrink_threshold': 40}
    resource.efficiency = {'compression': "inline", 'compaction': "inline"}
    resource.encryption = {'enabled': "True"}
    resource.guarantee = {'type': "none"}
    resource.snaplock.type = "compliance"
    resource.snaplock.default = "P30D"
    resource.post()

And here is the error :

Exception has occurred: AttributeError
The 'snaplock' field has not been set on the Volume. Try refreshing the object by calling get().

I don’t find any other way to set the snaplock field. Even though I’m creating the volume on a snaplock aggregate…

Before 9.10.1 I was able to create the volume and then set the snaplock options.

Since 9.10.1 it requires to set the snaplock option during volume creation and cannot be changed later on.

Hello everybody,
Could someone clarify a doubt for me because I am new to this part of development, I am trying to create a new SVM and I wanted to use a parameter that is not listed in the swagger documentation, the doubt would be if in fact only what is listed is supported? parameter I wanted would be "rootvolume-security-style".

Why would you change the root volume security?

I noticed the same thing.

Can you authenticate and manually get to that end point? What's the %27 as a Character?

In my environment I segregate the SVM by protocol, for CIFS SVM I usually change it to NTFS, I believe it is easier for the end user to manage the ACL's directly through Windows.

Oh you are not talking about CDOT root, or are you? You don't need to set that there for customers to be able to manage their own security. You can just set it on the volume itself with security-style, as long as the customers have permission on share acl and ntfs acl they are ok.

the point here is that when you set the security style for the root volume, the rest of the volumes added to the SVM automatically inherit that security style... it's just easier to set it once when you create the SVM and its root volume when you know the rest of the SVM is going to use the one or the other security style

Exactly, tks

I'm not seeing the ability to set this via REST on SVM creation. You could modify the SVM root volume after the SVM creation via a separate REST call.

@karmic sky Looks like there was a RFE to allow modification of the SVM root volume settings as part of the SVM creation. That parameter is currently only available via volume REST calls. You could work with your account team to pursue RFE 1426972

Thanks for the info, I'll check that out.

Hi everyone I hope this is the right space for this,
reading the documentation at https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_cifs_module.html about the na_ontap_cifs module, I see that share_properties is not supported with REST.
Is there any roadmap to support this or another module that I can't find?
Thank you for your help 🙂

yes there is an internal story to add support for share_properties options in REST.

Thank you very much

Hi there,
Is there please a place to download older versions of Powershell toolkit?
A customer tried to upgrade but now has many broken scripts.

hi, when talking to an SVM LIF, how can i retrieve the ontap version? /api/cluster?fields=version doesnt seem to work on SVM LIFs?

https://www.powershellgallery.com/packages/NetApp.ONTAP/

Scroll down to "Version History"

Hello Folks,
Does anyone have some info about this ?
Any plan to have this module updated ?

hi when talking to an SVM LIF how can i

Hello,

Using Ontap 9.11.1 + Ansible collection 22.0.1, I can create SVM with language en_US.utf_8 but not en_US.

Using en_US, I get the following error :

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error in create: calling: svm/svms: got {'message': 'Non-UTF8 language(s) not supported.', 'code': '13434885'}."}

Is the error caused by Ontap or Ansible ?

Has en_US been removed and replaced eventually by en_US_utf_8 inside Ontap storage server ?

What about volumes ? Do they support en_US with Ansible ? Or only en_US.utf_8 is usable with Ansible ?

This is an error reported by ONTAP. Our Ansible module is just passing the value as is.

Thx for your response.

From CLI, it works with en_US.

Would it be the behaviour is different between CLI and API ?

I can remember that at some point, none UTF-8 charset would be removed.

Testing this directly from Swagger, REST doesn't allow it.

{
"error": {
"message": "Non-UTF8 language(s) not supported.",
"code": "13434885"
}
}

Hey, just in case I've missed something in the docs, is there an attribute to check if an ONTAP volume is part of an ONTAP_S3 flexgroup specifically?

Thx for this test. So Ansible just transfer the language setting request. This means Ontap has deprecated the support of en_US.

Hello folks, I'm trying to get snapshot delta through REST api private/cli, anyone done that before ?

curl -k -u admin:Netapp01 "https://cluster1/api/private/cli/volume/snapshot/delta?vserver=docker&volume=rancher_trident&snapshot1=daily.2023-01-06_0010&snapshot2=daily.2023-01-07_0010"
{
  "error": {
    "message": "API not found",
    "code": "3"
  }
}

with @lean shoal - we found an interesting one with pulling specific fields back
So if you query the API with any filter (such as https://netapp8375309.usda.gov/api/storage/volumes?fields=nas.security_style,create_time,svm.name&svm=oirnasxkoir00)
you don't get back nas.security_style

now if we run the same query but without the svm=xxyyzz filter, (such as https://netapp8375309.usda.gov/api/storage/volumes?fields=nas.security_style,create_time,svm.name)
you get back results as expected

what it seems it that (at least in 9.9) the with filter query is hitting the ***volume_rest_sql *** table where the without filter query is hitting the volume_rest query, and in the volume_rest_sql the nas.security_style field is not fully populated except on volumes which were created after 9.9

debug smdb table **volume_rest **show -fields nas.security_style
uuid nas.security_style
------------------------------------ ------------------
009eded8-a64d-42dd-8e21-16074ddbd49f unix

debug smdb table **volume_rest_sql **show -fields nas.security_style
uuid nas.security_style
------------------------------------ ------------------
009eded8-a64d-42dd-8e21-16074ddbd49f -

Case #2009148562 for anyone interested

Thanks for this George, it does appear to have been addressed in 9.10

Double-verifying with PM for ya though. Stand by…

@weary hawk might be able to weigh-in

I copied my output to the case notes.

FYI this is SESG George, so we have strict policies on who can even see the cases to begin with.

roger, thanks!

Hi. I'm not familiar to file servers/netapp, sorry if the question is dumb. as a developer I've a need to remove specified user's permission via REST API from all folders in an environment where we have 300k+ folders/files.

as far as I see DELETE -> /protocols/file-security/permissions/{svm.uuid}/{path}/acl/{user} does this need

but is it possible to do this for all paths in a share?

if the user doesn't has access right on the specified root path, the delete call doesn't work for this root folder and gives an error as entry not found even if the user has access on the sub folders.

so, should we really loop through all files/subfolders(think about inheritance is not the case and user might have access on different paths) and check if the user has access on that file/folder?

Is this NFS or SMB?

NFS. Ontap 9.9.1

For NFS you would usually mount the export from a host with root permissions on the file system and then recursively chmod/chown to make the changes you want. Not change it directly on the NetApp.

Hi all, I'm trying to speed up api/protocols/nfs/connected-clients where one SVM has over 20,000 connected clients. Should pretty=false speed up the returned response?

Sooo. After some testing, I'm getting some pretty inconsistent timings but oddly found that the equivalent private/cli query seems to consistently outperform. Below are three different tests using powershell's invoke-restmethod and a while loop to hit the next tag when it shows up.

# /api/protocols/nfs/connected-clients?svm.name=vserver-x01&return_timeout=90&return_records=true&fields=protocol&pretty=true
# /api/protocols/nfs/connected-clients?svm.name=vserver-x01&return_timeout=90&return_records=true&fields=protocol&pretty=false
# /api/private/cli/nfs/connected-clients?vserver=vserver-x01&return_timeout=90&return_records=true&fields=protocol&pretty=false

00:03:00.7959929    Records 40754    pretty=true
00:06:07.3100540    Records 40923    pretty=false # 6 minutes?
00:02:28.0131384    Records 40769    pretty=false & private/cli/nfs/connected-clients

One odd difference between the first two queries and the private/cli query is that the private/cli query always returned 10,000 records on the first call, while the other two returned very low numbers for the first call and for the 6 minute run above, it didnt return 10k records until the 4th nexttag (only, 61, 93 and 75 records for the first three).

Any thoughts on how to make this ... more consistent? I'm not looking to blast the cluster with multi-threaded REST queries, but would it better to tweak things like:
max_records, timeout or perhaps even split the queries into filtered node groups?

btw this is ontap 9.8P11

IMO API calls take more horsepower because of the encryption SSL uses I think is more intensive than SSH. Plus with SSH if you use keyfile auth, you can even possibly multithread the results if you have multiple parallel SSH commands running.

Who uses API Webhook for alerting / event forwarding, any experiences / gotchas / thoughts?

I do for a different service, not ONTAP. Are you asking about ONTAP specifically?

Yes ONTAP.... My new customer started using this. I am trying to grasp my head around what kind of things I can expect 🙂