# SVM with unencrypted root volume

cunning oar
#

On our production Storage we have encryption enabled.
Then we apply the encryption only where required, so not for every volume and least of all SVM root volumes.
Hence, is it possible to create SVM with unencrypted root volume?

mild prism
#

depends on whether you're using NAE or NVE

#

but for the SVM root volumes it doesn't matter anyways since there's no data stored on them, only the junctions for the other volumes

mild prism
#

In any case, I guess you need to manually change the encryption of the root volume later (same as with the CLI) since you cannot specify a non-default encryption when creating an SVM

cunning oar
#

It's not so simple. It's clear I can do everything via the CLI, but I would like to be able to do the same with Ansible. With Ansible, if I try to define the root aggregate and name, this fails:
"msg": "REST API currently does not support 'root_volume, root_volume_aggregate, root_volume_security_style'"
If I try to confine the SVM within a specific aggregate with aggr_list: aggr1, it creates the root volume wherever it wants.
Then if I try to move the root volume without encryption (encrypt: false), it fails:
"Error moving volume svm11_fs_test_root: calling: storage/volumes/513cfae7-dd80-11ef-bb6c-d039eab57aa8: got {'message': 'The destination aggregate "xxxxxxx" does not have NAE (NetApp Aggregate Encryption) enabled. NAE volumes are not supported in such aggregates.', 'code': '196608312'}."
Therefore I'm not able to create the SVM where I would like, nor to change the root volume by disabling its encryption.

mild prism
#

you can always tunnel CLI commands through ansible as a workaround

#

but again, is it worth the trouble just for disabling encryption on a volume where no data actually resides?

#

I would just leave it encrypted in that case

cunning oar
#

As we also have two aggregates with NAE only for the SnapLock volumes, while all the other aggregates are without NAE, this is an issue, because I won't be able to move the root volume anymore since it is encrypted. Without encryption I can treat the volumes as I want.

#

Actually, the additional issue is that I can't create the root volume within a preferred aggregate as we could do in the past with Ansible.

#

And yes, I could tunnel CLI commands through Ansible, even if I would avoid that approach.

mild prism
#

okay, sorry, I still don't understand completely. So your actual issue is that ansible creates the SVM's root volume on the wrong aggregate?

#

If so, you can specify the aggregate where the root volume is created via the root_volume_aggregate parameter for the na_ontap_svm module

#

you will need to set the module to use ONTAPI (as seen in your error message above, REST API doesn't support that yet)

#

as for the error when moving the volume, yes, that looks like a limitation in the ansible module, normally you should be able to move a volume out of an NAE aggregate by setting -encrypt-with-aggr-key to false, but that is apparently not available in the module (yet?)

#

again, on the CLI this is possible, so that could be a workaround for you

cunning oar
#

I changed all my scripts (Grafana, PowerShell, Ansible) to use ONLY REST APIs and not ONTAPI anymore. And this is the reason why I'm posting here: to ask if it is possible at least to re-introduce the root settings in Ansible. This would be enough to avoid any issue. It would be a plus to specify encrypt: false too. Meanwhile I'm going to use the CLI workaround.

mild prism
#

yeah, if you are dead set on only using REST, then there's currently no solution, just the CLI workaround. I don't see why the backend API matters that much (ONTAPI vs REST) though, since you're not using the API directly anyway...
In any case, I'm sure these additional options will appear at some point in the REST API (it is still being developed and expanded all the time) so at some point I'm sure you can remove that workaround. If you need a quicker resolution or SLA, I guess you can always open a case and get it prioritized that way

cunning oar
#

No worries, I'll wait. That said, I can agree with you about ONTAPI-REST, but ONTAPI is coming out soon as far as I know. The 16 release is already without it. Thank you!

mild prism
#

but yes, you have to enable it manually on 9.16.1 unless you've already been using it during the (I think) 90 days prior to the upgrade to 9.16.1