Copyright 2016 Hewlett Packard Enterprise Development LP
HPE 3PAR File Persona v1.3 Delta Training
July 2016
3PAR StoreServ Management Console
SMB NFS REST
File Persona
Confidential – For Training Purposes Only 2
Learning objectives
After completing this course, you should be able to:
– List the new features of HPE 3PAR File Persona Software v1.3
– Describe how the new features improve the functionality of HPE File Persona Software 1.3
– Identify command and menu or pane changes caused by the new features.
– Describe how the new features affect the StoreServ system management.
Agenda
– HPE 3PAR File Persona v1.3 overview and changes
  – Expanded ISV solutions
  – Larger File system size (64 TB FPG)
  – FTP support
  – Updated On-Disk Version
  – Backup/Restore ACL Preservation
– Cross Protocol Access
– File Lock Enterprise Mode
– Online FSCK
– Antivirus Enhancements
– Object Access API Enhancements
HPE 3PAR File Persona v1.3 Overview and changes
– HPE File Persona v1.3 is part of 3PAR OS 3.2.2 MU3 patch
– The 3.2.2 MU3 patch is supported on all platforms supporting File Persona
  – 7000c Family
  – 8000 Family
  – 20000 Family
– Closes some gaps in customer expected features and behaviors
– Improved cross-protocol access and locking behavior for a multi-protocol environment
– Expands the green zone with data preservation and governance use case
– Provides general quality improvements and enhancements in the area of FSCK, Antivirus and Object Access API.
HPE 3PAR File Persona v1.3 overview and changes: List of enhancements in File Persona v1.3
– Resolution of a number of bugs and change requests
– Expanded ISV solutions
– Larger File system size (64 TB FPG)
– FTP support
– On Disk Upgrade to support the new functionality
– Configuration Backup/Restore ACL Preservation
HPE 3PAR File Persona v1.3 overview and changes: List of enhancements in File Persona v1.3
Enhancements covered in separate sections
– NTFS security mode File Stores to allow cross-protocol access with multiple writers and User Mapping support
– New feature File Lock Enterprise Mode
– Online File System Check
– Sophos Endpoint Protection Antivirus support
– Antivirus Bulk-Quarantine
– Object Access API enhancements
HPE 3PAR File Persona v1.3 overview and changes: Spectrum of workloads and uses
File Persona
Block Persona
Home directories and user/group shares
Content management and collaboration
Data preservation and governance
Virtualization Databases Applications
SMB, NFS, FTP, REST
FC, FCoE, iSCSI
HPE 3PAR File Persona v1.3 overview and changes: Expanded green zone
Expanded green zone with three new validated solutions
Home directories & user shares
- User and group/corporate shares
- Home directory consolidation for physical desktops and VMware Horizon virtual desktops
Content management & collaboration
- Content management and collaboration for SharePoint with AvePoint DocAve
- Enterprise file sync and share with Citrix ShareFile
Data preservation & governance
- Structured data optimization with HPE Structured Data Manager
- Unstructured data governance with HPE Storage Optimizer and HPE ControlPoint
- Retention of business records with HPE Records Manager
- Enterprise information archiving with Commvault & Veritas Enterprise Vault
- Video surveillance with Genetec Omnicast and Milestone Xprotect, Verint Nextiva
- Real time business analytics for scale-out SAP HANA TDI shared infrastructure
Not to be used for anything not listed as green zone, for example:
- Databases
- Virtualization
- HPC applications
- Video editing and media streaming
HPE 3PAR File Persona v1.3 overview and changes: Larger file system size
Larger file system size – 64TiB FPG for simpler scaling of large data sets within a single file share
[Chart: FPG size (TiB), per node pair capacity (TiB) and max system capacity (TiB) by release: 3.2.1 MU1, 3.2.2, 3.2.2 MU2, 3.2.2 MU3 Patch]
HPE 3PAR File Persona v1.3 overview and changes: FTP support
– FTP File Share support in addition to SMB, NFS, HPE 3PAR AccessAPI File Share support.
– FTP File Share supported features include:
  – Upload, download, append, rename, and delete files
  – Create, rename, and delete directories
  – Enumerate files
  – Get current working directory.
– FTP File Share defined parameters are:
  – Access permissions
  – Enabling/disabling local/anonymous users
  – FTPS related SSL options
– HPE recommends using secure FTP (FTPS) for security reasons
HPE 3PAR File Persona v1.3 overview and changes: FTP support
– The FTP protocol can be used to perform the following tasks over a file system storage share:
  – FTP in both non-secure and secure mode
  – SMB (AD, LDAP, Local Auth) and anonymous user access
  – Read-only mode
  – FTP File Share with one or more VIF IP address
  – VFS IP for one FTP share only
  – Add/delete IP in FTP File Share
  – Modification of configuration options (like disable SSL, enable anonymous)
  – Home directory based on UNIX user names
– The following options are specific to the createfshare ftp [options <arg>] subcommand:
  -ssl {true|false} specifies if SSL is enabled. The default is false.
  NOTE: To enable SSL, the VFS must have a valid certificate configured.
HPE 3PAR File Persona v1.3 overview and changes: On-Disk Version - Update
– On-disk version is used to distinguish the set of functionality available on File Provisioning Groups (FPGs) from different software versions
– On-disk version history:
  – On-disk version in previous releases was 11.0
  – On-disk version in 3.2.2 MU2 was 12.0
  – On-disk version in 3.2.2 MU3 patch for new FPGs is 12.1
– Newer software versions will support older FPG versions.
– Older software versions will not support newer on-disk versions.
– On-disk minor-version upgrade capability is provided for 11.0 to 11.1 and 12.0 to 12.1
– On-disk major-version upgrade capability will be provided in software version 3.2.3
HPE 3PAR File Persona v1.3 overview and changes: New features requiring new On-Disk Version
[Diagram: on-disk versions and features by software release]
Release           Default for new FPGs   Features
3.2.1 MU1         FPG v11.0              Base feature set introduced for File Persona
3.2.2             FPG v11.0              Base feature set introduced for File Persona
3.2.2 MU2         FPG v12.0              Quota accounting excluding snapshots; Pre-enablement for Online FSCK and File Lock
3.2.2 MU3 Patch   FPG v12.1              Online FSCK; File Lock; Dedicated security modes; Cross-protocol locking
On-disk upgrade path: upgrade FPG v11.0 to FPG v11.1 to enable Quota accounting excluding snapshots
Legend: On-disk upgrade path; Only OS upgrade path
HPE 3PAR File Persona v1.3 overview and changes: Features requiring new On-Disk version
FPGs with newer on-disk versions cannot be activated on older software versions
– Need to account for this in Remote Copy of VVs making up FPGs
– Remote Copy and failover will continue to operate with mixed software versions, as long as on-disk version stays at a level compatible with both
– Until both sites have been upgraded to the new software, do not use newer on-disk version
HPE 3PAR File Persona v1.3 overview and changes: Remote Copy On-Disk version upgrade sequence
[Diagram: four panels showing Site 1 (A, B’) and Site 2 (A’, B) under cross replication, with C and C’ added in one panel]
1. Cross Replication on 3.2.2
2. Upgrade Site 1 to 3.2.2 MU3 patch
3. Upgrade Site 2 to 3.2.2 MU3 patch
4. Create new FPG with ODV 12.1. Upgrade others to 11.1
Legend: Software – 3.2.2; Software – 3.2.2 MU3 patch; On Disk – 11.0; On Disk – 11.1; On Disk – 12.0
HPE 3PAR File Persona v1.3 overview and changes: On-Disk version verification
7450_25_8_6 cli% showfpg
                     ------(GB)-------
FPG      -Mountpath- -Size-- Available ActiveStates -DefaultCpg- ---------VVs--------- State    Version
testFpg0 /testFpg0   1024.00   1023.35 ACTIVATED    SSD_r6       testFpg0.1            degraded 12.0*
-----------------------------------------------------------------------------------------------------
       2 total       1026.00   1025.19
7450_25_8_6 cli% showfpg -d testFpg0
------------------File Provisioning Group---------------------
File Provisioning Group : testFpg0
…
Upgrade State : UPGRADABLE
Version : 12.0
…
SegmentNumber FSCKState FSCKPhaseRequired
1 NOT_REQUIRED NONE
HPE 3PAR File Persona v1.3 overview and changes: On-Disk Version Health
7450_25_8_6 cli% showfpg
                     ------(GB)-------
FPG      -Mountpath- -Size-- Available ActiveStates -DefaultCpg- ---------VVs--------- State    Version
testFpg0 /testFpg0   1024.00   1023.35 ACTIVATED    SSD_r6       testFpg0.1            degraded 12.0*
-----------------------------------------------------------------------------------------------------
       2 total       1026.00   1025.19
7450_25_8_6 cli% checkhealth -detail fs
Checking fs
Component ------Description------- Qty
fs        File Services FPG issues   1
Component -Identifier- --------------------------Description--------------------------
fs        testFpg0     testFpg0 : On-disk version for segment is not up to date. Some features may not be available in the current on-disk version. Corrective Action: Upgrade segment to the newest supported on-Disk version.
HPE 3PAR File Persona v1.3 overview and changes: On-Disk Version Upgrade
7450_25_8_6 cli% setfpg -upgrade testFpg0
This action will upgrade the current on disk version of the FPG to the latest supported version.
select y=yes n=no : y
8778
HPE 3PAR File Persona v1.3 overview and changes: On-Disk Version Upgrade & Downgrade Considerations
– No On-Disk version upgrade from 11.x to 12.x in this release
– Before attempting a software revert, usage of the following items would need to first be removed from the system:
  – FPGs with on-disk version 12.1
– If reverting to a version before 3.2.2 MU2, additionally:
  – FPGs with on-disk version 11.1
– Configuration backups taken with 3.2.2 MU3 can only be restored on 3.2.2 MU3 or newer software
HPE 3PAR File Persona v1.3 overview and changes: On-Disk Upgrade Troubleshooting – Error Messages
– Could not perform ODU for FPG {0} because segment has the latest supported version
– FPG {0} has to be mounted, not frozen, and not isolated to run ODU
– ODU task already running for FPG {0} on segment(s) {1}
– Segment(s) number {0} is not valid
– Target on-Disk version {0} is not valid
– ODU cannot start during software upgrade/revert
– ODU cannot start on FPG {0} because there is no sufficient disk space.
HPE 3PAR File Persona v1.3 overview and changes: System Configuration backup/restore
– System configuration contains info for all the File Stores and File Shares within a VFS
– Backup and restore using backupfsconf and restorefsconf CLI utilities
– System configuration backup is done separately from the data backup
– Backup/restore process varies based on backup software
– MD5 checksum for configuration backup data integrity
– Share folder permissions are not restored in version 1.2
[Diagram labels: File Provisioning Group; Hive/Config Store; Virtual File Servers; .admin; File Store 1; File Store 2; Files; Config-backup; fpg_vfs_configbackup.tar; Share1 (Http); Share1 (NFS); Share2 (CIFS); Security Mode; Ownership; ACL (share folder)]
HPE 3PAR File Persona v1.3 overview and changes: Configuration Backup/Restore ACL Preservation
– Previously, when backing up share configuration for a VFS using “backupfsconf”, only the share configuration was backed up, not the ACL on the underlying folder
– During restore, an administrator would need to manually configure the ACLs again
– In 3.2.2 MU3 patch, the backup will now contain the ACLs for the underlying folders supporting the shares
– The syntax from the CLI is unchanged, so no updates to the usage are required
New data backed up and restored:
• Security mode (Cross Protocol) for File Store
• ACLs for Share folders
• POSIX attributes for share folders
HPE 3PAR File Persona v1.3 overview and changes: ACL Backup Internals
Cross protocol
• Security mode for each File Store
• Listing all File Stores and collecting the security mode set on each File Store
ACL changes
• Listing all shares including HTTP, NFS and CIFS
• Collecting ACLs for every share path
  # getfattr --absolute-names -n system.ade_acl <sharepath>
POSIX attributes
• Ownership details for each share folder
  # stat --printf='%U:%G' /fpg/vfs/fstore/share5
HPE 3PAR File Persona v1.3 overview and changes: ACL Restore Internals
Cross protocol
• Set Security mode for each File Store
ACL changes
• Modify/Set ACLs on Restore.
  # setfattr -n system.ade_acl -v <shareACL> <sharepath>
POSIX attributes
• Modify Ownership.
  # chown user2:Administrators <sharepath>
Cross-protocol access: Benefit
– Most NAS customers want multi-protocol access to common data on the storage controller, allowing simultaneous Read/Write access while ensuring data integrity.
– Prior to v1.3, multi-protocol access in File Persona was limited to one protocol with read/write access and the secondary protocols with read only access due to lack of cross-protocol locking.
– File Persona v1.3 allows customers to access data from more than one protocol with read/write access using cross-protocol locking, ensuring NFS clients can access the files opened by SMB clients through share mode locks.
– File Persona v1.3 provides a dedicated security mode for a preferred protocol, preventing other protocols from overwriting the permissions on the files in a specific File Store.
Primary protocol   Access   Secondary protocol   Access
SMB                RW       NFS                  RO
NFS                RW       SMB                  RO
HTTP               RW       SMB/NFS              RO
Cross-protocol access: Challenge
– Lack of preferred access for a specific protocol for simplifying cross-protocol management
  – Allowing different protocols to overwrite directory permissions at share level complicates predicting permissions.
  – Allowing both SMB and UNIX Protocol clients to change permissions could cause fidelity loss and inconsistency with preferred protocol semantics.
– Lack of cross protocol locking support leaves data vulnerable to data loss.
Solution:
– Configurable security mode per File Store to provide near native user experience for preferred protocol based on security mode.
  – Default ACL is consistent and predictable.
  – Restriction on permission changes from non-preferred clients to prevent fidelity loss.
– SMB share mode locks are honored across all protocols to prevent data loss for SMB shares
– The Default ACL for share folders is security mode-specific, irrespective of the share protocol
Cross-protocol access: Implementation
Two different security modes configurable at file-store level:
– LEGACY – Backward compatibility with file stores created with File Persona v1.2 or earlier. Only one protocol can Read/Write and others can Read-only. Access permission changes are allowed from both Windows and UNIX clients.
– NTFS – Preferred access mode for Windows clients. UNIX clients may see surprises. Read/Write access is allowed for both Windows and UNIX clients. No restrictions apply for Windows clients. Windows inheritance rules apply. UNIX clients cannot perform permission-setting operations.
[Diagram: on upgrade, an FPG (version 12.0 and prior) with all File Stores (FSt1, FSt2) in Legacy mode becomes an FPG (version 12.0 and 12.1) where File Stores with different security modes co-exist (FSt1, FSt2, FSt3; Legacy mode and NTFS mode)]
Cross-protocol access: LEGACY security mode
– Files/folders will have the precedence for either NTFS ACLs or POSIX ACLs, based on permissions last applied
  – If permissions last applied are from SMB clients, then NTFS ACLs are dominant and NFS clients are presented the translated POSIX ACLs for security checks and vice-versa.
– Default permissions for new files follow Windows rules for SMB clients and POSIX rules for NFS clients
– R/W access for one protocol and R/O for others for a share
– Permission changing allowed from both SMB and NFS clients
  – chances of overwriting NTFS ACLs from NFS
– File names can be case insensitive for SMB clients and case sensitive for NFS clients
  – chances of overwriting files if file names in the same directory differ only in case
Best practice:
– Use the Legacy mode for backwards compatibility only or for single protocol share for NFS/Object access
Cross-protocol access: LEGACY security mode behavior
Unexpected ACL behavior on Windows side if the directories are created from Linux clients
– Everyone group appearing on the dir created from NFS
– Group1 now allowed on the dir created from NFS
Unpredictable behavior from NFS clients
[Screenshots: ACLs on shared File Store with Legacy security mode; ACLs on directory created from Linux client; ACLs on directory created from Windows client]
Cross-protocol access: NTFS Security Mode
– Enforces NTFS style security behavior on files/folders in a File Store
– Files/folders will maintain full fidelity NTFS ACLs
– Default permissions for new files will follow Windows inheritance rules always
– RW access allowed for both SMB and NFS clients via shared mode locks
– Permission changing not allowed from NFS clients
– File names can be case insensitive as expected by SMB clients
– For SMB clients the ACLs and enforcement will match 100% to the permissions expected from Windows.
– For NFS clients the translated POSIX ACLs for security checks are presented
Best practice:
– Use NTFS security mode for a Windows dominant environment
Cross-protocol access: NTFS security mode behavior
Expected ACL inheritance on Windows side even if the directories are created from Linux clients
– No change on the inherited ACLs
Same behavior as Windows
[Screenshots: ACLs on shared File Store with NTFS security mode; ACLs on directory created from Linux client; ACLs on directory created from Windows client]
Cross-protocol access: NTFS Security Mode: Permissions Enforcement
Permissions and ownership of file objects can only be modified via one of the following methods:
– The Windows ACL from a Windows client, if the user has the required permissions to modify Windows ACLs
– The system’s Converged ACL via the HPE 3PAR CLI, but only for directories in the root of a share (share folders)
The system’s Converged ACL will preserve the fidelity of:
– The ACL visible/modified from the Windows Client
– The ACL visible/modified via the HPE 3PAR CLI
When a new file object (file or directory) is created, Windows inheritance rules get applied to determine the object’s new ownership and permissions. Therefore, when accessing the file system via an SMB share from a Windows Client, the ACLs and enforcement will match 100% to the permissions expected from Windows.
Cross-protocol access: NTFS Security Mode: Permissions Enforcement
When accessing the file system via a UNIX interface, like an NFS share, the server synthesizes the on-disk ACL to a UNIX ACL.
– The server translates the higher fidelity ACL to its best approximation of UNIX ACLs.
– The resulting granted permissions could be more restrictive than the Windows ACL permissions.
– Permissions that users can grant when accessing files on an NTFS File Store via an NFS or HTTP client should be understood when crafting an ACL in the root folder of the share.
The following table describes the mapping of the system converged ACL permissions bits to Windows and UNIX ACLs.
Cross-protocol access: Mapping of Converged ACLs to NTFS and POSIX ACLs
Converged ACL (3PAR CLI and GUI)    NTFS ACLs                     POSIX ACLs (perm bits)
r  ReadData/ListDirectories         ReadData/List Folders         r: ReadFile/ListDir
n  ReadNamedAttributes              ReadExtendedAttributes
x  ExecuteFile/TraverseDirectory    ExecuteFile/TraverseFolder    x: ExecuteFile/TraverseDirectory
w  WriteData/CreateFiles            WriteData/CreateFiles         w: Write file object (all 4 “waTN” required to have ‘w’ for write on directory)
a  AppendData/CreateDirectories     AppendData/CreateFolders
T  WriteAttributes                  WriteAttributes
N  WriteNamedAttributes             WriteExtendedAttributes
D  DeleteChild (dirs only)          DeleteSubfoldersAndFiles      (all 5 “waTND” required to have ‘w’ for write on directory)
o  ChangeOwnership (of file/dir)    TakeOwnership                 - Ignored -
t  ReadAttributes                   ReadAttributes
c  ReadACLs                         ReadPermissions
C  Write ACLs                       ChangePermissions
d  Delete object                    Delete
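The mapping table can be applied mechanically to see where a UNIX client ends up with fewer rights than a Windows client. The following is an added example, not HPE code; the colon-joined entry format follows the page's setfshare -acl argument, and reading the four-letter rule as the file case and the five-letter rule as the directory case is an assumption.

```python
# Added illustration, not HPE code. It applies the mapping table above to estimate
# which POSIX bits a UNIX client is left with for a given converged-ACL entry.

# Assumption: the four-letter rule applies to files and the five-letter rule to
# directories (the slide words both rules as "for write on directory").
WRITE_SET_FILE = frozenset("waTN")
WRITE_SET_DIR = frozenset("waTND")


def parse_ace(ace):
    """Split an entry written like the page's setfshare example
    ('+A:g:home_dir_group@AD_domain:raxtnc') into its fields."""
    type_, flags, rest = ace.lstrip("+").split(":", 2)
    principal, perms = rest.rsplit(":", 1)
    return {"type": type_, "flags": flags, "principal": principal, "perms": perms}


def posix_bits(perms, is_dir):
    """Approximate the r/w/x bits a UNIX client is granted."""
    granted = set(perms)
    needed = WRITE_SET_DIR if is_dir else WRITE_SET_FILE
    return "".join([
        "r" if "r" in granted else "-",
        "w" if needed <= granted else "-",   # every write-type letter is required
        "x" if "x" in granted else "-",
    ])


def stranded_write_rights(perms, is_dir):
    """Write-type letters that are granted but do not add up to POSIX 'w'.
    A Windows client can still use them; a UNIX client cannot."""
    granted = set(perms)
    needed = WRITE_SET_DIR if is_dir else WRITE_SET_FILE
    if needed <= granted:
        return []
    return sorted(granted & needed)


def audit(aces, is_dir=True):
    """Return (principal, POSIX bits, stranded rights) for every allow entry."""
    report = []
    for ace in aces:
        fields = parse_ace(ace)
        if fields["type"] != "A":
            continue
        report.append((fields["principal"],
                       posix_bits(fields["perms"], is_dir),
                       stranded_write_rights(fields["perms"], is_dir)))
    return report


# Values from the page's examples written in colon-joined form, plus one
# constructed entry (project_group) that grants everything except D.
SAMPLE_ACES = [
    "A:fdI:OWNER@:rwaDdxtTnNcCoy",
    "+A:g:home_dir_group@AD_domain:raxtnc",
    "A:fdg:project_group@AD_domain:rwaxtTnNc",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACES):
        print(row)
```

An entry with a non-empty third field is one to review when crafting the share-folder ACL: Windows users hold rights there that NFS users of the same group will not get.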
Cross-protocol access: Share Folder Permissions
– The Default Permissions in the Share Folder are specific to the security mode, independent of the protocol flavor of the share.
– The Default Permissions at the Share Folder might be different or more restrictive than in previous releases, but the administrators now have the option to modify the permissions at the share folder via the HPE 3PAR administration Command Line Interface (CLI).
Cross-protocol access: Default Share Folder Permissions
A default share can be created either in the root of a File Store or in a subdirectory below the File Store root. If a share is created in a sub-directory, the directory permissions are inherited from the parent directory. Assuming that the administrator has done no modifications to the Share Folder permissions, the default Share Folder permissions logic is as follows:
If a Default Share is created in the root of a File Store:
– From a Windows Client:
  – Everyone has permissions to mount and traverse to the mount point from a Windows client (non-inheritable permissions)
  – Only SYSTEM@NT_AUTHORITY (equivalent to root in Windows), and members of the Administrators group in the Windows domain have additional permissions such as full-control and inheritable permissions.
– From an NFS Client (or any UNIX client):
  – Everyone has permissions to traverse to the mount point (non-inheritable permissions)
  – Only members of the Administrators group (if client has joined the same domain as server node) have additional permissions such as full-control and inheritable permissions
Cross-protocol access: Default Share Folder Permissions
If a Default Share is created in a subdirectory below the File Store root, share directory permissions are inherited from the parent directory:
– From a Windows Client:
  – Only SYSTEM@NT_AUTHORITY (equivalent to root in Windows), and members of the Administrators group in the Windows domain have full-control and inheritable permissions
– From an NFS Client (or any UNIX client):
  – Only members of the Administrators group (if same domain as server node) have full-control and inheritable permissions
Note: NFS Clients cannot change permissions (independent of default ACL – by definition of the NTFS Security Mode)
Cross-protocol access: Cross Protocol Locking
[Diagram: SMB user and NFS user, each with R/W access through shared locks, in NTFS security mode]
– Allows simultaneous read/write access to the same file using shared mode locks in NTFS security mode
– SMB client opens a file for RW access, other protocols are denied for write/delete/rename access
– NFSv4 opens a file for RW access – SMB clients are denied write access, but can rename/delete
Restrictions for cross-protocols:
– Cross-protocol locking not HA aware
– Advisory locks for NFSv3
– Support for SMB only operations
  – Byte range locks
  – SMB oplocks and leases must be disabled (default)
  – Windows Alternate Data Streams (ADS)
Cross-protocol access: Example
Notation: open(access requested, access granted to others), for example open(rw, r) and open(ro, r)
[Diagram: timelines for client1 and client2, each performing open(rw, r), write(…) and close, shown with locking and with no locking]
NO LOCKING – data loss: client2 still thinks its data is stored, but it was overwritten.
WITH LOCKING – data consistent: client2 can only write after reading the latest changes from client1.
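The two timelines can be reproduced with a small model of share-mode arbitration. This is an added example, not HPE code; the class and function names are hypothetical, and the rule it enforces is the usual SMB share-mode check (a new open must fit what existing openers share, and must itself share what they already hold).

```python
# Added illustration, not HPE code: a minimal model of share-mode arbitration
# using the slide's open(access requested, access granted to others) notation.

class SharedFile:
    def __init__(self, enforce):
        self.enforce = enforce      # False models the "NO LOCKING" timeline
        self.opens = {}             # client -> (access held, access shared)
        self.content = "v0"

    def open(self, client, access, share):
        """access is 'ro' or 'rw'; share is '', 'r' or 'rw' (granted to others).
        Returns the content the client starts from, or None if denied."""
        want = {"ro": {"r"}, "rw": {"r", "w"}}[access]
        grant = set(share)
        if self.enforce:
            for held, shared in self.opens.values():
                if not want <= shared or not held <= grant:
                    return None     # sharing violation
        self.opens[client] = (want, grant)
        return self.content

    def write_and_close(self, client, base, change):
        """The client writes its change on top of the content it read at open."""
        self.content = base + "+" + change
        del self.opens[client]


def run(enforce):
    """Both clients try open(rw, r) at the same time; returns
    (was client2 denied at first, final file content)."""
    f = SharedFile(enforce)
    base1 = f.open("client1", "rw", "r")
    base2 = f.open("client2", "rw", "r")
    denied = base2 is None
    if not denied:
        f.write_and_close("client2", base2, "c2")   # client2 finishes first
    f.write_and_close("client1", base1, "c1")       # client1 writes its older view
    if denied:
        base2 = f.open("client2", "rw", "r")        # retry sees client1's change
        f.write_and_close("client2", base2, "c2")
    return denied, f.content


def reader_alongside_writer(share):
    """Can a read-only opener coexist with an open(rw, r) writer?"""
    f = SharedFile(enforce=True)
    f.open("writer", "rw", "r")
    return f.open("reader", "ro", share) is not None


if __name__ == "__main__":
    print("no locking  :", run(False))   # client2's change is lost
    print("with locking:", run(True))    # both changes survive
```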
Cross-protocol access: Administration - CLI for security mode management
– Set the security mode while creating a file store:
  createfstore [-secmode {ntfs | legacy} [-secop_errsuppress {true | false}]] [-comment <comment>] [-fpg <fpgname>] <vfs> <fstore>
– Modify file store attribute to suppress errors during permission changes from UNIX:
  setfstore [-fpg <fpgname>] [-secop_errsuppress {true|false}] [-comment <comment>] <vfs> <fstore>
– Display file store attributes related to security mode:
  showfstore [-fpg <fpgname> [-vfs <vfs> [-fstore <fstore>]]] [-securityoptions]
– Cross Protocol Locking does not require any explicit configuration.
Cross-protocol access: Example: Managing Share Directory Permissions in the NTFS security mode
– Create a file store in the NTFS Security Mode:
createfstore -secmode ntfs -fpg fpg0 vfs0 ntfs_fstore
– Create an SMB share in the same directory or any directory below the file store:
createfshare smb -fstore ntfs_fstore -allowperm Everyone:fullcontrol -sharedir my_shared_dir smb_share0
– The resulting permissions on the share directory will be based on Windows permissions inheritance rules, default:
showfshare smb -dirperm -vfs vfs0 -fstore ntfs_filestore smb_share0
Share Name : smb_sare0
Sharepath : /fpg0/vfs0/ntfs_filestore/ my_shared_dir
Owner : root
Group : Administrators
Modebits : 770
--------------------------ACL---------------------------
Type Flags Principal      Permissions
A    I     OWNER@         rwaDdxtTnNcCoy
A    fdI   OWNER@         rwaDdxtTnNcCoy
A    fdgI  GROUP@         rwaDdxtTnNcCoy
A    fdiI  CREATOR^OWNER@ rwaDdxtTnNcCoy
Note: The -allowperm Everyone:fullcontrol in the createfshare command refers to SMB share permissions, and NOT to the directory ACLs
Cross-protocol access: Managing Share Directory Permissions in the NTFS security mode
– If desired, change owner/group of the share directory using the CLI, for example:
setfshare smb -owner AD_domain\\share_owner -group AD_domain\\admin_group -fstore ntfs_fstore smb_share0
– If desired, change ACL of the share directory using the CLI, for example:
setfshare smb -acl +A:g:home_dir_group@AD_domain:raxtnc -fstore ntfs_fstore smb_share0
– If desired, create additional shares on the same directory. For cross-protocol access, you can create a different protocol export, for example:
createfshare nfs -fstore ntfs_fstore -options rw,nohide -sharedir my_shared_dir nfs_share
NOTE: Unlike previous releases, the order of protocol share creation, or content in the directory, is no longer a concern. The ACL on the existing (shared) folder WILL NOT be overwritten with creation of new shares.
Cross-protocol access: Configuration rules, installation, upgrade and downgrade considerations
– With On disk version 12.1, new file stores created will have explicit security mode.
– File Stores created prior to upgrade are in LEGACY security mode implicitly.
– When creating file store with an earlier version of SSMC:
  – No option to select security mode
  – File stores would be created in LEGACY security mode.
Note: If NTFS security mode is desired this must be set with setfstore command before creating any data.
Cross-protocol access: Supported authentication providers
To ensure coherent cross-protocol access, each protocol’s client and server should resolve names to the same IDs and SIDs. Supported authentication providers are:
– Active Directory (AD) configured using one of the following two modes
  – Un-provisioned Mode
    • Users’ UID/GID get synthesized.
  – RFC2307 Mode
    • Each user and group object in Active Directory has UID and GID in UNIX attributes.
    • Adoption requires configuring each object in Active Directory with UNIX attributes – Risky and not a user-friendly option.
– LDAP
  – POSIX Schema
    • Users’ SID get synthesized
  – Samba Schema
    • User and group object in LDAP has corresponding SID in LDAP.
    • Adoption requires configuring each object in LDAP with SID as required. – Risky and not a user-friendly option.
Cross-protocol access: File Persona-supported authentication providers
Best practice:
– For Legacy security mode
  – Use Active Directory authentication with RFC2307 for cross-protocol access
  – Unless cross-protocol access by same user is required, keep RFC 2307 disabled
– For NTFS security mode
  – Use Active Directory authentication with RFC2307 for cross-protocol access
  – Unless cross-protocol access by same user is required, keep RFC 2307 disabled
  – If using LDAP authentication, use samba schema for cross-protocol access
The authorization and name service software used by the client should be able to synthesize IDs using the same logic as Local Security Authority Subsystem Service (LSASS) when an AD is in un-provisioned mode or LDAP is in POSIX schema.
To overcome this, File Persona adds a name-mapping capability.
Cross-protocol access: User Mapping Modes overview
File Persona v1.3 adds a name-mapping capability with different Join and Replace rules to map an AD user to an LDAP user and create an account with all the necessary ID and SID attributes to provide expected access across SMB and POSIX protocol.
User mapping between providers maps a user from an authentication provider to another user in the same or different providers:
– Static Mapping - Explicit mapping of a user to another user through a rule.
– Dynamic Mapping - User from one provider is mapped to a user with the same name from another provider without an explicit mapping rule
Cross-protocol access: User Mapping rules
Operator: =>
Description: Unidirectional Replace rule for static mapping.
Notes:
Once the “From” user is authenticated, the given operator Replaces the “From” user’s identity with the “To” user’s identity.
If the “To” user is missing any part of the identity or if the AD provider is in RFC2307 mode and the UID or primary GID is missing a rule, a failure will be reported.
If the “To” user is an LDAP user and LDAP is configured in a POSIX schema, the SID will be synthesized. If the “To” user is an AD user and the AD is configured to be in un-provisioned mode, UID/GID will be synthesized.
This type of mapping consolidates cross-protocol access to the same AD or LDAP account. It consolidates common access across-protocols without duplicating accounts and group memberships across name services.
Operator: ==
Description: Bidirectional Join rule for static and dynamic mapping.
Notes:
The operator Joins the native IDs of the “From” user and the “To” user.
There is no positional relationship based on the rule as it’s a bidirectional rule.
If an AD user logs in, the user’s identity includes the SID for the AD user and UID/GID of the mapped LDAP user. If an LDAP user logs in, the user’s identity includes UID/GID of the LDAP user and SID of the mapped AD user.
By using a wild card for both “From” and “To”, instead of a specific name this rule can be used to support dynamic mapping. For example, * == * would result in any user from a provider to be mapped to another user with the same name from another provider.
Cross-protocol access: User Mapping modes
STATIC Mapping
– Rules
  – From User => To User – Replaces the identity of the “From” user with that of the “To” user. Missing ID is synthesized. Modeled after Samba-style mapping. So, typically you would map an AD user to an LDAP user. Not good for bi-directional mapping. Since it is an identity transformation, there is no need for group mapping.
  – From User == To User – Joins the “From” user’s identity to the “To” user’s identity. Works well for bi-directional mapping. Synthesized IDs not used. Also needs an explicit mapping of the primary group or any other supplemental group that needs to be mapped. Can be used with both user and group names.
– Use case
  – Map users with different names across providers
  – Need to be placed first to override a dynamic-mapping entry
Cross-protocol access: User Mapping modes
Dynamic Mapping
– Rules
  – *==* - Any name with the same characters is mapped to the same name from a different provider with no domain component. Characters are treated as case-independent. Applies to both user and group names that are the same across providers.
– Use case
  – Map users with the same name across providers automatically without an explicit rule.
Cross-protocol access: User Mapping rules
Example of when to use Dynamic-Mapping Rules, instead of Static-Mapping rules
DOM\user1 == LDAP\user1
DOM\user2 == LDAP\user2
DOM\priGroupUsers1-5 == LDAP\priGroupUsers1-5
In this example, there is static mapping for user1 and user2. This requires a mapping of the primary groups for user1 and user2. The user names and group names are the same, so the following dynamic mapping rule can be used in place of the three static mapping rules:
* == *
Cross-protocol access: User Mapping usability flow
To enable user mapping, the mapping configuration file must be first imported to the cluster.
– Mapping file must be created with valid mapping entries on the client storage area.
– Once this file is created, it can be imported to the cluster using the “-importconf” option of the “usermap” subcommand.
– If the entries specified in the file are correct, then the file will be imported to the cluster.
– Once this is done we can enable user mapping by using the option -enable.
  – Enabling without importing the file will throw an error.
– Note that enabling and disabling user mapping includes restart of SMB server and may cause interruption to the SMB services.
– Once the mapping is enabled we can see the status of it using “showfs -usermap” command. We can also see the profile of the mapped user/group entries by providing the options to this subcommand.
– The “showfs -usermap” subcommand is also used to copy all the user/group entries of the given provider or mapping configuration to the client storage.
Cross-protocol access: User Mapping file
– Rules are evaluated in the order in which they appear in the mapping file until there is a match.
– Once a rule is matched, the processing stops.
– The typical placement of rules in a mapping file will be as follows:
1. Static Mapping rules may need to be placed first. It could be either a uni-directional replace or bi-directional join/merge rule depending on the deployment scenario. This would allow for overriding a subsequent dynamic rule.
2. Dynamic mapping rule to map users and groups with same name across providers.
In all the above rules, if a rule is matched, but the “To name” is not resolvable, it results in failure.
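The evaluation order described above (first match wins, static rules ahead of `* == *`, failure when the “To” name does not resolve) can be exercised with a small model. This is an added example, not code from the training material or from File Persona: the directory contents, IDs and function names are constructed, exactly two providers are assumed, ID synthesis is not modelled, and a login that matches no rule is assumed to keep its native identity.

```python
"""Toy model of ordered user-mapping evaluation (added example, constructed data)."""

# Constructed provider contents: lower-case name -> native IDs.
PROVIDERS = {
    "DOM": {   # Active Directory: native ID is a SID
        "alice": {"sid": "S-1-5-21-1000"},
        "bob": {"sid": "S-1-5-21-1001"},
        "svc_backup": {"sid": "S-1-5-21-1002"},
    },
    "LDAP": {  # LDAP: native IDs are UID/GID
        "alice": {"uid": 5000, "gid": 500},
        "asmith": {"uid": 5001, "gid": 500},
        "bob": {"uid": 5002, "gid": 500},
    },
}


class MappingError(Exception):
    """A rule matched but the mapping could not be completed."""


def parse_rules(text):
    """Parse 'From => To' / 'From == To' lines, keeping file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for op in ("=>", "=="):
            if op in line:
                left, right = (s.strip() for s in line.split(op, 1))
                rules.append((left, op, right))
                break
        else:
            raise ValueError(f"no operator in rule: {line!r}")
    return rules


def _split(qualified):
    """'DOM\\Alice' -> ('DOM', 'alice'); names compare case-independently."""
    provider, name = qualified.split("\\", 1)
    return provider.upper(), name.lower()


def _lookup(provider, name):
    entry = PROVIDERS.get(provider, {}).get(name)
    return dict(entry) if entry else None


def _match(rule, provider, name):
    """Return the (provider, name) this login maps to, or None if no match."""
    left, op, right = rule
    if (left, op, right) == ("*", "==", "*"):      # dynamic mapping
        other = next(p for p in PROVIDERS if p != provider)
        return other, name
    if _split(left) == (provider, name):           # "From" side matches
        return _split(right)
    if op == "==" and _split(right) == (provider, name):
        return _split(left)                        # join is bidirectional
    return None


def resolve(login, rules):
    """Return the effective identity for a login such as 'DOM\\alice'."""
    provider, name = _split(login)
    identity = _lookup(provider, name)
    if identity is None:
        raise MappingError(f"{login} not found in its own provider")
    for rule in rules:
        target = _match(rule, provider, name)
        if target is None:
            continue
        mapped = _lookup(*target)
        if mapped is None:                         # matched but unresolvable
            raise MappingError(f"{login}: rule {rule} matched, {target} not resolvable")
        if rule[1] == "=>":
            return mapped                          # Replace: "To" identity only
        return {**identity, **mapped}              # Join: native IDs of both
    return identity                                # assumption: no rule, no mapping


STATIC_FIRST = parse_rules("\n".join([r"DOM\alice => LDAP\asmith", "* == *"]))
DYNAMIC_FIRST = parse_rules("\n".join(["* == *", r"DOM\alice => LDAP\asmith"]))

if __name__ == "__main__":
    for label, rules in (("static first", STATIC_FIRST), ("dynamic first", DYNAMIC_FIRST)):
        print(label, resolve(r"DOM\alice", rules))
```

With the dynamic rule placed first, `DOM\alice` is joined to the unrelated `LDAP\alice` account and the static rule is never reached, which is the access-control reason for checking rule order before importing a mapping file.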
Cross-protocol access: User and Group Enumeration Support
Support for enumerating user and group objects, to enable migration from unprovisioned mode.
– Enumerate users and groups by provider to a file.
– Enumerate a specific user or group including mapped user.
– Use case
  – Check the validity of a mapping by enumerating a specific user.
– Options to migrate from un-provisioned mode:
1. Enumerate the user and group objects to find the synthesized ID and configure another authentication provider with synthesized IDs and setup mapping between those users.
2. Enumerate the user and group objects to find the synthesized ID and change the ownership of the file/directory objects from synthesized IDs to the ones in Active Directory in RFC2307 mode or LDAP in Samba Schema.
– setfs usermap command initiates the enumeration process
– showfs usermap command can be used to export enumerated data
Cross-protocol access: User Mapping support in File Persona 1.3 - manageability
– Mapping file can be imported through setfs usermap command
– Mapping file has to be imported to enable user mapping.
– Imported mapping file can be exported to view the content or to modify and reimport.
– Any time a mapping file change is imported or when user mapping is enabled from disabled state, setfs auth clearcache must be issued to clear the name caches.
– If a specific user’s mapping is modified, and there is already a session established for that user, the user needs to disconnect the client session prior to applying the map and reconnect after applying the map once the cache is cleared.
– Enumeration of user and group objects by provider can be initiated by setfs export command.
– showfs export can be used to export the file containing the results.
– showfs command also supports displaying individual user/group objects.
Cross-protocol access: User Mapping commands
A new subcommand “usermap” is added to the “setfs” and “showfs” commands, with options.
CLI Commands and Functionality
– setfs usermap [-f] -importconf <filepath_on_client>
  Imports user mapping configuration from the file specified.
– setfs usermap -export {users|groups} -provider <provider>
  Exports users/groups of the specified provider.
– setfs usermap [-f] -enable {true|false}
  Enables/Disables user-mapping configuration.
– showfs -usermap
  Displays user-mapping status
– showfs -usermap [-username <username> | -groupname <groupname> | -userid <uid|sid> | -groupid <gid|sid>] [-d]
  Displays mapped profiles of individual user/group entries.
– showfs -usermap-export {users|groups} -provider <provider> -file <filepath_on_client>
  Copies all exported users/groups entries of the given provider to the client storage.
– showfs -usermap-exportconf -file <filepath_on_client>
  Exports and copies mapping configuration to the client storage.
File Lock Enterprise Mode: File Lock for data retention
WORM, Legal Hold, Retention
• Administrators can only extend the retention period of a file and/or delete a retained file
• Retention profiles like autocommit period, and legal holds supported
• Ensures data integrity via checksum validation for WORM files
• Uses system clock to enforce retention policies
Configured and managed at VFS or File Store level
Protects against accidental, premature, or malicious deletion and modification of data
Provides data retention for any period of time as required by legal statute or internal policy
Enterprise mode
File Lock enterprise mode: Benefit
– Retention of files for certain periods of time is a mandatory requirement in Health care, Banking, Finance, etc., where records must be retained for a period specified by Govt. or industry regulatory requirements.
– Data retention is intended for sites that need to archive read-only files for business purposes and to ensure that files cannot be modified or deleted for a specific retention period.
– To ensure that WORM and retained files remain unchanged, it is important to run a data validation scan periodically.
– These features are qualified extensively with ISV partners like GE Healthcare, Genetech, AgFa, Commvault etc.
File Lock Enterprise Mode: Features
– Snaplock Protocol – from NFS, CIFS and HTTP, commands like chmod 444 (POSIX) can be used to convert a normal file to WORM; set atime to a future value in order to set the retention period.
– Validation scans – Validation on an FStore or a VFS profile can be enabled. This allows the FS to generate checksums for retained files for periodic validation through a scheduled validation scan.
– Autocommit – An Autocommit period can be defined in the profile. This essentially means that once a file is not accessed (read/write) for a period greater than the Autocommit period, the file automatically transitions to a retained state.
– Legal Hold – A special admin command can be used to place a “Hold” on a file. This essentially retains the file indefinitely until the “Hold” is “Cleared”.
  – Enables files to be retained indefinitely
  – File cannot be moved, modified, or deleted regardless of the retention period
  – File reverts to its original retention period when legal hold is revoked
  – Multiple legal hold is not supported
File Lock Enterprise Mode: Retention Policy
Note
– If the default retention period is set to zero, the file automatically becomes WORM.
– If the default retention period is set to a value greater than zero, the files become WORM-retained.
Retention Period: Description
– Default: If a specific retention period is not applied to a file
– Minimum: Shortest amount of time that a WORM file can be retained
– Maximum: Longest retention period a file can have once committed to WORM
– Autocommit: Any unchanged files automatically become WORM or WORM-retained when this period expires
File Lock Enterprise Mode: The State Diagram
[Figure: state diagram. States: Normal file, WORM, Retained, On hold; the label “Immutable” also appears. Transition and state labels:]
– File set to RO or autocommit timer expires
– Retained until retention period expires
– Apply legal hold (shown twice)
– File on hold cannot be deleted regardless of retention period
– File can be deleted from a WORM state
File Lock Enterprise Mode: File states
Files in a FileStore can be in any of the following states:
State: Normal
Description: A file is normal when it is created in read-only mode or read/write mode, and it can be modified and deleted at any time.
State: Write-Once Read-Many (WORM)
Description: Once a file is created (written) it is converted into a read-only file with no writing permissions thereafter. This file is called a Write-Once Read-Many (WORM) file. A WORMed file’s content and Permissions/ACLs can NEVER be modified.
State: WORM-retained
Description: A WORM file becomes a WORM-Retained file when a specific retention period is applied to it. The file is a WORM file until the retention period expires. Throughout the duration of the retention period the file cannot be modified and deleted.
State: WORM-Held
Description: The administrator can apply a legal hold on a WORM file. This file is called a WORM-Held file. Once a WORM file is put on hold, the file cannot be modified or deleted until the hold is released or revoked.
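The file states and transitions described in the slides above, as a small state model that can be stepped through with explicit timestamps. This is an added example, not File Persona code: class and method names are constructed, times are plain integers, autocommit is assumed to take effect at the moment the idle timer expires, and minimum/maximum period enforcement and administrative deletion are not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    NORMAL = "Normal"
    WORM = "WORM"
    RETAINED = "WORM-retained"
    HELD = "WORM-Held"


class RetentionError(Exception):
    """Operation refused by the retention model."""


@dataclass
class Policy:
    default_period: int                      # 0 -> commit to plain WORM
    autocommit_period: Optional[int] = None  # None -> autocommit not configured


class LockedFile:
    def __init__(self, policy: Policy, now: int):
        self.policy = policy
        self.last_access = now
        self.committed = False
        self.expiry: Optional[int] = None    # None -> no retention period
        self.held = False

    def _autocommit(self, now):
        # Idle for longer than the autocommit period: commit at timer expiry.
        period = self.policy.autocommit_period
        if not self.committed and period is not None and now - self.last_access > period:
            self.commit(self.last_access + period)

    def commit(self, now, retain_until=None):
        """Model of 'set read-only' (chmod 444), optionally with a future atime."""
        if self.committed:
            raise RetentionError("file is already WORM")
        if retain_until is None and self.policy.default_period > 0:
            retain_until = now + self.policy.default_period
        self.committed, self.expiry = True, retain_until

    def state(self, now):
        self._autocommit(now)
        if not self.committed:
            return State.NORMAL
        if self.held:
            return State.HELD                # hold wins over any expiry
        if self.expiry is not None and now < self.expiry:
            return State.RETAINED
        return State.WORM

    def modify(self, now):
        if self.state(now) is not State.NORMAL:
            raise RetentionError("content of a WORM file cannot be modified")
        self.last_access = now

    def delete(self, now):
        if self.state(now) in (State.RETAINED, State.HELD):
            raise RetentionError("file is retained or on hold")
        return True

    def set_retention(self, new_expiry):
        if not self.committed:
            raise RetentionError("only a WORM file can be retained")
        if self.expiry is not None and new_expiry <= self.expiry:
            raise RetentionError("retention can only be extended")
        self.expiry = new_expiry

    def set_hold(self):
        if not self.committed or self.held:
            raise RetentionError("hold needs a WORM file with no existing hold")
        self.held = True

    def clear_hold(self):
        # The original expiry is untouched, so the file reverts to it.
        self.held = False


if __name__ == "__main__":
    f = LockedFile(Policy(default_period=100, autocommit_period=30), now=0)
    f.modify(10)
    print(f.state(40), f.state(41), f.expiry)
```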
File Lock Enterprise Mode: Implementation
– The archive features in File Persona support WORM, Retention and Data Validation at a file-store granularity
– These features are available through standard protocols, such as NFS, CIFS and HTTP – this is traditionally known as SnapLock protocol semantics (chmod 444 OR attrib –R like commands honored from protocols)
– Retention attributes or profiles can be set at an Fstore granularity and support the following attributes:
  – Min retention period
  – Max retention period
  – Default retention period
  – Autocommit period (optional if Autocommit is required)
  – Validation
– Validation scans can be run on a single fstore or even at a granularity of a directory or a share level
– Backup and Recovery options through Virtual XATTRs allow integration of both share based backup and NDMP based backups
File Lock Enterprise Mode: Administration (CLI)
The 3PAR CLI commands to support File Lock Enterprise Mode are categorized into the following groups:
– setfsarchive
– showfsarchive
– startfsarchive
– stopfsarchive
– removefsarchive
Various operations supported by the CLI are explained in the slides that follow.
File Lock Enterprise Mode: setfsarchive
Configures the retention policy
– setfsarchive pol [-mode {enterprise} -defperiod <defaultperiod> -minperiod <minperiod> -maxperiod <maxperiod> -autocommperiod <retentionautocommitperiod>] [-retenvalidation {enable|disable}] [-fstore <fstorename>] [-fpg <fpgname>] <vfs>
Enable or disable the inheritance at the FSTORE level
– setfsarchive pol_inherit -inheritance {enable|disable} -fstore <fstorename> [-fpg <fpgname>] <vfs>
Sets/releases legal hold for the file specified
– setfsarchive legalhold {-set |-clear} [-basepath <basepath>] {-files <filepath>[,<filepath>]… | -inputfile <pathoffile>} [-fpg <fpgname>] <vfs>
Changes the retention expiration date for the specified retained file(s)
– setfsarchive retention [-basepath <basepath>] {-files <filepath>[,<filepath>]… | -inputfile <pathoffile>} -expdate <expirydate> [-fpg <fpgname>] <vfs>
File Lock Enterprise Mode: showfsarchive
Displays the retention policy for the files in the file provisioning group at the VFS or File Store level
– showfsarchive pol [-fstore <fstorename>] [-fpg <fpgname>] [ <vfs>]
List the retention setting for the specified file at the given path or for all the files at the given path
– showfsarchive files [-basepath <basepath>] {-files <filepath>[,<filepath>]… | -inputfile <pathoffile>} [-fpg <fpgname>] <vfs>
Displays the information of the data validation scan
– showfsarchive scan [-exportsummary] -fstore <fstorename> [-jobid <jobid>] [-fpg <fpgname>] <vfs>
Displays if FPG is retention enabled or not
– showfsarchive retention <fpgname>
File Lock Enterprise Mode: startfsarchive
Starts the data validation scan on the file provisioning group at the File Store level on the path given:
– startfsarchive scan [-path <path>] [-fpg <fpgname>] -fstore <fstorename> <vfs>
Resumes the halted data validation scan:
– startfsarchive scan -resume <jobid> [-fpg <fpgname>] -fstore <fstorename> <vfs>
File Lock Enterprise Mode: stopfsarchive
Stops the already running data validation scan:
– stopfsarchive scan [-f] [-fpg <fpgname>] -fstore <fstorename> <vfs> <jobid>
Pauses the already running data validation scan:
– stopfsarchive scan -pause [-fpg <fpgname>] -fstore <fstorename> <vfs> <jobid>
File Lock Enterprise Mode: removefsarchive
Deletes the specified retained/Wormed file(s):
– removefsarchive files [-basepath <basepath>] {-files <filepath>[,<filepath>]… | -inputfile <pathoffile>} [-fpg <fpgname>] <vfs>
Removes the retention period for the file specified:
– removefsarchive retention [-basepath <basepath>] {-files <filepath>[,<filepath>]… | -inputfile <pathoffile>} [-fpg <fpgname>] <vfs>
Removes the data validation scan job:
– removefsarchive scan [-fpg <fpgname>] -fstore <fstorename> <vfs> <jobid>
File Lock Enterprise Mode: Upgrade and downgrade considerations
– File Persona releases are controlled by separate software versions and on-disk versions (ODV).
– File Lock Enterprise Mode is a new feature in the File Persona 1.3 release, and any new FPG created on version 1.3 gets an ODV of 12.1.
– Any older version (like 1.2 with ODV 12.0) can be upgraded to 1.3, but the existing FPG will continue to have ODV 12.0 until a separate on-disk upgrade is performed.
– File Lock Enterprise Mode profiles can be set on an FPG which has an ODV of 12.1.
– On-disk revert is not currently supported on File Persona; any software revert from 1.3 will be vetoed until FPGs with ODV 12.1 are deleted.
File Lock Enterprise Mode: Troubleshooting
Enable WORM-related logging from the filesystem (issue the command from the VM which has the FPG mounted)
– rtool debug trace 0x0400000000000000LL
Specify the debug output location
– rtool debug trace_destination
Enable debug mode for WORM admin commands (issue the command from the active node)
– pm_server_config -c com.hp.storage.pml.file.archiving.api.ArchivingLog -v debug -p
List of logs to check for admin commands
– /var//log/pml/HpArchivingPlugin.log
– /var//log/pml/master.log
File Lock Enterprise Mode: Troubleshooting
Validation scan related logs will be available under /var/log/ade.
– validation.dbg
– validation.err
– validation.info
Online FSCK: To minimize downtime for FS consistency checking
• Adaptive File System delivers high data integrity by design and is proven robust
• In case a FSCK is ever needed, it is online
• Minimal recovery downtime
  – Offline checks limited to metadata necessary to mount file system
  – Most consistency checks online with file system active and serving data
• Limited data unavailability
  – Most corruptions fixed in background or on access
  – Unavailability limited to corruptions that cannot be fixed on access
[Figure: timeline (axis: Time) comparing the two approaches. Previously with offline FSCK: file system offline during completely offline verification and correction of corruptions. Now with online FSCK: pre-mount offline verification and correction of minimal metadata to mount, then file system online with online verification and inline correction of corruptions.]
Complements inherent robustness of the HPE Adaptive File System
Executed by support only
Online FSCK: Features
– Online File system metadata validation and correction.
– Online FSCK will fix the metadata inconsistencies where possible. If there are certain corruptions that can't be fixed online, it would require offline FSCK
– Minimize Downtime for FS Consistency Checking
– Allow normal FS operations during Online FSCK
– Minimal Performance Impact on user File IO (open/read/write) operations
– Prevent propagation of corruption. Do not allow inconsistent object to be accessed!
– Ability to reconstruct lost+found name space entries for VFS and File Store.
– Dynamic Progress Reporting via 3PAR CLI
– Ability to restart after system crash or in case of FPG failover – Progress Check Pointing.
Online FSCK: Function
– An unverified and potentially inconsistent FS is made available for Online FSCK operations
– Validates and corrects any metadata required to bring the file system online, i.e. to mount it.
– Local properties of objects and global properties of FS structures are consistency checked and verified on demand or in a background thread
  – VFS/FileStore checking happens on priority once FS is mounted.
  – VFS/FileStore found consistent or corrected inline are made available.
– Object consistency is checked on-demand on access
  – Made available if found consistent
  – Made available if it can be corrected inline (Most inconsistencies can be corrected inline immediately!)
  – If it cannot be corrected inline, object denied access (EACCESS error)
  – Correction carried out later during last phase of Online FSCK and object made available.
– Progress check pointing supports restart from where it left in case of node crash or FPG failover.
Online FSCK: When to run FSCK?
– HPE Tech Support will run FSCK either in response to an FSCK alert event generated by the file system itself or in case of certain FS errors.
– If a metadata inconsistency is detected by the File system module in an active file system, File System services will send an FSCK event with ALERT level to the 3PAR event system.
  – The event will show up in the “showalert” CLI command and the “Alerts” tab in the GUI.
– There are certain error scenarios, besides the ones where the file system raises an FSCK alert, that require FSCK.
  – For example, failure to activate the FPG either due to transaction log replay failure or due to metadata inconsistency detected while activating the FPG, or an internal error received when doing some VFS(Mtree)/FileStore(Stree) admin operation.
  – Repeated VM node crash while activating the FPG – crash due to inconsistent transaction log record.
Online FSCK: How to run Online FSCK?
Verify the state of the filesystem
showfpg -d hpe_fpg
– If filesystem is DEACTIVATED, nothing needs to be done.
– If filesystem is ACTIVATED, it can be gracefully DEACTIVATED using the following command
setfpg -deactivate hpe_fpg
– If graceful deactivation is not successful, perform a force deactivation of the filesystem. Filesystem will stay activated, but will be isolated and frozen.
setfpg -deactivate hpe_fpg -forced
Online FSCK: How to run Online FSCK?
Use 3PAR CLI command “cli startfsck online <fpg_name>” to start Online FSCK on the required FPG.
– # cli startfsck online hpe_fpg
– This command returns the task id to the user.
– Using the showtask -d <task_id> command one can check the status of the online FSCK task.
– The # cli showfsck -d <task_id> command should be used for a detailed Online FSCK progress report.
Online FSCK: Administration
– When FS detects metadata inconsistency, FPG FSCKState will be set to FSCK_REQUIRED and further attempts to activate the FPG will fail with FSCK required.
root@1617507-1 Mon Dec 07 15:09:54:~# showfpg
                 ------(GB)-------
FPG  -Mountpath- -Size-- Available ActiveStates    -DefaultCpg- -VVs-- State  Version
fpg1 /fpg1       4096.00   4093.60 FAILED_TO_MOUNT NL_r5        fpg1.1 failed 12.1
-------------------------------------------------------------------------------------
   1 total       4096.00   4093.60
root@1617507-1 Mon Dec 07 15:10:18:~# showfpg -d fpg1
------------------File Provisioning Group---------------------
File Provisioning Group : fpg1
Active path : /fpg1
Active State : FAILED_TO_MOUNT
Freeze State : NOT_FROZEN
Isolation State : ACCESSIBLE
Upgrade State : OK
Version : 12.1
FsGeneration : 1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Filesystem Number : 1
Size (GB) : 4096.00
Free (GB) : 4093.60
Available (GB) : 4093.60
Used (GB) : 2.40
Files : 320298
Files Free : 8867822269
Default CPG : NL_r5
VVs : fpg1.1
Primary Node : 0
Alternate Node : 1
Current Node : 0
Comment : -
State : failed
SegmentNumber FSCKState     FSCKPhaseRequired
            1 FSCK_REQUIRED PHASE0_AND_PHASE1
Domain                               Owner FsName Filesets VVIDs Nodes IpFsType
cf9b4c81-3ebd-4699-9c57-6e6577c2fdd9     0 fpg1   fileset1   222 1,0   ADE
Volume VVID Nodes Capacity(GB)
fpg1.1  222 1,0        4096.00
Online FSCK: FPG activation failures example
cli% showfpg
                 ------(GB)-------
FPG  -Mountpath- -Size-- Available ActiveStates -DefaultCpg- -VVs-- State
fpg1 /fpg1       1024.00   1022.78 DEACTIVATED  FC_r0        fpg1.1 failed
cli% showalert
Id : 81
State : New
Message Code: 0x0720001
Catalog-Key : filesystem-event:filesystem.cmd.mount.failed
Time : 2015-08-18 11:07:03 IST
Severity : Major
Type : File Provisioning Group
Message : File Provisioning Group:3743175153205572185:fpg1 Failed (NEEDS_SERVICE)
Details : FPG Event: FPG fpg1 mount failed on host node1fs. Reason: Verify storage health and run FSCK phase 0 and 1
cli% setfpg -f -activate fpg1
11901
3paravatar19-ganjihal cli% waittask -v 11901
Id Type Name Status Phase Step -------StartTime------- ------FinishTime------- -Priority- -User--
11901 background_command setfpg_task failed --- --- 2015-08-18 12:07:35 IST 2015-08-18 12:07:36 IST n/a 3paradm
Detailed status:
2015-08-18 12:07:35 IST Created task.
2015-08-18 12:07:35 IST Updated Executing "setfpg_task" as 1:10161
2015-08-18 12:07:36 IST Updated Activating FPG fpg1
2015-08-18 12:07:36 IST Error Failed to activate fpg1: FPG fpg1 has one or more unavailable segments. Verify storage health and run FSCK phase 0 and 1
2015-08-18 12:07:36 IST Error Task exited with status 1
2015-08-18 12:07:36 IST Failed Could not complete task.
Task has failed
Callouts: DEACTIVATED, FAILED_TO_MOUNT
Online FSCK
– Start Online FSCK via “cli startfsck online <fpg>”
# cli startfsck online fpg1
11856
Note down the above task id ‘11856’ returned.
– Now, FSCKState should be ONFSCK_RUNNING
– Use task id returned by “cli startfsck” for further checking Online FSCK progress details and task status.
root@1617507-1 Mon Dec 07 15:12:10:~# cli startfsck online fpg1
11856
root@1617507-1 Mon Dec 07 15:13:21:~# showfpg
                 ------(GB)-------
FPG  -Mountpath- -Size-- Available ActiveStates -DefaultCpg- -VVs-- State  Version
fpg1 /fpg1       4096.00    819.20 ACTIVATED    NL_r5        fpg1.1 normal 12.1
----------------------------------------------------------------------------------
   1 total       4096.00    819.20
root@1617507-1 Mon Dec 07 15:13:25:~# showfpg -d fpg1
------------------File Provisioning Group---------------------
File Provisioning Group : fpg1
Active path : /fpg1
Active State : ACTIVATED
Freeze State : NOT_FROZEN
Isolation State : ACCESSIBLE
Upgrade State : OK
Version : 12.1
FsGeneration : 1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Filesystem Number : 1
Size (GB) : 4096.00
Free (GB) : 819.20
Available (GB) : 819.20
Used (GB) : 3276.80
Files : 160155
Files Free : 1774593746
Default CPG : NL_r5
VVs : fpg1.1
Primary Node : 0
Alternate Node : 1
Current Node : 0
Comment : -
State : normal
SegmentNumber FSCKState      FSCKPhaseRequired
            1 ONFSCK_RUNNING NONE
Domain                               Owner FsName Filesets VVIDs Nodes IpFsType
cf9b4c81-3ebd-4699-9c57-6e6577c2fdd9     0 fpg1   fileset1   222 1,0   ADE
Online FSCK: How to check Online FSCK task status and progress details?
– Use task id returned by # cli startfsck for further checking Online FSCK progress details and task status.
– # cli showfsck [-d] <task_id> - Prints detailed Online FSCK progress report. Where “-d” option can be used to display more details regarding online FSCK phases, file and segment details.
root@1617507-1 Mon Dec 07 15:13:54:~# cli showfsck -d 11856
-----------------FPG Online FSCK Status------------------
FPG : fpg1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Active State : ACTIVATED
Online FSCK Status : RUNNING 85%
Start Time : 2015-12-07 15:11:12 IST
Comment :
----------------------Segment 1 Details-----------------------
                                         Quarantined/  Pending/
Components              Total   Verified Discrepancies Remaining
VFS Status                  2          1             0         1
File Store                 16          8             0         8
File Stats for Segment 163216     163214             0         2
-------------------VFS Phase Details-------------------
Name                                 Status    Completed
VFS Metadata Validation Phase        COMPLETED 100%
VFS Namespace Validation - 1st Pass  COMPLETED 100%
VFS Namespace Validation - 2nd Pass  PENDING   0%
-------------------FStore Phase Details-------------------
Name                                    Status    Completed
FSTORE Metadata Validation Phase        COMPLETED 100%
FSTORE Namespace Validation - 1st Pass  COMPLETED 100%
FSTORE Namespace Validation - 2nd Pass  PENDING   0%
------------------File Progress Details-------------------
Name                               Status    Completed
Initializing online fsck metadata  COMPLETED 100%
Checking mcells(inodes)            COMPLETED 100%
Checking orphan inodes             COMPLETED 100%
Checking inode corruption list     COMPLETED 100%
Checking tag free list             COMPLETED 100%
Checking orphan tag[s]             COMPLETED 100%
Checking namespace connectivity    RUNNING   20% (32643/163217)
Checking ACL's                     PENDING   0%
Checking DDL entries               PENDING   0%
Sending notifications              PENDING   0%
root@1617507-1 Mon Dec 07 15:11:48:~# cli showfsck 11856
-----------------FPG Online FSCK Status------------------
FPG : fpg1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Active State : ACTIVATED
Online FSCK Status : RUNNING 85%
Start Time : 2015-12-07 15:11:12 IST
Comment :
Online FSCK: How to check Online FSCK task status and progress details?
Once the Online FSCK completes, the showfsck command will have the following output
root@1617507-1 Mon Dec 07 15:13:56:~# cli showfsck -d 11856
-----------------FPG Online FSCK Status------------------
FPG : fpg1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Active State : ACTIVATED
Online FSCK Status : COMPLETED 100%
Start Time : 2015-12-07 15:11:12 IST
Comment :
Once the 3PAR startfsck task completes with status ‘done’, showfsck states that the task is already completed, and FSCKState moves from onfsck_running to not_required, which marks the completion of the online FSCK job.
root@1617507-1 Mon Dec 07 15:16:30:~# cli showfsck -d 11856
Task 11856 is already completed.
root@1617507-1 Mon Dec 07 15:16:44:~# showtask
Id Type Name Status Phase Step -------StartTime------- ------FinishTime------- -Priority- -User--
11856 background_command startfsck_task done --- --- 2015-12-07 15:11:12 IST 2015-12-07 15:16:25 IST n/a 3parsvc
Online FSCK: Configuration rules, installation, upgrade and downgrade considerations
– Online FSCK can only be initiated on deactivated FPG
– Online FSCK is supported on File Persona Group with on-disk version 12.1 onwards.
– Online FSCK is not supported for File Persona Group (FPG) with on-disk version 11.0 and 12.0
This feature is supported on currently shipping 3PAR platforms running 3.2.2 MU3 release with File Persona Release v1.3.
Online FSCK: Performance impact
– File access might be faster, if the file being accessed is already checked by online FSCK and inode is still in page cache.
– There is a slight performance impact, if the file being accessed is checked on demand.
– There is a noticeable performance impact, if recursive files listing (ls -ltR) is performed on directory tree with millions of files.
Online FSCK: Gotchas
– Online FSCK can’t be initiated on an FPG which is almost FULL, i.e. 100% used.
– Once Online FSCK is started, currently there is no way to abort Online FSCK, but it can be stopped by forced deactivation and then it is mandatory to run offline FSCK.
– While Online FSCK is in progress, the following 3PAR-level alert might be raised regarding FPG usage; this is normal and FPG usage comes back to normal once the Online FSCK completes storage bit map checking.
Id : 21
State : New
Message Code: 0x0720001
Catalog-Key : filesystem-event:filesystem.notification.fs.full
Time : 2016-02-02 15:42:01 IST
Severity : Informational
Type : File Provisioning Group
Message : File Provisioning Group:8903413616047350074:ofsck Normal (NEEDS_SERVICE)
Details : FPG Event: FPG ofsck usage reaches 80% of its capacity. FPG performance may decrease significantly as it becomes increasingly full.
– Online FSCK will fix the metadata inconsistencies where possible. If there are certain corruptions that can't be fixed online, it would require offline FSCK.
Online FSCK: Troubleshooting
– What files to gather (file name and path)
  – As part of Online FSCK execution, the following log file gets generated on the Current Node which owns the FPG.
    /var/log/ade/online_fsck.<domain_name>.log
– Commands to run and what output to collect
  “cli collectfs create <collect_name>”
Online FSCK: Troubleshooting
– If online FSCK fails to start due to insufficient free space, then the following error will be displayed
root@1633434-1 Tue Jan 12 15:01:21:~# showtask -d 9045
Id Type Name Status Phase Step -------StartTime------- ------FinishTime------- -Priority- -User--
9045 background_command startfsck_task done --- --- 2016-01-12 14:56:55 IST 2016-01-12 14:57:27 IST n/a 3parsvc
Detailed status:
2016-01-12 14:56:55 IST Created task.
2016-01-12 14:56:55 IST Updated Executing "startfsck_task" as 1:30587
2016-01-12 14:56:56 IST Updated Executing online FSCK
2016-01-12 14:56:56 IST Updated PML task: e09ab72d8e964168a0c427793e463316
2016-01-12 14:57:27 IST Error FSCK execution failed: Unknown Task Status: state EXCEPTION startTime 2016-01-12T09:28:09.318Z endTime 2016-01-12T09:28:40.168Z status {FPG fpg1 mount failed. Error: Not enough free space to run Online FSCK.}
2016-01-12 14:57:27 IST Completed scheduled task.
– What does each error message mean?
  – If online FSCK fails to start due to insufficient space, then offline FSCK should be run.
Online FSCK task states
The ‘fsckState’ for a given FPG transitions from one state to another during the lifecycle of an FPG requiring FSCK. The ‘showfpg -d <fpg>’ command can be used to check the current ‘fsckState’, as shown in the following example.
root@1617507-1 Mon Dec 07 15:10:18:~# showfpg -d fpg1
------------------File Provisioning Group---------------------
File Provisioning Group : fpg1
Active path : /fpg1
Active State : FAILED_TO_MOUNT
Freeze State : NOT_FROZEN
Isolation State : ACCESSIBLE
Upgrade State : OK
Version : 12.1
FsGeneration : 1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Filesystem Number : 1
Size (GB) : 4096.00
Free (GB) : 4093.60
Available (GB) : 4093.60
Used (GB) : 2.40
Files : 320298
Files Free : 8867822269
Default CPG : NL_r5
VVs : fpg1.1
Primary Node : 0
Alternate Node : 1
Current Node : 0
Comment : -
State : failed
SegmentNumber FSCKState FSCKPhaseRequired
1 FSCK_REQUIRED PHASE0_AND_PHASE1
Domain Owner FsName Filesets VVIDs Nodes IpFsType
cf9b4c81-3ebd-4699-9c57-6e6577c2fdd9 0 fpg1 fileset1 222 1,0 ADE
Volume VVID Nodes Capacity(GB)
fpg1.1 222 1,0 4096.00
‘fsckState’: the FSCK state for the FPG segment in general.
Possible values include:
– NOT_REQUIRED: the segment is healthy and therefore FSCK is not needed.
– FSCK_REQUIRED: the segment is unavailable. Admin must run Online or Offline FSCK on the segment to make the segment available.
– ONFSCK_RUNNING: the FPG is mounted and Online FSCK is running on the segment.
– ONFSCK_STOPPED: Online FSCK is stopped on the segment because the FPG was unmounted while Online FSCK was still running.
– OFFLINE_FSCK_REQUIRED: the segment is unavailable. Online FSCK was run on the segment and failed. Admin must run Offline FSCK on the segment to make the segment available.
– OFFLINE_FSCK_RUNNING: the FPG is unmounted and Offline FSCK is currently running on the segment.
‘fsckPhaseRequired’ (this field applies only to running Offline FSCK): the Offline FSCK phases that are currently required for the FPG segment. Possible values:
– NONE: the segment is available and therefore the FPG can be mounted. No Offline FSCK phase is required.
– PHASE0_AND_PHASE1: the segment is unavailable and therefore the FPG cannot be mounted. Offline FSCK phase 0 and phase 1 are required.
– PHASE1: the segment is unavailable and therefore the FPG cannot be mounted. Offline FSCK phase 1 is required.
root@1617507-1 Mon Dec 07 15:10:18:~# showfpg -d fpg1
------------------File Provisioning Group---------------------
File Provisioning Group : fpg1
Active path : /fpg1
Active State : FAILED_TO_MOUNT
Freeze State : NOT_FROZEN
Isolation State : ACCESSIBLE
Upgrade State : OK
Version : 12.1
FsGeneration : 1
UUID : cc584d78-ba20-49aa-9f14-8e6f7886ad94
Filesystem Number : 1
Size (GB) : 4096.00
Free (GB) : 4093.60
Available (GB) : 4093.60
Used (GB) : 2.40
Files : 320298
Files Free : 8867822269
Default CPG : NL_r5
VVs : fpg1.1
Primary Node : 0
Alternate Node : 1
Current Node : 0
Comment : -
State : failed
SegmentNumber FSCKState FSCKPhaseRequrired
1 FSCK_REQUIRED PHASE0_AND_PHASE1
Domain Owner FsName Filesets VVIDs Nodes IpFsType
cf9b4c81-3ebd-4699-9c57-6e6577c2fdd9 0 fpg1 fileset1 222 1,0 ADE
Volume VVID Nodes Capacity(GB)
fpg1.1 222 1,0 4096.00
Antivirus Overview
– Policy-based antivirus scanning over SMB, NFS and HTTP (used by Object Access (REST) API) protocols
– Exclusion AV policies at the VFS level and override policies at File Store level
– Supports up to 50 virus scan servers for redundancy and improved throughput performance
– Antivirus software supported using ICAP integration
– SYMANTEC, MCAFEE, TRENDMICRO or SOPHOS
– Single AV vendor solution at a time per system
– Supports on-access and on-demand scanning
– AV statistics (files scanned, files infected, files quarantined)
[Diagram: Client PCs send a request to access a file to the 3PAR StoreServ over NFS/SMB/HTTP. The StoreServ notifies the Antivirus Scan Servers over ICAP, the file is scanned and the results are sent back, and access is granted or denied based on the scan results.]
Antivirus Enhancements: With File Persona v1.3
– New vendor support – Sophos VSE vendor (Virus Scan Engine)
– Works the same as the current vendors
– Needs a physical machine with internet connectivity
– Works across all platforms
– Selective quarantine bulk operation
– Flexibility to operate on a subset of infected files in a VFS or File Store
– Choose infected files based on the exportlist (either VFS or File Store specific)
– New field in quarantine command "quar_file" to support the subset
– Exportlist has a limit of 3k files.
– Works across all platforms
Antivirus Enhancements: New vendor - Sophos
– In Unity 1.2, the supported vendors are SYMANTEC, MCAFEE and TRENDMICRO.
– In Unity 1.3, the new vendor SOPHOS is supported along with the existing SYMANTEC, MCAFEE and TRENDMICRO.
setfsav pol [-scan {enable|disable|inherit}] [-vendor <vendor_name>] [-fileop {open|openclose|inherit}] [-unavail {allow|deny|inherit}] [-excludesize {<size>|inherit}] [-excludeext {<ext>[,<ext>...]|inherit}] [-inheritall] [-fpg <fpgname>] [-fstore <fstore>] <vfs>
-vendor <vendor_name> Specifies the antivirus vendor name. Valid values are SYMANTEC, MCAFEE, TRENDMICRO or SOPHOS. Only valid in VFS context.
Example using AV 3par console
root@1633429-0 Mon Feb 08 16:03:07:~# showfsav
Vendor IpAddress PortNum Status
SOPHOS 10.2.22.2 1344 UP
-------------------------------
1 total
root@1645431-1 Tue Sep 01 04:19:50:~# setfsav pol -scan enable -vendor SOPHOS -fileop open -unavail allow -excludesize 10 -excludeext htm,jpg vfs1
root@1645431-1 Tue Sep 01 04:19:50:~# showfsav pol vfs1
-----Exclude------
VFS FileStore - Vendor- Scan FileOp Unavail Size(MB) Extension
vfs1 - SOPHOS ON OPEN ALLOW 10 htm,jpg
-----------------------------------------------------------------------------------
1 total
root@1645431-1 Tue Sep 01 04:19:50:~#
For improved performance, tuning is needed for Sophos VSE
threadcount - 32
maxqueuedsessions - 1024 ~ 1280
Antivirus Enhancements: Selective quarantine bulk operation
Currently Quarantine operations (move/delete/reset/list) are performed on all the infected files within a VFS or file store.
CLI Enhancement - Flexibility to operate on a subset of infected files in a VFS or File Store.
– 3PAR CLI adds ‘quar_file’ option to supply a subset of quarantined files.
– Move: setfsav quar move -fpg fpg1 -quar_file <quar_fpg1_vfs1_move.txt> vfs1
– Delete: setfsav quar delete -fpg fpg1 -quar_file <quar_fpg1_vfs1_delete.txt> vfs1
– Reset: setfsav quar reset -fpg fpg1 -quar_file <quar_fpg1_vfs1_reset.txt> vfs1
Syntax: setfsav quar {exportlist|move|reset|delete} [-fpg <fpgname>] [-fstore <fstore>] [-quar_file <filepath>] <vfs>
Option
-quar_file <filepath> Takes the full path of a file, present in the .admin store, which contains the list of all quarantined files to be operated upon for move, reset or delete. This option can only be used with move, reset and delete operations.
move Move each file contained in the file provided on the -quar_file option to the default location (.admin/AV/Quarantine folder in the specified VFS) with a timestamp.
reset Reset the quarantined files listed in the file provided, under the specified vfs/fstore
delete Delete the quarantined files listed in the file provided, under the specified vfs/fstore
<vfs> Virtual file server name
Example – using AV 3par console
File system : fpg1 ; VFS name : vfs1 ; Fsstore : fstore1/fstore2
List of infected files in vfs1:
setfsav quar exportlist vfs1
Make the container files in .admin share:
\.admin\AV\Quarantine\quar_fpg1_vfs1_move.txt
\.admin\AV\Quarantine\quar_fpg1_vfs1_reset.txt
\.admin\AV\Quarantine\quar_fpg1_vfs1_delete.txt
Execute flexible bulk operation:
setfsav quar move -fpg fpg1 -quar_file .admin/AV/Quarantine/quar_fpg1_vfs1_move.txt vfs1
setfsav quar delete -fpg fpg1 -quar_file .admin/AV/Quarantine/quar_fpg1_vfs1_delete.txt vfs1
setfsav quar reset -fpg fpg1 -quar_file .admin/AV/Quarantine/quar_fpg1_vfs1_reset.txt vfs1
Object Access API: Clients access through the SMB and NFS protocols and Object Access API
SMB 3.0, 2.1, 2.0, and 1.0 protocols for Microsoft Windows and Apple OS X
NFSv4 and v3 protocols for Linux and UNIX
Object Access (REST) API for custom cloud apps
Object Access API: HPE 3PAR Object Access API Support
The File Persona software also supports access to directories and files using the HPE 3PAR Object Access API. Using the HTTP protocol, you can integrate direct file access into applications.
The object access API supports the following operations (v1.2):
– Creating, replacing, renaming, downloading, retrieving information about, and deleting a file
– Creating, retrieving content and information about, and deleting a directory
– Changing owner and user permissions
– Changing groups
– Setting, retrieving, and removing extended attributes
– Committing data to a disk
Object Access API Enhancements: New features
File Copy feature (includes directory)
– Supports copying a file to another file and location in the share.
– Supports copying a directory and all of its contents recursively (as in "cp -R …") to a new directory name and location in the share.
– Feature uses POSIX copy semantics.
Partial File Access feature
– Supports byte range operations allowing an application to retrieve a portion of the file without downloading the entire file.
– Supports byte range operations allowing an application to modify a portion of the file without writing the entire file.
– Uses HTTP Range header to specify the bytes to be read/written to in a file.
Statistics
– Supports HTTP Daemon statistics collection to enable integration into the perf stat.
– Uses apache mod_status to get the statistics which will be provided to perfmonitor.
Object Access API Enhancements: Administration (File Copy)
Copying a file to another file and location. Uses PUT method.
PUT http://IP/v1/shareurl/path/file?cmd=cp&destination=<string>&overwrite=<bool>&preserve=<bool>
– destination - is valid local path within the http share boundary (stree).
– overwrite - Causes file to be overwritten if already present. Default is false.
– preserve - Causes default file attributes (mode, ownership, timestamps) to be preserved during copy. Default is false.
Copying a directory and all of its contents recursively. Uses PUT method.
PUT http://IP/v1/shareurl/path/dir_to_be_copied?cmd=cp&destination=<string>&recursive=<bool>&overwrite=<bool>&preserve=<bool>
– destination - is valid local path within the http share boundary (stree).
– recursive - Causes files and sub-directories to be copied recursively. Default is false.
– overwrite - Causes file to be overwritten if already present. Default is false.
– preserve - Causes default file attributes (mode, ownership, timestamps) to be preserved during copy. Default is false.
Object Access API Enhancements: Administration (Partial File Access)
Byte Range operations can be used to retrieve a portion of the file. Supports the Range header and uses the GET method.
GET http://IP/v1/shareurl/path/file -u <user>:<pass> -H "Range: bytes=<start>-<end>" -k --verbose
The byte range specified in a file retrieve request refers to offsets within the file specified as part of the resource URL. Multiple byte ranges are not supported.
Examples of byte-ranges-specifier values:
– The first 500 bytes (byte offsets 0-499, inclusive): bytes=0-499
– The second 500 bytes (byte offsets 500-999, inclusive): bytes=500-999
– The final 500 bytes (byte offsets 9500-9999, inclusive): bytes=-500 Or: bytes=9500-
Byte Range operations to modify a portion of the file. Uses PUT method
POST "http://IP/v1/shareurl/t1.txt" --data '----' -u <user>:<pass> -H "Range: bytes=<start>-<end>" -H "Content-Type: text/xml" -k --verbose
Assuming the file that has to be updated (t1.txt) contains the text 1234567890, and the supplied chunk data is always 4 dashes (----):
1. Command will apply chunk data to file t1.txt, within offsets specified by byte range.
POST "http://10.21.14.13/v1/urlmyshare/t1.txt" --data '----' -k --verbose -u http_user1:hpinvent -H "Range: bytes=1-4" -H "Content-Type: text/xml"
– Contents of updated file: 1----67890
2. Command will apply chunk data to file t1.txt, starting at byte offset 2 in target file t1.txt specified by byte range.
POST "http://10.21.14.13/v1/urlmyshare/t1.txt" --data '----' -k --verbose -u http_user1:hpinvent -H "Range: bytes=2-" -H "Content-Type: text/xml"
– Contents of updated file: 12----7890
Object Access API Enhancements: Administration (Statistics)
– perfmonitor runs every minute and provides the fm_perfMonitor utility to display the HTTP stats to the user.
– CLI commands can be used to get the HTTP statistics.
– "statfs -http" continuously displays the statistics for each interval of 1 minute by default.
statfs -http [-iter <number> -d <secs> -node <nodeid>[,<nodeid>]... -verbose]
Option Description
-http Displays HTTP statistics.
-iter <number> Specifies that the statistics are to stop after the indicated number of iterations using an integer from 1 through 2147483647.
-d <secs> Specifies the interval in seconds that statistics are sampled from using an integer from 1 through 2147483. If no count is specified, the command defaults to 60 seconds. Information is only updated every 6 seconds; shorter intervals will redisplay the same information.
-node <nodeid>[,<nodeid>]... Specifies the node on which to report statistics.
-verbose Specifies that all statistics will be displayed. Each statistic is displayed on its own line.
– "srstatfshttp" gives historical data. By default, the report for the past 12 hours is displayed with a high sampling frequency of 5 minutes.
srstatfshttp [-attime -btsecs <secs> -etsecs <secs> -hires -hourly -daily -groupby <node> -node <node>[,<node>...] -sortcol <col>[,<dir>][:<col>[,<dir>]...]]
-attime Performance is shown at a particular time interval, specified by the -etsecs option, with one row per object group described by the -groupby option. Without this option performance is shown versus time, with a row per time interval.
-btsecs <secs> Select the begin time in seconds for the report.
-etsecs <secs> Select the end time in seconds for the report. If -attime is specified, select the time for the report.
-hires Select high resolution samples (5 minute intervals) for the report. This is the default.
-hourly Select hourly samples for the report.
-daily Select daily samples for the report.
-groupby <groupby>[,<groupby>...] For -attime reports, generate a separate row for each combination of <groupby> items. Each <groupby> must be different and one of the following: NODE The controller node
-node <node>[,<node>...] Limit the data to that corresponding to one of the specified nodes.
-sortcol <col>[,<dir>][:<col>[,<dir>]...] Sorts command output based on column number (<col
There are a total of nine counters for HTTP statistics. Currently there is no option to enable or disable specific counters.
CLI Output Name | XML Tag name from PML | Description
Total accesses | TotalAccess | Total number of accesses to the Object share
Total KBserved | TotalkBytesServed | Total number of bytes served in Kilo Bytes
Apache cpuload | ApacheCPULoad | CPU percentage used by the Apache (httpd) process
Server uptime | ServerUptime | Uptime since the last restart of the httpd server
Requests/sec | RequestsPerSec | Average number of requests served per second
bytes/sec | BytesPerSec | Average number of Bytes per second
bytes/request | BytesPerRequest | Average number of Bytes per request
Worker_count Busy | BusyWorkerCount | Number of busy httpd workers
Worker_count Idle | IdleWorkerCount | Number of idle httpd workers
Scoreboard | Scoreboard | Representation of the server's current state. It is a string of 58 characters by default and can go all the way to 128 characters.
Object Access API Enhancements: Configuration rules, installation, upgrade and downgrade considerations
– Copy, partial file access and statistics features are available on installation of File Persona v1.3 or upgrade to File Persona v1.3. There is no configuration involved.
– These features do not prevent upgrade/downgrade.
– There is no noticeable performance impact from having the copy, partial file access and statistics features.
– Partial File Access does not support multi-byte range.
– No provision to disable/enable counters of http in statistics
Object Access API Enhancements: Troubleshooting (Copy Feature)
– Errors are returned as appropriate HTTP error codes with accompanying JSON error information in the response.
– If Copy is terminated in the middle of an operation due to an interrupt or error, files or file hierarchies may be only partially copied, and files and directories may have incorrect permissions or access and modification times.
– While using copy for a file, if there exists a file with the same name as the source file in the destination, the cp operation will overwrite the pre-existent file only if "overwrite=true" is specified in the request.
– While using copy for a directory and its contents (files & dir), if there exists a file with the same name as the source file in the destination, the cp operation will overwrite the pre-existent file only if "overwrite=true" is specified in the request.
Object Access API Enhancements: Troubleshooting (Partial File access Feature)
Errors are returned as appropriate HTTP error codes with accompanying JSON error information in the response. The status codes are listed below.
HTTP Status Code | Reason
200 or 204 | When operation was successful
400 | Invalid Range header
404 | File not found
416 | Request Range not satisfiable (end byte being lower than the start byte)
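The byte-range rules and status codes described for Partial File Access can be modelled locally on in-memory bytes. The following Python sketch is an added example, not code from HPE or the Object Access API; the function names, the 416 answer for a start offset past the end of the file, the refusal of suffix ranges on update and the chunk-length check are assumptions.

```python
import re

BAD_RANGE, NOT_SATISFIABLE = 400, 416  # codes from the status table above
_SPEC = re.compile(r"bytes=(\d*)-(\d*)")


class RangeRejected(Exception):
    """Raised with the HTTP status the request would be answered with."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def parse_range(header):
    """Parse a single byte-range into (first, last); either may be None."""
    if "," in header:  # multiple byte ranges are not supported
        raise RangeRejected(BAD_RANGE, "multiple byte ranges not supported")
    m = _SPEC.fullmatch(header.strip())
    if not m or not (m.group(1) or m.group(2)):
        raise RangeRejected(BAD_RANGE, "invalid Range header")
    first = int(m.group(1)) if m.group(1) else None
    last = int(m.group(2)) if m.group(2) else None
    if first is not None and last is not None and last < first:
        raise RangeRejected(NOT_SATISFIABLE, "end byte lower than start byte")
    return first, last


def read_range(data, header):
    """Model of a GET with a Range header: return only the selected bytes."""
    first, last = parse_range(header)
    size = len(data)
    if first is None:  # suffix form, e.g. bytes=-500 (the final 500 bytes)
        if last == 0:
            raise RangeRejected(NOT_SATISFIABLE, "empty suffix range")
        return data[max(size - last, 0):]
    if first >= size:  # assumption: standard HTTP range behaviour
        raise RangeRejected(NOT_SATISFIABLE, "start offset past end of file")
    end = size - 1 if last is None else min(last, size - 1)
    return data[first:end + 1]


def write_range(data, header, chunk):
    """Model of a partial update: overwrite bytes in place from 'first'."""
    first, last = parse_range(header)
    if first is None:  # assumption: suffix form is refused for updates
        raise RangeRejected(BAD_RANGE, "suffix range not valid for update")
    if first > len(data):  # assumption: no writes that would leave a hole
        raise RangeRejected(NOT_SATISFIABLE, "start offset past end of file")
    if last is not None and len(chunk) != last - first + 1:
        # assumption: a closed range must match the chunk length exactly
        raise RangeRejected(BAD_RANGE, "chunk length does not match range")
    return data[:first] + chunk + data[first + len(chunk):]


if __name__ == "__main__":
    original = b"1234567890"  # the t1.txt contents used in the slide example
    print(write_range(original, "bytes=1-4", b"----"))
    print(write_range(original, "bytes=2-", b"----"))
    for bad in ("bytes=0-1,4-5", "bytes=4-1", "bytes=abc"):
        try:
            read_range(original, bad)
        except RangeRejected as exc:
            print(bad, "->", exc)
```

Rejecting malformed, multi-range and inverted ranges before touching the file keeps a client error from turning into an unintended partial overwrite.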
Object Access API Enhancements: Troubleshooting (Statistics)
– The ‘statfs -http’ command will continuously display the performance report for each interval of 1 minute by default. This period can be changed by specifying the -d option.
– The sampling frequency and duration of the srstatfshttp report can be modified by using -hires/-hourly/-daily and -btsecs/-etsecs respectively.
Learning check 1
What are the primary workloads addressed by File Persona? (Select three)
A. Home directories and user/group shares
B. Video editing and media streaming
C. Virtualization
D. Content management & collaboration
E. Data preservation & governance
F. Databases
Learning check 2
Which On-Disk version upgrade is possible in 3PAR OS 3.2.2 MU3 release? (Select two)
A. On-disk version 11 to 11.1
B. On-disk version 11 to 12
C. On-disk version 11.1 to 12.1
D. On-disk version 12 to 12.1
Learning check 3
Which protocols can be used to get access to files or directories over the network? (Select all that apply)
A. SMB
B. NFS
C. FTP
D. FTPS
E. HTTP
F. iSCSI
Learning check 4
If LEGACY security mode is configured, which of the following statements is true? (Select one)
A. File names are case insensitive, regardless of accessing protocol.
B. File names are case sensitive, regardless of accessing protocol.
C. File names are case insensitive when accessed from Windows clients and case sensitive when accessed from POSIX clients.
D. File names are case sensitive when accessed from Windows clients and case insensitive when accessed from POSIX clients.
Learning check 5
What are the possible states of a file in a File Store? (Select three)
A. Normal
B. Normal-retained
C. WORM
D. WORM-retained
Learning check 6
How can a WORM file be prevented from being deleted? (Select two)
A. No action required.
B. Set retention period to a value greater than zero.
C. Use startfsarchive command.
D. Set legal hold for the file
Learning check 7
What are features of Online FSCK? (Select three)
A. Metadata validation and correction
B. User-data validation and correction
C. Normal FS operations are allowed during FSCK
D. Minimized Downtime for FS consistency checking
Learning check 8
Who should run FSCK, and when? (Select one)
A. User on a regular basis.
B. Administrator before starting a full backup.
C. Administrator after creating a new FPG.
D. HPE Tech Support either in response to FSCK alert event generated by the file system itself or in case of certain FS errors.
Learning check 9
What is a function of User Mapping in File Persona? (Select one)
A. To join File Persona nodes to an Active Directory domain
B. To map an AD user to an LDAP user and create an account to provide access across SMB and POSIX protocols.
C. To use LDAP to authenticate File Persona users and groups.
D. To set the authentication provider stacking order.
Learning check 10
What are Static User Mapping characteristics? (Select two)
A. Maps users with different names across providers.
B. Maps users with same name across providers.
C. Need to be placed first in the mapping file to override a dynamic mapping entry.
D. Only bidirectional (==) operator can be used.