fcadmin

July 7th, 2009

Table of Contents

NAME

fcadmin – Commands for managing Fibre Channel adapters.

SYNOPSIS

fcadmin command argument

DESCRIPTION

The fcadmin utility manages the Fibre Channel adapters used by the storage subsystem. Use these commands to show link and loop level protocol statistics, list the storage devices connected to the filer, and configure the personality of embedded adapters.

USAGE

fcadmin config
[ <adapter_name> ... ]

fcadmin config
[ -? ]
[ -e | -d ]
[ -t {target|initiator|unconfigured} ] [ <adapter_name> ... ]

fcadmin [link_stats|fcal_stats|device_map] <adapter_name>

DESCRIPTION

The fcadmin link_stats, fcal_stats and device_map commands are identical to the fcstat command options. For more information, see fcstat

The fcadmin config command configures the personality of embedded Fibre channel (FC) adapters. When no arguments are given, the fcadmin config command returns configuration information about all of the embedded FC adapter(s) on the filer. Embedded FC adapters always appear in slot 0. If no embedded FC adapters exist, the fcadmin config command is not supported and an error is returned.

The fcadmin config command displays the following information:

Adapter:
An adapter name of the form Xy, where X is zero and y is a letter (e.g. 0a or 0c).

Type: The type of adapter: initiator or target. The adapter type is determined by which device driver controls the adapter. When the storage initiator driver is attached, the adapter is an initiator. When the FCP target mode driver is attached, the adapter is a target. A filer reboot is required to attach a new driver when the adapter type is changed. The storage initiator driver is attached prior to any configuration changes. The default adapter type is initiator.

Status:
The status of the adapter, online or offline, reported from the attached driver. Before changing the adapter type, the status must indicate that the adapter is offline.

State: The configuration state of the adapter. Use the configuration state to track changes in the the type and state of the adapter.

The following configuration states exist:

CONFIGURED
The adapter is configured and the specified driver is attached. This is the normal operating state.

UNCONFIGURED
The adapter is forced offline by the attached driver and cannot be used. This state is only valid when the initiator driver is attached (the adapter Type is initiator).

PENDING
An adapter Type and/or State change is pending. A filer reboot is required for the change to take effect. While in the PENDING state, the adapter is forced offline by the attached driver and cannot be used.

There are three possible PENDING substates: (target), (initiator), and (unconfigured). When changing the adapter type from initiator to target, the adapter moves to the PENDING (target) state. When changing the adapter type from target to initiator, the adapter moves to the PENDING (initiator) state. The PENDING (unconfigured) state means that a change is pending that will affect both the type and state of the adapter. The PENDING (unconfigured) state only occurs when the target driver is attached to the adapter (the adapter ype is target) and a change has been made to move the adapter to the UNCONFIGURED state. When the initiator driver is attached, no reboot is required to change between the CONFIGURED and UNCONFIGURED state.

DISPLAYS

Example output:
  filer> fcadmin config                      Local   Adapter Type      State                  Status   —————————————————     0a   initiator  CONFIGURED             online     0b   initiator  UNCONFIGURED           offline     0c   initiator  PENDING (target)       offline     0d   target     PENDING (unconfigured) offline 

OPTIONS

-?
Provides online help for the fcadmin config command.

-e
Enables the adapter by calling the attached driver’s online routine. When the adapter type is initiator, it has the same effect as the storage enable adapter command. When the adapter type is target, it has the same effect as the fcp config up command. Enabling the adapter changes the adapter status from offline to online.

-d
Disables the adapter by calling the attached driver’s offline routine. When the adapter type is initiator, it has the same effect as the storage disable adapter command. When the adapter type is target, it has the same effect as calling the fcp con_fig down command. Disabling the adapter changes the adapter status from online to offline.

-t type
Changes the adapter type and/or state. Valid type arguments are initiator, target, and unconfigured. Before changing the adapter configuration with this option, the adapter must be offline. You can take the adapter offline in a number of ways. If using the -d option does not work, use the utilities for the attached driver. You can also force the adapter offline by removing the FC cable from the adapter port at the back of the filer. If a filer reboot is required to change the adapter configuration following the use of this option, the adapter moves to the PENDING (type) state to indicate that a reboot is required.

adapter_name
The name of one or more adapters, separated by spaces. When no other option is provided, the specified adapter(s) configuration displays. If no adapter_name argument is provided, the configurations of all adapters display.

NOTES

Automatic Reconfiguration
Under some circumstances, the filer may boot with the wrong driver attached. When this happens the embedded adapters are reprogrammed to their proper type and state and the filer is automatically rebooted to attach the correct driver. Before rebooting, the fci.config.autoReboot EMS message displays on the console. Events that can cause this problem include maintenance head swaps, use of the console set-defaults command, and other operations that affect the filer’s boot environment state.

Repair
When DataONTAP is fully initialized and running, configuring an adapter with the fcadmin config utility records the adapter configuration in both the filer’s boot environment and on-disk, in the filer’s root volume. Following a console set_defaults operation, a maintenance head swap, or other event that destroys the boot environment state, the initiator driver is attached to all embedded adapters during boot. This ensures that all storage loops are discovered during boot. After the filer’s root volume comes online, the boot environment configuration is checked against the on-disk configuration information. If a misconfiguration is detected, the boot environment information is restored and the filer automatically reboots to attach the correct drivers and restore the original configuration. This provides consistency between maintenance head swaps and other events which destroy the boot environment.

Maintenance Mode Operation
You can use the fcadmin config utility while in Maintenance Mode. After changing the adapter configuration in Maintenance Mode, a reboot is required for the change to take effect. When run from Maintenance Mode, no on-disk configuration information can be stored because the filer’s root volume is unavailable. To account for this, the fcadmin config utility indicates that the boot environment configuration needs to be recorded ondisk during a subsequent reboot. After changing the adapter configuration in Maintenance Mode, the boot environment configuration becomes canonical. Otherwise, the on-disk configuration is canonical.

New Installations
Following a new installation of Data ONTAP, the ondisk configuration information is undefined. When this condition is encountered, then the boot environment configuration becomes canonical and the ondisk configuration is programmed to match the existing boot environment configuration. In this way the embedded adapter configuration is preserved across new installations. To modify this behavior you must perform a console set-defaults operation, and/or use the fcadmin config utility in Maintenance Mode to change the configuration, prior to installing Data ONTAP.

CLUSTER CONSIDERATIONS

Symmetric target adapter configuration needed in a CFO: To support the FCP cfmodes partner, standby, mixed, and dual_fabric, both filers must share a symmetric adapter configuration. For example, if adapters 0a and 0c are configured as a target on one CFO filer, then adapters 0a and 0c must be configured as a target on the partner filer. Non-symmetric adapter configurations cause service interruptions during CFO takeover and giveback.

Use of fcadmin config during takeover: After a takeover occurs, you can use the fcadmin config utility to read the partner head’s on-disk configuration information. When this is done, only the adapter type and state are reported. The online/offline status cannot be reported because no hardware is present. You can use this functionality to determine the partner head’s embedded port configuration prior to doing a giveback. You cannot change the adapter type and state when run from partner mode.

Example output:

  dopey(takeover)> partner fcadmin config    Warning: The system has been taken over. Adapter configuration is not possible.                      Partner   Adapter Type      State                  Status   —————————————————     0a   initiator  CONFIGURED.            —     0b   initiator  UNCONFIGURED           —     0c   target     CONFIGURED             —     0d   target     CONFIGURED             —    Maintenance head swaps in a CFO:    During a maintenance head swap procedure in a CFO,  the embedded adapter configuration   must be changed before doing a giveback to avoid FCP service interruptions. When the   embedded adapters are used for FCP target mode operation in a CFO,  boot   the new head into Maintenance Mode prior to doing the first giveback and use   the fcadmin config utility to restore the adapter configuration.   For more information about Maintenance Mode operation,  see  floppyboot.   EMS MESSAGES   fci.config.offline:           The fci.config.offline message displays anytime  an          adapter  fails to come online because of a mismatch          in the configuration state.           _NF_NF_          For example:            surf> storage enable adapter 0a           Host adapter 0a enable failed           Tue Aug 3 16:13:46 EDT [surf: fci.config.offline:notice]: Fibre channel adapter 0a is offline because it is in the PENDING (target) state. 

fci.config.state:

The fci.config.state message displays anytime an adapter has changed states:

  For example:    surf> fcadmin config -t target 0a   A reboot is required for the new adapter configuration to take effect.   Mon Aug    2 14:53:04 EDT [surf: fci.config.state:notice]: Fibre channel initiator adapter 0a is in the PENDING (target) state. 

fci.config.needsReboot:

The fci.config.needsReboot message displays when a service is started while there are adapters in the PENDING state waiting for reconfiguration:

  For example:       surf> fcp start      FCP service is running      Thu Aug 5 16:09:27 EDT [surf: fci.config.needsReboot:warning]: Reboot the filer for Fibre channel target adapter(s) 5a 5b to become available. 

fci.config.autoReboot:

Under some circumstances, the filer automatically reboots to ensure the adapter configuration is correct. The fci.config.autoReboot message displays to notify the user of this condition. This condition is normally only encountered after a maintenance head swap procedure.

fci.config.error:

This message indicates an error has occured during the Auto-reconfiguration process. The specified adapter(s) will be unavailable until the problem is fixed.

fcp.service.config:

The fcp.service.config message displays anytime the FCP service is started on a platform which supports fc configuration but no target adapters are present.

ERRORS

"The system has been taken over. Adapter configuration is not possible.”

"platform does not support FC adapter configuration”

"adapter adapter_name is not configurable”

"can’t find adapter adapter_name

"can’t configure adapter adapter_name to type type

"invalid boardType value

"invalid adapterType value

"Invalid type argument: type

"internal error”

"can’t determine adapter adapter_name status”

"adapter adapter_name must be offline before changing configuration”

"adapter adapter_name failed to come online”

"adapter adapter_name failed to go offline”

"failed to configure adapter adapter_name to the <offline or online> state”

"adapter adapter_name is in use. Must set adapter offline by storage disable adapter command, or disconnect cable.”

BUGS

Under some circumstances an adapter can not be put offline with the fcadmin config -d command. When this happens use the associated driver utility, fcp config or storage disable adapter, to change the adapter status or remove the cable from the adapter port at the back of the filer.

SEE ALSO

cf , fcp , storage , san , floppyboot , fcstat


Table of Contents











7-mode Manual Pages , , , ,

exports

July 7th, 2009

Table of Contents

NAME

exports – directories and files exported to NFS clients

SYNOPSIS

/etc/exports

DESCRIPTION

The /etc/exports file contains a list of export entries for all file system paths that Data ONTAP exports automatically when NFS starts up. The /etc/exports file can contain up to 10, 240 export entries. Each export entry can contain up to 4, 096 characters, including the end-of-line character. To specify that an export entry continues onto the next line, you must use the line continuation character "\”.

An export entry has the following syntax:

Each export entry is a line in the following format:

pathname -option[, option ] …

The following list describes the fields in an export entry:

pathname
path name of a file or directory to be exported.

option
the export option specifying how a file or directory is exported.

You can specify an option in one of the following formats:

actual=path
Specifies the actual path to use when a NFS client attempts to mount the original path. This option is useful for moving mount points without reconfiguring the clients right away. Note that while the exported pathname need not exist, the pathname given as a parameter to actual must exist.

anon=uid|name If a request comes from user ID of 0 (root user ID on the client), use uid as the effective user ID unless the client host is included in the root option. The default value of uid is 65534. To disable root access, set uid to 65535. To grant root access to all clients, set uid to 0. The user ID can also be specified by a name string corresponding to an entry in /etc/passwd.

nosuid
If a request tries to set either with either setuid or setgid or if a special file, i.e., block or character type via mknod, then nosuid disallows that request. The default mode is to allow such requests.

ro | ro=hostname[:hostname]…
A pathname can be either exported ro to all hosts or to a set of specified hosts.

rw | rw=hostname[:hostname]…
A pathname can be either exported rw to all hosts or to a set of specified hosts. If no access modifiers are provided, then the default is rw.

root=hostname[:hostname]…
Give root access only to the specified hosts. Note that there is no -root option, i.e., this option always takes at least one hostname as a parameter.

sec=secflavor[:secflavor]…
Allow access to the mounted directory only using the listed security flavors. If no sec directive is provided, then the default of sys is applied to the export. The sec directive may appear multiple times in a rule, which each appearance setting the context of the following directives: anon, nosuid, ro, root, and rw. The contexts apply in order. If only one security context is provided in an export, then it applies regardless of where it appears in the export. Note that any given secflavor can only appear once in an export rule.

The supported security flavors are:

sys
for Unix(tm) style security based on uids and gids

krb5
for Kerberos(tm) Version 5 authentication.

krb5i
for Kerberos(tm) Version 5 integrity service

krb5p
for Kerberos(tm) Version 5 privacy service

The Kerberos(tm) authentication service verifies the identity of the users accessing the filer on all accesses, and also verifies to the client that the responses are from the filer. The integrity service provides a strong assurance that the messages have not been tampered with. The privacy service ensures that messages intercepted on the wire cannot be read by any other party. The integrity and privacy services both include authentication. The default security flavor is sys.

The security flavor of none can also be applied to an export. If the client uses this flavor, then all requests get the effective UID of the anonymous user. Also, if a request arrives with a security context which is not present in the export, and none is allowed, then that request is treated as if it arrived with the flavor of none.

HOSTNAMES

A host is allowed to mount an export if it has either ro or rw access permissions.

A hostname is described as:

[-][machine name|netgroup|machine IP|subnet|DNS domain]

Where, `-’ indicates that the host is to be denied access.

A machine name is an alphanumeric string.

A netgroup is also an alphanumeric string and describes a group of machine names. If NIS is not enabled, then each netgroup must be defined in the /etc/netgroup file. If NIS is enabled, then each netgroup may either be in a NIS mapping or defined in the /etc/netgroup file.

If a netgroup occurs in both NIS and /etc/netgroup, then the ordering given in /etc/nsswitch.conf determines which definition is used.

A netgroup can be differentiated from a hostname by prepending an `@’ to the name. When an entry begins with an `@’, ONTAP treats it as netgroup and not a hostname. When an entry does not begin with `@’, the handling depends on the setting of the option nfs.netgroup.strict.

If nfs.netgroup.strict is set, then the `@’ determines whether an entry is either a netgroup or a hostname. In this case, when an entry appears without a prepended `@’, it is assumed to be a hostname, i.e., it cannot be a netgroup.

If nfs.netgroup.strict is not set, then an entry with `@’ will still only denote a netgroup, but the absence of the `@’ does not determine that an entry is a host.

The use of the nfs.netgroup.strict option eliminates spurious netgroup lookups (which can be helpful to performance). If it is not used, backwards compatibility with export specifications in which netgroups are not specified with an `@’ is retained.

A machine IP is in dotted decimal format: AAA.BBB.CCC.DDD

A subnet is in the forms:

dotted_IP/num_bits
The dotted_IP field is a subnet number. The num_bits field specifies the size of the subnet by the number of leading bits of the netmask.

"[network] subnet [netmask] netmask” The subnet field is the subnet number. The netmask field is the netmask. Note that the keywords network and netmask are optional.

A DNS domain starts with a `.’ and is alphanumeric.

If there is a machine name and a netgroup with the same name, then the hostname is assumed to be the name of a machine.

In UNIX, it is illegal to export a directory that has an exported ancestor in the same file system. Data ONTAP does not have this restriction. For example, you can export both the /vol/vol0 directory and the /vol/vol0/home directory. In determining permissions, the filer uses the longest matching prefix.

DUPLICATE DETECTION

Neither the same path nor the same file handle can be advertised for exports. We restrict the path names to make mounts unique and the file handle restriction makes per NFS request checking also be unique.

As the /etc/exports file is parsed and the same path is determined to be used for exporting, then the last instance of the export rule is stored in memory. Note that different path names may evaluate to the same advertised path:

/home

/vol/vol0/home

/vol/vol0/home/ontap/..

The addition of actual complicates the rules for determining what gets exported. If an export uses -actual, then neither the advertised path nor the actual storage path may be duplicated in memory.

ACCESS RULES

There is no set ordering of options, but as the ro and rw options interact, there is a strict interpretation of these options:

1) -rw is the default if -ro, -ro=, -rw, and -rw= are all not present.

2) If only -rw= is present, ro is not the default for all other hosts. This rule is a departure from pre-6.5 semantics.

3) -ro, ro= and -rw, rw= are errors.

4) -ro=A, rw=A is an error

5) -ro=A, rw=-A is an error

6) -ro=-A, rw=A is an error

7) The position of -rw, -rw= -ro, and -ro= in the options does not have any significance

8) -ro trumps -rw

9) -ro= trumps -rw

10) -rw= trumps -ro

11) A specific host name in either -ro= or -rw= overrides a grouping in the other access specifier.

12) -ro= trumps -rw=

13) Left to right precedence, which determines `-’ and the order we go across the wire.

Note, "A trumps B" means that option A overrules option B.

ACCESS RULES EXAMPLES

Given the following netgroups:

farm pets (alligator, , ) livestock workers

pets (dog, , ) (cat, , ) (skunk, , ) (pig, , ) (crow, , )

livestock
(cow, , ) (pig, , ) (chicken, , ) (ostrich, , )

workers
(dog, , ) (horse, , ) (ox, , ) (mule, , )

predators
(coyote, , ) (puma, , ) (fox, , ) (crow, , )

We can illustrate the access rules thusly:

/vol/vol0 -anon=0

All hosts have rw access, and root at that.

/vol/vol0 -root=horse, rw

All hosts have rw access, but only horse has root access.

/vol/vol0 -anon=0, rw=horse

Only horse has access and it is rw. Note the departure from the prior rule format, in which all other hosts would by default have ro access.

/vol/vol0 -anon=0, ro, rw=horse

All hosts have ro access, except horse, which has rw access.

/vol/vol1 -ro=@workers, rw=@farm:canary /vol/vol1 -rw=@farm:canary, ro=@workers

All hosts in the netgroup farm have rw access, except dog, horse, ox, and mule. All of which have ro access. In addition, canary has rw access to the export. Note that both lines are identical with respect to determining access rights.

/vol/vol2 -ro=@pets, rw

All hosts have rw access, except for dog, cat, skunk, pig, and crow, all of which have ro access.

/vol/vol2 -ro=-@pets, rw

All hosts have rw access, except for dog, cat, skunk, pig, and crow, all of which have no access at all.

By rule #9, all members of the netgroup pets are denied rw access. By negation, all members of the netgroup pets are denied ro access.

/vol/vol2 -ro, rw=@pets:canary

All hosts have ro access, except for canary, dog, cat, skunk, pig, and crow, all of which have rw access.

/vol/vol2 -ro, rw=-@pets:canary

All hosts have ro access, except for canary which has rw access.

/vol/vol2 -ro, rw=@pets:@farm:canary

All hosts have ro access, except for canary and all hosts in the netgroups pets and farm, which all have rw access.

/vol/vol2 -ro, rw=-@pets:@farm:canary

All hosts have ro access, except for all hosts in the netgroup farm, excluding all hosts in the netgroup pets, which have rw access. The host canary also has rw access.

If the host cat wants to write to /vol/vol2, by rule #10, we first check the -rw= access list. By rule #13, we check for access in order of -@pets, @farm, and finally canary. We match cat in the netgroup pets and therefore cat is denied rw access. It will however be granted ro access.

/vol/vol2 -ro, rw=@farm:-@pets:canary

Effectively, all hosts have ro access, except for canary and all hosts in the netgroup farm, which all have rw access.

If the host cat wants to write to /vol/vol2, by rule #10, we first check the -rw= access list. By rule #13, we check for access in order of @farm, -@pets, and finally canary. We match cat in the netgroup farm, by expansion, and therefore cat is granted rw access.

/vol/vol2a -rw=@pets:-@workers, ro=@livestock

By rule #12, cow, pig, chicken, and ostrich all have ro access.

By rule #13, dog, cat, and skunk all have rw access.

By negation, horse, ox, and mule have no rw access and by rule #2, they have no access at all.

/vol/vol2a -rw=-@workers:pets, ro=@livestock

By rule #12, cow, pig, chicken, and ostrich all have ro access.

By rule #13, negation, and rule #2, dog, horse, ox, and mule have no access.

cat and skunk have rw access.

/vol/vol3 -ro=@pets, rw=@farm:lion

All hosts in the netgroup farm have rw access, except for all hosts in the netgroup pets, which all have ro access. In addition, the host lion has rw access.

If the host cat wants to write to /vol/vol3, by rule #12, we first check the -ro= access list. We match cat in the netgroup pets and therefore we deny rw access.

/vol/vol4 -ro=10.56.17/24, rw=10.56/16

All hosts in the subnet 10.56/16 have rw access, except those in the subnet 10.56.17/24, which have ro access.

/vol/vol17
-ro=10.56.17/24, rw=10.56.17.5:10.56.17.6:farm

All hosts in the subnet 10.56.17/24 have ro access, except, by rule #11, for 10.56.17.5 and 10.56.17.6, which have rw access. If the hosts in the netgroup farm are on the 10.56.17/24 subnet, they have ro access, else they have rw access. Rule #11 allows for specific hosts to be excluded from a range provided by a group. Since it makes no sense to compare netgroups to subnets, we do not allow exceptions by groups.

/vol/vol19
-ro=10.56.17.9:.frogs.fauna.mycompany.com, \\ rw=.fauna.mycompany.com

All hosts in the subdomain .fauna.mycompany.com get rw access, except those in the subdomain Note that we determine this result from rule #12 and not rule #11; we do not evaluate if one grouping construct is a subset of another. If 10.56.17.9 is in the subdomain .fauna.mycompany.com, then by rule #11, it gets ro access.

/vol/vol21 -ro=10.56.17.9, rw=-pets:farm:skunk

Rule #11 interacts with rules #5 and #6 in an interesting way, if a host is mentioned in an export by either name or IP, then it appears that it will always be granted the access given by whether it is in -ro= or -rw=. However, rule #13 still applies. Thus, 10.56.17.9 always gets ro access, but in this case by rule #13, skunk is denied access to the mount. Since skunk is a member of the netgroup pets, and pets is denied rw access by negation, skunk is denied access.

/vol/vol5
-ro=.farm.mycompany.com, sec=krb5, rw, anon=0

If the secflavor is sys, then all hosts in the DNS subdomain of .farm.mycompany.com are granted ro access. If the secflavor is krb5, then all hosts are granted rw access.

/vol/vol6 -sec=sys:none, rw, sec=krb5:krb5i:k4b5p, rw, anon=0

If the secflavor is sys or none, then all hosts are granted rw access, but effectively all root access is blocked. If the secfla_vor is from one of the secure krb5, krb5i, or krb5p, then rw and effectively root access are both granted.

UPGRADING

Exports defined prior to ONTAP 6.5 contain a different option, -access, which defined which hosts were permitted to mount an export. With the newer finer grained options, and by allowing more flexibility such as netgroups in the options, -access has been removed as an option.

Another significant change is that -ro is no longer the default if -rw= is present as an option.

During the upgrade process, the /etc/exports file is converted to the newer format.

The rules for upgrading to the new format are:

1) -root= options stay the same

2) No access list => -rw

3) -access=X => -rw=X

4) -ro => -ro

5) -access=X, ro => -ro=X

6) -rw=X => -rw=X

This is more secure than the change -rw=X, ro.

Remember from Access Rule #2, -ro is never a default.

If the less restrictive form is desired, then the option needs to be manually changed. Note that if an export file has a mix of old and new style options, the more secure new style option of -rw=X can not be differentiated from the less secure option of -rw=X(, ro) with the implicit ro modifier. To solve this problem, we always interpret -rw=X in the most secure format.

7) -access=Y, rw=X => -rw=X, ro=(Y-X)
There is a potential to remove write access here, but we keep the most secure translation.

In all cases, we preserve ordering inside an option.

UPGRADE EXAMPLES

/vol/vol0 -anon=0
By rule #2, this becomes:

/vol/vol0 -rw, anon=0

/vol/vol3 -ro By rule #4, this becomes:

/vol/vol3 -ro

/vol/vol0/home -rw=dog:cat:skunk:pig:mule By rule #6, this becomes:

/vol/vol0/home -rw=dog:cat:skunk:pig:mule

Note that by the access rules given above, all other hosts are denied ro access.

Since the upgrade code does not know about netgroups and netgroups used to not be allowed inside the -rw host list, this could be rewritten as:

/vol/vol0/home -rw=@pets

Also, if the security style is desired to be the older style, this could be further rewritten as:

/vol/vol0/home -ro, rw=@pets

/vol/vol1
-access=pets:workers:alligator:mule, \\ rw=dog:cat:skunk:pig:horse:ox:mule

By rule #7, this becomes:

/vol/vol1
-ro=pets:workers:alligator, \\ rw=dog:cat:skunk:pig:horse:ox:mule

This can be rewritten as:

/vol/vol1
-ro=pets:workers:alligator, \\ rw=pets:workers

And should be:

/vol/vol1 -ro=alligator, rw=@pets:@workers

AUTOMATIC EDITING

The /etc/exports file is changed by ONTAP for any of the following conditions:

vol create
A default entry is added for the new volume. If an admin host had been defined during the setup process, access is restricted to that host, otherwise all hosts have access to the new volume.

vol rename
All entries which have either a pathname or an -actual pathname which matches the old volume name are changed to be that of the new volume name.

vol destroy
All entries which have either a pathname or an -actual pathname which matches the old volume name are removed from the file.

upgrade
During every invocation of exportfs -a, the exports file is checked for old style formatting. If this style is found, the exports file is upgraded to follow the current formatting.

Please note that when we upgrade exports which contain subnets, we always rewrite the subnets in the compact format of dotted_IP/num_bits.

If the option nfs.export.auto-update is disabled, then the automatic updates for the vol commands will not take place. Instead the need for manual updates is syslogged.

ACCESS CACHE

A new feature in ONTAP 6.5 is the access cache, which allows netgroups to appear in -ro=, -rw=, and -root= options. Each time a request arrives from a host, it refers to an exported path. To avoid lengthy delays, we first check for that host and path in the cache to determine if we will accept or reject the request. If there is cache miss, we reject the request and do name resolution in another thread. On the next request, we should get a cache hit (i.e., the hit or miss depends on network traffic).

The time that a entry lives in the cache is determined by the two options:

nfs.export.neg.timeout
dictates how long an entry which has been denied access lives

nfs.export.pos.timeout
dictates how long an entry which has been granted access lives

There are several ways that the cache can be flushed:

exportfs -f
Flushes the entire access cache.

exportfs -f pathname
Flushes the cache for the longest leading prefix match for the path.

Also, any command which alters an export entry will result in the access cache for that export being flushed. E.g., exportfs -au, exportfs -a, exportfs -io -rw /vol/vol1, etc.

As the access cache is designed to eliminate name service lookups, entries inside it can become stale when the name services are modified. For example, if a netgroup is changed or a DNS server is found to have corrupt maps. If the access cache is found to have stale data, then either parts of it or all of it must be flushed. If the stale data applies to only a few exports, then each may be flushed with the exportfs -f pathname command. The entire cache may be cleared with the exportfs -f command.

Note that the same effect may be had by using commands to reload the exports table. In prior versions of ONTAP, either the exportfs -au; exportfs -a command sequence or a simple exportfs -a command was commonly used to clear away exports issues. While these can be used to clear the access cache, they can also result in extra work and lead to very small windows when an export is unavailable.

TROUBLESHOOTING

All mount requests, and NFS requests, come across the wire with an IP address and not the hostname. In order for an address to be converted to a name, a reverse lookup must be performed. Depending on the contents and ordering in /etc/nsswitch.conf, DNS, NIS, and/or /etc/hosts may be examined to determine the mapping.

A common problem with reverse DNS lookups is the existence of a mapping from name to IP, but not IP to name.

The option nfs.mountd.trace can be turned on to help debug access requests. Note that as this option can be very verbose and it writes to the syslog, care should be taken to only enable it while trying to resolve an access problem.

Another useful tool is to use exportfs -c to check for access permissions.

DEPRECATED FEATURES

All exported pathnames which do not begin with a leading "/vol/" or "/etc/" pathname are being deprecated.

WARNINGS

Exporting the root volume as / can be misleading to some automounters.

FILES

/etc/hosts host name database

/etc/nsswitch.conf determines name resolution search order

SEE ALSO

exportfs , reboot , hosts , netgroup , nsswitch.conf , options , passwd


Table of Contents






















7-mode Manual Pages , , , ,

exportfs

July 7th, 2009

Table of Contents

NAME

exportfs – exports or unexports a file system path, making it available or unavailable, respectively, for mounting by NFS clients.

SYNOPSIS

exportfs

exportfs [ -v ] [ -io options ] path

exportfs -a [ -v ]

exportfs -b [ -v ] enable | disable save | nosave allhosts | clientid[:clientid...] allpaths | path[:path...]

exportfs -c [ -v ] clientaddr path [ [ ro | rw | root ] [ sys | none | krb5 | krb5i | krb5p ] ]

exportfs -d [ -v ] [ 6.4 | 6.5 ]

exportfs -f [ -v ] [path]

exportfs -h | -r [ -v ]

exportfs -p [ -v ] [options] path

exportfs -q | -s | -w | -z [ -v ] path

exportfs -u [ -v ] path | -a

DESCRIPTION

Use the exportfs command to perform any of the following tasks:

* Export or unexport a file system path.

* Add an export entry to or remove an export entry from the /etc/exports file.

* Export or unexport all file system paths specified in the /etc/exports file.

* Enable or disable fencing of specific NFS clients from specific file system paths.

* Check whether an NFS client has a specific type of access to a file system path.

* Flush entries from the access cache.

* Revert the /etc/exports file to a format compatible with a previous Data ONTAP release.

* Display exported file system paths and export options.

* Display the actual file system path corresponding to an exported file system path.

* Save exported file system paths and their export options into a file.

OPTIONS

(none)
Displays all exported file system paths.

path
Exports a file system path without adding a corresponding export entry to the /etc/exports file. To override any export options specified for the file system path in the /etc/exports file, specify the -io options followed by a comma-delimited list of export options. For more information about export options, see exports . Note: To export a file system path and add a corresponding entry to the /etc/exports file, use the -p option instead.

-a
Exports all file system paths specified in the /etc/exports file. To export all file system paths specified in the /etc/exports file and unexport all file system paths not specified in the /etc/exports file, use the -r option instead. Note: Data ONTAP reexports a file system path only if its persistent export options (those specified in the /etc/exports file) are different from its current export options, thus ensuring that it does not expose NFS clients unnecessarily to a brief moment during a reexport in which a file system path is not available.

-b
Enables or disables fencing of specific NFS clients from specific file system paths, giving the NFS clients read-only or read-write access, respectively. To enable fencing, specify the enable option; to disable fencing, specify the disable option. To update the /etc/exports file, specify the save option; otherwise, specify the nosave option. To affect all NFS clients, specify the allhosts option; otherwise, specify a colon-delimited list of NFS client identifiers. To affect all exported file system paths, specify the allpaths option; otherwise, specify a colon-delimited list of file system paths. Data ONTAP drains all of the NFS requests in its queue before it enables or disables fencing, thereby ensuring that all file writes are atomic. Note: When you enable or disable fencing, Data ONTAP moves the NFS client to the front of its new access list (rw= or ro=). This reordering can change your original export rules.

-c
Checks whether an NFS client has a specific type of access to a file system path. You must specify the IP address of the NFS client (hostip) and the exported (not actual) file system path (path). To check whether the NFS client has read-only, read-write, or root access to the file system path, specify the ro, rw, or root option, respectively. If you do not specify an access type, Data ONTAP simply checks whether the NFS client can mount the file system path. If you specify an access type, you can also specify the NFS client’s security type: sys, none, krb5, krb5i, or krb5p. If you do not specify a security type, Data ONTAP assumes the NFS client’s security type is sys. Note: If Data ONTAP does not find an entry in the access cache corresponding to the file system path and (2) the NFS client’s IP address, access type, and security type, Data ONTAP determines the NFS client’s host name from its IP address (for example, it performs a reverse DNS lookup), (2) checks the NFS client’s host name, access type, and security type against the file system path’s export options, and (3) adds the result to the access cache as a new entry.

-d
Reverts the /etc/exports file to a format compatible with a previous Data ONTAP release. Specify the 6.4 option or 6.5 option to revert the /etc/exports file to a format compatible with the Data ONTAP 6.4 release or Data ONTAP 6.5 release, respectively. Before reverting the /etc/exports file, Data ONTAP backs it up under /etc/exports.pre.revert. Note: Always check the reverted /etc/exports file before accepting it. Reverting an /etc/exports file that uses features not supported in a previous Data ONTAP release can lead to unexpected results. For more information about reverting the /etc/exports file, see exports .

-f
Flushes entries from the access cache. To flush access cache entries corresponding to a specific file system path, specify the file system path; otherwise, to flush all access cache entries, do not specify a file system path. Note: To control when access cache entries expire automatically, set the nfs.export.harvest.timeout, nfs.export.neg.timeout, and nfs.export.pos.timeout options. For more information about these options, see options .

-h
Displays help for all exportfs options.

-i
Ignores the options specified for a file system path in the /etc/exports file. If you do not specify the -i option with the -o option, Data ONTAP uses the options specified for the file system path in the /etc/exports file instead of the options you specify on the command line.

-o
Specifies one or more export options for a file system path as a comma-delimited list. For more information about export options, see exports . Note: To override the options specified for the file system path in the /etc/exports file, you must specify the -i and -o options together.

-p
Exports a file system path and adds a corresponding export entry to the /etc/exports file. If you do not specify any export options, Data ONTAP automatically exports the file system path with the rw and -sec=sys export options. Use the -p option to add a file system path to the /etc/exports file without manually editing the /etc/exports file. Note: Data ONTAP exports the file system paths specified in the /etc/exports file every time NFS starts up (for example, when the filer reboots). For more information, see exports .

-q
Displays the export options for a file system path. Use the -q option to quickly view the export options for a single file system path without manually searching through the /etc/exports file. In addition to displaying the options, it also displays the ruleid for each "rule" in the export. This ruleid is used to display the in-memory and on-disk access cache for each "rule”. Rule is a set of host access permissions defined for a security flavor in an export and a ruleid uniquely identifies a rule for the duration when a filer is up. e.g.
   exportfs -q /vol/vol0    /vol/vol0  -sec=krb5, (ruleid=2), rw 
This means that the filesystem /vol/vol0 is exported via the rule "rw" and this rule has a ruleid of 2.
   exportfs -q /vol/vol1    /vol/vol1  -sec=sys, (ruleid=2), rw,            sec=krb5, (ruleid=10), ro=172.16.27.0/24, rw=172.16.36.0/24 
This means that the filesystem /vol/vol1 is exported via the rule "rw" (ruleid 2) to everyone who is coming with AUTH_SYS security and is also exported via the rule "ro=172.16.27.0/24, rw=172.16.36.0/24" (ruleid 10) to everyone coming in with Kerberos.

-r
Exports all file system paths specified in the /etc/exports file and unexports all file system paths not specified in the /etc/exports file. To export all file system paths specified in the /etc/exports file without unexporting any file system paths, use the -a option instead. Note: Data ONTAP reexports a file system path only if its persistent export options (those specified in the /etc/exports file) are different from its current export options, thus ensuring that it does not expose NFS clients unnecessarily to a brief moment during a reexport in which a file system path is not available.

-s
Displays the actual file system path corresponding to an exported file system path. Note: Unless a file system path is exported with the -actual option, its actual file system path is the same as its exported file system path.

-u
Unexports a file system path. To unexport a single file system path, specify the path; otherwise, to unexport all file system paths specified in the /etc/exports file, specify the -a option. Note: The -u option does not remove export entries from the /etc/exports file. To unexport a file system path and remove its export entry from the /etc/exports file, use the -z option instead.

-v
Specifies that Data ONTAP should be verbose. Use the -v option with any other option. For example, specify the -v option with the -a option to specify that Data ONTAP should display all file system paths that it exports.

-w
Saves exported file system paths and their export options into a file.

-z
Unexports a file system path and removes its export entry from the /etc/exports file. Use the -z option to remove a file system path from the /etc/exports file without manually editing the /etc/exports file. Note: By default entries are actually commented out and not removed from the /etc/exports file. To change the behaviour to actually remove entries switch off the nfs.export.exportfs_comment_on_delete option. For more information see options .

OPERANDS

clientaddr
An NFS client’s IP address.

clientid
One of the following NFS client identifiers: host name, IP address, netgroup, subnet, or domain name. For more information, see exports .

options
A comma-delimited list of export options. For more information, see exports .

path
A file system path: for example, a path to a volume, directory, or file.

EXTENDED DESCRIPTION

When you export a file system path, specify the -p option to add a corresponding entry to the /etc/exports file; otherwise, specify the -i and -o options to override any export options specified for the file system path in the /etc/exports file with the export options you specify on the command line.

When you specify the -b option (or the rw=, ro=, or root= export option), you must specify one or more NFS client identifiers as a colon-delimited list. An NFS client identifier is a host name, IP address, netgroup, subnet, or domain name. For more information about client identifiers, see exports .

Unlike UNIX systems, Data ONTAP lets you export a file system path even if one of its ancestors has been exported already. For example, you can export /vol/vol0/home even if /vol/vol0 has been exported already. However, you must never export an ancestor with fewer access controls than its children. Otherwise, NFS clients can mount the ancestor to circumvent the children’s access controls. For example, suppose you export /vol/vol0 to all NFS clients for read-write access (with the rw export option) and /vol/vol0/home to all NFS clients for read-only access (with the ro export option). If an NFS client mounts /vol/vol0/home, it has read-only access to /vol/vol0/home. But if an NFS client mounts /vol/vol0, it has read-write access to vol/vol0 and /vol/vol0/home. Thus, by mounting /vol/vol0, an NFS client can circumvent the security restrictions on /vol/vol0/home.

When an NFS client mounts a subpath of an exported file system path, Data ONTAP applies the export options of the exported file system path with the longest matching prefix. For example, suppose the only exported file system paths are /vol/vol0 and /vol/vol0/home. If an NFS client mounts /vol/vol0/home/user1, Data ONTAP applies the export options for /vol/vol0/home, not /vol/vol0, because /vol/vol0/home has the longest matching prefix.

Managing the access cache
Whenever an NFS client attempts to access an exported file system path, Data ONTAP checks the access cache for an entry corresponding to the file system path and (2) the NFS client’s IP address, access type, and security type. If an entry exists, Data ONTAP grants or denies access according to the value of the entry. If an entry does not exist, Data ONTAP grants or denies access according to the result of a comparison between the file system path’s export options and (2) the NFS client’s host name, access type, and security type. In this case, Data ONTAP looks up the client’s host name (for example, Data ONTAP performs a reverse DNS lookup) and adds a new entry to the access cache. To manually add access cache entries, use the -c option.

Note: The access cache associates an NFS client’s access rights with its IP address. Therefore, changes to an NFS client’s host name will not change its access rights until the access cache is flushed. Data ONTAP automatically flushes an access cache entry when its corresponding file system path is exported or unexported or (2) it expires. To control the expiration of access cache entries, set the nfs.export.harvest.timeout, nfs.export.neg.timeout, and nfs.export.pos.timeout options. For more information about these options, see options . To manually flush access cache entries, use the -f option.

Running exportfs on a vFiler unit
To run exportfs on a vFiler (TM) unit, use the vfiler run command. All paths you specify must belong to the vFiler unit. In addition, all IP addresses you specify must be in the vFiler unit’s ipspace. For more information, see vfiler .

Debugging mount and access problems
To debug mount and access problems, temporarily set the nfs.mountd.trace option to on and (2) monitor related messages that Data ONTAP displays and logs in the /etc/messages file. Some common access problems include:

* Data ONTAP cannot determine an NFS client’s host name because it does not have a reverse DNS entry for it. Add the NFS client’s host name to the DNS or the /etc/hosts file.

* The root volume is exported with a file system path consisting of a single forward slash (/), which misleads some automounters. Export the file system path using a different file system path name.

Exporting Origin Filer for FlexCache
Exporting a volume using the /etc/exports file does not affect whether the volume is available to a FlexCache volume; To enable a volume to be a FlexCache origin volume, use the the flexcache.access option.

EXAMPLES

Exporting file system paths
Each of the following commands exports /vol/vol0 to all hosts for read-write access:

  exportfs -p /vol/vol0   exportfs -io rw /vol/vol0 

Each of the following commands exports /vol/vol0 to all hosts for read-only access:

  exportfs -p ro /vol/vol0   exportfs -io ro /vol/vol0 

Each of the following commands exports /vol/vol0 to all hosts on the 10.45.67.0 subnet with the 255.255.255.0 netmask for read-write access:

  exportfs -io rw=10.45.67.0/24 /vol/vol0   exportfs -io rw=”network 10.45.67.0 netmask 255.255.255.0″ /vol/vol0   exportfs -io rw=”10.45.67.0 255.255.255.0″ /vol/vol0 

The following command exports /vol/vol0 to the hosts in the trusted netgroup for root access, the hosts in the friendly netgroup for read-write access, and all other hosts for read-only access:

  exportfs -io ro, root=@trusted, rw=@friendly /vol/vol0 

The following command exports all file system paths specified in the /etc/exports file:

  exportfs -a 

The following command exports all file system paths specified in the /etc/exports file and unexports all file system paths not specified in the /etc/exports file:

  exportfs -r 

Unexporting file system paths
The following command unexports /vol/vol0:

  exportfs -u /vol/vol0 

The following command unexports /vol/vol0 and removes its export entry from the /etc/exports file:

  exportfs -z /vol/vol0 

The following command unexports all file system paths:

  exportfs -ua 

Displaying exported file system paths
The following command displays all exported file system paths and their corresponding export options:

  exportfs 

The following command displays the export options for /vol/vol0:

  exportfs -q /vol/vol0 

Enabling and disabling fencing
Suppose /vol/vol0 is exported with the following export options:

  -rw=pig:horse:cat:dog, ro=duck, anon=0 

The following command enables fencing of cat from /vol/vol0:

  exportfs -b enable save cat /vol/vol0 

Note: cat moves to the front of the ro= list for /vol/vol0:

  -rw=pig:horse:dog, ro=cat:duck, anon=0 

The following command disables fencing of cat from /vol/vol0:

  exportfs -b disable save cat /vol/vol0 

Note: cat moves to the front of the rw= list for /vol/vol0:

  -rw=cat:pig:horse:dog, ro=duck, anon=0 

Checking an NFS client’s access rights
The following command checks whether an NFS client with an IP address of 192.168.208.51 and a security type of sys can mount /vol/vol0:

  exportfs -c 192.168.208.51 /vol/vol0 

The following command checks whether an NFS client with an IP address of 192.168.208.51 and a security type of none has read-only access to /vol/vol0:

  exportfs -c 192.168.208.51 /vol/vol0 ro none 

Flushing entries from the access cache
The following command flushes all entries from the access cache:

  exportfs -f 

The following command flushes all entries for /vol/vol0 from the access cache:

  exportfs -f /vol/vol0 

Reverting the /etc/exports file
The following command reverts the /etc/exports file to a format compatible with the Data ONTAP 6.5 release:

  exportfs -d 6.5 

Note: Before reverting the /etc/exports file, Data ONTAP backs it up under /etc/exports.pre.revert.

Displaying an actual file system path
The following example displays the actual file system path corresponding to /vol/vol0:

  exportfs -s /vol/vol0 

Note: The actual file system path will be the same as the exported file system path unless the file system path was exported with the -actual option.

Saving file system paths
The following example saves the file system paths and export options for all currently and recently exported file paths into /etc/exports.recent:

  exportfs -w /etc/exports.recent 

SEE ALSO

ipspace , options , vfiler , exports , hosts , netgroup , passwd


Table of Contents














7-mode Manual Pages , , , ,

fpolicy

July 7th, 2009

Table of Contents

NAME

fpolicy – configure file policies

SYNOPSIS

fpolicy

fpolicy help [ <command> ]

fpolicy create <PolicyName> <PolicyType>

fpolicy destroy <PolicyName>

fpolicy disable <PolicyName>

fpolicy enable <PolicyName> [-f]

fpolicy ext[ension] { exc[lude] | inc[lude] } { reset|show } <PolicyName>

fpolicy ext[ension] { exc[lude] | inc[lude] } { add|remove|set } <PolicyName> <ext>[, <ext>]*

fpolicy mon[itor] { add | remove | set } <PolicyName> [-p { cifs | nfs | cifs, nfs }] [-f] <op-spec>[, <op_spec>]*

fpolicy options <PolicyName> required [ on | off ]

fpolicy options <PolicyName> secondary_servers [<IP_address>[, <IP-address>]*]

fpolicy options <PolicyName> cifs_setattr [ on | off ]

fpolicy options <PolicyName> reqcancel_timeout [ <timeout_in-secs> ]

fpolicy options <PolicyName> serverprogress_timeout [ <timeout-in-secs> ]

fpolicy options <PolicyName> cifs_disconnect_check [ on off ]

fpolicy servers show <PolicyName>

fpolicy servers stop <PolicyName> <IP-address>

fpolicy show <PolicyName>

fpolicy vol[ume] { inc[lude] | exc[lude] } { reset | show | eval } <PolicyName>

fpolicy vol[ume] { inc[lude] | exc[lude] } { add | remove | set } <PolicyName> <vol_spec>[, <vol_spec>]*

DESCRIPTION

The fpolicy command enables control and configuration of file policies.

USAGE

fpolicy

Displays FPolicy settings and provides summary information about policies.

fpolicy help [ <command> ]

Displays information about specific commands available in the FPolicy subsystem of the storage system. A list of commands, or syntax for a specific command, can be obtained.

fpolicy create <PolicyName> <PolicyType>

Creates a new policy. Policy names must be unique. The only file policy type supported is "screen” (file screening).

fpolicy destroy <PolicyName>

Destroys an existing policy.

fpolicy disable <PolicyName>

Disables a policy.

fpolicy enable <PolicyName> [-f]

Enables a policy. The -f force flag forces the policy to be enabled even if there are no servers available to enforce the policy.

fpolicy ext[ension] { exc[lude] | inc[lude] } { reset|show } <PolicyName>
fpolicy ext[ension] { exc[lude] | inc[lude] } { add|remove|set } <PolicyName> <ext>[, <ext>]*

<ext>[, <ext>]* is a comma separated list of extensions. The maximum length allowed for a single extension is 260 characters. Upto 255 extensions can be specified in a list.The include list determines if a given file should be screened. The exclude list determines if a given file should not be screened. If an extension is listed on both the exclude and the include list, files with that extension are not screened. If an extension is not listed on either the include list or the exclude list, files with that extension are not screened. The character ? is a wild card. When it is not the last character, it matches any single character. When it is the last character, or part of a trailing sequence of ? , it matches any number of characters (0, 1 or more).

fpolicy extensions { include | exclude } show <PolicyName>

Displays the current file extension list.

fpolicy extensions { include | exclude } reset <Policy_Name>

Resets the file extension list to the default list.

fpolicy extensions { include | exclude } set <PolicyName> <ext>[, <ext>]*

Specifies a new extension list which replaces the current list.

fpolicy extensions { include | exclude } add <PolicyName> <ext>[, <ext>]*

Adds new entries to the current file extension list.

fpolicy extensions { include | exclude } remove <Policy_Name> <ext>[, <ext>]*

Removes entries from the current file extension list.

fpolicy mon[itor] { add | remove | set } <PolicyName> [-p { cifs | nfs | cifs, nfs }] [-f] <op-spec>[, <op_spec>]*

Typically the list of operations monitored by a file policy is set by an FPolicy server for the policy. However, the list of operations can be configured with the fpolicy monitor command. Note that if an FPolicy server sets the list after this command is entered, the FPolicy server will override the effect of this command.
Operations may be added or removed from an existing list of operations, or the existing list may be discarded and set to a new list. Note that some FPolicy servers may not function correctly if their set of designated operations is changed. For example, an FPolicy server may wish to match file opens with file closes and malfunction if it stops receiving notifications of files that are closed. By default all protocols are selected. A subset of protocols can be chosen by providing a comma separated list following the -p flag. The -f force flag causes the command to be executed even if there are no servers available to enforce the policy. <op_spec>[, <op_spec>]* is a comma separated list of operations for which the policy will receive notifications. Supported values are all, none, close, create, create_dir, delete, delete_dir, getattr, link, lookup, open, read, rename, rename_dir, setattr, symlink, write. Note: Selecting read or write is rarely desirable. Notification for operations which occur frequently have a detrimental effect on performance.

fpolicy options <PolicyName>

Displays the current values of the file policy options.

fpolicy options <PolicyName> required [ on | off ]

Displays the current setting for the required option. If set to "on”, user requests are denied if a file policy server is not available to implement the policy. If set to "off”, user requests are allowed when it is not possible to apply the policy to the file because no file policy server is available.

fpolicy options <PolicyName> secondary_servers [ <server_list> ]

Displays the current setting for the secondary_servers option. If a comma separated list of IP addresses is provided, the current list is replaced by the new list. The storage system avoids the use of secondary servers to enforce file policies unless there are no primary servers available.

fpolicy options <PolicyName> cifs_setattr [ on | off ]

Displays the current setting for the cifs_setattr option. If set to "on" then CIFS requests to change file security descriptor will be screened by the policy. File security descriptor changes that will be screened are file owner change, file primary owner group change, changes in SACL and DACL. If set to "off" cifs security descriptor change requests will not be screened by the policy. By default option is set to "off”.

fpolicy options <PolicyName> reqcancel_timeout [ <timeout_in-secs> ]

Set or display the value of reqcancel_timeout for the policy. This is the maximum time allowed to an FPolicy server to screen a request. Upon timeout, the screen request is cancelled from the FPolicy server. A value of 0 implies that the feature is disabled. The default value is 0.

fpolicy options <PolicyName> serverprogress_timeout [ <timeout-in-secs> ]

Set or display the value of serverprogress_timeout for the policy. This is the maximum time an FPolicy server can remain unresponsive while processing the maximum allowed number of screen requests. Upon timeout, the unresponsive FPolicy server will be disconnected from the storage system. A value of 0 implies that the feature is disabled. The default value is 0.

fpolicy options <PolicyName> cifs_disconnect_check [ on off ]

Set or display the value of cifs_disconnect_check for the policy. If this option is enabled, CIFS requests associated with disconnected sessions will not be sent to FPolicy servers for screening. The default setting for this option is "off”.

fpolicy servers show <PolicyName>

Displays a list of FPolicy servers which have offered to apply file policies for the storage system, or terminates the connection to a specified server. Each fpolicy server that registers for a policy can enable optional parameters.

fpolicy servers stop <PolicyName> <IP-address>

fpolicy servers show <PolicyName> will print all the options enabled by the fpolicy server in the "Options enabled:" field. Following are the options that can be enabled by the fpolicy server.

version2
fpolicy server is using version 2 of the fpolicy interface. Version 2 enables read redirect and support for NFS version 4 protocol (See the SDK for more details).

size_and_owner
File size and owner information is included with the the fpolicy event notification. Size reported to the fpolicy server will be the logical file size. Owner information will be reported in Windows SID format. If the file has windows security descriptor, the owner information will be based on it. If the file has no windows security descriptor, storage system will try to get an equivalent windows SID from Unix UID information and report it to the fpolicy server. If this translation of windows SID from Unix UID fails, storage system will report the well known CREATOR_OWNER SID to the fpolicy server.

async fpolicy server needs asynchronous screen request notifications. When fpolicy server registers for asynchronous notifications, storage system will notify fpolicy server about the file events as and when they occur but does not wait for the response from fpolicy server. The storage system will complete the cifs/nfs request immediately after sending fpolicy screen notification to the fpolicy server.

snapid fpolicy server needs the snapshot ID of the file being accessed. A snapshot ID is a persistent identifier that can be used to identify a snapshot of a a file system. The active filesystem has a distinct snapshot ID.

fpolicy show <PolicyName>

Displays status for <PolicyName> which will include operations configured for the policy, extentions monitored by the policy, fpolicy servers registered for the policy and the options enabled by each fpolicy server. It will indicate the total number of requests screened by the fpolicy server, number of requests blocked by the fpolicy server and number of requests blocked locally for the given policy. This CLI will also inform that fpolicy servers registered for this policy need inode to pathname translation for NFS screen requests and if they need notifications for offline files only.

fpolicy vol[ume] { inc[lude] | exc[lude] } { reset | show | eval } <PolicyName>
fpolicy vol[ume] { inc[lude] | exc[lude] } { add | remove | set } <PolicyName> <vol_spec>[, <vol_spec>]*

<vol_spec>[, <vol_spec>]* is a comma separated list of storage system volumes. Regular expressions including wildcard characters ? and * are also supported. The include volume list specifies which volumes the policy applies to. The exclude volume list specifies which volumes are not monitored by the policy. When an exclude list is specified any volumes not excluded are controlled by the policy. If both lists are specified for a policy the exclude list takes precedence and the include list is ignored. If neither volume list is set, the policy is applied to all volumes.

fpolicy vol[ume] { inc[lude] | exc[lude] } add <PolicyName> <vol_spec>[, <vol_spec>]*

Adds new entries to the current volume list.

fpolicy vol[ume] { inc[lude] | exc[lude] } remove <Policy_Name> <vol_spec>[, <vol_spec>]*

Removes entries from the current volume list.

fpolicy vol[ume] { inc[lude] | exc[lude] } set <Policy_Name> <vol_spec>[, <vol_spec>]*

Specifies a new volume list which replaces the current list.

fpolicy vol[ume] { inc[lude] | exc[lude] } reset <Policy_Name>

Resets the volume list to an empty list.

fpolicy vol[ume] { inc[lude] | exc[lude] } show <Policy_Name>

Displays the current volume list.

fpolicy vol[ume] { inc[lude] | exc[lude] } eval <Policy_Name>

Prints the list of volumes that this policy applies to.

EXAMPLE(S)

         fpolicy extensions include set p1 C?? 

This command will cause storage system to screen the files ABC.C, ABC.CPP, ABC.C++, ABC.CPLUS and so on for policy p1.

         fpolicy extensions include set p1 C? 
This command will cause storage system to screen the files ABC.C, ABC.CP and so, but not ABC.CPP for policy p1.

         fpolicy extensions include set p1 A?C 
This command will cause storage system to screen the files XYZ.ABC, XYZ.ACC and so but not XYZ.APP for policy p1.

         fpolicy extensions include set p1 ? 
This command will cause storage system to screen the files ABC.A, ABC.C, ABC and so on, but not ABC.AC p1.

VFILER CONSIDERATIONS

When run from a vFiler context, (e.g. via the vfiler run command), fpolicy operates on the affected vFiler.

SEE ALSO

vfiler


Table of Contents







7-mode Manual Pages , , , ,

floppyboot

July 7th, 2009

Table of Contents

NAME

floppyboot – describes the menu choices at the floppy boot prompt

SYNOPSIS

1 Normal boot

2 Boot without /etc/rc

3 Change password

4 Initialize all disks OR Initialize owned disks OR Assign ownership and initialize disks for root volume OR No disks assigned (use `disk assign’ from Maintenance Mode)

5 Maintenance mode

DESCRIPTION

floppy boot is a Data ONTAP mode that is entered after booting from a floppy disk or after hitting Control-C at the appropriate point during a hard-disk boot.

After initiating a floppy boot, a menu of choices is presented that allows for the selection of the desired type of boot.

OPTIONS

option 1: Normal boot
This causes a normal full boot sequence to be done, after which the system behaves just as if a boot from hard disk had been done.

option 2: Boot without /etc/rc
This does a normal boot, but bypasses execution of the /etc/rc file. Following this, the system is running normally, but without the configuration normally provided to it in the /etc/rc file. The commands in the /etc/rc file can be typed manually to bring the system fully operational. Generally, this command is used when there is something in the /etc/rc file which is causing the filer to misbehave. Often, only an ifconfig command and an nfs on or a cifs restart command are done manually, allowing NFS or CIFS to become operational; then the /etc/rc file is edited to remove the offending lines, and then the system is rebooted.

option 3: Change password
This allows the filer password to be changed. It is usually used when the administrator has forgotten the current password, and so cannot use the online passwd command.

option 4: Initialize all disks
This commands zeroes all the filer’s disks and re-enters the setup menu. It is typically used only once, at system installation time. This option asks for confirmation; once confirmed, there is no way to retrieve data previously on the disks. Zeroing the disks may take time (sometimes hours), depending on how many disks there are, whether they need to be zeroed or not, and what capacity each has.

On systems with software-based disk ownership, option 4 initializes disks that are assigned to the system. If no disks have been assigned on systems other than V-Series systems, the software attempts to assign a minimum set of disks for the aggregate containing the root volume. After disks are assigned, they are zeroed and the user enters the setup menu. For V-Series systems the user must use option 5 to assign at least one disk (LUN) from the storage subsystem, then use option 4 to create the root volume. After disks are assigned, they are zeroed and the setup menu is entered.

option 5: Maintenance mode boot
This enters a mode in which a small subset of commands are available, and is usually employed to diagnose hardware (often disk-related) problems. In maintenance mode, WAFL aggregates and traditional volumes are recognized but are not used, the /etc/rc file is not interpreted, and few system services are started. NFS and CIFS cannot be used. Disk reconstructions do not occur. No filesystem upgrade occurs, even if the system is newer than the OS release previously installed.

CLUSTER CONSIDERATIONS

It is generally recommended that clustering be explicitly disabled or that the other system be halted (to the `ok’ prompt, or powered off) before entering the various floppy boot menu choices on this system. Failure to do this can sometimes result in takeovers by the other node while in maintenance mode; this is usually undesirable.

SEE ALSO

disk , download , rc , fcdiag , fcstat , fctest , halt , ifconfig , nfs , vol , aggr

NOTES

A floppy boot menu choice affects only a single boot of the OS. In order to continue to boot the same version of the OS from the hard disk in the future, you must intall that OS on the hard disk using the untar installation process and the download command.


Table of Contents






7-mode Manual Pages , , , ,

flexcache

July 7th, 2009

Table of Contents

NAME

flexcache – commands for administering FlexCache volumes

SYNOPSIS

flexcache help [subcommand]

flexcache fstat path

flexcache eject path [-f]

flexcache stats [ -C [volname]] [ -S [volname] [-c [clientname]]] [-z]

DESCRIPTION

The flexcache command is used to administer FlexCache volumes. FlexCache volumes are housed on the caching filer, and are cached copies of separate volumes, which are on a different filer (henceforth referred to as the origin filer). Clients access the FlexCache volume as they would access any other volume exported over NFS. FlexCache must be licensed on the caching filer, and is not required for the origin filer. The current version of FlexCache only supports client access via NFSv2 and NFSv3.

For more information on volumes, see vol .

USAGE

flexcache help [subcommand]

Displays help on the specified flexcache subcommand.

flexcache fstat path

Display statistics about the object cached at path. path must be given as a canonical pathname. That is, to display information on the file bar, residing on cache volume foo, one would use the path /vol/foo/bar. fstat avoids fetching attribute information for files that aren’t already present in the cache. Note however that all directories given in path will be fetched in order to perform the required lookups. In addition to the traditional UNIX stat information, specific information used by the caching algorithms is displayed. In particular, the number of 1K blocks the file is consuming on the caching volume, and the last time the file was updated on the cache. fstat can be used on any path on the appliance.

flexcache eject path [-f]

Eject the given file from the cache. The path must be specified in the same manner as in the flexcache fstat command. The -f option ejects the file without prompting the user for confirmation.

flexcache stats [ -C [volname]] [ -S [volname] [-c [clientname]]] [-z]

The -C option on the caching filer displays client side bandwidth savings and hit/miss statistics for volname, or for all mapped FlexCache volumes if volname is unspecified. The -S option on the origin filer displays server side statistics for volname if one is supplied or for all origin volumes otherwise. If -c is also supplied, statistics for each caching client are also displayed. If clientname is specified then information for that client only is displayed. The -c option is only valid with the -S option and the global option flexcache.per_client_stats must be set to on. The -z
option zeroes all the statistics for all FlexCache volumes.

SEE ALSO

vol


Table of Contents


7-mode Manual Pages , , , ,

filestats

July 7th, 2009

Table of Contents

NAME

filestats – collect file usage statistics

SYNOPSIS

filestats [-g] [-u] [async] [ ages <ages> ] [ expr <expression> ] [ timetype {a, m, c, cr} ] [ sizes <sizes> ] snapshot <snapshot_name> [ style <style> ] [ volume <vol_ume_name> ] [ file <output_file> ]

DESCRIPTION

The filestats utility provides a summary of file usage within a volume. It must be used on a snapshot, and the only required argument is the snapshot name. The volume name defaults to "vol0" if not specified. If the volume you are examining is named otherwise, specify the name explicitly.

The output of this command will contain a breakdown of the total number of files and their total size. You can control the set of ages and sizes that get used for this breakdown, with the "ages" and "sizes" arguments. The output also contains a breakdown of file usage by user-id and group-id.

The first line of the summary contains:

INODES
The total number of inodes scanned (this includes free and used inodes).

COUNTED_INODES
The total number of inodes included in the totals because they are in use (and because they satisfy the "expr” expression, if that option is used).

TOTAL_BYTES
The total number of bytes in the counted files.

TOTAL_KB
The total number of kilobytes consumed by the blocks of the counted files.

OPTIONS

The following options are supported.

async Run the scan independently of the console, best used with the file option. Care should be used to minimize the number of asynchronous scans running simultaneously. More than one can be a big drain on system performance.

-g
A per-group breakdown will be generated, containing separate tables of ages and sizes for each group id.

-u
A per-user breakdown will be generated, containing separate tables of ages and sizes for each user id.

ages ages
Specifies the breakdown of ages, as a set of commaseparated time values. The values are in seconds, but as a convenience you can add an H or D suffix to a number to get hours and days. For example, "900, 4H, 7D" would produce a breakdown with 4 categories – files accessed in the last 15 minutes, files accessed in the last four hours, files accessed in the last week, and all other files.

expr expression
(Warning, use of this option can be inefficient, and result in very long-running execution times.) This lets you specify a boolean expression that will be evaluated for each inode encountered, and if the expression is true, then the inode will be selected and included in the various breakdowns of file usage. The expression can contain "variables”, which are merely the name of an inode attribute enclosed in curly braces. For example, {size} is evaluated as the size of the current inode. The valid inode attributes that you can use in expressions are:

tid
The tree id (for qtrees).

type
The file type (numeric, currently).

perm
Permissions.

flags
Additional flags.

nlink
Count of hard links.

uid
User id (numeric) of file owner.

gid
Group id (numeric) of file owner.

size
Size in bytes.

blkcnt
Size in blocks.

gen
Generation number.

atime
Time of last read or write (in seconds).

mtime
Time of last write (in seconds).

ctime
Time of last size/status change (in seconds).

crtime
Time file was created (in seconds).

atimeage
Age of last read or write (Now atime).

mtimeage
Age of last write (Now – mtime).

ctimeage
Age of last size/status change (Now ctime).

crtimeage
Age of file creation (Now – crtime).

timetype timetype
This lets you specify the type of time that will be used in the "age" comparison. Valid values for timetype are

a
Access time

m
Modification time

c
Change time (last size/status change)

cr
Creation time

sizes sizes
Specifies the breakdown of sizes, as a comma-separated set of size values. The values are in bytes, but as a convenience you can add a K, M, or G suffix to a number to get kilobytes, megabytes, and gigabytes. For example, "500K, 2M, 1G" would produce a breakdown with 4 categories – files less than 500K, files less than 2 megabytes, files less than 1 gigabyte, and all other files.

To produce a breakdown that includes all unique file sizes,
specify "*" for the sizes value.

style style
Controls the style of output – the possible value for style are "readable" (the default), "table” (colon-separated values suitable for processing by programs), and "html”.

file output_file
Instead of printing the results on the console, print the results in output_file. The output_file will be created in the /etc/log directory.

EXAMPLES

1. Produce default file usage breakdowns for snapshot hourly.1 of volume vol0.

filestats volume vol0 snapshot hourly.1

2. Produce file usage breakdowns by monthly age values:

filestats volume vol0 snapshot hourly.1 ages "30D, 60D, 90D, 120D, 150D, 180D”

3. Produce file usage breakdowns for inodes whose size is less than 100000 bytes and whose access time is less than a day old:

filestats volume vol0 snapshot hourly.1 expr "{size}<100000&&{atimeage}<86400)”

NOTES

On large volumes, this command may take a few minutes to execute. During that time, CPU usage will be high, often 100%. The impact of that CPU usage should be low, because the command is implemented in Java which has low priority. However, disk access to the inode file will have an effect on the throughput of file serving.

Currently, the expression-evaluating code does not do any optimizations, so although you can use arithmetic expressions, it is most efficient if you do not. Of course, it’s most efficient if you don’t use the expr option at all.


Table of Contents








7-mode Manual Pages , , , ,

file

July 7th, 2009

Table of Contents

NAME

file – manage individual files

SYNOPSIS

file

file reservation <path> [ enable | disable ]

DESCRIPTION

The file command is used to set special options and features on files.

USAGE

The reservation subcommand can be used to query the space reservation settings for the named file, or to modify those settings. With no further modifiers, the command will report the current setting of the space reservation flag for a file. This tells whether or not space is reserved to fill holes in the file and to overwrite existing portions of the file that are also stored in a snapshot. Specifying enable or disable will turn the reservation setting on or off accordingly for the file.

SEE ALSO

qtree , vol ,


Table of Contents

Copyright © 1994-2008 NetApp, Inc. Legal Information

7-mode Manual Pages , , , ,

fctest

July 7th, 2009

Table of Contents

NAME

fctest – test Fibre Channel environment

SYNOPSIS

fctest [ -B ] [ -t minutes ] [ -v ] [ adapter ]

fctest -T [ -t minutes ] [ -v ] adapter

fctest [ -R ] [ -W ] [ -A ] [ -V ] [ -B ] [ -t minutes ] [ -n sects ] [ -v ] [ -s <shelf-list> ] [ -d <disk-list> ] [ -a <adapter-list> ]

DESCRIPTION

Use the fctest command to test Fibre Channel adapters and disks on an appliance. This command provides a report of the integrity of your Fibre Channel environment. It is only available in maintenance mode. By default, it takes about 5 minutes to complete.

The -R option executes a sequential read test with optionally specified large block size (default is 1024kb per I/O).

The -W option executes a sequential write test with optionally specified large block size (default is 1024kb per I/O).

The -A option executes a test that alternates between writes and reads with optionally specified large block size (default is 1024kb per I/O). No data verification is peformed.

The -V option executes a sequential write verify test which uses 4kb per I/O operation. This is identical to the way fctest would function on previous releases.

The -T option executes a test that alternates between writes and reads with varying I/O sizes. It also steps through permutations of shelves on the specified loop. If -t minutes is specified, each iteration of the test will run for the specified time. This test is a continuous test and will run until stopped via ^C.

The -n option is used to optionally specify the number of sectors to be read for each I/O of the -R, -A or -W option. The number of sectors used by the the -V command is fixed at 8 (4kb) and cannot be altered.

The -d option allows for running fctest over a specific set of disks in the system by specifying a disk list of the form: <disk-name1> <disk-name2>

The -s option allows for running fctest over all disks contained in a specific shelf by specifying a shelf list of the form: <a>:<m> [<b>:<n> ...] where <m> and <n> are integer shelf ids and <a> and <b> are the PCI slot numbers of the Fibre Channel Adapter(s) the shelves are connected to. (on board adapter is slot 0a) Hint: use fcadmin device_map to get slot locations.

The -a option allows for running fctest over a specific set of Fibre Channel adapters in the system by specifying an adapter list of the form: <slot1> <slot2> … <slotN>.

If the -v option is specified, the output is verbose.

If the -B option is specified, disks attached to the Fibre Channel loop via their B ports will also be tested.

By default, the test runs for about 5 minutes. However, if the [ -t minutes ] option is used, the test will run for the specified duration. If [ -t 0 ] is specified, the test will run CONTINUOUSLY until stopped with a ^C.

If the adapter or disk-list, adapter-list and shelf-list arguments are missing, all Fibre Channel adapters and disks in the system are tested. Otherwise, only the specified adapter and disks attached to it are tested.

When finished, fctest prints out a report of the following values for each Fibre Channel adapter tested:

1. Number of times loss of synchronization was detected in that adapter’s Fibre Channel loop.

2. Number of CRC errors found in Fibre Channel packets.

3. The total number of inbound and outbound frames seen by the adapter.

4. A "confidence factor" on a scale from 0 to 1 that indicates the health of your Fibre Channel system as computed by the test. A value of 1 indicates that no errors were found. Any value less than 1 indicates there are problems in the Fibre Channel loop that are likely to intefere with the normal operation of your appliance. For more information see the Easy Installation Instructions for your specific filer or your Fibre Channel Storage Shelf Guide.

If the confidence factor is reported as less than 1, please go through the troubleshooting checklist for Fibre Channel loop problems in the document "Easy Installation Instructions for NetApp Filers" and re-run the fctest command after making any suggested modifications to your Fibre Channel setup. If the problem persists, please call your Customer Support telephone number.

The actual arithmetic that is used to compute the confidence factor is as follows:

The number of Fibre Channel errors is obtained by adding the number of underrun, CRC, Synchronization and link failure errors with all errors weighted the same.

The allowable number of errors by the Fibrechannel protocol is calculated by adding fibre channel frames (inbound + outbound) and then multiplying by 2048 bytes per frame and dividing by the BER of 1e-12 converted to bytes at 1e-11.

The confidence factor is calculated as follows:

if total errors = 0 then confidence factor = 1.0

if total errors < allowable errors then confidence factor = 0.99

if total errors > allowable errors then confidence factor is decremented by .01 for each error seen which the protocol error rate does not allow.

CLUSTER CONSIDERATIONS

In a clustered configuration, only disks on a filer’s primary loop (the A loop) are tested, unless the -B option is specified. If -B is specified, disks on the B loop are tested as well.

EXAMPLES

The following command runs fctest for 5 minutes doing a sequential alternating write and read test in verbose mode on all Fibre Channel adapters in the system, while testing only those disks which are attached via their A ports:

fctest -v

The following command runs fctest for an hour doing a sequential write test in verbose mode, using 1024kb I/O blocks while testing disks attached to adapter 8 via both A and B ports:

fctest -W -v -B -t 60 -a 8

The following command runs fctest for 5 minutes doing a sequential read test on all disks in shelf 0 on adapter 7.

fctest -R -s 7:0

The following command runs fctest continuously (until stopped) doing a sequential write test of 512kb I/O’s to all disks on shelf 1 on adapter 7, shelf 2 on adapter 7, disks 7.0 and 7.1 and all disks on adapter 8.

fctest -W -n 1024 -t 0 -d 7.0 7.1 -s 7:1 7:2 -a 8

The following command runs fctest continuously (until stopped) doing an alternating sequential write/read test with varying I/O sizes across all shelf permutations in the loop attached to adapter 7 for 4 minutes on each iteration.

fctest -T -t 4 7


Table of Contents

7-mode Manual Pages , , , ,

fsecurity_status

July 7th, 2009

Table of Contents

NAME

fsecurity_status – Displays the status of outstanding fsecurity jobs

SYNOPSIS

fsecurity status [<job id>]

DESCRIPTION

The fsecurity status command displays the current status of any outstanding fsecurity jobs as well as the completion status of the previous 15 jobs. If a job id is specified, more detailed status of that particular job will be displayed.

EXAMPLES

  toaster> fsecurity status    [Active jobs]     Job  Status   Current  Total  Type   Subtype  Mode       Path     1002 Working  2        2      NTFS   Normal   Propagate  /vol/vol0/secure     1003          –        –      –      –        –          –     [History - Previous 15 jobs]     Job  Status   Tasks Definition     1001 Success  1     /vol/vol0/templates/security-base.conf    toaster> fsecurity status 1002    [Status - Job 1002]     Overall Status: Working     Definition: /vol/vol0/templates/secure_ntfs.conf     Task  Status   Type   Subtype  Mode       Path     1     Success  NTFS   Normal   Propagate  /vol/vol0/ntfs     2     Working  NTFS   Normal   Propagate  /vol/vol0/secure 


Table of Contents

Copyright © 1994-2008 NetApp, Inc. Legal Information

7-mode Manual Pages , , , ,



This site is not affiliated or sponsored in anyway by NetApp or any other company mentioned within.

© 2009-2014 Chris Kranz All Rights Reserved
This site is not affiliated or sponsored in anyway by NetApp or any other company mentioned within.