NetApp | A NetApp Technical Diary

dlm

July 7th, 2009

Comments Off

NAME

dlm – Administer Dynamically Loadable Modules

SYNOPSIS

dlm [ list | load objectfile | unload objectfile ]

The dlm command administers dynamically loadable modules (DLMs). A DLM is an independent section of Data ONTAP code (an object file) implementing a particular optional or configuration-dependent functional component.

OPTIONS

list

Lists the names of currently loaded modules and their base addresses. The Data ONTAP kernel itself is treated as a module and this is always listed first. For example:

   kernel                           at 0x0xfffffc0000200000   /etc/modules/foo.mod             at 0x0x00000004444900b8

load: Instructs the system to load a module identified by the name objectfile. See below for the form of this name.

unload: Requests the system to unload the module object_file. This may fail if the module is in use.

Note: in normal use, there should never be a need to use the load or unload options since modules are loaded automatically when required.

FILES

Modules are object files which reside in the root filesystem in the /etc/modules directory. The full objectfile name of a module is of the form /etc/modules/foo.mod

Table of Contents

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
FILES

Rate this post:

Rating: 0.0/10 (0 votes cast)

Manual Pages dlm, man, manual, NetApp, ONTAP

disk_fw_update

July 7th, 2009

2 comments

Table of Contents

NAME

disk_fw_update – update disk firmware

SYNOPSIS

disk_fw_update < disk_list >

DESCRIPTION

Use the disk_fw_update command to manually update firmware on all disks or a specified list of disks on a filer. Each filer is shipped with a /etc/disk_fw directory that contains the latest firmware versions. Because this command makes disks inaccessible for up to five minutes after the start of its execution, network sessions that use the filer must be closed down before running the disk_fw_update command. This is particularly true for CIFS sessions that might be terminated while this command is executed.

For Data ONTAP 6.0 and later, the firmware is downloaded automatically to disks with previous versions of firmware. For information on automatic firmware update downloads, see AUTOMATIC vs. MANUAL FIRMWARE DOWNLOAD.

On configurations using software-based disk ownership both automatic and manual downloads update firmware only for those disks owned by the local filer. Disks owned by the partner filer are updated when the automatic download or the manual disk_fw_update command is executed on that particular node. Disks that are owned by neither filer are not updated. To update all disks, you must assign ownership to the unowned disks before running the disk_fw_update command.

Ignore any warning messages issued while the disk firmware is being updated.

To download the firmware to every disk, use the disk_fw_update command without arguments. To download the firmware to a particular list of disks, specify the disk names in the command. The disk names are in the form of cahnnel_name.disk_ID. For example, if you want to update firmware on disk ID 0, 1 and 3 on adapter 8, enter the following command:

disk_fw_update 8.0 8.1 8.3

The command applies to both SCSI disks and Fibre Channel disks.

If you need to view the current firmware versions, enter the sysconfig -v command. The following example displays a partial output from the sysconfig -v command, where the firmware version for the disk is NA01:

slot 8: Fibre Channel Host Adapter 8 (QLogic 2200 rev. 5, 64-bit, L-port, ) Firmware rev: 2.1.20 Host Loop Id: 7 FC Node Name: 2:000:00e08b:00c702 Cacheline size: 8 FC Packet size: 2048 SRAM parity: Yes External GBIC: Yes 0: NETAPP X225_ST336704FC NA01 34.5GB ( 71687368 512B/sect)

The firmware files are stored in the /etc/disk_fw directory. The firmware file name is in the form of prod_uct_ID.revision.LOD. For example, if the firmware file is for Seagate disks with product ID X225_ST336704FC and the firmware version is NA02, the file name is X225_ST336704FC.NA02.LOD. The revision part of the file name is the number against which the filer compares each disk’s current firmware version. If the filer in this example contains disks with firmware version NA01, the /etc/disk_fw/X225_ST336704FC.NA02.LOD file is downloaded to every disk when you execute this command.

NOTE ABOUT SOME FIBRE CHANNEL DISKS

Updating firmware on certain Fibre Channel disks can create an open-loop condition that can only be cleared by turning the power of the affected shelf or shelves off and then on. For example, the Seagate 9GB ST39175FC and Seagate 18GB ST118202FC tend to exhibit problems during firmware updates.

An open-loop condition is characterized by the inability of the filer to access disk drives. Warning messages indicating an open-loop condition, which you need to clear, typically appear on the console that are similar to the following messages:

ispfc: Loop break detected on Fibre Channel adapter 7. If not healed in 30 seconds, the system may be halted. -or- [ispfc_main:warning]: Loop break detected on Fibre Channel adapter 7. -or- ispfc: Fibre Channel adapter 7 appears to be unattached/disconnected. If adapter is in use, check cabling and seating of LRC cards in disk shelves.

AUTOMATIC vs MANUAL FIRMWARE DOWNLOAD

For Data ONTAP 6.0 or later, firmware is automatically downloaded to those disks with previous versions of firmware following a system boot or disk insertion. The firmware:

– Is not automatically downloaded to the filer’s partner filer in a cluster. – Is not automatically downloaded to unowned disks on filers configured to use software-based disk ownership. – For Data ONTAP 7.0.1 or later a new registry entry controls how the automatic firmware download feature works: If raid.background_disk_fw_update.enable is set to off, disk_fw_update will run as in previous releases of Data ONTAP. If raid.background_disk_fw_update.enable is set to on, disk_fw_update will only automatically update to filesystem disks contained in RAID4 volumes. Firmware updates for spares and filesystem disks contained within RAID-DP, mirrored RAID-DP and mirrored RAID4 volumes will be done in a non-disruptive manner in the background after boot. Firmware download for these disks will be done sequentially by temporarily offlining them one at a time for the duration of the download. Once firmware is updated, the disk will be onlined and restored back to normal operation mode.

During an automatic download to a clustered environment, the firmware is not downloaded to a cluster partner’s disk.
Automatic downloads to a cluster are unsuccessful with certain disk drives. In such cases, you may need to manually execute the disk_fw_update command to update the disks in a cluster.
When you manually key in the disk_fw_update command, the firmware is:

– Updated on every disk regardless of whether it is on the A-loop, the B-loop, or in a clustered environment. – If the filer is configured in a software-based disk ownership system only disks owned by this filer are updated.

Follow the instructions in HOW TO UPDATE FIRMWARE FOR A CLUSTER to ensure that the updating process is successful.
Data ONTAP 6.1 and later supports redundant path configurations for disks in a non-clustered configuration. Firmware is automatically downloaded to disks on the Aloop or B-loop of redundant configurations that are not configured in a cluster and are not configured to use software-based disk ownership.

AUTOMATIC BACKGROUND FIRMWARE UPDATE
In Data ONTAP 7.0.1 or later, firmware can be updated in the background so clients are not impacted by the firmware update process. This functionality is controlled by the registry entry raid.background_disk_fw_update.enable. The default value for this option is on.
When
disabled or set to "off”, disk_fw_update will update firmware in automated mode just like on previous releases of Data ONTAP. Namely all disks which are downrev will be updated regardless of if they are SPARE or filesystem disks.
When
enabled or set to "on”, background disk_fw_update will update firmware in automated mode only to disks which can be offlined successfully from active filesystem raid groups and from the spare pool. For filesystem disks, this capability currently exists within volumes of type RAIDDP, mirrored RAID-DP, and mirrored RAID4. To ensure a faster boot process, no firmware will be downloaded to spares and filesystem disks contained in the above volume types. However, firmware updates for disks within RAID4 volumes will be done at boot. RAID4 volumes can be temporarily (or permanently) upgraded to RAID-DP to automatically enable background firmware update capability.
This provides the highest degree of safety available, without the cost of copying data from each disk in the system twice. Disks are offlined one at a time and then firmware is updated on them. The disk is onlined after the firmware update and a mini/optimized reconstruct happens for any writes which occurred while the disk was offline. Background disk firmware update will not occur for a disk if its containing raid group or volume is not in a normal state (e.g if the volume/plex is offline or the raid group is degraded). However, due to the continuous polling nature of background disk firmware update, firmware updates will resume once the raid group/plex/volume is restored to a normal mode. Similarly, background disk firmware updates are suspended for the duration of any reconstruction within the system.

CLUSTER CONSIDERATIONS
When you are running a clustered configuration, do not attempt takeovers or givebacks during the execution of the disk_fw_update command.
If you use the manual disk_fw_update command on a filer that belongs to a cluster, the filer downloads the firmware to its disks and its partner’s disks, unless the filers are configured for software-based disk ownership. In that configuration firmware is only downloaded to disks the filer owns.
The automatic firmware download only takes place on a filer’s local disks.
For cluster failover configurations, clustering must be enabled and the CFO interconnect must be linked.

HOW TO UPDATE FIRMWARE FOR A CLUSTER
The automatic download of firmware updates can lead to problems when filers are configured in a clustered environment.
Known disk manufacturer limitations on certain disks further contribute to problems with firmware updates. For this reason, Data ONTAP does not allow firmware updates by automatic download to disk models with known limitations when a filer is configured in a clustered environment.
Disks with known limitations can only accept firmware updates if the disk_fw_update command is executed manually. You may need to enter and run the command yourself. However, no matter which disks your clustered filers use, it’s safest to update firmware this way.
Use the following procedure to successfully update your disk firmware in a clustered environment:

1. Make sure that the filers are not in takeover or giveback mode. 2. Install the new disk firmware on Filer A’s disks by issuing the disk_fw_update command on Filer A. 3. Wait until the disk_fw_update command completes on Filer A, and then install the new disk firmware on Filer B’s disks by issuing the disk_fw_update command on Filer B. Alternatively, if the registry entry raid.background_disk_fw_update is enabled then one simply needs to allow the cluster partners to update firmware one disk at a time in automated background mode.

SEE ALSO
partner

Table of Contents

NAME

SYNOPSIS

DESCRIPTION

NOTE ABOUT SOME FIBRE CHANNEL DISKS

AUTOMATIC vs MANUAL FIRMWARE DOWNLOAD

AUTOMATIC BACKGROUND FIRMWARE UPDATE

CLUSTER CONSIDERATIONS

HOW TO UPDATE FIRMWARE FOR A CLUSTER

SEE ALSO

Read more... (1629 words, estimated 6:31 mins reading time)

Manual Pages disk_fw_update, man, manual, NetApp, ONTAP

disktest

July 7th, 2009

Comments Off

Table of Contents

NAME

disktest – Disk Test Environment

SYNOPSIS

disktest [ -B ] [ -t minutes ] [ -v ] [ adapter ]

disktest -T [ -t minutes ] [ -v ] adapter

disktest [ -R ] [ -W ] [ -A ] [ -WV ] [ -V ] [ -B ] [ -t minutes ] [ -n sects ] [ -v ] [ -s <shelf-list> ] [ -d <disk-list> ] [ -a <adapter-list> ]

DESCRIPTION

Use the disktest command to test all types of disks on an appliance. This command provides a report of the integrity of your storage environment. It is only available in maintenance mode. By default, it takes about 5 minutes to complete.

The -R option executes a sequential read test with optionally specified large block size (default is 1024kb per I/O).

The -W option executes a sequential write test with optionally specified large block size (default is 1024kb per I/O).

The -A option executes a test that alternates between writes and reads with optionally specified large block size (default is 1024kb per I/O). No data verification is peformed.

The -WV option executes a sequential write verify test which uses 4kb per I/O operation. This is identical to the way disktest would function with -V option on previous releases.

The -V option executes a sequential SCSI verify test which uses 10MB per operation. This test will run for one complete pass to verify all sectors on the disk regardless of -T option.

The -T option executes a test that alternates between writes and reads with varying I/O sizes. It also steps through permutations of shelves on the specified loop. If -t minutes is specified, each iteration of the test will run for the specified time. This test is a continuous test and will run until stopped via ^C.

The -n option is used to optionally specify the number of sectors to be read for each I/O of the -R, -A or -W option. The number of sectors used by the the -WV command is fixed at 8 (4kb) and cannot be altered. The number of sectors used by the -V command is fixed at 20480 (10MB) to increase throughput and cannot be altered.

The -d option allows for running disktest over a specific set of disks in the system by specifying a disk list of the form: <disk-name1> <disk-name2>

The -s option allows for running disktest over all disks contained in a specific shelf by specifying a shelf list of the form: <a>:<m> [<b>:<n> ...] where <m> and <n> are integer shelf ids and <a> and <b> are the PCI slot numbers of the Adapter(s) the shelves are connected to. (on board adapter is slot 0a) Hint: use fcadmin device_map to get slot locations.

The -a option allows for running disktest over a specific set of adapters in the system by specifying an adapter list of the form: <slot1> <slot2> … <slotN>.

If the -v option is specified, the output is verbose.

If the -B option is specified, disks attached to a Fibre Channel loop via their B ports will also be tested.

By default, the test runs for about 5 minutes. However, if the [ -t minutes ] option is used, the test will run for the specified duration. If [ -t 0 ] is specified, the test will run CONTINUOUSLY until stopped with a ^C.

If the adapter or disk-list, adapter-list and shelf-list arguments are missing, all adapters and disks in the system are tested. Otherwise, only the specified adapter and disks attached to it are tested.

When finished, disktest prints out a report of the following values for each Fibre Channel adapter tested:

1. Number of times loss of synchronization was detected in that adapter’s Fibre Channel loop.

2. Number of CRC errors found in Fibre Channel packets.

3. The total number of inbound and outbound frames seen by the adapter.

4. A "confidence factor" on a scale from 0 to 1 that indicates the health of your disk system as computed by the test. A value of 1 indicates that no errors were found. Any value less than 1 indicates there are problems in the Fibre Channel loop that are likely to intefere with the normal operation of your appliance. For more information see the Easy Installation Instructions for your specific filer or your storage shelf guide.

If the confidence factor is reported as less than 1, please go through the troubleshooting checklist for Fibre Channel loop problems in the document "Easy Installation Instructions for NetApp Filers" and re-run the disktest command after making any suggested modifications to your Fibre Channel setup. If the problem persists, please call your Customer Support telephone number.

The actual arithmetic that is used to compute the confidence factor is as follows:

The number of errors is obtained by adding the number of underrun, CRC, Synchronization and link failure errors with all errors weighted the same.

The allowable number of errors by the Fibrechannel protocol is calculated by adding fibre channel frames (inbound + outbound) and then multiplying by 2048 bytes per frame and dividing by the BER of 1e-12 converted to bytes at 1e-11.

The confidence factor is calculated as follows:

if total errors = 0 then confidence factor = 1.0

if total errors < allowable errors then confidence factor = 0.99

if total errors > allowable errors then confidence factor is decremented by .01 for each error seen which the protocol error rate does not allow.

When finished, disktest prints out a report of the following values for each adapter tested:

1. Number of Write operations performed on an adapter.

2. Number of Read operations performed on an adapter.

3. IOPS (I/O’s per second) performed on an adapter.

4. Data rate in MB/S of the adapter.

5. Data transfer size per I/O operation on the adapter.

6. Number of soft (recovered) errors on the adapter.

7. Number of hard (unrecoverable) errors on the adapter.

8. A "confidence factor" on a scale from 0 to 1 that indicates the health of your disk system as computed by the test. A value of 1 indicates that no errors were found. Any value less than 1 indicates there are problems in the loop or bus or disk that are likely to intefere with the normal operation of your appliance. For more information see the Easy Installation Instructions for your specific filer or your storage shelf guide.

If the confidence factor is reported as less than 1, and a disk is reporting hard errors, you may want to proactively fail that disk or call your Customer Support telephone number.

The actual arithmetic that is used to compute the confidence factor is as follows:

The number of errors is obtained by adding the number of hard and soft errors from the disk with all errors weighted the same.

The allowable number of errors is zero for SCSI devices.

The confidence factor is calculated as follows:

if total errors = 0 then confidence factor = 1.0

if total errors > 0 then confidence factor is decremented by .01 for each error seen.

CLUSTER CONSIDERATIONS

In a clustered configuration, only disks on a filer’s FCAL primary loop (the A loop) are tested, unless the -B option is specified. If -B is specified, disks on the B loop are tested as well.

EXAMPLES

The following command runs disktest for 5 minutes doing a sequential alternating write and read test in verbose mode on all adapters in the system, while testing only those disks which are attached via their A ports:

disktest -v

The following command runs disktest for an hour doing a sequential write test in verbose mode, using 1024kb I/O blocks while testing disks attached to adapter 8 via both A and B ports:

disktest -W -v -B -t 60 -a 8

The following command runs disktest for 5 minutes doing a sequential read test on all disks in shelf 0 on adapter 7.

disktest -R -s 7:0

The following command runs disktest continuously (until stopped) doing a sequential write test of 512kb I/O’s to all disks on shelf 1 on adapter 7, shelf 2 on adapter 7, disks 7.0 and 7.1 and all disks on adapter 8.

disktest -W -n 1024 -t 0 -d 7.0 7.1 -s 7:1 7:2 -a 8

The following command runs disktest continuously (until stopped) doing an alternating sequential write/read test with varying I/O sizes across all shelf permutations in the loop attached to adapter 7 for 4 minutes on each iteration.

disktest -T -t 4 7

Table of Contents

NAME
SYNOPSIS
DESCRIPTION
CLUSTER CONSIDERATIONS
EXAMPLES

Read more... (1447 words, estimated 5:47 mins reading time)

Manual Pages disktest, man, manual, NetApp, ONTAP

fcstat

July 7th, 2009

Comments Off

Table of Contents

NAME

fcstat – Fibre Channel stats functions

SYNOPSIS

fcstat link_stats [ channel_name ]

fcstat fcal_stats [ channel_name ]

fcstat device_map [ channel_name ]

DESCRIPTION

Use the fcstat command to show (a) link statistics maintained for all drives on a Fibre Channel loop, (b) internal statistics kept by the Fibre Channel driver, and (c) a tenancy and relative physical position map of drives on a Fibre Channel loop.

SUB-COMMANDS: link_stats

All disk drives maintain counts of useful link events. The link_stats option displays the link event counts and this information can be useful in isolating problems on the loop. Refer to the event descriptions and the example below for more information.

link failure count
The drive will note a link failure event if it cannot synchronize its receiver PLL for a time greater than R_T_TOV, usually on the order of milliseconds. A link failure is a loss of sync that occurred for a long enough period of time and therefore resulted in the drive initiating a Loop Initialization Primitive (LIP). Refer to loss of sync count below.

underrun count
Underruns are detected by the Host Adapter (HA) during a read request. The disk sends data to the HA through the loop and if any frames are corrupted in transit, they are discarded by the HA as it has received less data than expected. The driver reports the underrun condition and retries the read. The cause of the underrun is downstream in the loop after the disk being read and before the HA.

loss of sync count
The drive will note a loss of sync event if it loses PLL synchronization for a time period less than R_T_TOV and thereafter manages to resynchronize. This event generally occurs when a component, before the disk, reports loss of sync up to and including the previous active component in the loop. Disks that are on the shelf borders are subject to seeing higher loss of sync counts than disks that are not on a border.

invalid CRC count
Every frame received by a drive contains a checksum that covers all data in the frame. If upon receiving the frame the checksum does not match, the invalid CRC counter is incremented and the frame is "dropped”. Generally, the disk which reports the CRC error is not at fault but a component between the Host Adapter (which originated the write request) and the reporting drive, corrupted the frame.

frame in count/ frame out count
These counts represent the total number of frames received and transmitted by a device on the loop. The number of frames received by the Host Adapter is equal to the sum of all of the frames transmitted from all of the disks. Similarly, the number of frames transmitted by the Host Adapter is equal to the sum of all frames received by all of the disks.

The occurrence of any of the error events may result in loop disruption. A link failure is considered the most serious since it may indicate a transmitter problem that is affecting loop signal integrity upstream of the drive. These events will typically result in frames being dropped and may result in data underruns or SCSI command timeouts.

Note that loop disruptions of this type, even though potentially resulting in data underruns and/or SCSI command timeouts, will not result in data corruption. The host adapter driver will detect such events and will retry the associated commands. The worst-case effect is a negligible drop in performance.

All drive counters are persistent across filer reboots and drive resets and can only be cleared by power-cycling the drives. Host adapter counters, e.g. underruns, are reset with each reboot.

SUB-COMMANDS: fcal_stats

The Fibre Channel host adapter driver maintains statistics on various error conditions, exception conditions, and handler code paths executed. In general, interpretation of the fields requires understanding of the internal workings of the driver. However, some of the counts kept on a per drive basis, (e.g. device_underrun_cnt, device_over_run_cnt, device_timeout_cnt) may be helpful in identifying potentially problematic drives.

Counts are not persistent across filer reboots.

SUB-COMMANDS: device_map

A Fibre Channel loop, as the name implies, is a logically closed loop from a frame transmission perspective. Consequently, signal integrity problems caused by a component upstream will be seen as problem symptoms by components downstream.

The relative physical position of drives on a loop is not necessarily directly related to their loop IDs (which are in turn determined by the drive shelf IDs). The device_map sub-command is helpful therefore in determining relative physical position on the loop.

Two pieces of information are displayed, (a) the physical relative position on the loop as if the loop was one flat space, and (b) the mapping of devices to shelves, to aid in quick correlation of disk ID with shelf tenancy.

EXAMPLE OF USE

Diagnosing a possible problem using fcstat

Suppose a running filer is experiencing problems indicative of loop signal integrity problems. For example, the syslog shows SCSI commands being aborted (and retried) due to frame parity/CRC errors.

To isolate the faulty component on this loop, we collect the output of link_stats and device_map.

toaster> fcstat link_stats 4

Loop Link Underrun Loss of Invalid Frame In Frame Out ID Failure count sync CRC count count count count count 4.29 0 0 180 0 787 2277 4.28 0 0 26 0 787 2277 4.27 0 0 3 0 787 2277 4.26 0 0 13 0 788 2274 4.25 0 0 27 0 779 2269 4.24 0 0 2 0 787 2277 4.23 0 0 11 0 786 2274 4.22 0 0 83 0 786 2274 4.21 0 0 3 0 786 2274 4.20 0 0 11 0 786 2274 4.19 0 0 14 0 779 2277 4.18 0 0 26 0 786 2274 4.17 0 0 10 0 787 2274 4.16 0 0 90 0 779 2269 4.45 0 0 12 0 183015 179886 4.44 0 0 16 0 1830107 17990797 4.43 0 0 7 11 1829974 17988806 4.42 0 0 13 33 1968944 18123526 4.41 0 0 14 23 1843636 17989836 4.40 0 0 13 11 1828782 17990036 4.39 0 0 14 138 4740596 18459648 4.38 0 0 11 27 1832428 17133866 4.37 0 0 43 22 1839572 17994200 4.36 0 0 13 130 4740446 18468932 4.35 0 0 11 23 1844301 17994200 4.34 0 0 14 25 1832428 17133866 4.33 0 0 26 29 1839572 17894220 4.32 0 0 110 31 1740446 18268912 4.61 0 0 50 23 1844301 17994200 4.60 0 0 12 21 1830150 18188148 4.59 0 0 16 19 1830107 17990997 4.58 0 0 7 27 1829974 17988904 4.57 0 0 13 25 1968944 18123526 4.50 0 0 14 19 1843636 17889830 4.49 0 0 13 22 1828782 18090042 4.48 0 0 114 130 4740596 18459648 4.ha 0 0 1 0 396255820 51468458

toaster> fcstat device_map 4

   Loop Map for channel 4:    Translated Map: Port Count 37                     7  29  28  27  26  25  24  23  22  21  20  19  18  17  16  45                    44  43  42  41  40  39  38  37  36  35  34  33  32  61  60  59                    58  57  50  49  48   Shelf mapping:                   Shelf 1:  29  28  27  26  25  24  23  22  21  20  19  18  17  16                   Shelf 2:  45  44  43  42  41  40  39  38  37  36  35  34  33  32                   Shelf 3:  61  60  59  58  57  XXX XXX XXX XXX XXX XXX 50  49  48

From the output of device_map we see the following

Drive 29 is the first component on the loop immediately downstream from the host adapter. (Note that the host adapter port (7) will always appear first on the position map.)

Shelf 3 has 6 slots that do not have any disks, which are represented by `XXX’. If the slot showed `BYP’, then the slot is bypassed by an embedded switched hub (ESH).

Shelf 1 is connected to shelf 2 between drives 16 and 45. Shelf 2 is connected to shelf 3 between drives 32 and 61.

From the output of link_stats we can see the following

There is a higher loss of sync count for the drive connected to the host adapter. Since every filer reboot involves reinitialization of the host adapters, we expect the first drive on the loop to see a higher loss of sync count.

Disks 4.16 through 4.29 are probably spares as they have relatively small frame counts.

CRC errors are first reported by drive 4.43. Assuming that there is only one cause of all the CRC errors, then the failing component is located between the Host Adapter and drive 4.43.

Since drive 4.43 is in shelf 2, it is possible that the errors are being caused by faulty components connecting the shelves. In order to isolate the problem, we want to see if it is related to any of the shelf connection points. We can do this by running a disk write test on the first shelf of disks using the following command (This command is only available in maintenance mode so it will be necessary to reboot.)

*> disktest -W -s 4:1

       where:        W       Write workload since CRC errors only occur on writes        s 4:1   test only shelf 1 on adapter 4

If errors are seen testing shelf 1, then it is likely that the faulty component is either the cable or the LRC between the host adapter and the first drive. If no errors are seen testing shelf 1, then the test should be run on shelf 2. If errors are seen testing shelf 2, the faulty component could be the connection between shelf 1 and 2. A plan of action would involve (a) replacing cables between shelves 1 and 2, or HA and shelf 1, and (b) replacing LRCs at faulty connection point.

Example of a link status for Shared Storage configurations

The following link staus shows a Shared Storage configuration

ferris> fcstat link_stats

   Targets on channel 4a:   Loop                Link  Underrun   Loss of   Invalid    Frame In   Frame Out    ID              Failure     count      sync       CRC       count       count                      count               count     count   4a.80                  1         0         9         0           0           0   4a.81                  1         0         3         0           0           0   4a.82                  1         0        13         0           0           0   4a.83                  1         0         3         0           0           0   4a.84                  1         0         3         0           0           0   4a.86                  1         0         3         0           0           0   4a.87                  1         0         3         0           0           0   4a.88                  1         0         3         0           0           0   4a.89                  1         0         3         0           0           0   4a.91                  1         0        10         0           0           0   4a.92                  1         0         3         0           0           0   4a.93                  1         0       264         0           0           0   Initiators on channel 4a:   Loop                Link  Underrun   Loss of   Invalid    Frame In   Frame Out    ID              Failure     count      sync       CRC       count       count                      count               count     count   4a.0 (self)            0         0         0         0           0           0   4a.7 (toaster)         0         0         0         0           0           0

From the output of link_stats we see the following

The local filer has a loop id of 0 on this loop, and the filer named toaster has a loop id of 7 on this loop.

Example of a device map for Shared Storage configurations

The following device map shows a Shared Storage configuration

ferris> fcstat device_map

  Loop Map for channel 4a:   Translated Map: Port Count 14                     0  80  81  82  83  84  86  87  88  89  91  92  93   7   Shelf mapping:                   Shelf 5:  93  92  91 XXX  89  88  87  86 XXX  84  83  82  81  80     Initiators on this loop:                     0 (self)  7 (toaster)

From the output of device_map we see the following

Both slot 6a and 6b are attached to Shelves 1 and 6.

Each loop has four filers conncted to it. On both loops, the loop id of filer `ha15′ is 0, the loop id of the local filer, `ha16′, is 1, the loop id of filer `ha17′ is 2, the loop id of the local filer, `ha18′, is 7.

Example of a device map for switch attached drives

The following device map shows a configuration where a set of shelves is connected via a switch

toaster> fcstat device_map

  Loop Map for channel 9:   Translated Map: Port Count 43                     7  32  33  34  35  36  37  38  39  40  41  42  43  44  45  16                    17  18  19  20  21  22  23  24  25  26  27  28  29  64  65  66                    67  68  69  70  71  72  73  74  75  76  77   Shelf mapping:                   Shelf 1:  29  28  27  26  25  24  23  22  21  20  19  18  17  16                   Shelf 2:  45  44  43  42  41  40  39  38  37  36  35  34  33  32                   Shelf 4:  77  76  75  74  73  72  71  70  69  68  67  66  65  64      Loop Map for channel sw2:0:   Translated Map: Port Count 15                   126  93  92  89  91  90  88  87  86  85  84  83  80  82  81    Shelf mapping:                   Shelf 5:  93  92  91  90  89  88  87  86  85  84  83  82  81  80

From the output of device_map we see the following

The first set of shelves is connected to a host adapter in slot 9.

The disks of shelf 5 are connected via a switch `sw2′ at its port 0. The switch port is 126 and appears first in the translated map.

CLUSTER CONSIDERATIONS

Statistics are maintained symmetrically for primary and partner loops.

Table of Contents

NAME
SYNOPSIS
DESCRIPTION
SUB-COMMANDS: link_stats
SUB-COMMANDS: fcal_stats
SUB-COMMANDS: device_map
EXAMPLE OF USE
CLUSTER CONSIDERATIONS

Read more... (2238 words, estimated 8:57 mins reading time)

Manual Pages fcstat, man, manual, NetApp, ONTAP

fcp

July 7th, 2009

Comments Off

Table of Contents

NAME

fcp – Commands for managing Fibre Channel target adapters and the FCP target protocol.

SYNOPSIS

fcp command argument …

DESCRIPTION

The fcp family of commands manages the Fibre Channel Target adapters and the FCP target protocol. These commands can start and stop FCP target service, up and down the target adapters, show protocol statistics and list client adapters connected to the filer.

FCP service must be licensed before the fcp command can be used to manage FCP services. If FCP service is not license, then the fcp command will return an error.

USAGE

fcp config [ adapter [ up | down ] [ partner { adapter | None } | -partner ] [ mediatype { ptp | auto | loop } ] [ speed { 1 | 2 | 4 | auto } ] ]

Configures the Fibre Channel target adapters. When no arguments are given or if only the adapter argument is given, the config subcommand returns configuration information about the adapter(s).

The adapter argument is of the form Xy or Xy_z where X and z are integers and y is a letter (for example 4a or 4a_1). The format depends on the system cfmode setting. When the system cfmode is set to standby, partner or single_image the format is Xy. When the system cfmode is set to mixed or dual_fabric the format is Xy_z. The latter introduces multiple virtual target adapters associated with a physical adapter. Xy_0 is the local port which serves local traffic. Xy_1 is the standby port which takes over the partner WWPN/WWNN during a cluster takeover. Xy_2 is the partner port which will ship SCSI commands over the cluster interconnect to the partner, when not in takeover mode. This will continue to serve data on the partner’s behalf when in takeover mode.

The up and down keywords can bring the adapter online or take the adapter offline. If FCP service is not running, then the adapters are automatically offlined. They cannot be onlined again until FCP service is started by the fcp start command.

The partner option sets the name of the partner adapter which the local adapter should takeover.

To prevent the adapter from taking over any partner adapter port, the keyword None is given as an argument to the partner option.

The -partner option removes the name of the partner adapter which the local adapter should takeover and allows the adapter to takeover a default adapter, based on the cfmode of the configuration. If the system is running in standby mode, then the default adapter for the "b" ports is the "a" port of the partner adapter with the same pci slot number. The default adapter for "a" ports is None. When in mixed, dual_fabric, or single_image mode, the default adapter for a given port is the partner adapter with the same name. 4a will takeover 4a and 5b will takeover 5b. When an adapter is taking over the default partner adapter, changing the cfmode will automatically update the default adapter for a given port.

The mediatype option has been deprecated for clustered filers unless running in the single_image cfmode. Single node systems, and clustered systems running in fcp cfmode single_image can still use the mediatype keyword to set the link topology.

The speed option is used to set the Fibrechannel link speed of an adapter. Adapters that support 4Gb/s can be set to 1, 2, 4 or auto. Adapters that support 2Gb/s can be set to 1, 2 or auto. By default, the link speed option is set to auto to enable auto negotiation. Setting the link speed to a specific value disables auto negotiation. Under certain conditions, a speed mismatch will prevent the adapter from coming online. Note that the actual link speed is reported in the output of fcp show adapter -v, in the Link Data Rate field, while the speed setting is reported in the output of fcp config.

fcp help sub_command

Displays the Help information for the given sub_command.

fcp nodename [ -f ] [ nodename ]

Establishes the nodename which the Fibre Channel target adapters register in the fabric. This nodename is in the form of a Fibre Channel world wide name, which is in the form XX:XX:XX:XX:XX:XX:XX:XX where X is a hexadecimal digit. The current nodename of the filer can be displayed if the nodename argument is not given.

All FCP adapters must be down before the nodename can be changed. When selecting a new nodename, use the following format to fit with NetApp’s registered names: 50:0a:09:80:8X:XX:XX:XX where XX:XX:XX is some integral value. If the -f flag is given, the format of the nodename does not need to comply with the above format.

fcp portname show [ -v ]

Displays a list of WWPNs used by local Fibre Channel target adapters and names of the corresponding adapters. If the -v flag is given, it also displays valid, but unused, WWPNs for local Fibre Channel target adapters. These WWPNs are marked as unused in the output.

This command only applies to local Fibre Channel target adapters in standby or single_image cfmode. It does not apply to standby adapters in standby cfmode.

fcp portname set adapter wwpn

Assigns a new WWPN to an adapter. You must offline and then online the adpter using the fcp config command before and after changing its WWPN. The WWPN must be one of the valid and unused WWPNs displayed by the fcp portname show -v command. The original WWPN of this adapter is reset to be unused.

This command only applies to local Fibre Channel target adapters in standby or single_image cfmode.

fcp portname swap adapter1 adapter2

Swaps WWPNs of two local Fibre Channel target adapters in standby or single_image cfmode. You must offline and then online adapter1 and adapter2 using the fcp config command before and after changing their WWPNs.

This command only applies to local Fibre Channel target adapters in standby or single_image cfmode.

fcp show adapter [ -v ] [ adapter ]

If no adapter name is given, information about all adapters are shown.

This command displays information such as nodename/portname and link state about the adapter.

If the -v flag is given, this command displays additional information about the the adapters.

fcp show cfmode

This command displays the current cfmode setting.

fcp show initiator [ -v ] [ adapter ]

If no adapter name is given, information about all initiators connected to all adapters are shown.

The command displays the portname of initiators that are currently logged in with the the Fibre Channel target adapters. If the portname is in an initiator group setup through the igroup command, then the group name is also displayed. Similarly, all aliases set with the fcp wwpn-alias command for the portname are displayed as well.

If the -v flag is given, the command displays the Fibre Channel host address and the nodename/portname of the initiators as well.

fcp stats [ -z ] [ adapter ]

If no adapter name is given, information about all initiators connected to all adapters are shown. The -z option zeros all statistics except `Initiators Connected’.

The command displays statistics about the Fibre Channel target adapters and the VTIC partner adapter.

These are the Fibre Channel target adapter statistics.

Read Ops: This counts the number SCSI read ops received by the HBA.

Write Ops: This counts the number SCSI write ops received by the HBA.

Other Ops: This counts the number other SCSI ops received by the HBA.

KBytes In; This counts the KBytes of data received by the HBA.

KBytes Out: This counts the KBytes of data sent by the HBA.

Adapter Resets: This counts the number of adapter resets occurred.

Frame Overruns: This counts the frame overruns detected by the adapter during write requests.

Frame Underruns: This counts the frame underruns detected by the adapter during read requests.

Initiators Connected: This counts the total number of initiators connected to this target adapter.

Link Breaks: Ihis records the number of times that the link breaks.

LIP Resets: This counts the number of times that a selective Reset LIP (Loop Initialization Primitive) occurred. LIP reset is used to preform a verndorspecific reset at the loop port specified by the AL-PA value.

SCSI Requests Dropped: This reports the number of SCSI requests being dropped.

Spurious Interrupts: This reports the spurious interrupt counts.

Total Logins/Total Logouts: This counts the times of initiators added/removed. Each time a new initiator is added, the total logins is incremented by 1. Each time an initiator is removed, the total logouts is incremented by 1.

CRC Errors: This reports the total CRC errors occurred.

Queue Depth: This counts the queue depth on the target HBA.

These are the stats for the VTIC adapter

Read Ops: This counts the number SCSI read ops received from the partner.

Write Ops: This counts the number SCSI write ops received from the partner.

Other Ops: This counts the number other SCSI ops received from the partner.

KBytes In; This counts the KBytes of data received from the partner.

KBytes Out: This counts the KBytes of data sent by the partner.

out_of_vtic_cmdblks,: out_of_vtic_msgs,

out_of_vtic_resp_msgs,: out_of_bulk_msgs, out_of_bulk_buffers, out_of_r2t_buffers: These are counters that track various out of resource errors.

The remaining statistics count the different messages exchanged by the VTIC adapters on filer in a cluster.

fcp stats -i interval [ -c count ] [ -a | adapter ]

Displays statistics about fcp adapters over the given interval. The interval is given in seconds. If no adapter is specified, all adapters, with nonzero statistics, are shown.

The -c option will cause the stats to stop after count intervals.

The -a option will cause all HBAs to be listed, including HBAs with zero statistics. This option can not be used if an adapter is specified.

The statistics are

r/s: The number of SCSI read operations per second.

w/s: The number of SCSI write operations per second.

o/s: The number of other SCSI operations per second.

ki/s: Kilobytes per second receive traffic for the HBA

ko/s: Kilobytes per second send traffic for the HBA.

asvc_t: Average in milliseconds to process a request through the HBA.

qlen: The average number of outstanding requests pending.

hba: The name of the HBA

fcp start

Starts FCP service. When FCP service is started, the adapters brought online.

fcp status

Displays status information about whether FCP service is running or not.

fcp stop

Stops FCP service and offlines the Fibre Channel target adapters.

On clustered systems, fcp stop will shutdown adapters on one head, but the adapters on the partner node are not affected. If any adapter on the partner node is running in partner mode, they can export the local filer’s luns. In order to prevent all access to the luns on one head, all adapters, on both local and partner filer nodes, need to be stopped.

The cf disable does not stop any fcp scsi commands from being sent to the partner filer via the interconnect.

fcp wwpn-alias set [ -f ] alias wwpn

Set an alias for a wwpn (WorldWide PortName). The alias can be no more than 32 characters long and may include A-Z, a-z, 0-9, `_’, ‘-’, ‘.’, ‘{‘, ‘}’ and no spaces. You may use these aliases in the other fcp and igroup commands that use initiator portnames. Please note that you may set multiple aliases for a wwpn, but only one wwpn per alias. To reset the wwpn associated with with an alias the -f option must be used.

You may set upto 1024 aliases in the system.

fcp wwpn-alias remove { -a alias … | -w wwpn }

Removes all alias(es) set for a given wwpn or all alias(es) provided.

fcp wwpn-alias show [ -a alias | -w wwpn ]

Display all aliases and the corresponding wwpn’s if no arguments are supplied. The -a displays the wwpn associated with the alias if set. The -w option displays all aliases associated with the wwpn

CLUSTER CONSIDERATIONS

When the system is not in takeover mode, the adapters running on the local node will be online to monitor the state of the link. These adapters cannot be offlined by the fcp config command, nor can they be displayed with the fcp show commands. The nodename/portname they register with a fabric are different from the filer’s nodename/portname. The mediatype and partner configurations under the fcp config command can be set on these adapters.

Once takeover occurs, these adapters will initialize with the partner node’s nodename/portname and can be managed through the partner command.

The fcp show cfmode command only applies to clustered filers.

fcdiag

July 7th, 2009

Comments Off

Table of Contents

NAME

fcdiag – Diagnostic to assist in determining source of loop instability

SYNOPSIS

fcdiag

DESCRIPTION

This command has been removed from Data ONTAP. Please use the disktest command or run Diagnostics from floppy disk, PC card or flash in order to diagnose FC-AL related problems.

Table of Contents

NAME
SYNOPSIS
DESCRIPTION

Rate this post:

Rating: 10.0/10 (1 vote cast)

Manual Pages fcdiag, man, manual, NetApp, ONTAP

fcadmin

July 7th, 2009

Comments Off

Table of Contents

NAME

fcadmin – Commands for managing Fibre Channel adapters.

SYNOPSIS

fcadmin command argument …

DESCRIPTION

The fcadmin utility manages the Fibre Channel adapters used by the storage subsystem. Use these commands to show link and loop level protocol statistics, list the storage devices connected to the filer, and configure the personality of embedded adapters.

USAGE

fcadmin config
[ <adapter_name> ... ]

fcadmin config
[ -? ]
[ -e | -d ]
[ -t {target|initiator|unconfigured} ] [ <adapter_name> ... ]

fcadmin [link_stats|fcal_stats|device_map] <adapter_name>

DESCRIPTION

The fcadmin link_stats, fcal_stats and device_map commands are identical to the fcstat command options. For more information, see fcstat

The fcadmin config command configures the personality of embedded Fibre channel (FC) adapters. When no arguments are given, the fcadmin config command returns configuration information about all of the embedded FC adapter(s) on the filer. Embedded FC adapters always appear in slot 0. If no embedded FC adapters exist, the fcadmin config command is not supported and an error is returned.

The fcadmin config command displays the following information:

Adapter:
An adapter name of the form Xy, where X is zero and y is a letter (e.g. 0a or 0c).

Type: The type of adapter: initiator or target. The adapter type is determined by which device driver controls the adapter. When the storage initiator driver is attached, the adapter is an initiator. When the FCP target mode driver is attached, the adapter is a target. A filer reboot is required to attach a new driver when the adapter type is changed. The storage initiator driver is attached prior to any configuration changes. The default adapter type is initiator.

Status:
The status of the adapter, online or offline, reported from the attached driver. Before changing the adapter type, the status must indicate that the adapter is offline.

State: The configuration state of the adapter. Use the configuration state to track changes in the the type and state of the adapter.

The following configuration states exist:

CONFIGURED: The adapter is configured and the specified driver is attached. This is the normal operating state.

UNCONFIGURED: The adapter is forced offline by the attached driver and cannot be used. This state is only valid when the initiator driver is attached (the adapter Type is initiator).

PENDING: An adapter Type and/or State change is pending. A filer reboot is required for the change to take effect. While in the PENDING state, the adapter is forced offline by the attached driver and cannot be used.

There are three possible PENDING substates: (target), (initiator), and (unconfigured). When changing the adapter type from initiator to target, the adapter moves to the PENDING (target) state. When changing the adapter type from target to initiator, the adapter moves to the PENDING (initiator) state. The PENDING (unconfigured) state means that a change is pending that will affect both the type and state of the adapter. The PENDING (unconfigured) state only occurs when the target driver is attached to the adapter (the adapter ype is target) and a change has been made to move the adapter to the UNCONFIGURED state. When the initiator driver is attached, no reboot is required to change between the CONFIGURED and UNCONFIGURED state.

DISPLAYS

Example output:

  filer> fcadmin config                      Local   Adapter Type      State                  Status   —————————————————     0a   initiator  CONFIGURED             online     0b   initiator  UNCONFIGURED           offline     0c   initiator  PENDING (target)       offline     0d   target     PENDING (unconfigured) offline

OPTIONS

-?: Provides online help for the fcadmin config command.

-e: Enables the adapter by calling the attached driver’s online routine. When the adapter type is initiator, it has the same effect as the storage enable adapter command. When the adapter type is target, it has the same effect as the fcp config up command. Enabling the adapter changes the adapter status from offline to online.

-d: Disables the adapter by calling the attached driver’s offline routine. When the adapter type is initiator, it has the same effect as the storage disable adapter command. When the adapter type is target, it has the same effect as calling the fcp con_fig down command. Disabling the adapter changes the adapter status from online to offline.

-t type: Changes the adapter type and/or state. Valid type arguments are initiator, target, and unconfigured. Before changing the adapter configuration with this option, the adapter must be offline. You can take the adapter offline in a number of ways. If using the -d option does not work, use the utilities for the attached driver. You can also force the adapter offline by removing the FC cable from the adapter port at the back of the filer. If a filer reboot is required to change the adapter configuration following the use of this option, the adapter moves to the PENDING (type) state to indicate that a reboot is required.

adapter_name: The name of one or more adapters, separated by spaces. When no other option is provided, the specified adapter(s) configuration displays. If no adapter_name argument is provided, the configurations of all adapters display.

NOTES

Automatic Reconfiguration
Under some circumstances, the filer may boot with the wrong driver attached. When this happens the embedded adapters are reprogrammed to their proper type and state and the filer is automatically rebooted to attach the correct driver. Before rebooting, the fci.config.autoReboot EMS message displays on the console. Events that can cause this problem include maintenance head swaps, use of the console set-defaults command, and other operations that affect the filer’s boot environment state.

Repair
When DataONTAP is fully initialized and running, configuring an adapter with the fcadmin config utility records the adapter configuration in both the filer’s boot environment and on-disk, in the filer’s root volume. Following a console set_defaults operation, a maintenance head swap, or other event that destroys the boot environment state, the initiator driver is attached to all embedded adapters during boot. This ensures that all storage loops are discovered during boot. After the filer’s root volume comes online, the boot environment configuration is checked against the on-disk configuration information. If a misconfiguration is detected, the boot environment information is restored and the filer automatically reboots to attach the correct drivers and restore the original configuration. This provides consistency between maintenance head swaps and other events which destroy the boot environment.

Maintenance Mode Operation
You can use the fcadmin config utility while in Maintenance Mode. After changing the adapter configuration in Maintenance Mode, a reboot is required for the change to take effect. When run from Maintenance Mode, no on-disk configuration information can be stored because the filer’s root volume is unavailable. To account for this, the fcadmin config utility indicates that the boot environment configuration needs to be recorded ondisk during a subsequent reboot. After changing the adapter configuration in Maintenance Mode, the boot environment configuration becomes canonical. Otherwise, the on-disk configuration is canonical.

New Installations
Following a new installation of Data ONTAP, the ondisk configuration information is undefined. When this condition is encountered, then the boot environment configuration becomes canonical and the ondisk configuration is programmed to match the existing boot environment configuration. In this way the embedded adapter configuration is preserved across new installations. To modify this behavior you must perform a console set-defaults operation, and/or use the fcadmin config utility in Maintenance Mode to change the configuration, prior to installing Data ONTAP.

CLUSTER CONSIDERATIONS

Symmetric target adapter configuration needed in a CFO: To support the FCP cfmodes partner, standby, mixed, and dual_fabric, both filers must share a symmetric adapter configuration. For example, if adapters 0a and 0c are configured as a target on one CFO filer, then adapters 0a and 0c must be configured as a target on the partner filer. Non-symmetric adapter configurations cause service interruptions during CFO takeover and giveback.

Use of fcadmin config during takeover: After a takeover occurs, you can use the fcadmin config utility to read the partner head’s on-disk configuration information. When this is done, only the adapter type and state are reported. The online/offline status cannot be reported because no hardware is present. You can use this functionality to determine the partner head’s embedded port configuration prior to doing a giveback. You cannot change the adapter type and state when run from partner mode.

Example output:

dopey(takeover)> partner fcadmin config Warning: The system has been taken over. Adapter configuration is not possible. Partner Adapter Type State Status ————————————————— 0a initiator CONFIGURED. — 0b initiator UNCONFIGURED — 0c target CONFIGURED — 0d target CONFIGURED — Maintenance head swaps in a CFO: During a maintenance head swap procedure in a CFO, the embedded adapter configuration must be changed before doing a giveback to avoid FCP service interruptions. When the embedded adapters are used for FCP target mode operation in a CFO, boot the new head into Maintenance Mode prior to doing the first giveback and use the fcadmin config utility to restore the adapter configuration. For more information about Maintenance Mode operation, see floppyboot. EMS MESSAGES fci.config.offline: The fci.config.offline message displays anytime an adapter fails to come online because of a mismatch in the configuration state. _NF_NF_ For example: surf> storage enable adapter 0a Host adapter 0a enable failed Tue Aug 3 16:13:46 EDT [surf: fci.config.offline:notice]: Fibre channel adapter 0a is offline because it is in the PENDING (target) state.

fci.config.state:
The fci.config.state message displays anytime an adapter has changed states:

For example: surf> fcadmin config -t target 0a A reboot is required for the new adapter configuration to take effect. Mon Aug 2 14:53:04 EDT [surf: fci.config.state:notice]: Fibre channel initiator adapter 0a is in the PENDING (target) state.

fci.config.needsReboot:
The fci.config.needsReboot message displays when a service is started while there are adapters in the PENDING state waiting for reconfiguration:

For example: surf> fcp start FCP service is running Thu Aug 5 16:09:27 EDT [surf: fci.config.needsReboot:warning]: Reboot the filer for Fibre channel target adapter(s) 5a 5b to become available.

fci.config.autoReboot:
Under some circumstances, the filer automatically reboots to ensure the adapter configuration is correct. The fci.config.autoReboot message displays to notify the user of this condition. This condition is normally only encountered after a maintenance head swap procedure.
fci.config.error:
This message indicates an error has occured during the Auto-reconfiguration process. The specified adapter(s) will be unavailable until the problem is fixed.
fcp.service.config:
The fcp.service.config message displays anytime the FCP service is started on a platform which supports fc configuration but no target adapters are present.

ERRORS
"The system has been taken over. Adapter configuration is not possible.”
"platform does not support FC adapter configuration”
"adapter adapter_name is not configurable”
"can’t find adapter adapter_name”
"can’t configure adapter adapter_name to type type”
"invalid boardType value”
"invalid adapterType value”
"Invalid type argument: type”
"internal error”
"can’t determine adapter adapter_name status”
"adapter adapter_name must be offline before changing configuration”
"adapter adapter_name failed to come online”
"adapter adapter_name failed to go offline”
"failed to configure adapter adapter_name to the <offline or online> state”
"adapter adapter_name is in use. Must set adapter offline by storage disable adapter command, or disconnect cable.”

BUGS
Under some circumstances an adapter can not be put offline with the fcadmin config -d command. When this happens use the associated driver utility, fcp config or storage disable adapter, to change the adapter status or remove the cable from the adapter port at the back of the filer.

SEE ALSO
cf , fcp , storage , san , floppyboot , fcstat

Table of Contents

NAME

SYNOPSIS

DESCRIPTION

USAGE

DESCRIPTION

DISPLAYS

OPTIONS

NOTES

CLUSTER CONSIDERATIONS

EMS MESSAGES

ERRORS

BUGS

SEE ALSO

Read more... (1915 words, estimated 7:40 mins reading time)

Manual Pages fcadmin, man, manual, NetApp, ONTAP

exports

July 7th, 2009

5 comments

Table of Contents

NAME

exports – directories and files exported to NFS clients

SYNOPSIS

/etc/exports

DESCRIPTION

The /etc/exports file contains a list of export entries for all file system paths that Data ONTAP exports automatically when NFS starts up. The /etc/exports file can contain up to 10, 240 export entries. Each export entry can contain up to 4, 096 characters, including the end-of-line character. To specify that an export entry continues onto the next line, you must use the line continuation character "\”.

An export entry has the following syntax:

Each export entry is a line in the following format:

pathname -option[, option ] …

The following list describes the fields in an export entry:

pathname: path name of a file or directory to be exported.

option: the export option specifying how a file or directory is exported.

You can specify an option in one of the following formats:

actual=path: Specifies the actual path to use when a NFS client attempts to mount the original path. This option is useful for moving mount points without reconfiguring the clients right away. Note that while the exported pathname need not exist, the pathname given as a parameter to actual must exist.

anon=uid|name If a request comes from user ID of 0 (root user ID on the client), use uid as the effective user ID unless the client host is included in the root option. The default value of uid is 65534. To disable root access, set uid to 65535. To grant root access to all clients, set uid to 0. The user ID can also be specified by a name string corresponding to an entry in /etc/passwd.

nosuid: If a request tries to set either with either setuid or setgid or if a special file, i.e., block or character type via mknod, then nosuid disallows that request. The default mode is to allow such requests.

ro | ro=hostname[:hostname]…
A pathname can be either exported ro to all hosts or to a set of specified hosts.

rw | rw=hostname[:hostname]…
A pathname can be either exported rw to all hosts or to a set of specified hosts. If no access modifiers are provided, then the default is rw.

root=hostname[:hostname]…
Give root access only to the specified hosts. Note that there is no -root option, i.e., this option always takes at least one hostname as a parameter.

sec=secflavor[:secflavor]…
Allow access to the mounted directory only using the listed security flavors. If no sec directive is provided, then the default of sys is applied to the export. The sec directive may appear multiple times in a rule, which each appearance setting the context of the following directives: anon, nosuid, ro, root, and rw. The contexts apply in order. If only one security context is provided in an export, then it applies regardless of where it appears in the export. Note that any given secflavor can only appear once in an export rule.

The supported security flavors are:

sys: for Unix(tm) style security based on uids and gids

krb5: for Kerberos(tm) Version 5 authentication.

krb5i: for Kerberos(tm) Version 5 integrity service

krb5p: for Kerberos(tm) Version 5 privacy service

The Kerberos(tm) authentication service verifies the identity of the users accessing the filer on all accesses, and also verifies to the client that the responses are from the filer. The integrity service provides a strong assurance that the messages have not been tampered with. The privacy service ensures that messages intercepted on the wire cannot be read by any other party. The integrity and privacy services both include authentication. The default security flavor is sys.

The security flavor of none can also be applied to an export. If the client uses this flavor, then all requests get the effective UID of the anonymous user. Also, if a request arrives with a security context which is not present in the export, and none is allowed, then that request is treated as if it arrived with the flavor of none.

HOSTNAMES

A host is allowed to mount an export if it has either ro or rw access permissions.

A hostname is described as:

[-][machine name|netgroup|machine IP|subnet|DNS domain]

Where, `-’ indicates that the host is to be denied access.

A machine name is an alphanumeric string.

A netgroup is also an alphanumeric string and describes a group of machine names. If NIS is not enabled, then each netgroup must be defined in the /etc/netgroup file. If NIS is enabled, then each netgroup may either be in a NIS mapping or defined in the /etc/netgroup file.

If a netgroup occurs in both NIS and /etc/netgroup, then the ordering given in /etc/nsswitch.conf determines which definition is used.

A netgroup can be differentiated from a hostname by prepending an `@’ to the name. When an entry begins with an `@’, ONTAP treats it as netgroup and not a hostname. When an entry does not begin with `@’, the handling depends on the setting of the option nfs.netgroup.strict.

If nfs.netgroup.strict is set, then the `@’ determines whether an entry is either a netgroup or a hostname. In this case, when an entry appears without a prepended `@’, it is assumed to be a hostname, i.e., it cannot be a netgroup.

If nfs.netgroup.strict is not set, then an entry with `@’ will still only denote a netgroup, but the absence of the `@’ does not determine that an entry is a host.

The use of the nfs.netgroup.strict option eliminates spurious netgroup lookups (which can be helpful to performance). If it is not used, backwards compatibility with export specifications in which netgroups are not specified with an `@’ is retained.

A machine IP is in dotted decimal format: AAA.BBB.CCC.DDD

A subnet is in the forms:

dotted_IP/num_bits
The dotted_IP field is a subnet number. The num_bits field specifies the size of the subnet by the number of leading bits of the netmask.

"[network] subnet [netmask] netmask” The subnet field is the subnet number. The netmask field is the netmask. Note that the keywords network and netmask are optional.

A DNS domain starts with a `.’ and is alphanumeric.

If there is a machine name and a netgroup with the same name, then the hostname is assumed to be the name of a machine.

In UNIX, it is illegal to export a directory that has an exported ancestor in the same file system. Data ONTAP does not have this restriction. For example, you can export both the /vol/vol0 directory and the /vol/vol0/home directory. In determining permissions, the filer uses the longest matching prefix.

DUPLICATE DETECTION

Neither the same path nor the same file handle can be advertised for exports. We restrict the path names to make mounts unique and the file handle restriction makes per NFS request checking also be unique.

As the /etc/exports file is parsed and the same path is determined to be used for exporting, then the last instance of the export rule is stored in memory. Note that different path names may evaluate to the same advertised path:

/home

/vol/vol0/home

/vol/vol0/home/ontap/..

The addition of actual complicates the rules for determining what gets exported. If an export uses -actual, then neither the advertised path nor the actual storage path may be duplicated in memory.

ACCESS RULES

There is no set ordering of options, but as the ro and rw options interact, there is a strict interpretation of these options:

1) -rw is the default if -ro, -ro=, -rw, and -rw= are all not present.

2) If only -rw= is present, ro is not the default for all other hosts. This rule is a departure from pre-6.5 semantics.

3) -ro, ro= and -rw, rw= are errors.

4) -ro=A, rw=A is an error

5) -ro=A, rw=-A is an error

6) -ro=-A, rw=A is an error

7) The position of -rw, -rw= -ro, and -ro= in the options does not have any significance

8) -ro trumps -rw

9) -ro= trumps -rw

10) -rw= trumps -ro

11) A specific host name in either -ro= or -rw= overrides a grouping in the other access specifier.

12) -ro= trumps -rw=

13) Left to right precedence, which determines `-’ and the order we go across the wire.

Note, "A trumps B" means that option A overrules option B.

ACCESS RULES EXAMPLES

Given the following netgroups:

farm pets (alligator, , ) livestock workers

pets (dog, , ) (cat, , ) (skunk, , ) (pig, , ) (crow, , )

livestock
(cow, , ) (pig, , ) (chicken, , ) (ostrich, , )

workers
(dog, , ) (horse, , ) (ox, , ) (mule, , )

predators
(coyote, , ) (puma, , ) (fox, , ) (crow, , )

We can illustrate the access rules thusly:

/vol/vol0 -anon=0

All hosts have rw access, and root at that.

/vol/vol0 -root=horse, rw

All hosts have rw access, but only horse has root access.

/vol/vol0 -anon=0, rw=horse

Only horse has access and it is rw. Note the departure from the prior rule format, in which all other hosts would by default have ro access.

/vol/vol0 -anon=0, ro, rw=horse

All hosts have ro access, except horse, which has rw access.

/vol/vol1 -ro=@workers, rw=@farm:canary /vol/vol1 -rw=@farm:canary, ro=@workers

All hosts in the netgroup farm have rw access, except dog, horse, ox, and mule. All of which have ro access. In addition, canary has rw access to the export. Note that both lines are identical with respect to determining access rights.

/vol/vol2 -ro=@pets, rw

All hosts have rw access, except for dog, cat, skunk, pig, and crow, all of which have ro access.

/vol/vol2 -ro=-@pets, rw

All hosts have rw access, except for dog, cat, skunk, pig, and crow, all of which have no access at all.

By rule #9, all members of the netgroup pets are denied rw access. By negation, all members of the netgroup pets are denied ro access.

/vol/vol2 -ro, rw=@pets:canary

All hosts have ro access, except for canary, dog, cat, skunk, pig, and crow, all of which have rw access.

/vol/vol2 -ro, rw=-@pets:canary

All hosts have ro access, except for canary which has rw access.

/vol/vol2 -ro, rw=@pets:@farm:canary

All hosts have ro access, except for canary and all hosts in the netgroups pets and farm, which all have rw access.

/vol/vol2 -ro, rw=-@pets:@farm:canary

All hosts have ro access, except for all hosts in the netgroup farm, excluding all hosts in the netgroup pets, which have rw access. The host canary also has rw access.

If the host cat wants to write to /vol/vol2, by rule #10, we first check the -rw= access list. By rule #13, we check for access in order of -@pets, @farm, and finally canary. We match cat in the netgroup pets and therefore cat is denied rw access. It will however be granted ro access.

/vol/vol2 -ro, rw=@farm:-@pets:canary

Effectively, all hosts have ro access, except for canary and all hosts in the netgroup farm, which all have rw access.

If the host cat wants to write to /vol/vol2, by rule #10, we first check the -rw= access list. By rule #13, we check for access in order of @farm, -@pets, and finally canary. We match cat in the netgroup farm, by expansion, and therefore cat is granted rw access.

/vol/vol2a -rw=@pets:-@workers, ro=@livestock

By rule #12, cow, pig, chicken, and ostrich all have ro access.

By rule #13, dog, cat, and skunk all have rw access.

By negation, horse, ox, and mule have no rw access and by rule #2, they have no access at all.

/vol/vol2a -rw=-@workers:pets, ro=@livestock

By rule #12, cow, pig, chicken, and ostrich all have ro access.

By rule #13, negation, and rule #2, dog, horse, ox, and mule have no access.

cat and skunk have rw access.

/vol/vol3 -ro=@pets, rw=@farm:lion

All hosts in the netgroup farm have rw access, except for all hosts in the netgroup pets, which all have ro access. In addition, the host lion has rw access.

If the host cat wants to write to /vol/vol3, by rule #12, we first check the -ro= access list. We match cat in the netgroup pets and therefore we deny rw access.

/vol/vol4 -ro=10.56.17/24, rw=10.56/16

All hosts in the subnet 10.56/16 have rw access, except those in the subnet 10.56.17/24, which have ro access.

/vol/vol17
-ro=10.56.17/24, rw=10.56.17.5:10.56.17.6:farm

All hosts in the subnet 10.56.17/24 have ro access, except, by rule #11, for 10.56.17.5 and 10.56.17.6, which have rw access. If the hosts in the netgroup farm are on the 10.56.17/24 subnet, they have ro access, else they have rw access. Rule #11 allows for specific hosts to be excluded from a range provided by a group. Since it makes no sense to compare netgroups to subnets, we do not allow exceptions by groups.

/vol/vol19
-ro=10.56.17.9:.frogs.fauna.mycompany.com, \\ rw=.fauna.mycompany.com

All hosts in the subdomain .fauna.mycompany.com get rw access, except those in the subdomain Note that we determine this result from rule #12 and not rule #11; we do not evaluate if one grouping construct is a subset of another. If 10.56.17.9 is in the subdomain .fauna.mycompany.com, then by rule #11, it gets ro access.

/vol/vol21 -ro=10.56.17.9, rw=-pets:farm:skunk

Rule #11 interacts with rules #5 and #6 in an interesting way, if a host is mentioned in an export by either name or IP, then it appears that it will always be granted the access given by whether it is in -ro= or -rw=. However, rule #13 still applies. Thus, 10.56.17.9 always gets ro access, but in this case by rule #13, skunk is denied access to the mount. Since skunk is a member of the netgroup pets, and pets is denied rw access by negation, skunk is denied access.

/vol/vol5
-ro=.farm.mycompany.com, sec=krb5, rw, anon=0

If the secflavor is sys, then all hosts in the DNS subdomain of .farm.mycompany.com are granted ro access. If the secflavor is krb5, then all hosts are granted rw access.

/vol/vol6 -sec=sys:none, rw, sec=krb5:krb5i:k4b5p, rw, anon=0

If the secflavor is sys or none, then all hosts are granted rw access, but effectively all root access is blocked. If the secfla_vor is from one of the secure krb5, krb5i, or krb5p, then rw and effectively root access are both granted.

UPGRADING

Exports defined prior to ONTAP 6.5 contain a different option, -access, which defined which hosts were permitted to mount an export. With the newer finer grained options, and by allowing more flexibility such as netgroups in the options, -access has been removed as an option.

Another significant change is that -ro is no longer the default if -rw= is present as an option.

During the upgrade process, the /etc/exports file is converted to the newer format.

The rules for upgrading to the new format are:

1) -root= options stay the same

2) No access list => -rw

3) -access=X => -rw=X

4) -ro => -ro

5) -access=X, ro => -ro=X

6) -rw=X => -rw=X

This is more secure than the change -rw=X, ro.

Remember from Access Rule #2, -ro is never a default.

If the less restrictive form is desired, then the option needs to be manually changed. Note that if an export file has a mix of old and new style options, the more secure new style option of -rw=X can not be differentiated from the less secure option of -rw=X(, ro) with the implicit ro modifier. To solve this problem, we always interpret -rw=X in the most secure format.

7) -access=Y, rw=X => -rw=X, ro=(Y-X)
There is a potential to remove write access here, but we keep the most secure translation.

In all cases, we preserve ordering inside an option.

UPGRADE EXAMPLES

/vol/vol0 -anon=0
By rule #2, this becomes:

/vol/vol0 -rw, anon=0

/vol/vol3 -ro By rule #4, this becomes:

/vol/vol3 -ro

/vol/vol0/home -rw=dog:cat:skunk:pig:mule By rule #6, this becomes:

/vol/vol0/home -rw=dog:cat:skunk:pig:mule

Note that by the access rules given above, all other hosts are denied ro access.

Since the upgrade code does not know about netgroups and netgroups used to not be allowed inside the -rw host list, this could be rewritten as:

/vol/vol0/home -rw=@pets

Also, if the security style is desired to be the older style, this could be further rewritten as:

/vol/vol0/home -ro, rw=@pets

/vol/vol1: -access=pets:workers:alligator:mule, \\ rw=dog:cat:skunk:pig:horse:ox:mule

By rule #7, this becomes:

/vol/vol1: -ro=pets:workers:alligator, \\ rw=dog:cat:skunk:pig:horse:ox:mule

This can be rewritten as:

/vol/vol1: -ro=pets:workers:alligator, \\ rw=pets:workers

And should be:

/vol/vol1 -ro=alligator, rw=@pets:@workers

AUTOMATIC EDITING

The /etc/exports file is changed by ONTAP for any of the following conditions:

vol create
A default entry is added for the new volume. If an admin host had been defined during the setup process, access is restricted to that host, otherwise all hosts have access to the new volume.

vol rename
All entries which have either a pathname or an -actual pathname which matches the old volume name are changed to be that of the new volume name.

vol destroy
All entries which have either a pathname or an -actual pathname which matches the old volume name are removed from the file.

upgrade
During every invocation of exportfs -a, the exports file is checked for old style formatting. If this style is found, the exports file is upgraded to follow the current formatting.

Please note that when we upgrade exports which contain subnets, we always rewrite the subnets in the compact format of dotted_IP/num_bits.

If the option nfs.export.auto-update is disabled, then the automatic updates for the vol commands will not take place. Instead the need for manual updates is syslogged.

ACCESS CACHE

A new feature in ONTAP 6.5 is the access cache, which allows netgroups to appear in -ro=, -rw=, and -root= options. Each time a request arrives from a host, it refers to an exported path. To avoid lengthy delays, we first check for that host and path in the cache to determine if we will accept or reject the request. If there is cache miss, we reject the request and do name resolution in another thread. On the next request, we should get a cache hit (i.e., the hit or miss depends on network traffic).

The time that a entry lives in the cache is determined by the two options:

nfs.export.neg.timeout
dictates how long an entry which has been denied access lives

nfs.export.pos.timeout
dictates how long an entry which has been granted access lives

There are several ways that the cache can be flushed:

exportfs -f
Flushes the entire access cache.

exportfs -f pathname
Flushes the cache for the longest leading prefix match for the path.

Also, any command which alters an export entry will result in the access cache for that export being flushed. E.g., exportfs -au, exportfs -a, exportfs -io -rw /vol/vol1, etc.

As the access cache is designed to eliminate name service lookups, entries inside it can become stale when the name services are modified. For example, if a netgroup is changed or a DNS server is found to have corrupt maps. If the access cache is found to have stale data, then either parts of it or all of it must be flushed. If the stale data applies to only a few exports, then each may be flushed with the exportfs -f pathname command. The entire cache may be cleared with the exportfs -f command.

Note that the same effect may be had by using commands to reload the exports table. In prior versions of ONTAP, either the exportfs -au; exportfs -a command sequence or a simple exportfs -a command was commonly used to clear away exports issues. While these can be used to clear the access cache, they can also result in extra work and lead to very small windows when an export is unavailable.

TROUBLESHOOTING

All mount requests, and NFS requests, come across the wire with an IP address and not the hostname. In order for an address to be converted to a name, a reverse lookup must be performed. Depending on the contents and ordering in /etc/nsswitch.conf, DNS, NIS, and/or /etc/hosts may be examined to determine the mapping.

A common problem with reverse DNS lookups is the existence of a mapping from name to IP, but not IP to name.

The option nfs.mountd.trace can be turned on to help debug access requests. Note that as this option can be very verbose and it writes to the syslog, care should be taken to only enable it while trying to resolve an access problem.

Another useful tool is to use exportfs -c to check for access permissions.

DEPRECATED FEATURES

All exported pathnames which do not begin with a leading "/vol/" or "/etc/" pathname are being deprecated.

WARNINGS

Exporting the root volume as / can be misleading to some automounters.

FILES

/etc/hosts host name database

/etc/nsswitch.conf determines name resolution search order

exportfs

July 7th, 2009

Comments Off

Table of Contents

NAME

exportfs – exports or unexports a file system path, making it available or unavailable, respectively, for mounting by NFS clients.

SYNOPSIS

exportfs

exportfs [ -v ] [ -io options ] path

exportfs -a [ -v ]

exportfs -b [ -v ] enable | disable save | nosave allhosts | clientid[:clientid...] allpaths | path[:path...]

exportfs -d [ -v ] [ 6.4 | 6.5 ]

exportfs -f [ -v ] [path]

exportfs -h | -r [ -v ]

exportfs -p [ -v ] [options] path

exportfs -q | -s | -w | -z [ -v ] path

exportfs -u [ -v ] path | -a

DESCRIPTION

Use the exportfs command to perform any of the following tasks:

* Export or unexport a file system path.

* Add an export entry to or remove an export entry from the /etc/exports file.

* Export or unexport all file system paths specified in the /etc/exports file.

* Enable or disable fencing of specific NFS clients from specific file system paths.

* Check whether an NFS client has a specific type of access to a file system path.

* Flush entries from the access cache.

* Revert the /etc/exports file to a format compatible with a previous Data ONTAP release.

* Display exported file system paths and export options.

* Display the actual file system path corresponding to an exported file system path.

* Save exported file system paths and their export options into a file.

OPTIONS

(none): Displays all exported file system paths.

path: Exports a file system path without adding a corresponding export entry to the /etc/exports file. To override any export options specified for the file system path in the /etc/exports file, specify the -io options followed by a comma-delimited list of export options. For more information about export options, see exports . Note: To export a file system path and add a corresponding entry to the /etc/exports file, use the -p option instead.

-a: Exports all file system paths specified in the /etc/exports file. To export all file system paths specified in the /etc/exports file and unexport all file system paths not specified in the /etc/exports file, use the -r option instead. Note: Data ONTAP reexports a file system path only if its persistent export options (those specified in the /etc/exports file) are different from its current export options, thus ensuring that it does not expose NFS clients unnecessarily to a brief moment during a reexport in which a file system path is not available.

-b: Enables or disables fencing of specific NFS clients from specific file system paths, giving the NFS clients read-only or read-write access, respectively. To enable fencing, specify the enable option; to disable fencing, specify the disable option. To update the /etc/exports file, specify the save option; otherwise, specify the nosave option. To affect all NFS clients, specify the allhosts option; otherwise, specify a colon-delimited list of NFS client identifiers. To affect all exported file system paths, specify the allpaths option; otherwise, specify a colon-delimited list of file system paths. Data ONTAP drains all of the NFS requests in its queue before it enables or disables fencing, thereby ensuring that all file writes are atomic. Note: When you enable or disable fencing, Data ONTAP moves the NFS client to the front of its new access list (rw= or ro=). This reordering can change your original export rules.

-c: Checks whether an NFS client has a specific type of access to a file system path. You must specify the IP address of the NFS client (hostip) and the exported (not actual) file system path (path). To check whether the NFS client has read-only, read-write, or root access to the file system path, specify the ro, rw, or root option, respectively. If you do not specify an access type, Data ONTAP simply checks whether the NFS client can mount the file system path. If you specify an access type, you can also specify the NFS client’s security type: sys, none, krb5, krb5i, or krb5p. If you do not specify a security type, Data ONTAP assumes the NFS client’s security type is sys. Note: If Data ONTAP does not find an entry in the access cache corresponding to the file system path and (2) the NFS client’s IP address, access type, and security type, Data ONTAP determines the NFS client’s host name from its IP address (for example, it performs a reverse DNS lookup), (2) checks the NFS client’s host name, access type, and security type against the file system path’s export options, and (3) adds the result to the access cache as a new entry.

-d: Reverts the /etc/exports file to a format compatible with a previous Data ONTAP release. Specify the 6.4 option or 6.5 option to revert the /etc/exports file to a format compatible with the Data ONTAP 6.4 release or Data ONTAP 6.5 release, respectively. Before reverting the /etc/exports file, Data ONTAP backs it up under /etc/exports.pre.revert. Note: Always check the reverted /etc/exports file before accepting it. Reverting an /etc/exports file that uses features not supported in a previous Data ONTAP release can lead to unexpected results. For more information about reverting the /etc/exports file, see exports .

-f: Flushes entries from the access cache. To flush access cache entries corresponding to a specific file system path, specify the file system path; otherwise, to flush all access cache entries, do not specify a file system path. Note: To control when access cache entries expire automatically, set the nfs.export.harvest.timeout, nfs.export.neg.timeout, and nfs.export.pos.timeout options. For more information about these options, see options .

-h: Displays help for all exportfs options.

-i: Ignores the options specified for a file system path in the /etc/exports file. If you do not specify the -i option with the -o option, Data ONTAP uses the options specified for the file system path in the /etc/exports file instead of the options you specify on the command line.

-o: Specifies one or more export options for a file system path as a comma-delimited list. For more information about export options, see exports . Note: To override the options specified for the file system path in the /etc/exports file, you must specify the -i and -o options together.

-p: Exports a file system path and adds a corresponding export entry to the /etc/exports file. If you do not specify any export options, Data ONTAP automatically exports the file system path with the rw and -sec=sys export options. Use the -p option to add a file system path to the /etc/exports file without manually editing the /etc/exports file. Note: Data ONTAP exports the file system paths specified in the /etc/exports file every time NFS starts up (for example, when the filer reboots). For more information, see exports .

-q

Displays the export options for a file system path. Use the -q option to quickly view the export options for a single file system path without manually searching through the /etc/exports file. In addition to displaying the options, it also displays the ruleid for each "rule" in the export. This ruleid is used to display the in-memory and on-disk access cache for each "rule”. Rule is a set of host access permissions defined for a security flavor in an export and a ruleid uniquely identifies a rule for the duration when a filer is up. e.g.

   exportfs -q /vol/vol0    /vol/vol0  -sec=krb5, (ruleid=2), rw

This means that the filesystem /vol/vol0 is exported via the rule "rw" and this rule has a ruleid of 2.

   exportfs -q /vol/vol1    /vol/vol1  -sec=sys, (ruleid=2), rw,            sec=krb5, (ruleid=10), ro=172.16.27.0/24, rw=172.16.36.0/24

This means that the filesystem /vol/vol1 is exported via the rule "rw" (ruleid 2) to everyone who is coming with AUTH_SYS security and is also exported via the rule "ro=172.16.27.0/24, rw=172.16.36.0/24" (ruleid 10) to everyone coming in with Kerberos.

-r: Exports all file system paths specified in the /etc/exports file and unexports all file system paths not specified in the /etc/exports file. To export all file system paths specified in the /etc/exports file without unexporting any file system paths, use the -a option instead. Note: Data ONTAP reexports a file system path only if its persistent export options (those specified in the /etc/exports file) are different from its current export options, thus ensuring that it does not expose NFS clients unnecessarily to a brief moment during a reexport in which a file system path is not available.

-s: Displays the actual file system path corresponding to an exported file system path. Note: Unless a file system path is exported with the -actual option, its actual file system path is the same as its exported file system path.

-u: Unexports a file system path. To unexport a single file system path, specify the path; otherwise, to unexport all file system paths specified in the /etc/exports file, specify the -a option. Note: The -u option does not remove export entries from the /etc/exports file. To unexport a file system path and remove its export entry from the /etc/exports file, use the -z option instead.

-v: Specifies that Data ONTAP should be verbose. Use the -v option with any other option. For example, specify the -v option with the -a option to specify that Data ONTAP should display all file system paths that it exports.

-w: Saves exported file system paths and their export options into a file.

-z: Unexports a file system path and removes its export entry from the /etc/exports file. Use the -z option to remove a file system path from the /etc/exports file without manually editing the /etc/exports file. Note: By default entries are actually commented out and not removed from the /etc/exports file. To change the behaviour to actually remove entries switch off the nfs.export.exportfs_comment_on_delete option. For more information see options .

OPERANDS

clientaddr: An NFS client’s IP address.

clientid: One of the following NFS client identifiers: host name, IP address, netgroup, subnet, or domain name. For more information, see exports .

options: A comma-delimited list of export options. For more information, see exports .

path: A file system path: for example, a path to a volume, directory, or file.

EXTENDED DESCRIPTION

When you export a file system path, specify the -p option to add a corresponding entry to the /etc/exports file; otherwise, specify the -i and -o options to override any export options specified for the file system path in the /etc/exports file with the export options you specify on the command line.

When you specify the -b option (or the rw=, ro=, or root= export option), you must specify one or more NFS client identifiers as a colon-delimited list. An NFS client identifier is a host name, IP address, netgroup, subnet, or domain name. For more information about client identifiers, see exports .

Unlike UNIX systems, Data ONTAP lets you export a file system path even if one of its ancestors has been exported already. For example, you can export /vol/vol0/home even if /vol/vol0 has been exported already. However, you must never export an ancestor with fewer access controls than its children. Otherwise, NFS clients can mount the ancestor to circumvent the children’s access controls. For example, suppose you export /vol/vol0 to all NFS clients for read-write access (with the rw export option) and /vol/vol0/home to all NFS clients for read-only access (with the ro export option). If an NFS client mounts /vol/vol0/home, it has read-only access to /vol/vol0/home. But if an NFS client mounts /vol/vol0, it has read-write access to vol/vol0 and /vol/vol0/home. Thus, by mounting /vol/vol0, an NFS client can circumvent the security restrictions on /vol/vol0/home.

When an NFS client mounts a subpath of an exported file system path, Data ONTAP applies the export options of the exported file system path with the longest matching prefix. For example, suppose the only exported file system paths are /vol/vol0 and /vol/vol0/home. If an NFS client mounts /vol/vol0/home/user1, Data ONTAP applies the export options for /vol/vol0/home, not /vol/vol0, because /vol/vol0/home has the longest matching prefix.

Managing the access cache
Whenever an NFS client attempts to access an exported file system path, Data ONTAP checks the access cache for an entry corresponding to the file system path and (2) the NFS client’s IP address, access type, and security type. If an entry exists, Data ONTAP grants or denies access according to the value of the entry. If an entry does not exist, Data ONTAP grants or denies access according to the result of a comparison between the file system path’s export options and (2) the NFS client’s host name, access type, and security type. In this case, Data ONTAP looks up the client’s host name (for example, Data ONTAP performs a reverse DNS lookup) and adds a new entry to the access cache. To manually add access cache entries, use the -c option.

Note: The access cache associates an NFS client’s access rights with its IP address. Therefore, changes to an NFS client’s host name will not change its access rights until the access cache is flushed. Data ONTAP automatically flushes an access cache entry when its corresponding file system path is exported or unexported or (2) it expires. To control the expiration of access cache entries, set the nfs.export.harvest.timeout, nfs.export.neg.timeout, and nfs.export.pos.timeout options. For more information about these options, see options . To manually flush access cache entries, use the -f option.

Running exportfs on a vFiler unit
To run exportfs on a vFiler (TM) unit, use the vfiler run command. All paths you specify must belong to the vFiler unit. In addition, all IP addresses you specify must be in the vFiler unit’s ipspace. For more information, see vfiler .

Debugging mount and access problems
To debug mount and access problems, temporarily set the nfs.mountd.trace option to on and (2) monitor related messages that Data ONTAP displays and logs in the /etc/messages file. Some common access problems include:

* Data ONTAP cannot determine an NFS client’s host name because it does not have a reverse DNS entry for it. Add the NFS client’s host name to the DNS or the /etc/hosts file.

* The root volume is exported with a file system path consisting of a single forward slash (/), which misleads some automounters. Export the file system path using a different file system path name.

Exporting Origin Filer for FlexCache
Exporting a volume using the /etc/exports file does not affect whether the volume is available to a FlexCache volume; To enable a volume to be a FlexCache origin volume, use the the flexcache.access option.

EXAMPLES

Exporting file system paths
Each of the following commands exports /vol/vol0 to all hosts for read-write access:

exportfs -p /vol/vol0 exportfs -io rw /vol/vol0

Each of the following commands exports /vol/vol0 to all hosts for read-only access:

exportfs -p ro /vol/vol0 exportfs -io ro /vol/vol0

Each of the following commands exports /vol/vol0 to all hosts on the 10.45.67.0 subnet with the 255.255.255.0 netmask for read-write access:

exportfs -io rw=10.45.67.0/24 /vol/vol0 exportfs -io rw=”network 10.45.67.0 netmask 255.255.255.0″ /vol/vol0 exportfs -io rw=”10.45.67.0 255.255.255.0″ /vol/vol0

The following command exports /vol/vol0 to the hosts in the trusted netgroup for root access, the hosts in the friendly netgroup for read-write access, and all other hosts for read-only access:

exportfs -io ro, root=@trusted, rw=@friendly /vol/vol0

The following command exports all file system paths specified in the /etc/exports file:

exportfs -a

The following command exports all file system paths specified in the /etc/exports file and unexports all file system paths not specified in the /etc/exports file:

exportfs -r

Unexporting file system paths
The following command unexports /vol/vol0:

exportfs -u /vol/vol0

The following command unexports /vol/vol0 and removes its export entry from the /etc/exports file:

exportfs -z /vol/vol0

The following command unexports all file system paths:

exportfs -ua

Displaying exported file system paths
The following command displays all exported file system paths and their corresponding export options:

exportfs

The following command displays the export options for /vol/vol0:

exportfs -q /vol/vol0

Enabling and disabling fencing
Suppose /vol/vol0 is exported with the following export options:

-rw=pig:horse:cat:dog, ro=duck, anon=0

The following command enables fencing of cat from /vol/vol0:

exportfs -b enable save cat /vol/vol0

Note: cat moves to the front of the ro= list for /vol/vol0:

-rw=pig:horse:dog, ro=cat:duck, anon=0

The following command disables fencing of cat from /vol/vol0:

exportfs -b disable save cat /vol/vol0

Note: cat moves to the front of the rw= list for /vol/vol0:

-rw=cat:pig:horse:dog, ro=duck, anon=0

Checking an NFS client’s access rights
The following command checks whether an NFS client with an IP address of 192.168.208.51 and a security type of sys can mount /vol/vol0:

exportfs -c 192.168.208.51 /vol/vol0

The following command checks whether an NFS client with an IP address of 192.168.208.51 and a security type of none has read-only access to /vol/vol0:

exportfs -c 192.168.208.51 /vol/vol0 ro none

Flushing entries from the access cache
The following command flushes all entries from the access cache:

exportfs -f

The following command flushes all entries for /vol/vol0 from the access cache:

exportfs -f /vol/vol0

Reverting the /etc/exports file
The following command reverts the /etc/exports file to a format compatible with the Data ONTAP 6.5 release:

exportfs -d 6.5

Note: Before reverting the /etc/exports file, Data ONTAP backs it up under /etc/exports.pre.revert.

Displaying an actual file system path
The following example displays the actual file system path corresponding to /vol/vol0:

exportfs -s /vol/vol0

Note: The actual file system path will be the same as the exported file system path unless the file system path was exported with the -actual option.

Saving file system paths
The following example saves the file system paths and export options for all currently and recently exported file paths into /etc/exports.recent:

exportfs -w /etc/exports.recent

fpolicy

July 7th, 2009

1 comment

Table of Contents

NAME

fpolicy – configure file policies

SYNOPSIS

fpolicy

fpolicy help [ <command> ]

fpolicy create <PolicyName> <PolicyType>

fpolicy destroy <PolicyName>

fpolicy disable <PolicyName>

fpolicy enable <PolicyName> [-f]

fpolicy ext[ension] { exc[lude] | inc[lude] } { reset|show } <PolicyName>

fpolicy ext[ension] { exc[lude] | inc[lude] } { add|remove|set } <PolicyName> <ext>[, <ext>]*

fpolicy mon[itor] { add | remove | set } <PolicyName> [-p { cifs | nfs | cifs, nfs }] [-f] <op-spec>[, <op_spec>]*

fpolicy options <PolicyName> required [ on | off ]

fpolicy options <PolicyName> secondary_servers [<IP_address>[, <IP-address>]*]

fpolicy options <PolicyName> cifs_setattr [ on | off ]

fpolicy options <PolicyName> reqcancel_timeout [ <timeout_in-secs> ]

fpolicy options <PolicyName> serverprogress_timeout [ <timeout-in-secs> ]

fpolicy options <PolicyName> cifs_disconnect_check [ on off ]

fpolicy servers show <PolicyName>

fpolicy servers stop <PolicyName> <IP-address>

fpolicy show <PolicyName>

fpolicy vol[ume] { inc[lude] | exc[lude] } { reset | show | eval } <PolicyName>

fpolicy vol[ume] { inc[lude] | exc[lude] } { add | remove | set } <PolicyName> <vol_spec>[, <vol_spec>]*

DESCRIPTION

The fpolicy command enables control and configuration of file policies.

USAGE

fpolicy

Displays FPolicy settings and provides summary information about policies.

fpolicy help [ <command> ]

Displays information about specific commands available in the FPolicy subsystem of the storage system. A list of commands, or syntax for a specific command, can be obtained.

fpolicy create <PolicyName> <PolicyType>

Creates a new policy. Policy names must be unique. The only file policy type supported is "screen” (file screening).

fpolicy destroy <PolicyName>

Destroys an existing policy.

fpolicy disable <PolicyName>

Disables a policy.

fpolicy enable <PolicyName> [-f]

Enables a policy. The -f force flag forces the policy to be enabled even if there are no servers available to enforce the policy.

fpolicy ext[ension] { exc[lude] | inc[lude] } { reset|show } <PolicyName>
fpolicy ext[ension] { exc[lude] | inc[lude] } { add|remove|set } <PolicyName> <ext>[, <ext>]*

<ext>[, <ext>]* is a comma separated list of extensions. The maximum length allowed for a single extension is 260 characters. Upto 255 extensions can be specified in a list.The include list determines if a given file should be screened. The exclude list determines if a given file should not be screened. If an extension is listed on both the exclude and the include list, files with that extension are not screened. If an extension is not listed on either the include list or the exclude list, files with that extension are not screened. The character ? is a wild card. When it is not the last character, it matches any single character. When it is the last character, or part of a trailing sequence of ? , it matches any number of characters (0, 1 or more).

fpolicy extensions { include | exclude } show <PolicyName>

Displays the current file extension list.

fpolicy extensions { include | exclude } reset <Policy_Name>

Resets the file extension list to the default list.

fpolicy extensions { include | exclude } set <PolicyName> <ext>[, <ext>]*

Specifies a new extension list which replaces the current list.

fpolicy extensions { include | exclude } add <PolicyName> <ext>[, <ext>]*

Adds new entries to the current file extension list.

fpolicy extensions { include | exclude } remove <Policy_Name> <ext>[, <ext>]*

Removes entries from the current file extension list.

fpolicy mon[itor] { add | remove | set } <PolicyName> [-p { cifs | nfs | cifs, nfs }] [-f] <op-spec>[, <op_spec>]*

Typically the list of operations monitored by a file policy is set by an FPolicy server for the policy. However, the list of operations can be configured with the fpolicy monitor command. Note that if an FPolicy server sets the list after this command is entered, the FPolicy server will override the effect of this command.
Operations may be added or removed from an existing list of operations, or the existing list may be discarded and set to a new list. Note that some FPolicy servers may not function correctly if their set of designated operations is changed. For example, an FPolicy server may wish to match file opens with file closes and malfunction if it stops receiving notifications of files that are closed. By default all protocols are selected. A subset of protocols can be chosen by providing a comma separated list following the -p flag. The -f force flag causes the command to be executed even if there are no servers available to enforce the policy. <op_spec>[, <op_spec>]* is a comma separated list of operations for which the policy will receive notifications. Supported values are all, none, close, create, create_dir, delete, delete_dir, getattr, link, lookup, open, read, rename, rename_dir, setattr, symlink, write. Note: Selecting read or write is rarely desirable. Notification for operations which occur frequently have a detrimental effect on performance.

fpolicy options <PolicyName>

Displays the current values of the file policy options.

fpolicy options <PolicyName> required [ on | off ]

Displays the current setting for the required option. If set to "on”, user requests are denied if a file policy server is not available to implement the policy. If set to "off”, user requests are allowed when it is not possible to apply the policy to the file because no file policy server is available.

fpolicy options <PolicyName> secondary_servers [ <server_list> ]

Displays the current setting for the secondary_servers option. If a comma separated list of IP addresses is provided, the current list is replaced by the new list. The storage system avoids the use of secondary servers to enforce file policies unless there are no primary servers available.

fpolicy options <PolicyName> cifs_setattr [ on | off ]

Displays the current setting for the cifs_setattr option. If set to "on" then CIFS requests to change file security descriptor will be screened by the policy. File security descriptor changes that will be screened are file owner change, file primary owner group change, changes in SACL and DACL. If set to "off" cifs security descriptor change requests will not be screened by the policy. By default option is set to "off”.

fpolicy options <PolicyName> reqcancel_timeout [ <timeout_in-secs> ]

Set or display the value of reqcancel_timeout for the policy. This is the maximum time allowed to an FPolicy server to screen a request. Upon timeout, the screen request is cancelled from the FPolicy server. A value of 0 implies that the feature is disabled. The default value is 0.

fpolicy options <PolicyName> serverprogress_timeout [ <timeout-in-secs> ]

Set or display the value of serverprogress_timeout for the policy. This is the maximum time an FPolicy server can remain unresponsive while processing the maximum allowed number of screen requests. Upon timeout, the unresponsive FPolicy server will be disconnected from the storage system. A value of 0 implies that the feature is disabled. The default value is 0.

fpolicy options <PolicyName> cifs_disconnect_check [ on off ]

Set or display the value of cifs_disconnect_check for the policy. If this option is enabled, CIFS requests associated with disconnected sessions will not be sent to FPolicy servers for screening. The default setting for this option is "off”.

fpolicy servers show <PolicyName>

Displays a list of FPolicy servers which have offered to apply file policies for the storage system, or terminates the connection to a specified server. Each fpolicy server that registers for a policy can enable optional parameters.

fpolicy servers stop <PolicyName> <IP-address>

fpolicy servers show <PolicyName> will print all the options enabled by the fpolicy server in the "Options enabled:" field. Following are the options that can be enabled by the fpolicy server.

version2
fpolicy server is using version 2 of the fpolicy interface. Version 2 enables read redirect and support for NFS version 4 protocol (See the SDK for more details).

size_and_owner
File size and owner information is included with the the fpolicy event notification. Size reported to the fpolicy server will be the logical file size. Owner information will be reported in Windows SID format. If the file has windows security descriptor, the owner information will be based on it. If the file has no windows security descriptor, storage system will try to get an equivalent windows SID from Unix UID information and report it to the fpolicy server. If this translation of windows SID from Unix UID fails, storage system will report the well known CREATOR_OWNER SID to the fpolicy server.

async fpolicy server needs asynchronous screen request notifications. When fpolicy server registers for asynchronous notifications, storage system will notify fpolicy server about the file events as and when they occur but does not wait for the response from fpolicy server. The storage system will complete the cifs/nfs request immediately after sending fpolicy screen notification to the fpolicy server.

snapid fpolicy server needs the snapshot ID of the file being accessed. A snapshot ID is a persistent identifier that can be used to identify a snapshot of a a file system. The active filesystem has a distinct snapshot ID.

fpolicy show <PolicyName>

Displays status for <PolicyName> which will include operations configured for the policy, extentions monitored by the policy, fpolicy servers registered for the policy and the options enabled by each fpolicy server. It will indicate the total number of requests screened by the fpolicy server, number of requests blocked by the fpolicy server and number of requests blocked locally for the given policy. This CLI will also inform that fpolicy servers registered for this policy need inode to pathname translation for NFS screen requests and if they need notifications for offline files only.

fpolicy vol[ume] { inc[lude] | exc[lude] } { reset | show | eval } <PolicyName>
fpolicy vol[ume] { inc[lude] | exc[lude] } { add | remove | set } <PolicyName> <vol_spec>[, <vol_spec>]*

<vol_spec>[, <vol_spec>]* is a comma separated list of storage system volumes. Regular expressions including wildcard characters ? and * are also supported. The include volume list specifies which volumes the policy applies to. The exclude volume list specifies which volumes are not monitored by the policy. When an exclude list is specified any volumes not excluded are controlled by the policy. If both lists are specified for a policy the exclude list takes precedence and the include list is ignored. If neither volume list is set, the policy is applied to all volumes.

fpolicy vol[ume] { inc[lude] | exc[lude] } add <PolicyName> <vol_spec>[, <vol_spec>]*

Adds new entries to the current volume list.

fpolicy vol[ume] { inc[lude] | exc[lude] } remove <Policy_Name> <vol_spec>[, <vol_spec>]*

Removes entries from the current volume list.

fpolicy vol[ume] { inc[lude] | exc[lude] } set <Policy_Name> <vol_spec>[, <vol_spec>]*

Specifies a new volume list which replaces the current list.

fpolicy vol[ume] { inc[lude] | exc[lude] } reset <Policy_Name>

Resets the volume list to an empty list.

fpolicy vol[ume] { inc[lude] | exc[lude] } show <Policy_Name>

Displays the current volume list.

fpolicy vol[ume] { inc[lude] | exc[lude] } eval <Policy_Name>

Prints the list of volumes that this policy applies to.

EXAMPLE(S)

         fpolicy extensions include set p1 C??

This command will cause storage system to screen the files ABC.C, ABC.CPP, ABC.C++, ABC.CPLUS and so on for policy p1.

fpolicy extensions include set p1 C? This command will cause storage system to screen the files ABC.C, ABC.CP and so, but not ABC.CPP for policy p1.

fpolicy extensions include set p1 A?C This command will cause storage system to screen the files XYZ.ABC, XYZ.ACC and so but not XYZ.APP for policy p1.