HP IBRIX X9000 Network Storage System File System User Guide

Abstract

This guide describes how to configure and manage X9000 Software file systems and how to use NFS, CIFS, FTP, and HTTP to access file system data. The guide also describes the following file system features: quotas, remote replication, snapshots, data retention and validation, data tiering, and file allocation.
© Copyright 2009, 2012 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

1 Using X9000 Software file systems
File system operations
File system building blocks
Configuring file systems

Deleting segments, volume groups, and physical volumes
Deleting file serving nodes and X9000 clients
Checking and repairing file systems
Analyzing the integrity of a file system on all segments

Permissions in a cross-protocol CIFS environment
How the CIFS server handles UIDs and GIDs
Permissions, UIDs/GIDs, and ACLs
Changing the way CIFS inherits permissions on files accessed from Linux applications
Troubleshooting CIFS

Pausing a remote replication task
Resuming a remote replication task
Querying remote replication tasks
Replicating WORM/retained files

Preparing the snapshot partition
Registering for snapshots
Discovering LUNs in the array
Reviewing snapshot storage allocation
1 Using X9000 Software file systems

File system operations

The following diagram highlights the operating principles of the X9000 file system. The topology in the diagram reflects the architecture of the HP X9320, which uses a building block of server pairs (known as couplets) with SAS attached storage. In the diagram:
• There are four file serving nodes, SS1–SS4. These nodes are also called segment servers.
• SS1 and SS2 share access to segments 1–4 through SAS connections to a shared storage array.
2. 3. (Specifically, a segment need not be a complete, rooted directory tree). Segments can be any size and different segments can be different sizes. The location of files and directories within particular segments in the file space is independent of their respective and relative locations in the namespace. For example, a directory (Dir1) can be located on one segment, while the files contained in that directory (File1 and File2) are resident on other segments.
1) 2) c. 8. The segment server initiating the operation can read files directly from the segment across the SAN; this is called a SAN READ. The segment server initiating the operation routes writes over the IP network to the segment server owning the segment. That server then writes data to the segment. All reads and writes must be routed over the IP network between the segment servers. Step 7 assumed that the server had to go to a segment to read a file.
• Data retention and validation. Data retention ensures that files cannot be modified or deleted for a specific retention period. Data validation scans can be used to ensure that files remain unchanged. See “Managing data retention and validation” (page 134).
• Antivirus support. This feature is used with supported Antivirus software, allowing you to scan files on an X9000 file system. See “Configuring Antivirus support” (page 152).
• X9000 software snapshots.
2 Creating and mounting file systems

This chapter describes how to create file systems and mount or unmount them.

Creating a file system

You can create a file system using the New Filesystem Wizard provided with the GUI, or you can use CLI commands. The New Filesystem Wizard also allows you to create an NFS export or a CIFS share for the file system.

Using 32-bit or 64-bit mode

A file system can be created to use either 32-bit or 64-bit mode.
On the Configure Options dialog box, enter a name for the file system, and specify the appropriate configuration options.
If data retention will be used on the file system, enable it and set the retention policy on the WORM/Data Retention dialog box. See “Managing data retention and validation” (page 134) for more information. The default retention period determines whether you can manage WORM (non-retained) files as well as WORM-retained files. (WORM (non-retained) files can be deleted at any time; WORM-retained files can be deleted only after the file's retention period has expired.
If you want to create data retention reports, click Enable Report Data Generation. Use the default schedule, or click Modify to open the Report Data Generation Schedule dialog box and configure your own schedule.
The Default File Shares page allows you to create an NFS export and/or a CIFS share at the root of the file system. The default settings are used. See “Using NFS” (page 48) and “Using CIFS” (page 69) for more information.

Review the Summary to ensure that the file system is configured properly. If necessary, you can return to a dialog box and make any corrections.

Configuring additional file system options

The New Filesystem wizard creates the file system with the default settings for several options.
The Data Retention tab allows you to change the data retention configuration. The file system must be unmounted. See “Configuring data retention on existing file systems” (page 138) for more information. NOTE: Data retention cannot be enabled on a file system created on X9000 software 5.6 or earlier versions. Instead, create a new file system on X9000 software 6.0 or later, and then copy or move files from the old file system to the new file system.
In the commands, the -t option specifies a tier. TIERNAME can be any alphanumeric, case-sensitive, text string. Tier assignment is not affected by other options that can be set with the ibrix_fs command.

NOTE: A tier is created whenever a segment is assigned to it. Be careful to spell the name of the tier correctly when you add segments to an existing tier. If you make an error in the name, a new tier is created with the incorrect tier name, and no error is recognized.
To mount or remount a file system, select it on the Filesystems panel and click Mount. You can select several mount options on the Mount Filesystem dialog box. To remount the file system, click remount.
CLI procedures

The CLI commands are executed immediately on file serving nodes. For X9000 clients, the command intention is stored in the active Fusion Manager. When X9000 software services start on a client, the client queries the active Fusion Manager for any commands. If the services are already running, you can force the client to query the Fusion Manager by executing either ibrix_client or ibrix_lwmount -a on the client, or by rebooting the client.
NOTE: A file system must be mounted on the file serving node that owns the root segment (that is, segment 1) before it can be mounted on any other host. X9000 Software automatically mounts a file system on the root segment when you mount it on all file serving nodes in the cluster. The mountpoints must already exist.
Limiting file system access for X9000 clients

By default, all X9000 clients can mount a file system after a mountpoint has been created. To limit access to specific X9000 clients, create an access entry. When an access entry is in place for a file system (or a subdirectory of the file system), it enters secure mode, and mount access is restricted to clients specified in the access entry. All other clients are denied mount access.
In addition, when specifying a hostgroup, the root user can be limited to RO access by adding the root_ro parameter.
3 Setting up quotas

Quotas can be assigned to individual users or groups, or to a directory tree. Individual quotas limit the amount of storage or the number of files that a user or group can use in a file system. Directory tree quotas limit the amount of storage and the number of files that can be created on a file system located at a specific directory tree. Note the following:
• Although it is best to set up quotas when you create a file system, you can configure them at any time.
On the GUI, select the file system and then select Quotas from the lower Navigator. On the Quota Summary bottom panel, click Modify.

To enable quotas from the CLI, run the following command:

    ibrix_fs -q -E -f FSNAME

Setting user and group quotas

Before configuring quotas, the quota feature must be enabled on the file system and the file system must be mounted.

NOTE: For the purpose of setting quotas, no UID or GID can exceed 2,147,483,647. Setting user quotas to zero removes the quotas.
To configure a group quota, select the file system where the quotas will be configured. Next, select Quotas > Group Quotas from the lower Navigator, and then, on the Group Quota Usage Limits bottom panel, click Set. Group quotas can be identified by either the group name or GID. Specifying quota limits is optional. To change user or group quotas, select the appropriate user or group on the Quota Usage Limits bottom panel, and then select Modify.
CLI procedure

Use the following commands to set quotas for users and groups:
• Set a quota for a single user:
    ibrix_edquota -s -u "USER" -f FSNAME [-M SOFT_MEGABYTES] [-m HARD_MEGABYTES] [-I SOFT_FILES] [-i HARD_FILES]
• Set a quota for a single group:
    ibrix_edquota -s -g "GROUP" -f FSNAME [-M SOFT_MEGABYTES] [-m HARD_MEGABYTES] [-I SOFT_FILES] [-i HARD_FILES]

Enclose the user or group name in single or double quotation marks.
To change a directory tree quota, select the directory tree on the Quota Usage Limits bottom panel, and then click Modify.

CLI procedure

To create a directory tree quota and assign usage limits, use the following command:

    ibrix_edquota -s -d NAME -p PATH -f FSNAME -M SOFT_MEGABYTES -m HARD_MEGABYTES -I SOFT_FILES -i HARD_FILES

The -f FSNAME option specifies the name of the file system. The -p PATH option specifies the pathname of the directory tree.
Using a quotas file

Quota limits can be imported into the cluster from the quotas file, and existing quotas can be exported to the file. See “Format of the quotas file” (page 29) for the format of the file.

Importing quotas from a file

From the GUI, select the file system, select Quotas from the lower Navigator, and then click Import.
    A,{type},{block_hardlimit},{block_soft-limit},{inode_hardlimit},{inode_softlimit},{id}
    B,{type},{block_hardlimit},{block_soft-limit},{inode_hardlimit},{inode_softlimit},"{name}"
    C,{type},{block_hardlimit},{block_soft-limit},{inode_hardlimit},{inode_softlimit},"{name}","{path}"

The fields in each line are:

{type}
    Either 0 for a user quota; 1 for a group quota; 2 for a directory tree quota.
{block_hardlimit}
    The maximum number of 1K blocks allowed for the user, group, or directory tree.
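A quotas file can be checked before it is imported. The following is an added example, not HP code: a Python validator for the three line formats above that also applies the 2,147,483,647 ceiling on UIDs and GIDs. The function names and the sample lines are constructed here, and two checks are labelled in the comments as assumptions of the example rather than statements from the guide.

```python
import csv
import io

MAX_ID = 2_147_483_647  # ceiling the guide sets for any UID or GID used in a quota
TYPES = {"0": "user", "1": "group", "2": "directory tree"}
# Fields that follow the four limits in each of the three line formats.
TRAILERS = {"A": ("id",), "B": ("name",), "C": ("name", "path")}
LIMITS = ("block_hardlimit", "block_softlimit", "inode_hardlimit", "inode_softlimit")


def _as_count(raw):
    """Return raw as a non-negative int, or None if it is not plain digits."""
    return int(raw) if raw.isascii() and raw.isdigit() else None


def check_line(line):
    """Parse one quotas-file line and return (record, problems)."""
    # csv copes with the double-quoted name and path fields, embedded commas included.
    fields = next(csv.reader(io.StringIO(line), skipinitialspace=True), [])
    if not fields or fields[0] not in TRAILERS:
        return None, ["line format is not A, B or C"]
    fmt, trailer = fields[0], TRAILERS[fields[0]]
    expected = 2 + len(LIMITS) + len(trailer)
    if len(fields) != expected:
        return None, [f"format {fmt} takes {expected} fields, found {len(fields)}"]

    problems = []
    record = {"format": fmt, "type": TYPES.get(fields[1])}
    if record["type"] is None:
        problems.append(f"type {fields[1]!r} is not 0, 1 or 2")
    elif (fmt == "C") != (fields[1] == "2"):
        # Assumption of this example: only C lines carry a path, so C pairs with type 2.
        problems.append(f"format {fmt} used for a {record['type']} quota")

    for name, raw in zip(LIMITS, fields[2:6]):
        record[name] = _as_count(raw)
        if record[name] is None:
            problems.append(f"{name} {raw!r} is not a non-negative integer")
    for kind in ("block", "inode"):
        hard, soft = record[f"{kind}_hardlimit"], record[f"{kind}_softlimit"]
        # Assumption of this example: 0 means "no limit", so only a non-zero hard
        # limit can be undercut by its soft limit.
        if hard and soft is not None and soft > hard:
            problems.append(f"{kind} soft limit {soft} exceeds hard limit {hard}")

    record.update(zip(trailer, fields[6:]))
    if fmt == "A":
        ident = _as_count(record["id"])
        if ident is None or ident > MAX_ID:
            problems.append(f"id {record['id']!r} is outside 0..{MAX_ID}")
    return record, problems


def check_file(text):
    """Return {line_number: problems} for every non-blank line that has problems."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            _, problems = check_line(line)
            if problems:
                report[lineno] = problems
    return report


# Constructed sample input, not taken from a real cluster.
SAMPLE = '''A,0,1048576,524288,10000,5000,1001
B,1,2097152,1048576,0,0,"eng, storage"
C,2,4194304,2097152,50000,40000,"proj1","/ifs1/projects/proj1"
A,0,1000,2000,0,0,4294967295
B,3,100,50,0,0,"alice"
C,2,100,50,0,0,"proj2"
'''

if __name__ == "__main__":
    for lineno, problems in check_file(SAMPLE).items():
        for problem in problems:
            print(f"line {lineno}: {problem}")
```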
To run an online quota check from the GUI, select the file system and then select Online quota check from the lower Navigator. On the Task Summary panel, select Start to open the Start Online quota check dialog box and select the appropriate mode. The Task Summary panel displays the progress of the scan. If necessary, select Stop to stop the scan.
Troubleshooting quotas

Recreated directory does not appear in directory tree quota

If you create a directory tree quota on a specific directory and delete the directory (for example, with rmdir/rm -rf) and then recreate it on the same path, the directory does not count as part of the directory tree, even though the path is the same. Consequently, the ibrix_onlinequotacheck command does not report on the directory.
4 Maintaining file systems

This chapter describes how to extend a file system, rebalance segments, delete a file system or file system component, and check or repair a file system. The chapter also includes file system troubleshooting information.

Best practices for file system performance

It is important to monitor the space used in the segments making up the file system.
Viewing physical volume information

Use the following command to view information about physical volumes:

    ibrix_pv -l

The following table lists the output fields for ibrix_pv -l.

Field       Description
PV_Name     Physical volume name. Regular physical volume names begin with the letter d. The names of physical volumes that are part of a mirror device begin with the letter m. Both are numbered sequentially.
Size (MB)   Physical volume size, in MB.
Viewing logical volume information

To view information about logical volumes, use the ibrix_lv -l command. The following table lists the output fields for this command.

Field      Description
LV_NAME    Logical volume name.
LV_SIZE    Logical volume size, in MB.
FS_NAME    File system to which this logical volume belongs.
SEG_NUM    Number of this segment (logical volume) in the file system.
VG_NAME    Name of the volume group created on this physical volume, if any.
Field                    Description
EXPORT_CONTROL_ENABLED   Yes if enabled; No if not.
QUOTA_ENABLED            Yes if enabled; No if not.
RETENTION                If data retention is enabled, the retention policy is displayed.
DEFAULT_BLOCKSIZE        Default block size, in KB.
CAPACITY                 Capacity of the file system.
FREE                     Amount of free space on the file system.
AVAIL                    Space available for user files.
USED PERCENT             Percentage of total storage occupied by user files.
FILES                    Number of files that can be created in this file system.
Field           Description
BACKUP          Backup host name.
TYPE            Segment type. MIXED means the segment can contain both files and directories.
TIER            Tier to which the segment was assigned.
LAST_REPORTED   Last time the segment state was reported.
HOST_NAME       Host on which the file system is mounted.
MOUNTPOINT      Host mountpoint.
PERMISSION      File system access privileges: RO or RW.
Root_RO         Specifies whether the root user is limited to read-only access, regardless of the access setting.
On the CLI, use the ibrix_fs command to extend a file system. Segments are added to the file serving nodes in a round-robin manner. If tiering rules are defined for the file system, the -t option is required. Avoid expanding a file system while a tiering job is running. The expansion takes priority and the tiering job is terminated.
segments, and then moves files from sources to destinations to bring each candidate source segment as close as possible to the calculated utilization threshold. The final absolute percent usage in the segments depends on the average file size for the target file system. If you do not specify any sources or destinations for a rebalance task, candidate segments are sorted into sources and destinations and then rebalanced as evenly as possible.
Rebalancing segments from the CLI

To rebalance all segments, use the following command. Include the -a option to run the rebalance operation in analytical mode.
Viewing the status of rebalance tasks

Use the following commands to view status for jobs on all file systems or only on the file systems specified in FSLIST:

    ibrix_rebalance -l [-f FSLIST]
    ibrix_rebalance -i [-f FSLIST]

The first command reports summary information. The second command lists jobs by task ID and file system and indicates whether the job is running or stopped. Jobs that are in the analysis (Coordinator) phase are listed separately from those in the implementation (Worker) phase.
To delete a file system, use the following command:

    ibrix_fs -d [-R] -f FSLIST

For example, to delete file systems ifs1 and ifs2:

    ibrix_fs -d -f ifs1,ifs2

If data retention is enabled on the file system, include the -R option in the command.
The ibrix_fsck command can detect and repair file system inconsistencies. File system inconsistencies can occur for many reasons, including hardware failure, power failure, switching off the system without proper shutdown, and failed migration. The command runs in four phases and has two running modes: analytical and corrective. You must run the phases in order and you must run all of them:
• Phase 0 checks host connectivity and the consistency of segment byte blocks and repairs them in corrective mode.
Run phase 2:

    ibrix_fsck -p 2 -f FSNAME [-s LVNAME] [-c] [-o "options"]

The command can be run on the specified file system or optionally only on segment LVNAME. Use -o to specify any options.

Run phase 3:

    ibrix_fsck -p 3 -f FSNAME [-c]

Clearing the INFSCK flag on a file system

To clear the INFSCK flag, use the following command:

    ibrix_fsck -f FSNAME -C

Troubleshooting file systems

ibrix_pv -a discovers too many or too few devices

This situation occurs when file serving nodes see devices multiple times.
File system alert is displayed after a segment is evacuated

When a segment is successfully evacuated, a segment unavailable alert is displayed in the GUI and attempts to mount the file system will fail. There are several options at this point:
• Mark the evacuated segment as bad (retired), using the following command. The file system state changes to okay and the file system can now be mounted. However, the operation marking the segment as bad cannot be reversed.
state_flags .................... SEGMENT_LOCAL SEGMENT_PREFERED SEGMENT_DHB
ibrix_fs -c failed with "Bad magic number in super-block"

If a file system creation command fails with an error such as the following, the command may have failed to preformat the LUN.
5 Using NFS

To allow NFS clients to access an X9000 file system, the file system must be exported. You can export a file system using the GUI or CLI. By default, X9000 file systems and directories follow POSIX semantics and file names are case-sensitive for Linux/NFS users. If you prefer to use Windows semantics for Linux/NFS users, you can make a file system or subdirectory case-insensitive.

Exporting a file system

Exporting a file system makes local directories available for NFS clients to mount.
Use the Settings window to specify the clients allowed to access the share. Also select the permission and privilege levels for the clients, and specify whether the export should be available from a backup server. The Advanced Settings window allows you to set NFS options on the share. On the Host Servers window, select the servers that will host the NFS share. By default, the share is hosted by all servers that have mounted the file system.
The Summary window shows the configuration of the share. You can go back and revise the configuration if necessary. When you click Finish, the export is created and appears on the File Shares panel.

Export a file system using the CLI

To export a file system from the CLI, use the ibrix_exportfs command:

    ibrix_exportfs -f FSNAME -h HOSTNAME -p CLIENT1:PATHNAME1,CLIENT2:PATHNAME2,.. [-o "OPTIONS"] [-b]

The options are as follows:

Option      Description
-f FSNAME   The file system to be exported.
Unexporting a file system

A file system should be unexported before it is unmounted. On the GUI, select the file system, select NFS Exports from the lower Navigator, and then select Unexport. On the CLI, use the following command:

    ibrix_exportfs -f FSNAME -U -h HOSTNAME -p CLIENT:PATHNAME [-b]

Using case-insensitive file systems

By default, X9000 file systems and directories follow POSIX semantics and file names are case-sensitive for Linux/NFS users.
To set case insensitivity from the CLI, use the following command:

    ibrix_caseinsensitive -s -f FSNAME -c [ON|OFF] -p PATH

Viewing the current setting for case insensitivity

Select Report Current Case Insensitivity Setting on the New Case Insensitivity Task dialog box to view the current setting for a file system or directory. Click Perform Recursively to see the status for all descendent directories of the specified file system or directory.
    2:0:/fs_test1/samename-T/samename: TRUE
    2:0:DONE

The next sample log file is for a change in case insensitivity:

    0:0:31849:Case Insensitivity is turned ON for the following directories
    1:0:/fs_test2/samename-true
    2:0:/fs_test2/samename-true/samename
    3:0:/fs_test2/samename-true/samename/samename-snap
    3:0:DONE

The first line of the output contains the PID for the process and reports the action taken. The first column specifies the number of directories visited.
6 Configuring authentication for CIFS, FTP, and HTTP

X9000 software supports several services for authenticating users accessing shares on X9000 file systems:
• Active Directory (supported for CIFS, FTP, and HTTP)
• Active Directory with LDAP ID mapping as a secondary lookup source (supported for CIFS)
• LDAP (supported for CIFS)
• Local Users and Groups (supported for CIFS, FTP, and HTTP)

Local Users and Groups can be used with Active Directory or LDAP.
Using LDAP as the primary authentication method

Requirements for LDAP users and groups

X9000 supports only OpenLDAP. If you are using LDAP or LDAP ID mapping for authentication, follow these requirements when setting up users and groups:
• UID and GID values cannot be set to less than 1.
• Use the uid schema attribute to add user account names.
• Use the cn schema attribute to add group account names.
• UID and GIDs must be stored in UidNumber and GidNumber schema attributes.
Nonvirtual attribute name: LdapWriteDN
    Value: DN name string
    Description: Limited write DN credentials. HP recommends that you do not use cn=Manager credentials. Instead, use an account DN with very restricted write permissions to the LdapConfigurationOU and beneath.

Nonvirtual attribute name: LDAPWritePassword
    Value: Unencrypted password string.
    Description: Password for the LdapWriteDN account. LDAP encrypts the string on storage.

Nonvirtual attribute name: schematype
    Value: Samba, posix, or user defined
    Description: Supported schema for the OpenLDAP server.
The wizard displays the configuration pages corresponding to the option you selected.
• Active Directory. See “Active Directory” (page 57).
• LDAP. See “LDAP” (page 59).
• LDAP ID Mapping. See “LDAP ID mapping” (page 58).
• Local Groups. See “Local Groups” (page 61).
• Local Users. See “Local Users” (page 62).
• Share Administrators. See “Windows Share Administrators” (page 64).
• Summary. See “Summary” (page 64).
If you want to use LDAP ID mapping as a secondary lookup for Active Directory, select Enabled with LDAP ID Mapping and AD in the Linux Static User Mapping field. When you click Next, the LDAP ID Mapping dialog box appears.

LDAP ID mapping

If the system cannot locate a UID/GID in Active Directory, it searches for the UID/GID in LDAP. On the LDAP ID Mapping dialog box, specify the appropriate search parameters.
Enter the following information on the dialog box:

LDAP Server Host
    Enter the server name or IP address of the LDAP server host.
Port
    Enter the LDAP server port (TCP port 389 for unencrypted or TLS encrypted; 636 for SSL encrypted).
Base of Search
    Enter the LDAP base for searches. This is normally the root suffix of the directory, but you can provide a base lower down the tree for business rules enforcement, ACLs, or performance reasons. For example, ou=people,cd=enx,dc=net.
Enter the following information in the remaining fields:

Bind DN
    Enter the LDAP user account used to authenticate to the LDAP server to read data, such as cn=hpx9000-readonly-user,dc=enxt,dc=net. This account must have privileges to read the entire directory. Write credentials are not required.
Write OU
    Enter the OU (organizational unit) on the LDAP server to which configuration entries can be written. This OU must be pre-provisioned on the remote LDAP server.
NOTE: If LDAP is the primary authentication service, Windows clients such as Explorer or MMC plugins cannot be used to add new users.

Local Groups

Specify local groups allowed to access shares. On the Local Groups page, enter the group name and, optionally, the GID and RID. If you do not assign a GID and RID, they are generated automatically. Click Add to add the group to the list of local groups. Repeat this process to add other local groups.
NOTE: If Local Users and Groups is the primary authentication service, Windows clients such as Explorer or MMC plugins cannot be used to add new users.

Local Users

Specify local users allowed to access shares. On the Local Users page, enter a user name and password. Click Add to add the user to the Local Users list. When naming local users, you should be aware of the following:
• User names must be unique. The new name cannot already be used by another user or group.
To provide account information for the user, click Advanced. The default home directory is /home/ and the default shell program is /bin/false.
NOTE: If Local Users and Groups is the primary authentication service, Windows clients such as Explorer or MMC plugins cannot be used to add new users.

Windows Share Administrators

If you will be using the Windows Share Management MMC plug-in to manage CIFS shares, enter your share administrators on this page. You can skip this page if you will be managing shares entirely from the X9000 Management Console.
You cannot change the UID or RID for a Local User account. If it is necessary to change a UID or RID, first delete the account and then recreate it with the new UID or RID. The Local Users and Local Groups panels allow you to delete the selected user or group.

Configuring authentication from the CLI

You can configure Active Directory, LDAP, LDAP ID mapping, or Local Users and Groups.
    ibrix_ldapconfig -a -h LDAPSERVERHOST [-P LDAPSERVERPORT] -b LDAPBINDDN -p LDAPBINDDNPASSWORD -w LDAPWRITEOU -B LDAPBASEOFSEARCH -n NETBIOS -E ENABLESSL [-f CERTFILEPATH] [-c CERTFILECONTENTS]

The options are:

-h LDAPSERVERHOST       The LDAP server host (server name or IP address).
-P LDAPSERVERPORT       The LDAP server port.
-b LDAPBINDDN           The LDAP bind Distinguished Name. For example: cn=hpx9000-readonly-user,dc=enxt,dc=net.
-p LDAPBINDDNPASSWORD   The LDAP bind password.
-p LDAPBINDDNPASSWORD   The LDAP bind password.
-m MAXWAITTIME          The maximum amount of time to allow the search to run.
-M MAXENTRIES           The maximum number of entries (the default is 10).
-n                      Case sensitivity for name searches (the default is false, or case-insensitive).
-s                      Search the LDAP scope base (search the base level entry only).
-o                      LDAP scope one (search all entries in the first level below the base entry, excluding the base entry).
Delete a Local Group account:

    ibrix_localgroups -d -g GROUPNAME
7 Using CIFS

The IBRIX CIFS server implementation allows you to create file shares for data stored on the cluster. The CIFS server provides a true Windows experience for Windows clients. A user accessing a file share on an X9000 system will see the same behavior as on a Windows server.

IMPORTANT: CIFS and X9000 Windows clients cannot be used together because of incompatible AD user to UID mapping. You can use either CIFS or X9000 Windows clients, but not both at the same time.
NOTE: Click CIFS Settings to configure SMB signing on this server. See “Configuring SMB signing” (page 75) for more information.
Health Status   Condition
Not Monitored   Monitoring is disabled
N/A             The active Fusion Manager could not communicate with other file serving nodes in the cluster

Disable monitoring and stop the CIFS monitoring daemon:

    ibrix_cifsmonitor -u [-h HOSTLIST]

Restart CIFS service monitoring:

    ibrix_cifsmonitor -c [-h HOSTLIST]

CIFS shares

Windows clients access file systems through CIFS shares. You can use the X9000 GUI or CLI to manage shares, or you can use the Microsoft Management Console interface.
On the Permissions page, specify permissions for users and groups allowed to access the share.
Click Add to open the New User/Group Permission Entry dialog box, where you can configure permissions for a specific user or group. The completed entries appear in the User/Group Entries list on the Permissions page. On the Client Filtering page, specify IP addresses or ranges that should be allowed or denied access to the share. NOTE: This feature cannot be used if your network includes packet filters, a NAT gateway, or routers.
bitmask is 1–32. The completed entry appears on the Client IP Filters list on the Client Filtering page. On the Advanced Settings page, enable or disable Access Based Enumeration and specify the default create mode for files and directories created in the share. The Access Based Enumeration option allows users to see only the files and folders to which they have access on the file share. On the Host Servers page, select the servers that will host the share.
Configuring SMB signing

The SMB signing feature specifies whether clients must support SMB signing to access CIFS shares. You can apply the setting to all servers, or to a specific server. To apply the same setting to all servers, select File Shares from the Navigator and click Settings on the File Shares panel. To apply a setting to a specific server, select that server on the GUI, select CIFS from the lower Navigator, and click Settings. The dialog is the same for both selection methods.
When configuring SMB signing, note the following:
• SMB2 is always enabled.
• Use the Required check box to specify whether SMB signing (with either SMB1 or SMB2) is required.
• The Disabled check box applies only to SMB1. Use this check box to enable or disable SMB signing with SMB1.

You should also be aware of the following:
• The File Share Settings dialog box does not display whether SMB signing is currently enabled or disabled.
On the CIFS Shares panel, click Add or Modify to open the File Shares wizard, where you can create a new share or modify the selected share. Click Delete to remove the selected share. Click CIFS Settings to configure global file share settings; see “Configuring SMB signing” (page 75) for more information.

You can also view CIFS shares for a specific file system. Select that file system on the GUI, and then select CIFS Shares from the lower Navigator.
Use the -A ALLOWCLIENTIPSLIST or -E DENYCLIENTIPSLIST options to list client IP addresses allowed or denied access to the share. Use commas to separate the IP addresses, and enclose the list in quotes. You can include an optional bitmask to specify entire subnets of IP addresses (for example, ibrix_cifs -A "192.186.0.1,102.186.0.2/16"). The default is "", which allows (or denies) all IP addresses.
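A client IP list is easy to get subtly wrong, so it is worth checking before it is passed to -A or -E. The following is an added example, not HP code: a Python check that parses a list in the comma-separated address[/bitmask] form described above and reports entries that are malformed, wider than intended, or outside private address space, plus entries that appear in both lists. The function names and the 4096-address threshold are hypothetical choices of this example.

```python
import ipaddress


def lint_client_list(value, max_addresses=4096):
    """Check one -A or -E list; return (networks, findings)."""
    if not value.strip():
        return [], ['empty list: the default "" applies to all client IP addresses']
    networks, findings = [], []
    for item in (part.strip() for part in value.split(",")):
        addr, slash, mask = item.partition("/")
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            findings.append(f"{item}: not an IPv4 address")
            continue
        bits = 32  # an entry without a bitmask is a single host
        if slash:
            if not (mask.isascii() and mask.isdigit() and 1 <= int(mask) <= 32):
                findings.append(f"{item}: bitmask must be 1-32")
                continue
            bits = int(mask)
        net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
        if net.network_address != ip:
            # The address part is a host inside the subnet, not the subnet itself.
            findings.append(f"{item}: host bits are set, the entry covers {net}")
        if net.num_addresses > max_addresses:
            # Hypothetical site threshold; tune it to the largest client subnet expected.
            findings.append(f"{item}: covers {net.num_addresses} addresses")
        if not net.is_private:
            # is_private is true for RFC 1918 space and other reserved ranges.
            findings.append(f"{item}: outside private address space, check for a typo")
        networks.append(net)
    return networks, findings


def overlapping_entries(allow, deny):
    """Return (allow_net, deny_net) pairs that match some of the same clients."""
    allow_nets, _ = lint_client_list(allow)
    deny_nets, _ = lint_client_list(deny)
    return [(str(a), str(d)) for a in allow_nets for d in deny_nets if a.overlaps(d)]


if __name__ == "__main__":
    # The first list is the sample from the command above; the rest are constructed.
    for candidate in ("192.186.0.1,102.186.0.2/16", "192.168.10.0/24,10.20.30.40", ""):
        nets, findings = lint_client_list(candidate)
        print(repr(candidate), "->", [str(n) for n in nets])
        for finding in findings:
            print("   ", finding)
    print(overlapping_entries("192.168.10.0/24", "192.168.10.77"))
```

Run against the sample list in the command above, the check reports that 102.186.0.2/16 covers the whole 102.186.0.0/16 subnet and that neither entry is in private address space.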
NOTE: To use MMC to manage CIFS shares, you must be authenticated as a user with share modification permissions.

NOTE: If you will be adding users with the MMC, the primary authentication method must be Active Directory.

NOTE: The permissions for CIFS shares managed with the MMC cannot be changed with the X9000 Management Console GUI or CLI.

Connecting to cluster nodes

When connecting to cluster nodes, use the procedure corresponding to the Windows operating system on your machine.
Windows Vista, Windows 2008, Windows 7: Complete the following steps:
1. Open the Start menu and enter mmc in the Start Search box. You can also enter mmc in a DOS cmd window.
2. On the User Account Control window, click Continue.
3. On the Console 1 window, select File > Add/Remove Snap-in.
4. On the Add or Remove Snap-ins window, select Shared Folders and click Add.
5.
The following example gives share management privileges to a single user:
ibrix_auth -t -S 'share admins=[domain\user1]'
If you specify multiple administrators, use commas to separate the users. For example:
ibrix_auth -t -S 'share admins=[domain\user1, domain\user2, domain\user3]'

Adding CIFS shares

CIFS shares can be added with the MMC, using the share management plug-in. When adding shares, you should be aware of the following:
• The share path must include the X9000 file system name.
To add a new share, select Shares > New Share and run the Create A Shared Folder Wizard. On the Folder Path panel, enter the path to the share, being sure to include the file system name. When you complete the wizard, the new share appears on the Computer Management window.
Deleting CIFS shares To delete a CIFS share, select the share on the Computer Management window, right-click, and select Delete. Linux static user mapping with Active Directory Linux static user mapping (also called UID/GID mapping or RFC2307 support) allows you to use LDAP as a Network Information Service. Linux static user mapping must be enabled when you configure Active Directory for user authentication (see “Configuring authentication for CIFS, FTP, and HTTP” (page 54)).
Installing Identity Management for UNIX To install Identity Management for UNIX on a domain controller running Windows Server 2003 R2, see the following Microsoft TechNet Article: http://technet.microsoft.com/en-us/library/cc778455(WS.10).aspx To install Identity Management for UNIX on a domain controller running Windows Server 2008 R2, see the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/cc731178.
The following article provides more information about modifying attributes in the Active Directory global catalog: http://support.microsoft.com/kb/248717 Assigning attributes To set POSIX attributes for users and groups, start the Active Directory Users and Computers GUI on the Domain Controller. Open the Administrator Properties dialog box, and go to the UNIX Attributes tab. For users, you can set the UID, login shell, home directory, and primary group. For groups, set the GID.
Consolidating SMB servers with common share names If your SMB servers previously used the same share names, you can consolidate the servers without changing the share name requested on the client side. For example, you might have three SMB servers, SRV1, SRV2, and SRV3, that each have a share named DATA. SRV3 points to a shared drive that has the same path as \\SRV1\DATA; however, users accessing SRV3 have different permissions on the share. To consolidate the three servers, we will take these steps: 1.
Client utilities such as net use will report the requested share name, not the new share name.

Mapping old share names to new share names

Mappings are defined in the /etc/likewise/vhostmap file. Use a text editor to create and update the file. Each line in the file contains a mapping in the following format:
VIF (or VhostName)|oldShareName|newShareName
If you enter a VhostName, it will be changed to a VIF internally.
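Because consolidated servers can carry different permissions on a share of the same name, a wrong mapping line sends clients to the wrong share. The following lint for the three-field format above is an added example, not HP code: the new share names (DATA_SRV1 and so on) and function names are hypothetical, and it assumes every non-blank line is a mapping and that names compare case-insensitively.

```shell
#!/bin/sh
# Added example (not HP code): lint a vhostmap file before deploying it.

# write_sample_vhostmap FILE
# Constructed sample input with two deliberate errors (lines 4 and 5).
write_sample_vhostmap() {
    cat > "$1" <<'EOF'
SRV1|DATA|DATA_SRV1
SRV2|DATA|DATA_SRV2
SRV3|data|DATA_SRV3
SRV3|DATA|DATA_SRV1
SRV2|DATA
EOF
}

# lint_vhostmap FILE
# Prints one line per problem; returns 1 if any problem was found, else 0.
lint_vhostmap() {
    awk -F'|' '
        /^[ \t]*$/ { next }    # assumption: blank lines are harmless
        NF != 3 {
            printf "line %d: expected 3 fields, found %d\n", NR, NF
            bad = 1; next
        }
        {
            # An empty or padded field silently changes the name being matched.
            for (i = 1; i <= 3; i++)
                if ($i == "" || $i ~ /^[ \t]/ || $i ~ /[ \t]$/) {
                    printf "line %d: field %d is empty or padded with whitespace\n", NR, i
                    bad = 1; next
                }
            # Same host and old share must not resolve to two different new shares.
            key = toupper($1) "|" toupper($2)
            if (key in seen) {
                if (toupper(seen[key]) != toupper($3)) {
                    printf "line %d: %s|%s is already mapped to %s on line %d\n", NR, $1, $2, seen[key], first[key]
                    bad = 1
                }
            } else {
                seen[key] = $3
                first[key] = NR
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Stand-alone use: sh lint_vhostmap.sh /path/to/vhostmap
if [ "$#" -gt 0 ]; then
    lint_vhostmap "$1"
fi
```
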
CIFS users cannot view directory tree quotas. Differences in locking behavior When CIFS clients access a share from different servers, as in the X9000 Software environment, the behavior of byte-range locks differs from the standard Windows behavior, where clients access a share from the same server. You should be aware of the following: • Zero-length byte-range locks acquired on one file serving node are not observed on other file serving nodes.
Restore operations If a file has been deleted from a directory that has Previous Versions, the user can recover a previous version of the file by performing a Restore of the parent directory. However, the Properties of the restored file will no longer list those Previous Versions. This condition is due to the X9000 snapshot infrastructure; after a file is deleted, a new file in the same location is a new inode and will not have snapshots until a new snapshot is subsequently created.
CIFS shadow copy restore during node failover If a node fails over while a CIFS shadow copy restore is in progress, the user may see a disruption in the restore operation. After the failover is complete, the user must skip the file that could not be accessed. The restore operation then proceeds. The file will not be restored and can be manually copied later, or the user can cancel the restore operation and then restart it.
but will not be inherited or propagated. The CIFS server also does not map POSIX ACLs to be compatible with Windows ACLs on a file. These permission mechanisms have some ramifications for setting up shares, and for cross-protocol access to files on an X9000 system. The details of these ramifications follow. Permissions, UIDs/GIDs, and ACLs The X9000 Software CIFS server does not attempt to maintain two permission/access schemes on the same file.
the share, and are not inherited downward into the share directory tree. For true Windows-like behavior, the creator of a share must access the root of the share and set the desired ACLs on it manually (using Windows Explorer or a command line tool such as ICACLS). This process is somewhat unnatural for Linux administrators, but should be fairly normal for Windows administrators.
occur for 15 to 20 minutes. The client's copy will then continue without error if the retry timeout has not expired. To work around this situation, take one of these steps:
• Stop and restart the Likewise process on the affected file serving node:
# /opt/likewise/bin/lwsm stop lwreg && /etc/init.d/lwsmd stop
# /etc/init.d/lwsmd start && /opt/likewise/bin/lwsm start srvsvc
• Power down the file serving node before failing it over, and do failback operations only during off hours.
8 Using FTP

The FTP feature allows you to create FTP file shares for data stored on the cluster. Clients access the FTP shares using standard FTP and FTPS protocol services. IMPORTANT: Before configuring FTP, select an authentication method (either Local Users or Active Directory). See “Configuring authentication for CIFS, FTP, and HTTP” (page 54) for more information. An FTP configuration consists of one or more configuration profiles and one or more FTP shares.
On the Config Profile page, select an existing configuration profile or create a new profile, specifying a name and defining the appropriate parameters.
On the Host Servers page, select the servers that will host the configuration profile. On the Settings page, configure the FTP parameters that apply to the share. The parameters are added to the file serving nodes hosting the configuration profile. Also enter the IP addresses and ports that clients will use to access the share. For High Availability, specify the IP address of a VIF having a VIF backup. NOTE: The allowed ports are 21 (FTP) and 990 (FTPS).
On the Users page, specify the users to be given access to the share. IMPORTANT: Ensure that all users who are given read or write access to shares have sufficient access permissions at the file system level for the directories exposed as shares.
To define permissions for a user, click Add to open the Add User to Share dialog box. Managing the FTP configuration Select File Shares > FTP from the Navigator to display the current FTP configuration. The FTP Config Profiles panel lists the profiles that have been created. The Shares panel shows the FTP shares associated with the selected profile.
Use the buttons on the panels to modify or delete the selected configuration profile or share. You can also add another FTP share to the selected configuration profile. Use the Modify FTP Share dialog box if you need to allow NAT connections on the share. Managing FTP from the CLI FTP is managed with the ibrix_ftpconfig and ibrix_ftpshare commands. For detailed information, see the HP IBRIX X9000 Network Storage System CLI Reference Guide.
Modify a configuration profile:
ibrix_ftpshare -m SHARENAME -c PROFILENAME [-f FSNAME -p dirpath] -I IP-Address:Port [-u USERLIST] [-S SETTINGLIST]
Delete a configuration profile:
ibrix_ftpconfig -d PROFILENAME
View an FTP share:
ibrix_ftpshare -i SHARENAME -c PROFILENAME [-v level]
List FTP shares associated with a specific profile:
ibrix_ftpshare -l -c PROFILENAME [-v level]
List FTP shares associated with a specific file system:
ibrix_ftpshare -l -f FSNAME [-v level]
Modify an FTP share:
ibrix_ftpshare -
Accessing shares Clients can access an FTP share by specifying a URL in their browser (Internet Explorer or Mozilla Firefox). In the following URLs, IP_address:port is the IP (or virtual IP) and port configured for the share.
For Active Directory users (specify the user as in this example: ASM2k3.
9 Using HTTP

The HTTP feature allows you to create HTTP file shares for data stored on the cluster. Clients access the HTTP shares using standard HTTP and HTTPS protocol services. IMPORTANT: Before configuring HTTP, select an authentication method (either Local Users or Active Directory). See “Configuring authentication for CIFS, FTP, and HTTP” (page 54) for more information. The HTTP configuration consists of a configuration profile, a virtual host, and an HTTP share.
• Ensure that all users who are given read or write access to HTTP shares have sufficient access permissions at the file system level for the directories exposed as shares. • For High Availability, when specifying IP addresses for accessing a share, use IP addresses for VIFs having VIF backups. See the administrator guide for your system for information about creating VIFs. Managing HTTP from the GUI Configuring HTTP Use the Add New File Share Wizard to configure HTTP.
On the Host Servers page, select the servers that will host the configuration profile.
On the Virtual Host page, enter a name for the virtual host and specify an SSL certificate and domain name if used. Also add one or more IP addresses:ports for the virtual host. For High Availability, specify a VIF having a VIF backup.
On the Settings page, set the appropriate parameters for the share. Note the following: • When specifying the URL Path, do not include http:// or any variation of this in the URL path. For example, /reports/ is a valid URL path. • When the WebDAV feature is enabled, the HTTP share becomes a readable and writable medium with locking capability. The primary user can make edits, while other users can only view the resource in read-only mode.
On the Users page, specify the users to be given access to the share. IMPORTANT: Ensure that all users who are given read or write access to shares have sufficient access permissions at the file system level for the directories exposed as shares.
To allow specific users read access, write access, or both, click Add. On the Add Users to Share dialog box, assign the appropriate permissions to the user. When you complete the dialog, the user is added to the list on the Users page. The Summary panel presents an overview of the HTTP configuration. You can go back and modify any part of the configuration if necessary. When the wizard is complete, users can access the share from a browser.
The users will see an index of the share (if the browseable property of the share is set to true), and can open and save files. For more information about accessing shares and uploading files, see “Accessing shares” (page 113). Managing the HTTP configuration Select File Shares > HTTP from the Navigator to display the current HTTP configuration. The HTTP Config Profiles panel lists the profiles that have been created. The Vhosts panel shows the virtual hosts associated with the selected profile.
ibrix_httpconfig -a profile1 -h node1,node2 -S "wblocksize=,rblocksize="
You can also set the values on the Modify HTTP Profile dialog box:

Managing HTTP from the CLI

On the command line, HTTP is managed by the ibrix_httpconfig, ibrix_httpvhost, and ibrix_httpshare commands. For detailed information, see the HP IBRIX X9000 Network Storage System CLI Reference Guide.
Managing the HTTP configuration

View a configuration profile:
ibrix_httpconfig -i PROFILENAME [-v level]
Modify a configuration profile:
ibrix_httpconfig -m PROFILENAME [-h HOSTLIST] [-S SETTINGLIST]
Delete a configuration profile:
ibrix_httpconfig -d PROFILENAME
View a virtual host:
ibrix_httpvhost -i VHOSTNAME -c PROFILENAME [-v level]
Modify a virtual host:
ibrix_httpvhost -m VHOSTNAME -c PROFILENAME -I IP-Address:Port [-S SETTINGLIST]
Delete a virtual host:
ibrix_httpvhost -d VHOSTNAME -c PROFILENAME
Vi
Accessing shares Clients access an HTTP share by specifying a URL in their browser (Internet Explorer or Mozilla Firefox). In the following URLs, IP_address:port is the IP (or virtual IP) and port configured for the share.
• Download a file using HTTP protocol: curl -u http://IP_address/dils/urlpath -o path to download>// • Download a file using HTTPS protocol: curl --cacert -u https://IP_address:port/urlpath/ -o path to download>// Configuring Windows clients to access HTTP WebDAV shares Complete the following steps to set up and access WebDAV enabled shares: • Verify the entry in the Windows hosts file.
• When creating certificates, verify that the hostname matches the Vhost name. When creating a certificate, the hostname should match the Vhost name or the domain name issued when mapping a network drive or opening the file directly using the URL such as https://storage.hp.com/share/foo.docx.
• Consider the assigned IP address when mapping a network drive on Windows. When mapping a network drive in Windows, if the IP address assigned to the Vhost is similar to the format 10.2.4.
1. Disconnect the network drive.
2. In Windows, select Start > Run and enter regedit.
3. Increase FileAttributeLimitInBytes from the default value of 1000000 to 10000000 (by a factor of 10).
4. Increase FileSizeLimitInBytes 10 times by adding one extra zero.
5. Save the registry and quit.
6. Reboot the Windows system.
7. Map the network drive to allow you to access the WebDAV share containing large files.
10 Managing SSL certificates

Servers accepting FTPS and HTTPS connections typically provide an SSL certificate that verifies the identity and owner of the web site being accessed. You can add your existing certificates to the cluster, enabling file serving nodes to present the appropriate certificate to FTPS and HTTPS clients. X9000 Software supports PEM certificates. When you configure the FTP share or the HTTP vhost, select the appropriate certificate.
1. Generate a private key:
openssl genrsa -des3 -out server.key 1024
You will be prompted to enter a passphrase. Be sure to remember the passphrase.
2. Remove the passphrase from the private key file (server.key). When you are prompted for a passphrase, enter the passphrase you specified in step 1.
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
rm -f server.key.org
3. Generate a Certificate Signing Request (CSR):
openssl req -new -key server.key -out server.csr
4.
Adding a certificate to the cluster

To add an existing certificate to the cluster, click Add on the Certificates panel. On the Add Certificate dialog box, enter a name for the certificate. Use a Linux command such as cat to display your concatenated certificate file. For example:
cat server.pem
Copy the contents of the file to the Certificate Content section of the dialog box. The copied text must include the certificate contents and the private key in PEM encoding.
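Before pasting server.pem into the dialog, it is worth confirming that the file really holds one certificate and the one matching, passphrase-free private key. The check below is an added example, not part of the HP guide or the X9000 software; the function names and the self-signed sample certificate are assumptions. The sample key is 2048-bit rather than the 1024 bits shown in the procedure, because 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example (not from the HP guide): check a concatenated PEM bundle
# before its contents are pasted into the Add Certificate dialog.

# make_sample_bundle DIR CN
# Constructed test data: unencrypted 2048-bit RSA key, CSR, and a self-signed
# certificate (assumption, sample only), concatenated into DIR/server.pem.
make_sample_bundle() {
    dir=$1
    cn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
}

# check_pem_bundle FILE
# Returns 0 if FILE holds exactly one certificate and one unencrypted private
# key with the same public key; otherwise prints the reason and returns 1.
check_pem_bundle() {
    bundle=$1
    [ -r "$bundle" ] || { echo "FAIL: cannot read $bundle"; return 1; }

    ncert=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    nkey=$(grep -c -E -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$bundle" || true)
    [ "$ncert" -eq 1 ] || { echo "FAIL: expected 1 certificate, found $ncert"; return 1; }
    [ "$nkey" -eq 1 ] || { echo "FAIL: expected 1 private key, found $nkey"; return 1; }

    # Both the traditional and the PKCS#8 encodings mark an encrypted key.
    if grep -q -E -e '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$bundle"; then
        echo "FAIL: private key is still passphrase-protected"
        return 1
    fi

    # Split the bundle so each openssl call sees only the block it needs.
    tmp=$(mktemp -d) || return 1
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        "$bundle" > "$tmp/cert.pem"
    awk '/-----BEGIN ([A-Z]+ )*PRIVATE KEY-----/,/-----END ([A-Z]+ )*PRIVATE KEY-----/' \
        "$bundle" > "$tmp/key.pem"
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null) || key_pub=""
    rm -rf "$tmp"

    [ -n "$cert_pub" ] || { echo "FAIL: certificate does not parse"; return 1; }
    [ -n "$key_pub" ] || { echo "FAIL: private key does not parse"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: private key does not match certificate"; return 1; }
    echo "OK: certificate and private key match"
}

# Stand-alone use: sh check_pem_bundle.sh server.pem
if [ "$#" -gt 0 ]; then
    check_pem_bundle "$1"
fi
```

The bundle contains the private key in the clear, so keep it readable only by the administrator and remove working copies once the certificate has been added.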
Exporting a certificate

If necessary, you can display a certificate and then copy and save the contents for future use. This step is called exporting. Select the certificate on the Certificates panel and click Export. To export a certificate from the CLI, use this command:
ibrix_certificate -e -c CERTNAME

Deleting a certificate

To delete a certificate from the GUI, select the certificate on the Certificates panel, click Delete, and confirm the operation.
11 Using remote replication

This chapter describes how to configure and manage the Continuous Remote Replication (CRR) service.

Overview

The CRR service provides a method to replicate changes in a source file system on one cluster to a target file system on either the same cluster (intra-cluster replication) or a second cluster (inter-cluster replication). Both files and directories are replicated with remote replication, and no special configuration of segments is needed.
NOTE: Run-once can also be used to replicate a single software snapshot. This must be done on the GUI. You can replicate to a remote cluster (an intercluster replication) or the same cluster (an intracluster replication). Using intercluster replications Intercluster configurations can be continuous or run-once: • Continuous: asynchronously replicates the initial state of a file system and any changes to it. Snapshots cannot be replicated.
NOTE:
• If a different file system is used for the target, the linkage can go back to the original cluster.

To replicate a directory or snapshot on a file system covered by continuous replication, first pause the continuous task and then initiate a run-once replication task. For information about configuring intercluster replications, see “Configuring the target export for replication to a remote cluster” (page 123).
Select the file system on the GUI, and then select Remote Replication Exports from the lower Navigator. On the Remote Replication Exports bottom panel, select Add. The Create Remote Replication Export dialog box allows you to specify the target export for the replication. The mount point of the file system is displayed as the default export path. You can add a directory to the target export. The Server Assignments section allows you to specify server assignments for the export.
The Remote Replication Exports panel lists the replication exports you created for the file system. Expand Remote Replication Exports in the lower Navigator and select the export to see the configured server assignments for the export. You can modify or remove the server assignments and the export itself. CLI procedure NOTE: This procedure does not apply to intracluster replication. Use the following commands to configure the target file system for remote replication: 1.
FSNAME is the target file system to be exported. The -p option exports a directory located under the root of the specified file system (the default is the root of the file system). The -C option specifies the source cluster containing the file system to be replicated. Include the -P option if you do not want this command to set the server assignments. You will then need to identify the server assignments manually with ibrix_crr_nic, as described in the next section.
Additional reports are available for the active replication tasks. In the lower Navigator, expand Active Tasks > Remote Replication to see a list of active tasks (crr-25 in the following example). Select Overall Status to see a status summary. Select Server Tasks to display the state of the task and other information for the servers where the task is running.
For a run-once replication, either specify the source directory or click Use a snapshot and then select the appropriate Snap Tree and snapshot. For both continuous and run-once replications, supply the target side information. Select the target cluster and target export, which must already be configured. If the remote cluster is not in the Target Cluster selection list, you will need to register the cluster. Select New to open the Add Remote Cluster dialog box.
For a run-once replication, either specify the source directory or click Use a snapshot and then select the appropriate Snap Tree and snapshot. For both continuous and run-once replications, supply the target side information. Select the appropriate target file system and optionally enter a target directory in that file system. IMPORTANT: If you specify a target directory, be sure that it does not overlap with a previous replication using the same target export.
Pausing or resuming a replication task To pause a task, select it on the Remote Replication Tasks panel and click Pause. When you pause a task, the status changes to PAUSED. Pausing a task that involves continuous data capture does not stop the data capture. You must allocate space on the disk to avoid running out of space because the data is captured but not moved. To resume a paused replication task, select the task and click Resume.
option, the replication starts at the root of the file system. The run-once job terminates after the replication is complete; however, the job can be stopped manually, if necessary. Use -P to specify an optional target directory under the target export.
Resuming a remote replication task

Use the following command to resume a continuous or run-once replication task with the specified task ID. Use the ibrix_task -l command to obtain the appropriate ID.
ibrix_crr -r -n TASKID

Querying remote replication tasks

Use the following command to list all active replication tasks in the cluster, optionally restricted by the specified file system and servers.
1. Stop write traffic to the local site.
2. Wait for all remote replication queues to drain.
3. Stop remote replication on the local site.
4. Reconfigure shares as necessary on the remote site. The cluster name and IP addresses (or VIFs) are different on the remote site, and changes are needed to allow clients to continue to access shares.
5. Redirect write traffic to the remote site.

When the local cluster is healthy again, take the following steps to perform a failback from the remote site:
1.
12 Managing data retention and validation

The data retention and validation feature is intended for sites that need to archive read-only files for business purposes. Data retention ensures that files cannot be modified or deleted for a specific retention period. Data validation scans can be used to ensure that files remain unchanged.

Overview

Data retention must be enabled on a file system.
Default retention period. If a specific retention period is not applied to a file, the file will be retained for the default retention period. The setting for this period determines whether you can manage WORM (non-retained) files as well as WORM-retained files: • To manage both WORM (non-retained) files and WORM-retained files, set the default retention period to zero. To make a file WORM-retained, you will need to set the atime to a date in the future.
storage. A scheduled scan will quit immediately if it detects that a scan of the same file system is already running. You can schedule periodic data validation scans, and you can also run on-demand scans. Enabling file systems for data retention and validation You can enable a new or an existing file system for data retention and, optionally, validation.
Check Enable Data Validation to schedule periodic scans on the file system. Use the default schedule, or select Modify to open the Data Validation Scan Schedule dialog box and configure your own schedule. Check Enable Data Validation to schedule periodic scans on the file system. Use the default schedule, or select Modify to open the Report Data Generation Schedule dialog box and configure your own schedule.
The retenMode option is required and is either enterprise or relaxed. You can specify any, all, or none of the period options. retenDefPeriod is the default retention period, retenMinPeriod is the minimum retention period, and retenMaxPeriod is the maximum retention period. The retenAutoCommitPeriod option specifies that files will become WORM or WORM-retained if they are not changed during the specified period. (If the default retention period is set to zero, the files become WORM.
To enable data retention on an existing file system using the CLI, run this command: ibrix_fs -W -f FSNAME -o "retenMode=,retenDefPeriod=,retenMinPeriod=, retenMaxPeriod=" To use the autocommit feature on an existing file system, first upgrade the file system to enable autocommit: ibrix_reten_adm -u -f FSNAME Then set the autocommit period on the file system with the -o "retenAutoCommitPeriod=" option.
========================= { … } RETENTION : Enterprise [default=15d,mininum=1d,maximum=5y] Changing the retention profile for a file system The file system must be unmounted when you make changes to the retention profile. After unmounting the file system, click Modify on the WORM/Data Retention panel to open the Modify WORM/Data Retention dialog box and then make your changes.
See the touch(1) documentation for the time/date formats allowed with the -d option. You can also enter the following on a Linux command line to see the acceptable date/time strings for the touch command: info "Date input formats" Windows. Windows does not include a touch command. Instead, use a third-party tool such as cygwin or FileTouch to set the access time to the future.
To administer files from the CLI, use the ibrix_reten_adm command. IMPORTANT: Do not use the ibrix_reten_adm command on a file system that is not enabled for data retention. Specifying path lists When using the GUI or the ibrix_reten_adm command, you need to specify paths for the files affected by the retention action. The following rules apply when specifying path lists: • A path list can contain one or more entries, separated by commas.
Setting or removing a legal hold

When a legal hold is set on a retained or WORM file, the file cannot be deleted until the hold is released, even if the retention period has expired. On the WORM/Data Retention – File Administration dialog box, select Set a Legal Hold and specify the appropriate file. To remove a legal hold from a file, select Remove a Legal Hold and specify the appropriate file. When the hold is removed, the file is again under the control of its original retention policy.
system is in Relaxed retention mode (not Enterprise), the exact date/time can be in the past, in which case the file immediately expires from retention and becomes WORM but no longer retained. See the Linux date(1) man page for a description of the valid date/time formats for the expire_time parameter. Removing the retention period When you remove the retention period from a retained file, the file becomes a WORM file.
Go to the Schedule tab to specify when you want to run the scan. Starting an on-demand validation scan You can run a validation scan at any time. Select the file system on the GUI, and then select Active Tasks from the lower navigator. Click New to open the Starting a New Task dialog box. Select Data Validation as the Task Type. When you click OK, the Start a new Validation Scan dialog box appears. Change the path to be scanned if necessary and click OK.
To start an on-demand validation scan from the CLI, use the following command:
ibrix_datavalidation -s -f FSNAME [-d PATH]

Viewing, stopping, or pausing a scan

Scans in progress are listed on the Active Tasks panel on the GUI. If you need to halt the scan, click Stop or Pause on the Active Tasks panel. Click Resume to resume the scan. To view the progress of a scan from the CLI, use the ibrix_task command. The -s option lists scheduled tasks.
Meta hash: 80f68a53bb4a49d0ca19af1dec18e2ff0cf965da Data hash: d64492d19786dddf50b5a7c3bebd3fc8930fc493 The showvms command displays the hash sums stored for the file. For example: # /usr/local/ibrix/sbin/showvms rhnplugin.
The utilization report summarizes how storage is utilized between retention states and free space. The next example shows the first page of a utilization report broken out by tiers. The results for each tier appear on a separate page. The total size scales automatically, and is reported as MB, GB, or TB, depending on the size of the file system or tier. A data validation report shows when files were last validated and reports any mismatches. A mismatch can be either content or metadata.
Generating and managing reports To run an unscheduled report from the GUI, select Filesystems in the upper Navigator and then select WORM/Data Retention in the lower Navigator. On the WORM/Data Retention panel, click Run a Report. On the Run a WORM/Data Protection Summary Report dialog box, select the type of report to view, and then specify the output format. If an error occurs during report generation, a message appears in red text on the report. Simply run the report again.
ibrix_reports -s -f FILESYSTEM
Then run the following command to generate the specified report:
ibrix_reports -g -f FILESYSTEM -n NAME -o OUTPUT FORMAT
Use the -n option to specify the type of report, where NAME is one of the following:
• retention
• retention_by_tier
• validation
• validation_by_tier
• utilization
• utilization_by_tier
The output format specified with -o can be csv or pdf.
Backup support for data retention

The supported method for backing up and restoring WORM/retained files is to use NDMP with DMA applications. Other backup methods will back up the file data, but will lose the retention configuration.

Troubleshooting data retention

Attempts to edit retained files can create empty files

If you attempt to edit a WORM file in the retained state, applications such as the vi editor will be unable to edit the file, but can leave empty temp files on the file system.
13 Configuring Antivirus support

The X9000 antivirus feature can be used with supported Antivirus software, which must be run on systems outside the cluster. These systems are called external virus scan engines. To configure the Antivirus feature on an X9000 cluster, complete these steps:
1. Add the external virus scan engines to be used for virus scanning. You can schedule periodic updates of virus definitions from the virus scan engines to the cluster nodes.
2. Enable Antivirus on file systems.
3.
On the CLI, use the ibrix_avconfig command to configure Antivirus support. Use the ibrix_av command to update Antivirus definitions or view statistics. Adding or removing external virus scan engines The Antivirus software is run on external virus scan engines. You will need to add these systems to the Antivirus configuration.
ibrix_avconfig -d -F
Disable Antivirus on specific file systems:
ibrix_avconfig -d -f FSLIST

Updating Antivirus definitions

You should update the virus definitions on the cluster nodes periodically. On the GUI, click Update ClusterWide ISTag on the Antivirus Settings panel. The cluster then connects with the external virus scan engines and synchronizes the virus definitions on the cluster nodes with the definitions on the external virus scan engines.
To set the policy from the CLI, use this command:
ibrix_avconfig -u -g A|D

Defining protocol-specific policies

For certain file sharing protocols (currently only CIFS), you can specify the file operations that trigger a scan (open, close, or read). There are three policies:
• OPEN — Scan on open.
• CLOSE — Scan on close.
• BOTH — Scan on open and close.
To set the policy, select Protocol Scan Settings from the lower Navigator. The AV Protocol Settings panel then displays the current setting.
on their file extension or size. To configure exclusions on the GUI, click Exclusion on the AV Enable Disable panel. On the Exclusion Property dialog box, select the file system and then specify the directory path where the exclusion is to be applied. By default, when exclusions are set on a particular directory, all of its child directories inherit those exclusions.
On the CLI, use the following options to specify exclusions with the ibrix_avconfig command:
• -x FILE_EXTENSION — Excludes all files having the specified extension, such as .jpg. If you specify multiple extensions, use commas to separate the extensions.
• -s FILE_SIZE — Excludes all files larger than the specified size (in MB).
• -N — Does not exclude any files in the directory hierarchy.
The CLI commands are: View statistics from all cluster nodes: ibrix_av -l -s Delete statistics from all nodes: ibrix_av -d -s Antivirus quarantines and software snapshots The quarantine utility has the following limitations when used with snap files.
The quarantine utility displays both the snap name (which still has the original name) and the new filename, although they are the same file.
14 Creating X9000 software snapshots The X9000 software snapshot feature allows you to capture a point-in-time copy of a file system or directory for online backup purposes and to simplify recovery of files from accidental deletion. Software snapshots can be taken of the entire file system or selected directories. Users can access the filesystem or directory as it appeared at the instant of the snapshot. NOTE: To accommodate software snapshots, the inode format was changed in the X9000 6.0 release.
To enable a directory tree for snapshots, click Add on the Snap Trees panel. You can create a snapshot directory tree for an entire file system or a directory in that file system. When entering the directory path, do not specify a directory that is a parent or child of another snapshot directory tree. For example, if directory /dir1/dir2 is a snapshot directory tree, you cannot create another snapshot directory tree at /dir1 or /dir1/dir2/dir3.
Modifying a snapshot schedule You can change the snapshot schedule at any time. On the Snap Trees panel, select the appropriate snap tree, select Modify, and make your changes on the Modify Snap Tree dialog box. Managing software snapshots To view the snapshots for a specific directory tree, select the appropriate directory tree on the Snap Trees panel, and then select Snapshots from the lower Navigator.
To take a snapshot from the CLI, use the following command:

ibrix_snap -c -f FSNAME -P SNAPTREEPATH -n NAMEPATTERN

SNAPTREEPATH is the full directory path starting from the root of the file system. The name that you specify is appended to the date of the snapshot. The following words cannot be used in the name, as they are reserved for scheduled snapshots:
• Hourly
• Daily
• Weekly
• Monthly

You will need to manually delete on-demand snapshots when they are no longer needed.
2011-06-01T140000_hourly
2011-06-01T150000_hourly
2011-06-01T160000_hourly
2011-06-01T170000_hourly
2011-06-01T180000_hourly
2011-06-01T220000_hourly
2011-06-01T230000_hourly
2011-06-02T000000_hourly
2011-06-02T010000_hourly
2011-06-02T020000_hourly
2011-06-02T060000_hourly
2011-06-02T070000_hourly
2011-06-02T080000_hourly
2011-06-02T090000_hourly

Users having access to the root of the snapshot directory tree (in this example, /ibfs1/users/) can navigate the /ibfs1/users/.
to copy files from the snapshot directory to a local or remote directory (see “Starting a replication task” (page 127)). Deleting snapshots Scheduled snapshots are deleted automatically according to the retention schedule specified for the snapshot tree; however you can delete a snapshot manually if necessary. You also need to delete on-demand snapshots manually. Deleting a snapshot does not free the file system space that was used by the snapshot; you will need to reclaim the space.
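The naming and deletion rules above, as an added example that is not part of the HP guide or of X9000 Software: it classifies snapshot names as scheduled or on-demand and lists on-demand snapshots old enough to be candidates for manual deletion. It assumes names follow the date_name layout shown in the listing and that reserved words are matched case-insensitively; the function names, the age threshold, and the sample names are constructed.

```python
import re
from datetime import datetime, timedelta

# Words the guide reserves for scheduled snapshots. Matching them
# case-insensitively is an assumption: the guide lists them capitalized,
# while its sample listing shows "_hourly".
RESERVED = {"hourly", "daily", "weekly", "monthly"}

# Name layout taken from the guide's listing, e.g. 2011-06-01T140000_hourly
NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{6})_(.+)$")


def parse_snapshot(name):
    """Split a snapshot name into timestamp, label and kind; None if it does not fit."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        taken = datetime.strptime(m.group(1), "%Y-%m-%dT%H%M%S")
    except ValueError:  # digits in the right places, but not a real date or time
        return None
    label = m.group(2)
    kind = "scheduled" if label.lower() in RESERVED else "on-demand"
    return {"name": name, "taken": taken, "label": label, "kind": kind}


def label_allowed(label):
    """True if the label may be used as the name of an on-demand snapshot."""
    return bool(label) and label.lower() not in RESERVED


def audit(names, now, max_age_days):
    """Return (stale on-demand snapshot names, names that could not be parsed)."""
    cutoff = now - timedelta(days=max_age_days)
    stale, unknown = [], []
    for name in names:
        snap = parse_snapshot(name)
        if snap is None:
            unknown.append(name)
        elif snap["kind"] == "on-demand" and snap["taken"] < cutoff:
            stale.append(name)
    return sorted(stale), unknown


# Constructed sample: two names from the guide's listing plus invented entries.
SAMPLE = [
    "2011-06-01T140000_hourly",
    "2011-06-02T090000_hourly",
    "2011-05-02T093000_prepatch",   # on-demand, a month old
    "2011-06-01T101500_audit",      # on-demand, recent
    "lost+found",                   # not a snapshot name
]

if __name__ == "__main__":
    stale, unknown = audit(SAMPLE, datetime(2011, 6, 2, 12, 0, 0), 14)
    print("on-demand snapshots to review for deletion:", stale)
    print("unrecognized entries:", unknown)
```

Scheduled snapshots are left out of the report because the retention schedule removes them automatically.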
Select New on the Task Summary panel to open the New Snapshot Space Reclamation Task dialog box. On the General tab, select a reclamation strategy: • Maximum Space Reclaimed. The reclamation task recovers all snapped space eligible for recovery. It takes longer and uses more system resources than Maximum Speed. This is the default. • Maximum Speed of Task. The reclamation task reclaims only the most easily recoverable snapped space.
To stop a running reclamation task, click Stop on the Task Summary panel. Managing reclamation tasks from the CLI To start a reclamation task from the CLI, use the following command: ibrix_snapreclamation -r -f FSNAME [-s {maxspeed | maxspace}] [-v] The reclamation task runs immediately; you cannot create a recurring schedule for it.
Moving files between snap trees Files created on, copied, or moved to a snap tree directory can be moved to any other snap tree or non-snap tree directory on the same file system, provided they are not snapped. After a snapshot is taken and the files have become part of that snapshot, they cannot be moved to any other snap tree or directory on the same file system. However, the files can be moved to any snap tree or directory on a different file system. Backing up snapshots Snapshots are stored in a .
15 Creating block snapshots The block snapshot feature allows you to capture a point-in-time copy of a file system for online backup purposes and to simplify recovery of files from accidental deletion. The snapshot replicates all file system entities at the time of capture and is managed exactly like any other file system. NOTE: You can use either the software method or the block method to take snapshots on a file system. Using both snapshot methods simultaneously on the same file system is not supported.
NOTE: If the snapshot store is too small, the snapshot will eventually exceed the available space (unless you detect this and manually increase storage). If this situation occurs, the array software deletes the snapshot resources and the X9000 Software snapshot feature invalidates the snapshot file system. Although you can monitor the snapshot and manually increase the snapshot store as needed, the safest policy is to initially provision enough space to last for the expected lifetime of the snapshot.
The type of storage array determines the maximum number of snapshots you can keep and mount per file system.
Under Snapshot Configuration, select New to create a new snapshot scheme. The Create Snapshot Scheme dialog box appears.
On the General tab, enter a name for the strategy and then specify the number of snapshots to keep and mount on a daily, weekly, and monthly basis. Keep in mind the maximums allowed for your array type. Daily means that one snapshot is kept per day for the specified number of days. For example, if you enter 6 as the daily count, the snapshot feature keeps 1 snapshot per day through the 6th day. On the 7th day, the oldest snapshot is deleted.
For either template, enter one or more of the following variables. The variables must be enclosed in braces ({ }) and separated by underscores (_). The template can also include text strings. When a snapshot is created using the templates, the variables are replaced with the following values. Variable Value fsname File system name shortdate yyyy_mm_dd fulldate yyyy_mm_dd_HHmmz + GMT When you have completed the scheme, it appears in the list of snapshot schemes on the Create Snapshot dialog box.
ibrix_vs_snap_strategy -c -n NAME -k KEEP -m MOUNT [-N NAMESPEC] [-M MOUNTSPEC]

The options are:
-n NAME    The name for the snapshot scheme.
-k KEEP    The number of snapshots to keep per file system. For the P2000 G3 MSA System/MSA2000 G2 array, the maximum is 32 snapshots per file system. For P4000 G2 storage systems, the maximum is 32 snapshots per file system.
To see details about a specific automated snapshot scheme, use the following command: ibrix_vs_snap_strategy -i -n NAME Deleting an automated snapshot scheme A snapshot scheme can be deleted only from the CLI. Use the following command: ibrix_vs_snap_strategy -d -n NAME Managing block snapshots This section describes how to manage individual snapshots.
Viewing snapshot information
Use the following commands to view snapshot information from the CLI.

Listing snapshot information for all hosts
The ibrix_vs_snap -l command displays snapshot information for all hosts. Sample output follows:

ibrix_vs_snap -l
NAME   NUM_SEGS  MOUNTED?  GEN  TYPE  CREATETIME
-----  --------  --------  ---  ----  ----------
snap1  3         No        6    msa   Wed Oct 7 15:09:50 EDT 2009

The following table lists the output fields for ibrix_vs_snap -l.

Field          Description
NAME           Snapshot name.
The following table lists the output fields for ibrix_vs_snap -i.

Field          Description
SEGMENT        Snapshot segment number.
OWNER          The file serving node that owns the snapshot segment.
LV_NAME        Logical volume.
STATE          State of the snapshot.
BLOCK_SIZE     Block size used for the snapshot.
CAPACITY (GB)  Size of this snapshot file system, in GB.
FREE (GB)      Free space on this snapshot file system, in GB.
AVAIL (GB)     Space available for user files, in GB.
The next window shows a CIFS client accessing the snapshot file system .fs1_snap1. The original file system is mapped to drive X.
Troubleshooting block snapshots Snapshot reserve is full and the MSA2000 is deleting snapshot volumes When the snapshot reserve is full, the MSA2000 will delete snapshot volumes on the storage array, leaving the device entries on the file serving nodes. To correct this situation, take the following steps: 1. Stop I/O or any applications that are reading or writing to the snapshot file systems. 2. Log on to the active Fusion Manager. 3. Unmount all snapshot file systems. 4.
16 Using data tiering A data tier is a logical grouping of file system segments. After creating tiers containing the segments in the file system, you can use the data tiering migration process to move files from the segments in one tier to the segments in another tier. For example, you could create a primary data tier for SAS storage and another tier for SATA storage. You could then migrate specific data from the SAS tier to the lower-cost SATA tier.
In this example, filesystem ifs1 has four segments and no tiering information is currently defined. We will create two tiers, Tier1 and Tier2, and we will assign two segments to each tier. On the Segments panel, select the segments for the tier and click Assign to Tier. On the Assign to Tier dialog box, specify a name for the tier. When you repeat the operation to place other file system segments in a tier, the dialog box allows you to add the segments to an existing tier or to create a new tier.
Defining the primary tier
All new files are written to the primary tier, which is typically the tier built on the fastest storage. Use the following command to define the primary tier:

ibrix_fs_tune -f FILESYSTEM -h SERVERS -t TIERNAME

The following example specifies Tier1 as the primary tier:

ibrix_fs_tune -f ifs1 -h ibrix1a,ibrix1b -t Tier1

This policy takes precedence over any other file allocation policies defined for the filesystem.
The Data Tiering Rules panel lists the existing rules for the file system. To create a rule, click Create. On the Create Data Tiering Rule dialog box, select the source and destination tier and then define a rule. The rule can move files between any two tiers. When you click OK, the rule is checked for correct syntax. If the syntax is correct, the rule is saved and appears on the Data Tiering Rules panel. The following example shows the three rules created for the example.
Additional rule examples The following rule migrates all files from Tier2 to Tier1: name="*" The following rule migrates all files in the subtree beneath the path. The path is relative to the mountpoint of the file system. path=testdata2 The next example migrates all mpeg4 files in the subtree. A logical “and” operator combines the rules: path=testdata4 and name="*mpeg4" The next example narrows the scope of the rule to files owned by users in a specific group. Note the use of parentheses.
Click Details to see summary information about the task. Changing the tiering configuration with the GUI The following restrictions apply when changing the configuration: • You cannot modify the tiering configuration for a filesystem while an active migration task is running. • You cannot move segments between tiers, assign them to new tiers, or unassign them from tiers while an active migration task is running or while any rules exist that apply to the segments.
Removing a segment from a tier You can remove a segment from a tier, without assigning it to another tier. Select the file system from the Filesystems panel and expand Segments in the lower Navigator to list the tiers in the file system. Select the tier containing the segment. On the Tier Segments panel, select the segment and click Unassign. Configuring tiers and migrating data using the CLI Use the ibrix_tier command to manage tier assignments and to list information about tiers.
Assigning segments to tiers
First determine the segments in the file system and then assign them to tiers. Use the following command to list the segments:

ibrix_fs -f FSNAME -i

For example (the output is truncated):

[root@ibrix01a ~]# ibrix_fs -f ifs1 -i
. .
SEGMENT  OWNER     LV_NAME  STATE  BLOCK_SIZE  CAPACITY(GB)
-------  --------  -------  -----  ----------  ------------
1        ibrix01b  ilv1     OK     4,096       3,811.11      . . .
2        ibrix01a  ilv2     OK     4,096       3,035.67
3        ibrix01b  ilv3     OK     4,096       3,811.11
4        ibrix01a  ilv4     OK     4,096       3,035.
. .
ibrix_migrator -A -f FSNAME -r RULE -S SOURCE_TIER -D DESTINATION_TIER

The following rule migrates all files that have not been modified for 30 minutes from Tier1 to Tier2:

[root@ibrix01a ~]# ibrix_migrator -A -f ifs1 -r 'mtime older than 30 minutes' -S Tier1 -D Tier2
Rule: mtime
[root@ibrix01a testdata1]# ibrix_task -i -n Migrator_163
Operation: Migrator_163
=======================
Task Summary
============
Task Id : Migrator_163
Type : Migrator
File System : ifs1
Submitted From : root from Local Host
Run State : STOPPED
Active? : No
EXIT STATUS : OK
Started At : Jan 17, 2012 10:32:55
Coordinator Server : ibrix01b
Errors/Warnings :
Dentries scanned : 1025
Number of Inodes moved : 1002
Number of Inodes skipped : 1
Avg size (kb) : 525
Avg Mb Per Sec : 16
Number of errors : 0
Stoppin
Deleting a tiering rule
Before deleting a rule, run the ibrix_migrator -l [-f FSNAME] -r command and note the ID assigned to the rule. Then use the following command to delete the rule:

ibrix_migrator -d -f FSNAME -r RULE_ID

The -r option specifies the rule ID. For example:

[root@ibrix01a ~]# ibrix_migrator -d -f ifs2 -r 2

Writing tiering rules
A tiering policy consists of one or more rules that specify how data is migrated from one tier to another.
Use the following qualifiers for relative times and dates:
• Relative time: Enter in rules as year or years, month or months, week or weeks, day or days, hour or hours.
• Relative date: Use older than or younger than.

The rules engine uses the time the ibrix_migrator command starts execution as the start time for the rule. It then computes the required time for the rule based on this start time. For example, ctime older than 4 weeks refers to that time period more than 4 weeks before the start time.
The rule in the following example is based on the file’s last modification time, using a relative time period. All files whose last modification date is more than one month in the past are moved.

# ibrix_migrator -A -f ifs2 -r 'mtime older than 1 month' -S T1 -D T2

In the next example, the rule is modified to limit the files being migrated to two types of graphic files. The or expression is enclosed in parentheses, and the * wildcard is used to match filename patterns.
files will be encountered at the beginning of the job, causing space on tier 2 to be consumed faster than on tier 1. Once a destination tier is full, obviously no further movement in that direction is possible. The rules in these two examples are ambiguous because they give rise to possible conflicting file movement. It is the user’s responsibility to write unambiguous rules for the data tiering policy for their file systems.
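A way to check a policy for conflicting movement before adding its rules, as an added example that is not HP's rules engine or part of the guide: it evaluates single-clause time rules such as 'mtime older than 1 month' against a cutoff computed from the start time, and reports files that one rule would move into a tier from which another rule would move them again. It assumes a month is 30 days and a year 365 days, that migration leaves file timestamps unchanged, and that file metadata is supplied by the caller; all names and sample data are constructed.

```python
import re
from datetime import datetime, timedelta

# Seconds per unit. Month and year lengths are assumptions; the guide does not
# say how the rules engine measures them.
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 7 * 86400,
                "month": 30 * 86400, "year": 365 * 86400}

# Only the single-clause time rules shown in the guide are handled here.
RULE_RE = re.compile(
    r"^(mtime|ctime)\s+(older|younger)\s+than\s+(\d+)\s+"
    r"(minute|hour|day|week|month|year)s?$")


def parse_rule(text):
    """Parse e.g. 'mtime older than 30 minutes' into (attr, relation, timedelta)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % text)
    attr, relation, count, unit = m.groups()
    return attr, relation, timedelta(seconds=int(count) * UNIT_SECONDS[unit])


def rule_matches(rule_text, meta, start):
    """Evaluate one rule against a file's timestamps, relative to the start time."""
    attr, relation, span = parse_rule(rule_text)
    cutoff = start - span
    return meta[attr] < cutoff if relation == "older" else meta[attr] > cutoff


def find_conflicts(policy, files, start):
    """Return (file, first_rule, second_rule) for files that would move twice.

    policy: list of (rule_text, source_tier, destination_tier)
    files:  {name: {"tier": str, "mtime": datetime, "ctime": datetime}}
    """
    conflicts = []
    for name, meta in sorted(files.items()):
        for rule, src, dst in policy:
            if meta["tier"] != src or not rule_matches(rule, meta, start):
                continue
            # The file would land in dst; does any rule also move it out of dst?
            for rule2, src2, _dst2 in policy:
                if src2 == dst and rule_matches(rule2, meta, start):
                    conflicts.append((name, rule, rule2))
    return conflicts


# Constructed policy and file metadata.
START = datetime(2012, 1, 17, 10, 0, 0)
POLICY = [("mtime older than 1 month", "T1", "T2"),
          ("mtime younger than 1 year", "T2", "T1")]
FILES = {
    "a.dat": {"tier": "T1", "mtime": datetime(2011, 11, 1), "ctime": datetime(2011, 11, 1)},
    "b.dat": {"tier": "T1", "mtime": datetime(2012, 1, 10), "ctime": datetime(2012, 1, 10)},
    "c.dat": {"tier": "T2", "mtime": datetime(2010, 6, 1), "ctime": datetime(2010, 6, 1)},
}

if __name__ == "__main__":
    for name, first, second in find_conflicts(POLICY, FILES, START):
        print("%s: '%s' then '%s'" % (name, first, second))
```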
17 Using file allocation This chapter describes how to configure and manage file allocation. Overview X9000 Software allocates new files and directories to segments according to the allocation policy and segment preferences that are in effect for a client. An allocation policy is an algorithm that determines the segments that are selected when clients write to a file system. File allocation policies File allocation policies are set per file system on each file serving node and on X9000 clients.
Standard segment preferences and allocation policies Name Description Comment ALL Prefer all of the segments available in the file system for new files and directories. This is the default segment preference. It is suitable for most use cases. LOCAL Prefer the file serving node’s local segments for new files and directories. No writes are routed between the file serving nodes in the cluster.
An X9000 client or X9000 file serving node (referred to as “the host”) uses the following precedence rules to evaluate the file allocation settings that are in effect: • The host uses the default allocation policies and segment preferences: The RANDOM policy is applied, and a segment is chosen from among ALL the available segments.
Setting file and directory allocation policies from the CLI
Allocation policy names are case sensitive and must be entered as uppercase letters (for example, RANDOM).

Set a file allocation policy:
ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} -s LVNAMELIST -p POLICY [-S STARTSEGNUM]

The following example sets the ROUNDROBIN policy for files only on file system ifs1 on file serving node s1.hp.com, starting at segment ilv1:
ibrix_fs_tune -f ifs1 -h s1.hp.
Creating a pool of preferred segments from the CLI A segment pool can consist of individually selected segments, all segments local to a file serving node, or all segments. Clients will apply the allocation policy that is in effect for them to choose a segment from the segment pool. NOTE: Segments are always created in the preferred condition. If you want to have some segments preferred and others unpreferred, first select a single segment and prefer it. This action unprefers all other segments.
Tuning allocation policy settings To optimize system performance, you can globally change the following allocation policy settings for a file system: • File allocation policy. IMPORTANT: Certain allocation policies are deprecated. See “File allocation policies” (page 195) for a list of standard allocation policies. • Starting segment number for applying changes. • Preallocation: number of KB to preallocate for files. • Readahead: number of KB in a file to pre-fetch.
HOSTNAME mak01.hp.
18 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
19 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
Glossary
ACE      Access control entry.
ACL      Access control list.
ADS      Active Directory Service.
ALB      Advanced load balancing.
BMC      Baseboard Management Configuration.
CIFS     Common Internet File System. The protocol used in Windows environments for shared folders.
CLI      Command-line interface. An interface comprised of various commands which are used to control operating system responses.
CSR      Customer self repair.
DAS      Direct attach storage.
SELinux  Security-Enhanced Linux.
SFU      Microsoft Services for UNIX.
SID      Secondary controller identifier number.
SNMP     Simple Network Management Protocol.
TCP/IP   Transmission Control Protocol/Internet Protocol.
UDP      User Datagram Protocol.
UID      Unit identification.
VACM     SNMP View Access Control Model.
VC       HP Virtual Connect.
VIF      Virtual interface.
WINS     Windows Internet Naming Service.
WWN      World Wide Name. A unique identifier assigned to a Fibre Channel device.
WWNN     World wide node name.