NetApp ONTAP 9.6 New Features and Functions (plus some new hardware!)

NetApp announced ONTAP 9.6 with new features and functions as well as a new mid-level NVMe hardware platform, the all NVMe A320.

  • (Going forward) All versions of ONTAP will be “long term supported”
  • New (and renamed) version of ONTAP System Manager that is based on REST APIs
  • Simpler FlexGroup management
  • Adaptive QoS support for NVMe/FC (maximums)
  • Additional host support for NVMe
  • FabricPool tiers to Google and Alibaba clouds
  • FlexCache extended to use with Cloud Volumes ONTAP
  • FlexGroups on MetroCluster
  • Larger ONTAP Select “Premium XL” license
  • Over-the-wire encryption with SnapMirror and FlexCache
  • Per tenant / SVM encryption key management
  • Aggregate-level encryption, which enables aggregate-level dedupe with NVE
  • Entry level AFF and FAS MetroCluster over IP
  • Easy deploy plugin for ONTAP Select in VMware
  • SnapMirror Synchronous support for NFSv4, SMB2 & 3
  • Self Encrypting Drives (SED) NVMe SSDs

Now let’s look at a few of my favorites:

New ONTAP Support Policy
Going forward, all ONTAP releases will be “long term supported.” Previously, “even” versions were short term supported (one year) and “odd” versions were long term supported (three years). The new support policy will be full support for three years, limited support for two years, and “self-service” support for three years after that.

FlexGroups
FlexGroups operate as a “scale-out NAS container”: a single NAS mount point provides access and automatic load distribution across multiple constituents, which rest on multiple aggregates across the ONTAP cluster. In ONTAP 9.6, FlexGroups are supported on MetroCluster (FC and IP) and can be created on existing MetroCluster deployments after upgrading to ONTAP 9.6. Additional out-of-space protection was also introduced; it is called into action when one of the constituents gets a little fuller than the others. The constituent will end up “borrowing” space (up to 1%) from the other constituents to allow the write to complete.

Over-the-Wire Encryption With SnapMirror and FlexCache
SnapMirror has been around since just about the dawn of NetApp. Tried and true, it’s the backbone of replication and migration in ONTAP systems. Now with ONTAP 9.6, SnapMirror and SnapMirror Synchronous are encrypted (TLS v1.2) end to end, and encryption is enabled by default on all new SnapMirror relationships. End-to-end encryption is also now available on the new version of FlexCache, which made its debut with ONTAP 9.5. FlexCache is a feature of ONTAP that allows you to extend and/or accelerate data access within a cluster or beyond it, typically across the WAN to remote clusters.

Aggregate-Level Encryption:
NetApp Volume Encryption (NVE) was introduced back in ONTAP 9.1 as a quick and easy way to get encryption at rest on ONTAP. Shortly after, aggregate-level dedupe (ALD) was introduced in 9.2. The downside was that you could not use NVE and ALD at the same time, because each volume is encrypted with a different key for security. However, with ONTAP 9.6 you’re given the option to encrypt at an aggregate level, giving each volume the same key (technically), so ALD is able to read all the blocks across the volumes in the aggregate.

Entry Level AFF and FAS MetroCluster over IP:
The A220 and FAS2750 will now support MetroCluster over IP (MCC-IP), which was initially only available on the larger A700 and FAS9000 systems, and later on the mid-level A300 and 8200 systems. This gives the entry level solutions the ability to utilize MetroCluster over IP functionality. To further lower the entry cost of MCC-IP, new deployments are able to use existing switches within the customer’s datacenter for the ISL. (Note: Certain requirements apply for this option. Please contact your NetApp Partner or NetApp Rep for further details.)

New Platform AFF A320 All NVMe Controller
The A320 is the mid-level version of the all-NVMe A800 that debuted last year and offers the same end-to-end NVMe connectivity. Onboard are 8x 100GbE ports (which can also run at 40GbE) for connectivity and shelf expansion. Ports “e0a” and “e0d” are reserved for the shared cluster and HA interconnects. Each controller has two expansion slots that can be configured with either 4-port 10GbE networking, 4-port 32Gb FC, or 25/100GbE RoCE. Along with the release of the A320, an all-NVMe expansion shelf, the NS224, will be available.

Rear view of the A320: each controller has 8x 100GbE ports + 2 expansion slots.

NetApp CIFS Auditing: Applying SACLs via CLI

There are a number of different reasons why someone would want to enable auditing on file shares. “Legal” anything is probably the biggest reason; you’ll be able to tell who did what to which file and when. However, let’s say you just want to know who deleted a file or folder. Here’s a quick explanation of how that might look.

Part 1: Enable auditing on NetApp ONTAP.

1: Create the audit volume:

CLUSTER::> vol create -vserver CIFS -volume AUDITLOG -aggregate n1_aggr_SATA1 -size 10G -state online -policy default -junction-path /AUDITLOG -security-style ntfs -type RW -snapshot-policy none

You might also want to create a hidden “admin only” share for the audit volume,  so that you are able to access the logs.

2: Create the audit policy on the SVM.  

CLUSTER::> vserver audit create -vserver CIFS -destination /AUDITLOG -events file-ops,cifs-logon-logoff -format xml -rotate-size 100MB -rotate-limit 4

The -rotate-size and -rotate-limit values can require some adjusting depending on how active your CIFS shares are and how far back you want to be able to look. Also, if you are using an external collector, you can leave -rotate-size at 100MB and set -rotate-limit to 0.

Note: You can also use the “evtx” file format; however, there is currently an unpatched bug where ONTAP doesn’t format the EVTX file correctly – https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=906536

3: Enable auditing on the SVM.

CLUSTER::> vserver audit enable -vserver CIFS

At this point you should see auditing enabled on the SVM.  

CLUSTER::> vserver audit show
Vserver     State  Event Types           Log Format  Target Directory
----------- ------ --------------------- ----------- ----------------
CIFS        true   file-ops,             xml         /AUDITLOG
                   cifs-logon-logoff,
                   audit-policy-change

Part 2:  The SACLs

Now we need to add the SACLs, and there are two ways to do this.  The first and most common method is via the Windows GUI by going to:

Properties -> Security -> Advanced -> Auditing.  

The second method is via the ONTAP CLI. There are a few advantages to this method. Most notably, it’s quicker to apply through the file structure, and you don’t have to deal with the Windows GUI.

1: Adding which SACLs you want to audit

Here are two examples of what you can audit. “-rights full-control” will audit everything, including the advanced rights.

CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_full -access-type success -account Everyone -rights full-control -apply-to this-folder,sub-folders,files

Using “full-control”  would make a very active and large audit log.  However, let’s say you just want to know when a user deletes something. You can just specify “delete” under the -advanced-rights flag like this:  

CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_delete -access-type success -account Everyone -advanced-rights delete -apply-to this-folder,sub-folders,files

To verify the SACL rule has been created correctly, run the show command. This rule will enable auditing for everyone in the domain when they successfully delete a folder, subfolder or file.

CLUSTER::> vserver security file-directory ntfs sacl show
Vserver: CIFS
NTFS Security Descriptor Name: audit_delete

Account Name     Access Type  Access Rights  Apply To
---------------- -----------  -------------  -------------------------------
Everyone         success      delete         this-folder, sub-folders, files

2: Creating the security policy  

CLUSTER::>vserver security file-directory policy create -vserver CIFS -policy-name audit_delete     

3: Adding the security policy to a task   

CLUSTER::>vserver security file-directory policy task add -vserver CIFS -policy-name audit_delete -path /testvol -security-type ntfs -ntfs-mode propagate -ntfs-sd audit_delete

4: Applying the security policy

CLUSTER::>vserver security file-directory apply -vserver CIFS -policy-name audit_delete 

[Job 978] Job is queued: Fsecurity Apply. Use the "job show -id 978" command to view the status of this operation.

At this point, it might take some time to apply the SACLs to every object in the volume. You can monitor the progress using the “job show” command with the job ID returned above.

For further information, or more detailed options, please reference the vserver file-directory command set in the ONTAP documentation.
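Once the SACL and audit policy above are in place, the question “who deleted a file?” is answered from the XML audit log. The script below is an added example, not part of the original post or NetApp’s tooling: it parses a constructed sample of XML audit events and correlates a 4663 (object access with the DELETE bit in the access mask) with the 4660 (object deleted) on the same handle, so only completed deletions are reported. The event layout and field names (EventID, HandleID, AccessMask, ObjectName, SubjectUserName) are assumed to follow the Windows security-event schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of XML-format audit events (not a capture from a real
# system); field names are assumed to follow the Windows security-event layout.
SAMPLE_AUDIT_XML = """<Events>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2019-06-01T10:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">jsmith</Data><Data Name="SubjectDomainName">LAB</Data>
<Data Name="ObjectName">/testvol/reports/q1.xlsx</Data>
<Data Name="HandleID">0x1a2b</Data><Data Name="AccessMask">0x10000</Data></EventData></Event>
<Event><System><EventID>4660</EventID><TimeCreated SystemTime="2019-06-01T10:00:01Z"/></System>
<EventData><Data Name="SubjectUserName">jsmith</Data><Data Name="SubjectDomainName">LAB</Data>
<Data Name="HandleID">0x1a2b</Data></EventData></Event>
<Event><System><EventID>4663</EventID><TimeCreated SystemTime="2019-06-01T10:05:00Z"/></System>
<EventData><Data Name="SubjectUserName">mjones</Data><Data Name="SubjectDomainName">LAB</Data>
<Data Name="ObjectName">/testvol/reports/q2.xlsx</Data>
<Data Name="HandleID">0x3c4d</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
</Events>"""

DELETE = 0x10000  # DELETE bit of the Windows access mask


def event_fields(ev):
    """Flatten one <Event> into a dict of EventID, timestamp and EventData values."""
    fields = {"EventID": ev.findtext("System/EventID"),
              "Time": ev.find("System/TimeCreated").get("SystemTime")}
    for data in ev.findall("EventData/Data"):
        fields[data.get("Name")] = data.text
    return fields


def find_deletions(xml_text):
    """Return (time, DOMAIN\\user, path) for each completed delete."""
    pending = {}    # HandleID -> fields of the 4663 that opened the object for delete
    deletions = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        f = event_fields(ev)
        # A 4663 with the DELETE bit only shows intent; the 4660 on the same
        # handle confirms the object is gone, so the two are correlated.
        if f["EventID"] == "4663" and int(f.get("AccessMask", "0"), 16) & DELETE:
            pending[f["HandleID"]] = f
        elif f["EventID"] == "4660" and f.get("HandleID") in pending:
            opened = pending.pop(f["HandleID"])
            who = f"{opened['SubjectDomainName']}\\{opened['SubjectUserName']}"
            deletions.append((f["Time"], who, opened["ObjectName"]))
    return deletions


for when, who, path in find_deletions(SAMPLE_AUDIT_XML):
    print(f"{when} {who} deleted {path}")
```

The read-only open by mjones (AccessMask 0x1) is ignored, which is the same distinction the “-advanced-rights delete” SACL makes on the ONTAP side.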


What’s it like to write a tech cert test; contributing to the NetApp NCDA.

My wife dropped me off at O’Hare for my flight to Raleigh-Durham. Upon arrival at the hotel, I met a couple of members of the NetApp United crew at the bar. (This would become the theme for the week, as well as keeping tidy.*)

*We would later learn that tidy is Welsh slang for a few things, depending on context.

Donny, me and Alun at the hotel bar.

It’s all about Psychometrics:  “the science of measuring mental capacities and processes.”

On the first day, we learned the details of how to write a test and what makes a good question versus a bad question. So what actually goes into writing a technology-based certification test? Short answer: a lot. The long answer: a question is made up of the “stem” (aka the question), the answer(s), and the distractors. All parts need to be well thought out, including the distractors. We were not allowed to create faux distractors either; everything has to be a valid answer in the realm of NetApp. Adding even more difficulty, the questions need to be written geared towards a Minimally Acceptable Candidate (MAC). The MAC for the NCDA is considered someone with 6-12 months of ONTAP administrator experience who requires some supervision.

The NCDA NS0-160 Team

Before we could write any new questions, we needed to review the test blueprint. The blueprint is an outline of the various parts of the certification test. In this case, it was which parts of NetApp ONTAP we wanted to include when testing the MAC. Examples ranged from general ONTAP and FAS design and functionality to basic SnapMirror functions and even some higher-level functions like MetroCluster.

Once the blueprint and the number of questions were confirmed, it was time to start writing questions. I learned that writing questions, specifically writing good questions, is actually a lot harder than I originally thought. Oddly enough, the hardest part was coming up with the distractors, i.e. the wrong answers. You don’t want to make it too obvious or easy, and generally speaking even the distractors should be valid. For example, if your answers are a series of commands, each command needs to be valid inside of ONTAP, and any technology that’s referenced needs to be valid tech that exists, or once existed, inside of the NetApp universe.

Once all of the questions are written, then the real “fun” begins. It’s times like these that I think back to one of my very favorite quotes, which I learned back in my rock climbing and alpine days.

“It doesn’t have to be fun for you to be having fun.”

Each question needed to be tech-reviewed by all of us SMEs in the room, as well as annotated with valid references to NetApp documentation. After each question passed the first round of tech review, there was a second pass in which all the remaining questions were re-reviewed and edited. The second time through went by quicker than the first for sure, due to the reduced number of questions. Once all the questions were finalized, we reviewed and weighted them.

From the NetApp Cafe

Switching to the subject of food for a minute (because it is never far from my mind), I was super impressed with the NetApp RTC Cafe. Each day there was always something delicious (and healthy) to be had at the various stations.

Each evening required some good R&R. Good food, drink, and company were a welcome respite from the brain drain. I am happy to report that I finally found a BBQ joint (Backyard BBQ Pit) I truly enjoyed in the Raleigh-Durham area. More importantly, lots of locally brewed beer was ONTAP at most of the local establishments we visited.

BBQ Plate

On Friday, it was (sadly) time to head home. What a good week of making new friends from around the world, learning, and having fun while working!

Flying home.

Hello World

So, ever get a great idea in your head and then go to carry it out, only to realize you might have embarked on a much bigger journey than you bargained for? Yeah… staring at a blank page is kind of like that. Here I sit trying to write my first blog entry and get this party started, and whoosh. All the air and ideas slipped right on out of my brain.

I envision this blog’s purpose to be a place to reflect on technology, primarily data center infrastructure, with some random bits of nerd thrown in. Professionally, I’ve been in the IT industry for twenty years, but the geek force has been with me since birth.