Behind the Scenes: Episode 50 – Cisco Live Recap? Nah. FlexPod Infomercial!

Welcome to the Episode 50, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

A few weeks ago, I thought about making Episode 50 some big event. Confetti, balloons, special celebrity guests. Then inertia set in, as well as the notion that none of us are very “showy” guys. So, instead, we welcomed Glenn back from Cisco Live/vacation to talk about Cisco Live.

What we got instead was a missive on the new FlexPod offering. We just wound Glenn up and let him go…

Artist’s rendition of Glenn

Finding the Podcast

The podcast is all finished and up for listening. You can find it on iTunes or SoundCloud or by going to techontappodcast.com.

Also, if you don’t like using iTunes or SoundCloud, we just added the podcast to Stitcher.

http://www.stitcher.com/podcast/tech-ontap-podcast?refid=stpr

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

 

You can listen here:

Advertisements

The Joy of Sec: Realmd

Recently, the esteemed Jonathan Frappier (@jfrappier) posted an article on setting up Kerberos for use with Ansible. My Kerberos senses started to tingle…

While Jonathan was referring to Ansible, it made me remember that this question comes up a lot when trying to use Kerberos with Linux clients.

Kerberos isn’t necessarily easy

When using Kerberos with Active Directory and Windows clients, it’s generally pretty straightforward, as the GUI does most of the work for you. When you add a Windows box to a domain, the SPN and machine account principal is auto-populated from the AD KDC.

The keytab file gets ported over to the client and, provided you have a valid Windows login, you can start using Kerberos without ever actually knowing you are using it. In fact, most people don’t realize they’re using it until it breaks.

Additionally, even if Kerberos isn’t working in Windows, there is the fallback option of NTLM authentication, so if you can’t get a ticket to access a share, you could always use the less secure auth method (unless you disabled it in the domain).

As a result, in 90% of the cases, you never even have to think about Kerberos in a Windows-only environment, much less know how it works. I know this from experience as a Windows administrator in my earlier IT days. Once I started working for NetApp support, I realized how little I actually knew about how Windows authentication worked.

So, say what you will about Windows, but it is *way* simpler in most cases for daily tasks like authentication.

Linux isn’t necessarily hard

One of the main things I’ve learned about Linux as I transitioned from solely being a “Windows guy” into a hybrid-NAS guy is that Linux isn’t really that hard. It’s just… different.

And by “different,” I mean it in terms of management. The core operating systems of Windows and Linux are essentially identical in terms of functionality:

• They both boot from a kernel and load configurations via config files
• They both leverage file system partitions and services
• They both can be run on hardware or software (virtualized)
• They both require resources like memory and CPU

The main differences between the two, in my opinion, are the open source aspect and the way you manage them. Naturally, there are a ton of other differences and I’m not interested in debating the merits of the OS. My point is simply this: Linux is only hard if you aren’t familiar with it.

That said, some things in Linux can be very manual processes. Kerberos configuration, for example, used to be a very convoluted process. In older Linux clients, you had to roughly do the following to get it to work:

• Create a user or machine account in the KDC manaually (the Kerberos principal)
• Assign SPNs manually to the principal
• Configure the desired enctypes on the principal manually
• Create the keytab for the principal manually (using something like ktpass)
• Copy the keytab to the Linux client
• Install the keytab to the client manually (using something like ktutil)
• Configure the client to use secure NFS and configure the KDC realm information manually
• Start the GSSD service manually and configure it to start on boot
• Configure DNS
• Ensure the time skew is within 5 minutes/configure NTP
• Configure LDAP on the NFS client manually

That’s all off the top of my head. I’m sure I’m missing something, mainly because that’s a LONG LIST. But, Linux is getting better and automating more of these tasks. CentOS7/RHEL7 took a big leap in that regard by including realmd.

If you’re looking for the easiest way to configure Kerberos…

Use realmd. It’s brilliant.

It automates most the Kerberos client configuration tasks I listed above. Sure, you still have to install it and a few other tools (like SSSD, Kerberos workstation, etc) and configure the realm information, NTP and DNS settings, but after that, it’s as simple as running “realm join.”

This acts a lot like a Windows domain join in that it:

• Creates a machine account for you
• Creates the SPNs for you
• Creates the keytab for you
• Adds the keytab file to the client manually
• Configures SSSD to use Windows AD for LDAP/Identity management for you

Super simple. I cover it in the next update of TR-4073 (update to that coming soon… stay tuned) as it pertains to NetApp storage systems, but there are plenty of how-to guides for just the client portion out there.

Happy Kerberizing!

Behind the Scenes: Episode 49 – Data Governance and Operational Point Objectives

Welcome to the Episode 49, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

This week, we dug up a podcast recording from the April-May time frame, where we spoke with the Storage Service Design team and Ken Socko about Data Governance and Operational Point Objectives. The concept is not only protecting data, but also securing it, as well as delivering a more efficient recovery plan.

Finding the Podcast

The podcast is all finished and up for listening. You can find it on iTunes or SoundCloud or by going to techontappodcast.com.

Also, if you don’t like using iTunes or SoundCloud, we just added the podcast to Stitcher.

http://www.stitcher.com/podcast/tech-ontap-podcast?refid=stpr

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

The official blog is here:

http://community.netapp.com/t5/Technology/Tech-ONTAP-Podcast-Episode-49-Data-Governance-amp-Operational-Point-Objectives/ba-p/121643

You can listen here:

Spreading the love: Load balancing NAS connections in ONTAP

I can be a little thick at times.

I’ll get asked a question a number of times, answer the question, and then forget the most important action item – document the question and answer somewhere to refer people to later, when I inevitably get asked the same question.

Some of the questions I get asked about fairly often as the NetApp NFS Technical Marketing Engineer involve DNS, which is only loosely associated with NFS. Go figure.

But, because I know enough about DNS to have written a blog post on it and a Technical Report on our Name Services Best Practices (and I actually respond to emails), I get asked.

These questions include:

• What’s round robin DNS?
• What other load balancing options are  there?
• What is on-box DNS in clustered Data ONTAP?
• How do I ensure data access is local?
• How do I set it up?
• When would I use on-box DNS vs DNS round robin?

So, in this blog, I’ll try to answer most of those at a high level. For more detail, see the new TR-4523: DNS Load Balancing in ONTAP.

What’s round robin DNS?

Remember when you were in school and you played “duck duck goose“? If you didn’t, click the link on the term and read about it.

But essentially, the game is: everyone sits in a circle, someone walks around the circle and taps each person and says “duck” and then when they want to initiate the chase, they yell “GOOSE!” and run around the circle to sit before the person catches them.

That’s essentially round robin DNS.

You create multiple A/AAAA records, associate with the same host name and away you go! The DNS server will deliver a different IP address for each request of the hostname, in ABCD/ABCD fashion. No real rhyme or reason, just first come/first serve.

What other DNS load balancing options are there?

There are 3rd party load balance appliances, such as F5 Big IP (not an endorsement, just an example). But, those cost money and require administration.

In ONTAP, however, there is a not-so-well-known feature for DNS load balancing called “on-box DNS load balancing” that is intended to incorporate intelligent load balancing for DNS requests into a cluster.

What is on-box DNS load balancing?

On-box DNS load balancing in ONTAP uses a patented algorithm to determine the best possible data LIFs on the best possible nodes to return to clients.

Basically, it looks a bit like this:

The client will make a DNS request to the DNS servers in its configuration.

The DNS server will notice that the request is from a specific zone and use its zone forwarder to pass that request to the cluster data LIFs acting as name servers.

The cluster will leverage its DNS application process and a weight file to determine which IP addresses out of the ones configured to be used in that DNS zone should be used.

The algorithm factors in CPU utilization, throughput, etc when making the determination.

The data LIF IP address is passed back to the DNS server, then to the client.

Easy peasy.

How do I ensure data locality?

The short answer: With on-box DNS, you can’t. But does it matter?

In clustered Data ONTAP, if you have multiple nodes and multiple data LIFs, you might end up landing on a node’s data LIF that is not local to the volume being requested. That can incur a slight latency penalty as the request traverses the backend cluster network.

In a majority of cases, this penalty is negligible to clients and applications, but with latency-sensitive applications (especially in flash environments), this penalty can hurt a little. Using local network connections to data volumes for NAS uses a concept of “fast path” that bypasses things that the remote connections need to do. I cover this in a little more detail in TR-4067 and in TECH::Data LIF best practices for NAS in cDOT 8.3.

In cases where you absolutely *need* data access to be local to the node, you would need to mount those local data LIFs specifically. Create A/AAAA records with node names incorporated to help discern which LIFs are on which nodes.

But in most cases, it doesn’t hurt to have remote traffic – in my 5 years in support, I never fixed a performance issue by making data access local to the node.

How do I set it up?

It’s pretty straightforward. I cover it in detail in TR-4523: DNS Load Balancing in ONTAP. In that TR, I cover Active Directory and BIND environments.

For a simple summary:

1. Configure data LIFs in your storage virtual machine to use -dns-zone [zone name]
2. Select data LIFs in your storage virtual machine that will act as name servers and listen for DNS queries on port 53 with “-listen-for-dns-query true”. I’d recommend multiple LIFs to provide fault tolerance.
3. Add a DNS forwarding zone (subdomain in BIND, delegation or conditional forwarder in AD) on the DNS server. Use the data LIFs acting as name servers in the configuration and use the zone specified in -dns-zone.
4. Add PTR records for the LIFs as needed.

That’s about it.

When to use on-box DNS vs Round Robin DNS?

This is one of the trickier questions I get, because it’s ultimately due to preference.

However, there are some guidelines…

• If the cluster is 1 or 2 nodes in size, it probably makes sense from a administration perspective to simply use round robin DNS.
• If the cluster is larger than 2 nodes or will eventually scale out to more than 2 nodes, it probably makes sense to get the forwarding zones set up and use on-box DNS.
• If you require data locality or plan on using features such as NFS node referrals, SMB node referrals or pNFS, then the load balance choice doesn’t matter much – the locality features will override the DNS request.

Conclusion

So there you have it – the quick and dirty rundown of using DNS load balancing for NAS connections. I’m personally a big fan of on-box DNS as a feature because of the notion of intelligent calculation of “best available” IP addresses.

If you have any questions about the feature or the new TR-4523, please comment below.

NetApp stuff you should be using: NetAppDocs

Sometimes, there are NetApp tools out there that no one really knows about – including people who work at NetApp. And it’s unfortunate, as there are some pretty great tools out there.

One tool in particular – NetAppDocs.

What is it?

NetAppDocs is:

A PowerShell module and contains a set of functions that automate the creation of NetApp® site design documentation. NetAppDocs can generate Excel, Word and PDF document types. The data contained in the output documents can be sanitized for use in sites where the data may be sensitive.

The tool/guide was written by NetApp PSC Jason Cole and can be found here (requires a NetApp internal or partner login. No customers yet. Sorry. 😦 ):

http://mysupport.netapp.com/tools/download/ECMP12505953DT.html?productID=62107

What can I use it for?

The intent of the NetAppDocs tool is to automate documentation based on specific storage configurations. The idea is that, while documentation tries to fit all use cases, it’s not perfect and cannot adapt to varying configurations. By using this tool, we can generate a set of docs that cover specific configurations.

Another use case that came up recently on our DLs at NetApp was to document the default options for ONTAP in an easy to find, easy to read format. While the man pages keep most of this information, it can be time consuming to trawl through the pages and pages of docs out there. With this tool, once a cluster is installed, simply run it and get the default option settings right off the bat.

Additionally, the data collected can be useful for support cases where ASUP isn’t sending to NetApp for whatever reason.

This tool works with ONTAP running in 7-Mode or clustered Data ONTAP. You can even use it in secure sites easily and sanitize the data for external consumption!

How to use it

Because this is a PowerShell tool, you’d install it on a server running PowerShell. Refer to the tool’s documentation to find what the minimum PS version to use. In the case of NetAppDocs 3.1, the following is recommended:

1. Microsoft Windows® 32-bit/64-bit computer
2. Microsoft Windows PowerShell 3.0 or higher
3. Microsoft .Net Framework 4.0 or higher
4. NetApp Data ONTAP PowerShell Toolkit (included in the zip file or install package)
5. NetApp Data ONTAP 7.2.x, 7.3.x, 8.0.x (7-Mode), 8.1.x, 8.2.x and 8.3.x
6. Internal NetApp connection and SSO login required for ASUP data collection

The installation is simple; just a simple .msi and some mouse clicks. This essentially installs the necessary PowerShell cmdlets and scripts.

Then, follow the instructions in the guide to allow PowerShell execution and import the module.

PS C:\> Import-Module NetAppDocs

To view the HTML documentation after the tools are installed:

PS C:\> Show-NtapDocsHelp

In those docs, there are usage examples, functions and other helpful information.

You can also get help via PowerShell:

PS C:\> Get-Command -Module NetAppDocs

If you have a NetApp login, go check it out today and let them know what you think of it at mailto: ng-NetAppDocs-support@netapp.com.

Behind the Scenes: Episode 48 – ONTAP 9 Manageability

Welcome to the Episode 48, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

This is the final episodes for ONTAP 9 month on the podcast.

This week, we talk about manageability tools with Director of Technical Marketing, Joel Kaufman (@thejoelk). We were supposed to have Vidula Aiyer on to discuss headroom, but she had some technical difficulties with Skype. Perhaps we can have her on another time…

Finding the Podcast

The podcast is all finished and up for listening. You can find it on iTunes or SoundCloud or by going to techontappodcast.com.

Also, if you don’t like using iTunes or SoundCloud, we just added the podcast to Stitcher.

http://www.stitcher.com/podcast/tech-ontap-podcast?refid=stpr

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

The official blog is here:

http://community.netapp.com/t5/Technology/Tech-ONTAP-Podcast-Episode-48-ONTAP-9-Manageability-Tools/ba-p/121322

The podcast episode is here:

Top vBlog 2016 Results are in! Where did we land?

Every year, Eric Siebert (@ericsiebert) puts in a ton of work to collect and rank the top virtualization blogs. Last year, my blog made the (long) list in its first year. This year, I was hoping to crack the top 50. I don’t do a ton of virtualization posts, but I do sprinkle in a few here and there.

Out of 321 blogs, I made #80! Not too shabby.

I also was eligible for the top storage blog category. I thought I’d do decently in that category, but only ended up getting #13 out of 24. I did somehow manage to edge out Stephen Foskett. ¯\_(ツ)_/¯

As for the Tech ONTAP Podcast… dead last. 😦

Thanks to all the hard work from Eric Siebert, as well as Eric Wright (@discoposse), who helped out a bunch on the rankings, as well as helped sponsor via VMTurbo.

Speaking of Eric, he landed at #39 on the list, and totally trounced Tech ONTAP for top podcast. I was lucky enough to be a guest on that podcast a few weeks prior:
https://www.podbean.com/media/player/6fkp9-600ea5

Other notables:

• vMiss stayed in the top 30!
• NetApp A-Team member Michael Cade hit #120 on his first try!

 

Behind the Scenes: Episode 46 – FlexGroups!

Welcome to the Episode 46, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

This is yet another in the series of episodes for ONTAP 9 month on the podcast.

Be sure to check out the post on FlexGroups here:

FlexGroups: An evolution of NAS

This week, we get to chat about my newest pet project, FlexGroups. In addition to my work on NFS and Name Services, I am picking up this new and exciting NAS enhancement. Look for more information on this blog soon, as well as at Insight!

We brought in the Product Managers for FlexGroups, Sunitha Rao and Shriya Paramkusam, as well as the principal developer on FlexGroups, Richard Jernigan. Richard is a long time NetApp developer who has worked on previous iterations of distributed filesystems in ONTAP.

FlexGroups are a new distributed NAS filesystem, intended to provide up to 20PB of capacity, 400 billion (!) files and automated load balancing to ensure your cluster gets even distribution of load. I’ll be writing up a new blog post soon about them in more detail.

But for now, check out the podcast…

Finding the Podcast

The podcast is all finished and up for listening. You can find it on iTunes or SoundCloud or by going to techontappodcast.com.

Also, if you don’t like using iTunes or SoundCloud, we just added the podcast to Stitcher.

http://www.stitcher.com/podcast/tech-ontap-podcast?refid=stpr

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

The official blog is here:

http://community.netapp.com/t5/Technology/Tech-ONTAP-Podcast-Episode-46-FlexGroups/ba-p/120858

The podcast episode is here: