Behind the Scenes: Episode 71 – SPC-1 benchmark and the A700s

Welcome to Episode 71, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


We decided to do a mid-week release of the podcast to talk about the brand new AFF platform, as well as the insanely high results from the SPC-1 benchmark test! We bring in the performance team, featuring Chad Morgenstern and Jim Laing, to talk numbers. Then, we invite Mr. Flash, Andy Grimes (@andy_ntap_flash), to give us the lowdown on the new compact beast, the A700s.

Finding the Podcast

The podcast is all finished and up for listening. You can find it on iTunes or SoundCloud or by going to techontappodcast.com.

Also, if you don’t like using iTunes or SoundCloud, we just added the podcast to Stitcher.

http://www.stitcher.com/podcast/tech-ontap-podcast?refid=stpr

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

You can listen here:


Behind the Scenes: Episode 70 – SnapCenter 2.0

Welcome to Episode 70, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


This week on the podcast, we welcome NetApp Technical Marketing Engineer John Spinks (@jbspinks) to talk about the latest release of SnapCenter and how it’s improving backup management!


Mixed perceptions with NetApp multiprotocol NAS access

EDIT: As the original post for this was super long, I’ve since broken it up into a two-part post. I moved the vserver security information to the following post:

Managing ACLs via the ONTAP Command Line

NetApp’s ONTAP operating system is one of the few storage operating systems out there that supports data access from both CIFS/SMB and NFS clients. NetApp’s been doing this for a long time – longer than I’ve been there, and I’m going on 10 years!

Despite the fact that it’s been around so long and is one of *the* core competencies in ONTAP, it’s one of the most frequently misunderstood configurations I see. When I was in support, it was one of the biggest case generators. As the NFS TME, it’s one of the most common topics customers email me about for assistance.

I can tell you what it’s not….

Multiprotocol NAS is NOT “Mixed Mode”

Many people use this terminology for describing access from multiple clients. Unfortunately, it only adds to the confusion, because there is also a security style called “mixed” (see below). People associate the two and then start setting mixed security style when they don’t need to…

So, call it what it is – Multiprotocol NAS. 🙂

What’s so hard about it?

The reason it seems to confound so many people is twofold:

  • Windows administrators are generally not UNIX-savvy
  • UNIX administrators are generally not Windows-savvy

To truly understand multiprotocol NAS, you either have to know both Windows and UNIX file systems/security semantics pretty well, or be open to the fact that Windows and UNIX have similarities and differences.

That said, when you do understand how it works and get it configured properly, it’s a pretty powerful tool for serving data for multiple client types.

There’s currently a Multiprotocol TR in the works, but it will be a ways out. However, I just dealt with a recent multiprotocol NAS issue and wanted to do a brain dump before the information got stale and I had to revisit it. This blog is intended to be a quick hit guide to multiprotocol NAS in ONTAP. Some of the ideas will make their way into official TR format.

What makes multiprotocol NAS possible in ONTAP?

ONTAP is fairly agnostic when it comes to file systems and ACL styles. SMB and NFS clients use different security semantics, but the general concepts of those are the same.

Users, groups, permissions.

From there, things tend to skew a bit. Windows uses NTFS security concepts. NFS clients use mode bits for NFSv3/NFSv4.x or ACLs for NFSv4.x. NFSv3 had the concept of POSIX ACLs, but ONTAP doesn’t support those.

The issue is that NTFS ACLs are more complex than mode bits, but match up pretty nicely with NFSv4.x ACLs. Mode bits only do Read, Write, eXecute (RWX), so Windows ACLs don’t match up 1 to 1, especially when you have “special permissions” in the mix. As a result, when dealing with ONTAP file systems, we have the concept of a security style that helps us choose the style of ACL we want to implement. The choices we have:

  • NTFS – NTFS ACLs only
  • UNIX – UNIX style permissions only
  • Mixed – UNIX or NTFS permissions, depending on who last changed permissions
  • Unified (Infinite Volume only)

To properly address permissions, ONTAP has to pick one security style over the other. This allows the storage system to decide which direction a user will map to determine the correct permissions. After all, what’s the point of permissions if they don’t work properly?

User mapping

ONTAP is not unique in the concept of user mapping, but it is still a concept that gets people confused on occasion.

Essentially, to get the proper permissions on a NetApp storage system, a client must first pass a “test” in the form of initial authentication.

The initial test is “Who are you?”

The storage system needs to know that the user you are claiming to be is actually you. There are varying degrees of how secure this test is, mostly dependent on the protocol you’re using, but the bottom line is this: authentication helps us get a user name. That user name allows us to map to another user name, depending on the volume security style.

In general:

  • SMB clients always map to a UNIX user because ONTAP is UNIX-based, even if NTFS security style is in use
  • If no name mapping rules or 1:1 name mappings exist, SMB users map to a default UNIX user set in CIFS options (pcuser/65534 by default)
  • 65534 is “nobody” or “nfsnobody” in most UNIX clients
  • NFS clients only map to Windows users when the security style is NTFS
  • NFS clients cannot chmod or chown on NTFS style volumes; SMB clients cannot take ownership or change ACLs on UNIX style volumes
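To make the mapping precedence in these bullets concrete, here is a small model in Python. It is an added example, not ONTAP code: the identity store, the DOMAIN name and the svc_ rules are constructed, and the order it applies (explicit name-mapping rules, then an implicit 1:1 name match, then the default UNIX user) is the one the bullets describe.

```python
"""Model of ONTAP's user-mapping precedence for multiprotocol access.
Added illustration of the rules in the post, not ONTAP code: the identity
store, the DOMAIN name and the svc_ rules below are constructed."""
import re

# Constructed UNIX identity store: what a local unix-user table or an LDAP
# lookup would return. pcuser/65534 is the default "default UNIX user".
UNIX_USERS = {"root": 0, "nfsdudeabides": 1001, "svc-backup": 1500, "pcuser": 65534}
DEFAULT_UNIX_USER = "pcuser"   # the CIFS server option, left at its default

# Constructed name-mapping rules, evaluated in position order. The regex
# pattern/replacement form mirrors ONTAP's rules; the rules themselves are made up.
WIN_UNIX_RULES = [(r"^DOMAIN\\svc_(.+)$", r"svc-\1")]     # DOMAIN\svc_backup -> svc-backup
UNIX_WIN_RULES = [(r"^svc-(.+)$", r"DOMAIN\\svc_\1")]     # svc-backup -> DOMAIN\svc_backup


def map_windows_to_unix(win_name, rules=WIN_UNIX_RULES, users=UNIX_USERS,
                        default=DEFAULT_UNIX_USER):
    """Resolve an authenticated SMB user to the UNIX identity ONTAP evaluates.
    This happens for every SMB user, even on NTFS security style volumes.
    Order modelled here: explicit rules, then implicit 1:1 name match, then
    the default UNIX user. Returns (unix_name, uid, how)."""
    for pattern, repl in rules:
        if re.match(pattern, win_name):
            candidate = re.sub(pattern, repl, win_name)
            if candidate in users:
                return candidate, users[candidate], "rule"
    short = win_name.split("\\", 1)[-1]          # DOMAIN\user -> user
    if short in users:
        return short, users[short], "1:1"
    return default, users[default], "default"    # shows up as nobody/nfsnobody on clients


def map_unix_to_windows(unix_name, effective_style, rules=UNIX_WIN_RULES, domain="DOMAIN"):
    """NFS users are mapped to a Windows identity only when the effective style
    is NTFS; on UNIX style the mode bits are evaluated against the UNIX user."""
    if effective_style != "ntfs":
        return None
    for pattern, repl in rules:
        if re.match(pattern, unix_name):
            return re.sub(pattern, repl, unix_name)
    return f"{domain}\\{unix_name}"              # implicit 1:1 mapping into the assumed domain


def can_change_permissions(protocol, security_style):
    """Which protocol may chmod/chown (NFS) or set ACLs/take ownership (SMB)
    on a volume of the given security style."""
    if security_style == "mixed":
        return True                              # either side may, and flips the effective style
    return {"nfs": "unix", "smb": "ntfs"}.get(protocol) == security_style
```

The "default" branch is the one worth watching in an audit: any SMB user without a matching UNIX identity silently becomes pcuser, so a permissive `other` mode-bit set on a UNIX style volume grants those users whatever "everyone else" gets.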

Once a user has authenticated, the permissions can be discerned based on access control lists. You can see those ACLs via the CLI of the storage system with “vserver security file-directory show.”

cluster::*> vserver security file-directory show -vserver parisi -path /cifs

                 Vserver: parisi
               File Path: /cifs
       File Inode Number: 64
          Security Style: ntfs
         Effective Style: ntfs
          DOS Attributes: 10
  DOS Attributes in Text: ----D---
 Expanded Dos Attributes: -
            UNIX User Id: 0
           UNIX Group Id: 0
          UNIX Mode Bits: 777
  UNIX Mode Bits in Text: rwxrwxrwx
                    ACLs: NTFS Security Descriptor
                          Control:0x8004
                            Owner:BUILTIN\Administrators
                            Group:BUILTIN\Administrators
                            DACL - ACEs
                             ALLOW-Everyone-0x1f01ff
                             ALLOW-Everyone-0x10000000-OI|CI|IO
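The hex values in that output are standard Windows security-descriptor fields, so they can be decoded with public bit definitions. The Python below is an added example (not NetApp tooling) that parses the show output above, names the control flags and ACE access-mask bits, and flags ACEs that hand broad groups the right to change permissions or take ownership. The trustee list it treats as "broad" and the copy of the sample output are constructed for the example.

```python
"""Decode the security descriptor that 'vserver security file-directory show'
prints. Added illustration, not NetApp code; the sample is the post's output."""
import re

# Windows SECURITY_DESCRIPTOR_CONTROL bits behind "Control:0x8004".
SD_CONTROL = {0x0001: "SE_OWNER_DEFAULTED", 0x0002: "SE_GROUP_DEFAULTED",
              0x0004: "SE_DACL_PRESENT", 0x0008: "SE_DACL_DEFAULTED",
              0x0010: "SE_SACL_PRESENT", 0x0020: "SE_SACL_DEFAULTED",
              0x0100: "SE_DACL_AUTO_INHERIT_REQ", 0x0200: "SE_SACL_AUTO_INHERIT_REQ",
              0x0400: "SE_DACL_AUTO_INHERITED", 0x0800: "SE_SACL_AUTO_INHERITED",
              0x1000: "SE_DACL_PROTECTED", 0x2000: "SE_SACL_PROTECTED",
              0x4000: "SE_RM_CONTROL_VALID", 0x8000: "SE_SELF_RELATIVE"}
# Windows file access-mask bits behind the hex value in each ACE.
ACCESS_BITS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
               0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
               0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
               0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
               0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
               0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
               0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
# Composite masks as the Windows security dialog names them.
NAMED_MASKS = {0x1F01FF: "Full Control", 0x1301BF: "Modify", 0x1200A9: "Read & Execute",
               0x120089: "Read", 0x120116: "Write", 0x10000000: "Full Control (GENERIC_ALL)"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "I": "INHERITED"}
# Rights that let a trustee rewrite the DACL or take ownership: WRITE_DAC|WRITE_OWNER|GENERIC_ALL.
PERMISSION_CHANGE_RIGHTS = 0x40000 | 0x80000 | 0x10000000
BROAD_TRUSTEES = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users"}  # constructed list
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+?)-0x([0-9a-fA-F]+)(?:-([A-Z|]+))?$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def decode_bits(value, table):
    """Names of every bit in `table` that is set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_ace(line):
    """Turn 'ALLOW-Everyone-0x10000000-OI|CI|IO' into a dict, or None if not an ACE."""
    m = ACE_RE.match(line)
    if not m:
        return None
    kind, trustee, hexmask, flags = m.groups()
    mask = int(hexmask, 16)
    return {"type": kind, "trustee": trustee, "mask": mask,
            "rights": NAMED_MASKS.get(mask, "Special"),
            "bits": decode_bits(mask, ACCESS_BITS),
            "flags": [ACE_FLAGS.get(f, f) for f in flags.split("|")] if flags else []}


def parse_show_output(text):
    """Parse 'file-directory show' output into a dict of fields plus a list of ACEs."""
    sd = {"aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "::" in line:          # skip blanks and the CLI prompt line
            continue
        ace = parse_ace(line)
        if ace:
            sd["aces"].append(ace)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                          # e.g. the "DACL - ACEs" heading
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Control":
            sd["control"] = int(value, 16)
            sd["control_flags"] = decode_bits(sd["control"], SD_CONTROL)
        else:
            sd[key.lower().replace(" ", "_")] = value
    return sd


def audit(sd):
    """ACEs that grant a broad group the right to change permissions or ownership."""
    return [f"{a['trustee']}: {a['rights']} (0x{a['mask']:x}) on {sd.get('file_path')}"
            for a in sd["aces"] if a["type"] == "ALLOW"
            and a["trustee"] in BROAD_TRUSTEES and a["mask"] & PERMISSION_CHANGE_RIGHTS]


# Copy of the show output from the post (constructed sample input for this example).
SAMPLE_OUTPUT = r"""
cluster::*> vserver security file-directory show -vserver parisi -path /cifs

                 Vserver: parisi
               File Path: /cifs
          Security Style: ntfs
         Effective Style: ntfs
          UNIX Mode Bits: 777
                    ACLs: NTFS Security Descriptor
                          Control:0x8004
                            Owner:BUILTIN\Administrators
                            Group:BUILTIN\Administrators
                            DACL - ACEs
                             ALLOW-Everyone-0x1f01ff
                             ALLOW-Everyone-0x10000000-OI|CI|IO
"""
```

Run against the sample, `Control:0x8004` decodes to SE_DACL_PRESENT plus SE_SELF_RELATIVE, `0x1f01ff` is Full Control, and both Everyone ACEs end up in the audit list because Full Control includes WRITE_DAC and WRITE_OWNER. That is the kind of ACE the later section on mixed security style suggests tightening.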

User/name mapping is one of the most important pieces of the multiprotocol NAS puzzle. Get that part right and most everything else is easy.

Name mapping can be done either locally (via name mapping rules) or with LDAP. TR-4073 covers this sort of thing in considerable detail.

Name services/LDAP

The easiest way to handle name mapping in ONTAP for multiprotocol NAS is to leverage a name service server like LDAP. When dealing with both SMB and NFS, the most logical choice is to use the existing Active Directory infrastructure to host UNIX identities. While you can host name mapping rules for users that don’t have the same UNIX and Windows names, it’s best to try to have UNIX and Windows user names match 1:1. (I.e., DOMAIN\nfsdudeabides == nfsdudeabides in UNIX).

TR-4073 covers LDAP and TR-4379 covers name service best practices, for your reference.

Mixed Security Style

Fun fact – Mixed security style isn’t truly “mixed.” When you use mixed security style, it’s always either NTFS or UNIX security style at any given moment. This is known as the “effective” security style, which can be seen in “vserver security file-directory show.”

cluster::*> vserver security file-directory show -vserver parisi -path /cifs

                 Vserver: parisi
               File Path: /cifs
       File Inode Number: 64
          Security Style: ntfs
         Effective Style: ntfs

The “effective” style changes based on the last permission change. If an NFS client does a chmod or chown, the mixed security style volume changes to effective UNIX security style. If an SMB client changes owner or sets an ACL, the effective security style changes to NTFS. When these effective styles change, how the storage does name mapping changes (i.e., win-unix to unix-win, etc.).

Is mixed security style recommended?

Generally speaking, you don’t want file systems changing something behind the scenes without the knowledge of the storage administrators. Plus, these changes can affect functionality, and even access. As a result, mixed security style is generally not recommended. The only time you’d want to use mixed security style is if your environment requires the ability for clients or applications to change permissions from both NFS and SMB. And even then, if you do set up mixed security style, consider limiting the ability for regular users to take ownership or change permissions on folders and files via NTFS ACLs.

Otherwise, I personally recommend picking either NTFS or UNIX and sticking with it. That choice would be based on how you want your users to manage their ACLs, as well as how granular you want control to be on those file systems. For example, mode bits in UNIX only allow setting an owner, group and everyone else. There’s no way to set multiple groups with different access on the object unless you use NFSv4 or NTFS ACLs.

I usually prefer NTFS because you get the granularity, as well as the GUI functionality many users are accustomed to.

If you do decide to use mixed security style, keep the following in mind:

  • If a volume is using mixed security style and the effective style gets flipped from NTFS to UNIX and then back to NTFS by way of the clients, the previous NTFS ACLs are lost.
  • When a volume flips from UNIX effective to NTFS effective, you get the mode bit translation. For example, if the UNIX volume was 755, you get “Owner – Full Control” and “Everyone – Read/Execute” as Windows ACLs. 700 gives “Owner – Full Control” only.
  • Administrator always gets added onto the ACL with Read/Write access when we flip to NTFS from UNIX.
  • With mixed security style, there are two types of owners – UNIX owner and Windows owner. When Windows “takes ownership,” the UNIX owner does not change.
  • When the effective style of the volume is NTFS, UNIX clients will see permissions as 777 unless the NFS server option ntacl-display-permissive-perms is set to “disabled.”
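The bullets above describe a small state machine, and the consequences are easier to see when it is written down. The Python below is an added model of those rules, not ONTAP code: the 755 and 700 translations and the "Administrator gets Read/Write" rule come from the post, while the handling of other mode-bit combinations, the assumption that a fresh mixed volume starts with UNIX effective style, the assumption that an explicit SMB ACL replaces the synthesised one, and the mode bits shown when `ntacl-display-permissive-perms` is disabled are assumptions made for the example.

```python
"""Model of how a mixed security style volume flips its effective style.
Added illustration of the rules in the post, not ONTAP code."""


def translate_mode_bits(mode):
    """NTFS ACL synthesised when a UNIX-effective object flips to NTFS.
    755 -> Owner Full Control + Everyone Read/Execute and 700 -> Owner Full Control
    come from the post; write-bit and group-bit handling here is an assumption."""
    acl = [("Owner", "Full Control")]
    other = mode & 0o7
    if other & 0o4 and other & 0o2 and other & 0o1:
        acl.append(("Everyone", "Modify"))           # assumption for rwx on "other"
    elif other & 0o4 and other & 0o1:
        acl.append(("Everyone", "Read/Execute"))     # the 755 case from the post
    elif other & 0o4:
        acl.append(("Everyone", "Read"))             # assumption for r-- on "other"
    acl.append(("Administrator", "Read/Write"))      # always added on a UNIX -> NTFS flip
    return acl


class MixedStyleVolume:
    def __init__(self, mode=0o755, unix_owner="root"):
        self.effective = "unix"                      # assumption: new mixed volumes start UNIX
        self.mode = mode
        self.unix_owner = unix_owner
        self.windows_owner = None                    # second, independent owner
        self.ntfs_acl = None
        self.ntacl_display_permissive_perms = "enabled"   # NFS server option default
        self.log = []

    def _flip_to_ntfs(self, why):
        if self.effective != "ntfs":
            self.effective = "ntfs"
            self.ntfs_acl = translate_mode_bits(self.mode)
            self.log.append(f"{why}: unix -> ntfs, ACL synthesised from {self.mode:o}")

    def _flip_to_unix(self, why):
        if self.effective != "unix":
            self.effective = "unix"
            self.ntfs_acl = None                     # the previous NTFS ACL is lost here
            self.log.append(f"{why}: ntfs -> unix, NTFS ACL discarded")

    def nfs_chmod(self, mode):
        self._flip_to_unix("nfs chmod")
        self.mode = mode

    def nfs_chown(self, owner):
        self._flip_to_unix("nfs chown")
        self.unix_owner = owner

    def smb_set_acl(self, acl):
        self._flip_to_ntfs("smb set ACL")
        self.ntfs_acl = list(acl)                    # assumption: client ACL replaces synthesised one

    def smb_take_ownership(self, windows_user):
        self._flip_to_ntfs("smb take ownership")
        self.windows_owner = windows_user            # UNIX owner is untouched

    def nfs_view_mode(self):
        """Mode bits an NFS client sees: 777 under NTFS effective style unless the
        option is disabled (then assumed to show the stored bits)."""
        if self.effective == "ntfs" and self.ntacl_display_permissive_perms == "enabled":
            return 0o777
        return self.mode


def walkthrough():
    """The NTFS -> UNIX -> NTFS round trip from the first bullet: the custom
    NTFS ACL set over SMB does not survive an NFS chmod and a later SMB flip."""
    v = MixedStyleVolume(mode=0o755)
    v.smb_set_acl([("Owner", "Full Control"), ("DOMAIN\\finance", "Modify")])
    acl_before = list(v.ntfs_acl)
    v.nfs_chmod(0o700)                       # an NFS user "fixes" permissions
    v.smb_take_ownership("DOMAIN\\alice")    # a Windows user flips it back
    return acl_before, v.ntfs_acl, v
```

Running `walkthrough()` shows the DOMAIN\finance Modify entry present before the chmod and absent afterwards; what comes back is only the translation of 700 plus the Administrator Read/Write entry, and the UNIX owner is still root even though DOMAIN\alice now owns the object on the Windows side. The `log` list is the audit trail a storage admin never gets from the clients themselves, which is the post's argument against mixed style.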

For information on how to manage permissions in ONTAP, see the following post:

Managing ACLs via the ONTAP Command Line

Be on the lookout for a multiprotocol TR in the future that covers this and more!

Got any questions? Feel free to post in the comments!

Behind the Scenes: Episode 69 – SolidFire: Year in Review

Welcome to Episode 69, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


This week on the podcast, we invited Amy Lewis (@CommsNinja) and Andy Banta (@andybanta) to give us their thoughts on the past year after the SolidFire acquisition by NetApp. We also discuss the new Element OS, Fluorine.


Behind the Scenes: Episode 68 – Big Data, Hadoop and NoSQL on NetApp

Welcome to Episode 68, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


This week on the podcast, we welcome NetApp Technical Marketing Engineer Karthikeyan Nagalingam (Karthikeyan.Nagalingam@netapp.com) to discuss Big Data solutions like Hadoop, Spark and NoSQL and how they fit into the NetApp portfolio. We also talk Big Data 101 – what it is, how it’s used and how it’s best implemented.


You can listen here:

https://soundcloud.com/techontap_podcast/episode-68-big-data-hadoop-nosql-on-netapp

Ransomware, NetApp and You

The world is a nefarious place. All you have to do is read the latest headlines to see why.

As the use of the Internet has expanded to include things like cloud and the Internet of Things, the number of threats has also expanded. Computer viruses, root kits, spoofing, phishing, spear phishing, denial of service attacks, hacking, Nigerian princes promising a million dollars to your 75-year-old mother-in-law… all of these things are challenges that IT professionals face every day.

One of the nastier security issues out there is something called “ransomware.” It’s exactly what it sounds like – someone gets control of your data via one of the aforementioned ways, encrypts it and holds it for ransom, usually for payment in dollars or bitcoin. It’s the Internet version of “Taken” and it often requires someone with a very particular set of skills to combat.


How do you combat ransomware?

There are essentially two ways to combat ransomware:

  1. Threat prevention via securing your networks, authentication and user education.
  2. Restoring from backup (wait. Did we back up???)

NetApp has long been known for its superior Snapshot technology, but with ransomware, it now has a new use case.

If you store your data on NetApp storage and keep a regular cadence of snapshots, you can recover nearly instantaneously from ransomware attacks and be back in business in minutes. Snapshots are read-only, so they can’t be modified by attackers. If someone locks your data up, unlock it by rolling back to happier times, such as when your data was not being held hostage by ransomware.

Matt Watts (@mtjwatts) recently did an excellent job coming up with “10 Good Reasons” for NetApp with regard to ransomware protection. Here is the infographic:

[Infographic image: whynetapp]

NetApp won’t necessarily prevent ransomware, but it can help get you out of a sticky situation.

In addition to the above, NetApp Security Technical Marketing Engineer Andrae Middleton (Andrae.Middleton@netapp.com) wrote up a Technical Report on Ransomware and NetApp that will be out very soon. You can find that here:

http://www.netapp.com/us/media/tr-4572.pdf

Andrae also has some other useful NetApp security related documentation here:

DS-3846: Security Features in ONTAP 9

TR-4569 Security Hardening Guide for ONTAP 9

We also had Andrae on the Tech ONTAP podcast, along with NetApp A-Team member Jarett Kulm (@jk47theweapon):

 

ONTAP 9.1 is now generally available (GA)!

Back in October, ONTAP 9.1 RC1 was released. Tons of new features were added, which I covered in ONTAP 9.1 RC1 is now available!


Some of the major features included:

Now, ONTAP 9.1 is officially GA. For information on what GA means:

http://mysupport.netapp.com/NOW/products/ontap_releasemodel/

You can find it here:

http://mysupport.netapp.com/NOW/download/software/ontap/9.1

Also, check out the documentation center:

docs.netapp.com/ontap-9/index.jsp

Happy upgrading!

If you’re interested in building your own ONTAP 9.x simulator, check out:

http://www.flackbox.com/netapp-simulator/

Introducing the NetApp FlexGroup Best Practice Guide!


A while back, I wrote a blog post on the new scale out file system feature called NetApp FlexGroup. In that blog, I went over some of the details of what a FlexGroup volume is, where they’re used, etc.

ONTAP 9.1RC2 was recently released, which added SMB protocol support. And today, TR-4571: NetApp FlexGroup Best Practices and Implementation Guide is publicly available!

Have a look at the TR and send comments or questions to flexgroups-info@netapp.com, or post them to this blog’s comments section.

Happy reading!

Behind the Scenes: Episode 67 – Trident and Kubernetes

Welcome to Episode 67, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


The Tech ONTAP podcast team kicks off 2017 with a new episode on Trident, a Kubernetes-capable storage orchestrator available on the NetApp Pub. We brought in NetApp Technical Director Garrett Mueller (@innergy) to discuss the new tool with Andrew.

If you’re interested in learning more about Kubernetes, check out the podcast we did with Kelsey Hightower (Episode 53).
