Behind the Scenes: Episode 98 – SnapCenter 3.0

Welcome to Episode 98, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


This week on the podcast, we check in with John Spinks, SnapCenter TME, to find out what’s in SnapCenter 3.0 – just in time for its release!

Finding the Podcast

The podcast is all finished and up for listening. You can find it on iTunes or SoundCloud or by going to techontappodcast.com.

Also, if you don’t like using iTunes or SoundCloud, we just added the podcast to Stitcher.

http://www.stitcher.com/podcast/tech-ontap-podcast?refid=stpr

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

You can listen here:

Encrypt your NFS packets end to end with krb5p and ONTAP 9.2!

NFS has always had a running joke about security, with a play on the acronym stating that NFS was “Not For Security.”

With NFSv3 and prior, there was certainly truth to that, especially when NFS was mounted without Kerberos. But even using Kerberos with NFSv3 wasn’t necessarily secure, as it was only applied to the NFS packets and not to the auxiliary services like NLM, NSM, mountd, etc.

NFSv4.x improved NFS security greatly by implementing a single port, ACLs, ID domain names and more tightly integrated support for Kerberos, among other improvements. However, simple krb5 authentication by itself only encrypts the initial mounts and not the NFS packets themselves.

That’s where the stronger Kerberos flavors krb5i and krb5p come into play. From the Red Hat man pages:

sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.

sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.

sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead.

krb5p = privacy

The p in krb5p stands for “privacy,” and it does that by way of Kerberos encryption of the NFS conversation end-to-end, via the specified encryption strength. The strongest you can currently use is AES-256. ONTAP 9.0 and later supports krb5p and AES-256 encryption. Krb5p is similar to SMB3 encryption/signing and sealing in its functionality.
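To make the difference between the three flavors concrete from the client side, here is an added audit check (not from the original post, and not a NetApp tool): a POSIX shell script that reads /proc/mounts-style lines, extracts the sec= option of each NFS mount, and flags anything weaker than krb5p. The mount lines below are constructed sample input; the hostnames and 192.0.2.x addresses are placeholders. It assumes the Linux client lists the negotiated flavor as sec= in its mount options and that a missing sec= means AUTH_SYS.

```shell
#!/bin/sh
# Audit NFS mounts for their Kerberos security flavor.
# Input format is one /proc/mounts line per mount:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample input (placeholder hosts and addresses, not a real environment).
SAMPLE_MOUNTS='svm1.example.internal:/data /mnt/data nfs4 rw,relatime,vers=4.1,sec=krb5p,addr=192.0.2.10 0 0
svm1.example.internal:/home /mnt/home nfs4 rw,relatime,vers=4.1,sec=krb5i,addr=192.0.2.10 0 0
svm1.example.internal:/scratch /mnt/scratch nfs rw,relatime,vers=3,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print the sec= flavor of one mount line.
# Prints "sys" when sec= is absent (Linux defaults to AUTH_SYS) and
# prints nothing when the line is not an NFS mount.
nfs_sec_flavor() {
    set -- $1
    case "$3" in
        nfs|nfs4) ;;
        *) return 0 ;;
    esac
    flavor=$(printf '%s\n' "$4" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    [ -n "$flavor" ] || flavor=sys
    printf '%s\n' "$flavor"
}

# Map a flavor to what it actually protects on the wire.
flavor_verdict() {
    case "$1" in
        krb5p) echo "ok: authenticated, integrity-checked and encrypted" ;;
        krb5i) echo "warn: integrity only, payload readable on the wire" ;;
        krb5)  echo "warn: Kerberos authentication only, no integrity or privacy" ;;
        sys)   echo "warn: AUTH_SYS, client-asserted UID/GID, nothing encrypted" ;;
        *)     echo "unknown flavor $1" ;;
    esac
}

# Count NFS mounts on stdin that are not using krb5p.
count_unencrypted_nfs() {
    n=0
    while IFS= read -r line; do
        f=$(nfs_sec_flavor "$line")
        if [ -n "$f" ] && [ "$f" != krb5p ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print one report line per NFS mount read from stdin.
audit_nfs_mounts() {
    while IFS= read -r line; do
        f=$(nfs_sec_flavor "$line")
        if [ -n "$f" ]; then
            mp=$(printf '%s\n' "$line" | cut -d' ' -f2)
            printf '%-14s %-6s %s\n' "$mp" "$f" "$(flavor_verdict "$f")"
        fi
    done
}

# Demo on the constructed sample; on a real client run:  audit_nfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
```

On the sample, only /mnt/data passes; /mnt/home (krb5i) and /mnt/scratch (NFSv3 with AUTH_SYS) are reported as unencrypted, which is the situation the krb5p discussion above is about.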

Krb5p is also similar to SMB3 encryption in its performance impact; doing encryption of thousands of packets is expensive and can create CPU bottlenecks, unless…

AES-NI Offloading

AES-NI offloading is a feature of specific Intel CPUs that lets AES encryption run on dedicated hardware instructions instead of general-purpose code. Moving the encryption work onto those instructions relieves the CPU bottleneck that software encryption creates.

From Intel’s site:

Intel® AES New Instructions (Intel® AES NI) is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family and the Intel® Core™ processor family.

Comprised of seven new instructions, Intel® AES-NI gives your IT environment faster, more affordable data protection and greater security; making pervasive encryption feasible in areas where previously it was not.

ONTAP 9.1 provided support for AES-NI offloading for SMB3 encryption, which greatly improved performance. But krb5p offloading was only added as of ONTAP 9.2. If you plan on using the end-to-end encryption functionality in NFS with krb5p, use ONTAP 9.2 or later. For more information on what other features are in ONTAP 9.2, see the following post:

ONTAP 9.2RC1 is available!

Krb5p performance in ONTAP 9.0 vs. ONTAP 9.2

Krb5p support was added in ONTAP 9.0, but the performance was pretty awful, due to the lack of AES-NI support.

Here are some graphs using SIO with different flavors of Kerberos and AUTH_SYS in ONTAP 9.0. (All using NFSv4.1)

In ONTAP 9.0, krb5p was never able to exceed 12k IOPS for 4K reads in these SIO tests, and what it did achieve came with pretty severe latency. Krb5i did a little better, but krb5 and auth_sys performed far better.

Test environment was:

  • FAS8080 (AFF numbers coming soon)
  • 12 RHEL 6.7 clients

4K sequential reads in ONTAP 9.0:


Writes are even worse for krb5p in ONTAP 9.0 – we didn’t even get to 10k.

4K sequential writes in ONTAP 9.0:


For 8K sequential reads in ONTAP 9.0, latency is about the same. Fewer ops, but that’s because we’re doing the same amount of work in bigger I/O chunks.

8K sequential reads in ONTAP 9.0:


8K sequential writes in ONTAP 9.0:


NOTE: ONTAP 9.1 was not tested, but I’d expect similar performance, as we don’t do AES-NI offloading for NFS in that release.

ONTAP 9.2 Kerberos 5p Performance – Vastly improved

Now, let’s compare those same tests to ONTAP 9.2 with the AES-NI offloading and other performance enhancements. In the graphs below, there are a few things to point out.

  • Much more predictable performance for krb5i and krb5p as IOPS increase
  • Lower latency in 9.2 at high IOPS for krb5 than in 9.0
  • No real peak IOPS for krb5i/krb5p; these security flavors are able to keep up with sys and krb5 for sheer maximum IOPS
  • Sub millisecond latency for NFS at high IOPS (~50k) in most workloads, regardless of the security flavor
  • AES-NI offloading and NFS performance improvements in ONTAP 9.2 are pretty substantial

4K Sequential Reads in ONTAP 9.2:


4K Sequential Writes in ONTAP 9.2:


8K sequential reads in ONTAP 9.2:


8K sequential writes in ONTAP 9.2:


Conclusion

With ONTAP 9.2, you can now get enterprise class security with Kerberos 5p along with performance that doesn’t kill your workloads. If you’re doing NFS with any flavor of Kerberos, it makes a ton of sense to upgrade to ONTAP 9.2 to receive the performance benefits from AES-NI offloading. Keep in mind that upgrading ONTAP is non-disruptive to NFSv3, as it’s stateless, but will be slightly disruptive to CIFS/SMB and NFSv4.x workloads, due to the statefulness of the protocols.

Behind the Scenes: Episode 97 – ONTAP Analytics and Telemetry Service (OATS)

Welcome to Episode 97, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


This week on the podcast, we’re talking ONTAP Analytics in the cloud and the new OATS product with a crew of performance folks including Greg Keller (@kellergc, Sr. Director, Performance Engineering), Matt Hambrick (Director of Performance Engineering) and Fred Peiffer (Performance Characterization Engineer/Architect). Find out how OATS is using existing performance data and machine learning to teach a system how to analyze and resolve performance issues, as well as how you can use OATS for your environment.

You can find OATS in the AWS Marketplace at: https://aws.amazon.com/marketplace/pp/B072JRLP87?qid=1497912376310&sr=0-10&ref_=srh_res_product_title

For an example of how to use OATS, see the following ONTAP recipe: https://community.netapp.com/t5/Data-ONTAP-Discussions/ONTAP-Recipes-Correlate-EMS-Messages-and-Performance-Metrics-with-NetApp-OATS/td-p/132184

For a short video, see:

To contact the team, email ng-oats-info@netapp.com.


“Alexa, play NetApp’s Podcast…”

Amazon’s Alexa has been in and out of the news, both for its usefulness, as well as for some flaws.


One of the cool things about Alexa is the ability to create programs and automation that tie directly into the device, such as controlling other devices connected to the internet.

One of NetApp’s software developers, Jungsook Yang, has taken Alexa and created automation for it to play the latest Tech ONTAP podcast episodes!

From Jungsook:

The podcast skill is live. The invocation name is ‘Netapp podcast’.

You can say, “Alexa, ask netapp podcast to start”, “Alexa, ask netapp podcast to help.” “Alexa, open netapp podcast.”

And say “Alexa, pause” or “Alexa, resume” to pause and resume.

Currently, the automatic feed doesn’t work, though. Until I fix that part, I have to manually update the code whenever a new feed is introduced.

Pretty cool stuff! The product is currently “beta” and will be undergoing improvements. If you have feedback, send it to podcast@netapp.com or leave a comment!

Thanks a ton to Jungsook for this innovation!

How to host FTP-accessed data in ONTAP

I’m an official ONTAP chef!


That’s right; I created an ONTAP recipe, which shows you how to use NetApp ONTAP storage systems to host data for FTP shares.

You can find it here:

https://community.netapp.com/t5/Data-ONTAP-Discussions/ONTAP-Recipes-Work-around-the-lack-of-FTP-support-in-ONTAP-with-CIFS-SMB-or-NFS/m-p/132757

Keep in mind that native FTP support is not in ONTAP, so for the foreseeable future, use FTP VMs and CIFS/NFS shares. You can also use a similar approach to hosting HTTP data.

If you absolutely need native FTP/HTTP services in ONTAP, 7-Mode will be the way to go.

If you have any questions about the recipe, leave a comment here or on the recipe.

Running VMware on ONTAP? Why you should consider upgrading to ONTAP 9.2.


VMworld is right around the corner, so it’s a good time to remind folks about the goodness that is ONTAP + VMware.

ONTAP already has enterprise class storage for VMware, with support for both NFS and FCP/iSCSI on the same cluster to host VMware datastores. ONTAP also has robust support for VMware friendly features, such as VVols 1.0, VAAI, inline deduplication/compaction/compression, vSphere integration via the Virtual Storage Console, backing up VMs with SnapCenter, FlexClones, SRA plugins and much more!

For more information on VMware with ONTAP see:

ONTAP 9.2 went GA a couple weeks ago and included some nice new features that fit very well into virtualization workloads. When you upgrade ONTAP, you are able to do it non-disruptively, especially for VMware environments. Plus, NetApp’s internal predictive analysis points to ONTAP 9.2 having the highest quality of the available ONTAP releases out there, so there’s not a lot of reason *not* to upgrade to ONTAP 9.2.

Now, for those features…

Aggregate Inline Deduplication

If you’re not familiar with deduplication, it’s a storage feature that stores identical blocks once and has every reference point to that single block, instead of keeping multiple copies of the same data.

This is all currently done inline (as data is ingested) only, and currently on All Flash FAS systems by default. The space savings come in handy in workloads such as ESXi datastores, where you may be applying OS patches across multiple VMs in multiple datastores hosted in multiple FlexVol volumes. Aggregate inline deduplication brings an average additional ~1.32:1 ratio of space savings for VMware workloads. Who doesn’t want to save some space?

At a high level, this animation shows how it works:


Quality of Service (QoS) Minimums/Guaranteed QoS

In ONTAP 8.2, NetApp introduced Quality of Service maximums to allow storage administrators to apply policies to volumes – and even to files like LUNs or VMs – to prevent bully workloads from affecting other workloads in a cluster.

Last year, NetApp acquired SolidFire, which has a pretty mean QoS of its own where it actually approaches QoS from the other end of the spectrum – guaranteeing a performance floor for workloads that require a specific service level.


I’m not 100% sure, but I’m guessing NetApp saw that and said “that’s pretty sweet. Let’s do that.”

So, they have. Now, ONTAP 9.2 has a maximum and a minimum/guaranteed QoS for storage administrators and service providers. (Guarantees only for SAN currently) For VMware environments, storage administrators can now easily apply floors and ceilings to VMs to maximize their SLAs for their end users and customers.

Check out a video on it here:

We also did a podcast on it here:

ONTAP Select enhancements

ONTAP Select is NetApp’s software-defined version of ONTAP software. Select allows you to “select” whatever server hardware platform you want to run your storage system on (see what they did there?).

ONTAP Select has been around for a while, first in the form of ONTAP Edge. In ONTAP 9.0, it was re-branded to Select and NetApp started adding additional functionality to extend the use case for the solution outside of “edge” cases, such as remote offices.

Select runs on a hypervisor, usually ESXi. ONTAP 9.2 added some functionality that could be appealing to storage administrators.

These include:

  • 2-node HA support
  • FlexGroup volume support
  • Improved performance
  • Easier deployment
  • ESX Robo license
  • Single node ONTAP Select vNAS with VSAN and iSCSI LUN support
  • Inline deduplication support

Three of the more compelling bullets above (to me, at least) for VMware environments are 2-node HA, the ability to use ESX ROBO licenses and the vNAS support with vSAN.

If you’re already using vSAN in your environments, you’ll know that it doesn’t serve file protocols like CIFS/SMB or NFS. Instead, it uses a proprietary protocol intended to speak only to VMs. While that’s great for datastores, it limits what sort of tasks vSAN can be used for.

With ONTAP Select running on top of a vSAN, you can present NAS shares to clients, host NFS datastores, etc., without having to buy new hardware. Not only that, but you can also present datastores via vSAN on the same ONTAP Select instance.


Pretty nifty, eh?

From the NetApp vNAS Solution Brief:

Starting with ONTAP Select 9.2, the ONTAP Select vNAS solution also supports VMware HA, vMotion, and Distributed Resources Scheduler (DRS). After deployment of a single-node cluster that uses external storage or consumes a vSAN datastore, the node can be moved through VMware vMotion, HA, or DRS actions. The ONTAP Select Deploy utility can detect these movements, and updates its internal database to continue normal management of the node.

For more information on ONTAP select, see:

Got questions or feedback? Insert them in the comments below!

Behind the Scenes: Episode 96 – Death of the Specialized Admin

Welcome to Episode 96, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

This week, we invited the Storage Janitor/Undertaker, Andy Banta (@andybanta) and NetApp SolidFire Developer Advocate Josh Atwell (@josh_atwell) to discuss how the role of the specialized admin is evolving. We also chat about VVols and where NetApp fits into that technology.

Be sure to also check out the NetApp Pub for all the latest developer content!


Behind the Scenes: Episode 95 – Security Update: WannaCry and Petya/NotPetya!

Welcome to Episode 95, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

This week on the podcast, we kick off a series of quarterly security update episodes to reflect the ever-changing security and vulnerability landscape. We cover WannaCry, Petya/NotPetya and basic security best practices you can follow to help protect against threats. We join some of the NetApp security team, including Kevin Ryan from PSIRT at NetApp (psirt@netapp.com) and Security TME Andrae Middleton (andrae@netapp.com), as well as esteemed NetApp A-Team member, Paul Stringfellow. Paul is the technical director at Gardner Systems in the UK. You can find his blog and podcast at https://techstringy.wordpress.com/.

Fun fact: Andrae really did lose a finger. He got it reattached and is on the mend.


ONTAP 9.2 is Generally Available! (GA)

ONTAP 9 is on a new cadence model, which brings a new release every 6 months. ONTAP 9.2RC1 was released in May. Today, ONTAP 9.2GA is available here:

http://mysupport.netapp.com/NOW/download/software/ontap/9.2


Feature highlights

I cover the new stuff in a bit more depth in the ONTAP 9.2RC1 blog post, but here’s a short list of the new features in ONTAP 9.2GA:

  • Aggregate inline deduplication
  • FabricPools
  • QoS Minimums
  • ONTAP Select enhancements (2 node HA, iSCSI LUN support, ESX ROBO license)
  • Simplification and usability enhancements
  • 800TB aggregates
  • ADPv2 for FAS
  • NetApp Volume Encryption on FlexGroup volumes

Generally, there are no feature changes between an RC and a GA release, but for 9.2, FabricPools add support for tiering from a SnapMirror destination volume in 9.2GA.

So there you have it! The latest release of ONTAP! Post your thoughts or questions in the comments below!


Behind the Scenes: Episode 94 – #FlexPodSF

Welcome to Episode 94, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”


FlexPod SF was just officially announced at Cisco Live in Las Vegas this week! For videos of the event, check them out here:

This week on the podcast, we discuss the latest NetApp converged offering, FlexPod with SolidFire, also known as FlexPod SF! Join us as we welcome @vMiss33, Melissa Palmer, and NetApp SolidFire Product Manager Brett Siclair to talk about what FlexPod SF is and what it means for your next generation datacenter.
