Wednesday, February 11, 2015

Isilon | How to configure SmartLock



SmartLock

What it is:


SmartLock is based on the WORM (Write Once Read Many) approach. It provides a non-rewritable, non-erasable feature which helps protect your data against accidental or intentional erasure. It is very useful for archived files that you need to retain for audit and compliance purposes, especially in Banking and Healthcare business units.

Advantage:


It helps you save storage space because you protect data at the directory level, whereas in a traditional WORM backup a complete tape is used.


Steps to configure:

1) Check the license:

# isi license

2) Set the compliance clock

# isi worm cdate set

3) Create the root folder - All subfolders and files adopt the same retention settings as the root folder, so decide your file system hierarchy carefully.

# isi worm mkdir --path=<path of the file system>

3) Set the retention period

# isi worm modify --default-retention <time period> --min-retention <time period> --max-retention <time period> --autocommit-offset <time period> --path=<file system path>

Note: Time period is written as, for example, 4Y or 3M (4 years / 3 months)

4) View SmartLock directory:

# isi worm domains list
# isi worm domains view <path>

5) Commit a file to a WORM state through UNIX:

# chmod ugo-w <file system path>

6) Commit a file to a WORM state through Windows Explorer:

# Select file/folder 
# Right-click, go to Properties and then the General tab
# Select Read-Only option and click OK

7) Delete a file committed to a WORM state

You can delete a WORM-committed file before its expiration date using root or compliance administrator privileges.

Use the below command to set the privilege option for a particular directory:

# isi worm domains modify --path=<file system path> --privileged-delete true

Note: If the privileged-delete option is OFF, you can't delete a file until its retention period is over.

8) View the status of WORM files:

# isi worm files view <path> 



Happy Learning!

Wednesday, February 4, 2015

Isilon | GHOST Vulnerability














Isilon and GHOST Vulnerability

A recently discovered vulnerability, which has been named GHOST, impacts only Isilon InsightIQ 1.0 through 3.1 (3.1 being the latest); OneFS is not affected by it. You can get the complete list of affected products from the knowledge base article available on the EMC website.

What it is: 

Earlier versions of the GNU C Library (glibc) are vulnerable to a buffer overflow in the gethostbyname() function. Documentation is available here

It is recommended to upgrade "glibc" to the latest available version. All versions earlier than 2.18 are vulnerable.

The latest glibc package is available here

How to upgrade glibc:

# sudo yum upgrade <rpm path>

or

# sudo yum upgrade glibc

Reboot the server after upgrading the rpm:

# sudo reboot now
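
The reboot matters because processes started before the upgrade keep the old libc mapped in memory. The following is an added example (not part of the original post) that lists such processes by scanning /proc/<pid>/maps for a libc mapping marked "(deleted)"; the function name and the optional proc-root argument are this example's own, and it goes slightly beyond the post by covering the case where the reboot has to be deferred.

```shell
#!/bin/sh
# Added example. stale_libc_pids and its optional proc-root argument are this
# example's own names; run as root to see every process.

# Prints "PID COMMAND" for each process whose memory map still references a
# libc file that has been replaced on disk; the kernel marks such mappings
# with a trailing "(deleted)" in /proc/<pid>/maps.
stale_libc_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Match libc-2.12.so or libc.so.6, but not libcrypto or libcap.
        if grep -Eq '/libc(-[0-9][^ /]*|\.so[^ /]*) \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $name"
        fi
    done
}

stale_libc_pids "${1:-/proc}"
```

An empty result after the reboot means no running process still uses the replaced library.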


Red Hat documentation is available here

Also read InsightIQ 3.1 upgrade

Happy Learning!

Tuesday, February 3, 2015

Isilon | How to setup SMB and NFS shares








Managing SMB and NFS service on Isilon array


Also read Isilon storage provisioning


SMB Service


Create new SMB share

# isi smb shares create SHARENAME --path=/ifs/data/SHARENAME --create-path --browsable=true --description="SHARENAME"  

Where the --create-path option is used to create the path /ifs/data/SHARENAME; don't use it if the path already exists.

You can give an individual user permission on a share so that the specific user can access it, but this is not recommended; instead, always try to give access via Active Directory groups, because it is easier to manage a list of AD groups than hundreds or thousands of users.

Share Permission

# isi smb shares permission create SHARENAME --group "domain\domain users" --permission-type allow --permission full --zone <zone name>

List the permissions

# isi smb shares permission list SHARENAME --zone=<zone name>

Modify SMB shares path

# isi smb shares modify SHARENAME --path=<new path> --zone=<zone name>

Delete SMB share

# isi smb shares delete SHARENAME --zone=<zone name> 



NFS Service



To check the global settings and service status

# isi nfs settings global view 

Output:

NFSv3 Enabled: Yes
NFSv4 Enabled: No
NFS Service Enabled: Yes

Command to enable or disable the service

# isi nfs settings global modify --nfsv3-enabled <no/yes>

To check the current exports

# isi nfs exports list

To check any specific exportfs entry

# isi nfs exports view <number>

Create NFS export

# isi nfs exports create --clients=<IP/Server name> --root-clients=<IP/Server name> --description="useful comment" --paths=<path> --security-flavors=unix

Check for NFS export error

# isi nfs exports check

Modify the export entry

# isi nfs exports modify <export number> --add-read-write-clients <IP/Server name>

To delete the export entry 

# isi nfs exports delete <export number>

Use the --force option to delete forcefully.

Below are the commands to create, modify, delete and list NFS aliases

# isi nfs aliases create /<alias name> /<share path> --zone <zone name>
# isi nfs aliases modify /<alias name> --zone <zone name> --name /<new alias name> 
# isi nfs aliases delete /<alias name> --zone <zone name> 
# isi nfs aliases list 


View an NFS alias

# isi nfs aliases view /<alias name> --zone <zone name> --check



Happy Learning!

Monday, February 2, 2015

Isilon | Secure your Isilon cluster

Security
















Well, what to say about this topic? When it comes to security you want action and not a speech.

By default /ifs, the root folder of the OneFS file system, is exported via an NFS export and an SMB share.

The NFS export should be modified to prevent unwanted access to the root of the file system by limiting the NFS export client and root access to one or two servers only.


1. First, list the current export settings and find the id of /ifs (usually it is no. 1 in the list)

# isi nfs exports list

ID   Paths                            Description
----------------------------------------------------------------------------------
1    /ifs
2    /ifs/<>                          random export 
3    /ifs/IIQ_store                   InsightIQ datastore
----------------------------------------------------------------------------------
Total: 3


2. Clear any clients that have access to the /ifs export:

# isi nfs exports modify --id=1 --clear-clients --clear-root-clients

where id is the id of /ifs export entry

3. Confirm there are no clients with access to the /ifs export:

# isi nfs exports view 1
                     ID: 1
                  Paths: /ifs
            Description: Default export
                Clients: -
           Root Clients: -
      Read Only Clients: -
     Read Write Clients: -
     Unresolved Clients: -
               All Dirs: No
             Block Size: 8.0K

4. Add the server you want to have access to /ifs:

# isi nfs exports modify --id=1 --clients=<Server IP> --root-clients=<Server IP> --description="Secured server access"

5. View the new access rights: 

Example:
# isi nfs exports view 1
                     ID: 1
                  Paths: /ifs
            Description: Secured server access
                Clients: <IP address>
           Root Clients: <IP address>
      Read Only Clients: -
     Read Write Clients: -
     Unresolved Clients: -
               All Dirs: Yes
             Block Size: 8.0K
           Can Set Time: Yes
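
To repeat the check in step 5 without reading the output by eye, the following added example (not part of the original post) parses the text printed by `isi nfs exports view <id>` and reports when the /ifs export names no server or names one outside an approved list. The function name, the allow-list argument and the comma-separated client format are assumptions of this example, and the sample output is constructed.

```shell
#!/bin/sh
# Added example. audit_export and the allow-list argument are this example's
# own names; the input is the text printed by `isi nfs exports view <id>`.

# Usage: isi nfs exports view 1 | audit_export "192.0.2.10,192.0.2.11"
# Prints OK, SKIP or one FINDING line per problem; returns 1 on findings.
audit_export() {
    awk -v allowed="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function check(label, value,    n, i, parts, c) {
        if (value == "" || value == "-") {
            print "FINDING: " label " names no server"; bad = 1; return
        }
        # Assumption: multiple clients are printed comma-separated.
        n = split(value, parts, ",")
        for (i = 1; i <= n; i++) {
            c = trim(parts[i])
            if (!(c in ok)) {
                print "FINDING: " label " has unapproved client " c; bad = 1
            }
        }
    }
    BEGIN {
        m = split(allowed, a, ",")
        for (j = 1; j <= m; j++) ok[trim(a[j])] = 1
    }
    {
        # Each line is "<padding>Key: value"; split on the first colon only.
        p = index($0, ":")
        if (p) field[trim(substr($0, 1, p - 1))] = trim(substr($0, p + 1))
    }
    END {
        if (field["Paths"] != "/ifs") { print "SKIP: not the /ifs export"; exit 0 }
        check("Clients", field["Clients"])
        check("Root Clients", field["Root Clients"])
        if (!bad) print "OK"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample in the layout shown above (192.0.2.10 is a documentation address).
SAMPLE_VIEW='                     ID: 1
                  Paths: /ifs
            Description: Secured server access
                Clients: 192.0.2.10
           Root Clients: 192.0.2.10
      Read Only Clients: -
               All Dirs: Yes'

printf '%s\n' "$SAMPLE_VIEW" | audit_export "192.0.2.10"
```

Run from cron against the live command output, a non-zero exit status signals that the export has drifted from the restricted state set in step 4.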

The SMB share permissions should also be changed to a secure mode so that only authorized administrators have access to the share.


1. To secure the SMB share pointing to /ifs run the following commands:

List all shares:

# isi smb shares list
Share Name     Path
-----------------------------------------------
ifs           /ifs

2. Rename the ifs share adding a $ to make a hidden share:

# isi smb shares modify --share=ifs --name=ifs$

3. Modify the permissions on the ifs$ share - make it restricted so that only authorized users can access it.

Format:

# isi smb shares permission create --share=ifs$ <user> --permission=change --permission-type=allow

Example:

# isi smb shares permission create --share=ifs$ Administrator --permission=full --permission-type=allow

4. Remove default permissions:

# isi smb shares permission delete --share=ifs$ --wellknown=Everyone


5. Once completed check the status:

# isi smb shares permission list --share=ifs$


Happy Learning!

Isilon | Storage provisioning

Storage Provisioning



The picture says it all about the topic!


Yesterday I shared my views on the Isilon file system architecture (F/S architecture): what I thought about it and the ways to keep it simple and better.

After creating the file system architecture, the next question anyone will think of is: how do I provision the storage? Well, it is very simple, as technology is meant to be available for everyone, and by keeping it simple you can target a larger audience.

No Hassle

With Isilon you don't have to be a thinker when it comes to provisioning storage space: you need not decide on a layout in terms of aggregate, volume, qtree, RAID configuration, etc.


Being efficient

Isilon allows you to be more efficient: you just need to choose the file system hierarchy under which you wish to provision the new storage space and create a directory for it, after which you can apply SmartQuotas on the directory as per the size, and it is done... Just two steps make your life easier and more efficient.



Below are the steps for storage provisioning:

# Go to the directory level where you wish to provision the new storage space and create a new directory:

# cd /ifs/<>/<>/<>/<>/

Where <> is the name of the sub-directories that you may have

# mkdir <name of the directory>

where <name of the directory> is the name of the new storage area you wish to provision

# isi quota quotas create --path=/ifs/<>/<>/<> --type=directory --hard-threshold=<quota limit> --advisory-threshold=<soft quota> --container=1

# Apply the notification rules by going to File system management --> SmartQuotas --> Settings, then the option "Hard Limit notification rules"

Once completed you can update your record for tracking purpose.


Also read SMB and NFS services

Happy Learning!

Sunday, February 1, 2015

Isilon | Design your own file system architecture

















Today I'll be taking you back to graduation days, when we studied data structures, arrays, queues, etc. in our computer science classes.

The reason is simple... Simplicity has its own charm.

And when it comes to designing your file system architecture, there is no substitute for simplicity. The simpler the better, and you will have less trouble as it grows: less trouble in managing, administering and tracking the growth pattern.

The EMC Isilon array has huge potential to handle the growth of your NAS environment. It takes only 3 nodes to form a cluster and it can go up to 144 nodes. With each node you add not only storage capacity but also computing power and performance. Each node adds resources like disk, memory and throughput. A cluster's storage capacity can range from 18 TB to a maximum of greater than 30 PB. So when you want to design a file system that can have such a huge capacity, a brainstorming session is a must before you start.

But what does this have to do with the graduation days when we studied computer science?

The answer is simple: apply what you studied.

EMC's Isilon file system is not a different file system; it has just combined the functional blocks of a file system, i.e. a file system, volume manager and data protection, under a single naming unit called OneFS. By doing so it has eliminated the need to create aggregates, volumes, qtrees, etc. (that we normally do in other NAS products, mainly NetApp) and kept the basics simple, i.e. just one root directory under which you create and store everything.

Now the responsibility lies with you to design an architecture that not only fulfills your current requirements but can also accommodate your future needs. You can achieve this by following what you studied, i.e. a tree data structure.



Take /ifs (the root file system of the Isilon cluster) as the root of your tree, after which you create as many branches and sub-branches as you want...

What you can do is 

1) Leave /ifs as it is
2) Create branches as per the requirement like organization name, regions, etc
3) Have multiple sub-branches for different organization units, departments, etc
4) Each sub-branch can have their own directory structure based on teams, sub-departments and work units.

How to share it with clients

1) NFS Clients: Decide the level at which you want to share the exports and make the relevant entry in exportfs file.
2) CIFS clients: Decide the level at which you want to create the DFS mapping and create the relevant DFS paths.

Security:

You can achieve this by giving relevant permissions at the UNIX directory/file level and by adding appropriate AD group to a CIFS share.


Also read SMB & NFS shares and Isilon storage provisioning

PS: There are many other ways to design your file system architecture and this is only one of them. Architecture always varies from requirement to requirement.


Happy Learning!


Scripting makes your life easier !







Thought of the day was make your life easier... Learn and Develop



Why ??


The day before yesterday I ran into a situation where I wondered how I could have a check in place which can:

  • Check the status of service running on the server 
  • And the utilization level of a particular file system.

Though I'm a newbie in scripting and still exploring the world of automation, I was able to write a small piece of code which does the required work.

What it does:

It checks the status of a particular Linux OS service and the utilization level of the specified file system, and sends the output to the specified mail id.

How you can use it:

1) Copy it and save it in a .sh or .py format
2) Change the file permission to executable. You can do it by using the command

# chmod 700 <file_name>

3) You can either execute it manually or schedule it via cron / autosys jobs.

Happy Learning!


Script:

#!/bin/sh
############################
#
# Script: To check the service status and file system utilization
#
# Date: 2015-01-30
#
# Version Update: 1.0 Piyush Chawla
#
############################

TODAY=$(date)
HOST=$(hostname)
service="<service name>"       # process name to look for
email="<email id>"             # recipient of the status mail
filesystem="/<File System>"    # mount point to report on

# Use% column (field 5) of the POSIX-format df output, header line skipped
status=$(df -hP "$filesystem" | awk 'NR > 1 { print $5 }')

subject="$TODAY status for $HOST"

# pgrep -f matches the service name against each process's full command line
if pgrep -f -- "$service" > /dev/null
then
echo "$service at $HOST host is running and File system utilization is at $status" | mail -s "$subject" "$email"
else
echo "$service at $HOST is stopped, kindly check! and file system utilization is at $status" | mail -s "$subject" "$email"
fi



Isilon | InsightIQ 3.1 upgrade






EMC Isilon InsightIQ Upgrade


What InsightIQ is:

It is a performance monitoring and reporting tool.

What it does:

It gives you the ability to check the performance of the monitored clusters. It allows you to monitor performance per client, per protocol and per operation so that you can easily diagnose and troubleshoot an issue. It also lets you generate reports based on your requirements, such as quota reporting for chargeback purposes.


IIQ compatibility chart:



IIQ upgrade level:


Before you plan your upgrade, make a note of your server configuration and installed rpms and compare them with the system and software checklist given in the IIQ installation guide.

By now you must have heard about the Heartbleed bug in OpenSSL (OpenSSL bug), which affects any OpenSSL version between 1.0.1 up to and including 1.0.1g. Though it doesn't affect most EMC products, you should check the current OpenSSL version by using the command below:

# rpm -qa | grep -i openssl

This shows the installed OpenSSL version. The current versions that are not affected are:

openssl-devel-1.0.1e-16.el6_5.7.x86_64
openssl-1.0.1e-16.el6_5.7.x86_64

If you are running an older version, simply upgrade to the latest. EMC's InsightIQ dependency package makes your life easier by providing all the rpms that need to be upgraded. So instead of installing each rpm one by one, you can simply download the IIQ dependency package from the EMC website and install it prior to your upgrade.


Below are the steps to upgrade IIQ on linux machine:

Step 1: Download the package from EMC website and save it.

Step 2: Check and confirm that the server matches the system and software requirement mentioned in the Isilon InsightIQ installation guide.

Step 3: Check the current version of the InsightIQ package installed and plan your deployment accordingly

<server_name># rpm -qa | grep isilon

Step 4: Check whether yum is configured on the server

<server_name># yum list all | grep isilon

Step 5: Run the command below to upgrade IIQ:

<server_name># sudo yum upgrade <path>

where path is the path of the iiq3.1 rpm file

PS: The upgrade process might take a few hours and the console will appear frozen, so DON'T cancel the process; wait for the upgrade to finish.

Step 6: If the system asks you to upgrade the datastore, you can do it by using the command below:

# update_iiq_datastore

Step 7: Once the upgrade is finished, you can perform a cleanup using

# sudo yum clean all


Happy Learning!


About me...

Welcome to my blog. My name is Piyush Chawla and I'm currently employed by EMC as a Storage Engineer working in Malaysia.



DISCLAIMER:
The views expressed on my blogs are strictly my own and do not represent the opinions or views of any corporation. Please always check official documentation to verify technical information.