HP IBRIX X9000 Network Storage System File System …h20628. · ibrix_mountpoint -c [-h HOSTLIST]...

HP IBRIX X9000 Network Storage SystemFile System User Guide

AbstractThis guide describes how to configure and manage X9000 Software file systems and how to use NFS, CIFS, FTP, and HTTPto access file system data. The guide also describes the following file system features: quotas, remote replication, snapshots,data retention and validation, data tiering, and file allocation. The guide is intended for system administrators managing X9300Network Storage Gateway systems, X9320 Network Storage Systems, X9720 Network Storage Systems, and X9730 NetworkStorage Systems. For the latest X9000 guides, browse to http://www.hp.com/support/manuals. In the storage section, selectNAS Systems and then select HP X9000 Network Storage Systems from the IBRIX Storage Systems section.

HP Part Number: TA768-96061Published: June 2012Edition: 8

http://www.hp.com/support/manuals

© Copyright 2009, 2012 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, CommercialComputer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government undervendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the expresswarranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shallnot be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark of The Open Group.

Revision History

DescriptionSoftwareVersion

DateEdition

Initial release of HP X9000 File Serving Software5.3.1November 20091

Updated license and quotas information5.3.2December 20092

Added information about file cloning, CIFS, directory tree quotas, the Statistics tool,and GUI procedures

5.4.0April 20103

Removed information about the Statistics tool5.4.1July 20104

Added information about authentication, CIFS, FTP, HTTP, SSL certificates, and remotereplication

5.5.0December 20105

Updated CIFS, FTP, HTTP, and snapshot information5.6April 20116

Added or updated information about data retention and validation, software snapshots,block snapshots, remote replication, HTTP, case insensitivity, quotas

6.0September 20117

Added or updated information about file systems, file share creation, rebalancingsegments, remote replication, user authentication, CIFS, LDAP, data retention, datatiering, file allocation, quotas, Antivirus software

6.1June 20128

Contents1 Using X9000 Software file systems...............................................................8

File system operations................................................................................................................8File system building blocks.......................................................................................................10Configuring file systems...........................................................................................................10Accessing file systems.............................................................................................................11

2 Creating and mounting file systems.............................................................12Creating a file system..............................................................................................................12

Using 32-bit or 64-bit mode................................................................................................12Using the New Filesystem Wizard........................................................................................12Configuring additional file system options.............................................................................16Creating a file system using the CLI......................................................................................17

File limit for directories............................................................................................................18Managing mountpoints and mount/unmount operations..............................................................18

GUI procedures.................................................................................................................18CLI procedures..................................................................................................................20Mounting and unmounting file systems locally on X9000 clients...............................................21

Limiting file system access for X9000 clients...............................................................................22Using Export Control...............................................................................................................22

3 Setting up quotas.....................................................................................24How quotas work...................................................................................................................24Enabling quotas on a file system and setting grace periods..........................................................24Setting user and group quotas .................................................................................................25Setting directory tree quotas.....................................................................................................27Using a quotas file..................................................................................................................29

Importing quotas from a file................................................................................................29Exporting quotas to a file....................................................................................................29Format of the quotas file.....................................................................................................29

Using online quota check........................................................................................................30Configuring email notifications for quota events..........................................................................31Deleting quotas......................................................................................................................31Troubleshooting quotas............................................................................................................32

4 Maintaining file systems............................................................................33Best practices for file system performance...................................................................................33Viewing information about file systems and components...............................................................33

Viewing physical volume information....................................................................................34Viewing volume group information.......................................................................................34Viewing logical volume information......................................................................................35Viewing file system information............................................................................................35Viewing disk space information from a Linux X9000 client.......................................................37

Extending a file system............................................................................................................37Rebalancing segments in a file system.......................................................................................38

How rebalancing works......................................................................................................38Rebalancing segments on the GUI........................................................................................39Rebalancing segments from the CLI......................................................................................40Tracking the progress of a rebalance task.............................................................................40Viewing the status of rebalance tasks....................................................................................41Stopping rebalance tasks....................................................................................................41

Disabling 32-bit mode on a file system......................................................................................41Deleting file systems and file system components.........................................................................41

Deleting a file system..........................................................................................................41

Contents 3

Deleting segments, volume groups, and physical volumes........................................................42Deleting file serving nodes and X9000 clients.......................................................................42

Checking and repairing file systems..........................................................................................42Analyzing the integrity of a file system on all segments...........................................................43Clearing the INFSCK flag on a file system.............................................................................44

Troubleshooting file systems......................................................................................................44ibrix_pv -a discovers too many or too few devices..................................................................44Cannot mount on an X9000 client.......................................................................................44NFS clients cannot access an exported file system..................................................................44User quota usage data is not being updated.........................................................................44File system alert is displayed after a segment is evacuated.......................................................45SegmentNotAvailable is reported.........................................................................................45SegmentRejected is reported...............................................................................................45ibrix_fs -c failed with "Bad magic number in super-block"........................................................47

5 Using NFS...............................................................................................48Exporting a file system............................................................................................................48

Unexporting a file system....................................................................................................51Using case-insensitive file systems ............................................................................................51

Setting case insensitivity for all users (NFS/Linux/Windows)....................................................51Viewing the current setting for case insensitivity......................................................................52Clearing case insensitivity (setting to case sensitive) for all users (NFS/Linux/Windows)..............52Log files............................................................................................................................52Case insensitivity and operations affecting directories.............................................................53

6 Configuring authentication for CIFS, FTP, and HTTP.......................................54Using Active Directory with LDAP ID mapping............................................................................54Using LDAP as the primary authentication method.......................................................................55

Requirements for LDAP users and groups...............................................................................55Configuring LDAP for X9000 software..................................................................................55

Configuring authentication from the GUI....................................................................................56Viewing or changing authentication settings...............................................................................64Configuring authentication from the CLI.....................................................................................65

Configuring Active Directory ...............................................................................................65Configuring LDAP..............................................................................................................65Configuring LDAP ID mapping.............................................................................................66Configuring Local Users and Groups authentication................................................................67

7 Using CIFS..............................................................................................69Configuring file serving nodes for CIFS......................................................................................69Starting or stopping the CIFS service and viewing CIFS statistics....................................................69Monitoring CIFS services.........................................................................................................70CIFS shares............................................................................................................................71

Configuring CIFS shares with the GUI...................................................................................71Configuring SMB signing ...................................................................................................75Managing CIFS shares with the GUI.....................................................................................76Configuring and managing CIFS shares with the CLI...............................................................77Managing CIFS shares with Microsoft Management Console...................................................78

Linux static user mapping with Active Directory...........................................................................83Configuring Active Directory................................................................................................83Assigning attributes............................................................................................................85

Consolidating SMB servers with common share names................................................................86CIFS clients............................................................................................................................87

Viewing quota information..................................................................................................87Differences in locking behavior............................................................................................88CIFS shadow copy.............................................................................................................88

4 Contents

Permissions in a cross-protocol CIFS environment.........................................................................90How the CIFS server handles UIDs and GIDs.........................................................................90Permissions, UIDs/GIDs, and ACLs.......................................................................................91Changing the way CIFS inherits permissions on files accessed from Linux applications................92

Troubleshooting CIFS...............................................................................................................928 Using FTP................................................................................................94

Best practices for configuring FTP..............................................................................................94Managing FTP from the GUI....................................................................................................94

Configuring FTP ................................................................................................................94Managing the FTP configuration..........................................................................................98

Managing FTP from the CLI......................................................................................................99Configuring FTP ................................................................................................................99Managing the FTP configuration..........................................................................................99

The vsftpd service.................................................................................................................100Starting or stopping the FTP service manually...........................................................................100Accessing shares..................................................................................................................101

9 Using HTTP............................................................................................103Best practices for configuring HTTP.........................................................................................103Managing HTTP from the GUI................................................................................................104

Configuring HTTP.............................................................................................................104Managing the HTTP configuration......................................................................................110

Tuning the socket read block size and file write block size .........................................................110Managing HTTP from the CLI.................................................................................................111

Configuring HTTP.............................................................................................................111Managing the HTTP configuration......................................................................................112

Starting or stopping the HTTP service manually.........................................................................112Accessing shares..................................................................................................................113Configuring Windows clients to access HTTP WebDAV shares....................................................114Troubleshooting HTTP............................................................................................................115

10 Managing SSL certificates......................................................................117Creating an SSL certificate.....................................................................................................117Adding a certificate to the cluster............................................................................................119Exporting a certificate...........................................................................................................120Deleting a certificate.............................................................................................................120

11 Using remote replication........................................................................121Overview............................................................................................................................121

Continuous or run-once replication modes...........................................................................121Using intercluster replications.............................................................................................122Using intracluster replications............................................................................................123File system snapshot replication..........................................................................................123

Configuring the target export for replication to a remote cluster...................................................123GUI procedure................................................................................................................123CLI procedure..................................................................................................................125

Configuring and managing replication tasks on the GUI............................................................126Viewing replication tasks...................................................................................................126Starting a replication task.................................................................................................127Pausing or resuming a replication task................................................................................130Stopping a replication task................................................................................................130

Configuring and managing replication tasks from the CLI...........................................................130Starting a remote replication task to a remote cluster............................................................130Starting an intracluster remote replication task.....................................................................131Starting a run-once directory replication task.......................................................................131Stopping a remote replication task.....................................................................................131

Contents 5

Pausing a remote replication task.......................................................................................131Resuming a remote replication task....................................................................................132Querying remote replication tasks......................................................................................132

Replicating WORM/retained files...........................................................................................132Configuring remote failover/failback.......................................................................................132Troubleshooting remote replication..........................................................................................133

12 Managing data retention and validation..................................................134Overview............................................................................................................................134

WORM and WORM-retained files.....................................................................................134Data retention attributes for a file system.............................................................................134Data validation scans.......................................................................................................135

Enabling file systems for data retention and validation...............................................................136Viewing the retention profile for a file system.......................................................................139Changing the retention profile for a file system.....................................................................140

Managing WORM and retained files......................................................................................140Creating WORM and WORM-retained files........................................................................140Viewing the retention information for a file..........................................................................141File administration............................................................................................................141

Running data validation scans................................................................................................144Scheduling a validation scan.............................................................................................144Starting an on-demand validation scan...............................................................................145Viewing, stopping, or pausing a scan.................................................................................146Viewing validation scan results..........................................................................................146Viewing and comparing hash sums for a file.......................................................................146Handling validation scan errors.........................................................................................147

Creating data retention reports...............................................................................................147Generating and managing reports.....................................................................................149Generating reports from the CLI.........................................................................................149

Using hard links with WORM files..........................................................................................150Using remote replication........................................................................................................150Backup support for data retention...........................................................................................151Troubleshooting data retention................................................................................................151

13 Configuring Antivirus support..................................................................152Adding or removing external virus scan engines.......................................................................153Enabling or disabling Antivirus on X9000 file systems...............................................................153Updating Antivirus definitions.................................................................................................154Configuring Antivirus settings.................................................................................................154Viewing Antivirus statistics......................................................................................................157Antivirus quarantines and software snapshots...........................................................................158

14 Creating X9000 software snapshots........................................................160File system limits for snap trees and snapshots..........................................................................160Configuring snapshot directory trees and schedules...................................................................160

Modifying a snapshot schedule.........................................................................................162Managing software snapshots................................................................................................162

Taking an on-demand snapshot.........................................................................................162Determining space used by snapshots................................................................................163Accessing snapshot directories...........................................................................................163Restoring files from snapshots............................................................................................164Deleting snapshots...........................................................................................................165

Moving files between snap trees.............................................................................................168Backing up snapshots............................................................................................................168

15 Creating block snapshots.......................................................................169Setting up snapshots.............................................................................................................169

6 Contents

Preparing the snapshot partition........................................................................................169Registering for snapshots..................................................................................................170Discovering LUNs in the array............................................................................................170Reviewing snapshot storage allocation................................................................................170

Automated block snapshots....................................................................................................170Creating automated snapshots using the GUI......................................................................171Creating an automated snapshot scheme from the CLI..........................................................174Other automated snapshot procedures................................................................................175

Managing block snapshots....................................................................................................176Creating an on-demand snapshot......................................................................................176Mounting or unmounting a snapshot..................................................................................176Recovering system resources on snapshot failure...................................................................176Deleting snapshots...........................................................................................................176Viewing snapshot information............................................................................................177

Accessing snapshot file systems..............................................................................................178Troubleshooting block snapshots.............................................................................................180

16 Using data tiering.................................................................................181Configuring data tiers...........................................................................................................181

Assigning segments to tiers...............................................................................................181Defining the primary tier...................................................................................................183

Creating a tiering policy for a file system.................................................................................183Running a migration task.......................................................................................................185Changing the tiering configuration with the GUI.......................................................................186Configuring tiers and migrating data using the CLI....................................................................187Changing the tiering configuration with the CLI.........................................................................190Writing tiering rules..............................................................................................................191

Rule attributes..................................................................................................................191Operators and date/time qualifiers....................................................................................191Rule keywords.................................................................................................................192Migration rule examples...................................................................................................192Ambiguous rules..............................................................................................................193

17 Using file allocation..............................................................................195Overview............................................................................................................................195

File allocation policies......................................................................................................195How file allocation settings are evaluated...........................................................................196When file allocation settings take effect on X9000 clients......................................................197Using CLI commands for file allocation...............................................................................197

Setting file and directory allocation policies.............................................................................197Setting file and directory allocation policies from the CLI.......................................................198

Setting segment preferences...................................................................................................198Creating a pool of preferred segments from the CLI..............................................................199Restoring the default segment preference.............................................................................199

Tuning allocation policy settings.............................................................................................200Listing allocation policies.......................................................................................................200

18 Support and other resources...................................................................202Contacting HP......................................................................................................................202Related information...............................................................................................................202HP websites.........................................................................................................................202Subscription service..............................................................................................................202

19 Documentation feedback.......................................................................203Glossary..................................................................................................204Index.......................................................................................................206

Contents 7

1 Using X9000 Software file systemsFile system operations

The following diagram highlights the operating principles of the X9000 file system.

The topology in the diagram reflects the architecture of the HP X9320, which uses a building blockof server pairs (known as couplets) with SAS attached storage. In the diagram:

• There are four file serving nodes, SS1–SS4. These nodes are also called segment servers.

• SS1 and SS2 share access to segments 1–4 through SAS connections to a shared storagearray.

• SS3 and SS4 share access to segments 5-8 through SAS connections to a shared storagearray.

• One client is accessing the name space using NAS protocols.

• One client is using the proprietary X9000 client.The following steps correspond to the numbering in the diagram:1. The “namespace” of the file system is a collection of segments. Each segment is simply a

repository for files and directories with no implicit namespace relationships among them.

8 Using X9000 Software file systems

(Specifically, a segment need not be a complete, rooted directory tree). Segments can be anysize and different segments can be different sizes.

2. The location of files and directories within particular segments in the file space is independentof their respective and relative locations in the namespace. For example, a directory (Dir1)can be located on one segment, while the files contained in that directory (File1 and File2)are resident on other segments. The selection of segments for placing files and directories isdone dynamically when the file/directory is created, as determined by an allocation policy.The allocation policy is set by the system administrator in accordance with the anticipatedaccess patterns and specific criteria relevant to the installation (such as performance andmanageability). The allocation policy can be changed at any time, even when the file systemis mounted and in use. Files can be redistributed across segments using a rebalancing utility.For example, rebalancing can be used when some segments are too full while other have freecapacity, or when files need to be distributed across new segments.

3. Segment servers are responsible for managing individual segments of the file system. Eachsegment is assigned to one segment server and each server may own multiple segments, asshown by the color coding in the diagram. Segment ownership can be migrated betweenservers with direct access to the storage volume while the file system is mounted. For example,Seg1 can be migrated between SS1 and SS2 but not to SS3 or SS4.Additional servers can be added to the system dynamically to meet growing performanceneeds, without adding more capacity, by distributing the ownership of existing segments forproper load balancing and utilization of all servers. Conversely, additional capacity can beadded to the file system while in active use without adding more servers—ownership of thenew segments is distributed among existing servers. Servers can be configured with failoverprotection, with other servers being designated as standby servers that automatically takecontrol of a server’s segments if a failure occurs.

4. Clients run the applications that use the file system. Clients can access the file system eitheras a locally mounted cluster file system using the X9000 Client or using standard networkattached storage (NAS) protocols such as NFS and Common Internet File System (CIFS).

5. Use of the X9000 Client on a client system has some significant advantages over the NASapproach—specifically, the X9000 Client driver is aware of the segmented architecture ofthe file system and, based on the file/directory being accessed, can route requests directly tothe correct segment server, yielding balanced resource utilization and high performance.However, the X9000 Client is available only for a limited range of operating systems.

6. NAS protocols such as NFS and CIFS offer the benefits of multi-platform support and low costof administration of client software, as the client drivers for these protocols are generallyavailable with the base operating system. When using NAS protocols, a client must mountthe file system from one (or more) of the segment servers. As shown in the diagram, all requestsare sent to the server from which the share is mounted, which then performs the requiredrouting.

7. Any segment server in the namespace can access any segment. There are three cases:a. Selected segment is owned by the segment server initiating the operation (for example,

SS1 accessing Seg1).b. Selected segment is owned by another segment server but is directly accessible at the

block level by the segment server initiating the operation (for example, SS1 accessingSeg3).

c. Selected segment is owned by another segment server and is not directly accessible bythe segment server initiating the operation (for example, SS1 accessing Seg5).

Each case is handled differently. The data paths are shown in heavy red broken lines in thediagram:a. The segment server initiating the operation services the read or write request to the local

segment.b. In this case, reads and writes take different routes:

File system operations 9

1) The segment server initiating the operation can read files directly from the segmentacross the SAN; this is called a SAN READ.

2) The segment server initiating the operation routes writes over the IP network to thesegment server owning the segment. That server then writes data to the segment.

c. All reads and writes must be routed over the IP network between the segment servers.8. Step 7 assumed that the server had to go to a segment to read a file. However, every segment

server that reads a file keeps a copy of it cached in its memory regardless of which segmentit was read from (in the diagram, two servers have cached copies of File 1). The cachedcopies are used to service local read requests for the file until the copy is made invalid, forexample, because the original file has been changed. The file system keeps track of whichservers have cached copies of a file and manages cache coherency using delegations, whichare X9000 file system metadata structures used to track cached copies of data and metadata.

File system building blocksA file system is created from building blocks. The first block comprises the underlying physicalvolumes, which are combined in volume groups. Segments (logical volumes) are created from thevolume groups. The built-in volume manager handles all space allocation considerations involvedin file system creation.

Configuring file systemsYou can configure your file systems to use the following features:

• Quotas. This feature allows you to assign quotas to individual users or groups, or to a directorytree. Individual quotas limit the amount of storage or the number of files that a user or groupcan use in a file system. Directory tree quotas limit the amount of storage and the number offiles that can be created on a file system located at a specific directory tree. See “Setting upquotas” (page 24).

• Remote replication. This feature provides a method to replicate changes in a source file systemon one cluster to a target file system on either the same cluster or a second cluster. See “Usingremote replication” (page 121).

10 Using X9000 Software file systems

• Data retention and validation. Data retention ensures that files cannot be modified or deletedfor a specific retention period. Data validation scans can be used to ensure that files remainunchanged. See “Managing data retention and validation” (page 134).

• Antivirus support. This feature is used with supported Antivirus software, allowing you to scanfiles on an X9000 file system. See “Configuring Antivirus support” (page 152).

• X9000 software snapshots. This feature allows you to capture a point-in-time copy of a filesystem or directory for online backup purposes and to simplify recovery of files from accidentaldeletion. Users can access the filesystem or directory as it appeared at the instant of thesnapshot. See “Creating X9000 software snapshots” (page 160).

• Block Snapshots. This feature uses the array capabilities to capture a point-in-time copy of afile system for online backup purposes and to simplify recovery of files from accidental deletion.The snapshot replicates all file system entities at the time of capture and is managed exactlylike any other file system. See “Creating block snapshots” (page 169).

• Data tiering. This feature allows you to set a preferred tier where newly created files will bestored. You can then create a tiering policy to move files from initial storage, based on fileattributes such as such as modification time, access time, file size, or file type. See “Usingdata tiering” (page 181).

• File allocation. This feature allocates new files and directories to segments according to theallocation policy and segment preferences that are in effect for a client. An allocation policyis an algorithm that determines the segments that are selected when clients write to a filesystem. See “Using file allocation” (page 195).

Accessing file systemsClients can use the following standard NAS protocols to access file system data:

• NFS. See “Using NFS” (page 48) or more information.

• CIFS. See “Using CIFS” (page 69) for more information.

• FTP. See “Using FTP” (page 94) for more information.

• HTTP. See “Using HTTP” (page 103) for more information.You can also use X9000 clients to access file systems. Typically, these clients are installed duringthe initial system setup. See the HP IBRIX X9000 Network Storage System Installation Guide formore information.

Accessing file systems 11

2 Creating and mounting file systemsThis chapter describes how to create file systems and mount or unmount them.

Creating a file systemYou can create a file system using the New Filesystem Wizard provided with the GUI, or you canuse CLI commands. The New Filesystem Wizard also allows you to create an NFS export or aCIFS share for the file system.

Using 32-bit or 64-bit modeA file system can be created to use either 32-bit or 64-bit mode. In 32-bit mode, clients can runboth 32-bit and 64-bit applications. In 64-bit mode, clients can run only 64-bit applications. If allfile system clients (NFS, CIFS, and X9000 clients) will run only 64-bit applications, HP recommendsthat you use 64-bit mode because more inodes will be available per segment for the applications.For information about enabling 32-bit mode, see “Configuring additional file system options”(page 16). File systems created with 32-bit mode compatibility can be converted later to allowclients to run 64-bit applications (see “Disabling 32-bit mode on a file system” (page 41)). This isa one-time-only operation and cannot be reversed. If clients may need to run a 32-bit application,do not disable 32-bit mode.

Using the New Filesystem WizardTo start the wizard, click New on the Filesystems top panel. The wizard includes several steps anda summary, starting with selecting the storage for the file system.

NOTE: For details about the prompts for each step of the wizard, see the GUI online help.

On the Select Storage dialog box, select the storage that will be used for the file system. If yourcluster includes storage that has not yet been discovered by the X9000 software, click Discover.

12 Creating and mounting file systems

On the Configure Options dialog box, enter a name for the file system, and specify the appropriateconfiguration options.

Creating a file system 13

If data retention will be used on the file system, enable it and set the retention policy on theWORM/Data Retention dialog box. See “Managing data retention and validation” (page 134) formore information.

The default retention period determines whether you can manage WORM (non-retained) files aswell as WORM-retained files. (WORM (non-retained) files can be deleted at any time;WORM-retained files can be deleted only after the file's retention period has expired.)To manage only WORM-retained files, set the default retention period to a non-zero value.WORM-retained files then use this period by default; however, you can assign a different retentionperiod if desired.To manage both WORM (non-retained) and WORM-retained files, uncheck Set Default RetentionPeriod. The default retention period is then set to 0 seconds. When you make a WORM file retained,you will need to assign a retention period to the file.The Set Auto-Commit Period option specifies that files will become WORM or WORM-retained ifthey are not changed during the specified period. (If the default retention period is set to zero, thefiles become WORM. If the default retention period is set to a value greater than zero, the filesbecome WORM-retained.) To use this feature, check Set Auto-Commit Period and specify the timeperiod. The minimum value for the autocommit period is five minutes, and the maximum value isone year. If you plan to keep normal files on the file system, do not set the autocommit period.Optionally, check Enable Data Validation to schedule periodic scans on the file system. Use thedefault schedule, or click Modify to open the Data Validation Scan Schedule dialog box andconfigure your own schedule.


If you want to create data retention reports, click Enable Report Data Generation. Use the defaultschedule, or click Modify to open the Report Data Generation Schedule dialog box and configureyour own schedule.


The Default File Shares page allows you to create an NFS export and/or a CIFS share at the rootof the file system. The default settings are used. See “Using NFS” (page 48) and “Using CIFS”(page 69) for more information.

Review the Summary to ensure that the file system is configured properly. If necessary, you canreturn to a dialog box and make any corrections.

Configuring additional file system optionsThe New Filesystem wizard creates the file system with the default settings for several options. Youcan change these settings on the Modify Filesystem Properties dialog box, and can also configuredata tiering and file allocation on the file system. To open the dialog box, select the file system onthe Filesystems panel. Select Summary from the lower Navigator, and then click Modify on theSummary panel.The General tab allows you to enable quotas, Export Control, and 32-bit compatibility mode onthe file system.When Export Control is enabled on a file system, by default, X9000 clients have no access to thefile system. Instead, the system administrator grants the clients access by executing theibrix_mount command. Enabling Export Control does not affect access from a file serving nodeto a file system (and thereby, NFS/CIFS client access). File serving nodes always have RW access.


The Data Retention tab allows you to change the data retention configuration. The file system mustbe unmounted. See “Configuring data retention on existing file systems” (page 138) for moreinformation.

NOTE: Data retention cannot be enabled on a file system created on X9000 software 5.6 orearlier versions. Instead, create a new file system on X9000 software 6.0 or later, and then copyor move files from the old file system to the new file system.

The Allocation, Segment Preference, and Host Allocation tabs are used to modify file allocationpolicies and to specify segment preferences for file serving nodes and X9000 clients. See “Usingfile allocation” (page 195) for more information.

Creating a file system using the CLIThe ibrix_fs command is used to create a file system. It can be used in the following ways:

• Create a file system with the specified segments (segments are logical volumes):ibrix_fs -c -f FSNAME -s LVLIST [-t TIERNAME] [-a] [-q] [-oOPTION1=VALUE1,OPTION2=VALUE2,...] [-t TIERNAME] [-FFMIN:FMAX:FTOTAL] [-D DMIN:DMAX:DTOTAL]

• Create a file system and assign specify segments to specific file serving nodes:ibrix_fs -c -f FSNAME -S LV1:HOSTNAME1,LV2:HOSTNAME2,... [-a] [-q][-o OPTION1=VALUE1,OPTION2=VALUE2,...] [-t TIERNAME] [-FFMIN:FMAX:FTOTAL] [-D DMIN:DMAX:DTOTAL]

• Create a file system from physical volumes in a single step:ibrix_fs -c -f FSNAME -p PVLIST [-a] [-q] [-oOPTION1=VALUE1,OPTION2=VALUE2,...] [-t TIERNAME] [-FFMIN:FMAX:FTOTAL] [-D DMIN:DMAX:DTOTAL]


In the commands, the –t option specifies a tier. TIERNAME can be any alphanumeric, case-sensitive,text string. Tier assignment is not affected by other options that can be set with the ibrix_fscommand.

NOTE: A tier is created whenever a segment is assigned to it. Be careful to spell the name of thetier correctly when you add segments to an existing tier. If you make an error in the name, a newtier is created with the incorrect tier name, and no error is recognized.

To enable data retention on the file system, include the following -o options:–o "retenMode=<mode>,retenDefPeriod=<period>,retenMinPeriod=<period>,retenMaxPeriod=<period>,retenAutoCommitPeriod=<period>"

For example:ibrix_fs -o "retenMode=Enterprise,retenDefPeriod=5m,retenMinPeriod=2,retenMaxPeriod=30y,retenAutoCommitPeriod=1d" -c -f ifs1 -s ilv_[1-4] -a

Creating a file system manually from physical volumesThis procedure is equivalent to using ibrix_fs to create a file system from physical volumes ina single step. Instead of a single command, you build the file system components individually:1. Discover the physical volumes in the system. Use the ibrix_pv command.2. Create volume groups from the discovered physical volumes. Use the ibrix_vg command.3. Create logical volumes (also called segments) from volume groups. Use the ibrix_lv

command.4. Create the file system from the new logical volumes. Use the ibrix_fs command.See the HP IBRIX X9000 Network Storage System CLI Reference Guide for details about thesecommands.

File limit for directoriesThe maximum number of files in a directory depends on the length of the file names, and also thenames themselves. The maximum size of a directory is approximately 4GB (double indirect blocks).An average file name length of eight characters allows about 12 million entries. However, becausedirectories are hashed, it is unlikely that a directory can contain this number of entries. Files witha similar naming pattern are hashed into the same bucket. If that bucket fills up, another file cannotbe created there, even if free space is available elsewhere in the directory. If you try to createanother file with a different name, it may succeed, but randomly.

Managing mountpoints and mount/unmount operations

GUI proceduresWhen you use the New Filesystem Wizard to create a file system, you can specify a name for themountpoint and indicate whether the file system should be mounted after it is created. The wizardwill create the mountpoint if necessary. The Filesystems panel shows the file systems created onthe cluster.To view the mountpoint information for a file system, select the file system on the Filesystems panel,and click Mountpoints in the lower Navigator. The Mountpoints panel shows the hosts that havemounted the file system, the name of the mountpoint, the access (RW or RO) allowed to the host,and whether the file system is mounted.


To mount or remount a file system, select it on the Filesystems panel and click Mount. You canselect several mount options on the Mount Filesystem dialog box. To remount the file system, clickremount.

The available mount options are:

• atime: Update the inode access time when a file is accessed

• nodiratime: Do not update the directory inode access time when the directory is accessed

• nodquotstatfs: Disable file system reporting based on directory tree quota limitsYou can also view mountpoint information for a particular server. Select that server on the Serverspanel, and select Mountpoints from the lower Navigator. To delete a mountpoint, select thatmountpoint and click Delete.

Managing mountpoints and mount/unmount operations 19

CLI proceduresThe CLI commands are executed immediately on file serving nodes. For X9000 clients, the commandintention is stored in the active Fusion Manager. When X9000 software services start on a client,the client queries the active Fusion Manager for any commands. If the services are already running,you can force the client to query the Fusion Manager by executing either ibrix_client oribrix_lwmount -a on the client, or by rebooting the client.If you have configured hostgroups for your X9000 clients, you can apply a command to a specifichostgroup. For information about creating hostgroups, see the administration guide for your system.

Creating mountpointsMountpoints must exist before a file system can be mounted. To create a mountpoint on file servingnodes and X9000 clients, use the following command.ibrix_mountpoint -c [-h HOSTLIST] -m MOUNTPOINT

To create a mountpoint on a hostgroup , use the following command:ibrix_mountpoint -c -g GROUPLIST -m MOUNTPOINT

Deleting mountpointsBefore deleting mountpoints, verify that no file systems are mounted on them. To delete a mountpointfrom file serving nodes and X9000 clients, use the following command:ibrix_mountpoint -d [-h HOSTLIST] -m MOUNTPOINT

To delete a mountpoint from specific hostgroups, use the following command:ibrix_mountpoint -d -g GROUPLIST -m MOUNTPOINT

Viewing mountpoint informationTo view mounted file systems and their mountpoints on all nodes, use the following command:ibrix_mountpoint -l

Mounting a file systemFile system mounts are managed with the ibrix_mount command. The command options andthe default file system access allowed for X9000 clients depend on whether the optional ExportControl feature has been enabled on the file system (see “Using Export Control” (page 22) formore information). This section assumes that Export Control is not enabled, which is the default.


NOTE: A file system must be mounted on the file serving node that owns the root segment (thatis, segment 1) before it can be mounted on any other host. X9000 Software automatically mountsa file system on the root segment when you mount it on all file serving nodes in the cluster. Themountpoints must already exist.

Mount a file system on file serving nodes and X9000 clients:ibrix_mount -f FSNAME [-o {RW|RO}] [-O MOUNTOPTIONS] -h HOSTLIST -m MOUNTPOINT

Mount a file system on a hostgroup:ibrix_mount -f FSNAME [-o {RW|RO}] -g GROUP -m MOUNTPOINT

Unmounting a file systemUse the following commands to unmount a file system.

NOTE: Be sure to unmount the root segment last. Attempting to unmount it while other segmentsare still mounted will result in failure. If the file system was exported using NFS, you must unexportit before you can unmount it (see “Exporting a file system” (page 48)).

To unmount a file system from one or more file serving nodes, X9000 clients, or hostgroups:ibrix_umount -f FSNAME [-h HOSTLIST | -g GROUPLIST]

To unmount a file system from a specific mountpoint on a file serving node, X9000 client, orhostgroup:ibrix_umount -m MOUNTPOINT [-h HOSTLIST | -g GROUPLIST]

Mounting and unmounting file systems locally on X9000 clientsOn both Linux and Windows X9000 clients, you can locally override a mount. For example, if theFusion Manager configuration database has a file system marked as mounted for a particularclient, that client can locally unmount the file system.

Linux X9000 clientsTo mount a file system locally, use the following command on the Linux X9000 client. A FusionManager name (fmname) is required only if this X9000 client is registered with multiple FusionManagers.ibrix_lwmount -f [fmname:]fsname -m mountpoint [-o options]

To unmount a file system locally, use one of the following commands on the Linux X9000 client.The first command detaches the specified file system from the client. The second command detachesthe file system that is mounted on the specified mountpoint.ibrix_lwumount -f [fmname:]FSNAMEibrix_lwumount -m MOUNTPOINT

Windows X9000 clientsUse the Windows X9000 client GUI to mount file systems locally. Click the Mount tab on the GUIand select the cluster name from the list (the cluster name is the Fusion Manager name). Then, enterthe name of the file system, select a drive, and click Mount.If you are using Remote Desktop to access the client and the drive letter is not displayed, log outand log back in. This is a known limitation of Windows Terminal Services when exposing newdrives.To unmount a file system on the Windows X9000 client GUI, click the Umount tab, select the filesystem, and then click Umount.

Managing mountpoints and mount/unmount operations 21

Limiting file system access for X9000 clientsBy default, all X9000 clients can mount a file system after a mountpoint has been created. To limitaccess to specific X9000 clients, create an access entry. When an access entry is in place for afile system (or a subdirectory of the file system), it enters secure mode, and mount access is restrictedto clients specified in the access entry. All other clients are denied mount access.Select the file system on the Filesystems top panel, and then select Client Exports in the lowernavigator. On the Create Client Export(s) dialog box, select the clients or hostgroups that will beallowed access to the file system or a subdirectory of the file system.

To remove a client access entry, select the affected file system on the GUI, and then select ClientExports from the lower Navigator. Select the access entry from the Client Exports display, and clickDelete.On the CLI, use the ibrix_exportfs command to create an access entry:ibrix_exportfs –c –f FSNAME –p CLIENT:/PATHNAME,CLIENT2:/PATHNAME,...

To see all access entries that have been created, use the following command:ibrix_exportfs –c –l

To remove an access entry, use the following command:ibrix_exportfs –c —U –f FSNAME –p CLIENT:/PATHNAME,CLIENT2:/PATHNAME,...

Using Export ControlWhen Export Control is enabled on a file system, by default, X9000 clients have no access to thefile system. Instead, the system administrator grants the clients access by executing theibrix_mount command.Enabling Export Control does not affect access from a file serving node to a file system (and thereby,NFS/CIFS client access). File serving nodes always have RW access.To determine whether Export Control is enabled, run ibrix_fs -i or ibrix_fs -l. The outputindicates whether Export Control is enabled.To enable Export Control, include the -C option in the ibrix_fs command:ibrix_fs -C -E -f FSNAME

To disable Export Control, execute the ibrix_fs command with the -C and -D options:ibrix_fs -C -D -f FSNAME

To mount a file system that has Export Control enabled, include the ibrix_mount -o {RW|RO}option to specify that all clients have either RO or RW access to the file system. The default is RO.


In addition, when specifying a hostgroup, the root user can be limited to RO access by addingthe root_ro parameter.

Using Export Control 23

3 Setting up quotasQuotas can be assigned to individual users or groups, or to a directory tree. Individual quotaslimit the amount of storage or the number of files that a user or group can use in a file system.Directory tree quotas limit the amount of storage and the number of files that can be created on afile system located at a specific directory tree. Note the following:

• Although it is best to set up quotas when you create a file system, you can configure them atany time. Configuring quotas later on requires that you unmount the file system, which impactssystem availability.

• You can assign quotas to a user, group, or directory on the GUI or from the CLI. You can alsoimport quota information from a file.

• If a user has a user quota and a group quota for the same file system, the first quota reachedtakes precedence.

• Nested directory quotas are not supported. You cannot configure quotas on a subdirectorydifferently than the parent directory.

• The existing quota configuration can be exported to a file at any time.

NOTE: HP recommends that you export the quota configuration and save the resulting filewhenever you update quotas on your cluster.

How quotas workA quota is delimited by hard and soft storage limits defined either in megabytes of storage or asa number of files. The hard limit is the maximum storage (in terms of file size and number of files)allotted to a user or group. The soft limit specifies the number of megabytes or files that, whenreached, starts a countdown timer that runs until the hard storage limit is reached or the graceperiod elapses, whichever happens first. (The default grace period is seven days.) When the timerstops for either reason, the user or group cannot store any more data and the system issues quotaexceeded messages at each write attempt.

NOTE: Quota statistics are updated on a regular basis (at one-minute intervals). At each update,the file and storage usage for each quota-enabled user, group, or directory tree is queried, andthe result is distributed to all file serving nodes. Users or groups can temporarily exceed their quotaif the allocation policy in effect for a file system causes their data to be written to different fileserving nodes during the statistics update interval. In this situation, it is possible for the storageusage visible to each file serving node to be below or at the quota limit while the aggregate storageuse exceeds the limit.

There is a delay of several minutes between the time a command to update quotas is executedand when the results are displayed by the ibrix_edquota -l command. This is normal behavior.

Enabling quotas on a file system and setting grace periodsBefore you can set quota limits, quotas must be enabled on the file system. You can enable quotaswhen you create the file system or at a later time.

24 Setting up quotas

On the GUI, select the file system and then select Quotas from the lower Navigator. On the QuotaSummary bottom panel, click Modify.

To enable quotas from the CLI, run the following command:ibrix_fs -q -E -f FSNAME

Setting user and group quotasBefore configuring quotas, the quota feature must be enabled on the file system and the file systemmust be mounted.

NOTE: For the purpose of setting quotas, no UID or GID can exceed 2,147,483,647.Setting user quotas to zero removes the quotas.

GUI procedureTo configure a user quota, select the file system where the quotas will be configured. Next, selectQuotas > User Quotas from the lower Navigator, and then, on the User Quota Usage Limits bottompanel, click Set. User quotas can be specified by either the user name or ID. Specifying quotalimits is optional.

Setting user and group quotas 25

To configure a group quota, select the file system where the quotas will be configured. Next, selectQuotas > Group Quotas from the lower Navigator, and then, on the Group Quota Usage Limitsbottom panel, click Set. Group quotas can be identified by either the group name or GID. Specifyingquota limits is optional.

To change user or group quotas, select the appropriate user or group on the Quota Usage Limitsbottom panel, and then select Modify.


CLI procedureUse the following commands to set quotas for users and groups:

• Set a quota for a single user:ibrix_edquota -s -u “USER” -f FSNAME [-M SOFT_MEGABYTES] [-m HARD_MEGABYTES] [-I SOFT_FILES] [-i HARD_FILES]

• Set a quota for a single group:ibrix_edquota -s -g “GROUP” -f FSNAME [-M SOFT_MEGABYTES] [-m HARD_MEGABYTES] [-I SOFT_FILES] [-i HARD_FILES]

Enclose the user or group name in single or double quotation marks.

Setting directory tree quotasDirectory tree quotas limit the amount of storage and the number of files that can be created on afile system located at a specific directory tree. Before configuring directory tree quotas, the quotafeature must be enabled on the file system and the file system must be mounted.

NOTE: When you create a directory tree quota, the system also runs ibrix_onlinequotacheckcommand in DTREE_CREATE mode.

GUI procedureTo configure a directory tree quota, select the file system where the quotas will be configured.Next, select Quotas > Directory Quotas from the lower Navigator, and then, on the Directory TreeQuota Usage Limits bottom panel, click Create to open the Create Directory Tree Alias dialog box.For Name (Alias), enter a unique name for the directory tree quota. The name cannot contain acomma (,) character.

Setting directory tree quotas 27

To change a directory tree quota, select the directory tree on the Quota Usage Limits bottom panel,and then click Modify.

CLI procedureTo create a directory tree quota and assign usage limits, use the following command:ibrix_edquota -s -d NAME -p PATH -f FSNAME -M SOFT_MEGABYTES -mHARD_MEGABYTES -I SOFT_FILES -i HARD_FILES

The -f FSNAME option specifies the name of the file system. The -p PATH option specifies thepathname of the directory tree. If the pathname includes a space, enclose the portion of thepathname that includes the space in single quotation marks, and enclose the entire pathname indouble quotation marks. For example:-p "/fs48/data/'QUOTA 4'"

The -n NAME option specifies a unique name for the directory tree quota. The name cannot containa comma (,) character.Use -M SOFT_MEGABYTES and -m HARD_MEGABYTES to specify soft and hard limits for themegabytes of storage allowed on the directory tree. Use -I SOFT_FILES and -i HARD_FILESto specify soft and hard limits for the number of files allowed on the directory tree.If you are creating multiple directory tree quotas, you can import the quotas from a file. The systemthen uses batch processing to create the quotas. If you add the quotas individually, you will needto wait for ibrix_onlinequotacheck to finish after creating each quota.


Using a quotas fileQuota limits can be imported into the cluster from the quotas file, and existing quotas can beexported to the file. See “Format of the quotas file” (page 29) for the format of the file.

Importing quotas from a fileFrom the GUI, select the file system, select Quotas from the lower Navigator, and then click Import.

From the CLI, use the following command to import quotas from a file, where PATH is the path tothe quotas file:ibrix_edquota -t -p PATH -f FSNAME

Exporting quotas to a fileFrom the GUI, select the file system, select Quotas from the lower Navigator, and then click Export.

From the CLI, use the following command to export the existing quotas information to a file, wherePATH is the pathname of the quotas file:ibrix_edquota -e -p PATH -f FSNAME

Format of the quotas fileThe quotas file contains a line for each user, group, or directory tree assigned a quota. When youadd quota entries, the lines must use one of the following formats. The “A” format specifies a useror group ID. The “B” format specifies a user or group name, or a directory tree that has alreadybeen assigned an identifier name. The “C” format specifies a directory tree, where the path exists,but the identifier name for the directory tree will not be created until the quotas are imported.

Using a quotas file 29

A,{type},{block_hardlimit},{block_soft-limit},{inode_hardlimit},{inode_softlimit},{id}B,{type},{block_hardlimit},{block_soft-limit},{inode_hardlimit},{inode_softlimit},"{name}"C,{type},{block_hardlimit},{block_soft-limit},{inode_hardlimit},{inode_softlimit},"{name}","{path}"

The fields in each line are:{type}

Either 0 for a user quota; 1 for a group quota; 2 for a directory tree quota.{block_hardlimit}

The maximum number of 1K blocks allowed for the user, group, or directory tree. (1 MB =1024 blocks).

{block_soft-limit}

The number of 1K blocks that, when reached, starts the countdown timer.{inode_hardlimit}

The maximum number of files allowed for the user, group, or directory tree.{inode_softlimit}

The number of files that, when reached, starts the countdown timer.{id}

The UID for a user quota or the GID for a group quota.{name}

A user name, group name, or directory tree identifier.{path}

The full path to the directory tree. The path must already exist.

NOTE: When a quotas file is imported, the quotas are stored in a different, internal format.When a quotas file is exported, it contains lines using the internal format. However, when addingentries, you must use the A, B, or C format.

Using online quota checkOnline quota checks are used to rescan quota usage, initialize directory tree quotas, and removedirectory tree quotas. There are three modes:

• FILESYSTEM_SCAN mode. Use this mode in the following scenarios:

You turned quotas off for a user, the user continued to store data in a file system, andyou now want to turn quotas back on for this user.

◦

◦ You are setting up quotas for the first time for a user who has previously stored data ina file system.

◦ You renamed a directory on which quotas are set.

◦ You moved a subdirectory into another parent directory that is outside of the directoryhaving the directory tree quota.

• DTREE_CREATE mode. After setting quotas on a directory tree, use this mode to take intoaccount the data used under the directory tree.

• DTREE_DELETE mode. After deleting a directory tree quota, use this mode to unset quota IDson all files and folders in that directory.

CAUTION: When ibrix_onlinequotacheck is started in DTREE_DELETE mode, it removesquotas for the specified directory. Be sure not to use this mode on directories that should retainquota information.


To run an online quota check from the GUI, select the file system and then select Online quotacheck from the lower Navigator.On the Task Summary panel, select Start to open the Start Online quota check dialog box andselect the appropriate mode.

The Task Summary panel displays the progress of the scan. If necessary, select Stop to stop thescan.To run an online quota check in FILESYSTEM_SCAN mode from the CLI, use the following command:ibrix_onlinequotacheck –s –S -f FSNAME

To run an online quota check in DTREE_CREATE mode, use this command:ibrix_onlinequotacheck -s -c -f FSNAME -p PATH

To run an online quota check in DTREE_DELETE mode, use this command:ibrix_onlinequotacheck -s -d -f FSNAME -p PATH

The command must be run from a file serving node that has the file system mounted.

Configuring email notifications for quota eventsIf you would like to be notified when certain quota events occur, you can set up email notificationfor those events. On the GUI, select Email Configuration. On the Events Notified by Email panel,select the appropriate events and specify the email addresses to be notified.

Deleting quotasTo delete quotas from the GUI, select the quota from the appropriate Quota Usage Limits paneland then click Delete. To delete quotas from the CLI, use the following commands.To delete quotas for a user, use the following command:ibrix_edquota -D -u UID [-f FSNAME]

To delete quotas for a group, use the following command:ibrix_edquota -D -g GID [-f FSNAME]

To delete the entry and quota limits for a directory tree quota, use the following command:ibrix_edquota -D -d NAME -f FSNAME

The -d NAME option specifies the name of the directory tree quota.

Configuring email notifications for quota events 31

Troubleshooting quotas

Recreated directory does not appear in directory tree quotaIf you create a directory tree quota on a specific directory and delete the directory (for example,with rmdir/rm -rf) and then recreate it on the same path, the directory does not count as partof the directory tree, even though the path is the same. Consequently, theibrix_onlinequotacheck command does not report on the directory.

Moving directoriesAfter moving a directory into or out of a directory containing quotas, run theibrix_onlinequotacheck command as follows:

• After moving a directory from a directory tree with quotas (the source) to a directory withoutquotas (the destination), take these steps:1. Run ibrix_onlinequotacheck in DTREE_CREATE mode on the source directory tree

to remove the usage information for the moved directory.2. Run ibrix_onlinequotacheck in DTREE_DELETE mode on the directory that was

moved to delete residual quota information.

• After moving a directory from a directory without quotas (the source) to a directory tree withquotas (the destination), take this step:1. Run ibrix_onlinequotacheck in DTREE_CREATE mode on the destination directory

tree to add the usage for the moved directory.

• After moving a directory from one directory tree with quotas (the source) to another directorytree with quotas (the destination), take these steps:1. Run ibrix_onlinequotacheck in DTREE_CREATE mode on the source directory tree

to remove the usage information for the moved directory.2. Run ibrix_onlinequotacheck in DTREE_CREATE mode on the destination directory

tree to add the usage for the moved directory.


4 Maintaining file systemsThis chapter describes how to extend a file system, rebalance segments, delete a file system or filesystem component, and check or repair a file system. The chapter also includes file systemtroubleshooting information.

Best practices for file system performanceIt is important to monitor the space used in the segments making up the file system. If segments arefilled to 90% or greater and the segments are actively being used based on the file system allocationpolicy, performance degradation is likely because of extra housekeeping tasks incurred in the filesystem. Also, at this point, automatic write behavior changes can cause all new creates to go tothe segment with the most available capacity, causing a slowdown.To maintain file system performance, follow these recommendations:

• If segments are approaching 85% full, either expand the file system with new segments orclean up the file system.

• If only a few segments are between 85% and 90% and other segments are much lower, runa rebalance task. However, if those few segments are at 90% or higher, it is best to adjustthe file system allocation policy to exclude the full segments from being used. Then initiate arebalance task to balance the full segments out onto other segments with more available space.When the rebalance task is complete and all segments are below the 85% threshold, you canreapply the original file system allocation policy.

The GUI displays the space used in each segment. Select the file system, and then select Segmentsfrom the lower Navigator.

Viewing information about file systems and componentsThe Filesystems top panel on the GUI displays comprehensive information about a file system andits components. This section describes how to view the same information from the command line.

Best practices for file system performance 33

Viewing physical volume informationUse the following command to view information about physical volumes:ibrix_pv -l

The following table lists the output fields for ibrix_pv -l.

DescriptionField

Physical volume name. Regular physical volume names begin with the letter d. The names of physicalvolumes that are part of a mirror device begin with the letter m. Both are numbered sequentially.

PV_Name

Physical volume size, in MB.Size (MB)

Name of volume group created on this physical volume, if any.VG name

Not applicable for this release.RAID type

Not applicable for this release.RAID host

Not applicable for this release.RAID device

Not applicable for this release.Network host

Not applicable for this release.Network port

Viewing volume group informationTo display summary information about all volume groups, use the ibrix_vg -l command:ibrix_vg -l

The VG_FREE field indicates the amount of group space that is not allocated to any logical volume.The VG_USED field reports the percentage of available space that is allocated to a logical volume.To display detailed information about volume groups, use the ibrix_vg -i command. The -gVGLIST option restricts the output to the specified volume groups.ibrix_vg -i [-g VGLIST]

The following table lists the output fields for ibrix_vg -i.

DescriptionField

Volume group name.Name

Volume group size in MB.Size (MB)

Free (unallocated) space, in MB, available on this volume group.Free (MB)

Percentage of total space in the volume group allocated to logical volumes.Used (percentage)

File system to which this logical volume belongs.File System Name

Name of the physical volume used to create this volume group.Physical Volume Name

Size, in MB, of the physical volume used to create this volume group.Physical Volume Size

Names of logical volumes created from this volume group.Logical Volume Name

Size, in MB, of each logical volume created from this volume group.Logical Volume Size

Number of times the structure of the file system has changed (for example, new segmentswere added).

File System Generation

Number of this segment (logical volume) in the file system.Segment Number

File serving node that owns this logical volume.Host Name

Operational state of the file serving node. See the administration guide for your system fora list of the states.

State

34 Maintaining file systems

Viewing logical volume informationTo view information about logical volumes, use the ibrix_lv -l command. The following tablelists the output fields for this command.

DescriptionField

Logical volume name.LV_NAME

Logical volume size, in MB.LV_SIZE

File system to which this logical volume belongs.FS_NAME

Number of this segment (logical volume) in the file system.SEG_NUM

Name of the volume group created on this physical volume, if any.VG_NAME

Linux lvcreate options that have been set on the volume group.OPTIONS

Viewing file system informationTo view information about all file systems, use the ibrix_fs -l command. This command alsodisplays information about any file system snapshots.The following table lists the output fields for ibrix_fs -l.

DescriptionField

File system name.FS_NAME

State of the file system (for example, Mounted).STATE

Total space available in the file system, in GB.CAPACITY (GB)

Amount of space used in the file system.USED%

Number of files that can be created in this file system.Files

Percentage of total storage used by files and directories.FilesUsed%


GEN

Number of file system segments.NUM_SEGS

To view detailed information about file systems, use the ibrix_fs -i command. To viewinformation for all file systems, omit the -f FSLIST argument.ibrix_fs -i [-f FSLIST]

The following table lists the file system output fields reported by ibrix_fs -i.

DescriptionField

Number of segments.Total Segments

State of the file system (for example, Mounted).STATE

Not applicable for this release.Mirrored?

Yes indicates that the file system is 32-bit compatible; the maximum number of segments(maxsegs) allowed in the file system is also specified. No indicates a 64-bit file system.

Compatible?


Generation

File system ID for NFS access.FS_ID

Unique X9000 Software internal file system identifier.FS_NUM

Viewing information about file systems and components 35

DescriptionField

Yes if enabled; No if not.EXPORT_CONTROL_ENABLED

Yes if enabled; No if not.QUOTA_ENABLED

If data retention is enabled, the retention policy is displayed.RETENTION

Default block size, in KB.DEFAULT_BLOCKSIZE

Capacity of the file system.CAPACITY

Amount of free space on the file system.FREE

Space available for user files.AVAIL

Percentage of total storage occupied by user files.USED PERCENT

Number of files that can be created in this file system.FILES

Number of unused file inodes available in this file system.FFREE

Number of KB a file system preallocates to a file; default: 1,024 KB.Prealloc

Number of KB that X9000 Software will pre-fetch; default: 512 KB.Readahead

Number of KB that X9000 Software pre-fetches under NFS; default: 256 KB.NFS Readahead

Allocation policy assigned on this file system. Defined policies are: ROUNDROBIN,STICKY, DIRECTORY, LOCAL, RANDOM, and NONE. See “File allocation policies”(page 195) for information on these policies.

Default policy

The first segment to which an allocation policy is applied in a file system. If a segmentis not specified, allocation starts on the segment with the most storage space available.

Default start segment

NA.File replicas

NA.Dir replicas

Possible root segment inodes. This value is used internally.Mount Options

Current root segment number, if known. This value is used internally.Root Segment Hint

Possible segment numbers for root segment replicas. This value is used internally.Root Segment Replica(s) Hint

Snapshot strategy, if defined.Snap FileSystem Policy

The following table lists the per-segment output fields reported by ibrix_fs -i.

DescriptionField

Number of segments.SEGMENT

The host that owns the segment.OWNER

Logical volume name.LV_NAME

The current state of the segment (for example, OK or UsageStale).STATE

Default block size, in KB.BLOCK_SIZE

Size of the segment, in GB.CAPACITY (GB)

Free space on this segment, in GB.FREE (GB)

Space available for user files, in GB.AVAIL (GB)

Inodes available on this segment.FILES

Free inodes available on this segment.FFREE

Percentage of total storage occupied by user files.USED%


DescriptionField

Backup host name.BACKUP

Segment type. MIXED means the segment can contain both files and directories.TYPE

Tier to which the segment was assigned.TIER

Last time the segment state was reported.LAST_REPORTED

Host on which the file system is mounted.HOST_NAME

Host mountpoint.MOUNTPOINT

File system access privileges: RO or RW.PERMISSION

Specifies whether the root user is limited to read-only access, regardless of the access setting.Root_RO

Lost+found directoryWhen browsing the contents of X9000 Software file systems, you will see a directory namedlost+found. This directory is required for file system integrity and should not be deleted.

Viewing disk space information from a Linux X9000 clientBecause file systems are distributed among segments on many file serving nodes, disk space utilitiessuch as df must be provided with collated disk space information about those nodes. The FusionManager collects this information periodically and collates it for df.X9000 software includes a disk space utility, ibrix_df, that enables Linux X9000 clients toobtain utilization data for a file system. Execute the following command on any Linux X9000 client:ibrix_df

The following table lists the output fields for ibrix_df.

DescriptionField

File system name.Name

Number of blocks in the file system.CAPACITY

Number of unused blocks of storage.FREE

Number of blocks available for user files.AVAIL

Percentage of total storage occupied by user files.USED PERCENT

Number of files that can be created in the file system.FILES

Number of unused file inodes in the file system.FFREE

Extending a file systemYou can extend a file system from the GUI or the CLI.

NOTE: If a continuous remote replication (CRR) task is running on a file system, the file systemcannot be extended until the CRR task is complete.If the file system uses tiers, verify that no tiering task is running before executing the file systemexpansion commands. If a tiering task is running, the expansion takes priority and the tiering taskis terminated.

Select the file system on the Filesystems top panel, and then select Extend on the Summary bottompanel. The Extend Filesystem dialog box allows you to select the storage to be added to the filesystem. If data tiering is used on the file system, you can also enter the name of the appropriatetier.

Extending a file system 37

On the CLI, use the ibrix_fs command to extend a file system. Segments are added to the fileserving nodes in a round-robin manner. If tiering rules are defined for the file system, the -t optionis required. Avoid expanding a file system while a tiering job is running. The expansion takespriority and the tiering job is terminated.Extend a file system with the logical volumes (segments) specified in LVLIST:ibrix_fs -e -f FSNAME -s LVLIST [-t TIERNAME]

Extend a file system with segments created from the physical volumes in PVLIST:ibrix_fs -e -f FSNAME -p PVLIST [-t TIERNAME]

Extend a file system with specific logical volumes on specific file serving nodes:ibrix_fs -e -f FSNAME -S LV1:HOSTNAME1,LV2:HOSTNAME2...

Extend a file system with the listed tiered segment/owner pairs:ibrix_fs -e -f FSNAME -S LV1:HOSTNAME1,LV2:HOSTNAME2,... -t TIERNAME

Rebalancing segments in a file systemSegment rebalancing involves redistributing files among segments in a file system to balancesegment utilization and server workload. For example, after adding new segments to a file system,you can rebalance all segments to redistribute files evenly among the segments. Usually, you willwant to rebalance all segments, possibly as a cron job. In special situations, you might want torebalance specific segments. Segments marked as bad (that is, segments that cannot be activatedfor some reason) are not candidates for rebalancing.A file system must be mounted when you rebalance its segments.If necessary, you can evacuate segments (or logical volumes) located on storage that will beremoved from the cluster, moving the data on the segments to other segments in the file system.You can evacuate a segment with the GUI or the ibrix_evacuate command. For moreinformation, see the HP IBRIX X9000 Network Storage System CLI Reference Guide or theadministrator guide for your system.

How rebalancing worksDuring a rebalance operation on a file system, files are moved from source segments to destinationsegments. X9000 Software calculates the average aggregate utilization of the selected source


segments, and then moves files from sources to destinations to bring each candidate source segmentas close as possible to the calculated utilization threshold. The final absolute percent usage in thesegments depends on the average file size for the target file system. If you do not specify anysources or destinations for a rebalance task, candidate segments are sorted into sources anddestinations and then rebalanced as evenly as possible.If you specify sources, all other candidate segments in the file system are tagged as destinations,and vice versa if you specify destinations. Following the general rule, X9000 Software will calculatethe utilization threshold from the sources, and then bring the sources as close as possible to thisvalue by evenly distributing their excess files among all destinations. If you specify sources, onlythose segments are rebalanced, and the overflow is distributed among all remaining candidatesegments. If you specify destinations, all segments except the specified destinations are rebalanced,and the overflow is distributed only to the destinations. If you specify both sources and destinations,only the specified sources are rebalanced, and the overflow is distributed only among the specifieddestinations.If there is not enough aggregate room in destination segments to hold the files that must be movedfrom source segments in order to balance the sources, X9000 Software issues an error messageand does not move any files. The more restricted the number of destinations, the higher the likelihoodof this error.When rebalancing segments, note the following:

• To move files out of certain overused segments, specify source segments.

• To move files into certain underused segments, specify destination segments.

• To move files out of certain segments and place them in certain destinations, specify bothsource and destination segments.

Rebalancing segments on the GUISelect the file system on the GUI, expand Active Tasks in the lower Navigator, and select Rebalancer.Select New on the Task Summary panel to open the Start Rebalancing dialog box.

The Rebalancer can determine how to distribute the data, or, if necessary, you can select the sourcesegments, destination segments, or both for the rebalancing task.

Rebalancing segments in a file system 39

Rebalancing segments from the CLITo rebalance all segments, use the following command. Include the -a option to run the rebalanceoperation in analytical mode.ibrix_rebalance -r -f FSNAME

To rebalance by specifying specific source segments, use the following command:ibrix_rebalance -r -f FSNAME [[-s SRCSEGMENTLIST] [-S SRCLVLIST]]

For example, to rebalance segments 2 and 3 only and to specify them by segment name:ibrix_rebalance -r -f ifs1 -s 2,3

To rebalance segments 1 and 2 only and to specify them by their logical volume names:ibrix_rebalance -r -f ifs1 -S ilv1,ilv2

To rebalance by specifying specific destination segments, use the following command:ibrix_rebalance -r -f FSNAME [[-d DESTSEGMENTLIST] [-D DESTLVLIST]]

For example, to rebalance segments 3 and 4 only and to specify them by segment name:ibrix_rebalance -r -f ifs1 -d 3,4

To rebalance segments 3 and 4 only and to specify them by their logical volume names:ibrix_rebalance -r -f ifs1 -D ilv3,ilv4

Tracking the progress of a rebalance taskYou can use the GUI or CLI to track the progress of a rebalance task. As a rebalance taskprogresses, usage approaches an average value across segments, excluding bad segments thatare not candidates for rebalancing or segments containing files that are in heavy use during theoperation.To track the progress of a rebalance task on the GUI, select the file system, and then selectRebalancer from the lower Navigator. The Task Summary displays details about the rebalancetask. Also examine Used (%) on the Segments panel for the file system.To track rebalance job progress from the CLI, use the ibrix_fs -i command. The output listsdetailed information about the file system. The USED% field shows usage per segments.


Viewing the status of rebalance tasksUse the following commands to view status for jobs on all file systems or only on the file systemsspecified in FSLIST:ibrix_rebalance -l [-f FSLIST]

ibrix_rebalance -i [-f FSLIST]

The first command reports summary information. The second command lists jobs by task ID andfile system and indicates whether the job is running or stopped. Jobs that are in the analysis(Coordinator) phase are listed separately from those in the implementation (Worker) phase.

Stopping rebalance tasksYou can stop running or stalled rebalance tasks. If Fusion Manager cannot stop the task for somereason, you can force the task to stop. Stopping a task poses no risks for the file system. The systemcompletes any file migrations that are in process when you issue the stop command. Dependingon when you stop a task, segments might contain more or fewer files than before the operationstarted.To stop a rebalance task on the GUI, select the file system, and then select Rebalancer from thelower Navigator. Click Stop on the Task Summary to stop the task.To stop a task from the CLI, first execute ibrix_rebalance -i to obtain the TASKID, and thenexecute the following command:ibrix_rebalance -k -t TASKID [-F]

To force the task to stop, include the -F option.

Disabling 32-bit mode on a file systemIf your cluster clients are converting from 32-bit to 64-bit applications, you can disable 32-bit modeon the file system, which enables 64-bit mode. (For information about 64-bit mode, see “Using32-bit or 64-bit mode” (page 12).)To determine whether 64-bit mode is enabled on a file system, execute the command ibrix_fs-i. If the output reports Compatible? : No, 64-bit mode is enabled.

NOTE: A file system using 64-bit mode cannot be changed to use 32-bit mode. If there is achance that clients will need to run a 32-bit application, do not disable 32-bit mode.

To disable 32-bit mode, complete these steps:1. Unmount the file system.2. On the GUI, select the file system and click Modify on the Summary bottom panel. On the

Modify Filesystems Properties dialog box, select Disable 32 Bit Compatibility Mode.From the CLI, execute the following command:ibrix_fs -w -f FSNAME

3. Remount the file system.

Deleting file systems and file system components

Deleting a file systemBefore deleting a file system, unmount it from all file serving nodes and clients. (See “Unmountinga file system” (page 21).) Also delete any exports.

CAUTION: When a file system is deleted from the configuration database, its data becomesinaccessible. To avoid unintended service interruptions, be sure you have specified the correct filesystem.

Disabling 32-bit mode on a file system 41

To delete a file system, use the following command:ibrix_fs -d [—R] f FSLIST

For example, to delete file systems ifs1 and ifs2:ibrix_fs -d -f ifs1,ifs2

If data retention is enabled on the file system, include the -R option in the command. For example:ibrix_fs -d -R -f ifs2

Deleting segments, volume groups, and physical volumesWhen deleting segments, volume groups, or physical volumes, you should be aware of the following:

• A segment cannot be deleted until the file system to which it belongs is deleted.

• A volume group cannot be deleted until all segments that were created on it are deleted.

• A physical volume cannot be deleted until all volume groups created on it are deleted.If you delete physical volumes but do not remove the physical storage from the network, the volumesmight be rediscovered when you next perform a discovery scan on the cluster.To delete segments:ibrix_lv -d -s LVLIST

For example, to delete segments ilv1 and ilv2:ibrix_lv -d -s ilv1,ilv2

To delete volume groups:bin/ibrix_vg -d -g VGLIST

For example, to delete volume groups ivg1 and ivg2:ibrix_vg -d -g ivg1,ivg2

To delete physical volumes:ibrix_pv -d -p PVLIST [-h HOSTLIST]

For example, to delete physical volumes d1, d2, and d3:ibrix_pv -d -p d[1-3]

Deleting file serving nodes and X9000 clientsBefore deleting a file serving node, unmount all file systems from it and migrate any segments thatit owns to a different server. Ensure that the file serving node is not serving as a failover standbyand is not involved in network interface monitoring. To delete a file serving node, use the followingcommand:ibrix_server -d -h HOSTLIST

For example, to delete file serving nodes s1.hp.com and s2.hp.com:ibrix_server -d -h s1.hp.com,s2.hp.com

To delete X9000 clients, use the following command:ibrix_client -d -h HOSTLIST

Checking and repairing file systemsThe ibrix_fsck command analyzes inconsistencies in a file system.

CAUTION: Do not run ibrix_fsck in corrective mode without the direct guidance of HP Support.If run improperly, the command can cause data loss and file system damage.

CAUTION: Do not run e2fsck (or any other off-the-shelf fsck program) on any part of a filesystem. Doing this can damage the file system.


The ibrix_fsck command can detect and repair file system inconsistencies. File systeminconsistencies can occur for many reasons, including hardware failure, power failure, switchingoff the system without proper shutdown, and failed migration.The command runs in four phases and has two running modes: analytical and corrective. You mustrun the phases in order and you must run all of them:

• Phase 0 checks host connectivity and the consistency of segment byte blocks and repairs themin corrective mode.

• Phase 1 checks segments and repairs them in corrective mode. Results are stored locally.

• Phase 2 checks the file system and repairs it in corrective mode. Results are stored locally.

• Phase 3 moves files from lost+found on each segment to the global lost+found directoryon the root segment of the file system.

If a file system shows evidence of inconsistencies, contact HP Support. A representative will askyou to run ibrix_fsck in analytical mode and, based on the output, will recommend a courseof action and assist in running the command in corrective mode. HP strongly recommends that youuse corrective mode only with the direct guidance of HP Support. Corrective mode is complex anddifficult to run safely. Using it improperly can damage both data and the file system. Analyticalmode is completely safe, by contrast.

NOTE: During an ibrix_fsck run, an INFSCK flag is set on the file system to protect it. If anerror occurs during the job, you must explicitly clear the INFSCK flag (see “Clearing the INFSCKflag on a file system” (page 44)), or you will be unable to mount the file system.

Analyzing the integrity of a file system on all segmentsObserve the following requirements when executing ibrix_fsck:

• Unmount the file system for phases 0 and 1 and mount the file system for phases 2 and 3.

• Turn off automated failover by executing ibrix_host -m -U -h SERVERNAME.

• Unmount all NFS clients and stop NFS on the servers.Use the following procedure to analyze file system integrity:Runs phase 0 in analytic mode:ibrix_fsck -p 0 -f FSNAME [-s LVNAME] [-c]

The command can be run on the specified file system or optionally only on the specified segmentLVNAME.Run phase 1 in analytic mode:ibrix_fsck -p 1 -f FSNAME [-s LVNAME] [-c] [-B BLOCKSIZE] [-bALTSUPERBLOCK]

The command can be run on file system FSNAME or optionally only on segment LVNAME. Thisphase can be run with a specified block size and an alternate superblock number. For example:ibrix_fsck -p 1 -f ifs1 -B 4096 -b 12250

NOTE: If phase 1 is run in analytic mode on a mounted file system, false errors can be reported.

Checking and repairing file systems 43

Run phase 2:ibrix_fsck -p 2 -f FSNAME [-s LVNAME] [-c] [-o "options"]

The command can be run on the specified file system or optionally only on segment LVNAME. Use-o to specify any options.Run phase 3:ibrix_fsck -p 3 -f FSNAME [-c]

Clearing the INFSCK flag on a file systemTo clear the INFSCK flag, use the following command:ibrix_fsck -f FSNAME -C

Troubleshooting file systems

ibrix_pv -a discovers too many or too few devicesThis situation occurs when file serving nodes see devices multiple times. To prevent this, modifythe LVM2 filter in /etc/lvm/lvm.conf to filter only on devices used by X9000 Software. Thiswill change the output of lvmdiskscan.By default, the following filter finds all devices:filter = [ "a/.*/" ]

The following filter finds all sd devices:filter = [ "a|^/dev/sd.*|", "r|^.*|" ]

Contact HP Support if you need assistance.

Cannot mount on an X9000 clientVerify the following:

• The file system is mounted and functioning on the file serving nodes.

• The mountpoint exists on the X9000 client. If not, create the mountpoint locally on the client.

• Software management services have been started on the X9000 client (see “Starting andstopping processes” in the administrator guide for your system).

NFS clients cannot access an exported file systemAn exported file system has been unmounted from one or more file serving nodes, causing X9000software to automatically disable NFS on those servers. Fix the issue causing the unmount andthen remount the file system.

User quota usage data is not being updatedRestart the quota monitor service to force a read of all quota usage data and update usage countsto the file serving nodes in your cluster. Use the following command:ibrix_qm restart


File system alert is displayed after a segment is evacuatedWhen a segment is successfully evacuated, a segment unavailable alert is displayed in the GUIand attempts to mount the file system will fail. There are several options at this point:

• Mark the evacuated segment as bad (retired), using the following command. The file systemstate changes to okay and the file system can now be mounted. However, the operationmarking the segment as bad cannot be reversed.ibrix_fs -B -f FSNAME {-n RETIRED_SEGNUMLIST | -s RETIRED_LVLIST}

• Keep the evacuated segment in the file system. Take one of the following steps to enablemounting the file system:

◦ Use the force option (-X) when mounting the file system:ibrix_mount –f myFilesystem –m /myMountpoint –X

◦ Clear the “unavailable segment” flag on the file system with the ibrix_fsck commandand then mount the file system normally:ibrix_fsck -f FSNAME -C -s LVNAME_OF_EVACUATED_SEG

SegmentNotAvailable is reportedWhen writes to a segment do not succeed, the segment status may change toSegmentNotAvailable on the GUI and an alert message may be generated. To correct thissituation, take the following steps:1. Identify the file serving node that owns the segment. This information is reported on the

Filesystem Segments panel on the GUI.2. Fail over the file serving node to its standby. See the administration guide for your system for

more information about this procedure.3. Reboot the file serving node.4. When the file serving node is up, verify that the segment, or LUN, is available.If the segment is still not available, contact HP Support.

SegmentRejected is reportedThis alert is generated by a client call for a segment that is no longer accessible by the segmentowner or file serving node specified in the client's segment map. The alert is logged to the Iad.logand messages files. It is usually an indication of an out-of-date or stale segment map for the affectedfile system and is caused by a network condition. Other possible causes are rebooting the node,unmounting the file system on the node, segment migrations, and, in a failover scenario, stale IAD,an unresponsive kernel, or a network RPC condition.To troubleshoot this alert, check network connectivity among the nodes, ensuring that the networkis optimal and any recent network conditions have been resolved. From the file system perspective,verify segment maps by comparing the file system generation numbers and the ownership for thosesegments being rejected by the clients.Use the following commands to compare the file system generation number on the local file servingnodes and the clients logging the error./usr/local/ibrix/bin/rtool enumseg <FSNAME> <SEGNUMBER>

For example:rtool enumseg ibfs1 3segnum=3 of 4 ----------- fsid ........................... 7b3ea891-5518-4a5e-9b08-daf9f9f4c027 fsname ......................... ibfs1 device_name .................... /dev/ivg3/ilv3 host_id ........................ 1e9e3a6e-74e4-4509-a843-c0abb6fec3a6 host_name ...................... ib50-87 <-- Verify owner of segment ref_counter .................... 1038

Troubleshooting file systems 45

state_flags .................... SEGMENT_LOCAL SEGMENT_PREFERED SEGMENT_DHB <SEGMENT_ ORPHAN_LIST_CREATED (0x00100061) write_WM ....................... 99129 4K-blocks (387 Mbytes) create_WM ...................... 793033 4K-blocks (3097 Mbytes) spillover_WM ................... 892162 4K-blocks (3485 Mbytes) generation ..................... 26 quota .......................... usr,grp,dir f_blocks ....................... 0011895510 4K-blocks (==0047582040 1K-blocks, 46466 M) f_bfree ........................ 0011785098 4K-blocks (==0047140392 1K-blocks, 46035 M) f_bused ........................ 0000110412 4K-blocks (==0000441648 1K-blocks, 431 M) f_bavail ....................... 0011753237 4K-blocks (==0047012948 1K-blocks, 45911 M) f_files ........................ 6553600 f_ffree ........................ 6552536 used files (f_files - f_ffree).. 1064 Segment statistics for 690812.89 seconds : n_reads=0, kb_read=0, n_writes=0, kb_written=0, n_creates=2, n_removes=0

Also run the following command:/usr/local/ibrix/bin/rtool enumfs <FSNAME>

For example:rtool enumfs ibfs11:---------------- fsname ......................... ibfs1 fsid ........................... 7b3ea891-5518-4a5e-9b08-daf9f9f4c027 fsnum .......................... 1 fs_flags........................ operational total_number_of_segments ....... 4 mounted ........................ TRUE ref_counter .................... 6 generation ..................... 26 <–– FS generation number for comparison alloc_policy.................... RANDOM dir_alloc_policy................ NONE cur_segment..................... 0 sup_ap_on....................... NONE local_segments ................. 3 quota .......................... usr,grp,dir f_blocks ....................... 0047582040 4K-blocks (==0190328160 1K-blocks) f_bfree ........................ 0044000311 4K-blocks (==0176001244 1K-blocks) f_bused ........................ 0003581729 4K-blocks (==0014326916 1K-blocks) f_bavail ....................... 0043872867 4K-blocks (==0175491468 1K-blocks) f_files ........................ 26214400 f_ffree ........................ 26212193 used files (f_files - f_free)... 2207 FS statistics for 0.0 seconds : n_reads=0, kb_read=0, n_writes=0, kb_written=0, n_creates=0, n_removes=0

Use the output to determine whether the FS generation number is in sync and whether the fileserving nodes agree on the ownership of the rejected segments. In the rtool enumseg output,check the state_flags field for SEGMENT_IN_MIGRATION, which indicates that the segmentis stuck in migration because of a failover.Typically, if the segment has a healthy state flag on the file serving node that owns the segmentand all file serving nodes agree on the owner of the segment, this is not a file system or file servingnode issue. If a state flag is stale or indicates that a segment is in migration, call HP Support fora recovery procedure.Otherwise, the alert indicates a file system generation mismatch. Take the following steps to resolvethis situation:1. From the active Fusion Manager, run the following command to propagate a new file system

segment map throughout the cluster. This step takes a few minutes.ibrix_dbck -I -f <FSNAME>

2. If problems persist, try restarting the client's IAD:/usr/local/ibrix/init/ibrix_iad restart


ibrix_fs -c failed with "Bad magic number in super-block"If a file system creation command fails with an error such as the following, the command may havefailed to preformat the LUN.# ibrix_fs -c -f fs1 -s seg1_4Calculated owner for seg1_4 : glory22failed command (/usr/local/ibrix/bin/tuneibfs -F3e2a9657-fc8b-46b2-96b0-1dc27e8002f3 -H glory2 -G 1 -N 1 -S fs1 -R 1/dev/vg1_4/seg1_4 2>&1) status (1) output: (/usr/local/ibrix/bin/tuneibfs: Badmagic number in super-block while trying to open /dev/vg1_4/seg1_4 Couldn'tfind valid filesystem superblock. /usr/local/ibrix/bin/tuneibfs 5.3.461 RpcVersion:5 Rpc Ports base=IBRIX_PORTS_BASE (Using EXT2FS Library version 1.32.1)[ipfs1_open] reading superblock from blk 1 )

Iad error on host glory2

To work around the problem, recreate the segment on the failing LUN. To identify the LUN associatedwith the failure, run a command such as the following on the first server in the system:# ibrix_pv -l -h glory2PV_NAME SIZE(MB) VG_NAME DEVICE RAIDTYPE RAIDHOST RAIDDEVICE------- -------- ------- --------------- -------- -------- ----------d1 131070 vg1_1 /dev/mxso/dev4a d2 131070 vg1_2 /dev/mxso/dev5a d3 131070 vg1_3 /dev/mxso/dev6a d5 23551 vg1_5 /dev/mxso/dev8a d6 131070 vg1_4 /dev/mxso/dev7a

The Device column identifies the LUN number. In this example, the volume group vg1_4 is createdfrom LUN 7. Recreate the segment and then run the file system creation command again.

Troubleshooting file systems 47

5 Using NFSTo allow NFS clients to access an X9000 file system, the file system must be exported. You canexport a file system using the GUI or CLI. By default, X9000 file systems and directories followPOSIX semantics and file names are case-sensitive for Linux/NFS users. If you prefer to use Windowssemantics for Linux/NFS users, you can make a file system or subdirectory case-insensitive.

Exporting a file systemExporting a file system makes local directories available for NFS clients to mount. The FusionManager manages the table of exported file systems and distributes the information to the /etc/exports files on the file serving nodes. All entries are automatically re-exported to NFS clientsand to the file serving node standbys unless you specify otherwise.On the exporting file serving node, configure the number of NFS server threads based on theexpected workload. The default is 8 threads. If the node will service many clients, you can increasethe value to 16 or 64. To configure server threads, use the following command to change thedefault value of RPCNFSDCOUNT in the /etc/sysconfig/nfs file from 8 to 16 or 64.ibrix_host_tune –C –h HOSTS –o nfsdCount=64

A file system must be mounted before it can be exported.

NOTE: When configuring options for an NFS export, do not use the no_subtree_checkoption. This option is not compatible with the X9000 software.

Export a file system using the GUIUse the Add a New File Share Wizard to export a file system. Select File Shares from the Navigator,and click Add on the File Shares panel to open the wizard. On the File Share window, select thefile system to be exported, select NFS as the file sharing protocol, and enter the export path.

48 Using NFS

Use the Settings window to specify the clients allowed to access the share. Also select the permissionand privilege levels for the clients, and specify whether the export should be available from abackup server.

The Advanced Settings window allows you to set NFS options on the share.

On the Host Servers window, select the servers that will host the NFS share. By default, the shareis hosted by all servers that have mounted the file system.

Exporting a file system 49

The Summary window shows the configuration of the share. You can go back and revise theconfiguration if necessary. When you click Finish, the export is created and appears on the FileShares panel.

Export a file system using the CLITo export a file system from the CLI, use the ibrix_exportfs command:ibrix_exportfs -f FSNAME -h HOSTNAME -p CLIENT1:PATHNAME1,CLIENT2:PATHNAME2,..[-o "OPTIONS"] [-b]

The options are as follows:

DescriptionOption

The file system to be exported.–f FSNAME

The file serving node containing the file system to be exported.-h HOSTNAME

The clients that will access the file system can be a single file serving node, fileserving nodes represented by a wildcard, or the world (:/PATHNAME). Note that

-p CLIENT1:PATHNAME1,CLIENT2:PATHNAME2,..

world access omits the client specification but not the colon (for example, :/usr/src).

The default Linux exportfs mount options are used unless specific options areprovided. The standard NFS export options are supported. Options must be enclosed

-o "OPTIONS"

in double quotation marks (for example, -o "ro"). Do not enter an FSID= orsync option; they are provided automatically.

By default, the file system is exported to the NFS client’s standby. This optionexcludes the standby for the file serving node from the export.

-b

For example, to provide NFS clients *.hp.com with read-only access to file system ifs1 at thedirectory /usr/src on file serving node s1.hp.com:ibrix_exportfs -f ifs1 -h s1.hp.com -p *.hp.com:/usr/src -o "ro"

To provide world read-only access to file system ifs1 located at /usr/src on file serving nodes1.hp.com:ibrix_exportfs -f ifs1 -h s1.hp.com -p :/usr/src -o "ro"

50 Using NFS

Unexporting a file systemA file system should be unexported before it is unmounted. On the GUI, select the file system, selectNFS Exports from the lower Navigator, and then select Unexport.On the CLI, use the following command:ibrix_exportfs -f FSNAME -U -h HOSTNAME -p CLIENT:PATHNAME [-b]

Using case-insensitive file systemsBy default, X9000 file systems and directories follow POSIX semantics and file names arecase-sensitive for Linux/NFS users. (File names are always case-insensitive for Windows clients.)If you prefer to use Windows semantics for Linux/NFS users, you can make a file system orsubdirectory case-insensitive. Doing this prevents a Linux/NFS user from creating two files thatdiffer only in case (such as foo and FOO). If Windows users are accessing the directory, two fileswith the same name but different case might be confusing, and the Windows users may be ableto access only one of the files.

CAUTION: Caution is advised when using this feature. It breaks POSIX semantics and can causeproblems for Linux utilities and applications.

Before enabling the case-insensitive feature, be sure the following requirements are met:

• The file system or directory must be created under the X9000 File Serving Software 6.0 orlater release.

• The file system must be mounted.

Setting case insensitivity for all users (NFS/Linux/Windows)The case-insensitive setting applies to all users of the file system or directory.Select the file system on the GUI, expand Active Tasks in the lower Navigator, and select CaseInsensitivity On the Task Summary bottom panel, click New to open the New Case InsensitivityTask dialog box. Select the appropriate action to change case insensitivity.

NOTE: When specifying a directory path, the best practice is to change case insensitivity at theroot of a CIFS share and to avoid mixed case insensitivity in a given share.

Using case-insensitive file systems 51

To set case insensitivity from the CLI, use the following command:ibrix_caseinsensitive -s -f FSNAME -c [ON|OFF] -p PATH

Viewing the current setting for case insensitivitySelect Report Current Case Insensitivity Setting on the New Case Insensitivity Task dialog box toview the current setting for a file system or directory.Click Perform Recursively to see the status for all descendent directories of the specified file systemor directory.From the CLI, use the following command to determine whether case-insensitivity is set on a filesystem or directory:ibrix_caseinsensitive -i -f FSNAME -p PATH [-r]

The -r option includes all descendent directories of the specified path.

Clearing case insensitivity (setting to case sensitive) for all users (NFS/Linux/Windows)When you set the directory tree to be case insensitive OFF, the directory and all recursivesubdirectories are again case sensitive, restoring the POSIX semantics for Linux users.

Log filesA new task is created when you change case insensitivity or query its status recursively. A log fileis created for each task and an ID is assigned to the task. The log file is placed in the directory/usr/local/ibrix/log/case_insensitive on the server specified as the coordinatingserver for the task. Check that server for the log file.

NOTE: To verify the coordinating server, select File System > Inactive Tasks. Then select the taskID from the display and select Details.

The log file names have the format IDtask.log, such as ID26.log.The following sample log file is for a query reporting case insensitivity:0:0:26275:Reporting Case Insensitive status for the following directories1:0:/fs_test1/samename-T: TRUE

52 Using NFS

2:0:/fs_test1/samename-T/samename: TRUE2:0:DONE

The next sample log file is for a change in case insensitivity:0:0:31849:Case Insensitivity is turned ON for the following directories1:0:/fs_test2/samename-true2:0:/fs_test2/samename-true/samename3:0:/fs_test2/samename-true/samename/samename-snap3:0:DONE

The first line of the output contains the PID for the process and reports the action taken. The firstcolumn specifies the number of directories visited. The second column specifies the number of errorsfound. The third column reports either the results of the query or the directories where caseinsensitivity was turned on or off.

Displaying and terminating a case insensitivity taskTo display a task, use the following command:# ibrix_task -l

For example:# ibrix_task -lTASK ID TYPE FILE SYSTEM SUBMITTED BY TASK STATUS IS COMPLETED? EXIT STATUS STARTED AT ENDED AT----------- ------- ----------- -------------------- ----------- ------------- ----------- --------------

------- --------caseins_237 caseins fs_test1 root from Local Host STARTING No Jun 17, 2011

11:31:38

To terminate a task, run the following command and specify the task ID:# ibrix_task -k -n <task ID>

For example:# ibrix_task -k -n caseins_237

Case insensitivity and operations affecting directoriesA newly created directory retains the case-insensitive setting of its parent directory. When you usecommands and utilities that create a new directory, that directory has the case-insensitive settingof its parent. This situation applies to the following:

• Windows or Mac copy and paste

• tar/untar

• compress/uncompress

• cp -R

• rsync

• Remote replication

• xcopy

• robocopy

• Restoring directories and folders from snapshotsThe case-insensitive setting of the source directories is not retained on the destination directories.Instead, the setting for the destination file system is applied. However, if you use a command suchas the Linux mv command, a Windows drag and drop operation, or a Mac uncompress operation,a new directory is not created, and the affected directory retains its original case-insensitive setting.

Using case-insensitive file systems 53

6 Configuring authentication for CIFS, FTP, and HTTPX9000 software supports several services for authenticating users accessing shares on X9000 filesystems:

• Active Directory (supported for CIFS, FTP, and HTTP)

• Active Directory with LDAP ID mapping as a secondary lookup source (supported for CIFS)

• LDAP (supported for CIFS)

• Local Users and Groups (supported for CIFS, FTP, and HTTP)Local Users and Groups can be used with Active Directory or LDAP.

NOTE: Active Directory and LDAP cannot be used together.

You can configure authentication from the GUI or CLI. When you configure authentication withthe GUI, the selected authentication services are configured on all servers. The CLI commandsallow you to configure authentication differently on different servers.

Using Active Directory with LDAP ID mappingWhen LDAP ID mapping is a secondary lookup method, the system reads CIFS client UIDs andGIDs from LDAP if it cannot locate the needed ID in an AD entry. The name in LDAP must matchthe name in AD without respect for case or pre-appended domain.If the user configuration differs in LDAP and Windows AD, the LDAP ID mapping feature uses theAD configuration. For example, the following AD configuration specifies that the primary groupfor user1 is Domain Users, but in LDAP, the primary group is group1.

LDAP ConfigurationAD configuration

user1uid:user1user:

1010uidNumber:Domain Usersprimary group:

1001 (group1)gidNumber:not specifiedUNIX uid:

Domain Userscn:not specifiedUNIX gid:

1111gidNumber:

The Linux id command returns the primary group specified in LDAP:user: user1primary group: group1 (1001)

LDAP ID mapping uses AD as the primary source for identifying the primary group and allsupplemental groups. If AD does not specify a UNIX GID for a user, LDAP ID mapping looks upthe GID for the primary group assigned in AD. In the example, the primary group assigned in ADis Domain Users, and LDAP ID mapping looks up the GID of that group in LDAP. The lookupoperation returns:user: user1primary group: Domain Users (1111)

AD does not force the supplied primary group to match the supplied UNIX GID.The supplemental groups assigned in AD do not need to match the members assigned in LDAP.LDAP ID mapping uses the members list assigned in AD and ignores the members list configuredin LDAP.

54 Configuring authentication for CIFS, FTP, and HTTP

Using LDAP as the primary authentication method

Requirements for LDAP users and groupsX9000 supports only OpenLDAP. If you are using LDAP or LDAP ID mapping for authentication,follow these requirements when setting up users and groups:

• UID and GID values cannot be set to less than 1.

• Use the uid schema attribute to add user account names.

• Use the cn schema attribute to add group account names.

• UID and GIDs must be stored in UidNumber and GidNumber schema attributes.

Configuring LDAP for X9000 softwareTo configure LDAP, complete the following steps:1. Update a configuration template on the remote LDAP server.2. Run the configuration script on the remote LDAP server.3. Configure LDAP authentication on the cluster nodes.

Update the template on the remote LDAP serverOpenLDAP ships with three configuration templates:

• customized-schema-template.conf

• samba-schema-template.conf

• posix-schema-template.conf

Make a copy of the template corresponding to the schema your LDAP server supports, and updatethe copy with your configuration information.Customized template. Provide values (equivalent names) for all virtual attributes in the configuration.For example:mandatory; virtual; uid; your-schema-equivalent-of-uidoptional; virtual; homeDirectory; your-schema-equivalent-of-homeDirectory

Samba template. Enter the required attributes for Samba/POSIX templates. You can use the defaultvalues specified in the “Map (mandatory) variables” and “Map (Optional) variables” sections ofthe template.POSIX template. Enter the required attributes for Samba/POSIX templates. Also remove or commentout the following virtual attributes:# mandatory; virtual; SID;sambaSID# mandatory; virtual; PrimaryGroupSID;sambaPrimaryGroupSID# mandatory; virtual; sambaGroupMapping;sambaGroupMapping

Required attributes for Samba/POSIX templates

DescriptionValueNonvirtual attributename

Helps identify the configuration version uploaded. Potentiallyused for reports, audit history, and troubleshooting.

Any arbitrary stringVERSION

A FQDN or IP. Typically, it is a front-ended switch or an IPLDAP proxy/balancer name/address for multiple backendhigh-availability LDAP servers.

IP Address stringLDAPServerHost

The LDAP OU (organizational unit) to which configurationentries can be written. This OU must exist on the server andmust be readable and writable using LDAPWriteDN.

Writable OU name stringLdapConfigurationOU

Using LDAP as the primary authentication method 55

DescriptionValueNonvirtual attributename

Limited write DN credentials. HP recommends that you do notuse cn=Manager credentials. Instead, use an account DN with

DN name stringLdapWriteDN

very restricted write permissions to the LdapConfigurationOUand beneath.

Password for the LdapWriteDN account.Unencrypted password string.LDAP encrypts the string onstorage.

LDAPWritePassword

Supported schema for the OpenLDAP server.Samba, posix, or user definedschema

schematype

Run the configuration script on the remote LDAP serverThe X9000 gen_ldap-lwtools.sh script performs the configuration based on the template youupdated (UserConf.conf in the examples). Run the following command to validate your changes:sh /opt/likewise/bin/gen_ldap-lwtools.sh UserConf.conf –v

If the configuration looks okay, run the command with added security by removing all temporaryfiles:sh /opt/likewise/bin/gen_ldap-lwtools.sh UserConf.conf -rm

If you need to troubleshoot the configuration, run the command as follows:sh /opt/likewise/bin/gen_ldap-lwtools.sh UserConf.conf

Configure LDAP authentication on the cluster nodesYou can configure LDAP authentication from the GUI, as described in the next section, or by usingthe ibrix_ldapconfig command (see “Configuring LDAP” (page 65).

Configuring authentication from the GUIYou can use the Authentication Wizard to perform the initial configuration or to modify it at a latertime. Select Cluster Configuration > File Sharing Authentication from the Navigator to open theFile Sharing Authentication Settings panel. This panel shows the current authentication configurationon each server.

Click Authentication Wizard to start the wizard. On the Configure Options page, select theauthentication service to be applied to the servers in the cluster.


The wizard displays the configuration pages corresponding to the option you selected.

• Active Directory. See “Active Directory” (page 57).

• LDAP. See “LDAP” (page 59).

• LDAP ID Mapping. See “LDAP ID mapping” (page 58).

• Local Groups. See “Local Groups” (page 61).

• Local Users. See “Local Users” (page 62).

• Share Administrators. See “Windows Share Administrators” (page 64).

• Summary. See “Summary” (page 64).

Active DirectoryEnter your domain name, the Auth Proxy username (an AD domain user with privileges to join thespecified domain; typically a Domain Administrator), and the password for that user. Thesecredentials are used only to join the domain and do not persist on the cluster nodes. Optionally,you can enable Linux static user mapping; for more information see “Linux static user mappingwith Active Directory” (page 83).

NOTE: When you successfully configure Active Directory authentication, the machine is part ofthe domain until you remove it from the domain, either with the ibrix_auth -n command orwith Windows tools. Because Active Directory authentication is a one-time event, it is not necessaryto update authentication if you change the proxy user information.

Configuring authentication from the GUI 57

If you want to use LDAP ID mapping as a secondary lookup for Active Directory, select Enabledwith LDAP ID Mapping and AD in the Linux Static User Mapping field. When you click Next, theLDAP ID Mapping dialog box appears.

LDAP ID mappingIf the system cannot locate a UID/GID in Active Directory, it searches for the UID/GID in LDAP.On the LDAP ID Mapping dialog box, specify the appropriate search parameters.


Enter the following information on the dialog box:

Enter the server name or IP address of the LDAP server host.LDAP Server Host

Enter the LDAP server port (TCP port 389 for unencrypted or TLS encrypted; 636 for SSL encrypted).Port

Enter the LDAP base for searches. This is normally the root suffix of the directory, but you canprovide a base lower down the tree for business rules enforcement, ACLs, or performance reasons.For example, ou=people,cd=enx,dc=net.

Base of Search

Enter the LDAP user account used to authenticate to the LDAP server to read data. This accountmust have privileges to read the entire directory. Write credentials are not required. For example,scn=hpx9000-readonly-user,dc=enxt,dc=net.

Bind DN

Enter the password for the LDAP user account.Password

Enter the maximum number of entries to return from the search (the default is 10). Enter 0 (zero)for no limit.

Max Entries

Enter the local maximum search time-out value in seconds. This value determines how long theclient will wait for search results.

Max Wait Time

Select the level of entries to search:LDAP Scope• base: search the base level entry only

• sub: search the base level entry and all entries in sub-levels below the base entry

• one: search all entries in the first level below the base entry, excluding the base entry

If LDAP searches should be case sensitive, check this box.Namesearch CaseSensitivity

LDAPEnter the server name or IP address of the LDAP server host and the password for the LDAP useraccount.

NOTE: LDAP cannot be used with Active Directory.


Enter the following information in the remaining fields:

Enter the LDAP user account used to authenticate to the LDAP server to read data, such ascn=hpx9000-readonly-user,dc=enxt,dc=net. This account must have privileges to readthe entire directory. Write credentials are not required.

Bind DN

Enter the OU (organizational unit) on the LDAP server to which configuration entries can be written.This OU must be pre-provisioned on the remote LDAP server. The LDAPBindDN credentials must be

Write OU

able to read (but not write) from the LDAPWriteOU. For example,ou=x9000Config,ou=configuration,dc=enxt,dc=net.

This is normally the root suffix of the directory, but you can provide a base lower down the tree forbusiness rules enforcement, ACLs, or performance reasons. For example,ou=people,cd=enx,dc=net.

Base of Search

Enter any string that identifies the X9000 host, such as X9000.NetBIOS Name

If your LDAP configuration requires a certificate for secure access, click Edit to open the LDAPdialog box. You can enter a TLS or SSL certificate. When no certificate is used, the Enable SSLfield shows Neither TLS or SSL.


NOTE: If LDAP is the primary authentication service, Windows clients such as Explorer or MMCplugins cannot be used to add new users.

Local GroupsSpecify local groups allowed to access shares. On the Local Groups page, enter the group nameand, optionally, the GID and RID. If you do not assign a GID and RID, they are generatedautomatically. Click Add to add the group to the list of local groups. Repeat this process to addother local groups.When naming local groups, you should be aware of the following:

• Group names must be unique. The new name cannot already be used by another user orgroup.

• The following names cannot be used: administrator, guest, root.


NOTE: If Local Users and Groups is the primary authentication service, Windows clients such asExplorer or MMC plugins cannot be used to add new users.

Local UsersSpecify local users allowed to access shares. On the Local Users page, enter a user name andpassword. Click Add to add the user to the Local Users list.When naming local users, you should be aware of the following:

• User names must be unique. The new name cannot already be used by another user or group.

• The following names cannot be used: administrator, guest, root.


To provide account information for the user, click Advanced. The default home directory is /home/<username> and the default shell program is /bin/false.


NOTE: If Local Users and Groups is the primary authentication service, Windows clients such asExplorer or MMC plugins cannot be used to add new users.

Windows Share AdministratorsIf you will be using the Windows Share Management MMC plug-in to manage CIFS shares, enteryour share administrators on this page. You can skip this page if you will be managing sharesentirely from the X9000 Management Console.

To add an Active Directory or LDAP share administrator, enter the administrator name (such asdomain\user1 or domain\group1) and click Add to add the administrator to the WindowsShare Administrators list.To add an existing Local User as a share administrator, select the user and click Add.

SummaryThe Summary page shows the authentication configuration. You can go back and revise theconfiguration if necessary. When you click Finish, authentication is configured, and the detailsappear on the File Sharing Authentication panel.

Viewing or changing authentication settingsExpand File Sharing Authentication in the lower Navigator, and then select an authenticationservice to display the current configuration for that service. On each panel, you can start theAuthentication Wizard and modify the configuration if necessary.


You cannot change the UID or RID for a Local User account. If it is necessary to change a UID orRID, first delete the account and then recreate it with the new UID or RID. The Local Users andLocal Groups panels allow you to delete the selected user or group.

Configuring authentication from the CLIYou can configure Active Directory, LDAP, LDAP ID mapping, or Local Users and Groups.

Configuring Active DirectoryTo configure Active Directory authentication, use the following command:ibrix_auth -n DOMAIN_NAME –A AUTH_PROXY_USER_NAME@domain_name [-P AUTH_PROXY_PASSWORD] [-S SETTINGLIST] [-h HOSTLIST]

RFC2307 is the protocol that enables Linux static user mapping with Active Directory. To enableRFC2307 support, use the following command:ibrix_cifsconfig -t [-S SETTINGLIST] [-h HOSTLIST]

Enable RFC2307 in the SETTINGLIST as follows:rfc2307_support=rfc2307

For example:ibrix_cifsconfig -t -S "rfc2307_support=rfc2307"

To disable RFC2307, set rfc2307_support to unprovisioned. For example:ibrix_cifsconfig -t -S "rfc2307_support=unprovisioned"

IMPORTANT: After making configuration changes with the ibrix_cifsconfig -t -Scommand, use the following command to restart the CIFS services on all nodes affected by thechange.ibrix_server –s –t cifs –c restart [–h SERVERLIST]

Clients will experience a temporary interruption in service during the restart.

Configuring LDAPUse the ibrix_ldapconfig command to configure LDAP as the authentication service for CIFSshares.

IMPORTANT: Before using ibrix_ldapconfig to configure LDAP on the cluster nodes, youmust configure the remote LDAP server. For more information, see “Configuring LDAP for X9000software” (page 55).

Add an LDAP configuration and enable LDAP:

Configuring authentication from the CLI 65

ibrix_ldapconfig -a -h LDAPSERVERHOST [-P LDAPSERVERPORT] -b LDAPBINDDN-p LDAPBINDDNPASSWORD -w LDAPWRITEOU -B LDAPBASEOFSEARCH -n NETBIOS -EENABLESSL [-f CERTFILEPATH] [-c CERTFILECONTENTS]

The options are:

The LDAP server host (server name or IP address).-h LDAPSERVERHOST

The LDAP server port.-P LDAPSERVERPORT

The LDAP bind Distinguished Name. For example:cn=hpx9000-readonly-user,dc=enxt,dc=net.

-b LDAPBINDDN

The LDAP bind password.-p LDAPBINDDNPASSWORD

The LDAP write Organizational Unit, or OU (for example,ou=x9000Config,,ou=configuration,dc=enxt,dc=net).

-w LDAPWRITEOU

The LDAP base for searches (for example, ou=people,cd=enx,dc=net).-B LDAPBASEOFSEARCH

The NetBIOS name, such as X9000.-n NETBIOS

The type of certificate required. Enter 0 for no certificate, 1 for TLS, or 2 for SSL.-E ENABLESSL

The path to the TLS or SSL certificate file, such as /usr/local/ibrix/ldap/key.pem.

-f CERTFILEPATH

The contents of the certificate file. Copy the contents and paste them between quotes.-c CERTFILECONTENTS

Modify an LDAP configuration:ibrix_ldapconfig -m -h LDAPSERVERHOST [-P LDAPSERVERPORT] [e|D] [-bLDAPBINDDN] [-p LDAPBINDDNPASSWORD] [-w LDAPWRITEOU] [-BLDAPBASEOFSEARCH] [-n NETBIOS] [-E ENABLESSL] [-f CERTFILEPATH] [-cCERTFILECONTENTS]

View the LDAP configuration:ibrix_ldapconfig -i

Delete LDAP settings for an LDAP server host:ibrix_ldapconfig -d -h LDAPSERVERHOST

Enable LDAP:ibrix_ldapconfig -e -h LDAPSERVERHOST

Disable LDAP:ibrix_ldapconfig -D -h LDAPSERVERHOST

Configuring LDAP ID mappingUse the ibrix_ldapidmapping command to configure LDAP ID mapping as a secondary lookupsource for Active Directory. LDAP ID mapping can be used only for CIFS shares.Add an LDAP ID mapping:ibrix_ldapidmapping -a -h LDAPSERVERHOST -B LDAPBASEOFSEARCH [-PLDAPSERVERPORT] [-b LDAPBINDDN] [-p LDAPBINDDNPASSWORD] [-m MAXWAITTIME][-M MAXENTRIES] [-n] [-s] [-o] [-u]

This command automatically enables LDAP RFC 2307 ID Mapping. The options are:

The LDAP server host (server name or IP address).-h LDAPSERVERHOST

The LDAP base for searches (for example, ou=people,cd=enx,dc=net).-B LDAPBASEOFSEARCH

The LDAP server port (TCP port 389).-P LDAPSERVERPORT

The LDAP bind Distinguished Name (the default is anonymous). For example:cn=hpx9000-readonly-user,dc=enxt,dc=net.

-b LDAPBINDDN


The LDAP bind password.-p LDAPBINDDNPASSWORD

The maximum amount of time to allow the search to run.-m MAXWAITTIME

The maximum number of entries (the default is 10).-M MAXENTRIES

Case sensitivity for name searches (the default is false, or case-insensitive).-n

Search the LDAP scope base (search the base level entry only).-s

LDAP scope one (search all entries in the first level below the base entry, excludingthe base entry).

-o

LDAP scope sub (search the base-level entries and all entries below the base level).-u

Display information for LDAP ID mapping:ibrix_ldapidmapping -i

Enable an existing LDAP ID mapping:ibrix_ldapidmapping -e -h LDAPSERVERHOST

Disable an existing LDAP ID mapping:ibrix_ldapidmapping -d -h LDAPSERVERHOST

Configuring Local Users and Groups authenticationUse ibrix_auth to configure Local Users authentication. Use ibrix_localusers andibrix_localgroups to manage user and group accounts.Configure Local Users authentication:ibrix_auth -N [-h HOSTLIST]

Be sure to create a local user account for each user that will be accessing CIFS, FTP, or HTTPshares, and create at least one local group account for the users. The account information is storedinternally in the cluster.Add a Local User account:ibrix_localusers -a -u USERNAME -g DEFAULTGROUP -p PASSWORD [-h HOMEDIR][-s SHELL] [-i USERINFO] [-U USERID] [-S RID] [-G GROUPLIST]

Modify a Local User account:ibrix_localusers -m -u USERNAME [-g DEFAULTGROUP] [-p PASSWORD] [-hHOMEDIR] [-s SHELL] [-i USERINFO] [-G GROUPLIST]

View information for all Local User accounts:ibrix_localusers -L

View information for a specific Local User account:ibrix_localusers -l -g USERNAME

Delete a Local User account:ibrix_localusers -d -u USERNAME

Add a Local Group account:ibrix_localgroups -a -g GROUPNAME [-G GROUPID] [-S RID]

Modify a Local Group account:ibrix_localgroups -m -g GROUPNAME [-G GROUPID] [-S RID]

View information about all Local Group accounts:ibrix_localgroups -L

View information for a specific Local Group account:ibrix_localgroups -l -g GROUPNAME

Configuring authentication from the CLI 67

Delete a Local Group account:ibrix_localgroups -d -g GROUPNAME


7 Using CIFSThe IBRIX CIFS server implementation allows you to create file shares for data stored on the cluster.The CIFS server provides a true Windows experience for Windows clients. A user accessing a fileshare on an X9000 system will see the same behavior as on a Windows server.

IMPORTANT: CIFS and X9000 Windows clients cannot be used together because of incompatibleAD user to UID mapping. You can use either CIFS or X9000 Windows clients, but not both at thesame time.

IMPORTANT: Before configuring CIFS, select an authentication method. See “Configuringauthentication for CIFS, FTP, and HTTP” (page 54) for more information.

Configuring file serving nodes for CIFSTo enable file serving nodes to provide CIFS services, you will need to configure the resolv.conffile. On each node, the /etc/resolv.conf file must include a DNS server that can resolve SRVrecords for your domain. For example:# cat /etc/resolv.conf

search mycompany.comnameserver 192.168.100.132

To verify that a file serving node can resolve SRV records for your AD domain, run the Linux digcommand. (In the following example, the Active Directory domain name is mydomain.com.)% dig SRV _ldap._tcp.mydomain.com

In the output, verify that the ANSWER SECTION contains a line with the name of a domain controllerin the Active Directory domain. Following is some sample output:; <<>> DiG 9.3.4-P1 <<>> SRV _ldap._tcp.mydomain.com;; global options: printcmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56968;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:;_ldap._tcp.mydomain.com. IN SRV

;; ANSWER SECTION:_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 adctrlr.mydomain.com.

;; ADDITIONAL SECTION:adctrlr.mydomain.com. 3600 IN A 192.168.11.11

;; Query time: 0 msec;; SERVER: 192.168.100.132 #53(192.168.100.132);; WHEN: Tue Mar 16 09:56:02 2010;; MSG SIZE rcvd: 113

For more information, see the Linux resolv.conf(5) man page.

Starting or stopping the CIFS service and viewing CIFS statisticsIMPORTANT: You will need to start the CIFS service initially on the file serving nodes.Subsequently, the service is started automatically when a node is rebooted.

Use the CIFS panel on the GUI to start, stop, or restart the CIFS service on a particular server, orto view CIFS activity statistics for the server. Select Servers from the Navigator and then select theappropriate server. Select CIFS in the lower Navigator to display the CIFS panel, which showsCIFS activity statistics on the server. You can start, stop, or restart the CIFS service by clicking theappropriate button.

Configuring file serving nodes for CIFS 69

NOTE: Click CIFS Settings to configure SMB signing on this server. See “Configuring SMB signing” (page 75) for more information.

To start, stop, or restart the CIFS service from the CLI, use the following command:ibrix_server –s –t cifs –c {start|stop|restart}

Monitoring CIFS servicesThe ibrix_cifsmonitor command configures monitoring for the following CIFS services:

• lwreg

• dcerpc

• eventlog

• lsass

• lwio

• netlogin

• srvsvc

If the monitor finds that a service is not running, it attempts to restart the service. If the servicecannot be restarted, that particular service is not monitored.The command can be used for the following tasks.Start the CIFS monitoring daemon and enable monitoring:ibrix_cifsmonitor –m [–h HOSTLIST]

Display the health status of the CIFS services:ibrix_cifsmonitor –l

The command output reports status as follows:

ConditionHealth Status

All monitored CIFS services are up and runningUp

The lwio service is running but one or more of the other services are downDegraded

The lwio service is down and one or more of the other services are downDown

70 Using CIFS

ConditionHealth Status

Monitoring is disabledNot Monitored

The active Fusion Manager could not communicate with other file serving nodes in the clusterN/A

Disable monitoring and stop the CIFS monitoring daemon:ibrix_cifsmonitor –u [–h HOSTLIST]

Restart CIFS service monitoring:ibrix_cifsmonitor –c [–h HOSTLIST]

CIFS sharesWindows clients access file systems through CIFS shares. You can use the X9000 GUI or CLI tomanage shares, or you can use the Microsoft Management Console interface. The CIFS servicemust be running when you add shares.

IMPORTANT: When working with CIFS shares, you should be aware of the following:• The permissions on the directory exporting a CIFS share govern the access rights that are

given to the Everyone user as well as to the owner and group of the share. Consequently, theEveryone user may have more access rights than necessary. The administrator should set ACLson the CIFS share to ensure that users have only the appropriate access rights. Alternatively,permissions can be set more restrictively on the directory exporting the CIFS share.

• When the cluster and Windows clients are not joined in a domain, local users are not visiblewhen you attempt to add ACLs on files and folders in a CIFS share.

• A directory tree on a CIFS share cannot be copied if there are more than 50 ACLs on theshare. Also, because of technical constraints in the CIFS service, you cannot create subfoldersin a directory on a CIFS share having more than 50 ACLs.

• When configuring a CIFS share, you can specify IP addresses or ranges that should be allowedor denied access to the share. However, if your network includes packet filters, a NAT gateway,or routers, this feature cannot be used because the client IP addresses are modified while intransit.

Configuring CIFS shares with the GUIUse the Add New File Share Wizard to configure CIFS shares. You can then view or modify theconfiguration as necessary.On the GUI, select File Shares from the Navigator to open the File Shares panel, and then clickAdd to start the Add New File Share Wizard.On the File Share page, select CIFS as the File Sharing Protocol. Select the file system, which mustbe mounted, and enter a name, directory path, and description for the share. Note the following:• Do not include any of the following special characters in a share name. If the name contains

any of these special characters, the share might not be set up properly on all nodes in thecluster.' & ( [ { $ ` , / \

• Do not include any of the following special characters in the share description. If a descriptioncontains any of these special characters, the description might not propagate correctly to allnodes in the cluster.* % + & `

CIFS shares 71

On the Permissions page, specify permissions for users and groups allowed to access the share.

72 Using CIFS

Click Add to open the New User/Group Permission Entry dialog box, where you can configurepermissions for a specific user or group. The completed entries appear in the User/Group Entrieslist on the Permissions page.

On the Client Filtering page, specify IP addresses or ranges that should be allowed or deniedaccess to the share.

NOTE: This feature cannot be used if your network includes packet filters, a NAT gateway, orrouters.

Click Add to open the New Client UP Address Entry dialog box, where you can allow or denyaccess to a specific IP address or a range of addresses. Enter a single IP address, or include abitmask to specify entire subnets of IP addresses, such as 10.10.3.2/25. The valid range for the

CIFS shares 73

bitmask is 1–32. The completed entry appears on the Client IP Filters list on the Client Filteringpage.

On the Advanced Settings page, enable or disable Access Based Enumeration and specify thedefault create mode for files and directories created in the share. The Access Based Enumerationoption allows users to see only the files and folders to which they have access on the file share.

On the Host Servers page, select the servers that will host the share.

74 Using CIFS

Configuring SMB signingThe SMB signing feature specifies whether clients must support SMB signing to access CIFS shares.You can apply the setting to all servers, or to a specific server. To apply the same setting to allserver, select File Shares from the Navigator and click Settings on the File Shares panel. To applya setting to a specific server, select that server on the GUI, select CIFS from the lower Navigator,and click Settings. The dialog is the same for both selection methods.

CIFS shares 75

When configuring SMB signing, note the following:

• SMB2 is always enabled.

• Use the Required check box to specify whether SMB signing (with either SMB1 or SMB2) isrequired.

• The Disabled check box applies only to SMB1. Use this check box to enable or disable SMBsigning with SMB1.

You should also be aware of the following:

• The File Share Settings dialog box does not display whether SMB signing is currently enabledor disabled. Use the following command to view the current setting for SMB signing:ibrix_cifsconfig -i

• SMB signing must not be required to support connections from 10.5 and 10.6 Mac clients.

• It is possible to configure SMB signing differently on individual servers. Backup CIFS serversshould have the same settings to ensure that clients can connect after a failover.

• The SMB signing settings specified here are not affected by Windows domain group policysettings when joined to a Windows domain.

Configuring SMB signing from the CLITo configure SMB signing from the command line, use the following command:ibrix_cifsconfig -t -S SETTINGLIST

You can specify the following values in the SETTINGLIST:smb signing enabledsmb signing required

Use commas to separate the settings, and enclose the list in quotation marks. For example, thefollowing command sets SMB signing to enabled and required:ibrix_cifsconfig –t –S “smb signing enabled=1,smb signing required=1"

To disable SMB signing, enter settingname= with no value. For example:ibrix_cifsconfig –t –S “smb signing enabled=,smb signing required="

IMPORTANT: After making configuration changes with the ibrix_cifsconfig -t -Scommand, use the following command to restart the CIFS services on all nodes affected by thechange.ibrix_server –s –t cifs –c restart [–h SERVERLIST]

Clients will experience a temporary interruption in service during the restart.

Managing CIFS shares with the GUITo view existing CIFS shares on the GUI, select File Shares > CIFS from the Navigator. The CIFSShares panel shows the file system being shared, the hosts (or servers) providing access, the nameof the share, the export path, and the options applied to the share.

NOTE: When externally managed appears in the option list for a share, that share is beingmanaged with the Microsoft Management Console interface. The X9000 Management ConsoleGUI or CLI cannot be used to change the permissions for the share.

76 Using CIFS

On the CIFS Shares panel, click Add or Modify to open the File Shares wizard, where you cancreate a new share or modify the selected share. Click Delete to remove the selected share. ClickCIFS Settings to configure global file share settings; see “Configuring SMB signing ” (page 75))for more information.You can also view CIFS shares for a specific file system. Select that file system on the GUI, andthen select CIFS Shares from the lower Navigator.

Configuring and managing CIFS shares with the CLI

Adding, modifying, or deleting sharesUse the ibrix_cifs command to add, modify, or delete shares. For detailed information, seethe HP IBRIX X9000 Network Storage System CLI Reference Guide.

NOTE: Be sure to use the ibrix_cifs command located in <installdirectory>/bin.The ibrix_cifs command located in /usr/local/bin/init is used internally by X9000Software and should not be run directly.

Add a share:ibrix_cifs -a –f FSNAME –s SHARENAME -p SHAREPATH [-D SHAREDESCRIPTION][-S SETTINGLIST] [-A ALLOWCLIENTIPSLIST] [-E DENYCLIENTIPSLIST] [-FFILEMODE] [-M DIRMODE] [-h HOSTLIST]

CIFS shares 77

Use the -A ALLOWCLIENTIPSLIST or –E DENYCLIENTIPSLIST options to list client IP addressesallowed or denied access to the share. Use commas to separate the IP addresses, and enclose thelist in quotes. You can include an optional bitmask to specify entire subnets of IP addresses (forexample, ibrix_cifs -A “192.186.0.1,102.186.0.2/16”). The default is "", whichallows (or denies) all IP addresses.The -F FILEMODE and -M DIRMODE options specify the default mode for newly created files ordirectories, in the same manner as the Linux chmod command. The range of values is 0000–0777.The default is 0700.To see the valid settings for the -S option, use the following command:ibrix_cifs -L

View share information:ibrix_cifs -i [-h HOSTLIST]

Modify a share:ibrix_cifs -m -s SHARENAME [-D SHAREDESCRIPTION] [-S SETTINGLIST] [-AALLOWCLIENTIPSLIST] [-E DENYCLIENTIPSLIST] [-F FILEMODE] [-M DIRMODE][-h HOSTLIST]

Delete a share:ibrix_cifs –d -s SHARENAME [-h HOSTLIST]

Managing user and group permissionsUse the ibrix_cifsperms command to manage share-level permissions for users and groups.Add a user or group to a share and assign share-level permissions:ibrix_cifsperms -a -s SHARENAME -u USERNAME -t TYPE -p PERMISSION [-hHOSTLIST]

For -t TYPE, specify either allow or deny.For -p PERMISSION, specify one of the following:

• fullcontrol

• change

• read

For example, the following command gives everyone read permission on share1:ibrix_cifsperms -a -s share1 -u Everyone -t allow -p read

Modify share-level permissions for a user or group:ibrix_cifsperms -m -s SHARENAME -u USERNAME -t TYPE -p PERMISSION [-hHOSTLIST]

Delete share-level permissions for a user or group:ibrix_cifsperms -d -s SHARENAME [-u USERNAME] [-t TYPE] [-h HOSTLIST]

Display share-level permissions:ibrix_cifsperms -i -s SHARENAME [-t TYPE] [-h HOSTLIST]

Managing CIFS shares with Microsoft Management ConsoleThe Microsoft Management Console (MMC) can be used to add, view, or delete CIFS shares.Administrators running MMC must have X9000 Software share management privileges.

78 Using CIFS

NOTE: To use MMC to manage CIFS shares, you must be authenticated as a user with sharemodification permissions.

NOTE: If you will be adding users with the MMC, the primary authentication method must beActive Directory.

NOTE: The permissions for CIFS shares managed with the MMC cannot be changed with theX9000 Management Console GUI or CLI.

Connecting to cluster nodesWhen connecting to cluster nodes, use the procedure corresponding to the Windows operatingsystem on your machine.Windows XP, Windows 2003 R2:Complete the following steps:1. Open the Start menu, select Run, and specify mmc as the program to open.2. On the Console Root window, select File > Add/Remove Snap-in.3. On the Add/Remove Snap-in window, click Add.4. On the Add Standalone Snap-in window, select Shared Folders and click Add.5. On the Shared Folders window, select Another computer as the computer to be managed,

enter or browse to the computer name, and click Finish.

6. Click Close > OK to exit the dialogs.7. Expand Shared Folders (\\<address>).8. Select Shares and manage the shares as needed.

CIFS shares 79

Windows Vista, Windows 2008, Windows 7:Complete the following steps:1. Open the Start menu and enter mmc in the Start Search box. You can also enter mmc in a

DOS cmd window.2. On the User Account Control window, click Continue.3. On the Console 1 window, select File > Add/Remove Snap-in.4. On the Add or Remove Snap-ins window, select Shared Folders and click Add.5. On the Shared Folders window, select Another computer as the computer to be managed,

enter or browse to the computer name, and click Finish.

6. Click OK to exit the Add or Remove Snap-ins window.7. Expand Shared Folders (\\<address>).8. Select Shares and manage the shares as needed.

Saving MMC settingsYou can save your MMC settings to use when managing shares on this server in later sessions.Complete these steps:1. On the MMC, select File > Save As.2. Enter a name for the file. The name must have the suffix .msc.3. Select Desktop as the location to save the file, and click Save.4. Select File > Exit.

Granting share management privilegesUse the following command to grant administrators X9000 Software share management privileges.The users you specify must already exist. Be sure to enclose the user names in square brackets.ibrix_auth -t -S 'share admins=[domainname\username,domainname\username]'

80 Using CIFS

The following example gives share management privileges to a single user:ibrix_auth -t -S 'share admins=[domain\user1]'

If you specify multiple administrators, use commas to separate the users. For example:ibrix_auth -t -S 'share admins=[domain\user1, domain\user2,domain\user3]'

Adding CIFS sharesCIFS shares can be added with the MMC, using the share management plug-in. When addingshares, you should be aware of the following:

• The share path must include the X9000 file system name. For example, if the file system isnamed data, you could specify C:\data1\folder1.

NOTE: The Browse button cannot be used to locate the file system.

• The directory to be shared will be created if it does not already exist.

• The permissions on the shared directory will be set to 777. It is not possible to change thepermissions on the share.

• Do not include any of the following special characters in a share name. If the name containsany of these special characters, the share might not be set up properly on all nodes in thecluster.' & ( [ { $ ` , / \

• Do not include any of the following special characters in the share description. If a descriptioncontains any of these special characters, the description might not propagate correctly to allnodes in the cluster.* % + & `

• The management console GUI or CLI cannot be used to alter the permissions for shares createdor managed with Windows Share Management. The permissions for these shares are markedas “externally managed” on the GUI and CLI.

Open the MMC with the Shared Folders snap-in that you created earlier. On the Select Computerdialog box, enter the IP address of a server that will host the share.

The Computer Management window shows the shares currently available from server.

CIFS shares 81

To add a new share, select Shares > New Share and run the Create A Shared Folder Wizard. Onthe Folder Path panel, enter the path to the share, being sure to include the file system name.

When you complete the wizard, the new share appears on the Computer Management window.

82 Using CIFS

Deleting CIFS sharesTo delete a CIFS share, select the share on the Computer Management window, right-click, andselect Delete.

Linux static user mapping with Active DirectoryLinux static user mapping (also called UID/GID mapping or RFC2307 support) allows you to useLDAP as a Network Information Service.Linux static user mapping must be enabled when you configure Active Directory for userauthentication (see “Configuring authentication for CIFS, FTP, and HTTP” (page 54)).If you configure LDAP ID mapping as the secondary authentication service, authentication uses theIDs assigned in AD if they exist. If an ID is not found in an AD entry, authentication looks in LDAPfor a user or group of the same name and uses the corresponding ID assigned in LDAP. The primarygroup and all supplemental groups are still determined by the AD configuration.You can also assign UIDs, GIDs, and other POSIX attributes such as the home directory, primarygroup and shell to users and groups in Active Directory. To add static entries to Active Directory,complete these steps:

• Configure Active Directory.

• Assign POSIX attributes to users and groups in Active Directory.

NOTE: Mapping UID 0 and GID 0 to any AD user or group is not compatible with CIFS staticmapping.

Configuring Active DirectoryYour Windows Domain Controller machines must be running Windows Server 2003 R2 or WindowsServer 2008 R2. Configure the Active Directory domain as follows:

• Install Identity Management for UNIX.

• Activate the Active Directory Schema MMC snap-in.

• Add the uidNumber and gidNumber attributes to the partial-attribute-set of the AD globalcatalog.

You can perform these procedures from any domain controller. However, the account used to addattributes to the partial-attribute-set must be a member of the Schema Admins group.

Linux static user mapping with Active Directory 83

Installing Identity Management for UNIXTo install Identity Management for UNIX on a domain controller running Windows Server 2003R2, see the following Microsoft TechNet Article:http://technet.microsoft.com/en-us/library/cc778455(WS.10).aspxTo install Identity Management for UNIX on a domain controller running Windows Server 2008R2, see the following Microsoft TechNet article:http://technet.microsoft.com/en-us/library/cc731178.aspx

Activating the Active Directory Schema MMC snap-inUse the Active Directory Schema MMC snap-in to add the attributes. To activate the snap-in,complete the following steps:1. Click Start, click Run, type mmc, and then click OK.2. On the MMC Console menu, click Add/Remove Snap-in.3. Click Add, and then click Active Directory Schema.4. Click Add, click Close, and then click OK.

Adding uidNumber and gidNumber attributes to the partial-attribute-setTo make modifications using the Active Directory Schema MMC snap-in, complete these steps:1. Click the Attributes folder in the snap-in.2. In the right panel, scroll to the desired attribute, right-click the attribute, and then click Properties.

Select Replicate this attribute to the Global Catalog, and click OK.

The following dialog box shows the properties for the uidNumber attribute:

The next dialog box shows the properties for the gidNumber attribute.

84 Using CIFS

http://technet.microsoft.com/en-us/library/cc778455(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc731178.aspx

The following article provides more information about modifying attributes in the Active Directoryglobal catalog:http://support.microsoft.com/kb/248717

Assigning attributesTo set POSIX attributes for users and groups, start the Active Directory Users and Computers GUIon the Domain Controller. Open the Administrator Properties dialog box, and go to the UNIXAttributes tab. For users, you can set the UID, login shell, home directory, and primary group. Forgroups, set the GID.

Linux static user mapping with Active Directory 85

http://support.microsoft.com/kb/248717

Consolidating SMB servers with common share namesIf your SMB servers previously used the same share names, you can consolidate the servers withoutchanging the share name requested on the client side. For example, you might have three SMBservers, SRV1, SRV2, and SRV3, that each have a share named DATA. SRV3 points to a shareddrive that has the same path as \\SRV1\DATA; however, users accessing SRV3 have differentpermissions on the share.To consolidate the three servers, we will take these steps:1. Assign Vhost names SRV1, SRV2, and SRV3.2. Create virtual interfaces (VIF) for the IP addresses used by the servers. For example, Vhost

SRV1 has VIF 99.10.10.101 and Vhost SRV2 has VIF 99.10.10.102.3. Map the old share names to new share names. For example, map \\SRV1\DATA to new

share srv1-DATA, map \\SRV2\DATA to new share srv2-DATA, and map \\SRV3\DATAto srv3-DATA.

4. Create the new shares on the cluster storage and assign each share the appropriate path. Forexample, assign srv1-DATA to /srv1/data, and assign srv2-DATA to /srv2/data.Because SRV3 originally pointed to the same share as SRV1, we will assign the sharesrv3-DATA the same path as srv1-DATA, but set the permissions differently.

5. Optionally, create a share having the original share name, DATA in our example. Assign apath such as /ERROR/DATA and place a file in it named SHARE_MAP_FAILED. Doing thisensures that if a user configuration error occurs or the map fails, clients will not gain accessto the wrong shares. The file name notifies the user that their access has failed.

When this configuration is in place, a client request to access share \\srv1\data will be translatedto share srv1-DATA at /srv1/data on the file system. Client requests for \\srv3\data willalso be translated to /srv1/data, but the clients will have different permissions. The client requestsfor \\srv2\data will be translated to share srv2-DATA at /srv2/data.

86 Using CIFS

Client utilities such as net use will report the requested share name, not the new share name.

Mapping old share names to new share namesMappings are defined in the /etc/likewise/vhostmap file. Use a text editor to create andupdate the file. Each line in the file contains a mapping in the following format:VIF (or VhostName)|oldShareName|newShareName

If you enter a VhostName, it will be changed to a VIF internally.The oldShareName is the user-requested share name from the client that needs to be translatedinto a unique name. This unique name (the newShareName) is used when establishing a mountpoint for the share.Following are some entries from a vhostmap file:99.30.8.23|salesd|q1salesd99.30.8.24|salesd|q2salesdsalesSrv|salesq|q3salesd

When editing the /etc/likewise/vhostmap file, note the following:

• All VIF|oldShareName pairs must be unique.

• The following characters cannot be used in a share name: “ / \ | [ ] < > + : ; ,? * =

• Share names are case insensitive, and must be unique with respect to case.

• The oldShareName and newShareName do not need to exist when creating the file; however,they must exist for a connection to be established to the share.

• If a client specifies a share name that is not in the file, the share name will not be translated.

• Care should be used when assigning share names longer than 12 characters. Some clientsimpose a limit of 12 characters for a share name.

• Verify that the IP addresses specified in the file are legal and that Vhost names can be resolvedto an IP address. IP addresses must be IP4 format, which limits the addresses to 15 characters.

IMPORTANT: When you update the vhostmap file, the changes take effect a few minutes afterthe map is saved. If a client attempts a connection before the changes are in effect, the previousmap settings will be used. To avoid any delays, make your changes to the file when the CIFSservice is down.After creating or updating the vhostmap file, copy the file manually to the other servers in thecluster.

CIFS clientsCIFS clients access shares on the X9000 Software cluster in the same way they access shares ona Windows server.

Viewing quota informationWhen user or group quotas are set on a file system exported as a CIFS share, users accessing theshare can see the quota information on the Quotas tab of the Properties dialog box. Users cannotmodify quota settings from the client end.

CIFS clients 87

CIFS users cannot view directory tree quotas.

Differences in locking behaviorWhen CIFS clients access a share from different servers, as in the X9000 Software environment,the behavior of byte-range locks differs from the standard Windows behavior, where clients accessa share from the same server. You should be aware of the following:

• Zero-length byte-range locks acquired on one file serving node are not observed on other fileserving nodes.

• Byte-range locks acquired on one file serving node are not enforced as mandatory on otherfile serving nodes.

• If a shared byte-range lock is acquired on a file opened with write-only access on one fileserving node, that byte-range lock will not be observed on other file serving nodes. ("Write-onlyaccess" means the file was opened with GENERIC_WRITE but not GENERIC_READ access.)

• If an exclusive byte-range lock is acquired on a file opened with read-only access on one fileserving node, that byte-range lock will not be observed on other file serving nodes. ("Read-onlyaccess" means the file was opened with GENERIC_READ but not GENERIC_WRITE access.)

CIFS shadow copyUsers who have accidently lost or changed a file can use the CIFS shadow copy feature to retrieveor copy the previous version of the file from a file system snapshot. X9000 software supports CIFSshadow copy operations as follows.

Access Control Lists (ACLs)X9000 CIFS shadow copy behaves in the same manner as Windows shadow copy with respectto ACL restoration. When a user restores a deleted file or folder using CIFS shadow copy, theACLs applied on the individual files or folders are not restored. Instead, the files and folders inheritthe permissions from the root of the share or from the parent directory where they were restored.When a user restores on an existing file or folder by restoring it with CIFS shadow copy, the ACLsapplied on the individual file or folder are not restored. The ACLS applied on the individual fileor folder remain as they were before the restore.

88 Using CIFS

Restore operationsIf a file has been deleted from a directory that has Previous Versions, the user can recover a previousversion of the file by performing a Restore of the parent directory. However, the Properties of therestored file will no longer list those Previous Versions. This condition is due to the X9000 snapshotinfrastructure; after a file is deleted, a new file in the same location is a new inode and will nothave snapshots until a new snapshot is subsequently created. However, all pre-existing previousversions of the file continue to be available from the Previous Versions of the parent directory.For example, folder Fold1 contains files f1 and f2. There are two snapshots of the folder attimestamps T1 and T2, and the Properties of Fold1 show Previous Versions T1 and T2. TheProperties of files f1 and f2 also show Previous Versions T1 and T2 as long as these files havenever been deleted.If the file f1 is now deleted, you can restore its latest saved version from Previous Version T2 onFold1.From that point on, the Previous Versions of \Fold1\f1 no longer show timestamps T1 and T2.However, the Previous Versions of \Fold1 continue to show T1 and T2, and the T1 and T2 versionsof file f1 continue to be available from the folder.

Windows Clients BehaviorUsers should have full access on files and folders to restore them with CIFS shadow copy. If theuser does not have adequate permission, an error appears and the user is prompted to skip thatfile or folder when the failover is complete.

After the user skips the file or folder, the restore operation may or may not continue depending onthe Windows client being used. For Windows Vista, the restore operation continues by skippingthe folder or file. For other Windows clients (Windows 2003, XP, 2008), the operation stopsabruptly or gives an error message. Testing has shown that Windows Vista is an ideal client forCIFS shadow copy support. X9000 software does not have any control over the behavior of otherclients.

NOTE: HP recommends that the share root is not at the same level as the file system root, and isinstead a subdirectory of the file system root. This configuration reduces access and otherpermissions-related issues, as there are many system files (such as lost+found, quota subsystemfiles, and so on) at the root of the file system.

CIFS clients 89

CIFS shadow copy restore during node failoverIf a node fails over while a CIFS shadow copy restore is in progress, the user may see a disruptionin the restore operation.

After the failover is complete, the user must skip the file that could not be accessed. The restoreoperation then proceeds. The file will not be restored and can be manually copied later, or theuser can cancel the restore operation and then restart it.

Permissions in a cross-protocol CIFS environmentThe manner in which the CIFS server handles permissions affects the use of files by both Windowsand Linux clients. Following are some considerations.

How the CIFS server handles UIDs and GIDsThe CIFS server provides a true Windows experience for Windows users. Consequently, it mustbe closely aligned with Windows in the way it handles permissions and ownership on files.Windows uses ACLs to control permissions on files. The CIFS server puts a bit-for-bit copy of theACLs on the Linux server (in the files on the X9000 file system), and validates file access throughthese permissions.ACLs are tied to Security Identifiers (SIDs) that uniquely identify users in the Windows environment,and which are also stored on the file in the Linux server as a part of the ACLs. SIDs are obtainedfrom the authenticating authority for the Windows client (in X9000 Software, an Active Directoryserver). However, Linux does not understand Windows-style SIDs; instead, it has its own permissionscontrol scheme based on UID/GID and permissions bits (mode bits, sticky bits). Since this is thenative permissions scheme for Linux, the CIFS server must make use of it to access files on behalfof a Windows client; it does this by mapping the SID to a UID/GID and impersonating that UID/GIDwhen accessing files on the Linux file system.From a Windows standpoint, all of the security for the X9000 Software-resident files is self-consistent;Windows clients understand ACLs and SIDs, and understand how they work together to controlaccess to and security for Windows clients. The CIFS server maintains the ACLs as requested bythe Windows clients, and emulates the inheritance of ACLs identically to the way Windows serversmaintain inheritance. This creates a true Windows experience around accessing files from aWindows client.This mechanism works well for pure Linux environments, but (like the CIFS server) Linux applicationsdo not understand any permissions mechanisms other than their own. Note that a Linux applicationcan also use POSIX ACLs to control access to a file; POSIX ACLs are honored by the CIFS server,

90 Using CIFS

but will not be inherited or propagated. The CIFS server also does not map POSIX ACLs to becompatible with Windows ACLs on a file.These permission mechanisms have some ramifications for setting up shares, and for cross-protocolaccess to files on an X9000 system. The details of these ramifications follow.

Permissions, UIDs/GIDs, and ACLsThe X9000 Software CIFS server does not attempt to maintain two permission/access schemes onthe same file. The CIFS server is concerned with maintaining ACLs, so performs ACL inheritanceand honors ACLS. The UID/GIDs and permission bits for files on a directory tree are peripheralto this activity, and are used only as much as necessary to obtain access to files on behalf of aWindows client. The various cases the CIFS server can encounter while accessing files anddirectories, and what it does with UID/GID and permission bits in that access, are considered inthe following sections.

Pre-existing directories and filesA pre-existing Linux directory will not have ACLs associated with it. In this case, the CIFS serverwill use the permission bits and the mapped UID/GID of the CIFS user to determine whether it hasaccess to the directory contents. If the directory is written by the CIFS server, the inherited ACLSfrom the directory tree above that directory (if there are any) will be written into the directory sofuture CIFS access will have the ACLs to guide it.Pre-existing files are treated like pre-existing directories. The CIFS server uses the UID/GID of theCIFS user and the permission bits to determine the access to the file. If the file is written to, theACLs inherited from the containing directory for the file are applied to the file using the standardWindows ACL inheritance rules.

Working with pre-existing files and directoriesPre-existing file treatment has ramifications for cross-protocol environments. If, for example, filesare deposited into a directory tree using NFS and then accessed using CIFS clients, the directorytree will not have ACLs associated with it, and access to the files will be moderated by the NFSUID/GID and permissions bits. If those files are then modified by a CIFS client, they will take onthe UID/GID of the CIFS client (the new owner) and the NFS clients may lose access to those files.

New directories and filesNew directories created in a tree by the Windows client inherit the ACLs of the parent directory.They ACLs are created with the UID/GID of the Windows user (the UID/GID that the SID for theWindows user is mapped to) and they have a Linux permission bit mask of 700. This translates toLinux applications (which do not understand the Windows ACL) having owner and group (userswith the same group ID) with read, write, execute permissions, and everyone else having just readand execute permissions.New files are handled the same way as directories. The files inherit the ACLs of the parent directoryaccording to the Windows rules for ACL inheritance, and they are created with a UID/GID of theWindows user as mapped from the SID. They are assigned a permissions mask of 700.

Working with new files and directoriesThe inheritance rules of Windows assume that all directories are created on a Windows machine,where they inherit ACLs from their parent; the top level of a directory tree (the root of the file system)is assigned ACLs by the file system formatting process from the defaults for the system.This process is not in place on file serving nodes. Instead, when you create a share on a node,the share does not have any inherited ACLs from the root of the file system in which it is created.This leads to strange behavior when a Windows client attempts to use permissions to control accessto a file in such a directory. The usual CREATOR/OWNER and EVERYBODY ACLs (which are apart of the typical Windows ACLS inheritance ACL set) do not exist on the containing directory for

Permissions in a cross-protocol CIFS environment 91

the share, and are not inherited downward into the share directory tree. For true Windows-likebehavior, the creator of a share must access the root of the share and set the desired ACLs on itmanually (using Windows Explorer or a command line tool such as ICACLS). This process issomewhat unnatural for Linux administrators, but should be fairly normal for Windows administrators.Generally, the administrator will need to create a CREATOR/OWNER ACL that is inheritable onthe share directory, and then create an inheritable ACL that controls default access to the files inthe directory tree.

Changing the way CIFS inherits permissions on files accessed from Linux applicationsTo avoid the CIFS server modifying file permissions on directory trees that a user wants to accessfrom Linux applications (so keeping permissions other than 700 on a file in the directory tree), auser can set the setgid bit in the Linux permissions mask on the directory tree. When the setgidbit is set, the CIFS server honors that bit, and any new files in the directory inherit the parentdirectory permission bits and group that created the directory. This maintains group access fornew files created in that directory tree until setgid is turned off in the tree. That is, Linux-stylepermissions semantics are kept on the files in that tree, allowing CIFS users to modify files in thedirectory while NFS users maintain their access though their normal group permissions.For example, if a user wants all files in a particular tree to be accessible by a set of Linux users(say, through NFS), the user should set the setgid bit (through local Linux mechanisms) on thetop level directory for a share (in addition to setting the desired group permissions, for example770). Once that is done, new files in the directory will be accessible to the group that creates thedirectory and the permission bits on files in that directory tree will not be modified by the CIFSserver. Files that existed in the directory before the setgid bit was set are not affected by thechange in the containing directory; the user must manually set the group and permissions on filesthat already existed in the directory tree.This capability can be used to facilitate cross-protocol sharing of files. Note that this does not affectthe permissions inheritance and settings on the CIFS client side. Using this mechanism, a Windowsuser can set the files to be inaccessible to the CIFS users of the directory tree while opening themup to the Linux users of the directory tree.

Troubleshooting CIFS

Changes to user permissions do not take effect immediatelyThe CIFS implementation maintains an authentication cache that is set to four hours. If a user isauthenticated to a share, and the user's permissions are then changed, the old permissions willremain in effect until the cache expires, at four hours after the authentication. The next time theuser is encountered, the new, correct value will be read and written to the cache for the next fourhours.This is not a common occurrence. However, to avoid the situation, use the following guidelineswhen changing user permissions:

• After a user is authenticated to a share, wait four hours before modifying the user's permissions.

• Conversely, it is safe to modify the permissions of a user who has not been authenticated inthe previous four hours.

Robocopy errors occur during node failover or failbackIf Robocopy is in use on a client while a file serving node is failed over or failed back, theapplication repeatedly retries to access the file and reports the error The process cannotaccess the file because it is being used by another process. These errors

92 Using CIFS

occur for 15 to 20 minutes. The client's copy will then continue without error if the retry timeouthas not expired. To work around this situation, take one of these steps:

• Stop and restart the Likewise process on the affected file serving node:# /opt/likewise/bin/lwsm stop lwreg && /etc/init.d/lwsmd stop

# /etc/init.d/lwsmd start && /opt/likewise/bin/lwsm start srvsvc

• Power down the file serving node before failing it over, and do failback operations only duringoff hours.

The following xcopy and robocopy options are recommended for copying files from a client toa highly available CIFS server:xcopy: include the option /C; in general, /S /I /Y /C are good baseline options.robocopy: include the option /ZB; in general, /S /E /COPYALL /ZB are good baselineoptions.

Copy operations interrupted by node failbackIf a node failback occurs while xcopy or robocopy is copying files to a CIFS share, the copyoperation might be interrupted and need to be restarted.

Active Directory users cannot access CIFS sharesIf any AD user is set to UID 0 in Active Directory, you will not be able to connect to CIFS sharesand errors will be reported. Be sure to assign a UID other than 0 to your AD users.

UID for CIFS Guest account conflicts with another userIf the UID for the Guest account conflicts with another user, you can delete the Guest account andrecreate it with another UID.Use the following command to delete the Guest account, and enter yes when you are promptedto confirm the operation:/opt/likewise/bin/lw-del-user Guest

Recreate the Guest account, specifying a new UID:/opt/likewise/bin/lw-add-user –-force --uid <UID_number> Guest

To have the system generate the UID, omit the --uid <UID_number> option.

Troubleshooting CIFS 93

8 Using FTPThe FTP feature allows you to create FTP file shares for data stored on the cluster. Clients accessthe FTP shares using standard FTP and FTPS protocol services.

IMPORTANT: Before configuring FTP, select an authentication method (either Local Users or ActiveDirectory). See “Configuring authentication for CIFS, FTP, and HTTP” (page 54) for more information.

An FTP configuration consists of one or more configuration profiles and one or more FTP shares.A configuration profile defines global FTP parameters and specifies the file serving nodes on whichthe parameters are applied. The vsftpd service starts on these nodes when the cluster servicesstart. Only one configuration profile can be in effect on a particular node.An FTP share defines parameters such as access permissions and lists the file system to be accessedthrough the share. Each share is associated with a specific configuration profile. The shareparameters are added to the profile's global parameters on the file serving nodes specified in theconfiguration profile.You can create multiple shares having the same physical path, but with different sets of properties,and then assign users to the appropriate share. Be sure to use a different IP address or port foreach share.You can configure and manage FTP from the GUI or CLI.

Best practices for configuring FTPWhen configuring FTP, follow these best practices:

• If an SSL certificate will be required for FTPS access, add the SSL certificate to the clusterbefore creating the shares. See “Managing SSL certificates” (page 117) for information aboutcreating certificates in the format required by X9000 Software and then adding them to thecluster.

• When configuring a share on a file system, the file system must be mounted.

• If the directory path to the share includes a subdirectory, be sure to create the subdirectoryon the file system and assign read/write/execute permissions to it. (X9000 Software doesnot create the subdirectory if it does not exist, and instead adds a /pub/ directory to theshare path.)

• For High Availability, when specifying IP addresses for accessing a share, use IP addressesfor VIFs having VIF backups. See the administrator guide for your system for information aboutcreating VIFs.

• The allowed ports are 21 (FTP) and 990 (FTPS).

Managing FTP from the GUIUse the Add New File Share Wizard to configure FTP. You can then view or modify the configurationas necessary.

Configuring FTPOn the GUI, select File Shares from the Navigator to open the File Shares panel, and then clickAdd to start the Add New File Share Wizard.On the File Share page, select FTP as the File Sharing Protocol. Select the file system, which mustbe mounted, and enter the default directory path for the share. If the directory path includes asubdirectory, be sure to create the subdirectory on the file system and assign read/write/executepermissions to it. (X9000 software does not create the subdirectory if it does not exist, and insteadadds a /pub/ directory to the share path.)

94 Using FTP

On the Config Profile page, select an existing configuration profile or create a new profile,specifying a name and defining the appropriate parameters.

Managing FTP from the GUI 95

On the Host Servers page, select the servers that will host the configuration profile.

On the Settings page, configure the FTP parameters that apply to the share. The parameters areadded to the file serving nodes hosting the configuration profile. Also enter the IP addresses andports that clients will use to access the share. For High Availability, specify the IP address of a VIFhaving a VIF backup.

NOTE: The allowed ports are 21 (FTP) and 990 (FTPS).

NOTE: If you need to allow NAT connections to the share, use the Modify FTP Share dialog boxafter the share is created.

96 Using FTP

On the Users page, specify the users to be given access to the share.

IMPORTANT: Ensure that all users who are given read or write access to shares have sufficientaccess permissions at the file system level for the directories exposed as shares.

Managing FTP from the GUI 97

To define permissions for a user, click Add to open the Add User to Share dialog box.

Managing the FTP configurationSelect File Shares > FTP from the Navigator to display the current FTP configuration. The FTP ConfigProfiles panel lists the profiles that have been created. The Shares panel shows the FTP sharesassociated with the selected profile.

98 Using FTP

Use the buttons on the panels to modify or delete the selected configuration profile or share. Youcan also add another FTP share to the selected configuration profile. Use the Modify FTP Sharedialog box if you need to allow NAT connections on the share.

Managing FTP from the CLIFTP is managed with the ibrix_ftpconfig and ibrix_ftpshare commands. For detailedinformation, see the HP IBRIX X9000 Network Storage System CLI Reference Guide.

Configuring FTPTo configure FTP, first add a configuration profile, and then add an FTP share:Add a configuration profile:ibrix_ftpconfig –a PROFILENAME [-h HOSTLIST] [-S SETTINGLIST]

For the -S option, use a comma to separate the settings, and enclose the settings in quotationmarks, such as “passive_enable=TRUE,maxclients=200”. To see a list of available settingsfor the profile, use the following command:ibrix_ftpconfig –L

Add an FTP share:ibrix_ftpshare -a SHARENAME –c PROFILENAME -f FSNAME -p dirpath -IIP-Address:Port [–u USERLIST] [-S SETTINGLIST]

For the -S option, use a comma to separate the settings, and enclose the settings in quotationmarks, such as “browseable=true,readonly=true”. For the -I option, use a semicolon toseparate the IP address:port settings and enclose the settings in quotation marks, such as“ip1:port1;ip2:port2;...”. To list the available settings for the share, use the followingcommand:ibrix_ftpshare –L

Managing the FTP configurationUse the following commands to view, modify, or delete the FTP configuration. In the commands,use -v 1 to display detailed information.View configuration profiles:ibrix_ftpconfig –i -h HOSTLIST [–v level]

Managing FTP from the CLI 99

Modify a configuration profile:ibrix_ftpshare -m SHARENAME –c PROFILENAME [-f FSNAME -p dirpath] -IIP-Address:Port [–u USERLIST] [-S SETTINGLIST]

Delete a configuration profile:ibrix_ftpconfig –d PROFILENAME

View an FTP share:ibrix_ftpshare -i SHARENAME –c PROFILENAME [–v level]

List FTP shares associated with a specific profile:ibrix_ftpshare -l –c PROFILENAME [–v level]

List FTP shares associated with a specific file system:ibrix_ftpshare -l –f FSNAME [–v level]

Modify an FTP share:ibrix_ftpshare -m SHARENAME –c PROFILENAME [-f FSNAME -p dirpath] -IIP-Address:Port [–u USERLIST] [-S SETTINGLIST]

Delete an FTP share:ibrix_ftpshare -d SHARENAME –c PROFILENAME

The vsftpd serviceWhen the cluster services are started on a file serving node, the vsftpd service starts automaticallyif the node is included in a configuration profile. Similarly, when the cluster services are stopped,the vsftpd service also stops. If necessary, use the Linux command ps -ef | grep vsftpdto determine whether the service is running.If you do not want vsftpd to run on a particular node, remove the node from the configurationprofile.

IMPORTANT: For FTP share access to work properly, the vsftpd service must be started byX9000 software. Ensure that the chkconfig of vsftpd is set to OFF (chkconfig vsftpdoff).

Starting or stopping the FTP service manuallyStart the FTP service:/usr/local/ibrix/ftpd/etc/vsftpd start /usr/local/ibrix/ftpd/hpconf/

Stop the FTP service:/usr/local/ibrix/ftpd/etc/vsftpd stop /usr/local/ibrix/ftpd/hpconf/

Restart the FTP service:/usr/local/ibrix/ftpd/etc/vsftpd restart /usr/local/ibrix/ftpd/hpconf/

NOTE: When the FTP configuration is changed with the GUI or CLI, the FTP daemon is restartedautomatically.

100 Using FTP

Accessing sharesClients can access an FTP share by specifying a URL in their browser (Internet Explorer or MozillaFirefox). In the following URLs, IP_address:port is the IP (or virtual IP) and port configured forthe share.

• For a share configured with an IP-based virtual host and the anonymous parameter is set totrue, use the following URL:ftp://IP_address:port/

• For a share configured with a userlist and having the anonymous parameter set to false,use the following URL:ftp://<ADDomain\username>@IP_address:port/

NOTE: When a file is uploaded into an FTP share, the file is owned by the user who uploadedthe file to the share.If a user uploads a file to an FTP share and specifies a subdirectory that does not already exist,the subdirectory will not be created automatically. Instead, the user must explicitly use the mkdirftp command to create the subdirectory. The permissions on the new directory are set to 777. Ifthe anonymous user created the directory, it is owned by ftp:ftp. If a non-anonymous usercreated the directory, the directory is owned by user:group.

You can also use curl commands to access an FTP share. (The default SSL port is 990.)For anonymous users:

• Upload a file using FTP protocol:curl -T <filename> -k ftp://IP_address/pub/ -u anonymous

• Upload a file using FTPS protocol:curl -T <filename> -k --ftp-ssl-reqd ftp://IP_address:990/pub/ -uftp

• Download a file using FTP protocol:curl -k ftp://IP_address/pub/<filename> -u anonymous

• Download a file using FTPS protocol:curl -k --ftp-ssl-reqd ftp://IP_address:990/pub/<file_name> -u ftp

The following example shows an anonymous client accessing a share.

Accessing shares 101

For Active Directory users (specify the user as in this example: ASM2k3.com\\ib1):

• Upload a file using FTP protocol:curl -T <filename> -k ftp://IP_address/pub/ -u <ADuser>

• Upload a file using FTPS protocol:curl -T <filename> -k --ftp-ssl-reqd ftp://IP_address:990/pub/ -u<ADuser>

• Download a file using FTP protocol:curl -k ftp://IP_address/<filename> -u <ADuser>

• Download a file using FTPS protocol:curl -k --ftp-ssl-reqd ftp://IP_address:990/<filename> -u (ADuser>

Shares can be accessed from any Fusion Manager that has FTP clients:ftp <Virtual_IP>

For FTPS, use the following command from the active Fusion Manager:lftp -u <user_name> -p <ssl port> -e 'set ftp:ssl-force true' <share_IP>

102 Using FTP

9 Using HTTPThe HTTP feature allows you to create HTTP file shares for data stored on the cluster. Clients accessthe HTTP shares using standard HTTP and HTTPS protocol services.

IMPORTANT: Before configuring HTTP, select an authentication method (either Local Users orActive Directory). See “Configuring authentication for CIFS, FTP, and HTTP” (page 54) for moreinformation.

The HTTP configuration consists of a configuration profile, a virtual host, and an HTTP share. Aprofile defines global HTTP parameters that apply to all shares associated with the profile. Thevirtual host identifies the IP addresses and ports that clients will use to access shares associatedwith the profile. A share defines parameters such as access permissions and lists the file system tobe accessed through the share.HTTP is administered from thee GUI or CLI. On the GUI, select HTTP from the File Shares list in theNavigator. The HTTP Config Profiles panel lists the current HTTP configuration, including the existingconfiguration profiles and the virtual hosts configured on the selected profile.

Best practices for configuring HTTPWhen configuring HTTP, follow these best practices:

• If an SSL certificate will be required for HTTPS access, add the SSL certificate to the clusterbefore creating the shares. See “Managing SSL certificates” (page 117) for information aboutcreating certificates in the format required by X9000 software and then adding them to thecluster.

• When configuring a share on a file system, the file system must be mounted.

• If the directory path to the share includes a subdirectory, be sure to create the subdirectoryon the file system and assign read/write/execute permissions to it. (X9000 software does notcreate the subdirectory if it does not exist, and instead adds a /pub/ directory to the sharepath.)

Best practices for configuring HTTP 103

• Ensure that all users who are given read or write access to HTTP shares have sufficient accesspermissions at the file system level for the directories exposed as shares.

• For High Availability, when specifying IP addresses for accessing a share, use IP addressesfor VIFs having VIF backups. See the administrator guide for your system for information aboutcreating VIFs.

Managing HTTP from the GUI

Configuring HTTPUse the Add New File Share Wizard to configure HTTP. You can then view or modify theconfiguration as necessary.On the GUI, select File Shares from the Navigator to open the File Shares panel, and then clickAdd to start the Add New File Share Wizard.On the File Share page, select HTTP as the File Sharing Protocol. Select the file system, which mustbe mounted, and enter a share name and the default directory path for the share.

On the Config Profile page, select on existing profile or configure a new profile, specifying a nameand the appropriate parameters for the profile.

104 Using HTTP

On the Host Servers page, select the servers that will host the configuration profile.

Managing HTTP from the GUI 105

On the Virtual Host page, enter a name for the virtual host and specify an SSL certificate anddomain name if used. Also add one or more IP addresses:ports for the virtual host. For HighAvailability, specify a VIF having a VIF backup.

106 Using HTTP

On the Settings page, set the appropriate parameters for the share. Note the following:

• When specifying the URL Path, do not include http://<IP address> or any variation ofthis in the URL path. For example, /reports/ is a valid URL path.

• When the WebDAV feature is enabled, the HTTP share becomes a readable and writablemedium with locking capability. The primary user can make edits, while other users can onlyview the resource in read-only mode. The primary user must unlock the resource before anotheruser can make changes.

• Set the Anonymous field to false only if you want to restrict access to specific users.


On the Users page, specify the users to be given access to the share.

IMPORTANT: Ensure that all users who are given read or write access to shares have sufficientaccess permissions at the file system level for the directories exposed as shares.

108 Using HTTP

To allow specific users read access, write access, or both, click Add. On the Add Users to Sharedialog box, assign the appropriate permissions to the user. When you complete the dialog, theuser is added to the list on the Users pge.

The Summary panel presents an overview of the HTTP configuration. You can go back and modifyany part of the configuration if necessary.When the wizard is complete, users can access the share from a browser. For example, if youconfigured the share with the anonymous user, specified 99.226.50.92 as the IP address on theCreate Vhost dialog box, and specified /reports/ as the URL path on the Add HTTP Sharedialog box, users can access the share using the following URL:http://99.226.50.92/reports/


The users will see an index of the share (if the browseable property of the share is set to true), andcan open and save files. For more information about accessing shares and uploading files, see“Accessing shares” (page 113).

Managing the HTTP configurationSelect File Shares > HTTP from the Navigator to display the current HTTP configuration. The HTTPConfig Profiles panel lists the profiles that have been created. The Vhosts panel shows the virtualhosts associated with the selected profile.

Use the buttons on the panels to modify or delete the selected configuration profile or virtual host.To view HTTP shares on the GUI, select the appropriate profile on the HTTP Config Profiles toppanel, and then select the appropriate virtual host from the lower navigator. The Shares bottompanel shows the shares configured on that virtual host. Click Add Share to add another share tothe virtual host. For example, you could create multiple shares having the same physical path, butwith different sets of properties, and then assign users to the appropriate share.

Tuning the socket read block size and file write block sizeBy default, the socket read block size and file write block size used by Apache are set to 8192bytes. If necessary, you can adjust the values with the ibrix_httpconfig command. The valuesmust be between 8KB and 2GB.

110 Using HTTP

ibrix_httpconfig –a profile1 –h node1,node2 -S“wblocksize=<value>,rblocksize=<value>”

You can also set the values on the Modify HTTP Profile dialog box:

Managing HTTP from the CLIOn the command line, HTTP is managed by the ibrix_httpconfig, ibrix_httpvhost, andibrix_httpshare commands. For detailed information, see the HP IBRIX X9000 NetworkStorage System CLI Reference Guide.

Configuring HTTPAdd a configuration profile:ibrix_httpconfig -a PROFILENAME [-h HOSTLIST] [-S SETTINGLIST]

For the -S option, use a comma to separate the settings, and enclose the settings in quotationmarks, such as “keepalive=true,maxclients=200,...”. To see a list of available settingsfor the share, use ibrix_httpconfig -L.Add a virtual host:ibrix_httpvhost -a VHOSTNAME -c PROFILENAME -I IP-Address:Port [-SSETTINGLIST]

Add an HTTP share:ibrix_httpshare -a SHARENAME -c PROFILENAME -t VHOSTNAME -f FSNAME -pdirpath -P urlpath [-u USERLIST] [-S SETTINGLIST]

For the -S option, use a comma to separate the settings, and enclose the settings in quotationmarks, such as “davmethods=true,browseable=true,readonly=true”.For example, to create a new HTTP share and enable the WebDAV property on that share:# ibrix_httpshare –a share3 –-c cprofile1 –t dav1vhost1 –f ifs1 –p/ifs1/dir1 –P url3 –S “davmethods=true”

To see all of the valid settings for an HTTP share, use the following command:ibrix_httpshare –L

Managing HTTP from the CLI 111

Managing the HTTP configurationView a configuration profile:ibrix_httpconfig -i PROFILENAME [-v level]

Modify a configuration profile:ibrix_httpconfig -m PROFILENAME [-h HOSTLIST] [-S SETTINGLIST]

Delete a configuration profile:ibrix_httpconfig -d PROFILENAME

View a virtual host:ibrix_httpvhost -i VHOSTNAME -c PROFILENAME [-v level]

Modify a virtual host:ibrix_httpvhost -m VHOSTNAME -c PROFILENAME -I IP-Address:Port [-SSETTINGLIST]

Delete a virtual host:ibrix_httpvhost -d VHOSTNAME -c PROFILENAME

View an HTTP share:ibrix_httpshare -i SHARENAME -c PROFILENAME -t VHOSTNAME [-v level]

Modify an HTTP share:ibrix_httpshare -m SHARENAME -c PROFILENAME -t VHOSTNAME [-f FSNAME -pdirpath] [-P urlpath] [-u USERLIST] [-S SETTINGLIST]

The following example modifies an HTTP, enabling WebDAV:# ibrix_httpshare –-m share1 –c cprofile1 –t dav1vhost1 –S"davmethods=true"

Delete an HTTP share:ibrix_httpshare -d SHARENAME -c PROFILENAME -t VHOSTNAME

Starting or stopping the HTTP service manuallyStart the HTTP service:/usr/local/ibrix/httpd/bin/apachectl -k start -f/usr/local/ibrix/httpd/conf/httpd.conf

Stop the HTTP service:/usr/local/ibrix/httpd/bin/apachectl -k stop -f/usr/local/ibrix/httpd/conf/httpd.conf

Restart the HTTP service:/usr/local/ibrix/httpd/bin/apachectl -k restart -f/usr/local/ibrix/httpd/conf/httpd.conf

NOTE: When the HTTP configuration is changed with the GUI or CLI, the HTTP daemon is restartedautomatically.

112 Using HTTP

Accessing sharesClients access an HTTP share by specifying a URL in their browser (Internet Explorer or MozillaFirefox). In the following URLs, IP_address:port is the IP (or virtual IP) and port configured forthe share.

• For a share configured with an IP-based virtual host and the anonymous parameter is set totrue, use the following URL:http://IP_address:port/urlpath/

• For a shared configured with a userlist and having the anonymous parameter set tofalse, use the following URL:http://IP_address:port/urlpath/

Enter your user name and password when prompted.

NOTE: When a file is uploaded into an HTTP share, the file is owned by the user who uploadedthe file to the share.If a user uploads a file to an HTTP share and specifies a subdirectory that does not already exist,the subdirectory will be created. For example, you could have a share mapped to the directory/ifs/http/ and using the url http_url. A user could upload a file into the share:curl -T file http://<ip>:<port>/http_url/new_dir/file

If the directory new_dir does not exist under http_url, the http service automatically createsthe directory /ifs/http/new_dir/ and sets the permissions to 777. If the anonymous userperformed the upload, the new_dir directory is owned by daemon:daemon. If a non-anonymoususer performed the upload, the new_dir directory is owned by user:group.

You can also use curl commands to access an HTTP share.For anonymous users:

• Upload a file using HTTP protocol:curl -T <filename> http://IP_address:port/urlpath/

• Upload a file using HTTPS protocol:curl --cacert <cacert_file> -T <filename>https://IP_address:port/urlpath/<filename>/

• Download a file using HTTP protocol:curl http://IP_address:port/urlpath/<filename> -o <path todownload>/<filename>/

• Download a file using HTTPS protocol:curl --cacert <cacert_file>https://IP_address:port/urlpath/<filename> -o <path todownload>/<filename>/

For Active Directory users (specify the user as in this example: mycompany.com\\User1):

• Upload a file using HTTP protocol:curl –T <filename> -u <ADuser> http://IP_address:port/urlpath/

• Upload a file using HTTPS protocol:curl --cacert <cacert_file> -T <filename> -u <ADuser>https://IP_address:port/urlpath/

Accessing shares 113

• Download a file using HTTP protocol:curl -u <ADuser> http://IP_address/dils/urlpath -o path todownload>/<filename>/

• Download a file using HTTPS protocol:curl --cacert <cacert_file> -u <ADuser>https://IP_address:port/urlpath/<file_name> -o path todownload>/<filename>/

Configuring Windows clients to access HTTP WebDAV sharesComplete the following steps to set up and access WebDAV enabled shares:

• Verify the entry in the Windows hosts file.Before mapping a network drive in Windows, verify that an entry exists in the c:\Windows\System32\drivers\etc\hosts file. For example, IP address 10.2.4.200 is assigned toa Vhost named vhost1, and if the Vhost name is not being used to map the network drive,the client should be able to resolve the domain name such as www.storage.hp.com (in referenceto domain name-based virtual hosts).

• Verify the characters in the Windows hosts file.The Windows c:\Windows\System32\drivers\etc\hosts file specifies IP versushostname mapping. Verify that the hostname in the file includes alpha-numeric charactersonly.

• Verify that the WebClient Service is started.The WebClient Service must be started on Windows-based clients attempting to access theWebDAV share. The WebClient service is missing by default on Windows 2008. To installthe WebClient service, the Desktop Experience package must be installed. See http://technet.microsoft.com/en-us/library/cc754314.aspx for more information.

• Update the Windows registry.When using WebDAV shares in Windows Explorer, you must edit the Windows registry ifthere are many files in the WebDAV shares or the files are large. Launch the windows registryeditor using the regedit command. Go to:Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ParametersChange the value of FileSizeLimitInBytes from the default value of 50000000 to2147483648 (which is the value of 2 GB in bytes). Change the value ofFileAttributesLimitInBytes from the default value of 1000000 to 10000000.

• Enable debug logging on the server.Edit the /usr/local/ibrix/httpd/conf/httpd.conf file and change the lineLogLevel warn to LogLevel debug. Next, restart Apache on the file serving nodes:Use the following command to stop Apache:/usr/local/ibrix/httpd/bin/apachectl stop

Use the following command to start Apache:/usr/local/ibrix/httpd/bin/apachectl start

• Save documents during node failovers.During a failover, MS Office 2010 restores the connection when the connection is lost on theserver, but you must wait until you are asked to refresh the document being edited. In MSOffice 2003 and 2007, you must save the document locally. After the failover is successful,you must re-map the drive and save the document on the WebDAV share.

114 Using HTTP

www.storage.hp.com



• When creating certificates, verify that the hostname matches the Vhost name.When creating a certificate, the hostname should match the Vhost name or the domain nameissued when mapping a network drive or opening the file directly using the URL such as https://storage.hp.com/share/foo.docx.

• Consider the assigned IP address when mapping a network drive on Windows.When mapping a network drive in Windows, if the IP address assigned to the Vhost is similarto the format 10.2.4.200, there should be a corresponding entry in the Windows hosts file.Instead of using the IP address in the mapping, use the name specified in the hosts file. Forexample, 10.2.4.200 can be mapped as srv1vhost1, and you can issue the URL https://srv1vhost1/share when mapping the network drive.

• Unlock locked files.Use the command BitKinex to unlock locked files if the files do not unlock before closingthe application.

• Remove zero byte files created by Microsoft Excel.Microsoft Excel creates 0 byte files on the WebDAV shares. For example, after editing thefile foo.xlsx and saving it more than once, a file such as ~$foo.xlsx is created with 0bytes in size. Delete this file using a tool such as BitKinex, or remove the file on the file system.For example, if the file system is mounted at /ifs1 and the share directory is /ifs1/dir1,remove the file /ifs1/dir1/~$foo.xlsx.

• Use the correct URL path when mapping WebDAV shares on Windows 2003.When mapping WebDAV shares on Windows 2003, the URL should not end with a trailingslash (/). For example, http://storage.hp.com/share can be mapped, but http://storage.hp.com/ cannot be mapped. Also, you cannot map https:// because oflimitations with Windows 2003.

• Delete read-only files through Windows Explorer.If you map a network drive for a share that includes files designated as read-only on the server,and you then attempt to delete one of those files, the file appears to be deleted. However,when you refresh the folder (using the REFRESH command), the folder containing the deletedfile in Windows Explorer reappears. This behavior is expected in Windows Explorer.

NOTE: Symbolic links are not implemented in the current WebDAV implementation (Apache’smod-dav module).

NOTE: After mapping a network drive of a WebDAV share on Windows, Windows Explorerreports an incorrect folder size or available free space on the WebDAV share.

Troubleshooting HTTP

HTTP WebDAV share is inaccessible through Windows Explorer when filesgreater than 10k are createdWhen files greater than 10k are created, the HTTP WebDAV share is inaccessible through WindowsExplorer and the following error appears: Windows cannot access this disc: Thisdisc might be corrupt. This condition is seen in various Windows clients such as Windows2008, Windows 7, and Windows Vista. The condition persists even if the share is disconnectedand re-mapped through Windows Explorer. The files are accessible on the file serving node andthrough BitKinex.Use the following workaround to resolve this condition:

Troubleshooting HTTP 115

https://storage.hp.com/share/foo.docx

https://storage.hp.com/share/foo.docx

1. Disconnect the network drive.2. In Windows, select Start > Run and enter regedit.3. Increase FileAttributeLimitInBytes from the default value of 1000000 to 10000000

(by a factor of 10).4. Increase FileSizeLimitInBytes 10 times by adding one extra zero.5. Save the registry and quit.6. Reboot the Windows system.7. Map the network drive to allow you to access the WebDAV share containing large files.

HTTP WebDAV share fails when downloading a large file from a mappednetwork driveWhen downloading or copying a file greater than 800 MB in Windows Explorer, the HTTPWebDAV share fails. Use the following workaround to resolve this condition:1. In Windows, select Goto > Start > Run and type regedit to open the Windows registry

editor.2. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters

NOTE: This hierarchy exists only if WebClient is installed on Windows Vista or Windows7.

3. Change the registry parameter values to allow for the increased file size.a. Set the value of FileAttributesLimitInBytes to 1000000 in decimal.b. Set the value of FileSizeLimitInBytes to 2147483648 in decimal, which equals

2 GB.

Mapping HTTP WebDAV share as AD or local user through Windows Explorerfails if the HTTP Vhost IP address is usedMapping the HTTP WebDAV share to a network drive as Active Directory or local user throughWindows Explorer fails on Windows 2008 if the HTTP Vhost IP address is used. To resolve thiscondition, add the Vhost names and IP addresses in the hosts file on the Windows clients.

116 Using HTTP

10 Managing SSL certificatesServers accepting FTPS and HTTPS connections typically provide an SSL certificate that verifies theidentity and owner of the web site being accessed. You can add your existing certificates to thecluster, enabling file serving nodes to present the appropriate certificate to FTPS and HTTPS clients.X9000 Software supports PEM certificates.When you configure the FTP share or the HTTP vhost, select the appropriate certificate.You can manage certificates from the GUI or the CLI, On the GUI, select Certificates from theNavigator to open the Certificates panel. The Certificate Summary shows the parameters for theselected certificate.

Creating an SSL certificateBefore creating a certificate, OpenSSL must be installed and must be included in your PATH variable(in RHEL5, the path is /usr/bin/openssl).There are two parts to a certificate: the certificate contents (specified in a .crt file) and a privatekey (specified in a .key file). Certificates added to the cluster must meet these requirements:

• The certificate contents (the .crt file) and the private key (the .key file) must be concatenatedinto a single file.

• The concatenated certificate file must include the headers and footers from the .crt and.key files.

• The concatenated certificate file cannot contain any extra spaces.Before creating a real certificate, you can create a self-signed SSL certificate and test access withit. Complete the following steps to create a test certificate that meets the requirements for use inan X9000 cluster:

Creating an SSL certificate 117

1. Generate a private key:openssl genrsa -des3 -out server.key 1024

You will be prompted to enter a passphrase. Be sure to remember the passphrase.2. Remove the passphrase from the private key file (server.key). When you are prompted for

a passphrase, enter the passphrase you specified in step 1.cp server.key server.key.orgopenssl rsa -in server.key.org -out server.keyrm -f server.key.org

3. Generate a Certificate Signing Request (CSR):openssl req -new -key server.key -out server.csr

4. Self-sign the CSR:openssl x509 -req -days 365 -in server.csr -signkey server.key -outserver.crt

5. Concatenate the signed certificate and the private key:cat server.crt server.key > server.pem

When adding a certificate to the cluster, use the concatenated file (server.pem in our example)as the input for the GUI or CLI.The following example shows a valid PEM encoded certificate that includes the certificate contents,the private key, and the headers and footers:-----BEGIN CERTIFICATE-----MIICUTCCAboCCQCIHW1FwFn2ADANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJVUzESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MQwwCgYDVQQKEwNhYmMxDDAKBgNVBAMTA2FiYzEcMBoGCSqGSIb3DQEJARYNYWRtaW5AYWJjLmNvbTAeFw0xMDEyMTEwNDQ0MDdaFw0xMTEyMTEwNDQ0MDdaMG0xCzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxDDAKBgNVBAoTA2FiYzEMMAoGA1UEAxMDYWJjMRwwGgYJKoZIhvcNAQkBFg1hZG1pbkBhYmMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdrjHH/W93X7afTIUOrllCHw21u31tinMDBZzi+R18r9SZ/muuyvG4kJCbOoQnohuir/s4aAEULAOnf4mvqLfZlkBe25HgT+ImshLzyHqPImuxTEXvjG5H1sEDLNuQkHvl8hF9Wxao1tv4eL8TL5KqK1W68juMVAw2cFDHxji2GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAKvYJK8RXKMObCKkae6oJ36FEkdl/ACHCw0Nxk/VMR4dv9lIk8Dv8sdYUUqHkNAME2yOaRI190c5bWSaMjhSjOOqUmmgmeDYlAu+ps3/1Fte5yl4ZV8VCu7bHCWx2OSy46Po03MMOu99JXrB/GCKE8fO8Fhyq/7LjFDR5GeghmSw-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----MIICXgIBAAKBgQDdrjHH/W93X7afTIUOrllCHw21u31tinMDBZzi+R18r9SZ/muuyvG4kJCbOoQnohuir/s4aAEULAOnf4mvqLfZlkBe25HgT+ImshLzyHqPImuxTEXvjG5H1sEDLNuQkHvl8hF9Wxao1tv4eL8TL5KqK1W68juMVAw2cFDHxji2GQIDAQABAoGBAMXPWryKeZyb2+np7hFbompOK32vAA1vLZHUwFoI0Tch7yQ60vv2PBvlZCQf4y06ik5xmkqLA+tsGxarx8DnXKUy0PHJ3hu6mTocIJdqqN0n+KO4tG2dvDPdSE7lphX2sY9MVt4X/QN3eNb/F3cHjnM9BYEr0BY3mTkKXz61jzABAkEA+M3PProYwvS6P8m4DenZh6ehsu4u/ycjmW/ujdp/PcRd5HBAWJasTXTezF5msugHnnNBe8F1i1q49PfL0C+kuQJBAOQXjrmPZxDc8YA/V45MUKv4eHHN0E03p84budtblHQ70BCLaO41n267t3DrZfW+VtsVDVBMja4UhoBasgv3rGECQQCILDR6k2YMBd+OG/xleRD6ww+oG96S/bvpNa7t6qFrj/cHmTxOgCDLv+RVHHG/B2lsGo7Dig2oeL30LU9aoUjZAkBVKSqDw7PyitusS3oQShQQsTufGf385pvDi3yQFxhNcYuUschisCivumyaP3mZEBDzyV9oLLz1UvqI79PsPfPhAkEAxSqebd1Ymqr2wi0RnKTmHfDCb3yWLPi57kc+lgrKLUlxawhTzDwzTWJ9m4gQqRlAaXoIElfk6ITwW0g9Th5Ouw==-----END RSA PRIVATE KEY-----

NOTE: When you are ready to create a real SSL certificate, consult the following site for adescription of the procedure:http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcer

118 Managing SSL certificates

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcer

Adding a certificate to the clusterTo add an existing certificate to the cluster, click Add on the Certificates panel. On the AddCertificate dialog box, enter a name for the certificate. Use a Linux command such as cat todisplay your concatenated certificate file. For example:cat server.pem

Copy the contents of the file to the Certificate Content section of the dialog box. The copied textmust include the certificate contents and the private key in PEM encoding. It must also include theproper headers and footers, and cannot contain any extra spaces.

NOTE: You can add only one certificate at a time.

The certificate is saved on all file serving nodes in the directory /usr/local/ibrix/pki.To add a certificate from the CLI, use the following command.ibrix_certificate -a -c CERTNAME -p CERTPATH

For example:# ibrix_certificate -a -c mycert -p server.pem

Run the command from the active Fusion Manager. To add a certificate for a different node, copythat certificate to the active Fusion Manager and then add it to the cluster. For example, if nodeib87 is hosting the active Fusion Manager and you have generated a certificate for node ib86,copy the certificate to ib87:scp server.pem ib87/tmp

Then, on node ib87, add the certificate to the cluster:ibrix_certificate -a -c cert86 –p /tmp/server.pem

Adding a certificate to the cluster 119

Exporting a certificateIf necessary, you can display a certificate and then copy and save the contents for future use. Thisstep is called exporting. Select the certificate on the Certificates panel and click Export.

To export a certificate from the CLI, use this command:ibrix_certificate -e -c CERTNAME

Deleting a certificateTo delete a certificate from the GUI, select the certificate on the Certificates panel, click Delete,and confirm the operation.To delete a certificate from the CLI, use this command:ibrix_certificate -d -c CERTNAME

120 Managing SSL certificates

11 Using remote replicationThis chapter describes how to configure and manage the Continuous Remote Replication (CRR)service.

OverviewThe CRR service provides a method to replicate changes in a source file system on one cluster toa target file system on either the same cluster (intra-cluster replication) or a second cluster (inter-clusterreplication). Both files and directories are replicated with remote replication, and no specialconfiguration of segments is needed. A remote replication task includes the initial synchronizationof the source and target file systems.When selecting file systems for remote replication, you should be aware of the following:

• One, multiple, or all file systems in a single cluster can be replicated.

• Remote replication is a one-way process. Bidirectional replication of a single file system is notsupported.

• The mountpoint of the source file system can be different from the mountpoint on the targetfile system.

Remote replication has minimal impact on these cluster operations:

• Cluster expansion (adding a new server) is allowed as usual on both the source and target.

• File systems can be exported over NFS, CIFS, FTP, or HTTP.

• Source or target file systems can be rebalanced while a remote replication job is in progress.

• File system policies (ibrix_fs_tune) can be set on both the source and target without anyrestrictions.

The Fusion Manager initializes remote replication. However, each file serving node runs its ownreplication and synchronization processes, independent of and in parallel with other file servingnodes. The individual daemons running on the file serving nodes perform the actual file systemreplication.The source-side Fusion Manager monitors the replication and reports errors, failures, and so on.

Continuous or run-once replication modesCRR can be used in two modes: continuous or run-once.Continuous replication. This method tracks changes on the source file system and continuouslyreplicates these changes to the target file system. The changes are tracked for the entire file systemand are replicated in parallel by each file serving node. There is no strict order to replication ateither the file system or segment level. The continuous remote replication program tries to replicateon a first-in, first-out basis.When you configure continuous remote replication, you must specify a file system as the source.(A source directory cannot be specified.) File systems specified as the replication source or targetmust already exist. The replication starts at the root of the source file system (the mount point).Run-once replication. This method replicates a single directory sub-tree or an entire file system fromthe source file system to the target file system. Run-once is a single-pass replication of all files andsubdirectories within the specified directory or file system. All changes that have occurred sincethe last replication task are replicated from the source file system to the target file system. Filesystems specified as the replication source or target must exist. If a directory is specified as thereplication source, the directory must exist on the source cluster under the specified source filesystem.

Overview 121

NOTE: Run-once can also be used to replicate a single software snapshot. This must be done onthe GUI.

You can replicate to a remote cluster (an intercluster replication) or the same cluster (an intraclusterreplication).

Using intercluster replicationsIntercluster configurations can be continuous or run-once:

• Continuous: asynchronously replicates the initial state of a file system and any changes to it.Snapshots cannot be replicated.

• Run-once: replicates the current state of a file system, folder, or file system snapshot.The examples in the configuration rules use three X9000 clusters: C1, C2, and C3:

• C1 has two file systems, c1ifs1 and c1ifs2, mounted as /c1ifs1 and /c1ifs2.

• C2 has two file systems, c2ifs1 and c2ifs2, mounted as /c2ifs1 and /c2ifs2.

• C3 has two file systems, c3ifs1 and c3ifs2, mounted as /c3ifs1 and /c3ifs2.In the examples, <cluster name>:<target path> designates a replication target such asC1:/c1ifs1/target1.The following rules apply to intercluster replications:

• Only one continuous Remote Replication task can run per file system. It must replicate fromthe root of the filesystem; you cannot continuously replicate a subdirectory of a file system.

• A continuous Remote Replication task can replicate to only one target cluster.

• Replication targets are directories in an X9000 file system and can be:

The root of a filesystem such as /c3ifs1.◦◦ A subdirectory such as /c3ifs1/target1.

Targets must be explicitly exported using CRR commands to make them available to CRRreplication tasks.

• A subdirectory created beneath a CRR export can be used as a target by a replication taskwithout being explicitly exported in a separate operation. For example, if the exported targetis /c3ifs1/target1, you can replicate to folder /c3ifs1/target1/subtarget1 if thefolder already exists.

• Directories exported as targets cannot overlap. For example, if C1 is replicating /c1ifs1 toC2:/c2ifs1/target1, C3 cannot replicate /c3ifs1 to C2:/c2ifs1/target1/target2.

• A cluster can be a target for one replication task at the same time that it is replicating data toanother cluster. For example, C1 can replicate /c1ifs1 to C2:/c2ifs1/target1 and C2can replicate /c2ifs2 to C1:/c1ifs2/target2, with both replications occurring at thesame time.

• A cluster can be a target for multiple replication tasks. For example, C1 can replicate /c1ifs1to C3:/c3ifs1/target1 and C2 can replicate /c2ifs1 to C3:/c3ifs1/target2, withboth replications occurring at the same time.

• Continuous Remote Replication tasks can be linked. For example:

C1 replicates /c1ifs1 to C2:/c2ifs1/target1.◦◦ C2 replicates /c2ifs1/target1 to C3:/c3ifs2/target2.

122 Using remote replication

NOTE: If a different file system is used for the target, the linkage can go back to the originalcluster.

• To replicate a directory or snapshot on a file system covered by continuous replication, firstpause the continuous task and then initiate a run-once replication task.

For information about configuring intercluster replications, see “Configuring the target export forreplication to a remote cluster” (page 123).

Using intracluster replicationsThere are two forms of intracluster replication:

• The same cluster and a different file system. Configure either continuous or run-once replication.You will need to specify a target file system and optionally a target directory (the default isthe root of the file system or the mount point).

• The same cluster and the same file system. Configure run-once replication. You will need tospecify a file system, a source directory, and a target directory. Be sure to specify two different,non-overlapping subdirectories as the source and target. For example, the following replicationis not allowed:From <fs_root>dir1 to <fs_root>dir1/dir2

However, the following replication is allowed:From <fs_root>dir1 to <fs_root>dir3/dir4

File system snapshot replicationYou can use the run-once replication mode to replicate a single file system snapshot. If a snapshotreplication is not explicitly configured, snapshots and all related metadata are ignored/filteredout during remote replications. Replication is not supported for block snapshots.

Configuring the target export for replication to a remote clusterUse the following procedure to configure a target export for remote replication. In this procedure,target export refers to the target file system and directory (the default is root of the file system)exported for remote replication.

NOTE: These steps are not required when configuring intracluster replication.

• Register source and destination clusters. The source and target clusters of a remote replicationconfiguration must be registered with each other before remote replication tasks can becreated.

• Create a target export. This step identifies the target file system and directory for replicationand associates it with the source cluster. Before replication can take place, you must createa mapping between the source cluster and the target export that receives the replicated data.This mapping ensures that only the specified source cluster can write to the target export.

• Identify server assignments to use for remote replication. Select the servers and correspondingNICs to handle replication requests, or use the default assignments. The default serverassignment is to use all servers that have the file system mounted.

NOTE: Do not add or change files on the target system outside of a replication operation. Doingthis can prevent replication from working properly.

GUI procedureThis procedure must be run from the target cluster, and is not required or applicable for intraclusterreplication.

Configuring the target export for replication to a remote cluster 123

Select the file system on the GUI, and then select Remote Replication Exports from the lowerNavigator. On the Remote Replication Exports bottom panel, select Add. The Create RemoteReplication Export dialog box allows you to specify the target export for the replication. The mountpoint of the file system is displayed as the default export path. You can add a directory to thetarget export.

The Server Assignments section allows you to specify server assignments for the export. Check thebox adjacent to Server to use the default assignments. If you choose to assign particular serversto handle replication requests, select those servers and then select the appropriate NICs.If the remote cluster does not appear in the selection list for Export To (Cluster), you will need toregister the cluster. Select New to open the Add Remote Cluster dialog box and then enter therequested information.

If the remote cluster is running an earlier version of X9000 software, you will be asked to enterthe clustername for the remote cluster. This name appears on the Cluster Configuration page onthe GUI for the remote cluster.


The Remote Replication Exports panel lists the replication exports you created for the file system.Expand Remote Replication Exports in the lower Navigator and select the export to see theconfigured server assignments for the export. You can modify or remove the server assignmentsand the export itself.

CLI procedure

NOTE: This procedure does not apply to intracluster replication.

Use the following commands to configure the target file system for remote replication:1. Register the source and target clusters with each other using the ibrix_cluster -r

command if needed. To list the known remote clusters, run ibrix_cluster -l on the sourcecluster.

2. Create the export on the target cluster. Identify the target export and associate it with thesource cluster using the ibrix_crr_export command.

3. Identify server assignments for the replication export using the ibrix_crr_nic command.The default assignments are:• Use all servers that have the file system mounted.

• Use the cluster NIC on each server.

Registering source and target clustersRun the following command on both the target cluster and the source cluster to register the clusterswith each other. It is necessary to run the command only once per source or target.ibrix_cluster -r -C CLUSTERNAME -H REMOTE_FM_HOST

CLUSTERNAME is the name of the Fusion Manager for a cluster.For the -H option, enter the name or IP address of the host where the remote cluster's FusionManager is running. For high availability, use the virtual IP address of the Fusion Manager.To list clusters registered with the local cluster, use the following command:ibrix_cluster -l

To unregister a remote replication cluster, use the following command:ibrix_cluster –d –C CLUSTERNAME

Creating the target exportTo create a mapping between the source cluster and the target export that receives the replicateddata, execute the following command on the target cluster:ibrix_crr_export –f FSNAME [-p DIRECTORY] –C SOURCE_CLUSTER [–P]

Configuring the target export for replication to a remote cluster 125

FSNAME is the target file system to be exported. The –p option exports a directory located underthe root of the specified file system (the default is the root of the file system). The -C option specifiesthe source cluster containing the file system to be replicated.Include the -P option if you do not want this command to set the server assignments. You will thenneed to identify the server assignments manually with ibrix_crr_nic, as described in the nextsection.To list the current remote replication exports, use the following command on the target cluster:ibrix_crr_export -l

To unexport a file system for remote replication, use the following command:ibrix_crr_export –U –f TARGET_FSNAME [-p DIRECTORY]

Identifying server assignments for remote replicationTo identify the servers that will handle replication requests and, optionally, a NIC for replicationtraffic, use the following command:ibrix_crr_nic -a -f FSNAME [-p directory] —h HOSTLIST [-n IBRIX_NIC]

When specifying resources, note the following:

• Specify servers by their host name or IP address (use commas to separate the names or IPaddresses). A host is any server on the target cluster that has the target file system mounted.

• Specify the network using the X9000 Software network name (NIC). Enter a valid user NICor the cluster NIC. The NIC assignment is optional. If it is not specified, the host name (or IP)is used to determine the network.

• A previous server assignment for the same export must not exist, or must be removed beforea new assignment is created.

The listed servers receive remote replication data over the specified NIC. To increase capacity,you can expand the number of preferred servers by executing this command again with anotherlist of servers.You can also use the ibrix_crr_nic command for the following tasks:

• Restore the default server assignments for remote replication:ibrix_crr_nic -D -f FSNAME [-p directory]

• View server assignments for remote replication. The output lists the target exports and associatedserver assignments on this cluster. The assigned servers and NIC are listed with a correspondingID number that can be used in commands to remove assignments.ibrix_crr_nic -l

• Remove a server assignment:ibrix_crr_nic -r -P ASSIGNMENT_ID1[,...,ASSIGNMENT_IDn]

To obtain the ID for a particular server, use ibrix_crr_nic -l.

Configuring and managing replication tasks on the GUINOTE: When configuring replication tasks, be sure to following the guidelines described in“Overview” (page 121).

Viewing replication tasksTo view replication tasks for a particular file system, select that file system on the GUI and thenselect Active Tasks > Remote Replication in the lower Navigator. The Remote Replication Tasksbottom panel lists any replication tasks currently running or paused on the file system.


Additional reports are available for the active replication tasks. In the lower Navigator, expandActive Tasks > Remote Replication to see a list of active tasks (crr-25 in the following example).Select Overall Status to see a status summary.

Select Server Tasks to display the state of the task and other information for the servers where thetask is running.

Starting a replication taskTo start a replication task, click New on the Remote Replication Tasks panel and then use the NewRemote Replication Task dialog box to configure the replication. Select the target for replication(a remote cluster, the same cluster, or the same cluster and file system), and specify whether thisis a continuous or run-once replication.The selections you make for the target and type determine the information you will be asked foron the dialog box.

Remote cluster replicationsRemote cluster replications can be configured for continuous or run-once mode.

Configuring and managing replication tasks on the GUI 127

For a run-once replication, either specify the source directory or click Use a snapshot and thenselect the appropriate Snap Tree and snapshot.For both continuous and run-once replications, supply the target side information. Select the targetcluster and target export, which must already be configured. If the remote cluster is not in the TargetCluster selection list, you will need to register the cluster. Select New to open the Add RemoteCluster dialog box. (See “Configuring the target export for replication to a remote cluster” (page 123)for more information.)You can also specify an optional target directory under the target export. For example, you couldconfigure the following replication, which does not include an optional target directory:

• Source directory: /srcFS/a/b/c

• Exported file system and directory on target: /destFS/1/2/3The contents of /srcFS/a/b/c are replicated to destFs/1/2/3/{contents_under_c}.If you also specify the target directory a/b/c, the replication goes to /destFs/1/2/3/a/b/c{contents_under_c}.The Replication Destination shows the location you have configured. The Continuous exampleabove shows a completed Target Side section.

Same cluster replicationsSame cluster replications can be configured for continuous or run-once mode.


For a run-once replication, either specify the source directory or click Use a snapshot and thenselect the appropriate Snap Tree and snapshot.For both continuous and run-once replications, supply the target side information. Select theappropriate target file system and optionally enter a target directory in that file system.

IMPORTANT: If you specify a target directory, be sure that it does not overlap with a previousreplication using the same target export.

Same cluster and file system replicationsSame cluster and file system replications can be configured only for run-once mode.

Either specify the source directory to be replicated, or click Use a snapshot and select theappropriate Snap Tree and snapshot. Then specify the target directory to receive the replication.

Configuring and managing replication tasks on the GUI 129

Pausing or resuming a replication taskTo pause a task, select it on the Remote Replication Tasks panel and click Pause. When you pausea task, the status changes to PAUSED. Pausing a task that involves continuous data capture doesnot stop the data capture. You must allocate space on the disk to avoid running out of spacebecause the data is captured but not moved. To resume a paused replication task, select the taskand click Resume. The status of the task then changes to RUNNING and the task continues from thepoint where it was paused.

Stopping a replication taskTo stop a task, select that task on the Remote Replication Tasks panel and click Stop. To viewstopped tasks, select Inactive Tasks from the lower Navigator. You can delete one or more tasks,or see detailed information about the selected task.

Configuring and managing replication tasks from the CLINOTE: When configuring replication tasks, be sure to following the guidelines described in“Overview” (page 121).

Starting a remote replication task to a remote clusterUse the following command to start a continuous or run-once replication task to a remote cluster.The command is executed from the source cluster.ibrix_crr -s -f SRC_FSNAME [-o] [-S SRCDIR] –C TGT_CLUSTERNAME -F TGT_FSNAME [-X TGTEXPORT] [-P TGTDIR] [-R]

Use the –s option to start a continuous remote replication task. The applicable options are:

The source file system to be replicated.-f SRC_FSNAME

The remote target cluster.–C TGT_CLUSTERNAME

The remote target file system.-F TGT_FSNAME

The remote replication target (exported directory). The default is the root of the filesystem.

NOTE: This option is used only for replication to a remote cluster. The file systemspecified with -F and the directory specified with -X must both be exported from thetarget cluster (target export).

-X TGTEXPORT

A directory under the remote replication target export (optional). This directory mustexist on the target, but does not need to be exported.

-P TGTDIR

Bypass retention compatibility checking.-R

Omit the -o option to start a continuous replication task. A continuous replication task does aninitial full synchronization and then continues to replicate any new changes made on the source.Continuous replication tasks continue to run until you stop them manually.Use the -o option for run-once tasks. This option synchronizes single directories or entire file systemson the source and target in a single pass. If you do not specify a source directory with the -S


option, the replication starts at the root of the file system. The run-once job terminates after thereplication is complete; however, the job can be stopped manually, if necessary.Use -P to specify an optional target directory under the target export. For example, you couldconfigure the following replication, which does not include the optional target directory:

• Source directory: /srcFS/a/b/c

• Exported file system and directory on target: /destFS/1/2/3The replication command is:ibrix_crr –s -o –f srcFs –S a/b/c –C tcluster –F destFs –X 1/2/3

The contents of /srcFS/a/b/c is replicated to destFs/1/2/3/{contents_under_c}.When the same command includes the –P option to specify the target directory a/b/c:ibrix_crr –s -o –f srcFs –S a/b/c –C tcluster –F destFs –X 1/2/3 –Pa/b/c

The replication now goes to /destFs/1/2/3/a/b/c{contents_under_c}.

Starting an intracluster remote replication taskUse the following command to start a continuous or run-once intracluster replication task for thespecified file system:ibrix_crr -s -f SRC_FSNAME [-o [-S SRCDIR]] -F TGT_FSNAME [-P TGTDIR]

The -F option specifies the name of the target file system (the default is the same as the source filesystem). The -P option specifies the target directory under the target file system (the default is theroot of the file system).Use the -o option to start a run-once task. The -S option specifies a directory under the sourcefile system to synchronize with the target directory.

Starting a run-once directory replication taskUse the following command to start a run-once directory replication for file system SRC_FSNAME.The -S option specifies the directory under the source file system to synchronize with the targetdirectory. The -P option specifies the target directory.ibrix_crr -s -f SRC_FSNAME -o -S SRCDIR -P TGTDIR

Stopping a remote replication taskUse the following command to stop a continuous or run-once replication task. Use the ibrix_task-l command to obtain the appropriate ID.ibrix_crr -k –n TASKID

The stopped replication task is moved to the inactive task list. Use ibrix_task -l -c to viewthe inactive task list.To forcefully stop a replication task, use the following command:ibrix_crr -k –n TASKID

The stopped task is removed from the list of inactive tasks.

Pausing a remote replication taskUse the following command to pause a continuous replication or run-once replication task with thespecified task ID. Use the ibrix_task -l command to obtain the appropriate ID.ibrix_crr -p –n TASKID

Configuring and managing replication tasks from the CLI 131

Resuming a remote replication taskUse the following command to resume a continuous or run-once replication task with the specifiedtask ID. Use the ibrix_task -l command to obtain the appropriate ID.ibrix_crr -r –n TASKID

Querying remote replication tasksUse the following command to list all active replication tasks in the cluster, optionally restricted bythe specified file system and servers.ibrix_crr -l [-f SRC_FSNAME] [-h HOSTNAME] [-C SRC_CLUSTERNAME]

To see more detailed information, run ibrix_crr with the -i option. The display shows the statusof tasks on each node, as well as task summary statistics (number of files in the queue, number offiles processed). The query also indicates whether scanning is in progress on a given server andlists any error conditions.ibrix_crr -i [-f SRC_FSNAME] [-h HOSTNAME] [-C SRC_CLUSTERNAME]

The following command prints detailed information about replication tasks matching the specifiedtask IDs. Use the -h option to limit the output to the specified server.ibrix_crr -i –n TASKIDS [ [-h HOSTNAME] [-C SRC_CLUSTERNAME]

Replicating WORM/retained filesWhen using remote replication for file systems enabled for data retention, the following requirementsmust be met:

• The source and target file systems must use the same data retention mode (Enterprise orRelaxed).

• The default, maximum, and minimum retention periods must be the same on the source andtarget file systems.

• A clock synchronization tool such as ntpd must be used on the source and target clusters. Ifthe clock times are not in synch, file retention periods might not be handled correctly.

Also note the following:

• Multiple hard links on retained files on the replication source are not replicated. Only the firsthard link encountered by remote replication is replicated, and any additional hard links arenot replicated. (The retainability attributes on the file on the target prevent the creation of anyadditional hard links). For this reason, HP strongly recommends that you do not create hardlinks on files that will be retained.

• For continuous remote replication, if a file is replicated as retained, but later its retainabilityis removed on the source filesystem (using data retention management commands), the newfile’s attributes and any additional changes to that file will fail to replicate. This is because ofthe retainability attributes that the file already has on the target, which cause the filesystemon the target to prevent remote replication from changing it.

• When a legal hold is applied to a file, the legal hold is not replicated on the target. If the fileon the target should have a legal hold, you will also need to set the legal hold on that file.

• If a file has been replicated to a target and you then change the file's retention expirationtime with the ibrix_reten_adm -e command, the new expiration time is not replicated tothe target. If necessary, also change the file's retention expiration time on the target.

Configuring remote failover/failbackWhen remote replication is configured from a local cluster to a remote cluster, you can fail overthe local cluster to the remote cluster:


1. Stop write traffic to the local site.2. Wait for all remote replication queues to drain.3. Stop remote replication on the local site.4. Reconfigure shares as necessary on the remote site. The cluster name and IP addresses (or

VIFs) are different on the remote site, and changes are needed to allow clients to continue toaccess shares.

5. Redirect write traffic to the remote site.When the local cluster is healthy again, take the following steps to perform a failback from theremote site:1. Stop write traffic to the remote site.2. Set up Run-Once remote replication, with the remote site acting as the source and the local

site acting as the destination.3. When the Run-Once replication is complete, restore shares to their original configuration on

the local site, and verify that clients can access the shares.4. Redirect write traffic to the local site.

Troubleshooting remote replication

Continuous remote replication fails when a private network is usedContinuous remote replication will fail if the configured cluster interface and the correspondingcluster Virtual Interface (VIF) for the Fusion Manager are in a private network on either the sourceor target cluster. By default, continuous remote replication uses the cluster interface and the ClusterVIF (the ibrixinit –C and –v options, respectively) for communication between the sourcecluster and the target cluster. To work around potential continuous remote replication communicationerrors, it is important that the ibrixinit -C and -v arguments correspond to a public interfaceand a public cluster VIF, respectively. If necessary, the ibrix_crr_nic command can be usedto change the server assignments (the server/NICs pairs that handle remote replication requests).

Troubleshooting remote replication 133

12 Managing data retention and validationThe data retention and validation feature is intended for sites that need to archive read-only filesfor business purposes. Data retention ensures that files cannot be modified or deleted for a specificretention period. Data validation scans can be used to ensure that files remain unchanged.

OverviewData retention must be enabled on a file system. When you enable data retention, you can specifya retention profile that includes minimum, maximum, and default retention periods that specify howlong a file must be retained.

WORM and WORM-retained filesThe files in the file system can be in the following states:

• Normal. The file is created read-only or read-write, and can be modified or deleted at anytime. A checksum is not calculated for normal files and they are not managed by data retention.

• Write-Once Read-Many (WORM). The file cannot be modified, but can be deleted at anytime. WORM files can be managed by data retention. A checksum is calculated for WORMfiles and they can be managed by data retention.

• WORM-retained. A WORM file becomes WORM-retained when a retention period is appliedto it. The file cannot be modified, and cannot be deleted until the retention period expires.WORM-retained files can be managed by data retention. A checksum is calculated forWORM-retained files and they can be managed by data retention.

NOTE: You can apply a legal hold to a WORM or WORM-retained file. The file then cannot bedeleted until the hold is released, even if the retention period has expired.

For WORM and WORM-retained files, the file's contents and the following file attributes cannotbe modified:• File name (the file cannot be renamed or moved)

• User and group owners

• File access permissions

• File modification timeAlso, no new hard links can be made to the file and the extended attributes cannot be added,modified, or removed.The following restrictions apply to directories in a file system enabled for data retention:

• A directory cannot be moved or renamed unless it is empty (even if it contains only normalfiles).

• You can delete directories containing only WORM and normal files, but you cannot deletedirectories containing retained files.

Data retention attributes for a file systemThe data retention attributes configured on a file system are called a retention profile. The profileincludes the following:

134 Managing data retention and validation

Default retention period. If a specific retention period is not applied to a file, the file will be retainedfor the default retention period. The setting for this period determines whether you can manageWORM (non-retained) files as well as WORM-retained files:

• To manage both WORM (non-retained) files and WORM-retained files, set the default retentionperiod to zero. To make a file WORM-retained, you will need to set the atime to a date inthe future.

• To manage only WORM-retained files, set the default retention period to a non-zero value.Minimum and maximum retention periods. Retained files cannot be deleted until their retentionperiod expires, regardless of the file system retention policy. You can set a specific retention periodfor a file; however, it must be within the minimum and maximum retention periods associated withthe file system. If you set a time that is less than the minimum retention period, the expiration timeof the period will be adjusted to match the minimum retention period. Similarly, if the new retentionperiod exceeds the maximum retention period, the expiration time will be adjusted to match themaximum retention period. If you do not set a retention period for a file, the default retention periodis used. If that default is zero, the file will not be retained.Autocommit period. Files that are not changed during this period automatically become WORMor WORM-retained when the period expires. (If the default retention period is set to zero, the filesbecome WORM. If the default retention period is set to a value greater than zero, the files becomeWORM-retained.) The autocommit period is optional and should not be set if you want to keepnormal files in the file system.

IMPORTANT: For a file to become WORM, its ctime and mtime must be older than theautocommit period for the file system. On Linux, ctime means any change to the file, either itscontents or any metadata such as owner, mode, times, and so on. The mtime is the last modifiedtime of the file's contents.

Retention mode. Controls how the expiration time for the retention period can be adjusted:

• Enterprise mode. The expiration date of the retention period can be extended to a later date.

• Relaxed mode. The expiration date of the retention period can be moved in or extended toa later date.

The autocommit and default retention periods determine the steps you will need to take to make afile WORM or WORM-retained. See “Creating WORM and WORM-retained files” (page 140) formore information.

Data validation scansTo ensure that WORM and retained files remain unchanged, it is important to run a data validationscan periodically. Circumstances such as the following can cause a file to change unexpectedly:

• System hardware errors, such as write errors

• Degrading of on-disk data over time, which can change the stored bit values, even if noaccesses to the data are performed

• Malicious or accidental changes made by usersA data validation scan computes hash sum values for the WORM, WORM-retained, andWORM-hold files in the scanned file system or subdirectory and compares them with the valuesoriginally computed for the files. If the scan identifies changes in the values for a particular file,an alert is generated on the GUI. You can then replace the bad file with an unchanged copy froman earlier backup or from a remote replication.

NOTE: Normal files are not validated.

The time required for a data scan depends on the number of files in the file system or subdirectory.If there are a large number of files, the scan could take up to a few weeks to verify all content on

Overview 135

storage. A scheduled scan will quit immediately if it detects that a scan of the same file system isalready running.You can schedule periodic data validation scans, and you can also run on-demand scans.

Enabling file systems for data retention and validationYou can enable a new or an existing file system for data retention and, optionally, validation.When you enable a file system, you can define a retention profile that specifies the retention modeand the default, minimum, and maximum retention periods.

New file systemsThe New Filesystem Wizard includes a WORM/Data Retention dialog box that allows you toenable data retention and define a retention profile for the file system. You can also enable anddefine schedules for data validation scans and data collection for reports.

The default retention period determines whether you can manage WORM (non-retained) files aswell as WORM-retained files. To manage only WORM-retained files, set the default retentionperiod. WORM-retained files then use this period by default; however, you can assign a differentretention period if desired.To manage both WORM (non-retained) and WORM-retained files, uncheck Set Default RetentionPeriod. The default retention period is then set to 0 seconds. When you make a WORM file retained,you will need to assign a retention period to the file.The Set Auto-Commit Period option specifies that files will become WORM or WORM-retained ifthey are not changed during the specified period. (If the default retention period is set to zero, thefiles become WORM. If the default retention period is set to a value greater than zero, the filesbecome WORM-retained.) To use this feature, check Set Auto-Commit Period and specify the timeperiod. The minimum value for the autocommit period is five minutes, and the maximum value isone year. If you plan to keep normal files on the file system, do not set the autocommit period.


Check Enable Data Validation to schedule periodic scans on the file system. Use the default schedule,or select Modify to open the Data Validation Scan Schedule dialog box and configure your ownschedule.

Check Enable Data Validation to schedule periodic scans on the file system. Use the default schedule,or select Modify to open the Report Data Generation Schedule dialog box and configure your ownschedule.

Enabling data retention from the CLIYou can also enable data retention when creating a new file system from the CLI. Use ibrix_fs-c and include the following-o options:–o "retenMode=<mode>,retenDefPeriod=<period>,retenMinPeriod=<period>,retenMaxPeriod=<period>,retenAutoCommitPeriod=<period>"

Enabling file systems for data retention and validation 137

The retenMode option is required and is either enterprise or relaxed. You can specify any,all, or none of the period options. retenDefPeriod is the default retention period,retenMinPeriod is the minimum retention period, and retenMaxPeriod is the maximumretention period.The retenAutoCommitPeriod option specifies that files will become WORM or WORM-retainedif they are not changed during the specified period. (If the default retention period is set to zero,the files become WORM. If the default retention period is set to a value greater than zero, the filesbecome WORM-retained.) The minimum value for the autocommit period is five minutes, and themaximum value is one year. If you plan to keep normal files on the file system, do not set theautocommit period.When using a period option, enter a decimal number, optionally followed by one of thesecharacters:

• s (seconds)

• m (minutes)

• h (hours)

• d (days)

• w (weeks)

• M (months)

• y (years)If you do not include a character specifier, the decimal number is interpreted as seconds.The following example creates a file system with Enterprise mode retention, with a default retentionperiod of 1 month, a minimum retention period of 3 days, a maximum retention period of 5 years,and an autocommit period of 1 hour:ibrix_fs -o "retenMode=Enterprise,retenDefPeriod=1M,retenMinPeriod=3d,retenMaxPeriod=5y,retenAutoCommitPeriod=1h" -c -f ifs1 -s ilv_[1-4] -a

Configuring data retention on existing file systems

NOTE: Data retention cannot be enabled on a file system created on X9000 software 5.6 orearlier versions. Instead, create a new file system on X9000 software 6.0 or later, and then copyor move files from the old file system to the new file system.

To enable or change the data retention configuration an existing file system, first unmount the filesystem. Select Active Tasks > WORM/Data Retention from the lower Navigator, and then clickModify on the WORM/Data Retention panel. You do not need to unmount the file system to changethe configuration for data validation or report data generation.


To enable data retention on an existing file system using the CLI, run this command:ibrix_fs -W -f FSNAME -o "retenMode=<mode>,retenDefPeriod=<period>,retenMinPeriod=<period>,retenMaxPeriod=<period>"

To use the autocommit feature on an existing file system, first upgrade the file system to enableautocommit:ibrix_reten_adm -u -f FSNAME

Then set the autocommit period on the file system with the -o"retenAutoCommitPeriod=<period>" option.

Viewing the retention profile for a file systemTo view the retention profile for a file system, select the file system on the GUI, and then selectWORM/Data Retention from the lower navigator. The WORM/Data retention panel shows theretention profile.

To view the retention profile from the CLI, use the ibrix_fs -i command, as in the followingexample:ibrix_fs -i -f ifs1 FileSystem: ifs1

Enabling file systems for data retention and validation 139

========================= { … } RETENTION : Enterprise [default=15d,mininum=1d,maximum=5y]

Changing the retention profile for a file systemThe file system must be unmounted when you make changes to the retention profile. After unmountingthe file system, click Modify on the WORM/Data Retention panel to open the Modify WORM/DataRetention dialog box and then make your changes.To change the configuration from the CLI, use the following command:ibrix_fs -W -f FSNAME -o "retenMode=<mode>,retenDefPeriod=<period>,retenMinPeriod=<period>,retenMaxPeriod=<period>,retenAutoCommitPeriod=<period>"

Managing WORM and retained filesYou can change a file to the WORM or WORM-retained state, view the retention informationassociated with a file, and use administrative tools to manage individual files, including setting orremoving a legal hold, setting or removing a retention period, and administratively deleting a file.

Creating WORM and WORM-retained filesThe autocommit and default retention periods determine the steps you will need to take.Autocommit period is set and default retention period is zero seconds:

• To make a WORM file retained, set the atime to a time in the future.Autocommit period is set and default retention period is non-zero:

• Files remaining unchanged during the autocommit period automatically becomeWORM-retained and use the default retention period. You can assign a different retentionperiod to a file if necessary.

Autocommit period is not set and default retention period is zero seconds:

• To create a WORM file, run a command to make the file read-only.

• To make a WORM file retained, set the atime to a time in the future.Auto commit period is not set and default retention period is non-zero:

• To create a WORM-retained file, run a command to make the file read-only. By default, thefile uses the default retention period.

• To assign a different retention period to the WORM-retained file, set the atime to a time inthe future.

NOTE: If you are not using autocommit, files must explicitly be made read-only. Typically, youcan configure your application to do this.

Making a file read-onlyLinux. Use chmod to make the file read-only. For example:chmod 444 myfile.txt

Windows. Use the attrib command to make the file read-only:C:\> attrib +r myfile.txt

Setting the atimeLinux. Use a command such as touch to set the access time to the future:touch -a -d "30 minutes" myfile.txt


See the touch(1) documentation for the time/date formats allowed with the -d option. You canalso enter the following on a Linux command line to see the acceptable date/time strings for thetouch command:info "Date input formats"

Windows. Windows does not include a touch command. Instead, use a third-party tool such ascygwin or FileTouch to set the access time to the future.

NOTE: For CIFS users setting the access time manually for a file, the maximum retention periodis100 years from the date the file was retained. For NFS users setting the access time manuallyfor a file, the retention expiration date must be before February 5, 2106.

The access time has the following effect on the retention period:

• If the access time is set to a future date, the retention period of the file is set so that retentionexpires at that date.

• If the access time is not set, the file inherits the default retention period for the file system.Retention expires at that period in the future, starting from the time the file is set read-only.

• If the access time is not set and the default retention period is zero, the file will become WORMbut not retained, and can be deleted.

You can change the retention period if necessary; see “Changing a retention period” (page 143).

Viewing the retention information for a fileTo view the retention information for a file, run the following command:ibrix_reten_adm -l -f FSNAME -P PATHLIST

For example:# ibrix_reten_adm -l -f sales_fs -P /sales_fs/dir1/contacts.txtnl

/sales_fs/dir1/contacts.txt: state={retained} retain-to:{2011-Nov-1015:55:06} [period: 182d15h (15778800s)]

In this example, contacts.txt is a retained file, its retention period expires on November 10,2011, and the length of the retention period is 182 days, 15 hours.

File administrationTo administer files from the GUI, select File Administration on the WORM/Data Retention panel.Select the action you want to perform on the WORM/Data Retention – File Administration dialogbox.

Managing WORM and retained files 141

To administer files from the CLI, use the ibrix_reten_adm command.

IMPORTANT: Do not use the ibrix_reten_adm command on a file system that is not enabledfor data retention.

Specifying path listsWhen using the GUI or the ibrix_reten_adm command, you need to specify paths for the filesaffected by the retention action. The following rules apply when specifying path lists:

• A path list can contain one or more entries, separated by commas.

• Each entry can be a fully-qualified path, such as /myfs1/here/a.txt. An entry can alsobe relative to the file system mount point. For example, if myfs1 is mounted at /myfs1, thepath here/a.txt is a valid entry.

• A relative path cannot begin with a slash (/). Relative paths are always relative to the mountpoint; they cannot be relative to the user’s current directory, unlike other UNIX commands.

• A directory cannot be specified in a path list. Directories themselves have no retention settings,and the command returns an error message if a directory is entered.

To apply an action to all files in a directory, you need to specify the paths to the files. You can usewildcards in the pathnames, such as /my/path/*,/my/path/.??*. The command does notapply the action recursively; you need to enter subdirectories.To apply a command to all files in all subdirectories of the tree, you can wrap theibrix_reten_adm command in a find script (or other similar script) that calls the commandfor every directory in the tree. For example, the following command sets a legal hold on all filesin the specified directory:find /myfs1/here/usr_local_src/matplotlib-1.0.0/agg24 -type d -execibrix_reten_adm -h -f myfs1 -P {}/* \;

The following script includes files beginning with a dot, such as .this. (This includes file uploadedto the file system, not file system files such as the .archiving tree.)find /myfs1/here/usr_local_src/matplotlib-1.0.0/agg24 -type d -execibrix_reten_adm -h -f myfs1 -P {}/*,{}/.??* \;


Setting or removing a legal holdWhen a legal hold is set on a retained or WORM file, the file cannot be deleted until the hold isreleased, even if the retention period has expired. On the WORM/Data Retention – FileAdministration dialog box, select Set a Legal Hold and specify the appropriate file.To remove a legal hold from a file, Remove a Legal Hold and specify the appropriate file. Whenthe hold is removed, the file is again under the control of its original retention policy.To set a legal hold from the CLI, use this command:ibrix_reten_adm -h -f FSNAME -P PATHLIST

To remove a legal hold from the CLI, use this command:ibrix_reten_adm -r -f FSNAME -P PATHLIST

Changing a retention periodIf necessary, you can change the length of the current retention period. For example, you mightwant to assign a different retention period to a retained file currently using the default retentionperiod. This is done by resetting the expiration time of the period. If the retention mode is Enterprise,the new expiration time must be later than the current expiration time. If the retention mode isRelaxed, the new expiration time can be earlier or later than the current expiration time.On the WORM/Data Retention – File Administration dialog box, select Reset Expiration Time andspecify the appropriate file. When you set the new expiration time, the length of the retentionperiod is adjusted accordingly. If you specify a time that is less than the minimum retention periodfor the file system, the expiration time will be adjusted to match the minimum retention period.Similarly, if the new time will exceed the maximum retention period, the expiration time will beadjusted to match the maximum retention period.

To reset the expiration time using the CLI:ibrix_reten_adm -e expire_time -f FSNAME -P PATHLIST

If you specify an interval such as 20m (20 minutes) for the expire_time, the retention expirationtime is set to that amount of time in the future starting from now, not that amount of time from theoriginal start of retention. If you specify an exact date/time such as 19:20:02 or 2/16/2012 forthe expire_time, the command sets the retention expiration time to that exact time. If the file

Managing WORM and retained files 143

system is in Relaxed retention mode (not Enterprise), the exact date/time can be in the past, inwhich case the file immediately expires from retention and becomes WORM but no longer retained.See the Linux date(1) man page for a description of the valid date/time formats for theexpire_time parameter.

Removing the retention periodWhen you remove the retention period from a retained file, the file becomes a WORM file. Onthe WORM/Data Retention – File Administration dialog box, select Remove Retention Period andspecify the appropriate file.To remove the retention period using the CLI:ibrix_reten_adm -c -f FSNAME -P PATHLIST

Deleting a file administrativelyThis option allows you to delete a file that is under the control of a data retention policy. On theWORM/Data Retention – File Administration dialog box, select Administrative Delete and specifythe appropriate file.

CAUTION: Deleting files administratively removes them from the file system, regardless of thedata retention policy.

To delete a file using the CLI:ibrix_reten_adm -d -f FSNAME -P PATHLIST

Running data validation scans

Scheduling a validation scanWhen you use the GUI to enable a file system for data validation, you can set up a schedule forvalidation scans. You might want to run additional scans of the file system at other times, or youmight want to scan particular directories in the file system.

NOTE: Although you can schedule multiple scans of a file system, only one scan can run at atime for a given file system.

To schedule a validation scan, select the file system on the GUI, and then select Active Tasks fromthe lower navigator. Select New to open the Starting a New Task dialog box. Select Data Validationas the Task Type.

When you click OK, the Start a new Validation Scan dialog box appears. Change the path to bescanned if necessary.


Go to the Schedule tab to specify when you want to run the scan.

Starting an on-demand validation scanYou can run a validation scan at any time. Select the file system on the GUI, and then select ActiveTasks from the lower navigator. Click New to open the Starting a New Task dialog box. SelectData Validation as the Task Type.

When you click OK, the Start a new Validation Scan dialog box appears. Change the path to bescanned if necessary and click OK.

Running data validation scans 145

To start an on-demand validation scan from the CLI, use the following command:ibrix_datavalidation -s -f FSNAME [-d PATH]

Viewing, stopping, or pausing a scanScans in progress are listed on the Active Tasks panel on the GUI. If you need to halt the scan,click Stop or Pause on the Active Tasks panel. Click Resume to resume the scan.To view the progress of a scan from the CLI, use the ibrix_task command. The -s option listsscheduled tasks.ibrix_task -i [-f FILESYSTEMS] [-h HOSTNAME]

To stop a scan, use this command:ibrix_task -k -n TASKID [-F] [-s]

To pause a scan, use this command:ibrix_task -p -n TASKID

To resume a scan, use this command:ibrix_task -r -n TASKID

Viewing validation scan resultsWhile a validation scan is running, it is listed on the Active Tasks panel on the GUI (select the filesystem, and then select Active Tasks from the lower Navigator). Information about completed scansis listed on the Inactive Tasks panel (select the file system, and then select Inactive Tasks from thelower Navigator). On the Inactive Tasks panel, select a validation task and then click Details tosee more information about the scan.A unique validation summary file is also generated for each scan. The files are located in the rootdirectory of the file system at {filesystem root}/.archiving/validation/history.The validation summary files are named <ID-n>-sum, such as 1–0.sum, 2–0.sum, and so on.The ID is the task ID assigned by X9000 Software when the scan was started. The second numberis 0 unless there is an existing summary file with the same task ID, in which case the second numberis incremented to make the filename unique.

Viewing and comparing hash sums for a fileIf a validation scan summary file reports inconsistent hash sums for a file and you want to investigatefurther, use the showsha and showvsm commands to compare the current hash sums with thehash sums that were originally calculated for the file.The showsha command calculates and displays the hash sums for a file. For example:# /usr/local/ibrix/sbin/showsha rhnplugin.pyPath hash: f4b82f4da9026ba4aa030288185344db46ffda7b


Meta hash: 80f68a53bb4a49d0ca19af1dec18e2ff0cf965daData hash: d64492d19786dddf50b5a7c3bebd3fc8930fc493

The showvms command displays the hash sums stored for the file. For example:# /usr/local/ibrix/sbin/showvms rhnplugin.py

VMSQuery returned 0Path hash: f4b82f4da9026ba4aa030288185344db46ffda7bMeta hash: 80f68a53bb4a49d0ca19af1dec18e2ff0cf965daData hash: d64492d19786dddf50b5a7c3bebd3fc8930fc493

last attempt: Wed Dec 31 17:00:00 1969 last success: Wed Dec 31 17:00:00 1969 changed: 0

In this example, the hash sums match and there are no inconsistencies. The 1969 dates appearingin the showvms output mean than the file had not yet been validated.

Handling validation scan errorsWhen a validation scan detects files having hash values inconsistent with their original values, itdisplays an alert in the events section of the GUI. However, the alert lists only the first inconsistentfile detected. It is important to check the validation summary report to identify all inconsistent filesthat were flagged during the scan.To replace an inconsistent file, follow these steps:1. Obtain a good version of the file from a backup or a remote replication.2. If the file is retained, remove the retention period for the file, using the GUI or the

ibrix_reten_adm -c command.3. Delete the file administratively using the GUI or the ibrix_reten_adm -d command.4. Copy the good version of the file to the data-retained file system or directory. If you recover

the file using an NDMP backup application, the proper retention expiration period is appliedfrom the backup copy of the file. If you copy the file another way, you will need to set theatime and read-only status.

Creating data retention reportsThree reports are available: data retention, utilization, and validation. The reports can show resultseither for the entire file system or for individual tiers. To generate a tiered report, the file systemmust include at least one tier.You can display reports as PDFs, CSV (CLI only), or in html format (GUI only). The latest files ineach format are saved in /usr/local/ibrix/reports/output/<report type>/.When you generate a report, the system creates a CSV file containing the data for the report. Thelatest CSV file is also stored in /usr/local/ibrix/reports/output/<report type>/.

NOTE: Older report files are not saved. If you need to keep report files, save them in anotherlocation before you generate new reports.

The data retention report lists ranges of retention periods and specifies the number of files in eachrange. The Number of Files reported on the graph scales automatically and is reported as individualfiles, thousands of files, or millions of files. The following example shows a data retention reportfor an entire file system.

Creating data retention reports 147

The utilization report summarizes how storage is utilized between retention states and free space.The next example shows the first page of a utilization report broken out by tiers. The results foreach tier appear on a separate page. The total size scales automatically, and is reported as MB,GB, or TB, depending on the size of the file system or tier.

A data validation report shows when files were last validated and reports any mismatches. Amismatch can be either content or metadata. The Number of Files scales automatically and isreported as individual files, thousands of files, or millions of files.


Generating and managing reportsTo run an unscheduled report from the GUI, select Filesystems in the upper Navigator and thenselect WORM/Data Retention in the lower Navigator. On the WORM/Data Retention panel, clickRun a Report. On the Run a WORM/Data Protection Summary Report dialog box, select the typeof report to view, and then specify the output format.

If an error occurs during report generation, a message appears in red text on the report. Simplyrun the report again.

Generating reports from the CLIYou can generate reports at any time using the ibrix_reports command. Scheduled reportscan be configured only on the GUI.First run the following command to scan the file system and collect the data to be used in thereports:

Creating data retention reports 149

ibrix_reports -s -f FILESYSTEM

Then run the following command to generate the specified report:ibrix_reports -g -f FILESYSTEM -n NAME -o OUTPUT FORMAT

Use the -n option to specify the type of report, where NAME is one of the following;

• retention

• retention_by_tier

• validation

• validation by tier

• utilization

• utilization_by_tier

The output format specified with -o can be csv or pdf.

Using hard links with WORM filesYou can use the Linux ln command without the -s option to create a hard link to a normal(non-WORM) file on an retention-enabled file system. If you later make the file a WORM file, thefollowing restrictions apply until the file is deleted:

• You cannot make any new hard links to the file. Doing this would increment the metadata ofthe link count in the file's inode, which is not allowed under WORM rules.

• You can delete hard links (the original file system entry or a hard-link entry) without deletingthe other file system entries or the file itself. WORM rules allow the link count to bedecremented.

Using remote replicationWhen using remote replication for file systems enabled for retention, the following requirementsmust be met:

• The source and target file systems must use the same retention mode (Enterprise or Relaxed).

• The default, maximum, and minimum retention periods must be the same on the source andtarget file systems.

• A clock synchronization tool such as ntpd must be used on the source and target clusters. Ifthe clock times are not in sync, file retention periods might not be handled correctly.

Also note the following:

• Multiple hard links on retained files on the replication source are not replicated. Only the firsthard link encountered by remote replication is replicated, and any additional hard links arenot replicated. (The retainability attributes on the file on the target prevent the creation of anyadditional hard links). For this reason, HP strongly recommends that you do not create hardlinks on retained files.

• For continuous remote replication, if a file is replicated as retained, but later its retainabilityis removed on the source filesystem (using data retention management commands), the newfile’s attributes and any additional changes to that file will fail to replicate. This is because ofthe retainability attributes that the file already has on the target, which will cause the filesystemon the target to prevent remote replication from changing it.

• When a legal hold is applied to a file, the legal hold is not replicated on the target. If the fileon the target should have a legal hold, you will also need to set the legal hold on that file.

• If a file has been replicated to a target and you then change the file's retention expirationtime with the ibrix_reten_adm -e command, the new expiration time is not replicated tothe target. If necessary, also change the file's retention expiration time on the target.


Backup support for data retentionThe supported method for backing up and restoring WORM/retained files is to use NDMP withDMA applications. Other backup methods will back up the file data, but will lose the retentionconfiguration.

Troubleshooting data retention

Attempts to edit retained files can create empty filesIt you attempt to edit a WORM file in the retained state, applications such as the vi editor will beunable to edit the file, but can leave empty temp files on the file system.

Applications such as vi can appear to update WORM filesIf you use an application such as vi to edit a WORM file that is not in the retained state, the filewill be modified, and it will be retained with the default retention period. This is the expectedbehavior. The file modification occurs because the editor edits a temporary copy of the file, triesto rename it to the real file, and when that fails, deletes the original file and then does the rename,which succeeds (because unretained WORM files are allowed to be deleted).

Cannot enable data retention on a file system with a bad segmentData retention must be set on all segments of a file system to ensure that all files can be managedproperly. File systems with bad segments cannot be enabled for data retention. If a file system hasa bad segment, evacuate or remove the segment first, and then enable the file system.

Backup support for data retention 151

13 Configuring Antivirus supportThe X9000 antivirus feature can be used with supported Antivirus software, which must be run onsystems outside the cluster. These systems are called external virus scan engines.To configure the Antivirus feature on an X9000 cluster, complete these steps:1. Add the external virus scan engines to be used for virus scanning. You can schedule periodic

updates of virus definitions from the virus scan engines to the cluster nodes.2. Enable Antivirus on file systems.3. Configure Antivirus settings as appropriate for your cluster.For file sharing protocols other than CIFS, when Antivirus is enabled on a file system, scans aretriggered when a file is first read. Subsequent reads to the file do not trigger a scan unless the filehas been modified or the virus definitions have changed. For CIFS, you must specify the fileoperations that trigger a scan (open, close, or both).The scans are forwarded to an external scan engine, which blocks the operation until the scan iscomplete. After a successful scan, if the file is found to be infected, the system reports apermission denied error message as the result of the file operation. If the file is clean, the fileoperation is allowed to go through.You can define Antivirus exclusions on directories in a file system to exclude files from beingscanned. When you define an exclusion rule for a directory, all files/folders in that directoryhierarchy are excluded from Antivirus scans based on the rule.Anti-virus support can be configured from the GUI or the CLI. On the GUI, select ClusterConfiguration from the Navigator, and then select Antivirus from the lower Navigator. the AntivirusSettings panel displays the current configuration.

152 Configuring Antivirus support

On the CLI, use the ibrix_avconfig command to configure Antivirus support. Use the ibrix_avcommand to update Antivirus definitions or view statistics.

Adding or removing external virus scan enginesThe Antivirus software is run on external virus scan engines. You will need to add these systemsto the Antivirus configuration.

IMPORTANT: HP recommends that you add a minimum of two virus scan engines to provideload balancing for scan requests and to prevent loss of scanning if one virus scan engine becomesunavailable.

On the GUI, select Virus Scan Engines from the lower Navigator to open the Virus Scan Enginespanel, and then click Add on that panel. On the Add dialog box, enter the IP address of the externalscan engine and the ICAP port number configured on that system.

NOTE: The default port number for ICAP is 1344. HP recommends that you use this port, unlessit is already in use by another activity. You may need to open this port for TCP/UDP in your firewall.

To remove an external virus scan engine from the configuration, select that system on the VirusScan Engines panel and click Delete.To add an external virus scan engine from the CLI, use the following command:ibrix_avconfig -a -S -I IPADDR -p PORTNUM

The port number specified here must match the ICAP port number configured on the virus scanengines.Use the following command to remove an external virus scan engine:ibrix_avconfig -r -S -I IPADDR

Enabling or disabling Antivirus on X9000 file systemsOn the GUI, select AV Enable/Disable FileSystems from the lower Navigator to open the AV EnableDisable panel, which lists the file systems in the cluster. Select the file system to be enabled, clickEnable, and confirm the operation. To disable Antivirus, click Disable.The CLI commands are as follows:Enable Antivirus on all file systems in the cluster:ibrix_avconfig -e -F

Enable Antivirus on specific file systems:ibrix_avconfig -e -f FSLIST

If you specify more than one file system, use commas to separate the file systems.Disable Antivirus on all file systems:

Adding or removing external virus scan engines 153

ibrix_avconfig -d -F

Disable Antivirus on specific file systems:ibrix_avconfig -d -f FSLIST

Updating Antivirus definitionsYou should update the virus definitions on the cluster nodes periodically. On the GUI, click UpdateClusterWide ISTag on the Antivirus Settings panel. The cluster then connects with the external virusscan engines and synchronizes the virus definitions on the cluster nodes with the definitions on theexternal virus scan engines.

NOTE: All virus scan engines should have the same virus definitions. Inconsistencies in virusdefinitions can cause files to be rescanned.Be sure to coordinate the schedules for updates to virus definitions on the virtual scan engines andupdates of virus definitions on the cluster nodes.

On the CLI, use the following commands:Schedule cluster-wide updates of virus definitions:ibrix_av -t [-S CRON_EXPRESSION]

The CRON_EXPRESSION specifies the time for the virus definition update. For example, theexpression "0 0 12 * * ?" executes this command at noon every day.View the current schedule:ibrix_av -l -T

Configuring Antivirus settings

Defining the Antivirus unavailable policyThis policy determines how targeted file operations are handled when an external virus scan engineis not available. The policies are:

• Allow. All operations triggering scans are allowed to run to completion.

• Deny. All operations triggering scans are blocked and returned with an error. This policyensures that a virus is not returned when Antivirus is not available. This is the default.

Following are examples of situations that can cause Antivirus to be unavailable:

• All configured virus scan engines are unreachable.

• The cluster nodes cannot communicate with the virus scan engines because of network issues.

• The number of incoming scan requests exceeds the threads available on the cluster nodes toprocess the requests.

The Antivirus Settings panel shows the current setting for this policy. To toggle the policy, clickConfigure AV Policy.


To set the policy from the CLI, use this command:ibrix_avconfig -u -g A|D

Defining protocol-specific policiesFor certain file sharing protocols (currently only CIFS), you can specify the file operations thattrigger a scan (open, close, or read). There are three policies:

• OPEN — Scan on open.

• CLOSE — Scan on close.

• BOTH — Scan on open and close.To set the policy, select Protocol Scan Settings from the lower Navigator. The AV Protocol Settingspanel then displays the current setting. To set or change the setting, click Set/Modify on the paneland then select the appropriate setting from the Action dialog box.

To set the policy from the CLI, use this command:ibrix_avconfig -u -k PROTOCOL -G O|C|B

Defining exclusionsExclusions specify files to be skipped during Antivirus scans. Excluding files can improveperformance, as files meeting the exclusion criteria are not scanned. You can exclude files based

Configuring Antivirus settings 155

on their file extension or size. To configure exclusions on the GUI, click Exclusion on the AV EnableDisable panel. On the Exclusion Property dialog box, select the file system and then specify thedirectory path where the exclusion is to be applied.

By default, when exclusions are set on a particular directory, all of its child directories inherit thoseexclusions. You can overwrite those exclusions for a child directory by explicitly setting exclusionson the child directory or by using the No rule option to stop exclusion inheritance on the childdirectory.Select the appropriate type of rule:

• Inherited Rule/Remove Rule. Use this option to reset or remove exclusions that were explicitlyset on the child directory. The child directory will then inherit exclusions from its parent directory.You should also use this option to remove exclusions on the top-most level directory whereexclusions rules have been are set.

• No rule. Use this option to remove or stop exclusions at the child directory. The child directorywill no longer inherit the exclusions from its parent directory.

• Custom rule. Use this option to exclude files having specific file extensions or exceeding aspecific size. If you specify multiple file extensions, use commas to separate the extension. Toexclude all types of files from scans, enter an asterisk (*) in the file extension field. You canspecify either file extensions or a file size (or both).


On the CLI, use the following options to specify exclusions with the ibrix_avconfig command:

• -x FILE_EXTENSION — Excludes all files having the specified extension, such as .jpg. Ifyou specify multiple extensions, use commas to separate the extensions.

• -s FILE_SIZE — Excludes all files larger than the specified size (in MB).

• -N — Does not exclude any files in the directory hierarchy.Add an exclusion to a directory:ibrix_avconfig -a -E -f FSNAME -P DIR_PATH {-N | [-x FILE_EXTENSION][-s FILE_SIZE]}

View exclusions on a specific directory:ibrix_avconfig -l -E -f FSNAME -P DIR_PATH

Remove all exclusions from a directory:ibrix_avconfig -r -E -f FSNAME -P DIR_PATH

Viewing Antivirus statisticsAntivirus statistics are accumulated whenever a scan is run. To view statistics, select Statistics fromthe lower Navigator. Click Clear Stats to clear the current statistics and start accumulating themagain.

Viewing Antivirus statistics 157

The CLI commands are:View statistics from all cluster nodes:ibrix_av -l -s

Delete statistics from all nodes:ibrix_av -d -s

Antivirus quarantines and software snapshotsThe quarantine utility has the following limitations when used with snap files.Limitation 1: When the following sequence of events occurs:

• A virus file is created inside the snap root• A snap is taken• The original file is renamed or moved to another path• The original file is readThe quarantine utility cannot locate the snap file because the link was formed with the new filenameassigned after the snap was taken.Limitation 2:When the following sequence of events occurs:

• A virus file is created inside the snap root• A snap is taken• The original file is renamed or moved to another path• The snap file is readThe quarantine utility cannot track the original file because the link was not created with its name.That file cannot be listed, reset, moved, or deleted by the quarantine utility.Limitation 3:When the following sequence of events occurs:

• A virus file is created inside the snap root• The original file is read• A snap is taken• The original file is renamed or moved to another path


The quarantine utility displays both the snap name (which still has the original name), and the newfilename, although they are same file.

Antivirus quarantines and software snapshots 159

14 Creating X9000 software snapshotsThe X9000 software snapshot feature allows you to capture a point-in-time copy of a file systemor directory for online backup purposes and to simplify recovery of files from accidental deletion.Software snapshots can be taken of the entire file system or selected directories. Users can accessthe filesystem or directory as it appeared at the instant of the snapshot.

NOTE: To accommodate software snapshots, the inode format was changed in the X9000 6.0release. Consequently, files used for snapshots must either be created on X9000 File ServingSoftware 6.0 or later, or the pre-6.0 file system containing the files must be upgraded for snapshots.To upgrade a file system, use the upgrade60.sh utility. For more information, see the HP IBRIXX9000 Network Storage System CLI Reference Guide.

Before taking snapshots of a file system or directory, you must enable the directory tree for snapshots.An enabled directory tree is called a snap tree. You can then define a schedule for taking periodicsnapshots of the snap tree, and you can also take on-demand snapshots.Users can access snapshots using NFS or CIFS. All users with access rights to the root of thesnapshot directory tree can navigate, view, and copy all or part of a snapshot.

NOTE: Snapshots are read only and cannot be modified, moved, or renamed. However, theycan be copied.

NOTE: You can use either the software method or the block method to take snapshots on a filesystem. Using both snapshot methods simultaneously on the same file system is not supported.

File system limits for snap trees and snapshotsA file system can have a maximum of 1024 snap trees. Each snap tree can have a maximum of1024 snapshots.

Configuring snapshot directory trees and schedulesYou can enable a directory tree for snapshots using either the GUI or the CLI; however, the GUImust be used to configure a snapshot schedule.On the GUI, select Snapshots from the Navigator. The Snap Trees panel lists all directory treescurrently enabled for snapshots. The Schedule Details panel shows the snapshot schedule for theselected directory tree.

160 Creating X9000 software snapshots

To enable a directory tree for snapshots, click Add on the Snap Trees panel.

You can create a snapshot directory tree for an entire file system or a directory in that file system.When entering the directory path, do not specify a directory that is a parent or child of anothersnapshot directory tree. For example, if directory /dir1/dir2 is a snapshot directory tree, youcannot create another snapshot directory tree at /dir1 or /dir1/dir2/dir3.The snapshot schedule can include any combination of hourly, daily, weekly, and monthly snapshots.Also specify the number of snapshots to retain on the system. When that number is reached, theoldest snapshot is deleted.All weekly and monthly snapshots are taken at the same time of day. The default time is 9 pm. Tochange the time, click the time shown on the dialog box, and then select a new time on the ModifyWeekly/Monthly Snapshot Creation Time dialog box.

To enable a directory tree for snapshots using the CLI, run the following command:ibrix_snap -m -f FSNAME -p SNAPTREEPATH

SNAPTREEPATH is the full directory pathname, starting at the root of the file system. For example:ibrix_snap –m –f ifs1 -p /ifs1/dir1/dir2

IMPORTANT: A snapshot reclamation task is required for each file system containing snap treesthat have scheduled snapshots. If a snapshot reclamation task does not already exist, you will needto configure the task. See “Reclaiming file system space previously used for snapshots” (page 165).

Configuring snapshot directory trees and schedules 161

Modifying a snapshot scheduleYou can change the snapshot schedule at any time. On the Snap Trees panel, select the appropriatesnap tree, select Modify, and make your changes on the Modify Snap Tree dialog box.

Managing software snapshotsTo view the snapshots for a specific directory tree, select the appropriate directory tree on the SnapTrees panel, and then select Snapshots from the lower Navigator. The Snapshots panel lists snapshotsfor the directory tree and allows you to take a new snapshot or delete an existing snapshot. Usethe filter at the bottom of the panel to select the snapshots you want to view.

The following CLI commands display information about snapshots and snapshot directory trees:

• List all snapshots, or only the snapshots on a specific file system or snapshot directory tree:ibrix_snap -l -s [-f FSNAME [-P SnapTreePath]]

• List all snapshot directory trees, or only the snapshot directory trees on a specific file system:ibrix_snap -l [-f FSNAME]

Taking an on-demand snapshotTo take an on-demand snapshot of a directory tree, select the directory tree on the Snap Treespanel and then click Create on the List of Snapshots panel.


To take a snapshot from the CLI, use the following command:ibrix_snap -c -f FSNAME -P SNAPTREEPATH -n NAMEPATTERN

SNAPTREEPATH is the full directory path starting from the root of the file system. The name thatyou specify is appended to the date of the snapshot. The following words cannot be used in thename, as they are reserved for scheduled snapshots:HourlyDailyWeeklyMonthlyYou will need to manually delete on-demand snapshots when they are no longer needed.

Determining space used by snapshotsSpace used by snapshots counts towards the used capacity of the filesystem and towards userquotas. Standard file system space reporting utilities work as follows:

• The ls and du commands report the size of a file depending on the version you are viewing.if you are looking at a snapshot, the commands report the size of the file when it was snapped.If you are looking at the current version, the commands report the current size.

• The df command reports the total space used in the file system by files and snapshots.

Accessing snapshot directoriesSnapshots are stored in a read-only directory named .snapshot located under the directory tree.For example, snapshots for directory tree /ibfs1/users are stored in the /ibfs1/users/.snapshot directory. Each snapshot is a separate directory beneath the .snapshot directory.Snapshots are named using the ISO 8601 date and time format, plus a custom value. For example,a snapshot created on June 1, 2011 at 9am will be named 2011-06-01T090000_<name>. Forsnapshots created automatically, <name> is hourly, daily, weekly, or monthly, dependingon the snapshot schedule. If you create a snapshot on-demand, you can specify the <name>.The following example lists snapshots created on an hourly schedule for snap tree /ibfs1/users.Using ISO 8601 naming ensures that the snapshot directories are listed in order according to thetime they were taken.[root@x9000n1 ~]# # cd /ibfs1/users/.snapshot/[root@x9000n1 .snapshot]# ls2011-06-01T110000_hourly 2011-06-01T190000_hourly 2011-06-02T030000_hourly2011-06-01T120000_hourly 2011-06-01T200000_hourly 2011-06-02T040000_hourly2011-06-01T130000_hourly 2011-06-01T210000_hourly 2011-06-02T050000_hourly

Managing software snapshots 163

2011-06-01T140000_hourly 2011-06-01T220000_hourly 2011-06-02T060000_hourly2011-06-01T150000_hourly 2011-06-01T230000_hourly 2011-06-02T070000_hourly2011-06-01T160000_hourly 2011-06-02T000000_hourly 2011-06-02T080000_hourly2011-06-01T170000_hourly 2011-06-02T010000_hourly 2011-06-02T090000_hourly2011-06-01T180000_hourly 2011-06-02T020000_hourly

Users having access to the root of the snapshot directory tree (in this example, /ibfs1/users/)can navigate the /ibfs1/users/.snapshot directory, view snapshots, and copy all or partof a snapshot. If necessary, users can copy a snapshot and overlay the present copy to achievemanual rollback.

NOTE: Access to .snapshot directories is limited to administrators and NFS and CIFS users.

Accessing snapshots using NFSAccess over NFS is similar to local X9000 access except that the mount point will probably bedifferent. In this example, NFS export /ibfs1/users is mounted as /users1 on an NFS client.[root@rhel5vm1 ~]# cd /users1/.snapshot[root@rhel5vm1 .snapshot]# ls2011-06-01T110000_hourly 2011-06-01T150000_hourly 2011-06-01T190000_hourly2011-06-01T120000_hourly 2011-06-01T160000_hourly 2011-06-01T200000_hourly2011-06-01T130000_hourly 2011-06-01T170000_hourly2011-06-01T140000_hourly 2011-06-01T180000_hourly

Accessing snapshots using CIFSOver CIFS, Windows users can use Explorer to navigate to the .snapshot folder and view files.In the following example, /ibfs1/users/ is mapped to the Y drive on a Windows system.

Restoring files from snapshotsUsers can restore files from snapshots by navigating to the appropriate snapshot directory andcopying the file or files to be restored, assuming they have the appropriate permissions on thosefiles. If a large number of files need to be restored, you may want to use Run Once remote replication


to copy files from the snapshot directory to a local or remote directory (see “Starting a replicationtask” (page 127)).

Deleting snapshotsScheduled snapshots are deleted automatically according to the retention schedule specified forthe snapshot tree; however you can delete a snapshot manually if necessary. You also need todelete on-demand snapshots manually. Deleting a snapshot does not free the file system space thatwas used by the snapshot; you will need to reclaim the space.

IMPORTANT: Before deleting a directory that contains snapshots, take these steps:• Delete the snapshots (use ibrix_snap).

• Reclaim the file system space used by the snapshots (use ibrix_snapreclamation).

• Remove snapshot authorization for the snap tree (use ibrix_snap).

Deleting a snapshot manuallyTo delete a snapshot from the GUI, select the appropriate snapshot on the List of Snapshots panel,click Delete, and confirm the operation.To delete the snapshot from the CLI, use the following command:ibrix_snap -d -f FSNAME -P SNAPTREEPATH -n SNAPSHOTNAME

If you are unsure of the name of the snapshot, use the following command to locate the snapshot:ibrix_snap -l -s [-f FSNAME] [-P SNAPTREEPATH]

Reclaiming file system space previously used for snapshotsSnapshot reclamation tasks are used to reclaim file system space previously used by snapshotsthat have been deleted.

IMPORTANT: A snapshot reclamation task is required for each file system containing snap treesthat have scheduled snapshots.

Using the GUI, you can schedule a snapshot reclamation task to run at a specific time on a recurringbasis. The reclamation task runs on an entire file system, not on a specific snapshot directory treewithin that file system. If a file system includes two snapshot directory trees, space is reclaimed inboth snapshot directory trees.To start a new snapshot reclamation task, select the appropriate file system from the Filesystemspanel and then select Active Tasks > Snapshot Space Reclamation from the lower Navigator.


Select New on the Task Summary panel to open the New Snapshot Space Reclamation Task dialogbox.

On the General tab, select a reclamation strategy:

• Maximum Space Reclaimed. The reclamation task recovers all snapped space eligible forrecovery. It takes longer and uses more system resources than Maximum Speed. This is thedefault.

• Maximum Speed of Task. The reclamation task reclaims only the most easily recoverablesnapped space. This strategy reduces the amount of runtime required by the reclamation task,but leaves some space potentially unrecovered (that space is still eligible for later reclamation).You cannot create a schedule for this type of reclamation task.

If you are using the Maximum Space Reclaimed strategy, you can schedule the task to runperiodically. On the Schedule tab, click Schedule this task and select the frequency and time torun the task.


To stop a running reclamation task, click Stop on the Task Summary panel.

Managing reclamation tasks from the CLITo start a reclamation task from the CLI, use the following command:ibrix_snapreclamation -r -f FSNAME [-s {maxspeed | maxspace}] [-v]

The reclamation task runs immediately; you cannot create a recurring schedule for it.To stop a reclamation task, use the following command:ibrix_snapreclamation -k -t TASKID [-F]

The following command shows summary status information for all replication tasks or only the taskson the specified file systems:ibrix_snapreclamation -l [-f FSLIST]

The following command provides detailed status information:ibrix_snapreclamation -i [-f FSLIST]

Removing snapshot authorization for a snap treeBefore removing snapshot authorization from a snap tree, you must delete all snapshots in the snaptree and reclaim the space previously used by the snapshots. Complete the following steps:1. Disable any schedules on the snap tree. Select the snap tree on the Snap Trees panel, select

Modify, and remove the Frequency settings on the Modify Snap Tree dialog box.2. Delete the existing snapshots of the snap tree. See “Deleting snapshots” (page 165)3. Reclaim the space used by the snapshots. See “Reclaiming file system space previously used

for snapshots” (page 165).4. Delete the snap tree. On the Snap Trees panel, select the appropriate snap tree, click Delete,

and confirm the operation.To disable snapshots on a directory tree using the CLI, run the following command:ibrix_snap -m -U -f FSNAME -P SnapTreePath


Moving files between snap treesFiles created on, copied, or moved to a snap tree directory can be moved to any other snap treeor non-snap tree directory on the same file system, provided they are not snapped. After a snapshotis taken and the files have become part of that snapshot, they cannot be moved to any other snaptree or directory on the same file system. However, the files can be moved to any snap tree ordirectory on a different file system.

Backing up snapshotsSnapshots are stored in a .snapshot directory under the directory tree. For example:# ls -alR /fs2/dir.tst/fs2/dir.tst:drwxr-xr-x 4 root root 4096 Feb 8 09:11 dir.dir-rwxr-xr-x 1 root root 99999999 Jan 31 09:33 file.0-rwxr-xr-x 1 root root 99999999 Jan 31 09:33 file.1drwxr-xr-x 2 root root 4096 Apr 6 15:55 .snapshot/fs2/dir.tst/.snapshot:lrwxrwxrwx 1 root root 15 Apr 6 15:39 2011-04-06T15:39:57_ -> ../.@1302118797lrwxrwxrwx 1 root root 15 Apr 6 15:55 2011-04-06T15:55:07_tst1 -> ../.@1302119707 /fs2/dir.tst/dir.dir: -rwxr-xr-x 1 root root 99999999 Jan 31 09:34 file.1

NOTE: The links beginning with .@ are used internally by the snapshot software and cannot beaccessed.

To back up the snapshots, use the procedure corresponding to your backup method.

Backups using NDMPBy default, NDMP does not back up the .snapshot directory. For example, if you specify abackup of the /fs2/dir.test directory, NDMP backs up the directory but excludes /fs2/dir.tst/.snapshot and its contents.To back up the snapshot of the directory , specify the path /fs2/dir.tst/.snapshot/2011-04-06T15:55:07_tst1. Now you can use the snapshot ( a point in time copy) to restoreits associated directory. For example use /fs2/dir.tst/.snapshot/2011-04-06T15:55:07_tst1 to restore /fs2/dir.tst.

Backups without NDMPDMA applications can not backup a snapshot directory tree using a path such as /fs2/dir.tst/.snapshot/time-stamp-name. Instead, mount the snapshot using the mount -o bind optionand then back up the mount point. For example, using a mount point such as as/mnt-time_stamp-name, use the following command to mount the snapshot:mount –o bind /fs2/dir.tst.snapshot/time-stamp-name /mnt-time_stamp-name

Then configure the DMA to back up /mnt-time_stamp-name.

Backups with the tar utilityThe tar symbolic link (h) option can copy snapshots. For example, the following command copiesthe /snapfs1/test3 directory associated with the point-in-time snapshot.tar –cvfh /snapfs1/test3/.snapshot/2011-07-01T044500_hourly


15 Creating block snapshotsThe block snapshot feature allows you to capture a point-in-time copy of a file system for onlinebackup purposes and to simplify recovery of files from accidental deletion. The snapshot replicatesall file system entities at the time of capture and is managed exactly like any other file system.

NOTE: You can use either the software method or the block method to take snapshots on a filesystem. Using both snapshot methods simultaneously on the same file system is not supported.

The block snapshot feature is supported as follows:• HP X9320 Network Storage System: supported on the HP P2000 G3 MSA Array System or

HP 2000 Modular Smart Array G2 provided with the platform.• HP X9300 Network Storage Gateway: supported on the HP P2000 G3 MSA Array System;

HP 2000 Modular Smart Array G2; HP P4000 G2 Models; HP 3PAR F200, F400, T400 andT800s Storage Systems (OS version 2.3.1 (MU3); and Dell EqualLogic storage array (noarrays are provided with the X9300 system).

• HP X9720/X9730 Network Storage System: no support.The block snapshot feature uses the copy-on-write method to preserve the snapshot regardless ofchanges to the origin file system. Initially, the snapshot points to all blocks that the origin file systemis using (B in the following diagram). When a block in the origin file system is overwritten withadditions, edits, or deletions, the original block (prior to changes) is copied to the snapshot store,and the snapshot points to the copied block (C in the following diagram). The snapshot continuesto point to the origin file system contents from the point in time that the snapshot was executed.

To create a block snapshot, first provision or register the snapshot store. You can then create asnapshot from type-specific storage resources. The snapshot is active from the moment it is created.You can take snapshots via the X9000 Software block snapshot scheduler or manually, whenevernecessary. Each snapshot maintains its origin file system contents until deleted from the system.Snapshots can be made visible to users, allowing them to access and restore files (based onpermissions) from the available snapshots.

NOTE: By default, snapshots are read only. HP recommends that you do not allow writes to anysnapshots.

Setting up snapshotsThis section describes how to configure the cluster to take snapshots.

Preparing the snapshot partitionThe block snapshot feature does not require any custom settings for the partition. However, HPrecommends that you provide sufficient storage capacity to support the snapshot partition.

Setting up snapshots 169

NOTE: If the snapshot store is too small, the snapshot will eventually exceed the available space(unless you detect this and manually increase storage). If this situation occurs, the array softwaredeletes the snapshot resources and the X9000 Software snapshot feature invalidates the snapshotfile system.

Although you can monitor the snapshot and manually increase the snapshot store as needed, thesafest policy is to initially provision enough space to last for the expected lifetime of the snapshot.The optimum size of the snapshot store depends on usage patterns in the origin file system andthe length of time you expect the snapshot to be active. Typically, a period of trial and error isrequired to determine the optimum size.See the array documentation for procedures regarding partitioning and allocating storage for filesystem snapshots.

Registering for snapshotsAfter setting up the snapshot partition, you can register the partition with the Fusion Manager. Youwill need to provide a name for the storage location and specify access parameters (IP address,user name, and password).The following command registers and names the array’s snapshot partition on the Fusion Manager.The partition is then recognized as a repository for snapshots.ibrix_vs -r -n STORAGENAME -t { msa | lefthand | 3PAR | eqlogic} -I IP(s) -U USERNAME[-P PASSWORD]

To remove the registration information from the configuration database, use the following command.The partition will then no longer be recognized as a repository for snapshots.ibrix_vs -d -n STORAGENAME

Discovering LUNs in the arrayAfter the array is registered, use the -a option to map the physical storage elements in the arrayto the logical representations used by X9000 Software. The software can then manage the movementof data blocks to the appropriate snapshot locations on the array.Use the following command to map the storage information for the specified array:ibrix_vs -a [-n STORAGENAME]

Reviewing snapshot storage allocationUse the following command to list all of the array storage that is registered for snapshot use:ibrix_vs -l

To see detailed information for named snapshot partitions on either a specific array or all arrays,use the following command:ibrix_vs -i [-n STORAGENAME]

Automated block snapshotsIf you plan to take a snapshot of a file system on a regular basis, you can automate the snapshots.To do this, first define an automated snapshot scheme, and then apply the scheme to the file systemand create a schedule.A snapshot scheme specifies the number of snapshots to keep and the number of snapshots tomount. You can create a snapshot scheme from either the GUI or the CLI.

170 Creating block snapshots

The type of storage array determines the maximum number of snapshots you can keep and mountper file system.

Maximum number of snapshots to mountMaximum number of snapshots tokeep

Array

7 snapshots per file system32 snapshots per file systemP2000 G3 MSA System/MSA2000G2 array

7 snapshots per file system8 snapshots per file systemEqualLogic array

7 snapshots per file system32 snapshots per file systemP4000 G2 storage system

7 snapshots per file system32 snapshots per file system3PAR storage system

For the P2000 G3 MSA System/MSA2000, the storage array itself also limits the total number ofsnapshots that can be stored. Arrays count the number of LUNs involved in each snapshot. Forexample, if a file system has four LUNs, taking two snapshots of the file system increases the totalsnapshot LUN count by eight. If a new snapshot will cause the snapshot LUN count limit to beexceeded, an error will be reported, even though the file system limits may not be reached. Thesnapshot LUN count limit on P2000 G3 MSA System/MSA2000 arrays is 255.The 3PAR storage system allows you to make a maximum of 500 virtual copies of a base volume.Up to 256 virtual copies can be read/write copies.

Creating automated snapshots using the GUISelect the file system where the snapshots will be taken, and then select Block Snapshots from thelower Navigator. On the Block Snapshots panel, click New to display the Create Snapshot dialogbox. On the General tab, select Recurring as the Snapshot Type.

Automated block snapshots 171

Under Snapshot Configuration, select New to create a new snapshot scheme. The Create SnapshotScheme dialog box appears.


On the General tab, enter a name for the strategy and then specify the number of snapshots tokeep and mount on a daily, weekly, and monthly basis. Keep in mind the maximums allowed foryour array type.Daily means that one snapshot is kept per day for the specified number of days. For example, ifyou enter 6 as the daily count, the snapshot feature keeps 1 snapshot per day through the 6th day.On the 7th day, the oldest snapshot is deleted. Similarly,Weekly specifies the number of weeksthat snapshots are retained, and Monthly specifies the number of months that snapshots are retained.On the Advanced tab, you can create templates for naming the snapshots and mountpoints. Thisstep is optional.


For either template, enter one or more of the following variables. The variables must be enclosedin braces ({ }) and separated by underscores (_). The template can also include text strings. Whena snapshot is created using the templates, the variables are replaced with the following values.

ValueVariable

File system namefsname

yyyy_mm_ddshortdate

yyyy_mm_dd_HHmmz + GMTfulldate

When you have completed the scheme, it appears in the list of snapshot schemes on the CreateSnapshot dialog box. To create a snapshot schedule using this scheme, select it on the CreateSnapshot dialog box and go to the Schedule tab. Click Schedule this task, set the frequency of thesnapshots, and schedule when they should occur. You can also set start and end dates for theschedule. When you click OK, the snapshot scheduler will begin taking snapshots according tothe specified snapshot strategy and schedule.

Creating an automated snapshot scheme from the CLIYou can create an automated snapshot scheme with the ibrix_vs_snap_strategy command.However, you will need to use the GUI to create a snapshot schedule.To define a snapshot scheme, execute the ibrix_vs_snap_strategy command with the -coption:


ibrix_vs_snap_strategy -c -n NAME -k KEEP -m MOUNT [-N NAMESPEC] [-M MOUNTSPEC]

The options are:

The name for the snapshot scheme.-n NAME

The number of snapshots to keep per file system. For the P2000 G3 MSA System/MSA2000G2 array, the maximum is 32 snapshots per file system. For P4000 G2 storage systems, the

-k KEEP

maximum is 32 snapshots per file system. For P4000 G2 storage systems, the maximum is 32snapshots per file system. For Dell EqualLogic arrays, the maximum is eight snapshots per filesystem.Enter the number of days, weeks, and months to retain snapshots. The numbers must be separatedby commas, such as -k 2,7,28.

NOTE: One snapshot is kept per day for the specified number of days. For example, if youenter 6 as the daily count, the snapshot feature keeps 1 snapshot per day through the 6th day.On the 7th day, the oldest snapshot is deleted. Similarly, the weekly count specifies the numberof weeks that snapshots are retained, and the monthly count specifies the number of months thatsnapshots are retained.

The number of snapshots to mount per file system. The maximum number of snapshots is 7 perfile system.

-m MOUNT

Enter the number of snapshots to mount per day, week, and month. The numbers must beseparated by commas, such as -m 2,2,3. The sum of the numbers must be less than or equalto 7.

Snapshot name template. The template specifies a scheme for creating unique names for thesnapshots. Use the variables listed below for the template.

-N NAMESPEC

Snapshot mountpoint template. The template specifies a scheme for creating unique mountpointsfor the snapshots. Use the variables listed below for the template.

–M MOUNTSPEC

Variables for snapshot name and mountpoint templates.

yyyy_mm_dd_HHmmz + GMTfulldate

yyyy_mm_ddshortdate

File system namefsname

You can specify one or more of these variables, enclosed in braces ({ }) and separated byunderscores (_). The template can also include text strings. Two sample templates follow. When asnapshot is created using one of these templates, the variables will be replaced with the valueslisted above.{fsname}_snap_{fulldate}snap_{shortdate}_{fsname}

Other automated snapshot proceduresUse the following procedures to manage automated snapshots.

Modifying an automated snapshot schemeA snapshot scheme can be modified only from the CLI. Use the following command:ibrix_vs_snap_strategy -e -n NAME -k KEEP -m MOUNT [-N NAMESPEC] [-M MOUNTSPEC]

Viewing automated snapshot schemesOn the GUI, you can view snapshot schemes on the Create Snapshot dialog box. Select Recurringas the Snapshot Type, and then select a snapshot scheme. A description of that scheme will bedisplayed.To view all automated snapshot schemes or all schemes of a specific type using the CLI, executethe following command:ibrix_vs_snap_strategy -l [-T TYPE]


To see details about a specific automated snapshot scheme, use the following command:ibrix_vs_snap_strategy -i -n NAME

Deleting an automated snapshot schemeA snapshot scheme can be deleted only from the CLI. Use the following command:ibrix_vs_snap_strategy -d -n NAME

Managing block snapshotsThis section describes how to manage individual snapshots.

Creating an on-demand snapshotTo take an on-demand snapshot from the GUI, select the file system where the snapshot will betaken, and then select Block Snapshots from the lower Navigator. On the Block Snapshots panel,click New to display the Create Snapshot dialog box. On the General tab, select Once as theSnapshot Type and click OK.Use the following command to create a snapshot from the CLIibrix_vs_snap -c -n SNAPFSNAME -f ORIGINFSNAME

For example, to create a snapshot named ifs1_snap for file system ifs1:ibrix_vs_snap -c -n ifs1_snap -f ifs1

Mounting or unmounting a snapshotOn the GUI, select Block Snapshots from the lower Navigator, select the snapshot on the BlockSnapshots panel, and click Mount or Unmount.Include the -M option to the create command to automatically mount the snapshot file system aftercreating it. This makes the snapshot visible to authorized users. HP recommends that you do notallow writes to any snapshot file system.ibrix_vs_snap -c –M –n SNAPFSNAME -f ORIGINFSNAME

For example, to create and mount a snapshot named ifs1_snap for file system ifs1:ibrix_vs_snap -c -M –n ifs1_snap -f ifs1

Recovering system resources on snapshot failureIf a snapshot encounters insufficient resources when attempting to update its contents due to changesin the origin file system, the snapshot fails and is marked invalid. Data is no longer accessible inthe snapshot. To clean up records in the configuration database for an invalid snapshot, use thefollowing command from the CLI:ibrix_vs_snap -r -f SNAPFSLIST

For example, to clean up database records for a failed snapshot named ifs1_snap:ibrix_vs_snap -r -f ifs1_snap

On the GUI, select the snapshot on the Block Snapshots panel and click Cleanup.

Deleting snapshotsDelete snapshots to free up resources when the snapshot is no longer needed or to create a newsnapshot when you have already created the maximum allowed for your storage system.On the GUI, select the snapshot on the Block Snapshots panel and click Delete. On the CLI, usethe following command:ibrix_vs_snap -d -f SNAPFSLIST

For example, to delete snapshots ifs0_snap and ifs1_snap:ibrix_vs_snap -d -f ifs0_snap,ifs1_snap


Viewing snapshot informationUse the following commands to view snapshot information from the CLI.

Listing snapshot information for all hostsThe ibrix_vs_snap -l command displays snapshot information for all hosts. Sample outputfollows:ibrix_vs_snap -l

NAME NUM_SEGS MOUNTED? GEN TYPE CREATETIME----- -------- -------- --- ---- ----------snap1 3 No 6 msa Wed Oct 7 15:09:50 EDT 2009

The following table lists the output fields for ibrix_vs_snap -l.

DescriptionField

Snapshot name.NAME

Number of segments in the snapshot.NUM_SEGS

Snapshot mount state.MOUNTED?

Number of times the snapshot configuration has been changed in the configuration database.GEN

Snapshot type, based on the underlying storage system.TYPE

Creation timestamp.CREATETIME

Listing detailed information about snapshotsUse the ibrix_vs_snap -i command to monitor the status of active snapshots. You can usethe command to ensure that the associated snapshot stores are not full.ibrix_vs_snap -i

To list information about snapshots of specific file systems, use the following command:ibrix_vs_snap -i [-f SNAPFSLIST]

The ibrix_vs_snap -i command lists the same information as ibrix_fs -i, plus informationfields specific to snapshots. Include the -f SNAPFSLIST argument to restrict the output to specificsnapshot file systems.The following example shows only the snapshot-specific fields. To view an example of the commonfields, see “Viewing file system information” (page 35).

SEGMENT OWNER LV_NAME STATE BLOCK_SIZE CAPACITY(GB) FREE(GB) AVAIL(GB) FILES FFREE USED% BACKUP TYPE TIER LAST_REPORTED------- -------- --------------------- --------------- ---------- ------------ -------- --------- ----- ----- ----- ------ ----- ---- -------------1 ib50-243 ilv11_msa_snap9__snap OK, SnapUsed=4% 4,096 0.00 0.00 0.00 0 0 0 MIXED 7 Hrs 56 Mins 46 Secs ago2 ib50-243 ilv12_msa_snap9__snap OK, SnapUsed=6% 4,096 0.00 0.00 0.00 0 0 0 MIXED 7 Hrs 56 Mins 46 Secs ago3 ib50-243 ilv13_msa_snap9__snap OK, SnapUsed=6% 4,096 0.00 0.00 0.00 0 0 0 MIXED 7 Hrs 56 Mins 46 Secs ago4 ib50-243 ilv14_msa_snap9__snap OK, SnapUsed=8% 4,096 0.00 0.00 0.00 0 0 0 MIXED 7 Hrs 56 Mins 46 Secs ago5 ib50-243 ilv15_msa_snap9__snap OK, SnapUsed=6% 4,096 0.00 0.00 0.00 0 0 0 MIXED 7 Hrs 56 Mins 46 Secs ago6 ib50-243 ilv16_msa_snap9__snap OK, SnapUsed=5% 4,096 0.00 0.00 0.00 0 0 0 MIXED 7 Hrs 56 Mins 46 Secs ago

NOTE: For P4000 G2 storage systems, the state is reported as OK, but the SnapUsed fieldalways reports 0%.

Managing block snapshots 177

The following table lists the output fields for ibrix_vs_snap -i.

DescriptionField

Snapshot segment number.SEGMENT

The file serving node that owns the snapshot segment.OWNER

Logical volume.LV_NAME

State of the snapshot.STATE

Block size used for the snapshot.BLOCK_SIZE

Size of this snapshot file system, in GB.CAPACITY (GB)

Free space on this snapshot file system, in GB.FREE (GB)

Space available for user files, in GB.AVAIL (GB)

Number of files that can be created in this snapshot file system.FILES

Number of unused file inodes available in this snapshot file system.FFREE

Percentage of total storage occupied by user files.USED%

Backup host name.BACKUP

Segment type. Mixed means the segment can contain both directories and files.TYPE

Tier to which the segment was assigned.TIER

Last time the segment state was reported.Last Reported

Accessing snapshot file systemsBy default, snapshot file systems are mounted in two locations on the file serving nodes:

• /<snapshot_name>

• /<original_file_system>/.<snapshot_name>

For example, if you take a snapshot of the fs1 file system and name the snapshot fs1_snap1,it will be mounted at /fs1_snap1 and at /fs1/.fs1_snap1.X9000 clients must mount the snapshot file system (/<snapshot_name>) to access the contentsof the snapshot.NFS and CIFS clients can access the contents of the snapshot through the original file system (suchas /fs1/.fs1_snap1) or they can mount the snapshot file system (in this example, /fs1_snap1).The following window shows an NFS client browsing the snapshot file system .fs1_snap2 in thefs1_nfs file system.


The next window shows a CIFS client accessing the snapshot file system .fs1_snap1. The originalfile system is mapped to drive X.

Accessing snapshot file systems 179

Troubleshooting block snapshots

Snapshot reserve is full and the MSA2000 is deleting snapshot volumesWhen the snapshot reserve is full, the MSA2000 will delete snapshot volumes on the storage array,leaving the device entries on the file serving nodes. To correct this situation, take the followingsteps:1. Stop I/O or any applications that are reading or writing to the snapshot file systems.2. Log on to the active Fusion Manager.3. Unmount all snapshot file systems.4. Delete all snapshot file systems to recover space in the snapshot reserve.

CIFS clients receive an error when creating a snapshotCIFS clients might see the following error when attempting to create a snapshot:Make sure you are connected to the network and try again

This error is generated when the snapshot creation takes longer than the CIFS timeout, causing theCIFS client to determine that the server has failed or the network is disconnected. To avoid thissituation, do not take snapshots during periods of high CIFS activity.

Cannot create 32 snapshots on an MSA systemMSA systems or arrays support a maximum of 32 snapshots per file system. If snapshot creationis failing before you reach 32 snapshots, check the following:

• Verify the version of the MSA firmware.

• If the cluster has been rebuilt, use the MSA GUI or CLI to check for old snapshots that werenot deleted before the cluster was rebuilt. The CLI command is show snapshots.

• Verify the virtual disk and LUN layout.


16 Using data tieringA data tier is a logical grouping of file system segments. After creating tiers containing the segmentsin the file system, you can use the data tiering migration process to move files from the segmentsin one tier to the segments in another tier.For example, you could create a primary data tier for SAS storage and another tier for SATAstorage. You could then migrate specific data from the SAS tier to the lower-cost SATA tier. Otherconfigurations might be based on the type of file being stored, such as storing all streaming filesin a tier or moving all files over a certain size to a specific tier.X9000 data tiering is transparent to users and applications and is compatible with X9000 softwarefile system snapshots and other X9000 data services.Migration is a storage and filesystem intensive process which, in some circumstances, can takedays to complete. Migration tasks must be run at a time when clients are not generating significantload. Migration it is not suitable for environments where there are no quiet times to run migrationtasks.

IMPORTANT: Data tiering has a cool-down period of approximately 10 minutes. If a file waslast accessed during the cool-down period, the file will not be moved.

Configuring data tiersComplete the following steps to configure data tiering:

• Assign segments to tiers. You can create any number of tiers. A tier cannot be on tape or ona location external to the X9000 file system, such as an NFS share.

• Define the primary tier. All new files are written to this tier.

• Create the tiering policy for the file system. The policy consists of rules that specify the datato be migrated. The parameters and directives used in the migration rules include actionsbased on file access patterns (such as access and modification times), file size, and file type.Rules can be constrained to operate on files owned by specific users and groups and to specificpaths. Logical operators can be used to combine directives.

Assigning segments to tiersSegments can be assigned to tiers when a file system is created or expanded, or at times when amigration task is not running. Similarly, tier assignments can be changed or removed at any time,provided that no migration tasks are running.On the GUI, select Filesystems from the Navigator and select a file system in the Filesystems panel.In the lower Navigator, select Segments. The Segments panel displays all of the segments in thefile system.

Configuring data tiers 181

In this example, filesystem ifs1 has four segments and no tiering information is currently defined.We will create two tiers, Tier1 and Tier2, and we will assign two segments to each tier.On the Segments panel, select the segments for the tier and click Assign to Tier. On the Assign toTier dialog box, specify a name for the tier.

When you repeat the operation to place other file system segments in a tier, the dialog box allowsyou to add the segments to an existing tier or to create a new tier.

When you create a tier, the tier assignment is added to the Segments panel. In the followingexample, segments 1 and 2 are in Tier1 and segments 3 and 4 are in Tier2.

182 Using data tiering

Defining the primary tierAll new files are written to the primary tier, which is typically the tier built on the fastest storage.Use the following command to define the primary tier:ibrix_fs_tune -f FILESYSTEM -h SERVERS -t TIERNAME

The following example specifies Tier1 as the primary tier:ibrix_fs_tune -f ifs1 -h ibrix1a,ibrix1b -t Tier1

This policy takes precedence over any other file allocation polices defined for the filesystem.

NOTE: This example assumes users access the files over CIFS, NFS, FTP, or HTTP. If X9000clients are used, the allocation policy must be applied to the clients. (Use -h to specify the clients.)

Creating a tiering policy for a file systemA tiering policy specifies migration rules for the file system. One tiering policy can be defined perfile system and the policy must have at least one rule. Rules in the policy can migrate files betweenany two tiers in the filesystem. For example, rule1 could move files between Tier1 and Tier2, rule2could migrate files from Tier2 to Tier1, and rule3 could migrate files between Tier1 and Tier3.A file is migrated according to the first rule that it matches. You can narrow the scope of rules bycombining directives using logical operators.The following example creates a policy that has three simple rules:

• Migrate all files that have not been modified for 30 minutes from Tier1 to Tier2. (This rule isnot valid for production, but is a good rule for testing.)

• Migrate all files larger than 5 MB from Tier1 to Tier2.

• Migrate all mpeg4 files from Tier1 to Tier 2.On the GUI, select Filesystems from the Navigator and then select a file system in the Filesystemspanel. In the lower Navigator, select Active Tasks > Data Tiering > Rules.

Creating a tiering policy for a file system 183

The Data Tiering Rules panel lists the existing rules for the file system. To create a rule, click Create.On the Create Data Tiering Rule dialog box, select the source and destination tier and then definea rule. The rule can move files between any two tiers.

When you click OK, the rule is checked for correct syntax. If the syntax is correct, the rule is savedand appears on the Data Tiering Rules panel. The following example shows the three rules createdfor the example.

You can delete rules if necessary. Select the rule on the Data Tiering Rules panel and click Delete.


Additional rule examplesThe following rule migrates all files from Tier2 to Tier1:name="*"

The following rule migrates all files in the subtree beneath the path. The path is relative to themountpoint of the file system.path=testdata2

The next example migrates all mpeg4 files in the subtree. A logical “and” operator combines therules:path=testdata4 and name="*mpeg4"

The next example narrows the scope of the rule to files owned by users in a specific group. Notethe use of parentheses.gname=users and (path=testdata4 and name="*mpeg4")

For more examples and detailed information about creating rules, see “Writing tiering rules”(page 191).

Running a migration taskMigrating files from one tier to another must be initiated manually. Migration tasks cannot bescheduled to run using X9000 commands. Once started, a migration task passes once throughthe filesystem then stops. It is possible to use external job control software to run a migration taskon a schedule if required.Only one migration task can run on a file system at any time. The task is not restarted on failure,and cannot be paused and later resumed. However, a migration task can be started when a serveris in the InFailover state.To start a migration task from the GUI, select the file system from the Filesystems panel and thenselect Data Tiering in the lower Navigator. Click New on the Task Summary panel. The counterson the panel are updated periodically while the task is running.

If necessary, click Stop to stop the data tiering task. There is no pause/resume function. When thetask is complete, it appears on the GUI under Inactive Tasks for the file system. You can check theexit status there.

Running a migration task 185

Click Details to see summary information about the task.

Changing the tiering configuration with the GUIThe following restrictions apply when changing the configuration:

• You cannot modify the tiering configuration for a filesystem while an active migration task isrunning.

• You cannot move segments between tiers, assign them to new tiers, or unassign them fromtiers while an active migration task is running or while any rules exist that apply to the segments.

Moving a segment to another tierTo move a segment to another tier, select the segment on the Segments panel, click Assign to Tier,and then select a different tier for the segment, or create a new tier. The following example moveda segment from Tier1 to Tier2.


Removing a segment from a tierYou can remove a segment from a tier, without assigning it to another tier. Select the file systemfrom the Filesystems panel and expand Segments in the lower Navigator to list the tiers in the filesystem. Select the tier containing the segment. On the Tier Segments panel, select the segment andclick Unassign.

Configuring tiers and migrating data using the CLIUse the ibrix_tier command to manage tier assignments and to list information about tiers.Use the ibrix_migrator command to create or delete rules defining migration policies, to startor stop migration tasks, and to list information about rules and migrator tasks.

Configuring tiers and migrating data using the CLI 187

Assigning segments to tiersFirst determine the segments in the file system and then assign them to tiers. Use the followingcommand to list the segments:ibrix_fs -f FSNAME –i

For example (the output is truncated):[root@ibrix01a ~]# ibrix_fs -f ifs1 –i.

.SEGMENT OWNER LV_NAME STATE BLOCK_SIZE CAPACITY(GB) ------- -------- ------- ----- ---------- ------------ 1 ibrix01b ilv1 OK 4,096 3,811.11 . . .2 ibrix01a ilv2 OK 4,096 3,035.67 3 ibrix01b ilv3 OK 4,096 3,811.11 4 ibrix01a ilv4 OK 4,096 3,035.67 ..

Use the following command to assign segments to a tier. The tier is created if it does not alreadyexist.ibrix_tier -a -f FSNAME -t TIERNAME -S SEGLIST

For example, the following command creates Tier 1 and assigns segments 1 and 2 to it:[root@ibrix01a ~]# ibrix_tier -a -f ifs1 -t Tier1 -S 1,2Assigned segment: 1 (ilv1) to tier Tier1Assigned segment: 2 (ilv2) to tier Tier1Command succeeded!

NOTE: Be sure to spell the name of the tier correctly when you add segments to an existing tier.If you spell the name incorrectly, a new tier is created with the incorrect tier name, and no erroris recognized.

Use ibrix_fs_tune to designate the primary tier. See “Defining the primary tier” (page 183).

Displaying information about tiersUse the following command to list the tiers in a file system. The -t option displays information fora specific tier.ibrix_tier -l -f FSNAME [-t TIERNAME]

For example:[root@ibrix01a ~]# ibrix_tier -i -f ifs1Tier: Tier1===========FS Name Segment Number Tier------- -------------- ----ifs1 1 Tier1ifs1 2 Tier1

Tier: Tier2===========FS Name Segment Number Tier------- -------------- ----ifs1 3 Tier2ifs1 4 Tier2

Creating a tiering policyTo create a rule for migrating data from a source tier to a destination tier, use the followingcommand:


ibrix_migrator -A -f FSNAME -r RULE -S SOURCE_TIER -D DESTINATION_TIER

The following rule migrates all files that have not been modified for 30 minutes from Tier1 to Tier2:[root@ibrix01a ~]# ibrix_migrator -A -f ifs1 -r 'mtime older than 30 minutes' -S Tier1 -D Tier2Rule: mtime<now - 0-0-0-0:30:0Command succeeded!

Listing tiering rulesTo list all of the rules in the tiering policy, use the following command:ibrix_migrator -l [-f FSNAME] -r

The output lists the file system name, the rule ID (IDs are assigned in the order in which rules areadded to the configuration database), the rule definition, and the source and destination tiers. Forexample:[root@ibrix01a ~]# ibrix_migrator -l -f ifs1 -rHsmRules========FS Name Id Rule Source Tier Destination Tier------- -- --------------------------- ----------- ----------------ifs1 9 mtime older than 30 minutes Tier1 Tier2ifs1 10 name = "*.mpeg4" Tier1 Tier2ifs1 11 size > 4M Tier1 Tier2

Running a migration taskTo start a migration task, use the following command:ibrix_migrator -s -f FSNAME

For example:[root@ibrix01a ~]# ibrix_migrator -s -f ifs1Submitted Migrator operation to background. ID of submitted task: Migrator_163Command succeeded!

NOTE: The ibrix_migrator command cannot be run at the same time as ibrix_rebalance.

To list the active migration task for a file system, use the ibrix_migrator -i option. For example:[root@ibrix01a ~]# ibrix_migrator -i -f ifs1 Operation: Migrator_163 ======================= Task Summary ============ Task Id : Migrator_163 Type : Migrator File System : ifs1 Submitted From : root from Local Host Run State : STARTING Active? : Yes EXIT STATUS : Started At : Jan 17, 2012 10:32:55 Coordinator Server : ibrix01b Errors/Warnings : Dentries scanned : 0 Number of Inodes moved : 0 Number of Inodes skipped : 0 Avg size (kb) : 0 Avg Mb Per Sec : 0 Number of errors : 0

To view summary information after the task has completed, run the ibrix_migrator -i commandagain and include the -n option, which specifies the task ID. (The task ID appears in the outputfrom ibrix migrator -i.)

Configuring tiers and migrating data using the CLI 189

[root@ibrix01a testdata1]# ibrix_task -i -n Migrator_163 Operation: Migrator_163 ======================= Task Summary ============ Task Id : Migrator_163 Type : Migrator File System : ifs1 Submitted From : root from Local Host Run State : STOPPED Active? : No EXIT STATUS : OK Started At : Jan 17, 2012 10:32:55 Coordinator Server : ibrix01b Errors/Warnings : Dentries scanned : 1025 Number of Inodes moved : 1002 Number of Inodes skipped : 1 Avg size (kb) : 525 Avg Mb Per Sec : 16 Number of errors : 0

Stopping a migration taskTo stop a migration task, use the following command:ibrix_migrator -k -t TASKID [-F]

Changing the tiering configuration with the CLIThe following restrictions apply when changing the configuration:

• You cannot modify the tiering configuration for a filesystem while an active migration task isrunning.

• You cannot move segments between tiers, assign them to new tiers, or unassign them fromtiers while an active migration task is running or while any rules exist that apply to the segments.

Moving a segment to another tierUse the following command to assign a segment to another tier:ibrix_tier -a -f FSNAME -t TIERNAME -S SEGLIST

Removing a segment from a tierThe following command removes segments from a tier. If you do not specify a segment list, allsegments in the file system are unassigned.ibrix_tier -u -f FSNAME [-S SEGLIST]

The following example removes segments 3 and 4 from their current tier assignment:[root@ibrix01a ~]# ibrix_tier -u -f ifs1 -S 3,4

Deleting a tierBefore deleting a tier, take these steps:

• Delete all policy rules defined for the tier.

• Allow any active tiering jobs to complete.To unassign all segments and delete the tier, use the following command:ibrix_tier -d -f FSNAME -t TIERNAME


Deleting a tiering ruleBefore deleting a rule, run the ibrix_migrator -l [-f FSNAME] -r command and notethe ID assigned to the rule. Then use the following command to delete the rule:ibrix_migrator -d -f FSNAME -r RULE_ID

The -r option specifies the rule ID. For example:[root@ibrix01a ~]# ibrix_migrator -d -f ifs2 -r 2

Writing tiering rulesA tiering policy consists of one or more rules that specify how data is migrated from one tier toanother. You can write rules using the GUI, or you can write them directly to the configurationdatabase using the ibrix_migrator -A command.

Rule attributesEach rule identifies file attributes to be matched. It also specifies the source tier to scan and thedestination tier where files that meet the rule’s criteria will be moved and stored.Note the following:

• Tiering rules are based on individual file attributes.

• All rules are executed when the tiering policy is applied during execution of theibrix_migrator command.

• It is important that different rules do not target the same files, especially if different destinationtiers are specified. If tiering rules are ambiguous, the final destination for a file is notpredictable. See “Ambiguous rules” (page 193), for more information.

The following are examples of attributes that can be specified in rules. All attributes are listed in“Rule keywords” (page 192). You can use AND and OR operators to create combinations.Access time

• File was last accessed x or more days ago

• File was accessed in the last y daysModification time

• File was last modified x or more days agoFile size—greater than n KFile name or File type—jpg, wav, exe (include or exclude)File ownership—owned by user(s) (include or exclude)Use of the tiering assignments or policy on any file system is optional. Tiering is not assigned bydefault; there is no “default” tier.

Operators and date/time qualifiersValid rules operators are <, <=, =, !=, >, >=, and boolean and and or.Use the following qualifiers for fixed times and dates:

• Time: Enter as three pairs of colon-separated integers using a 24-hour clock. The format ishh:mm:ss (for example, 15:30:00).

• Date: Enter as yyyy-mm-dd [hh:mm:ss], where time of day is optional (for example,2008-06-04 or 2008-06-04 15:30:00). Note the space separating the date and time.

When specifying an absolute date and/or time, the rule must use a compare type operator (< |<= | = | != | > | >=). For example:ibrix_migrator -A -f ifs2 -r "atime > '2010-09-23' " -S TIER1 -D TIER2

Writing tiering rules 191

Use the following qualifiers for relative times and dates:

• Relative time: Enter in rules as year or years, month or months,week or weeks, day ordays, hour or hours.

• Relative date: Use older than or younger than. The rules engine uses the time theibrix_migrator command starts execution as the start time for the rule. It then computesthe required time for the rule based on this start time. For example, ctime older than 4weeks refers to that time period more that 4 weeks before the start time.

The following example uses a relative date:ibrix_migrator -A -f ifs2 -r "atime older than 2 days " -S TIER1 -DTIER2

Rule keywordsThe following keywords can be used in rules.

DescriptionKeyword

Access time, used in a rule as a fixed or relative time.atime

Change time, used in a rule as a fixed or relative time.ctime

Modification time, used in a rule as a fixed or relative timemtime

An integer corresponding to a group ID.gid

A string corresponding to a group name. Enclose the name string in double quotes.gname

An integer corresponding to a user ID.uid

A string corresponding to a user name, where the user is the owner of the file. Enclose the namestring in double quotes.

uname

File system entity the rule operates on. Currently, only the file entity is supported.type

In size-based rules, the threshold value for determining migration. Value is an integer specified inK (KB), M (MB), G (GB), and T (TB). Do not separate the value from its unit (for example, 24K).

size

Regular expression. A typical use of a regular expression is to match file names. Enclose a regularexpression in double quotes. The * wildcard is valid (for example, name = "*.mpg").

name

A name cannot contain a / character. You cannot specify a path; only a filename is allowed.

Path name that allows these wild cards: *, ?, /. For example, if the mountpoint for the file systemis /mnt, path=ibfs1/mydir/* matches the entire directory subtree under /mnt/ibfs1/mydir.(A path cannot start with a /).

path

Path name that rigidly conforms to UNIX shell file name expansion behavior. For example,strict_path=/mnt/ibfs1/mydir/* matches only the files that are explicitly in the mydirdirectory, but does not match any files in subdirectories of mydir.

strict_path

Migration rule examplesWhen you write a rule, identify the following components:

• File system (-f)

• Source tier (-S)

• Destination tier (-D)Use the following command to write a rule. The rule portion of the command must be enclosed insingle quotes.ibrix_migrator -A -f FSNAME -r 'RULE' -S SOURCE_TIER -D DEST_TIER

Examples:


The rule in the following example is based on the file’s last modification time, using a relative timeperiod. All files whose last modification date is more than one month in the past are moved.# ibrix_migrator -A -f ifs2 -r 'mtime older than 1 month' -S T1 -D T2

In the next example, the rule is modified to limit the files being migrated to two types of graphicfiles. The or expression is enclosed in parentheses, and the * wildcard is used to match filenamepatterns.# ibrix_migrator -A -f ifs2 -r 'mtime older than 1 month and( name = "*.jpg" or name = "*.gif" )' -S T1 -D T2

In the next example, three conditions are imposed on the migration. Note that there is no spacebetween the integer and unit that define the size threshold (10M):# ibrix_migrator -A -f ifs2 -r 'ctime older than 1 month and type = file and size >= 10M' -S T1 -D T2

The following example uses the path keyword. It moves files greater than or equal to 5M that areunder the directory /ifs2/tiering_test from TIER1 to TIER2:ibrix_migrator -A -f ifs2 -r "path = tiering_test and size >= 5M" -STIER1 -D TIER2

Rules can be group- or user-based as well as time- or data-based. In the following example, filesassociated with two users are migrated to T2 with no consideration of time. The names are quotedstrings.# ibrix_migrator -A -f ifs2 -r 'type = file and ( uname = "ibrixuser"or uname = "nobody" )' -S T1 -D T2

Conditions can be combined with and and or to create very precise tiering rules, as shown in thefollowing example.# ibrix_migrator -A -f ifs2 -r ' (ctime older than 3 weeks and ctime younger than 4 weeks) and type = file and ( name = "*.jpg" or name = "*.gif" ) and (size >= 10M and size <= 25M)' -S T1 -D T2

Ambiguous rulesIt is possible to write a set of ambiguous rules, where different rules could be used to move a fileto conflicting destinations. For example, if a file can be matched by two separate rules, there isno guarantee which rule will be applied in a tiering job.Ambiguous rules can cause a file to be moved to a specific tier and then potentially moved back.Examples of two such situations follow.Example 1:In the following example, if a .jpg file older than one month exists in tier 1, then the first rulemoves it to tier 2. However, once it is in tier 2, it is matched by the second rule, which then movesthe file back to tier 1.# ibrix_migrator -A -f ifs2 -r ' mtime older than 1 month ' -S T1 -D T2# ibrix_migrator -A -f ifs2 -r ' name = "*.jpg" ' -S T2 -D T1

There is no guarantee as to the order in which the two rules will be executed; therefore, the finaldestination is ambiguous because multiple rules can apply to the same file.Example 2:Rules can cause data movement in both directions, which can lead to issues. In the followingexample, the rules specify that all .doc files in tier 1 to be moved to tier 2 and all .jpg files intier 2 be moved to tier 1. However, this might not succeed, depending on how full the tiers are.# ibrix_migrator -A -f ifs2 -r ' name = "*.doc" ' -S T1 -D T2# ibrix_migrator -A -f ifs2 -r ' name = "*.jpg" ' -S T2 -D T1

For example, if tier 1 is filled with .doc files to 70% capacity and tier2 is filled with .jpg files to80% capacity, then tiering might terminate before it is able to fully "swap" the contents of tier 1and tier 2. The files are processed in no particular order; therefore, it is possible that more .doc

Writing tiering rules 193

files will be encountered at the beginning of the job, causing space on tier 2 to be consumed fasterthan on tier 1. Once a destination tier is full, obviously no further movement in that direction ispossible.These rules in these two examples are ambiguous because they give rise to possible conflictingfile movement. It is the user’s responsibility to write unambiguous rules for the data tiering policyfor their file systems.


17 Using file allocationThis chapter describes how to configure and manage file allocation.

OverviewX9000 Software allocates new files and directories to segments according to the allocation policyand segment preferences that are in effect for a client. An allocation policy is an algorithm thatdetermines the segments that are selected when clients write to a file system.

File allocation policiesFile allocation policies are set per file system on each file serving node and on X9000 clients. Thepolicies define the following:

• Preferred segments. The segments where a file serving node or X9000 client creates all newfiles and directories.

• Allocation policy. The policy that a file serving node or X9000 client uses to choose segmentsfrom its pool of preferred segments to create new files and directories.

The segment preferences and allocation policy are set locally for X9000 clients. For NFS, CIFS,HTTP, and FTP clients (collectively referred to as NAS clients), the allocation policy and segmentpreferences must be set on the file serving nodes from which the NAS clients access shares.Segment preferences and allocation policies can be set and changed at any time, including whenthe target file system is mounted and in use.

IMPORTANT: It is possible to set separate allocation policies for files and directories. However,this feature is deprecated and should not be used unless you are directed to do so by HP support.

NOTE: X9000 clients access segments directly through the owning file serving node and do nothonor the file allocation policy set on file serving nodes.

IMPORTANT: Changing segment preferences and allocation policy will alter file system storagebehavior.

The following tables list standard and deprecated preference settings and allocation policies.

Overview 195

Standard segment preferences and allocation policies

CommentDescriptionName

This is the default segment preference. It is suitablefor most use cases.

Prefer all of the segments available in the filesystem for new files and directories.

ALL

No writes are routed between the file serving nodesin the cluster. This preference is beneficial for

Prefer the file serving node’s local segments fornew files and directories.

LOCAL

performance in some configurations and for someworkloads, but can cause some segments to beoverutilized.

This is the default allocation policy. It generallyspreads new files and directories evenly (by number

Allocate files to a randomly chosen segmentamong preferred segments.

RANDOM

of files, not by capacity) across all of the preferredsegments; however, that is not guaranteed.

This policy guarantees that new files and foldersare spread evenly across the preferred segments(by number of files, not by capacity).

Allocate files to preferred segments in segmentorder, returning to the first segment (or thedesignated starting segment) when a file ordirectory has been allocated to the last segment.

ROUNDROBIN

Deprecated segment preferences and allocation policies

IMPORTANT: HP recommends that you do not use these options. They are currently supportedbut will be removed in a future release.

CommentDescriptionName

Should be used only on the adviceof HP support.

Lets the X9000 Software select the allocation policy.AUTOMATIC


Allocates files to the segment where its parentdirectory is located.

DIRECTORY


Allocates files to one segment until the segment’sstorage limit is reached, and then moves to the next

STICKY

segment as determined by the AUTOMATIC fileallocation policy.


For clusters with more than 16 file serving nodes,takes a subset of the servers to be used for file

HOST_ROUNDROBIN_NB

creation and rotates this subset on a regular, periodicbasis.

Use NONE only to set file anddirectory allocation to the samepolicy.

Sets directory allocation policy only. Causes thedirectory allocation policy to revert to its default,which is the policy set for file allocation.

NONE

How file allocation settings are evaluatedBy default, ALL segments are preferred and file systems use the RANDOM allocation policy. Thesedefaults are adequate for most X9000 environments; but in some cases, it may be necessary tochange the defaults to optimize file storage for your system.

196 Using file allocation

An X9000 client or X9000 file serving node (referred to as “the host”) uses the following precedencerules to evaluate the file allocation settings that are in effect:

• The host uses the default allocation policies and segment preferences: The RANDOM policyis applied, and a segment is chosen from among ALL the available segments.

• The host uses a non-default allocation policy (such as ROUNDROBIN) and the default segmentpreference: Only the file or directory allocation policy is applied, and a segment is chosenfrom among ALL available segments.

• The host uses a non-default segment preference and a non-default allocation policy (such asLOCAL/ROUNDROBIN): A segment is chosen according to the following rules:

◦ From the pool of preferred segments, select a segment according to the allocation policyset for the host, and store the file in that segment if there is room. If all segments in thepool are full, proceed to the next rule.

◦ Use the AUTOMATIC allocation policy to choose a segment with enough storage roomfrom among the available segments, and store the file.

When file allocation settings take effect on X9000 clientsAlthough file allocation settings are executed immediately on file serving nodes, for X9000 clients,a file allocation intention is stored in the Fusion Manager. When X9000 Software services starton a client, the client queries the Fusion Manager for the file allocation settings that it should useand then implements them. If the services are already running on a client, you can force the clientto query the Fusion Manager by executing ibrix_client or ibrix_lwhost --a on the client,or by rebooting the client.

Using CLI commands for file allocationFollow these guidelines when using CLI commands to perform any file allocation configurationtasks:

• To perform a task for NAS clients (NFS, CIFS, FTP, HTTP), specify file serving nodes for the-h HOSTLIST argument.

• To perform a task for X9000 clients, specify individual clients for -h HOSTLIST or specifya hostgroup for -g GROUPLIST. Hostgroups are a convenient way to configure file allocationsettings for a set of X9000 clients. To configure file allocation settings for all X9000 clients,specify the clients hostgroup.

Setting file and directory allocation policiesYou can set a nondefault file or directory allocation policy for file serving nodes and X9000 clients.You can also specify the first segment where the policy should be applied, but in practice this isuseful only for the ROUNDROBIN policy.

IMPORTANT: Certain allocation policies are deprecated. See “File allocation policies” (page 195)for a list of standard allocation policies.

On the GUI, open the Modify Filesystem Properties dialog box and select the Host Allocation tab.

Setting file and directory allocation policies 197

Setting file and directory allocation policies from the CLIAllocation policy names are case sensitive and must be entered as uppercase letters (for example,RANDOM).Set a file allocation policy:ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} –s LVNAMELIST –p POLICY [-S STARTSEGNUM]

The following example sets the ROUNDROBIN policy for files only on file system ifs1 on fileserving node s1.hp.com, starting at segment ilv1:ibrix_fs_tune -f ifs1 -h s1.hp.com -p ROUNDROBIN -s ilv1

Set a directory allocation policy:Include the -R option to specify that the command is for a directory.ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} -p POLICY [-S STARTSEGNUM] [-R]

The following example sets the ROUNDROBIN directory allocation policy on file system ifs1 forfile serving node s1.hp.com, starting at segment ilv1:ibrix_fs_tune -f ifs1 -h s1.hp.com -p ROUNDROBIN -R

Setting segment preferencesThere are two ways to prefer segments for file serving nodes, X9000 clients, or hostgroups:

• Prefer a pool of segments for the hosts to use.

• Prefer a single segment for files created by a specific user or group on the clients.Both methods can be in effect at the same time. For example, you can prefer a segment for a userand then prefer a pool of segments for the clients on which the user will be working.On the GUI, open the Modify Filesystem Properties dialog box and select the Segment Preferencestab.


Creating a pool of preferred segments from the CLIA segment pool can consist of individually selected segments, all segments local to a file servingnode, or all segments. Clients will apply the allocation policy that is in effect for them to choose asegment from the segment pool.

NOTE: Segments are always created in the preferred condition. If you want to have some segmentspreferred and others unpreferred, first select a single segment and prefer it. This action unprefersall other segments. You can then work with the segments one at a time, preferring and unpreferringas required. By design, the system cannot have zero preferred segments. If only one segment ispreferred and you unprefer it, all segments become preferred.

When preferring multiple pools of segments (for example, one for X9000 clients and one for fileserving nodes, make sure that no segment appears in both pools.Use the following command to specify the pool by logical volume name (LVNAMELIST):ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} -s LVNAMELIST

Use the following command and the LOCAL keyword to create a pool of all segments on file servingnodes. Use the ALL keyword to restore the default segment preferences.ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} -S {SEGNUMLIST|ALL|LOCAL}

Restoring the default segment preferenceThe default is for all file system segments to be preferred. Use the following command to restorethe default value:ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} -S ALL

Setting segment preferences 199

Tuning allocation policy settingsTo optimize system performance, you can globally change the following allocation policy settingsfor a file system:

• File allocation policy.

IMPORTANT: Certain allocation policies are deprecated. See “File allocation policies”(page 195) for a list of standard allocation policies.

• Starting segment number for applying changes.

• Preallocation: number of KB to preallocate for files.

• Readahead: number of KB in a file to pre-fetch.

• NFS readahead: number of KB in a file to pre-fetch on NFS systems.

NOTE: Preallocation, Readahead, and NFS readahead are set to the recommended valuesduring the installation process. Contact HP Support for guidance if you want to change thesevalues.

On the GUI, open the Modify Filesystem Properties dialog box and select the Allocation tab.

Restore the default file allocation policy:ibrix_fs_tune -f FSNAME {-h HOSTLIST|-g GROUPLIST} -p -U

Listing allocation policiesUse the following command to list the preferred segments (the -S option) or the allocation policy(the -P option) for the specified hosts, hostgroups, or file system.ibrix_fs_tune -l [-S] [-P] [-h HOSTLIST | —g GROUPLIST] [-f FSNAME]


HOSTNAME FSNAME POLICY STARTSEG DIRPOLICY DIRSEG SEGBITS READAHEAD PREALLOC HWM SWMmak01.hp.com ifs1 RANDOM 0 NONE 0 DEFAULT DEFAULT DEFAULT DEFAULT DEFAULT

Listing allocation policies 201

18 Support and other resourcesContacting HP

For worldwide technical support information, see the HP support website:http://www.hp.com/support

Before contacting HP, collect the following information:

• Product model names and numbers

• Technical support registration number (if applicable)

• Product serial numbers

• Error messages

• Operating system type and revision level

• Detailed questions

Related informationThe following documents provide related information:

• HP IBRIX X9000 Network Storage System Release Notes

• HP IBRIX X9000 Network Storage System CLI Reference Guide

• HP IBRIX X9300/X9320 Network Storage System Administrator Guide

• HP IBRIX X9720/X9730 Network Storage System Administrator Guide

• HP IBRIX X9000 Network Storage System Installation Guide

• HP IBRIX X9000 Network Storage System Network Best Practices GuideRelated documents are available on the Manuals page at http://www.hp.com/support/manuals.On the Manuals page, select storage > NAS Systems > Ibrix Storage Systems > HP X9000 NetworkStorage Systems.

HP websitesFor additional information, see the following HP websites:

• http://www.hp.com

• www.hp.com/go/x9000

• http://www.hp.com/go/storage

• http://www.hp.com/support/manuals

Subscription serviceHP recommends that you register your product at the Subscriber's Choice for Business website:

http://www.hp.com/go/e-updates

After registering, you will receive e-mail notification of product enhancements, new driver versions,firmware updates, and other product resources.

202 Support and other resources

http://www.hp.com/support


http://www.hp.com

www.hp.com/go/x9000

http://www.hp.com/go/storage


http://www.hp.com/go/e-updates

19 Documentation feedbackHP is committed to providing documentation that meets your needs. To help us improve thedocumentation, send any errors, suggestions, or comments to Documentation Feedback([email protected]). Include the document title and part number, version number, or the URLwhen submitting your feedback.

203

mailto:[email protected]

GlossaryACE Access control entry.ACL Access control list.ADS Active Directory Service.ALB Advanced load balancing.BMC Baseboard Management Configuration.CIFS Common Internet File System. The protocol used in Windows environments for shared folders.CLI Command-line interface. An interface comprised of various commands which are used to control

operating system responses.CSR Customer self repair.DAS Direct attach storage. A dedicated storage device that connects directly to one or more servers.

DNS Domain name system.FTP File Transfer Protocol.GSI Global service indicator.HA High availability.HBA Host bus adapter.HCA Host channel adapter.HDD Hard disk drive.IAD HP X9000 Software Administrative Daemon.iLO Integrated Lights-Out.IML Initial microcode load.IOPS I/Os per second.IPMI Intelligent Platform Management Interface.JBOD Just a bunch of disks.KVM Keyboard, video, and mouse.LUN Logical unit number. A LUN results from mapping a logical unit number, port ID, and LDEV ID to

a RAID group. The size of the LUN is determined by the emulation mode of the LDEV and thenumber of LDEVs associated with the LUN.

MTU Maximum Transmission Unit.NAS Network attached storage.NFS Network file system. The protocol used in most UNIX environments to share folders or mounts.NIC Network interface card. A device that handles communication between a device and other devices

on a network.NTP Network Time Protocol. A protocol that enables the storage system’s time and date to be obtained

from a network-attached server, keeping multiple hosts and storage devices synchronized.OA Onboard Administrator.OFED OpenFabrics Enterprise Distribution.OSD On-screen display.OU Active Directory Organizational Units.RO Read-only access.RPC Remote Procedure Call.RW Read-write access.SAN Storage area network. A network of storage devices available to one or more servers.SAS Serial Attached SCSI.

204 Glossary

SELinux Security-Enhanced Linux.SFU Microsoft Services for UNIX.SID Secondary controller identifier number.SNMP Simple Network Management Protocol.TCP/IP Transmission Control Protocol/Internet Protocol.UDP User Datagram Protocol.UID Unit identification.VACM SNMP View Access Control Model.VC HP Virtual Connect.VIF Virtual interface.WINS Windows Internet Naming Service.WWN World Wide Name. A unique identifier assigned to a Fibre Channel device.WWNN World wide node name. A globally unique 64-bit identifier assigned to each Fibre Channel node

process.WWPN World wide port name. A unique 64-bit address used in a FC storage network to identify each

device in a FC network.

205

Index

Symbols/etc/likewise/vhostmap file, 8732-bit mode, disable, 4132-bit mode, enable, 12

AActive Directory

configure, 57configure from CLI, 65Linux static user mapping, 83use with LDAP ID mapping, 54

Antivirusconfigure, 152enable or disable, 153file exclusions, 155protocol scan settings, 155statistics, 157unavailable policy, 154virus definitions, 154virus scan engine, 152

add, 153remove, 153

authenticationActive Directory, 54configure from CLI, 65configure from GUI, 56Local Users, 54

Authentication Wizard, 56automated block snapshots

create from CLI, 174create on GUI, 171delete snapshot scheme, 176modify snapshot scheme, 175snapshot scheme, 170view snapshot scheme from CLI, 175

Bbackups

snapshots, software, 168

Ccase-insensitive filenames, 51CIFS

Active Directory domain, configure, 83activity statistics per node, 69authentication, 54configure nodes, 69Linux static user mapping, 83locking behavior, 88monitor CIFS services, 70permissions management, 90RFC2037 support, 83shadow copy, 88share administrators, 64SMB server consolidation, 86

SMB signing, 76start or stop CIFS service, 69troubleshooting, 92

CIFS sharesadd with MMC, 81configure with GUI, 71delete with MMC, 83manage with CLI, 77manage with MMC, 78quotas information, 87SMB signing, 75view share information, 76

contacting HP, 202

Ddata retention

autocommit period, 135backup support, 151data validation scans, 135delete files, 144enable on file system, 136file administration, 141

change retention period, 143delete files, 144remove retention period, 144set or remove legal hold, 143

file states, 134hard links, 150legal holds, 143on-demand data validation scans, 145remote replication, use with, 150rentention profile

modify, 140view, 139

reports, 147retained file, 134

create, 140view retention information, 141

retention periodchange, 143remove, 144

retention profile, 134schedule data validation scans, 144troubleshooting, 151validation scan errors, 147validation scan results, 146view retention information, 141WORM file, 134

data tieringassign segments, 181configure, 181manage from CLI, 187migration task, 185primary tier, 183tiering policy, 183tiering rules, 191

206 Index

data validationcompare hash sums, 146on-demand scans, 145resolve scan errors, 147schedule scans, 144stop or pause, 146view scan results, 146

data validation scans, 135directory tree quotas

create, 27delete, 31

disk space information, 37document

related documentation, 202documentation

providing feedback on, 203

EExport Control, enable, 16, 22

Ffile allocation

allocation policies, 195evaluation of allocation settings, 196list policies, 200segment preferences, 195set file and directory policies, 197set segment preferences, 198tune policy settings, 200

file serving nodesdelete, 42segment management, 9unmount a file system, 21view CIFS shares, 76

file systems32 or 64-bit mode, 1232-bit mode, disable, 41allocation policy, 9case-insensitive filenames, 51check and repair, 42components of, 10create

from CLI, 17New Filesystem Wizard, 12options for, 12

data retention and validation, 134delete, 41disk space information, 37Export Control, enable, 16, 22extend, 37file limit, 18lost+found directory, 37mount, 18, 20mountpoints, , 18operating principles, 8performance, 33quotas, 24remote replication, 121segments

defined, 8rebalance, 38

snapshots, block, 169snapshots, software, 160troubleshooting, 44unmount, 21view summary information, 35

filenames, case-insensitive, 51FTP, 94

authentication , 54configuration best practices, 94configuration profile, 99FTP share

access, 101add, 94

start or stop, 100vsftpd service, 100

Hhelp

obtaining, 202HP

technical support, 202HP websites, 202HTTP

Apache tunables, 110authentication , 54configuration, 103configuration best practices, 103configure from the CLI, 111configure on the GUI, 104shares, access, 113start or stop, 112troubleshooting, 115WebDAV shares, 114

LLDAP authentication

configuration template, 55configure, 59configure from CLI, 65remote LDAP server, configure, 55requirements, 55

LDAP ID mappingconfigure, 58configure from CLI, 66use with Active Directory, 54

Linux static user mapping, 83Linux X9000 clients

disk space information, 37Local Groups authentication, 61

configure from CLI, 67Local Users authentication, 62

configure from CLI, 67logical volumes

view information, 35lost+found directory, 37

207

MMicrosoft Management Console

manage CIFS shares, 78migration, files, 185mounting, file system, 18, 20mountpoints

create from CLI, 20delete, 19, 20view, 18, 20

NNew Filesystem Wizard, 12NFS

case-insensitive filenames, 51configure NFS server threads, 48export file systems, 48unexport file systems, 51

Pphysical volumes

delete, 42view information, 34

Qquotas

CIFS shares, 87configure email notifications, 31delete, 31directory tree, 27enable, 24export to file, 29import from file, 29online quota check, 30operation of, 24quotas file format, 29troubleshoot, 32user and group, 25

Rrebalancing segments, 38

stop tasks, 41track progress, 40view task status, 41

related documentation, 202remote replication

configure target export, 123continuous, 121defined, 121failover/failback, 132identify host and NIC designations, 123intercluster, 122intracluster, 123pause or resume task, 130, 131register clusters, 123remote cluster, 123replicate a snapshot, 128run-once, 121start intracluster replication, 131start replication task, 127, 130

start run-once task, 131stop task, 130, 131troubleshooting, 133view tasks, 126, 132WORM/retained files, 132

retention, dataautocommit period, 135backup support, 151data validation scans, 135enable on file system, 136file administration, 141

change retention period, 143delete files, 144remove retention period, 144set or remove legal hold, 143

file states, 134hard links, 150legal holds, 143on-demand data validation scans, 145remote replication, use with, 150rentention profile

modify, 140view, 139

reports, 147retained file, 134

create, 140view retention information, 141

retention periodchange, 143remove, 144

retention profile, 134schedule data validation scans, 144troubleshooting, 151validation scan errors, 147validation scan results, 146view retention information, 141WORM file, 134

SSegmentNotAvailable alert, 45SegmentRejected alert, 45segments

defined, 8delete, 42rebalance, 38

stop tasks, 41track progress, 40view task status, 41

SMB server consolidation, 86SMB signing, 76snapshots, block

access snapshot file systems, 178automated, 170

create from CLI, 174create on GUI, 171delete snapshot scheme, 176modify snapshot scheme, 175view snapshot scheme from CLI, 175

clear invalid snapshot, 176

208 Index

create, 176defined, 169delete, 176discover LUNs, 170list storage allocation, 170mount, 176register the snapshot partition, 170set up the snapshot partition, 169troubleshooting, 180view information about, 177

snapshots, softwareaccess, 163backup, 168defined, 160delete, 165on-demand snapshots, 162reclaim file system space, 165replicate, 128restore files, 164schedule, 161snap trees

configure, 160move files, 168remove snapshot authorization, 167schedule snapshots, 161

space usage, 163view on GUI, 162

SSL certificatesadd to cluster, 119create, 117delete, 120export, 120

Subscriber's Choice, HP, 202

Ttechnical support

HP, 202service locator website, 202

tiering, dataassign segments, 181configure, 181migration task, 185, 187primary tier, 183tiering policy, 183tiering rules, 191

Uunmounting, file systems, 21

Vvalidation scans, 135validation, data

compare hash sums, 146on-demand scans, 145resolve scan errors, 147schedule scans, 144stop or pause, 146view scan results, 146

volume groups

delete, 42view information, 34

Wwebsites

HP Subscriber's Choice for Business, 202

XX9000 clients

delete, 42limit file access, 22locally mount a file system, 21locally unmount file system, 21

209

HP IBRIX X9000 Network Storage System File System …h20628. · ibrix_mountpoint -c [-h HOSTLIST]...

Documents

Transcript of HP IBRIX X9000 Network Storage System File System …h20628. · ibrix_mountpoint -c [-h HOSTLIST]...