Clustered Data ONTAP 8.3: System Administration Guide For SVM Administrators
Contents
Understanding SVM administration
What SVMs are
Why you use SVMs
Differences between cluster and SVM administrators
Data ONTAP management interface basics
Using the Data ONTAP command-line interface
Methods of navigating CLI command directories
Rules for specifying values in the CLI
Methods of viewing command history and reissuing commands
Keyboard shortcuts for editing CLI commands
Use of administrative privilege levels
Setting the privilege level in the CLI
Setting display preferences in the CLI
Methods of using query operators
Methods of using extended queries
Methods of customizing show command output by using fields
Methods of accessing Data ONTAP man pages
Accessing SVMs
Access methods for user accounts
Authentication methods for user accounts
Logging in to an SVM
Managing SVM authentication
Changing the login password
Managing SSH security configurations
Commands for managing SSH security configurations
Managing public keys
Commands for managing public keys
Managing digital certificates for server or client authentication
Installing a server certificate to authenticate the SVM as an SSL server
Installing a client CA or root CA certificate to authenticate an SSL client of the SVM
[Illustration: an SVM with multiple FlexVol volumes. The SVM administrator connects through the management LIF; clients access data through the data LIFs over NFS, CIFS, iSCSI, and FC.]
Each SVM with FlexVol volumes in a NAS environment presents a single directory hierarchical
view and has a unique namespace. The namespace enables NAS clients to access data without
specifying the physical location of the data. The namespace also enables the cluster and SVM
administrators to manage distributed data storage as a single directory with multiple levels of
hierarchy.
The volumes within each NAS SVM are related to each other through junctions and are mounted on
junction paths. These junctions present the file system in each volume. The root volume of the SVM
is a FlexVol volume that resides at the top level of the namespace hierarchy; additional volumes are
mounted to the SVM root volume to extend the namespace. As volumes are created for the SVM, the
root volume of the SVM contains junction paths.
SVMs with FlexVol volumes can contain files and LUNs. They provide file-level data access by
using NFS and CIFS protocols for the NAS clients, and block-level data access by using iSCSI and
Fibre Channel (FC) (FCoE included) for SAN hosts.
SVMs with Infinite Volume can contain only one Infinite Volume to serve data. Each SVM with
Infinite Volume includes only one junction path, which has a default value of /NS. The junction
provides a single mount point for the large namespace provided by the SVM with Infinite Volume.
You cannot add more junctions to an SVM with Infinite Volume. However, you can increase the size
of the Infinite Volume.
SVMs with Infinite Volume can contain only files. They provide file-level data access by using NFS
and CIFS protocols. SVMs with Infinite Volume cannot contain LUNs and do not provide
block-level data access.
Note: The Data ONTAP command-line interface (CLI) continues to use the term Vserver in the
output, and vserver as a command or parameter name has not changed.
• Multi-tenancy
SVM is the fundamental unit of secure multi-tenancy, which enables partitioning of the storage
infrastructure so that it appears as multiple independent storage systems. These partitions isolate
the data and management.
• Nondisruptive operations
SVMs can operate continuously and nondisruptively for as long as they are needed. SVMs help
clusters to operate continuously during software and hardware upgrades, addition and removal of
nodes, and all administrative operations.
• Scalability
SVMs meet on-demand data throughput and the other storage requirements.
• Security
Each SVM appears as a single independent server, which enables multiple SVMs to coexist in a
cluster while ensuring no data flows among them.
• Unified storage
SVMs can serve data concurrently through multiple data access protocols. SVMs provide
file-level data access through NAS protocols, such as CIFS and NFS, and block-level data access
through SAN protocols, such as iSCSI and FC (FCoE included). SVMs can serve data to SAN
and NAS clients independently at the same time.
Note: SVMs with Infinite Volume can serve data only through NFS and CIFS protocols.
vs1::> volume
vs1::volume> show
You can abbreviate commands by entering only the minimum number of letters in a command that
makes the command unique to the current directory. For example, to abbreviate the command in the
previous example, you can enter vol show. You can also use the Tab key to expand abbreviated
commands and to display a command's parameters, including default parameter values.
You can use the top command to go to the top level of the command hierarchy, and the up command
or .. command to go up one level in the command hierarchy.
Note: Commands and command options preceded by an asterisk (*) in the CLI can be executed
only at the advanced privilege level or higher.
• A value can be a number, a Boolean specifier, a selection from an enumerated list of predefined
values, or a text string.
Some parameters can accept a comma-separated list of two or more values. Comma-separated
lists of values do not need to be in quotation marks (" "). Whenever you specify text, a space, or a
query character (when not meant as a query or text starting with a less-than or greater-than
symbol), you must enclose the entity in quotation marks.
• The CLI interprets a question mark (“?”) as the command to display help information for a
particular command.
• Some text that you enter in the CLI, such as command names, parameters, and certain values, is
not case-sensitive.
For example, when you enter parameter values for the vserver cifs commands, capitalization
is ignored. However, most parameter values, such as the names of Storage Virtual Machines
(SVMs), aggregates, volumes, and logical interfaces, are case-sensitive.
• If you want to clear the value of a parameter that takes a string or a list, you specify an empty set
of quotation marks ("") or a dash ("-").
• The hash sign (“#”), also known as the pound sign, indicates a comment for a command-line
input; if used, it should appear after the last parameter in a command line.
The CLI ignores the text between “#” and the end of the line.
For example, you can use the redo -2 command to reissue the command that you ran two
commands ago.
For example, to redo the command that is third from the end of the command history, you would
enter the following command:
vs1::> redo -3
• Replace the current content of the command line with the next entry on the history list: Ctrl-N, Esc-N, Down arrow
With each repetition of the keyboard shortcut, the history cursor moves to the next entry.
• Expand a partially entered command or list valid input from the current editing position: Tab, Ctrl-I
• Display context-sensitive help: ?
• Escape the special mapping for the question mark (“?”) character: Esc-?
For instance, to enter a question mark into a command's argument, press Esc and then the “?” character.
• Start TTY output: Ctrl-Q
• Stop TTY output: Ctrl-S
Commands and parameters at this level are used infrequently, require advanced
knowledge, and can cause problems if used inappropriately.
You use advanced commands or parameters only with the advice of support personnel.
diagnostic
Diagnostic commands and parameters are potentially disruptive. They are used only by
support personnel to diagnose and fix problems.
Step
1. To set the privilege level in the CLI, use the set command with the -privilege parameter.
• The number of rows the screen displays in the current CLI session before the interface pauses
output
If the preferred number of rows is not specified, it is automatically adjusted based on the actual
height of the terminal. If the actual height is undefined, the default number of rows is 24.
Step
For more information, see the man pages for the set command and rows command.
Operator Description
* Wildcard that matches all entries.
For example, the command volume show -volume *tmp* displays a list
of all volumes whose names include the string tmp.
! NOT operator.
Indicates a value that is not to be matched; for example, !vs0 indicates not
to match the value vs0.
| OR operator.
Separates two values that are to be compared; for example, vs0 | vs2
matches either vs0 or vs2. You can specify multiple OR statements; for
example, a | b* | *c* matches the entry a, any entry that starts with b,
and any entry that includes c.
.. Range operator.
For example, 5..10 matches any value from 5 to 10, inclusive.
< Less-than operator.
For example, <20 matches any value that is less than 20.
> Greater-than operator.
For example, >5 matches any value that is greater than 5.
<= Less-than-or-equal-to operator.
For example, <=5 matches any value that is less than or equal to 5.
>= Greater-than-or-equal-to operator.
For example, >=5 matches any value that is greater than or equal to 5.
{query} Extended query.
An extended query must be specified as the first argument after the
command name, before any other parameters.
For example, the command volume modify {-volume *tmp*} -state
offline sets offline all volumes whose names include the string tmp.
If you want to parse query characters as literals, you must enclose the characters in double quotes
(for example, “^”, “.”, “*”, or “$”) for the correct results to be returned.
You can use multiple query operators in one command line. For example, the command volume
show -size >1GB -percent-used <50 displays all volumes that are greater than 1 GB in size
and less than 50% utilized.
Extended queries are generally useful only with modify and delete commands. They have no
meaning in create or show commands.
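Because an extended query on a modify or delete command acts on every object it matches, it helps to know exactly which names a pattern selects before running it. The following Python sketch is an added example, not NetApp code or Data ONTAP's own parser: it models the operators in the table above as the table describes them. The names match, select, and VOLUMES are hypothetical, the volume rows are constructed sample data, and two points are assumptions: size suffixes are treated as binary multiples, and a leading “!” negates a single alternative.

```python
import re

# Assumption: size suffixes are binary multiples (1GB = 1024**3 bytes).
_UNITS = {"": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}
_NUM = r"-?\d+(?:\.\d+)?(?:[KMGT]B)?"
_NUM_PARTS = re.compile(r"(-?\d+(?:\.\d+)?)([KMGT]B)?")
_RANGE = re.compile(rf"^({_NUM})\.\.({_NUM})$")
# Two-character operators first, so "<=5" is not read as "<" then "=5".
_COMPARISONS = (
    ("<=", lambda v, n: v <= n),
    (">=", lambda v, n: v >= n),
    ("<", lambda v, n: v < n),
    (">", lambda v, n: v > n),
)


def _as_number(text):
    """Return a float for values such as 5, '10' or '1GB', else None."""
    m = _NUM_PARTS.fullmatch(str(text).strip().upper())
    if not m:
        return None
    return float(m.group(1)) * _UNITS[m.group(2) or ""]


def _match_one(term, value):
    """Match one alternative (no '|' outside quotes) against a value."""
    term = term.strip()
    if term.startswith("!"):                        # NOT operator
        return not _match_one(term[1:], value)
    if len(term) >= 2 and term[0] == term[-1] == '"':
        return str(value) == term[1:-1]             # quoted text is literal
    number = _as_number(value)
    m = _RANGE.match(term)
    if m:                                           # range, inclusive
        low, high = _as_number(m.group(1)), _as_number(m.group(2))
        return number is not None and low <= number <= high
    for symbol, compare in _COMPARISONS:
        if term.startswith(symbol):
            bound = _as_number(term[len(symbol):])
            return None not in (number, bound) and compare(number, bound)
    # Wildcard: "*" matches any run of characters, everything else is
    # literal and case-sensitive, as for SVM and volume names.
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    return re.fullmatch(pattern, str(value)) is not None


def match(query, value):
    """True if value satisfies query; '|' separates OR alternatives."""
    alternatives = re.findall(r'(?:"[^"]*"|[^|])+', query)
    return any(_match_one(term, value) for term in alternatives)


def select(rows, **queries):
    """Rows for which every field query matches (parameters are ANDed)."""
    return [r for r in rows
            if all(match(q, r[field]) for field, q in queries.items())]


# Constructed sample data, not output from a real SVM.
VOLUMES = [
    {"volume": "vs1_root", "size": "1GB", "percent_used": 5},
    {"volume": "build_tmp", "size": "20GB", "percent_used": 71},
    {"volume": "tmp_scratch", "size": "512MB", "percent_used": 12},
    {"volume": "home", "size": "200GB", "percent_used": 43},
]

if __name__ == "__main__":
    # What {-volume *tmp*} would act on in a modify or delete command.
    print([r["volume"] for r in select(VOLUMES, volume="*tmp*")])
    # The page's example: -size >1GB -percent-used <50
    print([r["volume"] for r in select(VOLUMES, size=">1GB", percent_used="<50")])
```

On the SVM itself, running the show command with the same query first gives the authoritative list of objects that the modify or delete command would touch.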
Press <space> to page down, <return> for next line, or 'q' to quit...
...
vs1::>
vs1::>
Related information
NetApp Support Site: mysupport.netapp.com
Accessing SVMs
As an SVM administrator, you can access SVMs by using different access methods. Your user
account can be authenticated by using several authentication methods, as specified by the cluster
administrator.
• SSH
• SNMP
• Network Information Service (NIS) and Lightweight Directory Access Protocol (LDAP)
nsswitch
Note: Clustered Data ONTAP supports only the RFC 2307 schema for LDAP authentication of
SVM accounts. It does not support any other schemas, such as Active Directory Identity
Management for UNIX (AD-IDMU) and Active Directory Services for UNIX (AD-SFU).
Logging in to an SVM
To manage the SVM resources, an SVM administrator logs in to an SVM by using the user name and
password provided by the cluster administrator. The SVM administrator can use an appropriate
Secure Shell client application, such as PuTTY on Windows or OpenSSH on UNIX.
• Data access protocols, such as NFS, CIFS, iSCSI, and FC (FCoE included)
You can also monitor the network connection, network interface, LDAP client configuration, and
SVM health.
Note: Clustered Data ONTAP supports only the AES and 3DES encryption algorithms (also
known as ciphers) for SSH.
Step
1. To log in to an SVM by using an SSH application, perform the appropriate action depending on the
operating system:
Note: If you or the cluster administrator has created a public key for your user account, you do
not require a password to log in to the SVM.
Related tasks
Identifying the commands that you can execute on page 41
• Managing SSL
Steps
1. Change the login password by using the security login password command.
Result
Your user account is updated with the new password. You must enter the new password on the
subsequent login.
• The following SSH key exchange algorithms are supported and enabled by default:
SHA-2 algorithms are more secure than SHA-1 algorithms. Data ONTAP, which serves as an
SSH server, automatically selects the most secure SSH key exchange algorithm that matches the
client. To further enhance SSH security, you can manually disable the SHA-1 algorithms and
leave only the SHA-2 algorithm enabled.
• For ciphers, the following counter (CTR) mode and cipher block chaining (CBC) mode of the
AES and 3DES symmetric encryptions are supported and enabled by default:
◦ aes256-ctr
◦ aes192-ctr
◦ aes128-ctr
◦ aes256-cbc
◦ aes192-cbc
◦ aes128-cbc
◦ 3des-cbc
The CTR mode ciphers are more secure than the CBC mode ciphers. Among ciphers of the same
mode, the higher the key size, the more secure the cipher. Of the ciphers supported by Data
ONTAP, aes256-ctr is the most secure, and 3des-cbc is the least secure.
You can manage the SSH key exchange algorithms and ciphers for SVMs in the following ways:
• Display the current configurations of SSH key exchange algorithms and ciphers (security ssh
show)
The enabled SSH key exchange algorithms are displayed in the order of decreasing security
strengths.
The enabled CTR mode ciphers (more secure) are displayed before the CBC mode ciphers (less
secure). Within each mode type, the ciphers are displayed in decreasing key size.
• Replace the current configurations of the SSH key exchange algorithms or ciphers with the
configuration settings you specify (security ssh modify)
• Add SSH key exchange algorithms or ciphers to the current configurations (security ssh
add)
The added SSH key exchange algorithms or ciphers are enabled.
• Remove the specified SSH key exchange algorithms or ciphers from the current configurations
(security ssh remove)
The removed SSH key exchange algorithms or ciphers are disabled.
Data ONTAP prevents you from removing all SSH key exchange algorithms or all ciphers from
the SVM.
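The cipher ordering described above (CTR before CBC, larger keys first, 3des-cbc last) can be turned into a small planning check before you run security ssh remove. The following Python sketch is an added example, not NetApp code. The function names, the SVM name vs1 in the usage, and the client offers are constructed for illustration, and the -vserver and -ciphers parameter names are assumed from the security ssh man pages rather than taken from this page, so confirm them for your release.

```python
import re

# The seven ciphers this page lists as supported and enabled by default.
PAGE_CIPHERS = [
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
    "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc",
]
_AES = re.compile(r"^aes(128|192|256)-(ctr|cbc)$")
_MODE_RANK = {"ctr": 0, "cbc": 1}          # CTR ranks above CBC
_SVM_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def strength_key(cipher):
    """Sort key under the page's rules; a lower key means a stronger cipher."""
    if cipher == "3des-cbc":               # least secure of the listed ciphers
        return (_MODE_RANK["cbc"], 1, 0)
    m = _AES.match(cipher)
    if not m:
        raise ValueError(f"not a cipher named on this page: {cipher!r}")
    return (_MODE_RANK[m.group(2)], 0, -int(m.group(1)))


def rank(ciphers):
    """Order ciphers the way the page says security ssh show displays them."""
    return sorted(set(ciphers), key=strength_key)


def plan_ctr_only(enabled):
    """Split the enabled ciphers into (keep, remove) for a CTR-only policy.

    Refuses a plan that would leave no cipher, mirroring the page's statement
    that Data ONTAP prevents removing all ciphers from the SVM.
    """
    ranked = rank(enabled)
    keep = [c for c in ranked if c.endswith("-ctr")]
    remove = [c for c in ranked if not c.endswith("-ctr")]
    if not keep:
        raise ValueError("no CTR cipher is enabled; removal would leave none")
    return keep, remove


def removal_command(vserver, remove):
    """Build the CLI line for review (parameter names are an assumption)."""
    if not _SVM_NAME.match(vserver):
        raise ValueError(f"unexpected SVM name: {vserver!r}")
    if not remove:
        return None
    return f"security ssh remove -vserver {vserver} -ciphers {','.join(remove)}"


def locked_out(keep, client_offers):
    """Clients whose offered ciphers share nothing with the ciphers kept."""
    kept = set(keep)
    return sorted(name for name, offer in client_offers.items()
                  if kept.isdisjoint(offer))


# Constructed sample data: ciphers two hypothetical SSH clients offer.
CLIENT_OFFERS = {
    "admin-laptop": ["aes256-ctr", "aes128-ctr"],
    "legacy-backup-host": ["aes128-cbc", "3des-cbc"],
}

if __name__ == "__main__":
    keep, remove = plan_ctr_only(PAGE_CIPHERS)
    print("keep:   ", keep)
    print("command:", removal_command("vs1", remove))
    print("would lose SSH access:", locked_out(keep, CLIENT_OFFERS))
```

Clients reported by locked_out need a CTR cipher enabled on their side before the CBC ciphers are removed from the SVM.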
Related information
Clustered Data ONTAP 8.3 Commands: Manual Page Reference
• Adding a public key by associating an existing public key in a valid OpenSSH format with a user
account
Multiple public keys are allowed for a user account.
• Loading a public key from a universal resource identifier (URI), such as FTP or HTTP, and
associating it with a user account
You can also overwrite an existing public key with the one you are loading.
To create or modify a public key or load a public key from a URI, your user account must be
configured with the publickey login method.
You use the security login publickey commands to manage public keys. For information
about these commands, see the appropriate man pages.
Modify a public key for a specific user security login publickey modify
Delete a public key for a specific user security login publickey delete
Related information
Clustered Data ONTAP 8.3 Commands: Manual Page Reference
• You can generate a digital certificate signing request (CSR) that will be sent to a CA for signing.
• You can install a CA-signed digital certificate and the public key certificate of the root CA.
• You can display digital certificates that are signed by the SVM as the CA.
• You can revoke a digital certificate signed by the SVM as the CA, if the certificate becomes
compromised.
• When the SVM is created, Data ONTAP automatically creates a self-signed digital certificate for
authenticating the SVM as a server.
• By default, Data ONTAP uses the SHA256 cryptographic hashing function for signing a CSR or
digital certificate.
• By default, digital certificates created by Data ONTAP are set to expire in 365 days, but you can
specify the expiration setting when you create a digital certificate.
• By default, SSL server authentication is enabled, but SSL client authentication is disabled.
The security ssl modify command enables or disables SSL authentication of the SVM as an
SSL server and that of its client. The -server-enabled parameter defaults to true, and the
-client-enabled parameter defaults to false. Setting the -client-enabled parameter to
true enables mutual authentication of the server (the SVM) and its client.
When you manage digital certificates, you specify one of the following certificate types (the -type
parameter of the security certificate command family) for server or client authentication:
• root-ca is a self-signed root CA certificate that enables the SVM to act as a CA.
When you create a root-ca certificate, a client-ca certificate and a server-ca certificate are
also created automatically. When you delete the root-ca certificate, the corresponding
client-ca and server-ca certificates are also deleted automatically.
Steps
1. To create a self-signed digital certificate for server authentication, use the security
certificate create command with the -type server parameter.
2. To use a third-party CA-signed digital certificate for server authentication, complete the
following steps:
a. Generate a digital certificate signing request (CSR) by using the security certificate
generate-csr command.
The system displays the CSR output. The output includes a certificate request and a private
key. You should keep a copy of the private key.
b. Copy the certificate request from the CSR output and send it in an electronic form (such as
email) to a trusted third-party CA for signing.
After processing your request, the CA sends you the signed digital certificate. You should
keep a copy of the private key and the CA-signed digital certificate.
c. Install the third-party CA-signed digital certificate by using the security certificate
install command with the -type server parameter.
d. Enter the certificate and the private key when you are prompted, and then press Enter.
e. When Data ONTAP asks you whether you want to install the CA root and intermediate
certificates that form the certificate chain of the server certificate, enter Y.
f. Enter any additional root or intermediate certificates when you are prompted, and then press
Enter.
You install the certificates of the CA to form a certificate chain of the server certificate. The
chain starts with the certificate of the CA that issued the server certificate, and it can range up
to the root certificate of the CA. Any missing intermediate certificates will result in the failure
of server certificate installation.
After the CA certificates are entered, the certificate chain is installed as server-chain
along with the server certificate type.
3. To use a self CA-signed digital certificate for server authentication (with the SVM being the
signing CA), complete the following steps:
b. Create a self-signed root CA certificate for the SVM by using the security certificate
create command with the -type root-ca parameter.
c. Display the root CA certificate by using the security certificate show command with
the -instance and -type root-ca parameters.
You will need the following information from the command output for signing the CSR:
e. When you are prompted, enter the CSR and then press ENTER.
f. Install the self CA-signed digital certificate by using the security certificate install
command with the -type server parameter.
g. Enter the certificate and the private key when you are prompted, and then press Enter.
h. When Data ONTAP asks you whether you want to install the CA root and intermediate
certificates that form the certificate chain of the server certificate, enter N.
4. If you want to modify the SSL configuration to specify the certificate for server authentication,
use the security ssl modify command with the -ca and the -serial parameters.
The following command creates a CSR with a 2048-bit private key for use by the Software
group in the IT department of a company whose custom common name is
server1.companyname.com, located in Sunnyvale, California, USA. The email address of the
contact administrator who manages the SVM is [email protected]. The system
displays the CSR and the private key in the output:
Note: Please keep a copy of your private key and certificate request for
future reference.
The following command installs a CA-signed server certificate for the “vs1” SVM. The
certificate is for authenticating the “vs1” SVM as an SSL server:
Note: You should keep a copy of your certificate and private key for future
reference.
If you revert to an earlier release, the certificate and private key are
deleted.
that signed the client's certificate signing request (CSR). You can also create a root CA certificate
with the root-ca type on the SVM to self-sign the CSR for the client.
Steps
1. If the SVM will be the CA that signs the client certificate, and a self-signed root CA certificate
for the SVM does not yet exist, create one by using the security certificate create
command with the -type root-ca parameter.
Example
The following command creates a root CA certificate for the “vs1” SVM whose custom common
name is lab.companyname.com:
2. Enable SSL client authentication on the SVM by using the security ssl modify command
with the -client-enabled parameter set to true.
3. Generate a CSR for the client you want to authenticate by using the security certificate
generate-csr command.
Example
The following command generates a CSR for a client whose custom common name is vs1admin:
Note: Please keep a copy of your certificate request and private key
for future reference.
Data ONTAP displays the certificate request and private key and reminds you to copy them to a
file for future reference.
a. Display the root CA certificate you created in Step 1 by using the security certificate
show command with the -instance and -type root-ca parameters.
You will need the following information from the command output for signing the CSR:
Example
b. Sign the CSR with the root CA by using the security certificate sign command.
The default format (-format) for the signed certificate is PEM. If you specify the format to
be PKCS12, you can optionally specify the destination to upload the signed certificate by
using the -destination parameter.
c. When you are prompted, enter the CSR and then press ENTER.
Example
The signed certificate is displayed. You should keep a copy of the certificate.
5. If you have a third-party CA sign the CSR, complete the following steps:
a. Send the certificate request from the CSR output (Step 3) in an electronic form (such as email)
to a trusted CA for signing.
After processing your request, the CA sends you the signed digital certificate. You should
keep a copy of the private key and the CA-signed certificate for future reference.
b. On the SVM, install the root certificate and each intermediate certificate of the CA that signed
the certificate by using the security certificate install command with the -type
client-ca parameter.
Example
6. Provide the self-signed or CA-signed certificate for the user to install on the client.
8. If an SVM user is not set up to be authenticated by digital certificates, contact the cluster
administrator to have the user account set up for digital certificate authentication.
For SVM user accounts, digital certificate authentication is supported only with the ontapi
access method.
Steps
1. Install the root certificate provided by the SSL server by using the security certificate
install command with the -type server-ca parameter.
2. When you are prompted, enter the certificate, and then press Enter.
Data ONTAP reminds you to keep a copy of the certificate for future reference.
Steps
1. To use a self-signed digital certificate for client authentication, use the security certificate
create command with the -type client parameter.
2. To use a CA-signed digital certificate for client authentication, complete the following steps:
a. Generate a digital certificate signing request (CSR) by using the security certificate
generate-csr command.
Data ONTAP displays the CSR output, which includes a certificate request and private key,
and reminds you to copy the output to a file for future reference.
b. Send the certificate request from the CSR output in an electronic form (such as email) to a
trusted CA for signing.
After processing your request, the CA sends you the signed digital certificate. You should
keep a copy of the private key and the CA-signed certificate for future reference.
c. Install the CA-signed certificate by using the security certificate install command
with the -type client parameter.
d. Enter the certificate and the private key when you are prompted, and then press Enter.
e. Enter any additional root or intermediate certificates when you are prompted, and then press
Enter.
You install an intermediate certificate on the SVM if a certificate chain that begins at the
trusted root CA, and ends with the SSL certificate issued to you, is missing the intermediate
certificates. An intermediate certificate is a subordinate certificate issued by the trusted root
specifically to issue end-entity server certificates. The result is a certificate chain that begins
at the trusted root CA, goes through the intermediate, and ends with the SSL certificate issued
to you.
3. Provide the client-ca certificate of the SVM to the administrator of the SSL server for
installation on the server.
The security certificate show command with the -instance and -type client-ca
parameters displays the client-ca certificate information.
The following command creates a CSR with a 2048-bit private key for use by the Software
group in the IT department of a company whose custom common name is
lab.companyname.com, located in Sunnyvale, California, USA. The email address of the
contact administrator who manages the SVM is [email protected]. The system
displays the CSR and the private key on the console:
Note: Please keep a copy of your private key and certificate request for
future reference.
The following command installs a CA-signed client certificate for the “vs1” SVM. The
certificate is for authenticating the “vs1” SVM as an SSL client:
Note: You should keep a copy of your certificate and private key for future
reference.
If you revert to an earlier release, the certificate and private key are
deleted.
Steps
• Serial number
• Certificate type
3. Obtain a new certificate with the same common name to replace the certificate that has expired:
• server
• root-ca
• client
• server
• client-ca
• server-ca
• client
Related information
Clustered Data ONTAP 8.3 Commands: Manual Page Reference
Managing SSL
The SSL protocol improves the security of web access by using a digital certificate to establish an
encrypted connection between a web server and a browser.
You can manage SSL for a Storage Virtual Machine (SVM) in the following ways:
• Enabling SSL
• Generating and installing a digital certificate and associating it with the SVM
• Displaying the SSL configuration to see whether SSL has been enabled, and, if available, the SSL
certificate name
Related information
Clustered Data ONTAP 8.3 Commands: Manual Page Reference
Administering SVMs
Depending on the capabilities assigned by the cluster administrator, an SVM administrator can
perform various administration tasks on a Storage Virtual Machine (SVM, formerly known as
Vserver). After logging in to the SVM, an SVM administrator can identify the capabilities assigned
and the commands that are available for the administration.
The following illustration depicts the SVM administrative components:
[Illustration: SVM administrative components. SSH access; policies management; services configuration (NIS, LDAP, and DNS); data security management; management LIFs and data LIFs; storage management (volumes, quotas, qtrees, LUNs, and Snapshot copies); SVM attributes management; data protocols configuration (NFS, CIFS, iSCSI, and FC); backup management (SnapMirror and NDMP).]
• Policy management
You can create and manage policies to manage data access from the SVM.
• Services configuration
You can configure services, such as LDAP, NIS, and DNS.
• Storage management
You can manage volumes, quotas, qtrees, and files.
• LUN management
You can manage LUNs in a SAN environment.
• Backup management
You can back up and manage the SVM's data by using SnapMirror technology and NDMP.
• Monitoring SVM
You can monitor performance data, network connection, information, and SVM health.
Note: For troubleshooting or modifying SVM configurations, SVM administrators must contact
the cluster administrator.
Note: The Data ONTAP command-line interface (CLI) continues to use the term Vserver in the
output, and vserver as a command or parameter name has not changed.
Steps
2. To identify the available subcommands within a command, perform the following steps:
Example
The following example shows the commands and the volume subcommands that are available
for an SVM administrator in the Storage Virtual Machine (SVM, formerly known as Vserver)
vs1.example.com:
vs1.example.com::> ?
  up                Go up one directory
  dashboard>        Display dashboards
  exit              Quit the CLI session
  .
  .
  .
  volume>           Manage virtual storage, including volumes,
                    snapshots, and mirrors
  vserver>          Manage Vservers
vs1.example.com::>volume
vs1.example.com::volume> ?
  autosize          Set the autosize settings of the
                    flexible volume.
  clone>            Manage FlexClones
  .
  .
  .
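The listing above can be turned into a capability inventory and compared with an approved baseline when reviewing what a role actually exposes. The following is an added example, not code from the guide or from NetApp: the function names, the sample text, and the baseline set are assumptions, and the parser assumes continuation lines are indented to the description column.

```python
import re

# Constructed sample: "?" output at the top-level prompt, using entries shown
# in this guide. Assumption: wrapped description lines are indented to the
# description column, as in an aligned CLI listing.
SAMPLE_HELP = """\
vs1.example.com::> ?
  up                Go up one directory
  dashboard>        Display dashboards
  exit              Quit the CLI session
  .
  volume>           Manage virtual storage, including volumes,
                    snapshots, and mirrors
  vserver>          Manage Vservers
"""

# An entry starts within the first few columns; a trailing ">" marks a
# command directory rather than a command.
ENTRY = re.compile(r"^ {0,4}([a-z][a-z0-9-]*)(>?) {2,}(\S.*)$")


def parse_help(text):
    """Return {name: {"directory": bool, "description": str}} from "?" output."""
    entries, last = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        # Skip blank lines, "." elision rows, and prompt lines.
        if not stripped or set(stripped) == {"."} or "::" in stripped:
            continue
        match = ENTRY.match(line)
        if match:
            last = match.group(1)
            entries[last] = {
                "directory": match.group(2) == ">",
                "description": match.group(3),
            }
        elif last is not None:
            # Deeply indented line: continuation of the previous description.
            entries[last]["description"] += " " + stripped
    return entries


def audit(entries, baseline):
    """Compare the parsed names with an approved set of names."""
    seen = set(entries)
    return {
        "unexpected": sorted(seen - baseline),
        "missing": sorted(baseline - seen),
    }


if __name__ == "__main__":
    # Hypothetical approved set for this role; not taken from the guide.
    approved = {"up", "exit", "volume", "vserver", "lun"}
    parsed = parse_help(SAMPLE_HELP)
    for name, info in parsed.items():
        kind = "directory" if info["directory"] else "command"
        print(f"{name:12} {kind:10} {info['description']}")
    print(audit(parsed, approved))
```

An "unexpected" entry is a capability the role exposes beyond the approved set and is the item to raise with the cluster administrator.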
Step
1. Use the security login role show-ontapi to view the Data ONTAP APIs and their
corresponding CLI commands.
Example
The following example shows how to view the Data ONTAP APIs and their corresponding
CLI commands for the SVM vs1.example.com:
Related information
Clustered Data ONTAP 8.3 Commands: Manual Page Reference
Each object has zero or more instances. For example, the LUN object has an instance for each LUN
in your cluster.
A counter is a predefined performance metric that provides data about an object. Examples of data
that counters provide include the following:
The following illustration shows the relationship between an object and its instances and counters. In
this illustration, the volume object has two instances: vol0 and vol1. The object's counters provide
data about each of these instances. The illustration shows three of the object's counters: avg_latency,
read_ops, and total_ops.
[Illustration: the volume object with its instances vol0 and vol1; each instance reports the
counters avg_latency, read_ops, and total_ops.]
Decision: How do you want to retrieve and display the data?
Considerations: You have two choices:
• You can collect and view a set of data for a specific time period.
  If you choose this option, you can view data for several objects and instances at a time.
Decision: For which objects do you want to view data?
Considerations: You need to specify at least one object for which you want to view data.
Decision: Do you want data from all counters or from specific counters?
Considerations: The default setting shows data for all counters in an object; however, you can
specify specific counters to get the exact data that you need.
Decision: Do you want data for all instances of an object or for specific instances?
Considerations:
• If you collect data for a time period, the default setting shows data for all instances;
  however, you can specify one or more instances.
For more information about the statistics commands, see the man pages.
Steps
2. Optional: Use the statistics stop command to stop collecting data for the sample.
You can view data from the sample if you do not stop data collection. Stopping data collection
gives you a fixed sample. Not stopping data collection gives you the ability to get updated data
that you can use to compare against previous queries. The comparison can help you identify
performance trends.
The following command shows data from the sample by specifying counters that show the
number of successful read and write requests versus the total number of read and write
requests:
Object: nfsv3
Instance: vs1
Start-time: 2/11/2013 15:38:29
End-time: 2/11/2013 15:38:41
Cluster: cluster1
    Counter                                           Value
    --------------------------- ---------------------------
    read_success                                      40042
    read_total                                        40042
    write_success                                   1492052
    write_total                                     1492052
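The success and total counters in this output can be compared programmatically to spot failed requests in a sample. The following is an added example, not code from the guide or from NetApp: the function names are assumptions, the sample text is constructed from the output above, and the timestamps are assumed to be in month/day/year order.

```python
from datetime import datetime

# Constructed sample, copied from the output shown in this guide.
SAMPLE_OUTPUT = """\
Object: nfsv3
Instance: vs1
Start-time: 2/11/2013 15:38:29
End-time: 2/11/2013 15:38:41
Cluster: cluster1
    Counter                                           Value
    --------------------------- ---------------------------
    read_success                                      40042
    read_total                                        40042
    write_success                                   1492052
    write_total                                     1492052
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumption: month/day/year


def parse_statistics(text):
    """Split the output into header fields and integer counter values."""
    header, counters = {}, {}
    in_table = False
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if set(parts[0]) == {"-"}:
            in_table = True  # the dashed rule separates header and counters
            continue
        if in_table:
            if len(parts) == 2 and parts[1].isdigit():
                counters[parts[0]] = int(parts[1])
        elif ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, counters


def summarize(text):
    """Pair each <op>_success counter with <op>_total and report failures."""
    header, counters = parse_statistics(text)
    elapsed = None
    if "Start-time" in header and "End-time" in header:
        start = datetime.strptime(header["Start-time"], TIME_FORMAT)
        end = datetime.strptime(header["End-time"], TIME_FORMAT)
        elapsed = (end - start).total_seconds()
    operations = {}
    for name, total in counters.items():
        if not name.endswith("_total"):
            continue
        op = name[: -len("_total")]
        success = counters.get(op + "_success")
        if success is None:
            continue  # no matching success counter in this sample
        failed = total - success
        operations[op] = {
            "total": total,
            "failed": failed,
            "failure_ratio": failed / total if total else 0.0,
        }
    return {
        "object": header.get("Object"),
        "instance": header.get("Instance"),
        "elapsed_seconds": elapsed,
        "operations": operations,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```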
Step
The following command shows performance data for a volume by specifying counters that
show the number of operations per second and latency:
Step
Example
The following command displays basic information about the SVM:
Step
1. Use the vserver peer show command to view the peered SVMs and the state of the SVM peer
relationship.
Example
The following example shows how to view the information about peered SVMs:
              Peer        Peer
Vserver       Vserver     State
------------- ----------- ------------
vs1.example0.com vs5.example0.com peered
vs1.example0.com vs3.example0.com peered
For more information about this command, see the man pages.
Step
Example
The following example shows how to view the LIFs of an SVM:
Related information
Clustered Data ONTAP 8.3 System Administration Guide for Cluster Administrators
Display the health status of aggregates in SVMs: dashboard health vserver show-aggregate
Display the health status of volumes in SVMs: dashboard health vserver show-volume
Display the health status of LIFs in SVMs: dashboard health vserver show-lif
Display the health status of SVM network ports: dashboard health vserver show-port
Display the health status of protocols in SVMs: dashboard health vserver show-protocol
Note: You can configure and manage only the protocols that are allowed on the SVM by the
cluster administrator.
NAS protocols
NFS clients can access data on an SVM by using the NFS protocol. You must configure an NFS
server on an SVM to provide data access to its NFS clients. You can set up authentication between
the SVM and NFS clients by configuring a network authentication protocol, such as NIS and LDAP.
CIFS clients can access data on an SVM by using the CIFS protocol. You can create multiple CIFS
shares for the clients. You can set up authentication between the SVM and CIFS clients by
configuring a network authentication protocol, such as Windows Active Directory.
In addition to NFS and CIFS protocols, you can also manage the following:
• Name mappings
You can create and use name mappings to map your UNIX users and groups to Windows users
and groups or Windows users and groups to UNIX users and groups.
• Export policies
You can create and use export policies to restrict access to volumes or qtrees for specific clients.
• Locks
You can view and break a lock if it prevents a client's access to the files.
SAN protocols
You must configure the iSCSI protocol on an SVM to export LUNs and transfer block data to the
iSCSI initiator hosts.
You must configure the FC (FCoE included) protocol on an SVM to export LUNs and transfer block
data to the FC initiator hosts.
Related information
Clustered Data ONTAP 8.3 File Access Management Guide for NFS
Clustered Data ONTAP 8.3 File Access Management Guide for CIFS
Clustered Data ONTAP 8.3 SAN Administration Guide
Example
The following example shows how to identify the list of NFS protocol commands:
vs1.example.com::vserver> ?
  audit>            Manage auditing of protocol requests that the
                    Vserver services
  cifs>             Manage the CIFS configuration of a Vserver
  dashboard>        The dashboard directory
  data-policy>      Manage data policy
  export-policy>    Manage export policies and rules
  fcp>              Manage the FCP service on a Vserver
  fpolicy>          Manage FPolicy
  group-mapping>    The group-mapping directory
  iscsi>            Manage the iSCSI services on a Vserver
  locks>            Manage Client Locks
  name-mapping>     The name-mapping directory
  nfs>              Manage the NFS configuration of a Vserver
  peer>             Create and manage Vserver peer relationships
  security>         Manage ontap security
  services>         The services directory
  show              Display Vservers
  smtape>           The smtape directory
vs1.example.com::vserver nfs> ?
  create            Create an NFS configuration for a Vserver
  delete            Delete the NFS configuration of a Vserver
  kerberos-config>  Manage the Kerberos configuration for an NFS
                    server
  modify            Modify the NFS configuration of a Vserver
  off               Disable the NFS service of a Vserver
  on                Enable the NFS service of a Vserver
  show              Display the NFS configurations of Vservers
  start             Start the NFS service of a Vserver
  status            Display the status of the NFS service of a
                    Vserver
  stop              Stop the NFS service of a Vserver
• Applying files and directory security settings defined in a security policy to an SVM
Related information
Clustered Data ONTAP 8.3 File Access Management Guide for NFS
Clustered Data ONTAP 8.3 File Access Management Guide for CIFS
Example
The following example shows how to identify the file security and tracing commands:
vs1.example.com::vserver security> ?
  file-directory>   Manage file security
  trace>            Manage security tracing
Services configuration
As an SVM administrator, you can configure services such as Network Information Service (NIS),
Domain Name Service (DNS), and Lightweight Directory Access Protocol (LDAP) for an SVM. You
can configure these services to provide network directory information, authentication, and UNIX
compatibility.
Note: The Active Directory service is configured as part of CIFS protocol configuration.
• LDAP services
You can configure LDAP services on an SVM to provide network information and authentication
for the data access and management requests.
• Netgroups
You can import UNIX netgroups from an FTP or HTTP site that is used by an SVM.
Related information
NetApp Technical Report 4067: Clustered Data ONTAP NFS Best Practice and Implementation
Guide
Clustered Data ONTAP 8.3 File Access Management Guide for NFS
Clustered Data ONTAP 8.3 File Access Management Guide for CIFS
Example
The following example shows how to identify the services commands:
vs1.example.com::vserver services> ?
  dns>              Manage DNS service
  ldap>             Manage LDAP configuration
  ndmp>             Manage vserver scoped NDMP
  netgroup>         Manage local netgroups
  nis-domain>       Manage Network Information Service domains
  unix-group>       Manage local UNIX group accounts
  unix-user>        Manage local UNIX user accounts
Storage management
Storage Virtual Machines (SVMs) represent the logical layer of data storage. SVMs can either
contain one or more FlexVol volumes or a single Infinite Volume. The storage space available in an
SVM is scalable, thus enabling SVM administrators to provision and manage storage in an SVM.
SVMs with FlexVol volumes can also have quotas and qtrees. SVMs with Infinite Volume cannot
have quotas and qtrees. Therefore, you cannot perform the quotas and qtrees related tasks on SVMs
with Infinite Volume.
Depending on your capabilities, you can perform the following tasks to manage volumes on an SVM:
Depending on your capabilities, you can manage volume qtrees and volume quotas by performing the
following tasks:
Related information
Clustered Data ONTAP 8.3 Logical Storage Management Guide
Example
The following example shows how to identify the storage commands:
vs1.example.com::volume> ?
  autosize          Set/Display the autosize settings of the
                    flexible volume.
  clone>            Manage FlexClones
  create            Create a new volume
  delete            Delete an existing volume
  file>             File related commands
  ...
  ...
  ...
  show-space        Display a list of volumes and their space usage
  show-space-old    Display a list of volumes and their space usage
  size              Set/Display the size of flexible volume.
  snapshot>         Manage snapshots
  unmount           Unmount a volume
LUN management
In a SAN environment, an SVM administrator can provision storage by creating LUNs and igroups and
mapping the LUNs to the igroups. After creating LUNs, an SVM administrator can manage their
availability, mapping, and accessibility.
Note: SVMs with Infinite Volume cannot have LUNs. Therefore, you cannot perform LUN related
tasks on an SVM with Infinite Volume.
Depending on your capabilities, you can perform the following tasks to manage LUNs:
• Creating, modifying, renaming, or deleting LUNs
• Unmapping LUNs
Related information
Clustered Data ONTAP 8.3 SAN Administration Guide
Example
The following example shows how to identify the lun commands:
vs1.example.com::lun> ?
  create            Create a new LUN
  delete            Delete the LUN
  igroup>           Manage initiator groups
  map               Map LUN to all the initiators in the group
  mapped>           The mapped directory
  maxsize           Display the maximum possible size of a LUN on a
                    given volume or qtree.
  modify            Modify a LUN
  move              Move (rename) a LUN
  portset>          Manage portsets
Backup management
As an SVM administrator, you can back up the SVM's data volumes by using Snapshot copy and NDMP
technology. You can also set up SnapMirror relationships between volumes of the peered SVMs to
protect data volumes of an SVM.
Starting with clustered Data ONTAP 8.2, you can perform tape backup and restore operations for
your SVM data by using NDMP and set up SnapMirror relationships between volumes of the peered
SVMs. You can create and manage data protection (DP), SnapVault (XDP), and transition (TDP)
relationships. You cannot create or manage load-sharing (LS) SnapMirror relationships.
Note: Infinite Volumes do not support NDMP, SnapVault relationships (XDP), transition
relationships (TDP), and load-sharing relationships (LS).
Related information
Clustered Data ONTAP 8.3 Data Protection Guide
Clustered Data ONTAP 8.3 Data Protection Tape Backup and Recovery Guide
Depending on your capabilities, you can perform the following tasks to manage Snapshot copies of
Infinite Volumes of an SVM:
For more information about managing Snapshot copies, see the Clustered Data ONTAP Data
Protection Guide.
Related information
Documentation on the NetApp Support Site: mysupport.netapp.com
SnapMirror management
As an SVM administrator, you can create and manage SnapMirror relationships of the types data
protection (DP), SnapVault (XDP), and transition (TDP) between volumes of the peered SVMs to
replicate data of the primary SVM. You cannot create or manage load-sharing (LS) SnapMirror
relationships.
Depending on your capabilities, you can perform the following tasks to manage SnapMirror
relationships of an SVM:
For more information about SnapMirror operations, see the Clustered Data ONTAP Data Protection
Guide.
Related information
Documentation on the NetApp Support Site: mysupport.netapp.com
NDMP management
As an SVM administrator, you can perform NDMP operations, such as creating and managing NDMP
sessions, to back up the data of an SVM with FlexVol volumes and restore the data whenever
needed. SVMs with Infinite Volume do not support NDMP.
Depending on your capabilities, you can perform the following tasks to manage NDMP sessions of
an SVM:
For more information about the NDMP operations, see the Clustered Data ONTAP Data Protection
Tape Backup and Recovery Guide.
Related information
Documentation on the NetApp Support Site: mysupport.netapp.com
• To manage Snapshot copies, you must navigate to the snapshot directory under the volume directory.
• To manage NDMP, you must navigate to the ndmp directory under the vserver services directory.
Example
The following example shows how to identify the backup commands:
vs1.example.com::volume snapshot> ?
  autodelete>           Manage snapshot autodelete settings
  create                Create a snapshot
  delete                Delete a snapshot
  modify                Modify snapshot attributes
  partial-restore-file  Restore part of a file from a snapshot
  policy>               Manage snapshot policies
  rename                Rename a snapshot
  restore-file          Restore a file from a snapshot
  show                  Display a list of snapshots
vs1.example.com::snapmirror> ?
  abort             Abort an active transfer
  break             Make SnapMirror destination writable
  create            Create a new SnapMirror relationship
  ...
  ...
  update            Start an incremental transfer
Policy management
As an SVM administrator, you can create and manage a collection of rules called policies to manage
the data access from an SVM. Depending on the capabilities assigned to you, you can create policies
such as SnapMirror policy and Snapshot policy.
You can manage the following policies of SVMs:
• Export policies
• File policies
• Quota policies
• SnapMirror policies
• Data policies
Each SVM with Infinite Volume has one data policy. When an Infinite Volume contains two or
more storage classes, you can use a data policy and its rules to automatically filter incoming data
into different storage classes.
Depending on your capabilities, you can perform the following tasks to manage policies of an SVM:
Example
The following example shows how to identify the SnapMirror policy commands:
vs1.example.com::snapmirror policy> ?
  add-rule          Add a new rule to SnapMirror policy
  create            Create a new SnapMirror policy
  delete            Delete a SnapMirror policy
  modify            Modify a SnapMirror policy
  modify-rule       Modify an existing rule in SnapMirror
                    policy
  remove-rule       Remove a rule from SnapMirror policy
  show              Show SnapMirror policies
Glossary
administrator
The account that has the required permission to administer a Data ONTAP system.
aggregate
A manageable unit of RAID-protected storage, consisting of one or two plexes, that can
contain one traditional volume or multiple FlexVol volumes.
Common Internet File System (CIFS)
Microsoft's file-sharing networking protocol that evolved from SMB.
CIFS share
• In Data ONTAP, a directory or directory structure that has been made available to
network users and can be mapped to a drive letter on a CIFS client. Also known
simply as a share.
client
A workstation or PC in a client-server architecture; that is, a computer system or process
that requests services from and accepts the responses of another computer system or
process.
credential
The configuration of a user account name and password that provide administrative
privileges on the storage system.
data SVM
Formerly known as data Vserver. In clustered Data ONTAP, a Storage Virtual Machine
(SVM) that facilitates data access from the cluster; the hardware and storage resources of
the cluster are dynamically shared by data SVMs within a cluster.
domain name server (DNS)
In OnCommand Insight (formerly SANscreen suite), a resource that resolves domain
names to their equivalent IP addresses so that IP traffic can be transported to the correct
destination. Each domain name is associated with, at a minimum, a primary and a
secondary DNS.
FC (Fibre Channel Protocol)
An interface protocol for SCSI transport when mapping block-oriented storage data over
Fibre Channel networks.
FlexVol volume
In clustered Data ONTAP, a logical entity contained in a Storage Virtual Machine (SVM,
formerly known as Vserver)—referred to as SVM with FlexVol volumes. FlexVol
volumes typically hold user data, although they also serve as node or SVM root volumes
and metadata containers. A FlexVol volume obtains its storage from a single aggregate.
igroup
initiator group. A collection of unique identifiers, either FC WWPNs (World Wide Port
Names) in a SCSI network or iSCSI node names of initiators (hosts) in an IP network, that
are given access to LUNs when they are mapped to those LUNs.
initiator
The system component that originates an I/O command over an I/O bus or network. The
target is the component that receives this command.
Infinite Volume
In clustered Data ONTAP, a logical entity contained in a Storage Virtual Machine (SVM,
formerly known as Vserver)—referred to as SVM with Infinite Volume—that holds user
data. An Infinite Volume obtains its storage from multiple aggregates.
iSCSI
Internet Small Computer Systems Interface (iSCSI) protocol. A licensed service on the
storage system that enables you to export LUNs to hosts using the SCSI protocol over
TCP/IP.
LIF
logical interface. Formerly known as VIF (virtual interface) in Data ONTAP GX. A
logical network interface, representing a network access point to a node. LIFs currently
correspond to IP addresses, but could be implemented by any interconnect. A LIF is
generally bound to a physical network port; that is, an Ethernet port. LIFs can fail over to
other physical ports (potentially on other nodes) based on policies interpreted by the LIF
manager.
Lightweight Directory Access Protocol (LDAP)
A client-server protocol for accessing a directory service.
LUN (Logical Unit Number)
The identifier of an FC or iSCSI logical unit. A logical unit typically corresponds to a
storage volume and is represented within a computer operating system as a device.
move (v)
To physically move data and any needed associated configuration of an object from one
aggregate to another within a cluster, including within a single node.
namespace
In network-attached storage (NAS) cluster environments, an abstraction layer for data
location that provides a single access point for all data in the system. It enables users to
access data without specifying the physical location of the data, and enables
volume
• For Data ONTAP, a logical entity that holds user data that is accessible through one or
more of the supported access protocols, including Network File System (NFS),
Common Internet File System (CIFS), Fibre Channel (FC), and Internet SCSI (iSCSI).
Data ONTAP treats an IBM volume as a disk.
• For IBM, the area on the storage array that is available for a Data ONTAP system or
non Data ONTAP host to read data from or write data to. The documentation uses the
term array LUN to describe this area.
Copyright information
Copyright © 1994–2014 NetApp, Inc. All rights reserved. Printed in the U.S.
No part of this document covered by copyright may be reproduced in any form or by any means—
graphic, electronic, or mechanical, including photocopying, recording, taping, or storage in an
electronic retrieval system—without prior written permission of the copyright owner.
Software derived from copyrighted NetApp material is subject to the following license and
disclaimer:
THIS SOFTWARE IS PROVIDED BY NETAPP "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE,
WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL NETAPP BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
NetApp reserves the right to change any products described herein at any time, and without notice.
NetApp assumes no responsibility or liability arising from the use of products described herein,
except as expressly agreed to in writing by NetApp. The use or purchase of this product does not
convey a license under any patent rights, trademark rights, or any other intellectual property rights of
NetApp.
The product described in this manual may be protected by one or more U.S. patents, foreign patents,
or pending applications.
RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to
restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.277-7103 (October 1988) and FAR 52-227-19 (June 1987).
Trademark information
NetApp, the NetApp logo, Go Further, Faster, ASUP, AutoSupport, Campaign Express, Cloud
ONTAP, clustered Data ONTAP, Customer Fitness, Data ONTAP, DataMotion, Fitness, Flash
Accel, Flash Cache, Flash Pool, FlashRay, FlexArray, FlexCache, FlexClone, FlexPod, FlexScale,
FlexShare, FlexVol, FPolicy, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster,
MultiStore, NetApp Insight, OnCommand, ONTAP, ONTAPI, RAID DP, SANtricity, SecureShare,
Simplicity, Simulate ONTAP, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock,
SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator,
SnapVault, StorageGRID, Tech OnTap, Unbound Cloud, and WAFL are trademarks or registered
trademarks of NetApp, Inc., in the United States, and/or other countries. A current list of NetApp
trademarks is available on the web at http://www.netapp.com/us/legal/netapptmlist.aspx.
Cisco and the Cisco logo are trademarks of Cisco in the U.S. and other countries. All other brands or
products are trademarks or registered trademarks of their respective holders and should be treated as
such.