DELLEMC - Docu48453 - Using VNX File Level Retention 8.1
DELLEMC - Docu48453 - Using VNX File Level Retention 8.1
Release 8.1
EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
Copyright © 1998 - 2013 EMC Corporation. All rights reserved.
Published August 2013
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
For the most up-to-date regulatory document for your product line, go to the Technical
Documentation and Advisories section on EMC Powerlink.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on
EMC.com.
All other trademarks used herein are the property of their respective owners.
Corporate Headquarters: Hopkinton, MA 01748-9103
Preface.....................................................................................................7
Chapter 1: Introduction...........................................................................9
Overview................................................................................................................10
System requirements.............................................................................................10
Restrictions and limitations.................................................................................11
User interface choices...........................................................................................12
Related information..............................................................................................13
Chapter 2: Concepts.............................................................................15
Overview................................................................................................................16
FLR-E and FLR-C...................................................................................................16
Tamperproof FLR clock........................................................................................17
Transition between states.....................................................................................17
Minimum, default, and maximum retention periods......................................19
Automatic file locking..........................................................................................20
Automatic file deletion.........................................................................................20
FLR epoch year......................................................................................................20
Data verification....................................................................................................21
Replication..............................................................................................................21
Activity log.............................................................................................................21
What FLR cannot protect against........................................................................22
Chapter 3: Configuring.........................................................................23
Enable the FLR license..........................................................................................24
Create an FLR-enabled file system.....................................................................25
Chapter 6: Troubleshooting..................................................................47
EMC E-Lab Interoperability Navigator..............................................................48
VNX user customized documentation...............................................................48
Known problems...................................................................................................48
Error messages.......................................................................................................48
EMC Training and Professional Services...........................................................49
SEC ruling...............................................................................................................56
EMC file-level retention with compliance.........................................................57
Glossary..................................................................................................63
Index.......................................................................................................65
As part of an effort to improve and enhance the performance and capabilities of its product lines,
EMC periodically releases revisions of its hardware and software. Therefore, some functions described
in this document may not be supported by all versions of the software or hardware currently in use.
For the most up-to-date information on product features, refer to your product release notes.
If a product does not function properly or does not function as described in this document, please
contact your EMC representative.
Note: Emphasizes content that is of exceptional importance or interest but does not relate to personal
injury or business/data loss.
Indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
Note: Do not request a specific support representative unless one has already been assigned to
your particular system problem.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall
quality of the user publications.
Please send your opinion of this document to:
Introduction
Overview
File-level retention (FLR) is an EMC® VNX® series software feature for protecting files from
modification or deletion until a specified retention date. By using file-level retention, you
can archive data to FLR storage on standard rewritable magnetic disks through NFS or CIFS
operations. FLR allows you to create a permanent, unalterable set of files and directories
and ensure the integrity of data.
There are two different types of file-level retention available: enterprise (FLR-E) and
compliance (FLR-C).
◆ FLR-E protects data content from changes made by users through CIFS, NFS, and FTP.
◆ FLR-C protects data content from changes made by users through CIFS, NFS, and FTP,
from changes made by administrators, and also meets the requirements of SEC rule
17a-4(f).
An FLR-enabled file system:
System requirements
Table 1 on page 10 describes the EMC VNX series software, hardware, network, and storage
configurations.
License Use of file-level retention functionality requires the purchase and activation of an FLR license
◆ It is not possible to enable the VNX FileMover functionality on a file system with file-level
retention enabled. Therefore, you cannot use a file system with file-level retention enabled
as primary storage in a FileMover environment. However, you can create a file system
with file-level retention enabled as secondary storage.
◆ Although file-level retention supports all backup functionality, the FLR attribute is not
preserved in the NDMP backup. Therefore, the VNX administrator must make sure that
the files are restored to a file system with file-level retention enabled.
◆ The root file system of the nested mount cannot be a file system with file-level retention
enabled.
◆ The file-level retention features of NFSv4.1 cannot be used to manage the locked state
of files in an FLR-enabled file system. NFSv4.1 clients must use the same mechanisms
as NFSv3 clients.
◆ You cannot create a writeable checkpoint of an FLR-C–enabled file system. However,
you can create a writeable checkpoint of an FLR-E–enabled file system.
◆ When using SMB 2.0 or higher, some versions of Windows, such as Windows 2008,
Windows Vista, and Windows 7, will cache file attribute changes by default without
confirming that the changes occurred on the file server. While this provides improved
performance, it also means that attempting to change a locked file in an FLR file system
from read-only to writable may appear to succeed when it does not. It can take a few
minutes for the Windows client to correct its cache and file attributes display.
You can resolve this issue by reducing or disabling the Windows client file information
cache as described in http://technet.microsoft.com/en-us/library/ff686200 (WS.10).aspx.
The Unisphere software online help contains additional information about managing your
system.
Installing Management Applications on VNX for File includes instructions on launching the
Unisphere software.
Related information
Specific information related to the features and functionality described in this document are
included in:
◆ VNX Command Line Interface Reference for File
◆ Online VNX man pages
◆ Parameters Guide for VNX for File
VNX wizards
Unisphere software provides wizards for performing setup and configuration tasks. The
Unisphere online help provides more details on the wizards.
Related information 13
Introduction
Concepts
Overview
File-level retention allows you to set file-based permissions on a file system to limit write
access for a specified retention date. File-level retention is enabled on a specified file system
only at creation time. When a new file system is created and enabled for file-level retention,
it is persistently marked as an FLR-enabled file system and the FLR setting cannot be changed.
After a file system is created and enabled with file-level retention, an administrator can
apply FLR protection on a per-file basis.
A file in an FLR-enabled file system is always in one of four possible states: not locked,
locked, append-only, or expired. You manage files in the locked state by setting retention
dates that, until the dates have passed, prevent the files from being modified or deleted.
FLR files can be grouped by directory or batch process, thus enabling you to manage the
file archives on a file system basis, or to run a script to locate and delete files in the expired
state. Use the FLR Toolkit, which contains a suite of applications that enables users to manage
the retention states of files in an FLR-enabled file system, including deletion of expired files.
To access the FLR Toolkit, go to EMC Online Support. After logging in to EMC Online
Support, locate the applicable Support by Product page. Search for FLR Toolkit to access
information for the FLR Toolkit.
Note: A file's current state is not visible to the user. Also, access to a file that is not locked causes the
file's LAT to change. For example, antivirus scanning, backing up, or searching file contents modifies
the LAT on a file.
When you change the permissions on a file that is not locked from read/write to read-only,
the file transitions from the not locked state to the locked state. A locked file cannot be
modified or deleted by VNX clients or users. Also, the path to any locked file is protected
from modification. This means a directory on an FLR-enabled file system cannot be renamed
or deleted unless it does not contain any protected files. Locked files can be deleted only
after their retention date has passed.
Important: If you use Windows Explorer to make a file in an FLR file system read-only, it sets the atime
of the file to the current date and time before making it read-only. This results in locking the file for
the default retention period in effect on the file system. If you want to use Windows Explorer to set
or manage retention dates, or to lock files in an FLR-enabled file system, you must install the FLR
Toolkit. The Toolkit contains a suite of applications that enables users to manage the retention states
of files in an FLR-enabled file system. To access the FLR Toolkit, go to EMC Online Support. After
logging in to EMC Online Support, locate the applicable Support by Product page. Search for FLR Toolkit
to access information for the FLR Toolkit.
A retention date specifies the date and time when a file's FLR protection expires. EMC
suggests specifying a retention date before you lock the file. You can set a file's retention
date by modifying the file's LAT through NFS or CIFS operations. If you do not specify a
retention date before you lock the file in an FLR file system, the file will be locked for the
default retention period that is set on the file system at the time the file is locked.
If a file is empty, it could transition between the locked and append-only states. You do not
have to set a retention date on a file to convert it from a locked file into an append-only file.
The transition from locked to append-only is performed by manipulating an empty file to
read-only and back to writable again. As long as a file remains empty, it can cycle between
the locked and append-only states.
The append-only state should be used by applications that send sequential data. If the data
received by the Data Mover is not sequential, a request to modify or delete the file is rejected.
Append-only files do not support the non-sequential addition of data. While in an
append-only state, data may be appended only to the end of the file. Any data already in
the file cannot be modified or deleted. A typical use case for the append-only state is a log
file, which only appends new data.
Once a file in the append-only state has been written to, putting it into the locked state by
making it read-only locks the file into that state until its retention date has passed.
A file transitions from the locked state to the expired state when its retention date has passed.
A file in the expired state can be deleted by the file's owner or the administrator, but cannot
be altered.
Note: For systems that use version 7.1 and later, Enable automatic file deletion on page 42 describes
how to automatically delete files in an expired state. For systems that use version 7.0 and earlier,
file-level retention does not perform automatic deletion of files in an expired state. Expired files must
be deleted explicitly or by using the FLR Toolkit. To access the FLR Toolkit, go to EMC Online Support.
After logging in to EMC Online Support, locate the applicable Support by Product page. Search for
FLR Toolkit to access information for the FLR Toolkit.
If necessary, you can revert a file from the expired state back to the locked state by extending
its retention date to a date beyond the original retention date. To extend a retention date,
change the file's LAT to a time that extends beyond the original expiration date. Although
you can extend a file's retention date, you cannot shorten it. If you specify a new access time
that is earlier than the current access time for the file, the system rejects the command. With
the exceptions of extending a file's retention date and modifying a user or group's read
permissions to the file, the file's metadata is not editable during the retention period.
While copying a read-only file from a regular file system to an FLR-enabled file system, the
file is not locked. Upon completion of the read-only file copy, the file stays in the not locked
state. To lock a read-only file, you must:
1. Copy the file to an NFS or CIFS file system enabled for file-level retention.
2. Change permission on the file to read/write.
3. Set a retention date.
4. Lock the file.
Additionally, file systems with file-level retention enabled always enforce synchronization
of Windows (CIFS) read-only bit and UNIX (NFS) read/write mode.
period is infinite, which means that the files can never be deleted. The system will ensure
that the default retention period is always less than or equal to the maximum retention
period.
◆ A maximum retention period specifies the longest period for which files on an FLR-enabled
file system can be locked and protected from deletion. The default value for the maximum
retention period is infinite, which means that the files can never be deleted. Any attempt
to lock a file for more than this maximum retention period results in the file being locked
until the current system time plus the maximum retention period is reached. The
maximum retention period can be set to Y for years, M for months, D for days, or infinite.
Modifying the minimum, default, or maximum retention period value does not affect files
that are currently locked in a file system.
Note: Most file copy tools preserve the last modified time of a file being copied. When copying files
into an FLR file system with automatic file locking enabled, if you did not modify files to copy within
the automatic file lock policy interval specified on the FLR file system, the file copies are locked almost
immediately after being copied into the FLR file system. The files immediately meet the criteria for
being locked automatically. For example, the lock policy interval is set to 30 minutes. File A was
modified 15 minutes ago. File B was modified 60 minutes ago. File A is not locked when copied into
the FLR file system because its modification time is less than the lock policy interval. However, File
B is locked when copied into the FLR file system because its modification time is more than the lock
policy interval.
◆ When a file is locked with its atime set to a value less than the FLR epoch year value, the
file's retention date is set to 2038 + (atime_year - 1970).
You can specify values from 2000 to 2037. The default value is 2003. The maximum value
for the retention period is December 31, 2104 11:59:59 p.m. Trying to set a date beyond this
value generates an error.
Data verification
Data verification ensures the integrity of the data written to disk by performing a read back
of the data that was written to the FLR-C–enabled file system. This write verification
functionality, disabled by default, is available for FLR-C–enabled file systems only. To be
SEC rule 17a4(f) compliant , you must manually enable write verification. Set write
verification on page 43 contains information on enabling write verification.
If the data read back from the storage does not match the data in memory, the Data Mover
reattempts the write and read back twice more, for a total of three times. If there is still a
mismatch, the Data Mover logs a message to the Data Mover server log and panics the Data
Mover, which identifies that data is corrupt. The Data Mover panic ensures that the data
verification failure will not go unnoticed.
Note: If write verification is enabled, all write operations on all FLR-C file systems mounted on the
Data Mover will be read back and verified to see whether the data has been written correctly. The
system performance may degrade during this procedure due to the amount of operations that are
being performed.
Replication
For VNX Replicator create and file system copy operations, replication on an FLR-C–enabled
file system is allowed when:
◆ The source file system has FLR-C enabled, and the destination file system has FLR-C
enabled and does not have protected files.
◆ The source file system has FLR-C enabled and the destination is a storage pool.
You can start a replication session when the source file system has FLR-C enabled and the
destination file system has FLR-C enabled and does not have protected files.
You can start a replication session with the reverse option when the original source file
system has FLR-C enabled and does not have protected files and the original destination
file system has FLR-C enabled.
Activity log
The activity log file contains events that successfully changed or attempted to change
protected data on an FLR-enabled file system. The activity log file is named
Data verification 21
Concepts
For these reasons and others, it is important to physically maintain either backups or replicas
of file systems. Logically separate them from the file system production copy by using
features such as VNX SnapSure, VNX Replicator, and offsite backups.
Configuring
Note: Ensure that the system clock is set to the correct time before creating and mounting an
FLR-enabled file system. The file system's FLR clock is set when the system is first mounted.
Action
To create an FLR-enabled file system, use this command syntax:
$ nas_fs -name <name> -create [size=<integer>[T|G|M]] pool=<pool>
[worm={enterprise|compliance|off}[-default_retention {<def_integer>{Y|M|D}
|infinite}] [-min_retention {<min_integer>{Y|M|D}|infinite}]
[-max_retention {<max_integer>{Y|M|D}|infinite}]]
where:
<name> = name of the file system.
<def_integer> = default retention period that is used in an FLR-enabled file system when a file is locked and a retention
period is not specified. This value must be greater than or equal to the minimum retention period, and less than or equal
to the maximum retention period. Specify Y for years, M for months, D for days, or infinite. The default value for the default
retention period is infinite, which means that the files can never be deleted.
<min_integer> = shortest retention period for which files on an FLR-enabled file system can be locked and protected
from deletion. This value must be less than or equal to the maximum retention period. Any attempt to lock a file for less
than the minimum retention period results in the file being locked until the current system time plus the minimum retention
period is reached. The default value for the minimum retention period is 1 day. Specify Y for years, M for months, D for
days, or infinite. Setting infinite means that the files can never be deleted.
<max_integer> = longest retention period for which files on an FLR-enabled file system can be locked and protected
from deletion. Any attempt to lock a file for more than this maximum retention period results in the file being locked until
the current system time plus the maximum retention period is reached. Specify Y for years, M for months, D for days, or
infinite. The default value for the maximum retention period is infinite, which means that the files can never be deleted.
Example:
To create an FLR-enabled file system ufs4, with a size of 100 GB, by using the clar_r5_performance pool, with file-level
retention set to enterprise, a minimum retention period of 30 days, a default retention period of 60 days, and a maximum
retention period of 10 years, type:
$ nas_fs -name ufs4 -create size=100G pool=clar_r5_performance worm=enterprise
-min_retention 30D -default_retention 60D -max_retention 10Y
Output
id = 18
name = ufs4
acl = 0
in_use = False
type = uxfs
worm = enterprise with no protected files
worm_clock= Clock not initialized
worm Max Retention Date= NA
worm Default Retention Period= 60 Days
worm Minimum Retention Period= 30 Days
worm Maximum Retention Period= 10 Years
FLR Auto_lock= off
FLR Policy Interval= 3600 seconds
FLR Auto_delete= off
FLR Epoch Year= 2003
volume = v125
pool = clar_r5_performance
member_of = root_avm_fs_group_3
rw_servers=
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
deduplication = unavailable
stor_devs =
BB005056830430-0019,BB005056830430-0016,BB005056830430-0015,BB005056830430-
0010
disks = d16,d13,d12,d7
Note
To enable file-level retention, the worm option can be set to either enterprise or compliance. Off disables file-level retention
capability. If a worm option is not specified, the default value is off.
Managing Files in an
FLR-Enabled File System
Note: You can also use the ls -lu command to verify the file permission bits and LAT.
Output:
total 16
drwxr-xr-x 2 root root 8192 2008-01-21 14:27:23.000000000 -0500
lost+found
-rw-r--r-- 1 32770 32770 16 2008-01-21 14:42:18.000000000 -0500
New Text Document.txt
Note: The write permission bit (-rw-r--r--) on the New Text Document.txt file indicates the file is
either not locked or in the append-only state.
For example:
To set the retention date for an NFS file to January 24, 2008, 8 a.m. from the CLI, type:
$ touch -at 200801240800 rp012408
Output
None
Notes
You can also set the retention date for a file on NFS from the application by using the utime system call. Transition between
states on page 17 provides more details about setting a retention date.
Dates between the current epoch year on the file system (default is 2003) and 2038 are set directly on the file. To set
dates beyond 2038, you need to set the atime of the file as an offset from January 1, 1970. Dates below the epoch year
set on the file system are mapped above 2038 by subtracting 1970 from the year portion of the file’s atime and adding the
remainder to 2038 to arrive at the desired retention date. For example, if you set the access time on the file to 1/1/1999,
when the file is locked, it is set with a retention date of 1/1/2067. This date was arrived at by using the following calculation:
2038+(1999-1970)=2067.
The current epoch year set on the file system is the maximum offset beyond 2038 that you can use. For example, with
the epoch year for the file system set to its default of 2003, any atime between January 1, 1970 and December 31, 2002
will be mapped above 2038 (by subtracting 1970 from the year portion of the file’s atime and adding the remainder to
2038). Adjusting the epoch year of the file system to its maximum of 2037 means that any date between January 1, 1970
and December 31, 2036 will be mapped above 2038. Therefore, the maximum retention date that you can set on a file is
December 31, 2104. For example, file system epoch year=2037; file atime=December 31, 2036; retention date becomes
2038+(2036-1970)=2104.
Important: Windows Explorer does not contain the capability of setting a retention date for a file in an FLR-enabled file
system. If you want to use Windows Explorer to set or manage retention dates in an FLR-enabled file system, you must
install the FLR Toolkit.
Output
None
Output
total 16
drwxr-xr-x 2 root root 8192 2008-01-21 14:27 lost+found
-rw--r--r-- 1 32770 32770 16 2008-01-24 08:00 New Text Document.txt
Note
The retention date is set to 2008-01-24 08:00 on the New Text Document.txt file.
You can also change a file’s access permission to read-only from an application by using the chmod system call to clear
all write permissions.
The chmod command can specify file permissions symbolically or numerically. Modify the permissions on a file by using
the combination that best suits the requirements. The execute permission does not prevent the file-level retention lock.
The chmod a-w <filename> command is an alternate option to chmod 444 <filename>.
Output
None
Output
None
Important Notes
◆ If you use Windows Explorer to make a file in an FLR file system read-only, it sets the atime of the file to the current
date and time before making it read-only. This results in locking the file for the default retention period in effect on the
file system. If you want to use Windows Explorer to lock files in an FLR-enabled file system, you must install the FLR
Toolkit.
◆ For systems that use version 7.0 and earlier, when using Windows Explorer to copy read-only files either into or
within an FLR file system, or between FLR file systems, the protection state of the file's copy depends on whether the
Windows client making the copy uses the SMB1 or SMB2 protocol. If the Windows client uses SMB1, then the desti-
nation file will be read-only, but not protected. If the Windows client uses SMB2, the destination file will be read-only
and locked with an infinite retention date. This infinite date can be reduced in an FLR-E file system, but not in an FLR-
C file system. Turning off the read-only bit on the source files (if possible) before copying them will avoid any potential
confusion.
◆ For systems that use version 7.1 and later, when using Windows Explorer to copy read-only files either into or within
an FLR file system, or between FLR file systems, the protection state of the file's copy depends on whether the Windows
client making the copy uses the SMB1 or SMB2 protocol. If the Windows client uses SMB1, then the destination file
will be read-only, but not protected. If the Windows client uses SMB2, the destination file will be read-only and locked
for the default retention period configured on the file system.Turning off the read-only bit on the source files (if possible)
before copying them will avoid any potential confusion.
Output
total 16
drwxr-xr-x 2 root root 8192 Jan 21 14:27 lost+found
-r--r--r-- 1 32770 32770 16 2008-01-24 08:00 New Text Document.txt
Note
The permission bits for the New Text Document.txt file have changed from rw to r. read-only indicates the file is locked.
Ensure that the file's LAT is a future time or the retention time is set to the file system default.
Output:
server_2 : Thu Jan 24 08:20:20 EST 2008
2. Verify the date and time on the saved file by typing:
$ ls -l --time-style=long-iso --time=atime
Output:
total 16
drwxr-xr-x 2 root root 8192 2008-01-21 14:27 lost+found
-r--r--r-- 1 32770 32770 16 2008-01-21 08:00 New Text
Document.txt
The retention date 2008-01-21 08:00 on the New Text Document.txt file is less than the
date and time of the file system's FLR clock, Thu Jan 24 08:20:20 EST 2008, which indicates
the file is in the expired state.
Note: If a file is not in the expired state, any attempt to delete the file will fail.
Managing an FLR-Enabled
File System
Example:
To query the file system ufs4, type:
$ nas_fs -info ufs4
Output
id = 16
name = ufs4
acl = 0
in_use = False
type = uxfs
worm = enterprise with no protected files
worm_clock= Clock not initialized
worm Max Retention Date= NA
worm Default Retention Period= infinite
worm Minimum Retention Period= 1 Day
worm Maximum Retention Period= infinite
FLR Auto_lock= off
FLR Policy Interval= 3600 seconds
FLR Auto_delete= off
FLR Epoch Year= 2003
volume = v121
pool = clar_r5_performance
member_of = root_avm_fs_group_3
rw_servers=
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
deduplication = unavailable
thin_storage = True
tiering_policy = Auto-tier
compressed= False
mirrored = False
auto_provision= False
stor_devs =
BB005056830430-0019,BB005056830430-0016
disks = d16,d13
Note
◆ The worm (FLR) option for the ufs4 file system is worm=enterprise with no protected files to indicate the file system
is enabled for file-level retention but no files are locked. This option could also be set to worm=compliance. When a
file system is not enabled for file-level retention, the worm option is worm=off.
◆ The following data appears only if worm=enterprise or compliance:
◆ worm_clock
◆ worm Max Retention Date
◆ worm Default Retention Period
◆ worm Minimum Retention Period
◆ worm Maximum Retention Period
◆ FLR Auto_lock
◆ FLR Policy Interval
◆ FLR Auto_delete
◆ FLR Epoch Year
◆ The FLR clock stops ticking when the file system is mounted read-only or is unmounted.
Action
To modify a retention period for a file system, use this command syntax:
$ nas_fs -modify <fsname> -worm [-default_retention {<def_integer>{Y|M|D}
|infinite}] [-min_retention {<min_integer>{Y|M|D}|infinite}]
[-max_retention {<max_integer>{Y|M|D}|infinite}]
where:
<fsname> = name of the file system
<def_integer> = default retention period that is used in an FLR-enabled file system when a file is locked and a retention
period is not specified. This value must be greater than or equal to the minimum retention period, and less than or equal
to the maximum retention period. Specify Y for years, M for months, D for days, or infinite. The default value for the default
retention period is infinite, which means that the files can never be deleted.
<min_integer> = shortest retention period for which files on an FLR-enabled file system can be locked and protected
from deletion. This value must be less than or equal to the maximum retention period. Any attempt to lock a file for less
than the minimum retention period results in the file being locked until the current system time plus the minimum retention
period is reached. Specify Y for years, M for months, D for days, or infinite. The default value for the minimum retention
period is 1 day. Setting infinite means that the files can never be deleted.
Action
<max_integer> = longest retention period for which files on an FLR-enabled file system can be locked and protected
from deletion. Any attempt to lock a file for more than this maximum retention period results in the file being locked until
the current system time plus the maximum retention period is reached. Specify Y for years, M for months, D for days, or
infinite. The default value for the maximum retention period is infinite, which means that the files can never be deleted.
Example:
To modify FLR file system worm_ufs2 with a default retention period of 5 years, type:
$ nas_fs -modify worm_ufs2 -worm -default_retention 5Y
Output
id = 40
name = worm_ufs2
acl = 0
in_use = True
type = uxfs
worm = enterprise with no protected files
worm_clock= Fri Jul 29 11:14:27 EDT 2011
worm Max Retention Date= No protected files created
worm Default Retention Period= 5 Years
worm Minimum Retention Period= 30 Days
worm Maximum Retention Period= 5 Years
FLR Auto_lock= off
FLR Policy Interval= 3600 seconds
FLR Auto_delete= off
FLR Epoch Year= 2003
volume = v117
pool = clar_r5_performance
member_of = root_avm_fs_group_3
rw_servers= server_2
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
deduplication = Off
stor_devs =
BB005056830430-0019,BB005056830430-0016
disks = d16,d13
disk=d16 stor_dev=BB005056830430-0019 addr=c0t1l9 server=server_2
disk=d16 stor_dev=BB005056830430-0019 addr=c16t1l9 server=server_2
disk=d13 stor_dev=BB005056830430-0016 addr=c0t1l6 server=server_2
disk=d13 stor_dev=BB005056830430-0016 addr=c16t1l6 server=server_2
<year> = epoch value used to calculate the maximum date that locked files can be retained. Type an integer from 2000
to 2037. The default value is 2003.
Example:
To reset the FLR epoch date for file system ufs4 to 2000, type:
$ nas_fs -modify ufs4 -worm -reset_epoch 2000
Output
id = 14
name = ufs4
acl = 0
in_use = True
type = uxfs
worm = enterprise with no protected files
worm_clock= Fri Jul 29 12:18:36 EDT 2011
worm Max Retention Date= No protected files created
worm Default Retention Period= 10 Years
worm Minimum Retention Period= 30 Days
worm Maximum Retention Period= 11 Years
FLR Auto_lock= off
FLR Policy Interval= 3600 seconds
FLR Auto_delete= off
FLR Epoch Year= 2000
volume = v117
pool = clar_r5_performance
member_of = root_avm_fs_group_3
rw_servers= server_2
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
deduplication = Off
stor_devs =
BB005056830430-0019,BB005056830430-0016
disks = d16,d13
disk=d16 stor_dev=BB005056830430-0019 addr=c0t1l9 server=server_2
disk=d16 stor_dev=BB005056830430-0019 addr=c16t1l9 server=server_2
disk=d13 stor_dev=BB005056830430-0016 addr=c0t1l6 server=server_2
disk=d13 stor_dev=BB005056830430-0016 addr=c16t1l6 server=server_2
Note
For systems that use version 7.0 and earlier, you can set a maximum retention year of 2038. For systems that use version
7.1 and later, by using the epoch value you can now set a maximum value for the retention period up to December 31,
2104 11:59:59 p.m. Trying to set a date beyond this value generates an error.
where:
<fs_name> = name of the file system.
<integer> = an interval for how long to wait after files are modified before the files are automatically locked in an FLR-
enabled file system.Type an integer and specify M for minutes, D for days, or H for hours.The policy interval has a minimum
value of 1 minute and a maximum value of 366 days. The default value is 1 hour.
Example:
To enable FLR automatic file locking with a policy interval of 30 minutes for file system ufs4, type:
$ nas_fs -modify ufs4 -worm -auto_lock enable -policy_interval 30M
Output
id = 14
name = ufs4
acl = 0
in_use = True
type = uxfs
worm = enterprise with no protected files
worm_clock= Fri Jul 29 12:24:44 EDT 2011
worm Max Retention Date= No protected files created
worm Default Retention Period= 10 Years
worm Minimum Retention Period= 30 Days
worm Maximum Retention Period= 11 Years
FLR Auto_lock= on
FLR Policy Interval= 1800 seconds
FLR Auto_delete= off
FLR Epoch Year= 2000
volume = v117
pool = clar_r5_performance
member_of = root_avm_fs_group_3
rw_servers= server_2
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
deduplication = Off
stor_devs =
BB005056830430-0019,BB005056830430-0016
disks = d16
disk=d16 stor_dev=BB005056830430-0019 addr=c0t1l9 server=server_2
disk=d16 stor_dev=BB005056830430-0019 addr=c16t1l9 server=server_2
Note
Most file copy tools preserve the last modified time of a file being copied. When copying files into an FLR file system with
automatic file locking enabled, if you did not modify files to copy within the automatic file lock policy interval specified on
the FLR file system, the file copies are locked almost immediately after being copied into the FLR file system. The files
immediately meet the criteria for being locked automatically. For example, the lock policy interval is set to 30 minutes. File
A was modified 15 minutes ago. File B was modified 60 minutes ago. File A is not locked when copied into the FLR file
system because its modification time is less than the lock policy interval. However, File B is locked when copied into the
FLR file system because its modification time is more than the lock policy interval.
Example:
To enable FLR automatic file deletion for file system ufs4, type:
$ nas_fs -modify ufs4 -worm -auto_delete enable
Output
id = 14
name = ufs4
acl = 0
in_use = True
type = uxfs
worm = enterprise with no protected files
worm_clock= Fri Jul 29 12:26:42 EDT 2011
worm Max Retention Date= No protected files created
worm Default Retention Period= 10 Years
worm Minimum Retention Period= 30 Days
worm Maximum Retention Period= 11 Years
FLR Auto_lock= on
FLR Policy Interval= 1800 seconds
FLR Auto_delete= on
FLR Epoch Year= 2000
volume = v117
pool = clar_r5_performance
member_of = root_avm_fs_group_3
rw_servers= server_2
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
deduplication = Off
stor_devs =
BB005056830430-0019,BB005056830430-0016
disks = d16,d13
disk=d16 stor_dev=BB005056830430-0019 addr=c0t1l9 server=server_2
disk=d16 stor_dev=BB005056830430-0019 addr=c16t1l9 server=server_2
disk=d13 stor_dev=BB005056830430-0016 addr=c0t1l6 server=server_2
disk=d13 stor_dev=BB005056830430-0016 addr=c16t1l6 server=server_2
<new_value> = enable (1) or disable (0) the write verification capability. The range of values is 0 to 1, and the default
value is 1.
Example:
To enable write verification on server_2, type:
$ server_param server_2 -facility FLRCompliance -modify writeverify -value 1
Output
server_2 : done
<fs_name_ckpt2> = name for the new checkpoint automatically created in the restore process
If no name is specified, the system creates the new checkpoint by using a standard naming convention.
Note
The -Force option must be used to restore an FLR-E–enabled file system. Otherwise, the restore operation fails with an
error: “requires -Force option.”
Action
To delete an FLR-enabled file system, use this command syntax:
$ nas_fs -delete <fs_name> -Force
where:
<fs_name> = name of the file system
Example:
To delete an FLR-E–enabled file system worm_ufs1, type:
$ nas_fs -delete worm_ufs1 -Force
Output:
id = 805
name = worm_ufs1
acl = 0
in_use = False
type = uxfs
worm = enterprise
volume = v630
rw_servers=
ro_servers=
rw_vdms =
ro_vdms =
auto_ext = no,thin=no
stor_devs = APM00043305843-000D,APM00043305843-0008,APM00043305843-0017,
APM00043305843-0013
disks = d26,d14,d21,d8
Example:
To delete an FLR-C–enabled file system worm_ufs2, type:
$ nas_fs -delete worm_ufs2
Action
Output:
Error 13423542289: File system worm_ufs2 cannot be deleted because it
contains protected files.
Note
The -Force option must be used to delete an FLR-E file system with file-level retention enabled. Otherwise, the delete
operation fails with an error: “must specify -Force to delete WORM filesystem.”
Troubleshooting
Known problems
Table 2 on page 48 describes known problems that might occur when using file-level
retention, and presents workarounds.
Cannot easily distinguish between a Set the LAT to an earlier date and time.
locked file and a read-only file that is
copied or transferred through FTP in to a ◆ If the operation fails, the file is locked.
file system with file-level retention en- ◆ If the operation succeeds, the file is not locked.
abled.
Error messages
All event, alert, and status messages provide detailed information and recommended actions
to help you troubleshoot the situation.
To view message details, use any of these methods:
◆ Unisphere software:
• Right-click an event, alert, or status message and select to view Event Details, Alert
Details, or Status Details.
◆ CLI:
• Use this guide to locate information about messages that are in the earlier-release
message format.
• Use the text from the error message's brief description or the message's ID to search
the Knowledgebase on EMC Online Support. After logging in to EMC Online Support,
locate the applicable Support by Product page, and search for the error message.
Overview
File-level retention does not require a separate API, although an API is available through
the EMC Velocity Partner program that allows you to perform more complex tasks. File-level
retention works by enhancing standard NFS and CIFS requests with new semantics when
targeting an FLR-enabled file system. Application programs can use standard file access
APIs for manipulating FLR files. Each operation is described as to how it is encoded within
the NFS or CIFS protocol, and how it is invoked by using standard file access APIs.
Important: Windows Explorer does not contain the capability of setting a retention date for a file in an
FLR-enabled file system. If you want to use Windows Explorer to set or manage retention dates in an
FLR-enabled file system, you must install the FLR Toolkit. To access the FLR Toolkit, go to EMC Online
Support. After logging in to EMC Online Support, locate the applicable Support by Product page.
Search for FLR Toolkit to access information for the FLR Toolkit.
BOOL SetFileTime(
HANDLE hFile,
const FILETIME *lpCreationTime,
const FILETIME *lpLastAccessTime,
const FILETIME *lpLastWriteTime);
Errors: If the file is locked, the retention date cannot be shortened. If the new access time
specified is earlier than the current access time for the file, the server rejects the command.
Important: If you use Windows Explorer to make a file in an FLR file system read-only, it sets the atime
of the file to the current date and time before making it read-only. This results in locking the file for
the default retention period in effect on the file system. If you want to use Windows Explorer to lock
files in an FLR-enabled file system, install the FLR Toolkit which contains a suite of applications that
enables users to manage the states of files in an FLR-enabled file system. To access the FLR Toolkit,
go to EMC Online Support. After logging in to EMC Online Support, locate the applicable Support
by Product page. Search for FLR Toolkit to access information for the FLR Toolkit.
For systems that use version 7.0 and earlier, when using Windows Explorer to copy read-only files
either into or within an FLR file system, or between FLR file systems, the protection state of the file's
copy depends on whether the Windows client making the copy uses the SMB1 or SMB2 protocol. If
the Windows client uses SMB1, then the destination file will be read-only, but not protected. If the
Windows client uses SMB2, the destination file will be read-only and locked with an infinite retention
date. This infinite date can be reduced in an FLR-E file system, but not in an FLR-C file system. Turning
off the read-only bit on the source files (if possible) before copying them will avoid any potential
confusion.
For systems that use version 7.1 and later, when using Windows Explorer to copy read-only files either
into or within an FLR file system, or between FLR file systems, the protection state of the file's copy
depends on whether the Windows client making the copy uses the SMB1 or SMB2 protocol. If the
Windows client uses SMB1, then the destination file will be read-only, but not protected. If the Windows
client uses SMB2, the destination file will be read-only and locked for the default retention period
configured on the file system. Turning off the read-only bit on the source files (if possible) before
copying them will avoid any potential confusion.
BOOL SetFileAttributes(
LPCTSTR lpFileName,
DWORD dwFileAttributes);
From the user interface (such as Windows Explorer), a user can set the read-only attribute
of a file by using the Properties ➤ General tab.
Note: File-level retention mandates the synchronization of the DOS read-only bit and the UNIX mode
bits.
This section includes information about the SEC ruling requirements and
how FLR handles the requirements.
Topics included are:
◆ SEC ruling on page 56
◆ EMC file-level retention with compliance on page 57
SEC ruling
This section explains the SEC ruling 17a-4(f) requirements.
If electronic storage media is used by a member, broker, or dealer, it shall comply with the
following requirements:
◆ The member, broker, or dealer must notify its examining authority designated pursuant
to section 17(d) of the Act prior to employing electronic storage media. If employing any
electronic storage media other than optical disk technology (including CD-ROM), the
member, broker, or dealer must notify its designated examining authority at least 90
days prior to employing such storage media. In either case, the member, broker, or dealer
must provide its own representation or one from the storage medium vendor or other
third party with appropriate expertise that the selected storage media meets the conditions
set forth in this paragraph (f)(2).
◆ The electronic storage media must:
•
Preserve the records exclusively in a non-rewritable, non-erasable format.
•
Verify automatically the quality and accuracy of the storage media recording process.
•
Serialize the original and, if applicable, duplicate units of storage media, and time-date
for the required period of retention the information placed on such electronic storage
media.
•
Have the capacity to readily download indexes and records preserved on the electronic
storage media to any medium acceptable under this paragraph (f) as required by the
Commission or the self-regulatory organizations of which the member, broker, or
dealer is a member.
◆ FLR does not by itself offer any protection against the physical failure of disk drives or
storage arrays. Protection of data from these types of failure relies on mechanisms such
as RAID and replication of data to a second site.
◆ FLR does not protect data against the actions of anyone who has physical access to the
system. For example, someone could manually remove and destroy disk drives and
thereby destroy the data they contain.
◆ FLR does not offer any protection to FLR file systems affected by corruption of the VNX
system configuration database or software bugs. The system will automatically detect
corruption of its configuration database and “dial-home.”
◆ FLR does not provide any protection against someone with access to the VNX storage
array management tools that can delete (or unbind) the LUNs (disks) that a file system
is built on, thereby destroying the file system itself and the data it contains. This type of
attack:
•
Cannot be targeted at specific files. The entire file system is destroyed.
•
Is unlikely to go unnoticed. One or more file systems will disappear and the Data
Mover will panic.
•
Destroys data rather than allowing it to be modified.
For these reasons and others, it is important to physically maintain either backups or replicas
of file systems, and to logically separate them from the file system production copy by using
features such as SnapSure, VNX Replicator, and offsite backups.
Overview
By default, the VNX system logs all activity associated with successfully changing or
attempting to change protected data on an FLR-enabled file system. These events are logged
to a log file in the FLR-logs sub-directory of the root directory of the file system.
The activity log file is an append-only file which grows to approximately 10 MB in size. The
log file is named flrLogyyyymmddhhmm where the yyyymmddhhmm timestamp suffix is
the FLR clock time when the file was created. When it reaches its maximum size, a new
activity log file is created. Old log files are converted to FLR files with a retention date that
is set to the maximum retention date of files that the activity log refers to. This means that
the activity log is retained at least as long as any of the files to which it refers.
The administrator must delete old log files.
Note: When a Windows CIFS client deletes an empty expired file, the FLR activity log records this as
the creation of an append-only file, followed by its deletion. This is because when deleting read-only
files, Windows clients first make the file writable. The empty expired file becomes an append-only
file, and then the Windows clients delete the file. The message states that an append-only file was
deleted.
The following associated information for each event is captured in the FLR log file:
◆ Time of event, relative to the FLR clock maintained for the file system.
◆ Event action, such as create an append-only file.
◆ Inode number and generation count number of the file to which the event applies. The
inode number and generation count of a file uniquely identify it.
◆ The UID and GID (user identifier) of the user who performed or attempted the action.
◆ Event-specific information:
•
For a locked file, the new retention date and time
•
For the extension of the retention date and time, the new retention date and time
•
For a delete or attempted delete operation, whether the operation succeeded or failed
Table 3 on page 61 provides a brief description of an activity log event and an example.
User locked a file with a retention date that is specified by Tue Oct 14 09:35:38 2008 : Worm commit clean file : Inode
the value of the last access time of the file. No = 1082 : Generation No = 1223984104 : Uid = 0 : Gid =
1 : FileMode = 444 : RP = Tue Oct 21 09:35:37 2008 :
Passed
User extended the retention date of a locked file. Wed Oct 15 07:39:26 2008 : Extend Retention Period on
worm committed file : Inode No = 22 : Generation No =
1224056308 : Uid = 201 : Gid = 201 : FileMode = 444 : Old
RP = Wed Oct 15 07:40:00 2008 : New RP = Wed Oct 15
07:50:00 2008 : Passed
User extended the retention date of an expired file. It be- Sun Oct 19 14:54:24 2008 : Extend Retention Period on
comes locked again. worm expired file : Inode No = 21 : Generation No =
1224427555 : Uid = 201 : Gid = 201 : FileMode = 444 : Old
RP = Sun Oct 19 14:47:00 2008 : New RP = Sun Oct 19
15:15:00 2008 : Passed
User attempted to make a locked file writeable. This should Sun Oct 19 15:57:48 2008 : Make writeable worm committed
fail. file : Inode No = 24 : Generation No = 1224431800 : Uid =
201 : Gid = 201 : FileMode = 664 : RP = Sun Oct 19 16:30:00
2008 : Failed
User locked an append-only file and it became a standard Sun Oct 19 17:19:12 2008 : Worm commit worm append-
locked file. only file : Inode No = 26 : Generation No = 1224436571 :
Uid = 201 : Gid = 201 : FileMode = 444 : RP = Infinite :
Passed
User attempted to delete a locked file. This should fail. Tue Oct 14 09:43:42 2008 : Delete worm committed file :
Inode No = 6567 : Generation No = 1223980799 : Uid = 0 :
Gid = 0 : FileMode = 444 : RP = Tue Oct 14 09:55:00 2008
: Failed
User deleted an expired file. Sun Oct 19 14:56:28 2008 : Delete worm expired file : Inode
No = 19 : Generation No = 1224427141 : Uid = 201 : Gid =
201 : FileMode = 444 : RP = Sun Oct 19 14:44:00 2008 :
Passed
User attempted to delete an append-only file. This should Tue Oct 14 10:53:49 2008 : Delete worm append-only file :
fail. Inode No = 15 : Generation No = 1223988975 : Uid = 0 :
Gid = 0 : FileMode = 644 : RP = Infinite : Failed
Finding a file
To find a file, search the file system from an NFS client by using the UNIX find utility.
Use this command syntax:
$ find . -inum <inode_number> -print
where:
<inode_number> = “Inode No” from the log message
where:
<movername> = the name of the Data Mover that is hosting the FLR file system
<uid> = “Uid” from the log message
If the UID is not found by using the command above, then the UID was supplied by an
NFS client. Query the UNIX client nameservice instead.
where:
<movername> = the name of the Data Mover that is hosting the FLR file system
<gid> = “Gid” from the log message
If the GID is not found by using the command above, then the GID was supplied by an
NFS client. Query the UNIX client nameservice instead.
append-only state
State of a file when the data in it cannot be modified, but the file can have new data appended
to the end of it. In addition, the file itself cannot be deleted. Once a file in the append-only state
has been written to, changing it to the locked state by making it read-only locks it into that state
until its retention date has passed.
CLEAN state
See not locked state.
Data Mover
In VNX for file, a cabinet component that is running its own operating system that retrieves
data from a storage device and makes it available to a network client. This is also referred to as
a blade.
expired state
State of a file when its retention date has passed. A file in the expired state can be reverted back
to the locked state or deleted from the FLR-enabled file system, but cannot be altered.
FLR clock
Non-modifiable, per file system clock used to track the retention date. It is initialized when an
FLR-enabled file system is mounted read/write on a Data Mover. It does not advance when a
file system is unmounted or mounted read-only.
FLR state
See locked state.
LAT
Last access time of a file.
locked state
State of a file when its read/write permission is changed to read-only in a file system enabled
for file-level retention. Files committed to the locked (WORM) state cannot be altered or deleted
until their retention date has passed.
retention date
Date until which a locked file in an FLR-enabled file system will be protected. Users and
applications manage a file's retention date by using NFS or CIFS to set the file's last access time
to a future date and time. The retention timestamp is compared to the file system's FLR clock
to determine whether a file's retention date has passed.
ATTRIB command 32
F
C file system
copying files 19, 44
CAVA (Common AntiVirus Agent) 11 creating an FLR file system 25
checkpoint deleting 44
restoring 43 querying 36
chmod command 31 file-level retention
CIFS creating an FLR file system 25
committing a file to the locked state 32, 53 modifying a default retention period 37
lock a file 32 modifying a maximum retention period 38
command modifying a minimum retention period 37
ATTRIB 32 transition between states 17
chmod 31 FLR API
fs_ckpt 43 committing a file to the locked state 53
touch 29 Force option 43, 45
committing a file to the locked state fs_ckpt command 43
CIFS 32, 53 function
NFS 31, 53 SetFileAttributes 32
Common AntiVirus Agent 11 SetFileTime 30
copying files to an FLR file system 19, 44
creating FLR system 25
L
D last access time See LAT 17
LAT (last access time) 17
deleting lock a file
an FLR file system 44 CIFS 32, 53
expired file 33 NFS 31, 53
locked file 54 locked state, verifying 32
E M
EMC E-Lab Navigator 48 messages, error 48
error messages 48 modifying a default retention period 37