1

I've got a requirement to use vfilers and ipspaces to segregate network traffic to a NetApp filer in a multi-tenancy environment.

Unfortunately, most of it has already been implemented and designed, so we're investigating how to retrofit this.

Our initial model had vfilers with 3 interfaces - management, backup and 'data'. Multiple vfilers would all use management and backup, but they'd have their own dedicated 'data' vlan and subnet, which would then be presented into the different network segments as appropriate.

The advantage of ipspaces is it segregates interfaces, such that each logical interface can only belong to one ipspace. This means we can't have common management and backup on each of the vfilers any more. (At least, not without doing some somewhat nasty things like multiple vlans within the same subnet)

I think we've figured out how to deal with the backups, in that we can use the base filer to do snapvaults (and thus can remove the need for the 'backup' interface).

However what I'm stumbling on now is the 'vol0' export - we mount vol0 from all the vfilers on a management host, and we also mount some of the home drive structure, so we can create qtrees and set initial ownership and skeleton files, because we don't want to give out root access.

I suspect the answer will be "You can't" but on the off chance - is anyone able to tell me if there's a way to export vfiler vol0 (and assigned vfiler volumes) from the base vfiler0, in a different IP space?

1
  • You should start tagging these as "storage" :) I missed it until just now.
    – Basil
    Commented Oct 11, 2014 at 16:12

2 Answers

1

The safest way to modify the etc for any filer is, of course, an NFS or CIFS admin share. If that's not an option, the wrfile option isn't a good idea - it has, in the past, completely mangled a file we were trying to write. I've seen it do this from PuTTY, having just pasted, as well as through ssh with an input redirect in Unix. The safest way to modify vFiler system files without network access to the /etc$ share is ndmpcopy.

First, do an ndmpcopy from the vFiler root volume to a volume you have access to:

    ndmpcopy /vol/vf_vol0/etc/hosts /vol/management/etc/

Next, edit the file in the management volume the same way you would edit any other file.

Once the hosts file looks the way you want, ndmpcopy it back:

    ndmpcopy /vol/management/etc/hosts /vol/vf_vol0/etc/

2
  • Likewise - wrfile is an excellent way of clobbering things. I hadn't thought of the NDMP copy approach - but we do more or less do this with a 'filer admin' NFS share (contains scripts, source files etc). So actually, maintaining a 'primary' copy of key files, and pushing them into place with NDMP copy seems very sensible.
    – Sobrique
    Commented Oct 13, 2014 at 9:03
  • You can also use ndmpcopy to grab data from snapshots, so if you ever did clobber something like your /etc/snapmirror.conf, you could ndmpcopy it from a snapshot to the /etc directory.
    – Basil
    Commented Oct 13, 2014 at 15:39
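
An added example, not part of the original answer or its comments: a shell wrapper for the copy-out, edit, copy-back procedure above that refuses to push a staged hosts file which is empty, cut off mid-line or malformed. The function names, the NDMP_FILER_HOST variable and reaching the filer CLI over ssh are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example: validate a staged hosts file before ndmpcopy pushes it back.
# Assumptions: function names, NDMP_FILER_HOST, and an ssh-reachable filer CLI.

# validate_hosts FILE: succeed only if FILE looks like an intact hosts file.
validate_hosts() {
    f=$1
    [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
    # A write that was cut short usually ends mid-line, without a final newline.
    [ -z "$(tail -c 1 "$f")" ] || { echo "no trailing newline: $f" >&2; return 1; }
    awk '
        $0 ~ /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        NF < 2 { bad = 1; print "line " NR ": needs address and hostname"; next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 !~ /:/ {
            bad = 1; print "line " NR ": bad address " $1 }
        END { exit bad + 0 }
    ' "$f" >&2
}

# push_hosts LOCAL_PATH FILER_PATH TARGET_DIR
#   LOCAL_PATH  staged file as seen from the admin host (NFS mount)
#   FILER_PATH  the same file as the filer sees it
#   TARGET_DIR  the vFiler etc directory on the filer
# Prints the ndmpcopy command (dry run) unless NDMP_FILER_HOST is set.
push_hosts() {
    validate_hosts "$1" || { echo "refusing to push $2" >&2; return 1; }
    cmd="ndmpcopy $2 $3"
    if [ -n "${NDMP_FILER_HOST:-}" ]; then
        ssh "$NDMP_FILER_HOST" "$cmd"
    else
        echo "$cmd"
    fi
}

# Constructed sample data: one intact file and one cut off mid-line.
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n10.1.2.3 vf1-mgmt\n' > "$demo/good"
printf '127.0.0.1 localhost\n10.1.2' > "$demo/mangled"
push_hosts "$demo/good" /vol/management/etc/hosts /vol/vf_vol0/etc/
push_hosts "$demo/mangled" /vol/management/etc/hosts /vol/vf_vol0/etc/ \
    || echo "mangled copy rejected"
rm -rf "$demo"
```

With NDMP_FILER_HOST unset the script only prints the ndmpcopy command it would run, so the checks can be tried without touching a filer.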
1

With some more research the answer is: You can't. The NFS server instance in a vfiler tracks things like open files, locks, etc. Doing two pointed at the same source volume won't - and can't - work.

Workarounds are:

  • use vfiler run vfilername rdfile /vol/vf_vol0/etc/hosts to access files. wrfile will let you write files, but be warned - it's not very user friendly. As soon as you run it, it'll clobber what you were writing, so read the manpage.

  • NFS mount across firewalls.

The whole purpose of ipspaces is isolation, so it's working as designed.

6
  • 1
    Sobrique, thanks for coming and posting the results of your research; +1 from me. If you don't know about the NetApp administrators' mailing list, it may also be of use to you. Disclaimer: I run the list.
    – MadHatter
    Commented Oct 10, 2014 at 11:05
  • Looked at the list before - somewhat ironically, the 'subscribe' link falls foul of some corporate filtering, which is why I've not signed up (by the time I've got home, I've forgotten entirely).
    – Sobrique
    Commented Oct 10, 2014 at 11:49
  • You can also subscribe by email, to [email protected] (it's a bog-standard mailman list in that respect).
    – MadHatter
    Commented Oct 10, 2014 at 11:53
  • (Ack, helps if I spell 'subscribe' right :))
    – Sobrique
    Commented Oct 10, 2014 at 12:06
  • Actually, I think it probably helps if I start off by spelling it correctly. For anyone who comes later, that's [email protected] , not the botched erratum that appears above (too late to edit). Sorry about all this!
    – MadHatter
    Commented Oct 10, 2014 at 12:35
