How to: FPolicy Registration - NetApp 7-Mode

Summary

NSS uses a proprietary interface when delivering quota functionality on NetApp systems. This interface is used to streamline quota monitoring, to allow for fail-open locking of hard quotas and for file blocking functionality. The API used is a NetApp technology called FPolicy.

In order to establish this interface and begin receiving FPolicy notifications, NSS must register with FPolicy on the filer. Note that this registration is only necessary for quota operations; it is not used for reporting purposes. Also, in the case of physical filers the registration should be made with that physical filer; for vfilers it is necessary to register with the vfiler itself.

This article describes how the registration channel is established, maintained, and used. It also details a procedure to create the necessary account on the NetApp filer with the right capabilities and to verify that the FPolicy object is successfully created.

A basic knowledge of the NetApp administrative command line is required. Further details are available in the official Data ONTAP administrator guide.

Using FPolicy

In order to understand when the FPolicy API is used, and why, it is useful to gather some background on the interfaces NSS uses when managing NetApp devices. (Additional information is available in KB - 3042.) NSS uses three APIs to communicate with a NetApp filer:

  • CIFS
    The NSS services need to access the CIFS shares where quotas or reports are applied. Using CIFS, NSS has the amount of access to the filer that is granted to the user account running the NSS Core Service and NSS Quota Service. When run under Administrator groups, both services will claim Backup rights for scanning operations.
  • RPC
    The RPC protocol is used by the Quota Server component of NSS to retrieve and answer FPolicy requests.
    By default, FPolicy requests are sent to a named pipe called ntapfprq for Quota Server to process. Quota Server then completes the FPolicy request by answering on the pipe ntapfpcp.
  • HTTP/HTTPS
    The channel is used for the management of the FPolicy connection.
    Note: NSS can use HTTP or HTTPS for FPolicy registration in the case of physical filers, and HTTP only for vfilers. NetApp does not support the use of SSL on vfilers, hence HTTPS for vfiler registration is not available. If HTTPS is a requirement and vfilers are used, a dedicated physical network (VLAN) should be used so that the unencrypted registration protocol is carried over a secure physical channel.

THE FPOLICY COMMANDS USED
NSS uses “fpolicy-*” APIs from the Quota Server service to the filer. The commands executed are primarily used to create and update the NSS FPolicy registration. They are executed under the account specified in the NetApp connection settings in NSS Quota Server, not using the Quota Server service account itself. The actual FPolicy commands used are as follows:
- fpolicy-list-info
- fpolicy-create-policy
- fpolicy-volume-list-set
- fpolicy-volumes-list-info
Additionally, NSS uses the 'system-get-version' API to get the vfiler API version.
Northern requires that this account have the login-* and api-* capabilities in order to use the previous commands. Also, SSL connections must be enabled on the NetApp filer if HTTPS is to be used.

CREATING THE FPOLICY OBJECT
NSS will use the HTTP or HTTPS configuration to connect to NetApp and create the required FPolicy object, assuming one does not already exist. The FPolicy name contains 'NorthernPolicy' and ends with the name of the managing NSS host (for example NorthernPolicyNSS-SRV). NSS will only connect to, or create, the FPolicy if there are locked quotas or file blocking policies in place. It will not disconnect from, or delete, the FPolicy if the locked quotas are unlocked. NSS may disconnect from the FPolicy and reconnect in cases where it does not need to receive specific notifications.

MULTIPLE NETAPP CONNECTIONS (VIRTUAL OR PHYSICAL FILERS)
The Quota Server service can be configured to contact, and be registered with, several filers at the same time, but only a single account can be specified for all of them.

Consequently, an identical procedure must be repeated on all filers, in order to create an identical account with the same capabilities.

To switch to a vfiler environment, use the 'vfiler context' command. To list all available vfilers, run the 'vfiler status' command.

Registration: Step-by-Step

Northern strongly recommends verifying the prerequisites and following the procedure below for correct testing and validation.

When a connection to the filer is required, log in over SSH with the root or an equivalent account. The SSH client PuTTY is used in this article; this third-party tool is available as a free download.

1. Enable FPolicy on each filer/vfiler
Connect to each NetApp filer with administrative privileges. Check whether FPolicy is enabled (in the case of vfilers, check the option in each vfiler context that hosts CIFS servers to be managed).

For Physical Filer(s)
To enable FPolicy on a physical filer:
options fpolicy.enable on

To check if FPolicy is enabled on a physical filer:
options fpolicy.enable

For vFiler(s)
To get the list of vfilers hosted in the physical filer:
vfiler status

Example:
netapp821-7m> vfiler status
vfiler0                          running
vfiler1                          running

(Ignore the name vfiler0 which is the default name given to the physical filer)

To enable FPolicy for a specific vfiler:
vfiler run vfilername options fpolicy.enable on

Example:
vfiler run vfiler1 options fpolicy.enable on
===== vfiler1
Tue Sep 1 11:34:51 CEST [vfiler1@netapp821-7m:fpolicy.enable:info]: FPOLICY: The file policy feature has been enabled.

To check if FPolicy is enabled for a specific vfiler:
vfiler run vfilername options fpolicy.enable

Example:
netapp821-7m> vfiler run vfiler1 options fpolicy.enable
===== vfiler1 fpolicy.enable on

2. Verify if the SSL protocol is enabled
This option can only be set if all filers to be managed are physical: SSL is not implemented (by NetApp) in a vfiler context. If one or more vfilers will be managed, an HTTP connection must be used and this step should be skipped; unencrypted communication must be enabled instead (step 3).

For Physical Filer(s)
Ensure that the administrative connection through HTTPS is enabled on each Physical Filer. Run the following command in the physical filer context:
options httpd.admin.ssl.enable on

To check if the option has been applied:
options httpd.admin.ssl.enable

3. Enable connection with the Data ONTAP 7-Mode system (not using SSL)
This step is mandatory if one or more vfilers will be managed (HTTP will be used for the NSS-to-filer connection). It is not necessary if only physical filers will be managed (HTTPS will be used for the NSS-to-filer connection).

For Physical Filer(s)
Ensure that the administrative connection through HTTP is enabled on each Physical Filer.

Run the following command in the physical filer context:
options httpd.admin.enable on

To check if the option has been applied:
options httpd.admin.enable

For vFiler(s)
For vFilers it is necessary to enable the administrative connection through HTTP on each Physical Filer AND on each vFiler.

Run the following command in the physical filer context:
options httpd.admin.enable on

To check if the option has been applied:
options httpd.admin.enable

Run the following command in the physical filer context for each vfiler to be managed by NSS:
vfiler run vfilername options httpd.admin.enable on

To check if the option has been applied:
vfiler run vfilername options httpd.admin.enable
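Steps 1 to 3 have to be repeated on every physical filer and every vfiler, and the checks are easy to lose track of across several contexts. The script below is an added example, not part of this Northern KB article: it is an offline checker that reads a capture of the 'options fpolicy.enable', 'options httpd.admin.enable', 'options httpd.admin.ssl.enable' and matching 'vfiler run ... options ...' output and lists which contexts still have a required option off. The sample capture embedded in the script is constructed for the example, in the two output shapes shown above (the two-line '===== vfiler1' form and the single-line '===== vfiler1 fpolicy.enable on' form); the physical filer is reported under its default name vfiler0, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Northern KB): offline checker for the
# options required by steps 1-3. Paste the captured CLI output into
# SAMPLE_CAPTURE (or read it from a file) and run missing_prereqs.

# Constructed sample capture. The physical filer (vfiler0) answers the
# plain `options` form; vfiler output is prefixed by "===== <name>",
# either on its own line or on the same line as the option.
SAMPLE_CAPTURE='fpolicy.enable               on
httpd.admin.enable           on
httpd.admin.ssl.enable       off
===== vfiler1
fpolicy.enable               on
===== vfiler1
httpd.admin.enable           off
===== vfiler2 fpolicy.enable off
===== vfiler2 httpd.admin.enable on'

# Normalize the capture on stdin into "context option value" triples.
# A "=====" line switches the current context; an option line is
# "name value" where the name is a dotted lowercase option name.
parse_options() {
  awk -v ctx=vfiler0 '
    /^=====/ {
      ctx = $2
      if (NF >= 4) print ctx, $3, $4   # single-line form
      next
    }
    NF == 2 && $1 ~ /^[a-z][a-z0-9.]*$/ { print ctx, $1, $2 }
  '
}

# option_value CAPTURE CONTEXT OPTION -> prints the value, or "unset"
# when the option was not captured for that context.
option_value() {
  printf '%s\n' "$1" | parse_options |
    awk -v c="$2" -v o="$3" '
      $1 == c && $2 == o { print $3; found = 1; exit }
      END { if (!found) print "unset" }
    '
}

# missing_prereqs CAPTURE MODE CONTEXT... -> one "context option" line
# per required option that is not "on". MODE is "https" (only physical
# filers managed: httpd.admin.ssl.enable must be on in vfiler0) or
# "http" (one or more vfilers managed: httpd.admin.enable must be on
# in vfiler0 and in every vfiler). fpolicy.enable is required everywhere.
missing_prereqs() {
  capture=$1; mode=$2; shift 2
  for ctx in "$@"; do
    [ "$(option_value "$capture" "$ctx" fpolicy.enable)" = on ] ||
      echo "$ctx fpolicy.enable"
    if [ "$mode" = https ] && [ "$ctx" = vfiler0 ]; then
      [ "$(option_value "$capture" "$ctx" httpd.admin.ssl.enable)" = on ] ||
        echo "$ctx httpd.admin.ssl.enable"
    elif [ "$mode" = http ]; then
      [ "$(option_value "$capture" "$ctx" httpd.admin.enable)" = on ] ||
        echo "$ctx httpd.admin.enable"
    fi
  done
}

# Example run: vfilers are present, so HTTP mode applies to all contexts.
missing_prereqs "$SAMPLE_CAPTURE" http vfiler0 vfiler1 vfiler2
```

With the constructed capture the run reports 'vfiler1 httpd.admin.enable' and 'vfiler2 fpolicy.enable', which is exactly the list of 'vfiler run ... options ... on' commands still to be issued before moving on to step 4. To use it against a real filer, redirect the output of the commands from steps 1 to 3 into a file and pass its contents as the first argument.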

4. Add the NetApp account and assign the correct FPolicy capabilities
The names used here are not mandatory. Different names can be used for the role, group and user, according to existing policies.

Create a role (e.g. nssrole) and give it the login-* and api-* capabilities, as previously described:
useradmin role add nssrole -a login-*,api-*

Create a group (e.g. nssgroup) and assign it the previous role:
useradmin group add nssgroup -r nssrole

Create a user (e.g. nssuser) and assign it to the previous group as its primary group:
useradmin user add nssuser -g nssgroup

Note: in this procedure a local NetApp account is created. A domain account can also be used. In this case, please refer to the right syntax "useradmin domainuser ..." for further details.

As previously noted, if the NetApp filer has the Multifiler extension enabled, all vfilers must be considered, not the physical host. All steps must be completed for each vfiler, because vfilers are independent of, and not connected to, their NetApp host. Create the same account in all vfiler contexts. NSS can connect to many NetApp vfilers at the same time, but it uses a common account for all of them.

5. Verify if the Quota Server service account belongs to the NetApp 'Administrators' group
The domain account specified for the Quota Server service only needs to contact the remote file system to refresh the quota usage, at a low frequency, so strictly speaking it needs only backup privileges.

If policy restricts membership of the Administrators group, adapt the following procedure to your needs and use the appropriate group for the account (e.g. Backup Operators).
useradmin domainuser list -g Administrators

Note: 'domainuser list' is used to list all of the SIDs in a group. To find what username a SID represents, use the cifs lookup command.

cifs lookup domain\name
where domain\name is the account used.

In this example, the correct syntax should be:
cifs lookup NORTHERN-DEMO\NSSServiceAccount

Check if the SID is contained in the list given by the previous command.

6. Choose the right protocol in the NSS configuration
If only physical filers are present, ensure that the 'HTTPS' protocol is selected as the Connection Type in the Quota Server client (Quota Servers > NetApp Settings).

If one or more vfilers will be managed, ensure that the 'HTTP' protocol is selected as the Connection Type in the Quota Server client (Quota Servers > NetApp Settings).

Example 1:
Physical NetApp filers, using the HTTPS protocol, and a local NetApp account previously created identically on each filer.

Example 2:
Multiple virtual filers, using HTTP (the only possibility, in this case) and a domain account.

Confirm Results

Create an Object quota and assign a locking action to a threshold. Suggested value: 'Lock dir'.

Copy files into the folder so that the quota threshold is exceeded. Use a network client for the copy action.

The first file that crosses the threshold triggers the associated action but is still allowed to be saved. A subsequent file must be blocked.

Log in to the NetApp filer and check that the FPolicy server object has been created and registered by typing fpolicy.

Further details are contained in the /etc/messages file on the physical NetApp filer, and in the ncl_trace_QSServer.txt file in the 'Trace Files' NSS folder.

For advanced troubleshooting, please contact the Technical Support team at Northern (support@northern.net).

ADDITIONAL RESOURCES

  • KB1753 Specific Error: Failed to get Netapp api version for filer
  • KB Article: 1762

Updated: 11/4/2015

Category: Usage

Affected versions:
  • Northern Storage Suite 8.27
  • Northern Storage Suite 8.7
  • NSS 9.0
  • NSS 9.5
  • NSS 9.6
