PowerShell: DataOnTAP and SID Conversions

This morning while standing up a new vScan A/V server I wanted to look up our McAfee service account.  I knew the account would be a domain account, and I knew it would be a member of the backup operators group on the filer.  With that in mind I ran the following.

[0:4]> Get-NaDomainUser -Group "Backup Operators"

SID
---
S-1-5-21-XXXXXXXX-XXXXXXXXX-XXXXXXXXX-112477
S-1-5-21-XXXXXXXX-XXXXXXXXX-XXXXXXXXX-111419
S-1-5-21-XXXXXXXX-XXXXXXXXX-XXXXXXXXX-146727

Well that’s rather useless… Unfortunately, the OnTAP API doesn’t provide a means to convert a SID to an NTAccount.  This is normally accomplished via the “cifs lookup” command on the Ontap CLI, but that doesn’t help us much from the toolkit.  Fortunately .Net provides a native means to perform this conversion.  This isn’t new to anyone who has been following PowerShell for a while (/\/\o\/\/ first posted these functions way back in the Monad days), but that doesn’t make them any less useful!

# Translate a SID string (e.g. S-1-5-21-...) into a domain\account name.
Function ConvertTo-NTAccount
{
    Param(
        [Parameter(Mandatory=$true,
            HelpMessage="Enter the Sid to translate",
            ValueFromPipeline=$true,
            ValueFromPipelineByPropertyName=$true
        )]
        [string]
        $SID
    )
    Process {
        # Accepts a string from the pipeline or any object with a SID property
        $SIDObject = New-Object System.Security.Principal.SecurityIdentifier($SID)
        Write-Output $SIDObject.Translate([System.Security.Principal.NTAccount])
    }
}

# Translate a domain\account name into its SID.
Function ConvertTo-SID
{
    Param(
        [Parameter(Mandatory=$true,
            HelpMessage="Enter the NTAccount to translate in the form of domain\account",
            ValueFromPipeline=$true,
            ValueFromPipelineByPropertyName=$true
        )]
        [string]
        $NTAccount
    )
    Process {
        $NTAccountObject = New-Object System.Security.Principal.NTAccount($NTAccount)
        Write-Output $NTAccountObject.Translate([System.Security.Principal.SecurityIdentifier])
    }
}

Armed with my trusty functions, let's try this again!
[0:15]> Get-NaDomainUser -Group "Backup Operators" | ConvertTo-NTAccount

Value
-----
GetAdmin\svcAV
GetAdmin\svcBackup
GetAdmin\svcMNV

Now that’s more like it!  This is what I love about PowerShell.  In the past I would have had to push back on my sales rep, who would have in turn pushed back on the development team.  Fast forward a year, and maybe I would have a workaround.  Or I would have had to try and glue a couple of third-party exes together (yuck). With PowerShell, if I don’t like something I simply extend it in script.  No development, nothing complicated, just a couple of lines of PowerShell.  Best of all I can then provide this to the vendor as a concrete example of what I want in the next release (hint hint NetApp, cifs lookup needs to be in the SDK!)

It really is just great stuff.
~Glenn
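
When a SID cannot be translated (a deleted account, for example), Translate raises IdentityNotMappedException and the functions above produce an error instead of a row, so the output no longer shows which group member was skipped. The following is an added example, not code from the original post or from NetApp's toolkit: a variant that returns every SID with a status. The name Resolve-SidSafely and the sample SIDs are constructed for illustration, and [pscustomobject] assumes PowerShell 3.0 or later.

```powershell
# Added example: resolve SIDs and keep a row for every input, resolved or not.
# Resolve-SidSafely is a hypothetical helper name, not part of any toolkit.
function Resolve-SidSafely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [string]$SID
    )
    process {
        $result = [pscustomobject]@{ SID = $SID; Account = $null; Status = 'Resolved' }
        try {
            $sidObject = New-Object System.Security.Principal.SecurityIdentifier($SID)
            $result.Account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # PowerShell may wrap the .NET exception, so inspect the root cause.
            $cause = $_.Exception.GetBaseException()
            if ($cause -is [System.Security.Principal.IdentityNotMappedException]) {
                $result.Status = 'Unmapped'      # SID is valid but no account answers to it
            }
            elseif ($cause -is [System.ArgumentException]) {
                $result.Status = 'InvalidSid'    # string is not a well-formed SID
            }
            else { throw }                       # anything else is unexpected: surface it
        }
        $result
    }
}

# Constructed sample input (not taken from a real filer or domain)
$sampleSids = @(
    'S-1-5-32-551',                                     # well-known BUILTIN\Backup Operators
    'S-1-5-18',                                         # well-known Local System
    'S-1-5-21-1111111111-2222222222-3333333333-4444',   # constructed domain-style SID
    'not-a-sid'                                         # malformed on purpose
)

$report = $sampleSids | Resolve-SidSafely
$report | Format-Table -AutoSize

# Members of a privileged group that need a manual follow-up
$report | Where-Object { $_.Status -ne 'Resolved' }
```

Because the parameter also binds by property name, the same function can sit at the end of the Get-NaDomainUser -Group "Backup Operators" pipeline shown in the post.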

PoshOnTap: Manage NetApp SAN from PowerShell Demo

Well it’s the night before VMworld, and I can’t sleep, so I’m catching up on my blog.  A while back I did a presentation to the PowerShell Virtual Users Group.  I demoed my PoshOnTap PowerShell module; a lot has changed since that presentation.  Mainly I have a new version, but I’m still in the process of trying to get the nod from NetApp.  So in the meantime, if you wished you could manage a NetApp SAN from PowerShell, go check it out; I have the first 30 minutes.  http://marcoshaw.blogspot.com/2009/08/windows-powershell-virtual-user-group.html

With a little luck I’ll get the nod to redistribute the manageontap C# assemblies, and I’ll post Version 2 of my PoshOnTap module!

~Glenn

Really NetApp?!? You didn’t use your own SDK?

So, this post irked me. Not because of the poster or his post (honest Andy, if you ever read this, I have nothing against you or your post! I’m happy to see another VMware/NetApp blogger!), but because of the script he referenced and the problem encountered. He has a good solution, but the problem shouldn’t exist.

You see, I hate RSH. I don’t know why (well, it is quite insecure, and it can require some configuration), but I hate it. SSH is only marginally better in this case…sure it’s secure, but you have to auth each time, and if you don’t (ssh keys), well, it’s only a little better than RSH (comms are encrypted, but compromise of a single account can lead to bad things on many hosts). The script that is referenced, one that NetApp recommends that admins use to verify that their aggregates have enough free space to hold the metadata for the volumes in OnTAP 7.3 (the metadata gets moved from the volumes to the aggregate in 7.3), uses RSH to execute commands that are then parsed in a somewhat rudimentary way to get information.

Sure, it’s effective, but it’s far from graceful…especially when you have a perfectly good and effective SDK at your disposal.

I was kind of bored, so I decided to rewrite the script using the SDK. This is the end result. It reports the same data, but uses the SDK to gather all of the necessary information to make a determination for the user. The new script is significantly shorter (10KB vs 25KB, 380 lines vs 980), and it requires only one login.

Thanks to NetApp for providing their SDK, and I hope that no one over there minds me refactoring…

Perl OnTAP SDK: Realtime Multiprotocol Volume Latency

Update 2009-07-21: With some help from Steffen, a bug was found where the script wasn’t returning any values in the result hash when the toaster didn’t return values for certain queries. This caused Perl to print errors when it was trying to do math on non-existent values. Starting at line 273, the script has been updated so that the hash returned by the subroutine that does the ZAPI query has default values of zero, which should eliminate the errors seen by Steffen. Please let me know of any other problems encountered! (and thanks to Steffen for finding this bug!)


My previous post only prints NFS latency for the NetApp as a whole; it doesn’t give any information about a specific volume. Some of my ESX hosts use iSCSI for their datastores, and because the NetApp has many iSCSI clients, looking at iSCSI stats for the filer as a whole didn’t help me very much.

The solution was this script. It is a significantly modified version of the previous script that is capable of showing the realtime latency for all protocols: NFS, CIFS, SAN (which I believe is all block level ops summarized), FCP and iSCSI. It also displays the three different types of operations for each protocol: read, write, and other.

The script, if invoked with nothing more than the connection information, will display the read, write, and “other” latency and operations for the total of all protocols. There is a fourth column as well, which shows the average latency and total operations across all operation types (r/w/o).

This script has proven quite beneficial for me. By monitoring CIFS latency during peak hours on the volume that contains shares for profiles, I have proven that the reason logins can take a significant amount of time is due to the use of high capacity, but very slow, SATA disks and not the network or desktops themselves. I’ve also been able to prove that one of our iSCSI volumes was “slow” due to bandwidth, and not spindle count (interestingly, the problem with this volume is the I/O request size…the app makes large requests which chokes bandwidth before available IOP/s runs out).

The OnTAP SDK is quite powerful; Glenn and I are quickly discovering that anything possible in FilerView and/or DFM/OpsMgr is doable through the SDK.

10th Powershell virtual usergroup announced

UPDATE: Due to a scheduling conflict the meeting has been moved to Thursday May 7th, 2009 at 8:00PM EST (lucky number 7 should be a good meeting)

Marco announced yesterday that the 10th PowerShell Virtual User Group will be held on Thursday April 30th, 2009 at 8:00PM EST.  On the schedule will be Bart De Smet (Microsoft), Sergei Anotonov (Microsoft), and yours truly!

I will be presenting Managing NetApp via Powershell, and plan on covering the OnTap SDK as well as my own PoshOnTap V2 module.

All the details can be found here

See you there
~Glenn

Powershell: Passthru Authentication with OnTap SDK 3.5

This morning I decided to play with the passthru authentication via RPC that the SDK provides, and boy is it easy! To utilize passthru authentication, you first need to *install* a DLL. Assuming the SDK is saved to C:\

x86
copy "C:\manage-ontap-sdk-3.5\lib\nt\ntapadmin.dll" %windir%\System32\ntapadmin.dll
x64
copy "C:\manage-ontap-sdk-3.5\lib\nt\x64\ntapadmin.dll" %windir%\System32\ntapadmin.dll
copy "C:\manage-ontap-sdk-3.5\lib\nt\ntapadmin.dll" %windir%\SysWOW64\ntapadmin.dll
ia64
copy "C:\manage-ontap-sdk-3.5\lib\nt\ia64\ntapadmin.dll" %windir%\System32\ntapadmin.dll
copy "C:\manage-ontap-sdk-3.5\lib\nt\ntapadmin.dll" %windir%\SysWOW64\ntapadmin.dll

Now that the appropriate DLL is *installed*, connecting to a Filer is as simple as specifying the style as RPC.

#Load the SDK
[void][Reflection.Assembly]::LoadFile('C:\manage-ontap-sdk-3.5\lib\DotNet\ManageOntap.dll')
# Instantiate a new NaServer object specifying our destination filer as 'NetApp', and using OnTAPI 1.0
$NaServer = New-Object Netapp.Manage.NaServer("NetApp",1,0)
#Set the connection style to RPC
$NaServer.Style = "RPC"
#Create our request in this case 'system-get-version'
$NAElement = New-Object NetApp.Manage.NaElement("system-get-version")
#Get the results
$NaServer.InvokeElem($NAElement).GetChildContent("version")
NetApp Release 7.2.5.1: Wed Jun 25 09:03:07 PDT 2008

Similar procedures will enable the SSL/encryption capabilities within the SDK, only using the ssleay32.dll (SSL)/libeay32.dll (encryption). I’m not yet sure what the zephyr (ZAPI) assemblies do, but hey, I’m just an admin living in a dev's world.

Enjoy
~Glenn

OnTap SDK: Report all Shares and Exports on mixed volumes

This challenge was also thrown down by LucD; he asked for a list of mixed vols and any NFS exports/Cifs shares off the volume.  Well, this was a fairly straightforward process. First I would need every NFS export, followed shortly by any Cifs shares.   While I could have used my “cli-cheat” for the Cifs shares, I decided to write a function using the proper ZAPI calls.  Finally the volumes… well maybe not, security style is assigned on a Qtree level, so I called an audible…  This script uses my Get-NaCifs and Get-NaNFSExport scripts, which can be found on poshcode.org.

OnTap SDK: Get all Cifs shares with permissions

Task: Get a list of all Cifs shares on a filer, and their permissions.

I’m going to cheat a bit and just say that I spent two days searching through the API for this, before I realized that Filerview was echoing out the output from ‘cifs shares’… This changes the task slightly: the end goal is still the same, but the method will be via the CLI. I used the same discovery functions as before. Good thing I wrote them, because the API I needed is undocumented!

Powershell Reflection OnTap Style

I’ve come to love PowerShell’s ability to perform reflection on any given object (i.e. Get-Member). The way the OnTap SDK was implemented does not support reflection… directly. The problem is the SDK consists of two classes that are able to interact with the ZAPI interfaces. Basically NaServer holds everything needed to connect->execute->return results. Likewise the NaElement knows how to take input, and format that input into a valid XML request for ZAPI. NaElement also has all the logic needed to navigate, and use the information returned by a request. So what does that mean to us? Neither object has any knowledge of the actual API! This utterly kills the ability to “feel out” a given object. I can’t (new-object something|gm) till I find what I’m looking for, and I wanted that ability.

That small capability is almost a deal breaker for me. I’ve spent hours upon hours with the API on one monitor, and PowerShell on the other… it’s not fun! I sent out an open call during my last post, and was quickly taken up on it. As I sat down last night and started digging through the API yet again, I decided enough was enough… I sat down and wrote a couple of functions that more or less allow me to perform a primitive version of reflection. More accurately, I can search the API reference right there from my console. I was so pleased with the outcome I decided to post a quick how-to.

NetApp OnTap SDK 3.5 released with .net support(AKA PowerShell Support)!

Late last night I stumbled upon this post in the NetApp Technology Network (NTN) announcing version 3.5 of the Manage OnTap SDK… My first reaction was that OnTap 7.3.1 might be getting closer to GA, seeing as they finalized the API.  I downloaded the new bits, and was reading through the documentation when I noticed the following:

Supports multiple language interfaces –  C/C++, C#, VB.NET, Java, and Perl

Well that pretty much made my whole PoshOnTap module irrelevant… but it’s still a great source for examples using the SDK.   Speaking of, how about a quick intro to the SDK…
