This procedure demonstrates how to create a vfiler containing Snaplock compliance volumes.

First we want to create a new interface group using interfaces e0e and e0f

FILER02P> ifgrp create compIFGRP e0e e0f
FILER02P> Fri Mar 11 04:11:58 EST [FILER02P:pvif.switchLink:warning]: compIFGRP: switching to e0e

FILER02P> ifgrp status
compIFGRP: 1 link, transmit 'IP Load balancing', Ifgrp Type 'multi_mode' fail 'default'
         Ifgrp Status   Up      Addr_set
        up:
        e0e: state up, since 11Mar2016 04:11:58 (00:00:12)
                mediatype: auto-1000t-fd-up
                flags: enabled
                input packets 7, input bytes 1009
                output packets 0, output bytes 0
                up indications 1, broken indications 0
                drops (if) 0, drops (link) 0
                indication: up at 11Mar2016 04:11:58
                        consecutive 12, transitions 1
        pending:
        e0f: state pending, since 11Mar2016 04:11:58 (00:00:12)
                mediatype: auto-unknown-down
                flags: enabling
                input packets 0, input bytes 0
                output packets 0, output bytes 0
                up indications 0, broken indications 0
                drops (if) 0, drops (link) 0
                indication: down at 11Mar2016 04:11:58
                        consecutive 0, transitions 0

Now, create a unique IP space using the interface group just created

FILER02P> ipspace create compIPSpace
Ipspace "compIPSpace" created
Fri Mar 11 04:13:39 EST [FILER02P:ip.drd.ipspace:warning]: The routing daemon (routed) is being turned off because more than one IP space was created. The routing daemon is not supported with multiple IP spaces.
FILER02P>
FILER02P> ipspace assign compIPSpace compIFGRP

FILER02P> ipspace list
Number of ipspaces configured: 2
default-ipspace                   (e0b e0d e0M losk IFGRP1)
compIPSpace                      (compIFGRP)

We need to create a small volume for the vfiler root configuration files. This cannot be on a compliance volume as the vfiler needs to be able to write to it.

vol create comp-root aggr0 10g

Now we can create the vfiler using this volume

vfiler create comp-vfiler -s compIPSpace -i 192.168.0.20 /vol/comp-root

There'll be various prompts to respond to (something along the lines of the following):

Fri May  6 08:33:47 EDT [FILER01P:httpd.config.mime.missing:warning]: /etc/httpd.mimetypes.sample file is missing.
Fri May  6 08:33:47 EDT [comp_worm_vfiler@FILER01P:httpd.config.mime.missing:warning]: /etc/httpd.mimetypes file is missing.
Fri May  6 08:33:47 EDT [comp_worm_vfiler@FILER01P:httpd.config.mime.missing:warning]: /etc/httpd.mimetypes.sample file is missing.
Fri May  6 08:33:47 EDT [comp_worm_vfiler@FILER01P:useradmin.added.deleted:info]: The role 'compliance' has been added.
Fri May  6 08:33:48 EDT [comp_worm_vfiler@FILER01P:export.file.missing:warning]: Could not open '/etc/exports' for reading.
The etc configuration directory for vfiler "comp_worm_vfiler" is /vol/comp_worm_root/etc.

Setting up vfiler comp_worm_vfiler
Fri May  6 08:33:48 EDT [comp_worm_vfiler@FILER01P:cmds.vfiler.info:notice]: vFiler unit comp_worm_vfiler initialized.
Configure vfiler IP address 10.1.60.36? [y]:
Interface to assign this address to {e0b, e0d, e0M, IFGRP1}:
Please enter a valid interface name or type Control - C (^C)
Interface to assign this address to {e0b, e0d, e0M, IFGRP1}: IFGRP1
Netmask to use: [255.255.255.0]:
         The administration host is given root access to the filer's
        /etc files for system administration.  To allow /etc root access
        to all NFS clients enter RETURN below.
Please enter the name or IP address of the administration host: 10.1.60.33
Do you want to run DNS resolver? [n]: y
Please enter DNS domain name []: us.icaFri May  6 08:34:38 EDT [comp_worm_vfiler@FILER01P:nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.
p.com
You may enter up to 3 nameservers
Please enter the IP address for first nameserver []: 10.1.59.11
Do you want another nameserver? [n]: y
Please enter the IP address for alternate nameserver []: 10.1.24.104
Do you want another nameserver? [n]: y
Please enter the IP address for alternate nameserver []: 10.10.48.99
Do you want to run NIS client? [n]:
IFGRP1: flags=0x20f4c863<UP,BROADCAST,RUNNING,MULTICAST,TCPCKSUM> mtu 1500
        inet 10.1.60.33 netmask 0xffffff00 broadcast 10.1.60.255
        partner IFGRP1 (not in use)
        ether 02:a0:98:57:94:2e (Enabled interface groups)
Default password for root on vfiler comp_worm_vfiler is "".
New password:Fri May  6 08:35:36 EDT [comp_worm_vfiler@FILER01P:useradmin.added.deleted:info]: The user 'root' has been added.

Retype new password:Fri May  6 08:35:51 EDT [comp_worm_vfiler@FILER01P:nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.

Fri May  6 08:35:53 EDT [comp_worm_vfiler@FILER01P:passwd.changed:info]: passwd for user 'root' changed.
Do you want to setup CIFS? [y]: Fri May  6 08:35:55 EDT [FILER01P:nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.

This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

That name is longer than 15 characters.  Please choose another name.
        Your filer does not have WINS configured and is visible only to
        clients on the same subnet.
Do you want to make the system visible via WINS? [n]:
        A filer can be configured for multiprotocol access, or as an NTFS-only
        filer. Since multiple protocols are currently licensed on this filer,
        we recommend that you configure this filer as a multiprotocol filer

(1) Multiprotocol filer
(2) NTFS-only filer

Selection (1-2)? [1]:
        CIFS requires local /etc/passwd and /etc/group files and default files
        will be created.  The default passwd file contains entries for 'root',
       'pcuser', and 'nobody'.
        The default name for this CIFS server is 'FILER'.
Would you like to change this name? [n]: comp_worm
Only (y)es or (n)o allowed. Ctrl-C to quit
Would you like to change this name? [n]: y
Enter the CIFS server name for the filer []: comp_worm
        Data ONTAP CIFS services support four styles of user authentication.
        Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]:
What is the name of the Active Directory domain? [us.icap.com]:
***     In Active Directory-based domains, it is essential that the filer's
***     time match the domain's internal time so that the Kerberos-based
***     authentication system works correctly. If the time difference between
***     the filer and the domain controllers is more than 5 minutes,
***     authentication will fail. Time services are currently not configured
***     on this filer. Since time services are configured on the local default
***     vfiler (vfiler0),, and since this particular setup is for a different
***     vfiler, we cannot configure time services now.  We recommend that you
***     terminate setup with Ctrl-C, configure time services on local vfiler0,
***     and then re-run CIFS setup.

        In order to create an Active Directory machine account for the filer,
        you must supply the name and password of a Windows account with
        sufficient privileges to add computers to the US.ICAP.COM domain.
Enter the name of the Windows user []: us\svcusvfiler01p
Password for US\svcusvfiler01p:
CIFS - Logged in as US\svcusvfiler01p.
        The user that you specified has permission to create the filer's
        machine account in many (950) containers. Please choose the method
        that you want to use to specify the container that will hold this
        account.

(1) Create the filer's machine account in the "Computers" container (CN=Computers, Windows default)
(2) Choose from the entire list
(3) Choose from a subset of containers by specifying a search filter

Selection (1-3)? [1]:
CIFS - Starting SMB protocol...
        It is highly recommended that you create the local administrator
        account (comp_worm\administrator) for this filer. This account allows
        access to CIFS from Windows when domain controllers are not
        accessible.
Do you want to create the comp_worm\administrator account? [y]:
Enter the new password for comp_worm\administrator:
Retype the password:
Welcome to the US.ICAP.COM (US) Active Directory(R) domain.
FILER01P*>

We now have our vfiler ready, now to set up the compliance environment.

First add the license and enable snaplock

FILER01P> license add MBHCDBNQACAAAAOPXNBAAAAAAAAA
license add: successfully added license key "MBHCDBNQACAAAAOPXNBAAAAAAAAA".
FILER01P> license show
Serial Number: 701416000688
Owner: FILER01P
Package           Type    Description           Expiration
----------------- ------- --------------------- --------------------
NFS               license NFS License           -
CIFS              license CIFS License          -
iSCSI             license iSCSI License         -
FCP               license FCP License           -
SnapRestore       license SnapRestore License   -
SnapMirror        license SnapMirror License    -
FlexClone         license FlexClone License     -
SnapVault         license SnapVault License     -
SnapLock          license SnapLock Compliance License -
SnapManagerSuite  license SnapManagerSuite License -

FILER01P> options licensed_feature.snaplock.enable on
FILER01P> options licensed_feature
licensed_feature.disk_sanitization.enable off
licensed_feature.fcp.enable  off
licensed_feature.flex_clone.enable off
licensed_feature.flexcache_nfs.enable off
licensed_feature.iscsi.enable off
licensed_feature.multistore.enable on
licensed_feature.nearstore_option.enable off
licensed_feature.snaplock.enable on
licensed_feature.snaplock_enterprise.enable off
licensed_feature.vld.enable  off

Now we need to set the compliance clock. MAKE SURE TIME IS CORRECT! You should have NTP enabled:

FILER01P> options timed
timed.enable                 on         (same value in local+partner recommended)
timed.log                    on         (same value in local+partner recommended)
timed.max_skew               1m         (same value in local+partner recommended)
timed.min_skew               0          (same value in local+partner recommended)
timed.proto                  ntp        (same value in local+partner recommended)
timed.sched                  hourly     (same value in local+partner recommended)
timed.servers                10.180.161.116 (same value in local+partner recommended)
timed.window                 0s         (same value in local+partner recommended)

timed.enable is on and timed.proto is set to NTP. You can check it's working OK by running ntpq -pn from a server and pointing it at your filer

[root@aserver01p ~]# ntpq -pn FILER01P
     remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
*10.180.161.116  10.180.161.172   5 u  295 1024  377    0.415    5.763   3.569

So we're sure that NTP is working fine and the time is correct, we can now set the compliance clock

FILER01P> snaplock clock initialize

*** WARNING: YOU ARE INITIALIZING THE SECURE COMPLIANCE CLOCK ***

You are about to initialize the secure Compliance Clock of this
system to the current value of the system clock. This procedure
can be performed ONLY ONCE on this system so you should ensure
that the system time is set correctly before proceeding.

The current local system time is: Wed May  4 04:19:17 EDT 2016

Is the current local system time correct? y
Are you REALLY sure you want initialize the Compliance Clock? y
FILER01P> Wed May  4 04:19:39 EDT [FILER01P:snaplock.sys.compclock.set:info]: The compliance clock time of the system has been set to 'Wed    May  4 04:19:17 EDT 2016' due to the reason 'initialized by administrator'.

FILER01P> snaplock clock status
System Compliance Clock: Wed May  4 04:21:33 EDT 2016

Next, let's create the compliance aggregate (-L compliance marks the aggregate as a snaplock aggregate).

aggr create comp_aggr1 -L compliance -d 1a.11.11 1a.11.12 1a.11.13 1a.11.14 1a.11.15 1a.11.16 1a.11.17 1a.11.18 1a.11.19 1a.11.20 1a.11.21

Now we can create a volume in the compliance aggregate and set the retention period options:

FILER01P*> vol create comp_worm_10YR comp_aggr1 200g
FILER01P*> vol options comp_worm_10YR nosnap on
FILER01P*> vol options comp_worm_10YR snaplock_maximum_period 1d
FILER01P*> vol options comp_worm_10YR snaplock_minimum_period 4h
FILER01P*> vol options comp_worm_10YR snaplock_default_period min
FILER01P*> vol options comp_worm_10YR snaplock_autocommit_period 2h

The rententiom times have been set to low values for testing. The maximum and minimum periods are fairly self explainatory, i.e. the maximim retention period that can be set is 1 dat and the minimum is 4 hours. The default (if nothing period is specified) is the minimum period, 4 hours. Files will automatically locked if they haven't been updated for 2 hours.

Now we need to move the volume into the vfiler.

FILER01P*> vfiler move vfiler0 comp_worm_vfiler /vol/comp_worm_10YR
WARNING: reassigning storage to another vfiler does not change the
security information on that storage. If the security domains are
not identical, unwanted access may be permitted, and wanted access
may be denied.
Fri May  6 10:03:48 EDT [FILER01P:cmds.vfiler.path.move:notice]: Path /vol/comp_worm_10YR was moved to vFiler unit "comp_worm_vfiler".

FILER01P*> vfiler context comp_worm_vfiler
comp_worm_vfiler@FILER01P*> Fri May  6 10:04:15 EDT [comp_worm_vfiler@FILER01P:cmds.vfiler.console.switch:notice]: Console context was switched to a vFiler(tm) unit comp_worm_vfiler.

comp_worm_vfiler@FILER01P*> vol status
         Volume State           Status                Options
 comp_worm_root online          raid_dp, flex         create_ucode=on, convert_ucode=on,
                              64-bit                guarantee=none, fractional_reserve=0
 comp_worm_10YR online          raid_dp, flex         no_atime_update=on, create_ucode=on,
                              64-bit                convert_ucode=on, snaplock_compliance,
                                                    guarantee=none, fractional_reserve=0

We can if desired create some qtrees

qtree create /vol/comp_worm_10YR/WORM_FOLDER1
qtree create /vol/comp_worm_10YR/WORM_FOLDER1
qtree create /vol/comp_worm_10YR/WORM_FOLDER3

And to shares them out as CIFS shares

comp_worm_vfiler2@FILER01P> cifs shares -add Department /vol/comp_worm_10YR/WORM_FOLDER1
The share name 'Department' will not be accessible by some MS-DOS workstations
comp_worm_vfiler2@FILER01P> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
ETC$         /vol/comp_Dept_Shares_Vol/etc    Remote Administration
                        BUILTIN\Administrators / Full Control
HOME         /vol/comp_Dept_Shares_Vol/home   Default Share
                        everyone / Full Control
C$           /                                 Remote Administration
                        BUILTIN\Administrators / Full Control
Department   /vol/comp_worm_10YR/WORM_FOLDER1
                      everyone / Full Control

If snapmirror is required, do the following.

On both vfilers:

snapmirror on

On src

comp_worm_vfiler@FILER01P> options snapmirror.access host=10.10.32.44
comp_worm_vfiler@FILER01P> options snapmirror
snapmirror.access            host=10.10.32.44
snapmirror.checkip.enable    off
snapmirror.enable            on

On dst

comp_worm_vfiler2@US01DINFAPL02P> options snapmirror.access host=10.1.60.36
comp_worm_vfiler2@US01DINFAPL02P> options snapmirror
snapmirror.access            host=10.1.60.36
snapmirror.checkip.enable    off
snapmirror.enable            on

On dst

comp_worm_vfiler2@US01DINFAPL02P> snapmirror initialize -S 10.1.60.36:comp_worm_10YR comp_worm_vfiler2:comp_worm_10YR
Transfer started.
Monitor progress with 'snapmirror status' or the snapmirror log.
comp_worm_vfiler2@US01DINFAPL02P> snapmirror status
Snapmirror is on.
Source                     Destination                       State          Lag        Status
10.1.60.36:comp_worm_10YR  comp_worm_vfiler2:comp_worm_10YR  Uninitialized  00:00:00   Transferring  (424 KB done)

Recent Changes

Contribute to this wiki

Why not help others by sharing your knowledge? Contribute something to this wiki and join out hall of fame!
Contact us for a user name and password