
NetApp and NTP Software: Joint Solution White Paper

NTP Software: Quota Use Guide for NetApp Storage Systems

May 2010

ABSTRACT

This guide provides practical guidelines for implementing quotas on NetApp storage. There will be two methods described for quota implementation. The first method employs native Data ONTAP quotas. Quota management utilizing NTP Software QFS for NAS, NetApp Edition will also be presented. The goal of this guide is to provide enough underlying information on how quotas work in a typical environment to enable storage administrators to set up quotas confidently in their own environment.

TABLE OF CONTENTS

1 INTRODUCTION
2 ENVIRONMENT
2.1. WINDOWS ACTIVE DIRECTORY ENVIRONMENT
2.2. NIS ENVIRONMENT
2.3. USERMAP.CFG
2.4. MULTIPROTOCOL CONSIDERATIONS
3 QUOTAS FILE
3.1. QUOTAS FILE DESCRIPTION
3.2. QUOTAS FILE SPECIAL DIRECTIVES
3.3. VALID ENTRIES FOR QUOTAS FILE FIELDS
4 QUOTA COMMANDS
4.1. QUOTA ON
4.2. RESIZE QUOTAS AFTER CHANGES TO QUOTAS FILE
4.3. TURNING QUOTAS OFF
4.4. QUOTA REPORT
5 QUOTA USE CASES
5.1. QUOTA USE CASE: QUOTA MANAGEMENT WITH USER & QTREE QUOTAS
5.2. QUOTA USE CASE: QUOTA MANAGEMENT WITH MIXED QTREES
5.3. QUOTA USE CASE: QUOTA MANAGEMENT IN MULTIPROTOCOL ENVIRONMENTS
6 QUOTA MANAGEMENT IN A WINDOWS ENVIRONMENT USING NTP SOFTWARE QFS FOR NAS, NETAPP EDITION
6.1. INTRODUCTION TO NTP SOFTWARE QFS FOR NAS, NETAPP EDITION
6.2. INSTALLATION OF NTP SOFTWARE QFS FOR NAS, NETAPP EDITION
6.3. CREATION OF THE NAS CONNECTOR
6.4. CREATION OF QUOTA POLICIES WITH NTP SOFTWARE QFS
7 FILERVIEW QUOTA MANAGEMENT AND FILERVIEW QUOTA REPORTING
7.1. FILERVIEW QUOTA MANAGEMENT INTERFACE
7.2. FILERVIEW QUOTA REPORTING INTERFACE
8 DFM QUOTA MANAGEMENT & REPORTING
8.1. DFM QUOTA MANAGEMENT
8.2. DFM REPORTING INTERFACE
9 SUMMARY AND CONCLUSIONS
10 REFERENCES
11 APPENDICES
APPENDIX A: THE QUOTA COMMANDS
APPENDIX B: QUOTAS FILE ALLOWABLE SUFFIXES

1 INTRODUCTION

Storage administrators have found that if storage is available, it will be used. However, financial prudence dictates that companies control the use of storage and its rate of growth. Therefore, storage administrators need a method to define and limit the amount of storage that is used by individuals. Additionally, with virtualized, network-attached storage, it is possible that a volume can be subdivided into qtrees for departmental or organizational usage. Each qtree is used by a different group, each with its own storage requirements. Storage administrators need a methodology for limiting the amount of space within the volume that a subdivided area can use.

Native Data ONTAP quota management allows administrators to apply quotas to users in a multiprotocol environment. Quotas can be applied to individual users, or a default user quota can be established that applies to all users utilizing space within the volume or qtree. Quotas can also be applied to UNIX groups in the same manner as with users. Native Data ONTAP quota management also allows storage administrators to place quotas on the qtree itself. This limits the amount of space within a volume that can be utilized by a qtree.

To provide additional quota management flexibility, NetApp has partnered with NTP Software, a leading provider of quota and file management software. NTP Software QFS for NAS, NetApp Edition brings additional quota management features to NetApp quota management when used in a Windows environment. NTP Software QFS is a policy-based quota and file management system that gives administrators the ability to place default space limits (analogous to Data ONTAP qtree quotas) on a share, folder, or file. A quota can be placed on a share or on the absolute path of the volume root, the qtree, or any subdirectory within the volume root or qtree. The quota is not limited to the volume or qtree level. In addition, NTP Software QFS allows storage administrators to create policies that apply across multiple storage systems, or even to storage systems and Windows Servers alike. In a similar way, NTP Software QFS provides the ability to place user quotas at any level within the volume using either the share or the absolute path. When applying quotas with NTP Software QFS, Windows groups may be used in the quota policies.

This guide provides instructions for quota setup using native Data ONTAP and using NTP Software QFS for NAS, NetApp Edition. Various scenarios will be presented, followed by the configuration that will accomplish the goals of each scenario.

2 ENVIRONMENT

Native Data ONTAP quota management functions in a multiprotocol environment. With Data ONTAP multiprotocol features, a single set of data can be accessed both via NFS and CIFS. Therefore, native Data ONTAP quotas must be able to track disk and file usage when accessed either by CIFS or by NFS, and when the data is protected by Windows file security or UNIX file security. This guide will demonstrate quota management when data is accessed via either a user's Windows identity or a user's UNIX identity. A mixed UNIX and Windows test environment is set up as shown in the following diagrams.

2.1. WINDOWS ACTIVE DIRECTORY ENVIRONMENT


2.2. NIS ENVIRONMENT

2.3. USERMAP.CFG

Note: User names not listed in usermap.cfg have direct mappings and do not need to have entries in the mapping file. For example, Windows user Anne corresponds to UNIX user anne.

2.4. MULTIPROTOCOL CONSIDERATIONS

Data ONTAP has native multiprotocol support. With the appropriate permissions, data can be accessed by users from UNIX hosts via NFS or from Windows hosts via CIFS. NetApp quota management must take multiprotocol access into consideration when calculating user space and file usage. Below is a brief overview of multiprotocol access on NetApp storage systems and how it relates to quota management.

UNIX, NTFS, and Mixed qtree styles are supported on NetApp storage systems. UNIX qtree style indicates that the file security style of the qtree is UNIX based. NTFS qtree style indicates that the file security style of the qtree is Windows based. Mixed qtree style indicates that either UNIX or NTFS file security style could be the effective security style within the qtree.

When we refer to security style, we do not refer to the type of client used to access the data. Data in all three qtree styles can be accessed from both Windows and UNIX hosts, provided that the appropriate user mapping is in place and that the file access permissions allow it. Security style refers to the style of file permissions and the type of authorization needed to access the directories and files within a qtree. For the UNIX security style, authorization to access directories and files is based on access allowed to the user's UNIX UID and GID, with access rules following the UNIX style of file permissions (rwxrwxrwx). For the Windows security style, authorization to access folders and files is based on access allowed to the user's Windows User Name and Windows Group memberships, with access rules based on NTFS permissions.

Multiprotocol access depends on user mapping between a user's UNIX identity and Windows identity to properly evaluate the user's rights to perform file and folder operations within volumes and qtrees. The following logic is used to determine access.

UNIX Qtrees: A UNIX-style qtree is always accessed with a user's UNIX identity.
- If a user is accessing data from a UNIX or Linux host, the user's UID and GID are used to determine access rights.
- If a user is accessing data in a UNIX qtree from a Windows machine, Data ONTAP first maps the Windows user name to its corresponding UNIX UID. If there is no corresponding UNIX user, the Windows user is mapped to the default UNIX user. The default user is designated with the following storage system option:

options wafl.default_unix_user pcuser

The designated default user can be any valid UNIX user designated by the storage administrator, but the default user must exist in the storage system's /etc/passwd file, the NIS database, or the LDAP database. If the default user is set to null, a Windows user that does not map to a UNIX user is not allowed access to qtrees or volumes with UNIX style security.

NTFS Qtrees: An NTFS-style qtree is always accessed with a user's Windows identity. Data ONTAP always maps the user's Windows identity to the user's UNIX identity when access is requested to data with NTFS-style security.
- If a user is accessing data from a Windows host, the user's Windows user name and Windows groups are used to determine NTFS access rights.
- If a user is accessing data in an NTFS qtree from a UNIX host, Data ONTAP grants access based on the user's mapped Windows user. By default, if there is not a corresponding Windows user, access is denied to the NTFS qtree from a UNIX host.

wafl.default_nt_user is a storage system option that can be used to allow mapping of Windows users with no corresponding UNIX account to a generic Windows account. The default for this option is null.

options wafl.default_nt_user

To enable access from a default user, add a valid Windows account to this option.

options wafl.default_nt_user corp\ntuser


Mixed Qtrees: For mixed-style qtrees, access is based on the effective security style on the qtree, folders, and files within the qtree. A mixed qtree can have either UNIX- or NTFS-style security in place. Particular folders or files within a mixed volume or qtree can have a security style that differs from the root of the volume or qtree (but not both security styles at the same time for any particular folder or file).

Consider the following qtree and a folder that was created within the qtree.

eddie:/vol/vol1/qtree_mixed
eddie:/vol/vol1/qtree_mixed/ntfs_folder

The root of qtree_mixed has UNIX style security (uses UID and GID to determine access rights). However, the folder ntfs_folder was created by a Windows administrator via a mapping on a Windows machine. The Windows administrator specified that this folder should not inherit parent permissions. Instead, the administrator gave the folder its own specific NTFS permissions. The addition of specific NTFS permissions changed the security style of this folder and all data subsequently placed within this folder to NTFS security style.

When considering which identity (UNIX or Windows) should be used for quota management, the type of host used to access data in the volumes is not what decides which identity is used. Instead, quotas are calculated based on the security style of the volume, qtree, and folder and/or file being accessed.
- Quota calculation of UNIX qtrees is always allocated to the user's UID or GID.
- Quota calculation of NTFS qtrees is always allocated to the user's Windows SID.
- Quota calculation of mixed qtrees depends on which security style is in effect within the area of the qtree where data is being modified or added.

From the above discussion of mixed style qtrees, we can see that quota management for mixed qtrees where quota mapping is not enabled can be problematic, because some areas within the volume or qtree can be NTFS-style security while other areas can have UNIX-style security. For appropriate quota management, quotas applied to mixed qtrees should be within a Quota Mapping Directive. The Quota Mapping Directive is discussed in Section 5.2.

For more information on multiprotocol, please consult: Tech Report TR3014: MULTIPROTOCOL DATA ACCESS: NFS, CIFS, AND HTTP at http://media.netapp.com/documents/wp_3014.pdf
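The identity selection described in section 2.4, as an added example (not code from the white paper or from Data ONTAP): it returns the identity that is evaluated for access and charged for quota, or None when the missing mapping means access is denied. The Filer class, its fields and all accounts except the Anne/anne pair are hypothetical, and name mapping is reduced to a usermap lookup followed by the direct same-name mapping.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Filer:
    unix_users: Set[str]                  # accounts in /etc/passwd, NIS or LDAP
    win_users: Set[str]                   # Windows domain accounts (lower case)
    usermap: Dict[str, str] = field(default_factory=dict)  # Windows -> UNIX name
    default_unix_user: Optional[str] = "pcuser"  # options wafl.default_unix_user
    default_nt_user: Optional[str] = None        # options wafl.default_nt_user (null)

    def to_unix(self, win_name: str) -> Optional[str]:
        """usermap entry first, then the same-name mapping, then the default user."""
        name = win_name.lower()
        mapped = self.usermap.get(name, name)
        return mapped if mapped in self.unix_users else self.default_unix_user

    def to_windows(self, unix_name: str) -> Optional[str]:
        """Reverse lookup; falls back to wafl.default_nt_user, which is null by default."""
        reverse = {unix: win for win, unix in self.usermap.items()}
        mapped = reverse.get(unix_name, unix_name)
        return mapped if mapped in self.win_users else self.default_nt_user


def effective_identity(filer: Filer, style: str, client: str,
                       user: str) -> Optional[Tuple[str, str]]:
    """Return (identity kind, name), or None when no mapping exists (access denied).

    style  - security style in effect on the data: "unix" or "ntfs". For a mixed
             qtree, pass the style of the folder or file actually being written.
    client - "unix" (NFS) or "windows" (CIFS); it never decides the identity kind.
    """
    if style == "unix":
        name = user if client == "unix" else filer.to_unix(user)
        return ("unix", name) if name else None
    if style == "ntfs":
        name = user.lower() if client == "windows" else filer.to_windows(user)
        return ("windows", name) if name else None
    raise ValueError(f"unknown security style: {style!r}")


def sample_filer(**options) -> Filer:
    """Constructed accounts; only the Anne/anne pair comes from the text."""
    return Filer(
        unix_users={"anne", "fred", "builder", "pcuser"},
        win_users={"anne", "frederick", "contractor1"},
        usermap={"frederick": "fred"},   # constructed usermap.cfg entry
        **options,
    )


if __name__ == "__main__":
    filer = sample_filer()
    for case in [("unix", "windows", "Anne"), ("unix", "windows", "contractor1"),
                 ("ntfs", "unix", "fred"), ("ntfs", "unix", "builder")]:
        print(case, "->", effective_identity(filer, *case))
```

With wafl.default_unix_user set to null the unmapped Windows account is denied on UNIX-style data, and with wafl.default_nt_user left at null the unmapped UNIX account is denied on NTFS-style data.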

3 QUOTAS FILE

The heart of native Data ONTAP quota management is the quotas configuration file, /etc/quotas. The quotas file describes disk quotas that go into effect when quotas are enabled. All quotas are established on a per-volume basis. That is, a quota rule is not enforced across volumes or across storage systems. Each volume must have its own set of quota entries in the quotas file.

A quota limits:
- The amount of disk space and/or the number of files that a particular user or group can consume at a volume or qtree level. A user can be a Windows user or a UNIX or Linux user. A group can be a UNIX or Linux group. NetApp quotas do not support the use of Windows groups.
- The total space and/or files used within a qtree.

User and group quotas do not apply to root or to the Windows Administrator account. If you enable the storage system option that tells the storage system to map Windows Administrators to root, then all Windows Administrators are exempt from user and group quotas. Qtree quotas apply even to root and Windows Administrator accounts. If a qtree quota is exceeded, even root and Windows Administrators cannot add space or files to that qtree until data is deleted (or the quota is changed and the quota resize volume_name command is issued).

3.1. QUOTAS FILE DESCRIPTION

The /etc/quotas file has the basic composition as follows:

# Quota Target type disk files thold sdisk sfile
# ------------- ----- ---- ----- ----- ----- ----

- Quota Target: The specific entity within the quota type to be acted on. For example, if type is user, the quota target would be a specific user.
- Type: Type of entity to which the quota rule applies. Supported types are Windows or UNIX users, UNIX group, or qtree.
- Disk: The hard space limit that applies to the quota target.
- Files: The hard limit on number of files that are allowed for this quota target.
- Thold: The space warning threshold. If an attempt to allocate space for the quota target would exceed the threshold, a warning message is logged on the storage system console and an SNMP trap is generated.
- Sdisk: The soft disk limit is analogous to the Disk limit, except the limit is not enforced. Instead, a warning message is logged on the storage system and an SNMP trap is generated. When the quota target's usage goes back below the sdisk limit, another message is logged and another SNMP trap is generated.
- Sfile: Analogous to Sdisk, except it acts on the number of files generated rather than space usage.

For a list of suffixes that can be used in the Disk, Files, Thold, Sdisk, & Sfile fields, see Appendix B.

3.2. QUOTAS FILE SPECIAL DIRECTIVES

There are two special modifiers which can be used in the quotas file that provide additional quota management functionality.

QUOTA_TARGET_DOMAIN

The Domain Directive can be used to change a UNIX-style user name in the quota target field to a Windows-style user quota target. It will prepend the domain and a backslash to subsequent UNIX-style user names. It will continue to do this until another domain directive is encountered or the end of the quota file is reached. For example, the quota entry below:

QUOTA_TARGET_DOMAIN corp
jim user 200M
QUOTA_TARGET_DOMAIN

Translates to:

corp\sam, sam user 50M
corp\jim user 200M

QUOTA_PERFORM_USER_MAPPING [ ON | OFF ]

This directive, when ON, will use the storage system's user name mapping support to map a UNIX user quota target to the corresponding Windows account name, and will consider them together when calculating user quotas. The reverse is also true; a Windows user name will be mapped to its corresponding UNIX identity, and both will be used when calculating user quotas. The setting, once turned on, remains in effect until the OFF directive is used. For example, the quota entry below:

QUOTA_PERFORM_USER_MAPPING ON
corp\sam user 50M
jim user 200M
QUOTA_PERFORM_USER_MAPPING OFF

Translates to:

corp\sam, sam user 50M
corp\jim, jim user 200M
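The field layout from section 3.1 and the two directives above, as an added example (not code from the white paper or from Data ONTAP): a parser that expands each entry's quota targets the way the "Translates to" listings describe. Assumptions, since Appendix B is not reproduced here: K, M and G suffixes with bare space values read as kilobytes, "corp" as the storage system's own domain, and direct same-name user mapping; every function and class name is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class QuotaEntry:
    targets: List[str]        # expanded quota targets, Windows form first
    qtype: str                # user, group or tree
    path: Optional[str]       # part of the type field after "@", if any
    disk_kb: Optional[int]
    files: Optional[int]
    thold_kb: Optional[int]
    sdisk_kb: Optional[int]
    sfile: Optional[int]


def parse_limit(text: Optional[str], kind: str) -> Optional[int]:
    """kind "space" -> kilobytes, kind "files" -> count; "-" or absent -> no limit."""
    if text in (None, "-"):
        return None
    match = re.fullmatch(r"(\d+)([KkMmGg]?)", text)
    if not match:
        raise ValueError(f"bad limit {text!r}")
    power = {"": 0, "K": 1, "M": 2, "G": 3}[match.group(2).upper()]
    if kind == "space":
        power = max(power, 1) - 1      # assumption: bare space values are kilobytes
    return int(match.group(1)) * 1024 ** power


def both_identities(name: str, system_domain: str) -> List[str]:
    """Windows and UNIX forms of one user under direct same-name mapping."""
    if "\\" in name:
        return [name, name.split("\\", 1)[1].lower()]
    return [f"{system_domain}\\{name}", name]


def parse_quotas(text: str, system_domain: str = "corp") -> List[QuotaEntry]:
    domain, mapping, entries = None, False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "QUOTA_TARGET_DOMAIN":     # bare directive ends the block
            domain = fields[1] if len(fields) > 1 else None
            continue
        if fields[0] == "QUOTA_PERFORM_USER_MAPPING":
            mapping = len(fields) > 1 and fields[1].upper() == "ON"
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: missing type field")
        qtype, _, path = fields[1].partition("@")
        limits = fields[2:7] + [None] * (5 - len(fields[2:7]))
        targets = fields[0].split(",")
        if qtype == "user" and fields[0] != "*":
            if domain:
                if len(targets) > 1:   # section 5.1: one user per line in a domain block
                    raise ValueError(f"line {lineno}: comma-delimited target "
                                     "inside QUOTA_TARGET_DOMAIN")
                targets = [t if "\\" in t else f"{domain}\\{t}" for t in targets]
            if mapping:
                targets = [n for t in targets for n in both_identities(t, system_domain)]
        entries.append(QuotaEntry(
            targets, qtype, path or None,
            parse_limit(limits[0], "space"), parse_limit(limits[1], "files"),
            parse_limit(limits[2], "space"), parse_limit(limits[3], "space"),
            parse_limit(limits[4], "files")))
    return entries


# Constructed sample assembled from the entries quoted in this guide.
SAMPLE = r"""
# Quota Target   type                        disk  files  thold  sdisk  sfile
QUOTA_TARGET_DOMAIN corp
jim              user                        200M
QUOTA_TARGET_DOMAIN
QUOTA_PERFORM_USER_MAPPING ON
corp\sam         user                        50M
jim              user                        200M
QUOTA_PERFORM_USER_MAPPING OFF
fred,fritz       user@/vol/vol3/qtree_UNIX   700M  -      550m
"""

if __name__ == "__main__":
    for entry in parse_quotas(SAMPLE):
        print(", ".join(entry.targets), entry.qtype, entry.path, entry.disk_kb)
```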

3.3. VALID ENTRIES FOR QUOTAS FILE FIELDS

Let's consider valid quota file entries for the three quota types supported by Data ONTAP. The three supported quota types are user, UNIX group, and qtree. It is possible (and, in fact, quite likely) that a quota file will contain multiple quota rules that can impact a user's ability to use space or add files within a volume or qtree. For instance, a user could have a specific user quota, and he could also be bound by a qtree quota placed on the qtree to which he is copying or modifying data. With Data ONTAP quota management, all quota policies must be met. All applicable entries within the quotas file are considered when a decision is made whether to allow a user to add data or files to a volume or qtree.

USER QUOTA TYPE

The following sample /etc/quotas file contains exemplar entries for the user quota type. Use default user entries to optimize quota management and to simplify /etc/quotas file configuration. Use specific user quotas for the small subset of people whose space needs differ from the default.

GROUP QUOTA TYPE

The following sample /etc/quotas file contains exemplar entries for the group quota type. The group type is used for UNIX groups only. Windows groups are not supported. Quotas are calculated for a UNIX user's primary group only.

QTREE QUOTA TYPE

The following sample /etc/quotas file contains exemplar entries for the qtree quota type. For optimal quota management, use default qtree quotas. If a specific qtree's space requirements differ from the default qtree quota, a specific qtree quota can be set.

SUMMARY OF EFFECTIVE QUOTA LIMITS WHEN MORE THAN ONE LIMIT AFFECTS DATA MODIFICATION WITHIN A MANAGED QTREE OR VOLUME

Often, quotas can be configured such that more than one rule applies to space and file usage within a qtree or volume. How does Data ONTAP apply quota rules when this is the case?

Data ONTAP will apply all relevant quota rules before a data modification or file addition is allowed within the qtree or volume. All rules must allow the space usage or file addition before it is permitted. When applying the rules, the most restrictive rule applies; put another way, the limit that is reached first is the one that is applied to restrict space and file usage.

Below are general rules for the application of quota policy when there are multiple limits that apply to the data modification or file addition operation:
- With a user quota and a group quota that apply to the user at the qtree level, the limit reached first is the effective limit. For instance, if user1 belongs to groupA, and the quota limit for groupA is reached, user1 will not be able to write to this qtree even if he has not exceeded his user limit.
- For a user quota and a group quota that apply to the user at the volume level, the limit reached first is the effective limit.
- With a user quota and a qtree quota on a qtree, the limit reached first is the effective limit. For instance, if user1 attempts to copy data to a qtree where the qtree limit has not been reached, but his user limit is reached, the copy will fail.
- For a volume level user or group quota and a qtree level user or group quota, the limit reached first is the effective limit. For instance, if user1 has used space in /vol/vol1/qtree, but has not exceeded his limit at this qtree level, he will be able to copy more data into /vol/vol1/qtree unless his total space consumed in vol1 exceeds his volume limits. Volume limits apply to the qtrees as well as to the root of the volume. Even if the qtrees have individual user and group quotas applied at the qtree level, usage within the qtrees counts as volume usage. Therefore, user and group quotas at the volume level should be set with care.
- For a volume level user or group quota and a qtree quota, the limit reached first is the effective limit. For instance, if a user or group has not fully utilized the user or group quota, but the qtree quota for a particular qtree has been reached, the users and group members will be able to write to other qtrees and to the root of the volume, but they will not be able to write to the qtree whose quota has been exceeded.
- For a user, group, or qtree quota where there are file and space limits, the limit reached first is the effective limit. For instance, if a quota has a limit of 100 files and 20 GB of space and a user wants to copy a million files, each 4 bytes in size, into this space, the copy would fail. He would be able to copy 100 files and no more, regardless of how little of the 20 GB space quota has been used.

4 QUOTA COMMANDS

The quotas file describes the quotas to impose, and the quota commands control quota function. The quota commands most frequently used in quota management are outlined below. For a complete description of the quota commands, see Appendix A.

4.1. QUOTA ON

quota on volume

This command activates quotas in the specified volume based on the contents of /etc/quotas. Once enabled for a particular volume, changing /etc/quotas has no effect on quota management for that volume until the next time quota on or quota resize is executed. When quotas are first turned on, the storage system scans the file system to determine current file and space usage for each user and group with a quota. On volumes with large file systems, the initialization can take considerable time. During initialization, quotas are not in effect, although the file system is still accessible. Since initialization uses system resources, it is recommended that (if feasible) initializations be done during non-peak storage system usage.

4.2. RESIZE QUOTAS AFTER CHANGES TO QUOTAS FILE

quota resize volume

This command adjusts currently active quotas in the specified volume to reflect changes in the /etc/quotas file. For instance, if you edit an entry in /etc/quotas to increase a user's quota, quota resize will cause the change to take effect. Quota resize can be used only when quotas are already on. Because it does not rescan the file system to compute usage, quota resize is faster than turning quotas off and then on again. Quota resize will apply all updated entries in /etc/quotas; however, it will generally ignore newly added entries.

4.3. TURNING QUOTAS OFF

quota off volume

This command turns quotas off on the specified volume.

4.4. QUOTA REPORT

quota report

This command prints the current file and space consumption for each user or group with a quota and for each qtree to the storage system console. If the storage administrator wants to parse the output of the file and look for specific events or trends, the command may be run from a host via rsh or ssh with the resultant output piped to a text file. The text file can then be processed via scripts or 3rd party applications.

Formatting options of particular interest include:

-u If a quota target consists of multiple IDs, the first ID is listed on the first line of the quota report for that entry. The other IDs are listed on the lines following the first line, with one ID per line. Each ID is followed by its original quota specifier, if any. Without this option, only one ID is displayed for quota targets with multiple IDs.

-x If a quota target consists of multiple IDs, all IDs are listed on the first line of the quota report for that entry. The IDs are listed as a comma-separated list. Each column of the report output will be separated by a tab character. The threshold column will also be included.

5 QUOTA USE CASES

Three use cases are presented below. The Windows and UNIX environment is as described in Section 2 above. For each case, a scenario is first presented. This is followed by the quotas file used in that use case. After the quotas file, the effects of the application of quota rules are demonstrated by a series of tests. This will demonstrate how the rules are applied as data and files are added to the managed qtrees.

5.1. QUOTA USE CASE: QUOTA MANAGEMENT WITH USER & QTREE QUOTAS

The following are basic features of our scenario:
- The typical user accesses data from either a Windows host or a UNIX host.
- Some users access data from both a Windows host and a UNIX host.
- One qtree uses UNIX security style, with data accessed via a user's UNIX identity.
- One qtree uses NTFS security style, with data accessed via a user's Windows identity.
- Default user quotas are utilized at the individual qtree level.
- Specific user quotas are required for some users.
- Qtree quotas are employed as a means of limiting the amount of total space within a volume that any one qtree can utilize.

USER ACCESS AND QUOTA MANAGEMENT IN THIS SCENARIO

With this scenario, we will demonstrate quota management in a typical environment. We have a multi-purpose storage system. Some data is primarily accessed from UNIX hosts and is administered by UNIX administrators. Some data is primarily accessed from Windows hosts and is administered by Windows administrators. In order to create separate zones of security, the volume is divided into qtrees. We will discuss two of the qtrees, a UNIX qtree and an NTFS qtree.

Regardless of the user's host operating system, any data access of the UNIX qtree is always done through a user's UNIX identity. Similarly, any data access of the NTFS qtree is always done through a user's Windows identity. Therefore, we will set up a quotas configuration where quotas are applied at the qtree level. Each qtree has its own separate default user quota. Additionally, for each qtree, there are specific users who need more space than is given to the default user; those users have specific quotas set up at the qtree level.

Without a qtree quota, a single qtree could take up more of the total volume space than is desired. To limit each qtree to a specific amount of the volume space, we also configure qtree quotas. All applicable quota rules are examined before a user is allowed to use space or files within a volume. All rules must be satisfied before the operation is allowed.

After our quotas are initialized, we will demonstrate:
- The effect of exceeding a default user quota.
- The effect of exceeding a specific user quota.
- The effect of a user exceeding a qtree quota, even if the user has not exceeded his individual quota.
- The effect of exceeding a cumulative specific user quota (a quota target with multiple, comma-delimited users).

QUOTAS FILE WITH USER AND QTREE QUOTAS

Below is the quotas file used in this study, along with notes of interest regarding some of the configuration parameters in the quotas file.
- Users listed on the same line with a comma separator are all considered to be the same target. Their cumulative usage is considered when calculating quotas.
- The three users listed within the Domain Directive will all have the specified domain name prepended to their user name. This directive is a convenient way to list users that belong to a domain that differs from the storage system's domain.
- When using the Domain Directive, users must be listed one per line. Multiple, comma-delimited user quota targets cannot be used in the Domain Directive.
- When using the Domain Directive, the Windows form of a user name must be used (if it differs from the UNIX name).

After quotas are initialized with the quota on command, the initial entries from the quota report are recorded below:

USER QUOTA IS EXCEEDED ON QTREE_NTFS

In the quotas file, Anne is not configured to have a specific quota for qtree_ntfs. She will be subjected to the default quota of 550M. Over a period of time, Anne has copied 501 MB of data into qtree_ntfs. From Windows XP, she now attempts to copy a 167 MB file into qtree_ntfs. The copy fails and the following message is recorded on the storage system console:

Disk quota exceeded on volume vol3 for Windows user ID: S-1-5-21-26777087121729956257-2544577925-2617

The quota report below shows that, after the failure, Anne's quota usage is still at 501 MB. The addition of 167 MB would have put her over quota; therefore, it was not allowed.

QTREE QUOTA IS EXCEEDED ON QTREE_NTFS

Other users continue to copy data to qtree_ntfs until the qtree contains approximately 1500 MB of data. As seen in the qtree report above, the exact qtree limit on qtree_ntfs is 1536 MB. Shara, from the Windows XP host, attempts to copy dfm.exe, a 167 MB file, into qtree_ntfs. Shara finds, however, that this copy fails even though she would not exceed her user quota; it fails because the qtree limits are exceeded. No one, not even root or Windows Administrators, can put more data into this qtree until files are deleted or the quota is changed in the quotas file and a quota resize vol3 command is issued. The following message is recorded on the storage system's console, which indicates that the failure is due to qtree quota limits:

[Wafl.quota.qtree.exceeded:notice]: tid 1: tree quota exceeded on volume vol3.

The quota report records space usage and shows that Shara has the space remaining in her quota limits to add 167 MB to qtree_ntfs, but qtree_ntfs has only 36 MB left before the quota limit is reached.

18

Other points of interest in this quota report: Fitzpatrick, Frederick, and Shara all have specific 700 MB quotas assigned to them. Anne is assigned the default quota, as indicated by the asterisk in the quota column. Without the use of the quota mapping directive, space usage in a qtree of NTFS security style is allocated to a users Windows identity, which is designated by a backslash preceding the user name (\shara) in the ID column of the quota report.

QUOTA MANAGEMENT FOR A QUOTA TARGET CONTAINING MORE THAN ONE USER

Our quotas file contains one quota entry where multiple users are defined in the quota target:

fred,fritz user@/vol/vol3/qtree_UNIX 700M - 550m

A comma-delimited list of users is considered one target. The listed users have a cumulative limit of 700 MB. It does not matter which of the two users adds data to qtree_UNIX; their space usage is considered together. A quota entry such as this is useful when a group of people share a single task or project and the storage administrators wish to limit the space consumed by data from a particular project. In this example, Fred and Fritz each copy 333 MB of data into qtree_UNIX. Below are the quota report entries recording their space usage. Note that their space usage is recorded together, not individually.

Other points of interest in the quota report: Space usage in a qtree with UNIX security style is allocated to a user's UNIX identity. In the quota report, a UNIX user designation is not preceded by a backslash (fred or fritz) in the ID column.

SUMMARY OF RESULTS

Data ONTAP quota management tracks usage on the basis of UNIX and/or Windows users, UNIX groups, and qtrees. Within the quotas configuration file, we can specify quotas on qtrees, which limit the amount of total volume space that a qtree can consume. This prohibits data that resides in one qtree from consuming all of the available space within a volume. Default user quotas can be configured at a qtree level or a volume level. When default user quotas are configured at the qtree level, a user's space and/or file usage is tracked within that qtree and is independent of quota tracking within other qtrees.

Specific user quotas can also be configured at the qtree or volume level. This allows the storage administrator to allocate more or less space and/or file usage to particular users than is allocated to the default user. When UNIX or NTFS qtrees are configured, quota mapping is not necessary. This is because a UNIX qtree is always accessed by a user's UNIX identity and NTFS qtrees are always accessed as a user's Windows identity. All relevant quota rules are applied before a decision is made whether to permit the operation. A user may not add data to a qtree whose quota is reached, even if the user still has quota space available. A user may not add data to a qtree if his quota is reached, even if the qtree quota has not been reached. For quota targets that contain multiple, comma-delimited users, the quota is applied to the cumulative usage of the listed users.

5.2. QUOTA USE CASE: QUOTA MANAGEMENT WITH MIXED QTREES

A demonstration of quota management with and without the quota mapping directive uses the following scenario: The data resides in mixed qtrees. The typical user accesses data from both Windows hosts and from UNIX hosts.

USER ACCESS AND QUOTA MANAGEMENT IN THIS SCENARIO

With this scenario, we will demonstrate quota management calculations with and without the quota mapping directive. Recall from the discussion on multiprotocol access that file access is granted based on the security style of the qtree and folders within the qtree, not based on which type of host is used to access the data. Therefore, in this scenario, we need to use quota mapping not because users access the data from both types of hosts, but because the qtree is mixed, with areas where data has Windows security and areas where data has UNIX security. Mixed qtrees present a challenge for quota management. The security style of a mixed qtree is not fixed, and the security style of folders within the qtree can differ from the root of the qtree. The quota mapping directive is used to ensure that space usage for a person is tracked accurately, regardless of security styles within the qtree. The root of qtree_mixed has UNIX security style. File access at the root will be granted to the person's UNIX identity. A subfolder, ntfs_folder, has NTFS security style. File access within this subfolder will be granted to the person's Windows identity. A user, Shara, needs to copy data to the root level of qtree_mixed. She also needs to copy data to ntfs_folder.

QUOTAS FILE WITH QUOTA MAPPING

In order to track cumulative usage in this qtree, we use the quota mapping directive. All users have a default quota of 200 MB. Shara has a specific quota of 450 MB. The quota management configuration is shown in the quotas file below.

To demonstrate quota management with this configuration, Shara copies a 167MB file to the root of qtree_mixed and then copies the same 167MB file to ntfs_folder. Since the quota mapping directive is used, cumulative usage is tracked for UNIX user shara and Windows user \shara. The resultant quota report is shown below.

QUOTAS FILE WITHOUT QUOTA MAPPING

To illustrate the effect of removing the quota mapping directive, the quotas configuration file was modified to the configuration seen below. The only change to the file is the removal of the mapping directive.

Quota usage was recalculated with the new configuration file by turning quotas off and then back on for vol1. The recalculated quota report now shows separate calculations for data copied into the UNIX security area of the qtree and the data copied into the Windows security area of the qtree.

As can be seen from the quota report, without the quota mapping directive, UNIX user shara and Windows user \Shara are considered to be separate users and are tracked separately. Moreover, \Shara has a quota of 450 MB, but the UNIX user, shara, is subjected to the default user limit of 200 MB. This would probably not be the desired result in most environments.

SUMMARY OF RESULTS

Quota management on mixed qtrees is not as straightforward as quota management on NTFS or UNIX qtrees. Mixed qtrees may have portions of the qtree that are of UNIX security style and portions of the qtree that are of Windows security style. If user mapping is not enabled in the quotas file, quota tracking will be done separately for the user's UNIX identity and for the user's Windows identity. This can lead to inconsistent quota management. To provide consistent quota management on mixed qtrees, configure quota mapping in the quotas file. This will lead to Data ONTAP tracking the usage of the user's Windows and UNIX identities together. NetApp recommends that the use of mixed qtrees be minimized. Instead, choose the UNIX or NTFS qtree style. Users can access data from either UNIX or Windows hosts if user mapping is consistently applied (if the appropriate file access permissions are present). The security style (NTFS or UNIX) is chosen based on which set of administrators will be administering the qtrees. Choose UNIX qtree style if UNIX administrators will be administering the exports file and file permissions. Choose NTFS qtree style if Windows administrators will be administering the shares and NTFS permissions. However, if it is necessary to have qtrees where both UNIX and Windows administrators administer security, mixed qtrees can be employed. Quota management on these qtrees should utilize the mapping directive for consistent quota tracking.

5.3. QUOTA USE CASE: QUOTA MANAGEMENT IN MULTIPROTOCOL ENVIRONMENTS

The following are basic features of our scenario: The typical user accesses data from both Windows and UNIX clients. UNIX groups are used for quota management on selected qtrees. In this case study, storage administrators occasionally find a need to change the security style of qtrees from UNIX or NTFS to mixed. If the security style was changed to mixed, we would not be able to predict how quota usage would be allocated; it could be allocated to a UNIX identity, or it could be allocated to a Windows identity. This uncertainty necessitates that the quota file maps UNIX and Windows users so that all user usage is tracked cumulatively.

USER ACCESS AND QUOTA MANAGEMENT IN THIS SCENARIO

In this scenario, we use the quota mapping feature to ensure that space usage of a user's Windows identity and UNIX identity is tracked cumulatively. Additionally, we have a UNIX qtree where we use UNIX groups for quota management. Our tests will illustrate: The effect of exceeding a group quota. The effect of space usage on a group quota when that group is a user's secondary group. The calculation of space usage using the cumulative usage of a person's UNIX and Windows identity. The effect of exceeding a qtree quota.

The quotas file used in this study is shown below. Notes of interest regarding the quotas file: Default user and specific user quotas are contained within the quota mapping directive. All user usage will be tracked cumulatively for the user's UNIX and Windows identities. Fred, fritz, tom, and rod belong to support as their primary UNIX group. Fred and fritz belong to lab group as a secondary group.

After quotas are initialized with the quota on command, the initial quota report is recorded below:

GROUP QUOTA EXCEEDED ON QTREE_UNIX

Fred and Fritz each copy 333 MB into qtree_UNIX. Their space usage is tracked both through the user quota management and the group quota management. The group support has used 667 MB towards a quota limit of 800 MB. When Fred attempts to copy another 167 MB file into qtree_UNIX, it fails. Fred's user quota is not exceeded, but the group quota is exceeded and thus the operation is not permitted. We can identify that the quota for the group support (with a GID of 107) is exceeded with the following message on the storage system's console:

[wafl.quota.groupQtree.exceeded:notice]: gid 107 tid 2: disk quota exceeded on volume vol2.

Below is the resultant quota report:

No further copies to /vol/vol2/qtree_UNIX are possible by users whose UNIX identity has support as a primary group until group members delete some files or a storage administrator increases the quota for this group. If the quota size is increased, the command quota resize vol2 must be issued. There is no space usage recorded for group lab, even though Fred and Fritz are members of this group as a secondary group. Data ONTAP quota management does not track a user's secondary group usage.

QUOTA MANAGEMENT WITH QUOTA MAPPING

Users continue to copy data to qtree_ntfs. After a time, users report that they can no longer copy data to qtree_ntfs. The storage administrator wishes to verify storage usage and issues the quota report command. The administrator determines that the qtree quota is exceeded on qtree_ntfs. Of additional interest, we can see from the output that all user quota tracking is by each user's combined UNIX identity and Windows identity. Even if the storage administrator changes the qtree style or the qtrees, accurate quota tracking will not be hindered. The resultant quota report is below:

SUMMARY OF RESULTS

Quota management for multiprotocol environments can be accomplished with native Data ONTAP. With the use of user mapping in the /etc/quotas file, space and file usage will be tracked cumulatively for the user's Windows identity and UNIX identity. It does not matter if the security style of the qtree or volume is UNIX or Windows, nor does it matter if the user is accessing data from a Windows machine or a UNIX machine; space and file usage will be tracked properly for each individual. UNIX groups can also be used for quota management, where a UNIX group can be allocated a certain amount of space that the group as a whole can use within a qtree or a volume. A user's primary UNIX group is the only group tracked. If a UNIX user belongs to secondary groups, his space and file usage is not tracked for the secondary groups. We saw with this case that all quota rules are considered before a user is allowed to write data or files to a tracked object (qtree or volume). After all relevant rules are applied, if no applicable rule would be violated, a user can write data to the qtree or volume. For an environment where both UNIX and Windows security styles are used, Data ONTAP quota management provides the ideal method for tracking space and file usage.
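The admission rule summarized in sections 5.1 to 5.3 (every applicable user, primary-group and qtree quota must pass, and quota mapping merges a person's UNIX and Windows identities) can be replayed with the guide's own numbers. This Python model is an added illustration, not NetApp or NTP Software code; the `Qtree` class, the `case_*` functions and the limits marked "constructed" are assumptions, and soft limits and usermap.cfg lookups are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Qtree:
    """Quota rules and usage for one qtree, in MB (hypothetical model)."""
    name: str
    tree_limit: Optional[int] = None
    default_user_limit: Optional[int] = None
    user_targets: list = field(default_factory=list)  # [(("fred", "fritz"), 700)]
    group_limits: dict = field(default_factory=dict)  # primary UNIX group -> limit
    mapping: bool = False                             # quota mapping directive on?
    tree_used: int = 0
    user_used: dict = field(default_factory=dict)
    group_used: dict = field(default_factory=dict)

    def _norm(self, identity):
        # A leading backslash marks a Windows identity in the quota report.
        # With mapping on, both identities collapse to one target
        # (assumption: the UNIX and Windows names match).
        ident = identity.lower()
        return ident.lstrip("\\") if self.mapping else ident

    def _target(self, identity):
        me = self._norm(identity)
        for members, limit in self.user_targets:
            key = tuple(sorted(self._norm(m) for m in members))
            if me in key:
                return key, limit  # comma-delimited users share one limit
        return (me,), self.default_user_limit

    def write(self, identity, size, primary_group=None):
        """Return None if the write is admitted, else the rule that blocks it."""
        key, user_limit = self._target(identity)
        rules = [("user", self.user_used.get(key, 0), user_limit)]
        if primary_group is not None:  # secondary groups are never consulted
            rules.append(("group", self.group_used.get(primary_group, 0),
                          self.group_limits.get(primary_group)))
        rules.append(("tree", self.tree_used, self.tree_limit))
        for kind, used, limit in rules:  # every applicable rule must pass
            if limit is not None and used + size > limit:
                return kind  # nothing is charged for a denied write
        self.user_used[key] = self.user_used.get(key, 0) + size
        if primary_group is not None:
            self.group_used[primary_group] = (
                self.group_used.get(primary_group, 0) + size)
        self.tree_used += size
        return None


def case_5_1():
    """qtree_ntfs: Anne hits the default user quota, Shara the qtree quota."""
    q = Qtree("qtree_ntfs", tree_limit=1536, default_user_limit=550,
              user_targets=[(("\\fitzpatrick",), 700), (("\\frederick",), 700),
                            (("\\shara",), 700)])
    q.write("\\anne", 501)
    anne = q.write("\\anne", 167)    # 668 > 550
    q.write("\\fitzpatrick", 500)    # constructed split that brings the
    q.write("\\frederick", 499)      # qtree to the guide's 1500 MB
    shara = q.write("\\shara", 167)  # 1667 > 1536
    return anne, q.user_used[("\\anne",)], shara, q.tree_limit - q.tree_used


def case_shared_target():
    """fred,fritz share one 700 MB target; usage is recorded together."""
    q = Qtree("qtree_UNIX", user_targets=[(("fred", "fritz"), 700)])
    q.write("fred", 333)
    q.write("fritz", 333)
    return dict(q.user_used), q.write("fritz", 167)  # 833 > 700 for the pair


def case_5_2(mapping):
    """qtree_mixed: Shara writes 167 MB to each security-style area."""
    q = Qtree("qtree_mixed", default_user_limit=200,
              user_targets=[(("\\shara",), 450)], mapping=mapping)
    q.write("shara", 167)    # root of the qtree, UNIX security style
    q.write("\\shara", 167)  # ntfs_folder, NTFS security style
    return {k[0]: (used, q._target(k[0])[1]) for k, used in q.user_used.items()}


def case_5_3():
    """Group support (800 MB) blocks Fred; secondary group lab stays at zero."""
    q = Qtree("qtree_UNIX", default_user_limit=700,       # constructed limit
              group_limits={"support": 800, "lab": 500})  # lab limit constructed
    q.write("fred", 333, primary_group="support")
    q.write("fritz", 333, primary_group="support")
    blocked = q.write("fred", 167, primary_group="support")  # 833 > 800
    return blocked, q.group_used.get("support", 0), q.group_used.get("lab", 0)


if __name__ == "__main__":
    print("5.1:", case_5_1())
    print("shared target:", case_shared_target())
    print("5.2 mapped:", case_5_2(True))
    print("5.2 unmapped:", case_5_2(False))
    print("5.3:", case_5_3())
```

The model works in whole megabytes, so the support group shows 666 MB where the guide's report shows 667 MB.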

6. QUOTA MANAGEMENT IN A WINDOWS ENVIRONMENT USING NTP SOFTWARE QFS FOR NAS, NETAPP EDITION

For quota management in a Windows environment using NTP Software QFS for NAS, NetApp Edition: Quota management is needed on data where access will be granted exclusively to Windows users. The data being monitored must be accessed exclusively by CIFS. The /etc/quotas file need not have entries for volumes or qtrees that have quotas managed by NTP Software QFS. NTP Software QFS does not rely on native Data ONTAP quota management. Quota management may be implemented at the volume level, at the qtree level, at the subfolder level, or on individual file types. NTP Software QFS quota management may use Windows groups as objects on which space consumption will be monitored. A global policy can be configured such that a policy can apply to more than one storage system. Quotas can be placed on shares or on folders. Quotas can be placed on all users, which has the effect of Data ONTAP qtree quotas. The result is that all users combined cannot go above the set quota. Quotas can be placed on certain users, which has the effect of Data ONTAP user and group quotas. The result is that the quota applies to every user individually. In addition, NTP Software QFS provides robust end-user support, including pop-up and email messages, a time-limited overdraft allowance, online end-user help, and supporting applications that allow users to manage their own storage more effectively.

6.1. INTRODUCTION TO NTP SOFTWARE QFS FOR NAS, NETAPP EDITION

NTP Software QFS for NAS, NetApp Edition is a real-time, policy-based quota and file management solution for Windows environments. NTP Software QFS uses NetApp file policy functionality for both file policy screening and quota management. NTP Software QFS does not use native Data ONTAP quota management. This allows QFS to bring additional functionality to quota management on NetApp storage systems in a Windows environment. NTP Software QFS for NAS, NetApp Edition gives administrators the ability to manage and control disk space consumption and block or take other action if a user attempts to put unwanted files on storage resources. It has the flexibility to set policies per share, directory, user, or group on storage systems and vfiler storage. NTP Software QFS is not limited to volume or qtree level policies; subfolders within a volume or qtree can be the target of a file policy. Additionally, with NTP Software QFS, global policies can be created where policies apply to multiple storage systems across the enterprise. For instance, if multiple storage systems are used for home directories, a global policy may be implemented that limits each user to the same amount of space for his home directory regardless of which storage system holds the home directory. Each policy can communicate with users via email and pop-ups.

Since NTP Software QFS does not use native Data ONTAP quota management and is a CIFS, file policy based product, QFS cannot monitor and manage quota usage in UNIX style qtrees or mixed qtrees where UNIX security style is effective. It also cannot be used effectively when data is accessed from a UNIX or Linux host, regardless of the security style on the storage system. fpolicy utilizes CIFS protocol, and since NTP Software QFS utilizes fpolicy for both file and quota management, QFS is only effective when data is manipulated from Windows hosts.

NTP Software QFS can be used where the volume or qtree is NTFS or mixed with an effective NTFS security style. Since the effective security style of mixed volumes and qtrees cannot be guaranteed to be NTFS, it is highly recommended that any volume or qtree monitored by NTP Software QFS be created as an NTFS volume or qtree. In addition to Windows users, QFS policies can be applied to Windows groups. This is a significant benefit in Windows-only environments. In the demonstrations below, we will see that a single policy can be applied to multiple Windows users and multiple Windows groups. Additionally, a single folder or file may have several policies that apply to that object. The effective policy is determined with the following logic: If you have two or more disk quota policies placing limits on the same user (or group), QFS will enforce the least restrictive quota limit first. For added control, Disk Quota Policies and File Removal Policies include a check box that can be checked during configuration that lets you "Always enforce" that policy in the case of a conflict when multiple policies apply to a file or folder.

In this case, we will demonstrate:
Initial installation of QFS on one server
Creating a NAS Connector
Creating policies:
   o Policy on user home directories, applied at every individual's home folder.
   o Policy on All Users, applied at the folder level. Analogous to NetApp qtree policy.
   o Policy on Select Users, applied at the folder level. Analogous to NetApp user and group policy.
   o Global folder-based policy. This policy has no analog in NetApp quota management.
Setting up thresholds for alerts and messages
Setting up exceptions in a policy
Setting up notifications in a policy

6.2. INSTALLATION OF NTP SOFTWARE QFS FOR NAS, NETAPP EDITION

QFS will need a similar account to run under as a service. You can use the account you install from or a different one. The host for this application can be Windows 2000 / 2003 / 2008. Data ONTAP 6.5 or higher (excluding version 7.1) is required. Before installation, on the storage system, create the default fpolicy with this command:

fpolicy create default screen

NTP Software QFS installation is easy. If there are no other NTP Software Smart Policy Manager-enabled products on your system, the first part of the QFS installation process involves installing NTP Software Smart Policy Manager. NTP Software Smart Policy Manager provides the policy engine that drives NTP Software QFS. If NTP Software Smart Policy Manager is already on your machine, setup will automatically skip this step. If not, NTP Software Smart Policy Manager installation takes only a few minutes. Once this is complete, QFS installation will automatically begin. After QFS installation is complete, the installation of the NAS connector will begin. A few minutes after this, you will be up and running. A reboot is not required. To begin the install, log in as an administrative account and double-click the executable file provided by NTP.

During installation of NTP Software Smart Policy Manager, the following information needs to be provided:
1) Select components (select NTP Software Smart Policy Manager service and NTP Software Smart Policy Manager admin).
2) Name and password of service account to be used for NTP Software Smart Policy Manager service
3) Path to NTP Software Smart Policy Manager database location (accept default or enter another path)
4) Choose setup type. (Choose First time Installation in the Environment or Adding to Enterprise Installation, whichever is appropriate for this installation.)
5) NTP Software Smart Policy Manager Initial Setup Parameters
   o Organization (This is the top of the enterprise tree. Typically the name of the organization.)
   o Location (2nd tier of the enterprise tree. Could be physical location or organization unit.)

During installation of NTP Software QFS, the following information needs to be provided:
1) Path to installation directory for QFS Program
2) Select components (select Admin and Service).
3) Company name, QFS serial number (license key) and NAS Connector serial number
4) Account type
5) Name and password of service account to be used for QFS service
6) Choose the program folder. (Default is NTP Software NTP Software Smart Policy Manager.)

Now, we need to configure our application to use the NAS Connector. Start the QFS management application by clicking on Start > All Programs > NTP Software QFS for NAS > NTP Software QFS for NAS Admin.

6.3. CREATION OF THE NAS CONNECTOR

CURRENT CONFIGURATION OF NTP SOFTWARE SMART POLICY MANAGER & NTP SOFTWARE QFS

Before adding a NAS Connector, let's view the current configuration. The initial NTP Software QFS installation automatically adds to the global tree the Windows Server on which it is installed. A Quota and File Sentinel Policy object is also added under this server. A storage system to be managed through the NTP Software Smart Policy Manager organization must be added manually. This is accomplished with three additional steps, as described below. One storage system, eddie, has already been added to the tree. Additionally, a Quota and File Sentinel Object has been added to the eddie object. This demonstration will go through the three steps to add another storage system and sentinel to the organization. Our NTP Software Smart Policy Manager tree currently has this structure:

ADDING A STORAGE SYSTEM TO THE NTP SOFTWARE QFS MANAGEMENT SERVER

1) Tell the application that you want to manage a storage system. Under the Dell15550-16 Server Object, right-click on the Quota and File Sentinel Object and choose Properties. At the NAS Connector Window, click Add and enter the name of storage system to which a connection is to be made. Click OK.

2) Add the storage system to the NTP Software Smart Policy Manager tree: Right-click on the Java Container Object under the NAS Container Object and choose New Filer. At the NewFiler window, enter the name of storage system, heckle, to which a connection is to be made. Click OK.

3) Add a Quota and File Sentinel Application to storage system heckle.

From the graphic above, we can see that heckle is added to the Java location, but it has no objects under it. We must now add a Quota & File Sentinel Application to heckle. Right-click on the heckle Filer Object and select New Quota & File Sentinel Application. Then click OK.

4) The addition of the NAS connector is now complete. At this point, disk quota policies and file control policies can be configured for heckle.

6.4. CREATION OF QUOTA POLICIES WITH NTP SOFTWARE QFS

The next sections will demonstrate creation of quota policies with NTP Software QFS. Storage systems eddie and heckle will be used for this exercise. The Windows AD domain ellie.com and the NIS domain ellie will be used. All users and group information can be found at the beginning of this technical report. Even though QFS can only manage quotas and files accessed through CIFS, NIS will still be important in this scenario. With CIFS access, a user name is always mapped to its UNIX counterpart prior to access being granted. If the storage systems are configured to use NIS for UNIX user lookups, the NIS server must be available and appropriate name mappings must exist. Below is specific configuration information for the storage systems eddie and heckle. Following this are specific quota policy examples.

CONFIGURATION OF EDDIE AND HECKLE

1) Quotas file

For this case study, all volumes that will be monitored by NTP Software QFS for NAS will not have entries in the storage system's /etc/quotas file. Monitoring of all data in these volumes will be accomplished with QFS.

2) Usermap.cfg

In NetApp mixed protocol environments, data on volumes and qtrees with NTFS security style can be accessed from either UNIX hosts or Windows hosts. If both CIFS and NFS are licensed and data is accessed that has NTFS effective security in place, Data ONTAP always maps the Windows user ID to the analogous UNIX user. This happens regardless of whether access is from a UNIX host or a Windows host. If a UNIX user name and Windows user name are the same, the mapping occurs automatically. If the user names are not the same, appropriate entries must be made in the /etc/usermap.cfg file.

Below is the usermap.cfg file for the two storage systems used in the case. Note: Other user names used in this case (such as Terry, Verde, Margo, Linda, and Liz) do not need entries in the /etc/usermap.cfg file because their UNIX and Windows user names match. Mappings are necessary only if you have users whose names do not match or the storage administrator wishes to map a user to a different corresponding identity.

3) Volumes and qtrees created on eddie and heckle for use in this case Eddie and Heckle have had volumes and qtrees created for this case. The volume names and qtree names are the same between the two storage systems. Note that all volumes and all qtrees are NTFS security style.

CREATION OF A DEFAULT USER HOME DIRECTORY QUOTA POLICY ON HECKLE

This quota policy will be applied to all users in the Users home directory. This policy will grant each user 400 MB of space inside his home directory.

1) In the tree pane, under heckle, expand the Quota & File Sentinel Application hierarchy.

2) Right-click on Disk Quota Policies and select New--> Folder Policy Using Directories.

3) The directory that we will choose could be the root of a volume, a qtree, or an actual folder. QFS is not limited to policies on qtrees and volumes.

4) In the New Quota Directory Policy window, select the General tab. Enter a name for your policy and a description.

If more than one Disk Quota Policy is applied to the directory or share that this policy is managing, the Always enforce this one option can be chosen to ensure that this policy will always be enforced, even if other policies would normally affect this one.

5) Select the Quota tab; set an Absolute Quota Limit of 400 MB. Check the Deny Writes at 100% of Quota option.

For the default home policy, we will not allow the users to have any Overdraft limits. Users will not be able to go above the 400 MB limit in their home directory under any circumstances. Overdraft protection would have given them the right to exceed the limit for a specified period of time. We will configure this protection later on a different policy.

6) Select the Thresholds tab.

By default, there is already a threshold configured: At Quota 100%. To add more thresholds, select the Add button and fill in the information you want for that threshold. As space is consumed, these thresholds are triggered. Each threshold can send e-mails or popup messages to users or network administrators, or can trigger a process such as deletion of .TMP files or starting an archive to tape. The messages sent when thresholds are triggered can be customized.

7) Double-click on the At Quota 100% threshold and the Threshold Properties dialog box displays.

The pop-ups will already be selected. If QFS is configured for e-mail, then check the box for Email to the Triggering User. The Messages tab lets you customize the text of the messages that will be sent. The Commands tab allows you to specify a program, script, or batch file that will be run when the threshold is reached. Other Recipients is configured on the main policy page, and may be someone such as Storage Administrators. Owner is the owner of the policy object defined in this policy (the defined directory or share in the directories or shares tab).

8) Select the Directories tab. Click on the New tab and type in \vol\ntp1\ntp1qtree1\home\*.

When applying a folder policy through QFS, the entire path to the folder is entered, starting with \vol\. The asterisk indicates that this policy applies to each subdirectory in the path and not the subdirectory itself. The slashes in the path follow the Windows convention, not the UNIX convention. An error will be encountered if the leftward leaning, Windows-style slashes are not used in the path.

9) Select the Managed User and Groups tab. Confirm that this policy applies to All Users.

All Users is chosen, since this is a default policy to be applied at each subdirectory within the home directory. When the directive All Users is used in the policy, it means that all users' space consumption combined is used for the calculation of percentage of space used that is applied toward the quota limit. Since this policy applies to each subdirectory, with each user having a subdirectory of his own, this is appropriate. Each subdirectory will have a 400 MB limit, with each home folder being accessible to its owner. For policies where each user's space usage is to be considered separately, this directive would not be appropriate. Instead, we would choose Certain Users and indicate which groups or users are covered by the policy.

10) Select the Exempt User and Groups tab.

Confirm that this policy is exempt for Administrators and other appropriate groups. If other groups or users need to be exempt from this policy, click Add and add groups or users. The groups or users would typically be chosen from the Windows AD domain to which the storage system belongs or from a domain trusted by the storage system's domain.

11) Click OK to complete the configuration of this quota policy.

The creation of the Home Directory on Heckle Quota Policy is complete. The only home directory currently in the home folder belongs to Frederick. The files already present put him over the default quota. Frederick will not be able to add more data to his folder until he deletes enough data to put him under the quota limit.

12) Home directory policy on heckle

Frederick has deleted some of the data in his folder and a folder has been created for Thomas, which he has used for data storage. The current view for this policy is below.

CREATION OF FOLDER BASED POLICY -- EACH DOMAIN USER HAS A QUOTA LIMIT: POLICY ANALOGOUS TO NETAPP DEFAULT USER/GROUP QUOTA

1) In the tree pane, under heckle, expand the Quota & File Sentinel Application hierarchy.

2) Right-click on Disk Quota Policies and select New--> Folder Policy Using Directories.

The directory that we are going to choose could be the root of a volume, a qtree, or an actual folder. QFS is not limited to policies on qtrees and volumes.

3) On the New Policy window, select the General tab. Enter a name for your policy and a description.

If more than one Disk Quota Policy is applied to the directory or share that this policy is managing, the Always enforce this one can be chosen to ensure that this policy will always be enforced, even if other policies would normally affect this one.

4) Select the Quota tab, and set an Absolute Quota Limit of 700 MB. Check the Deny Writes at 100% option but also check the Allow an Overdraft of option and allow an overdraft of 10% for 60 minutes.

For the tech_support policy, we will allow the users to have Overdraft limits. There is still a hard limit of 700 MB per user, but users will temporarily be able to go above the 700 MB per user limit by 10% for one hour. Overdraft protection gives users the flexibility to exceed the limit for a specified period of time. This allows the user to continue with his immediate work, but the user must get his usage down below the limit within the hour.

5) Select the Thresholds tab. Click on Add to set up another threshold.

Enter 85% for Percent of Quota. Under Send to Triggering User, select Email, User Name Pop-up, and Computer Name Pop-up. Any user who has exceeded 85% of his threshold will be sent an e-mail, will have a User Name Pop-up message sent, and will have a Computer Name Pop-up sent.

6) Select Triggering User Messages tab and enter the text that should be sent in the e-mail and the pop-up messages. Click OK.

Thresholds are configured for 85% and 100% of the quota limit.

7) Select the Directories tab. Click on Add.

Type \vol\ntp2\ntp2qtree2 in the New Directory box and click on OK. When applying a folder policy through QFS, the entire path to the folder is entered, starting with \vol\. The slashes in the path follow the Windows convention, not the UNIX convention. An error will be encountered if the leftward leaning, Windows-style slashes are not used in the path.

8) Select the Managed Users and Groups tab. Select Certain Users.

Certain Users is chosen because this is a policy that is to be applied to each user individually, not cumulatively. When a policy is applied individually, each user is allocated the amount of space in this directory that is indicated in the quota tab. (If a policy is applied cumulatively, that is, to all users, all the users' space consumption together must be below the quota limit. This is similar to NetApp qtree quotas. This is not what we want in this policy. A later example will illustrate implementing a policy which applies cumulatively to all users within a directory.)
   1) Click Add to bring up the Enter a Windows NT account box.
   2) Click on Browse. This brings up the Choose Account window.
   3) Use the drop down in the Select Domain to select the desired domain, and then choose the user or group to whom this policy will apply.
   4) Multiple groups and individuals can be chosen for each policy. For this policy, choose the Tech_Support group and click OK.

49

9) Select the Exempt Users and Groups tab.

Confirm that Administrators and other appropriate groups are exempt from this policy. If other groups or users need to be exempt from this policy, click Add and add groups or users. The groups or users would typically be chosen from the Windows AD domain to which the storage system belongs, or from a domain trusted by the storage system's domain.

10) Click OK to complete the configuration of this quota policy.

The creation of the Tech_Support Quota Policy is complete. There are currently no files saved in this folder. The quota policy will only apply to the Tech_Support group. In order to prevent other users from adding or modifying data in this folder, appropriate NTFS permissions need to be applied.

CREATION OF FOLDER BASED POLICY -- ALL DOMAIN USERS HAVE A CUMULATIVE QUOTA LIMIT: POLICY ANALOGOUS TO NETAPP QTREE QUOTA

1) In the tree pane, under heckle, expand the Quota & File Sentinel Application hierarchy.

2) Right-click on Disk Quota Policies and select New Folder Policy Using Directories. The directory that we are going to choose could be the root of a volume, a qtree, or an actual folder. QFS is not limited to policies on qtrees and volumes.


3) On the New Quota Directory Policy window, select the General tab. Enter Engineer as your Policy Name and, if desired, enter a description.

Check the When more than one policy applies: Always enforce this one option. If more than one Disk Quota Policy is applied to the directory or share that this policy is managing, the Always enforce this one directive will ensure that this policy will always be enforced, even if other policies would normally affect this one.


4) Select the Quota tab and set an Absolute Quota Limit of 2000 MB. Check the Deny Writes at 100% option but also check the Allow on Overdraft of 10% option and check the box No Time Limit on Overdrafts.

For the engineer policy, we will allow an Overdraft on the amount of space that users can cumulatively add to this folder. There is still a hard limit of 2000 MB, but users will be able to go above the 2000 MB limit by 10%. There is no limit on the amount of time that this quota can be exceeded. This would be a wise choice for a folder where critical work is saved and for which a number of people have to be consulted on reduction. It is the responsibility of the users managed by this policy to ensure that they reduce the space usage when they receive warnings.

5) Select the Thresholds tab. Click on Add to set up another threshold.

Under Threshold Settings, click on Deny Write Threshold. This indicates that a threshold message should be generated when the quota limit has been reached. For this policy, we allow an indefinite overdraft of 10%; therefore, this threshold will warn users at the limit. It would be appropriate to warn users at 85% of threshold as well. Under Notification message to send when threshold is reached, in the Send to Triggering User group, check the Email, User Name Pop-up, and Computer Name Pop-up options. Under Send to Other Recipient, click on Email & User Name Pop-up.

6) Select the Triggering User Messages tab and enter the text that should be sent in the email and pop-up message.


7) Click on "Other Recipient Messages" and enter warning messages. Other recipients are defined on a per-policy basis and are usually storage or network administrators or others who would be responsible for managing space.

8) Threshold warnings are configured as shown below.


9) Select the Directories tab. Click on the Add tab. Type \vol\ntpDirectory in the New Directory box and click OK.

Note that the chosen directory for this policy, engineer, is not a qtree. It is a directory created in the root of the ntp1 volume. When applying a folder policy through QFS, the entire path to the folder is entered, starting with \vol\. The slashes in the path follow the Windows convention, not the UNIX convention.

10) Select the Managed Users and Groups tab and select All Users. All Users is chosen because this is a policy that is to be applied cumulatively to all users to which this policy applies.

If a policy is applied cumulatively (that is, to all users), all the users' space consumption together must be below the quota limit. This is similar to NetApp qtree quotas. All users combined are limited to 2000 MB of space usage in the engineer directory.

11) Select the Exempt Users and Groups tab.

Confirm that administrators and other listed groups are exempt from this policy. If other groups or users need to be exempt from this policy, click Add and add groups or users. The groups or users would typically be chosen from the Windows AD domain to which the storage system belongs, or from a domain trusted by the storage system's domain.

12) Click OK to complete the configuration of this quota policy.

The creation of the Engineer Quota Policy is complete. There are currently no files saved to this folder. The quota policy will apply to all users. In order to prevent users other than engineers from accessing this folder, appropriate NTFS permissions need to be applied.


CREATION OF A GLOBAL SHARE BASED POLICY -- EACH DOMAIN USER HAS A QUOTA LIMIT: POLICY ANALOGOUS TO NETAPP DEFAULT USER/GROUP QUOTA THAT APPLIES ACROSS FILERS

NTP Software Smart Policy Manager, the framework under which QFS functions, allows you to organize your quota & file policies in a way that is a unique fit to your organization. Once you have laid out your management structure, NTP Software Smart Policy Manager provides policy replication throughout your enterprise. It allows storage systems to access the policies in their container and to inherit policies from all levels above that point in your hierarchy. As we start to configure a global, share based policy, we begin with our location container, Java, the top-level container under the root object.

1) Creating a Global Quota & File Sentinel Application

At this time, we have three server objects in our organization (the default server object and two storage system objects). Each of the two storage systems has policies that are configured at the storage system level and apply only to the individual appliance. What we need to do is create a configuration container for QFS whose scope extends beyond individual storage systems. To do this we will add the Quota & File Sentinel Application to the location object, Java, as illustrated below.

Highlight Java. Right-click and select New Quota & File Sentinel Application. We now have a Quota & File Sentinel Application that resides directly inside the Java location. All policies created in this object will be inherited by heckle.


2) Create a New Global Quota Policy Using Shares

In the tree panel, under the Java object, expand the Quota & File Sentinel Application hierarchy. Right-click on Disk Quota Policies and select New Folder Policy Using Shares.

3) On the General tab enter Global_public in the Policy Name window.

4) Select the Quota tab and enter an Absolute Quota Limit of 500 MB and check the Deny Writes at 100% of Quota option.


This policy will not have an Overdraft. The 500 MB limit for each individual user will be absolute with no grace period. Often, in a public folder, the data being written is not crucial to business operations. In this case, users should take the time to reduce their space consumption immediately.

5) Select the Managed Users and Groups tab and select Certain Users.

For this policy, we want the quota limit to apply to each user individually, not cumulatively. Therefore, we must choose Certain Users. Since this is a public share, the group Domain Users will be given NTFS permissions to the public shares. Therefore, this is the appropriate group to place in Managed Users and Groups. Members of Domain Users will have an individual limit of 500 MB to the Public shares. Click OK.

6) Click on the Shares tab and click Add. Enter the name of the share to be managed, public, and click OK.

With policies based on Shares, the full path to the share is not entered. Instead, the name of the share is used when creating the policy. Since this is a global policy that will be inherited by both eddie and heckle, the public share must already exist on both storage systems. The share can be created on the root of the volume, the qtree, or any subfolder within the qtree or volume. Below is output from both storage systems that indicates that, even though the share names are the same, the path to the actual storage behind the share is not. Thus, QFS's ability to create policies on shares provides a convenient way to manage storage across storage systems in a global policy.

7) In this example we will leave the Other Recipients, Thresholds, and Exempt Users and Groups at their defaults. To see more specific examples of configuring these parameters, refer to the examples above. Click OK to complete policy creation.

8) The Global Policy Object:

After creating a global policy, NTP Software Smart Policy Manager replicates the policy down to other objects below. We can see that the Global_Public policy has been replicated to both eddie and heckle. Space usage will be tracked separately on each storage system. A global policy does NOT mean that the users have 500 MB of space allocated between both storage systems, with QFS tracking usage on both storage systems together. Rather, a global policy means that users have a quota of 500 MB. Each domain user will have a cumulative limit of 1000 MB -- 500 MB on each storage system.

That kind of policy allows some flexibility for users. It may be more convenient to save public data to one storage system in one circumstance and to another storage system in another circumstance. Global policies can also be implemented on home directories. In that case, administrators could set up one single policy that applies to more than one storage system and place new employee home folders on the most convenient storage system.

SUMMARY OF RESULTS

NTP Software QFS for NAS, NetApp Edition provides some significant benefits in quota and file management of NetApp storage systems when managing data accessed from hosts based on Microsoft Windows.

NTP Software QFS provides the ability to configure and manage quotas at the directory, share, or file level. The directories are not limited to the volume or qtree level, but can also apply to a directory that has been created inside the volume.

NTP Software QFS provides the ability to use Windows Users and Groups as targets for management. This is a significant benefit for storage in NetApp volumes that are accessed solely from Windows hosts.

NTP Software QFS can manage policies at a global level. A policy can be created in the hierarchy and will be inherited by all objects below. This allows storage administrators to create one policy that applies to more than one storage system.

NTP Software QFS share and directory policies can have more than one target. Two or more directories or two or more shares can be managed by the same policy. The choice can be made to apply the quota separately to each directory or share or to apply them to the combined targets.

NTP Software QFS has many configurable parameters that allow for flexibility, such as the ability to allow a grace period after a quota limit is reached.

QFS would not be a viable solution if users are accessing data controlled by policies from both UNIX and Windows machines. QFS manages policies through NetApp fpolicy and only successfully manages quotas on data accessed via qtrees or volumes.

7 FILERVIEW QUOTA MANAGEMENT AND FILERVIEW QUOTA REPORTING

7.1. FILERVIEW QUOTA MANAGEMENT INTERFACE

FilerView can be used to manage quotas on NetApp storage systems and to view the output of quota reports. The GUI is accessed through the FilerView URL: http://filer_hostname/na_admin . Please replace the "filer_hostname" and "na_admin" fields with your actual data. Quota management and reporting are accessed within the Volume Module. The following sub-modules are available:

1) Add: A wizard that goes through the steps for addition of a new rule.
2) Edit Rules: Allows the storage manager to edit existing rules.
3) Manage: GUI interface for execution of the quota command. Quota on, off, and resize can be executed from here.
4) Report: This sub-module is an interface to the storage system quota report command.

FILERVIEW QUOTA MANAGEMENT INTERFACE - ADD A QUOTA RULE

To create a new Quota Rule, select Quota > Add. The quota rule wizard is launched. The rule wizard is context-sensitive. The actual content of each wizard screen is dependent on choices made at each previous step. Below are the screens encountered when adding a new user quota.

FILERVIEW QUOTA MANAGEMENT INTERFACE - EDIT A QUOTA RULE

This sub-module is a convenient interface for editing an existing quota rule. After applying the rule, FilerView updates the /etc/quotas file and performs a quota resize for immediate implementation of modifications on existing rules.

FILERVIEW QUOTA MANAGEMENT INTERFACE - RUN A QUOTA COMMAND

Perform a quota on, quota off, or quota resize on specified volumes in this GUI. If a new rule is added, the quota off and quota on commands must be run, either through FilerView Manage or at the storage system CLI, in order to implement the new rules.

7.2. FILERVIEW QUOTA REPORTING INTERFACE

To view the quota report, click on the sub-module Quotas > Report.

8 DFM QUOTA MANAGEMENT & REPORTING

8.1. DFM QUOTA MANAGEMENT

Data Fabric Manager (DFM) provides the ability to manage existing user and group quotas and view report information across all storage systems from one centralized location. The Quota Management and Reporting functionality is enabled with the Core License and is accessed through the Quotas Tab. If SRM is licensed, Quota Management and Reporting functionality is accessed through the SRM tab.

The prerequisites for monitoring & managing user quotas are:

The storage systems on which you want to monitor user quotas must have Data ONTAP 6.3 or later installed.

The storage systems on which you want to monitor user quotas must have Data ONTAP 6.4 or later installed.

You must configure the storage systems' root login name and root password in DFM for the storage systems which you wish to monitor and manage. You configure the login name and password for the storage system on the Edit Appliance Settings page: Appliance Tab > appliance_name > Tools > Edit

You must configure the /etc/quotas file and enable quotas for every volume to be managed and monitored by DFM prior to using DFM for Quota Management and Monitoring.

Note: As of version DFM 3.2, DFM does not have the ability to add quota rules or turn quotas on or off. DFM can edit existing user and group rules. After edits are applied, DFM automatically prompts the storage system to run the quota resize command. Additionally, DFM up to and including version 3.2 cannot be used to edit quotas if the /etc/quotas file contains either the DDirective or the User Quota Mapping Directive. Below is a summary of Quota Management and Monitoring using Data Fabric Manager 3.2. For more information on DFM, consult the Data Fabric Manager Information Library at: http://now.netapp.com/NOW/knowledge/docs/DFM_win/dfm_index.shtml.


DFM CONTROL CENTER - QUOTA TAB

Quota Management and Monitoring are done through the DFM Control Center. To access the control center, start a session with DFM through the management web URL, http://mgmt_station:8080. To begin, click on Control Center and then click on the Quotas Tab. Under the View Menu, choose User Quotas, All for a summary of quotas per person.

DFM CONTROL CENTER QUOTA TAB - EDIT USER SETTINGS

To edit a user's settings, from the User Quotas, All view, click on the user name to bring up information specific to that user. Click on Edit Settings. A user's e-mail notification settings and threshold settings can be configured in this window.

DFM CONTROL CENTER QUOTA TAB - EDIT QUOTA SETTINGS

To edit existing quota space and file limits, from the User Quotas, All view, click on a disk space limit, a file limit, or a threshold value. This will bring up the Edit Quotas Settings window. From this window, new or revised space limits, file limits, thresholds, and soft limits may be configured. The quota rule must already exist, but new entries to the existing rule may be made.

8.2. DFM REPORTING INTERFACE

DFM has a number of report views available for quota monitoring. Additionally, DFM has the ability to send Alerts to Administrators.

DFM REPORTING INTERFACE - AVAILABLE USER QUOTA REPORTS

The Quota tab is the primary interface for Quota Reporting and Monitoring. The available reports and views are shown in the graphic below:

DFM REPORTING INTERFACE - USER QUOTA GRAPHS

In addition to the main summary page, User Quotas, All, a graphical representation is available. To see the graphical representation, from the Views menu, choose User Quotas, Graph.

DFM REPORTING INTERFACE - EVENTS

Events related to Quota Monitoring can be viewed by clicking on the Events tab and then choosing User Quota Events in the View menu. A representation of the Events display is displayed below.

DFM REPORTING INTERFACE - ALARMS

Alarms are configured through DFM Alarms Center. To configure alarms, click on Alarms on the main DFM Menu Bar.

9 SUMMARY AND CONCLUSIONS

Data ONTAP provides native quota management which can be used to control space and file usage at the volume and qtree levels. Space and file usage can be managed by Windows user, UNIX user, and UNIX group. If the Quota Mapping Directive is used within the /etc/quotas configuration file, combined usage for a user's UNIX identity and Windows identity can be tracked. This allows accurate quota management even if a user is accessing data that is in a mixed qtree where some portions of the data may have NTFS effective security style and some portions of the data may have UNIX effective security style.

Since qtrees are often used as departmental and project boundaries, it is beneficial to be able to limit a qtree to a certain amount of space within the volume. This is accomplished with qtree quotas. This prevents particular qtrees from taking more space within the volume than is desired.

NTP Software QFS for NAS, NetApp Edition provides some significant benefits for space quota management within qtrees and volumes which have an NTFS effective security style. QFS allows quota management at the volume, the qtree, and the folder level. The quota management level is not limited to the volume and qtree level as it is in Data ONTAP quota management. Additionally, Windows groups can be used as the entity on which to place quota management. This is a significant benefit for Windows environments. With QFS, a global policy can be implemented that allows storage administrators to implement a single policy which will be inherited by all storage systems below the global policy and will be enforced on each of those storage systems.

10 REFERENCES

Data ONTAP Documentation -- Storage Management User Guide: http://now.netapp.com/NOW/knowledge/docs/ontap/ontap_index.shtml
NTP Software QFS Quick Start and Evaluation Guide: http://www.ntpsoftware.com
NTP Software QFS Online Help
DataFabric Manager 3.2 User Guide: http://now.netapp.com/NOW/knowledge/docs/DFM_win/rel32/html/admin/index.htm

11 APPENDICES

APPENDIX A: THE QUOTA COMMANDS

The quota commands control quotas, and the /etc/quotas file describes the quotas to impose. The quota command functionality is outlined below.

Quota On

quota on volume

Activates quotas in the specified volume based on the contents of /etc/quotas. Changing /etc/quotas has no effect until the next time quota on or quota resize is executed. When quotas are first turned on, the storage system scans the file system to determine current file and space usage for each user and group with a quota. On volumes with large file systems, the initialization can take considerable time. During initialization, quotas are not in effect, although the file system is still accessible. Since initialization uses system resources, it is recommended that, if feasible, initializations be done during non-peak storage system usage.

Quota Resize

quota resize volume

Adjusts currently active quotas in the specified volume to reflect changes in the /etc/quotas file. For instance, if you edit an entry in /etc/quotas to increase a user's quota, quota resize will cause the change to take effect. Quota resize can be used only when quotas are already on. Because it does not rescan the file system to compute usage, quota resize is faster than turning quotas off and then on again. Quota resize will apply all updated entries in /etc/quotas; however, it will generally ignore newly added entries.

Quota Off

quota off volume

Turns quotas off on the specified volume.
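The difference between quota resize (applies updated entries, generally ignores newly added ones) and quota off followed by quota on (full reinitialization) can be checked before a change is applied. The following Python is an added example, not part of the white paper or of Data ONTAP: it compares two versions of /etc/quotas and returns the command sequence each volume needs. It assumes a simplified file layout (whitespace-separated fields, one target per line, directive lines beginning with QUOTA_), treats removed rules like added ones as a conservative assumption, and uses constructed sample files in which /vol/ntp2/projects is a hypothetical qtree.

```python
# Added example (not from the white paper): pick the quota command that a
# change to /etc/quotas needs on each volume.
LIMIT_FIELDS = 5  # disk, files, threshold, soft disk, soft files


def parse_quotas(text):
    """Map (target, type) -> limits tuple for every rule line.

    Assumptions: fields are whitespace-separated, '#' starts a comment,
    one target per line, and directive lines (QUOTA_...) are not rules.
    """
    rules = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].startswith("QUOTA_"):
            continue
        # Omitted trailing limits and "-" both mean "no limit": pad so that
        # the two spellings compare equal.
        limits = fields[2:] + ["-"] * LIMIT_FIELDS
        rules[(fields[0], fields[1])] = tuple(limits[:LIMIT_FIELDS])
    return rules


def volume_of(target, qtype):
    """Volume name from 'user@/vol/<name>...' or from a /vol/<name>/... target."""
    path = qtype.split("@", 1)[1] if "@" in qtype else target
    parts = path.split("/")
    if len(parts) >= 3 and parts[0] == "" and parts[1] == "vol":
        return parts[2]
    return None


def plan(old_text, new_text):
    """Return {volume: [commands]} for the volumes whose rules changed."""
    old, new = parse_quotas(old_text), parse_quotas(new_text)
    need = {}
    for key in sorted(set(old) | set(new)):
        if old.get(key) == new.get(key):
            continue  # rule unchanged
        vol = volume_of(*key)
        if vol is None:
            raise ValueError(f"cannot determine volume for rule {key}")
        if key in old and key in new:
            need.setdefault(vol, "resize")   # existing entry, new limits
        else:
            need[vol] = "reinitialize"       # added (or removed) entry
    return {
        vol: [f"quota resize {vol}"] if how == "resize"
        else [f"quota off {vol}", f"quota on {vol}"]
        for vol, how in need.items()
    }


# Constructed sample files (not taken from a real storage system).
OLD = """\
#Quota target         type            disk
*                     user@/vol/ntp1  500M
/vol/ntp2/ntp2qtree2  tree            2000M
"""
NEW = """\
*                     user@/vol/ntp1  700M    # limit raised
/vol/ntp2/ntp2qtree2  tree            2000M
/vol/ntp2/projects    tree            1000M   # newly added rule
"""

if __name__ == "__main__":
    for volume, commands in plan(OLD, NEW).items():
        print(volume, "->", "; ".join(commands))
```

Because reinitialization rescans the file system and quotas are not in effect while it runs, the volumes that come back with quota off / quota on are the ones to schedule for non-peak hours.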

Quota Logmsg

quota logmsg

Allows the user to specify a time interval for a volume during which quota messages for that volume will be disabled. The options provided are:

on { } If this option is specified, quota messages will be logged after every . The default interval rate is 60 minutes. If continuous logging is desired, an interval of 0 should be specified.

off If this option is specified, quota messages will not be logged.

-v If it is desirable for non-default logging options to apply to only specific volumes, this option may be used to specify a volume name.

all To return to the condition where all volumes have the same logging interval, use this option to specify an interval that applies to all the volumes in the system.

Quota Allow/Disallow

quota allow volume
quota disallow volume

These two options became available in Data ONTAP 6.5 and later. These commands enable and disable quotas on the specified volume. These commands are only supported when MultiStore is licensed. By default, quotas are enabled on all volumes. However, if the administrator wishes to have quotas enabled only on certain volumes, use these two commands to control quota enablement on vfiler volumes.

The physical storage system administrator can disallow quotas on a volume that contains storage that belongs to one or more vfilers. This will turn quotas off for all vfilers that have storage on that volume. Quotas may not be turned on again until a quota allow command is issued for the volume. The quota allow/disallow commands are run from the vfiler0 context.

Use the quota allow command to re-enable quotas on a volume after quotas have previously been disabled by a quota disallow command. After the quota allow command is run from the vfiler0 context, a quota on command is issued from the appropriate vfiler context. Before turning quotas on for any vfiler volume, the vfiler must have a configured quotas file in its /etc directory.

Quota Report

quota report

This command prints the current file and space consumption for each user or group with a quota and for each qtree to the storage system console. If the storage administrator desires to parse the output of the file and look for specific