Admin Guide Overview

From OSNEXUS Online Documentation Site
Revision as of 13:54, 14 April 2015 by Qadmin (Talk | contribs)


The QuantaStor Administrators Guide is intended for all administrators and cloud users who plan to manage their storage using QuantaStor Manager as well as for those just looking to get a deeper understanding of how the QuantaStor Storage System Platform (SSP) works.

Storage System Management Operations

When you initially connect to QuantaStor Manager you will see the "Features Management Tab" with tabs named "Storage Management," "Users & Groups," etc. The "Ribbon Bar" is below the Features Management Tab with items such as "Storage System," "Storage Volume," etc. The "Stack/Tree View" appears on the left side of the screen. The diagram below shows these three sections:

Main Tree View & Ribbon-bar / Toolbar

By selecting different tabs from the "Features Management" tab, the items in both the Ribbon Bar and Stack/Tree View change to reflect the available options. In turn, selecting different items from the Ribbon Bar changes the items in the Grid/Tree panel.

Note also that you can right-click on the title-bar for each stack item in the tree view to access a pop-up menu. You can also right-click on any object in the UI to access a context sensitive pop-up menu for that item.

License Management

QuantaStor has two categories of license keys: 'System' licenses and 'Feature' licenses. The 'System' license specifies all the base features and capacity limits for your storage appliance, and most systems have just a single 'System' license. 'Feature' licenses stack on top of an existing 'System' license and allow you to add features and capacity to an existing 'System'. In this way you can start small and add more capacity as you need it. Note also that everything is license key controlled with QuantaStor, so you do not need to re-install to go from a Trial Edition license to a Silver/Gold/Platinum license. Simply add your new license key and it will replace the old one automatically.

Recovery Manager

The 'Recovery Manager' is accessible from the ribbon-bar at the top of the screen when you log in to your QuantaStor system, and it allows you to recover all of the system meta-data from a prior installation. The system metadata includes user accounts, storage assignments, host entries, storage clouds, custom roles and more. To use the 'Recovery Manager' just select it, then select the database you want to recover and press OK. If you choose the 'network configuration recovery' option it will also recover the network configuration. Be careful with that option as it will most likely drop your current connection to QuantaStor when the IP address changes, and if something goes wrong you'll need to log in at the console to find out what the new IP addresses are. In the worst case scenario you may need to manually edit the /etc/network/interfaces file as per the same procedure one would use with any Debian/Ubuntu server.
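If you do end up editing the network configuration by hand, a minimal static stanza in /etc/network/interfaces looks like the sketch below; the interface name and addresses are examples only, so substitute your own values:

```
auto eth0
iface eth0 inet static
    address 192.168.0.10
    netmask 255.255.255.0
    gateway 192.168.0.1
```

After saving, restarting networking (or the appliance) brings the interface up with the new address.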

Recovery manager.png

Upgrade Manager

The Upgrade Manager handles the process of upgrading your system to the next available minor release version. Note that Upgrade Manager will not upgrade QuantaStor from a v2 to a v3 version; that requires a re-installation of the QuantaStor OS and then recovery of meta-data using the 'Recovery Manager'. The Upgrade Manager will display the available versions for the four key packages, which include the core services, web manager, web server, and SCSI target drivers. You can upgrade any of the packages at any time and it will not block iSCSI access or NFS access to your appliance. With upgrades to the SCSI target driver package you will need to restart your storage system/appliance for the new drivers to become active. Note also that you should always upgrade the manager and service packages together; never upgrade just one or the other as this may cause problems when you try to login to the QuantaStor web management interface. On occasion we'll see problems with an upgrade and so we've written a troubleshooting section on how to work out those issues here: Troubleshooting Upgrade Issues

System Checklist

The 'System Checklist' aka 'Getting Started' will appear automatically when you login anytime there is no license key assigned to the system. After that you can still bring up the System Checklist by selecting it from the ribbon-bar. As the name implies, it will help you configure your system and in the process help you get acquainted with QuantaStor.

System Hostname & DNS management

To change the name of your system you can simply right-click on the storage system in the tree stack on the left side of the screen and then choose 'Modify Storage System'. This will bring up a screen where you can specify your DNS server(s) and change the hostname for your system as well as control other global network settings like the ARP Filtering policy.

Physical Disk Management

Identifying physical disks in an enclosure

When you right-click on a physical disk you can choose 'Identify' to force the lights on the disk to blink in a pattern, which it accomplishes by reading sector 0 on the drive. This is very helpful when trying to identify which disk is which within the chassis. Note that this technique doesn't work for logical drives exposed by your RAID controller(s), so there is a separate 'Identify' option for the hardware disks attached to your RAID controller which you'll find in the 'Hardware Controllers & Enclosures' section.

Scanning for physical disks

When new disks have been added to the system you can scan for them using the 'Scan for Disks' command. To access this command from the QuantaStor Manager web interface simply right-click where it says 'Physical Disks' and then choose 'Scan for Disks'. Disks are typically named sdb, sdc, sdd, sde, sdf and so on. The 'sd' part just indicates SCSI disk and the letter uniquely identifies the disk within the system. If you've added a new disk or created a new Hardware RAID Unit you'll typically see the new disk arrive and show up automatically, but the rescan operation can explicitly re-execute the disk discovery process.
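If you want to double-check what the operating system itself sees, the kernel's block device list can be inspected from the console; this is a generic Linux check, not a QuantaStor-specific command:

```shell
# Each entry under /sys/block is a block device the kernel has discovered;
# after a rescan, a newly added disk shows up as an additional sdX entry.
ls /sys/block
```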

Importing disks from an Open-ZFS pool configuration

A script included with QuantaStor called qs-zconvert may assist you with importing a storage pool from other Open-ZFS based solutions. QuantaStor has a special naming convention for the storage pools (ZPOOLs) and storage volumes (ZVOLs) which the conversion script will take care of. Note that this command must be run from the console/ssh while logged in as root ('sudo -i').

qs-zconvert is a helper utility for importing ZFS pools and converting them to QuantaStor naming format.
This makes it so that foreign zpools can be managed as a QuantaStor Storage Pools while retaining all
their original data.
WARNING: Please backup your data before converting. This tool has been shown to be reliable but not every
         combination of ZFS to ZFSonLinux has been tested or is guaranteed to work.

Usage:

    qs-zconvert list                   : Displays a list of all the pools available for importing
    qs-zconvert listall                : Displays a detailed list of all the pools available for importing
    qs-zconvert import POOLNAME        : Imports and converts the zpool and associated zvols into QuantaStor naming format
    qs-zconvert convertvols POOLNAME   : Converts just the ZVOLs to QuantaStor UUID format naming conventions
    qs-zconvert importhg HGFILE        : Creates host groups and host entries using the 'stmfadm list-hg -v' output in HGFILE
    qs-zconvert importlumap LUFILE     : Assigns logical units to host groups
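A typical import, sketched as a console session with a hypothetical foreign pool named 'tank' (run as root via 'sudo -i'):

```
# List the foreign pools visible to the system, then import and convert one;
# 'tank' is a placeholder pool name.
qs-zconvert list
qs-zconvert import tank
```

After the import completes, the pool and its zvols appear under QuantaStor's naming conventions and can be managed from the web interface.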

Note that the particular features and version information for your OpenZFS system can be found by running the 'zpool upgrade -v' command. When run on QuantaStor you will see the following feature list. If your OpenZFS-based system has more features and you're using them with your zpool, then you may have import problems and the qs-zconvert script may not work for you.

This system supports ZFS pool feature flags.

The following features are supported:

FEAT DESCRIPTION
-------------------------------------------------------------
async_destroy                         (read-only compatible)
     Destroy filesystems asynchronously.
empty_bpobj                           (read-only compatible)
     Snapshots use less space.
lz4_compress
     LZ4 compression algorithm support.

The following legacy versions are also supported:

VER  DESCRIPTION
---  --------------------------------------------------------
 1   Initial ZFS version
 2   Ditto blocks (replicated metadata)
 3   Hot spares and double parity RAID-Z
 4   zpool history
 5   Compression using the gzip algorithm
 6   bootfs pool property
 7   Separate intent log devices
 8   Delegated administration
 9   refquota and refreservation properties
 10  Cache devices
 11  Improved scrub performance
 12  Snapshot properties
 13  snapused property
 14  passthrough-x aclinherit
 15  user/group space accounting
 16  stmf property support
 17  Triple-parity RAID-Z
 18  Snapshot user holds
 19  Log device removal
 20  Compression using zle (zero-length encoding)
 21  Deduplication
 22  Received properties
 23  Slim ZIL
 24  System attributes
 25  Improved scrub stats
 26  Improved snapshot deletion performance
 27  Improved snapshot creation performance
 28  Multiple vdev replacements

For more information on a particular version, including supported releases,
see the ZFS Administration Guide.

Hardware Controller & Enclosure Integration

QuantaStor has custom integration modules ('plug-ins') for a number of major RAID controller cards which monitor the health and status of your hardware RAID units, disks, enclosures, and controllers. When a disk failure occurs within a hardware RAID group, QuantaStor detects this and sends you an email through the QuantaStor alert management system. Note that QuantaStor also has software RAID support for RAID levels 1, 5, 6 & 10, so you do not need a hardware RAID card, but hardware RAID can boost performance and offer you additional RAID configuration options. Also, you can use any RAID controller that works with Ubuntu Server, but QuantaStor will only detect alerts and discover the configuration details of those controllers for which there is a QuantaStor hardware controller plug-in. Note that the plug-in discovery logic is triggered every couple of minutes, so in some cases you will find that there is a small delay before the information in the web interface is updated.

QuantaStor has broad support for integrated hardware management including the following controllers:

  • LSI MegaRAID & Nytro MegaRAID (all models)
  • Adaptec 5xxx/6xxx/7xxx/8xxx (all models)
  • IBM ServeRAID (LSI derivative)
  • DELL PERC H7xx/H8xx (LSI derivative)
  • Intel RAID/SSD RAID (LSI derivative)
  • HP SmartArray P4xx/P8xx
  • LSI 3ware 9xxx
  • LSI HBAs
  • Fusion IO PCIe

Adaptec RAID integration

Adaptec controllers are automatically detected and can be managed via the QuantaStor web management interface.

Fusion IO integration

The Fusion IO integration requires that the fio-util and iomemory-vsl packages are installed. Once installed the Fusion IO control and logic devices will automatically show up in the Hardware Enclosures & Controllers view within QuantaStor Manager.

LSI 3ware integration

3ware controllers are automatically discovered and can be managed via the QuantaStor web management interface.

Note that if you arbitrarily remove a disk that was being utilized by a 3ware RAID unit, there are additional steps required before you can re-add it to the appliance. 3ware writes configuration data to the disk in what's called a Disk Control Block (DCB), and this needs to be scrubbed before you can use the disk again as a hot spare or within another unit. There is a great article written here on how to scrub the DCB on a disk so that you can use it again with your LSI 3ware controller. Formatting the disk in another system will also suffice. You can then add it back into the old system and designate it as a spare, and if you have a unit that is degraded it will automatically adopt the spare and begin rebuilding the unit back to a fully fault-tolerant status. Of course, if you pulled the disk because it was faulty you'll want to RMA it to the manufacturer for a warranty replacement.

LSI MegaRAID / DELL PERC integration

LSI MegaRAID, DELL PERC, IBM ServeRAID and Intel RAID controllers are fully supported by QuantaStor and can be managed via the web management interface. Note also that QuantaStor includes a command line utility called qs-util which assists with some MegaRAID maintenance operations. These include:

    qs-util megawb                   : Set Write-Back cache mode on all LSI MR units w/ BBU
    qs-util megaforcewb              : (W!) Force Write-Back cache mode on all LSI MR units
    qs-util megaclearforeign         : (W!) Clear the foreign config info from all LSI controllers
    qs-util megaccsetup              : Setup MegaRAID consistency check and patrol read settings
    qs-util megalsiget               : Generates a LSIget log report and sends it to support@osnexus.com

Common Configuration Settings

Disable Copyback

The MegaRAID controller will auto-heal a RAID unit using an available hot-spare in case of a drive failure. When the bad drive is pulled and a new drive is inserted and marked as hot-spare, the location of your hot-spare drive will have changed. In fact it will change every time a bad drive is replaced. Generally speaking there is no impact to performance from having your hot-spare in a new location each time, but over time it leads to a less organized chassis. As such there is a 'Copy Back' feature which copies the data from the hot-spare back to the original location after a new hot-spare has been inserted where the failed disk was located. Copy back does add time to the rebuild process so some prefer to disable it and just deal with the less organized drive placement in the chassis. To disable copy back on all controllers run this command at the QuantaStor console or via ssh as root:

MegaCli -AdpSetProp -copybackdsbl -1 -aall

To enable the CopyBack feature on all controllers run this command:

MegaCli -AdpSetProp -copybackdsbl -0 -aall

Increasing the RAID unit Rebuild Rate

The default rebuild rate is 30% which can lead to some long rebuilds depending on the size of your RAID unit and the amount of load on it. To increase the rate you can issue the following command at the console or ssh to increase it to 75% or higher:

MegaCli -AdpSetProp RebuildRate 75 -aall

Disabling the Alarm

If your server is in a datacenter then the alarm is not going to help much in identifying the problematic controller card and will only serve to cause grief. As such, you might want to disable the alarms:

MegaCli -AdpSetProp AlarmDsbl -aall

To just silence the current alarm run this:

MegaCli -AdpSetProp AlarmSilence -aall

The two most common cases for an alarm are that a disk needs to be replaced or the battery backup unit is not functioning properly. You can also silence all alarms using the web management interface.

Auto Import Foreign RAID units

The MegaRAID controllers can be a little troublesome if you're moving disks and/or disk chassis around as the disk drives will appear as 'foreign' to the controller when you move them. Most of the time you'll just want to import these foreign units automatically so that you don't have to press space-bar at boot time to continue the boot process. To avoid this, set the policy on the controllers to automatically import foreign units with this command: sudo MegaCli -AdpSetProp AutoEnhancedImportEnbl -aALL

Here's an example of what that looks like:

qadmin@qs-testing:~$ sudo MegaCli -AdpSetProp AutoEnhancedImportEnbl -aALL
[sudo] password for qadmin:

Adapter 0: Set Auto Enhanced Import to Enable success.
Adapter 1: Set Auto Enhanced Import to Enable success.

Exit Code: 0x00

Installing the MegaRAID CLI on older QuantaStor v2 systems

QuantaStor v3 and newer systems work with LSI MegaRAID controllers with no additional software to be installed. For older v2 systems first login to your QuantaStor system at the console. You'll need to make sure that your system is network connected with internet access as it will be downloading some necessary files and packages. Next, run the following two commands to install:

cd /opt/osnexus/quantastor/raid-tools
sudo lsimegaraid-install.sh

It will take a couple of minutes for the QuantaStor service to detect that the MegaRAID CLI is now installed, but then you'll see the hardware configuration show up automatically in the web interface. Note also that this script will have upgraded the megaraid_sas driver included with QuantaStor. As such you must restart the system using the "Restart Storage System" option in the QuantaStor web management interface. Last, new firmware is required to support 3TB and larger drives, so if you have an older 9260 or 9280 controller be sure to download and apply the latest firmware. Here's an example of how to upgrade MegaRAID firmware using MegaCli.

MegaCli -AdpFwFlash -f FW1046E.rom -a0

Adapter 0: PERC H800 Adapter
Vendor ID: 0x1000, Device ID: 0x0079

FW version on the controller: 2.0.03-0772
FW version of the image file: 2.100.03-1046
Download Completed.
Flashing image to adapter...
Adapter 0: Flash Completed.

Exit Code: 0x00

HP SmartArray RAID integration

HP SmartArray controllers are supported out-of-the box with no additional software to be installed. You can manage your HP RAID controller via the QuantaStor web management interface where you can create RAID units, mark hot-spares, replace drives, etc.

Managing Storage Pools

Storage pools combine or aggregate one or more physical disks (SATA, SAS, or SSD) into a single pool of storage from which storage volumes (iSCSI/FC targets) and network shares (CIFS/NFS) can be created. Storage pools can be created using any of the following software RAID types: RAID0, RAID1, RAID5, RAID6 (Z2), RAIDZ3, RAID10, RAID50, RAID60, or RAIDZ3+0. The optimal RAID type for your workload depends on the I/O access patterns of your target application, the number of disks you have, and the amount of fault-tolerance you require. As a general guideline we recommend using RAID10 for all virtualization workloads and databases, and RAID6 for applications that require high-performance sequential IO. RAID10 performs very well with both sequential and random IO patterns but is more expensive since you get only 50% usable space from the raw storage due to mirroring. For archival storage or other similar workloads RAID6 is best and provides higher utilization with only two drives used for parity/fault tolerance. RAID5 is not recommended for any deployments because it is not fault tolerant after a single disk failure. If you decide to use RAID6 with virtualization or other workloads that can produce a fair amount of random IO, we strongly recommend that you use a RAID controller with at least 1GB of RAM and a super-capacitor so that you can safely enable the write-cache. RAID6 and other parity RAID mechanisms generally do not perform well when you have many workloads (virtual machines) using the storage due to the serialization of I/O that happens from parity calculations and updates.

SSD Caching

ZFS based storage pools support the addition of SSD devices for use as read or write cache. SSD cache devices must be dedicated to a specific storage pool and cannot be shared across multiple storage pools. Some hardware RAID controllers support SSD caching, but in our testing we've found that ZFS is more effective at managing its layers of cache than the RAID controllers, so we do not recommend using SSD caching at the hardware RAID controller unless you're creating an older-style XFS storage pool, which does not have native SSD caching features.

SSD Write Cache Configuration (ZIL/SLOG)

The write cache is actually a filesystem log device (SLOG/ZIL) for the filesystem where writes can be stored temporarily, coalesced, and written to the storage pool more efficiently. Writes are not held for long in the SSD cache so the cache does not need to be large. Because it is storing writes that have not yet been persisted to the storage pool, the write cache must be mirrored so that in the event that an SSD drive fails there is no data loss. So to enable write caching you should always allocate 2x SSD devices, typically 200GB in size. Note that the write cache / log device only holds writes for at most several seconds before flushing the data into the storage pool. Since the data is held for a relatively short time, the SSD write cache never uses more than about 10GB of storage within the SSD cache layer. As such, large SSD devices are not needed for the SSD cache, but we do recommend using 200GB or larger enterprise grade SSD devices because they are more effective at wear leveling the heavy write IO load placed on the write caching tier. The SSD write cache tier is limited to two (2) devices per storage pool as this is a limit of ZFS. In special cases you may consider using 4x or 6x SSD cache devices, but to do so requires using hardware RAID10 so that only a single logical device is added to the ZFS storage pool, thereby working around the 2x ZIL log device limitation.

  • Summary: SSD drives for write-cache should always be added to storage pools for write intensive applications like virtualization and databases. A pair of 200GB Enterprise grade SSD devices is suitable for a broad set of applications and workloads. Larger capacities (>200GB) will not yield benefits unless they also deliver higher IOPS and higher throughput performance.
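For reference, the underlying ZFS operation that adds a mirrored log device is the standard 'zpool add ... log mirror' command; the pool and device names below are hypothetical, and in practice QuantaStor manages this for you through the web interface:

```
# Mirror the SLOG so a single SSD failure cannot lose in-flight writes;
# 'qspool', /dev/sdx, and /dev/sdy are placeholder names.
zpool add qspool log mirror /dev/sdx /dev/sdy
```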

SSD Read Cache Configuration (L2ARC)

You can add up to 4x devices for SSD read-cache (L2ARC) to any ZFS based storage pool, and these devices do not need to be fault tolerant. You can add up to 4x devices directly to the storage pool by selecting 'Add Cache Devices..' after right-clicking on any storage pool. You can also opt to create a RAID0 logical device using the RAID controller out of multiple SSD devices and then add this device to the storage pool as SSD cache. The size of the SSD cache should be roughly the size of the working set for your application, database, or VMs. For most applications a pair of 400GB SSD drives will be sufficient, but for larger configurations you may want to use upwards of 2TB or more of SSD read cache. Note that the SSD read-cache doesn't provide an immediate performance boost because it takes time for it to learn which blocks of data should be cached to provide better read performance.
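The equivalent underlying ZFS command adds the SSDs as cache vdevs; again the pool and device names are placeholders, and QuantaStor normally performs this via the 'Add Cache Devices..' dialog:

```
# L2ARC devices need no redundancy, so they are added as plain cache vdevs;
# 'qspool' and the device paths are placeholder names.
zpool add qspool cache /dev/sdx /dev/sdy
```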

RAM Read Cache Configuration (ARC)

ZFS based storage pools use what is called "ARC" as an in-memory read cache, rather than the Linux filesystem buffer cache, to boost disk read performance. Having a good amount of RAM in your system is critical to delivering solid performance as it is very common with disk systems for blocks to be read multiple times. When they are cached in RAM it reduces the load on the disks and greatly boosts performance. As such it is recommended to have 32-64GB of RAM for small systems, 96-128GB of RAM for medium sized systems, and for large appliances you'll want to have upwards of 256GB or more of RAM. To see the stats on cache hits for both read and write cache layers you'll need to use the command line and run 'sudo qs-iostat -af', which will print an updated status report on cache utilization every couple of seconds.

RAID Levels

RAID1 & RAID5 allow you to have one disk fail without it interrupting disk IO. When a disk fails you can remove it, and you should add a spare disk to the 'degraded' storage pool as soon as possible in order to restore it to a fault-tolerant status. You can also assign spare disks to storage pools ahead of time so that the recovery happens automatically. RAID6 allows for up to two disks to fail and will keep running, whereas RAID10 can allow for one disk failure per mirror pair. Finally, RAID0 is not fault tolerant at all, but it is your only choice if you have only one disk and it can be useful in some scenarios where fault-tolerance is not required. Here's a breakdown of the various RAID types and their pros & cons.

  • RAID0 layout is also called 'striping' and it writes data across all the disk drives in the storage pool in a round robin fashion. This has the effect of greatly boosting performance. The drawback of RAID0 is that it is not fault tolerant, meaning that if a single disk in the storage pool fails then all of your data in the storage pool is lost. As such RAID0 is not recommended except in special cases where the potential for data loss is a non-issue.
  • RAID1 is also called 'mirroring' because it achieves fault tolerance by writing the same data to two disk drives so that you always have two copies of the data. If one drive fails, the other has a complete copy and the storage pool continues to run. RAID1 and its variant RAID10 are ideal for databases and other applications which do a lot of small write I/O operations.
  • RAID5 achieves fault tolerance via what's called a parity calculation, where one of the drives contains an XOR calculation of the bits on the other drives. For example, if you have 4 disk drives and you create a RAID5 storage pool, 3 of the disks will store data, and the last disk will contain parity information. This parity information on the 4th drive can be used to recover from any data disk failure. In the event that the parity drive fails, it can be replaced and reconstructed using the data disks. RAID5 (and RAID6) are especially well suited for audio/video streaming, archival, and other applications which do heavy sequential write I/O operations (such as reading/writing large files), and are not as well suited for database applications which do heavy amounts of small random write I/O operations or for large file-systems containing lots of small files with a heavy write load.
  • RAID6 improves upon RAID5 in that it can handle two drive failures but it requires that you have two disk drives dedicated to parity information. For example, if you have a RAID6 storage pool comprised of 5 disks then 3 disks will contain data, and 2 disks will contain parity information. In this example, if the disks are all 1TB disks then you will have 3TB of usable disk space for the creation of volumes. So there's some sacrifice of usable storage space to gain the additional fault tolerance. If you have the disks, we always recommend using RAID6 over RAID5. This is because all hard drives eventually fail and when one fails in a RAID5 storage pool your data is left vulnerable until a spare disk is utilized to recover your storage pool back to a fault tolerant status. With RAID6 your storage pool is still fault tolerant after the first drive failure. (Note: Fault-tolerant storage pools (RAID1,5,6,10) that have suffered a single disk drive failure are called degraded because they're still operational but they require a spare disk to recover back to a fully fault-tolerant status.)
  • RAID10 is similar to RAID1 in that it utilizes mirroring, but RAID10 also does striping over the mirrors. This gives you the fault tolerance of RAID1 combined with the performance of RAID0. The drawback is that half the disks are used for fault-tolerance, so if you have 8x 1TB disks utilized to make a RAID10 storage pool, you will have 4TB of usable space for creation of volumes. RAID10 will perform very well with both small random IO operations as well as sequential operations, and it is highly fault tolerant as multiple disks can fail as long as they're not from the same mirror-pairing. If you have the disks and you have a mission critical application we highly recommend that you choose the RAID10 layout for your storage pool.
  • RAID60 combines the benefits of RAID6 with some of the benefits of RAID10. It is a good compromise when you need better IOPS performance than RAID6 will deliver and more usable storage than RAID10 delivers (50% of raw).
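The usable-capacity trade-offs above reduce to simple arithmetic; for example, with eight 1TB disks:

```shell
disks=8; size_tb=1
echo "RAID10 usable: $(( disks / 2 * size_tb ))TB"    # half the disks hold mirrors -> 4TB
echo "RAID6  usable: $(( (disks - 2) * size_tb ))TB"  # two disks hold parity -> 6TB
echo "RAID5  usable: $(( (disks - 1) * size_tb ))TB"  # one disk holds parity -> 7TB
```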

In some cases it can be useful to create more than one storage pool so that you have low cost fault-tolerant storage available in RAID6 for archive and higher IOPS storage in RAID10 for virtual machines, databases, MS Exchange, or similar workloads.

If you have created an XFS based storage pool with a RAID level it will take some time to 'rebuild'. Once the 'rebuild' process has reached 1% you will see the storage pool appear in QuantaStor Manager and you can begin to create new storage volumes.

WARNING: Although you can begin using the pool at 1% rebuild completion, your XFS storage pool is not fault-tolerant until the rebuild process has completed.

Hot Spare Policies for ZFS Storage Pools

Modern versions of QuantaStor include additional options for how Hot Spares are automatically chosen at the time a rebuild needs to occur to replace a faulted disk.

These Policies can be chosen on a per Storage Pool basis. The below screenshot shows the Policies.

ZFS Storage Pool Hot Spare Policies

Note: If the policy is set to one that includes 'exact match', the ZFS Storage Pool will first attempt to replace the failed data drive with a disk that is of the same model and capacity before trying other options.

Network Interface / Target Port Configuration

Target ports are simply the network ports (NICs) through which your client hosts (initiators) access your storage volumes (aka targets). The terms 'target' and 'initiator' are SCSI terms that are synonymous with 'server' and 'client' respectively. QuantaStor supports both statically assigned IP addresses as well as dynamically assigned (DHCP) addresses. If you selected automatic network configuration when you initially installed QuantaStor then you'll have one port setup with DHCP and the others are likely offline. We recommend that you always use static IP addresses unless you have your DHCP server setup to specifically assign an IP address to your NICs as identified by MAC address. If you don't set the target ports up with static IP addresses you risk the IP address changing and losing access to your storage when the dynamically assigned address expires. To modify the configuration of a target port first select the tree section named "Storage System" under the "Storage Management" tab on the left hand side of the screen. After that, select the "Target Ports" tab in the center of the screen to see the list of target ports that were discovered. To modify the configuration of one of the ports, simply right-click on it and choose "Modify Target Port" from the pop-up menu. Alternatively you can press the "Modify" button in the tool bar at the top of the screen in the "Target Ports" section. Once the "Modify Target Port" dialog appears you can select the target port type for the selected port (static), enter the IP address for the port, subnet mask, and gateway for the port. You can also set the MTU to 9000 for jumbo packet support, but we recommend that you get your network configuration up and running with standard 1500 byte frames as jumbo packet support requires that you custom configure your host side NICs and network switch with 9K frames as well.

NIC Bonding / Trunking

QuantaStor supports NIC bonding, also called trunking, which allows you to combine multiple NICs together to improve performance and reliability. If you combine two or more ports together into a virtual port, you'll need to make sure that all the bonded ports are connected to the same network switch. There are very few exceptions to this rule. For example, if you have two networks and 4 ports (p1, p2, p3, p4) you'll want to create two separate virtual ports, each bonding two NIC ports (p1, p2 / p3, p4) together, with each pair connected to a separate network (p1, p2 -> network A / p3, p4 -> network B). This type of configuration is highly recommended as you have both improved bandwidth and no single point of failure in the network or in the storage system. Of course you'll need your host to have at least 2 NIC ports and they'll each need to connect to the separate networks. For very simple configurations you can just connect everything to one switch, but again, the more redundancy you can work into your SAN the better.

By default, QuantaStor uses Linux bonding mode-0, a round-robin policy. This mode provides load balancing and fault tolerance by transmitting packets in sequential order from the first available interface through the last. QuantaStor also supports LACP 802.3ad dynamic link aggregation. Use the 'Modify Storage System' dialog in the web management interface to change the default bonding mode for your appliance.
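As a toy sketch of how the default round-robin policy spreads traffic (the slave port names are hypothetical, and real packet scheduling happens inside the kernel bonding driver, not in a script):

```shell
# Illustrative only: mode-0 (balance-rr) transmits successive packets on
# alternating bonded ports. With two slave NICs, packet N goes out port (N-1) mod 2.
for pkt in 1 2 3 4; do
  echo "packet $pkt -> slave-port $(( (pkt - 1) % 2 ))"
done
```

This is why all bonded ports must sit on the same switch: each packet may arrive on a different physical port, and the switch must see them as one logical link.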

10GbE NIC support

QuantaStor works with all the major 10GbE cards from Chelsio, Intel and others. We recommend the Intel 10GbE cards and you can use NIC bonding in conjunction with 10GbE to further increase bandwidth. If you are using 10GbE we recommend that you designate your slower 1GbE ports as iSCSI disabled so that they are only used for management traffic.

Storage Pool High Availability Group

Hardware Requirements

Storage pools used with the High Availability Group feature require special consideration regarding their hardware configuration.

The Storage Pool that is used for the High Availability Group must have shared physical storage devices that both Head nodes can see. These shared physical storage devices can be either of the below:

  • SAS disks in a SAS JBOD that is connected to both head nodes via SAS HBAs.
  • FC or iSCSI storage LUNs presented to both nodes from a legacy SAN device that supports SCSI persistent reservations.

Head node requirements:

  • Two QuantaStor appliances
    • Each QuantaStor appliance will need adequate memory, processor, and network controller hardware capable of handling the client connections and load required for access to the Storage Volume or Network Share resources intended for use in the deployment.
    • Each QuantaStor appliance will need a dedicated connection to the shared storage devices via the appropriate initiator or HBA device. Multiple paths/connections from each head node to the shared storage devices are recommended.

Ha requirements.png

Shared Storage via SAS disk and SAS JBOD requirements:

  • Connection to both QuantaStor Appliances via SAS HBAs.
  • All drives must be SAS or Near-Line SAS drives.
  • The SAS JBOD should have at least two SAS expansion ports. A JBOD with 3 or more expansion ports and redundant SAS Expander/Environmental Service Modules (ESMs) is preferred.
  • The SAS JBOD should be within standard SAS cable length (typically under 15 meters) of the SAS HBAs installed in the QuantaStor appliances.
  • For best performance, it is recommended that faster disks such as SSDs or 10/15K RPM platter disks be placed in separate enclosures and SAS expansion chains from slower, larger disks.

Cluster-in-a-Box solutions provide these hardware requirements in a single HA QuantaStor Appliance; please contact a reseller if you are interested.

Configuration Summary

  • Install QuantaStor on both appliances
  • SAS Hardware Configuration and Verify connectivity of SAS cables from HBAs to JBOD
  • Network and Cluster Heartbeat Configuration and Verify network connectivity
  • Create a Storage Pool using only drives from the shared JBOD
  • Create a Storage Pool High-availability Group
  • Create one or more Storage Pool HA virtual interfaces
  • Activate the Storage Pool
  • Test failover

Installation

  • Install both QuantaStor Appliances with the most recent release of QuantaStor.
  • Apply the QuantaStor License key and HA Add-on Module key to your QuantaStor Appliances. Activate both appliances.
  • Create a Grid and join both QuantaStor Appliances to the grid.

SAS Hardware Configuration

  • LSI SAS HBAs must be configured with the 'Boot Support' MPT BIOS option set to 'OS only' mode.
  • Verify that the SAS disks installed in both systems are visible to both head nodes in the WebUI Hardware Enclosures and Controllers section.

Network and Cluster Heartbeat Configuration

For the High Availability Group feature, primary client/host access is provided via one or more Virtual Network Interfaces on the node that has ownership of the Shared Storage Pool.

A Grid Virtual Network Interface must be configured in the 'Modify Grid' Dialog box. If a management network is preferred, configure the Grid Virtual Network Interface on the Management network subnet.

  • Each Virtual Network Interface requires three IP addresses configured in the same subnet: one for the Virtual Network Interface itself and one for the network device on each QuantaStor Storage Appliance.
    • A management network and multiple data networks can be configured.
    • Both QuantaStor Appliances must have unique IP addresses for their network devices.
    • It is preferred that the network devices be configured the same on both QuantaStor Appliances (i.e. bond0 on both nodes). This is not a requirement, however: failover of the Virtual Network Interface moves it to whichever partner-node network device is configured in the same subnet, which is why each network must be on its own subnet.
    • Each management and data network must be on a separate subnet to allow for proper routing of requests from clients.
    • A network gateway is best configured on the management network.
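As a concrete sketch, an addressing plan that satisfies the rules above might look like the following (all subnets, device names, and addresses are hypothetical examples, not defaults):

```shell
# Management network, subnet 10.0.1.0/24 (gateway configured here):
#   node1 bond0                  10.0.1.11
#   node2 bond0                  10.0.1.12
#   Grid Virtual Network IF      10.0.1.10
#
# Data network, subnet 10.0.2.0/24 (separate subnet from management):
#   node1 bond1                  10.0.2.11
#   node2 bond1                  10.0.2.12
#   HA Virtual Network IF        10.0.2.10
```

Note that each virtual interface and its two backing network devices share a subnet, and the management and data networks are on different subnets.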

Shared Storage Pool Creation

  • Verify in the Physical Disk section of the WebUI that all of the shared storage disks are visible to both head nodes.
  • Configure the Storage Pool on one of the nodes using the Create Storage Pool dialog.
    • Provide a Name for the Storage Pool
    • Choose the Pool Type of Default (zfs)
    • Choose the RAID type and I/O profile that best suit your use case; more details are available in the Solution Design Guide.
    • Select the shared storage disks that suit your RAID type and that were previously confirmed to be accessible to both QuantaStor Appliances.
    • Click 'OK' to create the Storage Pool once all of the Storage pool settings are configured correctly.

Ha pool.png

High Availability Group creation

High Availability Groups can be created by right clicking on the Storage Pool and choosing the 'Create High Availability Group' option.

Ha group.png

HA Virtual Network Interface creation

HA Virtual Network Interfaces can be created by right clicking on the High Availability Group and choosing 'Create High Availability Network Interface'

  • Configure the IP address and subnet mask for the Virtual Network Interface and choose the ethernet device that is on the matching subnet.

Ha group vif.png

HA Group Activation

The High Availability Group can be activated by right Clicking on the High Availability Group and choosing 'Activate High Availability Group'

Manual HA Failover Steps / Testing Failover

The manual failover process will gracefully fail over the Shared Storage Pool from the original node with ownership to the partner node, which will take ownership of the Shared Storage Pool and provide client access to the Storage Volume and/or Network Share resources.

To trigger a manual failover for maintenance or for testing, right-click on the High Availability Group and choose the Failover High Availability Group option. In the dialog, choose the node you would like to fail over to and click 'OK' to start the manual failover.

Automatic HA Failover

In the event that a failure is detected on the node that has ownership of the Shared Storage Pool, an Automatic HA Failover event will be triggered. This automatic event will release ownership of the Shared Storage Pool from the affected node and its partner node will take ownership and provide client access to the Storage Volume and/or Network Share resources.

Triage/Troubleshooting

The following commands, run from the console or over SSH, are useful starting points when triaging HA fencing and shared device issues:

  qs-iofence devstatus
  qs-util devicemap

Volume & Share Remote-Replication (Disaster Recovery / DR Setup)

Volume and Share Remote-replication within QuantaStor allows you to copy a volume or network share from one QuantaStor storage system to another and is a great tool for migrating volumes and network shares between systems and for using a remote system as a DR site. Remote replication is done asynchronously, which means that changes/deltas to the source volumes and network shares are replicated as frequently as every hour with calendar based schedules, and as frequently as every 15 minutes with timer based schedules.

Once a given set of the volumes and/or network shares have been replicated from one system to another the subsequent periodic replication operations send only the changes and all information sent over the network is compressed to minimize network bandwidth and encrypted for security. ZFS based storage pools use the ZFS send/receive mechanism which efficiently sends just the changes so it works well over limited bandwidth networks. Also, if your storage pool has compression enabled the changes sent over the network are also compressed which further reduces your WAN network load.

Limits of XFS based Volume/Network Share Replication

XFS based storage pools do not have the advanced replication mechanisms like ZFS send/receive so we employ more brute force techniques for replication. Specifically, when you replicate a XFS based storage volume or network share QuantaStor uses the linux rsync utility. It does have compression and it will only send changes but it doesn't work well with large files because the entire file must be scanned and in some cases resent over the network. Because of this we highly recommend using ZFS based storage pools for all deployments unless you specifically need the high sequential IO performance of XFS for a specific application.

Creating a Storage System Link

The first step in setting up DR/remote-replication between two systems is to have at least two nodes (storage appliances) configured into a Grid. QuantaStor has a grid communication mechanism that connects appliances (nodes) together so that they can share information, coordinate activities like remote-replication, and simplify management operations. After you create the grid you'll need to set up a Storage System Link between the two or more nodes between which you want to replicate data (volumes and/or shares). The Storage System Link represents a low level security key exchange between the two nodes so that they can send data to each other. Creation of the Storage System Link is done through the QuantaStor Manager web interface by selecting the 'Remote Replication' tab, then pressing the 'Create Storage System Link' button in the tool bar to bring up the dialog.

Storagelink1.png

Select the IP address on each system to be utilized for communication of remote replication network traffic. If both systems are on the same network then you can simply select one of the IP addresses from one of the local ports but if the remote system is in the cloud or remote location then most likely you will need to specify the external IP address for your QuantaStor system. Note that the two systems communicate over ports 22 and 5151 so you will need to open these ports in your firewall in order for the QuantaStor systems to link up properly.

Creating a Remote Replica

Once you have a Storage System Link created between two systems you can replicate volumes and network shares in either direction. Simply login to the system that you want to replicate volumes from, right-click on the volume to be replicated, then choose 'Create Remote Replica'. Creating a remote replica is much like creating a local clone, only the data is copied over to a storage pool in a remote storage system. As such, when you create a remote replica you must specify which storage system you want to replicate to (only systems which have established and online storage system links will be displayed) and which storage pool within that system should be utilized to hold the remote replica. If you have already replicated the specified volume to the remote storage system then you can re-sync the remote volume by selecting the remote-replica association in the web interface and choosing 'resync'. This can also be done via the 'Create Remote Replica' dialog by choosing the option to replicate to an existing target if available.

Creating a Remote Replication Schedule / DR Replication Policy

Remote replication schedules provide a mechanism for replicating the changes to your volumes to a matching checkpoint volume on a remote appliance automatically on a timer or a fixed schedule. To create a schedule navigate to the Remote Replication Schedules section after selecting the Remote Replication tab at the top of the screen. Right-click on the section header and choose 'Create Replication Schedule'.

Drsetup1.png

Besides selecting the volumes and/or shares to be replicated you must select the number of snapshot checkpoints to be maintained on the local and remote systems. You can use these snapshots for off-host backup and other data recovery purposes as well, so there is no need for a separate Snapshot Schedule, which would be redundant with the snapshots created by your replication schedule. If you choose a Max Replicas of 5 then up to 5 snapshot checkpoints will be retained. For example, if you were replicating nightly at 1am each day of the week from Monday to Friday then you would have a week's worth of snapshots as data recovery points. If you are replicating 4 times each day and need a week of snapshots then you would need 5x4, or a Max Replicas setting of 20.
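The Max Replicas arithmetic from the example above can be checked with simple shell arithmetic (the 4 and 5 are just the example's replications-per-day and retention-days values):

```shell
# Max Replicas = replications per day x days of recovery points to keep.
REPLICATIONS_PER_DAY=4   # timer-based schedule running 4 times a day
RETENTION_DAYS=5         # keep one work week of recovery points
MAX_REPLICAS=$(( REPLICATIONS_PER_DAY * RETENTION_DAYS ))
echo "Max Replicas setting: $MAX_REPLICAS"   # prints 20
```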

Remote Replication Bandwidth Throttling

WAN links are often limited in bandwidth to a range of 2-60MBytes/sec for on-premises deployments and 20-100MBytes/sec or higher in datacenters depending on the service provider. QuantaStor does automatic load balancing of replication activities to limit the impact on active workloads and on your available WAN or LAN bandwidth. By default QuantaStor comes pre-configured to limit replication bandwidth to 50MB/sec but you can increase or decrease this to better match the bandwidth and network throughput limits of your environment. This is a good default for datacenter deployments, but hybrid cloud deployments where data replicates to/from on-premises site(s) should be configured to take up no more than 50% of your available WAN bandwidth so as to not disrupt other activities and workloads.

Here are the CLI commands available for adjusting the replication rate limit. To get the current limit use 'qs-util rratelimitget'; to set the rate limit to a new value (for example, 4MB/sec) use 'qs-util rratelimitset 4'.

  Replication Load Balancing
    qs-util rratelimitget            : Current max bandwidth available for all remote replication streams.
    qs-util rratelimitset NN         : Sets the max bandwidth available in MB/sec across all replication streams.
    qs-util rraterebalance           : Rebalances all active replication streams to evenly share the configured limit.
                                       Example: If the rratelimit (NN) is set to 100 (MB/sec) and there are 5 active
                                       replication streams then each stream will be limited to 20MBytes/sec (100/5)
                                       QuantaStor automatically rebalances replication streams every minute unless
                                       the file /etc/rratelimit.disable is present.

To run the above mentioned commands you must login to your storage appliance via SSH or via the console. Here's an example of setting the rate limit to 50MB/sec.

sudo qs-util rratelimitset 50

At any given time you can adjust the rate limit and all active replication jobs will automatically adjust to this new limit within a minute. This means that you can dynamically adjust the rate limit using the 'qs-util rratelimitset NN' command to set different replication rates for different times of day and days of the week using a cron job. If you need that functionality and need help configuring cron to run the 'qs-util rratelimitset NN' command please contact Customer Support.
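For example, a root crontab (edited via 'sudo crontab -e') that throttles replication during business hours might look like the fragment below; the times and MB/sec values are illustrative assumptions, not recommendations:

```shell
# Weekdays at 8am: limit replication to 10MB/sec while users are active.
0 8  * * 1-5  qs-util rratelimitset 10
# Weekdays at 6pm: raise the limit back to 50MB/sec for overnight replication.
0 18 * * 1-5  qs-util rratelimitset 50
```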


Permanently Promoting a Replicated Storage Volume or Network Share

The below process details how to Promote a _chkpnt Storage Volume/Network Share in the event of a failure of the primary node. This same procedure can be used to permanently migrate data to a Storage Pool on a different QuantaStor appliance using remote replication.

If the Replication Source system is offline due to a hardware failure of the appliance, you can skip directly to Step 3.

Step 1) Ensure that all client I/O to the current source Storage Volume or Network Share has been stopped, and that one final replication of any data modified since the last replication has been performed using the replication links/schedules.

Step 2) Remove all Hosts and Host Group Associations from the source Storage Volume.

Step 3) Right Click on the Replication Schedule associated with the source and destination Storage Volume/Network Share and click 'Delete Schedule'.

Step 4) Right click on the Replication Link associated with the source and destination Storage Volume/Network Share and select the 'Delete Replica Association' option, which will open the 'Delete Remote Replication Link' dialog. Use the defaults in this dialog and click 'OK'.

Delete Remote Replication Link.png

At this stage there is no longer a replication link or association between the source and destination _chkpnt Storage Volume/Network Share. Both the original source and destination _chkpnt Storage Volume/Network Share can be renamed using the Modify Storage Volume or Modify Network Share dialogs and mapped out for client access as required.

Please note: If you are looking to use the same name for the _chkpnt Storage Volume/Network Share as was used on the source system and the source QuantaStor appliance is offline/unavailable, you may need to remove it from the grid at this stage, as it will not be accessible to perform the rename operation using the Modify Storage Volume or Modify Network Share dialog. In this event, after removal of the offline QuantaStor node from the grid, you can skip directly to Step B below.

Renaming the _chkpnt Storage Volume/Network Share to be the same as the original Source Storage Volume/Network Share.

Step A) Right click on the original Storage Volume/Network Share and choose the 'Modify Storage Volume' or 'Modify Network Share' option. In the dialog box, rename the Storage Volume or Network Share to add '_bak' or any other unique postfix to the end and click 'OK'. Once you are done with the promotion/migration you can remove this backup (_bak) version and its associated snapshots. Our multi-delete feature is useful for this sort of batch deletion process.

Example screenshot below showing the Modify Storage Volume for renaming the source Storage Volume to _bak

Modify Storage Volume rename bak.png

Step B) Right click on the replicated _chkpnt Storage Volume/Network Share and choose the 'Modify Storage Volume' or 'Modify Network Share' option. In the dialog box, rename the Storage Volume or Network Share as you see fit and click 'OK'.

Example screenshot below showing the Modify Storage Volume for renaming the destination _chkpnt Storage Volume to the name originally used by the Source volume.

Modify Storage Volume rename.png

Step C) Map client access to the Promoted Storage Volume / Network Share

For Storage Volumes, map lun access to your clients using the Host or Host Groups option detailed here: Managing Hosts

For Network Shares map them out using the CIFS/NFS access permissions as detailed here: Managing Network Shares

Please note: If this procedure was performed for disaster recovery of a failed primary QuantaStor node, then once the original primary node is brought back online the old, out-of-date Storage Volume/Network Share will need to be renamed with a '_bak' or other preferred postfix (or removed to free up space) and the node re-added to the grid. Replication can then be configured from the new primary source QuantaStor to the recovered QuantaStor appliance in its new role as a secondary replication destination target.

Data Migration / LUN Copy to Storage Volume

Migrating LUNs (iSCSI and FC block storage) from legacy systems can be time consuming and potentially error prone, as it generally involves mapping the new storage and the old storage to a host, ensuring that the newly allocated LUN is equal to or larger than the old LUN, and then copying the data in two hops from legacy SAN -> host -> new SAN, which uses more network bandwidth and can take more time.

QuantaStor has a built-in data migration feature to help make this process easier and faster. If your legacy SAN is FC based then you'll need to put an Emulex or Qlogic FC adapter into your QuantaStor appliance and make sure that it is in initiator mode. Using the WWPN of this FC initiator you'll then set up the zoning in the switch and the storage access in the legacy SAN so that the QuantaStor appliance can connect directly to the storage in the legacy SAN with no host in-between. Once you've assigned some storage from the legacy SAN to the QuantaStor appliance's initiator WWPN you'll need to do a 'Scan for Disks' in the QuantaStor appliance and you will then see your LUNs appear from the legacy SAN (they will appear with device names like sdd, sde, sdf, sdg, etc). To copy a LUN to the QuantaStor appliance, right-click on the disk device and choose 'Migrate Disk...' from the pop-up menu.

Qsmigrate0.png

You will see a dialog like the one above and it will show the details of the source device to be copied on the left. On the right it shows the destination information which will be one of the storage pools on the appliance where the LUN is connected. Enter the name for the new storage volume to be allocated which will be the destination for the copy. A new storage volume will be allocated with that name which is exactly the same size as the source volume. It will then copy all the blocks of the source LUN to the new destination Storage Volume.

Data migration via iSCSI

The process is similar if you are copying a LUN via iSCSI. For that you'll need to login to the QuantaStor appliance via the console or via SSH to use the 'qs-util iscsiinstall', 'qs-util iscsiiqn', and 'qs-util iscsilogin' commands which will assist you in connecting the QuantaStor appliance directly to your legacy (iSCSI) SAN. Here's the step-by-step process:

sudo qs-util iscsiinstall

This command will install the iSCSI initiator software (open-iscsi).

sudo qs-util iscsiiqn

This command will show you the iSCSI IQN for the QuantaStor appliance. You'll need to assign the LUNs in the legacy SAN that you want to copy over to your QuantaStor appliance to this IQN. If your legacy SAN supports snapshots it's a good idea to assign a snapshot LUN to the QuantaStor appliance so that the data isn't changing during the copy.

sudo qs-util iscsilogin 10.10.10.10

Replace the example 10.10.10.10 IP address with the IP address of the legacy SAN which has the LUNs you're going to migrate over. Alternatively you can use the iscsiadm command line utility directly for this step. There are several of these iSCSI helper commands; type 'qs-util' for a full listing. Once you've logged into the devices you can see information about them by running the 'cat /proc/scsi/scsi' command, or just go back to the QuantaStor web management interface and use the 'Scan for Disks' command to make the disks appear. Once they appear in the 'Physical Disks' section you can right-click on them and do a 'Migrate Disk...' operation.

FC Initiator vs Target

Note that for FC data migration you can use either a Qlogic or an Emulex FC HBA in initiator mode, but QuantaStor v3 only supports Qlogic QLE24xx/25xx series cards in FC target mode. You can also use OEM versions of the Qlogic cards. As such it is best to use Qlogic cards, as you can then switch the card from initiator to target mode using the FC Port Enable command once you're done migrating LUNs.

Managing Call-home / Alert Configuration Settings

QuantaStor has a number of mechanisms for remote monitoring of system alerts, IO performance and other metrics via traditional protocols like SNMP and newer cloud services like Librato Metrics and CopperEgg. Appliances report alerts at various severity levels, from 'ERROR' alerts when a disk or battery needs to be replaced down to minor informational 'INFO' alerts like automatic resource cleanup. The Alert Manager dialog also allows you to set the thresholds at which you're sent warnings that the appliance has reached a low space condition. After configuring the call-home mechanism for your environment, be sure to test your alert configuration settings in the Alert Manager by sending a test alert to verify that the mechanism(s) you set up properly receive alerts.


The Alert Manager allows you to specify the thresholds at which you want to receive email regarding low disk space alerts for your storage pools. It also lets you specify the SMTP settings for routing email and the token for your PagerDuty account if you have one. For more information on the configuration of PagerDuty, Librato Metrics and other monitoring mechanisms see the Monitoring and Cloud Metrics Integration guide here.

Managing Hosts

Hosts represent the client computers to which you assign storage volumes. In SCSI terminology the host computers initiate communication with your storage volumes (target devices), so they are called initiators. Each host entry can have one or more initiators associated with it because an iSCSI initiator (host) can be identified by IP address, by IQN, or by both at the same time. We recommend always using the IQN (iSCSI Qualified Name), as you can have login problems when you try to identify a host by IP address, especially when that host has multiple NICs and they're not all specified.

Managing Host Groups

Sometimes you'll have multiple hosts that need to be assigned the same storage volume(s) such as with a VMware or a XenServer resource pool. In such cases we recommend making a Host Group object which indicates all of the hosts in your cluster/resource pool. With a host group you can assign the volume to the group once and save a lot of time. Also, when you add another host to the host group, it automatically gets access to all the volumes assigned to the group so it makes it very easy to add nodes to your cluster and manage storage from a group perspective rather than individual hosts which can be cumbersome especially for larger clusters.

Managing Snapshot Schedules

Snapshot schedules enable you to have your storage volumes automatically protected on a regular schedule by creating snapshots of them. You can have more than one snapshot schedule, and each schedule can be associated with any storage volumes, even those utilized in other snapshot schedules; in fact, this is something we recommend. For storage volumes containing critical data you should create a snapshot schedule that makes a snapshot of your volumes at least once a day, and we recommend that you keep around 10-20 snapshots so that you have a week or two of snapshots to recover from. A second schedule that creates a single snapshot of your critical volumes on the weekend is also recommended. If you set that schedule to retain 10 snapshots you will have over two months of historical snapshots from which to recover data.

Near Continuous Data Protection (N-CDP)

What all this boils down to is a feature we in the storage industry refer to as continuous data protection, or CDP. True CDP solutions allow you to recover to any prior point in time at a granularity of seconds; if you wanted to see what a storage volume looked like at 5:14am on Saturday, you could look at a 'point-in-time' view of that storage volume at that exact moment. Storage systems that allow you to create a large number of snapshots, thereby giving you the ability to roll back or recover from a snapshot created perhaps every hour, are referred to as NCDP or "near continuous data protection" solutions, and that's exactly what QuantaStor is. This NCDP capability is achieved through snapshot schedules, which run at a maximum granularity of once per hour. Using a snapshot schedule you can automatically protect your critical volumes and network shares so that you can recover data from previous points in time.

Managing iSCSI Sessions

A list of active iSCSI sessions can be found by selecting the 'Storage Volume' tree-tab in QuantaStor Manager then selecting the 'Sessions' tab in the center view. Here's a screenshot of a list of active sessions as shown in QuantaStor Manager.

Session List

Dropping Sessions

To drop an iSCSI session, just right-click on it and choose 'Drop Session' from the menu.

Drop Session Dialog

Keep in mind that some initiators will automatically re-establish a new iSCSI session if one is dropped by the storage system. To prevent this, just unassign the storage volume from the host so that the host cannot re-login.

Managing Network Shares

QuantaStor Network Shares provide NAS access to your storage via the NFSv3, NFSv4, and CIFS protocols. Note that you must have first created a Storage Pool before you create Network Shares as they are created within a specific Storage Pool. Storage Pools can be used to provision NAS storage (Network Shares) and can be used to provision SAN storage (Storage Volumes) at the same time.

Creating Network Shares

To create a network share simply right-click on a Storage Pool and select 'Create Network Share...' or select the Network Shares section and then choose Create Network Share from the toolbar or right-click for the pop-up menu. Network Shares can be concurrently accessed via both NFS and CIFS protocols.

Qs create network share.png

After providing a name and optional description for the share and selecting the storage pool in which the network share will be created, there are a few other options you can set, including protocol access types and a share level quota.

Enable Quota

If you have created a ZFS based storage pool then you can set specific quotas on each network share. By default there are no quotas assigned and network shares with no quotas are allowed to use any free space that's available in the storage pool in which they reside.

Enable CIFS/SMB Access

Select this check-box to enable CIFS access to the network share. When you first select to enable CIFS access the default is to make the share public with read/write access. To adjust this so that you can assign access to specific users or to turn on special features you can adjust the CIFS settings further by pressing the CIFS/SMB Advanced Settings button.

Enable Public NFS Access

By default public NFS access is enabled; you can un-check this option to turn off NFS access to this share. Later you can add NFS access rules by right-clicking on the share and choosing 'Add NFS Client Access..'.

Modify Network Shares

After a network share has been created you can modify it via the Network Share Modify dialog.

Qs mod gen network share.png

Compression

Network Shares and Storage Volumes inherit the compression mode and type from whatever is set for the storage pool. You can also customize the compression level to something specific for each given network share. For network shares that contain files which are heavily compressible you might increase the compression level to gzip (gzip6) but note that it'll use more CPU power for higher compression levels. For network shares that contain data that is already compressed, you may opt to turn compression 'off'. Note, this feature is specific to ZFS based Storage Pools.
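Under the hood these per-share settings correspond to the standard ZFS 'compression' property. A sketch of the equivalent commands follows; the pool and share names are hypothetical, and QuantaStor normally manages these properties for you through the Modify Network Share dialog:

```shell
# Heavier compression for highly compressible data (costs more CPU):
zfs set compression=gzip-6 qs-pool/share-docs
# Disable compression for data that is already compressed (media, archives):
zfs set compression=off qs-pool/share-media
# Check the current setting on a share's filesystem:
zfs get compression qs-pool/share-docs
```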

Sync Policy

The Sync Policy indicates how to handle writes to the network share. Standard mode is the default and it uses a combination of synchronous and asynchronous writes to ensure consistency and optimize for performance. If the write requests have been tagged as "SYNC_IO" then all of the IO is first sent to the filesystem intent log (ZIL) and then staged out to disk, otherwise the data can be written directly to disk without first staging to the intent log. In the "Always" mode the data is always sent to the filesystem intent log first and this is a bit slower but technically safer. If you have a workload that is write intensive it is a good idea to assign a pair of SSD drives to the storage pool for use as write cache so that the writes to the log and overall IOPs performance can be accelerated. Note, this feature is specific to ZFS based Storage Pools and the policy for each network share is by default inherited from the storage pool.
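On ZFS based pools the Sync Policy maps to the standard ZFS 'sync' property. The following is a hedged sketch of the equivalent commands (pool and share names hypothetical; QuantaStor normally sets this for you via the web interface):

```shell
# Default "Standard" mode: only writes tagged SYNC_IO go through the
# filesystem intent log (ZIL) before being staged out to disk.
zfs set sync=standard qs-pool/share1
# "Always" mode: every write is committed to the ZIL first; slower but safer.
zfs set sync=always qs-pool/share1
```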

NFS Configuration

Configuring NFS Services

NfsServicesConfig.png

The default NFS mode is NFSv3, but this can be changed to NFSv4 from within the "NFS Services Configuration" dialog. To open this dialog, navigate to the "Network Shares" tab and select "Configure NFS" from the ribbon bar at the top, or right-click the open space under the "Network Share" section and choose "Configure NFS Services" from the context menu.

Controlling NFS Access

NFS share access is filtered by IP address. To add a rule, right-click on a network share and select "Add Host Access". By default the share is set to public access. This dialog allows you to grant access to a single IP address or a range of IP addresses.

AddShareClientAccess.png

NFS Custom Options

You can also specify custom options from within the "Modify Network Share Client Access" dialog. To open it, right-click on the share's host access entry (defaults to public) and select "Modify Host Access". In this dialog you can set options such as "Read Only", "Insecure", etc., and add custom options such as "no_root_squash" in the space provided.
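
These options correspond to standard NFS export options. For reference, an exports-style rule combining a client range with options like those above might look as follows (the path and addresses are illustrative only; QuantaStor manages this configuration for you):

```text
/export/share1  10.0.3.0/24(rw,insecure,no_root_squash,sync)
/export/share1  10.0.4.17(ro)
```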

ContextMenuNfs.png ModifyShareClientAccess.png

CIFS Configuration

QuantaStor v3 uses Samba 3.6 which provides CIFS access to Network Shares via the SMB2 protocol. There is also beta support for Samba 4 but as of Q2/14 it does not have good support for joining existing AD Domains. As such, Samba4 is not planned to be the default until late 2014/early 2015.

Modifying CIFS Access

There are a number of custom options that can be set to adjust the CIFS access to your network share for different use cases. The 'Public' option makes the network share public so that all users can access it. The 'Writable' option makes the share writable as opposed to read-only and the 'Browseable' option makes it so that you can see the share when you browse for it from your Windows server or desktop.

Qs mod user network share.png

Modifying CIFS Configuration Options

Hide Unreadable & Hide Unwriteable

To show users only the folders and files to which they have access, set these options so that items they do not have read and/or write access to are hidden.

Media Harmony Support

Media Harmony is a special VFS module for Samba which provides a mechanism for multiple Avid users to edit content at the same time on the same network share. To do this the Media Harmony module maintains separate copies of the Avid meta-data temporary files on a per-user, per-network client basis.

Disable Snapshot Browsing

Snapshots can be used to recover data and by default your snapshots are visible under a special ShareName_snaps folder. If you don't want users to see these snapshot folders you can disable it. Note that you can still access the snapshots for easy file recovery via the Previous Snapshots section of Properties page for the share in Windows.

MMC Share Management

QuantaStor network shares can be managed directly from the MMC console Share Management section from Windows Server. This is often useful in heterogeneous environments where a combination of multiple different filers from multiple different vendors is being used. To turn on this capability for your network share simply select this option. If you want to set this capability to all network shares in the appliance you can do so by manually editing the smb.conf file to add these settings to the [global] section.

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Extended Attributes

Extended attributes are a filesystem feature where extra metadata can be associated with files. This is useful for enabling security controls (ACLs) for DOS and OS X clients. Extended attributes can also be used by a variety of other applications, so if you need this capability simply enable it by checking the box(es) for DOS, OS X, and/or plain Extended Attribute support.

Active Directory Configuration

QuantaStor appliances can be joined to your AD domain so that CIFS access can be applied to specific AD users and AD groups.

Joining an AD Domain

To join a domain, first navigate to the "Network Shares" section. Then select "Configure CIFS" in the top ribbon bar, or right-click in the "Network Shares" space and select "Configure CIFS Services" from the context menu. Check the box to enable Active Directory and provide the necessary information. The KDC is most likely your domain controller's FQDN (DC.DOMAIN.COM).
Note: Your storage system name must be <= 15 characters long.
If there are any problems joining the domain, verify that you can ping the IP address of the domain controller and that you can also ping the domain itself.
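
These connectivity checks can be run from the appliance console or over SSH; the domain controller address and domain name below are placeholders for your own:

```
# Verify basic reachability of the domain controller and the domain itself
ping -c 3 192.168.0.10        # IP address of your domain controller
ping -c 3 DOMAIN.COM          # the domain name must also resolve and respond
```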

ContextMenu.png AddDomain.png

You can now see the QuantaStor appliance on the domain controller under the Computers entry.

AdComputerEntry.png

Leaving an AD Domain

To leave a domain, first navigate to the "Network Shares" section. Then select "Configure CIFS" in the top ribbon bar, or right-click in the "Network Shares" space and select "Configure CIFS Services" from the context menu. Un-check the checkbox to disable Active Directory integration. If you would like to remove the computer entry from the domain controller you must also specify the domain administrator and password. After clicking "OK" QuantaStor will leave the domain.

RemoveDomain.png

Controlling CIFS Access

CIFS access can be controlled on a per user basis. When you are not in a domain, the users you can choose from are the different users you have within QuantaStor. This can be done during share creation by selecting "CIFS/SMB Advanced Settings", or while modifying a share under the tab "CIFS User Access". If you are in a domain, you will also be able to select the different users/groups that are present within the domain. This can be done the same way as using the QuantaStor users, but by selecting "AD Users" or "AD Groups". You can set the access to either "Valid User", "Admin User", or "Invalid User".

Qs mod user network share.png Qs mod aduser network share.png

Verifying Users Have CIFS Passwords

Before using a QuantaStor user for CIFS/SMB access you must first verify that the user has a CIFS password. To check, go to the "Users & Groups" tab, select a user, and look for the "CIFS Ready" property. If it says "Yes" the user is ready for CIFS/SMB. If it says "Password Change Required" then one more step is needed: right-click the user and select "Set Password". If you are signed in as an administrator the old password is not required, and you may re-use the same password the account had before. The user should then show as CIFS ready.

Setting CIFS Options

You can modify some of the share options during share creation, or while modifying the share. Most of the options are set by selecting/unselecting the checkboxes. You can also set the file and directory permissions in the modify share dialog under the "CIFS File Permissions" tab.

Qs mod perm network share.png

Managing Scale-out NAS File Storage (GlusterFS) Volumes

QuantaStor provides scale-out NAS capabilities with access via traditional protocols like CIFS/SMB, NFS, as well as via the GlusterFS client. For those not familiar with the Gluster filesystem it is a scale-out filesystem that combines multiple underlying filesystems together across appliances to present them in aggregate as a single filesystem. In QuantaStor appliances Gluster is layered on top of our Storage Pool architecture which is filesystem based. In this way you can use your QuantaStor appliances for file, block, and scale-out file storage needs all at the same time.

Gluster0.png

Multi-protocol Access via CIFS, NFS and GlusterFS Client

Scale-out NAS storage can be accessed via major NAS protocols like CIFS and NFS as well as via native Gluster Clients. Best performance is achieved when the storage is accessed from Linux based clients which mount the storage using the native GlusterFS client. Native clients can directly communicate with the servers containing the respective storage bricks for a given volume. This allows for much more linear scaling of performance and capacity as new appliances are added.

Gluster1.png

Primary Use Cases

Scale-out NAS using GlusterFS technology is great for unstructured data, archive, and many media use cases. It is not good for high IOPS workloads like databases and virtual machines; for those you'll want to create traditional Storage Volumes or Network Shares in your appliances that can supply the necessary write performance. GlusterFS read/write performance via CIFS/NFS is moderate and can be improved with SSD caching when used with ZFS based storage pools. Performance is better when you can use the native GlusterFS client, but note that the native client is only available on Linux based platforms.

  • Good Use Cases
    • Large-scale Media Archive
    • Large-scale Unstructured Data Repository
  • Poor Use Cases
    • Virtual Machine boot devices
    • Databases

We expect the breadth of good use cases for GlusterFS technology to increase over time, but conservatively the above represent our recommendations for 2014.

Grid Setup Procedure

A couple of additional steps are required to set up your appliances before you can start provisioning scale-out NAS shares. The first step is to create a management Grid by right-clicking on the Storage System icon in the tree stack view of the Web Management user interface (WUI) and choosing 'Create Grid...'.

Grid0.png

After you create the grid you'll need to add your other appliances to the grid by right-clicking on the Grid icon and choosing 'Add Grid Node...' from the menu. It will ask for the IP address and password for the appliance to be added to the grid and once they're all added you'll be able to manage all the nodes from a single login to the WUI.

Grid1.png

Be aware that the management user accounts across the appliances will be merged. If there are duplicate user accounts, the accounts on the elected primary/master node of the grid take precedence.

Grid2.png

At this point your Grid should be set up and you should see all the appliance nodes in the WUI. If not, please double-check the configuration and/or contact support for assistance.

Network Setup Procedure

You have a number of options for tuning the network setup for Gluster. If you plan to use the native GlusterFS client from Linux servers that connect directly to QuantaStor nodes, set up network bonding to bind multiple network ports on each appliance for additional bandwidth and automatic fail-over in the event a network cable is pulled. If you plan to use CIFS/NFS as the primary protocols for accessing your storage, you could use bonding, or you could separate your ports into a front-end network for client access and a back-end network for inter-node communication. When in doubt start with a simple configuration like LACP bonded ports, but ideally have an expert review your configuration before it goes into production. Getting the networking set up correctly is important for long-term reliability and optimal performance, so be sure to review your configuration with your reseller to make sure it's ideal for your needs.

Peer Setup

Setting up QuantaStor appliances into a grid allows them to intercommunicate, but it doesn't automatically set up the GlusterFS peer relationships between the appliances. For that, bring up the 'Peer Setup' dialog in the Web Interface and select the IP address on each node that Gluster should use for inter-node communication.

Gluster3.png


This sets up a "hosts" file (/etc/hosts) on each appliance so that each node can refer to the other nodes in the grid by name. You can also do this via DNS, but by using Peer Setup QuantaStor ensures the configuration is kept in sync across the nodes and lets the nodes resolve names even if DNS server access is down. Gluster volumes span appliances, and on each appliance a volume spans it places a brick. These gluster bricks are referenced with a brick path that looks much like a URL for a web page. By setting up the IP-to-hostname mappings QuantaStor is able to create brick paths using hostnames rather than IP addresses, which makes it much easier to change the IP address of a node in the future. Finally, the Peer Setup dialog has a check box to set up the Gluster peer relationships. This runs a series of 'gluster peer probe' commands to link the nodes together so that gluster volumes can be created across the appliances. Once the peers are attached you'll see them appear in the Gluster Peers section of the WUI, and you can begin provisioning Gluster Volumes. Alternatively you can add the peers one at a time using the Peer Attach dialog.
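
Behind the scenes this is equivalent to the standard Gluster peering workflow. A sketch of what Peer Setup automates (the hostnames and addresses are illustrative; QuantaStor performs these steps for you):

```
# Name-resolution entries written to /etc/hosts on every node, e.g.:
#   10.0.3.11  qs-gfs1
#   10.0.3.12  qs-gfs2

# Link the nodes so volumes can span them, then verify the peer state
sudo gluster peer probe qs-gfs2
sudo gluster peer status
```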

Gluster4.png

Provisioning Gluster Volumes

Gluster Volumes are provisioned from the 'Gluster Management' tab in the web user interface. To make a new Gluster Volume simply right-click on the Gluster Volumes section or choose Create Gluster Volume from the tool bar.

Gluster5.png

To make your Gluster Volume highly-available with two copies of each file, choose a replica count of two (2). If you only need fault tolerance against a disk failure, that is already supplied by the storage pools and you can use a replica count of one (1). With a replica count of two (2) you have full read/write access to your scale-out Network Share even if one of the appliances is turned off. With a replica count of one (1) you will lose read access to some of your data in the event that one of the appliances is turned off. When the appliance is turned back on it will automatically synchronize with the other nodes to bring itself up to the current state via auto-healing.

High-Availability for Gluster Volumes

For a Gluster Volume to be made highly-available you must allocate a volume with a replica count of two (2) or three (3). That way, when an appliance is disabled or turned off there is still another appliance with a copy of the files that can serve them while its mirror brick(s) are offline. If you are using the native Gluster Client from a Linux server, no additional steps are required to make a volume highly-available, as the client communicates with the server nodes to get peer status information and handles fail-over itself.

When accessing your Gluster Volume via traditional protocols like CIFS or NFS additional steps are required to make the storage highly available. This is because CIFS and NFS clients communicate with a single IP address associated with a single appliance at a time. If the appliance serving storage through an interface with that IP address is turned off then the IP address must "float" to another node to ensure continued access to storage on that interface. This is precisely what QuantaStor does and it provides this capability by allowing you to create virtual network interfaces for your Gluster Volumes which will float to another node automatically to maintain high-availability to your storage.

Provisioning Gluster Volume Virtual Interfaces

Once you have a Gluster Volume provisioned you can allocate one or more virtual network interfaces to it. This is not necessary if you are using the native Gluster client, where fail-over is automatic because the client communicates with all nodes directly. But if you're using CIFS or NFS clients to access your scale-out NAS share, you'll want to use an IP address that will automatically float to another node in the event that the node it is currently attached to is disabled or turned off.

GlusterVif.png

In the above diagram an HA Virtual Interface is shown attached to Appliance A with Pool-A. In the event that appliance goes offline the HA Virtual Interface will be moved to Appliance B. Virtual Interfaces are assigned IP addresses (e.g. 10.0.3.88) just like physical network interfaces such as eth0, except that being virtual they attach to a physical interface and can be moved as necessary.

Gluster6.png

To create a virtual interface for a volume simply right-click on a Gluster Volume and choose Create Gluster Virtual Interface. You'll need to provide a static IP address, netmask, and other basic network configuration information. Note that to use Gluster Virtual Network Interfaces you must first create a Grid virtual interface for your grid. This can be done by right-clicking on the Grid in the tree view and then choose 'Modify Grid...' from the pop-up menu. When you create a Grid virtual interface it enables the cluster resource management components QuantaStor uses for IP address failover so this is a prerequisite.

Configuring NFS and CIFS access to Gluster Volumes

A Network Share will appear in the Network Shares section of the Web Management interface for each Gluster volume that is created. From there you manage the Gluster Volume as a network share just as you would a standard single-pool network file share. QuantaStor takes care of synchronizing the configuration changes so that CIFS/NFS access is provided across all nodes which a given gluster volume spans. For example, if you have a grid with 5 nodes (A, B, C, D, E) and a Gluster Volume which spans nodes A & B, then CIFS/NFS access to that Gluster Volume will only be available via nodes A & B.

Snapshots & Quotas

At this time we do not provide support for snapshots and quotas of Gluster volumes. That said, when used with ZFS based Storage Pools QuantaStor allocates the Gluster bricks as filesystems so that we can provide more advanced functionality like snapshots & quotas in a future release.

Configuring the native GlusterFS client access to Gluster Volumes

For scenarios where you have a Linux based host that will be connecting to the Gluster Volume you can install the native GlusterFS client package on your server so that you can connect to your Gluster Volume using the high-performance native client. The most recent versions of the GlusterFS client can be downloaded from the Gluster community web site here.

For Debian/Ubuntu based systems the process of installing the client and connecting to the Gluster Volume looks like this. In this example qs-gfs1 is the name of one of the servers serving up a brick of the volume and gvol06 is the name of the volume.

Gluster7.png

sudo apt-get install glusterfs-client
sudo mkdir -p /gvols/gvol06
sudo mount -t glusterfs qs-gfs1:/gvol06 /gvols/gvol06

Installation procedures vary by platform, but there is an article on JamesCoyle.net with excellent examples and detail on Gluster Client configuration.
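
To make the native-client mount persistent across reboots you can add an fstab entry. A sketch using the same illustrative server and volume names, with _netdev so the mount waits for networking to come up:

```text
# /etc/fstab
qs-gfs1:/gvol06  /gvols/gvol06  glusterfs  defaults,_netdev  0 0
```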

Expanding Gluster Volumes

By Adding Bricks onto additional Storage Pools

Volumes can be expanded by adding more bricks to an existing volume. The bricks should always be on separate appliances so if you have a volume with two bricks on qs-gfs1 and qs-gfs3 respectively you can safely expand the volume by creating additional bricks on storage pools on appliances qs-gfs2 and qs-gfs4.

Gluster8.png

By Expanding Storage Pools

The other way you can provide additional storage to your Gluster Volumes is by expanding the Storage Pools where the bricks reside. ZFS based Storage Pools provide the capability for online expansion with zero downtime and they can be expanded by concatenating additional storage. As an example, you could have a 128TB Storage Pool with 32x 4TB drives which can be expanded to 256TB by adding a disk expansion unit with another 128TB. No changes need to be made to the Gluster volumes or bricks for them to use the additional space once the pool has been expanded. Note that all the storage pools containing bricks of your Gluster volumes must be expanded evenly.

Gluster File Locking Support

File Locking

The file locking conclusions below come from running the test scripts provided at the end of this section. Each scenario was tested in both directions. For example, the CIFS and Gluster Native test was done in the following manner: the CIFS session would take the lock on the file, and we would verify that the lock could not be taken by the Gluster Native session. After this was verified, we would release the lock on the CIFS session and see the Gluster Native session take the lock. We would then rerun the test on the CIFS side to verify that it now fails to take the lock. Finally we would release the lock on the Gluster Native side and make sure that the CIFS session then obtained the lock. This process was repeated for every scenario in the table below.

Gluster Lock Testing

  Client A          Client B          Supports Locking
  Gluster Native    (none)            Yes
  Gluster Native    Gluster Native    Yes
  Gluster Native    NFS               Yes
  Gluster Native    CIFS              Yes
  NFS               (none)            Yes
  NFS               NFS               Yes
  NFS               CIFS              Yes
  CIFS              (none)            Yes
  CIFS              CIFS              Yes
  • If you are using CIFS on top of the gluster volume, make sure you have "oplocks = no" in either your share definition or the [global] section of your "/etc/samba/smb.conf"
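
The lock hand-off pattern described above can be sketched on any Linux host with util-linux flock, as a simplified stand-in for the Python test scripts linked below (the lock file path is arbitrary):

```shell
LOCK=/tmp/locktest.lock

# "Client A": take an exclusive lock and hold it briefly in the background
( flock -x 9; sleep 2 ) 9>"$LOCK" &
sleep 0.5

# "Client B": a non-blocking attempt fails while A holds the lock
if flock -n "$LOCK" -c true; then
  echo "client B acquired the lock"
else
  echo "client B blocked: lock is held"
fi

# Once A exits and releases the lock, B's attempt succeeds
wait
flock -n "$LOCK" -c true && echo "client B acquired after release"
```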

Considerations with Gluster and File Locking

Locking is instant, but propagation of file content changes is not. As such, Client B can open the file and in some cases see content even though Client A truncated the file before unlocking it (example below).

GlusterPropagation.png

Locking Test Scripts

Our locking tests were done with the following python scripts:

https://s3.amazonaws.com/qstor-downloads/wiki/lockTest.tgz

After unpacking the file, make sure to give yourself read and write access to the file "test.txt" included with lockTest.tgz

Note for Windows testing:

  • You will also need to install pywin32

http://sourceforge.net/projects/pywin32/

Managing Storage Volumes

Each storage volume is a unique block device/target (a.k.a. a 'LUN', as it is often referred to in the storage industry) which can be accessed via iSCSI, Fibre Channel, or Infiniband/SRP. A storage volume is essentially a virtual disk drive on the network (the SAN) that you can assign to any host in your environment. Storage volumes are provisioned from a storage pool, so you must first create a storage pool before you can start provisioning volumes.

Creating Storage Volumes

Storage volumes can be provisioned 'thick' or 'thin', which indicates whether the storage for the volume is fully reserved (thick) or not (thin). As an example, a thin 100GB storage volume in a 1TB storage pool will initially use only 4KB of disk space in the pool when it is created, leaving 99.99% of the disk space available for other volumes and additional provisioning. In contrast, if you choose 'thick' provisioning by unchecking the 'thin provisioning' option, the entire 100GB is reserved up front. The advantage is that the volume can never run out of disk space due to low availability in the pool, but since the space is reserved up front you will have only 900GB free in your 1TB pool after allocation, so thick provisioning can use up your available disk space fairly rapidly. The other problem with 100% thick provisioning is that it leaves no room for snapshots, which are also required for remote replication. As such, we recommend thin provisioning and it is the default. If you've provisioned your volumes with thick provisioning by mistake, don't worry; the reserved space can be adjusted at the command line using 'zfs set refreservation=1G qs-POOLID/VOLUMEID', which customer support can assist you with.
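
As a sketch, the reservation behind a thick volume can be inspected and relaxed with standard ZFS commands (the pool and volume IDs below are placeholders; coordinate with customer support before changing reservations on a production system):

```
# Check how much space is reserved for the volume (placeholder IDs)
zfs get refreservation qs-POOLID/VOLUMEID

# Shrink the reservation to effectively convert the volume to thin
sudo zfs set refreservation=1G qs-POOLID/VOLUMEID
```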

Deleting Storage Volumes

There are two separate dialogs in QuantaStor Manager for deleting storage volumes. If you press the "Delete Volume(s)" button in the ribbon bar you will be presented with a dialog that allows you to delete multiple volumes at once, and you can even search for volumes based on a partial name match. This can save a lot of time when you're trying to delete multiple volumes. You can also right-click on a storage volume and choose 'Delete Volume', which brings up a dialog to delete just that volume. If there are snapshots of the volume you are deleting they are not deleted; rather, they are promoted. For example, if you have snapshots S1, S2 of volume A1 then the snapshots will become root/primary storage volumes after A1 is deleted. Once a storage volume is deleted all the data is gone, so use extreme caution to make sure you're deleting the right volumes. Technically, storage volumes are internally stored as files on XFS based storage pools, so it is possible that a filesystem file recovery tool could recover a lost volume, but generally speaking one would need to hire a company that specializes in data recovery to get this data back.

Resizing Storage Volumes

QuantaStor supports increasing the size of storage volumes but due to the high probability of data-loss we do not support shrink. (n.b. all storage volumes are raw files within the storage pool filesystem (usually XFS) so you could theoretically experiment by making a copy of your storage volume file, manually truncate it, rename the old one and then rename the truncated version back into place. This is not recommended, but it's an example of some of the low-level things you could try in a real pinch given the open nature of the platform.)

Creating Snapshots

Some key features of QuantaStor volume snapshots include:

  • massive scalability
    • create snapshots in just seconds
  • supports snapshots of snapshots
    • you can create snapshots of snapshots of snapshots, ad infinitum.
  • snapshots are R/W by default, read-only snapshots are also supported
  • snapshots perform well even when large numbers exist
  • snapshots are 'thin', that is they are a copy of the meta-data associated with the original volume and not a full copy of all the data blocks.

All of these advanced snapshot capabilities make QuantaStor ideally suited for virtual desktop solutions, off-host backup, and near continuous data protection (NCDP). If you're looking to get NCDP functionality, just create a 'snapshot schedule' and snapshots can be created for your storage volumes as frequently as every hour.

To create a snapshot or a batch of snapshots, select the storage volume that you wish to snap, right-click on it and choose 'Snapshot Storage Volume' from the menu.

If you do not supply a name then QuantaStor will automatically choose a name for you by appending a numbered "_snap" suffix to the original volume's name. So if you have a storage volume named 'vol1' and you create a snapshot of it, you'll have a snapshot named 'vol1_snap000'. If you create more snapshots the system increments the number at the end so that each snapshot has a unique name.
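
The naming pattern can be illustrated with a zero-padded counter; this is just a sketch of the scheme, not how QuantaStor generates the names internally:

```shell
# Generate the first three automatic snapshot names for a volume 'vol1'
for i in 0 1 2; do
  printf 'vol1_snap%03d\n' "$i"
done
# prints vol1_snap000, vol1_snap001, vol1_snap002
```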

Creating Clones

Clones represent complete copies of the data blocks in the original storage volume, and a clone can be created in any storage pool in your storage system whereas a snapshot can only be created within the same storage pool as the original. You can create a clone at any time and while the source volume is in use because QuantaStor creates a temporary snapshot in the background to facilitate the clone process. The temporary snapshot is automatically deleted once the clone operation completes. Note also that you cannot use a cloned storage volume until the data copy completes. You can monitor the progress of the cloning by looking at the Task bar at the bottom of the QuantaStor Manager screen. (Note: In contrast to clones (complete copies), snapshots are created near instantly and do not involve data movement so you can use them immediately.)

By default QuantaStor systems are set up with clone bandwidth throttled to 200MB/sec across all clone operations on the appliance. The automatic load balancing ensures minimal impact to workloads due to active clone operations. The following CLI documentation covers how to adjust the cloning rate limit so that you can increase or decrease it.

  Volume Clone Load Balancing
    qs-util clratelimitget            : Current max bandwidth setting to be divided among active clone operations.
    qs-util clratelimitset NN         : Sets the max bandwidth available in MB/sec shared across all clone operations.
    qs-util clraterebalance           : Rebalances all active volume clone operations to use the shared limit (default 200).
                                       QuantaStor automatically rebalances active clone streams every minute unless
                                       the file /etc/clratelimit.disable is present.

For example, to set the clone operations rate limit to 300MBytes/sec you would need to login to the appliance via SSH or via the console and run this command:

sudo qs-util clratelimitset 300

The new rate is applied automatically to all active clone operations. QuantaStor automatically rebalances clone operation bandwidth, so if you have a limit of 300MB/sec with 3x clone operations active, then each clone operation will be replicating data at 100MB/sec. If one of them completes first then the other two will accelerate up to 150MB/sec, and when a second one completes the last clone operation will accelerate to 300MB/sec. Note also that cloning a storage volume to a new storage volume in the same storage pool will be rate limited to whatever the current setting is but because the source and destination are the same it will have double the impact on workloads running in that storage pool. As such, if you are frequently cloning volumes within the same storage pool and it is impacting workloads you will want to decrease the clone rate to something lower than the default of 200MB/sec. In other cases where you're using pure SSD storage you will want to increase the clone rate limit.
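
The rebalancing arithmetic above can be sketched directly; the limit and clone counts below are the illustrative values from the example, not values read from a live system:

```shell
# A shared limit is divided evenly among however many clone ops remain active
LIMIT=300   # MB/sec, e.g. after: sudo qs-util clratelimitset 300
for ACTIVE in 3 2 1; do
  echo "$ACTIVE active: $((LIMIT / ACTIVE)) MB/sec per clone"
done
# prints 100, then 150, then 300 MB/sec per clone
```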

Restoring from Snapshots

If you've accidentally lost some data by inadvertently deleting files in one of your storage volumes, you can recover your data quickly and easily using the 'Restore Storage Volume' operation. To restore your original storage volume to a previous point in time, first select the original, then right-click on it and choose "Restore Storage Volume" from the pop-up menu. When the dialog appears you will be presented with all the snapshots of that original from which you can recover. Just select the snapshot that you want to restore to and press OK. Note that you cannot have any active sessions to the original or the snapshot storage volume when you restore; if you do, you'll get an error. This prevents the restore from taking place while the OS has the volume in use or mounted, which would lead to data corruption.

WARNING: When you restore, the data in the original is replaced with the data in
the snapshot.  As such, there's a possibility of losing data, as everything that
was written to the original since the time the snapshot was created will be lost.
Remember, you can always create a snapshot of the original before you restore it
to a previous point-in-time snapshot.

Converting a Snapshot into a Primary (btrfs only)

A primary volume is simply a storage volume that's not a snapshot of any other storage volume. With BTRFS based Storage Pools you can take any snapshot and make it a primary storage volume very easily. Just select the storage volume in QuantaStor Manager, then right-click and choose 'Modify Storage Volume' from the pop-up menu. Once you're in the dialog, just un-check the box marked "Is Snapshot?". If the snapshot itself has snapshots, those snapshots will be connected to the snapshot's previous parent volume. This conversion of snapshot to primary does not involve data movement, so it's near instantaneous. After the snapshot becomes a primary it will still share data blocks with the storage volume it was previously a snapshot of, but that relationship is cleared from a management perspective. BTRFS is not yet ready for production use, so at this time we recommend ZFS based storage pools; ZFS based storage volume snapshots must be cloned to make them a 'primary'.

Managing Storage Tiers

Storage Tiers provide a way of grouping Storage Pools together for simplified provisioning from automated systems and frameworks like OpenStack Cinder. A common problem in cloud environments is that you may have many storage appliances in a grid, each with one or more storage pools. This creates a conundrum when you go to provision a Storage Volume or Network Share, as several questions must be answered to find the ideal placement for your new volume or share, including:

  • Which Storage Pool has the most free space?
  • Which Storage Pool has the least number of storage volumes in it?
  • Which Storage Pool has the least amount of over-provisioning?
  • Does the Storage Pool meet the IOPS and throughput requirements of my workload?

When you create a Storage Tier you select one or more Storage Pools to associate it with, and then set various attributes on the Storage Tier so that your provisioning system can make intelligent decisions about which Storage Tier to provision from based on the needs of the workload. Placement is automatic, so you don't have to think about which storage pool within the storage tier the storage volume should be provisioned from.

Storagetier1.png

All REST APIs and CLI commands which take a Storage Pool name or ID as an argument can have the pool identifier substituted with the name or ideally the UUID of a Storage Tier instead.

Over-provisioning with Storage Tiers

Note that Storage Tiers provide a convenient grouping mechanism and intelligent placement, but you cannot create a storage volume which is larger than the pool with the largest available free space in the Storage Tier. As an example, if you have three storage pools in your storage tier, Pool1 (10TB free), Pool2 (20TB free), and Pool3 (4TB free), and you request allocation of a new 22TB Storage Volume, the provisioning will fail because no pool has that much free space. Note however that you could allocate 10x thin-provisioned storage volumes which are 6TB in size, because newly thin-provisioned volumes use a negligible amount of space until data has been written to them. So Storage Tiers do provide support for over-provisioning storage pools, within some limits.
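The placement rule above can be sketched as a quick check (the pool sizes and the 22TB request are the example values from the text; this is an illustration, not a QuantaStor command):

```shell
# Thick-provisioning check: a single volume cannot exceed the free space
# of the largest pool in the tier, even though the tier's total free
# space (34TB) would be sufficient.
largest_free=20   # TB free in Pool2, the largest of the three pools
request=22        # TB requested for the new Storage Volume
if [ "$request" -gt "$largest_free" ]; then
  echo "provisioning fails: no pool has ${request}TB free"
else
  echo "provisioning succeeds"
fi
```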

Managing Cloud Containers

QuantaStor can be configured to be a NAS gateway to object storage provided by OpenStack SWIFT, SoftLayer Object Storage, Amazon S3, and Google Cloud Storage. This is done by creating one or more Cloud Containers on your QuantaStor appliance which then show up as Network Shares which can be accessed via the standard NFS and CIFS protocols. Cloud Containers use the s3ql filesystem which provides compression, encryption and deduplication of data so that you get maximum utilization of your cloud storage.

Each Cloud Container can have a unique Passphrase/Encryption key. Each Cloud Container is represented by a bucket in your public or private object storage cloud that starts with a qs-bucket-* prefix. Because the data placed into the Cloud Container is written in a reduced and encrypted format, the data is secure and cannot be accessed directly via REST APIs.

Note that a given Cloud Container can only be used by one QuantaStor appliance at a time. If you need to add it to another appliance, please disable it from the first appliance before activating the container on another.

Adding Cloud Provider Credentials

To begin using the Cloud Container feature, you will need to provide the QuantaStor appliance access to your Object Storage using the 'Add Cloud Provider Credentials' dialog available in the Cloud Container tab of the WebUI as shown in the example below:

Adding Cloud Provider Credentials.png

The credentials for your object storage cloud can be found in the security/authentication pages of your Amazon S3, Google Cloud Storage, or SoftLayer Cloud Storage accounts. Once your credentials have been added you can begin creating cloud containers within QuantaStor.

Creating a Cloud Container

Create a Cloud Container using the 'Create Cloud Storage Container' dialog. In the dialog, specify a name for the Cloud Container, the Cloud Provider, the Location for the Cloud Provider object storage you wish to use (public or private), which of the appliances in your grid you wish to attach to the Cloud Container, and the Passphrase/Encryption Key to secure the object storage, then click OK to create your Cloud Container.

This is shown in the example below:

Example Create Cloud Storage Container.png


Once the Cloud Container has been created, you can configure Network Share users and permissions via the Network Shares section of the Web interface: Managing Network Shares

Advanced Cloud Container Topics

Offline/Disable access to a Cloud Container on a QuantaStor Appliance: Disable Cloud Container

Enabling access to an offline Cloud Container on a QuantaStor Appliance: Enable Cloud Container

Troubleshooting and Repairing a Cloud Container if a Cloud Container does not mount: Repair Cloud Container

Exporting/removing access to a Cloud Container from a QuantaStor Appliance: Export/Remove Cloud Container

Importing existing Cloud Containers to a QuantaStor Appliance: Import/Add Cloud Container

Permanently deleting a Cloud Container, its objects, and its bucket in the Object Storage: Delete Cloud Container

Managing Backup Policies

Within QuantaStor you can create backup policies whereby data from any NFS or CIFS share on your network can be automatically backed up to your QuantaStor appliance. To create a backup policy, simply right-click on the Network Share where you want the data to be backed up to and choose the 'Create Backup Policy..' option from the pop-up menu. Backup policies do a CIFS/NFS mount of the specified NAS share on your network locally to the appliance in order to access the data to be archived. When the backup starts it creates a Backup Job object which you will see in the web interface; you can see the progress of any given backup job by monitoring it in the Backup Jobs tab in the center pane of the web interface after you select the Network Share to which the backup policy is attached.

Qs bp menu.png

Creating Backup Policies

Backup policies in QuantaStor support heavy parallelism so that very large NAS filers with 100m+ files can be easily scanned for changes. The default level of parallelism is 32 concurrent scan+copy threads, but this can be reduced, or increased to as many as 64 concurrent threads.

Backup to Network Share

This is where you indicate where you want the data to be backed up to on your QuantaStor appliance. With QuantaStor backup policies your data is copied from a NAS share on the network to a network share on your QuantaStor appliance.

Policy Name

This is a friendly name for your backup policy. If you are going to have multiple policies doing backups to the same network share then each policy will be associated with a directory with the name of the policy. For example, if your share is called media-backups and you have a policy called 'project1' and a policy called 'project2' then there will be sub-directories under the media-backups share for project1 and project2. In order to support multiple policies per Network Share you must select the option which says Backup files to policy specific subdirectory. If that is not selected then only one policy can be associated with the network share and the backups will go into the root of the share to form an exact mirror copy.
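The resulting per-policy layout for that example can be sketched like so (the share and policy names are the examples from the text; the actual path of the share on your appliance will differ):

```shell
# Simulate the layout: one subdirectory per backup policy under the share
mkdir -p media-backups/project1 media-backups/project2
find media-backups -type d | sort
```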

Selecting the Backup Source

In the section which says Hostname / IP Address:, enter the IP address of the NAS filer or server which is sharing the NAS folder you want to back up. For NFS shares you should enter the IP address and press the Scan button. If NFS shares are found they'll show up in the CIFS/NFS Export: list. For CIFS share backups you'll need to enter the network path to the share in a special format starting with double forward slashes, like so: //username%password@ipaddress. For example, you might scan for shares on a filer located at 10.10.5.5 using the SMB credentials of 'admin' and password 'password123' using this path: //admin%password123@10.10.5.5. In AD environments you can also include the domain in the SMB path like so: //DOMAIN/username%password@ipaddress.
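As a sanity check on the path format, you can assemble it from its parts (the credentials and address are the example values from the text):

```shell
# Build the //username%password@ipaddress form described above
user=admin
pass=password123
ip=10.10.5.5
echo "//${user}%${pass}@${ip}"
```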

Qs bp create.png

Policy Type

You can indicate that you want the backup policy to back up everything by selecting 'Backup All Files', or you can do a 'Sliding Window Backup'. For backing up data from huge filers with 100m+ files it is sometimes useful to back up and maintain only a sliding window of the most recently modified or created files. If you set the Retention Period to 60 days then all files that have been created or modified within the last 60 days will be retained. Files that are older than that will be purged from the backup folder.

Be careful with the Backup All Files mode. If you have a Purge Policy enabled, it will remove any files from the network share which were not found on the source NAS share that's being backed up. If you attach such a backup policy to an existing share which has data on it, the purge policy will remove any data/files that exist in your QuantaStor Network Share but are not on the source NAS share on the remote filer. So use caution with this: Backup All Files really means maintain a mirror copy of the remote NAS share.

Purge Policy

Backup policies may run many times per day to quickly back up new and modified files. A scan to determine what needs purging is typically less important, so it is more efficient to run it nightly rather than with each and every backup job. For the Sliding Window policies the purge phase will throw out any files that are older than the retention period. For the Backup All Files policies a comparison is done and any files that are no longer present in the NAS source share are removed from the backup. The Purge Policy can also be set to 'Never delete files', which will back up files to your Network Share but never remove them.

Backup Logs

If you select 'Maintain a log of each backup' then a backup log file will be written out after each backup. Backup logs can be found on your QuantaStor appliance in the /var/log/backup-log/POLICY-NAME directory. The purge process produces a log with the .purgelog suffix and the backup process produces a log with the .changelog suffix.

pwalk

pwalk is an open source command line utility included with QuantaStor (see /usr/bin/pwalk). It was originally written by John Dey as a parallelized version of the 'du -a' unix utility, suitable for scanning filesystems with 100s of millions of files. It was then reworked at OSNEXUS to support backups, sliding window backups, additional output formats, etc. If you type 'pwalk' by itself at the QuantaStor ssh or console window you'll see the following usage page / documentation. The pwalk utility has three modes: 'walk', which does a parallelized crawl of a directory; 'copy', which does a backup from a SOURCEDIR to a specified --targetdir; and 'purge', which removes files in the PURGEDIR which are not found in the --comparedir. In general you would never need to use pwalk directly, but the documentation is provided here to support special use cases like custom backup or replication cron jobs.

pwalk version 3.1 Oct 22nd 2013 - John F Dey john@fuzzdog.com, OSNEXUS, eng@osnexus.com

Usage :
pwalk --help --version
          Common Args :
             --dryrun : use this to test commands
                        without making any changes to the system
       --maxthreads=N : indicates the number of threads (default=32)
           --nototals : disables printing of totals after the scan
               --dots : prints a dot and total every 1000 files scanned.
              --quiet : no chatter, speeds up the scan.
             --nosnap : Ignore directories with name .snapshot
              --debug : Verbose debug spam
        Output Format : CSV
               Fields : DateStamp,"inode","filename","fileExtension","UID",
                        "GID","st_size","st_blocks","st_mode","atime",
                        "mtime","ctime","File Count","Directory Size"

Walk Usage :
pwalk SOURCEDIR
         Command Args :
            SOURCEDIR : Fully qualified path to the directory to walk

Copy/Backup Usage :
pwalk --targetdir=TARGETDIR SOURCEDIR
pwalk --retain=30 --targetdir=TARGETDIR SOURCEDIR
         Command Args :
          --targetdir : copy files to specified TARGETDIR
              --atime : copy if access time change (default=no atime)
  --backuplog=LOGFILE : log all files that were copied.
  --status=STATUSFILE : write periodic status updates to specified file
             --retain : copy if file ctime or mtime within retention period
                        specified in days. eg: --retain=60
            --nomtime : ignore mtime (default=use mtime)
            SOURCEDIR : Fully qualified path to the directory to walk

Delete/Purge Usage :
pwalk --purge [--force] --comparedir=COMPAREDIR PURGEDIR
pwalk --purge [--force] --retain=N PURGEDIR
         Command Args :
         --comparedir : compare against this dir but dont touch any files
                        in it. comparedir is usually the SOURCEDIR from
                        a prior copy/sync stage.
              --purge : !!WARNING!! this deletes files older than the
                        retain period -OR- if retain is not specified
                        --comparedir is required. The comparedir is
                        compared against the specified dir and any files
                        not found in the comparedir are purged.
              --force : !NOTE! default is a *dry-run* for purge, you must
                        specify --force option to actually purge files
              --atime : keep if access time within retain period
             --retain : keep if file ctime or mtime within retention period
                        specified in days. eg: --retain=60

The OSNEXUS-modified version of the C source code for pwalk is available here: pwalk.c. The original version is available here.

IO Tuning

ZFS Performance Tuning

One of the most common tuning tasks done for ZFS is setting the size of the ARC cache. If your system has less than 10GB of RAM you should just use the default, but if you have 32GB or more then it is a good idea to increase the size of the ARC cache to make maximum use of the available RAM in your storage appliance. Before you set the tuning parameters you should run 'top' to verify how much RAM you have in the system. Next, run these commands to set the ARC limits to a percentage of the available RAM. For example, to set the ARC cache to use a maximum of 80% of the available RAM and a minimum of 50% of the available RAM in the system, run these, then reboot:

qs-util setzfsarcmax 80
qs-util setzfsarcmin 50

Example:

sudo -i
qs-util setzfsarcmax 80
INFO: Updating max ARC cache size to 80% of total RAM 1994 MB in /etc/modprobe.d/zfs.conf to: 1672478720 bytes (1595 MB)
qs-util setzfsarcmin 50
INFO: Updating min ARC cache size to 50% of total RAM 1994 MB in /etc/modprobe.d/zfs.conf to: 1045430272 bytes (997 MB)


To see how many cache hits you are getting you can monitor the ARC cache while the system is under load with the qs-iostat command:

qs-iostat -af

ZFS Adaptive Replacement Cache (ARC) / read cache statistics

Name                              Data
---------------------------------------------
hits                              1099360191
misses                            65808011
c_min                             67108864
c_max                             1045925888
size                              26101960
arc_meta_used                     11552968
arc_meta_limit                    261481472
arc_meta_max                      28478856

ZFS Intent Log (ZIL) / writeback cache statistics

Name                              Data
---------------------------------------------
zil_commit_count                  25858
zil_commit_writer_count           25775
zil_itx_count                     12945

Pool Performance Profiles

Read-ahead and request queue size adjustments can help tune your storage pool for certain workloads. You can also create new storage pool IO profiles by editing the /etc/qs_io_profiles.conf file. The default profile looks like this and you can duplicate it and edit it to customize it.

[default]
name=Default
description=Optimizes for general purpose server application workloads
nr_requests=2048
read_ahead_kb=256
fifo_batch=16
chunk_size_kb=128
scheduler=deadline

If you edit the profiles configuration file be sure to restart the management service with 'service quantastor restart' so that your new profile is discovered and is available in the web interface.

Storage Pool Tuning Parameters

QuantaStor has a number of tunable parameters in the /etc/quantastor.conf file that can be adjusted to better match the needs of your application. That said, we've spent a considerable amount of time tuning the system to efficiently support a broad set of application types so we do not recommend adjusting these settings unless you are a highly skilled Linux administrator. The default contents of the /etc/quantastor.conf configuration file are as follows:

[device]
nr_requests=2048
scheduler=deadline
read_ahead_kb=512

[mdadm]
chunk_size_kb=256
parity_layout=left-symmetric

There are tunable settings for device parameters which are applied to the storage media (SSD/SATA/SAS), as well as settings like the MD device array chunk-size and parity configuration settings used with XFS based storage pools. These configuration settings are read from the configuration file dynamically each time one of the settings is needed so there's no need to restart the quantastor service. Simply edit the file and the changes will be applied to the next operation that utilizes them. For example, if you adjust the chunk_size_kb setting for mdadm then the next time a storage pool is created it will use the new chunk size. Other tunable settings like the device settings will automatically be applied within a minute or so of your changes because the system periodically checks the disk configuration and updates it to match the tunable settings. Also, you can delete the quantastor.conf file and it will automatically use the defaults that you see listed above.
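For example, a chunk-size change is just an in-place edit of the file. The sketch below works on a sample copy of the [mdadm] section rather than the live /etc/quantastor.conf, so it is safe to run anywhere:

```shell
# Work on a sample copy; on an appliance you would edit /etc/quantastor.conf
# directly, and the new value applies to the next storage pool creation.
cat > /tmp/quantastor.conf.sample <<'EOF'
[mdadm]
chunk_size_kb=256
parity_layout=left-symmetric
EOF
sed -i 's/^chunk_size_kb=.*/chunk_size_kb=512/' /tmp/quantastor.conf.sample
grep '^chunk_size_kb' /tmp/quantastor.conf.sample
```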

Security Configuration

Change Your Passwords

One of the most important steps in the configuration of a new QuantaStor appliance is to change the admin password for the appliance to something other than the default. Start by logging into the console using the 'qadmin' account and 'qadmin' password. Next, type 'passwd' and change the password from 'qadmin' to something else. Then log in to the web management interface and change the 'admin' account password from 'password' to something else.

Port Lock-down via IP Tables configuration

QuantaStor comes with non-encrypted port 80 / http access to the appliance enabled. For more secure installations it is recommended that port 80 and non-essential services be blocked. To disable port 80 access, run this command:

sudo qs-util disablehttp

To re-enable port 80 access use:

sudo qs-util enablehttp

Note that the web management interface will still be accessible via https on port 443 after you disable http access.

Changing the SSL Key for QuantaStor Web Management Interface

The SSL key provided with QuantaStor is a common self-signed SSL key that is pre-generated and included with all deployments. This is generally OK for most deployments on private networks but for increased security it is recommended to generate a new SSL keystore for the Apache Tomcat server used to serve the QuantaStor web management interface.

Keystore Password Selection

IMPORTANT NOTE: You must set the password for the keystore to 'changeit' (without the quotes) as this is the default password that Tomcat uses to unlock the keystore. If you do not want to use the default password ('changeit') you can select a password of your choice, but you will also need to manually edit the connector section of the /opt/osnexus/quantastor/tomcat/conf/server.xml file to add a line containing the keystore password (example: keystorePass="YOURPASSWORD"). Here's an example of what that will look like if you select the password "YOURPASSWORD".

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/opt/osnexus/quantastor/tomcat/conf/keystore"
               keystorePass="YOURPASSWORD"
               clientAuth="false" sslProtocol="TLS" />

New Keystore Generation

To generate a new keystore you'll need to do the following steps.

  • Login to QuantaStor via the console or via SSH then generate a keystore using the keytool utility. It will prompt you to enter a bunch of data including name, company, location, etc. This will produce a new .keystore file in the current directory. Remember to use the default Tomcat 'changeit' password for the keystore unless you plan to edit the /opt/osnexus/quantastor/tomcat/conf/server.xml file to add your custom keystore password.
keytool -genkey -alias tomcat -keyalg RSA -validity 365
  • Next, backup the original keystore file and then overwrite the original with your newly generated keystore file:
cp /opt/osnexus/quantastor/tomcat/conf/keystore ./keystore.qs.conf
cp .keystore /opt/osnexus/quantastor/tomcat/conf/keystore
mv .keystore keystore.custom
  • Finally, restart tomcat services so that the new key is loaded.
service tomcat restart

IMPORTANT NOTE: If you are using Firefox as your browser, you must clear the browser history in order to clear the old cached key information. If you don't clear the history you'll see that the "Confirm Security Exception" button is greyed out and you won't be able to log in to your QuantaStor appliance via https. IE and Chrome do not have this issue.

That's the whole process. Here's an example of what we enter into these fields as OSNEXUS Engineering; you'll want to put your own company name and other details here:

keytool -genkey -alias qs-tomcat -keyalg RSA -validity 365

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  OSNEXUS
What is the name of your organizational unit?
  [Unknown]:  OSNEXUS Engineering
What is the name of your organization?
  [Unknown]:  OSNEXUS, Inc.
What is the name of your City or Locality?
  [Unknown]:  Bellevue
What is the name of your State or Province?
  [Unknown]:  Washington
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=OSNEXUS, OU=OSNEXUS Engineering, O="OSNEXUS, Inc.", L=Bellevue, ST=Washington, C=US correct?
  [no]:  yes

Encryption Support

QuantaStor supports both software and hardware encryption. Software encryption leverages the Linux based LUKS key management system which is hardware independent, supports a broad set of encryption algorithms, and provides flexible configuration options for key location. For hardware based encryption you must use a LSI MegaRAID or equivalent OEM version (IBM, Dell, SuperMicro, etc) hardware RAID controller with the SafeStore license key applied along with one or more enterprise SED SAS drives.

Hardware Encryption

There are three CLI commands for setting up hardware encryption using the 'qs' command line utility. They are 'hw-unit-encrypt', 'hw-controller-create-security-key', and 'hw-controller-change-security-key'. The process for setting up encryption is as follows:

1) Create a hardware RAID unit using the 'Create Unit..' dialog in the QuantaStor web management interface as per your workload requirements (RAID10, RAID6, etc).

2) Go to the console/ssh window and assign a security key to the controller if one is not already set.

    hw-controller-create-security-key [hwc-create-security-key]
      :: Create the security key for encryption on SED/FDE-enabled drives on hardware RAID
         controller.
        <--controller>   :: Name or ID of a hardware RAID controller.
        <--security-key> :: Security key on HW Controller card for encryption on FDE-enabled secure
                            disk drives.

3) Encrypt the hardware RAID unit that you created in step one.

    hw-unit-encrypt [hwu-encrypt]
      :: Enable hardware SED/FDE encryption for the specified hardware RAID unit.
        <--unit>         :: Name of a hardware RAID unit or its unique ID.
        [--options]      :: Special options to hardware encryption policy.

4) Create a new storage pool using the now encrypted RAID unit

Note that your system will be set up so that no pass-phrase is required at boot time. In this mode you're protected against someone taking all the hard drives from your system, but if they can take the entire server and/or RAID controller with the disks then the drives can be decrypted without a password. In general the no pass-phrase option is preferred so that the system can be rebooted without administrative involvement, but it is less secure.

Setting Up Boot Passphrase

As noted above, the hw-controller-create-security-key command will set up the hardware RAID controller so that no pass-phrase is required at boot time. To change the keys so that a pass-phrase is required at boot time you'll need to use the MegaCli CreateSecurityKey command to set a security key for the controller that includes a pass-phrase. Here's a snippet of the LSI documentation on how to create a key.

Syntax: MegaCli -CreateSecurityKey -SecurityKey sssssssssss | [-Passphrase sssssssssss] |[-KeyID kkkkkkkkkkk] -aN

Description:
        Command enables security feature on specified controller.
        The possible parameters are:
        SecurityKey: Security key will be used to generate lock key when drive security is enabled.
        Passphrase: Pass phrase to provide additional security.
        KeyID: Security key Id.

Convention:
          -aN         N specifies the adapter number for the command.
        Note:
        -       Security key is mandatory and pass phrase is optional.
        -       Security key and pass phrase have special requirements.
        Security key & pass phrase should have 8 - 32 chars, case-sensitive; 1 number, 1 lowercase letter, 1 uppercase letter, 1 non-alphanumeric character (no spaces).
       - In case of Unix based systems, if the character '!' is used as one of the input characters in the value of Security key or pass phrase, it must be preceded by a back slash character('\').

A good way to generate a secure passphrase and/or security key is to use the uuidgen tool as follows:

uuidgen | cut -c 25-

This will output a randomly generated string of characters that looks like '6bb45eb7b615'. You can then run the tool like so but be sure to replace the generated text '1dabc3b0d467' and '6bb45eb7b615' with your own unique keys generated by the uuidgen tool:

MegaCli -CreateSecurityKey -SecurityKey 1dabc3b0d467 -Passphrase 6bb45eb7b615 -a0

Be sure to write down both keys someplace safe. The pass-phrase will be needed every time the system boots and the security key will be needed in the event that you need to replace the RAID controller.

Software Encryption

QuantaStor uses the LUKS (Linux Unified Key Setup) system for key management but also comes with tools to greatly simplify the configuration and setup of encryption. Specifically, the qs-util CLI utility comes with a series of additional commands to encrypt disk devices including cryptformat, cryptopen, cryptclose, cryptdestroy, and cryptswap. There's also a devicemap command which will scan for and display a list of devices available on the system.

  Device Encryption Commands
    qs-util cryptformat <device> [keyfile]  : Encrypts the specified device using LUKS format, generates key if needed.
    qs-util cryptopen <device>       : Opens the specified LUKS encrypted device.
    qs-util cryptclose <device>      : Closes the specified LUKS encrypted device.
    qs-util cryptdestroy <device>    : Closes the LUKS device and deletes the keys and header backups.
    qs-util cryptswap <device>       : Enables swap device encryption, updates /etc/fstab and /etc/crypttab.

Summary of Software Encryption Setup Procedure

1. qs-util cryptswap

2. qs-util devicemap

  • Shows a list of the devices on the system

3. qs-util cryptformat <device>

  • Formats the specified device with an encryption header and sets up /etc/crypttab to automatically open the device at boot time

4. Use the Scan for Disks.. command and your encrypted (dm-name-enc-) device(s) will appear in the QuantaStor web management interface.

  • There is a known issue in that you have to log out and log back in to the web interface after you run the Scan for Disks. This will clean up the list of disks.

5. Create a new storage pool using your encrypted device(s)

Note also that if you are using SSD caching, you must also cryptformat your SSD read/write cache devices before using them with an encrypted pool. If you don't, you will be creating a security hole.

Setup: Selecting Drives for Encryption

The first step in setting up software encryption is selecting the drives to be encrypted. Use the 'qs-util devicemap' command and you'll see a list of devices that will look something like this:

/dev/sdj        /dev/disk/by-id/scsi-350000393a8c96130, TOSHIBA, MK1001TRKB, Y1M0A01HFM16
/dev/sdv        /dev/disk/by-id/scsi-350000393a8c960c4, TOSHIBA, MK1001TRKB, Y1M0A011FM16
/dev/sdt        /dev/disk/by-id/scsi-350000393a8c960b4, TOSHIBA, MK1001TRKB, Y1M0A00XFM16
/dev/sdu        /dev/disk/by-id/scsi-350000393a8c960a4, TOSHIBA, MK1001TRKB, Y1M0A00TFM16
/dev/sdr        /dev/disk/by-id/scsi-350000393a8c960bc, TOSHIBA, MK1001TRKB, Y1M0A00ZFM16

Make sure that you are connected to the QuantaStor web management interface so that you can be sure that you're selecting the correct disks. NOTE: You cannot encrypt drives that already have data on them. You must set up encryption on the drives before you create the storage pool on top.

Setup: Formatting Drives with Encryption Header

Use the qs-util cryptformat <device> command to encrypt devices. WARNING: Any data on these drives will be lost as cryptformat will be imprinting the device with an encryption header. For example, to encrypt the devices noted in the previous section, one would run these commands:

qs-util cryptformat /dev/sdj
qs-util cryptformat /dev/sdv
qs-util cryptformat /dev/sdt
qs-util cryptformat /dev/sdu
qs-util cryptformat /dev/sdr

The cryptformat command does several things:

  1. Generates a new key (1MB) for the device using /dev/urandom and stores it in /etc/cryptconf/keys/
  2. Formats (luksFormat) the device with the new encryption header using the generated key (default is AES 256-bit encryption)
  3. Makes a backup of the encryption header and stores it in /etc/cryptconf/headers/
  4. Updates the /etc/crypttab configuration file so that the appliance automatically opens the device at boot time
  5. Opens (luksOpen) the device using the generated key so that you can start using it

Note that even though we've specified the devices by their short names (/dev/sdj), the utility automatically looks up the correct persistent device name with the scsi- prefix so that the encryption driver can locate the correct device even if the device lettering changes after a reboot.

Setup: Custom Key Generation (Optional)

You can use the lower-level cryptsetup commands like 'cryptsetup luksFormat' to prepare and open your devices using your own custom generated keys and decryption script. That is OK, but you must follow the naming convention where devices named /dev/disk/by-id/scsi-* are given the same name with the enc- prefix added. For example, the encrypted target name for device /dev/disk/by-id/scsi-35001517bb282023a must be set to enc-scsi-35001517bb282023a. This is automatically set up for you in the /etc/crypttab file when you use the 'qs-util cryptformat' command. Note also that you don't need to use the /etc/crypttab file to open your devices at boot time. You can have a custom script that is run from /etc/rc.local, or you can have a script that requires a passphrase in order to unlock the keys and open the devices.
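For reference, a /etc/crypttab entry following this naming convention looks roughly like the following (the device ID is one of the examples from the text, and the key path assumes the default qs-util layout):

```
# /etc/crypttab  format: <target name> <source device> <key file> <options>
enc-scsi-35001517bb282023a /dev/disk/by-id/scsi-35001517bb282023a /etc/cryptconf/keys/enc-scsi-35001517bb282023a.key luks
```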

Setup: Backing up your Encryption Keys

You should immediately make a backup of your encryption keys and headers to someplace secure (NOTE: You can use a tool like Filezilla to sftp into the appliance to get the keys from /etc/cryptconf). You can make an encrypted backup of your key files and headers using this command:

tar -cjf - /etc/cryptconf/ | openssl des3 -salt > mykeys.tar.enc

You can then decrypt it later using this command:

cat mykeys.tar.enc | openssl des3 -d -salt | tar -xvjf -

You'll see output that looks like this:

enter des-ede3-cbc decryption password:
etc/cryptconf/
etc/cryptconf/keys/
etc/cryptconf/keys/enc-scsi-350000393a8c960c8.key
etc/cryptconf/keys/enc-scsi-35001517bb282023a.key
etc/cryptconf/keys/enc-scsi-35001517bb2820591.key
etc/cryptconf/headers/
etc/cryptconf/headers/enc-scsi-35001517bb2820591.header
etc/cryptconf/headers/enc-scsi-350000393a8c960c8.header
etc/cryptconf/headers/enc-scsi-35001517bb282023a.header
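Before relying on a backup, it is worth verifying that it round-trips correctly. The sketch below exercises the same tar/openssl pipeline against a throwaway directory instead of /etc/cryptconf, and uses '-pass pass:...' in place of the interactive password prompt purely so the check is reproducible (on a real appliance you would type the password interactively).

```shell
# Round-trip check of the encrypted key backup: create a dummy key,
# back it up, restore it, and compare the restored copy byte-for-byte.
set -e
tmp=$(mktemp -d)
mkdir -p "$tmp/cryptconf/keys"
dd if=/dev/urandom of="$tmp/cryptconf/keys/test.key" bs=1024 count=1 2>/dev/null
tar -C "$tmp" -cjf - cryptconf | openssl des3 -salt -pass pass:demo > "$tmp/mykeys.tar.enc"
mkdir "$tmp/restore"
openssl des3 -d -salt -pass pass:demo < "$tmp/mykeys.tar.enc" | tar -C "$tmp/restore" -xjf -
ok=no
cmp -s "$tmp/cryptconf/keys/test.key" "$tmp/restore/cryptconf/keys/test.key" && ok=yes
echo "key backup round-trip: $ok"
rm -rf "$tmp"
```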

Setup: Securing your Encryption Keys

The qs-util cryptformat command places your keys on the appliance boot/system drive in /etc/cryptconf. On most systems this is a vulnerable place to keep the keys, as the boot drives can be removed from most servers along with the data drives. If the boot devices have physical locks on them so that the devices containing the keys cannot be stolen, or if the boot devices are on the interior of the storage appliance chassis where they cannot be easily removed or accessed, then that may be sufficient for your needs. That said, in most cases you'll want to copy the generated keys somewhere safer and shred the local copies. Some strategies you might use include:

  • Connect a small capacity USB stick/media to the inside of the server and have the /etc/fstab setup to mount the device to /etc/cryptconf. Now when you cryptformat devices the keys are stored on removable media which cannot be taken from the server without physical access to open the chassis to take out the USB device.
  • Connect a small capacity USB stick/media to the outside of the server and have the /etc/fstab setup to mount the device to /etc/cryptconf. Now when you cryptformat devices the keys are stored on removable media which you can remove from the appliance after it has been booted and the devices have been opened.
  • Copy the keys to a Key Server and have the appliance reference the keys via a custom script which calls 'cryptsetup luksOpen'. The process for setting this up will depend on your key server software, etc.
  • Put the keys on a secure NFS/CIFS share which is only accessible to the appliance and which is mounted to /etc/cryptconf automatically at boot time. In the event that the hardware is stolen, the keys are not in the appliance so the data cannot be accessed/decrypted.
  • After the system starts, manually run a script that decrypts your key backup (mykeys.tar.enc) using a pass-phrase and places the keys into /tmp. The script should then use cryptsetup luksOpen to open each device using the decrypted keys and then automatically delete the decrypted keys from /tmp. Finally, run 'qs pool-start poolname' to start the encrypted storage pool and expose access to the encrypted resources.

Whatever strategy you choose to secure the keys, you'll want to make sure you have backup copies and you'll want to be sure to adjust the /etc/crypttab file accordingly if you change the location of the keys. The /etc/crypttab is configured automatically when you use the 'qs-util cryptformat <device>' command and it'll look something like this:

# <target name> <source device>         <key file>      <options>
enc-scsi-35001517bb282023a      /dev/disk/by-id/scsi-35001517bb282023a  /etc/cryptconf/keys/enc-scsi-35001517bb282023a.key      luks
enc-scsi-35001517bb2820591      /dev/disk/by-id/scsi-35001517bb2820591  /etc/cryptconf/keys/enc-scsi-35001517bb2820591.key      luks
swap    /dev/disk/by-id/scsi-SATA_ST32000641AS_9WM288LS-part5   /dev/urandom    swap,cipher=aes-cbc-essiv:sha256,size=256
If you have copied the keys to a new location such as /mykeys you'll need to update the paths in /etc/crypttab, replacing /etc/cryptconf/keys/ with /mykeys/. Note also that you'll want to shred the old keys after you have copied them to the new location and made backups. You can do that securely with the shred command like so:

shred -u /etc/cryptconf/keys/enc-scsi-35001517bb282023a.key

The -u option overwrites the key and then deletes the file, ensuring there are no remnants of the old key left on the boot drive.
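The crypttab path update is a single substitution. The sketch below performs it on a temporary copy so it is safe to try; on a real appliance you would run the same sed command (as root) against /etc/crypttab itself, after confirming the key files exist at the new location.

```shell
# Rewrite key-file paths in a crypttab-style file after moving keys to /mykeys.
# A sample entry is inlined here; the new path is the hypothetical one from above.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
enc-scsi-35001517bb282023a  /dev/disk/by-id/scsi-35001517bb282023a  /etc/cryptconf/keys/enc-scsi-35001517bb282023a.key  luks
EOF
sed -i 's|/etc/cryptconf/keys/|/mykeys/|g' "$tmp"
updated=$(cat "$tmp")
echo "$updated"
rm -f "$tmp"
```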

Setup: Swap Device Encryption

QuantaStor appliances use swap devices which can temporarily contain a cache of unencrypted data that was in memory. This is a security risk which is easily resolved by encrypting your swap device like so:

qs-util cryptswap

This command updates /etc/fstab and /etc/crypttab so that the system will have an encrypted swap device after the next reboot. Note that a new random key is generated every time the system boots.

NOTE: You will see an entry in the /etc/crypttab that looks like this:
swap    /dev/disk/by-id/scsi-SATA_ST32000641AS_9WM288LS-part5   /dev/urandom    swap,cipher=aes-cbc-essiv:sha256,size=256
You will also see an updated entry in the /etc/fstab for your swap device that looks like this:
/dev/mapper/swap swap swap defaults 0 0

Setup: Scan for Devices & Create Storage Pool(s)

At this point your encrypted devices are all setup. If you have restarted the system then you'll see new devices in the Physical Disks section of the web management interface with device names prefixed with 'dm-name-enc-'. These are your encrypted devices you can now create a storage pool from. If you haven't rebooted after completing the above steps you can find your new encryption formatted devices by using the 'Scan for Disks..' command in the web management interface. You can access this by right-clicking on the Physical Disks section header.

Setup: Verifying Encrypted Storage Pool(s)

After you have created your encrypted storage pool(s) it is recommended that you reboot to make sure that the swap device is encrypted and that your storage pools have come back online automatically. You can check the swap device by running the swapon command like so:

swapon -s

The output of which should look like this with the path to the swap device under /dev/mapper/swap:

Filename                                Type            Size    Used    Priority
/dev/mapper/swap                        partition       6281212 0       -1

Next, look at the encrypted storage pool in the web interface: all of the devices for your pool should start with the dm-name-enc- prefix. If the pool is offline, try starting it using 'Start Pool..'. For the pool to start, the encrypted devices must already have been opened per the naming convention noted above.

Internal SAS Device Multi-path Configuration

If your appliance is dual-path connected to a SAS JBOD or has an internal SAS expander with SAS disks you have the option of setting up multiple paths to the SAS devices for redundancy and in some cases improved performance. If you are not familiar with ZFS or using the Linux shell utilities we strongly recommend getting help with these steps from customer support.

Multi-path Configuration with RAID Controllers

If you are using a RAID controller it will internally manage the multiple paths to the device automatically so there is no additional configuration required except to make sure that you have two cables connecting the controller to the SAS expander.

Multi-path Configuration with HBAs

For appliances with SAS HBAs there are some additional steps required to setup the QuantaStor appliance for multipath access. Specifically, you must add entries to the /etc/multipath.conf file then restart the multipath services.

Configuring the /etc/multipath.conf File

QuantaStor, being Linux-based, uses the DMMP (Device Mapper Multi-Path) driver to manage multipathing. The multipath service can be restarted at any time from the command line using 'service multipath-tools restart'. The service is configured via /etc/multipath.conf, which contains a set of rules indicating which devices (identified by Vendor / Model) should be managed by the multipath service and which should be ignored. The base configuration is set up so that no multipath management is done for SAS devices, as this is the most common and simplest configuration mode. To enable multipath management you must add a section to the 'blacklist_exceptions' area of the file indicating the vendor and model of your SAS devices. The vendor/model information for your SAS devices can be found using the command 'grep Vendor /proc/scsi/scsi'. To summarize:

  • grep Vendor /proc/scsi/scsi
    • Returns the vendor / model information for your SAS devices
  • nano /etc/multipath.conf
    • Add a section to the blacklist_exceptions area for your SAS device, example (note the use of a wildcard '*') :
   device {
           vendor "SEAGATE"
           model "ST33000*"
   }
  • service multipath-tools restart
    • Restarts the multipath service
  • multipath -ll
    • Shows your devices with multiple paths to them
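The vendor/model lookup from step one can be scripted. This sketch inlines sample '/proc/scsi/scsi' output so the parsing is reproducible; on the appliance you would pipe the real file instead, and the SEAGATE model shown is only an example matching the wildcard above.

```shell
# Extract the vendor/model pair needed for the blacklist_exceptions entry
# from /proc/scsi/scsi style output (sample data inlined for illustration).
scsi_sample='Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: SEAGATE  Model: ST33000650SS     Rev: 0002
  Type:   Direct-Access                    ANSI  SCSI revision: 06'
pair=$(printf '%s\n' "$scsi_sample" | awk '/Vendor/ {print $2, $4}')
echo "$pair"
```

On a live system the equivalent is `awk '/Vendor/ {print $2, $4}' /proc/scsi/scsi`, which lists one vendor/model pair per attached SCSI device.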

Pool Configuration

Once all of the above is done you'll need to go into the QuantaStor web management interface and choose 'Scan for Disks' to make the new device-mapper paths appear. If you have already created a storage pool using standard paths rather than the /dev/mapper/mpath* paths, you'll need to run a zpool export/import operation to re-import the pool using the device-mapper paths. To do this, first do a 'Stop Storage Pool', then at the command line / console run these commands:

  • zpool export qs-POOLID
  • zpool import -d /dev/mapper qs-POOLID

Note that you must replace qs-POOLID with the actual ID of the storage pool. You can also get this ID by running the 'zpool status' command.

Troubleshooting Multipath Configurations

  • Only Single Path
    • If you only see one path to your device but the multipath driver is recognizing your device by displaying it in the output of 'multipath -ll' then you may have a cabling problem that is only providing the appliance with a single path to the device.
  • No Paths Appear
    • If you don't see any devices in the output of 'multipath -ll' then there's probably something wrong with the device entry you added to the blacklist_exceptions section of multipath.conf for your particular vendor/model of SAS device. Double-check the output from 'cat /proc/scsi/scsi' to make sure that you have a correct rule added to the multipath.conf file.

Samba v4 / SMB3 Support

QuantaStor versions 3.8.2 and newer have support for Samba v4 but an additional configuration step is required to upgrade your system from the default Samba server (Samba v3.6.3) to Samba v4. The command you need to run as root at the console/SSH is:

sudo samba4-install

It will ask you a few questions about your Active Directory configuration. Your answers might look similar to these (note you must use the default 'dc' mode, we do not yet support the other modes). Note also that you must provide a strong password for the domain 'Administrator password' or the script will fail and you'll need to retry using the procedure outlined below.

Realm [UNASSIGNED-DOMAIN]: osnexus.net
 Domain [osnexus]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.1]: none
Administrator password:
Retype password:


If you make a mistake and need to reconfigure the AD settings, just re-run the installer and it will prompt you again for them. In some cases you will have to uninstall samba4, clean up the remnants of the failed install, and then try again like so:

sudo -i
apt-get remove samba4
rm -rf /opt/samba4
samba4-install

As of 12/19/2013 we only support the default 'dc' mode and have not yet completed testing of the other modes, namely 'standalone' and 'member'. After the installation completes you can run these commands to verify that the samba4 services are running:

service samba4 status
smbstatus -V

Starting in QuantaStor v3.9 the samba4-install script turns off the enforcement of strong passwords, but you can manually adjust this to meet your company's security requirements by running the command below. For strong passwords you'd want a minimum password length of 10 with the complexity requirement turned 'on' rather than 'off'. Note also that any existing 'local' user accounts will need to have their passwords re-applied when you upgrade to Samba4; this does not apply to AD accounts. If strong passwords are enabled and a given user has a non-compliant password left over from a prior configuration, their login will be blocked when they attempt to access the share from their Windows host.

samba-tool domain passwordsettings set --min-pwd-length=1 --complexity=off

If you have any questions please feel free to contact us at support (at) osnexus.com or via the Community Support Forum.