Saturday, November 7, 2009

Restrict snapmirror access by host and volume on NetApp

Recently one of my fellow NetApp admin friend asked me a very general question,

“How do you restrict your data to be copied through snapmirror?”

As like any other normal NetApp guy my answer was also same old vanilla type.

“Go to snapmirror.allow file and put the host name if your have set snapmirror.access to legacy or you can directly put hostname in host=host1,host2 format in snapmirror.access option.”

But he wanted more granular level of permission, so my another answer was,

“You can also use snapmirror.checkip.enable so any system reporting same hostname will not be able to access data.”

But even on that he wasn’t happy and was asking if there is any other way so he can restrict snapmirror access on volume basis. At this point I said “No, NetApp doesn’t provide this level of granular access.”

So the topic stopped there, but this question was there in my mind and always hunted me why there isn’t any such way.

Fast forward Past week when I had some extra time in my hand I started searching on net for this and fortunate enough I got a way on NOW site to get this work.

It was recorded under Bugs section with Bug ID # 80611 Which reads as.

“There is an unsupported undocumented feature of the /etc/snapmirror.allow file, such that if it is filled as follows:
    hostA:vol1
    hostA:vol29
    hostB:/vol/vol0/q42
    hostC
and "options snapmirror.access legacy" is issued, then the desired access policy will be implemented. Again note that this is unsupported and undocumented so use at your own risk.”

Yes, though NetApp says that there is a way to do that but they also say well sometimes it may break other functionality or may not work as expected.

Finding this I sent the details to my friend but unfortunately he don’t want to give it a try on his production systems and test systems are not available with him.

So if anyone of you want to try it or have tried it before please put your experience in comments field.

4 comments:

Anonymous said...

Are you familiar with the Netapp Data OnTap simulator? It's free and you may be able to use fir this kind of testing. You can get it here: http://now.netapp.com/NOW/cgi-bin/simulator

Lovik said...

yeah I am familiar with simulator but hardly I get enough time to play with, so when it comes for deployment or new setup then I use real filers to test these things because it's not always possible to replicate your environment and you get different results in some cases on simulator specially when it comes to real life scenario... :)

Anonymous said...

Tested on test systems and worked perfectly. OnTap 7.3.1.1P1. Errors were exactly as expected in /etc/messages and /etc/log/snapmirror, as well as returned from the Initialize command.

Also tested two lines in /etc/snapmirror.allow with the same Destination filer but two different volumes, and both work.

Thanks for finding that Burt!

Mohit said...

Thanks mate :)