Isilon

OneFS
Version 7.2.0

CLI Administration Guide

Copyright 2013-2015 EMC Corporation. All rights reserved. Published in USA.

Published July, 2015
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with
respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a
particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable
software license.
EMC, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other
countries. All other trademarks used herein are the property of their respective owners.
For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).
EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Chapter 1

Introduction to this guide

25

About this guide............................................................................................26

Isilon scale-out NAS overview........................................................................26
Where to go for support.................................................................................26

Chapter 2

Isilon scale-out NAS

27

OneFS storage architecture........................................................................... 28

Isilon node components................................................................................28
Internal and external networks...................................................................... 29
Isilon cluster................................................................................................. 29
Cluster administration......................................................................29
Quorum............................................................................................29
Splitting and merging.......................................................................30
Storage pools...................................................................................31
IP address pools.............................................................................. 31
The OneFS operating system......................................................................... 31
Data-access protocols......................................................................32
Identity management and access control......................................... 32
Structure of the file system............................................................................33
Data layout...................................................................................... 33
Writing files......................................................................................34
Reading files.................................................................................... 34
Metadata layout...............................................................................34
Locks and concurrency.....................................................................35
Striping............................................................................................ 35
Data protection overview...............................................................................35
N+M data protection........................................................................ 36
Data mirroring.................................................................................. 37
The file system journal..................................................................... 37
Virtual hot spare.............................................................................. 37
Balancing protection with storage space.......................................... 37
VMware integration....................................................................................... 37
Software modules......................................................................................... 38

Chapter 3

Introduction to the OneFS command-line interface

39

OneFS command-line interface overview....................................................... 40

Syntax diagrams........................................................................................... 40
Universal options.......................................................................................... 41
Command-line interface privileges................................................................ 41
SmartLock compliance command permissions.............................................. 45
OneFS time values.........................................................................................48

Chapter 4

General cluster administration

49

General cluster administration overview........................................................50

User interfaces.............................................................................................. 50
Connecting to the cluster...............................................................................51
Log in to the web administration interface........................................51
OneFS 7.2.0 CLI Administration Guide

CONTENTS

Open an SSH connection to a cluster................................................51

Licensing.......................................................................................................51
License status..................................................................................52
License configuration....................................................................... 54
Activate a license through the command-line interface.....................55
View license information.................................................................. 55
Unconfigure a license.......................................................................55
Certificates....................................................................................................56
Replace or renew the SSL certificate................................................. 56
Verify an SSL certificate update........................................................ 57
Self-signed SSL certificate data example.......................................... 58
Cluster identity..............................................................................................58
Set the cluster name ....................................................................... 58
Cluster contact information........................................................................... 59
Specify contact information .............................................................59
Cluster date and time.................................................................................... 60
Set the cluster date and time........................................................... 60
Specify an NTP time server............................................................... 61
SMTP email settings...................................................................................... 61
Configure SMTP email settings ........................................................ 61
View SMTP email settings.................................................................62
Configuring the cluster join mode..................................................................62
Specify the cluster join mode .......................................................... 62
File system settings.......................................................................................63
Specify the cluster character encoding............................................. 63
Enable or disable access time tracking ............................................ 64
Cluster monitoring.........................................................................................64
Monitor the cluster...........................................................................65
View node status............................................................................. 65
Monitoring cluster hardware..........................................................................65
View node hardware status.............................................................. 65
Chassis and drive states.................................................................. 65
Check battery status........................................................................ 68
SNMP monitoring............................................................................. 68
Events and notifications................................................................................ 72
Coalesced events............................................................................. 72
Viewing event information................................................................74
Responding to events.......................................................................76
Managing event notification settings................................................78
Managing event notification rules.................................................... 80
Cluster maintenance..................................................................................... 82
Replacing node components............................................................ 82
Upgrading node components........................................................... 82
Managing drive firmware..................................................................82
Managing cluster nodes................................................................... 87
Upgrading OneFS............................................................................. 89
Remote support.............................................................................................90
Remote support using SupportIQ..................................................... 90
Remote support using ESRS Gateway............................................... 93
Cluster administration commands.................................................................95
isi config.......................................................................................... 96
isi email......................................................................................... 100
isi email list................................................................................... 101
isi exttools..................................................................................... 101
isi license activate......................................................................... 101
isi license status............................................................................ 101
4

OneFS 7.2.0 CLI Administration Guide

CONTENTS

isi license unconfigure................................................................... 102

isi perfstat......................................................................................102
isi pkg create................................................................................. 102
isi pkg delete................................................................................. 102
isi pkg info..................................................................................... 103
isi pkg install................................................................................. 103
isi remotesupport connectemc modify............................................104
isi remotesupport connectemc view............................................... 105
isi services..................................................................................... 105
isi set.............................................................................................106
isi snmp.........................................................................................109
isi snmp list................................................................................... 110
isi statistics client.......................................................................... 110
isi statistics describe..................................................................... 116
isi statistics drive........................................................................... 116
isi statistics heat............................................................................118
isi statistics history........................................................................ 121
isi statistics list all......................................................................... 123
isi statistics list classes..................................................................124
isi statistics list events...................................................................124
isi statistics list nodes................................................................... 125
isi statistics list nooutput...............................................................125
isi statistics list operations............................................................ 126
isi statistics list orderby................................................................. 126
isi statistics list output...................................................................127
isi statistics list protocols.............................................................. 127
isi statistics list stats..................................................................... 128
isi statistics list totalby.................................................................. 128
isi statistics protocol......................................................................129
isi statistics pstat...........................................................................134
isi statistics query.......................................................................... 136
isi statistics system........................................................................137
isi status........................................................................................ 139
isi update.......................................................................................139
isi version...................................................................................... 140
isi_for_array...................................................................................141
isi get.............................................................................................143
isi_gather_info...............................................................................144
Event commands.........................................................................................149
isi events cancel............................................................................ 149
isi events list..................................................................................149
isi events notifications create.........................................................151
isi events notifications modify........................................................152
isi events notifications delete........................................................ 154
isi events notifications list............................................................. 154
isi events quiet.............................................................................. 154
isi events sendtest......................................................................... 154
isi events settings list.................................................................... 155
isi events settings set.....................................................................155
isi events show.............................................................................. 155
isi events unquiet.......................................................................... 156
Hardware commands.................................................................................. 156
isi batterystatus............................................................................. 156
isi devices......................................................................................157
isi servicelight status..................................................................... 158
isi servicelight off...........................................................................158
OneFS 7.2.0 CLI Administration Guide

CONTENTS

isi servicelight on........................................................................... 159

isi drivefirmware status.................................................................. 159
isi firmware package...................................................................... 160
isi firmware status..........................................................................160
isi firmware update........................................................................ 162
isi readonly off............................................................................... 163
isi readonly on............................................................................... 164
isi readonly show........................................................................... 165

Chapter 5

Access zones

167

Access zones overview ............................................................................... 168

Access zone base directory rules.................................................................168
Access zones best practices........................................................................169
Access zone limits.......................................................................................169
Quality of service........................................................................................ 170
Managing access zones.............................................................................. 170
Create an access zone....................................................................170
Associate an IP address pool with an access zone..........................171
Modify an access zone................................................................... 171
Add an authentication provider to an access zone..........................171
Remove an authentication provider from an access zone............... 172
Delete an access zone....................................................................172
Access zone commands.............................................................................. 172
isi zone restrictions create............................................................. 172
isi zone restrictions delete............................................................. 173
isi zone restrictions list.................................................................. 174
isi zone zones create......................................................................174
isi zone zones delete..................................................................... 177
isi zone zones list.......................................................................... 177
isi zone zones modify.....................................................................178
isi zone zones view........................................................................ 184

Chapter 6

Authentication and access control

185

Authentication and access control overview................................................ 186

Role-based access...................................................................................... 186
Roles and privileges.......................................................................186
Data backup and restore privileges................................................ 197
User permissions utility..................................................................198
Authentication............................................................................................ 198
Supported authentication providers...............................................198
Authentication provider features.................................................... 199
Kerberos authentication.................................................................199
LDAP.............................................................................................. 200
Active Directory.............................................................................. 200
NIS.................................................................................................201
File provider................................................................................... 201
Local provider................................................................................ 202
Data access control..................................................................................... 202
Authorization.............................................................................................. 202
SMB...............................................................................................203
NFS................................................................................................ 203
Mixed-permission environments.................................................... 204
Managing roles........................................................................................... 205
View roles...................................................................................... 205
6

OneFS 7.2.0 CLI Administration Guide

CONTENTS

View privileges...............................................................................205
Create and modify a custom role.................................................... 206
Delete a custom role...................................................................... 206
Managing authentication providers............................................................. 206
Managing LDAP providers.............................................................. 207
Managing Active Directory providers.............................................. 208
Managing NIS providers................................................................. 209
Managing file providers..................................................................210
Managing local users and groups...................................................214
Managing MIT Kerberos authentication.......................................... 218
Managing access permissions.....................................................................225
View expected user permissions.................................................... 226
Configure access management settings......................................... 227
Modify ACL policy settings..............................................................227
Update cluster permissions............................................................227
Authentication and access control commands............................................ 228
isi auth access............................................................................... 228
isi auth ads create..........................................................................229
isi auth ads delete......................................................................... 232
isi auth ads list.............................................................................. 233
isi auth ads modify.........................................................................234
isi auth ads spn check................................................................... 237
isi auth ads spn create................................................................... 238
isi auth ads spn delete...................................................................238
isi auth ads spn list........................................................................239
isi auth ads trusts controllers list................................................... 240
isi auth ads trusts list.....................................................................240
isi auth ads trusts view.................................................................. 241
isi auth ads view............................................................................ 241
isi auth error.................................................................................. 241
isi auth file create.......................................................................... 242
isi auth file delete.......................................................................... 245
isi auth file list............................................................................... 245
isi auth file modify......................................................................... 246
isi auth file view............................................................................. 252
isi auth groups create.................................................................... 253
isi auth groups delete.................................................................... 254
isi auth groups flush...................................................................... 254
isi auth groups list......................................................................... 255
isi auth groups modify................................................................... 255
isi auth groups members list.......................................................... 257
isi auth groups view....................................................................... 258
isi auth id.......................................................................................258
isi auth krb5 realm create...............................................................258
isi auth krb5 realm delete.............................................................. 259
isi auth krb5 realm modify............................................................. 259
isi auth krb5 realm list................................................................... 260
isi auth krb5 realm view................................................................. 260
isi auth krb5 create........................................................................ 260
isi auth krb5 delete........................................................................ 261
isi auth krb5 list............................................................................. 261
isi auth krb5 view...........................................................................262
isi auth krb5 domain create........................................................... 262
isi auth krb5 domain delete........................................................... 262
isi auth krb5 domain modify.......................................................... 263
isi auth krb5 domain list................................................................ 263
OneFS 7.2.0 CLI Administration Guide

CONTENTS

isi auth krb5 domain view.............................................................. 263

isi auth krb5 spn create..................................................................264
isi auth krb5 spn delete................................................................. 264
isi auth krb5 spn check.................................................................. 264
isi auth krb5 spn fix....................................................................... 265
isi auth krb5 spn import................................................................. 265
isi auth krb5 spn list...................................................................... 265
isi auth settings krb5 modify.......................................................... 266
isi auth settings krb5 view............................................................. 266
isi auth ldap create........................................................................ 266
isi auth ldap delete........................................................................ 273
isi auth ldap list............................................................................. 274
isi auth ldap modify....................................................................... 274
isi auth ldap view...........................................................................284
isi auth local list.............................................................................284
isi auth local view.......................................................................... 284
isi auth local modify.......................................................................285
isi auth log-level............................................................................ 286
isi auth mapping delete................................................................. 287
isi auth mapping dump.................................................................. 288
isi auth mapping flush................................................................... 289
isi auth mapping idrange............................................................... 289
isi auth mapping import................................................................. 291
isi auth mapping view.................................................................... 291
isi auth mapping modify................................................................ 292
isi auth mapping create..................................................................293
isi auth mapping token.................................................................. 294
isi auth netgroups list.................................................................... 294
isi auth nis create...........................................................................295
isi auth nis delete.......................................................................... 298
isi auth nis list............................................................................... 298
isi auth nis modify..........................................................................299
isi auth nis view............................................................................. 304
isi auth privileges...........................................................................304
isi auth refresh...............................................................................305
isi auth roles create........................................................................305
isi auth roles delete....................................................................... 305
isi auth roles list............................................................................ 306
isi auth roles members list............................................................. 306
isi auth roles modify.......................................................................307
isi auth roles privileges list.............................................................309
isi auth roles view.......................................................................... 309
isi auth settings global modify....................................................... 310
isi auth settings global view........................................................... 312
isi auth status................................................................................ 312
isi auth users create.......................................................................313
isi auth users delete.......................................................................315
isi auth users flush.........................................................................315
isi auth users list............................................................................316
isi auth users modify......................................................................317
isi auth users view......................................................................... 319

Chapter 7

Identity management

321

Identity management overview....................................................................322

Identity types.............................................................................................. 322
8

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Access tokens............................................................................................. 323

Access token generation............................................................................. 324
ID mapping.................................................................................... 324
User mapping................................................................................ 326
On-disk identity............................................................................. 328
Managing ID mappings............................................................................... 329
Create an identity mapping............................................................ 329
Modify an identity mapping............................................................330
Delete an identity mapping............................................................ 330
View an identity mapping...............................................................330
Flush the identity mapping cache...................................................331
View a user token...........................................................................331
Configure identity mapping settings...............................................332
View identity mapping settings...................................................... 332
Managing user identities.............................................................................332
View user identity.......................................................................... 333
Create a user-mapping rule............................................................ 334
Merge Windows and UNIX tokens................................................... 335
Retrieve the primary group from LDAP............................................ 335
Mapping rule options..................................................................... 336
Mapping rule operators..................................................................337

Chapter 8

Auditing

339

Auditing overview........................................................................................340
Syslog......................................................................................................... 340
Enable syslog.................................................................................340
Syslog forwarding.......................................................................... 341
Protocol audit events.................................................................................. 341
Sample config audit log................................................................. 342
Supported event types................................................................................ 343
Supported audit tools................................................................................. 343
Managing audit settings..............................................................................344
Enable system configuration auditing............................................ 344
Enable protocol access auditing.....................................................345
Auditing settings............................................................................346
Integrating with the EMC Common Event Enabler.........................................347
Install CEE for Windows..................................................................347
Configure CEE for Windows............................................................ 348
Auditing commands.................................................................................... 349
isi audit settings modify.................................................................349
isi audit settings view.................................................................... 351
isi audit topics list..........................................................................352
isi audit topics modify....................................................................352
isi audit topics view....................................................................... 353

Chapter 9

File sharing

355

File sharing overview...................................................................................356

Mixed protocol environments.........................................................356
Write caching with SmartCache...................................................... 357
SMB............................................................................................................ 358
SMB shares in access zones.......................................................... 359
SMB Multichannel..........................................................................359
SMB share management through MMC.......................................... 361
Symbolic links and SMB clients......................................................361
OneFS 7.2.0 CLI Administration Guide

CONTENTS

Anonymous access to SMB shares................................................. 363

Managing SMB settings................................................................. 363
Managing SMB shares................................................................... 365
SMB commands.............................................................................371
NFS............................................................................................................. 395
NFS exports....................................................................................395
NFS aliases.................................................................................... 395
NFS log files................................................................................... 396
Managing the NFS service.............................................................. 396
Managing NFS exports................................................................... 397
Managing NFS aliases.................................................................... 400
NFS commands.............................................................................. 403
FTP.............................................................................................................. 444
View FTP settings........................................................................... 444
Enable FTP file sharing................................................................... 444
Configure FTP file sharing............................................................... 445
FTP commands...............................................................................445
HTTP and HTTPS.......................................................................................... 460
Enable and configure HTTP.............................................................460

Chapter 10

Home directories

463

Home directories overview.......................................................................... 464

Home directory permissions........................................................................464
Authenticating SMB users........................................................................... 464
Home directory creation through SMB......................................................... 464
Create home directories with expansion variables..........................465
Create home directories with the --inheritable-path-acl option....... 466
Create special home directories with the SMB share %U variable...467
Home directory creation through SSH and FTP............................................. 468
Set the SSH or FTP login shell ........................................................ 468
Set SSH/FTP home directory permissions....................................... 468
Set SSH/FTP home directory creation options.................................469
Provision home directories with dot files........................................470
Home directory creation in a mixed environment......................................... 471
Interactions between ACLs and mode bits................................................... 471
Default home directory settings in authentication providers........................ 471
Supported expansion variables................................................................... 472
Domain variables in home directory provisioning........................................ 474

Chapter 11

Snapshots

475

Snapshots overview.................................................................................... 476

Data protection with SnapshotIQ.................................................................476
Snapshot disk-space usage........................................................................ 476
Snapshot schedules....................................................................................477
Snapshot aliases........................................................................................ 477
File and directory restoration.......................................................................477
Best practices for creating snapshots..........................................................478
Best practices for creating snapshot schedules........................................... 478
File clones...................................................................................................479
Shadow-store considerations.........................................................480
Snapshot locks........................................................................................... 480
Snapshot reserve........................................................................................ 481
SnapshotIQ license functionality.................................................................481
Creating snapshots with SnapshotIQ...........................................................481
10

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Create a SnapRevert domain.......................................................... 482

Create a snapshot schedule........................................................... 482
Create a snapshot.......................................................................... 482
Snapshot naming patterns............................................................. 483
Managing snapshots .................................................................................. 485
Reducing snapshot disk-space usage............................................ 485
Delete a snapshot.......................................................................... 486
Modify snapshot attributes............................................................ 486
Modify a snapshot alias ................................................................ 486
View snapshots..............................................................................487
Snapshot information.................................................................... 487
Restoring snapshot data............................................................................. 488
Revert a snapshot ......................................................................... 488
Restore a file or directory using Windows Explorer..........................488
Restore a file or directory through a UNIX command line.................489
Clone a file from a snapshot...........................................................489
Managing snapshot schedules....................................................................490
Modify a snapshot schedule ......................................................... 490
Delete a snapshot schedule .......................................................... 490
View snapshot schedules ..............................................................490
Managing snapshot aliases.........................................................................491
Configure a snapshot alias for a snapshot schedule.......................491
Assign a snapshot alias to a snapshot........................................... 491
Reassign a snapshot alias to the live file system............................ 492
View snapshot aliases................................................................... 492
Snapshot alias information............................................................ 492
Managing with snapshot locks.................................................................... 493
Create a snapshot lock...................................................................493
Modify a snapshot lock expiration date..........................................493
Delete a snapshot lock...................................................................494
Snapshot lock information............................................................. 494
Configure SnapshotIQ settings ................................................................... 494
SnapshotIQ settings ......................................................................495
Set the snapshot reserve.............................................................................496
Snapshot commands.................................................................................. 496
Snapshot naming patterns............................................................. 496
isi snapshot schedules create........................................................ 499
isi snapshot schedules modify....................................................... 500
isi snapshot schedules delete........................................................502
isi snapshot schedules list.............................................................502
isi snapshot schedules view.......................................................... 504
isi snapshot schedules pending list............................................... 504
isi snapshot snapshots create........................................................505
isi snapshot snapshots modify.......................................................506
isi snapshot snapshots delete....................................................... 507
isi snapshot snapshots list............................................................ 507
isi snapshot snapshots view.......................................................... 509
isi snapshot settings modify.......................................................... 509
isi snapshot settings view.............................................................. 511
isi snapshot locks create................................................................511
isi snapshot locks modify...............................................................512
isi snapshot locks delete............................................................... 513
isi snapshot locks list.................................................................... 514
isi snapshot locks view.................................................................. 515
isi snapshot aliases create.............................................................515
isi snapshot aliases modify............................................................515
OneFS 7.2.0 CLI Administration Guide

11

CONTENTS

isi snapshot aliases delete.............................................................516

isi snapshot aliases list..................................................................516
isi snapshot aliases view............................................................... 517

Chapter 12

Deduplication with SmartDedupe

519

Deduplication overview...............................................................................520
Deduplication jobs......................................................................................520
Data replication and backup with deduplication..........................................521
Snapshots with deduplication.....................................................................521
Deduplication considerations......................................................................521
Shadow-store considerations......................................................................522
SmartDedupe license functionality..............................................................522
Managing deduplication............................................................................. 522
Assess deduplication space savings ............................................. 523
Specify deduplication settings ...................................................... 523
View deduplication space savings .................................................524
View a deduplication report ...........................................................524
Deduplication job report information............................................. 524
Deduplication information............................................................. 525
Deduplication commands........................................................................... 526
isi dedupe settings modify............................................................. 526
isi dedupe settings view.................................................................527
isi dedupe stats............................................................................. 527
isi dedupe reports list.................................................................... 528
isi dedupe reports view ................................................................. 529

Chapter 13

Data replication with SyncIQ

531

SyncIQ backup and recovery overview......................................................... 532

Replication policies and jobs...................................................................... 532
Automated replication policies.......................................................533
Source and target cluster association.............................................533
Full and differential replication.......................................................534
Controlling replication job resource consumption.......................... 534
Replication reports.........................................................................535
Replication snapshots.................................................................................535
Source cluster snapshots............................................................... 535
Target cluster snapshots................................................................ 536
Data failover and failback with SyncIQ.........................................................536
Data failover.................................................................................. 537
Data failback..................................................................................537
Recovery times and objectives for SyncIQ....................................................537
SyncIQ license functionality........................................................................ 538
Creating replication policies........................................................................ 538
Excluding directories in replication.................................................538
Excluding files in replication.......................................................... 539
File criteria options........................................................................ 540
Configure default replication policy settings ..................................542
Create a replication policy..............................................................542
Create a SyncIQ domain................................................................. 543
Assess a replication policy ............................................................ 543
Managing replication to remote clusters......................................................543
Start a replication job.....................................................................544
Pause a replication job ..................................................................544
Resume a replication job ...............................................................544
12

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Cancel a replication job .................................................................544

View active replication jobs ...........................................................545
Replication job information ........................................................... 545
Initiating data failover and failback with SyncIQ.......................................... 545
Fail over data to a secondary cluster ..............................................546
Revert a failover operation............................................................. 546
Fail back data to a primary cluster ................................................. 547
Performing disaster recovery for SmartLock directories................................547
Recover SmartLock directories on a target cluster ..........................547
Migrate SmartLock directories ....................................................... 548
Managing replication policies..................................................................... 550
Modify a replication policy ............................................................ 550
Delete a replication policy ............................................................. 550
Enable or disable a replication policy ............................................ 551
View replication policies ............................................................... 551
Replication policy information .......................................................552
Managing replication to the local cluster..................................................... 552
Cancel replication to the local cluster ............................................ 553
Break local target association ....................................................... 553
View replication policies targeting the local cluster........................ 553
Remote replication policy information ........................................... 554
Managing replication performance rules..................................................... 554
Create a network traffic rule ...........................................................554
Create a file operations rule .......................................................... 554
Modify a performance rule .............................................................555
Delete a performance rule ............................................................. 555
Enable or disable a performance rule ............................................ 555
View performance rules .................................................................556
Managing replication reports.......................................................................556
Configure default replication report settings ..................................556
Delete replication reports...............................................................556
View replication reports ................................................................ 557
Replication report information........................................................558
Managing failed replication jobs................................................................. 559
Resolve a replication policy ........................................................... 559
Reset a replication policy .............................................................. 559
Perform a full or differential replication.......................................... 560
Managing changelists................................................................................. 560
Create a changelist........................................................................ 561
View a changelist........................................................................... 561
Changelist information...................................................................562
Data replication commands.........................................................................564
isi sync policies create................................................................... 564
isi sync policies modify.................................................................. 572
isi sync policies delete................................................................... 580
isi sync policies list........................................................................ 581
isi sync policies view......................................................................583
isi sync policies disable................................................................. 584
isi sync policies enable.................................................................. 584
isi sync jobs start........................................................................... 584
isi sync jobs pause.........................................................................585
isi sync jobs resume.......................................................................585
isi sync jobs cancel........................................................................ 586
isi sync jobs list............................................................................. 586
isi sync jobs view........................................................................... 587
isi sync jobs reports list..................................................................587
OneFS 7.2.0 CLI Administration Guide

13

CONTENTS

isi sync jobs reports view............................................................... 588

isi sync settings modify..................................................................588
isi sync settings view..................................................................... 589
isi sync policies resolve................................................................. 589
isi sync policies reset..................................................................... 590
isi sync target cancel......................................................................590
isi sync target list........................................................................... 590
isi sync target view.........................................................................591
isi sync target break....................................................................... 592
isi sync target reports list............................................................... 592
isi sync target reports view............................................................. 594
isi sync target reports subreports list..............................................594
isi sync target reports subreports view........................................... 596
isi sync reports list......................................................................... 596
isi sync reports view.......................................................................598
isi sync reports rotate.....................................................................598
isi sync reports subreports list....................................................... 598
isi sync reports subreports view..................................................... 600
isi sync recovery allow-write........................................................... 600
isi sync recovery resync-prep..........................................................601
isi sync rules create........................................................................601
isi sync rules modify.......................................................................602
isi sync rules delete....................................................................... 603
isi sync rules list............................................................................ 604
isi sync rules view.......................................................................... 604
isi_changelist_mod........................................................................605

Chapter 14

Data layout with FlexProtect

609

FlexProtect overview....................................................................................610
File striping................................................................................................. 610
Requested data protection.......................................................................... 610
FlexProtect data recovery.............................................................................611
Smartfail........................................................................................ 611
Node failures................................................................................. 611
Requesting data protection......................................................................... 612
Requested protection settings.....................................................................612
Requested protection disk space usage...................................................... 613

Chapter 15

NDMP backup

615

NDMP backup and recovery overview.......................................................... 616

NDMP two-way backup................................................................................616
Snapshot-based incremental backups........................................................ 617
NDMP protocol support............................................................................... 618
Supported DMAs......................................................................................... 618
NDMP hardware support............................................................................. 619
NDMP backup limitations............................................................................ 619
NDMP performance recommendations........................................................ 620
Excluding files and directories from NDMP backups.................................... 621
Configuring basic NDMP backup settings.................................................... 623
Configure and enable NDMP backup.............................................. 623
Disable NDMP backup ...................................................................623
View NDMP backup settings .......................................................... 623
NDMP backup settings .................................................................. 623
Managing NDMP user accounts................................................................... 624
14

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Create an NDMP user account ....................................................... 624

Modify the password of an NDMP user account ............................. 624
Delete an NDMP user account ....................................................... 624
View NDMP user accounts ............................................................. 624
Managing NDMP backup devices.................................................................625
Detect NDMP backup devices ........................................................ 625
Modify an NDMP backup device entry name .................................. 625
Delete a device entry for a disconnected NDMP backup device.......625
View NDMP backup devices .......................................................... 626
Managing NDMP backup ports.................................................................... 626
Modify NDMP backup port settings ................................................626
Enable or disable an NDMP backup port.........................................626
View NDMP backup ports .............................................................. 627
NDMP backup port settings ........................................................... 627
Managing NDMP backup sessions...............................................................627
End an NDMP session ................................................................... 627
View NDMP sessions ..................................................................... 628
NDMP session information ............................................................ 628
Managing restartable backups.................................................................... 629
Configure restartable backups for EMC NetWorker..........................629
View restartable backup contexts...................................................630
Delete a restartable backup context............................................... 630
Configure restartable backup settings............................................ 630
View restartable backup settings................................................... 631
Managing file list backups.......................................................................... 631
Format of a backup file list............................................................. 632
Placement of the file list.................................................................632
Start a file list backup.................................................................... 632
Parallel restore operation............................................................................ 633
Specify a serial restore operation................................................... 633
Sharing tape drives between clusters.......................................................... 634
Managing default NDMP settings.................................................................634
Set default NDMP settings for a directory....................................... 634
Modify default NDMP settings for a directory.................................. 634
View default NDMP settings for directories..................................... 635
NDMP environment variables......................................................... 635
Managing snapshot based incremental backups.........................................638
Enable snapshot-based incremental backups for a directory.......... 638
Delete snapshots for snapshot-based incremental backups...........638
View snapshots for snapshot-based incremental backups............. 639
View NDMP backup logs ............................................................................. 639
NDMP backup commands........................................................................... 639
isi ndmp user create.......................................................................639
isi ndmp user modify..................................................................... 640
isi ndmp user delete...................................................................... 640
isi ndmp user list........................................................................... 640
isi tape rescan............................................................................... 641
isi tape rename.............................................................................. 641
isi tape delete................................................................................ 642
isi tape list..................................................................................... 642
isi fc set......................................................................................... 643
isi fc disable.................................................................................. 644
isi fc enable................................................................................... 644
isi fc list......................................................................................... 645
isi ndmp kill................................................................................... 646
isi ndmp list................................................................................... 646
OneFS 7.2.0 CLI Administration Guide

15

CONTENTS

isi ndmp probe...............................................................................647

isi ndmp settings set......................................................................647
isi ndmp settings list......................................................................648
isi ndmp settings variables create.................................................. 649
isi ndmp settings variables modify................................................. 649
isi ndmp settings variables delete..................................................650
isi ndmp settings variables list.......................................................651
isi ndmp dumpdates delete........................................................... 651
isi ndmp dumpdates list................................................................ 651
isi ndmp extensions context delete................................................ 652
isi ndmp extensions contexts list................................................... 652
isi ndmp extensions contexts view................................................. 653
isi ndmp extensions settings modify.............................................. 654
isi ndmp extensions settings view..................................................654

Chapter 16

File retention with SmartLock

655

SmartLock overview.................................................................................... 656

Compliance mode....................................................................................... 656
SmartLock directories................................................................................. 656
Replication and backup with SmartLock...................................................... 657
SmartLock replication and backup limitations................................657
SmartLock license functionality...................................................................658
SmartLock considerations........................................................................... 658
Set the compliance clock............................................................................ 659
View the compliance clock.......................................................................... 659
Creating a SmartLock directory.................................................................... 659
Retention periods...........................................................................659
Autocommit time periods............................................................... 660
Create a SmartLock directory..........................................................660
Managing SmartLock directories................................................................. 661
Modify a SmartLock directory......................................................... 661
View SmartLock directory settings..................................................661
SmartLock directory configuration settings.....................................662
Managing files in SmartLock directories...................................................... 665
Set a retention period through a UNIX command line..................... 665
Set a retention period through Windows Powershell.......................665
Commit a file to a WORM state through a UNIX command line........ 666
Commit a file to a WORM state through Windows Explorer..............666
Override the retention period for all files in a SmartLock directory.. 666
Delete a file committed to a WORM state ....................................... 667
View WORM status of a file.............................................................667
SmartLock commands.................................................................................668
isi worm domains create................................................................ 668
isi worm domains modify............................................................... 671
isi worm domains list..................................................................... 675
isi worm domains view .................................................................. 676
isi worm cdate set.......................................................................... 676
isi worm cdate view........................................................................677
isi worm files delete....................................................................... 677
isi worm files view..........................................................................677

Chapter 17

Protection domains

679

Protection domains overview...................................................................... 680

Protection domain considerations...............................................................680
16

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Create a protection domain ........................................................................ 681

Delete a protection domain ........................................................................ 681

Chapter 18

Data-at-rest-encryption

683

Data-at-rest encryption overview................................................................. 684

Self-encrypting drives..................................................................................684
Data security on self-encrypted drives......................................................... 684
Data migration to a self-encrypted-drives cluster......................................... 685
Chassis and drive states............................................................................. 685
Smartfailed drive REPLACE state..................................................................688
Smartfailed drive ERASE state..................................................................... 689

Chapter 19

SmartQuotas

691

SmartQuotas overview................................................................................ 692

Quota types................................................................................................ 692
Default quota type.......................................................................................693
Usage accounting and limits....................................................................... 695
Disk-usage calculations.............................................................................. 696
Quota notifications..................................................................................... 697
Quota notification rules...............................................................................697
Quota reports..............................................................................................698
Creating quotas...........................................................................................698
Create an accounting quota........................................................... 699
Create an enforcement quota......................................................... 699
Managing quotas........................................................................................ 700
Search for quotas...........................................................................700
Manage quotas.............................................................................. 700
Export a quota configuration file.................................................... 701
Import a quota configuration file.................................................... 702
Managing quota notifications.........................................................702
Email quota notification messages.................................................704
Managing quota reports................................................................. 706
Basic quota settings...................................................................... 708
Advisory limit quota notification rules settings............................... 708
Soft limit quota notification rules settings...................................... 709
Hard limit quota notification rules settings.....................................710
Limit notification settings...............................................................710
Quota report settings..................................................................... 711
Quota commands........................................................................................712
isi quota quotas create.................................................................. 712
isi quota quotas delete.................................................................. 714
isi quota quotas modify................................................................. 715
isi quota quotas list....................................................................... 718
isi quota quotas view..................................................................... 720
isi quota quotas notifications clear................................................ 721
isi quota quotas notifications create.............................................. 722
isi quota quotas notifications delete.............................................. 725
isi quota quotas notifications disable............................................ 726
isi quota quotas notifications list................................................... 728
isi quota quotas notifications modify............................................. 730
isi quota quotas notifications view.................................................733
isi quota reports create.................................................................. 734
isi quota reports delete.................................................................. 735
isi quota reports list....................................................................... 736
OneFS 7.2.0 CLI Administration Guide

17

CONTENTS

isi quota settings notifications clear...............................................736

isi quota settings notifications create.............................................736
isi quota settings notifications delete............................................ 739
isi quota settings notifications list................................................. 740
isi quota settings notifications modify............................................740
isi quota settings notifications view............................................... 742
isi quota settings reports modify.................................................... 743
isi quota settings reports view........................................................745

Chapter 20

Storage Pools

747

Storage pools overview............................................................................... 748

Storage pool functions................................................................................ 748
Autoprovisioning.........................................................................................750
Node pools................................................................................................. 750
Node compatibilities......................................................................750
Manual node pools........................................................................ 751
Virtual hot spare..........................................................................................751
Spillover..................................................................................................... 752
Suggested protection.................................................................................. 752
Protection policies...................................................................................... 753
SSD strategies.............................................................................................753
Global namespace acceleration.................................................................. 754
L3 cache overview....................................................................................... 755
Migration to L3 cache.....................................................................756
L3 cache on HD400 node pools......................................................756
Tiers............................................................................................................756
File pool policies......................................................................................... 756
Managing node pools through the command-line interface......................... 757
Add a compatible node to a node pool........................................... 758
Merge compatible node pools........................................................ 758
Delete a compatibility.................................................................... 759
Create a node pool manually..........................................................759
Add a node to a manually managed node pool...............................760
Change the name or protection policy of a node pool..................... 760
Remove a node from a manually managed node pool.....................760
Managing L3 cache from the command-line interface.................................. 761
Set L3 cache as the default for new node pools..............................761
Enable L3 cache on a specific node pool ....................................... 761
Restore SSDs to storage drives for a node pool.............................. 762
Managing tiers............................................................................................ 762
Create a tier................................................................................... 762
Add or move node pools in a tier.................................................... 762
Rename a tier.................................................................................763
Delete a tier................................................................................... 763
Creating file pool policies............................................................................763
Create a file pool policy..................................................................764
File-matching options for file pool policies..................................... 764
Valid wildcard characters............................................................... 766
SmartPools settings....................................................................... 766
Default file pool requested protection settings............................... 769
Default file pool I/O optimization settings...................................... 770
Managing file pool policies......................................................................... 771
Modify a file pool policy................................................................. 771
Modify default storage pool settings.............................................. 772
Configure default file pool policy settings.......................................772
18

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Prioritize a file pool policy.............................................................. 773

Delete a file pool policy..................................................................773
Monitoring storage pools............................................................................ 774
Monitor storage pools.................................................................... 774
View the health of storage pools.................................................... 774
View results of a SmartPools job.................................................... 774
Storage pool commands............................................................................. 775
isi filepool apply............................................................................ 775
isi filepool default-policy modify.................................................... 777
isi filepool default-policy view........................................................779
isi filepool policies create.............................................................. 779
isi filepool policies delete.............................................................. 782
isi filepool policies list................................................................... 783
isi filepool policies modify............................................................. 783
isi filepool policies view................................................................. 787
isi filepool templates list................................................................787
isi filepool templates view..............................................................788
isi storagepool compatibilities active create...................................788
isi storagepool compatibilities active delete.................................. 789
isi storagepool compatibilities active list....................................... 789
isi storagepool compatibilities active view..................................... 790
isi storagepool compatibilities available list.................................. 791
isi storagepool health.................................................................... 792
isi storagepool list......................................................................... 792
isi storagepool nodepools create................................................... 792
isi storagepool nodepools delete................................................... 793
isi storagepool nodepools list........................................................ 793
isi storagepool nodepools modify.................................................. 794
isi storagepool nodepools view......................................................795
isi storagepool settings modify...................................................... 796
isi storagepool settings view.......................................................... 797
isi storagepool tiers create............................................................. 797
isi storagepool tiers delete.............................................................798
isi storagepool tiers list..................................................................798
isi storagepool tiers modify............................................................ 799
isi storagepool tiers view................................................................799

Chapter 21

System jobs

801

System jobs overview..................................................................................802

System jobs library......................................................................................802
Job operation.............................................................................................. 805
Job performance impact.............................................................................. 806
Job priorities............................................................................................... 807
Managing system jobs................................................................................ 807
Start a job...................................................................................... 808
Pause a job.................................................................................... 808
Modify a job...................................................................................808
Resume a job................................................................................. 809
Cancel a job................................................................................... 809
Modify job type settings................................................................. 810
View active jobs............................................................................. 810
View job history............................................................................. 810
Managing impact policies........................................................................... 811
Create an impact policy..................................................................811
View impact policy settings............................................................ 812
OneFS 7.2.0 CLI Administration Guide

19

CONTENTS

Modify an impact policy................................................................. 812

Delete an impact policy..................................................................813
Viewing job reports and statistics................................................................813
View statistics for a job in progress................................................ 813
View a report for a completed job...................................................814
Job management commands....................................................................... 815
isi job events list............................................................................815
isi job jobs cancel.......................................................................... 817
isi job jobs list............................................................................... 817
isi job jobs modify..........................................................................818
isi job jobs pause...........................................................................819
isi job jobs resume.........................................................................820
isi job jobs start............................................................................. 820
isi job jobs view............................................................................. 822
isi job policies create..................................................................... 823
isi job policies delete..................................................................... 823
isi job policies list.......................................................................... 824
isi job policies modify.................................................................... 825
isi job policies view........................................................................826
isi job reports list........................................................................... 827
isi job reports view.........................................................................828
isi job statistics list........................................................................ 829
isi job statistics view......................................................................830
isi job types list..............................................................................831
isi job status.................................................................................. 832
isi job types modify........................................................................ 833
isi job types view........................................................................... 834

Chapter 22

Networking

837

Networking overview................................................................................... 838

Internal network overview........................................................................... 838
Internal IP address ranges..............................................................838
Internal network failover................................................................ 839
External client network overview................................................................. 839
External network settings............................................................... 839
IP address pools............................................................................ 840
IPv6 support.................................................................................. 840
SmartConnect module....................................................................841
Connection balancing.................................................................... 841
IP address allocation......................................................................842
IP address failover......................................................................... 843
IP address rebalancing...................................................................843
SmartConnect DNS service.............................................................844
DNS name resolution..................................................................... 844
NIC aggregation............................................................................. 845
Routing options............................................................................. 845
VLANs............................................................................................ 847
Managing internal network settings.............................................................847
Add or remove an internal IP address range................................... 847
Modify an internal network netmask.............................................. 847
Configure and enable internal network failover.............................. 848
Disable internal network failover....................................................849
Managing external network settings............................................................ 849
Configure DNS settings.................................................................. 849
Managing external network subnets............................................................850
20

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Create a subnet..............................................................................850
Modify a subnet............................................................................. 850
Delete a subnet..............................................................................851
View subnets................................................................................. 851
Enable or disable VLAN tagging......................................................852
Add or remove a DSR address........................................................ 852
Managing IP address pools......................................................................... 853
Create an IP address pool...............................................................853
Modify an IP address pool.............................................................. 853
Delete an IP address pool...............................................................853
View IP address pools.................................................................... 854
Add or remove an IP address range................................................ 854
Configure IP address allocation......................................................855
Configure an IP rebalance policy.................................................... 855
Configure an IP failover policy........................................................ 856
Managing SmartConnect Settings................................................................857
Configure a SmartConnect zone..................................................... 857
Add or remove a SmartConnect zone alias......................................858
Configure a SmartConnect connection balancing policy................. 858
Configure a SmartConnect service IP address................................. 859
Configure a SmartConnect service subnet...................................... 859
Managing network interface members.........................................................860
Add or remove a network interface................................................. 860
Configure NIC Aggregation..............................................................860
Add or remove a static route...........................................................862
View network interfaces................................................................. 862
Managing network interface provisioning rules............................................863
Create a network interface provisioning rule...................................863
Modify a network interface provisioning rule.................................. 863
Delete a network interface provisioning rule...................................864
View network interface provisioning rules...................................... 864
Managing routing options........................................................................... 865
Enable or disable source-based routing......................................... 865
Add or remove a static route...........................................................865
Networking commands................................................................................866
isi networks................................................................................... 866
isi networks create pool................................................................. 868
isi networks create rule.................................................................. 872
isi networks create subnet............................................................. 873
isi networks delete pool................................................................. 875
isi networks delete rule.................................................................. 875
isi networks delete subnet............................................................. 876
isi networks dnscache disable....................................................... 876
isi networks dnscache enable........................................................ 876
isi networks dnscache flush........................................................... 877
isi networks dnscache modify........................................................ 877
isi networks dnscache statistics.....................................................878
isi networks list interfaces..............................................................878
isi networks list pools.................................................................... 879
isi networks list rules..................................................................... 880
isi networks list subnets................................................................ 881
isi networks modify pool................................................................ 881
isi networks modify rule................................................................. 886
isi networks modify subnet............................................................ 887
isi networks sbr enable.................................................................. 889
isi networks sbr disable................................................................. 889
OneFS 7.2.0 CLI Administration Guide

21

CONTENTS

Chapter 23

Hadoop

891

Hadoop overview........................................................................................ 892

Hadoop architecture....................................................................................892
Hadoop compute layer................................................................... 892
HDFS storage layer......................................................................... 892
How Hadoop is implemented on OneFS.......................................................893
Hadoop distributions supported by OneFS.................................................. 893
WebHDFS.................................................................................................... 894
Secure impersonation................................................................................. 894
Ambari agent.............................................................................................. 895
Virtual HDFS racks.......................................................................................895
HDFS implementation considerations..........................................................896
HDFS directories and Hadoop user accounts.................................. 896
HDFS settings in access zones....................................................... 896
HDFS and SmartConnect................................................................ 896
Implementing Hadoop with OneFS................................................. 897
Managing the HDFS service......................................................................... 897
Configure HDFS service settings..................................................... 897
HDFS service settings.....................................................................898
View HDFS service settings.............................................................899
Enable or disable the HDFS service................................................ 899
Managing HDFS access zone settings..........................................................900
Supported HDFS authentication methods.......................................900
Set the HDFS authentication method in an access zone..................900
Configure HDFS authentication properties on the Hadoop client.....901
Create a local Hadoop user............................................................ 902
Set the HDFS root directory in an access zone................................ 902
Enable or disable WebHDFS within an access zone........................ 902
Configure Ambari agent settings.................................................... 903
Configuring secure impersonation...............................................................903
Create a proxy user........................................................................ 903
Modify a proxy user........................................................................904
Delete a proxy user........................................................................ 904
List the members of a proxy user....................................................904
View proxy users............................................................................ 905
Managing virtual HDFS racks....................................................................... 905
Create a virtual HDFS rack.............................................................. 906
Modify a virtual HDFS rack..............................................................906
Delete a virtual HDFS rack.............................................................. 907
View virtual HDFS racks..................................................................907
HDFS commands......................................................................................... 908
isi hdfs settings modify.................................................................. 908
isi hdfs settings view......................................................................909
isi hdfs proxyusers create.............................................................. 909
isi hdfs proxyusers modify............................................................. 911
isi hdfs proxyusers delete.............................................................. 912
isi hdfs proxyusers members list.................................................... 913
isi hdfs proxyusers list................................................................... 914
isi hdfs proxyusers view................................................................. 914
isi hdfs racks create....................................................................... 915
isi hdfs racks modify...................................................................... 915
isi hdfs racks delete....................................................................... 916
isi hdfs racks list............................................................................ 917
isi hdfs racks view..........................................................................917

22

OneFS 7.2.0 CLI Administration Guide

CONTENTS

Chapter 24

Antivirus

919

Antivirus overview....................................................................................... 920

On-access scanning.................................................................................... 920
Antivirus policy scanning............................................................................ 921
Individual file scanning............................................................................... 921
Antivirus scan reports................................................................................. 921
ICAP servers................................................................................................ 921
Supported ICAP servers............................................................................... 922
Anitvirus threat responses...........................................................................922
Configuring global antivirus settings........................................................... 923
Exclude files from antivirus scans ..................................................923
Configure on-access scanning settings ..........................................923
Configure antivirus threat response settings ..................................924
Configure antivirus report retention settings...................................924
Enable or disable antivirus scanning.............................................. 924
Managing ICAP servers................................................................................ 924
Add and connect to an ICAP server ................................................ 924
Test an ICAP server connection.......................................................925
Temporarily disconnect from an ICAP server .................................. 925
Reconnect to an ICAP server .......................................................... 925
Remove an ICAP server .................................................................. 925
Create an antivirus policy ........................................................................... 926
Managing antivirus policies.........................................................................926
Modify an antivirus policy ............................................................. 926
Delete an antivirus policy .............................................................. 926
Enable or disable an antivirus policy ............................................. 927
View antivirus policies .................................................................. 927
Managing antivirus scans............................................................................927
Scan a file...................................................................................... 927
Manually run an antivirus policy.....................................................927
Stop a running antivirus scan.........................................................928
Managing antivirus threats..........................................................................928
Manually quarantine a file .............................................................928
Remove a file from quarantine .......................................................928
View threats .................................................................................. 928
Antivirus threat information........................................................... 929
Managing antivirus reports..........................................................................929
Export an antivirus report............................................................... 929
View antivirus reports ....................................................................929
View antivirus events..................................................................... 930
Antivirus commands................................................................................... 930
isi avscan policy add......................................................................930
isi avscan policy edit......................................................................931
isi avscan policy delete.................................................................. 933
isi avscan policy.............................................................................933
isi avscan policy run.......................................................................933
isi avscan manual.......................................................................... 934
isi avscan quarantine..................................................................... 934
isi avscan unquarantine................................................................. 934
isi avscan report threat.................................................................. 935
isi avscan report scan.................................................................... 935
isi avscan report purge...................................................................936
isi avscan settings......................................................................... 937
isi avscan get................................................................................. 939

OneFS 7.2.0 CLI Administration Guide

23

CONTENTS

Chapter 25

VMware integration

941

VMware integration overview.......................................................................942

VAAI............................................................................................................ 942
VASA...........................................................................................................942
Isilon VASA alarms......................................................................... 942
VASA storage capabilities.............................................................. 943
Configuring VASA support........................................................................... 943
Enable VASA.................................................................................. 943
Download the Isilon vendor provider certificate..............................944
Add the Isilon vendor provider....................................................... 944
Disable or re-enable VASA...........................................................................945
Troubleshooting VASA storage display failures............................................945

24

OneFS 7.2.0 CLI Administration Guide

CHAPTER 1
Introduction to this guide

This section contains the following topics:

l
l
l

About this guide....................................................................................................26

Isilon scale-out NAS overview................................................................................26
Where to go for support.........................................................................................26

Introduction to this guide

25

Introduction to this guide

About this guide

This guide describes how the Isilon OneFS command-line interface provides access to
cluster configuration, management, and monitoring functionality. This guide also lists
and describes all OneFS-specific commands that extend the standard UNIX command set.
We value your feedback. Please let us know how we can improve this document.
l

Take the survey at https://www.research.net/s/isi-docfeedback.

Send your comments or suggestions to [email protected].

Isilon scale-out NAS overview

The EMC Isilon scale-out NAS storage platform combines modular hardware with unified
software to harness unstructured data. Powered by the OneFS operating system, an EMC
Isilon cluster delivers a scalable pool of storage with a global namespace.
The platform's unified software provides centralized web-based and command-line
administration to manage the following features:
l

A cluster that runs a distributed file system

Scale-out nodes that add capacity and performance

Storage options that manage files, block data, and tiering

Flexible data protection and high availability

Software modules that control costs and optimize resources

Where to go for support

You can contact EMC Isilon Technical Support for any questions about EMC Isilon
products.
Online Support

Live Chat
Create a Service Request

Telephone Support

United States: 1-800-SVC-4EMC (800-782-4362)

Canada: 800-543-4782
Worldwide: +1-508-497-7901
For local phone numbers in your country, see EMC Customer
Support Centers.

Help with online

support

26

OneFS 7.2.0 CLI Administration Guide

For questions specific to EMC Online Support registration or

access, email [email protected].

CHAPTER 2
Isilon scale-out NAS

This section contains the following topics:

l
l
l
l
l
l
l
l
l

OneFS storage architecture................................................................................... 28

Isilon node components........................................................................................28
Internal and external networks.............................................................................. 29
Isilon cluster......................................................................................................... 29
The OneFS operating system................................................................................. 31
Structure of the file system....................................................................................33
Data protection overview.......................................................................................35
VMware integration............................................................................................... 37
Software modules................................................................................................. 38

Isilon scale-out NAS

27

Isilon scale-out NAS

OneFS storage architecture

EMC Isilon takes a scale-out approach to storage by creating a cluster of nodes that runs
a distributed file system. OneFS combines the three layers of storage architecturefile
system, volume manager, and data protectioninto a scale-out NAS cluster.
Each node adds resources to the cluster. Because each node contains globally coherent
RAM, as a cluster becomes larger, it becomes faster. Meanwhile, the file system expands
dynamically and redistributes content, which eliminates the work of partitioning disks
and creating volumes.
Nodes work as peers to spread data across the cluster. Segmenting and distributing data
a process known as stripingnot only protects data, but also enables a user
connecting to any node to take advantage of the entire cluster's performance.
OneFS uses distributed software to scale data across commodity hardware. Each node
helps control data requests, boosts performance, and expands the cluster's capacity. No
master device controls the cluster; no slaves invoke dependencies. Instead, each node
helps control data requests, boosts performance, and expands the cluster's capacity.

Isilon node components

As a rack-mountable appliance, a storage node includes the following components in a
2U or 4U rack-mountable chassis with an LCD front panel: CPUs, RAM, NVRAM, network
interfaces, InfiniBand adapters, disk controllers, and storage media. An Isilon cluster
comprises three or more nodes, up to 144.
When you add a node to a cluster, you increase the cluster's aggregate disk, cache, CPU,
RAM, and network capacity. OneFS groups RAM into a single coherent cache so that a
data request on a node benefits from data that is cached anywhere. NVRAM is grouped to
write data with high throughput and to protect write operations from power failures. As
the cluster expands, spindles and CPU combine to increase throughput, capacity, and
input-output operations per second (IOPS).
EMC Isilon makes several types of nodes, all of which can be added to a cluster to
balance capacity and performance with throughput or IOPS:
Node

Use Case

S-Series

IOPS-intensive applications

X-Series

High-concurrency and throughput-driven workflows

NL-Series Near-primary accessibility, with near-tape value

HD-Series Maximum capacity

The following EMC Isilon nodes improve performance:

Node

Function

A-Series Performance Accelerator Independent scaling for high performance

A-Series Backup Accelerator

28

OneFS 7.2.0 CLI Administration Guide

High-speed and scalable backup-and-restore solution for tape

drives over Fibre Channel connections

Isilon scale-out NAS

Internal and external networks

A cluster includes two networks: an internal network to exchange data between nodes
and an external network to handle client connections.
Nodes exchange data through the internal network with a proprietary, unicast protocol
over InfiniBand. Each node includes redundant InfiniBand ports so you can add a second
internal network in case the first one fails.
Clients reach the cluster with 1 GigE or 10 GigE Ethernet. Since every node includes
Ethernet ports, the cluster's bandwidth scales with performance and capacity as you add
nodes.

Isilon cluster
An Isilon cluster consists of three or more hardware nodes, up to 144. Each node runs the
Isilon OneFS operating system, the distributed file-system software that unites the nodes
into a cluster. A clusters storage capacity ranges from a minimum of 18 TB to a maximum
of 15.5 PB.

Cluster administration
OneFS centralizes cluster management through a web administration interface and a
command-line interface. Both interfaces provide methods to activate licenses, check the
status of nodes, configure the cluster, upgrade the system, generate alerts, view client
connections, track performance, and change various settings.
In addition, OneFS simplifies administration by automating maintenance with a job
engine. You can schedule jobs that scan for viruses, inspect disks for errors, reclaim disk
space, and check the integrity of the file system. The engine manages the jobs to
minimize impact on the cluster's performance.
With SNMP versions 2c and 3, you can remotely monitor hardware components, CPU
usage, switches, and network interfaces. EMC Isilon supplies management information
bases (MIBs) and traps for the OneFS operating system.
OneFS also includes a RESTful application programming interfaceknown as the Platform
APIto automate access, configuration, and monitoring. For example, you can retrieve
performance statistics, provision users, and tap the file system. The Platform API
integrates with OneFS role-based access control to increase security. See the Isilon
Platform API Reference.

Quorum
An Isilon cluster must have a quorum to work properly. A quorum prevents data conflicts
for example, conflicting versions of the same filein case two groups of nodes become
unsynchronized. If a cluster loses its quorum for read and write requests, you cannot
access the OneFS file system.
For a quorum, more than half the nodes must be available over the internal network. A
seven-node cluster, for example, requires a four-node quorum. A 10-node cluster requires
a six-node quorum. If a node is unreachable over the internal network, OneFS separates
the node from the cluster, an action referred to as splitting. After a cluster is split, cluster
operations continue as long as enough nodes remain connected to have a quorum.
In a split cluster, the nodes that remain in the cluster are referred to as the majority
group. Nodes that are split from the cluster are referred to as the minority group.
Internal and external networks

29

Isilon scale-out NAS

When split nodes can reconnect with the cluster and resynchronize with the other nodes,
the nodes rejoin the cluster's majority group, an action referred to as merging.
A OneFS cluster contains two quorum properties:
l

read quorum (efs.gmp.has_quorum)

write quorum (efs.gmp.has_super_block_quorum)

By connecting to a node with SSH and running the sysctl command-line tool as root,
you can view the status of both types of quorum. Here is an example for a cluster that has
a quorum for both read and write operations, as the command's output indicates with a
1, for true:
sysctl efs.gmp.has_quorum
efs.gmp.has_quorum: 1
sysctl efs.gmp.has_super_block_quorum
efs.gmp.has_super_block_quorum: 1

The degraded states of nodessuch as smartfail, read-only, offline, and so onaffect

quorum in different ways. A node in a smartfail or read-only state affects only write
quorum. A node in an offline state, however, affects both read and write quorum. In a
cluster, the combination of nodes in different degraded states determines whether read
requests, write requests, or both work.
A cluster can lose write quorum but keep read quorum. Consider a four-node cluster in
which nodes 1 and 2 are working normally. Node 3 is in a read-only state, and node 4 is
in a smartfail state. In such a case, read requests to the cluster succeed. Write requests,
however, receive an input-output error because the states of nodes 3 and 4 break the
write quorum.
A cluster can also lose both its read and write quorum. If nodes 3 and 4 in a four-node
cluster are in an offline state, both write requests and read requests receive an inputoutput error, and you cannot access the file system. When OneFS can reconnect with the
nodes, OneFS merges them back into the cluster. Unlike a RAID system, an Isilon node
can rejoin the cluster without being rebuilt and reconfigured.

Splitting and merging

Splitting and merging optimize the use of nodes without your intervention.
OneFS monitors every node in a cluster. If a node is unreachable over the internal
network, OneFS separates the node from the cluster, an action referred to as splitting.
When the cluster can reconnect to the node, OneFS adds the node back into the cluster,
an action referred to as merging.
When a node is split from a cluster, it will continue to capture event information locally.
You can connect to a split node with SSH and run the isi events list command to
view the local event log for the node. The local event log can help you troubleshoot the
connection issue that resulted in the split. When the split node rejoins the cluster, local
events gathered during the split are deleted. You can still view events generated by a
split node in the node's event log file located at /var/log/
isi_celog_events.log.
If a cluster splits during a write operation, OneFS might need to re-allocate blocks for the
file on the side with the quorum, which leads allocated blocks on the side without a
quorum to become orphans. When the split nodes reconnect with the cluster, the OneFS
Collect system job reclaims the orphaned blocks.
Meanwhile, as nodes split and merge with the cluster, the OneFS AutoBalance job
redistributes data evenly among the nodes in the cluster, optimizing protection and
conserving space.
30

OneFS 7.2.0 CLI Administration Guide

Isilon scale-out NAS

Storage pools
Storage pools segment nodes and files into logical divisions to simplify the management
and storage of data.
A storage pool comprises node pools and tiers. Node pools group equivalent nodes to
protect data and ensure reliability. Tiers combine node pools to optimize storage by
need, such as a frequently used high-speed tier or a rarely accessed archive.
The SmartPools module groups nodes and files into pools. If you do not activate a
SmartPools license, the module provisions node pools and creates one file pool. If you
activate the SmartPools license, you receive more features. You can, for example, create
multiple file pools and govern them with policies. The policies move files, directories, and
file pools among node pools or tiers. You can also define how OneFS handles write
operations when a node pool or tier is full. SmartPools reserves a virtual hot spare to
reprotect data if a drive fails regardless of whether the SmartPools license is activated.

IP address pools
Within a subnet, you can partition a cluster's external network interfaces into pools of IP
address ranges. The pools empower you to customize your storage network to serve
different groups of users. Although you must initially configure the default external IP
subnet in IPv4 format, you can configure additional subnets in IPv4 or IPv6.
You can associate IP address pools with a node, a group of nodes, or NIC ports. For
example, you can set up one subnet for storage nodes and another subnet for accelerator
nodes. Similarly, you can allocate ranges of IP addresses on a subnet to different teams,
such as engineering and sales. Such options help you create a storage topology that
matches the demands of your network.
In addition, network provisioning rules streamline the setup of external connections.
After you configure the rules with network settings, you can apply the settings to new
nodes.
As a standard feature, the OneFS SmartConnect module balances connections among
nodes by using a round-robin policy with static IP addresses and one IP address pool for
each subnet. Activating a SmartConnect Advanced license adds features, such as
defining IP address pools to support multiple DNS zones.

The OneFS operating system

A distributed operating system based on FreeBSD, OneFS presents an Isilon cluster's file
system as a single share or export with a central point of administration.
The OneFS operating system does the following:
l

Supports common data-access protocols, such as SMB and NFS.

Connects to multiple identity management systems, such as Active Directory and

LDAP.

Authenticates users and groups.

Controls access to directories and files.

Storage pools

31

Isilon scale-out NAS

Data-access protocols
With the OneFS operating system, you can access data with multiple file-sharing and
transfer protocols. As a result, Microsoft Windows, UNIX, Linux, and Mac OS X clients can
share the same directories and files.
OneFS supports the following protocols.
SMB
The Server Message Block (SMB) protocol enables Windows users to access the
cluster. OneFS works with SMB 1, SMB 2, and SMB 2.1, as well as SMB 3.0 for
Multichannel only. With SMB 2.1, OneFS supports client opportunity locks (oplocks)
and large (1 MB) MTU sizes. The default file share is /ifs.
NFS
The Network File System (NFS) protocol enables UNIX, Linux, and Mac OS X systems
to remotely mount any subdirectory, including subdirectories created by Windows
users. OneFS works with NFS versions 3 and 4. The default export is /ifs.
HDFS
The Hadoop Distributed File System (HDFS) protocol enables a cluster to work with
Apache Hadoop, a framework for data-intensive distributed applications. HDFS
integration requires you to activate a separate license.
FTP
FTP allows systems with an FTP client to connect to the cluster and exchange files.
HTTP
HTTP gives systems browser-based access to resources. OneFS includes limited
support for WebDAV.

Identity management and access control

OneFS works with multiple identity management systems to authenticate users and
control access to files. In addition, OneFS features access zones that allow users from
different directory services to access different resources based on their IP address. Rolebased access control, meanwhile, segments administrative access by role.
OneFS authenticates users with the following identity management systems:
l

Microsoft Active Directory (AD)

Lightweight Directory Access Protocol (LDAP)

Network Information Service (NIS)

Local users and local groups

A file provider for accounts in /etc/spwd.db and /etc/group files. With the file
provider, you can add an authoritative third-party source of user and group
information.

You can manage users with different identity management systems; OneFS maps the
accounts so that Windows and UNIX identities can coexist. A Windows user account
managed in Active Directory, for example, is mapped to a corresponding UNIX account in
NIS or LDAP.
To control access, an Isilon cluster works with both the access control lists (ACLs) of
Windows systems and the POSIX mode bits of UNIX systems. When OneFS must
transform a file's permissions from ACLs to mode bits or from mode bits to ACLs, OneFS
merges the permissions to maintain consistent security settings.
OneFS presents protocol-specific views of permissions so that NFS exports display mode
bits and SMB shares show ACLs. You can, however, manage not only mode bits but also
32

OneFS 7.2.0 CLI Administration Guide

Isilon scale-out NAS

ACLs with standard UNIX tools, such as the chmod and chown commands. In addition,
ACL policies enable you to configure how OneFS manages permissions for networks that
mix Windows and UNIX systems.
Access zones
OneFS includes an access zones feature. Access zones allow users from different
authentication providers, such as two untrusted Active Directory domains, to access
different OneFS resources based on an incoming IP address. An access zone can
contain multiple authentication providers and SMB namespaces.
RBAC for administration
OneFS includes role-based access control (RBAC) for administration. In place of a
root or administrator account, RBAC lets you manage administrative access by role.
A role limits privileges to an area of administration. For example, you can create
separate administrator roles for security, auditing, storage, and backup.

Structure of the file system

OneFS presents all the nodes in a cluster as a global namespacethat is, as the default
file share, /ifs.
In the file system, directories are inode number links. An inode contains file metadata
and an inode number, which identifies a file's location. OneFS dynamically allocates
inodes, and there is no limit on the number of inodes.
To distribute data among nodes, OneFS sends messages with a globally routable block
address through the cluster's internal network. The block address identifies the node and
the drive storing the block of data.
Note

It is recommended that you do not save data to the root /ifs file path but in directories
below /ifs. The design of your data storage structure should be planned carefully. A
well-designed directory optimizes cluster performance and cluster administration.

Data layout
OneFS evenly distributes data among a cluster's nodes with layout algorithms that
maximize storage efficiency and performance. The system continuously reallocates data
to conserve space.
OneFS breaks data down into smaller sections called blocks, and then the system places
the blocks in a stripe unit. By referencing either file data or erasure codes, a stripe unit
helps safeguard a file from a hardware failure. The size of a stripe unit depends on the
file size, the number of nodes, and the protection setting. After OneFS divides the data
into stripe units, OneFS allocates, or stripes, the stripe units across nodes in the cluster.
When a client connects to a node, the client's read and write operations take place on
multiple nodes. For example, when a client connects to a node and requests a file, the
node retrieves the data from multiple nodes and rebuilds the file. You can optimize how
OneFS lays out data to match your dominant access patternconcurrent, streaming, or
random.

Structure of the file system

33

Isilon scale-out NAS

Writing files
On a node, the input-output operations of the OneFS software stack split into two
functional layers: A top layer, or initiator, and a bottom layer, or participant. In read and
write operations, the initiator and the participant play different roles.
When a client writes a file to a node, the initiator on the node manages the layout of the
file on the cluster. First, the initiator divides the file into blocks of 8 KB each. Second, the
initiator places the blocks in one or more stripe units. At 128 KB, a stripe unit consists of
16 blocks. Third, the initiator spreads the stripe units across the cluster until they span a
width of the cluster, creating a stripe. The width of the stripe depends on the number of
nodes and the protection setting.
After dividing a file into stripe units, the initiator writes the data first to non-volatile
random-access memory (NVRAM) and then to disk. NVRAM retains the information when
the power is off.
During the write transaction, NVRAM guards against failed nodes with journaling. If a
node fails mid-transaction, the transaction restarts without the failed node. When the
node returns, it replays the journal from NVRAM to finish the transaction. The node also
runs the AutoBalance job to check the file's on-disk striping. Meanwhile, uncommitted
writes waiting in the cache are protected with mirroring. As a result, OneFS eliminates
multiple points of failure.

Reading files
In a read operation, a node acts as a manager to gather data from the other nodes and
present it to the requesting client.
Because an Isilon cluster's coherent cache spans all the nodes, OneFS can store different
data in each node's RAM. By using the internal InfiniBand network, a node can retrieve
file data from another node's cache faster than from its own local disk. If a read operation
requests data that is cached on any node, OneFS pulls the cached data to serve it
quickly.
In addition, for files with an access pattern of concurrent or streaming, OneFS pre-fetches
in-demand data into a managing node's local cache to further improve sequential-read
performance.

Metadata layout
OneFS protects metadata by spreading it across nodes and drives.
Metadatawhich includes information about where a file is stored, how it is protected,
and who can access itis stored in inodes and protected with locks in a B+ tree, a
standard structure for organizing data blocks in a file system to provide instant lookups.
OneFS replicates file metadata across the cluster so that there is no single point of
failure.
Working together as peers, all the nodes help manage metadata access and locking. If a
node detects an error in metadata, the node looks up the metadata in an alternate
location and then corrects the error.

34

OneFS 7.2.0 CLI Administration Guide

Isilon scale-out NAS

Locks and concurrency

OneFS includes a distributed lock manager that orchestrates locks on data across all the
nodes in a cluster.
The lock manager grants locks for the file system, byte ranges, and protocols, including
SMB share-mode locks and NFS advisory locks. OneFS also supports SMB opportunistic
locks and NFSv4 delegations.
Because OneFS distributes the lock manager across all the nodes, any node can act as a
lock coordinator. When a thread from a node requests a lock, the lock manager's hashing
algorithm typically assigns the coordinator role to a different node. The coordinator
allocates a shared lock or an exclusive lock, depending on the type of request. A shared
lock allows users to share a file simultaneously, typically for read operations. An
exclusive lock allows only one user to access a file, typically for write operations.

Striping
In a process known as striping, OneFS segments files into units of data and then
distributes the units across nodes in a cluster. Striping protects your data and improves
cluster performance.
To distribute a file, OneFS reduces it to blocks of data, arranges the blocks into stripe
units, and then allocates the stripe units to nodes over the internal network.
At the same time, OneFS distributes erasure codes that protect the file. The erasure codes
encode the file's data in a distributed set of symbols, adding space-efficient redundancy.
With only a part of the symbol set, OneFS can recover the original file data.
Taken together, the data and its redundancy form a protection group for a region of file
data. OneFS places the protection groups on different drives on different nodescreating
data stripes.
Because OneFS stripes data across nodes that work together as peers, a user connecting
to any node can take advantage of the entire cluster's performance.
By default, OneFS optimizes striping for concurrent access. If your dominant access
pattern is streaming--that is, lower concurrency, higher single-stream workloads, such as
with video--you can change how OneFS lays out data to increase sequential-read
performance. To better handle streaming access, OneFS stripes data across more drives.
Streaming is most effective on clusters or subpools serving large files.

Data protection overview

An Isilon cluster is designed to serve data even when components fail. By default, OneFS
protects data with erasure codes, enabling you to retrieve files when a node or disk fails.
As an alternative to erasure codes, you can protect data with two to eight mirrors.
When you create a cluster with five or more nodes, erasure codes deliver as much as 80
percent efficiency. On larger clusters, erasure codes provide as much as four levels of
redundancy.
In addition to erasure codes and mirroring, OneFS includes the following features to help
protect the integrity, availability, and confidentiality of data:
Feature

Description

Antivirus

OneFS can send files to servers running the Internet Content Adaptation
Protocol (ICAP) to scan for viruses and other threats.

Locks and concurrency

35

Isilon scale-out NAS

Feature

Description

Clones

OneFS enables you to create clones that share blocks with other files to save
space.

NDMP backup and

restore

OneFS can back up data to tape and other devices through the Network Data
Management Protocol. Although OneFS supports both NDMP 3-way and 2way backup, 2-way backup requires an Isilon Backup Accelerator node.

Protection
domains

You can apply protection domains to files and directories to prevent

changes.

The following software modules also help protect data, but they require you to activate a
separate license:
Licensed
Feature

Description

SyncIQ

SyncIQ replicates data on another Isilon cluster and automates failover and
failback operations between clusters. If a cluster becomes unusable, you can
fail over to another Isilon cluster.

SnapshotIQ

You can protect data with a snapshota logical copy of data stored on a
cluster.

SmartLock

The SmartLock tool prevents users from modifying and deleting files. You can
commit files to a write-once, read-many state: The file can never be modified
and cannot be deleted until after a set retention period. SmartLock can help
you comply with Securities and Exchange Commission Rule 17a-4.

N+M data protection

OneFS supports N+M erasure code levels of N+1, N+2, N+3, and N+4.
In the N+M data model, N represents the number of nodes, and M represents the number
of simultaneous failures of nodes or drives that the cluster can handle without losing
data. For example, with N+2 the cluster can lose two drives on different nodes or lose two
nodes.
To protect drives and nodes separately, OneFS also supports N+M:B. In the N+M:B
notation, M is the number of disk failures, and B is the number of node failures. With N
+3:1 protection, for example, the cluster can lose three drives or one node without losing
data.
The default protection level for clusters larger than 18 TB is N+2:1. The default for
clusters smaller than 18 TB is N+1.
The quorum rule dictates the number of nodes required to support a protection level. For
example, N+3 requires at least seven nodes so you can maintain a quorum if three nodes
fail.
You can, however, set a protection level that is higher than the cluster can support. In a
four-node cluster, for example, you can set the protection level at 5x. OneFS protects the
data at 4x until a fifth node is added, after which OneFS automatically reprotects the data
at 5x.

36

OneFS 7.2.0 CLI Administration Guide

Isilon scale-out NAS

Data mirroring
You can protect on-disk data with mirroring, which copies data to multiple locations.
OneFS supports two to eight mirrors. You can use mirroring instead of erasure codes, or
you can combine erasure codes with mirroring.
Mirroring, however, consumes more space than erasure codes. Mirroring data three
times, for example, duplicates the data three times, which requires more space than
erasure codes. As a result, mirroring suits transactions that require high performance.
You can also mix erasure codes with mirroring. During a write operation, OneFS divides
data into redundant protection groups. For files protected by erasure codes, a protection
group consists of data blocks and their erasure codes. For mirrored files, a protection
group contains all the mirrors of a set of blocks. OneFS can switch the type of protection
group as it writes a file to disk. By changing the protection group dynamically, OneFS can
continue writing data despite a node failure that prevents the cluster from applying
erasure codes. After the node is restored, OneFS automatically converts the mirrored
protection groups to erasure codes.

The file system journal

A journal, which records file-system changes in a battery-backed NVRAM card, recovers
the file system after failures, such as a power loss. When a node restarts, the journal
replays file transactions to restore the file system.

Virtual hot spare

When a drive fails, OneFS uses space reserved in a subpool instead of a hot spare drive.
The reserved space is known as a virtual hot spare.
In contrast to a spare drive, a virtual hot spare automatically resolves drive failures and
continues writing data. If a drive fails, OneFS migrates data to the virtual hot spare to
reprotect it. You can reserve as many as four disk drives as a virtual hot spare.

Balancing protection with storage space

You can set protection levels to balance protection requirements with storage space.
Higher protection levels typically consume more space than lower levels because you
lose an amount of disk space to storing erasure codes. The overhead for the erasure
codes depends on the protection level, the file size, and the number of nodes in the
cluster. Since OneFS stripes both data and erasure codes across nodes, the overhead
declines as you add nodes.

VMware integration
OneFS integrates with several VMware products, including vSphere, vCenter, and ESXi.
For example, OneFS works with the VMware vSphere API for Storage Awareness (VASA) so
that you can view information about an Isilon cluster in vSphere. OneFS also works with
the VMware vSphere API for Array Integration (VAAI) to support the following features for
block storage: hardware-assisted locking, full copy, and block zeroing. VAAI for NFS
requires an ESXi plug-in.
With the Isilon for vCenter plug-in, you can backup and restore virtual machines on an
Isilon cluster. With the Isilon Storage Replication Adapter, OneFS integrates with the

Data mirroring

37

Isilon scale-out NAS

VMware vCenter Site Recovery Manager to recover virtual machines that are replicated
between Isilon clusters.

Software modules
You can access advanced features by activating licenses for EMC Isilon software
modules.
SmartLock
SmartLock protects critical data from malicious, accidental, or premature alteration
or deletion to help you comply with SEC 17a-4 regulations. You can automatically
commit data to a tamper-proof state and then retain it with a compliance clock.
SyncIQ automated failover and failback
SyncIQ replicates data on another Isilon cluster and automates failover and failback
between clusters. If a cluster becomes unusable, you can fail over to another Isilon
cluster. Failback restores the original source data after the primary cluster becomes
available again.
File clones
OneFS provides provisioning of full read/write copies of files, LUNs, and other
clones. OneFS also provides virtual machine linked cloning through VMware API
integration.
SnapshotIQ
SnapshotIQ protects data with a snapshota logical copy of data stored on a
cluster. A snapshot can be restored to its top-level directory.
SmartPools
SmartPools enable you to create multiple file pools governed by file-pool policies.
The policies move files and directories among node pools or tiers. You can also
define how OneFS handles write operations when a node pool or tier is full.
SmartConnect
If you activate a SmartConnect Advanced license, you can balance policies to evenly
distribute CPU usage, client connections, or throughput. You can also define IP
address pools to support multiple DNS zones in a subnet. In addition, SmartConnect
supports IP failover, also known as NFS failover.
InsightIQ
The InsightIQ virtual appliance monitors and analyzes the performance of your Isilon
cluster to help you optimize storage resources and forecast capacity.
Aspera for Isilon
Aspera moves large files over long distances fast. Aspera for Isilon is a cluster-aware
version of Aspera technology for non-disruptive, wide-area content delivery.
HDFS
OneFS works with the Hadoop Distributed File System protocol to help clients
running Apache Hadoop, a framework for data-intensive distributed applications,
analyze big data.
SmartQuotas
The SmartQuotas module tracks disk usage with reports and enforces storage limits
with alerts.

38

OneFS 7.2.0 CLI Administration Guide

CHAPTER 3
Introduction to the OneFS command-line
interface

This section contains the following topics:

l
l
l
l
l
l

OneFS command-line interface overview............................................................... 40

Syntax diagrams....................................................................................................40
Universal options.................................................................................................. 41
Command-line interface privileges........................................................................ 41
SmartLock compliance command permissions...................................................... 45
OneFS time values.................................................................................................48

Introduction to the OneFS command-line interface

39

Introduction to the OneFS command-line interface

OneFS command-line interface overview

The OneFS command-line interface extends the standard UNIX command set to include
commands that enable you to manage an Isilon cluster outside of the web administration
interface or LCD panel. You can access the command-line interface by opening a secure
shell (SSH) connection to any node in the cluster.
You can run isi commands to configure, monitor, and manage Isilon clusters and the
individual nodes in a cluster. Brief descriptions, usage information, and examples are
provided for each command.

Syntax diagrams
The format of each command is described in a syntax diagram.
The following conventions apply for syntax diagrams:
Element Description
[]

Square brackets indicate an optional element. If you omit the contents of the square
brackets when specifying a command, the command still runs successfully.

<>

Angle brackets indicate a placeholder value. You must replace the contents of the
angle brackets with a valid value, otherwise the command fails.

{}

Braces indicate a group of elements. If the contents of the braces are separated by a
vertical bar, the contents are mutually exclusive. If the contents of the braces are not
separated by a bar, the contents must be specified together.

Vertical bars separate mutually exclusive elements within the braces.

...

Ellipses indicate that the preceding element can be repeated more than once. If
ellipses follow a brace or bracket, the contents of the braces or brackets can be
repeated more than once.

Each isi command is broken into three parts: command, required options, and optional
options. Required options are positional, meaning that you must specify them in the
order that they appear in the syntax diagram. However, you can specify a required option
in an alternative order by preceding the text displayed in angle brackets with a double
dash. For example, consider isi snapshot snapshots create.
isi snapshot snapshots create <name> <path>
[--expires <timestamp>]
[--alias <string>]
[--verbose]

If the <name> and <path> options are prefixed with double dashes, the options can be
moved around in the command. For example, the following command is valid:
isi snapshot snapshots create --verbose --path /ifs/data --alias
newSnap_alias --name newSnap

Shortened versions of commands are accepted as long as the command is unambiguous

and does not apply to multiple commands. For example, isi snap snap c
newSnap /ifs/data is equivalent to isi snapshot snapshots create
newSnap /ifs/data because the root of each word belongs to one command
40

OneFS 7.2.0 CLI Administration Guide

Introduction to the OneFS command-line interface

exclusively. If a word belongs to more than one command, the command fails. For
example, isi sn snap c newSnap /ifs/data is not equivalent to isi
snapshot snapshots create newSnap /ifs/data because the root of isi
sn could belong to either isi snapshot or isi snmp.
If you begin typing a word and then press TAB, the rest of the word automatically appears
as long as the word is unambiguous and applies to only one command. For example, isi
snap completes to isi snapshot because that is the only valid possibility. However,
isi sn does not complete, because it is the root of both isi snapshot and isi
snmp.

Universal options
Some options are valid for all commands.
Syntax
isi [--timeout <integer>] [--debug] <command> [--help]

--timeout <integer>
Specifies the number of seconds before the command times out.
--debug
Displays all calls to the Isilon OneFS Platform API. If a traceback occurs, displays
traceback in addition to error message.
--help
Displays a basic description of the command and all valid options for the command.
Examples
The following command causes the isi sync policies list command to timeout
after 30 seconds:
isi --timeout 30 sync policies list

The following command displays help output for isi sync policies list:
isi sync policies list --help

Command-line interface privileges

You can perform most tasks granted by a privilege through the command-line interface.
Some OneFS commands require root access; however, if you do not have root access,
most of the commands associated with a privilege can be performed through the sudo
program. The system automatically generates a sudoers file of users based on existing
roles.
Prefixing a command with sudo allows you to run commands that require root access.
For example, if you do not have root access, the following command fails:
isi sync policies list

However, if you are on the sudoers list, the following command succeeds:
sudo isi sync policies list

Universal options

41

Introduction to the OneFS command-line interface

The following tables list all One FS commands available, the associated privilege or rootaccess requirement, and whether sudo is required to run the command.
Note

If you are running in compliance mode, more commands will require sudo.
Table 1 Privileges sorted by CLI command

42

isi command

Privilege

Requires sudo

isi alert

ISI_PRIV_EVENT

isi audit

ISI_PRIV_AUDIT

isi auth - excluding isi

auth role

ISI_PRIV_AUTH

isi auth role

ISI_PRIV_ROLE

isi avscan

ISI_PRIV_ANTIVIRUS

isi batterystatus

ISI_PRIV_STATISTICS

isi config

root

isi dedupe - excluding

isi dedupe stats

ISI_PRIV_JOB_ENGINE

isi dedupe stats

ISI_PRIV_STATISTICS

isi devices

ISI_PRIV_DEVICES

isi domain

root

isi email

ISI_PRIV_CLUSTER

isi events

ISI_PRIV_EVENT

isi exttools

root

isi fc

root

isi filepool

ISI_PRIV_SMARTPOOLS

isi firmware

root

isi ftp

ISI_PRIV_FTP

isi get

root

isi hdfs

root

isi iscsi

ISI_PRIV_ISCSI

isi job

ISI_PRIV_JOB_ENGINE

isi license

ISI_PRIV_LICENSE

isi lun

ISI_PRIV_ISCSI

isi ndmp

ISI_PRIV_NDMP

isi networks

ISI_PRIV_NETWORK

isi nfs

ISI_PRIV_NFS

OneFS 7.2.0 CLI Administration Guide

Introduction to the OneFS command-line interface

Table 1 Privileges sorted by CLI command (continued)

isi command

Privilege

Requires sudo

isi perfstat

ISI_PRIV_STATISTICS

isi pkg

root

isi quota

ISI_PRIV_QUOTA

isi readonly

root

isi remotesupport

ISI_PRIV_REMOTE_SUPPORT

isi servicelight

ISI_PRIV_DEVICES

isi services

root

isi set

root

isi smartlock

root

isi smb

ISI_PRIV_SMB

isi snapshot

ISI_PRIV_SNAPSHOT

isi snmp

ISI_PRIV_SNMP

isi stat

ISI_PRIV_STATISTICS

isi statistics

ISI_PRIV_STATISTICS

isi status

ISI_PRIV_STATISTICS

isi storagepool

ISI_PRIV_SMARTPOOLS

isi sync

ISI_PRIV_SYNCIQ

isi tape

ISI_PRIV_NDMP

isi target

ISI_PRIV_ISCSI

isi update

root

isi version

ISI_PRIV_CLUSTER

isi worm

root

isi zone

ISI_PRIV_AUTH

Table 2 CLI commands sorted by privilege

Privilege

isi commands

Requires sudo

ISI_PRIV_ANTIVIRUS

isi avscan

ISI_PRIV_AUDIT

isi audit

ISI_PRIV_AUTH

isi auth - excluding isi

auth role

isi zone

isi email

isi version

ISI_PRIV_CLUSTER

Command-line interface privileges

43

Introduction to the OneFS command-line interface

Table 2 CLI commands sorted by privilege (continued)

Privilege

isi commands

ISI_PRIV_DEVICES

isi devices

isi servicelight

isi alert

isi events

ISI_PRIV_EVENT

ISI_PRIV_FTP

isi ftp

ISI_PRIV_ISCSI

isi iscsi

isi lun

isi target

isi job

isi dedupe - excluding

isi dedupe stats

ISI_PRIV_JOB_ENGINE

44

Requires sudo
x

x
x

ISI_PRIV_LICENSE

isi license

ISI_PRIV_NDMP

isi ndmp

isi tape

ISI_PRIV_NETWORK

isi networks

ISI_PRIV_NFS

isi nfs

ISI_PRIV_QUOTA

isi quota

ISI_PRIV_ROLE

isi auth role

ISI_PRIV_REMOTE_SUPPORT

isi remotesupport

ISI_PRIV_SMARTPOOLS

isi filepool

isi storagepool

ISI_PRIV_SMB

isi smb

ISI_PRIV_SNAPSHOT

isi snapshot

ISI_PRIV_SNMP

isi snmp

ISI_PRIV_STATISTICS

isi batterystatus

isi dedupe stats

isi perfstat

isi stat

isi statistics

isi status

ISI_PRIV_SYNCIQ

isi sync

root

isi config

isi domain

OneFS 7.2.0 CLI Administration Guide

x
x

Introduction to the OneFS command-line interface

Table 2 CLI commands sorted by privilege (continued)

Privilege

isi commands
l

isi exttools

isi fc

isi firmware

isi get

isi hdfs

isi pkg

isi readonly

isi services

isi set

isi smartlock

isi update

isi worm

Requires sudo

SmartLock compliance command permissions

If a cluster is running in SmartLock compliance mode, root access is disabled on the
cluster. Because of this, if a command requires root access, you can run the command
only through the sudo program.
In compliance mode, you can run all isi commands that are followed by a space through
sudo. For example, you can run isi sync policies create through sudo. In
addition, you can also run the following isi_ commands through sudo; these
commands are internal and are typically run only by Isilon Technical Support:
l

isi_bootdisk_finish

isi_bootdisk_provider_dev

isi_bootdisk_status

isi_bootdisk_unlock

isi_checkjournal

isi_clean_idmap

isi_client_stats

isi_cpr

isi_cto_update

isi_disk_firmware_reboot

isi_dmi_info

isi_dmilog

isi_dongle_sync

isi_drivenum

isi_dsp_install
SmartLock compliance command permissions

45

Introduction to the OneFS command-line interface

46

isi_dumpjournal

isi_eth_mixer_d

isi_evaluate_provision_drive

isi_fcb_vpd_tool

isi_flexnet_info

isi_flush

isi_for_array

isi_fputil

isi_gather_info

isi_gather_auth_info

isi_gather_cluster_info

isi_gconfig

isi_get_itrace

isi_get_profile

isi_hangdump

isi_hw_check

isi_hw_status

isi_ib_bug_info

isi_ib_fw

isi_ib_info

isi_ilog

isi_imdd_status

isi_inventory_tool

isi_ipmicmc

isi_job_d

isi_kill_busy

isi_km_diag

isi_lid_d

isi_linmap_mod

isi_logstore

isi_lsiexputil

isi_make_abr

isi_mcp

isi_mps_fw_status

isi_netlogger

isi_nodes

isi_ntp_config

isi_ovt_check

isi_patch_d

isi_promptsupport

OneFS 7.2.0 CLI Administration Guide

Introduction to the OneFS command-line interface

isi_radish

isi_rbm_ping

isi_repstate_mod

isi_restill

isi_rnvutil

isi_sasphymon

isi_save_itrace

isi_savecore

isi_sed

isi_send_abr

isi_smbios

isi_stats_tool

isi_transform_tool

isi_ufp

isi_umount_ifs

isi_update_cto

isi_update_serialno

isi_vitutil

isi_vol_copy

isi_vol_copy_vnx

In addition to isi commands, you can run the following UNIX commands through sudo:
l

date

gcore

ifconfig

kill

killall

nfsstat

ntpdate

nvmecontrol

pciconf

pkill

ps

renice

shutdown

sysctl

tcpdump

top

SmartLock compliance command permissions

47

Introduction to the OneFS command-line interface

OneFS time values

OneFS uses different values for time depending on the application.
You can specify time periods, such as a month, for multiple OneFS applications. However,
because some time values have more than one meaning, OneFS defines time values
based on the application. The following table describes the time values for OneFS
applications:
Module

48

Month

Year

SnapshotIQ 30 days

365 days (does not account for leap year)

SmartLock

31 days

365 days (does not account for leap year)

SyncIQ

30 days

365 days (does not account for leap year)

OneFS 7.2.0 CLI Administration Guide

CHAPTER 4
General cluster administration

This section contains the following topics:

l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l

General cluster administration overview................................................................50

User interfaces...................................................................................................... 50
Connecting to the cluster.......................................................................................51
Licensing...............................................................................................................51
Certificates............................................................................................................56
Cluster identity......................................................................................................58
Cluster contact information................................................................................... 59
Cluster date and time............................................................................................ 60
SMTP email settings.............................................................................................. 61
Configuring the cluster join mode..........................................................................62
File system settings...............................................................................................63
Cluster monitoring.................................................................................................64
Monitoring cluster hardware..................................................................................65
Events and notifications........................................................................................ 72
Cluster maintenance............................................................................................. 82
Remote support.....................................................................................................90
Cluster administration commands.........................................................................95
Event commands.................................................................................................149
Hardware commands.......................................................................................... 156

General cluster administration

49

General cluster administration

General cluster administration overview

You can manage general OneFS settings and module licenses for the EMC Isilon cluster.
General cluster administration covers several areas. You can manage general settings
such as cluster name, date and time, and email. You can monitor the cluster status and
performance, including hardware components. You can configure how events and
notifications are handled, and you can perform cluster maintenance such as adding,
removing, and restarting nodes.
Most management tasks are accomplished through both the web administration or
command-line interface; however, you will occasionally encounter a task that can only be
managed by one or the other.

User interfaces
OneFS provides several interfaces for managing the EMC Isilon cluster.

50

Interface

Description

Comment

OneFS web
administration
interface

The browser-based OneFS web administration The OneFS web

interface provides secure access with OneFS- administration interface uses
supported browsers. Use this interface to view port 8080 as its default port.
robust graphical monitoring displays and to
perform cluster-management tasks.

OneFS command- Run OneFS isi commands in the commandline interface

line interface to configure, monitor, and
manage the cluster. Access to the commandline interface is through a secure shell (SSH)
connection to any node in the cluster.

The OneFS command-line

interface provides an
extended standard UNIX
command set for managing
the cluster.

OneFS API

The OneFS application programming interface

(API) is divided into two functional areas: one
area enables cluster configuration,
management, and monitoring functionality,
and the other area enables operations on files
and directories on the cluster. You can send
requests to the OneFS API through a
Representational State Transfer (REST)
interface, which is accessed through resource
URIs and standard HTTP methods.

You should have a solid

understanding of HTTP/1.1
and experience writing HTTPbased client software before
you implement client-based
software through the OneFS
API.

Node front panel

With the exception of accelerator nodes, the

front panel of each node contains an LCD
screen with five buttons that you can use to
monitor node and cluster details.

Node status, events, cluster

details, capacity, IP and MAC
addresses, throughput, and
drive status are available
through the node front panel.

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Connecting to the cluster

EMC Isilon cluster access is provided through the web administration interface or through
SSH. You can use a serial connection to perform cluster-administration tasks through the
command-line interface.
You can also access the cluster through the node front panel to accomplish a subset of
cluster-management tasks. For information about connecting to the node front panel, see
the installation documentation for your node.

Log in to the web administration interface

You can monitor and manage your EMC Isilon cluster from the browser-based web
administration interface.
Procedure
1. Open a browser window and type the URL for your cluster in the address field,
replacing <yourNodeIPaddress> in the following example with the first IP address you
provided when you configured ext-1:
https://<yourNodeIPaddress>:8080
The system displays a message if your security certificates have not been configured.
Resolve any certificate configurations and continue to the web site.
2. Log in to OneFS by typing your OneFS credentials in the Username and Password
fields.
After you log into the web administration interface, there is a 4-hour login timeout and
a 24-hour session inactivity timeout.

Open an SSH connection to a cluster

You can use any SSH client such as OpenSSH or PuTTY to connect to an EMC Isilon
cluster.
Before you begin
You must have valid OneFS credentials to log in to a cluster after the connection is open.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster, using the IP address
of the node and port number 22.
2. Log in with your OneFS credentials.
At the OneFS command line prompt, you can use isi commands to monitor and
manage your cluster.

Licensing
Advanced cluster features are available when you activate licenses for OneFS software
modules. Each optional OneFS software module requires you to activate a separate
license.
For more information about the following optional software modules, contact your EMC
Isilon sales representative.
l

HDFS
Connecting to the cluster

51

General cluster administration

InsightIQ

Isilon for vCenter

SmartConnect Advanced

SmartDedupe

SmartLock

SmartPools

SmartQuotas

SnapshotIQ

SyncIQ

License status
The status of a OneFS module license indicates whether the functionality provided by a
module is available on the cluster.
Licenses exist in one of the following states:
Status

Description

Inactive

The license has not been activated on the cluster. You cannot access the features
provided by the corresponding module.

Evaluation The license has been temporarily activated on the cluster. You can access the
features provided by the corresponding module for a limited period of time. After the
license expires, the features become unavailable unless the license is reactivated.
Activated

The license has been activated on the cluster. You can access the features provided
by the corresponding module.

Expired

The evaluation license has expired on the cluster. You can no longer access the
features provided by the corresponding module. The features will remain unavailable
unless you reactivate the license.

The following table describes what functionality is available for each license depending
on the license's status:

52

License

Inactive

Evaluation/
Activated

Expired

HDFS

Clients cannot
access the cluster
through HDFS.

You can configure

HDFS settings and
clients can access
the cluster through
HDFS.

You cannot configure HDFS

settings. After the HDFS
service restarts, clients can
no longer access the cluster
through HDFS.

InsightIQ

You cannot monitor

the cluster with
InsightIQ.

You can monitor the

cluster with
InsightIQ.

InsightIQ stops monitoring

the cluster. Data previously
collected by InsightIQ is still
available on the InsightIQ
instance.

Isilon for vCenter

You cannot back up You can back up

You cannot create new
virtual machines that virtual machines that backups of virtual machines
are stored on an
are stored on an

OneFS 7.2.0 CLI Administration Guide

General cluster administration

License

Inactive

Evaluation/
Activated

Expired

Isilon cluster with

Isilon for vCenter.

Isilon cluster with

Isilon for vCenter.

that are stored on an Isilon

cluster.

SmartPools

All files belong to the

default file pool and
are governed by the
default file pool
policy. Virtual hot
spare allocation,
which reserves
space for data repair
if a drive fails, is also
available.

You can create

multiple file pools
and file pool
policies. You can
also manage
spillover, which
defines how write
operations are
handled when a
storage pool is not
writable.

You can no longer manage

file pool policies, and the
SmartPools job will no
longer run. Newly added
files will be governed by the
default file pool policy, and
the SetProtectPlus job will
eventually apply the default
file pool policy to all files in
the cluster.
If the SmartPools job is
running when the license
expires, the job completes
before becoming disabled.

SmartConnect
Advanced

Client connections
are balanced by
using a round robin
policy. IP address
allocation is static.
Each external
network subnet can
be assigned only
one IP address pool.

You can access

You can no longer specify
features such as CPU SmartConnect Advanced
utilization,
settings.
connection counting,
and client
connection policies
in addition to the
round robin policy.
You can also
configure address
pools to support
multiple DNS zones
within a single
subnet, and support
IP failover.

SmartDedupe

You cannot
deduplicate data
with SmartDedupe.

You can deduplicate

data with
SmartDedupe.

You can no longer

deduplicate data. Previously
deduplicated data remains
deduplicated.

SmartLock

You cannot enforce

file retention with
SmartLock.

You can enforce file

retention with
SmartLock.

You cannot create new

SmartLock directories or
modify SmartLock directory
configuration settings for
existing directories.
You can still commit files to
a write once read many
(WORM) state, even after the
SmartLock license is
unconfigured, but you
cannot delete WORMcommitted files from
enterprise directories.

License status

53

General cluster administration

License

Inactive

Evaluation/
Activated

Expired

SnapshotIQ

You can view and

manage snapshots
generated by OneFS
applications.
However, you cannot
create snapshots or
configure
SnapshotIQ settings.

You can create, view,

and manage
snapshots. You can
also configure
snapshot settings.

You will no longer be able to

generate snapshots.
Existing snapshot schedules
are not deleted; however,
the schedules will not
generate snapshots.
You can still delete
snapshots and access
snapshot data.

SmartQuotas

You cannot create

quotas with
SmartQuotas.

You can create

quotas with
SmartQuotas.

OneFS disables all quotas.

Exceeding advisory and soft
thresholds does not trigger
events. Hard and soft
thresholds are not enforced.

SyncIQ

You cannot replicate

data with SyncIQ.

You can replicate

data with SyncIQ

You will no longer be able to

replicate data to remote
clusters, and remote
clusters will not be able to
replicate data to the local
cluster. Replication policies
will still display a status of
enabled; however, future
replication jobs created by
the policy will fail.
If a replication job is in
progress when the license
expires, the job completes.

License configuration
You can configure or unconfigure some OneFS module licenses.
You can configure a license by performing specific operations through the corresponding
module. Not all actions that require you to activate a license will configure the license.
Also, not all licenses can be configured. Configuring a license does not add or remove
access to any features provided by a module.
You can unconfigure a license only through the isi license unconfigure
command. You may want to unconfigure a license for a OneFS software module if, for
example, you enabled an evaluation version of a module but later decided not to
purchase a permanent license. Unconfiguring a module license does not deactivate the
license. Unconfiguring a license does not add or remove access to any features provided
by a module.
The following table describes both the actions that cause each license to be configured
and the results of unconfiguring each license:

54

License

Cause of configuring

Result of unconfiguring

HDFS

Cannot configure this license.

No system impact.

InsightIQ

Cannot configure this license.

No system impact.

OneFS 7.2.0 CLI Administration Guide

General cluster administration

License

Cause of configuring

Isilon for vCenter Cannot configure this license.

Result of unconfiguring
No system impact.

SmartPools

Create a file pool policy (other than the OneFS deletes all file pool policies
default file pool policy).
(except the default file pool policy).

SmartConnect

Configure SmartConnect Advanced

settings for at least one IP address
pool.

OneFS converts dynamic IP address

pools to static IP address pools.

SmartDedupe

Cannot configure this license.

No system impact.

SmartLock

Cannot configure this license.

No system impact.

SnapshotIQ

Create a snapshot schedule.

Deletes all snapshot schedules.

SmartQuotas

Create a quota.

No system impact.

SyncIQ

Create a replication policy.

No system impact.

Activate a license through the command-line interface

You can activate licenses to access optional OneFS modules, which provide advanced
cluster features.
Before you begin
Before you can activate a license, you must obtain a valid license key, and you must have
root user privileges on your cluster. To obtain a license key, contact your EMC Isilon sales
representative.
Procedure
1. Run the isi license activate command.
The following command activates a license:
isi license activate 1UL9A83P1209Q378C12M0938

View license information

You can view information about the current status of any optional Isilon software
modules.
Procedure
1. Run the following command:
isi license status

Unconfigure a license
You can unconfigure a licensed module through the command-line interface.
You must have root user privileges on your Isilon cluster to unconfigure a module license.
This procedure is available only through the command-line interface (CLI).
Note

Unconfiguring a license does not deactivate the license.

Activate a license through the command-line interface

55

General cluster administration

Procedure
1. Open a secure shell (SSH) connection to any node in the cluster.
You must log in as root.
2. Run the isi license unconfigure command.
The following command unconfigures the license for SmartConnect:
isi license unconfigure -m smartconnect

If you do not know the module name, run the isi license command for a list of
OneFS modules and their status.
OnesFS returns a confirmation message similar to the following text: The
SmartConnect module has been unconfigured. The license is
unconfigured, and any processes enabled for the module are disabled.

Certificates
You can renew the Secure Sockets Layer (SSL) certificate for the Isilon web administration
interface or replace it with a third-party SSL certificate.
All Platform API communication, which includes communication through the web
administration interface, is over SSL. You can replace or renew the self-signed certificate
with a certificate that you generate. To replace or renew an SSL certificate, you must be
logged in as root.

Replace or renew the SSL certificate

You can replace or renew the Secure Sockets Layer (SSL) certificate, which is used to
access the EMC Isilon cluster through a browser.
Before you begin
When you renew or replace a self-signed SSL certificate, you must provide information for
your organization in the format that is described in the Self-signed SSL certificate data
example.
The following folders are the default locations for the server.crt and server.key
files in OneFS 6.0 and higher.
l

SSL certificate: /usr/local/apache2/conf/ssl.crt/server.crt

SSL certificate key: /usr/local/apache2/conf/ssl.key/server.key

Procedure
1. Establish an SSH connection to any node in the cluster.
2. At the command prompt, run the following command to create the appropriate
directory.
mkdir /ifs/local/

3. At the command prompt, run the following command to change to the directory.
cd /ifs/local/

56

OneFS 7.2.0 CLI Administration Guide

General cluster administration

4. Choose the type of certificate you want to install.

Option

Description

Third-party
(public or
private) CAissued
certificate

a. At the command prompt, run the following command to

generate a new Certificate Signing Request (CSR) in addition to
a new key, where <common_name> is the host name, such as
isilon.example.com:
openssl req -new -nodes -newkey rsa:1024 -keyout
<common name>.key \
-out <common-name>.csr

b. Send the contents of the <common_name>.csr file from the

cluster to your Certificate Authority (CA) for signing. When you
receive the signed certificate (now a .crt file) from the CA,
copy the certificate to /ifs/local/<common-name>.crt.
Self-signed
a. At the command prompt, run the following command to create
certificate
a two-year certificate. Increase or decrease the value for -days
based on the
to generate a certificate with a different expiration date.
existing (stock)
ssl.key
cp /usr/local/apache2/conf/ssl.key/server.key ./openssl

req -new \/
-days 730 -nodes -x509 -key server.key -out server.crt

A renewal certificate is created, based on the existing (stock) ssl.key file.

5. (Optional) At the command prompt, run the following command to verify the attributes
in an SSL certificate.
openssl x509 -text -noout -in <common-name>.crt

6. Run the following commands to install the certificate and key:

isi services -a isi_webui disable
chmod 640 <common name>.key
isi_for_array -s 'cp /ifs/local/<common-name>.key /usr/local/
apache2/conf/ssl.key/server.key'
isi_for_array -s 'cp /ifs/local/<common-name>.crt /usr/local/
apache2/conf/ssl.crt/server.crt'
isi services -a isi_webui enable

7. Run the following command to remove the files in /ifs/local.

rm /ifs/local/*

Verify an SSL certificate update

You can verify the details stored in a Secure Sockets Layer (SSL) certificate.
Procedure
1. Establish an SSH connection to any node in the cluster.

Verify an SSL certificate update

57

General cluster administration

2. At the command prompt, run the following command to open and verify the attributes
in an SSL certificate.
echo QUIT | openssl s_client -connect localhost:8080

Self-signed SSL certificate data example

Self-signed SSL certificate renewal or replacement requires you to provide data such as
your fully qualified domain name and a contact email address.
When you renew or replace a self-signed SSL certificate, you are asked to provide data in
the format shown in the following example. Some fields in the certificate file contain a
default value. If you type '.', the field is left blank when the certificate is generated.
l

Country Name (2 letter code) [XX]:US

State or Province Name (full name) [Some-State]:Washington

Locality Name (for example, city) [default city]:Seattle

Organization Name (for example, company) [Internet Widgits Pty Ltd]:Isilon

Organizational Unit Name (for example, section) []:Support

Common Name (for example, server FQDN or server name) []:isilon.example.com

Email Address []:[email protected]

In addition, you should add the following attributes to be sent with your certificate
request:
l

Challenge password []:Isilon1

Optional company name []:

Cluster identity
You can specify identity attributes for the EMC Isilon cluster.
Cluster name
The cluster name appears on the login page, and it makes the cluster and its nodes
more easily recognizable on your network. Each node in the cluster is identified by
the cluster name plus the node number. For example, the first node in a cluster
named Images may be named Images-1.
Cluster description
The cluster description appears below the cluster name on the login page. The
cluster description is useful if your environment has multiple clusters.
Login message
The login message appears as a separate box on the login page. The login message
can convey cluster information, login instructions, or warnings that a user should
know before logging into the cluster.

Set the cluster name

You can assign a name and add a login message to your EMC Isilon cluster to make the
cluster and its nodes more easily recognizable on your network.
Cluster names must begin with a letter and can contain only numbers, letters, and
hyphens. The cluster name is added to the node number to identify each node in the
cluster. For example, the first node in a cluster named Images may be named Images-1.
58

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Procedure
1. Open the isi config command prompt by running the following command:
isi config

2. Run the name command.

The following command sets the name of the cluster to NewName:
name NewName

3. Save your changes by running the following command:

commit

Cluster contact information

Isilon Technical Support personnel and event notification recipients will communicate
with the specified contacts.
You can specify the following contact information for your EMC Isilon cluster:
l

Company name and location

Primary and secondary contact names

Phone number and email address for each contact

Specify contact information

You can specify contact information so that Isilon Technical Support personnel and event
notification recipients can contact you.
SupportIQ is the contact mechanism and must be enabled in order to specify contact
information. Please enter company name
Procedure
1. Enable SupportIQ by running the following command:
isi_promptsupport -e

The system displays the following message:

Would you like to enable SupportIQ? [yes]

2. Type yes and then press ENTER.

The system displays the following message:
Please enter company name:

3. Type your company name and then press ENTER.

The system displays the following message:
Please enter contact name:

4. Type your contact name and then press ENTER.

Cluster contact information

59

General cluster administration

The system displays the following message:

Please enter contact phone:

5. Type your contact phone and then press ENTER.

The system displays the following message:
Please enter contact email:

6. Type your contact email address and then press ENTER.

Cluster date and time

The Network Time Protocol (NTP) service is configurable manually, so you can ensure that
all nodes in a cluster are synchronized to the same time source.
The NTP method automatically synchronizes cluster date and time settings through an
NTP server. Alternatively, you can set the date and time reported by the cluster by
manually configuring the service.
Windows domains provide a mechanism to synchronize members of the domain to a
master clock running on the domain controllers, so OneFS adjusts the cluster time to that
of Active Directory with a service. If there are no external NTP servers configured, OneFS
uses the Windows domain controller as the NTP time server. When the cluster and
domain time become out of sync by more than 4 minutes, OneFS generates an event
notification.
Note

If the cluster and Active Directory become out of sync by more than 5 minutes,
authentication will not work.

Set the cluster date and time

You can set the date, time, and time zone that is used by the EMC Isilon cluster.
Procedure
1. Run the isi config command.
The command-line prompt changes to indicate that you are in the isi config
subsystem.
2. Specify the current date and time by running the date command.
The following command sets the cluster time to 9:47 AM on July 22, 2015:
date 2015/07/22 09:47:00

3. To verify your time zone setting, run the timezone command. The current time zone
setting displays. For example:
The current time zone is:

Pacific Time Zone

4. To view a list of valid time zones, run the help timezone command. The following
options display:
Greenwich Mean Time
Eastern Time Zone
Central Time Zone
Mountain Time Zone
Pacific Time Zone
60

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Arizona
Alaska
Hawaii
Japan
Advanced

5. To change the time zone, enter the timezone command followed by one of the
displayed options.
The following command changes the time zone to Hawaii:
timezone Hawaii

A message confirming the new time zone setting displays. If your desired time zone
did not display when you ran the help timezone command, enter timezone
Advanced. After a warning screen, you will proceed to a list of regions. When you
select a region, a list of specific time zones for that region appears. Select the desired
time zone (you may need to scroll), then enter OK or Cancel until you return to the
isi config prompt.
6. Run the commit command to save your changes and exit isi config.

Specify an NTP time server

You can specify one or more Network Time Protocol (NTP) servers to synchronize the
system time on the EMC Isilon cluster. The cluster periodically contacts the NTP servers
and sets the date and time based on the information it receives.
Procedure
1. Run the isi_ntp_config command.
The following command specifies ntp.time.server1.com:
isi_ntp_config add server ntp.time.server1.com

SMTP email settings

If your network environment requires the use of an SMTP server or if you want to route
EMC Isilon cluster event notifications with SMTP through a port, you can configure SMTP
email settings.
SMTP settings include the SMTP relay address and port number that email is routed
through. You can specify an origination email and subject line for all event notification
emails sent from the cluster.
If your SMTP server is configured to support authentication, you can specify a username
and password. You can also specify whether to apply encryption to the connection.

Configure SMTP email settings

You can send event notifications through the SMTP mail server. You can also enable
SMTP authentication if your SMTP server is configured to use it.
You can configure SMTP email settings if your network environment requires the use of an
SMTP server or if you want to route EMC Isilon cluster event notifications with SMTP
through a port.
Procedure
1. Run the isi email command.
Specify an NTP time server

61

General cluster administration

The following example configures SMTP email settings:

isi email --mail-relay 10.7.180.45 \
--mail-sender [email protected] \
--mail-subject "Isilon cluster event" --use-smtp-auth yes \
--auth-user SMTPuser --auth-pass Password123 --use-encryption yes

View SMTP email settings

You can view SMTP email settings.
Procedure
1. Run the following command:
isi email list

The system displays information similar to the following example:

SMTP relay address:
SMTP relay port:
Send email as:
Subject:
Use SMTP AUTH:
Uername:
Password:
Use Encryption (TLS):

25

No
********
No

Configuring the cluster join mode

The join mode specifies how a node is added to the EMC Isilon cluster and whether
authentication is required. OneFS supports manual and secure join modes for adding
nodes to the EMC Isilon cluster.
Mode

Description

Manual Allows you to manually add a node to the cluster without requiring authorization.
Secure

Requires authorization of every node added to the cluster and the node must be added
through the web administration interface or through the isi devices -a add -d
<unconfigured_node_serial_no> command in the command-line interface.
Note

If you specify a secure join mode, you cannot join a node to the cluster through serial
console wizard option [2] Join an existing cluster.

Specify the cluster join mode

You can specify the method to use when nodes are added to the EMC Isilon cluster.
Procedure
1. Open the isi config command prompt by running the following command:
isi config

62

OneFS 7.2.0 CLI Administration Guide

General cluster administration

2. Run the joinmode command.

The following command prevents nodes from joining the cluster unless the join is
initiated by the cluster:
joinmode secure

3. Save your changes by running the following command:

commit

File system settings

You can configure global file system settings on an EMC Isilon cluster pertaining to
access time tracking and character encoding.
You can enable or disable access time tracking, which monitors the time of access on
each file. If necessary, you can also change the default character encoding on the cluster.

Specify the cluster character encoding

You can modify the character encoding set for the EMC Isilon cluster after installation.
Only OneFS-supported character sets are available for selection. UTF-8 is the default
character set for OneFS nodes.
Note

If the cluster character encoding is not set to UTF-8, SMB share names are case-sensitive.
You must restart the cluster to apply character encoding changes.
CAUTION

Character encoding is typically established during installation of the cluster. Modifying

the character encoding setting after installation may render files unreadable if done
incorrectly. Modify settings only if necessary after consultation with Isilon Technical
Support
Procedure
1. Run the isi config command.
The command-line prompt changes to indicate that you are in the isi config
subsystem.
2. Modify the character encoding by running the encoding command.
The following command sets the encoding for the cluster to ISO-8859-1:
encoding ISO-8859-1

3. Run the commit command to save your changes and exit the isi config
subsystem.
4. Restart the cluster to apply character encoding modifications.

File system settings

63

General cluster administration

Enable or disable access time tracking

You can enable access time tracking to support features that require it.
By default, the EMC Isilon cluster does not track the timestamp when files are accessed.
You can enable this feature to support OneFS features that use it. For example, accesstime tracking must be enabled to configure SyncIQ policy criteria that match files based
on when they were last accessed.
Note

Enabling access-time tracking may affect cluster performance.

Procedure
1. Enable or disable access time tracking by setting the atime_enabled system control.
l

To enable access time tracking, run the following command:

sysctl efs.bam.atime_enabled=1

To disable access time tracking, run the following command:

sysctl efs.bam.atime_enabled=0

2. To specify how often to update the last-accessed time, set the atime_grace_period
system control.
Specify the amount of time as a number of seconds.
The following command configures OneFS to update the last-accessed time every two
weeks:
sysctl efs.bam.atime_grace_period=1209600

Cluster monitoring
You can view health and status information for the EMC Isilon cluster and monitor cluster
and node performance.
Run the isi status command to review the following information:
l

Cluster, node, and drive health

Storage data such as size and amount used

IP addresses

Throughput

Critical events

Job status

Additional commands are available to review performance information for the following
areas:

64

General cluster statistics

Statistics by protocol or by clients connected to the cluster

Performance data by drive

Historical performance data

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Advanced performance monitoring and analytics are available through the InsightIQ
module, which requires you to activate a separate license. For more information about
optional software modules, contact your EMC Isilon sales representative.

Monitor the cluster

You can monitor the health and performance of a cluster with charts and tables.
Procedure
1. Run the following command:
isi status

View node status

You can view the status of a node.
Procedure
1. (Optional) Run the isi status command:
The following command displays information about a node with a logical node
number (LNN) of 1:
isi status -n 1

Monitoring cluster hardware

You can manually check the status of hardware on the EMC Isilon cluster as well as
enable SNMP to remotely monitor components.

View node hardware status

You can view the hardware status of a node.
Procedure
1. Click Dashboard > Cluster Overview > Cluster Status.
2. (Optional) In the Status area, click the ID number for a node.
3. In the Chassis and drive status area, click Platform.

Chassis and drive states

You can view chassis and drive state details.
In a cluster, the combination of nodes in different degraded states determines whether
read requests, write requests, or both work. A cluster can lose write quorum but keep
read quorum. OneFS provides details about the status of chassis and drives in your
cluster. The following table describes all the possible states that you may encounter in
your cluster.
State

Description

Interface

HEALTHY

All drives in the node are functioning

correctly.

Command-line
interface, web

Monitor the cluster

Error
state

65

General cluster administration

State

Description

Interface

Error
state

administration
interface

SMARTFAIL or
Smartfail or
restripe in
progress

The drive is in the process of being

removed safely from the file system,
either because of an I/O error or by
user request. Nodes or drives in a
smartfail or read-only state affect only
write quorum.

Command-line
interface, web
administration
interface

NOT AVAILABLE

A drive is unavailable for a variety of

reasons. You can click the bay to view
detailed information about this
condition.

Command-line
interface, web
administration
interface

Note

In the web administration interface,

this state includes the ERASE and

SED_ERROR command-line
interface states.

66

SUSPENDED

This state indicates that drive activity

is temporarily suspended and the
drive is not in use. The state is
manually initiated and does not occur
during normal cluster activity.

Command-line
interface, web
administration
interface

NOT IN USE

A node in an offline state affects both

read and write quorum.

Command-line
interface, web
administration
interface

REPLACE

The drive was smartfailed successfully Command-line

and is ready to be replaced.
interface only

STALLED

The drive is stalled and undergoing

Command-line
stall evaluation. Stall evaluation is the interface only
process of checking drives that are
slow or having other issues.
Depending on the outcome of the
evaluation, the drive may return to
service or be smartfailed. This is a
transient state.

NEW

The drive is new and blank. This is the Command-line

state that a drive is in when you run
interface only
the isi dev command with the -a
add option.

USED

The drive was added and contained

Command-line
an Isilon GUID but the drive is not
interface only
from this node. This drive likely will be
formatted into the cluster.

OneFS 7.2.0 CLI Administration Guide

General cluster administration

State

Description

Interface

PREPARING

The drive is undergoing a format

operation. The drive state changes to
HEALTHY when the format is
successful.

Command-line
interface only

EMPTY

No drive is in this bay.

Command-line
interface only

WRONG_TYPE

The drive type is wrong for this node. Command-line

For example, a non-SED drive in a SED interface only
node, SAS instead of the expected
SATA drive type.

BOOT_DRIVE

Unique to the A100 drive, which has

boot drives in its bays.

Command-line
interface only

SED_ERROR

The drive cannot be acknowledged by

the OneFS system.

Command-line
interface, web
administration
interface

Note

Error
state

In the web administration interface,

this state is included in Not

available.
ERASE

The drive is ready for removal but

needs your attention because the
data has not been erased. You can
erase the drive manually to guarantee
that data is removed.

Command-line
interface only

Note

In the web administration interface,

this state is included in Not

available.
INSECURE

Data on the self-encrypted drive is

accessible by unauthorized
personnel. Self-encrypting drives
should never be used for nonencrypted data purposes.

Command-line
interface only

Web
administration
interface only

Note

In the web administration interface,

this state is labeled Unencrypted

SED.
UNENCRYPTED SED

Data on the self-encrypted drive is

accessible by unauthorized
personnel. Self-encrypting drives
should never be used for nonencrypted data purposes.

Chassis and drive states

67

General cluster administration

State

Description

Interface

Error
state

Note

In the command-line interface, this

state is labeled INSECURE.

Check battery status

You can monitor the status of NVRAM batteries and charging systems.
This functionality is available only from the command line on node hardware that
supports the command.
Procedure
1. Run the isi batterystatus command to view the status of all NVRAM batteries
and charging systems on the node.
The system displays output similar to the following example:
battery 1 : Good
battery 2 : Good

SNMP monitoring
You can use SNMP to remotely monitor the EMC Isilon cluster hardware components,
such as fans, hardware sensors, power supplies, and disks. The default Linux SNMP tools
or a GUI-based SNMP tool of your choice can be used for this purpose.
You can enable SNMP monitoring on individual nodes on your cluster, and you can also
monitor cluster information from any node. Generated SNMP traps are sent to your SNMP
network. You can configure an event notification rule that specifies the network station
where you want to send SNMP traps for specific events, so that when an event occurs, the
cluster sends the trap to that server. OneFS supports SNMP in read-only mode. OneFS
supports SNMP version 2c, which is the default value, and SNMP version 3.
Note

OneFS does not support SNMP v1. Although an option for v1/v2c may be displayed, if you
select the v1/v2c pair, OneFS will only monitor through SNMP v2c.
You can configure settings for SNMP v3 alone or for both SNMP v2c and v3.
Note

If you configure SNMP v3, OneFS requires the SNMP-specific security level of AuthNoPriv
as the default value when querying the cluster. The security level AuthPriv is not
supported.
Elements in an SNMP hierarchy are arranged in a tree structure, similar to a directory tree.
As with directories, identifiers move from general to specific as the string progresses from
left to right. Unlike a file hierarchy, however, each element is not only named, but also
numbered.
For example, the SNMP
entity .iso.org.dod.internet.private.enterprises.isilon.oneFSss.s
68

OneFS 7.2.0 CLI Administration Guide

General cluster administration

sLocalNodeId.0 maps to .1.3.6.1.4.1.12124.3.2.0. The part of the name that

refers to the OneFS SNMP namespace is the 12124 element. Anything further to the right
of that number is related to OneFS-specific monitoring.
Management Information Base (MIB) documents define human-readable names for
managed objects and specify their data types and other properties. You can download
MIBs that are created for SNMP-monitoring of an Isilon cluster from the webadministration interface or manage them using the command-line interface. MIBs are
stored in /usr/local/share/snmp/mibs/ on a OneFS node. The OneFS ISILONMIBs serve two purposes:
l

Augment the information available in standard MIBs

Provide OneFS-specific information that is unavailable in standard MIBs

ISILON-MIB is a registered enterprise MIB. Isilon clusters have two separate MIBs:
ISILON-MIB
Defines a group of SNMP agents that respond to queries from a network monitoring
system (NMS) called OneFS Statistics Snapshot agents. As the name implies, these
agents snapshot the state of the OneFS file system at the time that it receives a
request and reports this information back to the NMS.
ISILON-TRAP-MIB
Generates SNMP traps to send to an SNMP monitoring station when the
circumstances occur that are defined in the trap protocol data units (PDUs).
The OneFS MIB files map the OneFS-specific object IDs with descriptions. Download or
copy MIB files to a directory where your SNMP tool can find them, such as /usr/share/
snmp/mibs/ or /usr/local/share/snmp/mibs, depending on the tool that you
use.
To enable Net-SNMP tools to read the MIBs to provide automatic name-to-OID mapping,
add -m All to the command, as in the following example:
snmpwalk -v2c -c public -m All <node IP> isilon

If the MIB files are not in the default Net-SNMP MIB directory, you may need to specify the
full path, as in the following example. Note that all three lines are a single command.
snmpwalk -m /usr/local/share/snmp/mibs/ISILON-MIB.txt:/usr/local\
/share/snmp/mibs/ISILON-TRAP-MIB.txt:/usr/local/share/snmp/mibs \
/ONEFS-TRAP-MIB.txt -v2c -C c -c public <node IP> enterprises.onefs
Note

The previous examples are run from the snmpwalk command on a cluster. Your SNMP
version may require different arguments.

Managing SNMP settings

SNMP can be used to monitor cluster hardware and system information. Settings can be
configured through either the web administration interface or the command-line
interface.
You can enable SNMP monitoring on individual nodes in the cluster, and you can monitor
information cluster-wide from any node when you enable SNMP on each node. When
using SNMP on an Isilon cluster, you should use a fixed general username. A password
for the general user can be configured in the web administration interface.
You should configure a network monitoring system (NMS) to query each node directly
through a static IP address. This approach allows you to confirm that all nodes have
SNMP monitoring

69

General cluster administration

external IP addresses and therefore respond to SNMP queries. Because the SNMP proxy
is enabled by default, the SNMP implementation on each node is configured
automatically to proxy for all other nodes in the cluster except itself. This proxy
configuration allows the Isilon Management Information Base (MIB) and standard MIBs to
be exposed seamlessly through the use of context strings for supported SNMP versions.
After you download and save the appropriate MIBs, you can configure SNMP monitoring
through either the web administration interface or though the command-line interface.

Configure SNMP settings

You can configure SNMP monitoring settings
Note

When SNMP v3 is used, OneFS requires the SNMP-specific security level of AuthNoPriv as
the default value when querying the EMC Isilon cluster. The security level AuthPriv is not
supported.
Procedure
1. Run the isi snmp command.
The following command allows access only through SNMP version 3:
isi snmp --protocols "v3"

Configure the cluster for SNMP monitoring

You can configure your EMC Isilon cluster to remotely monitor hardware components
using SNMP.
Before you begin
When SNMP v3 is used, OneFS requires the SNMP-specific security level of AuthNoPriv as
the default value when querying the cluster. The security level AuthPriv is not supported.
You can enable or disable SNMP monitoring, allow SNMP access by version, and
configure other settings, some of which are optional. All SNMP access is read-only.
Note

The Isilon cluster does not generate SNMP traps unless you configure an event
notification rule to send events.
Procedure
1. Click Cluster Management > General Settings > SNMP Monitoring.
2. In the Service area of the SNMP Monitoring page, enable or disable SNMP monitoring.
a. To disable SNMP monitoring, click Disable, and then click Submit.
b. To enable SNMP monitoring, click Enable, and then continue with the following
steps to configure your settings.
3. In the Downloads area, click Download for the MIB file that you want to download.
Follow the download process that is specific to your browser.
4. (Optional) If you are using Internet Explorer as your browser, right-click the Download
link, select Save As from the menu, and save the file to your local drive.
You can save the text in the file format that is specific to your Net-SNMP tool.

70

OneFS 7.2.0 CLI Administration Guide

General cluster administration

5. Copy MIB files to a directory where your SNMP tool can find them, such as /usr/
share/snmp/mibs/ or /usr/local/share/snmp/mibs, depending on the
SNMP tool that you use.
To have Net-SNMP tools read the MIBs to provide automatic name-to-OID mapping,
add -m All to the command, as in the following example: snmpwalk -v2c -c
public -m All <node IP> isilon
6. Navigate back to the SNMP Monitoring page and configure General Settings.
a. In the Settings area, configure protocol access by selecting the version that you
want.
OneFS does not support writable OIDs; therefore, no write-only community string
setting is available.
b. In the System location field, type the system name.
This setting is the value that the node reports when responding to queries. Type a
name that helps to identify the location of the node.
c. Type the contact email address in the System contact field.
7. (Optional) If you selected SNMP v1/v2 as your protocol, locate the SNMP v1/v2c
Settings section and type the community name in the Read-only community field.
The default community name is I$ilonpublic.
Note

OneFS no longer supports SNMP v1. Although an option for v1/v2c may be displayed,
if you select the v1/v2c pair, OneFS will only monitor through SNMP v2c.
8. Configure SNMP v3 Settings.
a. In the Read-only user field, type the SNMP v3 security name to change the name of
the user with read-only privileges.
The default read-only user is general.
The password must contain at least eight characters and no spaces.
b. In the SNMP v3 password field, type the new password for the read-only user to
set a new SNMP v3 authentication password.
The default password is password. We recommend that you change the
password to improve security.
c. Type the new password in the Confirm password field to confirm the new
password.
9. Click Submit.

View SNMP settings

You can review SNMP monitoring settings.
Procedure
1. Run the following command:
isi snmp list

SNMP monitoring

71

General cluster administration

Events and notifications

You can monitor the health and performance of your EMC Isilon cluster through OneFS
event notifications.
When OneFS identifies an occurrence on your cluster that may require additional
attention, an event is generated. OneFS records events related to file system integrity,
network connections, hardware, and other vital components of your cluster.
You can select the events that you want to monitor, and you can cancel, quiet, or unquiet
events.
In addition, you can configure event notification rules to determine who receives a
notification when an event occurs.

Coalesced events
OneFS coalesces related, group events or repeated, duplicate events into a single event.

Coalesced group events

Group events are different types of events that are all related to a single occurrence.
In the following example, a single connection issue might generate the following events:
Event

Description

100010005 A SAS PHY topology problem or change was detected.

100010006 A drive's error log counter indicates there may be a problem.
100010007 A SAS link has exceeded the maximum Bit Error Rate (BER) .
100010008 A SAS link has been disabled for exceeding the maximum Bit Error Rate (BER).

Because the events are triggered by a single occurrence, OneFS creates a group event
and combines the related messages under the new group event numbered 24.294.
Instead of seeing four events, you will see a single group event alerting you to storage
transport issues. You can still view all the grouped events individually if you choose.
To view this coalesced event, run the following command:
isi events show 24.924

The system displays the following example output of the coalesced group event:
ID:
Type:
Severity:
Value:
Message:
Node:
Lifetime:
Quieted:
Specifiers:

72

OneFS 7.2.0 CLI Administration Guide

24.924
199990001
critical
0.0
Disk Errors detected (Bay 1)
21
Sun Jun 17 23:29:29 2012 - Now
Not quieted
disk: 35
val: 0.0

General cluster administration

devid: 24
drive_serial: 'XXXXXXXXXXXXX'
lba: 1953520064L
lnn: 21
drive_type: 'HDD'
device: 'da1'
bay: 1
unit: 805306368
Coalesced by: -Coalescer Type: Group
Coalesced events:
ID
STARTED
ENDED SEV LNN MESSAGE
24.911 06/17 23:29 -- I
21 Disk stall: Bay 1, Type HDD, LNUM 35.
Disk ...
24.912 06/17 23:29 -- I
21 Sector error: da1 block 1953520064
24.913 06/17 23:29 -- I
21 Sector error: da1 block 2202232
24.914 06/17 23:29 -- I
21 Sector error: da1 block 2202120
24.915 06/17 23:29 -- I
21 Sector error: da1 block 2202104
24.916 06/17 23:29 -- I
21 Sector error: da1 block 2202616
24.917 06/17 23:29 -- I
21 Sector error: da1 block 2202168
24.918 06/17 23:29 -- I
21 Sector error: da1 block 2202106
24.919 06/17 23:29 -- I
21 Sector error: da1 block 2202105
24.920 06/17 23:29 -- I
21 Sector error: da1 block 1048670
24.921 06/17 23:29 -- I
21 Sector error: da1 block 223
24.922 06/17 23:29 -- C
21 Disk Repair Initiated: Bay 1, Type
HDD, LNUM...

Coalesced duplicate events

Duplicate events are the same message repeated in response to an ongoing issue.
In the following example, a SmartQuotas maximum threshold is repeatedly exceeded,
and the system coalesces this sequence of identical but discrete occurrences into one
event numbered 1.3035.
To view this coalesced event, run the following command:
isi events show 1.3035

The system displays the following example output of the coalesced duplicate event:
ID: 1.3035
Type: 500010001
Severity: info
Value: 0.0
Message: SmartQuotas threshold violation on quota violated,
domain direc...
Node: All
Lifetime: Thu Jun 14 01:00:00 2012 - Now
Quieted: Not quieted
Specifiers: enforcement: 'advisory'
domain: 'directory /ifs/quotas'
name: 'violated'
val: 0.0
devid: 0
lnn: 0
Coalesced by: -Coalescer Type: Duplicate
Coalesced events:
ID STARTED ENDED SEV LNN MESSAGE

Coalesced events

73

General cluster administration

18.621
vio...
18.630
vio...
18.638
vio...
18.647
vio...
18.655
vio...

06/14 01:00 -- I

All SmartQuotas threshold violation on quota

06/15 01:00 -- I

All SmartQuotas threshold violation on quota

06/16 01:00 -- I

All SmartQuotas threshold violation on quota

06/17 01:00 -- I

All SmartQuotas threshold violation on quota

06/18 01:00 -- I

All SmartQuotas threshold violation on quota

Viewing event information

You can view event details, event history, and event logs.

View a list of events

You can view a list of all events.
You can also filter event results by the following criteria:
l

Oldest events

Newest events

Historical events

Coalesced events

Severity level

Events on a specific node

Event types

Procedure
1. Run the isi events list command.
The system displays output similar to the following example:
ID
STARTED
2.2
04/24 03:53
3, 4, 5, 6, ...
1.166 04/24 03:54
expire on ...
1.167 04/24 03:54
will expir...
1.168 04/24 03:54
will expir...
2.57 04/25 17:41
'HDFS' will...
2.58 04/25 17:41
'{license}'...
1.2
05/02 16:40
3, 4, 5, 6, ...
3.1
05/02 16:50
3, 4, 5, 6, ...
1.227 04/29 20:25
1.228 04/29 20:26
1.229 04/29 22:33
1.259 05/01 00:00
2.59 04/25 17:41
'{license}'...

74

OneFS 7.2.0 CLI Administration Guide

ENDED
--

SEV LNN MESSAGE

C
2
One or more drives (bay(s)

--

All Software license 'HDFS' will

--

All Software license '{license}'

--

All Software license '{license}'

--

All Recurring: Software license

--

All Recurring: Software license

--

One or more drives (bay(s)

--

One or more drives (bay(s)

C
C
C
I
I

All
All
All
1
All

Test event sent from CLI

Test event sent from CLI
Test event sent from CLI
Monthly status
Recurring: Software license

04/29
04/29
04/29
05/01
05/02

20:25
20:26
22:33
00:00
20:17

General cluster administration

The following example command displays a list of events with a severity value of
critical:
isi events list --severity=critical

The system displays output similar to the following example:

ID
2.2
3, 4,
1.2
3, 4,
3.1
3, 4,
1.227
1.228
1.229

STARTED
04/24 03:53
5, 6, ...
05/02 16:40
5, 6, ...
05/02 16:50
5, 6, ...
04/29 20:25
04/29 20:26
04/29 22:33

ENDED
--

SEV LNN MESSAGE

C
2
One or more drives (bay(s)

--

One or more drives (bay(s)

--

One or more drives (bay(s)

04/29 20:25 C
04/29 20:26 C
04/29 22:33 C

All Test event sent from CLI

All Test event sent from CLI
All Test event sent from CLI

View event details

You can view the details of a specific event.
Procedure
1. (Optional) To identify the instance ID of the notification that you want to view, run the
following command:
isi events list

2. To view the details of a specific event, run the isi events show command and
specify the event instance ID
The following example command displays the details for the event with the instance
ID of :
isi events show --instanceid=2.57

The system displays output similar to the following example:

ID: 2.57
Type: 400070004
Severity: info
Value: 28.0
Message: Recurring: Software license 'HDFS'
May 23, 2014
Node: All
Lifetime: Fri Apr 25 17:41:34 2014 - Now
Quieted: Not quieted
Specifiers: license: 'HDFS'
val: 24
devid: 0
lnn: 0
thresh: 0.0
exp_date: 'May 23, 2014'
Coalesced by: -Coalescer Type: Repeat
Coalesced events:
ID
STARTED
ENDED SEV LNN MESSAGE
1.171 04/25 17:41 -I
All Software license
expire on May 23...
2.43 04/29 00:14 -I
All Software license
expire on May 23...
1.200 04/29 18:34 -I
All Software license

will expire on

'HDFS' will
'HDFS' will
'HDFS' will

Viewing event information

75

General cluster administration

expire on May 23...

1.232 04/30 17:00 -expire on May 23...
2.72 05/01 03:07 -expire on May 23...
2.75 05/02 16:51 -expire on May 23...

All Software license 'HDFS' will

All Software license 'HDFS' will

All Software license 'HDFS' will

View the event log

You can log in to a node through the command-line interface and view the contents of the
local event log.
Event logs are typically used for support purposes. You can only view the event log using
the command-line interface.
Procedure
1. Establish an SSH connection to any node in the EMC Isilon cluster.
2. View the /var/log/isi_celog_events.log file.
The log file lists all event activity. Each event row contains one of the following event
labels:
Event label

Description

COALESCED: FIRST EVENT

An event was tagged as a possible first event in a series of events

that can be coalesced. The first event label is a only a placeholder
for a potential parent coalescer event.

COALESCER EVENT: ADDED

A parent coalescer event was created.

COALESCED

An event was added as a child beneath a coalescer event.

CREATOR EV COALID UPDATED A group was created and the placeholder first event label was
updated to include actual group information.
DROPPED

An event did not include any new information and was not stored
in the master event database.

FORWARDED_TO_MASTER

An event was forwarded to the master node to be stored in the

master event database.

DB: STORED

An event was stored in the master event database.

DB: PURGED

An event was removed from the master event database. The

database has a limit of 50,000 entries, and old events are purged
when that limit is reached.

INVALID EVENT: DROPPED

An event contained invalid information and was not stored in the

master event database.

UPDATE EVENT: DROPPED

A request to update the group information in a parent coalescer

event was discontinued.

Responding to events
You can view event details and respond to cluster events.
You can view and manage new events, open events, and recently ended events. You can
also view coalesced events and additional, more-detailed information about a specific
event. You also can quiet or cancel events.

76

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Quieting, unquieting, and canceling events

You can change an event's state by quieting, unquieting, or canceling an event.
You can select the following actions to change the state of an event:
Quiet
Acknowledges and removes the event from the list of new events and adds the event
to a list of quieted events.
Note

If a new event of the same event type is triggered, it is a separate new event and
must be quieted.
Unquiet
Returns a quieted event to an unacknowledged state in the list of new events and
removes the event from the list of quieted events.
Cancel
Permanently ends an occurrence of an event. The system cancels an event when
conditions are met that end its duration, which is bounded by a start time and an
end time, or when you cancel the event manually.
Most events are canceled automatically by the system when the event reaches the end of
its duration. The event remains in the system until you manually acknowledge or quiet
the event. You can acknowledge events through either the web administration interface
or the command-line interface.

Quiet an event
You can acknowledge and remove an event from the event list by quieting it.
Procedure
1. (Optional) To identify the instance ID of the event that you want to quiet, run the
following command:
isi events list

2. Quiet the event by running the isi events quiet command.

The following example command quiets an event with the instance ID of 1.227:
isi events quiet --instanceid=1.227

Unquiet an event
You can return a quieted event to an unacknowledged state by unquieting the event.
Procedure
1. (Optional) To identify the instance ID of the event that you want to unquiet, run the
following command:
isi events list

2. Unquiet the event by running the isi events unquiet command.

Responding to events

77

General cluster administration

The following example command unquiets an event with the instance ID of 1.227:
isi events unquiet --instanceid=1.227

Cancel an event
You can end the occurrence of an event by canceling it.
Procedure
1. (Optional) To identify the instance ID of the event that you want to cancel, run the
following command:
isi events list

2. Cancel the event by running the isi events cancel command.

The following example command cancels an event with the instance ID of 2.59:
isi events cancel --instanceid=2.59

Managing event notification settings

You can view and modify event notification settings and configure batch notifications.

Event notification methods

You can define the method by which OneFS delivers notifications.
Email
You can send email messages to distribution lists and apply email templates to
notifications. You can also specify SMTP, authorization, and security settings.
SupportIQ
You can deliver notifications to Isilon Technical Support over HTTPS, SMTP, or both.
SNMP trap
You can send SNMP traps to one or more network monitoring stations or trap
receivers. Each event can generate one or more SNMP traps. You can download
management information base files (MIBs) from the cluster at /usr/local/
share/snmp/mibs/. The ISILON-TRAP-MIB.txt file describes the traps that
the cluster can generate, and the ISILON-MIB.txt file describes the associated
varbinds that accompany the traps.
ESRS
You can receive alerts from the EMC Secure Remote Support (ESRS) Gateway. The
ESRS Gateway is a secure, IP-based customer service support system.
The ESRS Gateway is similar to SupportIQ and performs many of the same functions:
l
l

78

Send alerts regarding the health of your devices.

Enable support personnel to run the same scripts used by SupportIQ to gather
data from your devices.
Allow support personnel to establish remote access to troubleshoot your cluster.

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Event notification settings

You can specify whether you want to receive event notifications as aggregated batches or
as individual notifications for each event. Batch notifications are sent every 10 seconds.
The batch options that are described in this table affect both the content and the subject
line of notification emails that are sent in response to system events. You can specify
event notification batch options when you configure SMTP email settings.
Setting

Option

Description

Notification batch
mode

Batch all

Generates a single email for each event

notification.

Batch by severity

Generates an email that contains

aggregated notifications for each event of
the same severity, regardless of event
category.

Batch by category

Generates an email that contains

aggregated notifications for event of the
same category, regardless of severity.

No batching

Generates one email per event.

No custom notification
template is set

Sends the email notification in the default

OneFS notification template format.

Set custom notification

template

Sends the email notifications in the format

that you defined in your custom template
file.

Custom notification
template

View event notification settings

You can view the current values for event notification settings.
Procedure
1. Run the isi events settings list command.
The system displays output similar to the following example:
Setting
Value
-----------------------------------batch_mode
none
user_template
/etc/email/email_template.txt
max_email_size
5242880

Modify event notification settings

You can modify settings that affect how event notifications are sent.
You can modify the batch mode, user template, and email size.
Procedure
1. Modify event notifications by running the isi events settings set command
followed by the name and value of the setting you want to change.

Managing event notification settings

79

General cluster administration

The following example command specifies that event notifications of the same
severity must be sent in a batch:
isi events settings set --name batch_mode --value severity

Managing event notification rules

You can create, modify, or delete event notification rules to determine when and how you
receive information about specific system events.

View event notification rules

You can view a list of all notification rules or details for a specific rule.
Procedure
1. To view all notification rules, run the isi events notifications list
command.
The system displays output similar to the following example:
NAME
TYPE
RECIPIENTS
Isilon support smtp
1
SupportIQ
supportiq 3
categories, 1 event types
CritSupport
smtp
5

DESCRIPTION
10 categories, 1 event types
10
10 categories, 2 event types

2. To view the details of a specific notification rule, run the isi events
notifications list and specify the event name.
The name of the notification rule is case-sensitive.
The following example command displays the details for the SupportIQ notification
rule:
isi events notifications list --name=SupportIQ

The system displays output similar to the following example:

Name: SupportIQ
Type: supportiq
Recipients:
Categories:
LEVELS EVENT TYPE
CE
SYS_DISK_EVENTS (100000000)
CE
NODE_STATUS_EVENTS (200000000)
CE
REBOOT_EVENTS (300000000)
CE
SW_EVENTS (400000000)
CE
QUOTA_EVENTS (500000000)
CE
SNAP_EVENTS (600000000)
CE
WINNET_EVENTS (700000000)
CE
FILESYS_EVENTS (800000000)
CE
HW_EVENTS (900000000)
CE
CPOOL_EVENTS (1100000000)
Specific Event types:
LEVELS EVENT TYPE
I
SW_CLUSTER_MONTHLY_STATUS (400090001)

Create an event notification rule

You can configure event notification rules based on specified events and event types.
You can configure email notification and SNMP trap generation for a specific event.
80

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Procedure
1. Run the isi events notifications create command.
The following example command creates a rule called example rule that specifies that
a notification should be sent to [email protected] when any critical event occurs:
isi events notifications create --name=test-rule \
[email protected] --include-critical=all

The name of the notification rule is case-sensitive.

Modify an event notification rule

You can modify event notification rules that you created. System event notification rules
cannot be modified.
Procedure
1. (Optional) To identify the name of the notification that you want to cancel, run the
following command:
isi events notifications list

2. Modify an event notification rule by running the isi events notifications

modify command.
The following example command modifies the notification rule named test-rule by
adding all emergency level events to list of events that trigger a notification email:
isi events notifications modify --name=test-rule --addemergency=all

The name of the notification rule is case-sensitive.

Send a test event notification

You can generate a test event notification to confirm that event notifications are working
as you intend.
Procedure
1. Run the isi events sendtest command.
The command returns the instance ID of the test event.
2. (Optional) Run the isi events list command to verify that the test event
notification was sent and that the returned instance ID is displayed in the list.

Delete an event notification rule

You can delete event notification rules that you created. System event notification rules
cannot be deleted.
Procedure
1. (Optional) To identify the name of the notification that you want to cancel, run the
following command:
isi events notifications list

2. Delete an event notification rule by running the isi events notifications

delete command.
Managing event notification rules

81

General cluster administration

The following example command deletes the notification rule named test-rule:
isi events notifications delete --name-test-rule

The name of the notification rule is case-sensitive.

Cluster maintenance
Trained service personnel can replace or upgrade components in Isilon nodes.
Isilon Technical Support can assist you with replacing node components or upgrading
components to increase performance.

Replacing node components

If a node component fails, Isilon Technical Support will work with you to quickly replace
the component and return the node to a healthy status.
Trained service personnel can replace the following field replaceable units (FRUs):
l

battery

boot flash drive

SATA/SAS Drive

memory (DIMM)

fan

front panel

intrusion switch

network interface card (NIC)

InfiniBand card

NVRAM card

SAS controller

power supply

If you configure your cluster to send alerts to Isilon, Isilon Technical Support will contact
you if a component needs to be replaced. If you do not configure your cluster to send
alerts to Isilon, you must initiate a service request.

Upgrading node components

You can upgrade node components to gain additional capacity or performance.
Trained service personnel can upgrade the following components in the field:
l

drive

memory (DIMM)

network interface card (NIC)

If you want to upgrade components in your nodes, contact Isilon Technical Support.

Managing drive firmware

If the firmware of any drive in a cluster becomes obsolete, the cluster performance or
hardware reliability might get affected. To ensure overall data integrity, you may update
82

OneFS 7.2.0 CLI Administration Guide

General cluster administration

the drive firmware to the latest revision by installing the drive support package or the
drive firmware package.
You can determine whether the drive firmware on your cluster is of the latest revision by
viewing the status of the drive firmware.
Note

We recommend that you contact EMC Isilon Technical Support before updating the drive
firmware.

Drive firmware update overview

You can update the drive firmware through drive support packages or drive firmware
packages.
Download and install either of these packages from http://support.emc.com depending
on the OneFS version running on your cluster and the type of drives on the nodes.
Drive Support Package
For clusters running OneFS 7.1.1 and later, install a drive support package to update the
drive firmware. You do not need to reboot the affected nodes to complete the firmware
update. A drive support package provides the following additional capabilities:
l

Updates the following drive configuration information:

n

List of supported drives

Drive firmware metadata

SSD wear monitoring data

SAS and SATA settings and attributes

Automatically updates the drive firmware for new and replacement drives to the latest
revision before those drives are formatted and used in a cluster. This is applicable
only for clusters running OneFS 7.2 and later.
Note

Firmware of drives in use cannot be updated automatically.

Drive Firmware Package
For clusters running OneFS versions earlier than 7.1.1, or for clusters with non-bootflash
nodes, install a cluster-wide drive firmware package to update the drive firmware. You
must reboot the affected nodes to complete the firmware update.

Install a drive support package

For clusters running OneFS 7.1.1 and later, install the drive support package to update
your drive firmware to the latest supported revision.
Procedure
1. Go to the EMC Support page that lists all the available versions of the drive support
package.
2. Click the latest version of the drive support package and download the file.
3. Open a secure shell (SSH) connection to any node in the cluster and log in.
4. Create or check for the availability of the directory structure /ifs/data/
Isilon_Support/dsp.
5. Copy the downloaded file to the dsp directory through SCP, FTP, SMB, NFS, or any
other supported data-access protocols.
Managing drive firmware

83

General cluster administration

6. Unpack the file by running the tar command.

For example, unpack drive support package version 1.4 as follows:
tar -zxvf Drive_Support_v1.4.tgz

7. Install the package by running the isi_dsp_install command.

For example, install drive support package version 1.4 as follows:
isi_dsp_install Drive_Support_v1.4.tar
Note
l

You must run the isi_dsp_install command to install the drive support
package. Do not use the isi pkg command.

The installation process takes care of installing all the necessary files from the
drive support package followed by the uninstallation of the package. You do not
need to delete the package after its installation or prior to installing a later version.

View drive firmware status

You can view the status of the drive firmware on the cluster to determine whether you
need to update the firmware.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Perform one of the following tasks:
l

To view the drive firmware status of all the nodes, run the following command:
isi drivefirmware status

To view the drive firmware status of drives on a specific node, run the isi
devices command with the -a fwstatus option. Run the following command
to view the drive firmware status of each drive on node 1:
isi devices -a fwstatus -d 1

The output of the previous command is shown in the following example:

Node 1
Bay 1
Bay 2
Bay 3

Model
HGST HUS724030ALA640
HGST HUS724030ALA640
HGST HUS724030ALA640

FW
MF80AAC0
MF80AAC0
MF80AAC0

Desired FW

Run the following command to view the drive firmware status on node 1 and disk
12:
isi devices -a fwstatus -d 1:12

If a drive firmware update is not required, the Desired FW column is empty.

84

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Update the drive firmware

Determine the type of drive in the node, and then execute the update. The node restarts
automatically after the loading process is complete.
Before you begin
Install the drive firmware package.
Note

Do not restart or power off the node before the update is complete. When the update
process completes successfully, the node restarts automatically.
Procedure
1. Log in to the node through either a serial console port or an internal SSH connection
between nodes.
Note

External network interfaces are disabled as part of the reboot process. The command
in the next step will fail if you run the command from an external network interface.
2. Determine whether a drive firmware update is required by typing the following
command:
isi_disk_firmware_reboot

3. Determine whether any of the drives on the node that need to be updated are Western
Digital drives by typing the following command:
isi_radish -q
CAUTION

If you are performing a drive firmware update on Western Digital drives, you must
update the drives sequentially to avoid significant drive damage.
4. Type one of the following commands depending on whether the node contains any
Western Digital drives that require a drive firmware update:
l

To update the drive firmware of a node with any Western Digital drives, type the
following command to perform a sequential update:
isi_disk_firmware_reboot -sv

To update the drive firmware of a node without any Western Digital drives, type the
following command to perform a parallel update:
isi_disk_firmware_reboot -p

A drive firmware update takes 2060 seconds, depending on the drive model. A node
containing Western Digital drives takes approximately fifteen minutes to complete the
entire process.
After the update process is complete, the node reboots automatically.
If the update is unsuccessful, the LED display on the front panel of the node will
indicate an error and the node will not reboot. Wait for a few minutes and then run the
reboot command to reboot the node manually. If this process is unsuccessful,
contact EMC Isilon Technical Support.

Managing drive firmware

85

General cluster administration

Verify a drive firmware update

After you update the drive firmware in a node, confirm that the firmware is updated
properly and that the affected drives are operating correctly.
Procedure
1. Ensure that no drive firmware updates are currently in progress by running the
following command:
isi devices

If a drive is currently being updated, [FW_UPDATE] appears in the status column.

2. Verify that all drives have been updated by running the following command:
isi drivefirmware status

If all drives have been updated, the Desired FW column is empty.

3. Verify that all affected drives are operating in a healthy state by running the following
command:
isi devices

If a drive is operating in a healthy state, [HEALTHY] appears in the status column.

Drive firmware status information

You can view information about the status of the drive firmware through the OneFS
command-line interface.
The following example shows the output of the isi drivefirmware status
command:
Model
HGST HUS724030ALA640

FW
MF80AAC0

Desired FW
30

Count
1

Nodes

Where:
Model
Displays the name of the drive model.
FW
Displays the version number of the firmware currently running on the drives.
Desired FW
If the drive firmware should be upgraded, displays the version number of the drive
firmware that the firmware should be updated to.
Count
Displays the number of drives of this model that are currently running the specified
drive firmware.
Nodes
Displays the LNNs of nodes that the specified drives exist in.
The following example shows the output of the isi devices command with the -a
fwstatus option:
Node 1

86

OneFS 7.2.0 CLI Administration Guide

Model

FW

Desired FW

General cluster administration

Bay 1
Bay 2
Bay 3

HGST HUS724030ALA640
HGST HUS724030ALA640
HGST HUS724030ALA640

MF80AAC0
MF80AAC0
MF80AAC0

Where:
Drive
Displays the number of the bay that the drive is in.
Note

This column is not labeled in the output. The information appears under the node
number.
Model
Displays the name of the drive model.
FW
Displays the version number of the firmware currently running on the drive.
Desired FW
Displays the version number of the drive firmware that the drive should be updated
to. If a drive firmware update is not required, the Desired FW column is empty.

Automatic update of drive firmware

For clusters running OneFS 7.2 or later, install the latest drive support package on a node
to automatically update the firmware for a new or replacement drive.
The information within the drive support package determines whether the firmware of a
drive must be updated before the drive is formatted and used. If an update is available,
the drive is automatically updated with the latest firmware.
Note

New and replacement drives added to a cluster are formatted regardless of the status of
their firmware revision. You can identify a firmware update failure by viewing the firmware
status for the drives on a specific node. In case of a failure, run the isi devices
command with the fwupdate action on the node to update the firmware manually. For
example, run the following command to manually update the firmware on node 1:
isi devices -a fwupdate -d 1

Managing cluster nodes

You can add and remove nodes from a cluster. You can also shut down or restart the
entire cluster.

Add a node to a cluster

You can add a new node to an existing EMC Isilon cluster.
Before you begin
Before you add a node to a cluster, verify that an internal IP address is available. Add IP
addresses as necessary before you add a new node.
If a new node is running a different version of OneFS than a cluster, the system changes
the node version of OneFS to match the cluster.
Managing cluster nodes

87

General cluster administration

Note

For specific information about version compatibility between OneFS and EMC Isilon
hardware, refer to the Isilon Supportability and Compatibility Guide.
Procedure
1. Identify the serial number of the node to be added by running the following command:
isi devices --action discover

2. Join the node to the cluster by running the following command, where <serial _num> is
the serial number of the node:
isi devices --action add --device <serial_num>

Remove a node from the cluster

You can remove a node from a cluster. When you remove a node, the system smartfails
the node to ensure that data on the node is transferred to other nodes in the cluster.
Removing a storage node from a cluster deletes the data from that node. Before the
system deletes the data, the FlexProtect job safely redistributes data across the nodes
remaining in the cluster.
Procedure
1. Run the isi devices command.
The following command removes a node with a logical node number (LNN) of 2 from
the cluster:
isi devices --action smartfail --device 2

Modify the LNN of a node

You can modify the logical node number (LNN) of a node. This procedure is available only
through the command-line interface (CLI).
The nodes within your cluster can be renamed to any name/integer between 1 and 144.
By changing the name of your node, you are resetting the LNN.
Note

Although you can specify any integer as an LNN, we recommend that you do not specify
an integer greater than 144. Specifying LNNs above 144 can result in significant
performance degradation.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Open the isi config command prompt by running the following command:
isi config

3. Run the lnnset command.

The following command switches the LNN of a node from 12 to 73:
lnnset 12 73
88

OneFS 7.2.0 CLI Administration Guide

General cluster administration

4. Enter commit .
Results
You might need to reconnect to your SSH session before the new node name is
automatically changed.

Restart or shut down the cluster

You can restart or shut down the EMC Isilon cluster.
Procedure
1. Run the isi config command.
The command-line prompt changes to indicate that you are in the isi config
subsystem
2. Restart or shutdown nodes on the cluster.
l

To restart a single node or all nodes on the cluster, run the reboot command.
The following command restarts a single node by specifying the logical node
number (lnn):
reboot 7

To shut down a single node or all nodes on the cluster, run the shutdown
command.
The following command shuts down all nodes on the cluster:
shutdown all

Upgrading OneFS
Two options are available for upgrading the OneFS operating system: a rolling upgrade or
a simultaneous upgrade. Before upgrading OneFS software, a pre-upgrade check must be
performed.
A rolling upgrade individually upgrades and restarts each node in the EMC Isilon cluster
sequentially. During a rolling upgrade, the cluster remains online and continues serving
clients with no interruption in service, although some connection resets may occur on
SMB clients. Rolling upgrades are performed sequentially by node number, so a rolling
upgrade takes longer to complete than a simultaneous upgrade. The final node in the
upgrade process is the node that you used to start the upgrade process.
Note

Rolling upgrades are not available for all clusters. For instructions on how to plan an
upgrade, prepare the cluster for upgrade, and perform an upgrade of the operating
system, see the OneFS Upgrade Planning and Process Guide.
A simultaneous upgrade installs the new operating system and restarts all nodes in the
cluster at the same time. Simultaneous upgrades are faster than rolling upgrades but
require a temporary interruption of service during the upgrade process. Your data is
inaccessible during the time that it takes to complete the upgrade process.
Before beginning either a simultaneous or rolling upgrade, OneFS compares the current
cluster and operating system with the new version to ensure that the cluster meets
certain criteria, such as configuration compatibility (SMB, LDAP, SmartPools), disk
availability, and the absence of critical cluster events. If upgrading puts the cluster at
risk, OneFS warns you, provides information about the risks, and prompts you to confirm
whether to continue the upgrade.
Upgrading OneFS

89

General cluster administration

If the cluster does not meet the pre-upgrade criteria, the upgrade does not proceed, and
the unsupported statuses are listed.

Remote support
Isilon Technical Support personnel can remotely manage your Isilon cluster to
troubleshoot an open support case with your permission.
You can enable remote customer service support through SupportIQ or the EMC Secure
Remote Support (ESRS) Gateway.

Remote support using SupportIQ

Isilon Technical Support personnel can remotely manage your Isilon cluster to
troubleshoot an open support case with your permission. The Isilon SupportIQ module
allows Isilon Technical Support personnel to gather diagnostic data about the cluster.
Isilon Technical Support representatives run scripts that gather data about cluster
settings and operations. The SupportIQ agent then uploads the information to a secure
Isilon FTP site so it is available for Isilon Technical Support personnel to review. These
scripts do not affect cluster services or data availability.
Note

The SupportIQ scripts are based on the Isilon isi_gather_info log-gathering tool.
The SupportIQ module is included with the OneFS operating system and does not require
you to activate a separate license. You must enable and configure the SupportIQ module
before SupportIQ can run scripts to gather data. The feature may have been enabled
when the cluster was first set up, but you can enable or disable SupportIQ through the
Isilon web administration interface.
In addition to enabling the SupportIQ module to allow the SupportIQ agent to run scripts,
you can enable remote access, which allows Isilon Technical Support personnel to
monitor cluster events and remotely manage your cluster using SSH or the web
administration interface. Remote access helps Isilon Technical Support to quickly identify
and troubleshoot cluster issues. Other diagnostic tools are available for you to use in
conjunction with Isilon Technical Support to gather and upload information such as
packet capture metrics.
Note

If you enable remote access, you must also share cluster login credentials with Isilon
Technical Support personnel. Isilon Technical Support personnel remotely access your
cluster only in the context of an open support case and only after receiving your
permission.

Configuring SupportIQ
OneFS logs contain data that Isilon Technical Support personnel can securely upload,
with your permission, and then analyze to troubleshoot cluster problems. The SupportIQ
technology must be enabled and configured for this process.
When SupportIQ is enabled, Isilon Technical Support personnel can request logs through
scripts that gather cluster data and then upload the data to a secure location. You must
enable and configure the SupportIQ module before SupportIQ can run scripts to gather
data. The feature may have been enabled when the cluster was first set up.

90

OneFS 7.2.0 CLI Administration Guide

General cluster administration

You can also enable remote access, which allows Isilon Technical Support personnel to
troubleshoot your cluster remotely and run additional data-gathering scripts. Remote
access is disabled by default. To enable remote SSH access to your cluster, you must
provide the cluster password to a Technical Support engineer.

Enable and configure SupportIQ

You can enable and configure SupportIQ to allow the SupportIQ agent to run scripts that
gather and upload information about your cluster to Isilon Technical Support personnel.
Procedure
1. Run the following command:
isi_promptsupport -e

2. Follow the command prompts to enter the following information:

l

Company name

Contact name

Contact phone

Contact email

3. Log into the web administration interface and click Cluster Management > General
Settings > SupportIQ.
SupportIQ alerts, HTTPS proxy, and remote access must be configured through the
web administration interface.
4. In the SupportIQ Settings area, select the Enable SupportIQ check box.
5. For SupportIQ alerts, select an option.
l

Send alerts via SupportIQ agent (HTTPS) and by email (SMTP) SupportIQ
delivers notifications to Isilon through the SupportIQ agent over HTTPS and by
email over SMTP.

Send alerts via SupportIQ agent (HTTPS) SupportIQ delivers notifications to

Isilon only through the SupportIQ agent over HTTPS.

6. (Optional) Enable HTTPS proxy support for SupportIQ.

a. Select the HTTPS proxy for SupportIQ check box.
b. In the Proxy host field, type the IPv4 address, IPv6 address, or fully qualified
domain name (FQDN) of the HTTP proxy server.
c. In the Proxy port field, type the port number on which the HTTP proxy server
receives requests.
d. (Optional) In the Username field, type the user name for the proxy server.
e. (Optional) In the Password field, type the password for the proxy server.
7. (Optional) Enable remote access to the cluster.
a. Select the Enable remote access to cluster via SSH and web interface check box.
b. Review the remote-access end user license agreement (EULA) and, if you agree to
the terms and conditions, select the I have read and agree to... check box.
8. Click Submit.
A successful configuration is indicated by a message similar to SupportIQ
settings have been updated.
Remote support using SupportIQ

91

General cluster administration

Disable SupportIQ
You can disable SupportIQ so the SupportIQ agent does not run scripts to gather and
upload data about your Isilon cluster.
Procedure
1. Run the following command:
isi_promptsupport -e

2. Follow the command prompts.

SupportIQ scripts
When SupportIQ is enabled, Isilon Technical Support personnel can request logs with
scripts that gather cluster data and then upload the data. The SupportIQ scripts are
located in the /usr/local/SupportIQ/Scripts/ directory on each node.
The following table lists the data-gathering activities that SupportIQ scripts perform.
These scripts can be run automatically, at the request of an Isilon Technical Support
representative, to collect information about your cluster's configuration settings and
operations. The SupportIQ agent then uploads the information to a secure Isilon FTP site,
so that it is available for Isilon Technical Support personnel to analyze. The SupportIQ
scripts do not affect cluster services or the availability of your data.

92

Action

Description

Clean watch folder

Clears the contents of /var/crash.

Get application data

Collects and uploads information about OneFS application

programs.

Generate dashboard file

daily

Generates daily dashboard information.

Generate dashboard file

sequence

Generates dashboard information in the sequence that it occurred.

Get ABR data (as built

record)

Collects as-built information about hardware.

Get ATA control and GMirror

status

Collects system output and invokes a script when it receives an

event that corresponds to a predetermined eventid.

Get cluster data

Collects and uploads information about overall cluster

configuration and operations.

Get cluster events

Gets the output of existing critical events and uploads the

information.

Get cluster status

Collects and uploads cluster status details.

Get contact info

Extracts contact information and uploads a text file that contains

it.

Get contents (var/crash)

Uploads the contents of /var/crash.

Get job status

Collects and uploads details on a job that is being monitored.

Get domain data

Collects and uploads information about the clusters Active

Directory Services (ADS) domain membership.

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Action

Description

Get file system data

Collects and uploads information about the state and health of the
OneFS /ifs/ file system.

Get IB data

Collects and uploads information about the configuration and

operation of the InfiniBand back-end network.

Get logs data

Collects and uploads only the most recent cluster log information.

Get messages

Collects and uploads active /var/log/messages files.

Get network data

Collects and uploads information about cluster-wide and nodespecific network configuration settings and operations.

Get NFS clients

Runs a command to check if nodes are being used as NFS clients.

Get node data

Collects and uploads node-specific configuration, status, and

operational information.

Get protocol data

Collects and uploads network status information and configuration

settings for the NFS, SMB, FTP, and HTTP protocols.

Get Pcap client stats

Collects and uploads client statistics.

Get readonly status

Warns if the chassis is open and uploads a text file of the event
information.

Get usage data

Collects and uploads current and historical information about

node performance and resource usage.

isi_gather_info

Collects and uploads all recent cluster log information.

isi_gather_info -incremental

Collects and uploads changes to cluster log information that have

occurred since the most recent full operation.

isi_gather_info -incremental single

node

Collects and uploads details for a single node.

Prompts you for the node number.

isi_gather_info
single node

Collects and uploads changes to cluster log information that have

occurred since the most recent full operation.
Prompts you for the node number.

Upload the dashboard file

Uploads dashboard information to the secure Isilon Technical

Support FTP site.

Remote support using ESRS Gateway

EMC Isilon clusters support enablement of the ESRS Gateway.
The EMC Secure Remote Support (ESRS) Gateway is a secure, IP-based customer service
support system. The EMC ESRS Gateway features include 24x7 remote monitoring and
secure authentication with AES 256-bit encryption and RSA digital certificates. You can
select monitoring on a node-by node basis, allow or deny remote support sessions, and
review remote customer service activities.
The ESRS Gateway is similar to SupportIQ and performs many of the same functions:
l

Send alerts regarding the health of your devices.

Enable support personnel to run the same scripts used by SupportIQ to gather data
from your devices.
Remote support using ESRS Gateway

93

General cluster administration

Allow support personnel to establish remote access to troubleshoot your cluster.

An important difference between SupportIQ and the ESRS Gateway is that SupportIQ
management is cluster-wide; SupportIQ manages all nodes. The ESRS Gateway manages
nodes individually; you select which nodes should be managed.
You can only enable one remote support system on your Isilon cluster. The EMC products
you use and your type of environment determine which system is most appropriate for
your Isilon cluster:
l

If your environment comprises one or more EMC products that can be monitored, use
the ESRS Gateway.

If ESRS is currently implemented in your environment, use the ESRS Gateway.

If your use of ESRS requires the ESRS Client, use SupportIQ. Isilon nodes do not
support ESRS Client connectivity.

If you have a high-security environment, use the ESRS Gateway.

If the only EMC products in your environment are Isilon nodes, use SupportIQ.

See the most recent version of the document titled EMC Secure Remote Support Technical
Description for a complete description of EMC Secure Remote Support features and
functionality.
Additional documentation on ESRS can be found on the EMC Online Support site.

Configuring ESRS Gateway support

You can configure support for the ESRS Gateway on your Isilon cluster.
Before configuring ESRS Gateway support on your Isilon cluster, at least one ESRS
Gateway server must be installed and configured. The server acts as the single point of
entry and exit for IP-based remote support activities and monitoring notifications. You
can also set up a secondary gateway server as a failover, specify whether to use SMTP if
ESRS transmission fails, and specify whether an email should be sent upon transmission
failure.
ESRS Gateway support also requires you to designate a subnet as a point for remote
access by support personnel. We recommend that you designate a subnet that is
dedicated to remote connections through the ESRS Gateway, and that the subnet
contains a static IP address pool in the System access zone. If you cannot dedicate a
subnet for remote connections, ensure that the first IP address pool in the designated
subnet is configured to use static IP addresses and is assigned to the System access
zone.
When you enable support for the ESRS Gateway on a cluster, the serial number and IP
address of each node is sent to the ESRS Gateway server. Once node information is
received, you can:
l

Select which nodes you want managed through the ESRS Gateway with the ESRS
Configuration Tool.

Create rules for remote support connection to Isilon nodes with the ESRS Policy
Manager.

See the most recent version of the document titled EMC Secure Remote Site Planning Guide
for a complete description of ESRS Gateway server requirements, installation, and
configuration.
See the most recent version of the document titled EMC Secure Remote Support Gateway
for Windows Operations Guide for a complete description of the ESRS Configuration Tool.
See the most recent version of the document titled EMC Secure Remote Support Policy
Manager Operations Guide for a complete description of the ESRS Policy Manger.
94

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Additional documentation on ESRS can be found on the EMC Online Support site.

Enable and configure ESRS Gateway support

You can enable support for the ESRS Gateway on an Isilon cluster.
Before you begin
An ESRS Gateway server must be installed and configured before you can enable ESRS
Gateway support on an Isilon cluster. SupportIQ must be disabled.
Procedure
1. Run the isi remotesupport connectemc modify command to enable and
configure ESRS Gateway support.
The following command enables ESRS Gateway support, specifies a primary gateway,
a remote support subnet, and that an SMTP failover should be used.
isi remotesupport connectemc modify --enabled yes \
-- primary-esrs-gateway gw-serv-esrs1 --use-smtp-failover yes \
--remote-support-subnet subnet0

Disable ESRS Gateway support

You can disable ESRS Gateway support on the Isilon cluster.
You can disable support for the ESRS Gateway in order to use SupportIQ. Isilon clusters
only allow one remote support system to be enabled at a time.
Procedure
1. Disable ESRS Gateway support on an Isilon cluster by running the following command:
isi remotesupport connectemc modify --enabled no

View ESRS Gateway settings

You can view ESRS Gateway settings specified on an EMC Isilon cluster.
Procedure
1. Run the isi remotesupport connectemc view command.
The system displays output similar to the following example:
Enabled:
Primary Esrs Gateway:
Secondary Esrs Gateway:
Use Smtp Failover:
Email Customer On Failure:
Remote Support Subnet:

yes
gw-serv-esrs1
gw-serv-esrs2
yes
no
subnet0

Cluster administration commands

You can configure, monitor, and manage the Isilon cluster using cluster administration
commands.

Cluster administration commands

95

General cluster administration

isi config
Opens a new prompt where node and cluster settings can be altered.
The command-line prompt changes to indicate that you are in the isi config
subsystem. While you are in the isi config subsystem, other OneFS commands are
unavailable and only isi config commands are valid.
Syntax
isi config
Note
l

The following commands are not recognized unless you are currently at the isi
config command prompt.

Changes are not applied until you run the commit command.

Some commands require you to restart the cluster.

Commands
changes
Displays a list of changes to the configuration that have not been committed.
commit
Commits configuration settings and then exits isi config.
date <time-and-date>
Displays or sets the current date and time on the cluster.
<time-and-date>
Sets cluster time to the time specified.
Specify <time-and-date> in the following format:
<YYYY>-<MM>-<DD>[T<hh>:<mm>[:<ss>]]

Specify <time> as one of the following values.

Y
Specifies years
M
Specifies months
W
Specifies weeks
D
Specifies days
h
Specifies hours
s
Specifies seconds
deliprange [<interface-name> [<ip-range>]]
96

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Displays a list of internal network IP addresses that can be assigned to nodes or

removes specified addresses from the list.
<interface-name>
Specifies the name of the interface as one of the following values:

int-a
int-b
failover
<ip-range>
Specifies the range of IP addresses that can no longer be assigned to nodes.
Specify in the form <lowest-ip>-<highest-ip>.

encoding [list] [<encoding>]

Sets the default encoding character set for the cluster.
CAUTION

Character encoding is typically established during installation of the cluster.

Incorrectly modifying character encoding settings may render files unreadable.
Modify settings only if necessary and after consultation with Isilon Technical
Support.
list
Displays the list of supported character sets.
exit
Exits the isi config subsystem.
help
Displays a list of all isi config commands. For information about specific
commands, the syntax is help [<command>].
interface <interface-name> {enable | disable}
The interface command displays the IP ranges, netmask, and MTU and enables or
disables internal interfaces. When issued with no argument, this command displays
IP ranges, netmask, and MTU of all interfaces. When issued with an <interface-name>
argument, this command displays IP ranges, netmask, and MTU for only the specified
interface.
{enable | disable}
Enables or disables the specified interface.
<interface-name>
Specifies the name of the interface as int-a or int-b.

iprange [<interface-name> [<lowest-ip>-<highest-ip>]]

Displays a list of internal IP addresses that can be assigned to nodes, or adds
addresses to the list.
<interface-name>
Specifies the name of the interface as int-a, int-b, or failover.
<lowest-ip>-<highest-ip>
Specifies the range of IP addresses that can be assigned to nodes.

ipset
isi config

97

General cluster administration

Obsolete. Use lnnset to renumber cluster nodes. The IP address cannot be set
manually.
joinmode [<mode>]
Displays the setting for how nodes are added to the current cluster. Options <mode>
specifies the cluster add node setting as one of the following values.
manual
Configures the cluster so that joins can be initiated by either the node or the
cluster.
secure
Configures the cluster so that joins can be initiated by only the cluster.
lnnset [<old-lnn> <new-lnn>]
Displays a table of logical node number (LNN), device ID, and internal IP address for
each node in the cluster when run without arguments. Changes the LNN when
specified.
<old lnn>
Specifies the old LNN that is to be changed.
<new lnn>
Specifies the new LNN that is replacing the old LNN value for that node.
Note

The new LNN must not be currently assigned to another node. Users logged in to
the shell or web administration interface of a node whose LNN is changed must
log in again to view the new LNN.
migrate [<interface-name> [[<old-ip-range>] {<new-ip-range> [-n <netmask>]}]]
Displays a list of IP address ranges that can be assigned to nodes or both adds and
removes IP ranges from that list.
<interface-name>
Specifies the name of the interface as int-a, int-b, and failover.
<old-ip-range>
Specifies the range of IP addresses that can no longer be assigned to nodes. If
unspecified, all existing IP ranges are removed before the new IP range is added.
Specify in the form of <lowest-ip>-<highest-ip>.
<new-ip-range>
Specifies the range of IP addresses that can be assigned to nodes. Specify in the
form of <lowest-ip>-<highest-ip>.

-n <netmask>
Specifies a new netmask for the interface.
Note

If more than one node is given a new IP address, the cluster reboots when the change
is committed. If only one node is given a new IP address, only that node is rebooted.
mtu [<value>]
Displays the size of the maximum transmission unit (MTU) that the cluster uses for
internal network communications when run with no arguments. Sets a new size of the
MTU value, when specified. This command is for the internal network only.
98

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Note

This command is not valid for clusters with an InfiniBand back end.
<value>
Specifies the new size of the MTU value. Any value is valid, but not all values
may be compatible with your network. The most common settings are 1500 for
standard frames and 9000 for jumbo frames.

name [<new_name>]
Displays the names currently assigned to clusters when run with no arguments.
Assigns new names to clusters, as specified.
<new name>
Specifies a new name for the cluster.

netmask [<interface-name> [<ip-mask>]]

Displays the subnet IP mask that the cluster is currently using or sets new subnet IP
masks, as specified. Specifies the interface name as int-a and int-b.
<interface-name>
Specifies the name of the interface. Valid names are int-a and int-b.
<ip-mask>
Specifies the new IP mask for the interface.

quit
Exits the isi config subsystem.
reboot [{<node_lnn> | all}]
Reboots one or more nodes, specified by LNN. If no nodes are specified, reboots the
node from which the command is run. To reboot the cluster, specify all.
Note

If run on an unconfigured node, this command does not accept any arguments.
remove
Deprecated. Instead, run the isi devices -a smartfail command.
shutdown [{<node_lnn> | all}]
Shuts down one or more nodes, specified by LNN. If no nodes are specified, shuts
down the node from which the command is run. To shut down the cluster, specify
all.
Note

If run on an unconfigured node, this command does not accept any arguments.
status [advanced]
Displays current information on the status of the cluster. To display additional
information, including device health, specify advanced.
timezone [<timezone identifier>]
Displays the current time zone or specifies new time zones. Specifies the new
timezone for the cluster as one of the following values:

isi config

99

General cluster administration

<timezone identifier>
Specifies the new time zone for the cluster as one of the following values:

Greenwich Mean Time

Eastern Time Zone
Central Time Zone
Mountain Time Zone
Pacific Time Zone
Arizona
Alaska
Hawaii
Japan
Advanced. Opens a prompt with more time zone options.
version
Displays information about the current OneFS version.
wizard
Activates a wizard on unconfigured nodes and reactivates the wizard if you exit it
during the initial node configuration process. The wizard prompts you through the
node-configuration steps.

isi email
Configures email settings for the cluster.
Syntax
isi email
[--mail-relay] <string>]
[--smtp-port <integer>]
[--mail-sender <string>]
[--mail-subject <string>]
[--use-smtp-auth {yes | no}]
[--auth-user <string>]
[--use-encryption {yes | no}]

Options
--mail-relay <string>
Specifies the SMTP relay address.
--smtp-port <integer>
Specifies the SMTP relay port. The default value is 25.
--mail-sender <string>
Specifies the originator email address.
--mail-subject <string>
Specifies the prefix string for the email subject.
--use-smtp-auth {yes | no}
Specifies whether using SMTP authentication. Yes enables SMTP authentication.
100

OneFS 7.2.0 CLI Administration Guide

General cluster administration

{--auth-user | -u} <string>

Specifies the username for SMTP authentication.
{--auth-pass | -p} <string>
Specifies the password for SMTP authentication.
--use-encryption {yes | no}
Specifies whether using encryption (TLS) for SMTP authentication. Yes enables
encryption.

isi email list

Displays email settings for the cluster
Syntax
isi email list

isi exttools
Provides subcommands for interacting with supported third-party tools.
Nagios is the only third-party tool that is supported in this release. Multiple Isilon clusters
can be monitored with the configuration file that is generated when this command is
used.
Syntax
isi exttools nagios_config

isi license activate

Activates a OneFS module license.
Syntax
isi license activate --key <key>

Options
{--key | -k} <key>
Activates the specified license key. Multiple keys can be specified by separating
them with either spaces or commas.

isi license status

Displays the license status of all OneFS modules.
Syntax
isi license status

isi email list

101

General cluster administration

isi license unconfigure

Unconfigures a OneFS module license.
Unconfiguring a license disables any recurring jobs or scheduled operations that you
have activated for that module, but it does not deactivate the license.
Syntax
isi license unconfigure --module <module>

Options
--module <module>
Specifies the name of the license that you want to unconfigure.

isi perfstat
Displays a realtime snapshot of network and file I/O performance.
Syntax
isi perfstat

isi pkg create

Creates OneFS patches. The isi pkg create command is intended solely for use by
EMC Isilon Engineering personnel to create new patches for the OneFS operating system.
As such, it does not function as intended in a customer environment. This description is
information-only.
Syntax
isi pkg create <patch-spec-file>

Options
<patch-spec-file>

Provide the description and parameters for the patch that you are creating.

isi pkg delete

Uninstalls a patch.
Syntax
isi pkg delete <patch-name>

Options
<patch-name>

Required. Uninstalls a patch from the cluster. The patch name must be the name of
an installed patch.

102

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Examples
To uninstall a package named patch-example.tar from the cluster, run the following
command.
isi pkg delete patch-example.tar

Use the isi pkg info command to verify that the patch was successfully uninstalled.

isi pkg info

Displays information about patches that are installed on the cluster.
Syntax
isi pkg info <patch-name>

Options
<patch-name>

Displays information about only the specified patch. <patch-name> can be the path to
a tar archive or the URL of a patch on an HTTP or FTP site. If you omit this option, the
system displays all installed patches.
Examples
When you examine a specific patch, more information is returned than when you run isi
pkg info without arguments to get information on all patches.
To get information for a patch named patch-example.tar, run the following command.
isi pkg info <path> patch-example.tar

The system displays the package name and date of installation, similar to the following
output.
Information for patch-example:
Description:
Package Name : patch-example - 2009-10-11

If the patch is not installed, the system displays the following output.
patch-example.tar It is not installed.

isi pkg install

Installs a patch from a tar archive or an HTTP or FTP site
Syntax
isi pkg install <patch-name>

Options
<patch-name>

Required. Installs the specified patch on the cluster. <patch-name> can be either a
path to a tar archive or a URL for a patch on an HTTP or FTP site.
isi pkg info

103

General cluster administration

Examples
To install a patch named patch-example.tar on the cluster, run the following command.
isi pkg install patch-example.tar

The system displays output similar to the following example.

Preparing to install the package... Installing
the package... Committing the installation...
Package successfully installed

If necessary, use the isi pkg info command to verify that the patch was successfully
installed.

isi remotesupport connectemc modify

Enables or disables support for EMC Secure Remote Support (ESRS) Gateway on an Isilon
node.
Syntax
isi remotesupport connectemc modify
[--enabled {yes|no}]
[--primary-esrs-gateway <string>]
[--secondary-esrs-gateway <string>]
[--use-smtp-failover {yes|no}]
[--email-customer-on-failure {yes|no}]
[--remote-support-subnet <string>]

Options
--enabled {yes|no}
Specifies whether support for ESRS Gateway is enabled on the Isilon cluster.
--primary-esrs-gateway <string>
Specifies the primary ESRS Gateway server. The gateway server acts as the single
point of entry and exit for IP-based remote support activities and monitoring
notifications. You can specify the gateway as an IP address or as the gateway name.
--secondary-esrs-gateway <string>
Specifies an optional secondary ESRS Gateway server that acts as a failover server.
You can specify the gateway as an IP address or as the gateway name.
--use-smtp-failover {yes|no}
Specifies whether to send event notifications to a failover SMTP address upon ESRS
transmission failure. The SMTP email address is specified using the isi email
command.
--email-customer-on-failure {yes|no}
Specifies whether to send an alert to a customer email address upon failure of other
notification methods.
--remote-support-subnet <string>
Specifies the subnet on the Isilon cluster to be used for remote support connections.

104

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Note

We recommend that you designate a subnet that is dedicated to remote connections

through the ESRS Gateway, and that the subnet contains a static IP address pool in
the System access zone. If you cannot dedicate a subnet for remote connections,
ensure that the first IP address pool in the designated subnet is configured to use
static IP addresses and is assigned to the System access zone.
Examples
The following command enables ESRS Gateway support, specifies an IP address as the
primary gateway, specifies subnet3 as the subnet that handles remote support, and
directs OneFS to email the customer contact if all transmission methods fail:
isi remotesupport connectemc modify --enabled=yes \
-- primary-esrs-gateway=198.51.100.24 \
--email-customer-on-failure=yes --remote-support-subnet=subnet3

isi remotesupport connectemc view

Displays EMC Secure Remote Support (ESRS) Gateway settings on an Isilon node.
Syntax
isi remotesupport connectemc view

Options
This command has no options.

isi services
Displays a list of available services. The -l and -a options can be used separately or
together.
Syntax
isi services
[-l | -a]
[<service> [{enable | disable}]]

Options
-l
Lists all available services and the current status of each. This is the default value for
this command.
- a
Lists all services, including hidden services, and the current status of each.
<service> {enable | disable}

Enables or disables the specified service.

Examples
The following example shows the command to enable a specified hidden service.
isi services -a <hidden-service> enable

isi remotesupport connectemc view

105

General cluster administration

isi set
Works similar to chmod, providing a mechanism to adjust OneFS-specific file attributes,
such as the requested protection, or to explicitly restripe files. Files can be specified by
path or LIN.
Syntax
isi set
[-f -F -L -n -v -r
-R]
[-p <policy>]
[-w <width>]
[-c {on | off}]
[-g <restripe_goal>]
[-e <encoding>]
[-d <@r drives>]
[-a {<default> | <streaming> | <random> | <custom{1..5}>}]
[-l {<concurrency> | <streaming> | <random>}]
[--diskpool {<id> | <name>}]
[-A {on | off}]
[-P {on | off}]
[{--strategy | -s} {<avoid> | <metadata> | <metadata-write> |
<data>]
[<file> {<path> | <lin>}]

Options
-f
Suppresses warnings on failures to change a file.
-F
Includes the /ifs/.ifsvar directory content and any of its subdirectories. Without
-F, the /ifs/.ifsvar directory content and any of its subdirectories are skipped.
This setting allows the specification of potentially dangerous, unsupported protection
policies.
-L
Specifies file arguments by LIN instead of path.
-n
Displays the list of files that would be changed without taking any action.
-v
Displays each file as it is reached.
-r
Runs a restripe.
-R
Sets protection recursively on files.
-p <policy>
Specifies protection policies in the following forms:
+M
Where M is the number of node failures that can be tolerated without loss of
data. +M must be a number from, where numbers 1 through 4 are valid.

106

OneFS 7.2.0 CLI Administration Guide

General cluster administration

+D:M
Where D indicates the number of drive failures and M indicates number of node
failures that can be tolerated without loss of data. D must be a number from 1
through 4 and M must be any value that divides into D evenly. For example, +2:2
and +4:2 are valid, but +1:2 and +3:2 are not.
Nx
Where N is the number of independent mirrored copies of the data that will be
stored. N must be a number, with 1 through 8 being valid choices.
-w <width>
Specifies the number of nodes across which a file is striped. Typically, w = N + M, but
width can also mean the total of the number of nodes that are used.
You can set a maximum width policy of 32, but the actual protection is still subject to
the limitations on N and M.
-c {on | off}
Specifies whether write-coalescing is turned on.
-g <restripe goal>
Specifies the restripe goal. The following values are valid:
repair
reprotect
rebalance
retune
-e <encoding>
Specifies the encoding of the filename. The following values are valid:
EUC-JP
EUC-JP-MS
EUC-KR
ISO-8859-1
ISO-8859-10
ISO-8859-13
ISO-8859-14
ISO-8859-15
ISO-8859-160
ISO-8859-2
ISO-8859-3
ISO-8859-4
ISO-8859-5
ISO-8859-6
ISO-8859-7
ISO-8859-8
ISO-8859-9
UTF-8
isi set

107

General cluster administration

UTF-8-MAC
Windows-1252
Windows-949
Windows-SJIS
-d <@r drives>
Specifies the minimum number of drives that the file is spread across.
-a <value>
Specifies the file access pattern optimization setting. The following values are valid:
default
streaming
random
custom1
custom2
custom3
custom4
custom5
-l <value>
Specifies the file layout optimization setting. This is equivalent to setting both the -a
and -d flags.
concurrency
streaming
random
--diskpool <id | name>
Sets the preferred diskpool for a file.
-A {on | off}
Specifies whether file access and protections settings should be managed manually.
-P {on | off}
Specifies whether the file inherits values from the applicable file pool policy.
{--strategy | -s} <value>
Sets the SSD strategy for a file. The following values are valid:
If the value is metadata-write, all copies of the file's metadata are laid out on SSD
storage if possible, and user data still avoids SSDs. If the value is data, Both the file's
meta- data and user data (one copy if using mirrored protection, all blocks if FEC) are
laid out on SSD storage if possible.
avoid
Writes all associated file data and metadata to HDDs only. The data and
metadata of the file are stored so that SSD storage is avoided, unless doing so
would result in an out-of-space condition.
metadata
Writes both file data and metadata to HDDs. One mirror of the metadata for the
file is on SSD storage if possible, but the strategy for data is to avoid SSD
storage.
108

OneFS 7.2.0 CLI Administration Guide

General cluster administration

metadata-write
Writes file data to HDDs and metadata to SSDs, when available. All copies of
metadata for the file are on SSD storage if possible, and the strategy for data is
to avoid SSD storage.
data
Uses SSD node pools for both data and metadata. Both the metadata for the file
and user data, one copy if using mirrored protection and all blocks if FEC, are on
SSD storage if possible.
<file> {<path> |<lin>}
Specifies a file by path or LIN.

isi snmp
Manages SNMP settings.
When SNMP v3 is used, OneFS requires AuthNoPriv as the default value. AuthPriv is not
supported.
Syntax
isi snmp
[--syslocation <string>]
[--syscontact <string>]
[--protocols <value>]
[--rocommunity <string>]
[--v3-rouser <string>]
[--v3-password <string>]

Options
--syslocation <string>
Specifies the SNMP network. read-only field that the SNMP implementation on the
cluster can report back to a user when queried. It's purely informational for the user.
This just sets the value of the standard system location OID.
--syscontact <string>
Sets the SNMP network contact address.
--protocols <value>
Specifies SNMP protocols. The following values are valid:
v1/v2c
v3
all
Note

v1 and v2 are controlled together and must be specified together, as shown.

{ --rocommunity | -c} <string>
Specifies the read-only community name.
{--v3-rouser | -u} <string>
Specifies the SNMP v3 read-only user security name.
{--v3-password | -p} <string>
isi snmp

109

General cluster administration

Specifies the SNMP v3 auth password.

isi snmp list

Displays SNMP settings.
Syntax
isi snmp list

isi statistics client

Displays the most active, by throughput, clients accessing the cluster for each supported
protocol. You can specify options to track access by user, for example, more than one
user on the same client host access the cluster.
Syntax
isi statistics client
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--nodes <value>]
[--protocols <value>]
[--classes <string>]
[--orderby <column>]
[--total]
[--totalby <column>]
[--nooutput <column>]
[--output <column>]
[--long]
[--zero]
[--local_addrs <integer>]
[--local_names <string>]
[--remote_addrs <integer>]
[--remote_names <string>]
[--user_ids <integer>]
[--user_names <string>]
[--numeric]
[--wide]

Options
{--csv | -c}
Displays data as comma-separated values.
Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Displays data as a csv-style separated list, with the specified string as separator.

110

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Note

If specified, --csvstring overrides --csv and disables top-style display and

dynamic unit conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units within the data table.
--noheader
Displays data without column headings.
{--top | -t}
Displays results in top-style display, where data is continuously overwritten in a
single table.
Note

If you specify--top without --repeat, the report runs indefinitely.

{--interval | -i}<integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To run the report to run indefinitely, specify -1.

{--degraded | -d}
Causes the report to continue if some nodes do not respond.
{--timeout | -o} <integer>
Specifies the number of seconds before remote commands time out.
--nodes
Specifies which nodes to report statistics on. Multiple values can be specified in a
comma-separated list, for example, --nodes=1-2,5-9. The default value is all.
The following values are valid:
l

all

<int>

<int>-<int>

--protocols <value>
Specifies which protocols to report statistics on. Multiple values can be specified in a
comma-separated list, for example --protocols=http,papi. The following
values are valid:
l

all

external

ftp

hdfs

http
isi statistics client

111

General cluster administration

internal

irp

iscsi

jobd

lsass_in

lsass_out

nlm

nfs3

nfs4

papi

siq

smb1

smb2

--classes <string>
Specify which operation classes to report statistics on. The default setting is all
classes. The following values are valid:
all
All classes
read
File and stream reading
write
File and stream writing
create
File link node stream and directory creation
delete
File link node stream and directory deletion
namespace_read
Attribute stat and ACL reads; lookup directory reading
namespace_write
Renames; attribute setting; permission time and ACL writes
file_state
Open close; locking: acquire release break check; notification
session_state
Negotiation inquiry or manipulation of protocol connection or session state
other
File-system information for other uncategorized operations
--orderby <column>
Specifies how rows are ordered. The following values are valid:

112

Class

In

InAvg

InMax

OneFS 7.2.0 CLI Administration Guide

General cluster administration

InMin

LocalAddr

LocalName

Node

NumOps

Ops

Out

OutAvg

OutMax

OutMin

Proto

RemoteAddr

RemoteName

TimeAvg

TimeMax

TimeMin

TimeStamp

UserID

UserName

--total
Groups and aggregates results as implied by filtering options.
--totalby <column>
Aggregates results according to specified fields. The following values are valid:
l

Class

Group

LocalAddr

LocalName

Node

Proto

RemoteAddr

RemoteName

UserId

UserName
Note

--totalby overrides --total option, when specified.

--nooutput <column>
Specifies which columns are not displayed. Columns are excluded from the list of
currently active columns specified by the --output option or --long options or
from the default column list if it is not overridden by other output options.
--output <column>
isi statistics client

113

General cluster administration

Specifies which columns to display. The following values are valid:

TimeStamp
Displays the time at which the isi statistics tool last gathered data. Displayed in
POSIX time (number of seconds elapsed since January 1, 1970).
NumOps
Displays the number of times an operation has been performed.
Ops
Displays the rate at which an operation has been performed. Displayed in
operations per second.
InMax
Displays the maximum input (received) bytes for an operation.
InMin
Displays the minimum input (received) bytes for an operation.
In
Displays the rate of input for an operation since the last time isi statistics
collected the data. Displayed in bytes per second.
InAvg
Displays the average input (received) bytes for an operation.
OutMax
Displays the maximum output (sent) bytes for an operation.
OutMin
Displays the minimum ouput (sent) bytes for an operation.
Out
Displays the rate of ouput for an operation since the last time isi statistics
collected the data. Displayed in bytes per second.
OutAvg
Displays the average ouput (sent) bytes for an operation.
TimeMax
Displays the maximum elapsed time taken to complete an operation. Displayed
in microseconds.
TimeMin
Displays the minimum elapsed time taken to complete an operation. Displayed
in microseconds.
TimeAvg
Displays the average elapsed time taken to complete an operation. Displayed in
microseconds.
Node
Displays the node on which the operation was performed.
Proto
Displays the protocol of the operation.
Class
Displays the class of the operation.
UserID
Displays the numeric UID of the user issuing the operation request or the unique
logical unit number (LUN) identifier in the case of the iSCSI protocol.

114

OneFS 7.2.0 CLI Administration Guide

General cluster administration

UserName
Displays the resolved text name of the UserID, or the target and LUN in the case
of the iSCSI protocol. In either case, if resolution cannot be performed,
UNKNOWN is displayed.
LocalAddr
Displays the IP address of the host receiving the operation request. Displayed in
dotted-quad form.
LocalName
Displays the resolved text name of the LocalAddr, if resolution can be performed.
RemoteAddr
Displays the IP address of the host sending the operation request. Displayed in
dotted-quad form.
RemoteName
Displays the resolved text name of the RemoteAddr, if resolution can be
performed.
--long
Displays all possible columns.
--zero
Shows table entries with no values.
--local_addrs <integer>
Specifies local IP addresses for which statistics will be reported.
--local-names <string>
Specifies local host names for which statistics will be reported.
--remote_addrs <integer>
Specifies remote IP addresses for which statistics will be reported.
--remote_names <string>
Specifies remote client names for which statistics will be reported.
--user_ids <integer>
Specifies user ids for which statistics will be reported. The default setting is all users.
--user_names <string>
Specifies user names for which statistics will be reported. The default setting is all
users.
--numeric
If text identifiers of local hosts, remote clients, or users are in the list of columns to
display (the default setting is for them to be displayed), display the unresolved
numeric equivalent of these columns.
--wide
Displays resolved names with a wide column width.

isi statistics client

115

General cluster administration

isi statistics describe

Displays documentation on given statistics.
Syntax
isi statistics describe --stats <statistics-key-string>

Options
{--stats | -s} <statistics-key-string>
Displays documentation on specified statistics. For a complete list of statistics, run
isi statistics list stats.

isi statistics drive

Displays performance information by drive.
Syntax
isi statistics drive
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--long]
[--nodes <value>]
[--timestamp]
[--type <value>]
[--orderby <column>]

Options
{--csv | -c}
Displays data as a comma-separated list.
Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Display data as a csv-style separated list with the specified string as separator.
Note

Overrides --csv, if specified, and disables top-style display and dynamic unit
conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this
parameter also disables the display of units within the data table.
--noheader
Displays data without column headings.
116

OneFS 7.2.0 CLI Administration Guide

General cluster administration

{--top | -t}
Displays the results in a top-style display, where data is continuously overwritten in a
single table.
Note

If you specify --top without--repeat, the report runs indefinitely.

{--interval | -I} <integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
Sets the report to continue running if some nodes do not respond.
{--timeout | -o} <integer>
Specifies the number of seconds before remote commands timeout.
--long
Displays all possible columns.
--nodes
Specifies which nodes to report statistics on. The default value is all. The following
values are valid:
l
all
l

<int>

<int>-<int>
*

--orderby <column>
Specifies how the rows are ordered. The following values are valid:
Busy
BytesIn
BytesOut
Drive
Inodes
OpsIn
OpsOut
Queued
SizeIn
SizeOut
Slow
TimeAvg
TimeInQ
Type
isi statistics drive

117

General cluster administration

Used
--timestamp
Displays the time at which the isi statistics tool last gathered data. Time is
displayed in Epoch seconds.
--type
Specifies the drive types for which statistics will be reported. The default setting is all
drives. The following values are valid:
sata
sas
ssd

isi statistics heat

Displays the most active /ifs paths for varous metrics.
Syntax
isi statistics heat
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--nodes <value>]
[--events <string>]
[--classes <string>]
[--orderby <column>
[--totalby <column>]
[--maxpath <integer>]
[--pathdepth <integer>]
[--limit <integer>]
[--output <column>]
[--long]

Options
{--csv | -c}
Displays data as a comma-separated list.
Note

Disables the top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Displays data as a csv-style separated list with specified string as separator.
Note

Overrides --csv, if specified, and disables top-style display and dynamic unit
conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units within the data table.
118

OneFS 7.2.0 CLI Administration Guide

General cluster administration

--noheader
Displays data without column headings.
{--top | -t}
Displays the results in top-style display, where data is continuously overwritten in a
single table.
Note

If you specify --top without --repeat, the report runs indefinitely.

{--interval | -I} <integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
Sets the report to continue running if some nodes do not respond.
{--timeout | -o} <integer>
Specifies the number of seconds before remote commands timeout.
--nodes
Specifies which nodes to report statistics on. Multiple values can be specified in a
comma-separated listfor example, --nodes=1-2,5-9. The default value is all.
The following values are valid:
l
all
l
<int>
l
<int>-<int>
--events <string>
Specifies which event types for the specified information are reported. The following
values are valid:
blocked
Access to the LIN was blocked waiting for a resource to be released by another
operation. Class is other.
contended
A LIN is experiencing cross-node contention; it is being accessed simultaneously
through multiple nodes. Class is other.
deadlocked
The attempt to lock the LIN resulted in deadlock. Class is other.
link
The LIN has been linked into the file system; the LIN associated with this event is
the parent directory and not the linked LIN. Class is namespace_write.
lock
The LIN is locked. Class is other.
lookup
A name is looked up in a directory; the LIN for the directory searched is the one
associated with the event. Class is namespace_read.
isi statistics heat

119

General cluster administration

read
A read was performed. Class is read.
rename
A file or directory was renamed. The LIN associated with this event is the
directory where the rename took place for either the source directory or the
destination directory, if they differ. Class is namespace_write.
getattr
A file or directory attribute has been read. Class is namespace_read.
setattr
A file or directory attribute has been added, modified, or deleted. Class is
namespace_write.
unlink
A file or directory has been unlinked from the file system, the LIN associated with
this event is the parent directory of the removed item. Class is
namespace_write.
write
A write was performed. Class is write.
--classes <string>
Specifies which classes for the specified information will be reported. The default
setting is all classes. The following values are valid:
read
File and stream reading
write
File and stream writing
create
File, link, node, stream, and directory creation
delete
File, link, node, stream, and directory deletion
namespace_read
Attribute, stat, and ACL reads; lookup, directory reading
namespace_write
Renames; attribute setting; permission, time, and ACL writes
file_state
Open, close; locking: acquire, release, break, check; notification
session_state
Negotiation, inquiry, or manipulation of protocol connection or session state
other
File-system information
--orderby <column>
Specifies how rows are ordered. The following values are valid:

120

Class

Event

LIN

Node

Ops

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Path

TimeStamp

--totalby <column>
Aggregates results according to specified fields. The following values are valid:
Class

Event

LIN

Node

Ops

Path

TimeStamp

--maxpath <integer>
Specifies the maximum path length to look up in the file system.
-pathdepth <integer>
Reduces paths to the specified depth.
--limit <integer>
Displays only the specified number of entries after totaling and ordering.
--output <column>
Specifies the columns to display. The following values are valid:
timestamp
Displays the time at which the isi statistics tool last gathered data. Displayed in
POSIX time (number of seconds elapsed since January 1, 1970).
Ops
Displays the rate at which an operation has been performed. Displayed in
operations per second.
Node
Displays the node on which the operation was performed.
Event
Displays the name of the event.
Class
Displays the class of the operation.
LIN
Displays the LIN for the file or directory associated with the event.
Path
Displays the path associated with the event LIN.
--long
Displays all possible columns.

isi statistics history

Displays historical statistics.
Syntax
isi statistics history
[--csv]

isi statistics history

121

General cluster administration

[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <number>]
[--repeat <number>]
[--degraded]
[--timeout <number>]
[--nodes <value>]
[--stats <string>]
[--onecolumn]
[--formattime]
[--begin <number>]
[--end <number>]
[--resolution <number>]
[--zero]

Options
{--csv | -c}
Displays data as a comma-separated list.
Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Display data as a csv-style separated list with specified string as separator.
Note

Overrides --csv, if specified, and disables top-style display and dynamic unit
conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units within the data table.
--noheader
Displays data without column headings.
{--top | -t}
Displays results in a top-style display, where data is continuously overwritten in a
single table.
Note

If you specify --top without --repeat, the report runs indefinitely.

{--interval | -I} <integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <number>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
122

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Sets the report to continue running if some nodes do not respond.

{--timeout | -o} <number>
Specifies number of seconds before remote commands time out.
--nodes
Specifies which nodes to report statistics on. Multiple values can be specified in a
comma-separated listfor example, --nodes=1-2,5-9. The default value is all.
The following values are valid:
l

all

<int>

<int>-<int>

--stats <string>
Specifies which statistics should be reported for requested nodes, where the value
for <string> is a statistics key. Use the isi statistics list stats command
for a complete listing of statistics keys.
{--onecolumn | -1}
Displays output one series at a time in one column rather than in a grid format.
{--formattime | -F}
Formats series times rather than using UNIX Epoch timestamp format.
--begin <number>
Specifies begin time in UNIX Epoch timestamp format.
--end <number>
Specifies end time in UNIX Epoch timestamp format.
--resolution <number>
Specifies the minimum interval between series data points in seconds.
--zero
Displays grid rows with no valid series points.

isi statistics list all

Displays a list of valid list-mode arguments.
Syntax
isi statistics list all
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
isi statistics list all

123

General cluster administration

--drive
Displays valid option values for drive mode.

isi statistics list classes

Displays a list of valid arguments for the --classes option.
Syntax
isi statistics list classes
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list events

Displays a list of valid arguments for the --events option.
Syntax
isi statistics list events
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--protocol
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

124

OneFS 7.2.0 CLI Administration Guide

General cluster administration

isi statistics list nodes

Displays a list of valid arguments for the --nodes option.
Syntax
isi statistics list nodes
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list nooutput

Displays a list of valid arguments for the --nooutput option.
Syntax
isi statistics list nooutput
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list nodes

125

General cluster administration

isi statistics list operations

Displays a list of valid arguments for the --operations option.
Syntax
isi statistics list operations
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list orderby

Displays a list of valid arguments for the --orderby option.
Syntax
isi statistics list orderby
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

126

OneFS 7.2.0 CLI Administration Guide

General cluster administration

isi statistics list output

Displays a list of valid arguments for the --output option.
Syntax
isi statistics list output
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list protocols

Displays a list of valid arguments for the --protocols option.
Syntax
isi statistics list protocols
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list output

127

General cluster administration

isi statistics list stats

Displays a list of valid arguments for the --stats option.
Syntax
isi statistics list stats
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

isi statistics list totalby

Displays a list of valid arguments for the --totalby option.
Syntax
isi statistics list totalby
[--client]
[--protocol]
[--heat]
[--drive]

Options
--client
Displays valid option values for client mode.
--protocol
Displays valid option values for protocol mode.
--heat
Displays valid option values for heat mode.
--drive
Displays valid option values for drive mode.

128

OneFS 7.2.0 CLI Administration Guide

General cluster administration

isi statistics protocol

Displays statistics by protocol, such as NFSv3 and HTTP.
Syntax
isi statistics protocol
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--long]
[--nodes {all | <int> | <int>-<int>}]
[--protocols <protocol>...]
[--classes <class>...]
[--orderby <column>...]
[--total]
[--totalby <column>...]
[--nooutput <column>...]
[--output <column>...]
[--long]
[--zero]
[--operations <operation>...]

Options
{--csv | -c}
Displays data as comma-separated values.
Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Displays data as a csv-style separated list, with the specified string as a separator.
Note

If specified, --csvstring overrides --csv and disables top-style display and

dynamic unit conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units in the data table.
--noheader
Displays data without column headings.
{--top | -t}
Displays results in top-style display, where data is continuously overwritten in a
single table.
Note

If you specify --top without --repeat, the report runs indefinitely.

isi statistics protocol

129

General cluster administration

{--interval | -I} <integer>

Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
Causes the report to continue running if some nodes do not respond.
{--timeout | -o} <integer>
Specifies the number of seconds before remote commands timeout.
--nodes
Specifies which nodes to report statistics on. Multiple values can be specified in a
comma-separated listfor example, --nodes=1-2,5-9. The default value is all.
The following values are valid:
l

all

<int>

<int>-<int>

--protocols <value>
Specifies which protocols to report statistics on. Multiple values can be specified in a
comma-separated listfor example, --protocols=http,papi. The following values
are valid:
l

all

external

ftp

hdfs

http

internal

irp

iscsi

jobd

lsass_in

lsass_out

nlm

nfs3

nfs4

papi

siq

smb1

smb2

--classes <class>
130

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Specifies which operation classes to report statistics on. The default setting is all.
The following values are valid:
all
All classes
read
File and stream reading
write
File and stream writing
create
File link node stream and directory creation
delete
File link node stream and directory deletion
namespace_read
Attribute stat and ACL reading; lookup directory reading
namespace_write
Renames; attribute setting; permission time and ACL writes
file_state
Open, close; locking: acquire, release, break, check; notification
session_state
Negotiation inquiry or manipulation of protocol connection or session state
other
File-system information. Multiple values can be specified in a comma-separated
list.
--orderby <column>
Specifies how rows are ordered. The following values are valid:
l

Class

In

InAvg

InMax

InMin

InStdDev

Node

NumOps

Ops

Out

OutAvg

OutMax

OutMin

OutStdDev

Proto

TimeAvg

TimeMax

TimeMin
isi statistics protocol

131

General cluster administration

TimeStamp

TimeStdDev

--total
Groups and aggregates the results according to the filtering options.
--totalby <column>
Aggregates results according to specified fields. The following values are valid:
l

Class

Node

Proto

Op

Note

--totalby overrides --total, when specified.

--nooutput <column>
Specifies which columns are not displayed. The columns are excluded from the list of
the active columns that are specified by --output or --long or from the default
column list if it is not overridden by other output options. Multiple values can be
specified in a comma-separated list. The following values are valid:
l

Class

In

InAvg

InMax

InMin

InStdDev

Node

NumOps

Ops

Out

OutAvg

OutMax

OutMin

OutStdDev

Proto

TimeAvg

TimeMax

TimeMin

TimeStamp

TimeStdDev

--output <column>
Specifies which columns to display. The following values are valid:

132

OneFS 7.2.0 CLI Administration Guide

General cluster administration

timestamp
Displays the time at which the isi statistics tool last gathered data.
Displayed in POSIX time (number of seconds elapsed since January 1, 1970).
Specify <time-and-date> in the following format:
<YYYY>-<MM>-<DD>[T<hh>:<mm>[:<ss>]]

Specify <time> as one of the following values.

Y
Specifies years
M
Specifies months
W
Specifies weeks
D
Specifies days
h
Specifies hours
s
Specifies seconds
NumOps
Displays the number of times an operation has been performed. Multiple values
can be specified in a comma-separated list.
Ops
Displays the rate at which an operation has been performed. Displayed in
operations per second.
InMax
Displays the maximum input (received) bytes for an operation.
InMin
Displays the minimum input (received) bytes for an operation.
In
Displays the rate of input for an operation since the last time isi statistics
collected the data. Displayed in bytes per second.
InAvg
Displays the average input (received) bytes for an operation.
OutMax
Displays the maximum output (sent) bytes for an operation.
OutMin
Displays the minimum ouput (sent) bytes for an operation.
Out
Displays the rate of ouput for an operation since the last time isi statistics
collected the data. Displayed in bytes per second.
OutAvg
Displays the average ouput (sent) bytes for an operation.
TimeMax
Displays the maximum elapsed time taken to complete an operation. Displayed
in microseconds.

isi statistics protocol

133

General cluster administration

TimeMin
Displays the minimum elapsed time taken to complete an operation. Displayed
in microseconds.
TimeAvg
Displays the average elapsed time taken to complete an operation. Displayed in
microseconds.
Node
Displays the node on which the operation was performed.
Proto
Displays the protocol of the operation.
Class
Displays the class of the operation.
InStdDev
Displays the standard deviation of the input (received) bytes for an operation.
Displayed in bytes.
OutStdDev
Displays the standard deviation of the output (sent) bytes for an operation.
Displayed in bytes.
Op
Displays the name of the operation
--long
Displays all possible columns.
--zero
Shows table entries with no values.
--operations <operation>
Specifies the operations on which statistics are reported. To view a list of valid
values, run the isi statistics list operations command. Multiple values
can be specified in a comma-separated list.

isi statistics pstat

Displays a selection of cluster-wide and protocol data.
Syntax
isi statistics pstat
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--protocol <protocol>]

Options
{--csv | -c}
Displays data as comma-separated values.

134

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Displays data as a csv-style separated list, with the specified string as separator.
Note

If specified, --csvstring overrides --csv and disables top-style display and

dynamic unit conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units within the data table.
--noheader
Displays data without column headings.
{--top | -t}
Displays results in top-style display, where data is continuously overwritten in a
single table.
Note

If you specify --top without --repeat, the report runs indefinitely.

{--interval | -i} <integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
Sets the report to continue running if some nodes do not respond.
{--timeout | -o} <integer>
Specifies number of seconds before remote commands time out.
--protocol <protocol>
Specifies which protocols to report statistics on. Multiple values can be specified in a
comma-separated listfor example, --protocols=http,papi. The following values
are valid:
l

ftp

hdfs

http

irp

iscsi

jobd

lsass_in
isi statistics pstat

135

General cluster administration

lsass_out

nlm

nfs3

nfs4

papi

siq

smb1

smb2

isi statistics query

Displays highly customizable information on any statistic in the cluster statistics library.
Syntax
isi statistics query
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--nofooter]
[--nodes {all | <int>[-<int>]}]
[--stats <string>]

Options
{--csv | -c}
Displays data as comma-separated values.
Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Displays data as a csv-style separated list, with the specified string as a separator.
Note

If specified, --csvstring overrides --csv and disables top-style display and

dynamic unit conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units within the data table.
--noheader
Displays data without column headings.
{--top | -t}
Displays results in top-style display, where data is continuously overwritten in a
single table.

136

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Note

If you specify --top without --repeat, the report runs indefinitely.

{--interval | -I}<integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
Causes the report to continue if some nodes do not respond.
{--timeout | -o} <integer>
Specifies the number of seconds before remote commands time out.
--nofooter
Suppresses display of the footer row that contains aggregation data.
--nodes {all | <int>[-<int>]}
Specifies which nodes to report statistics on. Multiple values can be specified in a
comma-separated listfor example, --nodes=1-2,5-9. The default value is all.
{--stats | statistics key} <key>
Specifies which statistics should be reported for requested nodes. Run the isi
statistics list stats command for a complete list of statistics keys.

isi statistics system

Displays general cluster statistics, including op rates for all supported protocols and
network and disk traffic.
Syntax
isi statistics system
[--csv]
[--csvstring <string>]
[--noconversion]
[--noheader]
[--top]
[--interval <integer>]
[--repeat <integer>]
[--degraded]
[--timeout <integer>]
[--running <integer>]
[--nodes]
[--timestamp]
[--oprates]

Options
{--csv | -c}
Displays data as a comma-separated list.

isi statistics system

137

General cluster administration

Note

Disables top-style display and dynamic unit conversion.

{--csvstring | -C} <string>
Display data as a csv-style separated list with specified string as separator.
Note

Overrides --csv, if specified, and disables top-style display and dynamic unit
conversion.
--noconversion
Displays all data in base quantities, without dynamic conversion. If set, this option
also disables the display of units within the data table.
--noheader
Displays data without column headings.
{--top | -t}
Displays results in a top-style display, where data is continuously overwritten in a
single table.
Note

If you specify --top without --repeat, the report runs indefinitely.

{--interval | -I} <integer>
Reports data at the interval specified in seconds.
{--repeat | -r} <integer>
Specifies how many times to run the report before quitting.
Note

To set the report to run indefinitely, specify -1.

{--degraded | -d}
Sets the report to continue running if some nodes do not respond.
{--timeout | -o} <integer>
Specifies number of seconds before remote commands time out.
--running <integer>
Displays statistics with aggregation of cluster statistics over a given interval in the
number of iterations of the tool repetition interval. If running averages are requested,
they appear on the row labeled Avg.
--nodes
Displays information on individual nodes.
--timestamp
Displays the time at which the isi statistics tool last gathered data. ;The
timestamp is displayed in Epoch seconds.
--oprates
Displays the protocol operation rate statistics instead of the default throughput
statistics.
138

OneFS 7.2.0 CLI Administration Guide

General cluster administration

isi status
Displays information about the current status of the cluster, events, and jobs.
Syntax
isi status
[-q]
[-r]
[-w]
[-D]
[-d <storage-pool-name>]
[-n <id>]

Options
-q
Omits event and protection operations and displays only information on the status of
the cluster.
-r
Displays the raw size.
-w
Displays results without truncations.
-D
Displays more detailed information on running protection operations, including a list
of worker processes. Also displays more information on failed protection operations,
including a list of errors.
-d <storage-pool-name>
Displays a node pool or tier view of the file system instead of a cluster view. If a
storage pool name such as a tier or a node pool is specified, only information for that
pool is reported.
-n <id>
Displays the same information for an individual node, specified by logical node
number (LNN), in addition to statistics for each disk in the node.

isi update
Updates a cluster to a newer version of OneFS.
You are prompted to specify where the image to use to update the cluster is located. After
the image is loaded, you are prompted to reboot the cluster.
Syntax
isi update
[--rolling]
[--manual]
[--drain-time <duration>]
[--check-only]

Options
--rolling

isi status

139

General cluster administration

Performs a rolling update, allowing the cluster to remain available during the update.
When a rolling update is interrupted, the same update command can be issued to
restart the rolling update. The update then attempts to continue where the previous
update was interrupted. Rolling updates are not supported for all versions. Contact
your Isilon representative for information about which versions support this option.
--manual
Causes rolling update process to pause and wait for user input before rebooting each
node.
--drain-time <duration>
Sets the update process to suspend a node from its SmartConnect pool. The process
then waits for clients to disconnect or for the specified <duration> to elapse before
rebooting the node. The default <duration> units are in seconds. You can specify
different time units by adding a letter to the end of the time, however. The following
values are valid:
m
Minutes
h
Hours
d
Days
w
Weeks
--check-only
Provides information about potential failures across the cluster but does not initiate
the upgrade process.

isi version
Displays detailed information about the Isilon cluster software properties.
Syntax
isi version
[<os-info>]

Options
<os-info>

Optional variable that limits the output to specified pieces of information. If you do
not include an <os-info> value, the system displays all information. Only the following
values for <os-info> are acceptable.
osversion
Displays the name, build, release date, and current operating system version.
osbuild
Displays build information.
osrelease
Displays the version string for the software.

140

OneFS 7.2.0 CLI Administration Guide

General cluster administration

ostype
Displays the name of the operating system.
osrevision
Displays the revision number as a base-10 number.
copyright
Displays the current copyright information for the software.
Examples
The following command displays the name of the operating system only.
isi version ostype

isi_for_array
Runs commands on multiple nodes in an array, either in parallel or in serial.
When options conflict, the one specified last takes precedence.
Note

The -k, -u, -p, and -q options are valid only for SSH transport.
Syntax
isi_for_array
[--array-name <array>]
[--array-file <filename>]
[--directory <directory>]
[--diskless]
[--known-hosts-file <filename>]
[--user <user>]
[--nodes <nodes>]
[--password <password>]
[--pre-command <command>]
[--query-password]
[--quiet]
[--serial]
[--storage]
[--transport <transport-type>]
[--throttle <setting>]
[--exclude-nodes <nodes>]
[--exclude-down-nodes]

Options
{--array-name | -a} <array>
Uses <array>.
{--array-file | -A} <filename>
Reads array information from<filename>. The default looks first for
$HOME/.array.xml, then for /etc/ifs/array.xml.
{--directory | -d} <directory>
Runs commands from the specified directory on remote computers. The current
working directory is the default directory. An empty <directory> results in commands
being run in the user's home directory on the remote computer.
{--diskless | -D}
Runs commands from diskless nodes.
isi_for_array

141

General cluster administration

{--known-hosts-file | -k} <filename>

Uses <filename> for SSH known hosts file instead of the default /dev/null directory.
{--user | -u | -l} <user>
Logs in as <user> instead of as the default root user.
{--nodes | -n} <nodes>
Runs commands on the specified nodes, which can be specified multiple times. Must
be a list of either node names or ranges of node IDs; for example,
1,3-5,neal8,10. If no nodes are explicitly listed, the whole array is used.
{--password | -p | --pw} <password>
Uses the specified password instead of the default password.
{--pre-command | -P} <command>
Runs the specified command before any other commands. This is useful for setting
up the environment and it can be specified multiple times. You can specify - to reset
the list of pre-commands.
{--query-password | -q}
Prompts the user for a password.
{--quiet | -Q}
Suppresses printing of the host prefix for each output line.
{--serial | -s}
Runs commands in serial instead of parallel.
{--storage | -S}
Run commands from storage nodes.
{--transport | -t} <transport-type>
Specifies the network transport type. The default value is rpc. Valid transports
values are rpc or ssh.
{--throttle | -T} <setting>
Adjusts throttling. To disable throttling, specify 0. The default value is 24.
{--exclude-nodes | -x} <nodes>
Excludes specified nodes from the command. This argument is specified in the same
manner as the -n option.
{--exclude-down-nodes | -X}
Excludes offline nodes from the command. This command is limited to cluster local
use only.
Examples
In SmartLock compliance mode, to run isi_for_array for a command that requires
root privileges, you must specify sudo twice. For example, the following command runs
isi stat on each node in a compliance cluster.
sudo isi_for_array -u compadmin sudo isi stat

142

OneFS 7.2.0 CLI Administration Guide

General cluster administration

isi get
Displays information about a set of files, including the requested protection, current
actual protection, and whether write-coalescing is enabled.
Requested protection appears in one of three colors: green, yellow, or red. Green
indicates full protection. Yellow indicates degraded protection under a mirroring policy.
Red indicates a loss of one or more data blocks under a parity policy.
Syntax
isi get {{[-a] [-d] [-g] [-s] [{-D | -DD | -DDC}] [-R] <path>}
| {[-g] [-s] [{-D | -DD | -DDC}] [-R] -L <lin>}}

Options
-a
Displays the hidden "." and ".." entries of each directory.
-d
Displays the attributes of a directory instead of the contents.
-g
Displays detailed information, including snapshot governance lists.
-s
Displays the protection status using words instead of colors.
-D
Displays more detailed information.
-DD
Includes information about protection groups and security descriptor owners and
groups.
-DDC
Includes cyclic redundancy check (CRC) information.
-R
Displays information about the subdirectories and files of the specified directories.
<path>
Displays information about the specified file or directory.
Specify as a file or directory path.
-L <lin>
Displays information about the specified file or directory.
Specify as a file or directory LIN.
Examples
The following command displays information on ifs/home/ and all of its
subdirectories:
isi get -R /ifs/home

isi get

143

General cluster administration

The system displays output similar to the following example:

POLICY
default
default
default
default
default
default

LEVEL
4x/2
8x/3
4x/2
4x/2
4x/2
4x/2

PERFORMANCE
concurrency
concurrency
concurrency
concurrency
concurrency
concurrency

COAL
on
on
on
on
on
on

FILE
./
../
admin/
ftp/
newUser1/
newUser2/

/ifs/home/admin:
default 4+2/2 concurrency on

.zshrc

/ifs/home/ftp:
default
4x/2 concurrency on
default
4x/2 concurrency on

incoming/
pub/

/ifs/home/ftp/incoming:
/ifs/home/ftp/pub:
/ifs/home/newUser1:
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency

on
on
on
on
on
on
on
on
on

.cshrc
.login
.login_conf
.mail_aliases
.mailrc
.profile
.rhosts
.shrc
.zshrc

/ifs/home/newUser2:
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency
default 4+2/2 concurrency

on
on
on
on
on
on
on
on
on

.cshrc
.login
.login_conf
.mail_aliases
.mailrc
.profile
.rhosts
.shrc
.zshrc

isi_gather_info
Collects and uploads the most recent cluster log information to SupportIQ.
Multiple instances of -i, -f, -s, -S, and -1 are allowed.
gather_expr and analysis_expr can be quoted.
The default temporary directory is /ifs/data/Isilon_Support/ (change with -L or
-T).
Syntax
isi_gather_info
[-h]
[-v]
[-u <user>]
[-p <password>]
[-i]
[--incremental]
[-l]
[-f <filename>]

144

OneFS 7.2.0 CLI Administration Guide

General cluster administration

[-n <nodes>]
[--local-only]
[--skip-node-check]
[-s gather-script]
[-S gather-expr]
[-1 gather-expr]
[-a analysis-script]
[-A analysis-expr]
[-t <tarfile>]
[-x exclude_tool]
[-I]
[-L]
[-T <temp-dir>]
[--tardir <dir>]
[--symlinkdir <dir>]
[--varlog_recent]
[--varlog_all]
[--nologs]
[--group <name>]
[--noconfig]
[--save-only]
[--save]
[--upload]
[--noupload]
[--re-upload <filename>]
[--verify-upload]
[--http]
[--nohttp]
[--http-host <host>]
[--http-path <dir>]
[--http-proxy <host>]
[--http-proxy-port <port>]
[--ftp]
[--noftp]
[--ftp-user <user>]
[--ftp-pass <password>]
[--ftp-host <host>]
[--ftp-path <dir>]
[--ftp-port <alt-port>]
[--ftp-proxy <host>]
[--ftp-proxy-port <port>]
[--ftp-mode <mode>]
[--esrs]
[--email]
[--noemail]
[--email-addresses]
[--email-subject]
[--email-body]
[--skip-size-check]

Options
-h
Prints this message and exits.
-v
Prints version info and exits.
-u <user>
Specifies the login as <user> instead of as the default root user.
-p <password>
Uses <password>.
-i

isi_gather_info

145

General cluster administration

Includes only the listed utility. See also the -l option for a list of utilities to include.
The special value all may be used to include every known utility.
--incremental
Gathers only those logs that changed since last log upload.
-l
Lists utilities and groups that can be included. See -i and --group.
-f <filename>
Gathers <filename> from each node. The value must be an absolute path.
-n <nodes>
Gathers information from only the specified nodes. Nodes must be a list or range of
LNNs, for example, 1,4-10,12,14. If no nodes are specified, the whole array is
used. Note that nodes are automatically excluded if they are down.
--local-only
Gathers information only from only the local node. Run this option when gathering
files from the /ifs filesystem.
--skip-node-check
Skips the check for node availability.
-s gather-script
Runs <gather-script> on every node.
-S gather-expr
Runs <gather-expr> on every node.
-1 gather-expr
Runs <gather-expr> on the local node.
-a analysis-script
Runs <analysis-script> on results.
-A analysis-expr
Runs <analysis-expr> on every node.
-t <tarfile>
Saves all results to the specified <tarfile> rather than to the default tar file.
-x exclude_tool
Excludes the specified tool or tools from being gathered from each node. Multiple
tools can be listed as comma-separated values.
-I
Saves results to /ifs. This is the default setting.
-L
Save all results to local storage /var/crash/support/.
-T <temp-dir>
Saves all results to <temp-dir> instead of the default directory. -T overrides -L and l.
--tardir <dir>
Places the final package directly into the specified directory.
--symlinkdir <dir>
146

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Creates a symlink to the final package in the specified directory.

--varlog_recent
Gathers all logs in /var/log, with the exception of the compressed and rotated old
logs. The default setting is all logs.
--varlog_all
Gathers all logs in /var/log, including compressed and rotated old logs. This is the
default setting.
--nologs
Does not gather the required minimum number of logs.
--group <name>
Adds a specific group of utilities to the tar file.
--noconfig
Uses built-in default values and bypasses the configuration file.
--save-only
Saves the CLI-specified configuration to file and exits.
--save
Saves the CLI-specified configuration to file and runs it.
--upload
Uploads logs to Isilon Technical Support automatically. This is the default setting.
--noupload
Specifies no automatic upload to Isilon Technical Support.
--re-upload <filename>
Re-uploads the specified <filename>.
--verify-upload
Creates a tar file and uploads to test connectivity.
--http
Attempts HTTP upload. This is the default setting.
--nohttp
Specifies no HTTP upload attempt.
--http-host <host>
Specifies an alternate HTTP site for upload.
--http-path <dir>
Specifies an alternate HTTP upload directory.
--http-proxy <host>
Specifies the proxy server to use.
--http-proxy-port <port>
Specifies the proxy port to use.
--ftp
Attempts FTP upload. This setting is the default value.
--noftp
Specifies no FTP upload attempt.
--ftp-user <user>
isi_gather_info

147

General cluster administration

Specifies an alternate user for FTP (default: anonymous).

--ftp-pass <password>
Specifies an alternate password for FTP.
--ftp-host <host>
Specifies an alternate FTP site for upload.
--ftp-path DIR
Specifies an alternate FTP upload directory.
--ftp-port <alt-port>
Specifies an alternate FTP port for upload.
--ftp-proxy <host>
Specifies the proxy server to use.
--ftp-proxy-port <port>
Specifies the proxy port to use.
--ftp-mode <mode>
Specifies the mode of FTP file transfer. The following values are valid: both, active,
passive. The default value is both.
--esrs
Attempts ESRS upload.
--email
Attempts SMTP upload. If set, SMTP is tried first.
--noemail
Specifies no SMTP upload attempt. This is the default value.
--email-addresses
Specifies email addresses as comma-separated strings.
--email-subject
Specifies an alternative email subject.
--email-body
Specifies alternative email text shown on head of body.
--skip-size-check
Does not check the size of the gathered file.

148

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Event commands
You can access and configure OneFS events and notification rules settings using the
event commands. Running isi events without subcommands is equivalent to running
isi events list.

isi events cancel

Cancels events.
Syntax
isi events cancel --instanceids <id>

Options
{--instanceids | -i} {<id> | <id,id,id...>}
Specifies the instance ID of the event that you want to cancel.
Specifies multiple event instances in a comma-separated list.
You can specify all event instances with all.

isi events list

Displays a list of system events.
Syntax
isi events list
[--oldest {-<rel-time> | <spec-time>}]
[--newest {-<rel-time> | <spec-time>}]
[--history]
[--coalesced]
[--severity <value>]
[--limit <integer>]
[--localdb]
[--nodes <node>]
[--types <integer>]
[--columns <column>]
[--sort-by <column>]
[--csv]
[--wide]

Options
{--oldest | -o} {-<rel-time> | <spec-time>}
Displays only events that have a start time after a specified date and time.
Specify -<rel-time> in the following format, where d, h, and m specify days, hours and
minutes:
<integer>{d | h | m}

Specify <spec-time> in the following format, where <mm>/<dd>/]YYYY <HH>:<MM> are the
numerical month, day, year, hour and minute:
<mm>/<dd>/]YYYY <HH>:<MM>

Event commands

149

General cluster administration

{--newest | -n} {-<rel-time> | <spec-time>

Displays only events that have a start time after a specified date and time
Specify -<rel-time> in the following format, where d, h, and m specify days, hours and
minutes:
<integer>{d | h | m}

Specify <spec-time>in the following format, where <MM>/<DD>/]YYYY <hh>:<mm> are the
numerical month, day, year, hour and minute:
<MM>/<DD>/]YYYY <hh>:<mm>

{--history | -s}
Retrieves only historical events, which are those that have an end date or are quieted
events.
{--coalesced | -C}
Includes coalesced events in results.
{--severity} | -v}<value>
Retrieves events for a specified level or levels . Multiple levels can be specified in a
comma-separated list. the following values are valid:
info
warn
critical
emergency
{--limit | -L} <integer>
Limits results to the specified number of events.
{--localdb | -l}
Uses the local DB rather than the master.
--nodes <node>
Specifies which nodes to report statistics on. Default is all. The following values are
valid:
l

all

<int>

<int>-<int>

{--types | -i} <integer>

Retrieves all instances of the listed event types. Multiple types can be specified in a
comma-separated list.
{--columns| -c}<column>
Specifies event list columns in a comma-separated list. The following values are
valid:
type
id
coalesce_id
start_time
end_time
150

OneFS 7.2.0 CLI Administration Guide

General cluster administration

lnn
severity
value
quiet
message
{--sort-by | -b} <column>
Specifies which column to sort the rows by. The default sort column is start_time.
--csv
Displays rows in CSV format and suppresses headers.
{--wide | -w}
Displays table in wide mode without truncations.

isi events notifications create

Creates a new event notification rule. Notifications rule parameters must be created in
order. For example, an --exclude parameter that is specified after an --include
parameter is not the same as specifying --include before --exclude.
Syntax
isi events notifications create --name <name>
[--email <email-address>]
[--snmp
<SNMP-community>@<<SNMP host>]
[--include-all <id>[,<id>]]
[--include-info <id>[,<id>]]
[--include-warn <id>[,<id>]]
[--include-critical <id>[,<id>]]
[--include-emergency <id>[,<id>]]
[--exclude-all <id>[,<id>]]
[--exclude-info <id>[,<id>]]
[--exclude-warn <id>[,<id>]]
[--exclude-critical <id>[,<id>]]
[--exclude-emergency <id>[,<id>]]

Options
--name <name>
Specifies the name of the notification rule being created.
--email <email-address>
Specifies the email address to send an SNMP event. Multiple email address can be
delimited with commas.
--snmp <SNMP-community>@<SNMP host>
Specifies the SNMP community and hostname to send snmp event. Community and
hostname are connected by an @ symbol. Multiple entries can be specified in a
comma-separated list.
--include-all <id>[,<id>]
Configures specified events for all severities (info, warn, critical, emergency). -include=all configures all events for all severities.
--include-info <id>[,<id>]

isi events notifications create

151

General cluster administration

Configures specified events for info severity. --include-info=all configures all

events for info.
--include-warn <id>[,<id>]
Configures specified events for warn severity. --include-warn=all configures
all events for warn.
--include-critical <id>[,<id>]
Configures specified events for critical severity. --include-critical=all
configures all events for critical.
--include-emergency <id>[,<id>]
Configures specified events for emergency severity. --include-critical=all
configures all events for emergency.
--exclude-all <id>[,<id>]
Excludes specified events for all severities (info, warn, critical, emergency). -exclude-all=all results in no configured events.
--exclude-info <id>[,<id>]
Excludes specified events for info severity. --exclude-info=all excludes all info
events.
--exclude-warn <id>[,<id>]
Excludes specified events for warn severity. --exclude-warn=all excludes all
warn events.
--exclude-critical <id>[,<id>]
Excludes specified events for critical severity. --exclude-critical=all
excludes all critical events.
--exclude-emergency <id>[,<id>]
Excludes specified events for emergency severity. --exclude-emergency=all
excludes all emergency events.

isi events notifications modify

Modifies an event notification rule. Notifications rule parameters must be created in
order.
Syntax
isi events notifications modify <name>
[--email <email-address>]
[--snmp
<SNMP-community>@<<SNMP host>]
[--add-all <id>[,<id>]]
[--add-info <id>[,<id>]]
[--add-warn <id>[,<id>]]
[--add-critical <id>[,<id>]]
[--add-emergency <id>[,<id>]]
[--delete-all <id>[,<id>]]
[--delete-info <id>[,<id>]]
[--delete-warn <id>[,<id>]]
[--delete-critical <id>[,<id>]]
[--delete-emergency <id>[,<id>]]

Options
<name>
152

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Specifies the name of the notification rule being modified.

--target-name <name>
Specifies a new name for the notification rule.
--email <email-address>
Specifies the email address to send an SNMP event. Multiple email address can be
delimited with commas.
--snmp <SNMP-community>@<SNMP host>
Specifies the SNMP community and hostname to send snmp event. Community and
hostname are connected by an @ symbol. Multiple entries can be specified in a
comma-separated list.
--add-all <id>[,<id>]
Configures specified events for all severities (info, warn, critical, emergency). -add=all configures all events for all severities.
--add-info <id>[,<id>]
Configures specified events for info severity. --add-info=all configures all
events for info.
--add-warn <id>[,<id>]
Configures specified events for warn severity. --add-warn=all configures all
events for warn.
--add-critical <id>[,<id>]
Configures specified events for critical severity. --add-critical=all configures
all events for critical.
--add-emergency <id>[,<id>]
Configures specified events for emergency severity. --add-critical=all
configures all events for emergency.
--delete-all <id>[,<id>]
Excludes specified events for all severities (info, warn, critical, emergency). -deletes-all=all results in no configured events.
--delete-info <id>[,<id>]
Excludes specified events for info severity. --deletes-info=all deletes all info
events.
--delete-warn <id>[,<id>]
Excludes specified events for warn severity. --deletes-warn=all deletes all
warn events.
--delete-critical <id>[,<id>]
Excludes specified events for critical severity. --deletes-critical=all deletes
all critical events.
--delete-emergency <id>[,<id>]
Excludes specified events for emergency severity. --deletes-emergency=all
deletes all emergency events.

isi events notifications modify

153

General cluster administration

isi events notifications delete

Deletes a notification rule.
Syntax
isi events notifications delete --name <name>

Options
{--name | -n} <name>
Specifies the name of the notification rule to delete.

isi events notifications list

Displays a list of settings for a notification rule.
Syntax
isi events notifications list
[--name <name>]

Options
{--name | -n} <name>
Specifies the name of the event notification rule.

isi events quiet

Marks an event as quieted. A quieted event is acknowledged when it is marked. The
event is not removed or canceled.
Syntax
isi events quiet --instanceids <id>

Options
{--instanceids | -i} [<id> | <id,id,id...>]
Specifies the instance ID of the event that you want to quiet.
Specifies multiple event instances in a comma-separated list.
You can specify all event instances with all.

isi events sendtest

Sends a test event notification to verify event notification settings.
Syntax
isi events sendtest
--wait

Options
{--wait | -w}
154

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Specifies a wait for an event existence in the master database.

isi events settings list

Displays a list of global settings and values.
Syntax
isi events settings list --name <name>

Options
{--name | -n} <name>
Specifies the name of the setting to display.

isi events settings set

Changes the values of global settings.
Syntax
isi events settings set --name <name> --value <value>

Options
{--name | -n} <name>>
Specifies the name of the setting to be changed.
{--value | -v} <value>
Specifies the new value for the specified setting.

isi events show

Displays information for an event.
Syntax
isi events show --instanceid <id>
[--wide]
[--localdb]

Options
{--instanceid | -i} <id>
Specifies the ID of the event to view.
{--wide | -w}
Displays the event information in wide mode.
{--localdb | -l}
Uses localdb instead of the master.

isi events settings list

155

General cluster administration

isi events unquiet

Returns a quieted event to an unacknowledged state.
Syntax
isi events unquiet --instanceid <id>

Options
{--instanceid | -i} {<id> | <id,id,id...>}
Instance ID of the event that you want to unquiet.
Specify multiple event instances in a comma-separated list.
Specify all event instances with all.

Hardware commands
You can check the status of your cluster harware, including specific node components,
through the hardware commands.

isi batterystatus
Displays the current state of NVRAM batteries and charging systems on node hardware
that supports this feature.
Syntax
isi batterystatus

Options
There are no options for this command.
Examples
To view the current state of NVRAM batteries and charging systems, run the following
command:
isi batterystatus

The system displays output similar to the following example:

battery 1 : Good (10)
battery 2 : Good (10)

If the node hardware is not compatible, the system displays output similar to the
following:
Battery status not supported on this hardware.

156

OneFS 7.2.0 CLI Administration Guide

General cluster administration

isi devices
Displays information about devices in the cluster and changes their status.
Syntax
isi devices
[--action <action>]
[--device {<LNN>:<drive> | <node-serial>}]
[--grid]
[--log <syslog-tag>]
[--timeout <timeout>]

Options
If no options are specified with this command, the current status of the local node is
displayed.
--action <action>
Designates the action to perform on a target device.
The following actions are available:
status
Displays the status of the given device.
smartfail
SmartFails the given node or drive.
stopfail
Ends the SmartFail operation on the given node. If the node is still attached to
the cluster, the node is returned to a healthy state. If the node has been removed
from the cluster, the node enters a suspended state.
add
Adds the given node or drive to the cluster.
format
Formats the specified drive.
fwstatus
Displays the firmware status of drives.
fwupdate
Updates the firmware of drives.
discover
Scans the internal cluster network for nodes that have not been added to the
cluster.
confirm
Displays the join status of the node.
queue
Queues the specified node to be added to the cluster. Once the node is
connected to the internal cluster network, the node will be automatically added
to the cluster. Specify --device as a node serial number.
unqueue
Removes the specified node from the queue of nodes to be added to the cluster.
If the node is connected to the internal cluster network, the node will not be
automatically added to the cluster. Specify --device as a node serial number.
queuelist
Displays the list of nodes that are queued to be added to the cluster.
isi devices

157

General cluster administration

{--device | -d} {<LNN>:<drive> | <node-serial>}

Sets the target device on which to perform an action. If only <LNN>: is specified, the
action is performed on the entire node. If only :<drive> is specified, the action is
performed on the specified drive in the local node.
The following values are valid for <drive> :
<N>

Where <N> is a valid bay number.

bay<N>

Where <N> is a valid bay number.

lnum<N> Where <N> is a valid lnum number.

Specify <node-serial> as a node serial number.

{--grid | -g}
Formats the requested system output to display in a grid to represent the physical
layout of the drive bays in the node chassis.
{--log | -L} <syslog-tag>
If the command succeeds, tags the command output with the specified tag and logs it
in /var/log/messages. This option is valid only if one of the following actions is
being performed: smartfail, stopfail, add, format, purpose, fwupdate,
queue, unqueue, queuelist.
{--timeout | -t} <timeout>
Establishes a timeout limit for the cluster information gathering period.

isi servicelight status

Indicates whether the LED service light on the back panel of a node is on or off.
Syntax
isi servicelight status

Options
There are no options for this command.
Examples
To display the status of the service light, run the following command.
isi servicelight status

The system displays output similar to the following example.

The service LED is off

isi servicelight off

Turns off the LED service light on the back panel of a node.
Syntax
isi servicelight off

158

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Options
There are no options for this command.
Examples
To turn off the LED service light on the back panel of a node, run the following command.
isi servicelight off

isi servicelight on
Turns on the LED service light on the back panel of a node.
Syntax
isi servicelight on

Options
There are no options for this command.
Examples
To turn on the LED service light on the back panel of a node, run the following command.
isi servicelight on

isi drivefirmware status

Displays the status of drive firmware on the cluster.
Syntax
isi drivefirmware status
[--action <action>]
[--device <node>:<drive>]
[--grid]
[--log <syslog-tag>]
[--timeout <timeout>]

Options
If no options are specified with this command, the current drive firmware status of the
local node is displayed.
{--local | -L}
Displays information from the local node only.
{--diskless | -D}
Displays information only from diskless nodes such as accelerators.
{--storage | -S}
Displays information only from storage nodes.
{--include-nodes | -n} <nodes>
Displays information only from the specified nodes.
{--exclude-nodes | -x} <nodes>
Displays information from all nodes except those that are specified.
--verbose
Displays more detailed information.

isi servicelight on

159

General cluster administration

isi firmware package

Displays information related to the installed firmware package.
Syntax
isi firmware package
[--local]
[--diskless]
[--storage]
[--include-nodes <nodes>]
[--exclude-nodes <nodes>]

Options
{--local | -L}
Displays information from the local node only.
{--diskless | -D}
Displays information only from diskless nodes such as accelerators.
{--storage | -S}
Displays information only from storage nodes.
{--include-nodes | -n} <nodes>
Displays information only from the specified nodes.
{--exclude-nodes | -x} <nodes>
Displays information from all nodes except those that are specified.
Examples
To display the status of all firmware, run the following command:
isi firmware status

To display firmware package information from all storage nodes in the cluster, run the
following command:
isi firmware package --storage

isi firmware status

Displays information on firmware types and versions.
Syntax
isi firmware status
[--local]
[--diskless]
[--storage]
[--include-nodes <nodes>]
[--exclude-nodes <nodes>]
[--include-device <device>]
[--exclude-device <device>]
[--include-type <device-type>]
[--exclude-type <device-type>]
[--save]
[--verbose]

160

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Options
{--local | -L}
Displays information from the local node only.
{--diskless | -D}
Displays information only from diskless nodes such as accelerators.
{--storage | -S}
Displays information only from storage nodes.
{--include-nodes | -n} <nodes>
Displays information only from the specified nodes.
{--exclude-nodes | -x} <nodes>
Displays information from all nodes except those that are specified.
{--include-device | -d} <device>
Displays information only from the specified device.
--exclude-device <device>
Displays information from all devices except those that are specified.
{--include-type | -t} <device-type>
Displays information only from the specified device type.
--exclude-type <device-type>
Displays information from all device types except those that are specified.
--save
Save the output of the status to /etc/ifs/firmware_versions.
{--verbose | -v}
Displays more detailed information.
Examples
To display firmware package information from nodes two and three, run the following
command:
isi firmware status --include-nodes 2,3

The system displays output similar to the following example.

Device
-- -----------IsilonIB
Lsi

Type
--------Network
DiskCtrl

Firmware
--------------------------------4.8.930+205-0002-05_A
6.28.00.00+01.28.02.00+1.17+0.99c

Nodes
----2-3
2-3

To display firmware package information for the network device type, run the following
command:
isi firmware status --include-type network

The system displays output similar to the following example.

Device
-- -----------IsilonIB

Type
--------Network

Firmware
Nodes
------------------------- ------------4.8.930+205-0002-05_A
1-6

isi firmware status

161

General cluster administration

isi firmware update

Updates firmware on devices within the cluster to match those in the installed firmware
package.
Each node is updated one at a time. Each time a node is updated, the node is restarted.
The system does not begin to update the next node until the previous node has rejoined
the cluster.
Syntax
isi firmware update
[--local]
[--diskless]
[--storage]
[--include-nodes <nodes>]
[--exclude-nodes <nodes>]
[--include-device <device>]
[--exclude-device <device>]
[--include-type <device-type>]
[--exclude-type <device-type>]
[--force]
[--verbose]

Options
{--local | -L}
Updates the local node only.
{--diskless | -D}
Updates diskless nodes such as accelerators only.
{--storage | -S}
Updates storage nodes only.
{--include-nodes | -n} <nodes>
Updates the specified nodes only.
{--exclude-nodes | -x} <nodes>
Updates all nodes except those that are specified.
{--include-device | -d} <device>
Updates the specified device only.
--exclude-device <device>
Updates all devices except those that are specified.
{--include-type | -t} <device-type>
Updates the specified device type only.
--exclude-type <device-type>
Updates all device types except those that are specified.
--force
Forces the update.
{--verbose | -v}
Displays more detailed information.

162

OneFS 7.2.0 CLI Administration Guide

General cluster administration

Examples
To update the firmware on nodes two and three, run the following command:
isi firmware update --include-nodes 2,3

To update the firmware for the network device type only, run the following command:
isi firmware update --include-type network

isi readonly off

Sets nodes to read-write mode.
This command only clears any user-specified requests for read-only mode. If the node
has been placed into read-only mode by the system, it will remain in read-only mode until
the conditions which triggered read-only mode have cleared.
Syntax
isi readonly off
[--nodes <nodes>]
[--verbose]

Options
If no options are specified, the local node is set to read-write mode.
--nodes <nodes>
Specifies the nodes to apply read-write settings to. The following values for <nodes>
are valid:
l
all
l

<int>

<int>-<int>

Multiple values can be specified in a comma-separated list.

{--verbose | -v}
Displays more detailed information.
Examples
To apply read-write settings to every node in the cluster, run the following command.
isi readonly off --nodes all

The system displays output similar to the following example.

Read-only changes committed successfully

Use the isi readonly show command to confirm the read-write settings of the
cluster. The system displays output similar to the following example.
node
---1
2
3
4

mode
-----------read/write
read/write
read/write
read/write

status
----------------------------------------------

isi readonly off

163

General cluster administration

5
6

read/write
read/write

isi readonly on
Sets nodes to read-only mode.
If read-only mode is currently disallowed for this node, it will remain read/write until
read-only mode is allowed again.
Syntax
isi readonly on
[--nodes <nodes>]
[--verbose]

Options
If no options are specified, the local node is set to read-only mode.
--nodes <nodes>
Specifies the nodes to apply read-only settings to. The following values for <nodes>
are valid:
l

all

<int>

<int>-<int>

Multiple values can be specified in a comma-separated list.

{--verbose | -v}
Displays more detailed information.
Examples
To apply read-only settings to every node in the cluster, run the following command.
isi readonly on --nodes all

The system displays output similar to the following example.

Read-only changes committed successfully

Use the isi readonly show command to confirm the read-only settings of the
cluster. The system displays output similar to the following example.
node
---1
2
3
4
5
6

164

mode
-----------read-only
read-only
read-only
read-only
read-only
read-only

OneFS 7.2.0 CLI Administration Guide

status
---------------------------------------------user-ui
user-ui
user-ui
user-ui
user-ui
user-ui

General cluster administration

isi readonly show

Displays a list of read-only settings for the cluster.
Syntax
isi readonly show

Options
There are no options for this command.
Examples
To display the read-only settings for the cluster, run the following command.
isi readonly show

The system displays output similar to the following example.

node
---1
2
3
4
5
6

mode
-----------read/write
read/write
read/write
read/write
read/write
read/write

status
----------------------------------------------

isi readonly show

165

General cluster administration

166

OneFS 7.2.0 CLI Administration Guide

CHAPTER 5
Access zones

This section contains the following topics:

l
l
l
l
l
l
l

Access zones overview ....................................................................................... 168

Access zone base directory rules.........................................................................168
Access zones best practices................................................................................169
Access zone limits...............................................................................................169
Quality of service.................................................................................................170
Managing access zones...................................................................................... 170
Access zone commands...................................................................................... 172

Access zones

167

Access zones

Access zones overview

Although the default view of an EMC Isilon cluster is that of one physical machine, you
can partition a cluster into multiple virtual containers called access zones. Access zones
allow you to isolate data and control who can access data in each zone.
Access zones support all configuration settings for authentication and identity
management services on a cluster, so you can configure authentication providers and
provision SMB shares and NFS exports on a zone-by-zone basis. When you create an
access zone, a local provider is created automatically, which allows you to configure each
access zone with a list of local users and groups. You can also authenticate through a
different authentication provider in each access zone.
To control data access, you can direct incoming connections to the access zone through a
specific IP address pool. Associating an access zone with an IP address pool restricts
authentication to the associated access zone and reduces the number of available and
accessible SMB shares and NFS exports. Another advantage to multiple access zones is
the ability to configure audit protocol access for individual access zones. You can modify
the default list of successful and failed protocol audit events and then generate reports
through a third-party tool for an individual access zone.
A cluster includes a built-in access zone named System, where you manage all aspects of
a cluster and other access zones. By default, all cluster IP addresses connect to the
System zone. Even if you create additional access zones, you configure all access zones
in the System zone. Role-based access, which primarily allows configuration actions, is
available through only the System zone. All administrators, including those given
privileges by a role, must connect to the System zone to configure a cluster.
Configuration management of a non-System access zone is not permitted through SSH,
the OneFS Platform API, or the web administration interface. However, you can create and
delete SMB shares in an access zone through the Microsoft Management Console (MMC).

Access zone base directory rules

You must assign a base directory to each access zone. A base directory defines the file
system tree exposed by an access zone and isolates data contained in the directory to
the access zone.
A base directory path is unique for each access zone and cannot overlap or be nested
inside base directories of other access zones.
Base directories restrict configuration options for several features such as SMB share
paths, NFS exports, the HDFS root directory, and the local provider home directory
template. You must observe the following rules when specifying a base directory:

168

The base directory cannot be identical to the base directory of any other access zone,
except the System zone. For example, you cannot specify /ifs/data/hr to both
the zone2 and zone3 access zones.

Cannot overlap with the file system tree of a base directory in any other access zone,
except the System zone. For example, if /ifs/data/hr is assigned to zone2, you
cannot assign /ifs/data/hr/personnel to zone3.

The base directory of the default System access zone is /ifs and cannot be
modified.

OneFS 7.2.0 CLI Administration Guide

Access zones

Note

Assigning a base directory that is identical to or overlaps with the System zone is
allowed, but only recommended as a temporary base directory when modifying the base
directory path and migrating data to the new directory.

Access zones best practices

You can avoid configuration problems on the EMC Isilon cluster when creating access
zones by following best practices guidelines.
Best practice

Details

Create unique base directories.

The base directory path of each access zone must be unique

and cannot overlap or be nested inside the base directory of
another access zone.

Separate the function of the

System zone from other access
zones.

If you choose to create any additional access zones, do not

allow data access in both the System zone and created zones.
Reserve the System zone for configuration access, and create
additional zones for data access. Move current data out of the
System zone and into a new access zone.

Create access zones to isolate

data access for different clients
or users.

Do not create access zones if a workflow requires data sharing

between different classes of clients or users.

Assign only one authentication

provider of each type to each
access zone.

An access zone is limited to a single Active Directory provider;

however, OneFS allows multiple LDAP, NIS, and file
authentication providers in each access zone. It is
recommended that you assign only one type of each provider
per access zone in order to simplify administration.

Avoid overlapping UID or GID

ranges for authentication
providers in the same access
zone.

The potential for zone access conflicts is slight but possible if

overlapping UIDs/GIDs are present in the same access zone.

Configure a single DNS server

for all access zones.

OneFS does not support one DNS server per access zone. It is
recommended that all access zones point to a single DNS
server.

Access zone limits

You can follow access zone limits guidelines to help size the workloads on the OneFS
system.
If you configure multiple access zones on an EMC Isilon cluster, limits guidelines are
recommended for optimal system performance. The limits described in the EMC Isilon
Guidelines for Large Workloads publication are recommended for heavy enterprise
workflows on a cluster, treating each access zone as a separate physical machine.

Access zones best practices

169

Access zones

Quality of service
You can set upper bounds on quality of service by assigning specific physical resources
to each access zone.
Quality of service addresses physical hardware performance characteristics that can be
measured, improved, and sometimes guaranteed. Characteristics measured for quality of
service include but are not limited to throughput rates, CPU usage, and disk capacity.
When you share physical hardware in an EMC Isilon cluster across multiple virtual
instances, competition exists for the following services:
l

CPU

Memory

Network bandwidth

Disk I/O

Disk capacity

Access zones do not provide logical quality of service guarantees to these resources, but
you can partition these resources between access zones on a single cluster. The following
table describes a few ways to partition resources to improve quality of service:
Use

Notes

NICs

You can assign specific NICs on specific nodes to an IP address pool that is
associated with an access zone. By assigning these NICs, you can determine the
nodes and interfaces that are associated with an access zone. This enables the
separation of CPU, memory, and network bandwidth.

SmartPools

SmartPools are separated by node hardware equivalence classes, usually into

multiple tiers of high, medium, and low performance. The data written to a
SmartPool is written only to the disks in the nodes of that pool.
Associating an IP address pool with only the nodes of a single SmartPool enables
partitioning of disk I/O resources.

SmartQuotas Through SmartQuotas, you can limit disk capacity by a user or a group or in a
directory. By applying a quota to an access zone's base directory, you can limit
disk capacity used in that access zone.

Managing access zones

You can create access zones on the EMC Isilon cluster, view and modify access zone
settings, and delete access zones.

Create an access zone

You can create an access zone to isolate data and restrict which users can access the
data.
Procedure
1. Run the isi zone zones create command.

170

OneFS 7.2.0 CLI Administration Guide

Access zones

The following command creates an access zone named zone3 and sets the base
directory to /ifs/hr/data:
isi zone zones create zone3 /ifs/hr/data

The following command creates an access zone named zone3, sets the base directory
to /ifs/hr/data and creates the directory on the EMC Isilon cluster if it does not
already exist:
isi zone zones create zone3 /ifs/hr/data --create-path

Associate an IP address pool with an access zone

You can associate an IP address pool with an access zone to ensure that clients can only
connect to the access zone through IP addresses in the pool.
Procedure
1. Run the isi networks modify pool command.
You must specify the name of the IP address pool in the following format: <subnetname>:<pool-name>.
The following command associates zone3 with pool1 on subnet1:
isi networks modify pool --name=subnet1:pool1 --access-zone=zone3

Modify an access zone

You can modify the properties of any access zone except the name of the built-in System
zone.
Procedure
1. Run the isi zone zones modify command.
The following command renames the zone3 access zone to zone5 and removes all
current authentication providers from the access zone:
isi zone zones modify zone3 --name=zone5 --clear-auth-providers

Add an authentication provider to an access zone

You can add an authentication provider to an existing access zone.
Procedure
1. Run the isi zone zones modify command with the --add-auth-providers
option.
You must specify the name of the authentication provider in the following format:
<provider-type>:<provider-name>.
The following command adds a file authentication provider named HR-Users to the
zone3 access zone:
isi zone zones modify zone3 --add-auth-providers=file:hr-users

Associate an IP address pool with an access zone

171

Access zones

Remove an authentication provider from an access zone

You can remove an authentication provider from an access zone. This does not remove
the authentication provider from the EMC Isilon cluster; the provider remains available for
future use.
Procedure
1. Run the isi zone zones modify command with the --remove-authproviders option.
You must specify the name of the authentication provider in the following format:
<provider-type>:<provider-name>.
The following command removes the file authentication provider named HR-Users
from the zone3 access zone:
isi zone zones modify zone3 --remove-auth-providers=file:hr-users

The following command removes all authentication providers from the zone3 access
zone:
isi zone zones modify zone3 --clear-auth-providers

Delete an access zone

You can delete any access zone except the built-in System zone. When you delete an
access zone, all associated authentication providers remain available to other access
zones, but IP addresses are not reassigned to other access zones. SMB shares, NFS
exports, and HDFS data paths are deleted when you delete an access zone; however, the
directories and data still exist, and you can map new shares, exports, or paths in another
access zone.
Procedure
1. Run the isi zone zones delete command.
The following command deletes the zone3 access zone :
isi zone zones delete zone3

Access zone commands

You can configure and manage access zones through access zone commands.

isi zone restrictions create

Prohibits user or group access to the /ifs directory. Attempts to read or write files by
restricted users or groups return ACCESS DENIED errors.
Syntax
isi zone restrictions create <zone> {<user> | --uid <integer>
| --group <string> | --gid <integer> | --sid <string>
| --wellknown <string>}
[--verbose]

Options
<zone>
172

OneFS 7.2.0 CLI Administration Guide

Access zones

Specifies an access zone by name.

<user>
Specifies a user by name.
--uid <integer>
Specifies a user by UID.
--group <string>
Specifies a group by name.
--gid <integer>
Specifies a group by GID.
--sid <string>
Specifies an object by user or group SID.
--wellknown <name>
Specifies a well-known user, group, machine, or account name.
{--verbose | -v}
Returns a success or fail message after running the command.

isi zone restrictions delete

Removes a restriction that prohibits user or group access to the /ifs directory.
Syntax
isi zone restrictions delete <zone> {<user> | --uid <integer>
| --group <string> | --gid <integer> | --sid <string>
| --wellknown <string>}
[--force]
[--verbose]

Options
<zone>
Specifies an access zone by name.
<user>
Specifies a user by name.
--uid <integer>
Specifies a user by UID.
--group <string>
Specifies a group by name.
--gid <integer>
Specifies a group by GID.
--sid <string>
Specifies an object by user or group SID.
--wellknown <string>
Specifies an object by well-known SID.
{--force | -f}
Suppresses command-line prompts and messages.
isi zone restrictions delete

173

Access zones

{--verbose | -v}
Returns a success or fail message after running the command.

isi zone restrictions list

Displays a list of users or groups that are prohibited from accessing the /ifs directory.
Syntax
isi zone restrictions list <zone>
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
<zone>
Specifies an access zone by name.
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.
Examples
To display a list of restricted users for the built-in System zone, run the following
command:
isi zone restrictions list system

isi zone zones create

Creates an access zone.
Syntax
isi zone zones create <name> <path>
[--cache-size <size>]
[--map-untrusted <workgroup>]
[--auth-providers <provider-type>:<provider-name>]
[--netbios-name <string>]
[--all-auth-providers {yes | no}]
[--user-mapping-rules <string>]
[--home-directory-umask <integer>]
[--skeleton-directory <string>]
[--audit-success <operations>]
[--audit-failure <operations>]
[--hdfs-authentication {all | simple_only | kerberos_only}]

174

OneFS 7.2.0 CLI Administration Guide

Access zones

[--hdfs-root-directory <path>]
[--webhdfs-enabled {yes | no}]
[--hdfs-ambari-server <string>]
[--hdfs-ambari-namenode <string>]
[--syslog-forwarding-enabled {yes | no}]
[--syslog-audit-events <operations>]
[--create-path]
[--verbose]

Options
<name>
Specifies the name of the access zone.
<path>
Specifies the base directory path for the zone. Paths for zones must not overlap,
meaning that you cannot create nested zones.
--cache-size <size>
Specifies the maximum size of the zones in-memory identity cache in bytes. Valid
values are integers in the range 1000000 - 50000000. The default value is
5000000.
--map-untrusted <workgroup>
Maps untrusted domains to the specified NetBIOS workgroup during authentication.
--auth-providers <provider-type>:<provider-name>
Specifies one or more authentication providers, separated by commas, for
authentication to the access zone. Authentication providers are checked in the order
specified. You must specify the name of the authentication provider in the following
format: <provider-type>:<provider-name>.
--netbios-name <string>
Specifies the NetBIOS name.
--all-auth-providers {yes | no}
Specifies whether to authenticate through all available authentication providers. If
no, authentication is through the list of providers specified by the --authproviders option.
--user-mapping-rules <string>
Specifies one or more user mapping rules, separated by commas, for the access
zone.
--home-directory-umask <integer>
Specifies the permissions to set on auto-created user home directories.
--skeleton-directory <string>
Sets the skeleton directory for user home directories.
--audit-success <operations>
Specifies one or more filters, separated by commas, for auditing protocol operations
that succeeded. The following operations are valid:
l

close

create

delete

get_security
isi zone zones create

175

Access zones

logoff

logon

read

rename

set_security

tree_connect

write

--audit-failure <operations>
Specifies one or more filters, separated by commas, for auditing protocol operations
that failed. The following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

--hdfs-authentication <operations>
Specifies the allowed authentication type for the HDFS protocol. Valid values are
all, simple_only, or kerberos_only
--hdfs-root-directory <path>
Specifies the root directory for the HDFS protocol.
--webhdfs-enabled {yes | no}
Enables or disables WebHDFS on the zone.
--hdfs-ambari-server <string>
Specifies the Ambari server that receives communication from an Ambari agent. The
value must be a resolvable hostname, FQDN, or IP address.
--hdfs-ambari-namenode <string>
Specifies a point of contact in the access zone that Hadoop services managed
through the Ambari interface should connect through. The value must be a resolvable
IP address or a SmartConnect zone name.
--syslog-forwarding-enabled {yes | no}
Enables or disables syslog forwarding of zone audit events.
--syslog-audit-events <operations>
Sets the filter for the auditing protocol operations to forward to syslog. You must
specify the --syslog-audit-events parameter for each additional filter. The
following operations are valid:
176

OneFS 7.2.0 CLI Administration Guide

Access zones

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

The all option specifies all valid filter operations.

--create-path
Specifies that the value entered as the access zone path is to be created if it doesn't
already exist.
{--verbose | -v}
Displays the results of running the command.

isi zone zones delete

Deletes an access zone. All authentication providers that are associated with the access
zone remain available to other zones, but IP addresses are not reassigned. You cannot
delete the built-in System zone.
Syntax
isi zone zones delete <zone>
[--force]
[--verbose]

Options
<zone>
Specifies the name of the access zone to delete.
{--force | -f}
Suppresses command-line prompts and messages.
{--verbose | -v}
Displays the results of running the command.

isi zone zones list

Displays a list of access zones in the cluster.
Syntax
isi zone zones list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]

isi zone zones delete

177

Access zones

[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.
Examples
To view a list of all access zones in the cluster, run the following command:
isi zone zones list

isi zone zones modify

Modifies an access zone.
Syntax
isi zone zones modify <zone>
[--name <string>]
[--path <path>]
[--cache-size <size>]
[--map-untrusted <string>]
[--auth-providers <provider-type>:<provider-name>]
[--clear-auth-providers]
[--add-auth-providers <provider-type>:<provider-name>]
[--remove-auth-providers <provider-type>:<provider-name>]
[--netbios-name <string>]
[--all-auth-providers {yes | no}]
[--user-mapping-rules <string>]
[--clear-user-mapping-rules]
[--add-user-mapping-rules <string>]
[--remove-user-mapping-rules <string>]
[--home-directory-umask <integer>]
[--skeleton-directory <string>]
[--audit-success <operations>]
[--clear-audit-success]
[--add-audit-success <operations>]
[--remove-audit-success <operations>]
[--audit-failure <operations>]
[--clear-audit-failure]
[--add-audit-failure <operations>]
[--remove-audit-failure <operations>]
[--hdfs-authentication {all | simple_only | kerberos_only}]
[--hdfs-root-directory <path>]
[--webhdfs-enabled {yes | no}]
[--hdfs-ambari-server <string>]
[--hdfs-ambari-namenode <string>]
[--syslog-forwarding-enabled {yes | no}]

178

OneFS 7.2.0 CLI Administration Guide

Access zones

[--syslog-audit-events <operations>]
[--clear-syslog-audit-events <operations>]
[--add-syslog-audit-events <operations>]
[--remove-syslog-audit-events <string>]
[--create-path]
[--verbose]

Options
<zone>

Specifies the name of the access zone to modify.

--name <string>
Specifies a new name for the access zone. You cannot change the name of the builtin System access zone.
--path <path>
Specifies the base directory path for the zone. Paths for zones must not overlap,
meaning that you cannot create nested zones.
--cache-size <size>
Specifies the maximum size of the zones in-memory cache in bytes. Valid values are
integers in the range 1000000 - 50000000. The default value is 50000000.
--map-untrusted <string>
Specifies the NetBIOS workgroup to map untrusted domains to during authentication.
--auth-providers <provider-type>:<provider-name>
Specifies one or more authentication providers, separated by commas, for
authentication to the access zone. This option overwrites any existing entries in the
authentication providers list. To add or remove providers without affecting the current
entries, configure settings for --add-auth-providers or --remove-authproviders.
--clear-auth-providers
Removes all authentication providers from the access zone.
--add-auth-providers <provider-type>:<provider-name>
Adds one or more authentication providers, separated by commas, to the access
zone.
--remove-auth-providers <provider-type>:<provider-name>
Removes one or more authentication providers, separated by commas, from the
access zone.
--netbios-name <string>
Specifies the NetBIOS name.
--all-auth-providers {yes | no}
Specifies whether to authenticate through all available authentication providers. If
no, authentication is through the list of providers specified by the --authproviders option.
--user-mapping-rules <string>
Specifies one or more user mapping rules, separated by commas, for the access zon.
This option overwrites all entries in the user mapping rules list. To add or remove
mapping rules without overwriting the current entries, configure settings with -add-user-mapping-rules or --remove-user-mapping-rules.
isi zone zones modify

179

Access zones

--clear-user-mapping-rules
Removes all user mapping rules from the access zone.
--add-user-mapping-rules <string>
Adds one or more user mapping rules, separated by commas, to the access zone.
--remove-user-mapping-rules <string>
Removes one or more user mapping rules, separated by commas, from the access
zone.
--home-directory-umask <integer>
Specifies the permissions to set on auto-created user home directories.
--skeleton-directory <string>
Sets the skeleton directory for user home directories.
--audit-success <operations>
Specifies one or more filters, separated by commas, for auditing protocol operations
that succeeded. This option overwrites the current list of filter operations. The
following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

To add or remove filters without affecting the current list, configure settings with -add-audit-success or --remove-audit-success.
--clear-audit-success
Clears all filters for auditing protocol operations that succeeded.
--add-audit-success <operations>
Adds one or more filters, separated by commas, for auditing protocol operations that
succeeded. The following operations are valid:

180

close

create

delete

get_security

logoff

logon

read

OneFS 7.2.0 CLI Administration Guide

Access zones

rename

set_security

tree_connect

write

all

--remove-audit-success <operations>
Removes one or more filters, separated by commas, for auditing protocol operations
that succeeded. The following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

--audit-failure <operations>
Specifies one or more filters, separated by commas, for auditing protocol operations
that failed. The following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

This option overwrites the current list of filter operations. To add or remove filters
without affecting the current list, configure settings with --add-audit-failure
or --remove-audit-failure.
--clear-audit-failure
Clears all filters for auditing protocol operations that failed.
--add-audit-failure <operations>
isi zone zones modify

181

Access zones

Adds one or more filters, separated by commas, for auditing protocol operations that
failed. The following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

--remove-audit-failure <operations>
Removes one or more filters, separated by commas, for auditing protocol operations
that failed. The following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

--hdfs-authentication <operations>
Specifies the allowed authentication type for the HDFS protocol. Valid values are
all, simple_only, or kerberos_only.
--hdfs-root-directory <path>
Specifies the root directory for the HDFS protocol.
--webhdfs-enabled {yes | no}
Enables or disables WebHDFS on the zone.
--hdfs-ambari-server <string>
Specifies the Ambari server that receives communication from an Ambari agent. The
value must be a resolvable hostname, FQDN, or IP address.
--hdfs-ambari-namenode <string>

182

OneFS 7.2.0 CLI Administration Guide

Access zones

Specifies a point of contact in the access zone that Hadoop services managed
through the Ambari interface should connect through. The value must be a resolvable
IP address or a SmartConnect zone name.
--syslog-forwarding-enabled {yes | no}
Enables or disables syslog forwarding of zone audit events.
--syslog-audit-events <operations>
Sets the filter for the auditing protocol operations to forward to syslog. You must
specify the --syslog-audit-events parameter for each additional filter. The
following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

The all option specifies all valid filter operations.

--clear-syslog-audit-events <operations>
Clears the filter setting for the auditing protocol operations that are forwarded to
syslog. You can specify all to clear all valid filter operations.
--add-syslog-audit-events <operations>
Adds a filter for the auditing protocol operations to forward to syslog. You must
specify the --syslog-audit-events parameter for each additional filter. The
following operations are valid:
l

close

create

delete

get_security

logoff

logon

read

rename

set_security

tree_connect

write

all

--remove-syslog-audit-events <string>
isi zone zones modify

183

Access zones

Removes a filter for the auditing protocol operations to forward to syslog. You must
specify the --syslog-audit-events parameter for each additional filter. The
all option specifies all valid filter operations. Specify --remove-syslogaudit-events for each filter setting that you want to add.
--create-path
Specifies that the zone path is to be created if it doesn't already exist.
{--verbose | -v}
Displays the results of running the command.

isi zone zones view

Displays the properties of an access zone.
Syntax
isi zone zones view <zone>

Options
<zone>
Specifies the name of the access zone to view.

184

OneFS 7.2.0 CLI Administration Guide

CHAPTER 6
Authentication and access control

This section contains the following topics:

l
l
l
l
l
l
l
l
l

Authentication and access control overview........................................................ 186

Role-based access.............................................................................................. 186
Authentication.................................................................................................... 198
Data access control............................................................................................. 202
Authorization...................................................................................................... 202
Managing roles................................................................................................... 205
Managing authentication providers..................................................................... 206
Managing access permissions.............................................................................225
Authentication and access control commands.....................................................228

Authentication and access control

185

Authentication and access control

Authentication and access control overview

OneFS supports several methods for ensuring that your cluster remains secure, including
UNIX- and Windows-style permissions for data-level access control, access zones for data
isolation, and role-based administration control access to system configuration settings.
OneFS is designed for a mixed environment that allows you to configure both Access
Control Lists (ACLs) and standard UNIX permissions on the cluster file system.
Note

In most situations, the default settings are sufficient. You can configure additional access
zones, custom roles, and permissions policies as necessary for your particular
environment.

Role-based access
You can assign role-based access to delegate administrative tasks to selected users.
Role based access control (RBAC) allows the right to perform particular administrative
actions to be granted to any user who can authenticate to a cluster. Roles are created by
a Security Administrator, assigned privileges, and then assigned members. All
administrators, including those given privileges by a role, must connect to the System
zone to configure the cluster. When these members log in to the cluster through a
configuration interface, they have these privileges. All administrators can configure
settings for access zones, and they always have control over all access zones on the
cluster.
Roles also give you the ability to assign privileges to member users and groups. By
default, only the root user and the admin user can log in to the web administration
interface through HTTP or the command-line interface through SSH. Using roles, the root
and admin users can assign others to built-in or customer roles that have login and
administrative privileges to perform specific administrative tasks.
Note

As a best practice, assign users to roles that contain the minimum set of necessary
privileges. For most purposes, the default permission policy settings, system access
zone, and built-in roles are sufficient. You can create role-based access management
policies as necessary for your particular environment.

Roles and privileges

In addition to controlling access to files and directories through ACLs and POSIX mode
bits, OneFS controls configuration-level access through administrator roles. A role is a
collection of OneFS privileges that are usually associated with a configuration subsystem.
Those privileges are granted to members of that role as they log in to the cluster through
the Platform API, command-line interface, or web administration interface

Roles
You can permit and limit access to administrative areas of your EMC Isilon cluster on a
per-user basis through roles.
OneFS includes built-in administrator roles with predefined sets of privileges that cannot
be modified. The following list describes what you can and cannot do through roles:
186

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

You can assign privileges through role membership.

You can add any user to a role as long as the user can authenticate to the cluster.

You can create custom roles and assign privileges to those roles.

You can add users singly or as groups, including well-known groups.

You can assign a user as a member of more than one role.

You can add a group to a role, which grants to all users who are members of that
group all of the privileges associated with the role.

You cannot assign privileges directly to users or groups.

Note

When OneFS is first installed, only users with root- or admin-level can log in and assign
users to roles.

Built-in roles
Built-in roles include privileges to perform a set of administrative functions.
The following tables describe each of the built-in roles from most powerful to least
powerful. The tables include the privileges and read/write access levels, if applicable,
that are assigned to each role. You can assign users and groups to built-in roles and to
roles that you create.
Table 3 SecurityAdmin role

Description

Privileges

Read/write
access

Administer security configuration on the cluster,

including authentication providers, local users and
groups, and role membership.

ISI_PRIV_LOGIN_CONSOLE N/A
ISI_PRIV_LOGIN_PAPI

N/A

ISI_PRIV_LOGIN_SSH

N/A

ISI_PRIV_AUTH

Read/write

ISI_PRIV_ROLE

Read/write

Table 4 SystemAdmin role

Description

Privileges

Read/write
access

Administer all aspects of cluster configuration that

are not specifically handled by the SecurityAdmin
role.

ISI_PRIV_LOGIN_CONSOLE

N/A

ISI_PRIV_LOGIN_PAPI

N/A

ISI_PRIV_LOGIN_SSH

N/A

ISI_PRIV_SYS_SHUTDOWN

N/A

ISI_PRIV_SYS_SUPPORT

N/A

ISI_PRIV_SYS_TIME

N/A

ISI_PRIV_ANTIVIRUS

Read/write

ISI_PRIV_AUDIT

Read/write

ISI_PRIV_CLUSTER

Read/write

Roles and privileges

187

Authentication and access control

Table 4 SystemAdmin role (continued)

Description

Privileges

Read/write
access

ISI_PRIV_DEVICES

Read/write

ISI_PRIV_EVENT

Read/write

ISI_PRIV_FTP

Read/write

ISI_PRIV_HDFS

Read/write

ISI_PRIV_HTTP

Read/write

ISI_PRIV_ISCSI

Read/write

ISI_PRIV_JOB_ENGINE

Read/write

ISI_PRIV_LICENSE

Read/write

ISI_PRIV_NDMP

Read/write

ISI_PRIV_NETWORK

Read/write

ISI_PRIV_NFS

Read/write

ISI_PRIV_NTP

Read/write

ISI_PRIV_QUOTA

Read/write

ISI_PRIV_REMOTE_SUPPORT Read/write
ISI_PRIV_SMARTPOOLS

Read/write

ISI_PRIV_SMB

Read/write

ISI_PRIV_SNAPSHOT

Read/write

ISI_PRIV_STATISTICS

Read/write

ISI_PRIV_SYNCIQ

Read/write

ISI_PRIV_VCENTER

Read/write

ISI_PRIV_WORM

Read/write

ISI_PRIV_NS_TRAVERSE

N/A

ISI_PRIV_NS_IFS_ACCESS

N/A

Table 5 AuditAdmin role

Description

Privileges

View all system configuration settings. ISI_PRIV_LOGIN_CONSOLE

188

OneFS 7.2.0 CLI Administration Guide

Read/write access
N/A

ISI_PRIV_LOGIN_PAPI

N/A

ISI_PRIV_LOGIN_SSH

N/A

ISI_PRIV_ANTIVIRUS

Read-only

ISI_PRIV_AUDIT

Read-only

ISI_PRIV_CLUSTER

Read-only

Authentication and access control

Table 5 AuditAdmin role (continued)

Description

Privileges

Read/write access

ISI_PRIV_DEVICES

Read-only

ISI_PRIV_EVENT

Read-only

ISI_PRIV_FTP

Read-only

ISI_PRIV_HDFS

Read-only

ISI_PRIV_HTTP

Read-only

ISI_PRIV_ISCSI

Read-only

ISI_PRIV_JOB_ENGINE

Read-only

ISI_PRIV_LICENSE

Read-only

SI_PRIV_NDMP

Read-only

ISI_PRIV_NETWORK

Read-only

ISI_PRIV_NFS

Read-only

ISI_PRIV_NTP

Read-only

ISI_PRIV_QUOTA

Read-only

ISI_PRIV_REMOTE_SUPPORT Read-only
ISI_PRIV_SMARTPOOLS

Read-only

ISI_PRIV_SMB

Read-only

ISI_PRIV_SNAPSHOT

Read-only

ISI_PRIV_STATISTICS

Read-only

ISI_PRIV_SYNCIQ

Read-only

ISI_PRIV_VCENTER

Read-only

ISI_PRIV_WORM

Read-only

Table 6 VMwareAdmin role

Description

Privileges

Read/write
access

Administers remotely all aspects of storage

needed by VMware vCenter.

ISI_PRIV_LOGIN_PAPI

N/A

ISI_PRIV_ISCSI

Read/write

ISI_PRIV_NETWORK

Read/write

ISI_PRIV_SMARTPOOLS

Read/write

ISI_PRIV_SNAPSHOT

Read/write

ISI_PRIV_SYNCIQ

Read/write

ISI_PRIV_VCENTER

Read/write

ISI_PRIV_NS_TRAVERSE

N/A

Roles and privileges

189

Authentication and access control

Table 6 VMwareAdmin role (continued)

Description

Privileges

Read/write
access

ISI_PRIV_NS_IFS_ACCESS N/A
Table 7 BackupAdmin role

Description

Privileges

Allows backup and restore of files from /ifs ISI_PRIV_IFS_BACKUP

Read/write access
Read-only

ISI_PRIV_IFS_RESTORE Read-only

Custom roles
Custom roles supplement built-in roles.
You can create custom roles and assign privileges mapped to administrative areas in your
EMC Isilon cluster environment. For example, you can create separate administrator roles
for security, auditing, storage provisioning, and backup.
You can designate certain privileges as read-only or read/write when adding the privilege
to a role. You can modify this option at any time.
You can add or remove privileges as user responsibilities grow and change.

Privileges
Privileges permit users to complete tasks on an EMC Isilon cluster.
Privileges are associated with an area of cluster administration such as Job Engine, SMB,
or statistics.
Privileges have one of two forms:
Action
Allows a user to perform a specific action on a cluster. For example, the
ISI_PRIV_LOGIN_SSH privilege allows a user to log in to a cluster through an SSH
client.
Read/Write
Allows a user to view or modify a configuration subsystem such as statistics,
snapshots, or quotas. For example, the ISI_PRIV_SNAPSHOT privilege allows an
administrator to create and delete snapshots and snapshot schedules. A read/write
privilege can grant either read-only or read/write access. Read-only access allows a
user to view configuration settings; read/write access allows a user to view and
modify configuration settings.
Privileges are granted to the user on login to a cluster through the OneFS API, the web
administration interface, SSH, or a console session. A token is generated for the user,
which includes a list of all privileges granted to the user. Each URI, web-administration
interface page, and command requires a specific privilege to view or modify the
information available through any of these interfaces.

190

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Note

Privileges are not granted to users that do not connect to the System Zone during login or
to users that connect through the deprecated Telnet service, even if they are members of
a role.

OneFS privileges
Privileges in OneFS are assigned through role membership; privileges cannot be assigned
directly to users and groups.
Table 8 Login privileges

OneFS privilege

User right

Privilege type

ISI_PRIV_LOGIN_CONSOLE Log in from the console

Action

ISI_PRIV_LOGIN_PAPI

Log in to the Platform API

and the web
administration interface

Action

ISI_PRIV_LOGIN_SSH

Log in through SSH

Action

User right

Privilege type

Table 9 System privileges

OneFS privilege

ISI_PRIV_SYS_SHUTDOWN Shut down the system

Action

ISI_PRIV_SYS_SUPPORT

Run cluster diagnostic

tools

Action

ISI_PRIV_SYS_TIME

Change the system time

Action

OneFS privilege

User right

Privilege type

ISI_PRIV_AUTH

Configure external
authentication providers

Read/write

ISI_PRIV_ROLE

Create new roles and

assign privileges

Read/write

Table 10 Security privileges

Table 11 Configuration privileges

OneFS privilege

User right

Privilege type

ISI_PRIV_ANTIVIRUS

Configure antivirus
scanning

Read/write

IS_PRIV_AUDIT

Configure audit
capabilities

Read/write

ISI_PRIV_CLUSTER

Configure cluster identity

and general settings

Read/write

Roles and privileges

191

Authentication and access control

Table 11 Configuration privileges (continued)

192

OneFS privilege

User right

Privilege type

ISI_PRIV_DEVICES

Create new roles and

assign privileges

Read/write

ISI_PRIV_EVENT

View and modify system

events

Read/write

ISI_PRIV_FTP

Configure FTP server

Read/write

ISI_PRIV_HDFS

Configure HDFS server

Read/write

ISI_PRIV_HTTP

Configure HTTP server

Read/write

ISI_PRIV_ISCSI

Configure iSCSI server

Read/write

ISI_PRIV_JOB_ENGINE

Schedule cluster-wide
jobs

Read/write

ISI_PRIV_LICENSE

Activate OneFS software

licenses

Read/write

ISI_PRIV_NDMP

Configure NDMP server

Read/write

ISI_PRIV_NETWORK

Configure network
interfaces

Read/write

ISI_PRIV_NFS

Configure the NFS server

Read/write

ISI_PRIV_NTP

Configure NTP

Read/write

ISI_PRIV_QUOTA

Configure file system

quotas

Read/write

ISI_PRIV_REMOTE_SUPPO
RT

Configure remote support

Read/write

ISI_PRIV_SMARTPOOLS

Configure storage pools

Read/write

ISI_PRIV_SMB

Configure the SMB server

Read/write

ISI_PRIV_SNAPSHOT

Schedule, take, and view

snapshots

Read/write

ISI_PRIV_SNMP

Configure SNMP server

Read/write

ISI_PRIV_STATISTICS

View file system

performance statistics

Read/write

ISI_PRIV_SYNCIQ

Configure SyncIQ

Read/write

ISI_PRIV_VCENTER

Configure VMware for

vCenter

Read/write

ISI_PRIV_WORM

Configure SmartLock
directories

Read/write

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Table 12 Platform API-only privileges

OneFS privilege

User right

Privilege type

ISI_PRIV_EVENT

View and modify system

events

Read/write

ISI_PRIV_LICENSE

Activate OneFS software

licenses

Read/write

ISI_PRIV_STATISTICS

View file system

performance statistics

Read/write

Table 13 File access privileges

OneFS privilege

User right

Privilege type

ISI_PRIV_IFS_BACKUP

Back up files from /ifs.

Action

Note

This privilege circumvents

traditional file access
checks, such as mode bits
or NTFS ACLs.
ISI_PRIV_IFS_RESTORE

Restore files from /ifs.

Action

Note

This privilege circumvents

traditional file access
checks, such as mode bits
or NTFS ACLs.

Command-line interface privileges

You can perform most tasks granted by a privilege through the command-line interface.
Some OneFS commands require root access, but if you do not have root access, you can
perform most of the commands associated with a privilege through the sudo program.
The system automatically generates a sudoers file of users based on existing roles.
Prefixing a command with sudo allows you to run commands that require root access. For
example, if you do not have root access, the following command fails:
isi alert list

If you are on the sudoers list because you are a member of a role that has the
ISI_PRIV_EVENT privilege, the following command succeeds:
sudo isi alert list

The following tables list all One FS commands available, the associated privilege or rootaccess requirement, and whether sudo is required to run the command.

Roles and privileges

193

Authentication and access control

Note

If you are running in compliance mode, additional sudo commands are available.
Table 14 Privileges sorted by CLI command

194

isi command

Privilege

Requires sudo

isi alert

ISI_PRIV_EVENT

isi audit

ISI_PRIV_AUDIT

isi auth - excluding isi auth

role

ISI_PRIV_AUTH

isi auth role

ISI_PRIV_ROLE

isi avscan

ISI_PRIV_ANTIVIRUS

isi batterystatus

ISI_PRIV_STATISTICS

isi config

root

isi dedupe - excluding isi

dedupe stats

ISI_PRIV_JOB_ENGINE

isi dedupe stats

ISI_PRIV_STATISTICS

isi devices

ISI_PRIV_DEVICES

isi drivefirmware

root

isi domain

root

isi email

ISI_PRIV_CLUSTER

isi events

ISI_PRIV_EVENT

isi exttools

root

isi fc

root

isi filepool

ISI_PRIV_SMARTPOOLS

isi firmware

root

isi ftp

ISI_PRIV_FTP

isi get

root

isi hdfs

ISI_PRIV_HDFS

isi iscsi

ISI_PRIV_ISCSI

isi job

ISI_PRIV_JOB_ENGINE

isi license

ISI_PRIV_LICENSE

isi lun

ISI_PRIV_ISCSI

isi ndmp

ISI_PRIV_NDMP

isi networks

ISI_PRIV_NETWORK

isi nfs

ISI_PRIV_NFS

isi perfstat

ISI_PRIV_STATISTICS

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Table 14 Privileges sorted by CLI command (continued)

isi command

Privilege

Requires sudo

isi pkg

root

isi quota

ISI_PRIV_QUOTA

isi readonly

root

isi remotesupport

ISI_PRIV_REMOTE_SUPPORT

isi servicelight

ISI_PRIV_DEVICES

isi services

root

isi set

root

isi smb

ISI_PRIV_SMB

isi snapshot

ISI_PRIV_SNAPSHOT

isi snmp

ISI_PRIV_SNMP

isi stat

ISI_PRIV_STATISTICS

isi statistics

ISI_PRIV_STATISTICS

isi status

ISI_PRIV_STATISTICS

isi storagepool

ISI_PRIV_SMARTPOOLS

isi sync

ISI_PRIV_SYNCIQ

isi tape

ISI_PRIV_NDMP

isi target

ISI_PRIV_ISCSI

isi update

root

isi version

ISI_PRIV_CLUSTER

isi worm

ISI_PRIV_WORM

isi zone

ISI_PRIV_AUTH

Table 15 CLI commands sorted by privilege

Privilege

isi commands

ISI_PRIV_ANTIVIRUS

isi avscan

ISI_PRIV_AUDIT

isi audit

ISI_PRIV_AUTH

isi auth - excluding isi auth

role

isi zone

ISI_PRIV_IFS_BACKUP

N/A

ISI_PRIV_CLUSTER

isi email

isi version

Requires sudo
x

N/A
x

Roles and privileges

195

Authentication and access control

Table 15 CLI commands sorted by privilege (continued)

Privilege

isi commands

ISI_PRIV_DEVICES

isi devices

isi servicelight

isi alert

isi events

ISI_PRIV_FTP

isi ftp

ISI_PRIV_HDFS

isi hdfs

ISI_PRIV_ISCSI

isi iscsi

isi lun

isi target

isi job

isi dedupe - excluding isi

dedupe stats

ISI_PRIV_LICENSE

isi license

ISI_PRIV_NDMP

isi ndmp

isi tape

ISI_PRIV_NETWORK

isi networks

ISI_PRIV_NFS

isi nfs

ISI_PRIV_QUOTA

isi quota

ISI_PRIV_ROLE

isi auth role

ISI_PRIV_REMOTE_SUPPORT

isi remotesupport

ISI_PRIV_IFS_RESTORE

N/A

ISI_PRIV_SMARTPOOLS

isi filepool

isi storagepool

ISI_PRIV_SMB

isi smb

ISI_PRIV_SNAPSHOT

isi snapshot

ISI_PRIV_SNMP

isi snmp

ISI_PRIV_STATISTICS

isi batterystatus

isi dedupe stats

isi perfstat

isi stat

ISI_PRIV_EVENT

ISI_PRIV_JOB_ENGINE

196

OneFS 7.2.0 CLI Administration Guide

Requires sudo
x

N/A

Authentication and access control

Table 15 CLI commands sorted by privilege (continued)

Privilege

isi commands

Requires sudo

isi statistics

isi status

ISI_PRIV_SYNCIQ

isi sync

ISI_PRIV_WORM

isi worm

root

isi config

isi domain

isi drivefirmware

isi exttools

isi fc

isi firmware

isi get

isi pkg

isi readonly

isi services

isi set

isi update

Data backup and restore privileges

You can assign privileges to a user that are explicitly for cluster data backup and restore
actions.
Two privileges allow a user to backup and restore cluster data over supported client-side
protocols: ISI_PRIV_IFS_BACKUP and ISI_PRIV_IFS_RESTORE.
CAUTION

These privileges circumvent traditional file access checks, such as mode bits or NTFS
ACLs.
Most cluster privileges allow changes to cluster configuration in some manner. The
backup and restore privileges allow access to cluster data from the System zone, the
traversing of all directories, and reading of all file data and metadata regardless of file
permissions.
Users assigned these privileges use the protocol as a backup protocol to another
machine without generating access-denied errors and without connecting as the root
user. These two privileges are supported over the following client-side protocols:
l

SMB

RAN API

FTP

SSH
Data backup and restore privileges

197

Authentication and access control

Over SMB, the ISI_PRIV_IFS_BACKUP and ISI_PRIV_IFS_RESTORE privileges emulate the

Windows privileges SE_BACKUP_NAME and SE_RESTORE_NAME. The emulation means
that normal file-open procedures are protected by file system permissions. To enable the
backup and restore privileges over the SMB protocol, you must open files with the
FILE_OPEN_FOR_BACKUP_INTENT option, which occurs automatically through Windows
backup software such as Robocopy. Application of the option is not automatic when files
are opened through general file browsing software such as Windows File Explorer.
Both ISI_PRIV_IFS_BACKUP and ISI_PRIV_IFS_RESTORE privileges primarily support
Windows backup tools such as Robocopy. A user must be a member of the BackupAdmin
built-in role to access all Robocopy features, which includes copying file DACL and SACL
metadata.

User permissions utility

You can view expected user or group permissions to a given file or directory with the
expected user permissions utility.
The command-line interface expected user permissions utility provides quick discovery of
user and group permissions, displaying ACL or mode bits permissions. The utility does
not display privileges or SMB share permissions, however.
Note

You must be a member of a role that has ISI_PRIV_LOGIN_SSH and ISI_PRIV_AUTH

privileges to run this utility.
For information about viewing group or user permissions, see the View expected user
permissions topic.

Authentication
OneFS supports local and remote authentication providers to verify that users attempting
to access an EMC Isilon cluster are who they claim to be. Anonymous access, which does
not require authentication, is supported for protocols that allow it.
OneFS supports concurrent multiple authentication provider types, which are analogous
to directory services. For example, OneFS is often configured to authenticate Windows
clients with Active Directory and to authenticate UNIX clients with LDAP. You can also
configure NIS, designed by Sun Microsystems, to authenticate users and groups when
they access a cluster.
Note

OneFS is RFC 2307-compliant.

Supported authentication providers

You can configure local and remote authentication providers to authenticate or deny user
access to an EMC Isilon cluster.
The following table compares features that are available with each of the authentication
providers that OneFS supports. In the following table, an x indicates that a feature is fully
supported by a provider; an asterisk (*) indicates that additional configuration or support
from another provider is required.

198

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Authentication
provider

NTLM Kerberos User/group

Netgroups UNIX
Windows
management
properties properties
(RFC 2307)

Active Directory

LDAP

NIS
Local

File

MIT Kerberos

x
x

Authentication provider features

You can configure authentication providers for your environment.
Authentication providers support a mix of the features described in the following table.
Feature

Description

Authentication

All authentication providers support plain-text authentication. You

can configure some providers to support NTLM or Kerberos
authentication also.

Users and groups

OneFS provides the ability to manage users and groups directly on

the cluster.

Netgroups

Specific to NFS, netgroups restrict access to NFS exports.

UNIX-centric user and group

properties

Login shell, home directory, UID, and GID. Missing information is

supplemented by configuration templates or additional
authentication providers.

Windows-centric user and

group properties

NetBIOS domain and SID. Missing information is supplemented by

configuration templates.

Kerberos authentication
Kerberos is a network authentication provider that negotiates encryption tickets for
securing a connection. OneFS supports Active Directory Kerberos and MIT Kerberos
authentication providers on an EMC Isilon cluster. If you configure an Active Directory
provider, Kerberos authentication is provided automatically. MIT Kerberos works
independently of Active Directory.
For MIT Kerberos authentication, you define an administrative domain known as a realm.
Within this realm, an authentication server has the authority to authenticate a user, host,
or service. You can optionally define a Kerberos domain to allow additional domain
extensions to be associated with a realm.
The authentication server in a Kerberos environment is called the Key Distribution Center
(KDC) and distributes encrypted tickets. When a user authenticates with an MIT Kerberos
provider within a realm, an encrypted ticket with the user's service principal name (SPN)
is created and validated to securely pass the user's identification for the requested
service.

Authentication provider features

199

Authentication and access control

You can include an MIT Kerberos provider in specific access zones for authentication.
Each access zone may include at most one MIT Kerberos provider. You can discontinue
authentication through an MIT Kerberos provider by removing the provider from all the
referenced access zones.

Keytabs and SPNs overview

A Key Distribution Center (KDC) is an authentication server that stores accounts and
keytabs for users connecting to a network service within an EMC Isilon cluster. A keytab is
a key table that stores keys to validate and encrypt Kerberos tickets.
One of the fields in a keytab entry is a service principal name (SPN). An SPN identifies a
unique service instance within a cluster. Each SPN is associated with a specific key in the
KDC. Users can use the SPN and its associated keys to obtain Kerberos tickets that
enable access to various services on the cluster. A member of the SecurityAdmin role can
create new keys for the SPNs and modify them later as necessary. An SPN for a service
typically appears as <service>/<fqdn>@<realm>.
Note

SPNs must match the SmartConnect zone name and the FQDN hostname of the cluster. If
the SmartConnect zone settings are changed, you must update the SPNs on the cluster to
match the changes.

MIT Kerberos protocol support

MIT Kerberos supports certain standard network communication protocols such as HTTP,
HDFS, and NFS. MIT Kerberos does not support SMB, SSH, and FTP protocols.
For the NFS protocol support, MIT Kerberos must be enabled for an export and also a
Kerberos provider must be included within the access zone.

LDAP
The Lightweight Directory Access Protocol (LDAP) is a networking protocol that enables
you to define, query, and modify directory services and resources.
OneFS can authenticate users and groups against an LDAP repository in order to grant
them access to the cluster. OneFS supports Kerberos authentication for an LDAP provider.
The LDAP service supports the following features:
l
Users, groups, and netgroups.
l
Configurable LDAP schemas. For example, the ldapsam schema allows NTLM
authentication over the SMB protocol for users with Windows-like attributes.
l
Simple bind authentication, with and without SSL.
l
Redundancy and load balancing across servers with identical directory data.
l
Multiple LDAP provider instances for accessing servers with different user data.
l
Encrypted passwords.

Active Directory
The Active Directory directory service is a Microsoft implementation of Lightweight
Directory Access Protocol (LDAP), Kerberos, and DNS technologies that can store
information about network resources. Active Directory can serve many functions, but the
primary reason for joining the cluster to an Active Directory domain is to perform user and
group authentication.
When the cluster joins an Active Directory domain, a single Active Directory machine
account is created. The machine account establishes a trust relationship with the domain
200

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

and enables the cluster to authenticate and authorize users in the Active Directory forest.
By default, the machine account is named the same as the cluster. If the cluster name is
more than 15 characters long, the name is hashed and displayed after joining the
domain.
Note

If you configure an Active Directory provider, Kerberos authentication is provided

automatically.
Whenever possible, observe the following guidelines when you configure Active Directory
providers on a cluster:
l

Configure a single Active Directory instance if all domains have a trust relationship.

Configure multiple Active Directory instances only to grant access to multiple sets of
mutually-untrusted domains.

NIS
The Network Information Service (NIS) provides authentication and identity uniformity
across local area networks. OneFS includes an NIS authentication provider that enables
you to integrate the cluster with your NIS infrastructure.
NIS, designed by Sun Microsystems, can authenticate users and groups when they
access the cluster. The NIS provider exposes the passwd, group, and netgroup maps from
an NIS server. Hostname lookups are also supported. You can specify multiple servers for
redundancy and load balancing.
Note

NIS is different from NIS+, which OneFS does not support.

File provider
A file provider enables you to supply an authoritative third-party source of user and group
information to an EMC Isilon cluster. A third-party source is useful in UNIX and Linux
environments that synchronize /etc/passwd, /etc/group, and etc/netgroup
files across multiple servers.
Standard BSD /etc/spwd.db and /etc/group database files serve as the file
provider backing store on a cluster. You generate the spwd.db file by running the
pwd_mkdb command in the OneFS command-line interface (CLI). You can script updates
to the database files.
On an Isilon cluster, a file provider hashes passwords with libcrypt. For the best
security, we recommend that you use the Modular Crypt Format in the source /etc/
passwd file to determine the hashing algorithm. OneFS supports the following
algorithms for the Modular Crypt Format:
l

MD5

NT-Hash

SHA-256

SHA-512

For information about other available password formats, run the man 3 crypt
command in the CLI to view the crypt man pages.

NIS

201

Authentication and access control

Note

The built-in System file provider includes services to list, manage, and authenticate
against system accounts such as root, admin, and nobody. We recommended that you do
not modify the System file provider.

Local provider
The local provider provides authentication and lookup facilities for user accounts added
by an administrator.
Local authentication is useful when Active Directory, LDAP, or NIS directory services are
not configured or when a specific user or application needs access to the cluster. Local
groups can include built-in groups and Active Directory groups as members.
In addition to configuring network-based authentication sources, you can manage local
users and groups by configuring a local password policy for each node in the cluster.
OneFS settings specify password complexity, password age and re-use, and passwordattempt lockout policies.

Data access control

You can configure an EMC Isilon cluster so that both UNIX and Windows users have
access to content over NFS and SMB, regardless of the protocol that stored the data.
The OneFS operating system supports multiprotocol data access over Server Message
Block (SMB) and Network File System (NFS) with a unified security model. For NFS, the
default export on a cluster, /ifs, enables Linux and UNIX clients to remotely mount any
subdirectory, including subdirectories created by Windows users. Linux and UNIX clients
also can mount ACL-protected subdirectories created by a OneFS administrator.
Conversely, for SMB the default file share on a cluster, /ifs, provides Windows users
access to file system resources over the network that includes resources stored by UNIX
and Linux systems. The same access model applies to directories and files.
By default, OneFS maintains the same file permissions regardless of the clients
operating system, the users identity management system, or the file sharing protocol.
When OneFS must transform a files permissions from ACLs to mode bits or vice versa, it
merges the permissions into an optimal representation that uniquely balances user
expectations and file security.

Authorization
OneFS supports two types of authorization data on a file: Windows-style access control
lists (ACLs) and POSIX mode bits (UNIX permissions). Authorization type is based on the
ACL policies that are set and on the file-creation method.
Access to a file or directory is governed by either a Windows access control list (ACL) or
UNIX mode bits. Regardless of the security model, OneFS enforces access rights
consistently across access protocols. A user is granted or denied the same rights to a file
when using SMB for Windows file sharing as when using NFS for UNIX file sharing.
An EMC Isilon cluster includes global policy settings that enable you to customize the
default ACL and UNIX permissions to best support your environment. Generally, files that
are created over SMB or in a directory that has an ACL receive an ACL; otherwise, OneFS
relies on the POSIX mode bits that define UNIX permissions. In either case, the owner is
represented by a UNIX identifier (UID or GID) or by its Windows identifier (SID). The
202

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

primary group is represented by a GID or SID. Although mode bits are present when a file
has an ACL, the mode bits are provided for only protocol compatibility, not for access
checks.
Note

Although you can configure ACL policies to optimize a cluster for UNIX or Windows, you
should do so only if you understand how ACL and UNIX permissions interact.
The OneFS file system installs with UNIX permissions as the default. By using Windows
Explorer or OneFS administrative tools, you can give a file or directory an ACL. In addition
to Windows domain users and groups, ACLs in OneFS can include local, NIS, and LDAP
users and groups. After you give a file an ACL, OneFS stops enforcing the file's mode bits,
which remain only as an estimate of the effective permissions.

SMB
You can configure SMB shares to provide Windows clients network access to file system
resources on the cluster. You can grant permissions to users and groups to carry out
operations such as reading, writing, and setting access permissions on SMB shares.

ACLs
In Windows environments, file and directory permissions, referred to as access rights, are
defined in access control lists (ACLs). Although ACLs are more complex than mode bits,
ACLs can express much more granular sets of access rules. OneFS checks the ACL
processing rules commonly associated with Windows ACLs.
A Windows ACL contains zero or more access control entries (ACEs), each of which
represents the security identifier (SID) of a user or a group as a trustee. In OneFS, an ACL
can contain ACEs with a UID, GID, or SID as the trustee. Each ACE contains a set of rights
that allow or deny access to a file or folder. An ACE can optionally contain an inheritance
flag to specify whether the ACE should be inherited by child folders and files.
Note

Instead of the standard three permissions available for mode bits, ACLs have 32 bits of
fine-grained access rights. Of these, the upper 16 bits are general and apply to all object
types. The lower 16 bits vary between files and directories but are defined in a way that
allows most applications to apply the same bits for files and directories.
Rights grant or deny access for a given trustee. You can block user access explicitly
through a deny ACE or implicitly by ensuring that a user does not directly, or indirectly
through a group, appear in an ACE that grants the right.

NFS
You can configure NFS exports to provide UNIX clients network access to file system
resources on the cluster.

SMB

203

Authentication and access control

UNIX permissions
In a UNIX environment, file and directory access is controlled by POSIX mode bits, which
grant read, write, or execute permissions to the owning user, the owning group, and
everyone else.
OneFS supports the standard UNIX tools for viewing and changing permissions, ls,
chmod, and chown. For more information, run the man ls, man chmod, and man
chown commands.
All files contain 16 permission bits, which provide information about the file or directory
type and the permissions. The lower 9 bits are grouped as three 3-bit sets, called triples,
which contain the read, write, and execute (rwx) permissions for each class of users
owner, group, and other. You can set permissions flags to grant permissions to each of
these classes.
Unless the user is root, OneFS checks the class to determine whether to grant or deny
access to the file. The classes are not cumulative: The first class matched is applied. It is
therefore common to grant permissions in decreasing order.

Mixed-permission environments
When a file operation requests an objects authorization data, for example, with the ls l command over NFS or with the Security tab of the Properties dialog box in Windows
Explorer over SMB, OneFS attempts to provide that data in the requested format. In an
environment that mixes UNIX and Windows systems, some translation may be required
when performing create file, set security, get security, or access operations.

NFS access of Windows-created files

If a file contains an owning user or group that is a SID, the system attempts to map it to a
corresponding UID or GID before returning it to the caller.
In UNIX, authorization data is retrieved by calling stat(2) on a file and examining the
owner, group, and mode bits. Over NFSv3, the GETATTR command functions similarly. The
system approximates the mode bits and sets them on the file whenever its ACL changes.
Mode bit approximations need to be retrieved only to service these calls.
Note

SID-to-UID and SID-to-GID mappings are cached in both the OneFS ID mapper and the
stat cache. If a mapping has recently changed, the file might report inaccurate
information until the file is updated or the cache is flushed.

SMB access of UNIX-created files

No UID-to-SID or GID-to-SID mappings are performed when creating an ACL for a file; all
UIDs and GIDs are converted to SIDs or principals when the ACL is returned.
OneFS initiates a two-step process for returning a security descriptor, which contains
SIDs for the owner and primary group of an object:
1. The current security descriptor is retrieved from the file. If the file does not have a
discretionary access control list (DACL), a synthetic ACL is constructed from the files
lower 9 mode bits, which are separated into three sets of permission triplesone
each for owner, group, and everyone. For details about mode bits, see the UNIX
permissions topic.
2. Two access control entries (ACEs) are created for each triple: the allow ACE contains
the corresponding rights that are granted according to the permissions; the deny ACE
204

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

contains the corresponding rights that are denied. In both cases, the trustee of the
ACE corresponds to the file owner, group, or everyone. After all of the ACEs are
generated, any that are not needed are removed before the synthetic ACL is returned.

Managing roles
You can view, add, or remove members of any role. Except for built-in roles, whose
privileges you cannot modify, you can add or remove OneFS privileges on a role-by-role
basis.
Note

Roles take both users and groups as members. If a group is added to a role, all users who
are members of that group are assigned the privileges associated with the role. Similarly,
members of multiple roles are assigned the combined privileges of each role.

View roles
You can view information about built-in and custom roles.
Procedure
1. Run one of the following commands to view roles.
l

To view a basic list of all roles on the cluster, run the following command:
isi auth roles list

To view detailed information about each role on the cluster, including member and
privilege lists, run the following command:
isi auth roles list --verbose

To view detailed information about a single role, run the following command,
where <role> is the name of the role:
isi auth roles view <role>

View privileges
You can view user privileges.
This procedure must be performed through the command-line interface (CLI). You can
view a list of your privileges or the privileges of another user using the following
commands:
Procedure
1. Establish an SSH connection to any node in the cluster.
2. To view privileges, run one of the following commands.
l

To view a list of all privileges, run the following command:

isi auth privileges --verbose

To view a list of your privileges, run the following command:

isi auth id

Managing roles

205

Authentication and access control

To view a list of privileges for another user, run the following command, where
<user> is a placeholder for another user by name:
isi auth mapping token <user>

Create and modify a custom role

You can create an empty custom role and then add users and privileges to the role.
Procedure
1. Establish an SSH connection to any node in the cluster.
2. Run the following command to create a role, where <name> is the name that you want
to assign to the role and <string> specifies an optional description:
isi auth roles create <name> [--description <string>]

3. Run the following command to add a user to the role, where <role> is the name of the
role and <string> is the name of the user:
isi auth roles modify <role> [--add-user <string>]
Note

You can also modify the list of users assigned to a built-in role.
4. Run the following command to add a privilege with read/write access to the role,
where <role> is the name of the role and <string> is the name of the privilege:
isi auth roles modify <role> [--add-priv <string>]

5. Run the following command to add a privilege with read-only access to the role, where
<role> is the name of the role and <string> is the name of the privilege:
isi auth roles modify <role> [--add-priv-ro <string>]

Delete a custom role

Deleting a role does not affect the privileges or users that are assigned to it. Built-in roles
cannot be deleted.
Procedure
1. Run the following command to delete a custom role, where <name> is the name of the
role that you want to delete:
isi auth roles delete <name>

Managing authentication providers

You can configure one or more LDAP, Active Directory, NIS, file, and Kerberos providers. A
local provider is created automatically when you create an access zone, which allows you
to create a configuration for each access zone so it has its own list of local users that can
authenticate to it. You also can create a password policy for each local provider to
enforce password complexity.
206

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Managing LDAP providers

You can view, configure, modify, and delete LDAP providers. You can discontinue
authentication through an LDAP provider by removing it from all access zones that are
using it.

Configure an LDAP provider

By default, when you configure an LDAP provider, it is automatically added to the System
access zone.
Procedure
1. If the LDAP server allows anonymous queries, you can create an LDAP provider by
running the isi auth ldap create command with the following parameters,
where variables in angle brackets are placeholders for values specific to your
environment:
isi auth ldap create <name> --base-dn=<base-distinguished-name> \
--server-uris=<uri>

The following command joins the user test to the LDAP server test-ldap.example.com:
isi auth ldap create test \
--base-dn="dc=test-ldap,dc=example,dc=com" \
--server-uris="ldap://test-ldap.example.com"
Note

You can specify multiple servers by repeating the --server-uris parameter with
the URI value or with a comma-separated list, such as --server-uris="ldap://
a.example.com,ldap://b.example.com".
2. If the LDAP server does not allow anonymous queries, you can create an LDAP
provider by running the isi auth ldap create command, where variables in
angle brackets are placeholders for values specific to your environment:
isi auth ldap create <name> --bind-dn=<distinguished-name> \
--bind-password=<password> --server-uris=<uri>

The following command joins the LDAP server test-ldap.example.com and binds to
user test in the organizational unit users:
isi auth ldap create test-ldap \
--bind-dn="cn=test,ou=users,dc=test-ldap,dc=example,dc=com" \
--bind-password="mypasswd" \
--server-uris="ldap://test-ldap.example.com"
Note

The bind DN must have the proper permissions set.

Managing LDAP providers

207

Authentication and access control

Modify an LDAP provider

You can modify any setting for an LDAP provider except its name. You must specify at
least one server for the provider to be enabled.
Procedure
1. Run the following command to modify an LDAP provider, where <provider-name> is a
placeholder for the name of the provider that you want to modify:
isi auth ldap modify <provider-name>

Delete an LDAP provider

When you delete an LDAP provider, it is removed from all access zones. As an alternative,
you can stop using an LDAP provider by removing it from each access zone that contains
it so that the provider remains available for future use.
For information about the parameters and options that are available for this procedure,
run the isi auth ldap delete --help command.
Procedure
1. Run the following command to delete an LDAP provider, where <name> is a placeholder
for the name of the LDAP provider that you want to delete.
isi auth ldap delete <name>

Managing Active Directory providers

You can view, configure, modify, and delete Active Directory providers. OneFS includes a
Kerberos configuration file for Active Directory in addition to the global Kerberos
configuration file, both of which you can configure through the command-line interface.
You can discontinue authentication through an Active Directory provider by removing it
from all access zones that are using it.

Configure an Active Directory provider

You can configure one or more Active Directory providers, each of which must be joined to
a separate Active Directory domain. By default, when you configure an Active Directory
provider, it is automatically added to the System access zone.
Note

Consider the following information when you configure an Active Directory provider:
l

When you join Active Directory from OneFS, cluster time is updated from the Active
Directory server, as long as an NTP server has not been configured for the cluster.

If you migrate users to a new or different Active Directory domain, you must re-set the
ACL domain information after you configure the new provider. You can reset the
domain information with third-party tools, such as Microsoft SubInACL.

Procedure
1. Run the following command to configure an Active Directory provider, where <name> is
a placeholder for the fully qualified Active Directory name and <user> is a placeholder
for a user name with permission to join machines to the given domain.
isi auth ads create <name> <user>
208

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Modify an Active Directory provider

You can modify the advanced settings for an Active Directory provider.
Procedure
1. Run the following command to modify an Active Directory provider, where <providername> is a placeholder for the name of the provider that you want to modify.
isi auth ads modify <provider-name>

Delete an Active Directory provider

When you delete an Active Directory provider, you disconnect the cluster from the Active
Directory domain that is associated with the provider, disrupting service for users who
are accessing it. After you leave an Active Directory domain, users can no longer access
the domain from the cluster.
Procedure
1. Run the following command to Delete an Active Directory provider, where <name> is a
placeholder for the Active Directory name that you want to delete.
isi auth ads delete <name>

Managing NIS providers

You can view, configure, and modify NIS providers or delete providers that are no longer
needed. You can discontinue authentication through an NIS provider by removing it from
all access zones that are using it.

Configure an NIS provider

You can configure multiple NIS providers, each with its own settings, and add them to
one or more access zones. By default, when you configure an NIS provider, it is
automatically added to the System access zone.
Procedure
1. Configure an NIS provider by running the isi auth nis create command with
the following syntax:
isi auth nis create <name> --servers=<server> \
--nis-domain=<domain>

The following example joins the NIS server nistest.example.com to nistest:

isi auth nis create nistest --servers="nistest.example.com" \
--nis-domain="example.com"
Note

You can specify multiple servers by repeating the --servers parameter for each
server or with a comma-separated list, such as -server="a.example.com,b.example.com".

Managing NIS providers

209

Authentication and access control

Modify an NIS provider

You can modify any setting for an NIS provider except its name. You must specify at least
one server for the provider to be enabled.
Procedure
1. Run the following command to modify an NIS provider, where <provider-name> is a
placeholder for provider that you want to modify.
isi auth nis modify <provider-name>

Delete an NIS provider

When you delete an NIS provider, it is removed from all access zones. As an alternative,
you can stop using an NIS provider by removing it from each access zone that contains it,
so that the provider remains available for future use.
Procedure
1. Run the following command to delete an NIS provider, where <name> is a placeholder
for the name of the NIS provider that you want to delete.
isi auth nis delete <name>

Managing file providers

You can configure one or more file providers, each with its own combination of
replacement files, for each access zone. Password database files, which are also called
user database files, must be in binary format.
Each file provider pulls directly from up to three replacement database files: a group file
that has the same format as /etc/group; a netgroups file; and a binary password file,
spwd.db, which provides fast access to the data in a file that has the /etc/
master.passwd format. You must copy the replacement files to the cluster and
reference them by their directory path.
Note

If the replacement files are located outside the /ifs directory tree, you must distribute
them manually to every node in the cluster. Changes that are made to the system
provider's files are automatically distributed across the cluster.

Configure a file provider

You can specify replacement files for any combination of users, groups, and netgroups.
Procedure
1. Run the following command to configure a file provider, where <name> is your name for
the file provider.
isi auth file create <name>

Generate a password file

Password database files, which are also called user database files, must be in binary
format.
This procedure must be performed through the command-line interface (CLI). For
command-usage guidelines, run the man pwd_mkdb command.
210

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Procedure
1. Establish an SSH connection to any node in the cluster.
2. Run the pwd_mkdb <file> command, where <file> is the location of the source password
file.
Note

By default, the binary password file, spwd.db, is created in the /etc directory. You
can override the location to store the spwd.db file by specifying the -d option with a
different target directory.
The following command generates an spwd.db file in the /etc directory from a
password file that is located at /ifs/test.passwd:
pwd_mkdb /ifs/test.passwd

The following command generates an spwd.db file in the /ifs directory from a
password file that is located at /ifs/test.passwd:
pwd_mkdb -d /ifs /ifs/test.passwd

Modify a file provider

You can modify any setting for a file provider, including its name.
Note

Although you can rename a file provider, there are two caveats: you can rename a file
provider through only the web administration interface and you cannot rename the
System file provider.
Procedure
1. Run the following command to modify a file provider, where <provider-name> is a
placeholder for the name that you supplied for the provider.
isi auth file modify <provider-name>

Delete a file provider

To stop using a file provider, you can clear all of its replacement file settings or you can
permanently delete the provider.
Note

You cannot delete the System file provider.

Procedure
1. Run the following command to delete a file provider, where <name> is a placeholder for
the name of the provider that you want to delete.
isi auth file delete <name>

Managing file providers

211

Authentication and access control

Password file format

The file provider uses a binary password database file, spwd.db. You can generate a
binary password file from a master.passwd-formatted file by running the pwd_mkdb
command.
The master.passwd file contains ten colon-separated fields, as shown in the following
example:
admin:*:10:10::0:0:Web UI Administrator:/ifs/home/admin:/bin/zsh

The fields are defined below in the order in which they appear in the file.
Note

UNIX systems often define the passwd format as a subset of these fields, omitting the
Class, Change, and Expiry fields. To convert a file from passwd to master.passwd
format, add :0:0: between the GID field and the Gecos field.
Username
The user name. This field is case-sensitive. OneFS does not limit the length; many
applications truncate the name to 16 characters, however.
Password
The users encrypted password. If authentication is not required for the user, you can
substitute an asterisk (*) for a password. The asterisk character is guaranteed to not
match any password.
UID
The UNIX user identifier. This value must be a number in the range 0-4294967294
that is not reserved or already assigned to a user. Compatibility issues occur if this
value conflicts with an existing account's UID.
GID
The group identifier of the users primary group. All users are a member of at least
one group, which is used for access checks and can also be used when creating
files.
Class
This field is not supported by OneFS and should be left empty.
Change
OneFS does not support changing the passwords of users in the file provider. This
field is ignored.
Expiry
OneFS does not support the expiration of user accounts in the file provider. This field
is ignored.
Gecos
This field can store a variety of information but is usually used to store the users full
name.
Home
The absolute path to the users home directory, beginning at /ifs.
Shell
The absolute path to the users shell. If this field is set to /sbin/nologin, the
user is denied command-line access.

212

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Group file format

The file provider uses a group file in the format of the /etc/group file that exists on
most UNIX systems.
The group file consists of one or more lines containing four colon-separated fields, as
shown in the following example:
admin:*:10:root,admin

The fields are defined below in the order in which they appear in the file.
Group name
The name of the group. This field is case-sensitive. Although OneFS does not limit
the length of the group name, many applications truncate the name to 16 characters.
Password
This field is not supported by OneFS and should contain an asterisk (*).
GID
The UNIX group identifier. Valid values are any number in the range 0-4294967294
that is not reserved or already assigned to a group. Compatibility issues occur if this
value conflicts with an existing group's GID.
Group members
A comma-delimited list of user names.

Netgroup file format

A netgroup file consists of one or more netgroups, each of which can contain members.
Hosts, users, or domains, which are members of a netgroup, are specified in a member
triple. A netgroup can also contain another netgroup.
Each entry in a netgroup file consists of the netgroup name, followed by a spacedelimited set of member triples and nested netgroup names. If you specify a nested
netgroup, it must be defined on a separate line in the file.
A member triple takes the following form:
(<host>, <user>, <domain>)

Where <host> is a placeholder for a machine name, <user> is a placeholder for a user name,
and <domain> is a placeholder for a domain name. Any combination is valid except an
empty triple: (,,).
The following sample file contains two netgroups. The rootgrp netgroup contains four
hosts: two hosts are defined in member triples and two hosts are contained in the nested
othergrp netgroup, which is defined on the second line.
rootgrp (myserver, root, somedomain.com) (otherserver, root,
somedomain.com) othergrp
othergrp (other-win,, somedomain.com) (other-linux,, somedomain.com)
Note

A new line signifies a new netgroup. You can continue a long netgroup entry to the next
line by typing a backslash character (\) in the right-most position of the first line.

Managing file providers

213

Authentication and access control

Managing local users and groups

When you create an access zone, each zone includes a local provider that allows you to
create and manage local users and groups. Although you can view the users and groups
of any authentication provider, you can create, modify, and delete users and groups in
the local provider only.

View a list of users and groups by provider

You can view users and groups by a provider type.
Procedure
1. Run the following command to view a list of users and groups for a specified provider,
where <provider-type> is a placeholder for your provider-type string and <provider-name>
is a placeholder for the name that you assigned the specific provider:
isi auth users list --provider="<provider-type>:<provider-name>"

2. To list users and groups for an LDAP provider type that is named Unix LDAP, run a
command similar to the following example:
isi auth users list --provider="lsa-ldap-provider:Unix LDAP"

Create a local user

Each access zone includes a local provider that allows you to create and manage local
users and groups. When creating a local user account, you can configure its name
password, home directory, UNIX user identifier (UID), UNIX login shell, and group
memberships.
Procedure
1. Run the following command to create a local user, where <name> is your name for the
user, <provider-name> specifies the provider for this user, and <string> is the password
for this user.
isi auth users create <name> --provider="local:<provider-name>" \
--password="<string>"
Note

A user account is disabled if no password is specified. If you do not create a password

when you create the user account, you can add a password later by running the isi
auth users modify command, specifying the appropriate user by username,
UID, or SID.

214

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Create a local group

In the local provider of an access zone, you can create groups and assign members to
them.
Procedure
1. Run the following command to create a local group, where <name> and <provider-name>
are values that you provide to define the group.
isi auth groups create <name> --provider "local:<provider-name>"

Naming rules for local users and groups

Local user and group names must follow naming rules in order to ensure proper
authentication and access to the EMC Isilon cluster.
You must adhere to the following naming rules when creating and modifying local users
and groups:
l

The maximum name length is 104 characters. It is recommended that names do not
exceed 64 characters.

Names cannot contain the following invalid characters:

"/\[]:;|=,+*?<>

Names can contain any special character that is not in the list of invalid characters. It
is recommend that names do not contain spaces.

Names are not case sensitive.

Configure or modify a local password policy

You can configure and modify a local password policy for a local provider.
This procedure must be performed through the command-line interface (CLI).
Note

Separate password policies are configured for each access zone. Each access zone in the
cluster contains a separate instance of the local provider, which allows each access zone
to have its own list of local users who can authenticate. Password complexity is
configured for each local provider, not for each user.
Procedure
1. Establish an SSH connection to any node in the cluster.
2. (Optional) Run the following command to view the current password settings:
isi auth local view system

3. Run the isi auth local modify command, choosing from the parameters
described in Local password policy default settings.
The --password-complexity parameter must be specified for each setting.
isi auth local modify system --password-complexity=lowercase \
--password-complexity=uppercase -password-complexity=numeric \
--password-complexity=symbol

The following command configures a local password policy for a local provider:
Managing local users and groups

215

Authentication and access control

isi auth local modify <provider-name> \

--min-password-length=20 \
--lockout-duration=20m \
--lockout-window=5m \
--lockout-threshold=5 \
--add-password-complexity=uppercase \
--add-password-complexity=numeric

Local password policy settings

You can configure local password policy settings and specify the default for each setting
through the isi auth local modify command. Password complexity increases the
number of possible passwords that an attacker must check before the correct password
is guessed.

216

Setting

Description

Comments

min-password-length

Minimum password length

in characters.

Long passwords are best. The

minimum length should not be so
long that users have a difficult time
entering or remembering the
password.

password-complexity

A list of cases that a new

password must contain. By
default, the list is empty.

You can specify as many as four

cases. The following cases are valid:
l

uppercase

lowercase

numeric

symbol (excluding # and @)

min-password-age

The minimum password

age. You can set this value
using characters for units;
for example, 4W for 4
weeks, 2d for 2 Days.

A minimum password age ensures

that a user cannot enter a temporary
password and then immediately
change it to the previous password.
Attempts to check or set a password
before the time expires are denied.

max-password-age

The maximum password

age. You can set this value
using characters for units;
for example, 4W for 4
weeks, 2d for 2 Days.

Attempts to login after a password

expires forces a password change. If
a password change dialog cannot be
presented, the user is not allowed to
login.

password-historylength

The number of historical

passwords to keep. New
passwords are checked
against this list and
rejected if the password is
already present. The max
history length is 24.

To avoid recycling of passwords, you

can specify the number of previous
passwords to remember. If a new
password matches a remembered
previous password, it is rejected.

lockout-duration

The length of time in

seconds that an account is
locked after a configurable

After an account is locked, it is

unavailable from all sources until it is
unlocked. OneFS provides two
configurable options to avoid

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Setting

Description

Comments

number of bad passwords

are entered.

administrator interaction for every

locked account:
l

Specify how much time must

elapse before the account is
unlocked.

Automatically reset the incorrectpassword counter after a

specified time, in seconds.

lockout-threshold

The number of incorrect

password attempts before
an account is locked. A
value of zero disables
account lockout.

After an account is locked, it is

unavailable from all sources until it is
unlocked.

lockout-window

The time that elapses

before the incorrect
password attempts count is
reset.

If the configured number of incorrect

password attempts is reached, the
account is locked and lockoutduration determines the length of
time that the account is locked. A
value of zero disables the window.

Modify a local user

You can modify any setting for a local user account except the user name.
Procedure
1. Run the following command to modify a local group, where<name> or <gid> or <sid> are
placeholders for the user identifiers and <provider-name> is a placeholder for the name
of the local provider associated with the user:
isi auth users modify (<name> or --gid <gid> or --sid <sid>) \
--provider "local:<provider-name>"

Modify a local group

You can add or remove members from a local group.
Procedure
1. Run the following command to modify a local group, where <name> or <gid> or <sid> are
placeholders for the group identifiers and <provider-name> is a placeholder for the
name of the local provider associated with the group:
isi auth groups modify (<name> or --gid <gid> or --sid <sid>) \
--provider "local:<provider-name>"

Managing local users and groups

217

Authentication and access control

Delete a local user

A deleted user can no longer access the cluster through the command-line interface, web
administration interface, or file access protocol. When you delete a local user account, its
home directory remains in place.
Procedure
1. Run the following command to delete a local user, where <uid> and <sid> are
placeholders for the UID and SID of the user that you want to delete, and <providername> is a placeholder for the local provider associated with the user.
isi auth users delete <name> --uid <uid> --sid <sid> \
--provider "local:<provider-name>"

Delete a local group

You can delete a local group even if members are assigned to it. Deleting a group does
not affect the members of that group.
Procedure
1. Run the following command to delete a local group, where <group> is a placeholder for
the name of the group that you want to delete:
isi auth groups delete <group>
Note

You can run the command with <gid> or <sid> instead of <group>.

Managing MIT Kerberos authentication

You can configure an MIT Kerberos provider for authentication without Active Directory.
Configuring an MIT Kerberos provider involves creating an MIT Kerberos realm, creating a
provider, and joining a predefined realm. Optionally, you can configure an MIT Kerberos
domain for the provider. You can also update the encryption keys if there are any
configuration changes to the Kerberos provider. You can include the provider in one or
more access zones.

Managing MIT Kerberos realms

An MIT Kerberos realm is an administrative domain that defines the boundaries within
which an authentication server has the authority to authenticate a user or service. You
can create, view, edit, or delete a realm. As a best practice, specify a realm name using
uppercase characters.

Create an MIT Kerberos realm

You can create an MIT Kerberos realm by defining a Key Distribution Center (KDC) and an
administrative server.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to create an MIT
Kerberos realm.
Procedure
1. Run the isi auth krb5 realm create command to create an MIT Kerberos
realm.
218

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

For example, run the following command to create a realm by specifying a KDC and an
administrative server:
isi auth krb5 realm create <realm> --kdc <kdc> --admin-server
<admin-server>

Modify an MIT Kerberos realm

You can modify an MIT Kerberos realm by modifying the Key Distribution Center (KDC), the
domain (optional), and the administrative server settings for that realm.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to delete an MIT
Kerberos provider.
Procedure
1. Run the isi auth krb5 realm modify command to modify an MIT Kerberos
realm.
For example, run the following command to modify an MIT Kerberos realm by
specifying an alternate KDC and an administrative server:
isi auth krb5 realm modify <realm> --is-default-realm true --kdc
<kdc> --admin-server <admin-server>

View an MIT Kerberos realm

You can view details related to the name, Key Distribution Centers (KDCs), and the
administrative server associated with an MIT Kerberos realm.
Procedure
1. Run the isi auth krb5 realm view command to view details for an MIT
Kerberos realm.
For example, run the following command to view the details for a realm:
isi auth krb5 realm view <realm>

Delete an MIT Kerberos realm

You can delete one or more MIT Kerberos realms and all the associated MIT Kerberos
domains.
Before you begin
Kerberos realms are referenced by Kerberos providers. Before you can delete a realm for
which you have created a provider, you must first delete that provider.
You must be a member of a role that has ISI_PRIV_AUTH privileges to delete an MIT
Kerberos realm.
Procedure
1. Run the isi auth krb5 realm delete command to delete an MIT Kerberos
realm.

Managing MIT Kerberos authentication

219

Authentication and access control

For example, run the following command to delete a realm:

isi auth krb5 realm delete <realm>

Managing MIT Kerberos providers

You can create view, delete, or modify an MIT Kerberos provider. You can also configure
the Kerberos provider settings.

Creating an MIT Kerberos provider

You can create an MIT Kerberos provider by obtaining the credentials for accessing a
cluster through the Key Distribution Center (KDC) of the Kerberos realm. This process is
also known as joining a realm. Thus when you create a Kerberos provider you also join a
realm that has been previously defined.
Depending on how OneFS manages your Kerberos environment, you can create a
Kerberos provider through one of the following methods:
l

Accessing the Kerberos administration server and creating keys for services on the
OneFS cluster.

Manually transferring the Kerberos key information in the form of keytabs.

Create an MIT Kerberos provider and join a realm with administrator credentials
You can create an MIT Kerberos provider and join an MIT Kerberos realm using the
credentials authorized to access the Kerberos administration server. You can then create
keys for the various services on the EMC Isilon cluster. This is the recommended method
for creating a Kerberos provider and joining a Kerberos realm.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to access the Kerberos
administration server.
Procedure
1. Run the following command to create a Kerberos provider and join a Kerberos realm,
where <realm> is the name of the Kerberos realm which already exists or is created
if it does not exist:
isi auth krb5 create <realm> <user> --<kdc>=<string>

The following example joins a user with admin credentials to the clustername.company.com realm:
isi auth krb5 create cluster-name.company.com aima/admin -kdc=<kdc-name>.domain.company.com

Create an MIT Kerberos provider and join a realm with a keytab file
You can create an MIT Kerberos provider and join an MIT Kerberos realm through a keytab
file. Follow this method only if your Kerberos environment is managed by manually
transferring the Kerberos key information through the keytab files.
Before you begin
Make sure that the following prerequisites are met:

220

You must create and copy a keytab file to a node on the cluster.

You must be a member of a role that has ISI_PRIV_AUTH privileges to access the
Kerberos administration server.

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Procedure
1. Run the following command to create a Kerberos provider and join a Kerberos realm,
where <realm> is the placeholder for the realm name which should exist as a realm
object already:
isi auth krb5 create <realm> --keytab-file=<string>

For example, run the following command to create a Kerberos provider and join the
cluster-name.company.com realm using a keytab file:
isi auth krb5 create cluster-name.company.com --keytab-file=/tmp/
krb5.keytab

View an MIT Kerberos provider

You can view the properties of an MIT Kerberos provider after creating it.
Procedure
1. Run the following command to view the properties of a Kerberos provider:
isi auth krb5 view <provider-name>

List the MIT Kerberos providers

You can list one or more MIT Kerberos providers and display the list in a specific format.
You can also specify a limit for the number of providers to be listed.
Procedure
1. Run the isi auth krb5 list command to list one or more Kerberos providers.
For example, run the following command to list the first five Kerberos providers in a
tabular format without any headers or footers:
isi auth krb5 list -l 5 --format table --no-header --no-footer

Delete an MIT Kerberos provider

You can delete an MIT Kerberos provider and remove it from all the referenced access
zones. When you delete a provider, you also leave an MIT Kerberos realm.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to delete a Kerberos
provider.
Procedure
1. Run the isi auth krb5 delete command as follows to delete a Kerberos
provider.
isi auth krb5 delete <provider-name>

Configure MIT Kerberos provider settings

You can configure the settings of a Kerberos provider to allow the DNS records to locate
the Key Distribution Center (KDC), Kerberos realms, and the authentication servers
associated with a Kerberos realm. These settings are global to all Kerberos users across
Managing MIT Kerberos authentication

221

Authentication and access control

all nodes, services, and zones. Some settings are applicable only to client-side Kerberos
and are independent of the Kerberos provider.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to view or modify
the settings of a Kerberos provider.
Procedure
1. Run the isi auth settings krb5 command with the view or modify
subcommand.
2. Specify the settings to modify.

Managing MIT Kerberos domains

You can optionally define MIT Kerberos domains to allow additional domain extensions to
be associated with an MIT Kerberos realm. You can always specify a default domain for a
realm.
You can create, modify, delete, and view an MIT Kerberos domain. A Kerberos domain
name is a DNS suffix that you specify typically using lowercase characters.

Add an MIT Kerberos domain to a realm

You can optionally add an MIT Kerberos domain to an MIT Kerberos realm to enable
additional Kerberos domain extensions to be associated with a Kerberos realm.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to associate a
Kerberos domain with a Kerberos realm.
Procedure
1. Add a Kerberos domain by running the isi auth krb5 domain create
command.
For example, run the following command to add a Kerberos domain to a Kerberos
realm:
isi auth krb5 domain create <domain>

Modify an MIT Kerberos domain

You can modify an MIT Kerberos domain by modifying the realm settings.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to modify an MIT
Kerberos domain.
Procedure
1. Run the isi auth krb5 domain modify command to modify a Kerberos
domain.
For example, run the following command to modify a Kerberos domain by specifying
an alternate Kerberos realm:
isi auth krb5 domain modify <domain> --realm <realm>

222

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

View an MIT Kerberos domain mapping

You can view the properties of an MIT Kerberos domain mapping.
Procedure
1. Run the isi auth krb5 domain view command with a value specified for the
<domain> variable to view the properties of a Kerberos domain mapping:
isi auth krb5 domain view <domain>

List MIT Kerberos domains

You can list one or more MIT Kerberos domains and display the list in a tabular, JSON,
CSV, or list format. You can also specify a limit for the number of domains to be listed.
Procedure
1. Run the isi auth krb5 domain list command to list one or more MIT
Kerberos domains.
For example, run the following command to list the first ten MIT Kerberos domains in a
tabular format without any headers or footers:
isi auth krb5 domain list -l=10 --format=table --no-header --nofooter

Delete an MIT Kerberos domain mapping

You can delete one or more MIT Kerberos domain mappings.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to delete an MIT
Kerberos domain mapping.
Procedure
1. Run the isi auth krb5 domain delete command to delete an MIT Kerberos
domain mapping.
For example, run the following command to delete a domain mapping:
isi auth krb5 domain delete <domain>

Managing SPNs and keys

A service principal name (SPN) is the name referenced by a client to identify an instance
of a service on an EMC Isilon cluster. An MIT Kerberos provider authenticates services on
a cluster through SPNs.
You can perform the following operations on SPNs and their associated keys:
l

Update the SPNs if there are any changes to the SmartConnect zone settings that are
based on those SPNs

List the registered SPNs to compare them against a list of discovered SPNs

Update keys associated with the SPNs either manually or automatically

Import keys from a keytab table

Delete specific key versions or delete all the keys associated with an SPN
Managing MIT Kerberos authentication

223

Authentication and access control

View SPNs and keys

You can view the service principal names (SPNs) and their associated keys that are
registered for an MIT Kerberos provider. Clients obtain Kerberos tickets and access
services on EMC Isilon clusters through SPNs and their associated keys.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to view SPNs and
keys.
Procedure
1. Run the isi auth krb5 spn list command to list one or more SPNs and their
associated keys and the Key version numbers (Kvnos).
For example, run the following command to list the first five SPNs for an MIT Kerberos
provider in a tabular format without any headers or footers:
isi auth krb5 list <provider-name> -l 5 --format table --no-header
--no-footer <spn-list>

Delete keys
You can delete specific key versions or all the keys associated with a service principal
name (SPN).
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to delete keys.
After creating new keys due to security reasons or to match configuration changes, follow
this procedure to delete older version of the keys so that the keytab table is not
populated with redundant keys.
Procedure
1. Run the isi auth krb5 spn delete command to delete all keys for a specified
SPN or a specific version of a key.
For example, run the following command to delete all the keys associated with an SPN
for an MIT Kerberos provider:
isi auth krb5 spn delete <provider-name> <spn> --all

The <provider-name> is the name of the MIT Kerberos provider. You can delete a
specific version of the key by specifying a key version number value for the kvno
argument and including that value in the command syntax.

Manually add or update a key for an SPN

You can manually add or update keys for a service principal name (SPN). This process
creates a new key for the specified SPN.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to add or update a key
for an SPN.
Procedure
1. Run the isi auth krb5 spn create command to add or update keys for an
SPN.
224

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

For example, run the following command to add or update a key for an SPN by
specifying the <provider-name>, <user>, and <spn> positional arguments:
isi auth krb5 spn create <provider-name> <user> <spn>

Automatically update an SPN

You can automatically update or add a service principal name (SPN) if it is registered with
an MIT Kerberos provider but does not appear in the list of discovered SPNs.
Before you begin
You must be a member of a role that has ISI_PRIV_AUTH privileges to automatically
update an SPN.
Procedure
1. Run the isi auth krb5 spn check command to compare the list of registered
SPNs against the list of discovered SPNs.
Proceed to the next step if the comparison does not show similar results.
2. Run the isi auth krb5 spn fix command to fix the missing SPNs.
For example, run the following command to add missing SPNs for an MIT Kerberos
service provider:
isi auth krb5 spn fix <provider-name> <user>

You can optionally specify a password for <user> which is the placeholder for a user
who has the permission to join clients to the given domain.

Import a keytab file

An MIT Kerberos provider joined through a legacy keytab file might not have the ability to
manage keys through the Kerberos admin credentials. In such a case, import a new
keytab file and then add the keytab file keys to the provider.
Before you begin
Make sure that the following pre-requisites are met before you import a keytab file:
l

You must create and copy a keytab file to a node on the cluster where you will
perform this procedure.

You must be a member of a role that has ISI_PRIV_AUTH privileges to import a keytab
file.

Procedure
1. Import the keys of a keytab file by running the isi auth krb5 spn import
command.
For example, run the following command to import the keys of the <keytab-file> to the
provider referenced as <provider-name>:
isi auth krb5 spn import <provider-name> <keytab-file>

Managing access permissions

The internal representation of identities and permissions can contain information from
UNIX sources, Windows sources, or both. Because access protocols can process the
Managing access permissions

225

Authentication and access control

information from only one of these sources, the system may need to make
approximations to present the information in a format the protocol can process.

View expected user permissions

You can view the expected permissions for user access to a file or directory.
This procedure must be performed through the command-line interface (CLI).
Procedure
1. Establish an SSH connection to any node in the cluster.
2. View expected user permissions by running the isi auth access command.
The following command displays permissions in /ifs/ for the user that you specify
in place of <username>:
isi auth access <username> /ifs/

The system displays output similar to the following example:

User
Name : <username>
UID : 2018
SID :
SID:S-1-5-21-2141457107-1514332578-1691322784-1018
File
Owner : user:root
Group : group:wheel
Mode : drwxrwxrwx
Relevant Mode : d---rwx--Permissions
Expected : user:<username> \
allow
dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

3. View mode-bits permissions for a user by running the isi auth access command.
The following command displays verbose-mode file permissions information in /
ifs/ for the user that you specify in place of <username>:
isi auth access <username> /ifs/ -v

The system displays output similar to the following example:

User Name : <username> UID \
: 2018 SID : SID:S-1-5-21-2141457107-1514332578-1691322784-1018
File Owner : user:root Group : group:wheel Mode : drwxrwxrwx
Relevant Mode : d---rwx--- Permissions Expected : user:<username>
allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

4. View expected ACL user permissions on a file for a user by running the isi auth
access command.
The following command displays verbose-mode ACL file permissions for the file
file_with_acl.tx in /ifs/data/ for the user that you specify in place of
<username>:
isi auth access <username> /ifs/data/file_with_acl.tx -v

226

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

The system displays output similar to the following example:

User Name : <username> \
UID : 2097 SID :
SID:S-1-7-21-2141457107-1614332578-1691322789-1018
File Owner : user:<username> Group : group:wheel
Permissions Expected : user:<username>
allow file_gen_read,file_gen_write,std_write_dac
Relevant Acl: group:<group-name> Users allow file_gen_read
user:<username> allow std_write_dac,file_write,
append,file_write_ext_attr,file_write_attr
group:wheel allow file_gen_read,file_gen_write

Configure access management settings

Default access settings include whether to send NTLMv2 responses for SMB connections,
the identity type to store on disk, the Windows workgroup name for running in local
mode, and character substitution for spaces encountered in user and group names.
Procedure
1. Configure access management settings by running the isi auth settings
global modify command.
The following command modifies global settings for a workgroup:
isi auth settings global modify \
--send-ntlmv2=false --on-disk-identity=native \
--space-replacement="_" --workgroup=WORKGROUP

Modify ACL policy settings

You can modify ACL policy settings but the default ACL policy settings are sufficient for
most cluster deployments.
CAUTION

Because ACL policies change the behavior of permissions throughout the system, they
should be modified only as necessary by experienced administrators with advanced
knowledge of Windows ACLs. This is especially true for the advanced settings, which are
applied regardless of the cluster's environment.
For UNIX, Windows, or balanced environments, the optimal permission policy settings are
selected and cannot be modified. You can choose to manually configure the cluster's
default permission settings if necessary to support your particular environment, however.
Procedure
1. Run the following command to modify ACL policy settings, where <provider-name>
specifies the name of the provider:
isi auth ads modify <provider-name>

Update cluster permissions

You can update file permissions or ownership by running the PermissionRepair job.
To prevent permissions issues that can occur after changing the on-disk identity, run this
authentication and access control job with convert mode specified to ensure that the
changes are fully propagated throughout the cluster.
Configure access management settings

227

Authentication and access control

Procedure
1. Update cluster permissions by running the isi job jobs start command with
the following syntax.
The following command updates cluster permissions, where permissionrepair
specifies the job type, where variables in angle brackets are placeholders for values
specific to your environment:
isi job start permissionrepair --priority <1-10> \
--policy <policy> --mode <clone | inherit | convert > \
--mapping-type=<system | sid | unix | native> --zone <zone-name>
Note

You cannot combine the --template parameter with the convert mode option,
but you can combine the parameter with the clone and inherit mode options.
Conversely, you cannot combine the --mapping-type and --zone parameters
with the clone and inherit mode options, but you can combine the parameters
with the convert mode option.
Example 1 Examples

The following example updates cluster permissions, where permissionrepair

specifies the job type, the priority is 3, the chosen mode is convert, and the mapping type
is unix:
isi job jobs start permissionrepair --priority=3 \
--policy myPolicy --mode=convert --mapping-type=unix \
--template <isi path> --path </ifs directory> --zone zone2

Authentication and access control commands

You can control access to your cluster through the authentication and access control
commands.

isi auth access

Lists that permissions that a user has to access a given file.
Note

This command does not display SMB share permissions or privileges.

Syntax
isi auth access {<name> | --uid <integer> | --sid <string>} <path>
[--zone <string>]
[--numeric]
[--verbose]

Options
<name>

Specifies the user name.

228

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--sid <string>
Specifies the user by SID.
--uid <integer>
Specifies the user by UID
<path>

Specifies the file path in /ifs.

--zone <string>
Specifies the access zone for the user.
{--numeric | -n}
Displays the numeric identifier of the user.
{--verbose | -v}
Displays more detailed information.

isi auth ads create

Configures an Active Directory provider and joins an Active Directory domain.
Syntax
isi auth ads create <name> <user>
[--password <string>]
[--account <string>]
[--organizational-unit <string>]
[--kerberos-nfs-spn {yes | no} ]
[--dns-domain <dns-domain>]
[--allocate-gids {yes | no}]
[--allocate-uids {yes | no}]
[--cache-entry-expiry <duration>]
[--assume-default-domain {yes | no}]
[--check-online-interval <duration>]
[--create-home-directory {yes | no}]
[--domain-offline-alerts {yes | no}]
[--home-directory-template <path>]
[--ignore-all-trusts {yes | no}]
[--ignored-trusted-domains <dns-domain>]
[--include-trusted-domains <dns-domain>]
[--ldap-sign-and-seal {yes | no}]
[--node-dc-affinity <string>]
[--node-dc-affinity-timeout <timestamp>]
[--login-shell <path>]
[--lookup-domains <dns-domain>]
[--lookup-groups {yes | no}]
[--lookup-normalize-groups {yes | no}]
[--lookup-normalize-users {yes | no}]
[--lookup-users {yes | no}]
[--machine-password-changes {yes | no}]
[--machine-password-lifespan <duration>]
[--nss-enumeration {yes | no}]
[--sfu-support {none | rfc2307}]
[--store-sfu-mappings {yes | no}]
[--verbose]

Options
<name>

Specifies a fully qualified Active Directory domain name, which will also be used as
the provider name.
<user>
isi auth ads create

229

Authentication and access control

Specifies the user name of an account that has permission to join machine accounts
to the Active Directory domain.
--password <string>
Specifies the password of the provided user account. If you omit this option, you will
be prompted to supply a password.
--account <string>
Specifies the machine account name to use in Active Directory. By default, the cluster
name is used.
--organizational-unit <string>
Specifies the name of the organizational unit (OU) to connect to on the Active
Directory server. Specify the OU in the form OuName or OuName1/SubName2.
--kerberos-nfs-spn {yes | no}
Specifies whether to add SPNs for using Kerberized NFS.
--dns-domain <dns-domain>
Specifies a DNS search domain to use instead of the domain that is specified in the
--name setting.
--allocate-gids {yes | no}
Enables or disables GID allocation for unmapped Active Directory groups. Active
Directory groups without GIDs can be proactively assigned a GID by the ID mapper. If
this option is disabled, GIDs are not proactively assigned, but when a user's primary
group does not include a GID, the system may allocate one.
--allocate-uids {yes | no}
Enables or disables UID allocation for unmapped Active Directory users. Active
Directory users without UIDs can be proactively assigned a UID by the ID mapper. If
this option is disabled, UIDs are not proactively assigned, but when a user's identity
does not include a UID, the system may allocate one.
--cache-entry-expiry <duration>
Specifies how long to cache a user or group, in the format <integer>{Y|M|W|D|H|m|s}.
--assume-default-domain {yes | no}
Specifies whether to look up unqualified user names in the primary domain. If this
option is set to no, the primary domain must be specified for each authentication
operation.
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>{Y|M|W|D|H|
m|s}.
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time that a user logs in, if a
home directory does not already exist for the user.
--domain-offline-alerts {yes | no}
Specifies whether to send an alert if the domain goes offline. If this option is set to
yes, notifications are sent as specified in the global notification rules. The default
value is no.
--home-directory-template <path>
Specifies the template path to use when creating home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
230

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--ignore-all-trusts {yes | no}
Specifies whether to ignore all trusted domains.
--ignored-trusted-domains <dns-domain>
Specifies a list of trusted domains to ignore if --ignore-all-trusts is disabled.
Repeat this option to specify multiple list items.
--include-trusted-domains <dns-domain>
Specifies a list of trusted domain to include if --ignore-all-trusts is enabled.
Repeat this option to specify multiple list items.
--ldap-sign-and-seal {yes | no}
Specifies whether to use encryption and signing on LDAP requests to a DC.
{--node-dc-affinity | -x} <string>
Specifies the domain controller that the node should exclusively communicate with
(affinitize to). This option should be used with a timeout value, which is configured
using the --node-dc-affinity-timeout option. Otherwise, the default timeout
value of 30 minutes is assigned.
Note

This setting is for debugging purposes and should be left unconfigured during normal
operation. To disable this feature, use a timeout value of 0.
{--node-dc-affinity-timeout} <timestamp>
Specifies the timeout setting for the local node affinity to a domain controller, using
the date format <YYYY>-<MM>-<DD> or the date/time format <YYYY>-<MM><DD>T<hh>:<mm>[:<ss>].
Note

A value of 0 disables the affinity. When affinitization is disabled, communication with

the specified domain controller may not end immediately. It may persist until another
domain controller can be chosen.
--login-shell <path>
Specifies the full path to the login shell to use if the Active Directory server does not
provide login-shell information. This setting applies only to users who access the file
system through SSH.
--lookup-domains <string>
Specifies a list of domains to which user and group lookups are to be limited. Repeat
this option to specify multiple list items.
--lookup-groups {yes | no}
Specifies whether to look up Active Directory groups in other providers before
allocating a GID.
--lookup-normalize-groups {yes | no}
Specifies whether to normalize Active Directory group names to lowercase before
looking them up.
isi auth ads create

231

Authentication and access control

--lookup-normalize-users {yes | no}

Specifies whether to normalize Active Directory user names to lowercase before
looking them up.
--lookup-users {yes | no}
Specifies whether to look up Active Directory users in other providers before
allocating a UID.
--machine-password-password {yes | no}
Specifies whether to enable periodic changes of the machine account password for
security purposes.
--machine-password-lifespan <duration>
Sets the maximum age of the machine account password, in the format <integer>{Y|M|
W|D|H|m|s}.
--nss-enumeration {yes | no}
Specifies whether to allow the Active Directory provider to respond to getpwent and
getgrent requests.
--sfu-support {none | rfc2307}
Specifies whether to support RFC 2307 attributes for Windows domain controllers.
RFC 2307 is required for Windows UNIX Integration and for Services For UNIX (SFU)
technologies.
--store-sfu-mappings {yes | no}
Specifies whether to store SFU mappings permanently in the ID mapper.
{--verbose | -v}
Displays the results of running the command.

isi auth ads delete

Deletes an Active Directory provider, which includes leaving the Active Directory domain
that the provider is joined to. Leaving an Active Directory domain disrupts service for
users who are accessing the domain. After you leave an Active Directory domain, users
can no longer access the domain from the cluster.
Syntax
isi auth ads delete <provider-name>
[--force]
[--verbose]

Options
<provider-name>

Specifies the name of the provider to delete.

{--force | -f}
Suppresses command-line prompts and messages.
{--verbose | -v}
Displays the results of running the command.

232

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Examples
To leave an Active Directory domain named some.domain.org and delete the
authentication provider that is associated with it, run the following command:
isi auth ads delete some.domain.org

At the confirmation prompt, type y.

isi auth ads list

Displays a list of Active Directory providers.
Syntax
isi auth ads list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.
Examples
To view a list of all the Active Directory providers that the cluster is joined to, run the
following command:
isi auth ads list

The system displays output similar to the following example:

Name
Authentication Status DC Name Site
-------------------------------------------------------AD.EAST.EMC.COM
Yes
online BOS
AD.NORTH.EMC.COM
Yes
online VAN
AD.SOUTH.EMC.COM
No
online TIJ
AD.WEST.EMC.COM
Yes
online SEA
-------------------------------------------------------Total: 4

isi auth ads list

233

Authentication and access control

isi auth ads modify

Modifies an Active Directory authentication provider.
Syntax
isi auth ads modify <provider-name>
[--reset-schannel {yes | no}]
[--domain-controller <string>]
[--allocate-gids {yes | no}]
[--allocate-uids {yes | no}]
[--cache-entry-expiry <duration>]
[--assume-default-domain {yes | no}]
[--check-online-interval <duration>]
[--create-home-directory {yes | no}]
[--domain-offline-alerts {yes | no}]
[--home-directory-template <path>]
[--ignore-all-trusts {yes | no}]
[--ignored-trusted-domains <dns-domain>]
[--clear-ignored-trusted-domains]
[--add-ignored-trusted-domains <dns-domain>]
[--remove-ignored-trusted-domains <dns-domain>]
[--include-trusted-domains <dns-domain>]
[--clear-include-trusted-domains]
[--add-include-trusted-domains <dns-domain>]
[--remove-include-trusted-domains <dns-domain>]
[--ldap-sign-and-seal {yes | no}]
[--node-dc-affinity <string>]
[--node-dc-affinity-timeout <timestamp>]
[--login-shell <path>]
[--lookup-domains <dns-domain>]
[--clear-lookup-domains]
[--add-lookup-domains <dns-domain>]
[--remove-lookup-domains <dns-domain>]
[--lookup-groups {yes | no}]
[--lookup-normalize-groups {yes | no}]
[--lookup-normalize-users {yes | no}]
[--lookup-users {yes | no}]
[--machine-password-changes {yes | no}]
[--machine-password-lifespan <duration>]
[--nss-enumeration {yes | no}]
[--sfu-support {none | rfc2307}]
[--store-sfu-mappings {yes | no}]
[--verbose]

Options
<provider-name>

Specifies the domain name that the Active Directory provider is joined to, which is
also the Active Directory provider name.
--reset-schannel {yes | no}
Resets the secure channel to the primary domain.
--domain-controller <dns-domain>
Specifies a domain controller.
--allocate-gids {yes | no}
Enables or disables GID allocation for unmapped Active Directory groups. Active
Directory groups without GIDs can be proactively assigned a GID by the ID mapper. If
this option is disabled, GIDs are not assigned proactively, but when a user's primary
group does not include a GID, the system may allocate one.
--allocate-uids {yes | no}
234

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Enables or disables UID allocation for unmapped Active Directory users. Active
Directory users without UIDs can be proactively assigned a UID by the ID mapper. If
this option is disabled, UIDs are not assigned proactively, but when a user's identity
does not include a UID, the system may allocate one.
--cache-entry-expiry <duration>
Specifies how long to cache a user or group, in the format <integer>{Y|M|W|D|H|m|s}.
--assume-default-domain {yes | no}
Specifies whether to look up unqualified user names in the primary domain. If this
option is set to no, the primary domain must be specified for each authentication
operation.
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>{Y|M|W|D|H|
m|s}.
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user.
--domain-offline-alerts {yes | no}
Specifies whether to send an alert if the domain goes offline. If this option is set to
yes, notifications are sent as specified in the global notification rules. The default
value is no.
--home-directory-template <path>
Specifies the template path to use when creating home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--ignore-all-trusts {yes | no}
Specifies whether to ignore all trusted domains.
--ignored-trusted-domains <dns-domain>
Specifies a list of trusted domains to ignore if --ignore-all-trusts is disabled.
Repeat this option to specify multiple list items.
--clear-ignored-trusted-domains
Clears the list of ignored trusted domains if --ignore-all-trusts is disabled.
--add-ignored-trusted-domains <dns-domain>
Adds a domain to the list of trusted domains to ignore if --ignore-all-trusts is
disabled. Repeat this option to specify multiple list items.
--remove-ignored-trusted-domains <dns-domain>
Removes a specified domain from the list of trusted domains to ignore if --ignoreall-trusts is disabled. Repeat this option to specify multiple list items.
--include-trusted-domains <dns-domain>
Specifies a list of trusted domains to include if --ignore-all-trusts is enabled.
Repeat this option to specify multiple list items.
--clear-include-trusted-domains

isi auth ads modify

235

Authentication and access control

Clears the list of trusted domains to include if --ignore-all-trusts is enabled.

--add-include-trusted-domains <dns-domain>
Adds a domain to the list of trusted domains to include if --ignore-all-trusts
is enabled. Repeat this option to specify multiple list items.
--remove-include-trusted-domains <dns-domain>
Removes a specified domain from the list of trusted domains to include if -ignore-all-trusts is enabled. Repeat this option to specify multiple list items.
--ldap-sign-and-seal {yes | no}
Specifies whether to use encryption and signing on LDAP requests to a domain
controller.
{--node-dc-affinity | -x} <string>
Specifies the domain controller that the node should exclusively communicate with
(affinitize). This option should be used with a timeout value, which is configured
using the --node-dc-affinity-timeout option. Otherwise, the default timeout
value of 30 minutes is assigned.
Note

This setting is for debugging purposes and should be left unconfigured during normal
operation. To disable this feature, use a timeout value of 0.
{--node-dc-affinity-timeout} <timestamp>
Specifies the timeout setting for the local node affinity to a domain controller, using
the date format <YYYY>-<MM>-<DD> or the date/time format <YYYY>-<MM><DD>T<hh>:<mm>[:<ss>].
Note

A value of 0 disables the affinity. When affinitization is disabled, communication with

the specified domain controller may not end immediately. It may persist until another
domain controller can be chosen.
--login-shell <path>
Specifies the path to the login shell to use if the Active Directory server does not
provide login-shell information. This setting applies only to users who access the file
system through SSH.
--lookup-domains <string>
Specifies a list of domains to which user and group lookups are to be limited. Repeat
this option to specify multiple list items.
--clear-lookup-domains
Clears the list of restricted domains for user and group lookups.
--add-lookup-domains <string>
Adds an entry to the restricted list of domains to use for user and group lookups.
Repeat this option to specify multiple list items.
--remove-lookup-domains <string>
Removes an entry from the list of domains to use for user and group lookups. Repeat
this option to specify multiple list items.
--lookup-groups {yes | no}

236

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies whether to look up Active Directory groups in other providers before

allocating a GID.
--lookup-normalize-groups {yes | no}
Specifies whether to normalize Active Directory group names to lowercase before
looking them up.
--lookup-normalize-users {yes | no}
Specifies whether to normalize Active Directory user names to lowercase before
looking them up.
--lookup-users {yes | no}
Specifies whether to look up Active Directory users in other providers before
allocating a UID.
--machine-password-password {yes | no}
Specifies whether to enable periodic changes of the machine account password for
security purposes.
--machine-password-lifespan <duration>
Sets the maximum age of the machine account password, in the format <integer>{Y|M|
W|D|H|m|s}.
--nss-enumeration {yes | no}
Specifies whether to allow the Active Directory provider to respond to getpwent and
getgrent requests.
--sfu-support {none | rfc2307}
Specifies whether to support RFC 2307 attributes for domain controllers. RFC 2307 is
required for Windows UNIX Integration and for Services For UNIX (SFU) technologies.
--store-sfu-mappings {yes | no}
Specifies whether to store SFU mappings permanently in the ID mapper.
{--verbose | -v}
Displays the results of running the command.

isi auth ads spn check

Checks valid service principal names (SPNs).
Syntax
isi auth ads spn check --domain <string>
[--machinecreds]
[--user <string> [--password <string>]]
[--repair]

Options
{--domain | -D} <string>
Specifies the DNS domain name for the user or group that is attempting to connect to
the cluster.
--machinecreds
Directs the system to use machine credentials when connecting to the cluster.
{--user | -U} <string>
Specifies an administrative user account to connect to the cluster, if required.
isi auth ads spn check

237

Authentication and access control

{--password | -P} <string>

Specifies the administrative user account password.
{--repair | -r}
Repairs missing SPNs.

isi auth ads spn create

Adds one or more service principal names (SPNs) for a machine account. SPNs must be
propagated to all domain controllers to make them available to clients.
Syntax
isi auth ads spn create --spn <string>
[--domain <string>]
[--account <string>]
[--machinecreds]
[--user <string> [--password <string>]]

Options
{--spn | -s} <string>
Specifies an SPN to register. Repeat this option to specify multiple list items.
{--domain | -D} <string>
Specifies the DNS domain name for the user or group that is attempting to connect to
the cluster.
{--account | -a} <string>
Specifies the address of the machine account. If no account is specified, the machine
account of the cluster is used.
{--user | -U} <string>
Specifies an administrative user account to connect to the cluster, if required.
{--password | -P} <string>
Specifies the administrative user account password.
--machinecreds
Directs the system to use machine credentials when connecting to the cluster.

isi auth ads spn delete

Deletes one or more SPNs that are registered against a machine account.
Syntax
isi auth ads spn delete --spn <string>
[--domain <string>]
[--account <string>]
[--machinecreds]
[--user <string> [--password <string>]]

Options
{--spn | -s} <string>
Specifies an SPN to delete. Repeat this option to specify multiple list items.
{--domain | -D} <string>
Specifies the DNS domain name for the user or group that is attempting to connect to
the cluster.
238

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

{--account | -a} <string>

Specifies the address of the machine account. If no account is specified, the machine
account of the cluster is used.
--machinecreds
Directs the system to use machine credentials when connecting to the cluster.
{--user | -U} <string>
Specifies an administrative user account to connect to the cluster, if required.
{--password | -P} <string>
Specifies the administrative user account password.

isi auth ads spn list

Displays a list of service principal names (SPNs) that are registered against a machine
account.
Syntax
isi auth ads spn list --domain <string>
[--account <string>
[--machinecreds]
[--user <string> [--password <string>]]

Options
{--domain | -D} <string>
Specifies the DNS domain name for the user or group that is attempting to connect to
the cluster.
{--account | -a} <string>
Specifies the address of the machine account. If no account is specified, the machine
account of the cluster is used.
--machinecreds
Directs the system to use machine credentials when connecting to the cluster.
{--user | -U} <string>
Specifies an administrative user account to connect to the cluster, if required.
{--password | -P} <string>
Specifies the administrative user account password.
Examples
Run the following command to view a list of SPNs that are currently registered against the
machine account:
isi auth ads spn list

The system displays output similar to the following example:

HOST/test
HOST/test.sample.isilon.com

isi auth ads spn list

239

Authentication and access control

isi auth ads trusts controllers list

Displays a list of domain controllers for a trusted domain.
Syntax
isi auth ads trusts controllers list <provider>
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
<provider>

Specifies an Active Directory provider.

{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.
Examples
The following command displays a list of trusted domains in an Active Directory provider
named ad.isilon.com:
isi auth ads trusts controllers list ad.isilon.com

isi auth ads trusts list

Displays a list of trusted domains.
Syntax
isi auth ads trusts list <provider>

Options
<provider>

Specifies an Active Directory provider.

240

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth ads trusts view

Displays the properties of a trusted domain.
Syntax
isi auth ads trusts view <provider> <domain>

Options
<provider>

Specifies an Active Directory provider.

<domain>

Specifies the trusted domain to view.

isi auth ads view

Displays the properties of an Active Directory provider.
Syntax
isi auth ads view <provider-name>
[--verbose]

Options
<provider-name>

Specifies the name of the provider to view.

{--verbose | -v}
Displays more detailed information.

isi auth error

Displays error code definitions from the authentication log files.
Syntax
isi auth error <error-code>

Options
<error-code>

Specifies the error code to convert.

Examples
To view the definition of error code 4, run the following command:
isi auth error 4

The system displays output similar to the following example:

4 = ERROR_TOO_MANY_OPEN_FILES

isi auth ads trusts view

241

Authentication and access control

isi auth file create

Creates a file provider.
Syntax
isi auth file create <name>
[--password-file <path>]
[--group-file <path>]
[--authentication {yes | no}]
[--cache-entry-expiry <duration>]
[--create-home-directory {yes | no}]
[--enabled {yes | no}]
[--enumerate-groups {yes | no}]
[--enumerate-users {yes | no}]
[--findable-groups <string>]
[--findable-users <string>]
[--group-domain <string>]
[--home-directory-template <path>]
[--listable-groups <string>]
[--listable-users <string>]
[--login-shell <path>]
[--modifiable-groups <string>]
[--modifiable-users <string>]
[--netgroup-file <path>]
[--normalize-groups {yes | no}]
[--normalize-users {yes | no}]
[--ntlm-support {all | v2only | none}]
[--provider-domain <string>]
[--restrict-findable {yes | no}]
[--restrict-listable {yes | no}]
[--restrict-modifiable {yes | no}]
[--unfindable-groups <string>]
[--unfindable-users <string>]
[--unlistable-groups <string>]
[--unlistable-users <string>]
[--unmodifiable-groups <string>]
[--unmodifiable-users <string>]
[--user-domain <string>]
[--verbose]

Options
<name>

Sets the file provider name.

--password-file <path>
Specifies the path to a passwd.db replacement file.
--group-file <path>
Specifies the path to a group replacement file.
--authentication {yes | no}
Enables or disables the use of the provider for authentication as well as identity. The
default value is yes.
--cache-entry-expiry <duration>
Specifies the length of time after which the cache entry will expire, in the format
<integer>[{Y | M | W | D | H | m | s}]. To turn off cache expiration, set this value to off.
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user.
242

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--enabled {yes | no}

Enables or disables the provider.
--findable-groups <string>
Specifies a list of groups that can be found in this provider if --restrictfindable is enabled. Repeat this option to specify each additional findable group.
If populated, groups that are not included in this list cannot be resolved.
--findable-users <string>
Specifies a list of users that can be found in this provider if --restrictfindable is enabled. Repeat this option to specify each additional findable user. If
populated, users that are not included in this list cannot be resolved.
--group-domain <string>
Specifies the domain that this provider will use to qualify groups. The default group
domain is FILE_GROUPS.
--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--listable-groups <string>
Specifies a group that can be listed if --restrict-listable is enabled. Repeat
this option to specify multiple list items. If populated, any groups that are not
included in this list cannot be listed.
--listable-users <string>
Specifies a user that can be listed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, any users that
are not included in this list cannot be listed.
--login-shell <path>
Specifies the path to the user's login shell. This setting applies only to users who
access the file system through SSH.
--modifiable-groups <string>
Specifies a group that can be modified in this provider if --restrictmodifiable is enabled. Repeat this option to specify multiple list items. If
populated, any groups that are not included in this list cannot be modified.
--modifiable-users <string>
Specifies a user that can be modified in this provider if --restrict-modifiable
is enabled. Repeat this option to specify multiple list items. If populated, any users
that are not included in this list cannot be modified.
--netgroup-file <path>
Specifies the path to a netgroup replacement file.
--normalize-groups {yes | no}
Normalizes group names to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user names to lowercase before lookup.
isi auth file create

243

Authentication and access control

--ntlm-support {all | v2only | none}

For users with NTLM-compatible credentials, specifies which NTLM versions to
support. Valid values are all, v2only, and none. NTLMv2 provides additional
security over NTLM.
--provider-domain <string>
Specifies the domain that the provider will use to qualify user and group names.
--restrict-findable {yes | no}
Specifies whether to check the provider for filtered lists of findable and unfindable
users and groups.
--restrict-listable {yes | no}
Specifies whether to check the provider for filtered lists of listable and unlistable
users and groups.
--restrict-modifiable {yes | no}
Specifies whether to check the provider for filtered lists of modifiable and
unmodifiable users and groups.
--unfindable-groups <string>
If --restrict-findable is enabled and the findable groups list is empty,
specifies a group that cannot be resolved by this provider. Repeat this option to
specify multiple list items.
--unfindable-users <string>
If --restrict-findable is enabled and the findable users list is empty, specifies
a user that cannot be resolved by this provider. Repeat this option to specify multiple
list items.
--unlistable-groups <string>
If --restrict-listable is enabled and the listable groups list is empty,
specifies a group that cannot be listed by this provider. Repeat this option to specify
multiple list items.
--unlistable-users <string>
If --restrict-listable is enabled and the listable users list is empty, specifies
a user that cannot be listed by this provider. Repeat this option to specify multiple list
items.
--unmodifiable-groups <string>
If --restrict-modifiable is enabled and the modifiable groups list is empty,
specifies a group that cannot be modified. Repeat this option to specify multiple list
items.
--unmodifiable-users <string>
If --restrict-modifiable is enabled and the modifiable users list is empty,
specifies a user that cannot be modified. Repeat this option to specify multiple list
items.
--user-domain <string>
Specifies the domain that this provider will use to qualify users. The default user
domain is FILE_USERS.
{--verbose | -v}
Displays more detailed information.

244

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth file delete

Deletes a file provider.
Syntax
isi auth file delete <provider-name>
[--force]
[--verbose]

Options
<provider-name>

Specifies the name of the provider to delete.

{--force | -f}
Suppresses command-line prompts and messages.
{--verbose | -v}
Displays more detailed information.

isi auth file list

Displays a list of file providers.
Syntax
isi auth file list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth file delete

245

Authentication and access control

isi auth file modify

Modifies a file provider.
Syntax
isi auth file modify <provider-name>
[--provider <string>]
[--password-file <path>]
[--group-file <path>]
[--authentication {yes | no}]
[--cache-entry-expiry <duration>]
[--create-home-directory {yes | no}]
[--enabled {yes | no}]
[--enumerate-groups {yes | no}]
[--enumerate-users {yes | no}]
[--findable-groups <string>]
[--clear-findable-groups]
[--add-findable-groups <string>]
[--remove-findable-groups <string>]
[--findable-users <string>]
[--clear-findable-users]
[--add-findable-users <string>]
[--remove-findable-users <string>]
[--group-domain <string>]
[--home-directory-template <path>]
[--listable-groups <string>]
[--clear-listable-groups]
[--add-listable-groups <string>]
[--remove-listable-groups <string>]
[--listable-users <string>]
[--clear-listable-users]
[--add-listable-users <string>]
[--remove-listable-users <string>]
[--login-shell <path>]
[--modifiable-groups <string>]
[--clear-modifiable-groups]
[--add-modifiable-groups <string>]
[--remove-modifiable-groups <string>]
[--modifiable-users <string>]
[--clear-modifiable-users]
[--add-modifiable-users <string>]
[--remove-modifiable-users <string>]
[--netgroup-file <path>]
[--normalize-groups {yes | no}]
[--normalize-users {yes | no}]
[--ntlm-support {all | v2only | none}]
[--provider-domain <string>]
[--restrict-findable {yes | no}]
[--restrict-listable {yes | no}]
[--restrict-modifiable {yes | no}]
[--unfindable-groups <string>]
[--clear-unfindable-groups]
[--add-unfindable-groups <string>]
[--remove-unfindable-groups <string>]
[--unfindable-users <string>]
[--clear-unfindable-users]
[--add-unfindable-users <string>]
[--remove-unfindable-users <string>]
[--unlistable-groups <string>]
[--clear-unlistable-groups]
[--add-unlistable-groups <string>]
[--remove-unlistable-groups <string>]
[--unlistable-users <string>]
[--clear-unlistable-users]
[--add-unlistable-users <string>]
[--remove-unlistable-users <string>]

246

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

[--unmodifiable-groups <string>]
[--clear-unmodifiable-groups]
[--add-unmodifiable-groups <string>]
[--remove-unmodifiable-groups <string>]
[--unmodifiable-users <string>]
[--clear-unmodifiable-users]
[--add-unmodifiable-users <string>]
[--remove-unmodifiable-users <string>]
[--user-domain <string>]
[--verbose]

Options
<provider-name>

Specifies the name of the file provider to modify. This setting cannot be modified.
--provider <string>
Specifies an authentication provider of the format <type>:<instance>. Valid provider
types are ads, ldap, nis, file, and local. For example, an LDAP provider named
auth1 can be specified as ldap:auth1.
--password-file <path>
Specifies the path to a passwd.db replacement file.
--group-file <path>
Specifies the path to a group replacement file.
--authentication {yes | no}
Enables or disables the use of the provider for authentication as well as identity. The
default value is yes.
--cache-entry-expiry <duration>
Specifies the length of time after which the cache entry will expire, in the format
<integer>[{Y | M | W | D | H | m | s}]. To turn off cache expiration, set this value to off.
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user.
--enabled {yes | no}
Enables or disables the provider.
--enumerate-groups {yes | no}
Specifies whether to allow the provider to enumerate groups.
--enumerate-users {yes | no}
Specifies whether to allow the provider to enumerate users.
--findable-groups <string>
Specifies a group that can be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. If populated, any groups
that are not included in this list cannot be resolved. This option overwrites any
existing entries in the findable groups list; to add or remove groups without affecting
current entries, use --add-findable-groups or --remove-findablegroups.
--clear-findable-groups
Removes all entries from the list of findable groups.
isi auth file modify

247

Authentication and access control

--add-findable-groups <string>
Adds an entry to the list of findable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-findable-groups <string>
Removes an entry from the list of findable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--findable-users <string>
Specifies a user that can be found in the provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. If populated, any users that
are not included in this list cannot be resolved. This option overwrites any existing
entries in the findable users list; to add or remove users without affecting current
entries, use --add-findable-users or --remove-findable-users.
--clear-findable-users
Removes all entries from the list of findable users.
--add-findable-users <string>
Adds an entry to the list of findable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-findable-users <string>
Removes an entry from the list of findable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--group-domain <string>
Specifies the domain that the provider will use to qualify groups. The default group
domain is FILE_GROUPS.
--group-file <path>
Specifies the path to a group replacement file.
--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--listable-groups <string>
Specifies a group that can be viewed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, any groups
that are not included in this list cannot be viewed. This option overwrites any existing
entries in the listable groups list; to add or remove groups without affecting current
entries, use --add-listable-groups or --remove-listable-groups.
--clear-listable-groups
Removes all entries from the list of viewable groups.
--add-listable-groups <string>
Adds an entry to the list of viewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-listable-groups <string>

248

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Removes an entry from the list of viewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--listable-users <string>
Specifies a user that can be viewed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, any users that
are not included in this list cannot be viewed. This option overwrites any existing
entries in the listable users list; to add or remove users without affecting current
entries, use --add-listable-users or --remove-listable-users.
--clear-listable-users
Removes all entries from the list of viewable users.
--add-listable-users <string>
Adds an entry to the list of viewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-listable-users <string>
Removes an entry from the list of viewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--login-shell <path>
Specifies the path to the user's login shell. This setting applies only to users who
access the file system through SSH.
--modifiable-groups <string>
Specifies a group that can be modified if --restrict-modifiable is enabled.
Repeat this option to specify multiple list items. If populated, any groups that are not
included in this list cannot be modified. This option overwrites any existing entries in
the modifiable groups list; to add or remove groups without affecting current entries,
use --add-modifiable-groups or --remove-modifiable-groups.
--clear-modifiable-groups
Removes all entries from the list of modifiable groups.
--add-modifiable-groups <string>
Adds an entry to the list of modifiable groups that is checked if --restrictmodifiable is enabled. Repeat this option to specify multiple list items.
--remove-modifiable-groups <string>
Removes an entry from the list of modifiable groups that is checked if --restrictmodifiable is enabled. Repeat this option to specify multiple list items.
--modifiable-users <string>
Specifies a user that can be modified if --restrict-modifiable is enabled.
Repeat this option to specify multiple list items. If populated, any users that are not
included in this list cannot be modified. This option overwrites any existing entries in
the modifiable users list; to add or remove users without affecting current entries,
use --add-modifiable-users or --remove-modifiable-users.
--clear-modifiable-users
Removes all entries from the list of modifiable users.
--add-modifiable-users <string>
Adds an entry to the list of modifiable users that is checked if --restrictmodifiable is enabled. Repeat this option to specify multiple list items.

isi auth file modify

249

Authentication and access control

--remove-modifiable-users <string>
Removes an entry from the list of modifiable users that is checked if --restrictmodifiable is enabled. Repeat this option to specify multiple list items.
--netgroup-file <path>
Specifies the path to a netgroup replacement file.
--normalize-groups {yes | no}
Normalizes group names to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user names to lowercase before lookup.
--ntlm-support {all | v2only | none}
For users with NTLM-compatible credentials, specifies which NTLM versions to
support. Valid values are all, v2only, and none. NTLMv2 provides additional
security over NTLM and is recommended.
--password-file <path>
Specifies the path to a passwd.db replacement file.
--provider-domain <string>
Specifies the domain that this provider will use to qualify user and group names.
--restrict-findable {yes | no}
Specifies whether to check this provider for filtered lists of findable and unfindable
users and groups.
--restrict-listable {yes | no}
Specifies whether to check this provider for filtered lists of viewable and unviewable
users and groups.
--restrict-modifiable {yes | no}
Specifies whether to check this provider for filtered lists of modifiable and
unmodifiable users and groups.
--unfindable-groups <string>
If --restrict-findable is enabled and the findable groups list is empty,
specifies a group that cannot be resolved by this provider. Repeat this option to
specify multiple list items. This option overwrites any existing entries in the
unfindable groups list; to add or remove groups without affecting current entries, use
--add-unfindable-groups or --remove-unfindable-groups.
--clear-unfindable-groups
Removes all entries from the list of unfindable groups.
--add-unfindable-groups <string>
Adds an entry to the list of unfindable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-groups <string>
Removes an entry from the list of unfindable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--unfindable-users <string>
If --restrict-findable is enabled and the findable users list is empty, specifies
a user that cannot be resolved by this provider. Repeat this option to specify multiple
250

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

list items. This option overwrites any existing entries in the unfindable users list; to
add or remove users without affecting current entries, use --add-unfindableusers or --remove-unfindable-users.
--clear-unfindable-users
Removes all entries from the list of unfindable groups.
--add-unfindable-users <string>
Adds an entry to the list of unfindable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-users <string>
Removes an entry from the list of unfindable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--unlistable-groups <string>
If --restrict-listable is enabled and the viewable groups list is empty,
specifies a group that cannot be listed by this provider. Repeat this option to specify
multiple list items. This option overwrites any existing entries in the unlistable groups
list; to add or remove groups without affecting current entries, use --addunlistable-groups or --remove-unlistable-groups.
--clear-unlistable-groups
Removes all entries from the list of unviewable groups.
--add-unlistable-groups <string>
Adds an entry to the list of unviewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-groups <string>
Removes an entry from the list of unviewable groups that is checked if -restrict-listable is enabled. Repeat this option to specify multiple list items.
--unlistable-users <string>
If --restrict-listable is enabled and the viewable users list is empty,
specifies a user that cannot be listed by this provider. Repeat this option to specify
multiple list items. This option overwrites any existing entries in the unlistable users
list; to add or remove users without affecting current entries, use --addunlistable-users or --remove-unlistable-users.
--clear-unlistable-users
Removes all entries from the list of unviewable users.
--add-unlistable-users <string>
Adds an entry to the list of unviewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-users <string>
Removes an entry from the list of unviewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--unmodifiable-groups <string>
If --restrict-modifiable is enabled and the modifiable groups list is empty,
specifies a group that cannot be modified. Repeat this option to specify multiple list
items. This option overwrites any existing entries in this providers unmodifiable

isi auth file modify

251

Authentication and access control

groups list; to add or remove groups without affecting current entries, use --addunmodifiable-groups or --remove-unmodifiable-groups.
--clear-unmodifiable-groups
Removes all entries from the list of unmodifiable groups.
--add-unmodifiable-groups <string>
Adds an entry to the list of unmodifiable groups that is checked if --restrictmodifiable is enabled. Repeat this option to specify multiple list items.
--remove-unmodifiable-groups <string>
Removes an entry from the list of unmodifiable groups that is checked if -restrict-modifiable is enabled. Repeat this option to specify multiple list
items.
--unmodifiable-users <string>
If --restrict-modifiable is enabled and the modifiable users list is empty,
specifies a user that cannot be modified. Repeat this option to specify multiple list
items. This option overwrites any existing entries in this providers unmodifiable
users list; to add or remove users without affecting current entries, use --addunmodifiable-users or --remove-unmodifiable-users.
--clear-unmodifiable-users
Removes all entries from the list of unmodifiable users.
--add-unmodifiable-users <string>
Adds an entry to the list of unmodifiable users that is checked if --restrictmodifiable is enabled. Repeat this option to specify multiple list items.
--remove-unmodifiable-users <string>
Removes an entry from the list of unmodifiable users that is checked if -restrict-modifiable is enabled. Repeat this option to specify multiple list
items.
--user-domain <string>
Specifies the domain that this provider will use to qualify users. The default user
domain is FILE_USERS.
{--verbose | -v}
Displays the results of running the command.

isi auth file view

Displays the properties of a file provider.
Syntax
isi auth file view <provider-name>

Options
<provider-name>

Specifies the name of the provider to view.

252

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth groups create

Creates a local group.
Syntax
isi auth groups create <name>
[--gid <integer>]
[--add-user <name>]
[--add-uid <integer>]
[--add-sid <string>
[--add-wellknown <name>]
[--sid <string>]
[--zone <string>]
[--provider <string>]
[--verbose]
[--force]

Options
<name>

Specifies the group name.

--gid <integer>
Overrides automatic allocation of the UNIX group identifier (GID) with the specified
value. Setting this option is not recommended.
--add-user <name>
Specifies the name of the user to add to the group. Repeat this option to specify
multiple users.
--add-uid <integer>
Specifies the UID of the user to add to the group. Repeat this option to specify
multiple users.
--add-sid <string>
Specifies the SID of the user to add to the group. Repeat this option to specify
multiple users.
--add-wellknown <name>
Specifies a wellknown persona name to add to the group. Repeat this option to
specify multiple personas.
--sid <string>
Sets the Windows security identifier (SID) for the group, for example S-1-5-21-13.
--zone <string>
Specifies the access zone in which to create the group.
--provider <string>
Specifies a local authentication provider in the specified access zone.
{--verbose | -v}
Displays more detailed information.
{--force | -f}
Suppresses command-line prompts and messages.

isi auth groups create

253

Authentication and access control

isi auth groups delete

Removes a local group from the system. Members of a group are removed before the
group is deleted.
Syntax
isi auth groups delete {<group> | --gid <integer> | --sid <string>}
[--zone <string>]
[--provider <string>]
[--force]
[--verbose]

Options
This command requires <group>, --gid <integer>, or --sid <string>.
<group>

Specifies the group by name.

--gid <integer>
Specifies the group by GID.
<group>
--sid <string>

Specifies the group by SID.

--zone <string>
Specifies the name of the access zone that contains the group.
--provider <string>
Specifies the group's authentication provider.
{--force | -f}
Suppresses command-line prompts and messages.
{--verbose | -v}
Displays the results of running the command.

isi auth groups flush

Flushes cached group information.
Syntax
isi auth groups flush

Options
There are no options for this command.
Examples
To flush all cached group information, run the following command:
isi auth groups flush

254

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth groups list

Displays a list of groups.
Syntax
isi auth groups list
[--domain <string>]
[--zone <string>]
[--provider <string>]
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
--domain <string>
Specifies the provider domain.
--zone <string>
Specifies an access zone.
--provider <string>
Specifies an authentication provider.
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth groups modify

Modifies a local group.
Syntax
isi auth groups modify {<group> | --gid <integer> | --sid <string>}
[--new-gid <integer>]
[--add-uid <integer>]
[--remove-uid <integer>]
[--add-user <name>]
[--remove-user <name>]
[--add-sid <string>]
[--remove-sid <string>]
[--add-wellknown <name>]
[--remove-wellknown <name>]
[--zone <string>]
[--provider <string>]

isi auth groups list

255

Authentication and access control

[--verbose]
[--force]

Options
This command requires <group>, --gid <integer>, or --sid <string>.
<group>

Specifies the group by name.

--gid <integer>
Specifies the group by GID.
--sid <string>
Specifies the group by SID.
--new-gid <integer>
Specifies a new GID for the group. Setting this option is not recommended.
--add-uid <integer>
Specifies the UID of a user to add to the group. Repeat this option to specify multiple
list items.
--remove-uid <integer>
Specifies the UID of a user to remove from the group. Repeat this option to specify
multiple list items.
--add-user <name>
Specifies the name of a user to add to the group. Repeat this option to specify
multiple list items.
--remove-user <name>
Specifies the name of a user to remove from the group. Repeat this option to specify
multiple list items.
--add-sid <string>
Specifies the SID of an object to add to the group, for example S-1-5-21-13.
Repeat this option to specify multiple list items.
--remove-sid <string>
Specifies the SID of an object to remove from the group. Repeat this option to specify
multiple list items.
--add-wellknown <name>
Specifies a well-known SID to add to the group. Repeat this option to specify multiple
list items.
--remove-wellknown <name>
Specifies a well-known SID to remove from the group. Repeat this option to specify
multiple list items.
--zone <string>
Specifies the group's access zone.
--provider <string>
Specifies the group's authentication provider.
{--verbose | -v}
Displays more detailed information.
256

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

{--force | -f}
Suppresses command-line prompts and messages.

isi auth groups members list

Displays a list of members that are associated with a group.
Syntax
isi auth groups members list {<group> | --gid <integer> | --sid
<string>}
[--zone <string>]
[--provider <string>]
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
This command requires <group>, --gid <integer>, or --sid <string>.
<group>

Specifies the group by name.

--gid <integer>
Specifies the group by GID.
--sid <string>
Specifies the group by SID.
--zone <string>
Specifies an access zone.
--provider <string>
Specifies an authentication provider.
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth groups members list

257

Authentication and access control

isi auth groups view

Displays the properties of a group.
Syntax
isi auth groups view {<group> | --gid <integer> | --sid <string>}
[--zone <string>]
[--show-groups]
[--provider <string>]

Options
This command requires <group>, --gid <integer>, or --sid <string>.
<group>

Specifies the group by name.

--gid <integer>
Specifies the group by GID.
--sid <string>
Specifies the group by SID.
--zone <string>
Specifies an access zone.
--show-groups
Displays groups that include this group as a member.
--provider <string>
Specifies an authentication provider.

isi auth id
Displays your access token.
Syntax
isi auth id

Options
There are no options for this command.

isi auth krb5 realm create

Creates an MIT Kerberos realm.
Syntax
isi auth krb5 realm create <realm>
[--is-default-realm <boolean>]
[--kdc <string>]
[--admin-server <string>]
[--default-domain <string>]

Options
<realm>

Specifies the name of the realm.

258

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--is-default-realm <boolean>
Specifies whether realm will be the default.
--kdc <string>
Specifies the hostname or IP address of a Key Distribution Center (KDC). Specify -kdc for each additional hostname or IP address of a KDC.
--admin-server <string>
Specifies the hostname or IP address of the administrative server (master KDC).
--default-domain <string>
Specifies the default domain for the realm used for translating the v4 principal
names.

isi auth krb5 realm delete

Deletes an MIT Kerberos realm.
Syntax
isi auth krb5 realm delete <realm>
[--force]

Options
<realm>

Specifies the Kerberos realm name.

{--force | -f}
Specifies not to ask for a confirmation.

isi auth krb5 realm modify

Modifies an MIT Kerberos realm.
Syntax
isi auth krb5 realm modify <realm>
[--is-default-realm <boolean>]
[--kdc <string>]
[--admin-server <string>]
[--default-domain <string>]

Options
<realm>

Specifies the Kerberos realm name.

--is-default-realm <boolean>
Specifies whether the Kerberos realm will be the default.
--kdc <string>
Specifies the hostname or IP address of the Key Distribution Center (KDC). Specify -kdc for each additional hostname or IP address of the KDC.
--admin-server <string>
Specifies the hostname or IP address of the administrative server (master KDC).
--default-domain <string>
isi auth krb5 realm delete

259

Authentication and access control

Specifies the default domain for the Kerberos realm used for translating the v4
principal names.

isi auth krb5 realm list

Displays a list of MIT Kerberos realms.
Syntax
isi auth krb5 realm list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]

Options
{--limit | -l} <integer>
Specifies the number of Kerberos realms to display.
--format {table | json | csv | list}
Specifies whether to display the Kerberos realms in a tabular, JSON, CSV, or list
format.
{--no-header | -a}
Specifies not to display the headers in the CSV or tabular formats.
{--no-footer | -z}
Specifies not to display the table summary footer information.

isi auth krb5 realm view

Displays the properties of an MIT Kerberos realm.
Syntax
isi auth krb5 realm view <realm>

Options
<realm>

Specifies the Kerberos realm name.

isi auth krb5 create

Creates an MIT Kerberos provider and joins a user to an MIT Kerberos realm.
Syntax
isi auth krb5 create <realm> {<user> | --keytab-file <string> }
[--password <string>]
[--spn<string>]
[--is-default-realm <boolean>]
[--kdc <string>]
[--admin-server <string>]
[--default-domain <string>]

Options
<realm>

Specifies the Kerberos realm name.

260

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

<user>

Specifies a user name with permissions to create the service principal names (SPNs)
in the given Kerberos realm.
--keytab-file <string>
Specifies the keytab file to import.
--password <string>
Specifies the password used for joining a Kerberos realm.
--spn <string>
Specifies the SPNs to register. Specify --spn for each additional SPN that you want to
register.
--is-default-realm <boolean>
Specifies whether the Kerberos realm will be the default.
--kdc <string>
Specifies the hostname or IP address of the Key Distribution Center (KDC). Specify -kdc for each additional hostname or IP address of the KDC.
--admin-server <string>
Specifies the hostname or IP address of the administrative server (master KDC).
--default-domain<string>
Specifies the default Kerberos domain for the Kerberos realm used for translating v4
principal names.

isi auth krb5 delete

Deletes an MIT Kerberos authentication provider and removes the user from an MIT
Kerberos realm.
Syntax
isi auth krb5 delete <provider-name>
[--force]

Options
<provider-name>

Specifies the Kerberos provider name.

{--force | -f}
Specifies not to ask for a confirmation.

isi auth krb5 list

Displays a list of MIT Kerberos authentication providers.
Syntax
isi auth krb5 list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]

isi auth krb5 delete

261

Authentication and access control

Options
{--limit | -l} <integer>
Specifies the number of Kerberos providers to display.
--format {table | json | csv | list}
Specifies to display the Kerberos providers in a tabular, JSON, CSV, or list format.
{--no-header | -a}
Specifies not to display the headers in the CSV or tabular formats.
{--no-footer | -z}
Specifies not to display the table summary footer information.

isi auth krb5 view

Displays the properties of an MIT Kerberos authentication provider.
Syntax
isi auth krb5 view <provider-name>

Options
<provider-name>

Specifies the Kerberos provider name.

isi auth krb5 domain create

Creates an MIT Kerberos domain mapping.
Syntax
isi auth krb5 domain create <domain>
[--realm <string>]

Options
<domain>

Specifies the name of the Kerberos domain.

--realm <string>
Specifies the name of the Kerberos realm.

isi auth krb5 domain delete

Deletes an MIT Kerberos domain mapping.
Syntax
isi auth krb5 domain delete <domain>
[--force]

Options
<domain>

Specifies the name of the Kerberos domain.

{--force | -f}

262

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies not to ask for a confirmation.

isi auth krb5 domain modify

Modifies an MIT Kerberos domain mapping.
Syntax
isi auth krb5 domain modify <domain>
[--realm <string>]

Options
<domain>

Specifies the Kerberos domain name.

--realm <string>
Specifies the Kerberos realm name.

isi auth krb5 domain list

Displays a list of MIT Kerberos domain mappings.
Syntax
isi auth krb5 domain list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]

Options
{--limit | -l} <integer>
Specifies the number of Kerberos domain mappings to display.
--format {table | json | csv | list}
Specifies whether to display the Kerberos domain mappings in a tabular, JSON, CSV,
or list formats.
{--no-header | -a}
Specifies not to display the headers in the CSV or tabular formats.
{--no-footer | -z}
Specifies not to display the table summary footer information.

isi auth krb5 domain view

Displays the properties of an MIT Kerberos domain mapping.
Syntax
isi auth krb5 domain view <domain>

Options
<domain>

Specifies the Kerberos domain name.

isi auth krb5 domain modify

263

Authentication and access control

isi auth krb5 spn create

Creates or updates keys for an MIT Kerberos provider.
Syntax
isi auth krb5 spn create <provider-name> <user> <spn>
[--password <string>]

Options
<provider-name>

Specifies the Kerberos provider name.

<user>

Specifies a user name with permissions to create the service principal names (SPNs)
in the Kerberos realm.
<spn>

Specifies the SPN.

--password <string>
Specifies the password used during the modification of a Kerberos realm.

isi auth krb5 spn delete

Deletes keys from an MIT Kerberos provider.
Syntax
isi auth krb5 spn delete <provider-name> <spn> {<kvno> | --all}

Options
<provider-name>

Specifies the Kerberos provider name.

<spn>

Specifies the service principal name (SPN).

<kvno>

Specifies the key version number.

--all
Deletes all the key versions.

isi auth krb5 spn check

Checks for missing service principal names (SPNs) for an MIT Kerberos provider.
Syntax
isi auth krb5 spn check <provider-name>

Options
<provider-name>

Specifies the Kerberos provider name.

264

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth krb5 spn fix

Adds the missing service principal names (SPNs) for an MIT Kerberos provider.
Syntax
isi auth krb5 spn fix <provider-name> <user>
[--password <string>]
[--force]

Options
<provider-name>

Specifies the Kerberos provider name.

<user>

Specifies a user name with permissions to join clients to the given Kerberos domain.
--password <string>
Specifies the password that was used when modifying the Kerberos realm.
{--force | -f}
Specifies not to ask for a confirmation.

isi auth krb5 spn import

Imports keys from a keytab file for an MIT Kerberos provider.
Syntax
isi auth krb5 spn import <provider-name> <keytab-file>

Options
<provider-name>

Specifies the Kerberos provider name.

<keytab-file>

Specifies the keytab file to import.

isi auth krb5 spn list

Lists the service principal names (SPNs) and keys registered for an MIT Kerberos provider.
Syntax
isi auth krb5 spn list <provider-name>
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]

Options
<provider-name>

Specifies the Kerberos provider name.

{--limit | -l} <integer>
Specifies the number of SPNs and keys to display.
--format {table | json | csv | list}
isi auth krb5 spn fix

265

Authentication and access control

Specifies to display the SPNs and keys in a tabular, JSON, CSV, or list format.
{--no-header | -a}
Specifies not to display the headers in the CSV or tabular formats.
{--no-footer | -z}
Specifies not to display the table summary footer information.

isi auth settings krb5 modify

Modifies the global settings of an MIT Kerberos authentication provider.
Syntax
isi auth settings krb5 modify
[--always-send-preauth <boolean> | --revert-always-sendpreauth]
[--default-realm <string>]
[--dns-lookup-kdc <boolean> | --revert-dns-lookup-kdc]
[--dns-lookup-realm <boolean> | --revert-dns-lookup-realm]

Options
--always-send-preauth <boolean>
Specifies whether to send preauth.
--revert-always-send-preauth
Sets the value of --always-send-preauth to the system default.
--default-realm <string>
Specifies the default Kerberos realm name.
--dns-lookup-kdc <boolean>
Allows DNS to find Key Distribution Centers (KDCs).
--revert-dns-lookup-kdc
Sets the value of --dns-lookup-kdc to the system default.
--dns-lookup-realm <boolean>
Allows DNS to find the Kerberos realm names.
--revert-dns-lookup-realm
Sets the value of --dns-lookup-realm to the system default.

isi auth settings krb5 view

Displays MIT Kerberos provider authentication settings.
Syntax
isi auth settings krb5 view

isi auth ldap create

Creates an LDAP provider.
Syntax
isi auth ldap create <name>
[--base-dn <string>]

266

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

[--server-uris <string>]
[--alternate-security-identities-attribute <string>]
[--authentication {yes | no}]
[--balance-servers {yes | no}]
[--bind-dn <string>]
[--bind-timeout <integer>]
[--cache-entry-expiry <duration>]
[--certificate-authority-file <string>]
[--check-online-interval <duration>]
[--cn-attribute <string>]
[--create-home-directory {yes | no}]
[--crypt-password-attribute <string>]
[--email-attribute <string>]
[--enabled {yes | no}]
[--enumerate-groups {yes | no}]
[--enumerate-users {yes | no}]
[--findable-groups <string>]
[--findable-users <string>]
[--gecos-attribute <string>]
[--gid-attribute <string>]
[--group-base-dn <string>]
[--group-domain <string>]
[--group-filter <string>]
[--group-members-attribute <string>]
[--group-search-scope <scope>]
[--home-directory-template <string>]
[--homedir-attribute <string>]
[--ignore-tls-errors {yes | no}]
[--listable-groups <string>]
[--listable-users <string>]
[--login-shell <string>]
[--member-of-attribute <string>]
[--name-attribute <string>]
[--netgroup-base-dn <string>]
[--netgroup-filter <string>]
[--netgroup-members-attribute <string>]
[--netgroup-search-scope <scope>]
[--netgroup-triple-attribute <string>]
[--normalize-groups {yes | no}]
[--normalize-users {yes | no}]
[--nt-password-attribute <string>]
[--ntlm-support {all | v2only | none}]
[--provider-domain <string>]
[--require-secure-connection {yes | no}]
[--restrict-findable {yes | no}]
[--restrict-listable {yes | no}]
[--search-scope <scope>]
[--search-timeout <integer>]
[--shell-attribute <string>]
[--uid-attribute <string>]
[--unfindable-groups <string>]
[--unfindable-users <string>]
[--unique-group-members-attribute <string>]
[--unlistable-groups <string>]
[--unlistable-users <string>]
[--user-base-dn <string>]
[--user-domain <string>]
[--user-filter <string>]
[--user-search-scope <scope>]
[--bind-password <string>]
[--set-bind-password]
[--verbose]

Options
<name>
Sets the LDAP provider name.
--base-dn <string>
isi auth ldap create

267

Authentication and access control

Sets the root of the tree in which to search for identities. For example,
CN=myuser,CN=Users,DC=mycompany,DC=com.
--server-uris <string>
Specifies a list of LDAP server URIs to be used when accessing the server. Repeat this
option to specify multiple items.
--alternate-security-identities-attribute <string>
Specifies the name to be used when searching for alternate security identities. This
name is used when OneFS attempts to resolve a kerberos principal to a user.
--authentication {yes | no}
Enables or disables the use of the provider for authentication as well as identity. The
default value is yes.
--balance-servers {yes | no}
Makes the provider connect to a random server on each request.
--bind-dn <string>
Specifies the distinguished name to use when binding to the LDAP server. For
example, CN=myuser,CN=Users,DC=mycompany,DC=com.
--bind-timeout <integer>
Specifies the timeout in seconds when binding to the LDAP server.
--cache-entry-expiry <duration>
Specifies the duration of time to cache a user or group, in the format <integer>[{Y | M |
W | D | H | m | s}].
--certificate-authority-file <path>
Specifies the path to the root certificates file.
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>[{Y | M | W | D
| H | m | s}].
--cn-attribute <string>
Specifies the LDAP attribute that contains common names. The default value is cn.
--create-home-directory {yes | no}
Specifies whether to automatically create a home directory the first time a user logs
in, if a home directory does not already exist for the user.
--crypt-password-attribute <string>
Specifies the LDAP attribute that contains UNIX passwords. This setting has no
default value.
--email-attribute <string>
Specifies the LDAP attribute that contains email addresses. The default value is
mail.
--enabled {yes | no}
Enables or disables the provider.
--enumerate-groups {yes | no}
Specifies whether to allow the provider to enumerate groups.
--enumerate-users {yes | no}
268

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies whether to allow the provider to enumerate users.

--findable-groups <string>
Specifies a list of groups that can be found in this provider if --restrictfindable is enabled. Repeat this option to specify each additional findable group.
If populated, groups that are not included in this list cannot be resolved.
--findable-users <string>
Specifies a list of users that can be found in this provider if --restrictfindable is enabled. Repeat this option to specify each additional findable user. If
populated, users that are not included in this list cannot be resolved.
--gecos-attribute <string>
Specifies the LDAP attribute that contains GECOS fields. The default value is gecos.
--gid-attribute <string>
Specifies the LDAP attribute that contains GIDs. The default value is gidNumber.
--group-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for
groups.
--group-domain <string>
Specifies the domain that the provider will use to qualify groups. The default group
domain is LDAP_GROUPS.
--group-filter <string>
Sets the LDAP filter for group objects.
--group-members-attribute <string>
Specifies the LDAP attribute that contains group members. The default value is
memberUid.
--group-search-scope <scope>
Defines the default depth from the base distinguished name (DN) to perform LDAP
searches for groups.
The following values are valid:
default
Applies the setting in --search-scope.
Note

You cannot specify --search-scope=default. For example, if you specify

--group-search-scope=default, the search scope is set to the value of
--search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.

isi auth ldap create

269

Authentication and access control

--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information about home
directory variables, see Home directories.
--homedir-attribute <string>
Specifies the LDAP attribute that contains home directories. The default value is
homeDirectory.
--ignore-tls-errors {yes | no}
Continues over a secure connection even if identity checks fail.
--listable-groups <string>
Specifies a list of groups that can be viewed in this provider if --restrictlistable is enabled. Repeat this option to specify multiple list items. If populated,
groups that are not included in this list cannot be viewed.
--listable-users <string>
Specifies a list of users that can be viewed in this provider if --restrictlistable is enabled. Repeat this option to specify multiple list items. If populated,
users that are not included in this list cannot be viewed.
--login-shell <path>
Specifies the pathname of the user's login shell for users who access the file system
through SSH.
--member-of-attribute <string>
Sets the attribute to be used when searching LDAP for reverse memberships. This
LDAP value should be an attribute of the user type posixAccount that describes the
groups in which the POSIX user is a member.
--name-attribute <string>
Specifies the LDAP attribute that contains UIDs, which are used as login names. The
default value is uid.
--netgroup-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for
netgroups.
--netgroup-filter <string>
Sets the LDAP filter for netgroup objects.
--netgroup-members-attribute <string>
Specifies the LDAP attribute that contains netgroup members. The default value is
memberNisNetgroup.
--netgroup-search-scope <scope>
Defines the depth from the base distinguished name (DN) to perform LDAP searches
for netgroups.
The following values are valid:

270

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

default
Applies the setting in --search-scope.
Note

You cannot specify --search-scope=default. For example, if you specify

--group-search-scope=default, the search scope is set to the value of
--search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--netgroup-triple-attribute <string>
Specifies the LDAP attribute that contains netgroup triples. The default value is
nisNetgroupTriple.
--normalize-groups {yes | no}
Normalizes group names to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user names to lowercase before lookup.
--nt-password-attribute <string>
Specifies the LDAP attribute that contains Windows passwords. The default value is
ntpasswdhash.
--ntlm-support {all | v2only | none}
For users with NTLM-compatible credentials, specifies which NTLM versions to
support.
--provider-domain <string>
Specifies the domain that the provider will use to qualify user and group names.
--require-secure-connection {yes | no}
Specifies whether to require a TLS connection.
--restrict-findable {yes | no}
Specifies whether to check the provider for filtered lists of findable and unfindable
users and groups.
--restrict-listable {yes | no}
Specifies whether to check the provider for filtered lists of listable and unlistable
users and groups.
--search-scope <scope>
Defines the default depth from the base distinguished name (DN) to perform LDAP
searches.
The following values are valid:

isi auth ldap create

271

Authentication and access control

base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN itself.
--search-timeout <integer>
Specifies the number of seconds after which to stop retrying and fail a search. The
default value is 100.
--shell-attribute <string>
Specifies the LDAP attribute that contains a user's UNIX login shell. The default value
is loginShell.
--uid-attribute <string>
Specifies the LDAP attribute that contains UID numbers. The default value is
uidNumber.
--unfindable-groups <string>
If --restrict-findable is enabled and the findable groups list is empty,
specifies a list of groups that cannot be resolved by this provider. Repeat this option
to specify multiple list items.
--unfindable-users <string>
If --restrict-findable is enabled and the findable users list is empty, specifies
a list of users that cannot be resolved by this provider. Repeat this option to specify
multiple list items.
--unique-group-members-attribute <string>
Specifies the LDAP attribute that contains unique group members. This attribute is
used to determine which groups a user belongs to if the LDAP server is queried by the
users DN instead of the users name. This setting has no default value.
--unlistable-groups <string>
If --restrict-listable is enabled and the listable groups list is empty,
specifies a list of groups that cannot be listed by this provider that cannot be viewed.
Repeat this option to specify multiple list items.
--unlistable-users <string>
If --restrict-listable is enabled and the listable users list is empty, specifies
a list of users that cannot be listed by this provider that cannot be viewed. Repeat
this option to specify multiple list items.
--user-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for
users.
--user-domain <string>
Specifies the domain that the provider will use to qualify users. The default user
domain is LDAP_USERS.
--user-filter <string>
Sets the LDAP filter for user objects.
272

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--user-search-scope <scope>
Defines the depth from the base distinguished name (DN) to perform LDAP searches
for users.
The following values are valid:
default
Applies the search scope that is defined in the default query settings.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN itself.
--bind-password <string>
Sets the password for the distinguished name that is used when binding to the LDAP
server. To set the password interactively, use the --set-bind-password option
instead.
--set-bind-password
Interactively sets the password for the distinguished name that is used when binding
to the LDAP server. This option cannot be used with --bind-password.
{--verbose | -v}
Displays the results of running the command.

isi auth ldap delete

Deletes an LDAP provider.
Syntax
isi auth ldap delete <provider-name>
[--force]
[--verbose]

Options
<provider-name>

Specifies the name of the provider to delete.

{--force | -f}
Suppresses command-line prompts and messages.
<provider-name>

Specifies the name of the provider to delete.

{--verbose | -v}
Displays more detailed information.

isi auth ldap delete

273

Authentication and access control

isi auth ldap list

Displays a list of LDAP providers.
Syntax
isi auth ldap list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth ldap modify

Modifies an LDAP provider.
Syntax
isi auth ldap modify <provider-name>
[--base-dn <string>]
[--server-uris <string>]
[--clear-server-uris]
[--add-server-uris <string>]
[--remove-server-uris <string>]
[--alternate-security-identities-attribute <string>]
[--authentication {yes | no}]
[--balance-servers {yes | no}]
[--bind-dn <string>]
[--bind-timeout <integer>]
[--cache-entry-expiry <duration>]
[--certificate-authority-file <string>]
[--check-online-interval <duration>]
[--cn-attribute <string>]
[--create-home-directory {yes | no}]
[--crypt-password-attribute <string>]
[--email-attribute <string>]
[--enabled {yes | no}]
[--enumerate-groups {yes | no}]
[--enumerate-users {yes | no}]
[--findable-groups <string>]
[--clear-findable-groups]
[--add-findable-groups <string>]
[--remove-findable-groups <string>]

274

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

[--findable-users <string>]
[--clear-findable-users]
[--add-findable-users <string>]
[--remove-findable-users <string>]
[--gecos-attribute <string>]
[--gid-attribute <string>]
[--group-base-dn <string>]
[--group-domain <string>]
[--group-filter <string>]
[--group-members-attribute <string>]
[--group-search-scope <scope>]
[--homedir-attribute <string>]
[--home-directory-template <string>]
[--ignore-tls-errors {yes | no}]
[--listable-groups <string>]
[--clear-listable-groups]
[--add-listable-groups <string>]
[--remove-listable-groups <string>]
[--listable-users <string>]
[--clear-listable-users]
[--add-listable-users <string>]
[--remove-listable-users <string>]
[--login-shell <string>]
[--member-of-attribute <string>]
[--name-attribute <string>]
[--netgroup-base-dn <string>]
[--netgroup-filter <string>]
[--netgroup-members-attribute <string>]
[--netgroup-search-scope <scope>]
[--netgroup-triple-attribute <string>]
[--normalize-groups {yes | no}]
[--normalize-users {yes | no}]
[--nt-password-attribute <string>]
[--ntlm-support {all | v2only | none}]
[--provider-domain <string>]
[--require-secure-connection {yes | no}]
[--restrict-findable {yes | no}]
[--restrict-listable {yes | no}]
[--search-scope <scope>]
[--search-timeout <integer>]
[--shell-attribute <string>]
[--uid-attribute <string>]
[--unfindable-groups <string>]
[--clear-unfindable-groups]
[--add-unfindable-groups <string>]
[--remove-unfindable-groups <string>]
[--unfindable-users <string>]
[--clear-unfindable-users]
[--add-unfindable-users <string>]
[--remove-unfindable-users <string>]
[--unique-group-members-attribute <string>]
[--unlistable-groups <string>]
[--clear-unlistable-groups]
[--add-unlistable-groups <string>]
[--remove-unlistable-groups <string>]
[--unlistable-users <string>]
[--clear-unlistable-users]
[--add-unlistable-users <string>]
[--remove-unlistable-users <string>]
[--user-base-dn <string>]
[--user-domain <string>]
[--user-filter <string>]
[--user-search-scope <scope>]
[--bind-password <string>]
[--set-bind-password]
[--verbose]

isi auth ldap modify

275

Authentication and access control

Options
<provider-name>

Specifies the name of the LDAP provider to modify.

--base-dn <string>
Sets the root of the tree in which to search for identities. For example,
CN=myuser,CN=Users,DC=mycompany,DC=com.
--server-uris <string>
Specifies a list of LDAP server URIs to be used when accessing the server. Repeat this
option to specify multiple items.
--clear-server-uris
Removes all entries from the list of server URIs.
--add-server-uris <string>
Adds an entry to the list of server URIs. Repeat this option to specify multiple list
items.
--remove-server-uris <string>
Removes an entry from the list of server URIs. Repeat this option to specify multiple
list items.
--alternate-security-identities-attribute <string>
Specifies the name to be used when searching for alternate security identities. This
name is used when OneFS attempts to resolve a kerberos principal to a user.
--authentication {yes | no}
Enables or disables the use of this provider for authentication as well as identity. The
default value is yes.
--balance-servers {yes | no}
Makes this provider connect to a random server on each request.
--bind-dn <string>
Specifies the distinguished name to use when binding to the LDAP server. For
example, CN=myuser,CN=Users,DC=mycompany,DC=com.
--bind-timeout <integer>
Specifies the timeout in seconds when binding to the LDAP server.
--cache-entry-expiry <duration>
Specifies the amount of time to cache a user or group, in the format <integer>[{Y | M | W
| D | H | m | s}].
--certificate-authority-file <path>
Specifies the path to the root certificates file.
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>[{Y | M | W | D
| H | m | s}].
--cn-attribute <string>
Specifies the LDAP attribute that contains common names. The default value is cn.
--create-home-directory {yes | no}

276

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user. The directory path is specified in the
path template through the --home-directory-template command.
--crypt-password-attribute <string>
Specifies the LDAP attribute that contains UNIX passwords. This setting has no
default value.
--email-attribute <string>
Specifies the LDAP attribute that contains email addresses. The default value is
mail.
--enabled {yes | no}
Enables or disables this provider.
--enumerate-groups {yes | no}
Specifies whether to allow the provider to enumerate groups.
--enumerate-users {yes | no}
Specifies whether to allow the provider to enumerate users.
--findable-groups <string>
Specifies a list of groups that can be found in this provider if --restrictfindable is enabled. Repeat this option to specify multiple list items. If populated,
groups that are not included in this list cannot be resolved in this provider. This
option overwrites the entries in the findable groups list; to add or remove groups
without affecting current entries, use --add-findable-groups or --removefindable-groups.
--clear-findable-groups
Removes the list of findable groups.
--add-findable-groups <string>
Adds an entry to the list of findable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-findable-groups <string>
Removes an entry from the list of findable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--findable-users <string>
Specifies a list of users that can be found in this provider if --restrictfindable is enabled. Repeat this option to specify multiple list items. If populated,
users that are not included in this list cannot be resolved in this provider. This option
overwrites the entries in the findable users list; to add or remove users without
affecting current entries, use --add-findable-users or --removefindable-users.
--clear-findable-users
Removes the list of findable users.
--add-findable-users <string>
Adds an entry to the list of findable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-findable-users <string>

isi auth ldap modify

277

Authentication and access control

Removes an entry from the list of findable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--gecos-attribute <string>
Specifies the LDAP attribute that contains GECOS fields. The default value is gecos.
--gid-attribute <string>
Specifies the LDAP attribute that contains GIDs. The default value is gidNumber.
--group-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for
groups.
--group-domain <string>
Specifies the domain that this provider will use to qualify groups. The default group
domain is LDAP_GROUPS.
--group-filter <string>
Sets the LDAP filter for group objects.
--group-members-attribute <string>
Specifies the LDAP attribute that contains group members. The default value is
memberUid.
--group-search-scope <scope>
Defines the default depth from the base distinguished name (DN) to perform LDAP
searches for groups.
The following values are valid:
default
Applies the setting in --search-scope.
Note

You cannot specify --search-scope=default. For example, if you specify

--group-search-scope=default, the search scope is set to the value of
--search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--homedir-attribute <string>
278

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies the LDAP attribute that is used when searching for the home directory. The
default value is homeDirectory.
--ignore-tls-errors {yes | no}
Continues over a secure connection even if identity checks fail.
--listable-groups <string>
Specifies a list of groups that can be viewed in this provider if --restrictlistable is enabled. Repeat this option to specify multiple list items. If populated,
groups that are not included in this list cannot be viewed in this provider. This option
overwrites the entries in the listable groups list; to add or remove groups without
affecting current entries, use --add-listable-groups or --removelistable-groups.
--clear-listable-groups
Removes all entries from the list of viewable groups.
--add-listable-groups <string>
Adds an entry to the list of listable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-listable-groups <string>
Removes an entry from the list of viewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--listable-users <string>
Specifies a list of users that can be viewed in this provider if --restrictlistable is enabled. Repeat this option to specify multiple list items. If populated,
users that are not included in this list cannot be viewed in this provider. This option
overwrites the entries in the listable users list; to add or remove users without
affecting current entries, use --add-listable-users or --removelistable-users.
--clear-listable-users
Removes all entries from the list of viewable users.
--add-listable-users <string>
Adds an entry to the list of listable users that is checked if --restrict-listable
is enabled. Repeat this option to specify multiple list items.
--remove-listable-users <string>
Removes an entry from the list of viewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--login-shell <path>
Specifies the pathname to the user's login shell, for users who access the file system
through SSH.
--member-of-attribute <string>
Sets the attribute to be used when searching LDAP for reverse memberships. This
LDAP value should be an attribute of the user type posixAccount that describes the
groups in which the POSIX user is a member.
--name-attribute <string>
Specifies the LDAP attribute that contains UIDs, which are used as login names. The
default value is uid.

isi auth ldap modify

279

Authentication and access control

--netgroup-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for
netgroups.
--netgroup-filter <string>
Sets the LDAP filter for netgroup objects.
--netgroup-members-attribute <string>
Specifies the LDAP attribute that contains netgroup members. The default value is
memberNisNetgroup.
--netgroup-search-scope <scope>
Defines the depth from the base distinguished name (DN) to perform LDAP searches
for netgroups.
The following values are valid:
default
Applies the setting in --search-scope.
Note

You cannot specify --search-scope=default. For example, if you specify

--group-search-scope=default, the search scope is set to the value of
--search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--netgroup-triple-attribute <string>
Specifies the LDAP attribute that contains netgroup triples. The default value is
nisNetgroupTriple.
--normalize-groups {yes | no}
Normalizes group names to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user names to lowercase before lookup.
--nt-password-attribute <string>
Specifies the LDAP attribute that contains Windows passwords. The default value is
ntpasswdhash.
--ntlm-support {all | v2only | none}
For users with NTLM-compatible credentials, specifies which NTLM versions to
support.
The following values are valid:
all
v2only
280

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

none
--provider-domain <string>
Specifies the domain that this provider will use to qualify user and group names.
--require-secure-connection {yes | no}
Specifies whether to require a TLS connection.
--restrict-findable {yes | no}
Specifies whether to check this provider for filtered lists of findable and unfindable
users and groups.
--restrict-listable {yes | no}
Specifies whether to check this provider for filtered lists of viewable and unviewable
users and groups.
--search-scope <scope>
Defines the default depth from the base distinguished name (DN) to perform LDAP
searches.
The following values are valid:
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN itself.
--search-timeout <integer>
Specifies the number of seconds after which to stop retrying and fail a search. The
default value is 100.
--shell-attribute <string>
Specifies the LDAP attribute that is used when searching for a user's UNIX login shell.
The default value is loginShell.
--uid-attribute <string>
Specifies the LDAP attribute that contains UID numbers. The default value is
uidNumber.
--unfindable-groups <string>
Specifies a group that cannot be found in this provider if --restrict-findable
is enabled. Repeat this option to specify multiple list items. This option overwrites
the entries in the unfindable groups list; to add or remove groups without affecting
current entries, use --add-unfindable-groups or --remove-unfindablegroups.
--clear-unfindable-groups
Removes all entries from the list of unfindable groups.
--add-unfindable-groups <string>
Adds an entry to the list of unfindable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-groups <string>
isi auth ldap modify

281

Authentication and access control

Removes an entry from the list of unfindable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--unfindable-users <string>
Specifies a user that cannot be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. This option overwrites the
entries in the unfindable users list; to add or remove users without affecting current
entries, use --add-unfindable-users or --remove-unfindable-users.
--clear-unfindable-users
Removes all entries from the list of unfindable groups.
--add-unfindable-users <string>
Adds an entry to the list of unfindable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-users <string>
Removes an entry from the list of unfindable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--unique-group-members-attribute <string>
Specifies the LDAP attribute that contains unique group members. This attribute is
used to determine which groups a user belongs to if the LDAP server is queried by the
users DN instead of the users name. This setting has no default value.
--unlistable-groups <string>
Specifies a group that cannot be listed in this provider if --restrict-listable
is enabled. Repeat this option to specify multiple list items. This option overwrites
the entries in the unlistable groups list; to add or remove groups without affecting
current entries, use --add-unlistable-groups or --remove-unlistablegroups.
--clear-unlistable-groups
Removes all entries from the list of unviewable groups.
--add-unlistable-groups <string>
Adds an entry to the list of unviewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-groups <string>
Removes an entry from the list of unviewable groups that is checked if -restrict-listable is enabled. Repeat this option to specify multiple list items.
--unlistable-users <string>
Specifies a user that cannot be viewed in this provider if --restrict-listable
is enabled. Repeat this option to specify multiple list items. This option overwrites
the entries in the unlistable users list; to add or remove users without affecting
current entries, use --add-unlistable-users or --remove-unlistableusers.
--clear-unlistable-users
Removes all entries from the list of unviewable users.
--add-unlistable-users <string>
Adds an entry to the list of unviewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
282

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--remove-unlistable-users <string>
Removes an entry from the list of unviewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--user-base-dn <string>
Specifies the distinguished name of the entry at which to start LDAP searches for
users.
--user-domain <string>
Specifies the domain that this provider will use to qualify users. The default user
domain is LDAP_USERS.
--user-filter <string>
Sets the LDAP filter for user objects.
--user-search-scope <scope>
Defines the depth from the base distinguished name (DN) to perform LDAP searches
for users. The valid values are as follows:
The following values are valid:
default
Applies the setting in --search-scope.
Note

You cannot specify --search-scope=default. For example, if you specify

--user-search-scope=default, the search scope is set to the value of -search-scope.
base
Searches only the entry at the base DN.
onelevel
Searches all entries exactly one level below the base DN.
subtree
Searches the base DN and all entries below it.
children
Searches all entries below the base DN, excluding the base DN.
--bind-password <string>
Sets the password for the distinguished name that is used when binding to the LDAP
server. To set the password interactively, use the --set-bind-password option
instead.
--set-bind-password
Interactively sets the password for the distinguished name that is used when binding
to the LDAP server. This option cannot be used with --bind-password.
{--verbose | -v}
Displays the results of running the command.

isi auth ldap modify

283

Authentication and access control

isi auth ldap view

Displays the properties of an LDAP provider.
Syntax
isi auth ldap view <provider-name>

Options
<provider-name>

Specifies the name of the provider to view.

isi auth local list

Displays a list of local providers.
Syntax
isi auth local list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth local view

Displays the properties of a local provider.
Syntax
isi auth local view <provider-name>

Options
<provider-name>

Specifies the name of the provider to view.

284

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth local modify

Modifies a local provider.
Syntax
isi auth local modify <provider-name>
[--authentication {yes | no}]
[--create-home-directory {yes | no}]
[--home-directory-template <string>]
[--lockout-duration <duration>]
[--lockout-threshold <integer>]
[--lockout-window <duration>]
[--login-shell <string>]
[--machine-name <string>]
[--min-password-age <duration>]
[--max-password-age <duration>]
[--min-password-length <integer>]
[--password-prompt-time <duration>]
[--password-complexity{lowercase | uppercase |
numeric | symbol}]
[--clear-password-complexity]
[--add-password-complexity {lowercase | uppercase |
numeric | symbol}]
[--remove-password-complexity <string>]
[--password-history-length <integer>]
[--verbose]

Options
<provider-name>

Specifies the name of the local provider to modify.

--authentication {yes | no}
Uses the provider for authentication as well as identity. The default setting is yes.
--create-home-directory {yes | no}
Creates a home directory the first time a user logs in.
--home-directory-template <string>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--lockout-duration <duration>
Sets the length of time that an account will be inaccessible after multiple failed login
attempts.
--lockout-threshold <integer>
Specifies the number of failed login attempts after which an account will be locked
out.
--lockout-window <duration>
Sets the time in which the number of failed attempts specified by the --lockoutthreshold option must be made for an account to be locked out. Duration is
specified in the format <integer>[{Y | M | W | D | H | m | s}].
--login-shell <string>
isi auth local modify

285

Authentication and access control

Specifies the path to the UNIX login shell.

--machine-name <string>
Specifies the domain to use to qualify user and group names for the provider.
--min-password-age <duration>
Sets the minimum password age, in the format <integer>[{Y | M | W | D | H | m | s}].
--max-password-age <duration>
Sets the maximum password age, in the format <integer>[{Y | M | W | D | H | m | s}].
--min-password-length <integer>
Sets the minimum password length.
--password-prompt-time <duration>
Sets the remaining time until a user is prompted for a password change, in the format
<integer>[{Y | M | W | D | H | m | s}].
--password-complexity {lowercase | uppercase | numeric | symbol}
Specifies the conditions that a password is required to meet. A password must
contain at least one character from each specified option to be valid. For example, if
lowercase and numeric are specified, a password must contain at least on
lowercase character and one digit to be valid. Symbols are valid, excluding # and @.
--clear-password-complexity
Clears the list of parameters against which to validate new passwords.
--add-password-complexity {lowercase | uppercase | numeric |
symbol
Adds items to the list of parameters against which to validate new passwords. Repeat
this command to specify additional password-complexity options.
--remove-password-complexity <string>
Removes items from the list of parameters against which to validate new passwords.
Repeat this command to specify each password- complexity option that you want to
remove.
--password-history-length <integer>
Specifies the number of previous passwords to store to prevent reuse of a previous
password. The max password history length is 24.
{--verbose | -v}
Displays more detailed information.

isi auth log-level

Displays or modifies the run-time log level of the authentication service.
Syntax
isi auth log-level [--set <string>]

Options
{--set | -s} <string>
Sets the log level for the current node. The log level determines how much
information is logged.
The following values are valid and are organized from least to most information:
286

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

always

error

warning

info

verbose

debug

trace

Note

Levels verbose, debug, and trace may cause performance issues. Levels debug and
trace log information that likely will be useful only when consulting EMC Isilon
Technical Support.
Examples
To set the log level to debug, run the following command:
isi auth log-level --set=debug

isi auth mapping delete

Deletes one or more identity mappings.
Syntax
isi auth mapping delete {<source>| --source-uid <integer>
| --source-gid <integer> | --source-sid <string> | --all}
[{--only-generated | --only-external | --2way | --target <string>
| --target-uid <integer> | --target-gid <integer> | --target-sid
<string>}]
[--zone<string>]

Options
<source>

Specifies the mapping source by identity type, in the format <type>:<value>for

example, UID:2002.
--source-uid <integer>
Specifies the mapping source by UID.
--source-gid <integer>
Specifies the mapping source by GID.
--source-sid <string>
Specifies the mapping source by SID.
--all
Deletes all identity mappings in the specified access zone. Can be used in
conjunction with --only-generated and --only-external for additional
filtering.
--only-generated
Only deletes identity mappings that were created automatically and that include a
generated UID or GID from the internal range of user and group IDs. Must be used in
conjunction with --all.
--only-external
isi auth mapping delete

287

Authentication and access control

Only deletes identity mappings that were created automatically and that include a
UID or GID from an external authentication source. Must be used in conjunction with
--all.
--2way
Specifies or deletes a two-way, or reverse, mapping.
--target <string>
Specifies the mapping target by identity type, in the format <type>:<value>for
example, UID:2002.
--target-uid <integer>
Specifies the mapping target by UID.
--target-gid <integer>
Specifies the mapping target by GID.
--target-sid <string>
Specifies the mapping target by SID.
--zone<string>
Deletes identity mappings in the specified access zone. If no access zone is
specified, mappings are deleted from the default System zone.

isi auth mapping dump

Displays or prints the kernel mapping database.
Syntax
isi auth mapping dump
[--file <path>]
[--zone <string>]

Options
If no option is specified, the full kernel mapping database is displayed.
{--file | -f} <path>
Prints the database to the specified output file.
--zone <string>
Displays the database from the specified access zone. If no access zone is specified,
displays all mappings.
Examples
To view the kernel mapping database, run the following command:
isi auth mapping dump

The system displays output similar to the following example:

["ZID:1",
["ZID:1",
["ZID:1",
["ZID:1",

288

OneFS 7.2.0 CLI Administration Guide

"UID:6299", [["SID:S-1-5-21-1195855716-1407", 128]]]

"GID:1000000", [["SID:S-1-5-21-1195855716-513", 48]]]
"SID:S-1-5-21-1195855716-1407", [["UID:6299", 144]]]
"SID:S-1-5-21-1195855716-513", [["GID:1000000", 32]]]

Authentication and access control

isi auth mapping flush

Flushes the cache for one or all identity mappings. Flushing the cache might be useful if
the ID mapping rules have been modified.
Syntax
isi auth mapping flush {--all | --source <string>
| --source-uid <integer> | --source-gid <integer>
| --source-sid <string>}
[--zone<string>]

Options
You must specify either --all or one of the source options.
--all
Flushes all identity mappings on the EMC Isilon cluster.
--source <string>
Specifies the mapping source by identity type, in the format <type>:<value>for
example, UID:2002.
--source-uid <integer>
Specifies the source identity by UID.
--source-gid <integer>
Specifies the source identity by GID.
--source-sid <string>
Specifies the source identity by SID.
--zone<string>
Specifies the access zone of the source identity. If no access zone is specified, any
mapping for the specified source identity is flushed from the default System zone.

isi auth mapping idrange

Displays or modifies the range that UIDs and GIDs are generated from.
Syntax
isi auth mapping idrange {--set-uid-low <integer>
|--set-uid-high <integer> | --set-uid-hwm <integer>
|--set-gid-low <integer> | --set-gid-high <integer>
|--set-gid-hwm <integer> | --get-uid-range | --get-gid-range}...

isi auth mapping flush

289

Authentication and access control

Options
Note

When modifying a UID or GID range, make sure that your settings meet the following
requirements:
l

Existing IDs are not included

A mapping does not overlap with another range that might be used by other IDs on
the cluster

The mapping is large enough to avoid running out of unused IDs; if all IDs in the
range are in use, ID allocation will fail.

--set-uid-low <integer>
Sets the lowest UID value in the range.
--set-uid-high <integer>
Sets the highest UID value in the range.
--set-uid-hwm <integer>
Specifies the next UID that will be allocated (the high water mark).
Note
l

If the high water mark is set to more than the high UID value, UID allocation will
fail.

The high water mark cannot be set to less than the lowest UID value in the range.
If the specified <integer> value is less than the low UID value, the high water mark
is set to the low UID value.

--set-gid-low <integer>
Sets the lowest GID value in the range.
--set-gid-high <integer>
Sets the highest GID value in the range.
--set-gid-hwm <integer>
Specifies the next GID that will be used (the high water mark).
Note
l

If the high water mark is set to more than the high GID value, GID allocation will
fail.

High water mark cannot be set to less than the lowest GID value in the range. If
the specified <integer> value is less than the low GID value, high water mark is set
to the low GID value.

--get-uid-range
Displays the current UID range.
--get-gid-range
Displays the current GID range.

290

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth mapping import

Imports mappings from a source file to the ID mapping database.
Syntax
isi auth mapping import --file <path>
[--overwrite]

Options
{--file | -f} <path>
Specifies the full path to the file to import. File content must be in the same format as
the output that is displayed by running the isi auth mapping dump command.
{--overwrite | -o}
Overwrites existing entries in the mapping database file.

isi auth mapping view

Displays mappings for an identity.
Syntax
isi auth mapping view {<id>| --uid <integer>
| --gid <integer> | --sid <string>}
[--nocreate]
[--zone <string>]

Options
<id>

Specifies the ID of the source identity type in the format <type>:<value>for example,
UID:2002.
--uid <integer>
Specifies the mapping source by UID.
--gid <integer>
Specifies the mapping source by GID.
--sid <string>
Specifies the mapping source by SID.
--nocreate
Specifies that nonexistent mappings should not be created.
--zone
Specifies the access zone of the source identity. If no access zone is specified, OneFS
displays mappings from the default System zone.
Examples
The following command displays mappings for a user whose UID is 2002 in the zone3
access zone:
isi auth mapping view uid:2002 --zone=zone3

isi auth mapping import

291

Authentication and access control

The system displays output similar to the following example:

Type
---------Name
On-disk
Unix UID
Unix GID
SMB
NFSv4

Mapping
---------------------------------------------test1
UID:2002
2002
None
S-1-5-21-1776575851-2890035977-2418728619-1004
test1

isi auth mapping modify

Sets or modifies a mapping between two identities.
Syntax
isi auth mapping modify {<source>| --source-uid <integer>
| --source-gid <integer> | --source-sid <string> | --target
<string>
| --target-uid <integer> | --target-gid <string> | -target-sid <string>}
[--on-disk]
[--2way]
[--zone<string>]

Options
<source>

Specifies the mapping source by identity type, in the format <type>:<value>for

example, UID:2002.
--source-uid <integer>
Specifies the mapping source by UID.
--source-gid <integer>
Specifies the mapping source by GID.
--source-sid <string>
Specifies the mapping source by SID.
--target <string>
Specifies the mapping target by identity type, in the format <type>:<value>for
example, UID:2002.
--target-uid <integer>
Specifies the mapping target by UID.
--target-gid <integer>
Specifies the mapping target by GID.
--target-sid <string>
Specifies the mapping target by SID.
--on-disk
Specifies that the source on-disk identity should be represented by the target
identity.
--2way
Specifies a two-way, or reverse, mapping.
--zone<string>
292

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies the access zone that the ID mapping is applied to. If no access zone is
specified, the mapping is applied to the default System zone.

isi auth mapping create

Creates a manual mapping between a source identity and target identity or automatically
generates a mapping for a source identity.
Syntax
isi auth mapping create {<source>| --source-uid <integer>
| --source-gid <integer> | --source-sid <string>}
[{--uid | --gid | --sid}]
[--on-disk]
[--2way]
[{--target <string> | --target-uid <integer>
| --target-gid <string> | --target-sid <string>}]
[--zone<string>]

Options
<source>

Specifies the mapping source by identity type, in the format <type>:<value>for

example, UID:2002.
--source-uid <integer>
Specifies the mapping source by UID.
--source-gid <integer>
Specifies the mapping source by GID.
--source-sid <string>
Specifies the mapping source by SID.
--uid
Generates a mapping if one does not exist for the identity; otherwise, retrieves the
mapped UID.
--gid
Generates a mapping if one does not exist for the identity; otherwise, retrieves the
mapped GID.
--sid
Generates a mapping if one does not exist for the identity; otherwise, retrieves the
mapped SID.
--on-disk
Specifies that the source on-disk identity should be represented by the target
identity.
--2way
Specifies a two-way, or reverse, mapping.
--target <string>
Specifies the mapping target by identity type, in the format <type>:<value>for
example, UID:2002.
--target-uid <integer>
Specifies the mapping target by UID.
--target-gid <integer>
isi auth mapping create

293

Authentication and access control

Specifies the mapping target by GID.

--target-sid <string>
Specifies the mapping target by SID.
--zone<string>
Specifies the access zone that the ID mapping is applied to. If no access zone is
specified, the mapping is applied to the default System zone.

isi auth mapping token

Displays the access token that is calculated for a user during authentication.
Syntax
isi auth mapping token {<user> | --uid <integer>
| --kerberos-principal <string>}
[--zone <string>]
[--primary-gid <integer>]
[--gid <integer>]

Options
This command requires <user> or --uid <integer> or --kerberos-principal <string>.
<user>

Specifies the user by name.

--uid <integer>
Specifies the user by UID.
--kerberos-principal <string>
Specifies the Kerberos principal by name. For example, [email protected].
--zone <string>
Specifies the name of the access zone that contains the mapping.
--primary-gid <integer>
Specifies the primary GID.
--gid <integer>
Specifies a token GID. Repeat this option to specify multiple GIDs.

isi auth netgroups list

Displays information about a netgroup.
Syntax
isi auth netgroups list --netgroup <string>
[--recursive]
[--ignore]
[--raw]

Options
--netgroup <string>
Specifies the name of a netgroup.
--recursive
Recursively resolves nested netgroups.
294

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--ignore
Ignores errors and unresolvable netgroups.
--raw
Displays raw netgroup information.

isi auth nis create

Creates an NIS provider.
Syntax
isi auth nis create <name>
[--nis-domain <string>]
[--servers <string>]
[--authentication {yes | no}]
[--balance-servers {yes | no}]
[--cache-entry-expiry <duration>]
[--check-online-interval <duration>]
[--create-home-directory {yes | no}]
[--enabled {yes | no}]
[--enumerate-groups {yes | no}]
[--enumerate-users {yes | no}]
[--findable-groups <string>]
[--findable-users <string>]
[--group-domain <string>]
[--home-directory-template <path>]
[--hostname-lookup {yes | no}]
[--listable-groups <string>]
[--listable-users <string>]
[--login-shell <path>]
[--normalize-groups {yes | no}]
[--normalize-users {yes | no}]
[--provider-domain <string>]
[--ntlm-support {all | v2only | none}]
[--request-timeout <integer>]
[--restrict-findable {yes | no}]
[--restrict-listable {yes | no}]
[--retry-time <integer>]
[--unfindable-groups <string>]
[--unfindable-users <string>]
[--unlistable-groups <string>]
[--unlistable-users <string>]
[--user-domain <string>]
[--ypmatch-using-tcp {yes | no}]
[--verbose]

Options
<name>

Sets the name of the NIS provider.

--nis-domain <string>
Specifies the NIS domain name.
--servers <string>
Specifies a list of NIS servers to be used by this provider. Repeat this option to
specify multiple list items.
--authentication {yes | no}
Enables or disables the use of the provider for authentication as well as identity. The
default value is yes.
--balance-servers {yes | no}
isi auth nis create

295

Authentication and access control

Makes the provider connect to a random server on each request.

--cache-entry-expiry <duration>
Specifies amount of time to cache a user or group, in the format <integer>[{Y | M | W | D |
H | m | s}] .
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>[{Y | M | W | D
| H | m | s}].
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user.
--enabled {yes | no}
Enables or disables the provider.
--enumerate-groups {yes | no}
Specifies whether to allow the provider to enumerate groups.
--enumerate-users {yes | no}
Specifies whether to allow the provider to enumerate users.
--findable-groups <string>
Specifies a group that can be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. If populated, groups that
are not included in this list cannot be resolved.
--findable-users <string>
Specifies a user that can be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. If populated, users that are
not included in this list cannot be resolved.
--group-domain <string>
Specifies the domain that this provider will use to qualify groups. The default group
domain is NIS_GROUPS.
--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--hostname-lookup {yes | no}
Enables or disables host name lookups.
--listable-groups <string>
Specifies a group that can be viewed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, groups that
are not included in this list cannot be viewed.
--listable-users <string>
Specifies a user that can be viewed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, users that are
not included in this list cannot be viewed.
296

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--login-shell <path>
Specifies the path to the user's login shell. This setting applies only to users who
access the file system through SSH.
--normalize-groups {yes | no}
Normalizes group name to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user name to lowercase before lookup.
--provider-domain <string>
Specifies the domain that this provider will use to qualify user and group names.
--ntlm-support {all | v2only | none}
For users with NTLM-compatible credentials, specifies which NTLM versions to
support. Valid values are all, v2only, and none. NTLMv2 provides additional
security over NTLM.
--request-timeout <integer>
Specifies the request timeout interval in seconds.
--restrict-findable {yes | no}
Specifies whether to check this provider for filtered lists of findable and unfindable
users and groups.
--restrict-listable {yes | no}
Specifies whether to check this provider for filtered lists of viewable and unviewable
users and groups.
--retry-time <integer>
Sets the timeout period in seconds after which a request will be retried.
--unfindable-groups <string>
If --restrict-findable is enabled and the findable groups list is empty,
specifies a group that cannot be resolved by this provider. Repeat this option to
specify multiple list items.
--unfindable-users <string>
If --restrict-findable is enabled and the findable users list is empty, specifies
a user that cannot be resolved by this provider. Repeat this option to specify multiple
list items.
--unlistable-groups <string>
If --restrict-listable is enabled and the listable groups list is empty,
specifies a group that cannot be viewed by this provider. Repeat this option to specify
multiple list items.
--unlistable-users <string>
If --restrict-listable is enabled and the listable users list is empty, specifies
a user that cannot be viewed by this provider. Repeat this option to specify multiple
list items.
--user-domain <string>
Specifies the domain that this provider will use to qualify users. The default user
domain is NIS_USERS.
--ypmatch-using-tcp {yes | no}
Uses TCP for YP Match operations.
isi auth nis create

297

Authentication and access control

{--verbose | -v}
Displays the results of running the command.

isi auth nis delete

Deletes an NIS provider.
Syntax
isi auth nis delete <provider-name>
[--force]
[--verbose]

Options
<provider-name>

Specifies the name of the provider to delete.

{--force | -f}
Suppresses command-line prompts and messages.
{--verbose | -v}
Returns a success or fail message after running the command.

isi auth nis list

Displays a list of NIS providers and indicates whether a provider is functioning correctly.
Syntax
isi auth nis list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

298

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth nis modify

Modifies an NIS provider.
Syntax
isi auth nis modify <provider-name>
[--nis-domain <string>]
[--servers <string>]
[--clear-servers]
[--add-servers <string>]
[--remove-servers <string>]
[--authentication {yes | no}]
[--balance-servers {yes | no}]
[--cache-entry-expiry <duration>]
[--check-online-interval <duration>]
[--create-home-directory {yes | no}]
[--enabled {yes | no}]
[--enumerate-groups {yes | no}]
[--enumerate-users {yes | no}]
[--findable-groups <string>]
[--clear-findable-groups]
[--add-findable-groups <string>]
[--remove-findable-groups <string>]
[--findable-users <string>]
[--clear-findable-users]
[--add-findable-users <string>]
[--remove-findable-users <string>]
[--group-domain <string>]
[--home-directory-template <string>]
[--hostname-lookup {yes | no}]
[--listable-groups <string>]
[--clear-listable-groups]
[--add-listable-groups <string>]
[--remove-listable-groups <string>]
[--listable-users <string>]
[--clear-listable-users]
[--add-listable-users <string>]
[--remove-listable-users <string>]
[--login-shell <string>]
[--normalize-groups {yes | no}]
[--normalize-users {yes | no}]
[--provider-domain <string>]
[--ntlm-support {all | v2only | none}]
[--request-timeout <integer>]
[--restrict-findable {yes | no}]
[--restrict-listable {yes | no}]
[--retry-time <integer>]
[--unfindable-groups <string>]
[--clear-unfindable-groups]
[--add-unfindable-groups <string>]
[--remove-unfindable-groups <string>]
[--unfindable-users <string>]
[--clear-unfindable-users]
[--add-unfindable-users <string>]
[--remove-unfindable-users <string>]
[--unlistable-groups <string>]
[--clear-unlistable-groups]
[--add-unlistable-groups <string>]
[--remove-unlistable-groups <string>]
[--unlistable-users <string>]
[--clear-unlistable-users]
[--add-unlistable-users <string>]
[--remove-unlistable-users <string>]
[--user-domain <string>]
[--ypmatch-using-tcp {yes | no}]
[--verbose]

isi auth nis modify

299

Authentication and access control

Options
<provider-name>

Specifies the name of the NIS provider to modify.

--nis-domain <string>
Specifies the NIS domain name.
--servers <string>
Specifies a list of NIS server to be used by this provider. Repeat this option to specify
multiple list items. This option overwrites the entries in the NIS servers list; to add or
remove servers without affecting current entries, use --add-servers or -remove-servers.
--clear-servers
Removes all entries from the list of NIS servers.
--add-servers <string>
Adds an entry to the list of NIS servers. Repeat this option to specify multiple items.
--remove-servers <string>
Removes an entry from the list of NIS servers. Repeat this option to specify multiple
items.
--authentication {yes | no}
Enables or disables the use of this provider for authentication as well as identity. The
default value is yes.
--balance-servers {yes | no}
Makes this provider connect to a random server on each request.
--cache-entry-expiry <duration>
Specifies amount of time to cache a user or group, in the format <integer>[{Y | M | W | D |
H | m | s}].
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>[{Y | M | W | D
| H | m | s}].
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time a user logs in, if a home
directory does not already exist for the user.
--enabled {yes | no}
Enables or disables this provider.
--enumerate-groups {yes | no}
Specifies whether to allow this provider to enumerate groups.
--enumerate-users {yes | no}
Specifies whether to allow this provider to enumerate users.
--findable-groups <string>
Specifies a group that can be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. If populated, groups that
are not included in this list cannot be resolved. This option overwrites the entries in
the findable groups list; to add or remove groups without affecting current entries,
use --add-findable-groups or --remove-findable-groups.
300

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--clear-findable-groups
Removes all entries from the list of findable groups.
--add-findable-groups <string>
Adds an entry to the list of findable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-findable-groups <string>
Removes an entry from the list of findable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--findable-users <string>
Specifies a user that can be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. If populated, users that are
not included in this list cannot be resolved. This option overwrites the entries in the
findable users list; to add or remove users without affecting current entries, use -add-findable-users or --remove-findable-users.
--clear-findable-users
Removes all entries from the list of findable users.
--add-findable-users <string>
Adds an entry to the list of findable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-findable-users <string>
Removes an entry from the list of findable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--group-domain <string>
Specifies the domain that this provider will use to qualify groups. The default group
domain is NIS_GROUPS.
--home-directory-template <path>
Specifies the path to use as a template for naming home directories. The path must
begin with /ifs and can include special character sequences that are dynamically
replaced with strings at home directory creation time that represent specific
variables. For example, %U, %D, and %Z are replaced with the user name, provider
domain name, and zone name, respectively. For more information, see the Home
directories section.
--hostname-lookup {yes | no}
Enables or disables host name lookups.
--listable-groups <string>
Specifies a group that can be viewed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, groups that
are not included in this list cannot be viewed. This option overwrites the entries in the
listable groups list; to add or remove groups without affecting current entries, use -add-listable-groups or --remove-listable-groups.
--clear-listable-groups
Removes all entries from the list of viewable groups.
--add-listable-groups <string>

isi auth nis modify

301

Authentication and access control

Adds an entry to the list of viewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-listable-groups <string>
Removes an entry from the list of viewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--listable-users <string>
Specifies a user that can be viewed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. If populated, users that are
not included in this list cannot be viewed. This option overwrites the entries in the
listable users list; to add or remove users without affecting current entries, use -add-listable-users or --remove-listable-users.
--clear-listable-users
Removes all entries from the list of viewable users.
--add-listable-users <string>
Adds an entry to the list of viewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-listable-users <string>
Removes an entry from the list of viewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--login-shell <path>
Specifies the path to the user's login shell. This setting applies only to users who
access the file system through SSH.
--normalize-groups {yes | no}
Normalizes group names to lowercase before lookup.
--normalize-users {yes | no}
Normalizes user names to lowercase before lookup.
--provider-domain <string>
Specifies the domain that this provider will use to qualify user and group names.
--ntlm-support {all | v2only | none}
For users with NTLM-compatible credentials, specifies which NTLM versions to
support. Valid values are all, v2only, and none. NTLMv2 provides additional
security over NTLM.
--request-timeout <integer>
Specifies the request timeout interval in seconds.
--restrict-findable {yes | no}
Specifies whether to check this provider for filtered lists of findable and unfindable
users and groups.
--restrict-listable {yes | no}
Specifies whether to check this provider for filtered lists of viewable and unviewable
users and groups.
--retry-time <integer>
Sets the timeout period in seconds after which a request will be retried.
--unfindable-groups <string>
302

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies a group that cannot be found in this provider if --restrict-findable

is enabled. Repeat this option to specify multiple list items. This option overwrites
the entries in the unfindable groups list; to add or remove groups without affecting
current entries, use --add-unfindable-groups or --remove-unfindablegroups.
--clear-unfindable-groups
Removes all entries from the list of unfindable groups.
--add-unfindable-groups <string>
Adds an entry to the list of unfindable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-groups <string>
Removes an entry from the list of unfindable groups that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--unfindable-users <string>
Specifies a user that cannot be found in this provider if --restrict-findable is
enabled. Repeat this option to specify multiple list items. This option overwrites the
entries in the unfindable users list; to add or remove users without affecting current
entries, use --add-unfindable-users or --remove-unfindable-users.
--clear-unfindable-users
Removes all entries from the list of unfindable groups.
--add-unfindable-users <string>
Adds an entry to the list of unfindable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--remove-unfindable-users <string>
Removes an entry from the list of unfindable users that is checked if --restrictfindable is enabled. Repeat this option to specify multiple list items.
--unlistable-groups <string>
Specifies a group that cannot be listed in this provider if --restrict-listable
is enabled. Repeat this option to specify multiple list items. This option overwrites
the entries in the unlistable groups list; to add or remove groups without affecting
current entries, use --add-unlistable-groups or --remove-unlistablegroups.
--clear-unlistable-groups
Removes all entries from the list of unlistable groups.
--add-unlistable-groups <string>
Adds an entry to the list of unviewable groups that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-groups <string>
Removes an entry from the list of unviewable groups that is checked if -restrict-listable is enabled. Repeat this option to specify multiple list items.
--unlistable-users <string>
Specifies a user that cannot be listed in this provider if --restrict-listable is
enabled. Repeat this option to specify multiple list items. This option overwrites the

isi auth nis modify

303

Authentication and access control

entries in the unlistable users list; to add or remove users without affecting current
entries, use --add-unlistable-users or --remove-unlistable-users.
--clear-unlistable-users
Removes all entries from the list of unviewable users.
--add-unlistable-users <string>
Adds an entry to the list of unviewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--remove-unlistable-users <string>
Removes an entry from the list of unviewable users that is checked if --restrictlistable is enabled. Repeat this option to specify multiple list items.
--user-domain <string>
Specifies the domain that this provider will use to qualify users. The default user
domain is NIS_USERS.
--ypmatch-using-tcp {yes | no}
Uses TCP for YP Match operations.
{--verbose | -v}
Displays the results of running the command.

isi auth nis view

Displays the properties of an NIS provider.
Syntax
isi auth nis view <provider-name>

Options
<provider-name>

Specifies the name of the provider to view.

isi auth privileges

Displays a list of system privileges.
Syntax
isi auth privileges
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
304

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

{--verbose | -v}
Displays more detailed information.
Note

When using the --verbose option, the output Read Write: No means that the
privileges are read-only.

isi auth refresh

Refreshes authentication system configuration settings.
Syntax
isi auth refresh

Options
There are no options for this command.

isi auth roles create

Creates a custom role.
This command creates an empty role. To assign privileges and add members to the role,
run the isi auth roles modify command.
Syntax
isi auth roles create <name>
[--description <string>]
[--verbose]

Options
<name>

Specifies the name of the role.

--description <string>
Specifies a description of the role.
{--verbose | -v}
Displays the results of running the command.

isi auth roles delete

Deletes a role.
Syntax
isi auth roles delete <role>
[--force]
[--verbose]

Options
<role>

Specifies the name of the role to delete.

{--force | -f}
Suppresses command-line prompts and messages.
isi auth refresh

305

Authentication and access control

{--verbose | -v}
Displays more detailed information.

isi auth roles list

Displays a list of roles.
Syntax
isi auth roles list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth roles members list

Displays a list of the members of a role.
Syntax
isi auth roles members list <role>
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
<role>

Specifies a role by name.

{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
306

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.
Examples
To view the members of the SystemAdmin role, run the following command:
isi auth roles members list systemadmin

In the following sample output, the SystemAdmin role currently contains one member, a
user named admin:
Type Name
---------user admin
---------Total: 1

isi auth roles modify

Modifies a role.
Syntax
isi auth roles modify <role>
[--name <string>]
[--description <string>]
[--add-group <string>]
[--remove-group <string>]
[--add-gid <integer>]
[--remove-gid <integer>]
[--add-uid <integer>]
[--remove-uid <integer>]
[--add-user <string>]
[--remove-user <string>]
[--add-sid <string>]
[--remove-sid <string>]
[--add-wellknown <string>]
[--remove-wellknown <string>]
[--add-priv <string>]
[--add-priv-ro <string>]
[--remove-priv <string>]
[--verbose]

Options
<role>

Specifies the name of the role to modify.

--name <string>
Specifies a new name for the role. Applies to custom roles only.
--description <string>
Specifies a description of the role.
--add-group <string>
Adds a group with the specified name to the role. Repeat this option for each
additional item.
--remove-group <string>

isi auth roles modify

307

Authentication and access control

Removes a group with the specified name from the role. Repeat this option for each
additional item.
--add-gid <integer>
Adds a group with the specified GID to the role. Repeat this option for each additional
item.
--remove-gid <integer>
Removes a group with the specified GID from the role. Repeat this option for each
additional item.
--add-uid <integer>
Adds a user with the specified UID to the role. Repeat this option for each additional
item.
--remove-uid <integer>
Removes a user with the specified UID from the role. Repeat this option for each
additional item.
--add-user <string>
Adds a user with the specified name to the role. Repeat this option for each
additional item.
--remove-user <string>
Removes a user with the specified name from the role. Repeat this option for each
additional item.
--add-sid <string>
Adds a user or group with the specified SID to the role. Repeat this option for each
additional item.
--remove-sid <string>
Removes a user or group with the specified SID from the role. Repeat this option for
each additional item.
--add-wellknown <string>
Adds a well-known SID with the specified namefor example, Everyoneto the role.
Repeat this option for each additional item.
--remove-wellknown <string>
Removes a well-known SID with the specified name from the role. Repeat this option
for each additional item.
--add-priv <string>
Adds a read/write privilege to the role. Applies to custom roles only. Repeat this
option for each additional item.
--add-priv-ro <string>
Adds a read-only privilege to the role. Applies to custom roles only. Repeat this
option for each additional item.
--remove-priv <string>
Removes a privilege from the role. Applies to custom roles only. Repeat this option for
each additional item.
{--verbose | -v}
Displays the results of running the command.

308

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth roles privileges list

Displays a list of privileges that are associated with a role.
Syntax
isi auth roles privileges list <role>
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
<role>

Specifies a role by name.

{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.
Examples
To list the privileges that are associated with the built-in SecurityAdmin role, run the
following command:
isi auth roles privileges list securityadmin

The system displays output similar to the following example:

ID
---------------------ISI_PRIV_LOGIN_CONSOLE
ISI_PRIV_LOGIN_PAPI
ISI_PRIV_LOGIN_SSH
ISI_PRIV_AUTH
ISI_PRIV_ROLE
---------------------Total: 5

isi auth roles view

Displays the properties of a role.
Syntax
isi auth roles view <role>

isi auth roles privileges list

309

Authentication and access control

Options
<role>
Specifies the name of the role to view.

isi auth settings global modify

Modifies the global authentication settings.
Syntax
isi auth settings global modify
[{--send-ntlmv2 {yes | no} | --revert-send-ntlmv2}]
[{--space-replacement <character> | --revert-space-replacement}]
[{--workgroup <string> | --revert-workgroup}]
[--provider-hostname-lookup <string>]
[{--cache-cred-lifetime <duration> | --revert-cache-cred-lifetime}]
[{--cache-id-lifetime <duration> | --revert-cache-id-lifetime}]
[{--on-disk-identity {native | unix | sid}
| --revert-on-disk-identity}]
[{--rpc-max-requests <integer> | --revert-rpc-max-requests}]
[{--unknown-gid <integer> | --revert-unknown-gid}]
[{--unknown-uid <integer> | --revert-unknown-uid}]
[--verbose]

Options
--send-ntlmv2 {yes | no}
Specifies whether to send only NTLMv2 responses to an SMB client. The default value
is no. Valid values are yes, no. The default value is no.
--revert-send-ntlmv2
Reverts the --send-ntlmv2 setting to the system default value.
--space-replacement <character>
For clients that have difficulty parsing spaces in user and group names, specifies a
substitute character. Be careful to choose a character that is not in use.
--revert-space-replacement
Reverts the --space-replacement setting to the system default value.
--workgroup <string>
Specifies the NetBIOS workgroup. The default value is WORKGROUP.
--revert-workgroup
Reverts the --workgroup setting to the system default value.
--provider-hostname-lookup <string>
Allows hostname lookup through authentication providers. Applies to NIS only.
--alloc-retries <integer>
Specifies the number of times to retry an ID allocation before failing.
--revert-alloc-retries
Reverts the --alloc-retries setting to the system default value.
--cache-cred-lifetime <duration>
Specifies the length of time to cache credential responses from the ID mapper, in the
format <integer>[{Y | M | W | D | H | m | s}].
--revert-cache-cred-lifetime
Reverts the --cache-cred-lifetime setting to the system default value.
310

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--cache-id-lifetime <duration>
Specifies the length of time to cache ID responses from the ID mapper, in the format
<integer>[{Y | M | W | D | H | m | s}].
--revert-cache-id-lifetime
Reverts the --cache-id-lifetime setting to the system default value.
--on-disk-identity <string>
Controls the preferred identity to store on disk. If OneFS is unable to convert an
identity to the preferred format, it is stored as is. This setting does not affect
identities that are already stored on disk.
The accepted values are listed below.
native
Allows OneFS to determine the identity to store on disk. This is the
recommended setting.
unix
Always stores incoming UNIX identifiers (UIDs and GIDs) on disk.
sid
Stores incoming Windows security identifiers (SIDs) on disk unless the SID was
generated from a UNIX identifier. If the SID was generated from a UNIX identifier,
OneFS converts it back to the UNIX identifier and stores it on disk.
Note

To prevent permission errors after changing the on-disk identity, run isi job jobs
start PermissionRepair with the convert mode specified.
--revert-on-disk-identity
Sets the --on-disk-identity setting to the system default value.
--rpc-max-requests <integer>
Specifies the maximum number of simultaneous ID mapper requests allowed. The
default value is 64.
--revert-rpc-max-requests
Sets the --rpc-max-requests setting to the system default value.
--unknown-gid <integer>
Specifies the GID to use for the unknown (anonymous) group.
--revert-unknown-gid
Sets the --unknown-gid setting to the system default value.
--unknown-uid <integer>
Specifies the UID to use for the unknown (anonymous) user.
--revert-unknown-uid
Sets the --unknown-uid setting to the system default value.
{--verbose | -v}
Displays more detailed information.

isi auth settings global modify

311

Authentication and access control

isi auth settings global view

Displays global authentication settings.
Syntax
isi auth settings global view

Options
There are no options for this command.
Examples
To view the current authentication settings on the cluster, run the following command:
isi auth settings global view

The system displays output similar to the following example:

Send NTLMv2:
Space Replacement:
Workgroup:
Provider Hostname Lookup:
Alloc Retries:
Cache Cred Lifetime:
Cache ID Lifetime:
On Disk Identity:
RPC Block Time:
RPC Max Requests:
RPC Timeout:
System GID Threshold:
System UID Threshold:
GID Range Enabled:
GID Range Min:
GID Range Max:
UID Range Enabled:
UID Range Min:
UID Range Max:
Min Mapped Rid:
Group UID:
Null GID:
Null UID:
Unknown GID:
Unknown UID:

No
WORKGROUP
disabled
5
15m
15m
native
5s
16
30s
80
80
Yes
1000000
2000000
Yes
1000000
2000000
2147483648
4294967292
4294967293
4294967293
4294967294
4294967294

isi auth status

Displays provider status, including available authentication providers and which
providers are function correctly.
Syntax
isi auth status [<zone><string>]
[--limit [-l | <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
<zone><string>
Specifies an access zone by name.
312

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

--limit [ -l | <integer>]
Specifies the number of providers to display.
--format {table | json | csv | list}
Displays providers in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi auth users create

Creates a user account.
Syntax
isi auth users create <name>
[--enabled {yes | no}]
[--expiry <timestamp>]
[--email <string>]
[--gecos <string>]
[--home-directory <path>]
[--password <string>]
[--password-expires {yes | no}]
[{--primary-group <name> | --primary-group-gid <integer>
| --primary-group-sid <string>}]
[--prompt-password-change {yes | no}]
[--shell <path>]
[--uid <integer>]
[--zone <string>]
[--provider <string>]
[--set-password]
[--verbose]
[--force]

Options
<name>

Specifies the user name.

--enabled {yes | no}
Enables or disables the user.
{--expiry | -x} <timestamp>
Specifies the time at which the user account will expire, using the date format <YYYY><MM>-<DD> or the date/time format <YYYY>-<MM>-<DD>T<hh>:<mm>[:<ss>].
--email <string>
Specifies the email address of the user.
--gecos <string>
Specifies the values for the following Gecos field entries in the user's password file:
Full Name:
Office Location:

isi auth users create

313

Authentication and access control

Office Phone:
Home Phone:
Other information:

Values must be entered as a comma-separated list, and values that contain spaces
must be enclosed in quotation marks. For example, the --gecos="Jane
Doe",Seattle,555-5555,,"Temporary worker" option with these values
results in the following entries:
Full Name: Jane Doe
Office Location: Seattle
Office Phone: 555-5555
Home Phone:
Other information: Temporary worker

--home-directory <path>
Specifies the path to the user's home directory.
--password <string>
Sets the user's password to the specified value. This option cannot be used with the
--set-password option.
--password-expires {yes | no}
Specifies whether to allow the password to expire.
--primary-group <name>
Specifies the user's primary group by name.
--primary-group-gid <integer>
Specifies the user's primary group by GID.
--primary-group-sid <string>
Specifies the user's primary group by SID.
--prompt-password-change {yes | no}
Prompts the user to change the password during the next login.
--shell <path>
Specifies the path to the UNIX login shell.
--uid <integer>
Overrides automatic allocation of the UNIX user identifier (UID) with the specified
value. Setting this option is not recommended.
--zone <string>
Specifies the access zone in which to create the user.
--provider <string>
Specifies a local authentication provider in the specified access zone.
--set-password
Sets the password interactively. This option cannot be used with the --password
option.
{--verbose | -v}
Displays the results of running the command.
{--force | -f}
Suppresses command-line prompts and messages.
314

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth users delete

Deletes a local user from the system.
Syntax
isi auth users delete {<user> | --uid <integer> | --sid <string>}
[--zone <string>]
[--provider <string>]
[--force]
[--verbose]

Options
This command requires <user>, --uid <integer>, or --sid <string>.
<user>

Specifies the user by name.

--uid <integer>
Specifies the user by UID.
--sid <string>
Specifies the user by SID.
--zone <string>
Specifies the name of the access zone that contains the user.
--provider <string>
Specifies the name of the authentication provider that contains the user.
{--force | -f}
Suppresses command-line prompts and messages.
{--verbose | -v}
Displays the results of running the command.

isi auth users flush

Flushes cached user information.
Syntax
isi auth users flush

Options
There are no options for this command.
Examples
To flush all cached user information, run the following command:
isi auth user flush

isi auth users delete

315

Authentication and access control

isi auth users list

Displays a list of users. If no options are specified, all users in the System access zone
are displayed.
Note

The --domain option must be specified to list Active Directory users.

Syntax
isi auth users list
[--domain <string>]
[--zone <string>]
[--provider <string>]
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
--domain <string>
Displays only the users in the specified provider domain.
--zone <string>
Specifies the access zone whose users you want to list. The default access zone is
System.
--provider <string>
Displays only the users in the specified authentication provider. The syntax for
specifying providers is <provider-type>:<provider-name>, being certain to use the colon
separator; for example, isi auth users list --provider="lsa-ldapprovider:Unix LDAP".
{--limit | -l} <integer>.
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

316

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

isi auth users modify

Modifies a local user.
Syntax
isi auth users modify {<user> | --uid <integer> | --sid <string>}
[--enabled {yes | no}]
[--expiry <timestamp>]
[--unlock]
[--email <string>]
[--gecos <string>]
[--home-directory <path>]
[--password <string>]
[--password-expires {yes | no}]
[{--primary-group <string> | --primary-group-gid <integer>
| --primary-group-sid <string>}]
[--prompt-password-change {yes | no}]
[--shell <path>]
[--new-uid <integer>]
[--zone <string>]
[--add-group <name>]
[--add-gid <id>]
[--remove-group <name>]
[--remove-gid <id>]
[--provider <string>]
[--set-password]
[--verbose]
[--force]

Options
This command requires <user>, --uid <integer>, or --sid <string>.
<user>

Specifies the user by name.

--uid <integer>
Specifies the user by UID.
--sid <string>
Specifies the user by SID.
--enabled {yes | no}
Enables or disables the user.
{--expiry | -x} <timestamp>
Specifies the time at which the user account will expire, using the date format <YYYY><MM>-<DD> or the date/time format <YYYY>-<MM>-<DD>[T<hh>:<mm>[:<ss>].
--unlock
Unlocks the user account if locked.
--email <string>
Specifies the email address of the user.
--gecos <string>
Specifies the values for the following Gecos field entries in the user's password file:
Full Name:
Office Location:
Office Phone:

isi auth users modify

317

Authentication and access control

Home Phone:
Other information:

Values must be entered as a comma-separated list, and values that contain spaces
must be enclosed in quotation marks. For example, the --gecos= "Jane
Doe",Seattle,555-5555,,"Temporary worker" option with these values
results in the following entries:
Full Name: Jane Doe
Office Location: Seattle
Office Phone: 555-5555
Home Phone:
Other information: Temporary worker

--home-directory <path>
Specifies the path to the user's home directory.
--password <string>
Sets the user's password to the specified value. This option cannot be used with the
--set-password option.
--password-expires {yes | no}
Specifies whether to allow the password to expire.
--primary-group <name>
Specifies the user's primary group by name.
--primary-group-gid <integer>
Specifies the user's primary group by GID.
--primary-group-sid <string>
Specifies the user's primary group by SID.
--prompt-password-change {yes | no}
Prompts the user to change the password during the next login.
--shell <path>
Specifies the path to the UNIX login shell.
--new-uid <integer>
Specifies a new UID for the user. Setting this option is not recommended.
--zone <string>
Specifies the name of the access zone that contains the user.
--add-group <name>
Specifies the name of a group to add the user to. Repeat this option to specify
multiple list items.
--add-gid <integer>
Specifies the GID of a group to add the user to. Repeat this option to specify multiple
list items.
--remove-group <name>
Specifies the name of a group to remove the user from. Repeat this option to specify
multiple list items.
--remove-gid <integer>
318

OneFS 7.2.0 CLI Administration Guide

Authentication and access control

Specifies the GID of a group to remove the user from. Repeat this option to specify
multiple list items.
--provider <string>
Specifies an authentication provider of the format <type>:<instance>. Valid provider
types are ads, ldap, nis, file, and local. For example, an LDAP provider named
auth1 can be specified as ldap:auth1.
--set-password
Sets the password interactively. This option cannot be used with the --password
option.
{--verbose | -v}
Displays the results of running the command.
{--force | -f}
Suppresses command-line prompts and messages.

isi auth users view

Displays the properties of a user.
Syntax
isi auth users view {<user> | --uid <integer> | --sid <string>}
[--cached]
[--show-groups]
[--resolve-names]
[--zone <string>]
[--provider <string>]

Options
This command requires <user>, --uid <integer>, or --sid <string>.
<user>

Specifies the user by name.

--uid <integer>
Specifies the user by UID.
--sid <string>
Specifies the user by SID.
--cached
Returns only cached information.
--show-groups
Displays groups that include the user as a member.
--resolve-names
Resolves the names of all related groups and related identities.
--zone <string>
Specifies the name of the access zone that contains the user.
--provider <string>
Specifies the name of the authentication provider that contains the user in the format
<type>:<instance>. Valid values for type are ads, ldap, nis, file, and local. For
example an LDAP provider named auth1 can be specified as ldap:auth1, or an
Active Directory provider can be specified as ads:YORK.east.com.
isi auth users view

319

Authentication and access control

320

OneFS 7.2.0 CLI Administration Guide

CHAPTER 7
Identity management

This section contains the following topics:

l
l
l
l
l
l

Identity management overview............................................................................322

Identity types...................................................................................................... 322
Access tokens..................................................................................................... 323
Access token generation..................................................................................... 324
Managing ID mappings........................................................................................329
Managing user identities.....................................................................................332

Identity management

321

Identity management

Identity management overview

In environments with several different types of directory services, OneFS maps the users
and groups from the separate services to provide a single unified identity on an EMC
Isilon cluster and uniform access control to files and directories, regardless of the
incoming protocol. This process is called identity mapping.
Isilon clusters are frequently deployed in multiprotocol environments with multiple types
of directory services, such as Active Directory and LDAP. When a user with accounts in
multiple directory services logs in to a cluster, OneFS combines the users identities and
privileges from all the directory services into a native access token.
You can configure OneFS settings to include a list of rules for access token manipulation
to control user identity and privileges. For example, you can set a user mapping rule to
merge an Active Directory identity and an LDAP identity into a single token that works for
access to files stored over both SMB and NFS. The token can include groups from Active
Directory and LDAP. The mapping rules that you create can solve identity problems by
manipulating access tokens in many ways, including the following examples:
l

Authenticate a user with Active Directory but give the user a UNIX identity.

Select a primary group from competing choices in Active Directory or LDAP.

Disallow login of users that do not exist in both Active Directory and LDAP.

For more information about identity management, see the white paper Managing identities
with the Isilon OneFS user mapping service at EMC Online Support.

Identity types
OneFS supports three primary identity types, each of which you can store directly on the
file system. Identity types are user identifier and group identifier for UNIX, and security
identifier for Windows.
When you log on to an EMC Isilon cluster, the user mapper expands your identity to
include your other identities from all the directory services, including Active Directory,
LDAP, and NIS. After OneFS maps your identities across the directory services, it
generates an access token that includes the identity information associated with your
accounts. A token includes the following identifiers:
l

A UNIX user identifier (UID) and a group identifier (GID). A UID or GID is a 32-bit
number with a maximum value of 4,294,967,295.

A security identifier (SID) for a Windows user account. A SID is a series of authorities
and sub-authorities ending with a 32-bit relative identifier (RID). Most SIDs have the
form S-1-5-21-<A>-<B>-<C>-<RID>, where <A>, <B>, and <C> are specific to a domain or
computer and <RID> denotes the object in the domain.

A primary group SID for a Windows group account.

A list of supplemental identities, including all groups in which the user is a member.

The token also contains privileges that stem from administrative role-based access
control.
On an Isilon cluster, a file contains permissions, which appear as an access control list
(ACL). The ACL controls access to directories, files, and other securable system objects.
When a user tries to access a file, OneFS compares the identities in the users access
token with the files ACL. OneFS grants access when the files ACL includes an access
control entry (ACE) that allows the identity in the token to access the file and that does
322

OneFS 7.2.0 CLI Administration Guide

Identity management

not include an ACE that denies the identity access. OneFS compares the access token of
a user with the ACL of a file.
Note

For more information about access control lists, including a description of the
permissions and how they correspond to POSIX mode bits, see the white paper titled EMC
Isilon multiprotocol data access with a unified security model on the EMC Online Support
web site.
When a name is provided as an identifier, it is converted into the corresponding user or
group object and the correct identity type. You can enter or display a name in various
ways:
l

UNIX assumes unique case-sensitive namespaces for users and groups. For example,
Name and name represent different objects.

Windows provides a single, case-insensitive namespace for all objects and also
specifies a prefix to target an Active Directory domain; for example, domain\name.

Kerberos and NFSv4 define principals, which require names to be formatted the same
way as email addresses; for example, [email protected].

Multiple names can reference the same object. For example, given the name support and
the domain example.com, support, EXAMPLE\support and [email protected] are all
names for a single object in Active Directory.

Access tokens
An access token is created when the user first makes a request for access.
Access tokens represent who a user is when performing actions on the cluster and supply
the primary owner and group identities during file creation. Access tokens are also
compared against the ACL or mode bits during authorization checks.
During user authorization, OneFS compares the access token, which is generated during
the initial connection, with the authorization data on the file. All user and identity
mapping occurs during token generation; no mapping takes place during permissions
evaluation.
An access token includes all UIDs, GIDs, and SIDs for an identity, in addition to all OneFS
privileges. OneFS reads the information in the token to determine whether a user has
access to a resource. It is important that the token contains the correct list of UIDs, GIDs,
and SIDs. An access token is created from one of the following sources:
Source

Authentication

Username

SMB impersonate user

Kerberized NFSv3

Kerberized NFSv4

NFS export user mapping

HTTP

FTP

HDFS

SMB NTLM

Privilege Attribute Certificate (PAC)

Access tokens

323

Identity management

Source

Authentication

User identifier (UID)

Active Directory Kerberos

NFS AUTH_SYS mapping

Access token generation

For most protocols, the access token is generated from the username or from the
authorization data that is retrieved during authentication.
The following steps present a simplified overview of the complex process through which
an access token is generated:
Step Process

Description

Using the initial identity, the user is looked up in all configured

authentication providers in the access zone, in the order in which they
are listed, until a match is found. The user identity and group list are
retrieved from the authenticating provider. Any SIDs, UIDs, or GIDs are
added to the initial token.

User identity
lookup

Note

An exception to this behavior occurs if the AD provider is configured to

call other providers, such as LDAP or NIS.
2

ID mapping

The user's identifiers are associated across directory services. All SIDs
are converted to their equivalent UID/GID and vice versa. These ID
mappings are also added to the access token.

User mapping

Access tokens from other directory services are combined. If the

username matches any user mapping rules, the rules are processed in
order and the token is updated accordingly.

On-disk identity The default on-disk identity is calculated from the final token and the
calculation
global setting. These identities are used for newly created files.

ID mapping
The Identity (ID) mapping service maintains relationship information between mapped
Windows and UNIX identifiers to provide consistent access control across file sharing
protocols within an access zone.
Note

ID mapping and user mapping are different services, despite the similarity in names.
During authentication, the authentication daemon requests identity mappings from the
ID mapping service in order to create access tokens. Upon request, the ID mapping
service returns Windows identifiers mapped to UNIX identifiers or UNIX identifiers
mapped to Windows identifiers. When a user authenticates to a cluster over NFS with a
UID or GID, the ID mapping service returns the mapped Windows SID, allowing access to
files that another user stored over SMB. When a user authenticates to the cluster over

324

OneFS 7.2.0 CLI Administration Guide

Identity management

SMB with a SID, the ID mapping service returns the mapped UNIX UID and GID, allowing
access to files that a UNIX client stored over NFS.
Mappings between UIDs or GIDs and SIDs are stored according to access zone in a
cluster-distributed database called the ID map. Each mapping in the ID map is stored as a
one-way relationship from the source to the target identity type. Two-way mappings are
stored as complementary one-way mappings.

Mapping Windows IDs to UNIX IDs

When a Windows user authenticates with an SID, the authentication daemon searches
the external Active Directory provider to look up the user or group associated with the
SID. If the user or group has only an SID in the Active Directory, the authentication
daemon requests a mapping from the ID mapping service.
Note

User and group lookups may be disabled or limited, depending on the Active Directory
settings. You enable user and group lookup settings through the isi auth ads
modify command.
If the ID mapping service does not locate and return a mapped UID or GID in the ID map,
the authentication daemon searches other external authentication providers configured
in the same access zone for a user that matches the same name as the Active Directory
user.
If a matching user name is found in another external provider, the authentication daemon
adds the matching user's UID or GID to the access token for the Active Directory user, and
the ID mapping service creates a mapping between the UID or GID and the Active
Directory user's SID in the ID map. This is referred to as an external mapping.
Note

When an external mapping is stored in the ID map, the UID is specified as the on-disk
identity for that user. When the ID mapping service stores a generated mapping, the SID
is specified as the on-disk identity.
If a matching user name is not found in another external provider, the authentication
daemon assigns a UID or GID from the ID mapping range to the Active Directory user's
SID, and the ID mapping service stores the mapping in the ID map. This is referred to as a
generated mapping. The ID mapping range is a pool of UIDs and GIDs allocated in the
mapping settings.
After a mapping has been created for a user, the authentication daemon retrieves the UID
or GID stored in the ID map upon subsequent lookups for the user.

Mapping UNIX IDs to Windows IDs

The ID mapping service creates temporary UID-to-SID and GID-to-SID mappings only if a
mapping does not already exist. The UNIX SIDs that result from these mappings are never
stored on disk.
UIDs and GIDs have a set of predefined mappings to and from SIDs.
If a UID-to-SID or GID-to-SID mapping is requested during authentication, the ID mapping
service generates a temporary UNIX SID in the format S-1-22-1-<UID> or S-1-22-2-<GID> by
applying the following rules:
l

For UIDs, the ID mapping service generates a UNIX SID with a domain of S-1-22-1 and
a resource ID (RID) matching the UID. For example, the UNIX SID for UID 600 is
S-1-22-1-600.
ID mapping

325

Identity management

For GIDs, the ID mapping service generates a UNIX SID with a domain of S-1-22-2 and
an RID matching the GID. For example, the UNIX SID for GID 800 is S-1-22-2-800.

ID mapping ranges
In access zones with multiple external authentication providers, such as Active Directory
and LDAP, it is important that the UIDs and GIDs from different providers that are
configured in the same access zone do not overlap. Overlapping UIDs and GIDs between
providers within an access zone might result in some users gaining access to other users'
directories and files.
The range of UIDs and GIDs that can be allocated for generated mappings is configurable
in each access zone through the isi auth settings mappings modify
command. The default range for both UIDs and GIDs is 10000002000000 in each
access zone.
Do not include commonly used UIDs and GIDs in your ID ranges. For example, UIDs and
GIDs below 1000 are reserved for system accounts and should not be assigned to users
or groups.

User mapping
User mapping provides a way to control permissions by specifying a user's security
identifiers, user identifiers, and group identifiers. OneFS uses the identifiers to check file
or group ownership.
With the user-mapping feature, you can apply rules to modify which user identity OneFS
uses, add supplemental user identities, and modify a user's group membership. The
user-mapping service combines a users identities from different directory services into a
single access token and then modifies it according to the rules that you create.
Note

You can configure mapping rules on a per-zone basis. Mapping rules must be configured
separately in each access zone that uses them. OneFS maps users only during login or
protocol access.

Default user mappings

Default user mappings determine access if explicit user-mapping rules are not created.
If you do not configure rules, a user who authenticates with one directory service receives
the identity information in other directory services when the account names are the same.
For example, a user who authenticates with an Active Directory domain as Desktop\jane
automatically receives identities in the final access token for the corresponding UNIX user
account for jane from LDAP or NIS.
In the most common scenario, OneFS is connected to two directory services, Active
Directory and LDAP. In such a case, the default mapping provides a user with the
following identity attributes:
l

A UID from LDAP

The user SID from Active Directory

An SID from the default group in Active Directory

The user's groups come from Active Directory and LDAP, with the LDAP groups and the
autogenerated group GID added to the list. To pull groups from LDAP, the mapping
service queries the memberUid attribute. The users home directory, gecos, and shell
come from Active Directory.

326

OneFS 7.2.0 CLI Administration Guide

Identity management

Elements of user-mapping rules

You combine operators with user names to create a user-mapping rule.
The following elements affect how the user mapper applies a rule:
l

The operator, which determines the operation that a rule performs

Fields for usernames

Options

A parameter

Wildcards

User-mapping best practices

You can follow best practices to simplify user mapping.
Use Active Directory with RFC 2307 and Windows Services for UNIX
Use Microsoft Active Directory with Windows Services for UNIX and RFC 2307
attributes to manage Linux, UNIX, and Windows systems. Integrating UNIX and Linux
systems with Active Directory centralizes identity management and eases
interoperability, reducing the need for user-mapping rules. Make sure your domain
controllers are running Windows Server 2003 or later.
Employ a consistent username strategy
The simplest configurations name users consistently, so that each UNIX user
corresponds to a similarly named Windows user. Such a convention allows rules
with wildcard characters to match names and map them without explicitly specifying
each pair of accounts.
Do not use overlapping ID ranges
In networks with multiple identity sources, such as LDAP and Active Directory with
RFC 2307 attributes, you should ensure that UID and GID ranges do not overlap. It is
also important that the range from which OneFS automatically allocates UIDs and
GIDs does not overlap with any other ID range. OneFS automatically allocates UIDs
and GIDs from the range 1,000,000-2,000,000. If UIDs and GIDs overlap multiple
directory services, some users might gain access to other users directories and files.
Avoid common UIDs and GIDs
Do not include commonly used UIDs and GIDs in your ID ranges. For example, UIDs
and GIDs below 1000 are reserved for system accounts; do not assign them to users
or groups.
Do not use UPNs in mapping rules
You cannot use a user principal name (UPN) in a user mapping rule. A UPN is an
Active Directory domain and username that are combined into an Internet-style
name with an @ symbol, such as an email address: jane@example. If you include a
UPN in a rule, the mapping service ignores it and may return an error. Instead,
specify names in the format DOMAIN\user.com.

User mapping

327

Identity management

Group rules by type and order them

The system processes every mapping rule by default, which can present problems
when you apply a deny-all rulefor example, to deny access to all unknown users. In
addition, replacement rules might interact with rules that contain wildcard
characters. To minimize complexity, it is recommended that you group rules by type
and organize them in the following order:
1. Replacement rules: Specify all rules that replace an identity first to ensure that
OneFS replaces all instances of the identity.
2. Join, add, and insert rules: After the names are set by any replacement
operations, specify join, add, and insert rules to add extra identifiers.
3. Allow and deny rules: Specify rules that allow or deny access last.
Note

Stop all processing before applying a default deny rule. To do so, create a rule
that matches allowed users but does nothing, such as an add operator with no
field options, and has the break option. After enumerating the allowed users,
you can place a catchall deny at the end to replace anybody unmatched with an
empty user.
To prevent explicit rules from being skipped, in each group of rules, order explicit
rules before rules that contain wildcard characters.
Add the LDAP or NIS primary group to the supplemental groups
When an Isilon cluster is connected to Active Directory and LDAP, a best practice is
to add the LDAP primary group to the list of supplemental groups. This lets OneFS
honor group permissions on files created over NFS or migrated from other UNIX
storage systems. The same practice is advised when an Isilon cluster is connected to
both Active Directory and NIS.

On-disk identity
After the user mapper resolves a user's identities, OneFS determines an authoritative
identifier for it, which is the preferred on-disk identity.
OnesFS stores either UNIX or Windows identities in file metadata on disk. On-disk identity
types are UNIX, SID, and native. Identities are set when a file is created or a file's access
control data is modified. Almost all protocols require some level of mapping to operate
correctly, so choosing the preferred identity to store on disk is important. You can
configure OneFS to store either the UNIX or the Windows identity, or you can allow OneFS
to determine the optimal identity to store.
On-disk identity types are UNIX, SID, and native. Although you can change the type of ondisk identity, the native identity is best for a network with UNIX and Windows systems. In
native on-disk identity mode, setting the UID as the on-disk identity improves NFS
performance.
Note

The SID on-disk identity is for a homogeneous network of Windows systems managed
only with Active Directory. When you upgrade from a version earlier than OneFS 6.5, the
on-disk identity is set to UNIX. When you upgrade from OneFS 6.5 or later, the on-disk
identity setting is preserved. On new installations, the on-disk identity is set to native.
The native on-disk identity type allows the OneFS authentication daemon to select the
correct identity to store on disk by checking for the identity mapping types in the
following order:
328

OneFS 7.2.0 CLI Administration Guide

Identity management

Order Mapping
type

Description

Algorithmic
mapping

An SID that matches S-1-22-1-UID or S-1-22-2-GID in the internal ID

mapping database is converted back to the corresponding UNIX identity,
and the UID and GID are set as the on-disk identity.

External
mapping

A user with an explicit UID and GID defined in a directory service (such as
Active Directory with RFC 2307 attributes, LDAP, NIS, or the OneFS file
provider or local provider) has the UNIX identity set as the on-disk
identity.

Persistent
mapping

Mappings are stored persistently in the identity mapper database. An

identity with a persistent mapping in the identity mapper database uses
the destination of that mapping as the on-disk identity, which occurs
primarily with manual ID mappings. For example, if there is an ID
mapping of GID:10000 to S-1-5-32-545, a request for the on-disk storage
of GID:10000 returns S-1-5-32-545.

No mapping

If a user lacks a UID or GID even after querying the other directory
services and identity databases, its SID is set as the on-disk identity. In
addition, to make sure a user can access files over NFS, OneFS allocates
a UID and GID from a preset range of 1,000,000 to 2,000,000. In native
on-disk identity mode, a UID or GID that OneFS generates is never set as
the on-disk identity.

Note

If you change the on-disk identity type, you should run the PermissionRepair job in
convert mode to make sure that the disk representation of all files is consistent with the
changed setting.

Managing ID mappings
You can create, modify, and delete identity mappings and configure ID mapping settings.

Create an identity mapping

You can create a manual identity mapping between source and target identities or
automatically generate a mapping for a source identity.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping create command.
The following command specifies IDs of source and target identities in the zone3
access zone to create a two-way mapping between the identities:
isi auth mapping create --2way --source-sid=S-1-5-21-12345 \
--target-uid=5211 --zone=zone3

Managing ID mappings

329

Identity management

Modify an identity mapping

You can modify the configuration of an identity mapping.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping modify command.
The following command modifies the mapping of the user with UID 4236 in the zone3
access zone to include a reverse, 2-way mapping between the source and target
identities:
isi auth mapping modify --source-uid=4236 \
--target-sid=S-1-5-21-12345 --zone=zone3 --2way

Delete an identity mapping

You can delete one or more identity mappings.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping delete command.
The following command deletes all identity mappings in the zone3 access zone:
isi auth mapping delete --all --zone=zone3

The following command deletes all identity mappings in the zone3 access zone that
were both created automatically and include a UID or GID from an external
authentication source:
isi auth mapping delete --all --only-external --zone=zone3

The following command deletes the identity mapping of the user with UID 4236 in the
zone3 access zone:
isi auth mapping delete --source-uid=4236 --zone=zone3

View an identity mapping

You can display mapping information for a specific identity.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping view command.
The following command displays mappings for the user with UID 4236 in the zone3
access zone:
isi auth mapping view --uid=4236 --zone=zone3

330

OneFS 7.2.0 CLI Administration Guide

Identity management

The system displays output similar to the following example:

Name: user_36
On-disk: UID: 4236
Unix uid: 4236
Unix gid: -100000
SMB: S-1-22-1-4236

Flush the identity mapping cache

You can flush the ID map cache to remove in-memory copies of all or specific identity
mappings.
Modifications to ID mappings may cause the cache to become out-of-sync and users
might experience slowness or stalls when authenticating. You can flush the cache to
synchronize the mappings.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping flush command.
The following command flushes all identity mappings on the EMC Isilon cluster:
isi auth mapping flush --all

The following command flushes the mapping of the user with UID 4236 in the zone3
access zone:
isi auth mapping flush --source-uid-4236 --zone=zone3

View a user token

You can view the contents of an access token generated for a user during authentication.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth mapping token command.
The following command displays the access token of a user with UID 4236 in the
zone3 access zone:
isi auth mapping token --uid=4236 --zone=zone3

The system displays output similar to the following example:

User
Name: user_36
UID: 4236
SID: S-1-22-1-4236
On Disk: 4236
ZID: 3
Zone: zone3
Privileges: Primary Group
Name: user_36
GID: 4236

Flush the identity mapping cache

331

Identity management

SID: S-1-22-2-4236
On Disk: 4236

Configure identity mapping settings

You can enable or disable automatic allocation of UIDs and GIDS and customize the
range of ID values in each access zone. The default range is 10000002000000.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth settings mapping modify command.
The following command enables automatic allocation of both UIDs and GIDs in the
zone3 access zone and sets their allocation ranges to 2500050000:
isi auth settings mapping modify --gid-range-enabled=yes \
--gid-range-min=25000 --gid-range-max=50000 --uid-rangeenabled=yes \
--uid-range-min=25000 --uid-range-max=50000 --zone=zone3

View identity mapping settings

You can view the current configuration of identity mapping settings in each zone.
This procedure is available only through the command-line interface.
Procedure
1. Open a secure shell (SSH) connection to any node in the cluster and log in.
2. Run the isi auth settings mapping view command.
The following command displays the current settings in the zone3 access zone:
isi auth settings mapping view --zone=zone3

The system displays output similar to the following example:

GID Range Enabled:
GID Range Min:
GID Range Max:
UID Range Enabled:
UID Range Min:
UID Range Max:

Yes
25000
50000
Yes
25000
50000

Managing user identities

You can manage user identities by creating user-mapping rules.
When you create user-mapping rules, it is important to remember the following
information:

332

You can only create user-mapping rules if you are connected to the EMC Isilon cluster
through the System zone; however, you can apply user-mapping rules to specific
access zones. If you create a user-mapping rule for a specific access zone, the rule
applies only in the context of its zone.

When you change user-mapping on one node, OneFS propagates the change to the
other nodes.

OneFS 7.2.0 CLI Administration Guide

Identity management

After you make a user-mapping change, the OneFS authentication service reloads the
configuration.

View user identity

You can view the identities and group membership that a specified user has within the
Active Directory and LDAP directory services.
This procedure must be performed through the command-line interface (CLI).
Note

The OneFS user access token contains a combination of identities from Active Directory
and LDAP if both directory services are configured. You can run the following commands
to discover the identities that are within each specific directory service.
Procedure
1. Establish an SSH connection to any node in the cluster.
2. View a user identity from Active Directory only by running the isi auth users
view command.
The following command displays the identity of a user named stand in the Active
Directory domain named YORK:
isi auth users view --user=YORK\\stand --show-groups

The system displays output similar to the following example:

Name: YORK\stand
DN:
CN=stand,CN=Users,DC=york,DC=hull,DC=example,DC=com
DNS Domain: york.hull.example.com
Domain: YORK
Provider: lsa-activedirectory-provider:YORK.HULL.EXAMPLE.COM
Sam Account Name: stand
UID: 4326
SID: S-1-5-21-1195855716-1269722693-1240286574-591111
Primary Group
ID : GID:1000000
Name : YORK\york_sh_udg
Additional Groups: YORK\sd-york space group
YORK\york_sh_udg
YORK\sd-york-group
YORK\sd-group
YORK\domain users

3. Vew a user identity from LDAP only by running the isi auth users view
command.
The following command displays the identity of an LDAP user named stand:
isi auth user view --user=stand --show-groups

The system displays output similar to the following example:

Name: stand
DN:
uid=stand,ou=People,dc=colorado4,dc=hull,dc=example,dc=com
DNS Domain: Domain: LDAP_USERS
Provider: lsa-ldap-provider:Unix LDAP
Sam Account Name: stand
View user identity

333

Identity management

UID: 4326
SID: S-1-22-1-4326
Primary Group
ID : GID:7222
Name : stand
Additional Groups: stand
sd-group
sd-group2

Create a user-mapping rule

You can create user-mapping rules to manage user identities on the cluster.
You can create the first mapping rule with the --user-mapping-rules option for the
isi zone zones modify System command. If you try to add a second rule with the
command above, however, it replaces the existing rule rather than adding the new rule to
the list of rules. To add more rules to the list of rules, you must use the --add-usermapping-rules option with the isi zone zones modify System command.
Note

If you do not specify an access zone, user-mapping rules are created in the System zone.
Procedure
1. To create a rule to merge the Active Directory user with a user from LDAP, run the
following command, where <user-a> and <user-b> are placeholders for the identities to
be merged; for example, user_9440 and lduser_010, respectively:
isi zone zones modify System --add-user-mapping-rules \
"<DOMAIN> <user-a> &= <user-b>"

Run the following command to view the rule:

isi zone zones view System

If the command runs successfully, the system displays the mapping rule, which is
visible in the User Mapping Rules line of the output:
Name:
Cache Size:
Map Untrusted:
SMB Shares:
Auth Providers:
Local Provider:
NetBIOS Name:
All SMB Shares:
All Auth Providers:
User Mapping Rules:
Home Directory Umask:
Skeleton Directory:
Zone ID:

System
4.77M
Yes
Yes
Yes
<DOMAIN>\<user_a> &= <user_b>
0077
/usr/share/skel
1

2. To verify the changes to the token, run a command similar to the following example:
isi auth mapping token <DOMAIN>\\<user-a>

If the command runs successfully, the system displays output similar to the following
example:
User

Name : <DOMAIN>\<user-a>

334

OneFS 7.2.0 CLI Administration Guide

Identity management

UID : 1000201
SID : S-1-5-21-1195855716-1269722693-1240286574-11547
ZID: 1
Zone: System
Privileges: Primary Group
Name : <DOMAIN>\domain users
GID : 1000000
SID : S-1-5-21-1195855716-1269722693-1240286574-513
Supplemental Identities
Name : Users
GID : 1545
SID : S-1-5-32-545
Name : lduser_010
UID : 10010
SID : S-1-22-1-10010
Name : example
GID : 10000
SID : S-1-22-2-10000
Name : ldgroup_20user
GID : 10026
SID : S-1-22-2-10026

Merge Windows and UNIX tokens

You can use either the join or append operator to merge two user names into a single
token.
When Windows and UNIX user names do not match across directory services, you can
write user-mapping rules that use either the join or the append operator to merge two
user names into a single token. For example, if a user's Windows username is win_bob
and the users UNIX username is UNIX_bob, you can join or append them.
When you append an account to another account, the append operator adds information
from one identity to another. OneFS appends the fields that the options specify from the
source identity to the target identity. OneFS appends the identifiers to the additional
group list.
Procedure
1. Establish an SSH connection to any node in the cluster.
2. Write a rule similar to the following example to join the Windows and UNIX user
names, where <win-username> and <UNIX-username> are placeholders for the user's
Windows and UNIX accounts:
MYDOMAIN\<win-username> &= <UNIX-username> []

3. Write a rule similar to the following example to append the UNIX account to the
Windows account with the groups option:
MYDOMAIN\<win-username> ++ <UNIX-username> [groups]

Retrieve the primary group from LDAP

You can create a user-mapping rule to insert or append primary group information from
LDAP into a user's access token.
By default, the user-mapping service combines information from AD and LDAP but gives
precedence to the information from AD. Mapping rules control how OneFS combines the
information. You can retrieve the primary group information from LDAP instead of AD.
Merge Windows and UNIX tokens

335

Identity management

Procedure
1. Establish an SSH connection to any node in the cluster.
2. Write a rule similar to the following example to insert information from LDAP into a
user's access token:
*\* += * [group]

3. Write a rule similar to the following example to append other information from LDAP to
a user's access token:
*\* ++ * [user,groups]

Mapping rule options

Mapping rules can contain options that target the fields of an access token.
A field represents an aspect of a cross-domain access token, such as the primary UID and
primary user SID from a user that you select. You can see some of the fields in the OneFS
web administration interface. User in the web administration interface is the same as
username. You can also see fields in an access token by running the command isi
auth mapping token.
When you create a rule, you can add an option to manipulate how OneFS combines
aspects of two identities into a single token. For example, an option can force OneFS to
append the supplement groups to a token.
A token includes the following fields that you can manipulate with user mapping rules:
l

username

unix_name

primary_uid

primary_user_sid

primary_gid

primary_group_sid

additional_ids (includes supplemental groups)

Options control how a rule combines identity information in a token. The break option is
the exception: It stops OneFS from processing additional rules.
Although several options can apply to a rule, not all options apply to all operators. The
following table describes the effect of each option and the operators that they work with.

336

Option

Operator

Description

user

insert, append

Copies the primary UID and primary user SID, if they exist, to the
token.

groups

insert, append

Copies the primary GID and primary group SID, if they exist, to the
token.

groups

insert, append

Copies all the additional identifiers to the token. The additional

identifiers exclude the primary UID, the primary GID, the primary
user SID, and the primary group SID.

OneFS 7.2.0 CLI Administration Guide

Identity management

Option

Operator

Description

default_user all operators

except remove
groups

If the mapping service fails to find the second user in a rule, the
service tries to find the username of the default user. The name
of the default user cannot include wildcards. When you set the
option for the default user in a rule with the command-line
interface, you must set it with an underscore: default_user.

break

Stops the mapping service from applying rules that follow the
insertion point of the break option. The mapping service
generates the final token at the point of the break.

all operators

Mapping rule operators

The operator determines what a mapping rule does.
You can create user-mapping rules through either the web-administration interface,
where the operators are spelled out in a list, or from the command-line interface.
When you create a mapping rule with the OneFS command-line interface (CLI), you must
specify an operator with a symbol. The operator affects the direction in which the
mapping service processes a rule. For more information about creating a mapping rule,
see the white paper Managing identities with the Isilon OneFS user mapping service. The
following table describes the operators that you can use in a mapping rule.
A mapping rule can contain only one operator.
Operator

Web interface

CLI Direction

Description

append

Append fields
from a user

++

Left-to-right

Modifies an access token by adding fields to

it. The mapping service appends the fields
that are specified in the list of options (user,
group, groups) to the first identity in the
rule. The fields are copied from the second
identity in the rule. All appended identifiers
become members of the additional groups
list. An append rule without an option
performs only a lookup operation; you must
include an option to alter a token.

insert

Insert fields
from a user

+=

Left-to-right

Modifies an existing access token by adding

fields to it. Fields specified in the options
list (user, group, groups) are copied from
the new identity and inserted into the
identity in the token. When the rule inserts a
primary user or primary group, it become the
new primary user and primary group in the
token. The previous primary user and
primary group move to the additional
identifiers list. Modifying the primary user
leaves the tokens username unchanged.
When inserting the additional groups from
an identity, the service adds the new groups
to the existing groups.

replace

Replace one
user with a
different user

=>

Left-to-right

Removes the token and replaces it with the

new token that is identified by the second
username. If the second username is empty,
Mapping rule operators

337

Identity management

Operator

Web interface

CLI Direction

Description
the mapping service removes the first
username in the token, leaving no
username. If a token contains no username,
OneFS denies access with a no such

user error.

338

remove
groups

Remove
supplemental
groups from a
user

--

join

Join two users

together

&= Bidirectional Inserts the new identity into the token. If the
new identity is the second user, the
mapping service inserts it after the existing
identity; otherwise, the service inserts it
before the existing identity. The location of
the insertion point is relevant when the
existing identity is already the first in the list
because OneFS uses the first identity to
determine the ownership of new file system
objects.

OneFS 7.2.0 CLI Administration Guide

Unary

Modifies a token by removing the

supplemental groups.

CHAPTER 8
Auditing

This section contains the following topics:

l
l
l
l
l
l
l
l

Auditing overview................................................................................................340
Syslog................................................................................................................. 340
Protocol audit events.......................................................................................... 341
Supported event types........................................................................................ 343
Supported audit tools......................................................................................... 343
Managing audit settings......................................................................................344
Integrating with the EMC Common Event Enabler.................................................347
Auditing commands............................................................................................ 349

Auditing

339

Auditing

Auditing overview
You can audit system configuration changes and SMB and NFS protocol activity on an
EMC Isilon cluster. All audit data is stored and protected in the cluster file system and
organized by audit topics.
When you enable system configuration auditing, no additional configuration is required;
all configuration events that are handled by the application programming interface (API)
through the command-line interface (CLI) are tracked and recorded in the config audit
topic directories.
Auditing can detect many potential sources of data loss, including fraudulent activities,
inappropriate entitlements, and unauthorized access attempts. Customers in industries
such as financial services, health care, life sciences, and media and entertainment, as
well as in governmental agencies, must meet stringent regulatory requirements
developed to protect against these sources of data loss.
You can enable and configure protocol auditing for one or more access zones in a cluster.
If you enable protocol auditing for an access zone, file-access events through the SMB
and NFS protocol are recorded in the protocol audit topic directories. The protocol
audit log file is consumable by auditing applications that support the EMC Common Event
Enabler (CEE). You can specify which events to log in each access zone. For example, you
might want to audit the default set of protocol events in the System access zone but
audit only successful attempts to delete files in a different access zone.
The audit events are logged on the individual nodes where the SMB or NFS client initiated
the activity. The events are then stored in a binary file under /ifs/.ifsvar/audit/
logs. The logs automatically roll over to a new file after the size reaches 1 GB.

Syslog
Syslog is a protocol that is used to convey certain event notification messages. The root
user can configure an Isilon cluster to log audit events and forward them to syslog by
using the syslog forwarder.
By default, all protocol events that occur on a particular node are forwarded to
the /var/log/audit_protocol.log file, regardless of the access zone the event
originated from.
Syslog is configured with an identity of audit_protocol, a facility of syslog, and a
priority level of info.

Enable syslog
By default, audit event forwarding to syslog is not enabled when auditing is enabled. To
enable this feature, you must configure audit syslog settings through the command line
interface for zones.
Before you begin
Note

To enable audit event forwarding, you must configure audit syslog settings for each
access zone. This procedure is available only through the command-line interface (CLI).

340

OneFS 7.2.0 CLI Administration Guide

Auditing

Procedure
1. Open a Secure Shell (SSH) connection to any node in the cluster and log in.
2. Run the isi zone zones modify command with the --syslog-forwardingenabled option to enable or disable audit syslog.
The following command enables audit syslog for an access zone named UserZone:
isi zone zones modify UserZone --syslog-forwarding-enabled=yes

The following command disables audit syslog for the UserZone access zone:
isi zone zones modify UserZone --syslog-forwarding-enabled=no

3. To view the audit settings, run the following command:

isi audit settings view

4. To view the audit configuration settings, run the following command:

isi zone zones view <zone>

Note

The syslog forwarder forwards only the zone's audit events to syslog that are set by
the --syslog-audit-events parameter. This parameter is set to a list of commaseparated audit event types or "all" to set all the audit events. Only audit events that
are defined by running the isi zone zones modify command with the -audit-success and --audit-failure options are eligible for forwarding to
syslog.

Syslog forwarding
The syslog forwarder is a daemon that, when enabled, retrieves configuration changes
and protocol audit events in an access zone and forwards the events to syslog. Only userdefined audit success and failure events are eligible for being forwarded to syslog.
On each node there is an audit syslog forwarder daemon running that will log audit
events to the same node's syslog daemon.

Protocol audit events

By default, audited access zones track only certain events on the EMC Isilon cluster,
including successful and failed attempts to access files and directories.
The default tracked events are create, close, delete, rename, and set_security.
The names of generated events are loosely based on the Windows I/O request packet
(IRP) model in which all operations begin with a create event to obtain a file handle. A
create event is required before all I/O operations, including the following: close, create,
delete, get_security, read, rename, set_security, and write. A close event marks when the
client is finished with the file handle that was produced by a create event.
These internally stored events are translated to events that are forwarded through CEE to
the auditing application. The CEE export facilities on OneFS perform this mapping. CEE
can be used to connect to any third party application that supports CEE.
Different SMB and NFS clients issue different requests, and one particular version of a
platform such as Windows or Mac OS X using SMB might differ from another. Similarly,
Syslog forwarding

341

Auditing

different versions of an application such as Microsoft Word or Windows Explorer might

make different protocol requests. For example, a client with a Windows Explorer window
open might generate many events if an automatic or manual refresh of that window
occurs. Applications issue requests with the logged-in user's credentials, but you should
not assume that all requests are purposeful user actions.
When enabled, OneFS audit will track all changes that are made to the files and
directories in SMB shares and NFS exports.

Sample config audit log

You can view both configuration audit and protocol audit logs by running the
isi_audit_viewer command on any node in the Isilon cluster.
The isi_audit_viewer -t config command produces output similar to the
following example:
[0: Fri Jan 23 16:17:03 2015] {"id":"524e0928a35e-11e4-9d0c-005056302134","timestamp":
1422058623106323,"payload":"PAPI config logging started."}
[1: Fri Jan 23 16:17:03 2015] {"id":"5249b99da35e-11e4-9d0c-005056302134","timestamp":1422058623112992,"payload":
{"user":{"token": {"UID":0, "GID":0, "SID": "SID:S-1-22-1-0", "GSID":
"SID:S-1-22-2-0", "GROUPS": ["SID:S-1-5-11", "GID:5", "GID:20", "GID:
70", "GID:10"], "protocol": 17, "zone id": 1, "client":
"10.7.220.97", "local": "10.7.177.176" }},"uri":"/1/protocols/smb/
shares","method":"POST","args":"","body":{"path": "/ifs/data",
"name": "Test"}}}
[2: Fri Jan 23 16:17:05 2015] {"id":"5249b99da35e-11e4-9d0c-005056302134","timestamp":1422058625144567,"payload":
{"status":201,"statusmsg":"Created","body":{"id":"Test"}}}
[3: Fri Jan 23 16:17:39 2015] {"id":"67e7ca62a35e-11e4-9d0c-005056302134","timestamp":1422058659345539,"payload":
{"user":{"token": {"UID":0, "GID":0, "SID": "SID:S-1-22-1-0", "GSID":
"SID:S-1-22-2-0", "GROUPS": ["SID:S-1-5-11", "GID:5", "GID:20", "GID:
70", "GID:10"], "protocol": 17, "zone id": 1, "client":
"10.7.220.97", "local": "10.7.177.176" }},"uri":"/1/audit/
settings","method":"PUT","args":"","body":{"config_syslog_enabled":
true}}}
[4: Fri Jan 23 16:17:39 2015] {"id":"67e7ca62a35e-11e4-9d0c-005056302134","timestamp":1422058659387928,"payload":
{"status":204,"statusmsg":"No Content","body":{}}}

Events come in pairs; a pre event is logged before the command is carried out and a post
event is logged after the event is triggered. These events can be correlated by matching
the id field. In the above logs, events 1 and 2 are paired, and events 3 and 4 are paired.
The pre event always comes first, and contains user token information, the PAPI path,
and whatever arguments were passed to the PAPI call. In event 1, a POST request was
made to /1/protocols/smb/shares with arguments path=/ifs/data and
name=Test. The post event contains the HTTP return status and any output returned
from the server.

342

OneFS 7.2.0 CLI Administration Guide

Auditing

Supported event types

You can view or modify the event types that are audited in an access zone.
For the most current list of supported auditing tools, see the Isilon Third-Party Software &
Hardware Compatibility Guide.
The following event types are configured by default on each audited access zone:
Event name Example protocol activity
create

close

Create a file or directory

Open a file, directory, or share

Mount a share

Delete a file

Close a directory

Close a modified or unmodified file

rename

Rename a file or directory

delete

Delete a file or directory

set_security

Attempt to modify file or directory permissions

The following event types are available for exporting through CEE:
Event name Example protocol activity
read

The first read request on an open file handle

write

The first write request on an open file handle

close

The client is finished with an open file handle

get_security

The client reads security information for an open file handle

The following protocol audit events can not be exported through CEE:
Event name Example protocol activity
logon

SMB session create request by a client

logoff

SMB session logoff

tree_connect SMB first attempt to access a share

Supported audit tools

You can configure OneFS to send protocol auditing logs to servers that support the EMC
Common Event Enabler (CEE).
CEE has been tested and verified to work on several third-party software vendors. For the
most current list of supported auditing tools, see the Isilon Third-Party Software &
Hardware Compatibility Guide.

Supported event types

343

Auditing

Note

We recommend that you install and configure third-party auditing applications before you
enable the OneFS auditing feature. Otherwise, the large backlog consumed by this
feature may cause results to not be updated for a considerable amount of time.

Managing audit settings

You can enable and disable system configuration and protocol access audit settings, in
addition to configuring integration with the EMC Common Event Enabler.

Enable system configuration auditing

OneFS can audit system configuration events on your Isilon cluster. When you enable or
disable system configuration auditing, no additional configuration is required. If you
enable configuration auditing, all configuration events that are handled by the platform
API including writes, modifications, and deletions are tracked and recorded in the config
audit topic directories.
To start collecting auditing information, enable configuration change auditing in either
the OneFS web administration interface or the OneFS command-line interface (CLI).
After being enabled, the audit function will track all configuration changes made over the
WebUI or CLI, including the date and time the change occurred, what user made the
change, and what the change was.
Configuration events are logged to /var/log/audit_config.log. Configuration
events are not forwarded to the Common Event Enabler (CEE).
You can generate a config log by enabling configuration change auditing and making a
modification to the cluster via PAPI. Configuration change logs are populated in the
config topic in the audit back-end store under /ifs/.ifsvar/audit.
Procedure
1. Run the isi audit settings modify command.
The following command enables system configuration auditing on the cluster:
isi audit settings modify --config-auditing-enabled=yes

Sample config audit log

You can view both configuration audit and protocol audit logs by running the
isi_audit_viewer command on any node in the Isilon cluster.
The isi_audit_viewer -t config command produces output similar to the
following example:
[0: Fri Jan 23 16:17:03 2015] {"id":"524e0928a35e-11e4-9d0c-005056302134","timestamp":
1422058623106323,"payload":"PAPI config logging started."}
[1: Fri Jan 23 16:17:03 2015] {"id":"5249b99da35e-11e4-9d0c-005056302134","timestamp":1422058623112992,"payload":
{"user":{"token": {"UID":0, "GID":0, "SID": "SID:S-1-22-1-0", "GSID":
"SID:S-1-22-2-0", "GROUPS": ["SID:S-1-5-11", "GID:5", "GID:20", "GID:
70", "GID:10"], "protocol": 17, "zone id": 1, "client":

344

OneFS 7.2.0 CLI Administration Guide

Auditing

"10.7.220.97", "local": "10.7.177.176" }},"uri":"/1/protocols/smb/

shares","method":"POST","args":"","body":{"path": "/ifs/data",
"name": "Test"}}}
[2: Fri Jan 23 16:17:05 2015] {"id":"5249b99da35e-11e4-9d0c-005056302134","timestamp":1422058625144567,"payload":
{"status":201,"statusmsg":"Created","body":{"id":"Test"}}}
[3: Fri Jan 23 16:17:39 2015] {"id":"67e7ca62a35e-11e4-9d0c-005056302134","timestamp":1422058659345539,"payload":
{"user":{"token": {"UID":0, "GID":0, "SID": "SID:S-1-22-1-0", "GSID":
"SID:S-1-22-2-0", "GROUPS": ["SID:S-1-5-11", "GID:5", "GID:20", "GID:
70", "GID:10"], "protocol": 17, "zone id": 1, "client":
"10.7.220.97", "local": "10.7.177.176" }},"uri":"/1/audit/
settings","method":"PUT","args":"","body":{"config_syslog_enabled":
true}}}
[4: Fri Jan 23 16:17:39 2015] {"id":"67e7ca62a35e-11e4-9d0c-005056302134","timestamp":1422058659387928,"payload":
{"status":204,"statusmsg":"No Content","body":{}}}

Events come in pairs; a pre event is logged before the command is carried out and a post
event is logged after the event is triggered. These events can be correlated by matching
the id field. In the above logs, events 1 and 2 are paired, and events 3 and 4 are paired.
The pre event always comes first, and contains user token information, the PAPI path,
and whatever arguments were passed to the PAPI call. In event 1, a POST request was
made to /1/protocols/smb/shares with arguments path=/ifs/data and
name=Test. The post event contains the HTTP return status and any output returned
from the server.

Enable protocol access auditing

You can audit SMB and NFS protocol access to generate events on a per-access zone
basis and forward the events to the EMC Common Event Enabler (CEE) for export to thirdparty products.
The following protocol events are collected for audited access zones by default: create,
delete, rename, and set_security. You can modify the set of events that are audited in an
access zone by running the isi zone zones modify command.
Note

Because each audited event consumes system resources, we recommend that you only
configure zones for events that are needed by your auditing application. In addition, we
recommend that you install and configure third-party auditing applications before you
enable the OneFS auditing feature. Otherwise, the large backlog performed by this
feature may cause results to not be updated for a considerable amount of time.
Additionally, you can manually configure the time that you want audit events to be
forwarded by running the isi audit settings modify --cee log-time
command.
Procedure
1. Run the isi audit settings modify command.

Enable protocol access auditing

345

Auditing

The following command enables SMB and NFS protocol access auditing in the System
access zone, and forwards logged events to a CEE server:
isi audit settings modify --protocol-auditing-enabled=yes \
--cee-server-uris=http://sample.com:12228/cee \
--hostname=cluster.domain.com --audited-zones=System

Protocol events are written to the /var/log/audit_protocol.log file. After the

auditing event has been logged, a CEE forwarder service handles forwarding the event
to CEE. The event is forwarded through an HTTP PUT operation. At this point, CEE will
forward the audit event to a defined endpoint.

Auditing settings
Basic settings for audit configuration are available through the isi audit settings
modify command. When you audit protocol events for an access zone, a default set of
audit events are logged. You can modify the list of audit events to log by running the isi
zone zones modify <zone> command, where <zone> is the name of an audited access
zonefor example, the System zone.
Options
--protocol-auditing-enabled {yes | no}
Enables or disables the auditing of I/O events.
--audited-zones <zones>
Specifies one or more access zones, separated by commas, that will be audited if
protocol auditing is enabled. This option overwrites all entries in the list of access
zones; to add or remove access zones without affecting current entries, use --addaudited-zones or --remove-audited-zones.
--clear-audited-zones
Clears the list of access zones to audit.
--add-audited-zones <zones>
Adds one or more access zones, separated by commas, to the list of zones that will
be audited if protocol auditing is enabled.
--remove-audited-zones <zones>
Removes one or more access zones, separated by commas, which will be audited if
protocol auditing is enabled.
--cee-server-uris <uris>
Specifies one or more CEE server URIs, separated by commas, where audit logs will
be forwarded if protocol auditing is enabled. This option overwrites all entries in the
list of CEE server URIs. To add or remove URIs without affecting current entries, use
--add-cee-server-uris or --remove-cee-server-uris.
--clear-cee-server-uris
Clears the list of CEE server URIs to which audit logs are forwarded.
--add-cee-server-uris <uris>
Adds one or more CEE server URIs, separated by commas, where audit logs are
forwarded if protocol auditing is enabled.
--remove-cee-server-uris <uris>
Removes one or more CEE server URIs, separated by commas, from the list of URIs
where audit logs are forwarded if protocol auditing is enabled.
346

OneFS 7.2.0 CLI Administration Guide

Auditing

--cee-log-time <date>
Specifies a date after which the audit CEE forwarder will forward logs. To forward SMB
or NFS traffic logs, specify topic. Specify <date> in the following format:
[protocol]@<YYYY>-<MM>-<DD> <HH>:<MM>:<SS>

--syslog-log-time <date>
Specifies a date after which the audit syslog forwarder will forward logs. To forward
SMB or NFS traffic logs, specify topic. To forward configuration change logs, specify
config. Specify <date> in the following format:
[protocol|config]@<YYYY>-<MM>-<DD> <HH>:<MM>:<SS>

--hostname <string>
Specifies the hostname of this cluster for reporting protocol events to CEE servers.
This is typically the SmartConnect zone name. The hostname is used to construct the
UNC path of audited files and directoriesfor example, \\hostname\ifs\data
\file.txt.
--config-auditing-enabled {yes | no}
Enables or disables the auditing of requests to modify application programming
interface (API) configuration settings.
{--verbose | -v}
Displays the results of running the command.

Integrating with the EMC Common Event Enabler

OneFS integration with the EMC Common Event Enabler (CEE) enables third-party auditing
applications to collect and analyze SMB and NFS protocol auditing logs.
For the most current list of supported auditing tools, see the Isilon Third-Party Software &
Hardware Compatibility Guide.
OneFS supports the Common Event Publishing Agent (CEPA) component of CEE for
Windows. For integration with OneFS, you must install and configure CEE for Windows on
a supported Windows client.
Note

We recommend that you install and configure third-party auditing applications before you
enable the OneFS auditing feature. Otherwise, the large backlog performed by this
feature may cause results to not be updated for a considerable time.

Install CEE for Windows

To integrate CEE with OneFS, you must first install CEE on a computer that is running the
Windows operating system.
Before you begin
Be prepared to extract files from the .iso file, as described in the following steps. If you
are not familiar with the process, consider choosing one of the following methods:
1. Install WinRAR or another suitable archival program that can open .iso files as an
archive, and copy the files.
Integrating with the EMC Common Event Enabler

347

Auditing

2. Burn the image to a CD-ROM, and then copy the files.

3. Install SlySoft Virtual CloneDrive, which allows you to mount an ISO image as a drive
that you can copy files from.
Note

You should install a minimum of two servers. We recommend that you install CEE 6.6.0 or
later.
Procedure
1. Download the CEE framework software from EMC Online Support:
a. In a web browser, go to https://support.emc.com/search/.
b. In the search field, type Common Event Enabler for Windows, and then click
the Search icon.
c. Click Common Event Enabler <Version> for Windows, where <Version> is 6.2 or later,
and then follow the instructions to open or save the .iso file.
2. From the .iso file, extract the 32-bit or 64-bit EMC_CEE_Pack executable file that
you need.
After the extraction completes, the EMC Common Event Enabler installation wizard
opens.
3. Click Next to proceed to the License Agreement page.
4. Select the I accept... option to accept the terms of the license agreement, and then
click Next.
5. On the Customer Information page, type your user name and organization, select your
installation preference, and then click Next.
6. On the Setup Type page, select Complete, and then click Next.
7. Click Install to begin the installation.
The Installing EMC Common Event Enabler page displays the progress of the
installation. When the installation is complete, the InstallShield Wizard Completed
page appears.
8. Click Finish to exit the wizard.
9. Restart the system.

Configure CEE for Windows

After you install CEE for Windows on a client computer, you must configure additional
settings through the Windows Registry Editor (regedit.exe).
Procedure
1. Open the Windows Registry Editor.
2. Configure the following registry keys, if supported by your audit application:

348

Setting

Registry location

Key

Value

CEE HTTP
listen port

[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE
\Configuration]

HttpPort

12228

Enable
audit

[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP
\Audit\Configuration]

Enabled

OneFS 7.2.0 CLI Administration Guide

Auditing

Setting

Registry location

Key

Value

[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP
\Audit\Configuration]

EndPoint

<EndPoint>

remote
endpoints
Audit
remote
endpoints

Note
l

The HttpPort value must match the port in the CEE URIs that you specify during
OneFS protocol audit configuration.

The EndPoint value must be in the format <EndPoint_Name>@<IP_Address>. You can

specify multiple endpoints by separating each value with a semicolon (;).

The following key specifies a single remote endpoint:

[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration] EndPoint =
[email protected]

The following key specifies multiple remote endpoints:

[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration] EndPoint =
[email protected];[email protected]

3. Close the Windows Registry Editor.

Auditing commands
You can audit system configuration events and SMB and NFS protocol access events on
the EMC Isilon cluster. All audit data is stored in files called audit topics, which collect log
information that you can process further with auditing tools for Windows.

isi audit settings modify

Enables or disables auditing of system configuration changes and protocol access, and
configures additional protocol-auditing settings.
To enable auditing of system configuration changes, you must set the --configauditing-enabled option to yes. No other settings are available.
To enable auditing of protocol access, you must set the --protocol-auditingenabled option to yes, and you must also specify which access zones to audit by
setting the --audited-zones option.
Note

If you are integrating with a third-party auditing application, It is recommended that you
install and configure third-party auditing applications before you enable the OneFS
auditing feature. Otherwise, the large backlog performed by this feature may cause
results to not be updated for a considerable time.

Auditing commands

349

Auditing

Syntax
isi audit settings modify
[--protocol-auditing-enabled {yes | no} ]
[--audited-zones <zones> | --clear-audited-zones]
[--add-audited-zones <zones>]
[--remove-audited-zones <zones>]
[--cee-server-uris <uris> | --clear-cee-server-uris]
[--add-cee-server-uris <uris>]
[--remove-cee-server-uris <uris>]
[--hostname <string>]
[--config-auditing-enabled {yes | no}]
[--config-syslog-enabled {yes | no}]
[--verbose]

Options
--protocol-auditing-enabled {yes | no}
Enables or disables the auditing of data-access requests through the SMB and NFS
protocol.
--audited-zones <zones>
Specifies one or more access zones, separated by commas, which will be audited if
protocol auditing is enabled. This option overwrites all entries in the list of access
zones; to add or remove access zones without affecting current entries, use --addaudited-zones or --remove-audited-zones.
--clear-audited-zones
Clears the list of access zones to audit.
--add-audited-zones <zones>
Adds one or more access zones, separated by commas, to the list of zones that will
be audited if protocol auditing is enabled.
--remove-audited-zones <zones>
Removes one or more access zones, separated by commas, which will be audited if
protocol auditing is enabled.
--cee-server-uris <uris>
Specifies one or more CEE server URIs, separated by commas, where audit logs will
be forwarded if protocol auditing is enabled. The OneFS CEE export service uses
round robin load-balancing when exporting events to multiple CEE servers. This
option overwrites all entries in the list of CEE server URIs. To add or remove URIs
without affecting current entries, use --add-cee-server-uris or --removecee-server-uris.
--clear-cee-server-uris
Clears the list of CEE server URIs to which audit logs are forwarded.
--add-cee-server-uris <uris>
Adds one or more CEE server URIs, separated by commas, to the list of URIs where
audit logs are forwarded.
--remove-cee-server-uris <uris>
Removes one or more CEE server URIs, separated by commas, from the list of URIs
where audit logs are forwarded.
--cee-log-time <date>

350

OneFS 7.2.0 CLI Administration Guide

Auditing

Specifies a date after which the audit CEE forwarder will forward logs. To forward SMB
or NFS traffic logs, specify topic. Specify <date> in the following format:
[protocol]@<YYYY>-<MM>-<DD> <HH>:<MM>:<SS>

--syslog-log-time <date>
Specifies a date after which the audit syslog forwarder will forward logs. To forward
SMB or NFS traffic logs, specify topic. To forward configuration change logs, specify
config. Specify <date> in the following format:
[protocol|config]@<YYYY>-<MM>-<DD> <HH>:<MM>:<SS>

--hostname <string>
Specifies the name of the storage cluster to use when forwarding protocol events
typically, the SmartConnect zone name. When SmartConnect is not implemented, the
value must match the hostname of the cluster as your third-party audit application
recognizes it. If the field is left blank, events from each node are filled with the node
name (clustername + lnn). This setting is required only if needed by your third-party
audit application.
--config-auditing-enabled {yes | no}
Enables or disables the auditing of requests made through the API for system
configuration changes.
--config-syslog-enabled {yes | no}
Enables or disables the forwarding of system configuration changes to syslog.
{--verbose | -v}
Displays the results of running the command.
Note

OneFS collects the following protocol events for audited access zones by default:
create, close, delete, rename, and set_security. You can specify the
successful and failed events that are audited in an access zone by running the isi
zone zones modify command. Because each audited event consumes system
resources, you should only log events that are supported by your auditing application.

isi audit settings view

Displays audit configuration settings.
Syntax
isi audit settings view

Options
There are no options for this command.
Examples
To view current audit settings, run the following command:
isi audit settings view

isi audit settings view

351

Auditing

The system displays output similar to the following text:

Protocol Auditing Enabled: Yes
Audited Zones: System, zoneA
CEE Server URIs: http://example.com:12228/cee
Hostname: mycluster
Config Auditing Enabled: Yes
Config Syslog Enabled: Yes

isi audit topics list

Displays a list of configured audit topics, which are internal collections of audit data.
Syntax
isi audit topics list
[--limit <integer>]
[--format {table | json | csv | list}]
[--no-header]
[--no-footer]
[--verbose]

Options
{--limit | -l} <integer>
Displays no more than the specified number of items.
--format {table | json | csv | list}
Displays output in table (default), JavaScript Object Notation (JSON), commaseparated value (CSV), or list format.
{--no-header | -a}
Displays table and CSV output without headers.
{--no-footer | -z}
Displays table output without footers.
{--verbose | -v}
Displays more detailed information.

isi audit topics modify

Modifies the properties of an audit topic.
Syntax
isi audit topics modify <name>
[--max-cached-messages <integer>]
[--verbose]

Options
<name>

Specifies the name of the audit topic to modify. Valid values are protocol and
config.
--max-cached-messages <integer>

352

OneFS 7.2.0 CLI Administration Guide

Auditing

Specifies the maximum number of audit messages to cache before writing them to a
persistent store. The larger the number, the more efficiently audit events can be
processed. If you specify 0, each audit event is sent synchronously.
{--verbose | -v}
Displays the results of running the command.

isi audit topics view

Displays the properties of an audit topic.
Syntax
isi audit topics view <name>

Options
<name>

Specifies the name of the audit topic whose properties you want to view. Valid values
are protocol and config.

isi audit topics view

353

Auditing

354

OneFS 7.2.0 CLI Administration Guide

CHAPTER 9
File sharing

This section contains the following topics:

l
l
l
l
l

File sharing overview........................................................................................... 356

SMB.................................................................................................................... 358
NFS..................................................................................................................... 395
FTP...................................................................................................................... 444
HTTP and HTTPS.................................................................................................. 460

File sharing

355

File sharing<