Manual Chapter :
Namespace
Applies To:
Show VersionsARX
- 6.3.0
Character encoding is the mapping between binary numbers and written characters. Some character-encoding schemes use only a single byte for each character; these typically support alphabets without any Asian characters. Multi-byte encoding schemes encompass Asian character sets. Unicode (such as UTF-8) can also use more than one byte per character, and encompasses most character sets and languages. Use the character-encoding command to set the namespaces character encoding for NFS file names. Use no character-encoding to reset NFS file names back to the single-byte default. | |
utf-8 specifies UTF-8 (Unicode) character encoding. shift-jis specifies Shift_JIS (Japanese) character encoding. cp932 is Code Page 932, or Windows-31J (Japanese) character encoding. This is the Microsoft version of Shift_JIS. euc-jp specifies EUC-JP (Extended Unix Code - Japanese) character encoding. ksc5601 is KSC5601 (Korean) character encoding. iso-8859-1 is ISO 8859-1 (Latin1, single-byte) character encoding. | |
A multi-protocol (NFS and CIFS) namespace does not allow a CIFS client to name a file or directory with characters that are not supported by NFS character encoding. If NFS names support only single-byte characters, the namespace enforces the same restriction on CIFS names. During the initial import of multi-protocol shares, the volume uses the NFS-side name of each file (possibly a filer-generated name), and renames each directory so that it is valid in NFS. (You can use no import rename-directories to prevent directory renames on import.) We recommend UTF-8 character encoding for multi-protocol namespaces and the filers behind them. The no form of the command returns the namespace to default character encoding. If a single front-end nfs service has exports from more than one namespace, this setting must be the same for all of the exported namespaces. The export (gbl-nfs) command exports a namespace volume through NFS. | |
bstnA(gbl-ns[wwmed])# no character-encoding nfs | |
There are only a small set of photocopiers that require this access before they save files to the namespace. The F5 Data Solutions Compatibility Matrix (included with this doc set) lists all the photocopiers that are known to require this feature. The cifs anonymous-access command permits anonymous queries to the virtual IPC$ share, but does not permit scanners and photocopiers to actually save files to any of the namespaces volumes. As always, the scanner/copier must provide a valid Windows username and password to perform the file-save operation. If a single front-end cifs service has exports from more than one namespace, this setting must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) Therefore, if this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s). | |
provA(gbl-ns[provMed])# cifs anonymous-access bstnA(gbl-ns[insur])# no cifs anonymous-access | |
Use the cifs authentication command to enable an authentication protocol (Kerberos, NTLM, and/or NTLMv2) for the namespaces CIFS clients. Use no cifs authentication to disable a CIFS-authentication protocol for this namespace. | |
CIFS clients access namespace storage through a front-end CIFS service. If a single CIFS service has exports from more than one namespace, the authentication settings must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) Therefore, if this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s). | |
The namespaces front-end CIFS service must join a Windows domain to support Kerberos authentication. Use the domain-join command to enable Kerberos for a front-end cifs service. | |
The domain-join command can also enable a CIFS service for NTLM or NTLMv2. If you (or an authorized Domain Administrator) go to the domain controller (DC) and set up constrained delegation for the CIFS service, clients can authenticate with NTLM, NTLMv2, or Kerberos. No further configuration is required. In this case, the namespace software connects to its back-end filers with Kerberos, whether or not the client uses a variant of NTLM. | |
A CIFS service that is configured for unconstrained delegation, or is not even joined to its domain, requires more configuration to support NTLM or NTLMv2. For these configurations, you must install an application onto one or more DCs. This DC application, called the Secure Agent, enables the namespace to authenticate a client once and then access storage on multiple back-end filers. See the ARX Secure Agent Installation Guide for instructions on installing a Secure Agent onto a DC. Then you can use ntlm-auth-server and ntlm-auth-server (gbl-ns) to connect the namespace software to the Secure Agent application. | |
bstnA(gbl-ns[ns1])# cifs authentication kerberos bstnA(gbl-ns[ns1])# cifs authentication ntlmv2 bstnA(gbl-ns[insur])# no cifs authentication ntlm | |
Use the cifs filer-signatures command to enable (or perhaps require) SMB signing between this namespace and the external filers behind it. SMB signing is the process of placing a digital signature into each Server Message Block (SMB) exchanged between a CIFS server (each filer) and client (the namespace software). SMB signing prevents man-in-the-middle attacks at the cost of slower performance. Use no cifs filer-signatures to disable SMB signing between the namespace and its filers. This breaks all CIFS communication with any filers that require SMB signing. | |
required (optional) obligates all CIFS filers to use SMB signing in their communication with the namespace. If any of the namespaces filers refuse to support SMB signing, the namespace cannot make any CIFS connections to the filer. | |
This applies only to namespaces that support CIFS. Use the protocol command to set the file-access protocols for the namespace. If you use this command with the required option, the namespace can only connect to filers that support SMB signing. The namespace refuses to make a CIFS connection to any filer that does not support SMB signatures. The least-restrictive setting is to enable SMB signing without requiring it (using the cifs filer-signatures syntax). The namespace can then connect to any filer, whether it requires or refuses SMB signing. If the namespace software has a choice, it prefers not to use SMB signing for performance reasons. To control the SMB-signing policy between the ARX and its clients, you can use the signatures command in gbl-cifs mode. To see the number of filers and/or clients who have used SMB signing, along with some success and failure statistics, use the show fastpath cifs-signatures command. | |
bstnA(gbl-ns[insur])# cifs filer-signatures bstnA(gbl-ns[ns1])# cifs filer-signatures required bstnA(gbl-ns[ns4])# no cifs filer-signatures | |
Use the optional description command to set a descriptive string for the current namespace, volume, or share. This appears in the show namespace command. Use the no form of the command to delete the description. | |
description text text (1-255 characters) is your description. Surround the text with quotation marks () if it contains any spaces. | |
bstnA(gbl-ns[wwmed])# description namespace for World-Wide Medical network bstnA(gbl-ns-vol-shr[medarcv~/rcrds~rx])# description prescriptions since 2002 | |
show global-config namespace |
Use the enable command to activate the current namespace or volume, or its shares. Use no enable to stop access to the current namespace or volume. | |
shares (optional) causes all of the namespaces or volumes shares to be enabled. take-ownership (optional) causes the namespace or managed volume to take ownership of all back-end shares. Use this option only if you are sure that the shares are not in active use by a managed volume on another ARX. For example, some sites use filer applications to replicate all data from one site to another; if an ARX had managed volumes at the primary site, the ARXs ownership marker (a file) would be copied to the second site. An ARX at the second site could only import the share if you use the take-ownership option. The option has no effect on a direct volume, or on any direct volumes in the namespace. | |
Important: This option could possibly remove a share from another managed volume that is in service. Use the take-ownership option only for cases where some shares are spuriously marked by another ARX. The CLI prompts for confirmation if you use this option; enter yes to proceed. | |
The enable command causes a managed volume to import external files and directories into its shares. For large directory structures, this takes some time. If there are any name collisions, they occur when you issue the enable command. The import happens asynchronously; you can monitor its progress with the show namespace or show namespace status commands. | |
Important: For shares backed by NetApp or EMC, you may need to access the filer directly and pre-create some qtrees or EMC tree quotas. This rare configuration issue only occurs if: - this is a managed volume, - you want to support both free-space quotas (freespace cifs-quota), and - you also want to support filer-subshares in this volume. In this case, a NetApp share requires one qtree per subshare, and an EMC import share must be an EMC File System with one quota tree per subshare. Pre-create the NetApp qtrees and/or EMC quota trees before you enable the share. See the Guidelines: Subshare Replication with Free-Space Quotas section of the filer-subshares documentation. | |
Each volume belongs to a volume group, which shares a memory pool as well as CPU time. The volume group is associated with several resource limits that are enforced as soon as the volume is enabled. Refer to the volume-group and reserve files commands for details. The no enable command makes the volume(s) inaccessible to clients. When a volume is disabled, client applications get no response from it. Different applications react to this in different ways; some hang, others log error messages to an internal log. The shutdown is cleaner for your clients if you first perform no export (gbl-nfs), no export (gbl-cifs), and no browsing for all NFS and/or CIFS services that export the volume. | |
A direct volume is a collection of directory attach points that is easier to configure than a managed volume but does not offer any policy features. Each attach-point directory in the direct volume is attached to an actual directory on a back-end filer. A direct volume keeps no metadata. You use the direct command to declare a volume to be a direct volume. The enable command does not trigger an import in a direct volume, since there is no metadata to construct. The enable operation is therefore much faster. Also, the take-ownership option has no effect on a direct volume. | |
A CIFS volume with filer-subshares or cifs access-based-enum enabled performs some additional processing during import. Specifically, the volume software discovers CIFS subshares (shares under the imported shares) and ABE settings, and it makes these settings consistent at every back-end filer. This process produces a report to show its results, named syncSshrNewStorageReport_timestamp.rpt. You can use show reports to get a list of reports, and show reports report-name to read a particular report. | |
bstnA(gbl-ns[ns])# enable shares take-ownership bstnA(gbl-ns-vol[unused-ns~/vol2])# no enable | |
Use the metadata cache-size command to specify how much cache memory (in MB) to reserve for managed-volume metadata. This size is used for each volume-group domain used by the current namespace. Use the no form of this command to revert to the default cache size. | |
cache-size (64-1750) is the size, in megabytes (MB), of memory to reserve for the current namespaces metadata cache(s). | |
Each of the namespaces volume groups has a separate memory cache, shared by all managed volumes assigned to the domain. Use the volume-group command to assign a volume to a group. On the ARX-500, you can increase the maximum number of volume groups. The memory and CPU resources are more scarce on this platform than its newer counterparts, so it is shipped with a lower volume-group maximum. If you increase the maximum number of volume groups (using the max-volume-groups command), you should also consult with F5 to change this metadata cache size. The total memory used for this namespace is the total number of volume groups times this cache size. All platforms can use swap space (from their internal disks) to add to memory size if memory gets low. You can use the show processors usage command to monitor memory and swap-space usage on the system. | |
bstnA(gbl-ns[wwmed])# metadata cache-size 500 | |
show global-config namespace |
Use the namespace command to create a new namespace, or edit an existing one. Use the no form of the command to delete a namespace. | |
namespace name no namespace name name (1-30 characters) is a name you choose for the namespace. The name all is reserved and cannot be used. | |
The CLI prompts for confirmation before creating a namespace; enter yes to continue. (You can use terminal expert to eliminate confirmation prompts for creating new objects.) This places you in gbl-ns mode, where you must establish one or more managed volumes and/or direct volumes for the namespace. Each managed volume is like a file system in the namespace; it is composed of files and directories from various back-end filers. A direct volume contains shares with attach points, which are analogous to NFS mount points and mapped CIFS shares. A managed volume contains metadata and supports policy rules, a direct volume does not. Use the volume command to create either type of volume. From gbl-ns mode, you must also set the file-access protocol (NFSv2, NFSv3 (over UDP), and/or CIFS), and you must configure any security parameters to properly authenticate clients. Use the protocol command to set the file-access protocol(s). Use the enable (gbl-ns, gbl-ns-vol) command to enable the namespace. | |
You must remove all of the namespaces volumes before you can remove the namespace with no namespace. Removing a volume is a complex process, described in the documentation for the volume command. The remove namespace command removes all volumes for you; best practices dictate that you use that command instead. The remove service command removes the namespace and all other configuration objects that are exclusively dedicated to the namespace, such as external filers and global servers. | |
bstnA(gbl)# namespace ns bstnA(gbl)# no namespace myNameSpace | |
show global-config namespace |
This command is only necessary behind a cifs service that uses unconstrained delegation (or is not joined to its domain). Best practices dictate that you use constrained delegation, as described in the domain-join documentation, and avoid this CLI command. Use the ntlm-auth-db command to assign an NTLM-authentication database to the current namespace. Use the no form of the command to remove an NTLM authentication database. | |
ntlm-auth-db name no ntlm-auth-db name name (1-64 characters) is the name of an NTLM authentication database. Use the show ntlm-auth-db command for a list of configured NTLM databases. | |
This feature is designed for demonstrations with limited CIFS-service offerings. This is for CIFS services that either do not support Kerberos or support Kerberos with unconstrained delegation. For a namespace behind a non-Kerberos service, or a service with unconstrained delegation, the ntlm-auth-server is designed for long-term use. This command assigns an NTLM authentication database to a namespace. One database can be used in multiple namespaces. Use the gbl-mode ntlm-auth-db command to create an NTLM authentication demo database. You must also use cifs authentication ntlm and/or cifs authentication ntlmv2 for the namespace to support NTLM or NTLMv2 authentication. If a single front-end cifs service has exports from more than one namespace, this group of NTLM-Authentication DBs must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s). | |
bstnA(gbl-ns[ns1])# ntlm-auth-db DEMO | |
This command is only necessary behind a cifs service that uses unconstrained delegation (or is not joined to its domain). Best practices dictate that you use constrained delegation, as described in the domain-join documentation, and avoid this CLI command. Use the ntlm-auth-server command to assign an ARX Secure Agent (ASA) server to the current namespace. To support clients from multiple Windows domains, you can use this command multiple times. Use the no form of the command to remove an ASA from the namespace. This prevents clients in the ASAs Windows Domain from using NTLM or NTLMv2 authentication. | |
ntlm-auth-server name no ntlm-auth-server name name (1-128 characters) is the name of an ASA. | |
Use this command to assign an ARX Secure Agent (ASA) server to a namespace. The ASA facilitates NTLM and/or NTLMv2 authentication for the namespaces clients. Each ASA runs on a Windows-Domain Controller (DC) for a single Windows Domain. See the ARX Secure Agent Installation Guide for more information. After you install the ASA on a DC, use the ntlm-auth-server command to configure it on the ARX. Then use this command to make it available to the current namespace. Use the show ntlm-auth-server command to display the configured ASAs along with connection statistics. | |
Note: If the namespaces front-end CIFS Service uses constrained delegation, introduced with Windows Server 2003, the Secure Agent (and this command) is unnecessary. An administrator with Domain Administrator privileges can go to the DC and configure constrained delegation for this CIFS service. You can use the probe delegate-to command to find all back-end filers behind a CIFS service, which the DC administrator adds to the CIFS services delegate-to list. Once the CIFS service is set up this way at the DC, the services NTLM/NTLMv2 clients can authenticate without help from a Secure Agent. | |
A namespace can authenticate its clients with NTLM, NTLMv2, and Kerberos concurrently. This facilitates network transitions from NTLM to Kerberos. Use cifs authentication to configure NTLM, NTLMv2, Kerberos, or any combination of those authentication protocols. Each client chooses a protocol from that set. | |
If a single front-end cifs service has exports from more than one namespace, this group of ASAs must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s). | |
Removing an ASA (with no ntlm-auth-server) may stop NTLM and NTLMv2 support for the ASAs Windows domain; if this is the only ASA for the domain, clients from that domain can no longer authenticate through NTLM. This may also affect Kerberos clients in the domain if they drop down to NTLMv2 or NTLM. You can add a new ASA to the namespace at any time to support NTLM and/or NTLMv2 in a new Windows domain. This is not an issue if the cifs services in from of the namespace all support constrained delegation. You can use show cifs-service all to see all CIFS services, the namespace behind each service, and whether or not the service supports constrained delegation. | |
For demonstration purposes, there is an alternative to configuring an external ASA: you can use ntlm-auth-db to map a small group of clients to a single set of valid NTLM credentials. The switch uses the back-end credentials to authenticate to CIFS filers. | |
bstnA(gbl-ns[insur])# ntlm-auth-server server1 | |
Use the protocol command to establish the protocol for accessing the files in this namespace (NFSv2UDP, NFSv3UDP, CIFS, or NFSv3TCP). | |
nfs2 | nfs3 | cifs | nfs3tcp is a required choice: nfs2 is NFS version 2 over UDP, nfs3 is NFS version 3 over UDP, cifs is CIFS, and nfs3tcp is NFS version 3 over TCP. | |
All of the namespaces shares must support all of the file-access protocols you set for the namespace. For example, if you set nfs2 for the namespace, all of the shares in this namespace must support NFSv2. To make any of the above changes after the volume is imported, you must use nsck ... destage, change the protocol with this command, then bring the volume back online with enable (gbl-ns, gbl-ns-vol). For other protocol changes, such as adding NFSv2 to a running NFSv3 namespace, you must disable the volume (no enable (gbl-ns, gbl-ns-vol)) and its front-end service (no enable (gbl-cifs, gbl-nfs)), change the protocol, then re-enable both. This causes a shorter service outage. | |
bstnA(gbl-ns[ns])# protocol nfs2 bstnA(gbl-ns[ns1])# protocol cifs | |
Use the no form of the command to remove a proxy-user configuration from this namespace. | |
proxy-user name name (1-32 characters) is the Windows proxy user to associate with the current namespace. | |
From gbl mode, use the proxy-user command to add a proxy-user configuration to the ARX. If the proxy user has an FQDN for its windows-domain (gbl-proxy-user), it uses Kerberos to authenticate with back-end filers. If it fails to get a Kerberos ticket, it drops down to NTLMv2, and then (if that fails, too) NTLM. Use the show proxy-user command to view all configured proxy-users and their associated usernames and Windows domains. | |
Note: This has no relationship to the proxy-user (gbl-filer) command, which a snapshot-supporting volume uses to log into the filers CLI. This command supports CIFS imports and policy migrations, and the gbl-filer command supports coordinated snapshots. You must assign both types of proxy users to support both features. | |
bstnA(gbl-ns[medarcv])# proxy-user acoProxy2 | |
show global-config namespace |
Use the remove namespace command to remove a namespace or volume, along with all of its associated metadata and front-end exports. | |
name (1-30 characters) identifies the namespace. volume (optional, 1-1024 characters) focuses on a single volume. seconds (optional, 300-10,000) sets a time limit for the removal of each namespace (or volume) component. sync (optional) shows the operations progress at the command line. With this option, the CLI prompt does not return until all components have been removed. | |
The CLI prompts for confirmation before removing any configuration objects or metadata; enter yes to proceed. By default, this command generates a report to show all of the actions it takes to remove the volume(s), in order. The CLI shows the report name after you issue the command, and then returns. You can enter CLI commands as the namespace software removes the objects in the background. Use tail to follow the report as it is written. Use show reports file-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. Use the sync option to send the status to the command line instead; the command does not generate a report if you use the sync option. To remove a namespace and all other configuration objects dedicated to the namespace (including global servers and external filers), use remove service. To remove a share from a volume, use remove-share migrate or remove-share nomigrate. Use the remove namespace ... policy-only command to remove all policy objects (rules, share farms, and/or filesets) from a namespace or volume. The remove namespace ... volume ... exports-only command finds all front-end exports for a volume and removes them, leaving the volume itself intact. | |
prtlndA# remove namespace insur_bkup sync | |
A properly-empowered CIFS client can edit the list of users and groups who are permitted to access a file. For example, the owner of a file can allow read-access for a trusted group. A Windows server keeps a list of all available groups in its Security Account Management (SAM) database; a namespace proxies all of its SAM requests to one of the CIFS servers behind it. For installations that use Local Groups on some filers, it is possible for the switch to choose a filer that is unaware of all groups in the namespace. You can use the sam-reference command to choose the filer manually. This command is unnecessary unless at least one of the filers uses Local Groups. Use no sam-reference to allow the namespace to choose the SAM-reference filer. This is appropriate to an installation that only uses globally-defined groups. | |
ext-filer (1-64 characters) identifies the external filer to use. For a list of configured external filers, use show external-filer. cluster-name (optional, 1-64 characters) is only relevant if the ARX is part of a disaster-recovery (DR) configuration. In a DR configuration, there is an active ARX cluster with one set of filers and a backup cluster with a mirrored set of filers. This determines which cluster uses this ext-filer for its SAM queries. Run the sam-reference command twice per namespace if you use DR: once to designate the SAM-reference filer for the active cluster, and again to determine the SAM-reference filer at the backup cluster. Use show cluster for a list of configured clusters. If you omit this option, the command assumes that this is the local cluster. | |
If a single front-end cifs service has exports from more than one namespace, this SAM-reference filer must be the same for all of the exported namespaces. By extension, the single SAM-reference filer must define all the Local Groups behind all of the namespaces behind the CIFS service. (The export (gbl-cifs) command exports a namespace volume through CIFS.) | |
bstnA(gbl-ns[medarcv])# sam-reference fs2 bstnA(gbl-ns[medarcv])# no sam-reference | |
show global-config namespace |
Use the show namespace command to show summaries of all namespaces, or to include a single namespace name to view configuration details for that namespace. | |||||||||||||||||||||
name (optional, 1-30 characters) identifies the namespace. If you omit this, the output lists all namespaces on the switch. vol-path (optional, 1-1024 characters) is the name of the volume. share-name (optional, 1-64 characters) is the name of the share. all lists details for all configured namespaces. | |||||||||||||||||||||
This shows the full configuration and status of a namespace. For status only (to monitor the progress of an import), you can use the smaller show namespace status command. The show namespace output displays the following fields: Description is set with the description (gbl-ns, gbl-ns-...) command. Metadata Cache Size is the internal cache size in MB (512 MB is the default). To change the cache size, use the metadata cache-size command. Proxy User is the username/password used by the ARX to access back-end CIFS shares. Use the proxy-user (gbl-ns) command to set this. Filer SMB Signatures describes this namespaces setting for SMB signing, a CIFS security feature. This is Enabled (use SMB signing if and only if the filer requires it), Required (only connect to CIFS filers that agree to use SMB signing), or Not Enabled (only connect to filers that do not require SMB signing). You can change this with the cifs filer-signatures command. NFS Character Encoding only appears in a namespace that supports NFS. This shows the character encoding used for all file and directory names sent to NFS clients. You can change this with the character-encoding nfs command. SAM Reference Filer only appears if explicitly set with the sam-reference command. This shows the CIFS filer used to answer all CIFS-client queries to the Security Account Management (SAM) database. Supported Protocols lists the protocols (NFSv2, CIFS, and so on) supported by the namespace. This is set with the protocol command. | |||||||||||||||||||||
Protocols is a list of the authentication used (NTLM, NTLMv2, and/or Kerberos). Use cifs authentication to change this setting.
NTLM Servers (only appears if configured) is a list of external authentications servers, set by ntlm-auth-server (gbl-ns). NTLM Database (only appears if configured) is set by ntlm-auth-db (gbl-ns). Participating Switches is a list of ARXes that support the namespace. For each switch, the volume groups are shown in parenthesis; this is where the namespace software runs. Before you enable a volume (not after), you can specify its volume group with the volume-group command. | |||||||||||||||||||||
Metadata shares is shown only if the namespace uses a metadata-only share. Use the metadata share command to use a metadata-only share for the namespace. This is a table with the following columns (one row per configured share): Filer is the IP address or DNS name for the filer, Backend Path is the filers share name or NFS-export path, Contains Metadata is yes for the one export that holds metadata, and Status is the current status of the share. For possible status values, see Guidelines: Import Status below. | |||||||||||||||||||||
Windows Management Authorization Policies appears for namespaces that support CIFS and management by authorized Windows clients. The Microsoft Management Console (MMC) bundled with Windows is a typical interface for remote management. The windows-mgmt-auth (gbl-ns) command assigns a group of authorized clients to a namespace. If any Windows-management-authorization (WMA) groups are assigned to the namespace, they are listed in this table. | |||||||||||||||||||||
CIFS: is a list of supported CIFS options, if applicable. The following commands set these options: compressed-files, named-streams, persistent-acls, sparse-files, unicode-on-disk, cifs case-sensitive, and cifs file-system-name. Volume freespace is the amount of free space advertised to this volumes clients. After the free-space amount is the calculation method for free space: automatic, or manual, or clients use dir-master-only.
Volume total space is the sum of total space on all shares behind the volume. This is the actual space. The volumes clients may see different space settings, as determined by the settings above. CIFS quotas is Enabled if the volume supports path-based quotas on its back-end filers. This indicates that the volume shows free-space values based on these back-end quotas; each client sees his or her space quota, not the entire size of the volume. You can use the freespace cifs-quota command to enable or disable this feature. | |||||||||||||||||||||
Auto Sync Files: Enabled appears only if the volume is permitted to synchronize metadata that is found to be incorrect. This means that certain client-access errors will trigger an auto-sync operation. Use the auto sync files command to enable or disable this feature. | |||||||||||||||||||||
Auto Sync Options: Rename-Files appears only if the volume is permitted to rename files when auto-synchronizing. That is, if auto-sync discovers a file whose name is the same as an already-imported file, this feature allows the volume to rename the newly-discovered file. As above, use the auto sync files command to enable or disable this feature. Metadata size is the amount of metadata space allotted to this volume. Metadata free space is the amount of free space left on this volumes metadata share. This does not appear if metadata is stored on the internal disks. Filer Subshares: Enabled appears only if the filer-subshares flag is enabled. This applies only to managed volumes that support CIFS; it indicates that the volume can pass a client from a CIFS subshare at the front-end service through to the corresponding subshare at the back-end filer. This pass-through mechanism makes it possible to support share-level ACLs for the volumes subshares. The additional text, native-names-only, appears if the filer-subshares command was invoked with a flag of the same name. Oplock support appears only for volumes that support CIFS. This shows whether or not this volume supports CIFS opportunistic locks (oplocks). This can be Enabled, Disabled, or Automatic, as set by the cifs oplocks-disable command. Notify-change mode shows the degree of support for the CIFS change notification feature. This is Normal (tell clients only of changes in the top level of the directory requested, ignoring any request to track changes in its subtree), Use Subtree Flag (inform CIFS clients of all back-end file system changes that they request), or No changes sent (silently ignore all client requests for change notification). You can change this with cifs notify-change-mode. | |||||||||||||||||||||
CIFS path cache only appears for volumes that support CIFS. This is Enabled or Not Enabled, depending on the cifs path-cache setting. If enabled, NSM processors keep a cache of the volumes CIFS paths as it learns them. This prevents repetitive queries to the volume process on an ACM processor. Otherwise, NSM processors query the volume process for each CIFS-client request. CIFS access based enum also appears only for volumes that support CIFS. This is Enabled or Not Enabled, possibly followed by some combination of Auto-Enable, Ignore Metadata Skew, and/or Full Autosync. This output depends on the cifs access-based-enum setting. If enabled, the volume changes its behavior for sending directory listings to its CIFS clients; if a back-end share omits some files or directories, the volume assumes that the omissions are caused by ABE, and makes no attempt at correction. Additionally, the volume only allows a share to import if the share has ABE enabled at its back-end filer; the volume rejects shares with ABE disabled, or automatically enables ABE if the Auto-enable flag is raised. If Not Enabled, the volume presumes that none of its filers have ABE enabled, and therefore may amend a directory listing with omissions. Snapshots is either Enabled or Not Enabled, depending on whether or not the volume contains at least one snapshot rule. Migration method: Direct is either Staged or Direct. This indicates the method for migrating files; either performing a network transfer to a staging area first, or performing the transfer directly to the final location. The direct method fails if the migration is interrupted by a snapshot. You can use the policy migrate-method command to change this setting. | |||||||||||||||||||||
State is usually Enabled or Disabled, as set by the enable (gbl-ns, gbl-ns-vol) command. This cycles through several stages during import. The namespace imports the files and directories from back-end storage when you create and enable the volume and its share(s). See Guidelines: Volume State, below, for an explanation of all possible volume states. Host Switch is the ARX with the volume-group where this volume resides. This is typically the ARX peer where the volume was originally created. If you want to use show volume-group to show this volumes group, run the command on the ARX shown in this field. Instance is an integer ID for the volume processes. Volume Group is the volume group where this volumes processes run. Several volumes from the same namespace can run in a given volume group. The volume group is automatically assigned when the volume is enabled. You can optionally use the volume-group command to pre-set the volume group beforehand. Processor shows the physical CPU where the volume group is currently running. A volume group can fail over between peers in a redundant pair. The processor appears in slot.processor format. Files is the number of files in the volume, and the file credits that are remaining for the volume. This also shows the maximum possible number of file credits if auto reserve files is set. The auto-reserve feature adds file credits as the volume grows. | |||||||||||||||||||||
Metadata shares is shown only if the volume uses a metadata-only share. Use the metadata share command to use a metadata-only share for the volume. This is a table with the same columns as shown above in Guidelines: Metadata Shares (Namespace). | |||||||||||||||||||||
Share name (s) are the configured shares in the volume. Use the share command to add a share to the volume. | |||||||||||||||||||||
Note: Instead of using show namespace for this information, you can use the shorter show namespace status or show share status command to display share, filer, path, and import status only. | |||||||||||||||||||||
If the share has been designated as a replica-snap share, a replica of one of the other shares that is dedicated to snapshots, [replica-snap] appears next to the share name. Many of the detailed fields (below) do not appear for replica-snap shares because they are irrelevant to snapshots. Description appears only if someone set a description (gbl-ns, gbl-ns-...) for the share. Filer is the filer that hosts the back-end share. This is set by the filer command. If [Acopia Namespace] appears after the filer name, the filer is a managed-volume in a direct volume; this shows the namespace name and the Volume Path field (below) shows the volume name. Volume Path only appears for managed-volume shares in direct volumes. This is the name of the volume behind this direct share, as set by the managed-volume command. NFS Export is the name of the NFS export at the back-end filer. This is also set by the filer command. CIFS Share (also set by filer) is the name of the CIFS share at the filer. In a multi-protocol namespace, both the NFS Export and CIFS Share appear for each namespace share. | |||||||||||||||||||||
Features is a list of multi-protocol features supported at the back-end share:
| |||||||||||||||||||||
CIFS Maximum Request Size is the maximum size (in bytes) for a CIFS request (other than a write request). This is a maximum found at the back-end filer. This information is for internal use only. CIFS Access-based Enum is Exclude if someone issued cifs access-based-enum exclude for the share. Otherwise, this field does not appear in the output. The Exclude flag indicates that the filer behind the share cannot support access-based enumeration (ABE), so this share is excluded from the volumes ABE-consistency checking. SID Translation only appears for a CIFS volume that translates Security IDs (SIDs) for all files migrated to or from this share. This indicates that the filer uses Local Group support, so the SID for each group name is unique at this filer. Use the sid-translation command to enable SID translation for a share. Ignore SID errors only appears for a volume that supports CIFS. A Yes indicates that the back-end server is configured to return an error for a file or directory with an unknown SID, but accept the file/directory anyway. A No indicates that SID errors from the filer indicate a rejection of the file or directory. You can change this with the ignore-sid-errors command. Status is the current status of the share. This cycles through several stages during import. The namespace imports the files and directories from back-end storage when you create and enable the share. See Guidelines: Share-Import Status, below. Volume Root Backing appears if the share is designated to hold new files created in the root of the volume. This is the first share imported into the volume, which is typically the first share configured. Critical Share appears if the share has been tagged with the critical command. If a redundant switch loses contact with a critical share, it may fail over to its peer switch. | |||||||||||||||||||||
Migrate Retain Files: Yes only appears the share is set to keep copies of all files migrated away from it. The copies are kept in a hidden directory at the root of the share. Use migrate retain-files to edit this setting. Strict Attr Consistency: No only appears if you disable strict-attribute consistency. This is recommended for multi-protocol (CIFS and NFS) shares, which may have directories with different CIFS-side and NFS-side names. If the volume cannot find the CIFS-side name of a directory, it may not be able to find all of its CIFS attributes. The volume must either rename these directories (see below) or be allowed to operate without strict-attribute consistency; it cannot import the share otherwise. You can use no strict-attribute-consistency to set this. | |||||||||||||||||||||
Import Sync Attributes: Yes only appears if (during import) the volume is allowed to synchronize the attributes of colliding directories in this share. That is, if a directory in this share has the same name as an already-imported directory but different file attributes (such as read/write permissions), the volume can change the attributes. This is strongly recommended for shares in multi-protocol namespaces. Use import sync-attributes to change this. Import Rename Files: No only appears if (during import) the volume is prevented from renaming collision files in this share. A file is said to collide if it has the same name and path as an already-imported file or directory. Use modify to allow the volume to change files at all during import, and use no import rename-files to disallow file-name changes in this particular share. | |||||||||||||||||||||
Import Skip Managed Check: Yes is another import option. This only appears if someone used import skip-managed-check on this share. It means that the volume will not run a time-consuming test on any of the shares directories during import. The test confirms that the directory is not already managed by another ARX volume. Import Rename Directories: No only appears if (during import) the volume is prevented from renaming collision directories in this share. Use modify to allow the volume to change directories at all during import, and use no import rename-directories to disallow directory-name changes in this particular share. Import Rename Non Mappable Directories: Yes only appears if the volume is allowed to rename a multi-protocol directory with a CIFS-side name that is unmappable to the NFS character-encoding. Filers create unintelligible NFS-side names for these files; this indicates that the volume is allowed to rename these directories during import. Use import rename-directories unmapped-unicode to set this. Import Priority shows the priority for this share over other shares in the same volume. If two shares have a conflicting file or directory and their import priorities are different, the share with the higher priority wins the conflict. The file or directory on the winning share is the master, and the other file or directory may have to change according to one of the import settings above. You can use the import priority command to change the import priority for any given share. | |||||||||||||||||||||
Free space on storage is the remaining space on the share. The expression, (excluded from volume), appears after the number if someone used the freespace ignore command in this share; it means that this shares free space is not being counted toward the volumes free space. Freespace adjustment only appears if someone used freespace adjust to change the advertised free space for this share. This is the adjustment to the free space advertised for this back-end share. For example, if this is 1024 bytes, the volume adds 1024 bytes to the shares current free space. Total space on storage is the sum of the shares free space (above) and used space. Apparent size of storage is the size of the share that is advertised to clients. You can change this with the freespace apparent-size command; this field only appears if that command is set. Policy Maintain Freespace is the amount of free space to maintain on the share. The policy engine does not migrate files to this share if it drops below this amount of free space. You can change this with the policy freespace (gbl-ns, gbl-ns-vol) command. Policy Resume Freespace is another free-space threshold for this share. If the share drops below the free-space to maintain (above), the share is ineligible for any more migrations until it rises back up to this resume value. You can change this threshold with the same policy freespace (gbl-ns, gbl-ns-vol) command that you use for the maintain threshold. Free files on storage (NFS shares only) is the maximum number of files that can be added to the back-end export. All file systems impose a limit on the maximum number of files on a share. Virtual inodes (NFS direct shares only) is the total number of inodes (files) that can be supported at the direct share. | |||||||||||||||||||||
Transitions shows the number of times that the share has changed from offline to online, or from online to offline. Last Transition is the date of the last transition. Last Probe Status only appears if the most-recent probe of the share resulted in a failure. The volume probes the share at regular intervals to confirm its health; if this field appears, the share failed the latest probe and the failure status appears here. This often indicates a problem with the back-end filer or filer connection; contact F5 Support if you see this field and require any guidance. | |||||||||||||||||||||
In the Volumes State field, any of the following messages may appear:
| |||||||||||||||||||||
| |||||||||||||||||||||
In the Shares Status field, the following messages show the progress of a successful import:
| |||||||||||||||||||||
| |||||||||||||||||||||
An Error at the beginning of the message indicates the import failed. There are a large number of specific import errors, to help with diagnosis and recovery. See Table 21.1 on page 21-49 for a full list of possible errors and suggestions for troubleshooting each error. Once the error is corrected, you can use the no share command to remove the share, then share to re-import it. For metadata shares, the entire volume must be re-imported: use the nsck ... rebuild command for the volume. | |||||||||||||||||||||
bstnA# show namespace lists all namespaces. See Figure 21.1 for sample output. bstnA# show namespace medarcv bstnA# show namespace wwmed shows all volumes in an NFS namespace; see Figure 21.3 on page 21-43 for sample output. prtlndA# show namespace nemed volume /acctShdw shows one volume with manual free-space calculations. See Figure 21.4 on page 21-45 for sample output. bstnA# show namespace insur volume /claims shows one volume in a multi-protocol (NFS and CIFS) namespace. See Figure 21.5 on page 21-46 for sample output. bstnA# show namespace medco volume /vol share generic shows one share in a direct volume. See Figure 21.6 on page 21-48 for sample output. | |||||||||||||||||||||
Figure 21.1 Sample Output: show namespace
bstnA# show namespace
Figure 21.2 Sample Output: show namespace medarcv (CIFS)
bstnA# show namespace medarcv
Figure 21.3 Sample Output: show namespace wwmed (NFS)
bstnA# show namespace wwmed
prtlndA# show namespace nemed volume /acctShdw
bstnA# show namespace insur volume /claims
bstnA# show namespace medco volume /vol share generic
One of the shares directories has a name with Unicode characters that are unsupported by the character-encoding nfs setting. CIFS file names are Unicode and can contain any character, but NFS servers and clients must each configure their character encoding for file names. The volume cannot import a directory with any un-mappable characters in its name. You can use the import rename-directories unmapped-unicode command to allow the volume to rename such directories during import, or you can rename them manually at the filer. Then restart the share import: enter gbl-ns-vol-shr mode and re use the enable (gbl-ns-vol-shr) command. | |||||
A share with a higher import priority has failed its import, so this share cannot import. If any share import fails, the managed volume cannot import any shares with lower import priorities. Find the import error for the failed share(s), look for the error in this table, and take action as directed. This error is resolved as soon as all higher-priority shares successfully import. | |||||
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show exports command examine all permission settings at the filer. Use the show ip proxy-addresses command to list all configured proxy IP addresses. For CIFS shares, the switch uses the namespaces proxy user (username and password). The proxy-user credentials must belong to the Administrators group at every filer behind the namespace. Use the probe exports command to check this. The proxy-user (gbl-ns) command sets the proxy user credentials for a namespace. | |||||
This share is a parent to an already-imported share. Namespace shares cannot overlap. Use the filer command to change the path or share name. | |||||
The shares root directory has attributes (such as owner, group, and permission settings) that are inconsistent with those of the already-imported shares. You can access the back-end filer directly to change these attributes, or you can use the import sync-attributes command to allow the volume to change the attributes for you. Then re-enable the share (enable (gbl-ns-vol-shr)) to restart its import. | |||||
For NFS exports, check your back-end filer configuration: the back-end share should allow root access to all of the ARXs proxy IP addresses. Use the show exports command examine all permission settings at the filer. Use the show ip proxy-addresses command to list all configured proxy IP addresses. For CIFS shares, the switch uses the namespaces proxy user (username and password). The proxy-user credentials must belong to the Administrators group at every filer behind the namespace. The proxy-user (gbl-ns) command sets the proxy user credentials for a namespace. | |||||
The share cannot be found on the external filer. Use the filer command to change the path or share name for this share, then re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
(CIFS) The volume supports cifs access-based-enum (ABE), and attempted to replicate ABE settings between its back-end shares. This replication process failed. The same process also checks for CIFS subshares (filer-subshares), so you can use sync subshares from-namespace ... tentative to get a full report on this issue. This often occurs because the ARX does not have proper permissions to check for ABE support on this back-end share. The ARX uses the namespaces proxy user (username and password) as its identity when it checks for ABE support. The proxy-user credentials must belong to the Administrators group at this back-end filer. You can use the proxy-user (gbl-ns) command to choose new proxy user credentials for the namespace. After you find and fix this issue, use nsck ... rebuild volume to reimport all shares in the volume. | |||||
(CIFS) This is a CIFS error that is not an access or network error, but prevented the import. The syslog shows the specific error. Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog. After you correct the error, re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
(multi-protocol) The volume software encountered an NFS symbolic link on this back-end share, and the volume has cifs deny-symlinks enabled. You can resolve this issue by using the no cifs deny-symlinks command to allow the volume software to follow these links. Alternatively, you can remove all NFS symbolic links from the back-end share. | |||||
(CIFS) The back-end filer returned an unexpected CIFS error during import. The syslog shows the specific error. Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog. You may need to escalate to F5 Support. After you correct the error, re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
(CIFS) The filer returned an unexpected error during the import, and the error indicates a problem at the filer itself. The syslog shows the specific error. (Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog.) Check the filer itself and correct the problem there. After you correct the error, re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
(CIFS) The back-end share returned an error indicating that it does not support a CIFS option that the ARX requires. Consult the F5 Data Solutions Compatibility Matrix (included in this doc set) to confirm that the filer has been qualified for use behind the ARX. If the share cannot possibly support CIFS behind an ARX, you can use no share to remove the share from the volume. | |||||
(CIFS) The namespace software attempted to write a test file to the share and failed. Go to the filer and check permissions for the namespaces proxy-user (gbl-ns); the proxy user must be part of the Backup Operators and/or Administrators group on the filer. After you correct the error, re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
(CIFS) The volume supports filer-subshares and/or cifs access-based-enum (ABE), and attempted to replicate subshares, subshare ACLs, and/or ABE settings between its back-end shares. This replication process, also known as subshare synchronization, failed. As a result, any front-end export of the failed subshare will be degraded. The output of show cifs-service fqdn shows all of the degraded subshares in a given fqdn service. Use sync subshares from-namespace ... tentative to get a full report on this issue. To repair it, use the sync subshares from-namespace or sync subshares from-service command without the tentative option. | |||||
Use the proxy-user command to add or edit these credentials, and use the proxy-user (gbl-ns) command to apply them to a namespace. After you correct the error, re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
You can use show cifs-service open-files to find the open file, close cifs file to close it, and then retry the share import (with enable (gbl-ns-vol-shr)). | |||||
Failure to update file attributes can be caused by loss of connectivity during the import. Use the show exports command and/or ping to check the connection to the filer. Special, immutable directories can also cause this. The .snapshot directory (on some systems) is an example of an immutable directory, though .snapshot directories are properly ignored by the import software. To ignore other directories on this filer, use the gbl-ext-filer ignore-name command. After you correct the error, re-enable the share (enable (gbl-ns-vol-shr)) to retry the import. | |||||
Two or more of the volumes shares had common file names that either collided or had NFS/CIFS naming inconsistencies, and this volume disallows import if it encounters either of these problems. As an example of a collision, suppose share A and share B had the same file in the same path, \docs\index.htm: these files would collide. A naming inconsistency can only occur for a directory in a multi-protocol (NFS and CIFS) namespace; the CIFS-side directory name has unicode characters that are inexpressible on the NFS-side (see the documentation for the character-encoding nfs command). The volume must be allowed to modify the directory (or one of the colliding files) for the import to succeed: the directory or file must be renamed. All duplicate files and naming inconsistencies are recorded in the import reports for each share. These reports are named import.job-id.share-name.share-id.rpt. Use show reports to list all import reports and read their contents. Using the import report for each share, resolve all file collisions and naming inconsistencies before re-importing. Go to the filers and rename the files, move them, and/or resolve that certain file renames are acceptable. Once the issues are cleared, use the gbl-ns-vol reimport-modify and modify commands to allow modification (renames) on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) To rename inconsistent NFS/CIFS directories, use the import rename-directories unmapped-unicode command, too. | |||||
To retry the import, you can use the enable (gbl-ns-vol-shr) command on this share. | |||||
Managed volumes do not support Distributed File System (DFS) links. To find all of the DFS links on all of a volumes shares, you can import the share(s) with no modify. Remove all DFS links from the back-end share. Then use the enable (gbl-ns-vol-shr) command to retry the import. | |||||
To allow the volume to modify directory attributes on import, you can use modify on the volume and import sync-attributes on the share. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) Then use the enable (gbl-ns-vol-shr) command to retry the import. | |||||
This can only occur for NFS-only directories, with names that are illegal in CIFS. If possible, change the directory name(s) so that they are accessible from CIFS. As an alternative, you can use no strict-attribute-consistency to remove the requirement for strict-attribute consistency; this reduces all undiscovered CIFS attributes to zero. Once the volume has stopped importing any shares, you can do this for all shares in the volume. Then restart this share import with the enable (gbl-ns-vol-shr) command. | |||||
To allow the volume to correct this by changing the directory name on import, you can use modify on the volume and import rename-directories on the share. Alternatively, you can directly access the filer(s) and correct the problem there. Retry this share import (with enable (gbl-ns-vol-shr)) after you address the issue. | |||||
Two or more of the volumes shares had common file/directory names that somehow collided, causing one of the shares to fail its import. The following collisions can cause this failure:
All duplicate files and naming inconsistencies are recorded in the import reports for the share. These reports are named import.job-id.share-name.share-id.rpt. Use show reports type Imp to list all import reports, and use show reports report-name to read a report. Using the import report for this share, resolve all file collisions and naming inconsistencies before re-importing. Go to the filers and rename the files, move them, and/or resolve that certain file renames are acceptable. You can also use some share-import options to have the volume automatically rename files, rename directories, or reset directory attributes in this share during import (import rename-files, import rename-directories, or import sync-attributes). If you use any share-import options, use the gbl-ns-vol reimport-modify and modify commands to allow modification (renames) on import. | |||||
The share import failed for an undetermined reason. Run the collect diag-info CLI command to collect diagnostic information, then contact F5 Support. | |||||
An internal import operation timed out, possibly due to a filer-connectivity issue. Use the show exports command and/or ping to troubleshoot the connection to the filer. | |||||
The managed volume software supports a maximum of 1024 hard links per file. One or more files on this back-end share exceed this limit. These files are recorded in the shares import report, named import.job-id.share-name.share-id.rpt. Use show reports type Imp to list all import reports, and use show reports report-name to read a particular report. Then access the filer directly to reduce the number of hard links for all of these files. | |||||
If this happens to all shares after a switch replacement, the old switchs UUID was not properly applied to the replacement switch. Consult the appropriate Hardware Installation manual for switch-replacement instructions. | |||||
Check the share configuration at the filer: the ARX requires read/write access throughout the shares directory tree. Use the show exports command to examine all permission settings at the filer.
| |||||
Once some space is free, you can use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
This indicates permissions problems at the back-end filer. Use the show exports command to examine all permission settings at the filer.
| |||||
The back-end device could not be located with the IP address configured for the filer. From gbl-ext-filer mode, use the ip address command to reset the filers address. Use the show exports command, expect traceroute, and/or ping to check the connection to the filer. After the filer connection is re-established, you can use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
(NFS) These errors indicate an NFS-server problem at the filer. Once the filers NFS service is restored, you can use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
This may indicate a full disk on the back-end filer or permissions problems. Use the show exports command to examine all permission settings at the filer.
| |||||
You can use show cifs-service open-files to find the open file, close cifs file to close it, and then retry the share import (with the enable (gbl-ns-vol-shr) command). | |||||
(NFS) These errors indicate an NFS-server problem at the filer. Once the filers NFS service is fully restored, you can use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
The back-end device could not be located with the filer name or IP address configured for the filer. From gbl-ext-filer mode, use the ip address command to reset the filers address. Use the show exports command and/or ping to troubleshoot the connection to the filer. After the filer connection is re-established, you can use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
(CIFS) The namespace supports Kerberos authentication (see cifs authentication), but the namespace software is unable to confirm that the share is configured to support Kerberos, too. Check the connection to the back-end filer with show exports and/or ping. Restart the import (with enable (gbl-ns-vol-shr)) after you correct the problem. | |||||
The share import failed due to an internal-software conflict, possibly due to a timing issue or a brief filer-connectivity issue. Retry the import by using the enable (gbl-ns-vol-shr) command on this share. If this error returns, contact F5 Support. | |||||
A file on this share has the same name and path as a file on an already-imported share. To fix this, you can manually go to the filer and rename the file, or you can set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the file on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) You must also have the default settings for import rename-files and import rename-directories on this share. | |||||
Check the directory at the back-end share, and rename it so that both versions have the same name. Alternatively, you can set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the directory on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) You may also need to set import rename-directories unmapped-unicode for this share; this allows the volume to rename directories whose CIFS names do not map to the character encoding for NFS. Then restart the import with the enable (gbl-ns-vol-shr) command. | |||||
A file on this share has the same name and path as a file on an already-imported share. To fix this, you can manually go to the filer and rename the file, or you can set the modify flag on this volume. By setting the modify flag, you allow the volume to rename the file on import. (If any other shares are still importing, you must wait for their imports to finish before you can use the modify command.) You must also have the default settings for import rename-files and import rename-directories on this share. | |||||
Rename the file at the filer share, then use nsck ... rebuild volume to reimport all shares in the volume. | |||||
The protocol(s) configured for the back-end share are not actually supported at the filer. Use the show exports command to check the protocols supported by the filer. Use the show global-config namespace command to view the required protocols for the namespace. The share must support all of the namespaces protocols. You can remove the share from the volume (with no share), or you can add protocol support at the back-end filer. If you add the protocol support to the filer, you can then restart the share import with the enable (gbl-ns-vol-shr) command. | |||||
The import report shows the name of the conflicting file or directory. The name appears with an FC notation. The report is named import.job-id.share-name.share-id.rpt. Use show reports to list all import reports and read their contents. | |||||
The back-end filer behind this share returned an error that the ARX does not recognize. You can use the show logs syslog command to view the system log and learn more about the circumstances around the failure. We recommend that you contact F5 Support if you see this import error. You may be requested to run the collect command, which assembles diagnostic information for F5 Engineering. | |||||
The import failed because the back-end filer returned a link count of zero or a negative number for a file, which is invalid. A files link count should be one or more. The ARX syslog contains the file with the invalid link count; use grep link count logs syslog to find the path. Use this path to help diagnose and correct the filer issue. Then use the enable (gbl-ns-vol-shr) command to retry the import. | |||||
Use the show exports command and/or ping to check the connection to the filer. Restart the import (with enable (gbl-ns-vol-shr)) after the connection is restored. | |||||
This share contains more files than the volume can hold. Use the auto reserve files command to automatically increase the number of files that this volume can hold as the volume grows. If you prefer to manually set the maximum files for the volume, use reserve files to manually increase the maximum. Then restart the share import with the enable (gbl-ns-vol-shr) command. | |||||
These errors each indicate an internal software problem. Run the collect diag-info CLI command to collect diagnostic information, then contact F5 Support. | |||||
The specific directory and file name appears in a syslog message labeled ERROR_MAX_HASH_COLLISIONS. Use grep ERROR_MAX_HASH_COLLISIONS logs syslog to search for this error in the syslog. | |||||
There was a database I/O failure for the share. This may be caused by a transient network error, or a filer problem. You can use the show exports command to check the filer and connection for common problems. Once the external problem is resolved, use nsck ... rebuild volume to reimport all shares in the volume. | |||||
Use nsck ... rebuild volume to re-initialize the metadata share and reimport all shares in the volume. | |||||
The switch could not contact the metadata share. Use the show exports command and/or ping to check the connection to the metadata shares filer. The show export command also verifies that the share is accessible by root (for NFS shares) or the namespaces proxy-user (gbl-ns) (for CIFS shares). | |||||
(multi-protocol) The NFS character-encoding setting for the namespace does not match the character encoding supported at the filer. If this share was imported, lost NFS files could result. Reset the namespace character encoding (using the character-encoding nfs command) and retry the import. You can use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
(multi-protocol) The filer command specified an NFS export and a CIFS share over two different directory trees. This is unsupported. Retry the command with the correct share and export names, then retry the import with enable (gbl-ns-vol-shr). | |||||
(multi-protocol) During import, the volume creates a test file through CIFS and then attempts to read it through NFS. The volume was unable to read the file as root. Check the NFS configuration at the back-end share, correct the problem, and retry the import (enable (gbl-ns-vol-shr)). | |||||
(multi-protocol) During import, the volume creates a test file through CIFS and then attempts to delete it through NFS. The volume could read and write the file (as root), but was unable to remove it. This may indicate a permissions problem in the top-level directory for the share. Check the NFS configuration at the back-end share, correct the problem, and retry the import (enable (gbl-ns-vol-shr)). | |||||
(multi-protocol) During import, the volume creates a test file through CIFS and then attempts to write to it through NFS. The volume could read the file, but was unable to write to it (as root). Check the NFS configuration at the back-end share, correct the problem, and retry the import (enable (gbl-ns-vol-shr)). | |||||
(NFS) The back-end share does not support the NFS version(s) configured for the external filer. Use the show exports command to check the protocols supported by the filer. Use the filer command to change the configured NFS version(s) for the share/export. | |||||
Use the show exports command, expect traceroute, and/or ping to troubleshoot the connection to the filer. After the filer connection is re-established, you can restart the share import with the enable (gbl-ns-vol-shr) command. | |||||
(CIFS) A connection error occurred in the middle of a CIFS-permissions test. Use the show exports command, expect traceroute, and/or ping to troubleshoot the connection to the filer. Once the connection is fully restored, you can restart the share import with the enable (gbl-ns-vol-shr) command. | |||||
The namespaces proxy-user does not have adequate privileges to write to this CIFS share, so the import failed. The proxy user must belong to the Administrators group on this filer. You can choose new, more-privileged credentials for your proxy user, or you can go to the filer and add the current proxy user to a more-privileged group. The probe exports command can verify that the new proxy-user credentials pass this write test. Then restart the import with the enable (gbl-ns-vol-shr) command. | |||||
An administrator issued the cancel import command to stop this share import. You can restart the import with the enable (gbl-ns-vol-shr) command. | |||||
For NFS exports, check your back-end filer configuration: the back-end share should allow access to all of the ARXs proxy IP addresses. Use the show exports command to check the filers permissions and configuration. Use the show ip proxy-addresses command to list all configured proxy IP addresses. For CIFS shares, the switch uses the proxy user for the namespace; the proxy-user (gbl-ns) command sets these credentials. The proxy user must belong to the Administrators group. | |||||
(CIFS) The back-end filer returned an unexpected CIFS error during import. The syslog shows the specific error. Use show logs syslog to read the syslog, or grep string logs syslog to search for a specific string in the syslog. You may need to escalate to F5 Support. | |||||
(multi-protocol) The proxy user is a Windows username and password that the volume can use as its identity for share import and for policy operations. In a multi-protocol (CIFS and NFS) namespace, the proxy user on the Windows side must map to the root user on the UNIX side. You can select a new proxy user for the namespace with the command. If necessary, map the proxy user to root at the filer itself; the ARX Site Planning Guide has instructions for creating this mapping on common multi-protocol filers. | |||||
An administrator failed to remove the share with no share because client-visible files are still present on the share. Use the remove-file-entries option to remove all of the file entries from the volume; this produces a client-visible effect, so do this with caution. | |||||
Check your back-end filer configuration: the back-end share should have no-root-squash set for all of the ARXs proxy IP addresses. (On some filers, you accomplish this by mapping the anonymous user to UID 0 (zero).) Use the show exports command to check the filers permission settings. Use the show ip proxy-addresses command to list all configured proxy IP addresses. | |||||
(CIFS) The CIFS attributes set for the volume (with compressed-files, named-streams, persistent-acls, sparse-files, and/or unicode-on-disk) are not all supported at the back-end share. Use the show exports command to check the supported CIFS attributes for the share. You can remove the share from the volume (with no share) or disable the conflicting CIFS attribute(s) in the managed volume. If you elect to keep the share in the volume, use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
(CIFS) The namespace supports Kerberos authentication (see cifs authentication), but this share does not. The share must support extended security negotiations for the import to succeed. Also, the ARX needs the correct service-principal name (SPN) for the filer; you can use show exports ... capabilities to verify that the ARX has discovered the correct SPN for the filer, or you can use the spn command to set it manually. After you ensure that the filer support Kerberos and the ARX has the filers SPN, you can restart the import (enable (gbl-ns-vol-shr)). Alternatively, you can remove the share from the volume with no share. | |||||
Each back-end share must support all of the namespaces configured protocols (any combination of NFSv2, NFSv3(/UDP), NFSv3/TCP, and CIFS). Use the show global-config namespace command to view the namespaces protocols. You can remove the share from the volume (with no share) or enable the missing service(s) at the filer. If you elect to keep the share in the volume, use the enable (gbl-ns-vol-shr) command to restart the share import. | |||||
The export name is incorrect in the external-filer configuration. Use the filer command to change the configured name for the share/export. | |||||
(NFS) The ARX was unable to access the attributes of a file or directory. Check the NFS service at the back-end filer. To check the ARXs connectivity to the filer and perceived permissions at the filer, use show exports. You can restart the share import with enable (gbl-ns-vol-shr) after you resolve the filer issue. | |||||
From gbl-ns-vol-shr mode in the CLI, use no filer to detach from the back-end share. Then choose another back-end path with the filer command, or use no share to remove the share from the volume. To restart the import (with or without this share), use nsck ... rebuild volume to reimport all shares in the volume. | |||||
Someone attempted to remove a share (with no filer, no share, remove-share migrate, remove-share nomigrate, or remove service), and an internal error caused the removal to fail. Contact F5 Support if you see this message. | |||||
The connection to the back-end CIFS share failed due to possible configuration errors or a broken connection to the back-end filer. Use the show exports command, expect traceroute, and/or ping to troubleshoot the connection to the filer. Once the connection is fully established, you can restart the share import with the enable (gbl-ns-vol-shr) command. | |||||
Once the filer issue is corrected, use nsck ... rebuild volume to reimport all shares in the volume. | |||||
A CIFS-permission test failed at the filer for an undetermined reason. This may be a filer issue or a connectivity issue. Check the filer and the connection, and retry the share import (with enable (gbl-ns-vol-shr)). If this error stops the import a second time, run the collect diag-info CLI command to collect diagnostic information and contact F5 Support. | |||||
(CIFS) A file on this share has the same name and path as a file on an already-imported share, based on a case-blind comparison, and the volume is configured with no cifs case-sensitive. That is, some of the characters have differing cases, but the characters match (for example, index.htm matches index.HTM). If the volume is not case-sensitive, it cannot see the difference between the two names.
| |||||
An administrator stopped the import with the cancel import command. You may be able to restart the import with no enable (gbl-ns-vol-shr) and then enable. If the import was stopped too far in the process, you must first use nsck ... destage to shut down the volume, remove and re-add the share, then enable the volume again. | |||||
Internal Error (number) | Internal problem; contact F5 personnel. | ||||
No imports are possible unless the volume is enabled. Use the enable (gbl-ns, gbl-ns-vol) command to enable the volume. | |||||
The metadata share for the volume failed to import. Use metadata share to designate a new dedicated share for metadata. | |||||
An administrator stopped the share removal with the cancel remove command. To restart the removal process, use remove-share migrate, remove-share nomigrate, no share, or no filer. | |||||
The import process was interrupted by an nsck ... rebuild force. The rebuild operation will re-import the share. | |||||
DNAS, the internal name for volume software, is shutting down. This may be the result of administrative action, such as a remove service, during the import. The volume has stopped running, so the import is canceled. | |||||
show namespace mapping namespace namespace (1-30 characters) focuses on one namespace. Without this, the command displays the shares behind all namespaces. vol-path (1-1024 characters) focuses on one volume. | |
The output is a two-column table with the namespace and volume in the left column and the physical filer shares in the right column. For direct volumes, this shows one line per attach point. The word, [replica-snap], appears next to any replica-snap shares. Use show server-mapping to show all of the filer shares behind client-side share, from a front-end service such as cifs or nfs. | |
bstnA# show namespace mapping bstnA# show namespace mapping wwmed volume /acct | |
show global-config namespace |
Figure 21.7 Sample Output: show namespace mapping
bstnA# show namespace mapping
bstnA# show namespace mapping wwmed volume /acct
show namespace status namespace namespace (1-30 characters) identifies a namespace. vol-path (1-1024 characters) focuses on one volume. share-name (1-64 characters) narrows the focus to a single share. all displays status for all namespaces. | |||||||||||||||||||||
A managed-volume share imports files from its back-end filer when it is enabled and its parent volume is also enabled. A direct-volume share does not import; it only connects to its attach points (see attach). Use enable (gbl-ns-vol-shr) to enable a share, and use enable (gbl-ns, gbl-ns-vol) to enable a volume. This shows one table for each namespace and a sub-table for each volume. The top row of each volume table contains the name of the volume and its status. The Status is one of these values:
Shares are grouped under their volumes. For each share, this shows the Share name (or metadata-share for a metadata-only share), the name of the external Filer, the NFS Export or CIFS Share behind this namespace share, and the Status of the share. An [rs] appears before a replica-snap share, which holds snapshots of a standard share in the same volume. | |||||||||||||||||||||
In the Status column, the following messages show the progress of a successful import:
Use the show namespace command for more-detailed progress and error messages. | |||||||||||||||||||||
bstnA# show namespace status all shows volume shares and filer import status for all configured namespaces. For sample output, see Figure 21.9 on page 21-71. bstnA# show namespace status wwmed shows volume shares and filer import status for the wwmed namespace. See Figure 21.10 on page 21-73. bstnA# show namespace status wwmed volume /acct | |||||||||||||||||||||
show global-config namespace |
Figure 21.9 Sample Output: show namespace status all
bstnA# show namespace status all
Figure 21.10 Sample Output: show namespace status wwmed
bstnA# show namespace status wwmed
bstnA# show namespace status wwmed volume /acct
If a CIFS service has MMC browsing enabled, only authorized Windows clients can manage the service. You can use the windows-mgmt-auth command to create a Windows-management-authorization (WMA) group, a list of Windows clients with MMC permissions, and then you can use this command to apply one or more such groups to the current namespace. Use no windows-mgmt-auth to remove a WMA group from the current namespace. | |
windows-mgmt-auth name no windows-mgmt-auth name name (1-64 characters) identifies the WMA group. | |
Each WMA group has special MMC access to the namespace. The Windows clients in the group share the same MMC permissions. All cifs services backed by this namespace (if they have browsing enabled) use the WMA group(s) that you identify with this command. You can also use WMA groups to manage CIFS-client access to snapshots. Use the permit snapshot monitor (see permit (gbl-mgmt-auth)) command to allow group members to view snapshots, and use the snapshot privileged-access command in any volume where the group(s) should access snapshots. Use this command multiple times to associate multiple WMA groups with the namespace. The show windows-mgmt-auth command shows all available groups and their configurations. If a single front-end cifs service has exports from more than one namespace, this set of WMA groups must be the same for all of the exported namespaces. (The export (gbl-cifs) command exports a namespace volume through CIFS.) If this command makes the current namespace inconsistent with the other namespace(s) behind the same CIFS service, the CLI prompts with an opportunity to make the same change in the other namespace(s). Enter yes to allow the CLI to propagate the change to the other namespace(s). | |
bstnA(gbl-ns[medarcv])# windows-mgmt-auth testers bstnA(gbl-ns[medarcv])# windows-mgmt-auth fullAccess bstnA(gbl-ns[medarcv])# windows-mgmt-auth readOnly bstnA(gbl-ns[medarcv])# no windows-mgmt-auth testers | |