ONTAP tools for VMware vSphere 10 Manuals ( CA08871-301 )

ONTAP tools for VMware vSphere 10.4

Concepts

ONTAP tools for VMware vSphere overview

Key concepts and terms

Role based access control

Learn about RBAC

RBAC with VMware vSphere

vCenter Server environment

Use RBAC with vCenter server

RBAC with ONTAP

ONTAP environment

Use RBAC with ONTAP

High availability for ONTAP tools for VMware vSphere

ONTAP tools Manager user interface

Deploy ONTAP tools for VMware vSphere

Quick start for ONTAP tools for VMware vSphere

High availability (HA) deployment workflow

Prerequisites

Before you get started

Deploy ONTAP tools for VMware vSphere

Deployment error codes

Configure ONTAP tools for VMware vSphere

Add vCenter Server instances

Register VASA Provider to vCenter Server

Install the NFS VAAI plug-in

Configure ESXi host settings

Configure ONTAP user roles and privileges

Add a storage backend

Associate a storage backend with a vCenter Server instance

Configure network access

Create a datastore

Protect datastores and virtual machines

Protect using host cluster protection

Protect using SRA protection

Enable SRA to protect datastores

Configure SRA for SAN and NAS environments

Configure SRA for highly scaled environments

Configure SRA on the VMware Live Site Recovery appliance

Update SRA credentials

Configure protected and recovery sites

Configure protected and recovery site resources

Configure network mappings

Configure folder mappings

Configure resource mappings

Configure placeholder datastores

Configure SRA using array manager

Verify the replicated storage systems

Fan out protection

Manage ONTAP tools for VMware vSphere

ONTAP tools for VMware vSphere dashboard overview

ONTAP tools Manager user interface

Enable ONTAP tools for VMware vSphere services

Change ONTAP tools for VMware vSphere configuration

Manage datastores

Mount NFS and VMFS datastore

Unmount NFS and VMFS datastore

Mount a vVols datastore

Resize NFS and VMFS datastore

Expand vVol datastore

Shrink vVols datastore

Delete datastores

ONTAP storage views for datastores

Virtual machine storage view

Manage storage thresholds

Manage storage backends

Manage vCenter Server instances

Manage certificates

Access ONTAP tools for VMware vSphere maintenance console

Overview of ONTAP tools for VMware vSphere maintenance console

Configure remote diagnostic access

Start SSH on other nodes

Update the vCenter server and ONTAP credentials

ONTAP tools reports

Collect the log files

Manage virtual machines

Considerations to migrate or clone virtual machines

Migrate virtual machines with NFS and VMFS datastores to vVols datastores

VASA cleanup

Attach or detach a data disk from a virtual machine

Discover storage systems and hosts

Modify ESXi host settings

Manage passwords

Change ONTAP tools Manager password

Reset ONTAP tools Manager password

Reset application user password

Reset maintenance console user password

Manage host cluster protection

Modify host cluster protection

Remove host cluster protection

Disable AutoSupport

Update AutoSupport proxy URL

Add NTP servers

Create a backup and recover the ONTAP tools setup

Uninstall ONTAP tools for VMware vSphere

Remove FlexVol volumes

Upgrade ONTAP tools for VMware vSphere

Upgrade error codes

Migrate ONTAP tools for VMware vSphere 9.xx to 10.4

Migrate to the latest ONTAP tools for VMware vSphere

Migrate the VASA Provider and update the SRA

Automate using the REST API

Learn about the REST API

REST implementation

Your first REST API call

API reference

Configure ONTAP user roles and privileges

You can configure new user roles and privileges for managing storage backends using ONTAP System Manager.

SVM aggregate mapping requirements

To use SVM user credentials for provisioning datastores, internally ONTAP tools for VMware vSphere creates volumes on the aggregate specified in the datastores POST API. The ONTAP does not allow the creation of volumes on unmapped aggregates on an SVM using SVM user credentials. To resolve this, you need to map the SVMs with the aggregates using the ONTAP REST API or CLI as described here.

REST API:

PATCH "/api/svm/svms/f16f0935-5281-11e8-b94d-005056b46485" '{"aggregates":{"name":["aggr1","aggr2","aggr3"]}}'

ONTAP CLI:

sti115_vsim_ucs630f_aggr1 vserver show-aggregates                                        AvailableVserver        Aggregate      State         Size Type    SnapLock Type-------------- -------------- ------- ---------- ------- --------------svm_test       sti115_vsim_ucs630f_aggr1                               online     10.11GB vmdisk  non-snaplock

Create ONTAP user and role manually

Follow the instructions in this section to create the user and roles manually.

  1. Access ONTAP System Manager using the cluster management IP address of the cluster.

  2. Log in to the cluster with admin privileges.

    1. To configure cluster ONTAP tools roles, select Cluster > Settings > Users and Roles pane.

    2. To configure cluster SVM ONTAP tools roles, select Storage SVM > Settings > Users and Roles pane

  3. Create Roles:

    1. Select Add under Roles table.

    2. Enter the Role name and Role Attributes details.

      Add the REST API Path and the respective access from the drop down.

    3. Add all the needed APIs and save the changes.

  4. Create Users:

    1. Select Add under Users table.

    2. In the Add User dialog box, select System Manager.

    3. Enter the Username.

    4. Select Role from the options created in the Create Roles step above.

    5. Enter the applications to give access to and the authentication method. ONTAPI and HTTP are the required applications, and the authentication type is Password.

    6. Set the Password for the User and Save the user.

List of minimum privileges required for non-admin global scoped cluster user

The minimum privileges required for non-admin global scoped cluster user are listed in this section.

Using APIs:

API

Access level

Used for

/api/cluster

Read-Only

Cluster Configuration Discovery

/api/cluster/licensing/licenses

Read-Only

License Check for Protocol specific licenses

/api/cluster/nodes

Read-Only

Platform type discovery

/api/security/accounts

Read-Only

Privilege Discovery

/api/security/roles

Read-Only

Privilege Discovery

/api/storage/aggregates

Read-Only

Aggregate space check during Datastore/Volume provisioning

/api/storage/cluster

Read-Only

To get the Cluster level Space and Efficiency Data

/api/storage/disks

Read-Only

To get the Disks associated in an Aggregate

/api/storage/qos/policies

Read/Create/Modify

QoS and VM Policy management

/api/svm/svms

Read-Only

To get SVM configuration in the case the Cluster is added locally.

/api/network/ip/interfaces

Read-Only

Add Storage Backend - To identify the management LIF scope is Cluster/SVM

/api/storage/availability-zones

Read-Only

SAZ Discovery. Applicable to ONTAP 9.16.1 release onwards.

Create ONTAP tools for VMware vSphere ONTAP API based cluster scoped user

You need discovery, create, modify, and destroy Privileges to perform PATCH operations and automatic rollback in case of failure on datastores. Lack of these all these privileges together leads to workflow disruptions and cleanup issues.

Creating ONTAP tools for VMware vSphere ONTAP API based user with discovery, create storage, modify storage, destroy storage privileges enables initiating discoveries and manage ONTAP tools workflows.

To create a cluster scoped user with all privileges mentioned above, run the following commands:

security login rest-role create -role <role-name> -api /api/application/consistency-groups -access all

security login rest-role create -role <role-name> -api /api/private/cli/snapmirror -access all

security login rest-role create -role <role-name> -api /api/protocols/nfs/export-policies -access all

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystem-maps -access all

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystems -access all

security login rest-role create -role <role-name> -api /api/protocols/san/igroups -access all

security login rest-role create -role <role-name> -api /api/protocols/san/lun-maps -access all

security login rest-role create -role <role-name> -api /api/protocols/san/vvol-bindings -access all

security login rest-role create -role <role-name> -api /api/snapmirror/relationships -access all

security login rest-role create -role <role-name> -api /api/storage/volumes -access all

security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all

security login rest-role create -role <role-name> -api /api/storage/luns -access all

security login rest-role create -role <role-name> -api /api/storage/namespaces -access all

security login rest-role create -role <role-name> -api /api/storage/qos/policies -access all

security login rest-role create -role <role-name> -api /api/cluster/schedules -access read_create

security login rest-role create -role <role-name> -api /api/snapmirror/policies -access read_create

security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create

security login rest-role create -role <role-name> -api /api/storage/file/copy -access read_create

security login rest-role create -role <role-name> -api /api/support/ems/application-logs -access read_create

security login rest-role create -role <role-name> -api /api/protocols/nfs/services -access read_modify

security login rest-role create -role <role-name> -api /api/cluster -access readonly

security login rest-role create -role <role-name> -api /api/cluster/jobs -access readonly

security login rest-role create -role <role-name> -api /api/cluster/licensing/licenses -access readonly

security login rest-role create -role <role-name> -api /api/cluster/nodes -access readonly

security login rest-role create -role <role-name> -api /api/cluster/peers -access readonly

security login rest-role create -role <role-name> -api /api/name-services/name-mappings -access readonly

security login rest-role create -role <role-name> -api /api/network/ethernet/ports -access readonly

security login rest-role create -role <role-name> -api /api/network/fc/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/network/fc/logins -access readonly

security login rest-role create -role <role-name> -api /api/network/fc/ports -access readonly

security login rest-role create -role <role-name> -api /api/network/ip/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/protocols/nfs/kerberos/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/protocols/nvme/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/protocols/san/fcp/services -access readonly

security login rest-role create -role <role-name> -api /api/protocols/san/iscsi/services -access readonly

security login rest-role create -role <role-name> -api /api/security/accounts -access readonly

security login rest-role create -role <role-name> -api /api/security/roles -access readonly

security login rest-role create -role <role-name> -api /api/storage/aggregates -access readonly

security login rest-role create -role <role-name> -api /api/storage/cluster -access readonly

security login rest-role create -role <role-name> -api /api/storage/disks -access readonly

security login rest-role create -role <role-name> -api /api/storage/qtrees -access readonly

security login rest-role create -role <role-name> -api /api/storage/quota/reports -access readonly

security login rest-role create -role <role-name> -api /api/storage/snapshot-policies -access readonly

security login rest-role create -role <role-name> -api /api/svm/peers -access readonly

security login rest-role create -role <role-name> -api /api/svm/svms -access readonly

Additionally, for ONTAP Versions 9.16.0 and above run the following command:

security login rest-role create -role <role-name> -api /api/storage/storage-units -access all

Create ONTAP tools for VMware vSphere ONTAP API based SVM scoped user

To create a SVM scoped user with all the privileges, run the following commands:

security login rest-role create -role <role-name> -api /api/application/consistency-groups -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/private/cli/snapmirror -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nfs/export-policies -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystem-maps -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystems -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/igroups -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/lun-maps -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/vvol-bindings -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/snapmirror/relationships -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/volumes -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/luns -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/namespaces -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster/schedules -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/snapmirror/policies -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/file/copy -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/support/ems/application-logs -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nfs/services -access read_modify -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster/jobs -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster/peers -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/name-services/name-mappings -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/ethernet/ports -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/fc/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/fc/logins -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/ip/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nfs/kerberos/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nvme/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/fcp/services -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/iscsi/services -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/security/accounts -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/security/roles -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/qtrees -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/quota/reports -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/snapshot-policies -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/svm/peers -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/svm/svms -access readonly -vserver <vserver-name>

Additionally, for ONTAP Versions 9.16.0 and above run the following command:

security login rest-role create -role <role-name> -api /api/storage/storage-units -access all -vserver <vserver-name>

To create a new API based user using the above created API based roles, run the following command:

security login create -user-or-group-name <user-name> -application http -authentication-method password -role <role-name> -vserver <cluster-or-vserver-name>

Example:

security login create -user-or-group-name testvpsraall -application http -authentication-method password -role OTV_10_VP_SRA_Discovery_Create_Modify_Destroy -vserver C1_sti160-cluster_

To unlock the account, to enable access to the management interface run the following command:

security login unlock -user <user-name> -vserver <cluster-or-vserver-name>

Example:

security login unlock -username testvpsraall -vserver C1_sti160-cluster
Top of Page