ONTAP tools for VMware vSphere 10 Manuals ( CA08871-301 )

ONTAP tools for VMware vSphere 10.5

Release notes

Release Notes

What's new in ONTAP tools for VMware vSphere 10.5

Concepts

ONTAP tools for VMware vSphere overview

Key concepts and terms

Role based access control (RBAC)

Learn about RBAC

RBAC with VMware vSphere

vCenter Server environment

Use RBAC with vCenter server

RBAC with ONTAP

ONTAP environment

Use RBAC with ONTAP

Deploy ONTAP tools for VMware vSphere

Quick start for ONTAP tools for VMware vSphere

High availability (HA) deployment workflow

ONTAP tools requirements and configuration limits

Before you get started

Deploy ONTAP tools for VMware vSphere

Troubleshoot deployment errors

Configure ONTAP tools for VMware vSphere

Add vCenter Server instances

Register VASA Provider to vCenter Server

Install the NFS VAAI plug-in

Configure ESXi host settings

Configure ONTAP user roles and privileges

Add a storage backend

Associate a storage backend with a vCenter Server instance

Configure network access

Create a datastore

Protect datastores and virtual machines

Protect using host cluster protection

Protect using SRA protection

Configure SRA to protect datastores

Configure SRA for SAN and NAS environments

Configure SRA for highly scaled environments

Configure SRA on the VMware Live Site Recovery appliance

Update SRA credentials

Configure protected and recovery sites

Configure protected and recovery site resources

Configure network mappings

Configure folder mappings

Configure resource mappings

Configure placeholder datastores

Configure SRA using array manager

Verify the replicated storage systems

Fan-out protection

Manage ONTAP tools for VMware vSphere

ONTAP tools for VMware vSphere dashboard overview

Understand igroups and export policies

Understand ONTAP tools managed igroups

ONTAP tools Manager user interface

Manage ONTAP tools Manager settings

Edit AutoSupport settings

Add NTP servers

Reset VASA Provider and SRA credentials

Edit backup settings

Enable ONTAP tools for VMware vSphere services

Change ONTAP tools for VMware vSphere configuration

Manage datastores

Mount NFS and VMFS datastore

Unmount NFS and VMFS datastore

Mount a vVols datastore

Resize NFS and VMFS datastore

Expand vVol datastore

Shrink vVols datastore

Delete datastores

ONTAP storage views for datastores

Virtual machine storage view

Manage storage thresholds

Manage storage backends

Manage vCenter Server instances in ONTAP tools

Manage certificates

Access ONTAP tools for VMware vSphere maintenance console

Overview of ONTAP tools for VMware vSphere maintenance console

Configure remote diagnostic access

Start SSH on other nodes

Update the vCenter server and ONTAP credentials

Change certificate validation flag

ONTAP tools reports

Manage virtual machines

Considerations to migrate or clone virtual machines

Migrate virtual machines with NFS and VMFS datastores to vVols datastores

VASA cleanup

Attach or detach a data disk from a virtual machine

Discover storage systems and hosts

Modify ESXi host settings

Manage passwords

Change ONTAP tools Manager password

Reset ONTAP tools Manager password

Reset application user password

Reset maintenance console user password

Manage host cluster protection

Modify host cluster protection

Remove host cluster protection

Recover the ONTAP tools setup

Uninstall ONTAP tools for VMware vSphere

Remove FlexVol volumes

Upgrade ONTAP tools for VMware vSphere

Upgrade from ONTAP tools for VMware vSphere 10.x to 10.5

Upgrade error codes

Migrate ONTAP tools for VMware vSphere 9.xx to 10.5

Migrate to the latest ONTAP tools for VMware vSphere

Migrate the VASA Provider and update the SRA

Automate using the REST API

Learn about the REST API

REST implementation

Your first REST API call

API reference

Configure ONTAP user roles and privileges

You can configure new user roles and privileges for managing storage backends using ONTAP System Manager.

SVM aggregate mapping requirements

When provisioning datastores using SVM user credentials, ONTAP tools for VMware vSphere creates volumes on the aggregate specified in the datastores POST API. ONTAP prevents SVM users from creating volumes on aggregates not mapped to the SVM. Map the SVM to the required aggregates using the ONTAP REST API or CLI before creating volumes.

REST API:

PATCH "/api/svm/svms/f16f0935-5281-11e8-b94d-005056b46485" '{"aggregates":{"name":["aggr1","aggr2","aggr3"]}}'

ONTAP CLI:

sti115_vsim_ucs630f_aggr1 vserver show-aggregates                                        AvailableVserver        Aggregate      State         Size Type    SnapLock Type-------------- -------------- ------- ---------- ------- --------------svm_test       sti115_vsim_ucs630f_aggr1                               online     10.11GB vmdisk  non-snaplock

Create ONTAP user and role manually

Follow the instructions in this section to create the user and roles manually.

  1. Access ONTAP System Manager using the cluster management IP address of the cluster.

  2. Log in to the cluster with admin privileges.

    1. To configure cluster ONTAP tools roles, select Cluster > Settings > Users and Roles.

    2. To configure cluster SVM ONTAP tools roles, select Storage SVM > Settings > Users and Roles.

  3. Create roles:

    1. Select Add under Roles table.

    2. Enter the Role name and Role Attributes details.

      Add the REST API Path and choose the access from the drop-down list.

    3. Add all the needed APIs and save the changes.

  4. Create users:

    1. Select Add under Users table.

    2. In the Add User dialog box, select System Manager.

    3. Enter the Username.

    4. Select Role from the options created in the Create Roles step above.

    5. Enter the applications to give access to and the authentication method. ONTAPI and HTTP are the required applications, and the authentication type is Password.

    6. Set the Password for the User and Save the user.

List of minimum privileges required for non-admin global scoped cluster user

The minimum privileges required for non-admin global scoped cluster user are listed in this section.

You can access functionality by using APIs:

API

Access level

Used for

/api/cluster

Read-Only

Cluster configuration discovery

/api/cluster/licensing/licenses

Read-Only

License Check for protocol specific licenses

/api/cluster/nodes

Read-Only

Platform type discovery

/api/security/accounts

Read-Only

Privilege discovery

/api/security/roles

Read-Only

Privilege discovery

/api/storage/aggregates

Read-Only

Aggregate space check during datastore/volume provisioning

/api/storage/cluster

Read-Only

To get the cluster level space and efficiency data

/api/storage/disks

Read-Only

To get the disks associated in an aggregate

/api/storage/qos/policies

Read/Create/Modify

QoS and VM policy management

/api/svm/svms

Read-Only

To get SVM configuration when the cluster is added locally.

/api/network/ip/interfaces

Read-Only

Add storage backend - To identify the management LIF scope is cluster/SVM

/api/storage/availability-zones

Read-Only

SAZ discovery. Applicable to ONTAP 9.16.1 release onwards and ASA r2 systems.

/api/cluster/metrocluster

Read-Only

Gets MetroCluster status and configuration details.

Create ONTAP tools for VMware vSphere ONTAP API based cluster scoped user

Discovery, create, modify, and destroy privileges are required for PATCH operations and automatic rollback on datastores. Missing permissions might cause workflow and cleanup issues.

An ONTAP API-based user with discovery, create, modify, and destroy privileges can manage ONTAP tools workflows.

To create a cluster scoped user with all privileges mentioned above, run the following commands:

security login rest-role create -role <role-name> -api /api/application/consistency-groups -access all

security login rest-role create -role <role-name> -api /api/private/cli/snapmirror -access all

security login rest-role create -role <role-name> -api /api/protocols/nfs/export-policies -access all

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystem-maps -access all

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystems -access all

security login rest-role create -role <role-name> -api /api/protocols/san/igroups -access all

security login rest-role create -role <role-name> -api /api/protocols/san/lun-maps -access all

security login rest-role create -role <role-name> -api /api/protocols/san/vvol-bindings -access all

security login rest-role create -role <role-name> -api /api/snapmirror/relationships -access all

security login rest-role create -role <role-name> -api /api/storage/volumes -access all

security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all

security login rest-role create -role <role-name> -api /api/storage/luns -access all

security login rest-role create -role <role-name> -api /api/storage/namespaces -access all

security login rest-role create -role <role-name> -api /api/storage/qos/policies -access all

security login rest-role create -role <role-name> -api /api/cluster/schedules -access read_create

security login rest-role create -role <role-name> -api /api/snapmirror/policies -access read_create

security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create

security login rest-role create -role <role-name> -api /api/storage/file/copy -access read_create

security login rest-role create -role <role-name> -api /api/support/ems/application-logs -access read_create

security login rest-role create -role <role-name> -api /api/protocols/nfs/services -access read_modify

security login rest-role create -role <role-name> -api /api/cluster -access readonly

security login rest-role create -role <role-name> -api /api/cluster/jobs -access readonly

security login rest-role create -role <role-name> -api /api/cluster/licensing/licenses -access readonly

security login rest-role create -role <role-name> -api /api/cluster/nodes -access readonly

security login rest-role create -role <role-name> -api /api/cluster/peers -access readonly

security login rest-role create -role <role-name> -api /api/name-services/name-mappings -access readonly

security login rest-role create -role <role-name> -api /api/network/ethernet/ports -access readonly

security login rest-role create -role <role-name> -api /api/network/fc/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/network/fc/logins -access readonly

security login rest-role create -role <role-name> -api /api/network/fc/ports -access readonly

security login rest-role create -role <role-name> -api /api/network/ip/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/protocols/nfs/kerberos/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/protocols/nvme/interfaces -access readonly

security login rest-role create -role <role-name> -api /api/protocols/san/fcp/services -access readonly

security login rest-role create -role <role-name> -api /api/protocols/san/iscsi/services -access readonly

security login rest-role create -role <role-name> -api /api/security/accounts -access readonly

security login rest-role create -role <role-name> -api /api/security/roles -access readonly

security login rest-role create -role <role-name> -api /api/storage/aggregates -access readonly

security login rest-role create -role <role-name> -api /api/storage/cluster -access readonly

security login rest-role create -role <role-name> -api /api/storage/disks -access readonly

security login rest-role create -role <role-name> -api /api/storage/qtrees -access readonly

security login rest-role create -role <role-name> -api /api/storage/quota/reports -access readonly

security login rest-role create -role <role-name> -api /api/storage/snapshot-policies -access readonly

security login rest-role create -role <role-name> -api /api/svm/peers -access readonly

security login rest-role create -role <role-name> -api /api/svm/svms -access readonly

security login rest-role create -role <role-name> -api /api/cluster/metrocluster -access readonly

Additionally, for ONTAP Versions 9.16.0 and above run the following command:

security login rest-role create -role <role-name> -api /api/storage/storage-units -access all

Create ONTAP tools for VMware vSphere ONTAP API based SVM scoped user

Run the following commands to create an SVM scoped user with all privileges:

security login rest-role create -role <role-name> -api /api/application/consistency-groups -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/private/cli/snapmirror -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nfs/export-policies -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystem-maps -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystems -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/igroups -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/lun-maps -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/vvol-bindings -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/snapmirror/relationships -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/volumes -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/luns -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/namespaces -access all -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster/schedules -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/snapmirror/policies -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/file/copy -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/support/ems/application-logs -access read_create -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nfs/services -access read_modify -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster/jobs -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/cluster/peers -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/name-services/name-mappings -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/ethernet/ports -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/fc/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/fc/logins -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/network/ip/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nfs/kerberos/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/nvme/interfaces -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/fcp/services -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/protocols/san/iscsi/services -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/security/accounts -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/security/roles -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/qtrees -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/quota/reports -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/storage/snapshot-policies -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/svm/peers -access readonly -vserver <vserver-name>

security login rest-role create -role <role-name> -api /api/svm/svms -access readonly -vserver <vserver-name>

Additionally, for ONTAP Versions 9.16.0 and above run the following command:

security login rest-role create -role <role-name> -api /api/storage/storage-units -access all -vserver <vserver-name>

To create a new API based user using the above created API based roles, run the following command:

security login create -user-or-group-name <user-name> -application http -authentication-method password -role <role-name> -vserver <cluster-or-vserver-name>

Example:

security login create -user-or-group-name testvpsraall -application http -authentication-method password -role OTV_10_VP_SRA_Discovery_Create_Modify_Destroy -vserver C1_sti160-cluster_

Run the following command to unlock the account and enable management interface access:

security login unlock -user <user-name> -vserver <cluster-or-vserver-name>

Example:

security login unlock -username testvpsraall -vserver C1_sti160-cluster
Top of Page