OceanStor Dorado 6.1.x SmartMulti-Tenant Feature Guide For File
Uploaded by
jarekscribd23OceanStor Dorado 6.1.x SmartMulti-Tenant Feature Guide For File
Uploaded by
jarekscribd23OceanStor Dorado
6.1.x
SmartMulti-Tenant Feature Guide
for File
Issue 07
Date 2023-10-31
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2023. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. i
Security Declaration
Product Life Cycle
Huawei's regulations on product life cycle are subject to the Product End of Life Policy. For details about
the policy, see the following website:https://support.huawei.com/ecolumnsweb/en/warranty-policy
Vulnerability
Huawei's regulations on product vulnerability management are subject to "Vul. Response Process". For
details about the policy, see the following website:https://www.huawei.com/en/psirt/vul-response-process
For enterprise customers who need to obtain vulnerability information, visit:https://
securitybulletin.huawei.com/enterprise/en/security-advisory
Preconfigured Digital Certificate
Huawei has released the Huawei Preset Digital Certificate Disclaimer for the preconfigured digital
certificates delivered with devices. For details about the disclaimer, visit the following website:https://
support.huawei.com/enterprise/en/bulletins-service/ENEWS2000015789
Life Cycle of Product Documentation
Huawei released the Huawei Product Documentation Lifecycle Policy for after-sales customer
documentation. For details about this policy, see the website of Huawei's official website:https://
support.huawei.com/enterprise/en/bulletins-website/ENEWS2000017761
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. ii
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File About This Document
About This Document
Purpose
This document describes the implementation principles and application scenarios
of the SmartMulti-Tenant feature and explains how to configure and manage this
feature.
NOTE
SmartMulti-Tenant is a multi-tenancy feature developed by Huawei.
The following table lists the product models supporting SmartMulti-Tenant.
Product Model Product Version
OceanStor Dorado 3000 (96 GB memory per 6.1.2
controller) 6.1.3
6.1.5
6.1.6
6.1.7
OceanStor Dorado 5000 6.1.0
6.1.2
OceanStor Dorado 6000
6.1.3
OceanStor Dorado 8000 6.1.5
OceanStor Dorado 18000 6.1.6
6.1.7
Intended Audience
This document is intended for:
● Technical support engineers
● Maintenance engineers
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. iii
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File About This Document
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk which, if not
avoided, will result in death or serious injury.
Indicates a hazard with a medium level of risk which, if not
avoided, could result in death or serious injury.
Indicates a hazard with a low level of risk which, if not
avoided, could result in minor or moderate injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in equipment damage, data loss,
performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal
injury.
Supplements the important information in the main text.
NOTE is used to address information not related to personal
injury, equipment damage, and environment deterioration.
Change History
Changes between document issues are cumulative. The latest document issue
contains all the changes made in earlier issues.
Issue 07 (2023-10-31)
This issue is the seventh official release.
Issue 06 (2023-07-15)
This issue is the sixth official release.
Issue 05 (2023-04-20)
This issue is the fifth official release.
Issue 04 (2022-11-15)
This issue is the fourth official release.
Issue 03 (2022-08-25)
This issue is the third official release.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. iv
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File About This Document
Issue 02 (2022-01-25)
This issue is the second official release.
Added the operations of vStore users.
Issue 01 (2021-09-30)
This issue is the first official release.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. v
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File Contents
Contents
About This Document............................................................................................................... iii
1 Description................................................................................................................................ 1
1.1 Overview.................................................................................................................................................................................... 1
1.2 License Requirements and Specifications....................................................................................................................... 3
1.3 Working Principle.................................................................................................................................................................... 3
1.3.1 Concepts.................................................................................................................................................................................. 3
1.3.2 vStore Isolation..................................................................................................................................................................... 4
1.3.3 vStore Functions................................................................................................................................................................... 6
1.4 Application Scenarios............................................................................................................................................................. 6
2 Configuring vStores.................................................................................................................8
2.1 Configuration Process.......................................................................................................................................................... 12
2.2 Logging In to DeviceManager.......................................................................................................................................... 12
2.2.1 Logging In to DeviceManager (System User)......................................................................................................... 12
2.2.2 Logging In to DeviceManager (vStore User, Applicable to 6.1.3 and Later)................................................ 13
2.3 Checking the License File................................................................................................................................................... 15
2.4 Configuring Basic Storage Resources............................................................................................................................. 16
2.5 Creating a vStore.................................................................................................................................................................. 16
2.6 Creating a vStore User........................................................................................................................................................ 21
2.7 Configuring the Network................................................................................................................................................... 25
2.7.1 (Optional) Creating a Bond Port..................................................................................................................................25
2.7.2 (Optional) Creating a VLAN.......................................................................................................................................... 26
2.7.3 (Optional) Creating a DNS Zone................................................................................................................................. 27
2.7.4 Creating a Logical Port.................................................................................................................................................... 28
2.7.5 (Optional) Configuring DNS Load Balancing.......................................................................................................... 34
2.7.6 (Optional) Managing the Routes of a Logical Port...............................................................................................36
2.8 Configuring Basic Storage Resources (System User)................................................................................................37
2.8.1 Creating a File System..................................................................................................................................................... 38
2.8.2 Creating a Dtree.................................................................................................................................................................57
2.8.3 Creating a Quota............................................................................................................................................................... 62
2.8.4 Sharing a File System....................................................................................................................................................... 66
2.8.4.1 Configuring an NFS Share...........................................................................................................................................67
2.8.4.1.1 Configuration Process............................................................................................................................................... 67
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. vi
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File Contents
2.8.4.1.2 Preparing Data............................................................................................................................................................ 67
2.8.4.1.3 (Optional) Setting the NFS Service...................................................................................................................... 68
2.8.4.1.4 (Optional) Preparing LDAP Domain Configuration Data............................................................................. 70
2.8.4.1.5 (Optional) Configuring LDAP Domain Authentication Parameters.......................................................... 74
2.8.4.1.6 (Optional) Preparing NIS Domain Configuration Data.................................................................................82
2.8.4.1.7 (Optional) Configuring NIS Domain Authentication Parameters..............................................................84
2.8.4.1.8 (Optional) Configuring the NFSv4 Service for a Non-Domain Environment........................................ 87
2.8.4.1.9 (Optional) Enabling NFSv3 Mount for Windows Clients (Applicable to 6.1.6 and Later)................ 88
2.8.4.1.10 Creating an NFS Share........................................................................................................................................... 89
2.8.4.1.11 Adding an NFS Share Client (Applicable to Versions Earlier Than 6.1.3).............................................95
2.8.4.1.12 Adding an NFS Share Client (Applicable to 6.1.3 and Later)................................................................... 99
2.8.4.1.13 Accessing an NFS Share.......................................................................................................................................103
2.8.4.2 Configuring a CIFS Share.......................................................................................................................................... 103
2.8.4.2.1 Configuration Process............................................................................................................................................. 103
2.8.4.2.2 Preparing Data.......................................................................................................................................................... 104
2.8.4.2.3 (Optional) Creating a Local Authentication User Group........................................................................... 105
2.8.4.2.4 Creating a Local Authentication User............................................................................................................... 106
2.8.4.2.5 (Optional) Preparing AD Domain Configuration Data............................................................................... 108
2.8.4.2.6 (Optional) Connecting a Storage System to a DNS Server....................................................................... 109
2.8.4.2.7 (Optional) Configuring AD Domain Authentication Parameters............................................................ 110
2.8.4.2.8 Creating a CIFS Share............................................................................................................................................. 115
2.8.4.2.9 Accessing a CIFS Share........................................................................................................................................... 123
2.8.4.3 Accessing Cross-Protocol Shares............................................................................................................................ 125
2.8.4.3.1 Overview..................................................................................................................................................................... 125
2.8.4.3.2 Configuring Mapping Parameters...................................................................................................................... 129
2.8.4.3.3 Creating a User Mapping...................................................................................................................................... 131
2.8.4.3.4 Accessing a CIFS File Across Protocols.............................................................................................................. 133
2.8.4.3.5 Accessing an NFS File Across Protocols............................................................................................................ 138
2.9 Configuring Basic Storage Resources (vStore User, Applicable to 6.1.3 and Later).................................... 142
2.9.1 Creating a File System................................................................................................................................................... 142
2.9.2 (Optional) Creating a Dtree........................................................................................................................................ 159
2.9.3 (Optional) Creating a Quota...................................................................................................................................... 162
2.9.4 Sharing a File System.................................................................................................................................................... 166
2.9.4.1 Configuring an NFS Share........................................................................................................................................ 167
2.9.4.1.1 Configuration Process............................................................................................................................................. 167
2.9.4.1.2 Preparing Data.......................................................................................................................................................... 167
2.9.4.1.3 (Optional) Preparing LDAP Domain Configuration Data...........................................................................168
2.9.4.1.4 (Optional) Configuring LDAP Domain Authentication Parameters....................................................... 171
2.9.4.1.5 (Optional) Preparing NIS Domain Configuration Data.............................................................................. 172
2.9.4.1.6 (Optional) Configuring NIS Domain Authentication Parameters........................................................... 174
2.9.4.1.7 (Optional) Configuring the NFSv4 Service for a Non-Domain Environment......................................174
2.9.4.1.8 Creating an NFS Share........................................................................................................................................... 175
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. vii
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File Contents
2.9.4.1.9 Adding NFS Share Clients......................................................................................................................................180
2.9.4.1.10 Accessing an NFS Share.......................................................................................................................................184
2.9.4.2 Configuring a CIFS Share.......................................................................................................................................... 192
2.9.4.2.1 Configuration Process............................................................................................................................................. 192
2.9.4.2.2 Preparing Data.......................................................................................................................................................... 192
2.9.4.2.3 (Optional) Creating a Local Authentication User Group........................................................................... 193
2.9.4.2.4 Creating a Local Authentication User............................................................................................................... 194
2.9.4.2.5 (Optional) Preparing AD Domain Configuration Data............................................................................... 196
2.9.4.2.6 (Optional) Connecting a Storage System to a DNS Server....................................................................... 197
2.9.4.2.7 (Optional) Configuring AD Domain Authentication Parameters............................................................ 198
2.9.4.2.8 Creating a CIFS Share............................................................................................................................................. 199
2.9.4.2.9 Accessing a CIFS Share........................................................................................................................................... 204
2.9.4.3 Accessing Cross-Protocol Shares............................................................................................................................ 206
2.9.4.3.1 Overview..................................................................................................................................................................... 206
2.9.4.3.2 Configuring Mapping Parameters...................................................................................................................... 209
2.9.4.3.3 Creating a User Mapping...................................................................................................................................... 211
2.9.4.3.4 Accessing a CIFS File Across Protocols.............................................................................................................. 214
2.9.4.3.5 Accessing an NFS File Across Protocols............................................................................................................ 219
3 Managing vStores............................................................................................................... 224
3.1 Viewing a vStore................................................................................................................................................................. 224
3.2 Modifying a vStore............................................................................................................................................................. 226
3.3 Deleting a vStore................................................................................................................................................................ 227
3.4 Managing a vStore User.................................................................................................................................................. 227
3.4.1 Viewing a vStore User................................................................................................................................................... 227
3.4.2 Modifying a vStore User............................................................................................................................................... 228
3.4.3 Logging Out a vStore User.......................................................................................................................................... 230
3.4.4 Locking a vStore User.................................................................................................................................................... 231
3.4.5 Unlocking a vStore User............................................................................................................................................... 231
3.4.6 Changing the Password upon the Next Login...................................................................................................... 232
3.4.7 Deleting a vStore User.................................................................................................................................................. 232
4 Managing Basic Storage Services of vStores................................................................ 234
A Configuring and Managing SmartMulti-Tenant Using the CLI............................... 235
B How to Obtain Help........................................................................................................... 241
B.1 Preparations for Contacting Huawei........................................................................................................................... 241
B.1.1 Collecting Troubleshooting Information................................................................................................................. 241
B.1.2 Making Debugging Preparations............................................................................................................................... 241
B.2 How to Use the Document............................................................................................................................................. 242
B.3 How to Obtain Help from Website.............................................................................................................................. 242
B.4 Ways to Contact Huawei................................................................................................................................................. 242
C Glossary................................................................................................................................. 243
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. viii
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File Contents
D Acronyms and Abbreviations........................................................................................... 259
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. ix
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
1 Description
SmartMulti-Tenant creates multiple virtual storage systems in a physical storage
system to implement flexible, easy-to-manage, and cost-effective storage sharing
among multiple vStores without affecting data security and privacy of each vStore.
This chapter provides an overview of SmartMulti-Tenant and describes its
availability, working principle, restrictions, and application scenarios.
1.1 Overview
1.2 License Requirements and Specifications
1.3 Working Principle
1.4 Application Scenarios
1.1 Overview
This section describes the background, definition, and benefits of SmartMulti-
Tenant.
Background
The requirements for XaaS in public and private clouds emerge with the soaring
development of cloud services. As the number of end users increases constantly,
one physical storage system may be used by multiple enterprises or individual
users. The following challenges arise:
● The logical resources of enterprises or individual users who use the same
storage system may interfere with each other or unauthorized access may
occur, impairing data security.
● IT service providers need to pay extra costs to manage users.
● Data migration without affecting services is required.
Developed to deal with these challenges, the multi-tenancy technology allows
storage resource sharing among tenants and at the same time simplifies
configuration and management, as well as enhances data security.
Definition
Huawei's SmartMulti-Tenant allows tenants to create multiple virtual storage
systems in one physical storage system. With SmartMulti-Tenant, tenants can
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 1
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
share hardware resources and safeguard data security and confidentiality in a
multi-protocol unified storage architecture.
NOTE
Difference between multi-tenancy and multi-user technologies: They adopt similar user
permission designs that enable different users to share the same storage resources but have
different access permissions. However, in the multi-tenancy technology, tenants have
independent storage resources, networks, and user information.
Advantages of SmartMulti-Tenant
SmartMulti-Tenant allows multiple clients to use the same or customized services
in the same system architecture in a shared data center. In addition, it implements
logical isolation to ensure service and network security of tenants. Resources of
one tenant are invisible to other tenants.
In real practices, SmartMulti-Tenant aims to improve resource utilization efficiency
and reduce the per-unit cost by fully consolidating resources, and guarantees
resource security. Figure 1-1 uses an example in daily life to explain multi-tenancy.
Figure 1-1 Multi-tenancy used in hotel resource allocation
Solution 1
The hotel space is
not divided. All
guests share the
How to allocate same room and bed.
the hotel space
to these guests?
A hotel (storage system) Question: How to
is leased to multiple allocate resources?
guests (tenants).
Solution 2
Guests have their
own rooms and beds.
The example shows that multiple guests (tenants) can share the same hotel
(storage system) and they have different needs. Different hotel rooms (logical
areas, namely, vStores mentioned in the following sections) are provided. In this
way, guests can choose desired rooms. For example, there are 50 guests. Some
guests want large rooms (large storage capacities) and some need small rooms
due to limited budgets. Then, the landlord can divide the whole building into
rooms that can meet guest requirements, instead of building a hotel for each
guest.
Benefits
Table 1-1 lists the benefits of SmartMulti-Tenant.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 2
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
Table 1-1 Benefits of SmartMulti-Tenant
Benefit Description
Cost effectiveness A computing environment is shared by multiple tenants,
reducing the overall resource consumption, operating
costs, and management expenses.
Enhanced security The storage resources, networks, and services of one
tenant are isolated from those of another, enhancing
security.
1.2 License Requirements and Specifications
This section describes the license requirements and specifications of SmartMulti-
Tenant.
License Requirements
To use SmartMulti-Tenant, ensure that the license file imported to the system
includes the SmartMulti-Tenant license.
Specifications
The SmartMulti-Tenant specifications vary with the product model. For detailed
specifications, refer to Specifications Query (https://info.support.huawei.com/
storage/spec/#/home).
1.3 Working Principle
SmartMulti-Tenant enables a storage system to allocate and manage resources for
multiple tenants, improving resource usage and tenant security.
1.3.1 Concepts
SmartMulti-Tenant enables a storage system to allocate and manage resources for
multiple tenants, improving resource usage and tenant security.
Virtual Store (vStore)
A storage system can be divided into multiple virtual storage systems called
vStores. A physical storage system can have multiple vStores that share a storage
pool. The system administrators and vStore users allocate file system storage
resources to each vStore. File systems are used by upper-layer applications
through NFS and CIFS sharing. The system provides a default vStore
System_vStore. If no vStore is specified for resources (such as file systems and
protocols) when they are created, the resources are owned by System_vStore.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 3
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
Management Views
The storage system provides two management views:
System view: This is the default view. System administrators can create vStores in
this view and manage resources globally or for specific vStores. If the SmartMulti-
Tenant license is not activated, vStores cannot be created in this view and the
storage resources are globally allocated and managed. This is for customers who
do not need multi-tenancy. After activating the SmartMulti-Tenant license, system
administrators can create vStores and manage vStore resources.
vStore view: configures and manages vStore services. After activating the
SmartMulti-Tenant license, system administrators can create vStores and vStore
users in the system view, and then access the vStore view as vStore users to
configure and manage storage resources of the vStores.
1.3.2 vStore Isolation
SmartMulti-Tenant isolates the management operations, services, and networks
among vStores. Data is inaccessible among the vStores, achieving secure isolation.
● Management isolation
Each vStore has its own administrators. The vStore administrators can
configure and manage their own storage resources only through the GUI or
RESTful APIs.
● Network isolation
LIFs separate the networks among vStores to prevent unauthorized access of
storage resources.
● Service isolation
Each vStore has its own storage resources, users, and user groups. Users can
access the file systems of the vStore through the LIF or management port.
Management Isolation
OceanStor Dorado allows each vStore to have its own administrators, separating
the management of different vStores. The resources that can be operated and
managed by different vStores are called views. vStore administrators can manage
resources only in their respective views and cannot access other vStores' views or
the system view. vStore administrators support role-based permission control.
Roles of specified permissions must be assigned to each vStore administrator
when it is created.
Network Isolation
vStores use logical interfaces (LIFs) to configure NAS services. A LIF belongs to
only one vStore, providing logical isolation of ports. A LIF can be created on bond
port, VLAN port, or Ethernet port.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 4
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
Figure 1-2 Network isolation
Service Isolation
SmartMulti-Tenant isolates the service data, service access, and service
configurations (such as NAS protocol configuration) of different users.
● Service data isolation
The system administrator allocates different file systems to different vStores
for isolation. Similarly, the quotas of the file systems are also isolated.
● Service access isolation
Each vStore has independent NAS protocol instances, including NFS and
NDMP.
● Service configuration isolation
Each vStore has its own users, user groups, user mapping rule, security
policies, NFS shares, AD domain, DNS service, NIS service, and LDAP service.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 5
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
Figure 1-3 Service isolation
1.3.3 vStore Functions
OceanStor Dorado supports file system resource management and share
management for vStores.
Basic Service Management
Users can manage, share, and export the file systems in a vStore.
● vStore file system management
OceanStor Dorado allows users to create, modify, delete, and query file
systems of a vStore in the vStore view.
● vStore share management
OceanStor Dorado allows users to configure shares for vStores, including
configuring local NAS share users, NAS domain servers and domain users, file
system sharing, and NAS logical ports.
1.4 Application Scenarios
SmartMulti-Tenant enables users to implement flexible, easy-to-manage, and
cost-effective storage sharing among multiple vStores in a multi-protocol unified
storage infrastructure. SmartMulti-Tenant supports performance tuning and data
protection settings for each vStore to meet different SLA requirements.
Service Isolation Among vStores
Development of the cloud technology requires a higher level of resource sharing
on underlying devices. There is an increasing demand for data resource isolation.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 6
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 1 Description
SmartMulti-Tenant creates multiple virtual storage systems in a physical storage
system, provides independent services and configuration space for each vStore,
and isolates services, storage resources, and networks of vStores. Different vStores
share the same hardware resources, without affecting data security and privacy.
Example: Different service departments of an enterprise share a physical storage
system. Each service department manages and allocates its own storage resources,
and the access to storage resources of other departments is denied to meet
security requirements.
Figure 1-4 Service isolation between different departments of an enterprise
HR department Production department
APP APP APP APP APP APP
VM VM VM VM VM VM
NFS/CIFS NFS/CIFS
vStore vStore
Physical storage
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 7
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2 Configuring vStores
You can allocate and manage storage resources as required, ensuring the
performance of key applications and improving the service quality of the storage
system.
Context
Any user that has logged in to a storage system can operate the storage system.
Misoperations by a user can impair the storage system reliability and data
integrity. To prevent that, the storage system defines types of users and assigns
specific roles to them based on different service scenarios. Moreover, the storage
system allows self-defined roles.
System role: a system default or user-defined role that can create vStores and
allocate storage resources on a storage system. Table 2-1 describes the system
default roles and their permissions.
vStore role: a default or user-defined role that can complete vStore settings in the
vStore view. Table 2-2 lists the default vStore roles and their permissions in the
storage system.
You can create users with specific roles to manage the storage system.
Table 2-1 System-defined roles
Built-in Role Permission
Super All permissions over the system
administrator
Administrator All permissions except user management, role management,
global security regulation clock management, litigation hold
file management, S3 key management, storage system
power-off and restart, and running of major management
O&M commands in the developer view, engineer view, and
diagnostic view
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 8
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Built-in Role Permission
Security System security configuration permissions, including
administrator management of security policies, security rules, HyperCDP
objects, disks, certificates, disk data destruction policies, key
services, antivirus functions, file service snapshots, and
container storage
SAN resource Management permissions on SAN resources, including
administrator management of disk domains, storage pools, disks, controller
enclosures or disk enclosures, recycle bin policies, internal
objects, LUNs, clone LUNs, application type objects, initiators,
targets, iSNS servers, mapping views, host groups, hosts, port
groups, LUN groups, ports, controllers, interface modules, DNS
load balancing services, BGP configurations, BGP peers, block
service snapshots, HyperCDP objects, HyperClone, omtask,
storage connectivity, and container storage
NAS resource Management permissions on NAS resources, including
administrator management of disk domains, storage pools, ports, DNS load
balancing services, BGP configurations, BGP peers, NFS
services, share services, file systems, clone file systems,
domain authentication information, dtree services, quota
services, CIFS services, Kerberos realm configurations, file
signatures, application type objects, audit logs, file service
snapshots, omtask, storage connectivity, HyperCDP objects,
container storage, and SmartMove pairs
Data protection Data protection management permissions, including
administrator management of recycle bin policies, internal objects, LUNs,
clone LUNs, application type objects, initiators, mapping
views, host groups, hosts, ports, remote devices, block service
snapshots, HyperCDP objects, snapshot consistency groups
(CGs), HyperClone, clone CGs, LUN CGs, LUN groups, remote
replication, CGs, DR Star, HyperMetro CGs, HyperMetro
domains, HyperMetro pairs, quorum servers, omtask, storage
connectivity, protection groups, file systems, clone file
systems, dtree services, file service snapshots, quota services,
NDMP services, file system migration policies, vStore services,
and container storage
Remote device Cross-device data protection management permissions,
administrator including management of recycle bin policies, internal objects,
LUNs, clone LUNs, initiators, mapping views, host groups,
hosts, port groups, LUN groups, ports, HyperCDP objects,
HyperClone, clone CGs, block service snapshots, snapshot CGs,
CGs, remote devices, remote replication, HyperMetro CGs,
HyperMetro domains, HyperMetro pairs, quorum servers,
SmartQoS, LUN migration, system information, mirroring
policies, omtask, storage connectivity, protection groups, file
systems, clone file systems, dtree services, file service
snapshots, quota services, NDMP services, container storage,
and file system migration policies This role is used for remote
authentication in cross-device data protection scenarios.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 9
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Built-in Role Permission
Monitor Routine O&M permissions, such as information collection,
performance collection, and inspection, including alarm policy
management, log information export (such as system logs,
configuration information, and diagnosis files), system log
management, configuration file management, running data
(configuration information) management, Call Home (DME
IQ) service management, management of the CLI views that
can be switched over, container storage management, and
O&M management and query commands in the R&D view
NDMP backup NDMP backup service management permissions, including
administrator management of initiators, mapping views, host groups, hosts,
port groups, ports, HyperCDP objects, HyperClone, clone CGs,
snapshot CGs, CGs, remote devices, remote replication,
HyperMetro CGs, HyperMetro domains, HyperMetro pairs,
quorum servers, SmartQoS, system information, mirroring
policies, omtask, storage connectivity, protection groups, file
systems, clone file systems, dtree services, file service
snapshots, quota services, NDMP services, container storage,
and SmartMove pairs
Remote All permissions except user management, role management,
assistance security policy management, security rule management,
administrator storage system power-on, power-off, and restart, omtask
authentication mode management, deletion of files and
directories in file systems, privileged deletion of enterprise
WORM file systems, Call Home (eService) service
management and query, and running of major and minor
O&M management commands in the developer view,
engineer view, and diagnostic view
Table 2-2 vStore roles
Preset Role Permission
vStore Management of vStores' LUNs, LUN groups, initiators,
administrator mapping views, hosts, host groups, port groups, HyperCDP
objects, HyperClone, clone CGs, LUN CGs, block service
snapshots, snapshot CGs, CGs, DR Star, remote replication,
HyperMetro CGs, HyperMetro pairs, SmartQoS, LUN
migration, omtask, storage connectivity, certificates, antivirus
services, protection groups, NFS services, service plane domain
servers, file systems, share and share permissions, file
signatures, CIFS services, dtree services, file service snapshots,
quota services, NDMP services, audit logs, Kerberos realm and
services, encryption types, SmartMove pairs, and file system
migration policies
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 10
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Preset Role Permission
vStore protocol vStore protocol management permissions, including
administrator management of vStores' omtask, service plane domain
servers, share and share permissions, Kerberos realm and
services, and encryption types
vStore data vStore data protection management permissions, including
protection management of vStores' LUNs, clone LUNs, initiators,
administrator mapping views, hosts, host groups, HyperCDP objects,
HyperClone, clone CGs, LUN CGs, block service snapshots,
snapshot CGs, LUN groups, remote replication, CGs, DR Star,
HyperMetro CGs, HyperMetro pairs, omtask, storage
connectivity, protection groups, file systems, clone file
systems, file service snapshots, NDMP services, and file system
migration policies
vStore WORM vStore WORM management permissions, including
administrator management of vStores' omtask, file system WORM, file
systems, clone file systems, shares, share permissions, file
signatures, and litigation hold files
vStore NDMP vStore NDMP backup service management permissions,
backup including management of vStores' internal objects, initiators,
administrator mapping views, host groups, hosts, port groups, ports,
HyperCDP objects, HyperClone, clone CGs, snapshot CGs, CGs,
remote devices, remote replication, HyperMetro CGs,
HyperMetro domains, HyperMetro pairs, quorum servers,
SmartQoS, system information, mirroring policies, omtask,
storage connectivity, protection groups, file systems, clone file
systems, dtree services, file service snapshots, quota services,
NDMP services, and SmartMove pairs
vStore vStore DataTurbo management permissions, including remote
DataTurbo replication management and DataTurbo management of
administrator vStores
In addition to the default user roles, the storage system supports user-defined
roles. For details about the permissions of user-defined roles, see "Permission
Matrix for User-defined Roles" in the Administrator Guide specific to your product
version.
2.1 Configuration Process
2.2 Logging In to DeviceManager
2.3 Checking the License File
2.4 Configuring Basic Storage Resources
2.5 Creating a vStore
2.6 Creating a vStore User
2.7 Configuring the Network
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 11
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.8 Configuring Basic Storage Resources (System User)
2.9 Configuring Basic Storage Resources (vStore User, Applicable to 6.1.3 and
Later)
2.1 Configuration Process
Before configuring SmartMulti-Tenant, understand the process to ensure a smooth
configuration.
Figure 2-1 shows the process for configuring SmartMulti-Tenant.
Figure 2-1 Configuration process
Start
Log in to
DeviceManager.
Check the license file.
Create a storage pool.
System user
Create a vStore.
Create a vStore user.
Configure the
network.
Create a file Create a file system.
system.
Create a dtree. Create a dtree.
Basic storage
Basic storage resource
resource configuration
Create a quota. Create a quota.
configuration by a vStore
by a system user
user (applicable to
Share the file system. Share the file system.
6.1.3 and later)
End End
Optional Mandatory
2.2 Logging In to DeviceManager
DeviceManager is a device management program developed by Huawei.
DeviceManager has been loaded to storage systems before factory delivery. You
can log in to DeviceManager to manage storage resources.
2.2.1 Logging In to DeviceManager (System User)
For details on how to log in to DeviceManager, see "Logging In to
DeviceManager" in the Initialization Guide specific to your product model and
version.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 12
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.2.2 Logging In to DeviceManager (vStore User, Applicable to
6.1.3 and Later)
This section describes how to log in to the vStore view through a service network
port.
Prerequisites
Verify that the maintenance terminal meets the following requirements before you
use DeviceManager:
● The super administrator has created a vStore user.
● The super administrator has created a logical port whose role is
Management or Management + service in the vStore, and the IP address of
the logical port can be pinged from the maintenance terminal.
● The operating system and browser are compatible with DeviceManager.
DeviceManager supports multiple operating systems and browsers. You can
query the compatibility using Huawei Storage Interoperability Navigator.
● To use a lightweight directory access protocol (LDAP) domain user account to
log in to DeviceManager, you must first configure the LDAP domain server,
and then set the LDAP server parameters and create an LDAP domain user
account on the storage system.
Context
● DeviceManager supports only TLS 1.0, 1.1, and 1.2.
● By default, DeviceManager allows a maximum of 32 users to log in
concurrently.
● This section uses the Windows as an example to describe how to log in to
DeviceManager. Adjust the procedures based on actual situations.
Procedure
Step 1 Open the browser on the maintenance terminal.
Step 2 Enter https://XXX.XXX.XXX.XXX:8088 in the address box and press Enter.
The DeviceManager login page is displayed.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 13
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● XX.XXX.XXX.XXX is the IP address of the logical port created by the super administrator
in the vStore. The role of the logical port is Management or Management + service.
● If a firewall is configured, you must enable port 8088 for the system to provide web
services.
● The web browser may prompt that the website has a security certificate issue. If the IP
address is correct, you can neglect the prompt and continue accessing the storage
system.
● If you have an available security certificate, run the import certificate ip=? user=?
password=? type=? command to import the security certificate to improve system
security. For details about this command, visit Command/Event/Error Code Query.
● The GUI may vary slightly depending on the product version and model.
Step 3 Set the login mode, language, and background animation.
1. Select a login mode in the Authentication Mode list.
– Local user: You will log in to the storage system in local authentication
mode. The super administrator can log in to the storage system only as a
local user.
– LDAP user: You will log in to the storage system in LDAP domain
authentication mode.
You can log in to the storage system in LDAP domain authentication
mode only after the LDAP server is properly configured.
2. You can switch the language in the upper right corner. DeviceManager
supports simplified Chinese and English.
3. You can enable or disable the background animation of the login page using
the Background Animation switch in the upper right corner.
NOTE
Background animation is disabled by default.
Step 4 Type your username and password.
NOTE
● If Verification Code is displayed, enter the correct verification code.
● If LDAP user is selected, type a domain user name and password.
● If you forget the password of an administrator or a read-only user account, the super
administrator can reset the password. If you forget the user name or password of the
super administrator account, contact Huawei technical support.
● If you consecutively enter incorrect passwords for a number of times specified in
Number of Incorrect Passwords on the Login Policy page (3 by default), the account
is automatically locked.
The default lockout duration is 5 minutes. For details on how to set the lockout
duration, see "Configuring the Login Policy" in the Administrator Guide.
● To ensure system security, change the default login password immediately after you log
in to the storage system for the first time, and periodically change the password in the
future. Choose Settings > User and Security > Users and Roles > Users. Click More >
Modify on the right of the user whose password needs to be changed.
● If your login authentication method is Login password + email one-time password,
email authentication is required. For details, see "How Do I Log In to the Storage System
Through Multi-Factor Authentication?" in the Initialization Guide.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 14
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 5 Click Log In.
The DeviceManager management page is displayed.
Figure 2-2 DeviceManager management page
NOTE
● The GUI may vary slightly depending on the product version and model. The actual GUI
prevails.
● To learn details about each step and operation, click and select Online Help to
view online help.
● To log out of DeviceManager, click in the upper right corner of the page and
choose Log Out.
----End
2.3 Checking the License File
Each value-added feature requires a license file for activation. Before configuring a
value-added feature, ensure that its license file is valid for the feature.
Procedure
Step 1 Log in to DeviceManager.
Step 2 Choose Settings > License Management.
Step 3 In the middle function pane, verify that NAS Foundation and SmartMulti-Tenant
are displayed in the feature list.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 15
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● If no license file has been imported, import a license file by referring to the Initialization
Guide.
● If NAS Foundation is not displayed in the feature list, contact technical support
engineers.
----End
2.4 Configuring Basic Storage Resources
Before creating vStores, system administrators must allocate basic storage
resources. For details, see Creating a Storage Pool in the Basic Storage Service
Configuration Guide for File specific to your product model and version.
2.5 Creating a vStore
After a vStore is created, the storage system allocates independent private space
to it, including LUNs, file systems, and ports. The vStore obtains complete storage
services, but also remain resource and network isolation with other vStores.
Creating a vStore is the prerequisite for allocating and managing vStore services.
Prerequisites
Only the super administrator and administrators can create vStores.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click Create.
The Create vStore page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 16
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 3 Set vStore parameters.
Table 2-3 describes the parameters.
Table 2-3 vStore parameters
Parameter Description
Name Name of the new vStore.
[Value range]
● The name must be unique.
● The name contains only letters, digits, periods (.),
underscores (_), and hyphens (-).
● The name contains 1 to 256 characters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 17
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NAS Capacity Capacity quota of the vStore. The total file system capacity
Quota of the vStore cannot exceed the quota.
NOTE
● In 6.1.5 and later versions, NAS capacity quotas can be set on
the CLI by using the create vstore general command. For details
about this command, see Command/Event/Error Code Query.
● In 6.1.6 and later versions, NAS capacity quotas can be set on
DeviceManager.
SAN Capacity Capacity quota of the vStore. The total LUN capacity of the
Quota vStore cannot exceed the quota.
NOTE
In 6.1.7 and later versions, SAN capacity quotas can be set on
DeviceManager.
Description Description of the vStore.
[Value range]
The description can be left blank or contain up to 255
characters.
Associate with Select the storage pool associated with the vStore. The
Storage Pool options are as follows:
● Unlimited: The current vStore can use all storage pools.
● Custom: The vStore can only use the selected storage
pool. Click Selected: X. On the Associate with Storage
Pool page that is displayed, select a storage pool.
Associate with FC FC port associated with the vStore. The options are as
Port follows:
● Unlimited: The current vStore can use all FC ports.
● Custom: The current vStore can only use the selected FC
port. Click Selected: X. On the Associate with FC Port
page that is displayed, select an FC port.
NOTE
Only 6.1.3 and later versions support setting Associate with Storage Pool and Associate
with FC Port.
Step 4 Configure a management logical port for the vStore and a data logical port for
communicating with the host.
1. Click Add.
The Create Logical Port page is displayed.
2. Configure parameters for the logical port. Table 2-4 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 18
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-4 Logical port parameters
Parameter Description
Name Name of the logical port.
To be compatible with the software, the name must meet
the following requirements:
– The name must be unique.
– The name can contain only letters, digits, underscores
(_), hyphens (-), and periods (.).
– The name contains 1 to 255 characters.
Role Role of the logical port. Possible options are:
Management: A port of this role is used by a vStore
administrator to log in to the system for management.
Service: A port of this role is used to access services, such as
accessing CIFS shares of file systems.
Management + service: A port of this role is used to access
services or for a vStore administrator to log in to the
storage system for system management.
Replication: A port of this role is used for replication link
connection in remote replication or HyperMetro, or for
quorum link connection in HyperMetro.
Client: used when the storage system functions as a client
to establish link connections with remote devices in NAS
server-free migration and SmartMobility.
VTEP: VxLAN tunnel endpoint, used to establish VxLAN
tunnels when a cloud platform accesses file system share
services.
Health check: used by the cloud platform to check the
health status of the shared service of storage file systems.
Data Data protocol of a logical port. Possible values are NFS,
Protocol CIFS, NFS + CIFS, iSCSI, and NVMe over RoCE.
NOTE
NFS, CIFS, and NFS + CIFS are applicable to file service
configuration. iSCSI and NVMe over RoCE are applicable to block
service configuration.
IP Address IP address type of the logical port. Possible options are IPv4
Type and IPv6.
IP Address IPv4 or IPv6 address of the logical port.
Subnet Mask Subnet mask of the logical port's IPv4 address.
NOTE
This parameter is available only when IP Address Type is set to
IPv4.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 19
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Prefix Prefix length of the logical port's IPv6 address.
NOTE
This parameter is available only when IP Address Type is set to
IPv6.
Gateway Gateway of a logical port's IP address.
Port Type Type of the port to which the logical port belongs. Possible
options are Ethernet port, Bond port, and VLAN.
NOTE
This parameter is available only when Data Protocol is set to NFS,
CIFS, NFS + CIFS, or iSCSI.
Home Port Ethernet port, bond port, or VLAN to which the logical port
belongs.
Activation Determine whether to activate the logical port.
Status
3. Select Advanced in the upper right corner to set the advanced attributes of
the logical port.
Table 2-5 describes the parameters.
Table 2-5 Advanced logical port parameters
Parameter Description
Failover Group Name of a failover group.
NOTE
– If a failover group is specified, services on the failed home
port will be taken over by an available port in the specified
failover group.
– If no failover group is specified, services on the failed
home port will be taken over by an available port in the
default failover group.
IP Address After IP address failover is enabled, services on the
Failover failed home port will be taken over by other available
ports in a failover group. In the entire process, the IP
address used by services remains unchanged.
NOTE
Shares of file systems do not support the multipathing mode.
They use IP address failover to improve the reliability of links.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 20
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Failback Mode After the fault of the home port is rectified, services
fail back to the home port. Possible values are
Automatic and Manual.
NOTE
– If Failback Mode is Manual, ensure that the link to the
home port is normal before the failback. You can manually
switch services back to the home port only when the link
to the home port keeps normal for over five minutes.
– If Failback Mode is Automatic, ensure that the link to the
home port is normal before the failback. Services will
automatically fail back to the home port only when the
link to the home port keeps normal for over five minutes.
4. Click OK.
NOTE
Select one or more logical ports and click Remove or click on the right of a logical
port to remove logical ports.
Step 5 Click OK.
NOTE
● After a vStore is created, you can select Configure LDAP Domain, Configure File
Service NIS Domain, Configure File Service AD Domain, or Create HyperMetro
vStore Pair as required on the operation success page.
● After a vStore is created, you can select it on other pages to manage its storage
resources.
----End
2.6 Creating a vStore User
A vStore user can log in to DeviceManager and query the vStore view.
Prerequisites
A vStore has been created.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click Create on the User Management tab page.
The Create User page is displayed.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 21
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 3 Set user information.
● Set Type to Local user and configure the local user information. Table 2-6
describes related parameters.
Table 2-6 Local user parameters
Parameter Description
Username Name of a new user.
Password Password of the newly created user.
Confirm Confirm password of the new user.
Password
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 22
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Password Indicates whether to render the password always valid. If
Always Valid this function is enabled, the password is not restricted by
the password validity period specified in the security policy.
NOTE
If Password Always Valid is enabled, you do not need to change
the password upon the first login.
Role Role of the new user. The preset vStore roles in a storage
system are as follows:
– vStore administrator: has all management permissions
of a vStore.
– vStore protocol administrator: has vStore protocol
management permissions, including authentication user
management and share management.
– vStore data protection administrator: has data
protection management permissions of a vStore,
including LUN management, local data protection
management, remote data protection management,
HyperMetro management, and background
configuration task management.
– vStore WORM administrator: has the WORM
management permissions of a vStore, including global
security regulation clock management, WORM file
system management, vStore litigation hold
management, and file fingerprint management.
– vStore NDMP backup administrator: has NDMP
backup management permissions of a vStore, including
LUN management, local data protection management,
remote data protection management, HyperMetro
management, and performance tuning management.
NOTE
In addition to the preset user roles, the storage system supports
user-defined roles.
Description Description of the new user.
Login Login authentication method of the new user.
Authenticatio NOTE
n – If you select Login password + email one-time password, you
must configure the SMTP server by choosing Settings > User
and Security > Multi-Factor Authentication.
– No matter which login authentication method you have
selected, the login authentication method is Login password
when you log in through RESTful or SFTP.
Recipient Recipient email address for receiving one-time passwords if
Email you select Login password + email one-time password.
Address
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 23
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● Set Type to LDAP user or LDAP user group and configure the LDAP user or
LDAP user group information. Table 2-7 describes the parameters.
Table 2-7 LDAP user or LDAP user group parameters
Parameter Description
Username Name of a new LDAP user or LDAP user group.
NOTE
The new LDAP user or LDAP user group must be on the LDAP
domain server. Otherwise, the login will fail.
Role Role of the new user. The preset vStore roles in a storage
system are as follows:
– vStore administrator: has all management permissions
of a vStore.
– vStore protocol administrator: has vStore protocol
management permissions, including authentication
user management and share management.
– vStore data protection administrator: has data
protection management permissions of a vStore,
including LUN management, local data protection
management, remote data protection management,
HyperMetro management, and background
configuration task management.
– vStore WORM administrator: has the WORM
management permissions of a vStore, including global
security regulation clock management, WORM file
system management, vStore litigation hold
management, and file fingerprint management.
– vStore NDMP backup administrator: has NDMP
backup management permissions of a vStore, including
LUN management, local data protection management,
remote data protection management, HyperMetro
management, and performance tuning management.
NOTE
In addition to the preset user roles, the storage system supports
user-defined roles.
Description Description of the new user.
Login Method Login method of the new user.
Login Login authentication method of the new user.
Authentication NOTE
– If you select Login password + RADIUS one-time password,
you need to enter the RADIUS one-time password during
login.
– If you select Login password + RADIUS one-time password,
only DeviceManager is supported in Login Method.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 24
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 4 Click OK.
----End
2.7 Configuring the Network
Before configuring shared services, plan and configure the network properly for
accessing and managing file services.
2.7.1 (Optional) Creating a Bond Port
This section describes how to bond Ethernet ports on the same controller.
Prerequisites
The IP addresses of the Ethernet ports you want to bond have been cleared.
Ethernet ports that have IP addresses cannot be bonded.
Context
Port bonding provides more bandwidth and higher redundancy for links. Although
ports are bonded, each session still transmits data through a single port and the
total bandwidth can be increased only when there are multiple sessions.
Determine whether to bond ports based on site requirements.
Port bonding on the storage system has the following restrictions:
● Only Ethernet ports that have the same rate and are on the same controller
can be bonded. Ports cannot be bonded across controllers. Non-Ethernet ports
cannot be bonded.
● Link aggregation (IEEE 802.3ad) is supported.
● Read-only users are not allowed to bond Ethernet ports.
● Each port can only be added to one bond port.
● A member port of a port group cannot be added to a bond port.
● Management network ports cannot be bonded.
● After ports are bonded, their MTU changes to the default value. You must
also set the port mode on switches. Take Huawei switches as an example. You
must set the ports on the Huawei switches to work in static LACP mode.
NOTICE
The link aggregation modes vary with switch manufacturers. If a switch from
another vendor is used, contact technical support of the switch manufacturer
for specific link aggregation configurations.
Port bonding on the host has the following restriction:
If the TOE function is enabled on the storage system and the host port connecting
to the switch must be bonded, the bonding mode must be set to 4.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 25
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
If the preceding restriction cannot be met, disable the TOE function of the port.
Procedure
Step 1 Choose Services > Network > Ethernet Network > Bond Ports.
Step 2 Click Create.
The Create Bond Port page is displayed on the right.
Step 3 Set a bond name and select ports you want to bond.
1. Specify a name for the bond port in Name.
NOTE
The name must meet the following requirements:
– The value can contain only letters, digits, underscores (_), hyphens (-), and periods
(.).
– The name contains 1 to 31 characters.
2. Select the controller to which the Ethernet port belongs.
3. When using the CloudVxLAN feature, select CloudVxLAN port from the port
type drop-down list.
4. In Available Ports, select one or more ports you want to bond.
Step 4 Click OK.
Confirm your operation as prompted.
----End
2.7.2 (Optional) Creating a VLAN
This section describes how to create VLANs for Ethernet ports or bond ports.
Prerequisites
VLANs cannot be created on the Ethernet ports that are configured with IP
addresses or used for networking.
Procedure
Step 1 Choose Services > Network > Ethernet Network > VLANs.
Step 2 Click Create.
The Create VLAN page is displayed on the right.
Step 3 In the Port Type drop-down list, select the type of the ports used to create VLANs.
Possible values are Ethernet Port and Bond Port.
Step 4 In the Home Port list, select a home port.
Step 5 In ID, specify the ID of a VLAN, and then click Add.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 26
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● The VLAN ID ranges from 1 to 4094. You can specify multiple VLAN IDs one by one or in
a batch. When creating multiple VLANs and specifying VLAN IDs in a batch, the VLAN
IDs are in the following format: Start VLAN ID-End VLAN ID.
● To delete a VLAN ID, click next to it.
Step 6 Click OK.
----End
Follow-up Procedure
When creating a logical port based on a VLAN, ensure that the port type is VLAN
and the home port is the VLAN's home port.
2.7.3 (Optional) Creating a DNS Zone
A DNS zone contains IP addresses of a group of logical ports. A host can use the
name of a DNS zone to access shared services provided by a storage system.
Services can be evenly distributed to logical ports.
Context
It is recommended that a DNS zone be associated with only logical ports with the
same IP address type (IPv4 or IPv6).
If the host interface card supports both IPv4 and IPv6 protocols, the DNS client
initiates IPv4 and IPv6 resolution requests. If the storage system is associated with
both IPv4 and IPv6 logical ports in the same DNS zone and the host interface card
is configured with only IPv4 addresses, the host may fail to access the domain
name.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the details page that is displayed on the
right, click the File Service tab and click Configure in the DNS Zone area.
The Configure DNS Zone page is displayed on the right.
Step 3 Configure a DNS zone.
● Add a DNS zone.
a. Click Add.
b. In Name, enter the name of the DNS zone to be added.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 27
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The name complexity requirements are as follows:
▪ A name contains 1 to 255 characters and consists of multiple labels separated
by periods (.).
▪ A label contains 1 to 63 characters including letters, digits, hyphens (-), and
underscores (_), and must start and end with a letter or a digit.
▪ A name must be unique.
c. If a HyperMetro vStore pair has been created for the vStore and Working
Mode of the selected HyperMetro domain is HyperMetro in active-
active mode, you need to set the owning site of the DNS zone. In normal
cases, the host can access the logical port that belongs to the local site
through the domain name of the local site. DNS zones with owning sites
are mainly used when the active-active sites are far away from each
other. In this case, hosts can access the nearest site to ensure access
performance.
● Modify a DNS zone.
In Name, modify the name of the desired DNS zone.
NOTE
The name complexity requirements are as follows:
– A name contains 1 to 255 characters and consists of multiple labels separated by
periods (.).
– A label contains 1 to 63 characters including letters, digits, hyphens (-), and
underscores (_), and must start and end with a letter or a digit.
– A name must be unique.
● Remove a DNS zone.
In the row that contains the desired DNS zone, click Remove.
Step 4 Click Save.
----End
2.7.4 Creating a Logical Port
This section describes how to create and manage logical ports that are used to
access file services. A logical port is created based on an Ethernet port, a bond
port, or a VLAN.
Context
When configuring an NFS share, set Role to Service or Management + service
for the logical port, and set Data Protocol to NFS or NFS + CIFS or NFS over
RDMA for the logical port.
NOTE
Only 6.1.7 and later versions support NFS over RDMA.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 28
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Precautions
● It is recommended that you create no more than 64 logical ports for each
controller. If more than 64 logical ports are created for one controller, the
logical ports will fail over to a few available physical ports in the event that a
large number of physical ports fail, decreasing service performance.
● In the case of file access across network segments, if a Remote Authentication
Dial-In User Service (RADIUS) server is used for network device
authentication in the data center and IP address failover occurs on a logical
port, the IP address of the logical port will be re-registered on the RADIUS
server. In this process, the IP address is not available. File services will be
restored after the IP address becomes available.
Procedure
Step 1 Choose Services > Network > Logical Ports.
Step 2 Click Create.
The Create Logical Port page is displayed on the right.
Step 3 Set the parameters listed in Table 2-8.
Table 2-8 Logical port parameters
Parameter Description
Name Name of the logical port.
The name must meet the following requirements:
● The name must be unique.
● The name can contain only letters, digits, underscores
(_), hyphens (-), and periods (.).
● The name contains 1 to 255 characters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 29
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Role Role of the logical port. Possible values are:
Management: A port of this role is used by a vStore
administrator to log in to the system for management.
Service: A port of this role is used to access services, such
as accessing CIFS shares of file systems.
Management + service: A port of this role is used to
access services or for a vStore administrator to log in to
the storage system for system management.
Replication: A port of this role is used for replication link
connection in remote replication or HyperMetro, or for
quorum link connection in HyperMetro.
Client: used when the storage system functions as a client
to establish link connections with remote devices in NAS
server-free migration and SmartMobility.
VTEP: VxLAN tunnel endpoint, used to establish VxLAN
tunnels when a cloud platform accesses file system share
services.
Health check: used by the cloud platform to check the
health status of the shared service of storage file systems.
NOTE
Only 6.1.3 and later versions support role types of Management
and Management + service.
Data Protocol Data protocol of a logical port, including NFS, CIFS, NFS +
CIFS, iSCSI, NVMe over RoCE, and NFS over RDMA.
NOTE
● NFS, CIFS, NFS + CIFS, and NFS over RDMA are applicable to
file service configuration. iSCSI and NVMe over RoCE are
applicable to block service configuration.
● This parameter is displayed only when Role is set to Service,
Management + service, or Health check. The data protocol
for a logic port with a role of Health check is NFS + CIFS.
● Only ports on 25 Gbit/s and 100 Gbit/s RoCE interface modules
support NFS over RDMA.
● Only 6.1.7 and later versions support NFS over RDMA.
Owning vStore vStore to which the logical port belongs.
NOTE
This parameter is displayed only when Role is set to Service,
Management, or Management + service.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 30
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Owning Site Site to which a logical port belongs. If a HyperMetro
vStore pair has been created for the owning vStore, the
configuration information of the front-end service logical
port at the local site is automatically synchronized to the
remote site, and the logical port at the owning site
processes service access. The logical port is in connected
state at the owning site and is in to-be-working state at
the non-owning site. After the logical port creation is
complete, its owning site cannot be modified. If a fault
occurs for the port, the logical port at the non-owning site
is used to process service access.
NOTE
● This parameter is displayed only when a HyperMetro vStore
pair has been created for the owning vStore and the working
mode for the HyperMetro domain of the HyperMetro vStore
pair is HyperMetro in active-active mode.
● If the working mode for the HyperMetro domain is
HyperMetro in active-passive mode, the owning site is the
primary site.
IP Address Type IP address type of the logical port, which can be IPv4 or
IPv6.
NOTE
If Role is VTEP or Health check, the IP address type is IPv4.
IP Address IPv4 or IPv6 address of the logical port.
Subnet Mask Subnet mask of the logical port's IPv4 address.
NOTE
This parameter is available only when IP Address Type is set to
IPv4.
Prefix Prefix length of the logical port's IPv6 address.
NOTE
This parameter is available only when IP Address Type is set to
IPv6.
Gateway Gateway of a logical port's IP address.
Port Type Type of the port to which the logical port belongs. Possible
values are Ethernet port, Bond port, VLAN, and RoCE
port.
NOTE
● When Data Protocol is NFS, CIFS, NFS + CIFS, or iSCSI, or
Role is Client, you can select Ethernet port, Bond port, or
VLAN for Port Type.
● When Data Protocol is NVMe over RoCE or NFS over RDMA,
you can select a VLAN or RoCE port.
● If Role is VTEP, Port Type is VLAN.
● If Role is Health check, Port Type is SIP.
● Only 6.1.5 and later versions support RoCE ports.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 31
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Home Port Ethernet port, bond port, VLAN, or RoCE port to which the
logical port belongs.
NOTE
If Port Type is set to RoCE port, you can only select the RoCE port
whose Trust Mode is DSCP.
Activation Status Determine whether to activate the logical port.
NOTE
This parameter is available only when Data Protocol is NFS, CIFS,
NFS + CIFS or NFS over RDMA, or Role is Health check.
Owning Controller Controller to which the logical port belongs.
NOTE
This parameter is available only when Role is set to Health check.
Step 4 When Role is set to Management, select Advanced in the upper right corner and
set the advanced attributes of the logical port.
NOTE
In the case that Role is set to Service or Management + service, you can set advanced
attributes only when Data Protocol is NFS, CIFS, NFS + CIFS, or NFS over RDMA.
Table 2-9 describes the parameters.
Table 2-9 Advanced logical port parameters
Parameter Description
Failover Group Name of a failover group.
NOTE
● This parameter is available only when Data Protocol is set to
NFS, CIFS, NFS + CIFS, or NFS over RDMA, or Role is set to
Client.
● If a failover group is specified, services on the failed home port
will be taken over by an available port in the specified failover
group.
● If no failover group is specified, services on the failed home
port will be taken over by an available port in the default
failover group.
● It is recommended that the logical ports of the same vStore
use the same failover group. This ensures that the fault
domains of the logical ports are the same.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 32
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
IP Address Failover After IP address failover is enabled, services on the failed
home port will be taken over by other available ports in
the failover group. In the entire process, the IP address
used by services remains unchanged.
NOTE
● This parameter is available only when Data Protocol is set to
NFS, CIFS, NFS + CIFS, or NFS over RDMA, or Role is set to
Client.
● Shares of file systems do not support the multipathing mode.
They use IP address failover to improve the reliability of links.
Failback Mode After the fault of the home port is rectified, services fail
back to the home port. Possible values are Automatic and
Manual.
NOTE
● This parameter is available only when Data Protocol is set to
NFS, CIFS, NFS + CIFS, or NFS over RDMA, or Role is set to
Client.
● If Failback Mode is Manual, ensure that the link to the home
port is normal before the failback. You can manually switch
services back to the home port only when the link to the
home port keeps normal for over five minutes.
● If Failback Mode is Automatic, ensure that the link to the
home port is normal before the failback. Services will
automatically fail back to the home port only when the link to
the home port keeps normal for over five minutes.
Listen for DNS With this function enabled, external NEs can access the
Query DNS service provided by the storage system by using the
IP address of this logical port.
NOTE
This parameter is available only when Data Protocol is set to
NFS, CIFS, NFS + CIFS, or NFS over RDMA
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 33
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
DNS Zone Name of a DNS zone.
NOTE
● This parameter is available only when Data Protocol is set to
NFS, CIFS, NFS + CIFS, or NFS over RDMA
● If the value is blank, the logical port is not used for DNS-based
load balancing.
● One logical port can be associated with only one DNS zone.
One DNS zone can be associated with multiple logical ports.
● It is recommended that Listen for DNS Query be enabled for
at least one logical port of each DNS zone.
● It is recommended that a DNS zone be associated with only
logical ports with the same IP address type (IPv4 or IPv6).
If the host interface card supports both IPv4 and IPv6
protocols, the DNS client initiates IPv4 and IPv6 resolution
requests. If the storage system is associated with both IPv4
and IPv6 logical ports in the same DNS zone and the host
interface card is configured with only IPv4 addresses, the host
may fail to access the domain name.
● The load balancing effect varies with the distribution of logical
ports associated with a DNS zone. To obtain a better load
balancing effect, ensure that logical ports associated with a
DNS zone are evenly distributed among controllers.
● If a HyperMetro vStore pair has been created for the owning
vStore, you can only select the DNS zones with the same
owning site.
Step 5 Click OK.
----End
2.7.5 (Optional) Configuring DNS Load Balancing
DNS load balancing can detect the loads carried by the IP addresses on the
storage system in real time and use a proper IP address as the DNS response to
balance the loads among the IP addresses.
Prerequisites
● If the storage system connects to an external DNS server, the external DNS
server has been configured and is running properly.
● If the storage system directly connects to a host, DNS client configurations
have been set on the host.
● Port 53 for the TCP/UDP protocol between the storage system and the DNS
server or host is enabled.
Context
● DNS load balancing applies to scenarios where a large number of NAS service
IP addresses or NAS clients are involved. If only a small number of (for
example, less than 20) NAS service IP addresses or NAS clients are involved,
you are advised to directly use service IP addresses to mount shares.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 34
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● Working principle:
a. When a host accesses the NAS service of a storage system using a
domain name, the host first sends a DNS request to the built-in DNS
server and the DNS server obtains the IP address according to the domain
name.
b. If the domain name contains multiple IP addresses, the storage system
selects the IP address with a light load as the DNS response based on the
configured load balancing policy and returns the DNS response to the
host.
c. After receiving the DNS response, the host sends a service request to the
target IP address.
● When DNS load balancing resolves a domain name, a specific domain name
resolution record is added. The following records are supported:
– A record: added if a domain name points to an IPv4 address (for example,
192.168.20.10).
– AAAA record: added if a host name (or domain name) points to an IPv6
address (for example, ff03:0:0:0:0:0:0:c1).
– PTR record: reverse of an A or AAAA record for implementing reverse
DNS lookups.
● DNS load balancing supports only the UDP protocol for domain name
resolution.
Procedure
Step 1 Choose Settings > Basic Information > DNS Service.
Step 2 Enable File Service DNS Load Balancing.
1. Set the DNS load balancing policy. The storage system supports the following
load balancing policies:
NOTE
– Weighted round robin applies to scenarios where the load of storage devices is
light or unknown, for example, in the scenario where shares are initially mounted
to a large number of NAS clients.
– Other policies apply to scenarios where users want to balance loads based on a
certain indicator (such as CPU usage, port bandwidth, number of connections, and
overall loads) of running services, for example, in the scenario where shares are
mounted to NAS clients in batches during capacity expansion of client applications.
– Weighted round robin: IP addresses that process loads under the same
domain name are selected in round robin mode for processing.
– CPU usage: The CPU usage of each controller determines the weight. The
storage system uses the weight to select a controller to process client
services.
– Port bandwidth usage: The total bandwidth usage of each controller
determines the weight. The storage system uses the weight to select a
controller to process client services.
– Connections: The NAS connections of each controller determine the
weight. The storage system uses the weight to select a controller to
process client services.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 35
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
– Overall loads: The overall load of CPU usage, bandwidth usage, and
number of NAS connections determines controller selection. Less loaded
controllers are more likely to be selected.
2. Click Save.
----End
Follow-up Procedure
On the storage system, associate logical ports with DNS zones, configure DNS
request listening on logical ports, set DNS load balancing policies, and enable DNS
load balancing. Then configure the DNS server address on the client.
2.7.6 (Optional) Managing the Routes of a Logical Port
When configuring share access, ensure that the logical port can ping the IP
addresses of the domain controller, DNS server, and clients. If the ping test fails,
add routes from the IP address of the logical port to the network segment of the
domain controller, DNS server, or clients.
Prerequisites
A logical port has been configured with an IP address.
Procedure
Step 1 Choose Services > Network > Logical Ports.
Step 2 Select the desired vStore from the vStore drop-down list in the upper left corner.
Step 3 Select the desired logical port and click Manage Route.
The Manage Route dialog box is displayed.
NOTE
Alternatively, perform either of the following operations to go to the Manage Route page:
● Click More on the right of the desired logical port and choose Manage Route.
● Click the name of the desired logical port. In the upper right corner of the page that is
displayed, select Manage Route from the Operation drop-down list.
Step 4 Configure the route information for the logical port.
1. In the IP Address drop-down list, select the IP address of the logical port for
which you want to add a route.
2. Click Add.
3. Set the parameters listed in Table 2-10.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 36
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-10 Route parameters
Paramete Description
r
Type Three types of routes are available:
– Default route
A route through which data is forwarded by default if no
preferred route is available. The destination address and
mask (IPv4) or prefix (IPv6) of the default route are
automatically set to 0. To use this option, you only need to
add a gateway.
– Host route
A route to a host. The destination mask (IPv4) or prefix
(IPv6) of the host route are automatically set to
255.255.255.255 or 128. To use this option, you only need to
add the destination address and gateway.
– Network segment route
A route to a network segment. You must add the
destination address, destination mask (IPv4) or prefix
(IPv6), and gateway.
Destinatio IPv4 address, IPv6 address, or network segment of the
n Address destination service network port on the application server or
destination logical port on another storage system.
Subnet Subnet mask of the IPv4 address or prefix of the IPv6 address
Mask/ for the destination service network port on the application
Prefix server or destination logical port on another storage system.
Gateway Gateway where the local logical port's IP address resides.
NOTE
The IP address of the gateway must be different from all internal
heartbeat IP addresses. Otherwise, routing will fail.
4. Click . The route information is added to the list.
NOTE
Click on the right of a desired route to delete it.
Step 5 Click Close.
----End
2.8 Configuring Basic Storage Resources (System User)
Log in to DeviceManager as a system user and configure storage resources of all
vStores in a unified manner. The NFS share and CIFS share are used as examples
to describe how to configure basic storage resources. For details about file service
configuration, see the Basic Storage Service Configuration Guide for File.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 37
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.8.1 Creating a File System
This section describes how to create a file system to share storage resources in the
form of files or directories.
Context
● File systems created in the storage system are thin file systems. That is, the
storage system will not allocate all of the configured capacity to file systems
at a time. Within the configured capacity, the storage system allocates storage
resources to file systems based on the actual capacity used by hosts.
● Before creating a file system, you are advised to handle the alarms indicating
that the storage pool capacity is about to be used up.
Precautions
In a storage pool, if the total capacity of all thin file systems exceeds that of the
storage pool, data cannot be written if the capacity of the storage pool is used up.
Procedure
Step 1 Choose Services > File Service > File Systems.
Step 2 In the vStore drop-down list in the upper left corner, select the vStore for which
you want to create a file system.
Step 3 Click Create.
The Create File System page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 38
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual displayed information may vary.
For some device models, you can click in the upper right corner of the page to enable
SmartGUI. SmartGUI mines users' historical operation data and builds a configuration
parameter recommendation model based on user profiles to recommend configuration
parameters for the block service and file service. After SmartGUI is enabled, the system
presets parameters based on recommendations when you create a file system. You can click
Modify in the upper right corner to modify the parameters or directly click OK to create a
file system.
Step 4 Set the basic information about the file system.
Table 2-11 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 39
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-11 File system parameters
Parameter Description
Name Name of the file system.
[Value range]
● The name must be unique.
● The name can contain only letters, digits, periods (.),
underscores (_), hyphens (-), and characters of different
languages.
● The name contains 1 to 255 characters.
Owning vStore vStore to which the file system belongs.
NOTE
This parameter is mandatory when vStore is set to All vStores in
Step 2.
Description Description of the file system.
NOTE
Description is hidden. To display hidden parameters, select
Advanced.
[Value range]
The description can be left blank or contain up to 255
characters.
Owning Storage Owning storage pool of the file system.
Pool
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 40
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Security Style Select a security style based on service requirements. It is
used to set the access control style of a file system in multi-
protocol mode.
● Mixed
Allows users of both CIFS and NFS clients to access and
control file systems. The last configured permissions
prevail.
NOTE
– If Mixed is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– You are advised to configure a default UNIX user for the CIFS
service in Services > File Service > Authentication Users >
User Mappings > Set Mapping Parameter. The UNIX user
must be an existing local authentication user, NIS domain
user, or LDAP domain user.
– You are advised to configure a default Windows user for the
NFS service in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter. The
Windows user must be an existing local authentication user
or AD domain user.
– Only 6.1.5 and later versions support the Mixed security
style.
● Native
Controls CIFS users' permissions with Windows NT ACLs
and NFS users' permissions with UNIX permissions (UNIX
mode bits, POSIX ACLs, and NFSv4 ACLs). Windows NT
ACLs and UNIX permissions will neither affect nor
synchronize with each other.
– For CIFS share access, Windows NT ACLs determine
whether Windows users have access permission.
NOTE
If Windows NT ACLs do not exist, UNIX mode bits determine
whether Windows users have access permission.
– For NFS share access, access permission of UNIX users
is determined by UNIX permissions.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 41
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NOTE
– If Native is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– You are advised to configure a default UNIX user for the CIFS
service in Services > File Service > Authentication Users >
User Mappings > Set Mapping Parameter. The UNIX user
must be an existing local authentication user, NIS domain
user, or LDAP domain user.
– You are advised to configure a default Windows user for the
NFS service in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter. The
Windows user must be an existing local authentication user
or AD domain user.
– Only 6.1.5 and later versions support the Native security
style.
● NTFS
Controls CIFS users' permissions with Windows NT ACLs.
NOTE
– If NTFS is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default Windows
user for the NFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The default Windows user must be an existing
local authentication user or AD domain user.
● UNIX
Controls NFS users' permissions with UNIX mode bits or
NFSv4 ACLs.
NOTE
– If UNIX is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default UNIX user
for the CIFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The UNIX user must be an existing local
authentication user, NIS domain user, or LDAP domain user.
– In this mode, the default UNIX permission of the file system
root directory is 755. To change the value, run the change
file_system general file_system_id=? unix_permissions=?
command. For details about the command, visit Command/
Event/Error Code Query.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 42
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NAS Lock Policy NAS Lock Policy includes Mandatory Lock and Advisory
Lock.
● Mandatory Lock is recommended if clients using
different protocols simultaneously access the same file or
directory.
● Advisory Lock is recommended if high read and write
performance is required and clients using different
protocols do not access the same file or directory
simultaneously.
NOTE
– This parameter is available only when Security Style is set to
Native.
– Only 6.1.5 and later versions support this parameter.
VAAI Indicates whether to enable VAAI. VMware Storage APIs for
Array Integration (VAAI) are a set of APIs that allow ESXi
hosts to offload specific file operations to the storage array.
This enables vSphere to quickly implement key operations
and reduces the usage of the host CPU, memory, and
storage bandwidth for higher efficiency and lower O&M
costs.
● Enabled: The host offloads file operations to the storage
array. Once it is enabled, it cannot be disabled.
● Disabled: VAAI is not used.
NOTE
– Only 6.1.5 and later versions support this parameter.
Step 5 Set the capacity and tuning information of the file system.
Table 2-12 describes the parameters.
Table 2-12 Capacity and tuning parameters
Parameter Description
Capacity Capacity of the file system, which indicates the maximum
capacity allocated to the thin file system. That is, the total
capacity dynamically allocated to the thin file system
cannot exceed this value.
NOTE
● The maximum capacity of the file system cannot exceed the
system specifications. For details about the specifications, see
the Specifications Query tool.
● The storage system uses the following capacity algorithms
defined by Windows: 1 PB = 1,024 TB, 1 TB = 1,024 GB, 1 GB =
1,024 MB, 1 MB = 1,024 KB, and 1 KB = 1,024 bytes.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 43
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Capacity Alarm Alarm threshold of the file system capacity. An alarm will be
Threshold (%) generated when the threshold is reached.
NOTE
● Capacity Alarm Threshold (%) is hidden. To display hidden
parameters, select Advanced.
● Capacity threshold = File system capacity x (1 - Reserved
snapshot space ratio (%)) x Capacity alarm threshold (%)
● The alarm is cleared only when the used capacity of the file
system is smaller than Max {90% of the threshold capacity,
threshold capacity - 1 GB}.
Reserved Percentage of the file system snapshot space to the file
Snapshot Space system capacity.
Ratio (%) NOTE
● The file system space must not occupy the space reserved for
snapshots. For example, if the capacity of a file system is 100 GB
and the reserved snapshot space ratio is 20%, the used capacity
of the file system cannot exceed 80 GB.
● Snapshots can be created when the file system space is full but
the space reserved for snapshots is not full.
● Only 6.1.5 and later versions support this parameter.
Delete Obsolete Indicates whether to delete obsolete read-only snapshots. If
Read-Only used space of the file system reaches the capacity alarm
Snapshot threshold and used space of snapshots is larger than space
reserved for snapshots (source file system capacity x
reserved snapshot space ratio), the system automatically
deletes the oldest non-secure read-only snapshots.
NOTE
● Delete Obsolete Read-Only Snapshot is a hidden parameter.
To display hidden parameters, select Advanced.
● If both Delete Obsolete Read-Only Snapshot and Capacity
Auto-negotiation Policy are enabled, the capacity auto-
negotiation policy is executed first.
● Only 6.1.5 and later versions support this parameter.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 44
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Capacity Auto- The available capacity autonegotiation policies are as
negotiation follows:
Policy ● Not used: The storage capacity used by a file system is
fixed and is not flexibly adjusted by the storage system.
● Auto expansion: The file system capacity is
automatically increased to meet user needs for more
data writes, when the available space of a file system is
about to run out and the storage pool has available
space.
● Auto expansion/reduction: The storage system
automatically adjusts the file system capacity based on
file system space usage. When the available space of a
file system is about to run out and the storage pool has
available space, automatic capacity expansion will be
used to increase file system capacity. When the file
system's storage space is released, it can be reclaimed
into a storage pool and used by other file systems in
data write requests.
NOTE
● Capacity Auto-negotiation Policy is a hidden parameter. To
display hidden parameters, select Advanced.
● If both Delete Obsolete Read-Only Snapshot and Capacity
Auto-negotiation Policy are enabled, the capacity auto-
negotiation policy is executed first.
● Only 6.1.5 and later versions support this parameter.
Auto Expansion When the ratio of the used capacity to the total capacity of
Trigger Threshold a file system is greater than this threshold, the storage
(%) system automatically triggers file system capacity
expansion.
NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion or Auto
expansion/reduction.
● The value of Auto Expansion Trigger Threshold (%) must be
greater than that of Auto Reduction Trigger Threshold (%).
● Only 6.1.5 and later versions support this parameter.
Auto Reduction When the ratio of the used capacity to the total capacity of
Trigger Threshold a file system is smaller than this threshold, the storage
(%) system automatically triggers space reclamation to reduce
the file system capacity.
NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion/reduction.
● Only 6.1.5 and later versions support this parameter.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 45
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Auto Expansion Upper limit of automatic capacity expansion.
Upper Limit NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion or Auto
expansion/reduction.
● Only 6.1.5 and later versions support this parameter.
Auto Reduction Lower limit of automatic capacity reduction.
Lower Limit NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion/reduction.
● Only 6.1.5 and later versions support this parameter.
Application Type Application type of the file system. Preset application types
are provided for typical applications. In file service scenarios,
possible options are NAS_Default, NAS_Virtual_Machine,
NAS_Database, NAS_Large_File, Office_Automation,
NAS_Others, and NAS_EDA.
NOTE
● The Application Request Size and File System Distribution
Algorithm parameters are set for preset application types. The
value of Application Request Size is 16 KB for NAS_Default,
NAS_Virtual_Machine, Office_Automation, NAS_Others, and
NAS_EDA, 8 KB for NAS_Database, and 32 KB for
NAS_Large_File. If Application Type is set to NAS_Default,
NAS_Large_File, Office_Automation, NAS_Others, or
NAS_EDA, File System Distribution Algorithm is Directory
balance mode. In this mode, directories are evenly allocated to
each controller by quantity. If Application Type is set to
NAS_Virtual_Machine or NAS_Database, File System
Distribution Algorithm is Performance mode. In this mode,
directories are preferentially allocated to the controller to which
the shared IP address belongs, improving access performance of
directories and files.
● When SmartCompression and SmartDedupe licenses are
imported to the system, the preset application types also display
whether SmartCompression and SmartDedupe are enabled.
For details, see SmartDedupe and SmartCompression Feature
Guide for File of the desired product model and version.
● Application Type cannot be changed once being configured.
You are advised to set the value based on the service I/O model.
● To create an application type, run the create workload_type
general name=? io_size=? command. For details, visit
Command/Event/Error Code Query.
● You can also run the create file_system general or change
file_system general command to create or modify a file system
respectively. For details, visit Command/Event/Error Code
Query.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 46
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
SmartCache Indicates whether to add the file system to a SmartCache
Partition partition. Adding a file system to a SmartCache partition
shortens the response time for reading the file system.
NOTE
● SmartCache Partition is hidden. To display hidden parameters,
select Advanced.
● This parameter is available only when SCM drives have been
added to the controller enclosure where the file system resides
and a SmartCache partition has been created. For details, see
SmartCache Feature Guide of the desired model and version.
Step 6 If a HyperMetro vStore pair has been created for the selected vStore, you need to
configure HyperMetro for the newly created file system.
Specify Remote Storage Pool for creating a remote file system. The system will
create a remote file system on the remote device of the HyperMetro vStore pair
and add the local and remote file systems to a HyperMetro pair.
For details about HyperMetro, see the HyperMetro Feature Guide for File of the
desired version.
Step 7 Configure shares for the file system.
● Set NFS shares for the file system.
a. Enable NFS.
b. Set Create From. Possible values are Template or New.
▪ Template
Select a share template from the drop-down list box. The system
presets the description and permission of the created share based on
the selected template. You can click Modify on the right of Share to
modify the share information.
▪ New
The read/write permission of all clients is preset in the system, and
the default root permission of clients is root_squash. You can click
Modify on the right of Share to modify the share information.
● Set CIFS shares for the file system.
a. Enable CIFS.
b. Set Create From. Possible values are Template or New.
▪ Template
Select a share template from the drop-down list box. The system
presets the description and permission of the created share based on
the selected template. You can click Modify on the right of Share to
modify the share information.
▪ New
The system presets the full control permission for everyone. You can
click Modify on the right of Share to modify the share information.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 47
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 8 Set a quota for the file system.
NOTE
Quota is a hidden parameter. To display hidden parameters, select Advanced.
1. Enable Quota.
NOTE
– The quota switch is disabled by default.
– When the Quota function is disabled, the system does not collect statistics on
quota usage. In this case, hard and soft quotas do not take effect.
2. Click Create.
The Create Quota page is displayed on the right.
3. Specify Quota Type. Possible options are Directory quota, User quota, and
User group quota.
– Directory quota
The directory quota of a file system limits the space usage or file quantity
used by all dtrees in the file system.
NOTE
The directory quota of a file system takes effect only for dtrees whose quota
function is enabled. In addition, the quota of each dtree is limited separately.
– User quota
User quota: limits the space usage or file quantity used by a single user.
i. Click Select.
The Select User page is displayed.
ii. Select the users for which you want to create a quota.
○ If you select All users, the quota limits the space usage or file
quantity of each user in the system.
○ If you select Specified users, click Add. On the Add User page
that is displayed, select the UNIX Users or Windows Users tab,
and select one or more desired users. Then click OK.
NOTE
If you set User Type to Local authentication user, select the desired
users in the list below.
If you set User Type to LDAP domain user, NIS domain user, or AD
domain user, enter the user names in the Name text box.
To remove added users, click Remove on the right of a desired user, or
select one or more desired users and click Remove.
○ If you select Specified user groups, the quota limits the space
usage or file quantity of each specified user group. To add a user
group, click Add. On the Add User Group page that is displayed,
select a user group type and select the desired user groups. Then
click OK.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 48
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
If you set User Group Type to Local authentication user group,
select the desired user groups in the list below.
If you set User Group Type to LDAP domain user group or NIS
domain user group, enter the user group names in the Name text
box.
To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click
Remove.
iii. Click OK.
– User group quota
User group quota: limits the space usage or file quantity used by a single
user group.
i. Click Select.
The Select User Group page is displayed.
ii. Select the user groups for which you want to create a quota.
○ If you select All user groups, the quota limits the space usage
or file quantity of each user group in the system.
○ If you select Specified user groups, the quota limits the space
usage or file quantity of each specified user group. To add a user
group, click Add. On the Add User Group page that is displayed,
select a user group type and select the desired user groups. Then
click OK.
NOTE
If you set User Group Type to Local authentication user group,
select the desired user groups in the list below.
If you set User Group Type to LDAP domain user group or NIS
domain user group, enter the user group names in the Name text
box.
To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click
Remove.
iii. Click OK.
4. Set space quotas.
Table 2-13 describes the parameters.
Table 2-13 Space quota parameters
Parameter Description
Hard Quota Space hard quota. If the quota is reached, the system
immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be larger than that of Soft Quota.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 49
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Soft Quota Space soft quota. If the quota is reached, the system
generates an alarm but still allows writes. After the hard
quota is reached, the system immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be smaller than that of Hard Quota.
5. Set file quantity quotas.
Table 2-14 describes the parameters.
Table 2-14 File quantity quota parameters
Parameter Description
Hard Quota File quantity hard quota. If the quota is reached, new
files cannot be added. Operations on existing files are
not affected.
[Value range]
1 to 2 billion
The value must be larger than that of Soft Quota.
Soft Quota File quantity soft quota. If the quota is reached, the
system generates an alarm but new files can still be
added. After the hard quota is reached, new files cannot
be added.
[Value range]
1 to 2 billion
The value must be smaller than that of Hard Quota.
NOTE
– If you do not set the space quota or file quantity quota, the storage system only
collects statistics on but does not control the space usage or file quantity. To view
the statistics about used space quota and used file quantity quota, choose Services
> File Service > Quotas > Quota Reports, and select the desired file system.
– To modify a quota, click More on the right of the quota and choose Modify.
– To delete a quota, select the quota and click Delete above the list or click More on
the right of the quota.
– The parameters for creating a quota are preset. A quota is created for a file system
only after the file system has been created.
Step 9 Configure data protection for the file system.
1. Enable Add to HyperCDP Schedule.
2. Select a HyperCDP schedule to create a HyperCDP object for the file system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 50
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● HyperCDP is a high-density snapshot technology that provides continuous data
protection for file systems. For details about the HyperCDP feature, see HyperCDP
Feature Guide for File of the desired version.
● The system has a built-in HyperCDP schedule NAS_DEFAULT_BUILDIN. The schedule is
executed once an hour (retains the latest three copies), once at 00:05 every day (retains
the latest two copies), and once at 00:10 every Sunday (retains the latest two copies).
● When you create a file system, the system selects the built-in HyperCDP schedule
NAS_DEFAULT_BUILDIN by default.
● A file system can be added to only one HyperCDP schedule. For a file system that has
been added to a HyperCDP schedule, if you want to change its owning HyperCDP
schedule, you need to remove the file system from the original HyperCDP schedule first.
● If a file system has not been added to a HyperCDP schedule during the file system
creation, you can add it to a HyperCDP schedule after the file system is created.
Step 10 (Applicable to 6.1.6 and later versions) If an antivirus server has been configured
for the vStore you selected, you can configure the antivirus service for the file
system.
NOTE
You can choose Settings > File Service > Antivirus Service to check whether the antivirus
server has been configured. If you need to configure the antivirus server, see section
"Configuring Antivirus Servers" in the Security Configuration Guide specific to your product
model and version.
The antivirus server scans the file system based on the preset scan policy. After a
scan policy is configured for the file system, the system automatically creates a
scan task for the file system. You can choose Settings > File Service > Antivirus
Service to manage the task.
1. Enable On-Demand Scan and select an on-demand scan policy.
Select or deselect Scan Now as required. After Scan Now is selected, the
system immediately scans the file system based on the selected on-demand
scan policy. You must set the scan duration.
NOTE
If no on-demand scan policy exists, click Create to customize one.
2. Enable On-Access Scan and select an on-access scan policy.
NOTE
You can click Create to customize a scan policy.
Step 11 Select Advanced in the upper right corner and set the audit log items of the file
system. The system records audit logs of operations on the file system. The audit
log items include Create, Delete, Read, Write, Open, Close, Rename, List
folders, Obtain properties, Set properties, Obtain security properties, Set
security properties, Obtain extension properties, and Set extension properties.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 51
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● To ensure that the selected audit log items take effect, choose Settings > File Service >
Audit Log to enable the audit log function.
● If too many audit logs are generated and the audit log collection speed is lower than
the audit log writing speed, the temporary buffer space may be insufficient, causing
service interruption risks. You are advised to properly configure the items to be audited.
For example, configure only Create, Delete, and Write for a file system.
Step 12 Set advanced attributes of the file system.
Table 2-15 describes the parameters.
Table 2-15 Advanced file system parameters
Parameter Description
Snapshot Indicates whether to visualize the directory of the file
Directory system snapshots.
Visibility
Auto Atime Indicates whether to enable Auto Atime Update. Atime
Update indicates the last file system access time. After this function
is enabled, the system updates the file system access time
based on Update Frequency.
NOTE
Enabling Auto Atime Update compromises the system
performance.
Atime Update Indicates the Atime update frequency. The options can be
Frequency Hourly and Daily.
Snapshot This function is to obtain differential data between file
Comparison system snapshots during incremental backup by backup
software. After it is enabled, file system snapshot
comparison is provided.
NOTE
● Before enabling this function, you are advised to set Snapshot
Directory Visibility to Visible. Otherwise, certain backup
software may be unable to access snapshots.
● Only 6.1.6 and later versions support this parameter.
Step 13 Set the WORM (Write Once Read Many) properties of the file system. The WORM
file system ensures that a file enters the protected state after being written. In this
case, the file cannot be modified, moved, or deleted, but can be read for multiple
times.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 52
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
Only 6.1.3 and later versions support the WORM feature.
Due to the sensitivity of a WORM file system to data security, the following configuration
operations on file systems are restricted:
● Only read-only snapshots can be created for the WORM file system. The snapshot file
systems created for the WORM file system also have the WORM feature.
● When configuring the remote replication function:
– If Pair Creation is set to Manual, ensure that the WORM file system modes at
both ends are the same. Otherwise, the primary/secondary relationship cannot be
established.
– If Pair Creation is set to Automatic, ensure that the global WORM regulatory
clock has been initialized on the remote end.
– If the primary file system is a WORM audit log file system, primary/secondary
switchover and disabling protection for the secondary resource are not supported.
Table 2-16 describes the parameters.
NOTE
The WORM properties are hidden. To display hidden parameters, select Advanced.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 53
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-16 WORM properties of a file system
Parameter Description
Mode Compliance mode of WORM protection.
● Compliance
– Files within the protection period cannot be modified,
renamed, or deleted by super administrators,
administrators, or common users.
– Files whose protection period expires can be deleted
but cannot be modified or renamed by super
administrators, administrators, or common users.
– A file system that contains files within the protection
period cannot be deleted by super administrators or
administrators.
– A file system, in which the protection period of all files
expires, can be deleted by super administrators and
administrators.
● Enterprise
– Common users or administrators cannot modify,
delete, or rename files within the protection period,
but privileged users can delete these files.
– Files whose protection period expires can be deleted
but cannot be modified or renamed by super
administrators, administrators, or common users.
– Administrators cannot delete a file system that
contains files within the protection period, but
privileged users can delete the file system.
– A file system, in which the protection period of all files
expires, can be deleted by super administrators and
administrators.
NOTE
Only 6.1.7 and later versions support the Enterprise mode.
NOTE
● Enterprise WORM file systems can be renamed, but Compliance
WORM file systems cannot.
● Enterprise WORM file systems can be rolled back using a
snapshot, but Compliance WORM file systems cannot.
● Primary/secondary switchover and disabling protection for the
secondary resource are supported if the primary and secondary
file systems of the remote replication are Enterprise WORM file
systems, but not supported if they are Compliance WORM file
systems.
● Enterprise WORM file systems cannot be configured as WORM
audit log file systems.
[Default value]
Compliance
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 54
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Min. Protection Minimum protection period supported by the WORM file
Period system. The protection period of a file in the WORM file
system cannot be smaller than the value of this parameter.
[Value range]
0 to 70 years or Indefinite.
NOTE
The value of Min. Protection Period must be less than or equal to
that of Max. Protection Period.
[Default value]
3 years
Max. Protection Maximum protection period supported by the WORM file
Period system. The protection period of a file in the WORM file
system cannot be longer than the value of this parameter.
[Value range]
1 day to 70 years or Indefinite.
NOTE
The value of Max. Protection Period cannot be 0.
[Default value]
70 years
Default Default protection period supported by the WORM file
Protection Period system. The protection period of a file in the WORM file
system is the default value of the parameter if you do not
set a protection period for the file.
[Value range]
● If the value of Max. Protection Period ranges from 1 day
to 70 years, Default Protection Period is a value from
Min. Protection Period to Max. Protection Period.
● If Max. Protection Period is set to Indefinite, Default
Protection Period is a value from Min. Protection
Period to 70 years or is Indefinite.
NOTE
To set Default Protection Period to Indefinite, you must set
Max. Protection Period to Indefinite. Otherwise, the setting
fails.
[Default value]
70 years
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 55
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Automatic After this function is enabled, a file automatically enters the
Lockout locked state if not being modified within Lockout Wait
Time (hours). The file in the locked state is protected. You
can only read the file, but cannot modify, rename, or delete
it.
NOTE
Modification operations include file data change and metadata
change.
[Default value]
Disabled
Lockout Wait Indicates the wait time before a file automatically enters the
Time locked state. This parameter is displayed only when
Automatic Lockout is enabled.
[Value range]
1 minute to 10 years.
[Default value]
If Automatic Lockout is enabled, the default value is 2
hours.
Automatic After this function is enabled, the system automatically
Deletion deletes files whose protection periods have expired.
NOTE
Before enabling this function, ensure that files do not need
protection and can be automatically deleted by the system after
they expire.
[Default value]
Disabled
WORM Audit Log After WORM Audit Log File System is enabled, the system
File System records operation logs of the WORM file system, including
Add a litigation, Remove a litigation, and privileged
deletion of Enterprise WORM file systems.
NOTE
This parameter is available only when Mode is set to Compliance.
[Default value]
Disabled
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 56
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Global WORM Before creating a WORM file system for the first time, you
Regulatory Clock need to initialize the WORM regulatory clock. After this
parameter is enabled, the global security regulatory clock is
initialized to the current system time and time zone.
The WORM regulatory clock prevents modification to file
protection periods caused by system time tampering
attacks. The WORM regulatory clock includes a global
WORM regulatory clock and a file system WORM regulatory
clock. To initialize the WORM regulatory clock, you only
need to initialize the global WORM regulatory clock. The file
system WORM regulatory clock will be automatically
initialized using the global WORM regulatory clock when a
WORM file system is created.
NOTICE
● The global WORM regulatory clock cannot be modified after
being initialized. Before the setting, ensure that the system time
and time zone are correct.
● Only super administrators can initialize the global WORM
regulatory clock.
Step 14 Click OK.
Confirm your operation as prompted.
NOTE
After the task is created successfully, the Execution Result page is displayed. You can view
details about the current task on this page.
----End
2.8.2 Creating a Dtree
A dtree is a subdirectory of a file system. You can set quotas and shares for a dtree
and manage file space usage and access permissions of the dtree.
Prerequisites
You have created a file system.
Procedure
Step 1 Choose Services > File Service > Dtrees.
Step 2 Select a vStore to which the desired file system belongs from the vStore drop-
down list in the upper left corner.
Step 3 Click Create.
The Create Dtree page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 57
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual GUI may vary.
Step 4 Set dtree parameters.
Table 2-17 describes the parameters.
Table 2-17 Dtree parameters
Parameter Description
Owning File File system to which a dtree belongs.
System
Name Name of a dtree.
[Value range]
You can enter multiple dtree names separated by commas
(,) or carriage returns.
A dtree name:
● The name must be unique.
● The name can contain only letters, digits, characters of
different languages, and special characters (!\"#&%$'()*
+-.;<=>?@[]^_`{|}~ and spaces).
● The name contains 1 to 255 characters.
● The name cannot only contain one or two consecutive
periods (. or ..).
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 58
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Quota Determine whether to enable the quota function of a dtree
based on service requirements.
When the Quota function is disabled, the system does not
collect statistics on quota usage. In this case, hard and soft
quotas do not take effect.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 59
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Security Style Select a security style based on service requirements. It is
used to set the access control style of a dtree in multi-
protocol mode.
● Mixed
Allows users of both CIFS and NFS clients to access and
control dtrees. The last configured permissions prevail.
NOTE
– If Mixed is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– You are advised to configure a default UNIX user for the CIFS
service in Services > File Service > Authentication Users >
User Mappings > Set Mapping Parameter. The UNIX user
must be an existing local authentication user, NIS domain
user, or LDAP domain user.
– You are advised to configure a default Windows user for the
NFS service in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter. The
Windows user must be an existing local authentication user
or AD domain user.
– Only 6.1.5 and later versions support the Mixed security
style.
● Native
Controls CIFS users' permissions with Windows NT ACLs
and NFS users' permissions with UNIX permissions (UNIX
mode bits, POSIX ACLs, and NFSv4 ACLs). Windows NT
ACLs and UNIX permissions will neither affect nor
synchronize with each other.
– For CIFS share access, Windows NT ACLs determine
whether Windows users have access permission.
NOTE
If Windows NT ACLs do not exist, UNIX mode bits determine
whether Windows users have access permission.
– For NFS share access, access permission of UNIX users
is determined by UNIX permissions.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 60
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NOTE
– If Native is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– You are advised to configure a default UNIX user for the CIFS
service in Services > File Service > Authentication Users >
User Mappings > Set Mapping Parameter. The UNIX user
must be an existing local authentication user, NIS domain
user, or LDAP domain user.
– You are advised to configure a default Windows user for the
NFS service in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter. The
Windows user must be an existing local authentication user
or AD domain user.
– Only 6.1.5 and later versions support the Native security
style.
● NTFS
Controls CIFS users' permissions with Windows NT ACLs.
NOTE
– If NTFS is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default Windows
user for the NFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The default Windows user must be an existing
local authentication user or AD domain user.
● UNIX
Controls NFS users' permissions with UNIX mode bits or
NFSv4 ACLs.
NOTE
– If UNIX is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default UNIX user
for the CIFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The UNIX user must be an existing local
authentication user, NIS domain user, or LDAP domain user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 61
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NAS Lock Policy NAS Lock Policy includes Mandatory Lock and Advisory
Lock.
● Mandatory Lock is recommended if clients using
different protocols simultaneously access the same file or
directory.
● Advisory Lock is recommended if high read and write
performance is required and clients using different
protocols do not access the same file or directory
simultaneously.
NOTE
● This parameter is available only when Security Style is set to
Native.
● Only 6.1.5 and later versions support this parameter.
Step 5 Click OK.
----End
2.8.3 Creating a Quota
This operation enables you to create a quota to control and collect statistics of the
space usage or file quantity of one or all dtrees in a file system or of a single user
or user group.
Prerequisites
● You have created a dtree in a file system.
● When creating a quota for a specified user or user group, the user or user
group has been created.
● (Applicable to 6.1.2 and earlier versions) When creating a quota for a file
system (that is, the Dtree parameter is blank), the file system is empty and
no dtree is created in the file system.
● (Applicable to 6.1.2 and earlier versions) When creating a quota for a dtree,
the dtree is empty.
Procedure
Step 1 Choose Services > File Service > Quotas > Custom Quotas.
Step 2 Select the vStore to which the desired file system belongs from the vStore drop-
down list in the upper left corner.
Step 3 Click Create.
The Create Quota page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 62
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual displayed information may vary.
Step 4 Select the file system and dtree for which you want to create a quota.
NOTE
When the Dtree parameter is blank, the created user or user group quota takes effect for
the file system and the directory quota takes effect for all dtrees in the file system.
Step 5 Select a quota type. Possible options are Directory quota, User quota, and User
group quota.
● Directory quota
● User quota
a. Click Select.
The Select User page is displayed.
b. Select the users for which you want to create a quota.
▪ If you select All users, the quota controls the space usage or file
quantity of each user in the system.
▪ If you select Specified users, click Add. On the Add User page that
is displayed, select the UNIX Users or Windows Users tab, and
select one or more desired users. Then, click OK.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 63
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
○ If you set User Type to Local authentication user, select the users to be
added in the list below.
○ If you set User Type to LDAP domain user, NIS domain user, or AD
domain user, enter the user names in the Name text box.
○ If you set User Type to LDAP domain user, the system automatically
detects whether the LDAP domain has been configured. If no LDAP
domain is configured, the system prompts you to configure an LDAP
domain first.
○ If you set User Type to NIS domain user, the system automatically
detects whether the NIS domain has been configured. If no NIS domain
is configured, the system prompts you to configure an NIS domain first.
○ If you set User Type to AD domain user, the system automatically
detects whether the AD domain has been configured. If no AD domain is
configured, the system prompts you to configure an AD domain first.
○ To remove added users, click Remove on the right of a desired user, or
select one or more desired users and click Remove.
▪ If you select Specified user groups, the quota controls the space
usage or file quantity of each user in specified user groups. Click
Add. On the Add User Group page that is displayed, select a user
group type and select the desired user groups. Then, click OK.
NOTE
○ If you set User Group Type to Local authentication user group, select
the user groups to be added in the list below.
○ If you set User Group Type to LDAP domain user group or NIS domain
user group, enter the user group names in the Name text box.
○ If you set User Group Type to LDAP domain user group, the system
automatically detects whether the LDAP domain has been configured. If
no LDAP domain is configured, the system prompts you to configure an
LDAP domain first.
○ If you set User Group Type to NIS domain user group, the system
automatically detects whether the NIS domain has been configured. If
no NIS domain is configured, the system prompts you to configure an
NIS domain first.
○ To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click Remove.
c. Click OK.
● User group quota
a. Click Select.
The Select User Group page is displayed.
b. Select the user groups for which you want to create a quota.
▪ If you select All user groups, the quota controls the space usage or
file quantity of all user groups in the system.
▪ If you select Specified user groups, the quota controls the space
usage or file quantity of each specified user group. Click Add. On the
Add User Group page that is displayed, select a user group type and
select the desired user groups. Then, click OK.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 64
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
○ If you set User Group Type to Local authentication user group, select
the user groups to be added in the list below.
○ If you set User Group Type to LDAP domain user group or NIS domain
user group, enter the user group names in the Name text box.
○ If you set User Group Type to LDAP domain user group, the system
automatically detects whether the LDAP domain has been configured. If
no LDAP domain is configured, the system prompts you to configure an
LDAP domain first.
○ If you set User Group Type to NIS domain user group, the system
automatically detects whether the NIS domain has been configured. If
no NIS domain is configured, the system prompts you to configure an
NIS domain first.
○ To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click Remove.
c. Click OK.
Step 6 Set space quotas.
Table 2-18 describes the parameters.
Table 2-18 Space quota parameters
Parameter Description
Hard Quota Space hard quota. If the quota is reached, the system
immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be larger than that of Soft Quota.
Soft Quota Space soft quota. If the quota is reached, the system
generates an alarm but still allows writes. After the hard
quota is reached, the system immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be smaller than that of Hard Quota.
NOTE
When the used capacity exceeds the soft quota or hard quota, the system generates an
alarm. The alarm is cleared only when the used capacity is smaller than 90% of the soft
quota or hard quota.
Step 7 Set file quantity quotas.
Table 2-19 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 65
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-19 File quantity quota parameters
Parameter Description
Hard Quota File quantity hard quota. If the quota is reached, new files
cannot be added. However, operations on existing files are
not affected.
[Value range]
1 to 2 billion
The value must be larger than that of Soft Quota.
Soft Quota File quantity soft quota. If the quota is reached, the system
generates an alarm but new files can still be added. After
the hard quota is reached, new files cannot be added.
[Value range]
1 to 2 billion
The value must be smaller than that of Hard Quota.
NOTE
If you do not set the space quota or file quantity quota, the storage system only collects
statistics on but does not control the space usage or file quantity. To view the statistics
about used space quota and used file quantity quota, choose Services > File Service >
Quotas > Quota Reports, and select the desired file system.
Step 8 Click OK.
----End
2.8.4 Sharing a File System
You can access a file system only after it is shared. File systems of vStores can be
shared using NFS or CIFS. This section describes how to share file systems using
these protocols. For details about the NFS and CIFS shares, see the Basic Storage
Service Configuration Guide for File specific to your product model and version.
NFS
Network File System (NFS) is a file sharing protocol developed by Sun and now
hosted by Internet Engineering Task Force (IETF). It applies to file system sharing
in Linux, Unix, Mac OS, and VMware operating systems.
CIFS
Common Internet File System (CIFS) is a file sharing protocol developed by
Microsoft and primarily used in Windows environments. The shares using CIFS
include CIFS shares and Homedir shares.
● A CIFS share is to share a file system or its quota tree among authentication
users, including local and domain authentication users. The users have the
permissions granted by the storage system on the CIFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 66
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● Homedir shares are a type of CIFS shares. A Homedir share is to share a file
system to a specific user as an exclusive directory. The user can only access
the exclusive directory named after its user name.
Accessing Shared Files Across Protocols
The storage system allows users to configure both NFS sharing and CIFS sharing
for a file system. The user mapping function allows users to access shared files
across protocols (CIFS-NFS) through clients on different platforms and obtain
precise permission control.
2.8.4.1 Configuring an NFS Share
This section describes how to configure an NFS share.
2.8.4.1.1 Configuration Process
Figure 2-3 shows the flowchart for configuring an NFS share.
Figure 2-3 Configuring an NFS share
Start
Prepare data.
Prepare data.
Enable NFSv4.
Domain environment Non-domain environment
Configure NFSv4 to be
Add the storage Add the storage compatible with non-
system to an LDAP system to an NIS domain environments.
domain. domain.
When a storage system is used According to the NFSv4 standard
in an LDAP or NIS environment, protocol, the NFSv4 service must be
add the storage system to an used in a domain environment.
Create an NFS share.
LDAP or NIS domain. However, if you need the NFSv4
service to be compatible with non-
domain environments, you must
Add an NFS client.
complete necessary settings on the
client.
Access the shared
space.
End
Optional Mandator
y
2.8.4.1.2 Preparing Data
Before configuring an NFS share in a storage system, plan and collect required
data to facilitate follow-up service configurations.
You need to prepare the following data:
● Logical IP address
Logical IP address used by a storage system to provide shared space for
clients.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 67
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● File system
File system shared through the NFS share.
● LDAP or NIS domain information
● Permission
The permissions include read-only and read-write.
– Read-only: Clients have the read-only permission for the NFS share.
– Read-write: Clients have the read and write permissions for the NFS
share.
NOTE
You can contact your network administrator to obtain desired data.
2.8.4.1.3 (Optional) Setting the NFS Service
By default, the storage system enables the NFSv3 service and disables the NFSv4.0
and NFSv4.1 services. To use the NFSv4.0 or NFSv4.1 protocol for share access, you
must enable the NFSv4 service first. If you use NFSv3 for share access, skip this
section.
Context
● The storage system supports NFSv3, NFSv4.0, and NFSv4.1.
NOTE
● Only 6.1.2 and later versions support NFSv4.1.
● Only 6.1.3 and later versions support NFSv4.0.
● The NFSv4.0 and NFSv4.1 services are disabled by default in the storage
system.
● By default, the NFSv3 service is enabled on the storage system.
● The NFS service can be set on DeviceManager or on the CLI.
NOTE
Only 6.1.6 and later versions support settings of the NFSv3 service on DeviceManager
or on the CLI.
Setting the NFS Service on DeviceManager (Applicable to 6.1.3 and Later)
Step 1 Choose Settings > File Service > NFS Service.
Step 2 In the vStore drop-down box in the upper left, select the vStore for which you
want to set the NFS service.
Step 3 Click Modify in the upper right.
The page for configuring the NFS service is displayed.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 68
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual GUI may vary.
Step 4 Select Enable after NFSv3 Service, NFSv4.0 Service, or NFSv4.1 Service as
required.
Step 5 In Domain Name, enter the storage domain name.
NOTE
● NFSv4.0 and NFSv4.1 use a user name + domain name mapping mechanism, enhancing
the security of clients' access to shared resources.
● In a non-domain or LDAP environment, retain the default domain name localdomain.
● In an NIS environment, the entered information must be the same as the domain name
in the /etc/idmapd.conf file on the Linux client that accesses the share. (You are
advised to set both of them to the NIS domain name.)
● The domain name must contain 1 to 64 characters.
● Only 6.1.5 and later versions support domain name setting.
Step 6 Specify whether to enable NFS over RDMA. After NFS over RDMA is enabled, you
can use NFS over RDMA to access shares. NFS over RDMA relies on the RDMA
technology to implement data communication between clients and storage
systems. This effectively reduces network latency, relieves CPU loads of clients and
storage systems, and improves NFS access performance.
NOTE
Only 6.1.7 and later versions support this parameter.
Step 7 Click Save.
A Danger dialog box is displayed.
NOTICE
If a host is accessing the shares of the storage system, enabling or disabling the
NFS service may interrupt services. Exercise caution when performing this
operation.
Step 8 Confirm the information in the dialog box and select I have read and understand
the consequences associated with performing this operation.
Step 9 Click OK.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 69
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Setting the NFS Service on the CLI
Step 1 Log in to the CLI of the storage system.
Step 2 Optional: To configure the NFS service for a vStore, run the change vstore view
id=? command to enter the vStore view.
You can run the show vstore command to query the value of id.
Step 3 Specify whether to enable the NFSv3, NFSv4.0, or NFSv4.1 service.
● To enable the NFSv4.0 service, run the change service nfs_config
nfsv40_status=enable command.
● To enable the NFSv4.1 service, run the change service nfs_config
nfsv41_status=enable command.
● To disable the NFSv3 service, run the change service nfs_config
nfsv3_status=disable command.
Step 4 Run the show service nfs_config command to check the running status of the
NFS service.
● The Nfsv4.0 Service Status field in the command output indicates the
running status of the NFSv4.0 service of the current vStore.
● The Nfsv41 Service Status field in the command output indicates the running
status of the NFSv4.1 service of the current vStore.
● The Nfsv3 Service Status field in the command output indicates the running
status of the NFSv3 service of the current vStore.
----End
2.8.4.1.4 (Optional) Preparing LDAP Domain Configuration Data
Before adding a storage system to an LDAP domain, collect configuration data of
the LDAP domain server.
LDAP Domain Parameters
LDAP data is organized in a tree structure that clearly lays out organizational
information. A node on this tree is called an entry. Each entry has a distinguished
name (DN). The DN of an entry is composed of a base DN and relative DNs
(RDNs). The base DN refers to the position of the parent node where the entry
resides on the tree, and the RDN (such as UID or CN) refers to an attribute that
distinguishes the entry from others.
LDAP directories function as file system directories. For example, directory
dc=redmond,dc=wa,dc=microsoft,dc=com can be regarded as the following path
of a file system directory: com\microsoft\wa\redmond. In another example of
directory cn=user1,ou=user,dc=example,dc=com, cn=user1 indicates a user name
and ou=user indicates the organization unit of an Active Directory (AD), that is,
user1 is in the user organization unit of the example.com domain.
The following figure shows the data structure of an LDAP server.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 70
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-20 defines LDAP entry acronyms.
Table 2-20 LDAP entry definitions
Acronym Meaning
o Organization
ou Organization unit
c Country name
dc Domain component
sn Surname
cn Common name
What Is OpenLDAP?
OpenLDAP is an open implementation of LDAP that is now widely used in various
popular Linux releases.
OpenLDAP consists of the following components:
● slapd: an independent LDAP daemon
● slurpd: an independent LDAP update and replication daemon
● Libraries implementing LDAP
● Tool software and illustration client
The OpenLDAP website does not provide OpenLDAP installation packages for
Windows. You can obtain OpenLDAP installation packages for the following
Windows operating systems from the Userbooster website: Windows XP, Windows
Server 2003, Windows Server 2008, Windows Vista, Windows 7, Windows 8, and
Windows Server 2012.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 71
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Obtaining LDAP Configuration Data in Windows
The following describes how to obtain LDAP configuration data in Windows using
OpenLDAP as an example.
1. Open the OpenLDAP installation directory.
2. Find the slapd.conf system configuration file.
3. Use text editing software to open the configuration file and search for the
following fields:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw XXXXXXXXXXXX
– dc=example,dc=com maps to Base DN on the storage system
configuration page.
– cn=Manager,dc=example,dc=com maps to Bind DN on the storage
system configuration page.
– XXXXXXXXXXXX maps to Bind Password on the storage system
configuration page. If the password is in ciphertext, contact LDAP server
administrators to obtain the password.
4. Find configuration files (.ldif files) of the users and user groups that need to
access the storage system.
NOTE
LDAP Interchange Format (LDIF) is one of the most common file formats for LDAP
applications. It is a standard mechanism that represents directories in the text format.
It allows users to import data to and export data from the directory server. LDIF files
store LDAP configurations and directory contents, and therefore can provide you with
related information.
5. Use text editing software to open the configuration file and find the DNs of a
user and a user group that correspond to User Directory and Group
Directory respectively on the storage system configuration page.
#root on the top
dn: dc=example,dc=com
dc: example
objectClass: domain
objectClass: top
#First organization unit name: user
dn: ou=user,dc=example,dc=com
ou: user
objectClass: organizationalUnit
objectClass: top
#Second organization unit name: groups
dn: ou=group,dc=example,dc=com
ou: group
objectClass: organizationalUnit
objectClass: top
#The first user represents user1 that belongs to organization unit user in the organizational structure
topology.
dn: cn=user1,ou=user,dc=example,dc=com
cn: user1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: user1
uid: user1
uidNumber: 2882
gidNumber: 888
homeDirectory: /export/home/ldapuser
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 72
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
loginShell: /bin/bash
userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
#The second user represents user2 that belongs to organization unit user in the organizational
structure topology.
dn: cn=user2,ou=user,dc=example,dc=com
cn: user2
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: client
uid: client
uidNumber: 2883
gidNumber: 888
homeDirectory: /export/home/client
loginShell: /bin/bash
userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
#The first user group represents group1 that belongs to organization unit group in the organizational
structure topology. The group contains user1 and user2.
dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
gidNumber: 888
memberUid: user1#Belongs to the group.
memberUid: user2#Belongs to the group.
objectClass: posixGroup
Obtaining LDAP Configuration Data in Linux
The following describes how to obtain LDAP configuration data in Linux using
OpenLDAP as an example.
1. Log in to an LDAP server as user root.
2. Run the cd /etc/openldap command to go to the /etc/openldap directory.
linux-ldap:~ # cd /etc/openldap
linux-ldap:/etc/openldap #
3. Run the ls command to view the system configuration file slapd.conf and the
configuration files (.ldif files) of the users and user groups who want to
access the storage system.
linux-ldap:/etc/openldap #ls
example.ldif ldap.conf schema slap.conf slap.con slapd.conf
4. Run the cat command to open the system configuration file slapd.conf where
you can view related parameters.
linux-ldap:/etc/openldap #cat slapd.conf
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw XXXXXXXXXXXX
– dc=example,dc=com maps to Base DN on the storage system
configuration page.
– cn=Manager,dc=example,dc=com maps to Bind DN on the storage
system configuration page.
– XXXXXXXXXXXX maps to Bind Password on the storage system
configuration page. If the password is in ciphertext, contact LDAP server
administrators to obtain the password.
5. Run the cat command to open the example.ldif file. Find the DNs of a user
and a user group that correspond to User Directory and Group Directory
respectively on the storage system configuration page. For details about the
parameters, see 5.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 73
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.8.4.1.5 (Optional) Configuring LDAP Domain Authentication Parameters
If an LDAP domain server is deployed on the customer's network, the storage
system must join the LDAP domain. Then, NFS clients must be authenticated by
the LDAP domain server when they attempt to access shared resources on the
storage system.
Prerequisites
● An LDAP domain has been set up.
● You have prepared the data required for configuring an NFS share.
NOTE
● The storage systems can connect to an LDAP server through management network
ports or service network ports (logical ports). If a storage system connects to an
LDAP server through management network ports, ensure that the management
network ports on at least two controllers can properly communicate with the LDAP
server. If a storage system connects to an LDAP server through service network
ports, it is recommended that the service network ports on at least two controllers
can properly communicate with the LDAP server. It is recommended that storage
systems connect to LDAP servers through service network ports.
● A storage system can connect to only one LDAP server.
● An LDAP server with high performance is recommended. This prevents issues such
as I/O latency increase when the storage system sends a large number of
concurrent query requests to the LDAP server.
Precautions
● You are advised to use physical isolation and end-to-end encryption to ensure
security of data transfer between the LDAP domain server and clients.
● You are advised to configure a static IP address for the LDAP server. If a
dynamic IP address is configured, security risks may exist.
● In the following scenario (the three situations occurred in sequence), use
clear nfs nfsv4_idmap_cache controller=? to clear the IDMAP cache of all
controllers:
a. The storage system had not been added to an LDAP domain or had not
been correctly added to an LDAP domain.
b. An LDAP domain user of the host accessed the shared space of the
storage system through the NFSv4.0 or NFSv4.1 protocol.
c. The storage system has been correctly added to an LDAP domain.
Procedure
Step 1 Choose Settings > User and Security > Domain Authentication > File Service
LDAP Domain.
Step 2 Select the desired vStore from the vStore drop-down list in the upper left corner.
Step 3 View LDAP domain parameters of the file service. Table 2-21 describes the
parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 74
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● On the file service LDAP domain management page, click to refresh file service
LDAP domain information.
● On the file service LDAP domain management page, click and select the file service
LDAP domain information you want to view.
Table 2-21 LDAP domain parameters of the file service
Parameter Description
Status Indicates whether the file service LDAP domain is enabled.
Server Address IP address or domain name of the LDAP server.
NOTE
The first server in the list is the active LDAP server, and others are
standby.
Protocol Encryption protocol used for domain authentication.
Port Port used by the storage device to communicate with the
LDAP domain server.
Base DN LDAP domain's start distinguished name (DN) specified
for searching.
NOTE
You can click the LDAP information bar of the file service to view and manage the LDAP
information.
Step 4 You can also configure and restore the file service LDAP domain to initial
configuration.
● Configure
a. Select the LDAP domain to be configured and click Configure.
The Configure File Service LDAP Domain page is displayed on the right.
NOTE
Alternatively, choose Services > vStore Service > vStores and click the name of a
vStore. On the details page that is displayed on the right, select the File Service
tab and click Configure in the LDAP Domain area.
b. Select Advanced in the upper right corner and set server information.
Table 2-22 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 75
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-22 File service LDAP domain server information
Parameter Description
Server In the Server area, click Add to set the IP address or
domain name of the LDAP server.
NOTE
The first server in the list is the active LDAP server, and others
are standby.
The domain name format requirements are as follows:
1. The domain name can contain 1 to 255 characters,
including letters, digits, underscores (_), periods (.),
and hyphens (-).
2. Must start with a letter or digit and cannot end with
an underscore (_) or a hyphen (-).
3. The domain name cannot contain consecutive
periods (.), underscores (_), periods (.), or only
digits.
NOTE
▪ Ensure that the IP address or domain name is reachable.
Otherwise, user authentication commands and network
commands will time out.
▪ To remove an LDAP server, select the desired server and
click Remove.
▪ To test connectivity, select the desired server and click Test.
[Example]
192.168.1.10
www.test.com
Protocol Protocol used by the storage system to communicate
with the LDAP domain server.
▪ LDAP: The system uses the standard LDAP protocol
to communicate with the LDAP domain server.
▪ LDAPS: The system uses the LDAPS protocol to
communicate with the LDAP domain server if the
server supports SSL.
NOTE
▪ LDAP is vulnerable to security risks. You are advised to
select the LDAPS protocol.
▪ Before selecting the LDAPS protocol, choose Settings >
Certificates > Certificate Management and select a
desired certificate to import the CA certificate file of the
LDAP domain server. If the LDAP server is required to
authenticate the storage system, import the certificate file
and private key file. In 6.1.0, choose Settings > Certificate
Management.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 76
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Port Port used by the storage device to communicate with
the LDAP domain server.
▪ The default port number of the LDAP protocol is
389.
▪ The default port number of the LDAPS protocol is
636.
[Value range]
The value must be an integer ranging from 1 to 65535.
Base DN LDAP domain's start DN specified for searching.
[Rule]
A DN consists of RDNs, which are separated by
commas (,). An RDN is in the format of key=value. The
value cannot start with a number sign (#) or a space
and cannot end with a space. For example,
testDn=testDn,xxxDn=xxx.
[Format]
xxx=yyy, separated by commas (,)
[Example]
dc=example,dc=com
Bind Using Indicates whether to enable Bind Using AD Credential.
AD
Credential
c. Set the binding information about the file service LDAP domain. Table
2-23 describes the parameters.
Table 2-23 Binding information about the file service LDAP domain
Parameter Description
Bind Level Bind level for the LDAP domain server.
Simple: simple authentication.
SASL: simple authentication and security layer.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 77
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Bind DN Binding directory on the server.
Binding is a process that a client initiates a connection
request to establish a session to the LDAP server.
During binding, the client specifies accounts to access
directories on the server. You must search the binding
directory for desired contents.
A bind DN consists of RDNs, which are separated by
commas (,). An RDN is in the format of key=value. The
value cannot start with a number sign (#) or a space
and cannot end with a space. For example:
testDn=testDn,exampleDn=example
NOTE
The default access account is the administrator account. If you
use another account, ensure that it has access permission to
the domain service on the LDAP server.
Bind Password used for accessing the binding directory.
Password NOTE
A simple password may result in security issues. A complex
password that contains uppercase letters, lowercase letters,
digits, and special characters is recommended.
Confirm Bind Confirms the password for logging in to the LDAP
Password domain server.
d. Set the query information about the file service LDAP domain. Table 2-24
describes the parameters.
Table 2-24 Query information about the file service LDAP domain
Parameter Description
User Indicates the user directory configured on the LDAP
Directory domain server.
The directory of a user consists of RDNs, which are
separated by commas (,). An RDN is in the format of
key=value. The value cannot start with a number sign
(#) or a space and cannot end with a space. For
example: testDn=testDn,exampleDn=example
User Search Indicates the search scope for user queries.
Scope
▪ Subtree: searches the named DN and subnodes
under the DN.
▪ One-level: searches the subnodes under the DN.
▪ Base: searches just the named DN.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 78
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
User Group Indicates the user group directory configured on the
Directory LDAP domain server.
The directory of a user group consists of RDNs, which
are separated by commas (,). An RDN is in the format
of key=value. The value cannot start with a number
sign (#) or a space and cannot end with a space. For
example: testDn=testDn,exampleDn=example
User Group Indicates the search scope for user group queries.
Search Scope Subtree: searches the named DN and subnodes under
the DN.
One-level: searches the subnodes under the DN.
Base: searches just the named DN.
Network Indicates the network group DN.
Group DN The directory where a network group is located
consists of RDNs, which are separated by commas (,).
An RDN is in the format of key=value. The value
cannot start with a number sign (#) or a space and
cannot end with a space. For example:
testDn=testDn,exampleDn=example
Network Indicates the search scope for network group queries.
Group Search
Scope ▪ Subtree: searches the named DN and subnodes
under the DN.
▪ One-level: searches the subnodes under the DN.
▪ Base: searches just the named DN.
Search Indicates the timeout duration that the client waits for
Timeout the LDAP domain server to return the query result. The
Duration (s) default value is 3 seconds.
Connection Indicates the timeout duration that the client
Timeout establishes a connection with the LDAP domain server.
Duration (s) The default value is 3 seconds.
Idle Timeout Indicates the timeout duration that the client has no
Duration (s) communication with the LDAP domain server. The
default value is 30 seconds.
e. Set the LDAP template information. Table 2-25 describes the parameters.
Table 2-25 LDAP template information.
Parameter Description
LDAP Schema Last Indicates the LDAP template type selected last
Selected time.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 79
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Reset LDAP You can select a type for the LDAP schema
Schema template. You can select a template for which
relevant parameters are entered automatically.
You can also customize relevant parameters
instead of selecting a template.
▪ RFC2307: schema based on RFC2307
▪ AD-IDMU: schema based on active directory
identity management in UNIX.
NOTE
▪ MS-AD-BIS is a schema based on RFC-2307bis. To
use the MS-AD-BIS schema, select AD-IDMU and
modify the Support RFC2307bis, RFC2307bis
groupOfUniqueNames Object Class, and
RFC2307bis uniqueMember Object Class
parameters.
▪ A schema defines the structure and rules for LDAP
directories and how LDAP servers identify category,
attribute, and other information of LDAP directories.
RFC2307 Schema defines the name of the RFC2307
posixAccount posixAccount object class.
Object Class [Default value]
▪ posixAccount (displayed by default when
RFC2307 is selected in LDAP Schema
Template)
▪ User (displayed by default when AD-IDMU is
selected in LDAP Schema Template)
RFC2307 Schema defines the name of the RFC2307
posixGroup Object posixGroup object class.
Class [Default value]
▪ posixGroup (displayed by default when
RFC2307 is selected in LDAP Schema
Template)
▪ Group (displayed by default when AD-IDMU is
selected in LDAP Schema Template)
RFC2307 Schema defines the name of the RFC2307
nisNetgroup nisNetgroup object class.
Object Class [Default value]
nisNetgroup
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 80
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
RFC2307 uid Schema defines the name of the RFC2307 uid
Attribute attribute.
[Default value]
uid
RFC2307 Schema defines the name of the RFC2307
uidNumber uidNumber attribute.
Attribute [Default value]
uidNumber
RFC2307 Schema defines the name of the RFC2307
gidNumber gidNumber attribute.
Attribute [Default value]
gidNumber
RFC2307 CN Schema defines the name of the RFC2307 CN
Attribute for User attribute for user group.
Group [Default value]
cn
RFC2307 CN Schema defines the name of the RFC2307 CN
Attribute for attribute for network group.
Network Group [Default value]
▪ cn (displayed by default when RFC2307 is
selected in LDAP Schema Template)
▪ name (displayed by default when AD-IDMU is
selected in LDAP Schema Template)
RFC2307 Schema defines the name of the RFC2307
memberUid memberUid attribute.
Attribute [Default value]
memberUid
RFC2307 Schema defines the name of the RFC2307
memberNisNetgro memberNisNetgroup attribute.
up Attribute [Default value]
memberNisNetgroup
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 81
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
RFC2307 Schema defines the name of the RFC2307
nisNetgroupTriple nisNetgroupTriple attribute.
Attribute [Default value]
▪ nisNetgroupTriple (displayed by default when
RFC2307 is selected in LDAP Schema
Template)
▪ nisNetgroupTriple (displayed by default when
AD-IDMU is selected in LDAP Schema
Template)
Support Indicates whether to enable the RFC2307bis
RFC2307bis attribute.
NOTE
To use the MS-AD-BIS schema, enable Support
RFC2307bis.
RFC2307bis Schema defines the name of the RFC2307bis
groupOfUniqueNa groupOfUniqueNames object class. This
mes Object Class parameter is valid only when Support
RFC2307bis is enabled.
[Default value]
groupOfUniqueName
NOTE
To use the MS-AD-BIS schema, change the default value
to group.
RFC2307bis Schema defines the name of the RFC2307bis
uniqueMember uniqueMember attribute. This parameter is valid
Object Class only when Support RFC2307bis is enabled.
[Default value]
uniqueMember
NOTE
To use the MS-AD-BIS schema, change the default value
to member.
f. Click OK.
● Restore to Initial
Select File Service LDAP Domain and click Restore to Initial.
----End
2.8.4.1.6 (Optional) Preparing NIS Domain Configuration Data
Before adding a storage system to an NIS domain, collect the configuration data
of an NIS server.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 82
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Why NIS Domains?
In UNIX shared mode, all nodes that provide sharing services must maintain their
configuration files such as /etc/hosts and /etc/passwd. For example, if you add a
new node to the shared network, all UNIX-based systems must update their /etc/
hosts files to include the name of the new node. If you add a new user who may
need to access all nodes, all the systems must modify their /etc/passwd files.
These operations are time-consuming when more than 10 nodes are deployed.
Network Information Service (NIS) developed by SUN Microsystem uses a single
system (NIS server) to manage and maintain the files containing information
about host names and user accounts, providing references for all the systems
configured as NIS clients. When NIS is used, if you want to add a host to the
shared network, you only need to modify a related file on the NIS server and
transfer the modification to other nodes on the network.
The following figure shows the relationship between an NIS server and other
hosts.
Working Principles
When NIS is configured, the ASCII files in the NIS domain are converted to NIS
database files (or mapping table files). Hosts in the NIS domain query and parse
the NIS database files to perform operations such as authorized access and
updates. For example, common password file /etc/passwd of a UNIX host is
converted to the following NIS database files:
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 83
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NIS Domain Parameters
Default maps for an NIS domain are located in each server's /var/yp/
domainname directory. For example, the maps that belong to the domain
test.com are located in each server's /var/yp/test.com directory.
The system super administrator can run the /usr/bin/domainname command to
rename a domain in interactive mode. Common users can run the domainname
command without parameters to obtain the default domain name of the local
system.
Data Preparation
Collect Domain Name, Primary Server Address, Standby Server Address 1
(Optional), and Standby Server Address 2 (Optional). For details about how to
obtain the data, see 2.8.4.1.7 (Optional) Configuring NIS Domain
Authentication Parameters.
2.8.4.1.7 (Optional) Configuring NIS Domain Authentication Parameters
If an NIS domain server is deployed on the customer's network, the storage
system must join the NIS domain. Then, NFS clients must be authenticated by the
NIS domain server when they attempt to access shared resources on the storage
system.
Prerequisites
● An NIS domain has been set up.
● You have prepared the data required for configuring an NFS share.
NOTE
● The storage systems can connect to an NIS server through management network
ports or service network ports (logical ports). If a storage system connects to an
NIS server through management network ports, ensure that the management
network ports on at least two controllers can properly communicate with the NIS
server. If a storage system connects to an NIS server through service network ports,
it is recommended that the service network ports on at least two controllers can
properly communicate with the NIS server. It is recommended that storage systems
connect to NIS servers through service network ports.
● A storage system can connect to only one NIS server.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 84
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Precautions
● You are advised to use physical isolation and end-to-end encryption to ensure
security of data transfer between the NIS domain server and clients.
● In the following scenario (the three situations occurred in sequence), use
clear nfs nfsv4_idmap_cache controller=? to clear the IDMAP cache of all
controllers:
a. First, the storage system had not been added to an NIS domain or had
not been correctly added to an NIS domain.
b. Then, an NIS domain user of the host accessed the shared space of the
storage system through the NFSv4.0 or NFSv4.1 protocol.
c. Finally, the storage system has been correctly added to an NIS domain.
Procedure
Step 1 Choose Settings > User and Security > Domain Authentication > File Service
NIS Domain.
Step 2 Select the desired vStore from the vStore drop-down list in the upper left corner.
Step 3 View NIS domain parameters of the file service. Table 2-26 describes the
parameters.
NOTE
● On the file service NIS domain management page, click to refresh file service NIS
domain information.
● On the file service NIS domain management page, click and select the file service NIS
domain information you want to view.
Table 2-26 NIS domain parameters of the file service
Parameter Description
Status Indicates whether the file service NIS domain is enabled.
Domain Name Indicates the domain name of the NIS domain server.
Active Server Indicates the active NIS server IP address or domain
Address name.
Standby Server Indicates the IP address or domain name of standby NIS
Address 1 server 1.
Standby Server Indicates the IP address or domain name of standby NIS
Address 2 server 2.
Step 4 You can also configure and restore the file service NIS domain to initial
configuration.
● Configure
a. Select the NIS domain to be configured and click Configure.
The Configure File Service NIS Domain page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 85
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
Alternatively, choose Services > vStore Service > vStores and click the name of a
vStore. On the details page that is displayed on the right, select the File Service
tab and click Configure in the NIS Domain area.
b. Configure basic information. Table 2-27 describes the parameters.
Table 2-27 Basic information about the file service NIS domain
Parameter Description
Domain Indicates the domain name of the NIS domain server.
Name The domain name format requirements are as follows:
1. The domain name can contain 1 to 63 characters,
including letters, digits, underscores (_), periods (.), and
hyphens (-).
2. The domain name cannot start or end with an
underscore (_) or hyphen (-).
3. The domain name can contain multi-level sub-
domain names, which are separated by periods (.). A
period (.) cannot be at the beginning or end of a
domain name, and multiple periods (.) cannot be
entered consecutively.
[Example]
abc.com
Active Server Indicates the active NIS server IP address or domain
Address name.
NOTE
▪ Ensure that the IP address or domain name is reachable.
Otherwise, user authentication commands and network
commands will time out.
▪ Click Test to check the connectivity of the entered IP
address or domain name.
[Example]
192.168.0.100
www.test.com
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 86
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Standby Indicates the IP address or domain name of standby
Server NIS server 1.
Address 1 NOTE
▪ Ensure that the IP address or domain name is reachable.
Otherwise, user authentication commands and network
commands will time out.
▪ Click Test to check the connectivity of the entered IP
address or domain name.
[Example]
192.168.0.101
www.test1.com
Standby Indicates the IP address or domain name of standby
Server NIS server 2.
Address 2 NOTE
▪ Ensure that the IP address or domain name is reachable.
Otherwise, user authentication commands and network
commands will time out.
▪ Click Test to check the connectivity of the entered IP
address or domain name.
[Example]
192.168.0.102
www.test2.com
c. Click OK.
● Restore to Initial
Select File Service NIS Domain and click Restore to Initial.
----End
2.8.4.1.8 (Optional) Configuring the NFSv4 Service for a Non-Domain Environment
This section describes how to configure the NFSv4 service for a non-domain
environment.
Background
According to the NFSv4 standard protocol, the NFSv4 service can be used only in a
domain environment to ensure proper running. To use the NFSv4 service in a non-
domain environment, configure the user name@domain name mapping
mechanism used by the NFSv4 service on your client. Then, the NFSv4 service will
use UIDs and GIDs to transfer owner and group information about files during
service transactions between your storage system and client.
The storage system supports NFSv4.1 in 6.1.2 and later versions, and NFSv4.0 in
6.1.3 and later versions.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 87
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Risks
● In scenarios where the NFSv4 service is used in a non-domain environment,
the user authentication method of the NFSv4 service is the same as that of
the NFSv3 service. The method cannot meet the theoretical security
requirements of the NFSv4 standard protocol.
● Users mapped by each client depend on the configuration files of client users
and user groups. The configuration file of each user and user group must be
independently maintained for proper mapping.
● UIDs and GIDs must be used when ACLs are configured for non-root users
and non-root user groups. Otherwise, the configuration will fail.
● The NFSv4 service is not recommended in a non-domain environment. If
operations in Configuration on Clients are not performed, executing the
chown command may fail.
Configuration on Clients
Step 1 Run the echo 1 > /sys/module/nfs/parameters/nfs4_disable_idmapping
command.
Step 2 Run the cat /sys/module/nfs/parameters/nfs4_disable_idmapping command. If
Y is displayed in the command output, the NFSv4 service is successfully
configured.
NOTICE
If you have used the NFSv4 service to mount NFS shares before configuring the
NFSv4 service for a non-domain environment, mount the NFS shares again after
configuring the NFSv4 service.
----End
2.8.4.1.9 (Optional) Enabling NFSv3 Mount for Windows Clients (Applicable to
6.1.6 and Later)
By default, the storage system does not allow NFSv3 mount on Windows clients.
This section describes how to enable NFSv3 mount for Windows clients, in order to
access NFS shares from the Windows clients.
Procedure
NOTE
If NFSv3 mount on Windows clients is enabled, you are advised to set the data protocol of
the logical port to NFS + CIFS.
Step 1 Run the change service nfs_config nfsv3_win_mount_support=enable command
to enable NFSv3 mount for Windows clients.
Step 2 (Optional) You are advised to run the change service nfs_config
config_jukebox_err_to_drop=enable command to discard the JUKEBOX error
code so that it is not returned to clients. In this case, the clients will retry in the
event of an error, which enhances reliability.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 88
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The change service nfs_config config_jukebox_err_to_drop=? command takes effect for
both Windows and UNIX clients.
----End
2.8.4.1.10 Creating an NFS Share
This section describes how to create an NFS share. After an NFS share is created,
shared file systems are accessible to clients that run SUSE, Red Hat, HP-UX,
Solaris, AIX, and Windows.
NOTE
Only 6.1.6 and later versions allow Windows clients to access NFS shares.
Prerequisites
You have obtained required data for configuring an NFS share.
Procedure
Step 1 Choose Services > File Service > Shares > NFS Shares.
Step 2 Select the desired vStore from the vStore drop-down list in the upper left corner.
Step 3 On the NFS Shares tab page, click Create.
The Create NFS Share page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 89
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual displayed information may vary.
For some device models, you can click in the upper right corner of the page to enable
SmartGUI. SmartGUI mines users' historical operation data and builds a configuration
parameter recommendation model based on user profiles to recommend configuration
parameters for the block service and file service. After SmartGUI is enabled, the system
presets the File System and Permission parameters based on recommendations when you
create an NFS share. You can directly use the parameters or modify them as required.
Step 4 Set basic NFS share parameters.
Table 2-28 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 90
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-28 Basic NFS share parameters
Parameter Description
File System File system for which you want to create an NFS share.
NOTE
When the global root directory / is selected for File System, you can
create an NFS global namespace (GNS) share.
● Each vStore can only create one GNS.
● You must add an independent share for a file system. After the
share is added, this file system will not be displayed if a host is
only authorized to access / but not the file system.
● GNS root directory / is read-only. You cannot create, modify, and
delete directories or files under / and you cannot modify
directory attributes of /. Once the directory of a file system is
entered, the permission will change to the share permission of
the file system.
● If no GNS is created, root directory / cannot be mounted to an
NFSv3 client. Only shared file systems can be viewed when / is
mounted to an NFSv4 directory.
● When creating an NFS GNS share, you can only set the
description for the share.
● If you want to create a HyperMetro or HyperReplication vStore
pair and a GNS has been created for the primary vStore, the
version of the secondary storage system must be the same as
that of the primary storage system. If a vStore pair has been
created, you can create a GNS share only when the versions of
the primary and secondary storage systems are the same and
support GNSs.
[Example]
FileSystem001
NOTICE
If the selected file system is the secondary storage system in a
remote replication pair or remote storage system in a HyperMetro
pair, data in the file system is probably being modified when it is
accessed. Before performing this operation, confirm that the
application allows possible data inconsistency.
Dtree Dtree for which you want to create an NFS share. If you do
not select a dtree, the NFS share is created for the entire file
system.
[Example]
Dtree_test
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 91
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Share Name Share name of the file system, which is used by users to
access shared resources.
NOTE
● When creating a GNS, you cannot set the share name.
● Only 6.1.6 and later versions support this parameter.
[Value range]
● The name must start with a slash (/).
● The name supports only letters, digits, special characters !
\"#&%$'()*+-,.:;<=>?@[]^_`{|}~, and spaces.
● The name contains 1 to 255 characters.
Share Path Share path of the file system, which is generated based on
the File System and Dtree parameters.
[Example]
/Filesystem001/Dtree_test
Description Description of the NFS share.
[Value range]
The description can be left blank or contain up to 255
characters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 92
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Character Clients communicate with the storage system using codes.
Encoding Codes configured on the NFS share must be the same as
that of the clients. These codes apply to names and
metadata of shared files, but do not change the codes of file
data. Codes include:
● UTF-8
International code set
● EUC-JP
euc-j*[ja] code set
● JIS
JIS code set
● S-JIS
cp932*[ja_jp.932] code set
● ZH
Simplified Chinese code set, in compliance with GB 2312
● GBK
Simplified Chinese code set, in compliance with GB 2312
● EUC-TW
Traditional Chinese code set, in compliance with CNS
11643
● BIG5
cp950 traditional Chinese code set
● DE
German character set, in compliance with ISO 8859-1
● PT
Portuguese character set, in compliance with ISO 8859-1
● ES
Spanish character set, in compliance with ISO 8859-1
● FR
French character set, in compliance with ISO 8859-1
● IT
Italian character set, in compliance with ISO 8859-1
● KO
cp949 Korean code set
● AR
Arabic character set, in compliance with ISO 8859-6
● CS
Czech character set, in compliance with ISO 8859-2
● DA
Danish character set, in compliance with ISO 8859-1
● FI
Finnish character set, in compliance with ISO 8859-1
● HE
Hebrew character set, in compliance with ISO 8859-8
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 93
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
● HR
Croatian character set, in compliance with ISO 8859-2
● HU
Hungarian character set, in compliance with ISO 8859-2
● NO
Norwegian character set, in compliance with ISO 8859-1
● NL
Dutch character set, in compliance with ISO 8859-1
● PL
Polish character set, in compliance with ISO 8859-2
● RO
Romanian character set, in compliance with ISO 8859-2
● RU
Russian character set, in compliance with ISO 8859-5
● SK
Slovak character set, in compliance with ISO 8859-2
● SL
Slovenian character set, in compliance with ISO 8859-2
● SV
Swedish character set, in compliance with ISO 8859-1
● TR
Turkish character set, in compliance with ISO 8859-9
● EN-US
English character set, in compliance with ISO 8859-1
● EUC-KR
Korean character set, in compliance with KS X 2901
NOTE
● Method of querying character encoding on clients (for example,
in Linux): Run the locale command to view character encoding
of the current system.
● NFSv4 supports only UTF-8. If NFSv4 is used, ensure that the
host uses UTF-8 character encoding.
Show Snapshot This function allows clients to show and traverse snapshot
directories.
NOTE
Description, Character Encoding, and Show Snapshot are hidden parameters. To display
hidden parameters, click Advanced.
Step 5 Configure access permissions for the NFS share.
Click Add to add a client. For details, see 2.8.4.1.12 Adding an NFS Share Client
(Applicable to 6.1.3 and Later).
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 94
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● When Type is set to Host, the system automatically detects whether the LDAP domain,
NIS domain, or DNS has been configured. To add a client by specifying the host name,
configure at least one of them.
● When Type is set to Network group, the system automatically detects whether the
LDAP domain or NIS domain has been configured. You must configure at least one of
them.
● You can click More on the right of a client and choose Modify to modify its information.
● You can select one or more clients and click Remove, or click More on the right of a
client and select Remove, to remove clients.
Step 6 Click OK.
----End
2.8.4.1.11 Adding an NFS Share Client (Applicable to Versions Earlier Than 6.1.3)
An NFS share client enables client users to access shared file systems through the
network.
Prerequisites
● You have obtained required data for configuring an NFS share.
● You have created a host name available on the DNS if you need to add a
client whose Type is Host.
● You have created a network group name available on the LDAP or NIS server
if you need to add a client whose Type is Network group.
Procedure
Step 1 Choose Services > File Service > Shares > NFS Shares.
Step 2 Select the vStore to which the desired NFS share belongs from the vStore drop-
down list in the upper left corner.
Step 3 Click More on the right of the desired NFS share and select Add Client.
The Add Client page is displayed.
NOTE
Alternatively, perform either of the following operations to add a client:
● Click the path of the desired NFS share. On the page that is displayed, click Add in the
Permissions area.
● Click the path of the desired NFS share. In the upper right corner of the page that is
displayed, click Operation and select Add Client.
NOTE
For some device models, you can click in the upper right corner of the page to enable
SmartGUI. SmartGUI mines users' historical operation data and builds a configuration
parameter recommendation model based on user profiles to recommend configuration
parameters for the block service and file service. After SmartGUI is enabled, the system
presets the Type and Permission parameters based on recommendations when you add an
NFS share client. You can directly use the parameters or modify them as required.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 95
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 4 Set client attributes.
Table 2-29 describes the parameters.
Table 2-29 Client parameters
Parameter Description
Type Client type of the NFS share.
[Value range]
● Host
● Network group
NOTE
● When a client is included in multiple share permissions, the
priority of share authentication from high to low is in the
following sequence: host name > IP address > network segment
> wildcard > network group > *.
● When Type is set to Network group and the vStore to which the
share belongs is configured with the DNS service, add the
reverse lookup zones of the network segments where the client
IP addresses reside on the DNS server. Otherwise, the host I/O
latency may increase.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 96
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Clients When Type is set to Host, enter client host names (FQDNs
are recommended), IP addresses, or IP address segments, or
use the asterisk (*) to represent IP addresses of all clients.
When Type is set to Network group, enter the network
group names configured in the LDAP or NIS domain.
NOTE
● When Type is set to Host, the system automatically detects
whether the LDAP domain, NIS domain, or DNS has been
configured. To add a client by specifying the host name,
configure at least one of them.
● When Type is set to Network group, the system automatically
detects whether the LDAP domain or NIS domain has been
configured. You must configure at least one of them.
[Value range]
You can enter multiple host names, IP addresses, or network
group names of the clients separated by semicolons (;),
spaces, or carriage returns.
A host name:
● Contains 1 to 255 letters, including letters, digits,
hyphens (-), periods (.), and underscores (_).
● Must start with a letter or digit and cannot end with a
hyphen (-) or underscore (_).
● Cannot contain a combination of a period and
underscore (_. or ._), a combination of a period and
hyphen (-. or .-), consecutive periods (..), or pure digits.
For IP addresses:
● You can enter client IP addresses, client IP address
segments, or an asterisk (*) to represent IP addresses of
all clients.
● IPv4 addresses, IPv6 addresses, or the combination of
IPv4 and IPv6 addresses are supported.
● The mask of an IPv4 address ranges from 1 to 32. The
prefix of an IPv6 address ranges from 1 to 128.
A network group name:
● Contains 1 to 254 characters.
● Can contain only letters, digits, underscores (_), hyphens
(-), and periods (.).
Permission Permission level for the clients to access the NFS share.
Possible options are as follows:
● Read-only: Clients can only read files in the NFS share.
● Read-write: Clients can read and write files in the NFS
share.
Step 5 Set advanced client parameters. Select Advanced in the upper right corner.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 97
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-30 describes the parameters.
Table 2-30 Advanced client parameters
Parameter Description
Write Mode Indicates how the clients write data to the NFS share. The
modes include:
● Sync: The system writes data onto disks instantly.
● Async: The system responds to clients' requests first and
then writes data.
NOTE
If the value is set to Async, data may be lost when a client and
storage system are faulty at the same time.
[Default value]
Sync
Permission Indicates whether to retain the user ID (UID) and group ID
Constraint (GID) of a shared directory.
● all_squash: The UID and GID of a shared directory are
mapped to user nobody, which is applicable to public
directories.
● no_all_squash: retains the UID and GID of a shared
directory.
[Default value]
no_all_squash
root Permission Controls the root permission of the clients.
Constraint ● root_squash: does not allow a client to access the share
as user root. Otherwise, the client will be mapped as an
anonymous user.
● no_root_squash: allows a client to access the share as
user root that has full control and access permissions for
shared directories.
NOTE
If a VM needs to be created in the NFS share, select
no_root_squash. Otherwise, the VM may run abnormally.
[Default value]
no_root_squash
Source Port Indicates whether to enable source port verification.
Verification ● secure: allows clients to access the NFS share using ports
Constraint 1 to 1023.
● insecure: allows clients to access the NFS share using
any port.
[Default value]
insecure
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 98
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 6 Click OK.
----End
2.8.4.1.12 Adding an NFS Share Client (Applicable to 6.1.3 and Later)
An NFS share client enables client users to access shared file systems through the
network.
Prerequisites
● You have prepared the data required for configuring an NFS share.
● You have created a host name available on the DNS if you need to add a
client whose Type is Host.
● You have created a network group name available on the LDAP or NIS server
if you need to add a client whose Type is Network group.
● If Share Path is set to global root directory /, you cannot add a client.
Procedure
Step 1 Choose Services > File Service > Shares > NFS Shares.
Step 2 Select the vStore to which the desired NFS share belongs from the vStore drop-
down list in the upper left corner.
Step 3 Click More on the right of the desired NFS share and select Add Client.
The Add Client page is displayed.
NOTE
Alternatively, perform either of the following operations to add a client:
● Click the path of the desired NFS share. On the page that is displayed, click Add in the
Permissions area.
● Click the path of the desired NFS share. In the upper right corner of the page that is
displayed, click Operation and select Add Client.
NOTE
For some device models, you can click in the upper right corner of the page to enable
SmartGUI. SmartGUI mines users' historical operation data and builds a configuration
parameter recommendation model based on user profiles to recommend configuration
parameters for the block service and file service. After SmartGUI is enabled, the system
presets the Type and Permission parameters based on recommendations when you add a
client. You can directly use the parameters or modify them as required.
Step 4 Set client attributes.
Table 2-31 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 99
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-31 Client parameters
Parameter Description
Type Client type of the NFS share.
[Value range]
● Host
● Network group
NOTE
● When a client is included in multiple share permissions, the
priority of share authentication from high to low is in the
following sequence: host name > IP address > network segment
> wildcard > network group > *.
● When Type is set to Network group and the vStore to which the
share belongs is configured with the DNS service, add the
reverse lookup zones of the network segments where the client
IP addresses reside on the DNS server. Otherwise, the host I/O
latency may increase.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 100
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Clients When Type is set to Host, enter client host names (FQDNs
are recommended), IP addresses, or IP address segments, or
use the asterisk (*) to represent IP addresses of all clients.
When Type is set to Network group, enter the network
group names configured in the LDAP or NIS domain.
NOTE
● When Type is set to Host, the system automatically detects
whether the LDAP domain, NIS domain, or DNS has been
configured. To add a client by specifying the host name,
configure at least one of them.
● When Type is set to Network group, the system automatically
detects whether the LDAP domain or NIS domain has been
configured. You must configure at least one of them.
[Value range]
You can enter multiple host names, IP addresses, or network
group names of the clients separated by semicolons (;),
spaces, or carriage returns.
For host names:
● A host name contains 1 to 255 characters and cannot
contain spaces.
● A host name cannot start with a hyphen (-).
For IP addresses:
● You can enter client IP addresses, client IP address
segments, or an asterisk (*) to represent IP addresses of
all clients.
● IPv4 addresses, IPv6 addresses, or the combination of
IPv4 and IPv6 addresses are supported.
● The mask of an IPv4 address ranges from 1 to 32. The
prefix of an IPv6 address ranges from 1 to 128.
A network group name:
● Contains 1 to 254 characters.
● The value can contain only letters, digits, underscores (_),
periods (.), and hyphens (-).
UNIX Permission Indicates the permission level for the UNIX client to access
the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 101
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Kerberos5 Indicates the permission level for the Kerberos5 client to
Permission access the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
Kerberos5i Indicates the permission level for the Kerberos5i client to
Permission access the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
Kerberos5p Indicates the permission level for the Kerberos5p client to
Permission access the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
root Permission Controls the root permission of the clients.
Constraint ● root_squash: does not allow a client to access the share
as user root. Otherwise, the client will be mapped as an
anonymous user.
● no_root_squash: allows a client to access the share as
user root that has full control and access permissions for
shared directories.
NOTE
If a VM needs to be created in the NFS share, select
no_root_squash. Otherwise, the VM may run abnormally.
[Default value]
root_squash
Step 5 Set advanced client parameters. Select Advanced in the upper right corner.
Table 2-32 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 102
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-32 Advanced client parameters
Parameter Description
Write Mode Indicates how the clients write data to the NFS share. The
modes include:
● Sync: The system writes data onto disks instantly.
● Async: The system responds to clients' requests first and
then writes data.
NOTE
If the value is set to Async, data may be lost when a client and
storage system are faulty at the same time.
[Default value]
Sync
Permission Indicates whether to retain the user ID (UID) and group ID
Constraint (GID) of a shared directory.
● all_squash: The UID and GID of a shared directory are
mapped to user nobody, which is applicable to public
directories.
● no_all_squash: retains the UID and GID of a shared
directory.
[Default value]
no_all_squash
Source Port Indicates whether to enable source port verification.
Verification ● secure: allows clients to access the NFS share using ports
Constraint 1 to 1023.
● insecure: allows clients to access the NFS share using
any port.
[Default value]
insecure
Step 6 Click OK.
----End
2.8.4.1.13 Accessing an NFS Share
This section describes how to access an NFS share over TCP or RDMA. A client
accesses an NFS share in an LDAP/NIS domain or a non-domain environment in
the same way.
2.8.4.2 Configuring a CIFS Share
This section describes how to configure a CIFS share.
2.8.4.2.1 Configuration Process
Figure 2-4 shows the flowchart for configuring a CIFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 103
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Figure 2-4 Configuring a CIFS share
Start
Prepare data.
Non-domain environment Domain
environment
Create a local
authentication user
group. Add the storage system
to an AD domain.
Create a local
authentication user.
Create a CIFS share.
AccessAdd
thean NFS share
shared space.
client.
End
Optional Mandator
y
2.8.4.2.2 Preparing Data
Before configuring a CIFS share in a storage system, plan and collect required data
to facilitate follow-up service configurations.
You need to prepare the following data:
● Logical IP address
Logical IP address used by a storage system to provide shared space for
clients.
● File system
File system or its dtree configured as a CIFS share.
● Name of a CIFS share
● Permission
Permission of a user or user group to access a CIFS share, including:
– Full control: The user can fully control the CIFS share.
– Read-only: The user can only read the CIFS share.
– Read and write: The user can read and write the CIFS share.
– Forbidden: The user cannot access the CIFS share.
● Local authentication user
Users for local authentication of the storage system in a non-domain
environment.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 104
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● AD domain information
● DNS
IP address of the DNS server.
NOTE
You can contact your network administrator to obtain desired data.
2.8.4.2.3 (Optional) Creating a Local Authentication User Group
This section describes how to create a local authentication user group. Local
authentication user groups are used to control the share access permissions of
specific local authentication users.
Context
A storage system has nine local authentication user groups that are automatically
created. The nine user groups are reserved for the system and cannot be modified
or deleted.
● Administrators is the administrator group. When the group members access
a shared namespace in the storage system, they do not need to be
authenticated by share-level ACLs and NT ACLs. They can operate any file in
any share with administrator permissions without the need to be
authenticated.
● Power Users is a user group in Windows.
– For 6.1.3 and later versions, its permission level is higher than that of
Users but lower than that of Administrators. Members of this user group
can use Windows Management Console (MMC).
– For versions earlier than 6.1.3, this user group is a common unprivileged
user group.
● Backup Operators is the backup user group.
– For 6.1.2 and later versions, members of this group can back up and
restore files on the computers.
– For versions earlier than 6.1.2, this user group is a common unprivileged
user group.
● Other groups (Users, Guests, Account Operators, Server Operators, Print
Operators and Replicator) are common unprivileged user groups. When the
group members access a shared file system of the storage system, they can
have the corresponding permissions only after being authenticated.
NOTE
An access control list (ACL) is a collection of permissions that are authorized to users or
user groups to operate shared files. ACL permissions are classified into ACL storage
permissions and ACL authentication permissions. After a user logs in to a share, the system
determines the user's permissions on the share, reads the ACL permissions, and then
determines whether the user can read and write files. For ACL storage permissions, each
ACL permission is called an Access Control Entry (ACE). After a share is mounted to a
Windows client, the client sends NT ACLs to the server (storage system that provides the
share).
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 105
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Procedure
Step 1 Choose Services > File Service > Authentication Users > Windows Users > Local
Authentication User Groups.
Step 2 Select the vStore for which you want to create a local authentication user group
from the vStore drop-down list in the upper left corner.
Step 3 Click Create.
The Create Local Windows Authentication User Group page is displayed on the
right.
Step 4 Set basic parameters for the local authentication user group.
Table 2-33 describes the parameters.
Table 2-33 Basic local authentication user group parameters
Parameter Description
Name Name of the local authentication user group.
[Value range]
● The name must be unique.
● The name cannot contain "/[]:|<>+=;?*@, or control
characters, and cannot end with a period (.). If the name
starts or ends with a space, the space is not displayed
after the name is created.
● The name can contain case-insensitive letters. For
example, aa and AA cannot be created at the same time.
● The user group name cannot be the same as the name of
a local authentication user.
● The name contains 1 to 256 characters.
Description Description of the local authentication user group.
[Value range]
The description can be left blank or contain up to 256
characters.
Step 5 Select privileges for the local authentication user group. You can view details
about the privileges in the description.
Step 6 Click OK.
----End
2.8.4.2.4 Creating a Local Authentication User
This section describes how to create a local authentication user. For applications
that use local authentication, local authentication users are used to access shares.
You can add a local authentication user to a user group for authentication and
access a share as the user group.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 106
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Procedure
Step 1 Choose Services > File Service > Authentication Users > Windows Users > Local
Authentication Users.
Step 2 Select the vStore for which you want to create a local authentication user from
the vStore drop-down list in the upper left corner.
Step 3 Click Create.
The Create Local Windows Authentication User page is displayed on the right.
Step 4 Set basic parameters for the local authentication user.
Table 2-34 describes the parameters.
Table 2-34 Basic local authentication user parameters
Parameter Description
Name Name of the local authentication user.
[Value range]
● The name must be unique.
● The name cannot contain "/\][:;|=,+*?<>@, spaces, or
control characters, and cannot end with a period (.).
● The name can contain case-insensitive letters. For
example, aaaaaaaa and AAAAAAAA cannot be created
at the same time.
● The name cannot be the same as the name of a local
authentication user group.
● The name contains 3 to 20 characters.
NOTE
You can modify the minimum length of the user name on the Set
Security Policy page.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 107
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Password Password of the local authentication user.
[Value range]
● The password contains 8 to 32 characters.
● The password must contain at least one of the following
types: special characters, uppercase letters, lowercase
letters, and digits. Special characters include !"#$%&'()*
+,-./:;<=>?@[\]^`{_|}~ and spaces.
● The password cannot contain more than three
consecutive identical characters.
● The password cannot be the same as the user name or
the user name spelled backward.
NOTE
You can set security policies for the password of a local
authentication user on the Set Security Policy page. If Validity
Period is 0, the password will never expire. For the security purpose,
you are advised to set a specific password validity period. After the
password expires, you cannot access shares, but you can set a
password again or modify the password security policy on the Set
Security Policy page.
Confirm Confirms the password for consistency.
Password
Status Indicates whether to enable the user.
Description Description of the local authentication user.
[Value range]
The description can be left blank or contain up to 256
characters.
Owning Groups Groups to which the local authentication user belongs. Click
on the right of Owning Groups. In the Available Groups
list, select the desired groups and add them to Selected
Groups.
NOTE
You cannot configure privileges for local authentication users separately on DeviceManager.
Instead, you can configure privileges for local authentication users on the CLI.
Step 5 Click OK.
----End
2.8.4.2.5 (Optional) Preparing AD Domain Configuration Data
Why AD Domains?
In Windows shared mode, every device that provides shares is an independent
node. The account and permission information about users allowed to access
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 108
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
shares are stored on each node. As a result, the information maintenance is
complex and uncontrollable.
If an AD domain is used, the domain controller manages all the user configuration
information and authenticates the access to the domain. The domain controller
incorporates a database that stores information about the domain account,
password, and nodes in the domain. A user can access all the shared content in
the domain after passing the authentication by the domain controller.
Working Principles
Figure 2-5 Network diagram of AD domain server authentication
1. The DNS server provides a full domain name (123.com for example) for the
AD domain.
2. The storage system is added into the AD domain and provides share services.
3. Users can access shares after logging in to hosts in the AD domain using
domain accounts.
Data Preparation
To smoothly add a storage system to an AD domain, prepare or plan the required
data based on the site requirements. Collect Domain Administrator, Password,
Full Domain Name, Organization Unit (optional), and System Name. For details
about how to obtain the data, see 2.8.4.2.7 (Optional) Configuring AD Domain
Authentication Parameters.
2.8.4.2.6 (Optional) Connecting a Storage System to a DNS Server
Connecting a storage system to a DNS server allows the storage system to access
the AD domain server using a domain name. This operation enables you to
configure the IP address of the DNS service for the file storage service.
Prerequisites
● A DNS server has been configured and is running properly.
● Port 53 for the TCP/UDP protocol between the storage system and the DNS
server is enabled.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 109
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● The latency of the network between the DNS server and the storage system is
less than or equal to the configured latency (200 ms by default).
Context
● A DNS server is used to resolve names of hosts in a domain.
● If you want to configure a standby DNS server, keep the domain names of the
active and standby servers consistent.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the details page that is displayed on the
right, click the File Service tab and click Configure in the DNS Service area.
The DNS Service page is displayed on the right.
Step 3 Configure an IP address for the DNS service.
1. Set Active DNS IP Address.
2. (Optional) Set Standby DNS IP Address 1.
3. (Optional) Set Standby DNS IP Address 2.
NOTE
Set Standby DNS IP Address 1 first and then Standby DNS IP Address 2.
4. (Optional) Test the connection between the DNS server and the storage
system.
– You can click Test next to a DNS IP address to test its availability.
– You can click Test All to test the connection between the DNS server and
the storage system.
Step 4 Click OK. Confirm your operation as prompted.
----End
2.8.4.2.7 (Optional) Configuring AD Domain Authentication Parameters
If an AD domain server is deployed on the customer's network, the storage system
must join the AD domain. Then, clients must be authenticated by the AD domain
server when they attempt to access shared resources on the storage system. The
administrator can manage the share access permissions and quotas of domain
users. If the storage system does not join an AD domain, domain users cannot use
share services provided by the storage system.
Prerequisites
● An AD domain has been set up.
● The storage system has been connected to the DNS server.
● The AD domain server and DNS server have time synchronization with the
storage system. The time difference must be no larger than 5 minutes.
● Ports 88 (TCP/UDP protocol), 389 (TCP/UDP protocol), 445 (TCP protocol),
and 464 (TCP/UDP protocol) are enabled between the storage system and the
AD domain.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 110
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● If Signature Enforcement is enabled for the AD domain, Signature
Enforcement must also be enabled for the corresponding vStore on the
storage system.
NOTE
The storage systems can connect to AD domain servers and DNS servers through
management network ports or service network ports (logical ports). If a storage system
connects to an AD domain server and DNS server through management network ports,
ensure that the management network ports on at least two controllers can properly
communicate with the AD domain server and DNS server. If a storage system connects to
the AD domain server and DNS server through service network ports, it is recommended
that the service network ports on at least two controllers can properly communicate with
the AD domain server and DNS server. It is recommended that storage systems connect to
AD domain servers through service network ports.
Precautions
● Before adding a storage system to an AD domain, ensure that the primary
controller of the storage system is connected to the DNS server and AD
domain server.
● When Overwrite System Name is enabled, if a system name entered exists in
the AD domain controller, the information about the current storage system
will overwrite the information about the storage system corresponding to the
system name on the AD domain controller.
● A simple password may result in security issues. A complex password that
contains uppercase letters, lowercase letters, digits, and special characters is
recommended.
● You are advised to use physical isolation and end-to-end encryption to ensure
security of data transfer between the AD domain server and clients.
Procedure
Step 1 Choose Settings > User and Security > Domain Authentication > File Service
AD Domain.
Step 2 Select a vStore from the vStore drop-down list in the upper left corner.
Step 3 View AD domain parameters of the file service. Table 2-35 describes the
parameters.
NOTE
● On the file service AD domain management page, click to refresh file service AD
domain information.
● On the file service AD domain management page, click and select the file service AD
domain information you want to view.
Table 2-35 AD domain parameters of the file service
Parameter Description
Full Domain Name Indicates the full domain name of the AD domain server.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 111
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Organization Unit Indicates the organization unit of a type of directory
objects in the domain. These objects include users,
computers, and printers.
System Name Indicates the name of the storage system in the AD
domain.
Domain Status Indicates whether the storage system is added to the
domain.
Step 4 Configure the file service AD domain.
1. Select the AD domain to be configured and click Configure.
The Configure File Service AD Domain page is displayed on the right.
NOTE
Alternatively, choose Services > vStore Service > vStores and click the name of a
vStore. On the details page that is displayed on the right, select the File Service tab
and click Configure in the AD Domain area.
2. Configure basic information. Table 2-36 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 112
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-36 Basic information about the file service AD domain
Parameter Description
Domain Administrator account that can log in to the AD server or
Administrator account with AD domain administrator permissions. It is
recommended that you use a user with AD domain
administrator permissions to add a storage system to an
AD domain. If the user with the administrator privileges
cannot be used, use a common domain user granted with
AD object control permissions (including computer object
creation and deletion permissions and write permissions
for specified organizational units).
The following formats are supported:
1. User name, for example, test_user1.
2. NetBIOS name + user name. You can run the nbtstat -n
command to query the NetBIOS name. For example,
china\test_user1.
NOTE
This function is supported only in 6.1.5 and later versions.
3. User name + AD domain name, for example,
[email protected].
NOTE
This function is supported only in 6.1.5 and later versions.
[Value range]
A string of 1 to 63 characters.
[Example]
test_user1
Password Password for the domain administrator, that is, the
password for logging in to the AD server.
[Value range]
A string of 1 to 127 characters.
Full Domain Indicates the full domain name of the AD domain server.
Name NOTE
You can click Test to test the validity of the full domain name.
[Value range]
A string of 1 to 127 characters.
[Example]
abc.com
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 113
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Organization Indicates the organization unit of a type of directory
Unit objects in the domain. These objects include users,
computers, and printers. After an object joins the domain,
it will be a member in the organization unit. If this
parameter is left empty, objects join the Computers
organization unit by default.
[How to obtain]
1. On the Windows AD domain server, open Active
Directory Users and Computers or ADSI Edit.
2. Select the directory on the left, right-click the directory,
and choose Properties.
3. In the Properties dialog box that is displayed, click
Attribute Editor. The value of distinguishedName is
the organization unit.
[Example]
cn=xxx,dc=abc,dc=com
System Name Indicates the name of the storage system in the AD
domain. After the storage system is added to the domain,
the client can use the name to access the storage system.
NOTE
– If the system name used for joining the domain exists in the
domain controller and the Overwrite System Name function
is disabled in the storage system, joining the AD domain will
fail.
– Special characters ~!$%^&{}`' are not recommended because
the domain name of the DNS server does not support these
characters.
– English characters and digits are recommended.
[Value range]
A string of 1 to 15 characters.
[Example]
test2021
Overwrite If a storage system with the same name exists in the
System Name domain controller, enabling this function will overwrite the
original storage system information.
NOTICE
After this function is enabled, information about the storage
system with the same system name in the domain controller will
be overwritten. As a result, the authentication between the
storage system and domain controller corresponding to the system
name will be affected.
Domain Indicates whether the storage system is added to the
Status domain.
3. Click Join Domain.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 114
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
4. If you want to remove a storage system from an AD domain, perform the
following operations:
a. Set Domain Administrator and Password.
b. Click Exit Domain.
Confirm your operation as prompted.
5. Click Close.
----End
Follow-up Procedure
● After adding a storage system to an AD domain that has multiple domain
controllers, you are advised to wait about 2 minutes for these domain
controllers to synchronize configurations and then access shares as a domain
user.
● After the storage system is removed from the AD domain, you are advised to
wait for about 2 minutes before adding the storage system to the AD domain
again.
2.8.4.2.8 Creating a CIFS Share
This section describes how to share file systems in CIFS mode so that users can
access the file systems.
Procedure
Step 1 Choose Services > File Service > Shares > CIFS Shares.
Step 2 Select the desired vStore from the vStore drop-down list in the upper left corner.
Step 3 Click Create.
The Create CIFS Share page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 115
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual displayed information may vary.
For some device models, you can click in the upper right corner of the page to enable
SmartGUI. SmartGUI mines users' historical operation data and builds a configuration
parameter recommendation model based on user profiles to recommend configuration
parameters for the block service and file service. After SmartGUI is enabled, the system
presets the File System and Share Name parameters based on recommendations when
you create a CIFS share. You can directly use the parameters or modify them as required.
Step 4 Set basic CIFS share parameters.
Table 2-37 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 116
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-37 Basic CIFS share parameters
Parameter Description
File System File system for which you want to create a CIFS share.
NOTE
If the selected file system is the secondary storage system in a
remote replication pair or remote storage system in a HyperMetro
pair, data in the file system is probably being modified when it is
accessed. Before performing this operation, confirm that the
application allows possible data inconsistency.
[Example]
Filesystem001
Dtree Dtree for which you want to create a CIFS share. If you do
not select a dtree, the CIFS share is created for the entire file
system.
[Example]
Dtree_test
Share Name Name of the share, which is used by users to access shared
resources.
[Value range]
● The name must be unique.
● The name cannot contain characters " / \ [ ] : | < > + ; , ?
* =, and cannot be ipc$, autohome, ~, or print$ reserved
by the system.
NOTE
– ipc$ is a resource that shares named pipes. A named pipe is
one of the mechanisms of inter-process communication.
– autohome is the share name reserved for the autohome
share.
– ~ is a symbol reserved for the autohome share.
– print$ is the shared printer.
● The name contains 1 to 80 characters.
[Example]
share_for_user1
NOTE
The system creates an admin share named c$ by default in 6.1.3 or
later. The c$ share has the following characteristics:
● Its share path is the root directory /, and its share permissions
are Administrators full control permissions.
● Each time a vStore is created, a c$ share is automatically created
for this vStore.
● It cannot be deleted.
● You can view or modify the attributes of the c$ share. For
example, on the Windows Management Console (MMC), you
can modify the description and offline settings of the c$ share.
● On MMC, you can use the c$ share to browse file systems and
dtrees and directly select a file system or dtree to create a share.
You do not need to manually enter the share path.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 117
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Share Path Share path of the file system, which is generated based on
the File System and Dtree parameters.
[Example]
/Filesystem001/Dtree_test
Step 5 Set advanced attributes of the CIFS share. Select Advanced in the upper right
corner.
Table 2-38 describes the parameters.
Table 2-38 Advanced parameters of a CIFS share
Parameter Description
Description Indicates the description of a CIFS share.
NOTE
The description can be left blank or contain up to 255 characters.
Notify Determine whether to enable Notify. After this function is
enabled, a client's operations on a directory, such as adding
a sub-directory, adding a file, modifying the directory, and
modifying a file, can be detected by other clients that are
accessing this directory or the parent directory of this
directory. The created or modified directories and files are
visible after the page automatically refreshes.
Continuously Indicates whether to enable Continuously Available. If it is
Available enabled, CIFS services will not be interrupted in scenarios
such as controller faults and intermittent network
disconnections, but performance will deteriorate.
This option is the SMB continuous availability feature. This
feature depends on Oplock, which is enabled by default. If
Oplock is disabled, choose Settings > File Service > CIFS
Service to enable it.
SMB3 Encryption Specifies whether to enable SMB3 encryption. After this
function is enabled, the system encrypts the share to ensure
data security, but the performance deteriorates.
NOTICE
Enabling this function affects SMB3 service performance. Check
whether this function needs to be enabled.
NOTE
● After SMB3 encryption is enabled, only SMB3 clients can access
shares by default.
● Only 6.1.3 and later versions support this parameter.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 118
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Unencrypted After this function is enabled, clients that do not have
Client Access encryption capabilities can access the share.
NOTICE
After this function is enabled, clients of earlier versions (for
example, Windows 7) are allowed to access shares where SMB3
encryption is enabled in plaintext. Check whether this function
needs to be enabled.
NOTE
● This function takes effect only after the SMB3 encryption
function is enabled.
● Only 6.1.3 and later versions support this parameter.
ABE After ABE is enabled, files and folders that users have no
access permission are not displayed.
NOTE
● SMB2 and SMB3 support this function but SMB1 does not.
● Only 6.1.3 and later versions support this parameter.
Show Previous If this function is enabled, clients can show and roll back
Version historical versions.
NOTE
Only 6.1.5 and later versions support this parameter.
Show Snapshot This function allows clients to show and traverse snapshot
directories.
NOTE
Only 6.1.3 and later versions support this parameter.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 119
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Offline File Cache files that need to be accessed in different modes to
Cache Mode local clients so that files can be operated offline. The cache
modes are as follows:
● None: Files and programs in the shared directory cannot
be cached to local clients. Therefore, these files and
programs cannot be operated offline.
● Manual: Specified files and programs in the shared
directory can be cached to local clients and operated
offline.
● Documents: If a user accesses the shared directory and
opens a file or program in the shared directory, the file or
program is automatically cached to a local client so that
the user can operate it offline.
● Programs: If an executable file (EXE and DLL) in the
shared directory is executed by a local client, the file is
automatically cached to the client. If the client needs to
run the executable file next time, it accesses the cached
file instead of that in the shared directory.
NOTE
Shares with Continuously Available enabled cannot quickly enter
offline mode because clients will try to reconnect to the storage
system for several minutes in the event of a network failure.
Therefore, it is recommended that you disable Continuously
Available before using offline file caching, and enable
Continuously Available if offline file caching is not required.
NOTE
Only 6.1.6 and later versions support this parameter.
Step 6 Select user or user groups that can access the CIFS share.
1. In the Permissions area, click Add.
The Add User or User Group page is displayed.
2. Set Type for the users or user groups.
Possible values are Everyone, Local Windows authentication user, Local
Windows authentication user group, AD domain user, AD domain user
group, Local UNIX authentication user, Local UNIX authentication user
group, LDAP domain user, LDAP domain user group, NIS domain user, and
NIS domain user group. Note that Local UNIX authentication user, Local
UNIX authentication user group, LDAP domain user, LDAP domain user
group, NIS domain user, and NIS domain user group are displayed after you
select Advanced in the upper right corner.
NOTE
Local UNIX authentication user, Local UNIX authentication user group, LDAP
domain user, LDAP domain user group, NIS domain user, and NIS domain user
group are available only in 6.1.6 and later versions.
– If you select Local Windows authentication user, Local Windows
authentication user group, Local UNIX authentication user, or Local
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 120
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
UNIX authentication user group, select the users or user groups you
want to add from the list.
NOTE
You can click Create to create a local authentication user or user group.
– If you select AD domain user, AD domain user group, LDAP domain
user, LDAP domain user group, NIS domain user, or NIS domain user
group, enter the names of the users or user groups in Name.
NOTE
▪ If you select a domain user or user group, the system automatically detects
whether the domain has been configured. If no domain is configured, the
system prompts you to configure a domain first.
▪ The name format is Domain name\Domain user name or Domain name
\Domain user group name.
▪ Name contains 1 to 256 characters. An AD domain user name cannot start
with an at sign (@).
▪ You can also enter multiple names separated by pressing Enter.
3. In Permission, select the permission granted for the users or user groups.
Table 2-39 describes the permissions.
Table 2-39 CIFS share permissions
Permission Forbidden Read-Only Read-Write Full Control
Viewing files Xa √b √ √
and
subdirectorie
s
Viewing file X √ √ √
contents
Running X √ √ √
executable
files
Adding files X -c √ √
or
subdirectorie
s
Modifying X - √ √
file contents
Deleting files X - √ √
and
subdirectorie
s
Renaming X - √ √
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 121
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Permission Forbidden Read-Only Read-Write Full Control
Changing X - - √
ACL
permissions
of files or
directories
a: Users do not have the permission.
b: Users have the permission.
c: The specified permission is not involved.
NOTE
– The permission priority from high to low is Forbidden > Full control > Read-write
> Read-only. The highest permission prevails. If a user is granted with a higher
permission than its original one, the new permission takes effect immediately
without re-authentication. For example, the access permission of a user is Read-
only, and then the user is added to a user group whose access permission is Full
control. Therefore, the access permission of the user is changed to Full control
and it can access the CIFS share immediately without re-authentication.
– You can run the change service cifs administrators_privilege=? command on the
CLI to modify permissions of members in the Administrators user group. For
details about the command, refer to Command/Event/Error Code Query. In the
command, the value of the administrators_privilege parameter can be admin
(default), default_group, or owner.
For local authentication users whose primary user group is Administrators, users
with different administrators_privilege values have different permissions.
▪ admin: When members in the Administrators user group access a shared file
system in the storage system, they do not need to be authenticated by share-
level ACLs and NT ACLs. They can operate any file in any share (with
administrator permissions of the share) without authentication.
▪ default_group: Members in the Administrators user group have the same
permissions as members in the default_group user group.
▪ owner: Members in the Administrators user group have the permissions to
query and set file or directory ACLs and modify file or directory owners. When
the group members access shared file systems, they need to be authenticated
by directory- or file-level NT ACLs, but do not need to be authenticated by
share-level ACLs.
Modified permissions take effect only after users are re-authenticated on clients.
You can run the show service cifs command on the CLI and check permissions of
the Administrators user group in the Administrators Privilege field.
4. Click OK.
The system adds the selected users or user groups to the Permissions list.
Step 7 Click OK.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 122
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.8.4.2.9 Accessing a CIFS Share
By accessing a CIFS share, different users can access the shared directories that
they have permission to access.
Procedure
Step 1 Choose Map network drive on a Windows client.
Take Windows Server 2012 as an example. Open File Explorer and choose
Computer > Map network drive > Map network drive.
NOTE
GUIs may be slightly different for clients running different versions of Windows operating
systems. The actual GUIs prevail.
Step 2 In the displayed Map Network Drive dialog box, configure the network folder you
want to map.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 123
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● In Drive, specify the drive letter for the connection.
● In Folder, specify the folder that you want to connect to. Select Connect
using different credentials and click Finish.
The folder is in the format of \\logical ip address\sharename.
Wherein, logical ip address indicates the IP address of the storage system's
logical port providing the CIFS share, and sharename indicates the name of
the CIFS share.
Step 3 In the displayed Windows Security dialog box, enter the user name and password
for accessing the CIFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 124
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● If you log in as a domain authentication user, enter the domain user name in
the Domain name\Domain user name format and the corresponding
password.
NOTE
After CIFS shares are allocated to domain users, do not modify the domain user
information. If you do, the CIFS shares cannot be accessed.
● If you log in as a local authentication user, enter the user name and password
of the local authentication user.
Step 4 Click OK.
NOTE
If errors occur during the access, verify that:
● The storage system is added into a correct AD domain.
● The network between the client and storage system is normal.
● The domain user has the access permission.
----End
2.8.4.3 Accessing Cross-Protocol Shares
A storage system allows NFS and CIFS shares to be configured for the same file
system concurrently. This section describes how a storage system uses the user
mapping function to allow users to access shared files across protocols (CIFS-NFS)
used by clients on different platforms and implement precise permission control.
2.8.4.3.1 Overview
This section introduces the user mapping mechanism used during cross-protocol
(CIFS-NFS) share access.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 125
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
CIFS-NFS Share Access
A storage system allows users to share a file system or dtree using NFS and CIFS
at the same time. Different clients can access a file system or dtree
simultaneously. Windows, Linux, and UNIX adopt different mechanisms to
authenticate users and control access. The storage system manages user mapping
and permission control of different operating systems in a unified manner,
protecting the security of CIFS-NFS share access.
● If a CIFS user attempts to access a file or directory, the storage system
authenticates local or AD domain users first. If the UNIX permission (UNIX
Mode bits) has been configured for the file or directory, the CIFS user is
mapped as an NFS user based on preset user mapping rules during
authentication. Then the storage system performs UNIX permission
authentication for the user.
● If an NFS user attempts to access a file or directory with NT ACLs, the NFS
user is mapped as a CIFS user based on the preset mapping rules. Then the
storage system performs NT ACL permission authentication for the user.
CIFS-NFS Share Access Permissions
If permission types of a file or directory and a client that attempts to access the
file or directory do not match, CIFS-NFS cross-protocol access is required and you
must map the permission of the file or directory so that it can be displayed by the
client.
● NFS client accessing a file or directory with the NTFS permission
When an NFS client checks the NTFS permission that a file or directory has,
the client can obtain the UNIX permission mapped from an NT ACL. The NFS
client displays as many permissions as possible but the actual permissions are
determined by the NT ACL. For example, the NFS client shows that all users
have read, write, and execute permissions, but one of the users may only have
the write permission.
● CIFS client accessing a file or directory with the UNIX permission
When a CIFS client checks the UNIX permission that a file or directory has, the
UNIX permission is mapped into four ACEs for the CIFS client. The ACEs are
for the owner, owner primary group, everyone, and the current Windows user
for the file or directory respectively. The NT ACL is displayed only but not used
to control actual operation permissions.
Table 2-40 shows how permissions are converted among UNIX Mode bits and NT
ACLs.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 126
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-40 Permission conversion among UNIX Mode bits and NT ACLs
File Permission Permission Conversion
A file or directory ● If an NFS or CIFS client sends a request to read an
only has valid UNIX ACL, one ACL is mapped based on UNIX Mode bits.
Mode bits. ● If a CIFS client sends a request to set an ACL, an NT
ACL takes effect and UNIX Mode bits with the
maximum permissions are mapped based on the NT
ACL.
A file or directory has If an NFS client sends a request to read UNIX Mode bits,
a valid NT ACL. UNIX Mode bits (mapped based on the NT ACL) of the
storage system are returned directly.
CIFS-NFS User Mapping
Windows systems (CIFS) and Linux systems (NFS) use different mechanisms to
identify and authenticate users:
● Windows systems use security identifiers (SIDs) to identify users. SIDs apply
to all users, user groups, services, and computers in the systems. CIFS supports
NT ACLs for authentication.
● Linux systems use user identities (UIDs) and one or more group identities
(GIDs) to identify users. One user belongs to one user group at least. NFS
supports diversified security control mechanisms such as UNIX Mode bits for
authentication.
During CIFS-NFS share access, users using different protocols must be mapped
based on user mapping rules for user authentication and precise permission
control.
The timing of user mapping is as follows:
● For a CIFS client, a user mapping occurs when the security mode of the file
system to be accessed is UNIX, that is, files or directories in the file system
have only the UNIX Mode bits permission. A user will have both the
permissions before and after user mapping.
● For an NFS client, a user mapping occurs when the security mode of the file
system to be accessed is NTFS, that is, files or directories in the file system
have the NT ACL permission. A user will have both the permissions before and
after user mapping.
● When a parent directory has inheritable NT ACL permission, files or directories
created no matter on an NFS client or a CIFS client will have the NT ACL
permission by default. In this case, if the NFS client accesses files or
directories, a user mapping will always occur. That is, a user will have both
the permissions before and after user mapping. When the parent directory
does not have any inheritable NT ACL permission, files or directories created
no matter on an NFS client or a CIFS client will have the UNIX Mode bits
permission. In this case, if the NFS client accesses files or directories, no user
mapping occurs. That is, the user's permission remains unchanged.
● If mappings are changed on CIFS clients, the change takes effect after CIFS
connections are disconnected and next re-authentication is performed.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 127
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● User mappings on NFS clients are cached and expire after four hours by
default. New user mappings and user information changes take effect after
the cached data expires.
User mapping rules specify the mappings among different user accounts. They can
be saved in a local database or managed in an AD domain in a centralized
manner. A user mapping rule includes the mapping type, source user, mapped
user, and mapping priority. If a user matches multiple mapping rules, it is mapped
based on the rule with a higher priority. If the rules have the same priority, the
user is mapped based on the rule that is configured the earliest.
The following describes how local user mapping is performed:
● NFS-CIFS user mapping: An NFS user is authenticated using its UID on a
server. When user mapping occurs, the user name corresponding to the UID is
queried in the sequence of the local, LDAP, and NIS domains, and then the
user name after mapping and its SID and owning user group are queried
based on the locally configured mapping relationships using the user name
corresponding to the UID. After the mapping, identity authentication for
cross-protocol access will be performed on the mapped user and its owning
group.
● CIFS-NFS user mapping: A CIFS user is authenticated by SID on the service
end. When a user mapping occurs, the mapped user will be queried based on
the user name to which the SID corresponds and the local mapping. Then the
UID to which the mapped user name corresponds and its owning group will
be queried in the sequence of the local storage system, LDAP domain, and
NIS domain. After the mapping, identity authentication for cross-protocol
access will be performed on the mapped user and its owning group.
NOTE
● You are not advised to configure users with the same UID or user name in the local
storage system, LDAP domain, and NIS domain. If users with the same UID or user
name exist, the mapping result may not meet the expectation.
● In 6.1.6 and later versions, you can run the add identity_mapping rule
from_identity=? to_identity=? mapping_type=? host_name=? address=? command to
configure client IP address segments or host names in a user mapping rule. Clients can
use the user mapping rule only when their IP address segments or host names match
those specified in the user mapping rule. For details about the command, visit
Command/Event/Error Code Query.
After user mapping, on an NFS client, the owner information of files or directories
owned by CIFS users (the files or directories that are created by CIFS users or the
owner information of the files or directories are changed to CIFS users) is the
information of the NFS users mapped from CIFS users. If no mapping rules have
been configured for CIFS users, the owner information of the files or directories is
about the IDs (calculated using IDMAP, a hash algorithm) of the CIFS users.
After user mapping, on a CIFS client, the owner information of the files or
directories owned by NFS users (the files or directories that are created by NFS
users or the owner information of the files or directories are changed to NFS
users) is about NFS user names. If NFS users are NIS or LDAP domain users, the
owner information is displayed as UNIXUser\user name.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 128
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
When CIFS users are mapped to NFS users, quota statistics will be collected for the NFS
users or owning user group.
2.8.4.3.2 Configuring Mapping Parameters
You can create user mappings in both the local storage system and the external
IDMU domain to access shares across different systems. The following introduces
how to set the mapping mode as well as timeout duration of the IDMU query, and
search for the domain name.
Context
If you only use IDMU user mappings, you do not need to configure user mappings
in the local storage system.
Procedure
Step 1 Choose Services > File Service > Authentication Users > User Mappings.
Step 2 Select the vStore for which you want to configure mapping parameters from the
vStore drop-down list in the upper left corner.
Step 3 Click Set Mapping Parameter.
The Set Mapping Parameter page is displayed on the right.
Step 4 Enable Mapping Parameters and configure user mapping parameters.
Table 2-41 describes the parameters.
Table 2-41 Mapping parameters
Parameter Description
Mapping Mode Global parameter of user mappings, including:
● Support only user mapping of this system: The
system only supports user mappings created in this
system.
● Support only user mapping in IDMU: The system
only supports user mappings in the IDMU domain.
● Preferentially support user mapping in IDMU:
When user mappings of a specified source user exist
both in the system and the IDMU domain, the
system preferentially uses the mapping in the IDMU
domain.
● Preferentially support user mapping of this
system: When user mappings of a specified source
user exist both in the system and the IDMU domain,
the system preferentially uses the mapping in this
system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 129
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
IDMU Search Timeout duration for the system to search for a
Timeout Duration (s) specified user mapping in the IDMU domain.
[Value range]
5 to 120
IDMU Search DN Benchmark directory where the system searches for a
specified user mapping in the IDMU domain. The
benchmark directory stores the information of user
mappings.
[Value range]
The directory contains 0 to 255 characters.
Map to User with Indicates whether to map to users with the same name.
Same Name After this function is enabled, the system automatically
maps UNIX users and Windows users with the same
name.
Default UNIX User When user mapping is enabled and a Windows user
fails to be mapped, the Windows user will be mapped
to this default UNIX user.
Default Windows When user mapping is enabled and a UNIX user fails to
User be mapped, the UNIX user will be mapped to this
default Windows user.
If the default Windows user is an AD domain user, the
naming format is Domain name\Domain user name.
The AD domain name can only be a NetBIOS name. You
can query the NetBIOS name of a domain by running
the nbtstat -n command. Alternatively, you can right-
click the domain on the Active Directory Users and
Computers page, choose Properties from the shortcut
menu, and find the value of Domain name (pre-
Windows 2000) in the dialog box that is displayed. The
value is the NetBIOS name of the domain.
NOTE
Map to User with Same Name, Default UNIX User, and Default Windows User are
available only when Mapping Mode is set to Support only user mapping of this system,
Preferentially support user mapping in IDMU, or Preferentially support user mapping
of this system. IDMU Search Timeout Duration (s) and IDMU Search DN are available
only when Mapping Mode is set to Support only user mapping in IDMU, Preferentially
support user mapping in IDMU, or Preferentially support user mapping of this system.
Step 5 Confirm your operation as prompted.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 130
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.8.4.3.3 Creating a User Mapping
This operation enables the system to map a source user to a target user based on
a mapping relationship for accessing shares across protocols.
NOTE
If Map to User with Same Name is enabled, default user mapping (Default UNIX User or
Default Windows User) is configured, and user mapping is created, you can follow the
following sequence to search for user mapping: the created user mappings > user mappings
with the same name > the default user mapping.
Procedure
Step 1 Choose Services > File Service > Authentication Users > User Mappings.
Step 2 Select the vStore for which you want to create a user mapping from the vStore
drop-down list in the upper left corner.
Step 3 Click Create.
The Create User Mapping page is displayed on the right.
Step 4 Set basic user mapping parameters.
Table 2-42 describes the parameters.
Table 2-42 Basic user mapping parameters
Parameter Description
Mapping Mode User mapping mode related to the operating system.
Possible options are:
● Windows to UNIX: When accessing UNIX shares using
Windows, a Windows user has all the permissions
granted to the target user.
● UNIX to Windows: When accessing Windows shares
using UNIX, a UNIX user has all the permissions granted
to the target user.
● Kerberos to UNIX: When accessing UNIX shares using
Kerberos authentication through a client, a Kerberos user
has all the permission granted to the target user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 131
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Source User Source user in the mapping.
NOTE
● The name of the source user supports the wildcard (*). For
example, user* indicates all user names starting with user.
● The user name can be a common or domain user name. An AD
domain user name uses a backslash (\) to connect the domain
name and user name. Only one backslash (\) is allowed, for
example, china\user001. The AD domain name can only be a
NetBIOS name. You can query the NetBIOS name of a domain
by running the nbtstat -n command. Alternatively, you can
right-click the domain on the Active Directory Users and
Computers page, choose Properties from the shortcut menu,
and find the value of Domain name (pre-Windows 2000) in
the dialog box that is displayed. The value is the NetBIOS name
of the domain.
Target User Target user in the mapping.
NOTE
The user name can be a common or domain user name. An AD
domain user name uses a backslash (\) to connect the domain
name and user name. Only one backslash (\) is allowed, for
example, china\user001. The AD domain name can only be a
NetBIOS name. You can query the NetBIOS name of a domain by
running the nbtstat -n command. Alternatively, you can right-click
the domain on the Active Directory Users and Computers page,
choose Properties from the shortcut menu, and find the value of
Domain name (pre-Windows 2000) in the dialog box that is
displayed. The value is the NetBIOS name of the domain.
Priority Priority of the mapping. A smaller value indicates a higher
priority. When multiple mappings share the same source
user, the system uses the mapping with the highest priority.
[Value range]
1 to 32
Step 5 Click Add to Mapping List to add the mapping to the list below.
NOTE
You can set user mapping parameters and click Add to Mapping List to configure multiple
user mappings.
Step 6 Test, modify, or delete a user mapping.
● Testing a user mapping
Select a user mapping and click Test to check whether the target user in the
user mapping exists.
NOTE
You can also click More on the right of a desired user mapping and choose Test.
● Modifying a user mapping
a. Click More on the right of the desired user mapping and choose Modify.
The Modify User Mapping page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 132
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
b. Set basic user mapping parameters.
Table 2-42 describes the parameters.
c. Click OK.
● Deleting a user mapping
Select one or more desired user mappings and click Delete.
NOTE
You can also click More on the right of the desired user mapping and choose Delete.
Step 7 Click OK.
----End
Example
● User mapping rule example 1: Map Windows user win_user01 to UNIX user
ux_user01.
– Source user: win_user01
– Target user: ux_user01
– Mapping type: Windows to Unix
– Priority: 10 (default)
● User mapping rule example 2: Map any UNIX user to user1 in the AD domain
(domain name authtest).
– Source user: *
– Target user: authtest\user1
– Mapping type: Unix to Windows
– Priority: 10 (default)
2.8.4.3.4 Accessing a CIFS File Across Protocols
This section describes how an NFS client accesses CIFS files and directories for
which the NT ACL permission has been configured.
Prerequisites
● The user of the Linux client has the same UID and GID as the local
authentication user.
You can query the local authentication user ID and ID of its owning primary
group on the DeviceManager. On the Linux client, you can run the groupadd
-g GID user group name command to create a user group, and then run the
useradd -u UID -g GID user name command to create a user.
● Before you use an AD domain user to configure user mapping rules, the
storage system has been added to the AD domain.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 133
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Context
Before users can use an NFS client to access shared files and folders for which NT
ACLs have been configured, the administrator must follow the process as shown in
Figure 2-6 to configure related parameters.
Figure 2-6 Flowchart of configuring cross-protocol access of a CIFS file
Start
Create a file system. The security mode of the file system is NTFS.
Skip this step if AD, LDAP, or NIS domain users
Create a local authentication user.
access shares.
Create NFS and CIFS shares.
Configure user mapping parameters.
Configure user mapping rules.
Use a Linux client to mount and
access shares.
End
Mandatory Optional
Example
Table 2-43 provides an example of data planning during the configuration.
Table 2-43 Example of data planning
Item Planned Value
File system Name: share_dir
Security mode: NTFS
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 134
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Item Planned Value
Local authentication Name: unix_user1
user ID: 100001
Primary group name: unix_group
Primary group ID: 100000
Name: cifs_user1
NFS client user Name: unix_user1
The user must have the same UID and GID as the
local authentication user.
NFS share ● File system: share_dir
● Type of the client: host
● Name or IP address: x.x.0.10
● Permission: Read-write
● Advanced: The default settings are used.
CIFS share ● File system: share_dir
● Share name: share_dir_cifs
● Local authentication user: cifs_user1
● Permission level: Full control
Mapping Mode Local system user mappings are supported
preferentially.
User mapping rule ● Mapping type: Unix to Windows
● Source user: unix_user1
● Target user: cifs_user1
● Priority: 10
Step 1 Create a file system.
1. Choose Services > File Service > File Systems.
2. Create a file system named share_dir as planned.
Step 2 Create a local UNIX authentication user group and user.
1. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication User Groups.
2. Click Create to create a local authentication user group named unix_group as
planned.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 135
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
3. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication Users.
4. Click Create to create a local authentication user named unix_user1 as
planned.
Step 3 Create a local Windows authentication user.
1. Choose Services > File Service > Authentication Users > Windows Users >
Local Authentication Users.
2. Click Create to create a local authentication user named cifs_user1 as
planned.
Step 4 Create an NFS share and a CIFS share for the same file system.
1. Choose Services > File Service > Shares.
2. Create an NFS share and a CIFS share for the same file system based on
parameters as planned.
Step 5 Configure user mapping parameters.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Set Mapping Parameter and set Mapping Mode to Preferentially
support user mapping of this system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 136
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 6 Configure user mapping rules.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Create and configure user mapping rules as planned.
Step 7 Use a Windows client to access shared directory share_dir and set permissions of
files under the shared directory.
1. Use a Windows client to access a CIFS share.
2. Under the shared directory, create folder subdir1 and file file1.
3. Add one ACE to subdir1 and file1.
Right-click the file or folder and choose properties from the shortcut menu
that is displayed. In the properties dialog box that is displayed, click the
Security tab and add the modify permission ACE to user cifs_user1.
4. Delete the Everyone permissions for subdir1, so as to verify that the NFS
client has permissions of the mapped Windows user.
Step 8 Run the change service nfs_config g_ntfs_unix_security_ops=ignore command
on the storage system to ignore any modification on NFS client permissions.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 137
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
This operation is required because Security Style of the file system share_dir in this
example is NTFS and Windows ACLs exist.
Step 9 Use an NFS client to mount the share and access the share as local user
unix_user1.
1. Use an NFS client to mount the NFS share.
2. Run the groupadd -g 100000 unix_group command to create a user group
that has the same GID as the local authentication user group.
3. Run the useradd -u 100001 -g 100000 unix_user1 command to create a user
that has the same UID and GID as the local authentication user.
NOTE
The UID and GID in the command are used as an example only. They vary with site
conditions.
4. Run the su - unix_user1 command to switch users.
5. Write data to folder subdir1.
If the data is written to the folder successfully, the Linux client has a write
permission for the folder.
----End
2.8.4.3.5 Accessing an NFS File Across Protocols
This section describes how a CIFS client accesses a file or directory for which the
UNIX permission has been configured.
Prerequisites
The user of the Linux client has the same UID and GID as the local authentication
user.
You can query the local authentication user ID and ID of its owning primary group
on the DeviceManager. On the Linux client, you can run the groupadd -g GID user
group name command to create a user group, and then run the useradd -u UID -
g GID user name command to create a user.
Context
Before users can use a Windows client to access shared files and folders for which
the UNIX permission has been configured, the administrator needs to follow the
process as shown in Figure 2-7 to configure related parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 138
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Figure 2-7 Flowchart of configuring cross-protocol access of an NFS file
Start
Create a file system. The security mode of the file system is UNIX.
Create a local authentication user. Skip this step if AD domain users access shares.
Create NFS and CIFS shares.
Configure user mapping parameters.
Configure user mapping rules.
Use a Windows client to mount and
access shares.
End
Mandatory Optional
Example
Table 2-44 provides an example of data planning during the configuration.
Table 2-44 Example of data planning
Item Planned Value
File system Name: share_dir2
Security mode: UNIX
Local authentication user Name: cifs_user2
Name: unix_user2
ID: 100002
Primary group name: unix_group
Primary group ID: 100000
NFS client user Name: unix_user2
The user must have the same UID and GID as the
local authentication user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 139
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Item Planned Value
NFS share ● File system: share_dir2
● Type of the client: host
● Name or IP address: x.x.0.10
● Permission: Read-write
● Advanced: The default settings are used.
CIFS share ● File system: share_dir2
● Share name: share_dir_cifs2
● Local authentication user: cifs_user2
● Permission level: Full control
Mapping Mode Local system user mappings are supported
preferentially.
User mapping rule ● Mapping type: Windows to Unix
● Source user: cifs_user2
● Target user: unix_user2
● Priority: 10
Windows operating systems do not allow a file name to contain special characters.
Therefore, it is recommended that the file name and directory name of an NFS
share do not contain special characters including \:*/?"<>|, and the file name and
directory name do not end with a period (.) or a space. Otherwise, the storage
system converts the file name and directory name to short names (for example,
~PY203).
Step 1 Create a file system.
1. Choose Services > File Service > File Systems.
2. Create a file system named share_dir2 as planned.
Step 2 Create a local Windows authentication user.
1. Choose Services > File Service > Authentication Users > Windows Users >
Local Authentication Users.
2. Click Create to create a local authentication user named cifs_user2 as
planned.
Step 3 Create a UNIX local authentication user group and user.
1. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication User Groups.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 140
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2. Click Create to create a local authentication user group named unix_group as
planned.
3. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication Users.
4. Click Create to create a local authentication user named unix_user2 as
planned.
Step 4 Create an NFS share and a CIFS share for the same file system.
1. Choose Services > File Service > Shares.
2. Create an NFS share and a CIFS share for the same file system based on
parameters as planned.
Step 5 Configure user mapping parameters.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Set Mapping Parameter and set Mapping Mode to Preferentially
support user mapping of this system.
Step 6 Configure user mapping rules.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Create and configure user mapping rules as planned.
Step 7 Use an NFS client to mount the share and set permissions of files under the
shared directory.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 141
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
1. Use an NFS client to mount the NFS share.
2. Run the groupadd -g 100000 unix_group command to create a user group
that has the same GID as the local authentication user group.
3. Run the useradd -u 100002 -g 100000 unix_user2 command to create a user
that has the same UID and GID as the local authentication user.
NOTE
The UID and GID in the command are used as an example only. They vary with site
conditions.
4. Run the su - unix_user2 command to switch users.
5. Create the file1 file and grant the read-only permission.
NOTE
The security style of the file system (share_dir2) on the storage system is UNIX. The
default UNIX permission of the root directory of the file system is 755. Therefore, first
run the change file_system general file_system_id=? unix_permissions=777
command on the storage system to change the UNIX permission to 777.
# touch file1
# chmod 400 file1
Step 8 Use cifs_user2 to access file1 on a Windows client and verify that it has only the
read-only permission.
----End
2.9 Configuring Basic Storage Resources (vStore User,
Applicable to 6.1.3 and Later)
Log in to DeviceManager as a vStore user and configure storage resources for the
vStore. The NFS share and CIFS share are used as examples to describe how to
configure basic storage resources. For details about file service configuration, see
the Basic Storage Service Configuration Guide for File.
2.9.1 Creating a File System
This section describes how to create a file system to share storage resources in the
form of files or directories.
Context
File systems created in the storage system are thin file systems. That is, the
storage system will not allocate all of the configured capacity to file systems at a
time. Within the configured capacity, the storage system allocates storage
resources to file systems based on the actual capacity used by hosts.
Precautions
In a storage pool, if the total capacity of all thin file systems exceeds that of the
storage pool, data cannot be written if the capacity of the storage pool is used up.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 142
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Procedure
Step 1 Choose Services > File Service > File Systems.
Step 2 Click Create.
The Create File System page is displayed on the right.
NOTE
The screenshot is for reference only and the actual displayed information may vary.
Step 3 Set the basic information about the file system.
Table 2-45 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 143
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-45 File system parameters
Parameter Description
Name Name of the file system.
[Value range]
● The name must be unique.
● The name can contain only letters, digits, periods (.),
underscores (_), hyphens (-), and characters of different
languages.
● The name contains 1 to 255 characters.
Description Description of the file system.
NOTE
Description is hidden. To display hidden parameters, click
Advanced.
[Value range]
The description can be left blank or contain up to 255
characters.
Owning Storage Owning storage pool of the file system.
Pool
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 144
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Security Style Select a security style based on service requirements. It is
used to set the access control style of a file system in multi-
protocol mode.
NOTE
Only 6.1.5 and later versions support Mixed and Native.
● Mixed
Allows users of both CIFS and NFS clients to access and
control file systems. The last configured permissions
prevail.
● Native
Controls CIFS users' permissions with Windows NT ACLs
and NFS users' permissions with UNIX permissions (UNIX
mode bits, POSIX ACLs, and NFSv4 ACLs). Windows NT
ACLs and UNIX permissions will neither affect nor
synchronize with each other.
– For CIFS share access, Windows NT ACLs determine
whether Windows users have access permission.
NOTE
If Windows NT ACLs do not exist, UNIX mode bits determine
whether Windows users have access permission.
– For NFS share access, access permission of UNIX users
is determined by UNIX permissions.
● NTFS
Controls CIFS users' permissions with Windows NT ACLs.
NOTE
– If NTFS is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default Windows
user for the NFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The default Windows user must be an existing
local authentication user or AD domain user.
● UNIX
Controls NFS users' permissions with UNIX mode bits or
NFSv4 ACLs.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 145
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NOTE
– If UNIX is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default UNIX user
for the CIFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The default UNIX user must be an existing local
authentication user or NIS/LDAP domain user.
– In this mode, the default UNIX permission of the file system
root directory is 755. To change the value, run the change
file_system general file_system_id=? unix_permissions=?
command. For details about the command, visit Command/
Event/Error Code Query.
NAS Lock Policy NAS Lock Policy includes Mandatory Lock and Advisory
Lock.
● Mandatory Lock is recommended if clients using
different protocols simultaneously access the same file or
directory.
● Advisory Lock is recommended if high read and write
performance is required and clients using different
protocols do not access the same file or directory
simultaneously.
NOTE
– This parameter is available only when Security Style is set to
Native.
– Only 6.1.5 and later versions support this parameter.
VAAI Indicates whether to enable VAAI. VMware Storage APIs for
Array Integration (VAAI) are a set of APIs that allow ESXi
hosts to offload specific file operations to the storage array.
This enables vSphere to quickly implement key operations
and reduces the usage of the host CPU, memory, and
storage bandwidth for higher efficiency and lower O&M
costs.
● Enabled: The host offloads file operations to the storage
array. Once it is enabled, it cannot be disabled.
● Disabled: VAAI is not used.
NOTE
Only 6.1.5 and later versions support this parameter.
Step 4 Set the capacity and tuning information of the file system.
Table 2-46 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 146
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-46 Capacity and tuning parameters
Parameter Description
Capacity Capacity of the file system, which indicates the maximum
capacity allocated to the thin file system. That is, the total
capacity dynamically allocated to the thin file system
cannot exceed this value.
NOTE
● The maximum capacity of the file system cannot exceed the
system specifications. For details about the specifications, see
the Specifications Query tool.
● The storage system uses the following capacity algorithms
defined by Windows: 1 PB = 1,024 TB, 1 TB = 1,024 GB, 1 GB =
1,024 MB, 1 MB = 1,024 KB, and 1 KB = 1,024 bytes.
Capacity Alarm Alarm threshold of the file system capacity. An alarm will be
Threshold (%) generated when the threshold is reached.
NOTE
● Capacity Alarm Threshold (%) is hidden. To display hidden
parameters, click Advanced.
● Capacity threshold = File system capacity x (1 – Reserved
snapshot space ratio (%)) x Capacity alarm threshold (%)
● The alarm is cleared only when the used capacity of the file
system is smaller than 90% of the capacity threshold or the
capacity threshold minus 1 GB (whichever is larger).
Reserved Percentage of the file system snapshot space to the file
Snapshot Space system capacity.
Ratio (%) NOTE
● The file system space must not occupy the space reserved for
snapshots. For example, if the capacity of a file system is 100 GB
and the reserved snapshot space ratio is 20%, the used capacity
of the file system cannot exceed 80 GB.
● Snapshots can be created when the file system space is full but
the space reserved for snapshots is not full.
● Only 6.1.5 and later versions support this parameter.
Delete Obsolete Indicates whether to delete obsolete read-only snapshots. If
Read-Only used space of the file system reaches the capacity alarm
Snapshot threshold and used space of snapshots is larger than space
reserved for snapshots (source file system capacity x
reserved snapshot space ratio), the system automatically
deletes the oldest non-secure read-only snapshots.
NOTE
● Delete Obsolete Read-Only Snapshot is a hidden parameter.
To display hidden parameters, click Advanced.
● If both Delete Obsolete Read-Only Snapshot and Capacity
Auto-negotiation Policy are enabled, the capacity auto-
negotiation policy is executed first.
● Only 6.1.5 and later versions support this parameter.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 147
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Capacity Auto- The available capacity autonegotiation policies are as
negotiation follows:
Policy ● Not used: The storage capacity used by a file system is
fixed and is not flexibly adjusted by the storage system.
● Auto expansion: The file system capacity is
automatically increased to meet user needs for more
data writes, when the available space of a file system is
about to run out and the storage pool has available
space.
● Auto expansion/reduction: The storage system
automatically adjusts the file system capacity based on
file system space usage. When the available space of a
file system is about to run out and the storage pool has
available space, automatic capacity expansion will be
used to increase file system capacity. When the file
system's storage space is released, it can be reclaimed
into a storage pool and used by other file systems in
data write requests.
NOTE
● Capacity Auto-negotiation Policy is a hidden parameter. To
display hidden parameters, click Advanced.
● If both Delete Obsolete Read-Only Snapshot and Capacity
Auto-negotiation Policy are enabled, the capacity auto-
negotiation policy is executed first.
● Only 6.1.5 and later versions support this parameter.
Auto Expansion When the ratio of the used capacity to the total capacity of
Trigger Threshold a file system is greater than this threshold, the storage
(%) system automatically triggers file system capacity
expansion.
NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion or Auto
expansion/reduction.
● The value of Auto Expansion Trigger Threshold (%) must be
greater than that of Auto Reduction Trigger Threshold (%).
● Only 6.1.5 and later versions support this parameter.
Auto Reduction When the ratio of the used capacity to the total capacity of
Trigger Threshold a file system is smaller than this threshold, the storage
(%) system automatically triggers space reclamation to reduce
the file system capacity.
NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion/reduction.
● Only 6.1.5 and later versions support this parameter.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 148
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Auto Expansion Upper limit of automatic capacity expansion.
Upper Limit NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion or Auto
expansion/reduction.
● Only 6.1.5 and later versions support this parameter.
Auto Reduction Lower limit of automatic capacity reduction.
Lower Limit NOTE
● This parameter is displayed only when Capacity Auto-
negotiation Policy is set to Auto expansion/reduction.
● Only 6.1.5 and later versions support this parameter.
Application Type Application type of the file system. Preset application types
are provided for typical applications. In file service scenarios,
possible options are NAS_Default, NAS_Virtual_Machine,
NAS_Database, NAS_Large_File, Office_Automation, and
NAS_EDA.
NOTE
● The Application Request Size and File System Distribution
Algorithm parameters are set for preset application types. The
value of Application Request Size is 16 KB for NAS_Default,
NAS_Virtual_Machine, Office_Automation, and NAS_EDA, 8
KB for NAS_Database, and 32 KB for NAS_Large_File. If
Application Type is set to NAS_Default, NAS_Large_File,
Office_Automation, or NAS_EDA, File System Distribution
Algorithm is Directory balance mode. In this mode, directories
are evenly allocated to each controller by quantity. If
Application Type is set to NAS_Virtual_Machine or
NAS_Database, File System Distribution Algorithm is
Performance mode. In this mode, directories are preferentially
allocated to the controller to which the shared IP address
belongs, improving access performance of directories and files.
● When SmartCompression and SmartDedupe licenses are
imported to the system, the preset application types also display
whether SmartCompression and SmartDedupe are enabled. For
details, see SmartDedupe and SmartCompression Feature Guide
for File of the desired product model and version.
● Application Type cannot be changed once being configured.
You are advised to set the value based on the service I/O model.
● To create an application type, run the create workload_type
general name=? io_size=? command. For details, visit
Command/Event/Error Code Query.
● You can also run the create file_system general or change
file_system general command to create or modify a file system
respectively. For details, visit Command/Event/Error Code
Query.
Step 5 If a HyperMetro vStore pair has been created for the vStore, you need to configure
a HyperMetro pair for the newly created file system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 149
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Specify Remote Storage Pool for creating a remote file system. The system will
create a remote file system on the remote device of the HyperMetro vStore pair
and add the local and remote file systems to a HyperMetro pair.
For details about HyperMetro, see the HyperMetro Feature Guide for File of the
desired version.
Step 6 Configure shares for the file system.
● Set NFS shares for the file system.
a. Enable NFS.
b. Set Create From. Possible values are Template or New.
▪ Template
Select a share template from the drop-down list box. The system
presets the description and permission of the created share based on
the selected template. You can click Modify on the right of Share to
modify the share information.
▪ New
The system presets the read and write permissions of all clients. You
can click Modify on the right of Share to modify the share
information.
● Set CIFS shares for the file system.
a. Enable CIFS.
b. Set Create From. Possible values are Template or New.
▪ Template
Select a share template from the drop-down list box. The system
presets the description and permission of the created share based on
the selected template. You can click Modify on the right of Share to
modify the share information.
▪ New
The system presets the full control permission for everyone. You can
click Modify on the right of Share to modify the share information.
Step 7 Set a quota for the file system.
NOTE
Quota is a hidden option. To display hidden parameters, click Advanced.
1. Enable Quota.
NOTE
– The quota switch is disabled by default.
– When the Quota function is disabled, the system does not collect statistics on
quota usage. In this case, hard and soft quotas do not take effect.
2. Click Create.
The Create Quota page is displayed on the right.
3. Specify Quota Type. Possible options are Directory quota, User quota, and
User group quota.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 150
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
– Directory quota
The directory quota of a file system limits the space usage or file quantity
used by all dtrees in the file system.
NOTE
The directory quota of a file system takes effect only for dtrees whose quota
function is enabled. In addition, the quota of each dtree is limited separately.
– User quota
User quota: limits the space usage or file quantity used by a single user.
i. Click Select.
The Select User page is displayed.
ii. Select the users for which you want to create a quota.
○ If you select All users, the quota limits the space usage or file
quantity of each user in the system.
○ If you select Specified users, click Add. On the Add User page
that is displayed, select the UNIX Users or Windows Users tab,
and select one or more desired users. Then click OK.
NOTE
If you set User Type to Local authentication user, select the desired
users in the list below.
If you set User Type to LDAP domain user, NIS domain user, or AD
domain user, enter the user names in the Name text box.
To remove added users, click Remove on the right of a desired user, or
select one or more desired users and click Remove.
○ If you select Specified user groups, the quota limits the space
usage or file quantity of each specified user group. To add a user
group, click Add. On the Add User Group page that is displayed,
select a user group type and select the desired user groups. Then
click OK.
NOTE
If you set User Group Type to Local authentication user group,
select the desired user groups in the list below.
If you set User Group Type to LDAP domain user group or NIS
domain user group, enter the user group names in the Name text
box.
To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click
Remove.
iii. Click OK.
– User group quota
User group quota: limits the space usage or file quantity used by a single
user group.
i. Click Select.
The Select User Group page is displayed.
ii. Select the user groups for which you want to create a quota.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 151
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
○ If you select All user groups, the quota limits the space usage
or file quantity of each user group in the system.
○ If you select Specified user groups, the quota limits the space
usage or file quantity of each specified user group. To add a user
group, click Add. On the Add User Group page that is displayed,
select a user group type and select the desired user groups. Then
click OK.
NOTE
If you set User Group Type to Local authentication user group,
select the desired user groups in the list below.
If you set User Group Type to LDAP domain user group or NIS
domain user group, enter the user group names in the Name text
box.
To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click
Remove.
iii. Click OK.
4. Set space quotas.
Table 2-47 describes the parameters.
Table 2-47 Space quota parameters
Parameter Description
Hard Quota Space hard quota. If the quota is reached, the system
immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be larger than that of Soft Quota.
Soft Quota Space soft quota. If the quota is reached, the system
generates an alarm but still allows writes. After the hard
quota is reached, the system immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be smaller than that of Hard Quota.
5. Set file quantity quotas.
Table 2-48 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 152
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-48 File quantity quota parameters
Parameter Description
Hard Quota File quantity hard quota. If the quota is reached, new
files cannot be added. Operations on existing files are
not affected.
[Value range]
1 file to 2 billion files
The value must be larger than that of Soft Quota.
Soft Quota File quantity soft quota. If the quota is reached, the
system generates an alarm but new files can still be
added. After the hard quota is reached, new files cannot
be added.
[Value range]
1 file to 2 billion files
The value must be smaller than that of Hard Quota.
NOTE
– If you do not set the space quota or file quantity quota, the storage system only
collects statistics on but does not control the space usage or file quantity. To view
the statistics about used space quota and used file quantity quota, choose Services
> File Service > Quotas > Quota Reports, and select the desired file system.
– To modify a quota, click More on the right of the quota and select Modify.
– To delete a quota, select the quota and click Delete above the list or click More on
the right of the quota.
– The parameters for creating a quota are preset. A quota is created for a file system
only after the file system has been created.
Step 8 Configure data protection for the file system.
1. Enable Add to HyperCDP Schedule.
2. Select a HyperCDP schedule to create a HyperCDP object for the file system.
NOTE
● HyperCDP is a high-density snapshot technology that provides continuous data
protection for file systems. For details about the HyperCDP feature, see HyperCDP
Feature Guide for File of the desired version.
● The system has a built-in HyperCDP schedule NAS_DEFAULT_BUILDIN. The schedule is
executed once an hour (retains the latest three copies), once at 00:05 every day (retains
the latest two copies), and once at 00:10 every Sunday (retains the latest two copies).
● When you create a file system, the system selects the built-in HyperCDP schedule
NAS_DEFAULT_BUILDIN by default.
● A file system can be added to only one HyperCDP schedule. For a file system that has
been added to a HyperCDP schedule, if you want to change its owning HyperCDP
schedule, you need to remove the file system from the original HyperCDP schedule first.
● If a file system has not been added to a HyperCDP schedule during the file system
creation, you can add it to a HyperCDP schedule after the file system is created.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 153
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 9 Select Advanced in the upper right corner and set the audit log items of the file
system. The system records audit logs of operations on the file system. The audit
log items include Create, Delete, Read, Write, Open, Close, Rename, List
folders, Obtain properties, Set properties, Obtain security properties, Set
security properties, Obtain extension properties, and Set extension properties.
NOTE
To ensure that the selected audit log items take effect, choose Settings > File Service >
Audit Log to enable the audit log function.
Step 10 Set advanced attributes of the file system.
Table 2-49 describes the parameters.
Table 2-49 Advanced file system parameters
Parameter Description
Snapshot Indicates whether to visualize the directory of the file
Directory system snapshots.
Visibility
Auto Atime Indicates whether to enable the function of automatically
Update updating the Atime. Atime indicates the time when a
namespace is accessed. After this function is enabled, the
system updates the Atime based on the value of Atime
Update Frequency.
NOTE
Enabling Auto Atime Update compromises the system
performance.
Atime Update Indicates the Atime update frequency. The options can be
Frequency Hourly and Daily.
Snapshot This function is to obtain differential data between file
Comparison system snapshots during incremental backup by backup
software. After it is enabled, file system snapshot
comparison is provided.
NOTE
● To use this function, you are advised to set Snapshot Directory
Visibility to Visible. Otherwise, some backup software may fail
to access snapshots.
● Only 6.1.6 and later versions support this parameter.
Step 11 Set the Write Once Read Many (WORM) properties of the file system. The WORM
file system ensures that a file enters the protected state after being written. In this
case, the file cannot be modified, moved, or deleted, but can be read for multiple
times.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 154
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
Only 6.1.3 and later versions support the WORM feature.
Before setting the WORM properties of a file system, you need to initialize the global
WORM regulatory clock in the system view.
Due to the sensitivity of a WORM file system to data security, the following configuration
operations on file systems are restricted:
● Only read-only snapshots can be created for the WORM file system. The snapshot file
systems created for the WORM file system also have the WORM feature.
● When configured the remote replication function:
– If Pair Creation is set to Manual, ensure that the WORM file system modes at
both ends are the same. Otherwise, the primary/secondary relationship cannot be
established.
– If Pair Creation is set to Automatic, ensure that the global WORM regulatory
clock has been initialized on the remote end.
– If the primary file system is a WORM audit log file system, primary/secondary
switchover and disabling protection for the secondary resource are not supported.
Table 2-50 describes the parameters.
NOTE
The WORM properties are hidden. To display hidden parameters, click Advanced.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 155
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-50 WORM properties of a file system
Parameter Description
Mode Indicates the compliance mode of WORM protection.
● Regulatory compliance
– Files within the protection period cannot be modified,
renamed, or deleted by super administrators,
administrators, or common users.
– Files whose protection period expires can be deleted
but cannot be modified or renamed by super
administrators, administrators, or common users.
– A file system that contains files within the protection
period cannot be deleted by super administrators or
administrators.
– A file system, in which the protection period of all files
expires, can be deleted by super administrators and
administrators.
● Enterprise compliance
– Common users or administrators cannot modify,
delete, or rename files within the protection period,
but privileged users can delete these files.
– Files whose protection period expires can be deleted
but cannot be modified or renamed by super
administrators, administrators, or common users.
– Administrators cannot delete a file system that
contains files within the protection period, but
privileged users can delete the file system.
– A file system, in which the protection period of all files
expires, can be deleted by super administrators and
administrators.
NOTE
● Enterprise WORM file systems can be renamed, but Regulatory
Compliance WORM file systems cannot.
● Enterprise WORM file systems can be rolled back using a
snapshot, but Regulatory Compliance WORM file systems
cannot.
● Primary/secondary switchover and disabling protection for the
secondary resource are supported if the WORM mode of the
primary and secondary file systems of the remote replication is
enterprise compliance, but not supported if the WORM mode of
the primary and secondary file systems is regulatory compliance.
● Enterprise file systems cannot be configured as WORM audit log
file systems.
[Default value]
Regulatory compliance
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 156
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Min. Protection Minimum protection period supported by the WORM file
Period system. The protection period of a file in the WORM file
system cannot be smaller than the value of this parameter.
[Value range]
0 to 70 years or Indefinite.
NOTE
The value of Min. Protection Period must be less than or equal to
that of Max. Protection Period.
[Default value]
3 years
Max. Protection Maximum protection period supported by the WORM file
Period system. The protection period of a file in the WORM file
system cannot be longer than the value of this parameter.
[Value range]
1 day to 70 years or Indefinite.
NOTE
The value of Max. Protection Period cannot be 0.
[Default value]
70 years
Default Default protection period supported by the WORM file
Protection Period system. The protection period of a file in the WORM file
system is the default value of the parameter if you do not
set a protection period for the file.
[Value range]
● If the value of Max. Protection Period ranges from 1 day
to 70 years, Default Protection Period is a value from
Min. Protection Period to Max. Protection Period.
● If Max. Protection Period is set to Indefinite, Default
Protection Period is a value from Min. Protection
Period to 70 years or is Indefinite.
NOTE
To set Default Protection Period to Indefinite, you must set
Max. Protection Period to Indefinite. Otherwise, the setting
fails.
[Default value]
70 years
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 157
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Automatic After this function is enabled, a file automatically enters the
Lockout locked state if not being modified within Lockout Wait
Time (hours). The file in the locked state is protected. You
can only read the file, but cannot modify, rename, or delete
it.
NOTE
Modification operations include file data change and metadata
change.
[Default value]
Disabled
Lockout Wait Indicates the wait time before a file automatically enters the
Time locked state. This parameter is displayed only when
Automatic Lockout is enabled.
[Value range]
1 minute to 10 years.
[Default value]
If Automatic Lockout is enabled, the default value is 2
hours.
Automatic After this function is enabled, the system automatically
Deletion deletes files whose protection periods have expired.
NOTE
Before enabling this function, ensure that files do not need
protection and can be automatically deleted by the system after
they expire.
[Default value]
Disabled
WORM Audit Log After the WORM audit log file system is enabled, the system
File System records operation logs of the WORM file system, including
Add a litigation, Remove a litigation, and privileged
deletion of Enterprise WORM file systems.
NOTE
This parameter is available only when Mode is set to Regulatory
compliance.
[Default value]
Disabled
Step 12 Click OK.
Confirm your operation as prompted.
NOTE
After the task is created successfully, the Execution Result page is displayed. You can view
details about the current task on this page.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 158
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.9.2 (Optional) Creating a Dtree
A dtree is a subdirectory of a file system. You can set quotas and shares for a dtree
and manage file space usage and access permissions of the dtree.
Prerequisites
You have created a file system.
Procedure
Step 1 Choose Services > File Service > Dtrees.
Step 2 Click Create.
The Create Dtree page is displayed on the right.
NOTE
The screenshot is for reference only and the actual GUI may vary.
Step 3 Set dtree parameters.
Table 2-51 describes the parameters.
Table 2-51 Dtree parameters
Parameter Description
Owning File File system to which a dtree belongs.
System
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 159
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Name Name of a dtree.
[Value range]
You can enter multiple dtree names separated by commas
(,) or carriage returns.
A dtree name:
● The name must be unique.
● The name can contain only letters, digits, characters of
different languages, and special characters (!\"#&%$'()*
+-.;<=>?@[]^_`{|}~ and spaces).
● The name contains 1 to 255 characters.
● The name cannot only contain one or two consecutive
periods (. or ..).
Quota Indicates whether to enable the quota function of a dtree
based on service requirements.
When the Quota function is disabled, the system does not
collect statistics on quota usage. In this case, hard and soft
quotas do not take effect.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 160
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Security Style Select a security style based on service requirements. It is
used to set the access control style of a dtree in multi-
protocol mode.
NOTE
Only 6.1.5 and later versions support Mixed and Native.
● Mixed
Allows users of both CIFS and NFS clients to access and
control file systems. The last configured permissions
prevail.
● Native
Controls CIFS users' permissions with Windows NT ACLs
and NFS users' permissions with UNIX permissions (UNIX
mode bits, POSIX ACLs, and NFSv4 ACLs). Windows NT
ACLs and UNIX permissions will neither affect nor
synchronize with each other.
– For CIFS share access, Windows NT ACLs determine
whether Windows users have access permission.
NOTE
If Windows NT ACLs do not exist, UNIX mode bits determine
whether Windows users have access permission.
– For NFS share access, access permission of UNIX users
is determined by UNIX permissions.
● NTFS
Controls CIFS users' permissions with Windows NT ACLs.
NOTE
– If NTFS is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default Windows
user for the NFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The default Windows user must be an existing
local authentication user or AD domain user.
● UNIX
Controls NFS users' permissions with UNIX mode bits or
NFSv4 ACLs.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 161
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
NOTE
– If UNIX is selected, you are advised to enable user mapping
and set Mapping Mode to Support only user mapping of
this system in Services > File Service > Authentication
Users > User Mappings > Set Mapping Parameter.
– In addition, you are advised to configure a default UNIX user
for the CIFS service in Services > File Service >
Authentication Users > User Mappings > Set Mapping
Parameter. The default UNIX user must be an existing local
authentication user or NIS/LDAP domain user.
– In this mode, the default UNIX permission of the file system
root directory is 755. To change the value, run the change
file_system general file_system_id=? unix_permissions=?
command. For details about the command, visit Command/
Event/Error Code Query.
NAS Lock Policy NAS Lock Policy includes Mandatory Lock and Advisory
Lock.
● Mandatory Lock is recommended if clients using
different protocols simultaneously access the same file or
directory.
● Advisory Lock is recommended if high read and write
performance is required and clients using different
protocols do not access the same file or directory
simultaneously.
NOTE
● This parameter is available only when Security Style is set to
Native.
● Only 6.1.5 and later versions support this parameter.
Step 4 Click OK.
----End
2.9.3 (Optional) Creating a Quota
This operation enables you to create a quota to control and collect statistics of the
space usage or file quantity of one or all dtrees in a file system or of a single user
or user group.
Prerequisites
● You have created a dtree in a file system.
● When creating a quota for a specified user or user group, the user or user
group has been created.
Procedure
Step 1 Choose Services > File Service > Quotas > Custom Quotas.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 162
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 2 Click Create.
The Create Quota page is displayed on the right.
NOTE
The screenshot is for reference only and the actual displayed information may vary.
Step 3 Select the file system and dtree for which you want to create a quota.
NOTE
When the Dtree parameter is blank, the created user or user group quota takes effect for
the file system and the directory quota takes effect for all dtrees in the file system.
Step 4 Select a quota type. Possible options are Directory quota, User quota, and User
group quota.
● Directory quota
● User quota
a. Click Select.
The Select User page is displayed.
b. Select the users for which you want to create a quota.
▪ If you select All users, the quota controls the space usage or file
quantity of each user in the system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 163
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
▪ If you select Specified users, click Add. On the Add User page that
is displayed, select the UNIX Users or Windows Users tab, and
select one or more desired users. Then, click OK.
NOTE
○ If you set User Type to Local authentication user, select the users to be
added in the list below.
○ If you set User Type to LDAP domain user, NIS domain user, or AD
domain user, enter the user names in the Name text box.
○ If you set User Type to LDAP domain user, the system automatically
detects whether the LDAP domain has been configured. If no LDAP
domain is configured, the system prompts you to configure an LDAP
domain first.
○ If you set User Type to NIS domain user, the system automatically
detects whether the NIS domain has been configured. If no NIS domain
is configured, the system prompts you to configure an NIS domain first.
○ If you set User Type to AD domain user, the system automatically
detects whether the AD domain has been configured. If no AD domain is
configured, the system prompts you to configure an AD domain first.
○ To remove added users, click Remove on the right of a desired user, or
select one or more desired users and click Remove.
▪ If you select Specified user groups, the quota controls the space
usage or file quantity of each user in specified user groups. Click
Add. On the Add User Group page that is displayed, select a user
group type and select the desired user groups. Then, click OK.
NOTE
○ If you set User Group Type to Local authentication user group, select
the user groups to be added in the list below.
○ If you set User Group Type to LDAP domain user group or NIS domain
user group, enter the user group names in the Name text box.
○ If you set User Group Type to LDAP domain user group, the system
automatically detects whether the LDAP domain has been configured. If
no LDAP domain is configured, the system prompts you to configure an
LDAP domain first.
○ If you set User Group Type to NIS domain user group, the system
automatically detects whether the NIS domain has been configured. If
no NIS domain is configured, the system prompts you to configure an
NIS domain first.
○ To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click Remove.
c. Click OK.
● User group quota
a. Click Select.
The Select User Group page is displayed.
b. Select the user groups for which you want to create a quota.
▪ If you select All user groups, the quota controls the space usage or
file quantity of all user groups in the system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 164
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
▪ If you select Specified user groups, the quota controls the space
usage or file quantity of each specified user group. Click Add. On the
Add User Group page that is displayed, select a user group type and
select the desired user groups. Then, click OK.
NOTE
○ If you set User Group Type to Local authentication user group, select
the user groups to be added in the list below.
○ If you set User Group Type to LDAP domain user group or NIS domain
user group, enter the user group names in the Name text box.
○ If you set User Group Type to LDAP domain user group, the system
automatically detects whether the LDAP domain has been configured. If
no LDAP domain is configured, the system prompts you to configure an
LDAP domain first.
○ If you set User Group Type to NIS domain user group, the system
automatically detects whether the NIS domain has been configured. If
no NIS domain is configured, the system prompts you to configure an
NIS domain first.
○ To remove added user groups, click Remove on the right of a desired
user group, or select one or more desired user groups and click Remove.
c. Click OK.
Step 5 Set space quotas.
Table 2-52 describes the parameters.
Table 2-52 Space quota parameters
Parameter Description
Hard Quota Space hard quota. If the quota is reached, the system
immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be larger than that of Soft Quota.
Soft Quota Space soft quota. If the quota is reached, the system
generates an alarm but still allows writes. After the hard
quota is reached, the system immediately forbids writes.
[Value range]
1 KB to 256 PB
The value must be smaller than that of Hard Quota.
Step 6 Set file quantity quotas.
Table 2-53 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 165
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-53 File quantity quota parameters
Parameter Description
Hard Quota File quantity hard quota. If the quota is reached, new files
cannot be added. However, operations on existing files are
not affected.
[Value range]
1 to 2 billion
The value must be larger than that of Soft Quota.
Soft Quota File quantity soft quota. If the quota is reached, the system
generates an alarm but new files can still be added. After
the hard quota is reached, new files cannot be added.
[Value range]
1 to 2 billion
The value must be smaller than that of Hard Quota.
NOTE
If you do not set the space quota or file quantity quota, the storage system only collects
statistics on but does not control the space usage or file quantity. To view the statistics
about used space quota and used file quantity quota, choose Services > File Service >
Quotas > Quota Reports, and select the desired file system.
Step 7 Click OK.
----End
2.9.4 Sharing a File System
You can access a file system only after it is shared. File systems of vStores can be
shared using NFS or CIFS. This section describes how to share file systems using
these protocols. For details about the NFS and CIFS shares, see the Basic Storage
Service Configuration Guide for File specific to your product model and version.
NFS
Network File System (NFS) is a file sharing protocol developed by Sun and now
hosted by Internet Engineering Task Force (IETF). It applies to file system sharing
in Linux, Unix, Mac OS, and VMware operating systems.
CIFS
Common Internet File System (CIFS) is a file sharing protocol developed by
Microsoft and primarily used in Windows environments. The shares using CIFS
include CIFS shares and Homedir shares.
● A CIFS share is to share a file system or its quota tree among authentication
users, including local and domain authentication users. The users have the
permissions granted by the storage system on the CIFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 166
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● Homedir shares are a type of CIFS shares. A Homedir share is to share a file
system to a specific user as an exclusive directory. The user can only access
the exclusive directory named after its user name.
Accessing Shared Files Across Protocols
The storage system allows users to configure both NFS sharing and CIFS sharing
for a file system. The user mapping function allows users to access shared files
across protocols (CIFS-NFS) through clients on different platforms and obtain
precise permission control.
2.9.4.1 Configuring an NFS Share
This section describes how to configure an NFS share.
2.9.4.1.1 Configuration Process
Figure 2-8 shows the flowchart for configuring an NFS share.
Figure 2-8 Configuring an NFS share
Start
Prepare data.
Prepare data.
Enable NFSv4.
Domain environment Non-domain environment
Configure NFSv4 to be
Add the storage Add the storage compatible with non-
system to an LDAP system to an NIS domain environments.
domain. domain.
When a storage system is used According to the NFSv4 standard
in an LDAP or NIS environment, protocol, the NFSv4 service must be
add the storage system to an used in a domain environment.
Create an NFS share.
LDAP or NIS domain. However, if you need the NFSv4
service to be compatible with non-
domain environments, you must
Add an NFS client.
complete necessary settings on the
client.
Access the shared
space.
End
Optional Mandator
y
2.9.4.1.2 Preparing Data
Before configuring an NFS share in a storage system, plan and collect required
data to facilitate follow-up service configurations.
You need to prepare the following data:
● Logical IP address
Logical IP address used by a storage system to provide shared space for
clients.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 167
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● File system
File system shared through the NFS share.
● LDAP or NIS domain information
● Permission
The permissions include read-only and read-write.
– Read-only: Clients have the read-only permission for the NFS share.
– Read-write: Clients have the read and write permissions for the NFS
share.
NOTE
You can contact your network administrator to obtain desired data.
2.9.4.1.3 (Optional) Preparing LDAP Domain Configuration Data
Before adding a storage system to an LDAP domain, collect configuration data of
the LDAP domain server.
LDAP Domain Parameters
LDAP data is organized in a tree structure that clearly lays out organizational
information. A node on this tree is called an entry. Each entry has a distinguished
name (DN). The DN of an entry is composed of a base DN and relative DNs
(RDNs). The base DN refers to the position of the parent node where the entry
resides on the tree, and the RDN (such as UID or CN) refers to an attribute that
distinguishes the entry from others.
LDAP directories function as file system directories. For example, directory
dc=redmond,dc=wa,dc=microsoft,dc=com can be regarded as the following path
of a file system directory: com\microsoft\wa\redmond. In another example of
directory cn=user1,ou=user,dc=example,dc=com, cn=user1 indicates a user name
and ou=user indicates the organization unit of an Active Directory (AD), that is,
user1 is in the user organization unit of the example.com domain.
The following figure shows the data structure of an LDAP server.
Table 2-54 defines LDAP entry acronyms.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 168
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-54 LDAP entry definitions
Acronym Meaning
o Organization
ou Organization unit
c Country name
dc Domain component
sn Surname
cn Common name
What Is OpenLDAP?
OpenLDAP is an open implementation of LDAP that is now widely used in various
popular Linux releases.
OpenLDAP consists of the following components:
● slapd: an independent LDAP daemon
● slurpd: an independent LDAP update and replication daemon
● Libraries implementing LDAP
● Tool software and illustration client
The OpenLDAP website does not provide OpenLDAP installation packages for
Windows. You can obtain OpenLDAP installation packages for the following
Windows operating systems from the Userbooster website: Windows XP, Windows
Server 2003, Windows Server 2008, Windows Vista, Windows 7, Windows 8, and
Windows Server 2012.
Obtaining LDAP Configuration Data in Windows
The following describes how to obtain LDAP configuration data in Linux using
OpenLDAP as an example.
1. Open the OpenLDAP installation directory.
2. Find the slapd.conf system configuration file.
3. Use text editing software to open the configuration file and search for the
following fields:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw XXXXXXXXXXXX
– dc=example,dc=com maps to Base DN on the storage system
configuration page.
– cn=Manager,dc=example,dc=com maps to Bind DN on the storage
system configuration page.
– XXXXXXXXXXXX maps to Bind Password on the storage system
configuration page. If the password is in ciphertext, contact LDAP server
administrators to obtain the password.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 169
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
4. Find configuration files (.ldif files) of the users and user groups that need to
access the storage system.
NOTE
LDAP Interchange Format (LDIF) is one of the most common file formats for LDAP
applications. It is a standard mechanism that represents directories in the text format.
It allows users to import data to and export data from the directory server. LDIF files
store LDAP configurations and directory contents, and therefore can provide you with
related information.
5. Use text editing software to open the configuration file and find the DNs of a
user and a user group that correspond to User Directory and Group
Directory respectively on the storage system configuration page.
#root on the top
dn: dc=example,dc=com
dc: example
objectClass: domain
objectClass: top
#First organization unit name: user
dn: ou=user,dc=example,dc=com
ou: user
objectClass: organizationalUnit
objectClass: top
#Second organization unit name: groups
dn: ou=group,dc=example,dc=com
ou: group
objectClass: organizationalUnit
objectClass: top
#The first user represents user1 that belongs to organization unit user in the organizational structure
topology.
dn: cn=user1,ou=user,dc=example,dc=com
cn: user1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: user1
uid: user1
uidNumber: 2882
gidNumber: 888
homeDirectory: /export/home/ldapuser
loginShell: /bin/bash
userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
#The second user represents user2 that belongs to organization unit user in the organizational
structure topology.
dn: cn=user2,ou=user,dc=example,dc=com
cn: user2
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: client
uid: client
uidNumber: 2883
gidNumber: 888
homeDirectory: /export/home/client
loginShell: /bin/bash
userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
#The first user group represents group1 that belongs to organization unit group in the organizational
structure topology. The group contains user1 and user2.
dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
gidNumber: 888
memberUid: user1#Belongs to the group.
memberUid: user2#Belongs to the group.
objectClass: posixGroup
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 170
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Obtaining LDAP Configuration Data in Linux
The following describes how to obtain LDAP configuration data in Linux using
OpenLDAP as an example.
1. Log in to an LDAP server as user root.
2. Run the cd /etc/openldap command to go to the /etc/openldap directory.
linux-ldap:~ # cd /etc/openldap
linux-ldap:/etc/openldap #
3. Run the ls command to view the system configuration file slapd.conf and the
configuration files (.ldif files) of the users and user groups who want to
access the storage system.
linux-ldap:/etc/openldap #ls
example.ldif ldap.conf schema slap.conf slap.con slapd.conf
4. Run the cat command to open the system configuration file slapd.conf where
you can view related parameters.
linux-ldap:/etc/openldap #cat slapd.conf
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw XXXXXXXXXXXX
– dc=example,dc=com maps to Base DN on the storage system
configuration page.
– cn=Manager,dc=example,dc=com maps to Bind DN on the storage
system configuration page.
– XXXXXXXXXXXX maps to Bind Password on the storage system
configuration page. If the password is in ciphertext, contact LDAP server
administrators to obtain the password.
5. Run the cat command to open the example.ldif file. Find the DNs of a user
and a user group that correspond to User Directory and Group Directory
respectively on the storage system configuration page. For details about the
parameters, see 5.
2.9.4.1.4 (Optional) Configuring LDAP Domain Authentication Parameters
If an LDAP domain server is deployed on the customer's network, the storage
system must join the LDAP domain. Then, NFS clients must be authenticated by
the LDAP domain server when they attempt to access shared resources on the
storage system.
Prerequisites
● An LDAP domain has been set up.
● You have prepared the data required for configuring an NFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 171
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● The storage systems can connect to an LDAP server through management network
ports or service network ports (logical ports). If a storage system connects to an
LDAP server through management network ports, ensure that the management
network ports on at least two controllers can properly communicate with the LDAP
server. If a storage system connects to an LDAP server through service network
ports, it is recommended that the service network ports on at least two controllers
can properly communicate with the LDAP server. It is recommended that storage
systems connect to LDAP servers through service network ports.
● A storage system can connect to only one LDAP server.
● An LDAP server with high performance is recommended. This prevents issues such
as I/O latency increase when the storage system sends a large number of
concurrent query requests to the LDAP server.
Precautions
● You are advised to use physical isolation and end-to-end encryption to ensure
security of data transfer between the LDAP domain server and clients.
● You are advised to configure a static IP address for the LDAP server. If a
dynamic IP address is configured, security risks may exist.
● In the following scenario (the three situations occurred in sequence), use
clear nfs nfsv4_idmap_cache controller=? to clear the IDMAP cache of all
controllers:
a. First, the storage system had not been added to an LDAP domain or had
not been correctly added to an LDAP domain.
b. Then, an LDAP domain user of the host accessed the shared space of the
storage system through the NFSv4.0 or NFSv4.1 protocol.
c. Finally, the storage system has been correctly added to an LDAP domain.
2.9.4.1.5 (Optional) Preparing NIS Domain Configuration Data
Before adding a storage system to an NIS domain, collect the configuration data
of an NIS server.
Why NIS Domains?
In UNIX shared mode, all nodes that provide sharing services must maintain their
configuration files such as /etc/hosts and /etc/passwd. For example, if you add a
new node to the shared network, all UNIX-based systems must update their /etc/
hosts files to include the name of the new node. If you add a new user who may
need to access all nodes, all the systems must modify their /etc/passwd files.
These operations are time-consuming when more than 10 nodes are deployed.
Network Information Service (NIS) developed by SUN Microsystem uses a single
system (NIS server) to manage and maintain the files containing information
about host names and user accounts, providing references for all the systems
configured as NIS clients. When NIS is used, if you want to add a host to the
shared network, you only need to modify a related file on the NIS server and
transfer the modification to other nodes on the network.
The following figure shows the relationship between an NIS server and other
hosts.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 172
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Working Principles
When NIS is configured, the ASCII files in the NIS domain are converted to NIS
database files (or mapping table files). Hosts in the NIS domain query and parse
the NIS database files to perform operations such as authorized access and
updates. For example, common password file /etc/passwd of a UNIX host is
converted to the following NIS database files:
NIS Domain Parameters
Default maps for an NIS domain are located in each server's /var/yp/
domainname directory. For example, the maps that belong to the domain
test.com are located in each server's /var/yp/test.com directory.
The system super administrator can run the /usr/bin/domainname command to
rename a domain in interactive mode. Common users can run the domainname
command without parameters to obtain the default domain name of the local
system.
Data Preparation
Collect Domain Name, Primary Server Address, Standby Server Address 1
(Optional), and Standby Server Address 2 (Optional). For details about how to
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 173
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
obtain the data, see 2.8.4.1.7 (Optional) Configuring NIS Domain
Authentication Parameters.
2.9.4.1.6 (Optional) Configuring NIS Domain Authentication Parameters
If an NIS domain server is deployed on the customer's network, the storage
system must join the NIS domain. Then, NFS clients must be authenticated by the
NIS domain server when they attempt to access shared resources on the storage
system.
Prerequisites
● An NIS domain has been set up.
● You have prepared the data required for configuring an NFS share.
NOTE
● The storage systems can connect to an NIS server through management network
ports or service network ports (logical ports). If a storage system connects to an
NIS server through management network ports, ensure that the management
network ports on at least two controllers can properly communicate with the NIS
server. If a storage system connects to an NIS server through service network ports,
it is recommended that the service network ports on at least two controllers can
properly communicate with the NIS server. It is recommended that storage systems
connect to NIS servers through service network ports.
● A storage system can connect to only one NIS server.
Precautions
● You are advised to use physical isolation and end-to-end encryption to ensure
security of data transfer between the NIS domain server and clients.
● In the following scenario (the three situations occurred in sequence), use
clear nfs nfsv4_idmap_cache controller=? to clear the IDMAP cache of all
controllers:
a. First, the storage system had not been added to an NIS domain or had
not been correctly added to an NIS domain.
b. Then, an NIS domain user of the host accessed the shared space of the
storage system through the NFSv4.0 or NFSv4.1 protocol.
c. Finally, the storage system has been correctly added to an NIS domain.
2.9.4.1.7 (Optional) Configuring the NFSv4 Service for a Non-Domain Environment
This section describes how to configure the NFSv4 service for a non-domain
environment.
Background
According to the NFSv4 standard protocol, the NFSv4 service can be used only in a
domain environment to ensure proper running. To use the NFSv4 service in a non-
domain environment, configure the user name@domain name mapping
mechanism used by the NFSv4 service on your client. Then, the NFSv4 service will
use UIDs and GIDs to transfer owner and group information about files during
service transactions between your storage system and client.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 174
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
The storage system supports NFSv4.1 in 6.1.2 and later versions, and NFSv4.0 in
6.1.3 and later versions.
Risks
● In scenarios where the NFSv4 service is used in a non-domain environment,
the user authentication method of the NFSv4 service is the same as that of
the NFSv3 service. The method cannot meet the theoretical security
requirements of the NFSv4 standard protocol.
● Users mapped by each client depend on the configuration files of client users
and user groups. The configuration file of each user and user group must be
independently maintained for proper mapping.
● UIDs and GIDs must be used when ACLs are configured for non-root users
and non-root user groups. Otherwise, the configuration will fail.
● The NFSv4 service is not recommended in a non-domain environment. If
operations in Configuration on Clients are not performed, executing the
chown command may fail.
Configuration on Clients
Step 1 Run the echo 1 > /sys/module/nfs/parameters/nfs4_disable_idmapping
command.
Step 2 Run the cat /sys/module/nfs/parameters/nfs4_disable_idmapping command. If
Y is displayed in the command output, the NFSv4 service is successfully
configured.
NOTICE
If you have used the NFSv4 service to mount NFS shares before configuring the
NFSv4 service for a non-domain environment, mount the NFS shares again after
configuring the NFSv4 service.
----End
2.9.4.1.8 Creating an NFS Share
This section describes how to create an NFS share. After an NFS share is created,
shared file systems are accessible to clients that run SUSE, Red Hat, HP-UX,
Solaris, and AIX.
Prerequisites
You have obtained required data for configuring an NFS share.
Procedure
Step 1 Choose Services > File Service > Shares > NFS Shares.
Step 2 On the NFS Shares tab page, click Create.
The Create NFS Share page is displayed on the right.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 175
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The screenshot is for reference only and the actual GUI may vary.
Step 3 Set basic NFS share parameters.
Table 2-55 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 176
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-55 Basic NFS share parameters
Parameter Description
File System File system for which you want to create an NFS share.
NOTE
When global root directory / is selected for File System, you can
create an NFS global namespace (GNS) share.
● Each vStore can only create one GNS.
● An independent share must be added for a file system. After the
share is added, this file system will not be displayed if a host is
only authorized to access / but not the file system.
● GNS root directory / is read-only. You cannot create, modify, and
delete directories or files under / and you cannot modify
directory attributes of /. Once the directory of a file system is
entered, the permission will be changed to the share permission
of the file system.
● If no GNS is created, root directory / cannot be mounted to an
NFSv3 client. Only shared file systems can be viewed when / is
mounted to an NFSv4 client.
● When creating an NFS GNS share, you can only set the
description for the share.
● If you want to create a HyperMetro or HyperReplication vStore
pair and a GNS has been created for the primary vStore, the
version of the secondary storage system must be the same as
that of the primary storage system. If a vStore pair has been
created, you can create a GNS share only when the versions of
the primary and secondary storage systems are the same and
support GNSs.
[Example]
FileSystem001
NOTICE
If the selected file system is the secondary storage system in a
remote replication pair or remote storage system in a HyperMetro
pair, data in the file system is probably being modified when it is
accessed. Before performing this operation, confirm that the
application allows possible data inconsistency.
Dtree Dtree for which you want to create an NFS share. If you do
not select a dtree, the NFS share is created for the entire file
system.
[Example]
Dtree_test
Share Path Share path of the file system, which is generated based on
the File System and Dtree parameters.
[Example]
/Filesystem001/Dtree_test
Description Description of the NFS share.
[Value range]
The description can be left blank or contain up to 255
characters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 177
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Character Clients communicate with the storage system using codes.
Encoding Codes configured on the share must be the same as that of
the clients. These codes apply to names and metadata of
shared files, but do not change the codes of file data. Codes
include:
● UTF-8
International code set
● EUC-JP
euc-j*[ja] code set
● JIS
JIS code set
● S-JIS
cp932*[ja_jp.932] code set
● ZH
Simplified Chinese code set, in compliance with GB 2312
● GBK
Simplified Chinese code set, in compliance with GB 2312
● EUC-TW
Traditional Chinese code set, in compliance with CNS
11643
● BIG5
cp950 traditional Chinese code set
● DE
German character set, in compliance with ISO 8859-1
● PT
Portuguese character set, in compliance with ISO 8859-1
● ES
Spanish character set, in compliance with ISO 8859-1
● FR
French character set, in compliance with ISO 8859-1
● IT
Italian character set, in compliance with ISO 8859-1
● KO
cp949 Korean code set
● AR
Arabic character set, in compliance with ISO 8859-6
● CS
Czech character set, in compliance with ISO 8859-2
● DA
Danish character set, in compliance with ISO 8859-1
● FI
Finnish character set, in compliance with ISO 8859-1
● HE
Hebrew character set, in compliance with ISO 8859-8
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 178
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
● HR
Croatian character set, in compliance with ISO 8859-2
● HU
Hungarian character set, in compliance with ISO 8859-2
● NO
Norwegian character set, in compliance with ISO 8859-1
● NL
Dutch character set, in compliance with ISO 8859-1
● PL
Polish character set, in compliance with ISO 8859-2
● RO
Romanian character set, in compliance with ISO 8859-2
● RU
Russian character set, in compliance with ISO 8859-5
● SK
Slovak character set, in compliance with ISO 8859-2
● SL
Slovenian character set, in compliance with ISO 8859-2
● SV
Swedish character set, in compliance with ISO 8859-1
● TR
Turkish character set, in compliance with ISO 8859-9
● EN-US
English character set, in compliance with ISO 8859-1
NOTE
Method of querying character encoding on clients (for example, in
Linux): Run the locale command to view character encoding of the
current system.
Show Snapshot This function allows clients to show and traverse snapshot
directories.
NOTE
Description, Character Encoding, and Show Snapshot are hidden parameters. You can
click Advanced to display them.
Step 4 Configure access permissions for the NFS share.
Click Add to add a client. For details, see 2.9.4.1.9 Adding NFS Share Clients.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 179
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
● When Type is set to Host, the system automatically detects whether the LDAP domain,
NIS domain, or DNS has been configured. To add a client by specifying the host name,
configure at least one of them.
● When Type is set to Network group, the system automatically detects whether the
LDAP domain or NIS domain has been configured. You must configure at least one of
them.
● You can click More on the right of a client and select Modify to modify its information.
● You can select one or more clients and click Remove, or click More on the right of a
client and select Remove, to remove clients.
Step 5 Click OK.
----End
2.9.4.1.9 Adding NFS Share Clients
An NFS share client enables client users to access shared file systems through the
network.
Prerequisites
● You have obtained required data for configuring an NFS share.
● You have created a host name available on the DNS if you need to add a
client whose Type is Host.
● You have created a network group name available on the LDAP or NIS server
if you need to add a client whose Type is Network group.
● If Share Path is set to global root directory /, you cannot add a client.
Procedure
Step 1 Choose Services > File Service > Shares > NFS Shares.
Step 2 Click More on the right of the desired NFS share and select Add Client.
The Add Client page is displayed.
NOTE
Alternatively, perform either of the following operations to add a client:
● Click the path of the desired NFS share. On the page that is displayed, click Add in the
Permissions area.
● Click the path of the desired NFS share. In the upper right corner of the page that is
displayed, click Operation and select Add Client.
Step 3 Set client attributes.
Table 2-56 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 180
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-56 Client parameters
Parameter Description
Type Client type of the NFS share.
[Value range]
● Host
● Network group
NOTE
● When a client is included in multiple share permissions, the
priority of share authentication from high to low is in the
following sequence: host name > IP address > network segment
> wildcard > network group > *.
● When Type is set to Network group and the vStore to which the
share belongs is configured with the DNS service, add the
reverse lookup zones of the network segments where the client
IP addresses reside on the DNS server. Otherwise, the host I/O
latency may increase.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 181
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Clients When Type is set to Host, enter client host names (FQDNs
are recommended), IP addresses, or IP address segments, or
use the asterisk (*) to represent IP addresses of all clients.
When Type is set to Network group, enter the network
group names configured in the LDAP or NIS domain.
NOTE
● When Type is set to Host, the system automatically detects
whether the LDAP domain, NIS domain, or DNS has been
configured. To add a client by specifying the host name,
configure at least one of them.
● When Type is set to Network group, the system automatically
detects whether the LDAP domain or NIS domain has been
configured. You must configure at least one of them.
[Value range]
You can enter multiple host names, IP addresses, or network
group names of the clients separated by semicolons (;),
spaces, or carriage returns.
For host names:
● A host name contains 1 to 255 characters and cannot
contain spaces.
● A host name cannot start with a hyphen (-).
For IP addresses:
● You can enter client IP addresses, client IP address
segments, or an asterisk (*) to represent IP addresses of
all clients.
● IPv4 addresses, IPv6 addresses, or the combination of
IPv4 and IPv6 addresses are supported.
● The mask of an IPv4 address ranges from 1 to 32. The
prefix of an IPv6 address ranges from 1 to 128.
A network group name:
● Contains 1 to 254 characters.
● The value can contain only letters, digits, underscores (_),
periods (.), and hyphens (-).
UNIX Permission Indicates the permission level for the UNIX client to access
the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 182
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Kerberos5 Indicates the permission level for the Kerberos5 client to
Permission access the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
Kerberos5i Indicates the permission level for the Kerberos5i client to
Permission access the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
Kerberos5p Indicates the permission level for the Kerberos5p client to
Permission access the NFS share. Possible options are:
● Read-only: The clients can only read files in the NFS
share.
● Read-write: The clients can read and write files in the
NFS share.
● None: No operation is allowed on the NFS share.
root Permission Controls the root permission of the clients.
Constraint ● root_squash: does not allow a client to access the share
as user root. Otherwise, the client will be mapped as an
anonymous user.
● no_root_squash: allows a client to access the share as
user root that has full control and access permissions for
shared directories.
NOTE
● If a VM needs to be created in an NFS share, select
no_root_squash. Otherwise, the VM may run abnormally.
● For a file system or dtree whose security mode is UNIX, the
default UNIX permission is 755. If root_squash is enabled for the
NFS share permission of the file system or dtree, user root only
has the read and execute permissions. You can run the change
file_system general file_system_id=? unix_permissions=? or
change dtree dtree_id=? unix_permissions=? command to
modify the UNIX permission of the file system or dtree.
Step 4 Set advanced client parameters. Select Advanced in the upper right corner.
Table 2-57 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 183
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-57 Advanced client parameters
Parameter Description
Permission Indicates whether to retain the user ID (UID) and group ID
Constraint (GID) of a shared directory.
● all_squash: The UID and GID of a shared directory are
mapped to user nobody, which is applicable to public
directories.
● no_all_squash: retains the UID and GID of a shared
directory.
[Default value]
no_all_squash
Source Port Indicates whether to enable source port verification.
Verification ● secure: allows clients to access the NFS share using ports
Constraint 1 to 1023.
● insecure: allows clients to access the NFS share using
any port.
[Default value]
insecure
Step 5 Click OK.
----End
2.9.4.1.10 Accessing an NFS Share
This section describes how to use a client to access an NFS share. A client accesses
an NFS share in an LDAP/NIS domain or a non-domain environment in the same
way.
Context
● The storage system supports NFSv3, NFSv4.0, and NFSv4.1.
NOTE
● Only 6.1.2 and later versions support NFSv4.1.
● Only 6.1.3 and later versions support NFSv4.0.
● The NFSv4.0 and NFSv4.1 services are disabled by default in the storage
system. If you want to use NFSv4.0 or NFSv4.1 for share access, enable the
NFSv4 service first.
● Only 6.1.3 and later versions support the NFS global namespace (GNS) share.
● You can run the change user_mode current_mode user_mode=developer
command to enter the developer mode. For details about the commands, see
the advanced O&M command reference.
Precautions
When a file system is mounted using NFSv4.0 or NFSv4.1, ensure that the same
domain name is configured for both the host and storage. (Generally, the default
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 184
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
domain name is localdomain on both the host and storage device.) Otherwise,
when files created by a host user are queried on the storage, the information
about the user and group to which the files belong is incorrectly displayed. For
example, user root is displayed as nobody on the storage.
● On the host, query the domain name in the configuration file of the idmapd
service. For example, in the SUSE operating system, you can run the vi /etc/
idmapd.conf command to query or edit the value of Domain.
● On the storage, run the change vstore view id=? command to enter the
vStore view. You can run the show vstore command to query the value of id.
Then run the show service nfs_config command in developer mode to query
the domain name. The default domain name is localdomain. To change the
domain name on the storage, run the change service nfs_config
domain_name=? command.
SUSE, Red Hat, or Ubuntu Client
Step 1 Log in to the client as user root.
Step 2 Run the showmount -e ipaddress command to view available NFS shares in the
storage system.
ipaddress represents the logical IP address of the storage system. 192.168.50.16 is
used as an example.
#showmount -e 192.168.50.16
Export list for 192.168.50.16
/nfstest *
#
NOTE
/nfstest in the output represents the share path of the NFS share created in the storage
system. If a GNS is created, / will be displayed.
Step 3 Run the mount -t nfs -o vers=n,proto=m,rsize=o,wsize=p,hard,intr,timeo=q
ipaddress:sharepath /mnt command to mount an NFS share to the client. Table
2-58 describes the related parameters.
sharepath is the share path of the NFS share created in the storage system.
#mount -t nfs -o vers=3,proto=tcp,rsize=262144,wsize=262144,hard,intr,timeo=50 192.168.50.16:/
nfstest /mnt
NOTE
● If the client uses NFSv4.1 to mount an NFS share, you are advised to specify the
minorversion parameter. For a SUSE client, run the following command (commands for
other operating systems are similar):
mount -t nfs -o vers=4,minorversion=1,proto=tcp,rsize=262144,wsize=262144,hard,intr,timeo=50
192.168.50.16:/nfstest /mnt
● To mount a GNS, run the following command:
#mount -t nfs -o vers=3,proto=tcp,rsize=262144,wsize=262144,hard,intr,timeo=50
192.168.50.16:/ /mnt
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 185
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-58 Parameters for mounting an NFS share to a SUSE, Red Hat, or Ubuntu
client
Parameter Description Example
o Option for mounting The default value is rw.
an NFS share,
including ro and rw.
● ro: mounts a
share that is
read-only.
● rw: mounts a
share that can be
read and written.
vers NFS version. In an environment that requires high
reliability, you are advised to use NFSv3.
proto Transfer protocol. Set this parameter to tcp.
rsize Number of bytes for 262144 is recommended.
reading files from an
NFS server.
wsize Number of bytes for 262144 is recommended.
writing files to an
NFS server.
timeo Interval for ● The default value is 600.
retransmission upon ● If there is a high requirement on the
timeout. The unit is service recovery time, you are
0.1 second. advised to set this parameter to 50.
NOTE
In the preceding table, vers is mandatory, and other parameters are optional. You are
advised to use the recommended parameter settings.
Step 4 Run the mount command to verify that the NFS share has been mounted to the
local computer.
#mount
192.168.50.16:/nfstest on /mnt type nfs
(rw,vers=3,proto=tcp,rsize=262144,wsize=262144,hard,intr,timeo=50,addr=192.168.50.16)
NOTE
If a GNS is mounted, the following information is displayed:
#mount
192.168.50.16:/ on /mnt type nfs
(rw,vers=3,proto=tcp,rsize=262144,wsize=262144,hard,intr,timeo=50,addr=192.168.50.16)
When the preceding information is displayed, the NFS share has been successfully
mounted to the local computer.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 186
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Debian Client
Step 1 Log in to the client as user root.
Step 2 On the client, run the apt-get install nfs-common command to install the nfs-
common software package.
Step 3 Run the showmount -e ipaddress command to view available NFS shares in the
storage system.
ipaddress represents the logical IP address of the storage system. 192.168.50.16 is
used as an example.
#showmount -e 192.168.50.16
Export list for 192.168.50.16
/nfstest *
#
NOTE
/nfstest in the output represents the share path of the NFS share created in the storage
system. If a GNS is created, / will be displayed.
Step 4 Run the mkdir /mnt/share command to create a directory on the client to mount
an NFS share.
The following uses the /share directory as an example.
Step 5 Run the mount ipaddress:sharepath /mnt/share command to mount an NFS
share.
sharepath represents the Share Path of the NFS share created in the storage
system.
mount 192.168.50.16:/nfstest /mnt/share
NOTE
To mount a GNS, run the following command:
mount 192.168.50.16:/ /mnt/share
Step 6 Run the df -hT command to verify that the NFS share has been successfully
mounted to the local computer.
----End
HP-UX or SUN Solaris Client
Step 1 Log in to the client as user root.
Step 2 Run the showmount -e ipaddress command to view available NFS shares in the
storage system.
ipaddress represents the logical IP address of the storage system. 192.168.50.16 is
used as an example.
#showmount -e 192.168.50.16
Export list for 192.168.50.16
/nfstest *
#
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 187
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
/nfstest in the output represents the share path of the NFS share created in the storage
system. If a GNS is created, / will be displayed.
Step 3 Run the mount [-F nfs|-f nfs] -o vers=n,proto=m ipaddress:sharepath /mnt
command to mount an NFS share. Table 2-59 describes the related parameters.
sharepath is the share path of the NFS share created in the storage system.
#mount -f nfs -o vers=3,proto=tcp 192.168.50.16:/nfstest /mnt
NOTE
To mount a GNS, run the following command:
#mount -f nfs -o vers=3,proto=tcp 192.168.50.16:/ /mnt
Table 2-59 Parameters for mounting an NFS share to an HP-UX or a SUN Solaris
client
Parameter Description Example
-F nfs or -f nfs Optional. -F nfs is available to an HP-UX client
and -f nfs is available to a Solaris client.
vers NFS version. In an environment that requires high
reliability, you are advised to use NFSv3.
proto Transfer protocol. Set this parameter to tcp.
NOTE
In the preceding table, vers is mandatory, and other parameters are optional. You are
advised to use the recommended parameter settings.
Step 4 Run the mount command to verify that the NFS share has been mounted to the
local computer.
#mount
192.168.50.16:/nfstest on /mnt type nfs (rw,vers=3,proto=tcp,addr=192.168.50.16)
NOTE
If a GNS is mounted, the following information is displayed:
#mount
192.168.50.16:/ on /mnt type nfs (rw,vers=3,proto=tcp,addr=192.168.50.16)
When the preceding information is displayed, the NFS share has been successfully
mounted to the local computer.
----End
IBM AIX Client
Step 1 Log in to the client as user root.
Step 2 Run showmount -e ipaddress to view available NFS shares in the storage system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 188
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
ipaddress represents the logical IP address of the storage system. 192.168.50.16 is
used as an example.
#showmount -e 192.168.50.16
Export list for 192.168.50.16
/nfstest *
#
NOTE
/nfstest in the output represents the share path of the NFS share created in the storage
system. If a GNS is created, / will be displayed.
Step 3 Run the mount ipaddress:sharepath /mnt command to mount an NFS share.
sharepath represents the Share Path of the NFS share created in the storage
system.
#mount 192.168.50.16:/nfstest /mnt
mount: 1831-008 giving up on:
192.168.50.16:/nfstest
Vmount: Operation not permitted.
#
NOTE
● To mount a GNS, run the following command:
#mount 192.168.50.16:/ /mnt
mount: 1831-008 giving up on:
192.168.50.16:/
Vmount: Operation not permitted.
#
● If the default NFS port on an AIX client is different from that on the storage system, the
preceding command cannot be executed and a message is displayed indicating that the
operation permission is restricted. The NFS share fails to be mounted. In this case, run
the following command to solve this problem. You can also use the SMIT menu to
mount the NFS shared file system.
#nfso -o nfs_use_reserved_ports=1
Setting nfs_use_reserved_ports to 1
Step 4 Run the mount command to verify that the NFS share has been mounted to the
local computer.
#mount
192.168.50.16:/nfstest on /mnt type nfs (rw,addr=192.168.50.16)
NOTE
If a GNS is mounted, the following information is displayed:
#mount
192.168.50.16:/ on /mnt type nfs (rw,addr=192.168.50.16)
When the preceding information is displayed, the NFS share has been successfully
mounted to the local computer.
----End
VMware Client
NOTE
When you want to create VMs on an NFS share, Root Permission Constraint of the NFS
share must be no_root_squash.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 189
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● vSphere Client
NOTE
GUIs may vary with versions. The actual GUIs prevail.
Step 1 Log in to VMware vSphere Client.
Step 2 Select the desired host from the left navigation tree.
Step 3 Choose Configuration > Storage > Add Storage.
The Add Storage wizard is displayed.
Step 4 In Select Storage Type, select Network File System and click Next.
The Locate Network File System page is displayed.
Step 5 Set the related parameters. Table 2-60 describes related parameters.
Table 2-60 Parameters for adding an NFS share in VMware
Parameter Description Value
Server Logical IP address of the Example
storage system. 192.168.50.16
Folder Share Path of the NFS Example
share created in the /nfstest
storage system.
Datastore Name Name of the NFS share Example
in VMware. data
Step 6 Click Next.
Step 7 Confirm the information and click Finish.
Step 8 On the Configuration tab page, view the newly added NFS share.
----End
● vSphere Web Client (VMware vSphere 5.5 as an example)
NOTE
GUIs may vary with versions. The actual GUIs prevail.
Step 1 Log in to the VMware vSphere Web Client.
Step 2 Choose Storage > Datastores > New datastore.
The New datastore wizard is displayed.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 190
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 3 On the Select creation type page, select Mount NFS datastore and click Next.
The Provide NFS mount details page is displayed.
Step 4 Set related parameters.
Table 2-61 Parameter settings
Parameter Description
Name Name of the NFS datastore.
NFS server Name of the NFS server, which can be the IP address of
the logical port or DNS name.
NFS share Path of the NFS share.
NFS version NFS version, which can be NFS 3 or NFS 4.
NOTE
● The system and data disks of VMs reside in datastores of ESXi
hosts. NFSv3 has higher performance than NFSv4.1. Therefore,
you are advised to use NFSv3 to mount NFS datastores to ESXi
hosts.
● If multiple hosts access the same datastore, you must use the
same NFS protocol on all hosts.
Step 5 Click Next, confirm the information, and click Finish.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 191
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Follow-up Procedure
If you modify NFS user information, new user authentication information takes
effect after 30 minutes.
2.9.4.2 Configuring a CIFS Share
This section describes how to configure a CIFS share.
2.9.4.2.1 Configuration Process
Figure 2-9 shows the flowchart for configuring a CIFS share.
Figure 2-9 Configuring a CIFS share
Start
Prepare data.
Non-domain environment Domain
environment
Create a local
authentication user
group. Add the storage system
to an AD domain.
Create a local
authentication user.
Create a CIFS share.
AccessAdd
thean NFS share
shared space.
client.
End
Optional Mandator
y
2.9.4.2.2 Preparing Data
Before configuring a CIFS share in a storage system, plan and collect required data
to facilitate follow-up service configurations.
You need to prepare the following data:
● Logical IP address
Logical IP address used by a storage system to provide shared space for
clients.
● File system
File system or its dtree configured as a CIFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 192
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● Name of a CIFS share
● Permission
Permission of a user or user group to access a CIFS share, including:
– Full control: The user can fully control the CIFS share.
– Read-only: The user can only read the CIFS share.
– Read and write: The user can read and write the CIFS share.
– Forbidden: The user cannot access the CIFS share.
● Local authentication user
Users for local authentication of the storage system in a non-domain
environment.
● AD domain information
● DNS
IP address of the DNS server.
NOTE
You can contact your network administrator to obtain desired data.
2.9.4.2.3 (Optional) Creating a Local Authentication User Group
This section describes how to create a local authentication user group. Local
authentication user groups are used to control the share access permissions of
specific local authentication users.
Context
A system has nine local authentication user groups that are automatically created.
The nine user groups are reserved for the system and cannot be modified or
deleted:
● Administrators is the administrator group. When the group members access
a shared namespace in the storage system, they do not need to be
authenticated by share-level ACLs and NT ACLs. They can operate any file in
any share with administrator permissions without the need to be
authenticated.
● Other user groups are common user groups. When the group members access
a shared file system of the storage system, they can have the corresponding
permissions only after being authenticated.
NOTE
An access control list (ACL) is a collection of permissions that are authorized to users or
user groups to operate shared files. ACL permissions are classified into ACL storage
permissions and ACL authentication permissions. After a user logs in to a share, the system
determines the user's permissions on the share, reads the ACL permissions, and then
determines whether the user can read and write files. For ACL storage permissions, each
ACL permission is called an Access Control Entry (ACE). After a share is mounted to a
Windows client, the client sends NT ACLs to the server (storage system that provides the
share).
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 193
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Procedure
Step 1 Choose Services > File Service > Authentication Users > Windows Users > Local
Authentication User Groups.
Step 2 Click Create.
The Create Local Windows Authentication User Group page is displayed on the
right.
Step 3 Set basic parameters for the local authentication user group.
Table 2-62 describes the parameters.
Table 2-62 Basic local authentication user group parameters
Parameter Description
Name Name of the local authentication user group.
[Value range]
● The name must be unique.
● The name cannot contain "/[]:|<>+=;?*@, or control
characters, and cannot end with a period (.). If the name
starts or ends with a space, the space is not displayed
after the name is created.
● The name can contain case-insensitive letters. For
example, aa and AA cannot be created at the same time.
● The user group name cannot be the same as the name of
a local authentication user.
● The name contains 1 to 256 characters.
Description Description of the local authentication user group.
[Value range]
The description can be left blank or contain up to 256
characters.
Step 4 Select privileges for the local authentication user group. You can view details
about the privileges in the description.
Step 5 Click OK.
----End
2.9.4.2.4 Creating a Local Authentication User
This section describes how to create a local authentication user. For applications
that use local authentication, local authentication users are used to access shares.
You can add a local authentication user to a user group for authentication and
access a share as the user group.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 194
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Procedure
Step 1 Choose Services > File Service > Authentication Users > Windows Users > Local
Authentication Users.
Step 2 Click Create.
The Create Local Windows Authentication User page is displayed on the right.
Step 3 Set basic parameters for the local authentication user.
Table 2-63 describes the parameters.
Table 2-63 Basic local authentication user parameters
Parameter Description
Name Name of the local authentication user.
[Value range]
● The name must be unique.
● The name cannot contain "/\][:;|=,+*?<>@, spaces, or
control characters, and cannot end with a period (.).
● The name can contain case-insensitive letters. For
example, aaaaaaaa and AAAAAAAA cannot be created
at the same time.
● The name cannot be the same as the name of a local
authentication user group.
● The name contains 3 to 20 characters.
NOTE
You can modify the minimum length of the user name on the Set
Security Policy page.
Password Password of the local authentication user.
[Value range]
● The password contains 8 to 32 characters.
● The password must contain at least one of the following
types: special characters, uppercase letters, lowercase
letters, and digits. Special characters include !"#$%&'()*
+,-./:;<=>?@[\]^`{_|}~ and spaces.
● The password cannot contain three consecutive identical
characters.
● The password cannot be the same as the user name or
the user name spelled backward.
NOTE
You can set security policies for the password of a local
authentication user on the Set Security Policy page. If Validity
Period is 0, the password will never expire. For the security
purpose, you are advised to set a specific password validity
period. After the password expires, the user cannot access shares.
After the password expires, you can set a password again or
modify the password security policy.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 195
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Confirm Confirms the password for consistency.
Password
Status Indicates whether to enable the user.
Owning Groups Groups to which the local authentication user belongs. Click
on the right of Owning Groups. In the Available Groups
list, select the desired groups and add them to Selected
Groups.
NOTE
You cannot configure privileges for local authentication users separately on DeviceManager.
Instead, you can configure privileges for local authentication users on the CLI.
Step 4 Click OK.
----End
2.9.4.2.5 (Optional) Preparing AD Domain Configuration Data
Why AD Domains?
In Windows shared mode, every device that provides shares is an independent
node. The account and permission information about users allowed to access
shares are stored on each node. As a result, the information maintenance is
complex and uncontrollable.
If an AD domain is used, the domain controller manages all the user configuration
information and authenticates the access to the domain. The domain controller
incorporates a database that stores information about the domain account,
password, and nodes in the domain. A user can access all the shared content in
the domain after passing the authentication by the domain controller.
Working Principles
Figure 2-10 Network diagram of AD domain server authentication
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 196
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
1. The DNS server provides a full domain name (123.com for example) for the
AD domain.
2. The storage system is added into the AD domain and provides share services.
3. Users can access shares after logging in to hosts in the AD domain using
domain accounts.
Data Preparation
To smoothly add a storage system to an AD domain, prepare or plan the required
data based on the site requirements. Collect Domain Administrator, Password,
Full Domain Name, Organization Unit (optional), and System Name. For details
about how to obtain the data, see 2.8.4.2.7 (Optional) Configuring AD Domain
Authentication Parameters.
2.9.4.2.6 (Optional) Connecting a Storage System to a DNS Server
After a storage system is connected to a DNS server, you can resolve and access
external domain addresses through the storage system. Storage arrays' DNS-based
load balancing feature can detect the loads of IP addresses on the storage arrays
in real time and use a proper IP address as the DNS response to achieve load
balancing among IP addresses. This operation enables you to configure active or
standby DNS IP addresses and set DNS load balancing for the system
management.
Prerequisites
● A DNS server has been configured and is running properly.
● Port 53 for the TCP/UDP protocol between the storage system and the DNS
server is enabled.
● The latency of the network between the DNS server and the storage system is
less than or equal to the configured latency (200 ms by default).
Context
● A DNS server is used to resolve and access external domain name addresses.
● If you want to configure a standby DNS server, keep the domain names of the
active and standby servers consistent.
Procedure
Step 1 Choose Settings > File Service > DNS Service.
Step 2 Click Configure in the upper right corner and configure the DNS service.
Step 3 Set Active DNS IP Address.
Step 4 (Optional) Set Standby DNS IP Address 1.
Step 5 (Optional) Set Standby DNS IP Address 2.
NOTE
Set Standby DNS IP Address 1 first and then Standby DNS IP Address 2.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 197
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 6 (Optional) Test the connection between the DNS server and the storage system.
● You can click Test next to a DNS IP address to test its availability.
● You can click Test All to test the connection between the DNS server and the
storage system.
Step 7 Click OK.
----End
2.9.4.2.7 (Optional) Configuring AD Domain Authentication Parameters
If an AD domain server is deployed on the customer's network, the storage system
must join the AD domain. Then, clients must be authenticated by the AD domain
server when they attempt to access shared resources on the storage system. The
administrator can manage the share access permissions and quotas of domain
users. If the storage system does not join an AD domain, domain users cannot use
share services provided by the storage system.
Prerequisites
● An AD domain has been set up.
● The storage system has been connected to the DNS server.
● The AD domain server and DNS server have time synchronization with the
storage system. The time difference must be no larger than 5 minutes.
● Ports 88 (TCP/UDP protocol), 389 (TCP/UDP protocol), 445 (TCP protocol),
and 464 (TCP/UDP protocol) are enabled between the storage system and the
AD domain.
NOTE
The storage systems can connect to AD domain servers and DNS servers through
management network ports or service network ports (logical ports). If a storage system
connects to an AD domain server and DNS server through management network ports,
ensure that the management network ports on at least two controllers can properly
communicate with the AD domain server and DNS server. If a storage system connects to
the AD domain server and DNS server through service network ports, it is recommended
that the service network ports on at least two controllers can properly communicate with
the AD domain server and DNS server. It is recommended that storage systems connect to
AD domain servers through service network ports.
Precautions
● Before adding a storage system to an AD domain, ensure that the primary
controller of the storage system is connected to the DNS server and AD
domain server.
● When Overwrite System Name is enabled, if a system name entered exists in
the AD domain controller, the information about the current storage system
will overwrite the information about the storage system corresponding to the
system name on the AD domain controller.
● A simple password may result in security issues. A complex password that
contains uppercase letters, lowercase letters, digits, and special characters is
recommended.
● You are advised to use physical isolation and end-to-end encryption to ensure
security of data transfer between the AD domain server and clients.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 198
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2.9.4.2.8 Creating a CIFS Share
This section describes how to share file systems in CIFS mode so that users can
access the file systems.
Procedure
Step 1 Choose Services > File Service > Shares > CIFS Shares.
Step 2 Click Create.
The Create CIFS Share page is displayed on the right.
NOTE
The screenshot is for reference only and the actual displayed information may vary.
For some device models, you can click in the upper right corner of the page to enable
SmartGUI. SmartGUI mines users' historical operation data and builds a configuration
parameter recommendation model based on user profiles to recommend configuration
parameters for the block service and file service. After SmartGUI is enabled, the system
presets the File System and Share Name parameters based on recommendations when
you create a CIFS share. You can directly use the parameters or modify them as required.
Step 3 Set basic CIFS share parameters.
Table 2-64 describes the parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 199
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-64 Basic CIFS share parameters
Parameter Description
File System File system for which you want to create a CIFS share.
NOTE
If the selected file system is the secondary storage system in a
remote replication pair or remote storage system in a HyperMetro
pair, data in the file system is probably being modified when it is
accessed. Before performing this operation, confirm that the
application allows possible data inconsistency.
[Example]
Filesystem001
Dtree Dtree for which you want to create a CIFS share. If you do
not select a dtree, the CIFS share is created for the entire file
system.
[Example]
Dtree_test
Share Name Name of the share, which is used by users to access shared
resources.
[Value range]
● The name must be unique.
● The name cannot contain characters " / \ [ ] : | < > + ; , ?
* =, and cannot be ipc$, autohome, ~, or print$ reserved
by the system.
● The name contains 1 to 80 characters.
[Example]
share_for_user1
NOTE
By default, an ADMIN share named c$ is created. The c$ share has
the following characteristics:
● Its share path is the root directory /, and its share permissions
are Administrators full control permissions.
● Each time a vStore is created, a c$ share is automatically created
for this vStore.
● It cannot be deleted. New user permissions cannot be added to
it.
● You can view or modify the attributes of the c$ share. For
example, on the Windows Management Console (MMC), you
can modify the description and offline settings of the c$ share.
● On MMC, you can use the c$ share to browse file systems and
dtrees and directly select a file system or dtree to create a share.
You do not need to manually enter the share path.
Share Path Share path of the file system, which is generated based on
the File System and Dtree parameters.
[Example]
/Filesystem001/Dtree_test
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 200
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 4 Set advanced properties of the CIFS share. Select Advanced in the upper right
corner.
Table 2-65 describes the parameters.
Table 2-65 Advanced parameters of a CIFS share
Parameter Description
Description Indicates the description of a CIFS share.
NOTE
The description can be left blank or contain up to 255 characters.
Notify Determine whether to enable Notify. After this function is
enabled, a client's operations on a directory, such as adding
a sub-directory, adding a file, modifying the directory, and
modifying a file, can be detected by other clients that are
accessing this directory or the parent directory of this
directory. The created or modified directories and files are
visible after the page automatically refreshes.
Continuously Determine whether to enable Continuously Available. This
Available option provides the SMB continuous availability feature. This
feature depends on Oplock which is enabled by default. If
Oplock is disabled, choose Settings > File Service > CIFS
Service to enable it.
SMB3 Encryption Specifies whether to enable SMB3 encryption. After this
function is enabled, the system encrypts the share to ensure
data security, but the performance deteriorates.
NOTE
After SMB3 encryption is enabled, only SMB3 clients can access
shares by default.
Unencrypted After this function is enabled, clients that do not have
Client Access encryption capabilities can access the share.
ABE After ABE is enabled, files and folders that users have no
access permission are not displayed.
NOTE
SMB2 and SMB3 support this function but SMB1 does not.
Show Snapshot This function allows clients to show and traverse snapshot
directories.
Step 5 Select users or user groups that can access the CIFS share.
1. In the Permissions area, click Add.
The Add User or User Group page is displayed.
2. Select the type of the users or user groups.
The value can be Everyone, Local Windows authentication user, Local
Windows authentication user group, AD domain user, or AD domain user
group.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 201
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
– If you select Local Windows authentication user or Local Windows
authentication user group, select the users or user groups to be added
from the list.
NOTE
You can click Create to create a local Windows authentication user or local
Windows authentication user group.
– If you select AD domain user or AD domain user group, enter the
names of the users or user groups in Name.
NOTE
▪ If you select AD domain user or AD domain user group, the system
automatically detects whether the AD domain has been configured. If no AD
domain is configured, the system prompts you to configure an AD domain
first.
▪ A domain user name is in the format of Domain name\Domain user name
and a domain user group name is in the format of Domain name\Domain
user group name.
▪ Name contains 1 to 256 characters. An AD domain user name cannot start
with an at sign (@).
▪ You can also enter multiple names separated by pressing Enter.
3. In Permission, select the permission granted for the users or user groups.
Table 2-66 describes the permissions.
Table 2-66 CIFS share permissions
Permission Forbidden Read-Only Read-Write Full Control
Viewing files Xa √b √ √
and
subdirectorie
s
Viewing file X √ √ √
contents
Running X √ √ √
executable
files
Adding files X -c √ √
or
subdirectorie
s
Modifying X - √ √
file contents
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 202
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Permission Forbidden Read-Only Read-Write Full Control
Deleting files X - √ √
and
subdirectorie
s
Renaming X - √ √
Changing X - - √
ACL
permissions
of files or
directories
a: Users do not have the permission.
b: Users have the permission.
c: The specified permission is not involved.
NOTE
– The permission priority from high to low is Forbidden > Full control > Read-write
> Read-only. The highest permission prevails. If a user is granted with a higher
permission than its original one, the new permission takes effect immediately
without re-authentication. For example, the access permission of a user is Read-
only, and then the user is added to a user group whose access permission is Full
control. Therefore, the access permission of the user is changed to Full control
and it can access the CIFS share immediately without re-authentication.
– You can run the change service cifs administrators_privileg=? command on the
CLI to modify permissions of members in the Administrators user group. For
details about the command, see Command Reference of the desired version. In the
command, the value of the administrators_privileg parameter can be admin
(default), default_group, or owner.
For local authentication users whose primary user group is Administrators, users
with different administrators_privileg values have different permissions.
▪ admin: When members in the Administrators user group access a shared file
system in the storage system, they do not need to be authenticated by share-
level ACLs and NT ACLs. They can operate any file in any share with
administrator permissions without the need to be authenticated.
▪ default_group: Members in the Administrators user group have the same
permissions as members in the default_group user group.
▪ owner: Members in the Administrators user group have the permissions to
query and set file or directory ACLs and modify file or directory owners. When
the group members access shared file systems, they need to be authenticated
by directory- or file-level NT ACLs, but do not need to be authenticated by
share-level ACLs.
Modified permissions take effect only after users are re-authenticated on clients.
You can run the show service cifs command on the CLI and check permissions of
the Administrators user group in the Administrators Privilege field.
4. Click OK.
The system adds the selected users or user groups to the Permissions list.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 203
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Step 6 Click OK.
----End
2.9.4.2.9 Accessing a CIFS Share
By accessing a CIFS share, different users can access the shared directories that
they have permission to access.
Procedure
Step 1 Choose Map network drive on a Windows client.
The following uses a Windows Server 2012 client as an example.
Open File Explorer and choose Computer > Map network drive > Map network
drive.
NOTE
GUIs may be slightly different for clients running different versions of Windows operating
systems. The actual GUIs prevail.
Step 2 In the displayed Map Network Drive dialog box, configure the network folder you
want to map.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 204
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● In Drive, specify the drive letter for the connection.
● In Folder, specify the folder that you want to connect to. Select Connect
using different credentials and click Finish.
The folder is in the format of \\Logical IP address\Share name.
Wherein, Logical IP address indicates the IP address of the storage system's
logical port providing the CIFS share, and Share name indicates the name of
the CIFS share.
Step 3 In the displayed Windows Security dialog box, enter the user name and password
for accessing the CIFS share.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 205
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● If you log in as a domain authentication user, enter the domain user name in
the Domain name\Domain user name format and the corresponding
password.
NOTE
After CIFS shares are allocated to domain users, do not modify the domain user
information. If you do, the CIFS shares cannot be accessed.
● If you log in as a local authentication user, enter the user name and password
of the local authentication user.
Step 4 Click OK.
NOTE
If errors occur during the access, verify that:
● The storage system is added into a correct AD domain.
● The network between the client and storage system is normal.
● The domain user has the access permission.
----End
2.9.4.3 Accessing Cross-Protocol Shares
A storage system allows NFS and CIFS shares to be configured for the same file
system concurrently. This section describes how a storage system uses the user
mapping function to allow users to access shared files across protocols (CIFS-NFS)
used by clients on different platforms and implement precise permission control.
2.9.4.3.1 Overview
This section introduces the user mapping mechanism used during cross-protocol
(CIFS-NFS) share access.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 206
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
CIFS-NFS Share Access
A storage system allows users to share a file system or dtree using NFS and CIFS
at the same time. Different clients can access a file system or dtree
simultaneously. Windows, Linux, and UNIX adopt different mechanisms to
authenticate users and control access. The storage system manages user mapping
and permission control of different operating systems in a unified manner,
protecting the security of CIFS-NFS share access.
● If a CIFS user attempts to access a file or directory, the storage system
authenticates local or AD domain users first. If the UNIX permission (UNIX
Mode bits) has been configured for the file or directory, the CIFS user is
mapped as an NFS user based on preset user mapping rules during
authentication. Then the storage system performs UNIX permission
authentication for the user.
● If an NFS user attempts to access a file or directory with NT ACLs, the NFS
user is mapped as a CIFS user based on the preset mapping rules. Then the
storage system performs NT ACL permission authentication for the user.
CIFS-NFS Share Access Permissions
If permission types of a file or directory and a client that attempts to access the
file or directory do not match, CIFS-NFS cross-protocol access is required and you
must map the permission of the file or directory so that it can be displayed by the
client.
● NFS client accessing a file or directory with the NTFS permission
When an NFS client checks the NTFS permission that a file or directory has,
the client can obtain the UNIX permission mapped from an NT ACL. The NFS
client displays as many permissions as possible but the actual permissions are
determined by the NT ACL. For example, the NFS client shows that all users
have read, write, and execute permissions, but one of the users may only have
the write permission.
● CIFS client accessing a file or directory with the UNIX permission
When a CIFS client checks the UNIX permission that a file or directory has, the
UNIX permission is mapped into four ACEs for the CIFS client. The ACEs are
for the owner, owner primary group, everyone, and the current Windows user
for the file or directory respectively. The NT ACL is displayed only but not used
to control actual operation permissions.
Table 2-67 shows how permissions are converted among UNIX Mode bits and NT
ACLs.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 207
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Table 2-67 Permission conversion among UNIX Mode bits and NT ACLs
File Permission Permission Conversion
A file or directory ● If an NFS or CIFS client sends a request to read an
only has valid UNIX ACL, one ACL is mapped based on UNIX Mode bits.
Mode bits. ● If a CIFS client sends a request to set an ACL, an NT
ACL takes effect and UNIX Mode bits with the
maximum permissions are mapped based on the NT
ACL.
A file or directory has If an NFS client sends a request to read UNIX Mode bits,
a valid NT ACL. UNIX Mode bits (mapped based on the NT ACL) of the
storage system are returned directly.
CIFS-NFS User Mapping
Windows systems (CIFS) and Linux systems (NFS) use different mechanisms to
identify and authenticate users:
● Windows systems use security identifiers (SIDs) to identify users. SIDs apply
to all users, user groups, services, and computers in the systems. CIFS supports
NT ACLs for authentication.
● Linux systems use user identities (UIDs) and one or more group identities
(GIDs) to identify users. One user belongs to one user group at least. NFS
supports diversified security control mechanisms such as UNIX Mode bits for
authentication.
During CIFS-NFS share access, users using different protocols must be mapped
based on user mapping rules for user authentication and precise permission
control.
The timing of user mapping is as follows:
● For a CIFS client, a user mapping occurs when the security mode of the file
system to be accessed is UNIX, that is, files or directories in the file system
have only the UNIX Mode bits permission. A user will have both the
permissions before and after user mapping.
● For an NFS client, a user mapping occurs when the security mode of the file
system to be accessed is NTFS, that is, files or directories in the file system
have the NT ACL permission. A user will have both the permissions before and
after user mapping.
● When a parent directory has inheritable NT ACL permission, files or directories
created no matter on an NFS client or a CIFS client will have the NT ACL
permission by default. In this case, if the NFS client accesses files or
directories, a user mapping will always occur. That is, a user will have both
the permissions before and after user mapping. When the parent directory
does not have any inheritable NT ACL permission, files or directories created
no matter on an NFS client or a CIFS client will have the UNIX Mode bits
permission. In this case, if the NFS client accesses files or directories, no user
mapping occurs. That is, the user's permission remains unchanged.
● If mappings are changed on CIFS clients, the change takes effect after CIFS
connections are disconnected and next re-authentication is performed.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 208
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
● User mappings on NFS clients are cached and expire after four hours by
default. New user mappings and user information changes take effect after
the cached data expires.
User mapping rules specify the mappings among different user accounts. They can
be saved in a local database or managed in an AD domain in a centralized
manner. A user mapping rule includes the mapping type, source user, mapped
user, and mapping priority. If a user matches multiple mapping rules, it is mapped
based on the rule with a higher priority. If the rules have the same priority, the
user is mapped based on the rule that is configured the earliest.
The following describes how local user mapping is performed:
● NFS-CIFS user mapping: An NFS user is authenticated by UID on the service
end. When a user mapping occurs, the user name to which the UID
corresponds will be queried in the sequence of the local storage system, LDAP
domain, and NIS domain. Based on the queried user name and the local
mapping, the user name, SID, and owning group of the mapped user will be
queried.
● CIFS-NFS user mapping: A CIFS user is authenticated by SID on the service
end. When a user mapping occurs, the mapped user will be queried based on
the user name to which the SID corresponds and the local mapping. Then the
UID to which the mapped user name corresponds and its owning group will
be queried in the sequence of the local storage system, LDAP domain, and
NIS domain.
NOTE
It is not advised to configure the same UID or user name in the local storage system, LDAP
domain, or NIS domain. If the same UID or user name exists, the user mapping results will
not be the expected results.
After user mapping, on an NFS client, the owner information of files or directories
owned by CIFS users (the files or directories that are created by CIFS users or the
owner information of the files or directories are changed to CIFS users) is the
information of the NFS users mapped from CIFS users. If no mapping rules have
been configured for CIFS users, the owner information of the files or directories is
about the IDs (calculated using IDMAP, a hash algorithm) of the CIFS users.
After user mapping, on a CIFS client, the owner information of the files or
directories owned by NFS users (the files or directories that are created by NFS
users or the owner information of the files or directories are changed to NFS
users) is about NFS user names. If NFS users are NIS or LDAP domain users, the
owner information is displayed as UNIXUser\user name.
NOTE
When CIFS users are mapped to NFS users, quota statistics will be collected for the NFS
users or owning user group.
2.9.4.3.2 Configuring Mapping Parameters
You can create user mappings in the local storage system as well as use user
mappings in the external IDMU domain to access shares across systems. This
section describes how to set user mapping parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 209
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Context
If only IDMU user mappings are used, you do not need to configure user
mappings in the local storage system.
Procedure
Step 1 Choose Services > File Service > Authentication Users > User Mappings.
Step 2 Click Set Mapping Parameter.
The Set Mapping Parameter page is displayed on the right.
Step 3 Enable Mapping Parameters and configure user mapping parameters.
Table 2-68 describes the parameters.
Table 2-68 Mapping parameters
Parameter Description
Mapping Mode Global parameter of user mappings, including:
● Support only user mapping of this system: The
system only supports user mappings created in this
system.
● Support only user mapping in IDMU: The system
only supports user mappings in the IDMU domain.
● Preferentially support user mapping in IDMU:
When user mappings of a specified source user exist
both in the system and the IDMU domain, the
system preferentially uses the mapping in the IDMU
domain.
● Preferentially support user mapping of this
system: When user mappings of a specified source
user exist both in the system and the IDMU domain,
the system preferentially uses the mapping in this
system.
IDMU Search Timeout duration for the system to search for a
Timeout Duration (s) specified user mapping in the IDMU domain.
[Value range]
5 to 120
IDMU Search DN Benchmark directory where the system searches for a
specified user mapping in the IDMU domain. The
benchmark directory stores the information of user
mappings.
[Value range]
The directory contains 0 to 255 characters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 210
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Map to User with Indicates whether to map to users with the same name.
Same Name After this function is enabled, the system automatically
maps UNIX users and Windows users with the same
name.
Default UNIX User When user mapping is enabled and a Windows user
fails to be mapped, the Windows user will be mapped
to this default UNIX user.
Default Windows When user mapping is enabled and a UNIX user fails to
User be mapped, the UNIX user will be mapped to this
default Windows user.
If the default Windows user is an AD domain user, the
naming format is Domain name\Domain user name.
The AD domain name supports only the NetBIOS name.
You can query the NetBIOS name of a domain by
running the nbtstat -n command on the CLI.
Alternatively, you can right-click the domain on the
Active Directory Users and Computers page, choose
Properties from the shortcut menu, and view the value
of Domain name (pre-Windows 2000) in the dialog
box that is displayed. The value is the NetBIOS name of
the domain.
NOTE
Map to User with Same Name, Default UNIX User, and Default Windows User are
available only when Mapping Mode is set to Support only user mapping of this system,
Preferentially support user mapping in IDMU, or Preferentially support user mapping
of this system. IDMU Search Timeout Duration (s) and IDMU Search DN are available
only when Mapping Mode is set to Support only user mapping in IDMU, Preferentially
support user mapping in IDMU, or Preferentially support user mapping of this system.
Step 4 Confirm your operation as prompted.
----End
2.9.4.3.3 Creating a User Mapping
This operation enables the system to map the source user to the target user based
on a mapping relationship for accessing shares across protocols.
NOTE
If Map to User with Same Name is enabled, default user mapping (Default UNIX User or
Default Windows User) is configured, and user mappings are created, you can follow the
following sequence to search for a user mapping: the created user mappings > user
mappings with the same name > the default user mapping.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 211
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Procedure
Step 1 Choose Services > File Service > Authentication Users > User Mappings.
Step 2 Click Create.
The Create User Mapping page is displayed on the right.
Step 3 Set basic user mapping parameters.
Table 2-69 describes the parameters.
Table 2-69 Basic user mapping parameters
Parameter Description
Mapping Mode User mapping mode related to the operating system,
Possible options are:
● Windows to UNIX: When accessing UNIX shares using
Windows, a Windows user has all the permissions
granted to the target user.
● UNIX to Windows: When accessing Windows shares
using UNIX, a UNIX user has all the permissions granted
to the target user.
● Kerberos to UNIX: When accessing UNIX shares using
Kerberos authentication through a client, a Kerberos user
has all the permission granted to the target user.
Source User Source user in the mapping.
NOTE
● The name of the source user supports the wildcard (*). For
example, user* indicates all user names starting with user.
● The user name can be a common or domain user name. An AD
domain user name uses a backslash (\) to connect the domain
name and user name. Only one backslash (\) is allowed, for
example, china\user001. The AD domain name supports only
the NetBIOS name. You can query the NetBIOS name of a
domain by running the nbtstat -n command on the CLI.
Alternatively, you can right-click the domain on the Active
Directory Users and Computers page, choose Properties from
the shortcut menu, and view the value of Domain name (pre-
Windows 2000) in the dialog box that is displayed. The value is
the NetBIOS name of the domain.
Target User Target user in the mapping.
NOTE
The user name can be a common or domain user name. An AD
domain user name uses a backslash (\) to connect the domain
name and user name. Only one backslash (\) is allowed, for
example, china\user001. The AD domain name supports only the
NetBIOS name. You can query the NetBIOS name of a domain by
running the nbtstat -n command on the CLI. Alternatively, you can
right-click the domain on the Active Directory Users and
Computers page, choose Properties from the shortcut menu, and
view the value of Domain name (pre-Windows 2000) in the dialog
box that is displayed. The value is the NetBIOS name of the domain.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 212
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Parameter Description
Priority Priority of the mapping. A smaller value indicates a higher
priority. When multiple mappings share the same source
user, the system uses the mapping with the highest priority.
[Value range]
1 to 32
Step 4 Click Add to Mapping List to add the mapping to the list below.
NOTE
You can set user mapping parameters and click Add to Mapping List to configure multiple
user mappings.
Step 5 Test, modify, or delete a user mapping.
● Testing a user mapping
Select a user mapping and click Test to check whether the target user in the
user mapping exists.
NOTE
You can also click More on the right of a desired user mapping and select Test.
● Modifying a user mapping
a. Click More on the right of the desired user mapping and select Modify.
The Modify User Mapping page is displayed on the right.
b. Set basic user mapping parameters.
Table 2-69 describes the parameters.
c. Click OK.
● Deleting a user mapping
Select one or more desired user mappings and click Delete.
NOTE
You can also click More on the right of a desired user mapping and select Delete.
Step 6 Click OK.
----End
Example
● User mapping rule example 1: Map Windows user win_user01 to UNIX user
ux_user01.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 213
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
– Source user: win_user01
– Target user: ux_user01
– Mapping type: Windows to Unix
– Priority: 10 (default)
● User mapping rule example 2: Map any UNIX user to user1 in the AD domain
(domain name authtest).
– Source user: *
– Target user: authtest\user1
– Mapping type: Unix to Windows
– Priority: 10 (default)
2.9.4.3.4 Accessing a CIFS File Across Protocols
This section describes how an NFS client accesses CIFS files and directories for
which the NT ACL permission has been configured.
Prerequisites
● A Linux client user has the same UID and GID as a local authentication user.
You can query the local authentication user ID and ID of its owning primary
group on the DeviceManager. On the Linux client, you can run the groupadd
-g GID user group name command to create a user group, and then run the
useradd -u UID -g GID user name command to create a user.
● Before you use an AD domain user to configure user mapping rules, the
storage system has been added to the AD domain.
Context
Before users can use an NFS client to access shared files and folders for which NT
ACLs have been configured, the administrator must follow the process as shown in
Figure 2-11 to configure related parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 214
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Figure 2-11 Flowchart of configuring cross-protocol access of a CIFS file
Start
Create a file system. The security mode of the file system is NTFS.
Skip this step if AD, LDAP, or NIS domain users
Create a local authentication user.
access shares.
Create NFS and CIFS shares.
Configure user mapping parameters.
Configure user mapping rules.
Use a Linux client to mount and
access shares.
End
Mandatory Optional
Example
Table 2-70 provides an example of data planning during the configuration.
Table 2-70 Example of data planning
Item Planned Value
File system Name: share_dir
Security mode: NTFS
Local authentication Name: unix_user1
user ID: 100001
Primary group name: unix_group
Primary group ID: 100000
Name: cifs_user1
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 215
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Item Planned Value
NFS client user Name: unix_user1
The user must have the same UID and GID as the
local authentication user.
NFS share ● File system: share_dir
● Type of the client: host
● Name or IP address: x.x.0.10
● Permission: Read-write
● Advanced: The default settings are used.
CIFS share ● File system: share_dir
● Share Name: share_dir_cifs
● Local Authentication User: cifs_user1
● Permission Level: Full control
Mapping Mode Local system user mappings are supported
preferentially.
User mapping rule ● Mapping Type: Unix to Windows
● Source User: unix_user1
● Target User: cifs_user1
● Priority: 10
Step 1 Create a file system.
1. Choose Services > File Service > File Systems.
2. Create a file system named share_dir as planned.
Step 2 Create a local UNIX authentication user group and user.
1. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication User Groups.
2. Click Create to create a local authentication user group named unix_group as
planned.
3. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication Users.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 216
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
4. Click Create to create a local authentication user named unix_user1 as
planned.
Step 3 Create a local Windows authentication user.
1. Choose Services > File Service > Authentication Users > Windows Users >
Local Authentication Users.
2. Click Create to create a local authentication user named cifs_user1 as
planned.
Step 4 Create an NFS share and a CIFS share for the same file system.
1. Choose Services > File Service > Shares.
2. Create an NFS share and a CIFS share for the same file system based on
parameters as planned.
Step 5 Configure user mapping parameters.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Set Mapping Parameter and set Mapping Mode to Preferentially
support user mapping of this system.
Step 6 Configure user mapping rules.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Create and configure user mapping rules as planned.
Step 7 Use a Windows client to access shared directory share_dir and set permissions of
files under the shared directory.
1. Use a Windows client to access a CIFS share.
2. Under the shared directory, create folder subdir1 and file file1.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 217
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
3. Add one ACE to subdir1 and file1.
Right-click the file or folder and choose properties from the shortcut menu
that is displayed. In the properties dialog box that is displayed, click the
Security tab and add the modify permission ACE to user cifs_user1.
4. Delete the Everyone permissions for subdir1, so as to verify that the NFS
client has permissions of the mapped Windows user.
Step 8 Run the change service nfs_config g_ntfs_unix_security_ops=ignore command
on the storage system to ignore any modification on NFS client permissions.
NOTE
This operation is required because Security Style of the file system share_dir in this
example is NTFS and Windows ACLs exist.
Step 9 Use an NFS client to mount the share and access the share as local user
unix_user1.
1. Use an NFS client to mount the NFS share.
2. Run the groupadd -g 100000 unix_group command to create a user group
that has the same GID as the local authentication user group.
3. Run the useradd -u 100001 -g 100000 unix_user1 command to create a user
that has the same UID and GID as the local authentication user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 218
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
NOTE
The UID and GID in the command are used as an example only. They vary with site
conditions.
4. Run the su - unix_user1 command to switch users.
5. Write data to folder subdir1.
If the data is written to the folder successfully, the Linux client has a write
permission for the folder.
----End
2.9.4.3.5 Accessing an NFS File Across Protocols
This section describes how a CIFS client accesses a file or directory for which the
UNIX permission has been configured.
Prerequisites
The user of the Linux client has the same UID and GID as the local authentication
user.
You can query the local authentication user ID and ID of its owning primary group
on the DeviceManager. On the Linux client, you can run the groupadd -g GID user
group name command to create a user group, and then run the useradd -u UID -
g GID user name command to create a user.
Context
Before users can use a Windows client to access shared files and folders for which
the UNIX permission has been configured, the administrator needs to follow the
process as shown in Figure 2-12 to configure related parameters.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 219
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Figure 2-12 Flowchart of configuring cross-protocol access of an NFS file
Start
Create a file system. The security mode of the file system is UNIX.
Create a local authentication user. Skip this step if AD domain users access shares.
Create NFS and CIFS shares.
Configure user mapping parameters.
Configure user mapping rules.
Use a Windows client to mount and
access shares.
End
Mandatory Optional
Example
Table 2-71 provides an example of data planning during the configuration.
Table 2-71 Example of data planning
Item Planned Value
File system Name: share_dir2
Security mode: UNIX
Local authentication user Name: cifs_user2
Name: unix_user2
ID: 100002
Primary group name: unix_group
Primary group ID: 100000
NFS client user Name: unix_user2
The user must have the same UID and GID as the
local authentication user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 220
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
Item Planned Value
NFS share ● File system: share_dir2
● Type of the client: host
● Name or IP address: x.x.0.10
● Permission: Read-write
● Advanced: The default settings are used.
CIFS share ● File system: share_dir2
● Share Name: share_dir_cifs2
● Local authentication user: cifs_user2
● Permission Level: Full control
Mapping Mode Local system user mappings are supported
preferentially.
User mapping rule ● Mapping Type: Windows to Unix
● Source User: cifs_user2
● Target User: unix_user2
● Priority: 10
Windows operating systems do not allow a file name to contain special characters.
Therefore, it is recommended that the file name and directory name of an NFS
share do not contain special characters including \:*/?"<>|, and the file name and
directory name do not end with a period (.) or a space. Otherwise, the storage
system converts the file name and directory name to short names (for example,
~PY203).
Step 1 Create a file system.
1. Choose Services > File Service > File Systems.
2. Create a file system named share_dir2 as planned.
Step 2 Create a Windows local authentication user.
1. Choose Services > File Service > Authentication Users > Windows Users >
Local Authentication Users.
2. Click Create to create a local authentication user named cifs_user2 as
planned.
Step 3 Create a UNIX local authentication user group and user.
1. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication User Groups.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 221
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
2. Click Create to create a local authentication user group named unix_group as
planned.
3. Choose Services > File Service > Authentication Users > UNIX Users > Local
Authentication Users.
4. Click Create to create a local authentication user named unix_user2 as
planned.
Step 4 Create an NFS share and a CIFS share for the same file system.
1. Choose Services > File Service > Shares.
2. Create an NFS share and a CIFS share for the same file system based on
parameters as planned.
Step 5 Configure user mapping parameters.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Set Mapping Parameter and set Mapping Mode to Preferentially
support user mapping of this system.
Step 6 Configure user mapping rules.
1. Choose Services > File Service > Authentication Users > User Mappings.
2. Click Create and configure user mapping rules as planned.
Step 7 Use an NFS client to mount the share and set permissions of files under the
shared directory.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 222
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 2 Configuring vStores
1. Use an NFS client to mount the NFS share.
2. Run the groupadd -g 100000 unix_group command to create a user group
that has the same GID as the local authentication user group.
3. Run the useradd -u 100002 -g 100000 unix_user2 command to create a user
that has the same UID and GID as the local authentication user.
NOTE
The UID and GID in the command are used as an example only. They vary with site
conditions.
4. Run the su - unix_user2 command to switch users.
5. Create the file1 file and grant the read-only permission.
NOTE
The security style of the file system (share_dir2) on the storage system is UNIX. The
default UNIX permission of the root directory of the file system is 755. Therefore, first
run the change file_system general file_system_id=? unix_permissions=777
command on the storage system to change the UNIX permission to 777.
# touch file1
# chmod 400 file1
Step 8 Use cifs_user2 to access file1 on a Windows client and verify that it has only the
read-only permission.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 223
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
3 Managing vStores
This chapter describes how to manage vStores to meet service running
requirements.
3.1 Viewing a vStore
3.2 Modifying a vStore
3.3 Deleting a vStore
3.4 Managing a vStore User
3.1 Viewing a vStore
This operation enables you to view basic information about a vStore.
Context
● After the system supports the SmartMulti-Tenant feature after an upgrade, all
LUNs, file systems, and ports in the original system are allocated to internal
system vStore System_vStore.
● On the vStore management page, you can click to refresh vStore
information.
● On the vStore management page, you can click or next to a parameter
and enter a keyword or select a parameter value to search for the desired
vStores.
● On the vStore management page, you can click to select the vStore
parameters you want to view.
● On the vStore management page, you can click or next to a parameter
to change the display order of vStores.
● On the vStore management page, you can click to export vStore
information to your local PC.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 224
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
Step 2 View information about vStores in the function pane. Table 3-1 describes the
parameters.
Table 3-1 vStore parameters
Parameter Description
Name Name of a vStore.
ID ID of a vStore.
Running Status Running status of a vStore.
LUNs Number of LUNs of a vStore.
File Systems Number of file systems of a vStore.
Data Protection Data protection information of a vStore.
Audit Log Indicates whether the audit log function is enabled for a
vStore. Audit logs record operations performed for file
systems in a vStore.
NAS Capacity Capacity quota of a vStore. The total file system capacity
Quota of the vStore cannot exceed the quota.
NOTE
● In 6.1.5 and later versions, NAS capacity quotas can be set on
the CLI by using the create vstore general command. For
details about this command, see Command/Event/Error Code
Query.
● In 6.1.6 and later versions, NAS capacity quotas can be set on
DeviceManager.
SAN Capacity Capacity quota of a vStore. The total LUN capacity of the
Quota vStore cannot exceed the quota.
NOTE
In 6.1.7 and later versions, SAN capacity quotas can be set on
DeviceManager.
Step 3 (Optional) Click the name of a desired vStore to view its Summary, File Service,
User Management, and Protection.
NOTE
● In the Basic Information area on the Summary tab page, you can click the values of
Associate with Storage Pool and Associate with FC Port to modify the parameters on
the displayed Associate with Storage Pool and Associate with FC Port pages. Table
2-3 describes the parameters.
● On the File Service tab page, you can configure DNS Service, DNS Zone, LDAP
Domain, NIS Domain, AD Domain, NDMP Service, and Kerberos Realms for the
selected vStore.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 225
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
3.2 Modifying a vStore
This operation enables you to modify the name and description of a vStore.
Precautions
● Internal system vStore System_vStore cannot be modified.
● Only the super administrator and administrators can modify vStores.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click More on the right of the desired vStore and choose Modify.
The Modify vStore page is displayed on the right.
NOTE
Alternatively, click the name of the desired vStore. In the upper right corner of the page
that is displayed, select Modify from the Operation drop-down list.
Step 3 Modify the vStore.
1. Modify Name of the vStore.
NOTE
– The name must be unique.
– The name contains only letters, digits, periods (.), underscores (_), and hyphens (-).
– The name contains 1 to 256 characters.
2. Modify NAS Capacity Quota. The total file system capacity of the vStore
cannot exceed the quota.
NOTE
– In 6.1.5 and later versions, NAS capacity quotas can be set on the CLI by using the
create vstore general command. For details about this command, see Command/
Event/Error Code Query.
– In 6.1.6 and later versions, NAS capacity quotas can be set on DeviceManager.
3. Modify SAN Capacity Quota. The total LUN capacity of the vStore cannot
exceed the quota.
NOTE
In 6.1.7 and later versions, SAN capacity quotas can be set on DeviceManager.
4. Input necessary information about the vStore in Description to help you
identify the vStore.
NOTE
The description can be left blank or contain up to 255 characters.
Step 4 Click OK.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 226
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
3.3 Deleting a vStore
This operation enables you to delete a vStore to release its storage resources.
Precautions
● Internal system vStore System_vStore cannot be deleted.
● Only the super administrator and administrators can delete vStores.
Prerequisites
● Service information such as logical ports of the vStore has been deleted.
● The administrator that manages the vStore is offline.
● The users of the vStore have been deleted.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Select the desired vStore and click Delete.
NOTE
Alternatively, perform either of the following operations to delete a vStore:
● Click More on the right of the desired vStore and choose Delete.
● Click the name of the desired vStore. In the upper right corner of the page that is
displayed, select Delete from the Operation drop-down list.
Step 3 Confirm your operation as prompted.
----End
3.4 Managing a vStore User
A vStore user is the administrator for managing the vStore space. By creating
different vStore users, you can restrict their operation permissions on the storage
system to ensure the stability of the service system and the security of service
data.
3.4.1 Viewing a vStore User
This operation enables you to view the user name, type, online/offline status,
password status, owning LDAP group, creation time, lock status, and the role of a
vStore user.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 227
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
Step 3 In the function pane, view user information listed in Table 3-2.
Table 3-2 User parameters
Parameter Description
Username Name of a user.
NOTE
You can click the name of the desired vStore user to view its
details and manage it.
Role Role of a user.
Type Type of a user.
Online/Offline Status of a user on DeviceManager. Possible values are
Online and Offline.
Password Status Password status of a user.
Owning LDAP Group LDAP user group to which a user belongs.
Login Method Login method of a user.
Login Authentication Authentication mode for user login. Possible options are
Login password, Login password + email one-time
password, and Login password + RADIUS one-time
password.
Lock Status Lock status of a user.
Created Time when a user is created.
----End
3.4.2 Modifying a vStore User
If the current user does not have permission of some operations or you forget its
password, you can modify the user information to adjust the user level or initialize
the password.
Precautions
● Only a super administrator can initialize the passwords of other users.
● Only users whose status is Offline can be modified.
● If a non-super administrator account encounters a security problem, a super
administrator can set password properties of this account. In this case, the
password of the account must be changed upon the next login.
● If a password has expired or been initialized, the system prompts you to
change the password when you log in to DeviceManager.
● If a password is about to expire, the system prompts you to change the
password after you log in to DeviceManager.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 228
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
● To prevent security risks of the storage system due to password leakage, you
need to modify a password upon initial login and regularly change the
password on DeviceManager.
● Do not change a password during information collection or expansion.
Otherwise, information collection or capacity expansion fails.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab, locate the row that contains the user to be
modified, click More, and select Modify.
The Modify User page is displayed.
NOTE
Alternatively, click the desired user name. In the upper right corner of the page that is
displayed, select Modify from the Operation drop-down list.
Step 3 Set user information.
Table 3-3 describes the parameters.
Table 3-3 User parameters
Parameter Description
Role User right range. You can select a built-in role provided by the
system or create a role.
Password Indicates whether to render the password always valid. If this
Always Valid function is enabled, the password is not restricted by the
password validity period specified in the security policy.
NOTE
● When Password Always Valid is switched to the disabled status, if
the password has not been changed before, you must change the
password upon the next login.
● When modifying the information about an LDAP user or LDAP user
group, you cannot set the password to never expire.
Initialize Indicates whether to initialize the password. If you want to
Password initialize the password, select Initialize Password, and enter
Password of Login User, New Password, and Confirm
Password.
NOTE
If you are modifying the information about an LDAP user or LDAP user
group, this operation is unavailable.
Description Description of a user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 229
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
Parameter Description
Login Login authentication method of a user.
Authentication NOTE
● When Type is set to Local user, Login password + email one-time
password is supported in Login Authentication.
● If you select Login password + email one-time password, you
must configure the SMTP server by choosing Settings > User and
Security > Multi-Factor Authentication.
● No matter which login authentication method you have selected,
the login authentication method is Login password when you log
in through RESTful or SFTP.
● When Type is set to LDAP user, Login password + RADIUS one-
time password is supported in Login Authentication. In addition,
when Login password + RADIUS one-time password is selected,
only DeviceManager is supported in Login Method.
Recipient Recipient email address for receiving one-time passwords if you
Email Address select Login password + email one-time password.
NOTE
● To ensure account security, change the password upon your first login.
● To ensure account security, change the password regularly.
----End
3.4.3 Logging Out a vStore User
A super administrator can prevent a logged-in user from using a storage device by
forcibly logging the user out of DeviceManager.
Prerequisites
● Only a super administrator can forcibly log out a user.
● The status of the user to be logged out is Online.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab, locate the row that contains the target user, click
More, and select Offline.
NOTE
You can also click the desired user name. In the upper right corner of the page that is
displayed, select Offline from the Operation drop-down list in the upper right corner.
Confirm your operation as prompted.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 230
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
3.4.4 Locking a vStore User
A super administrator can prevent a user from logging in to a storage device by
locking the user. If a user is online, the user cannot log in again after logging out.
Prerequisites
● Only a super administrator can lock a user.
● Lock Status of the user to be locked is Unlocked.
● Only local users can be locked.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab, locate the row that contains the target user, click
More, and select Lock.
NOTE
Alternatively, click the desired user name. On the page that is displayed, select Lock from
the Operation drop-down list the upper right corner.
Confirm your operation as prompted.
----End
3.4.5 Unlocking a vStore User
A super administrator can allow a user to log in again to a storage device by
unlocking the user.
Prerequisites
● Only a super administrator can unlock a user.
● Lock Status of the user to be unlocked is Locked.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab, locate the row that contains the user to be
unlocked, click More, and select Unlock.
The Authenticate Permission dialog box is displayed.
NOTE
Alternatively, click the desired user name. Select Unlock from the Operation drop-down list
the upper right corner.
Step 3 Enter the password of the login user and click OK.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 231
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
Confirm your operation as prompted.
----End
3.4.6 Changing the Password upon the Next Login
If a super administrator discovers that the password of a user encounters security
risks (for example, the login IP addresses vary or incorrect passwords are entered
many times), the super administrator can force the user to change its password
upon the next login.
Context
● Only a super administrator can force a user to change its password upon the
next login.
● The super administrator, other super administrators, LDAP users, and LDAP
user groups cannot change their passwords upon the next login.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab, click More on the right of the user to be
modified, and select Modify Password Next Login.
NOTE
Alternatively, click the desired user name. On the page that is displayed, select Change
Password Next Login from the Operation drop-down list in the upper right corner.
Confirm your operation as prompted.
----End
3.4.7 Deleting a vStore User
If you want to prevent a user from logging in to and managing a storage device,
you can delete the user.
Prerequisites
● A super administrator can delete other users.
● An online user cannot be deleted.
Procedure
Step 1 Choose Services > vStore Service > vStores.
Step 2 Click the name of the desired vStore. On the page that is displayed on the right,
click the User Management tab, locate the row that contains the user to be
deleted, click More, and select Delete.
NOTE
Alternatively, click the name of the desired user name. On the page that is displayed, select
Delete from the Operation drop-down list in the upper right corner.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 232
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 3 Managing vStores
Confirm your operation as prompted.
----End
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 233
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File 4 Managing Basic Storage Services of vStores
4 Managing Basic Storage Services of
vStores
After configuring basic storage services of a vStore, you can manage the following
items of the vStore to meet service requirements:
● File system
● Dtree
● Quota
● Logical port
● Local authentication user and user group
● NFS share
● Managing CIFS Shares
For details, see the Basic Storage Service Configuration Guide for File specific to
your product model.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 234
OceanStor Dorado A Configuring and Managing SmartMulti-Tenant
SmartMulti-Tenant Feature Guide for File Using the CLI
A Configuring and Managing SmartMulti-
Tenant Using the CLI
This section provides some CLI commands for configuring and managing
SmartMulti-Tenant.
NOTE
● The CLI commands supported by different models may vary.
● For more CLI commands and their description, refer to Command/Event/Error Code
Query.
Figure A-1 shows the process for configuring SmartMulti-Tenant.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 235
OceanStor Dorado A Configuring and Managing SmartMulti-Tenant
SmartMulti-Tenant Feature Guide for File Using the CLI
Figure A-1 Process for configuring SmartMulti-Tenant using the CLI
Start
Check the license.
Create a storage
pool.
Create a vStore.
Create a bond port.
Create a VLAN.
Set DNS load
balancing.
Enter the vStore view.
Create a file system.
Create a dtree.
Create a quota.
Configure the
network.
Share the file system.
End
Mandatory Optional
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 236
OceanStor Dorado A Configuring and Managing SmartMulti-Tenant
SmartMulti-Tenant Feature Guide for File Using the CLI
Configuring SmartMulti-Tenant Using the CLI
Table A-1 Configuring SmartMulti-Tenant
Procedure Command
Check the show license
license file. NOTE
SmartMulti-Tenant depends on the NAS license, which covers NAS
Foundation, SmartQuota, and SmartMulti-Tenant.
Create a storage create storage_pool
pool. NOTE
● When you run the create storage_pool command to create a
storage pool, the system automatically creates a disk domain in
the background.
● You can also run the create disk_domain and create
storage_pool commands to create a disk domain and a storage
pool, respectively.
If you run the create disk_domain command to create a disk
domain separately, the default redundancy policy is disk
redundancy. If you want to create a storage pool with enclosure
redundancy, add redundancy_strategy=enclosure in the
command to create a disk domain.
Create a vStore. create vstore general
(Optional) create bond_port
Create a bond
port.
(Optional) create vlan general
Create a VLAN.
(Optional) Set change system dns_load_balance
DNS load
balancing.
Enter the vStore change vstore view
view.
Create a file create file_system general
system.
(Optional) create dtree general
Create a dtree.
(Optional) create quota file_system
Create a quota. create quota dtree
Configuring the network
(Optional) create dns_zone general
Create a DNS
zone.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 237
OceanStor Dorado A Configuring and Managing SmartMulti-Tenant
SmartMulti-Tenant Feature Guide for File Using the CLI
Procedure Command
Create a logical ● Creating a logical port based on a bond port:
port. create logical_port bond
● Creating a VLAN-based logical port:
create logical_port vlan
● Creating a logical port based on an Ethernet port:
create logical_port eth
(Optional) Add ● IPv4:
a route for the add logical_port ipv4_route
logical port. ● IPv6:
add logical_port ipv6_route
Configuring the NFS share
(Optional) change domain ldap_config
Modify the
LDAP domain
authentication
configurations.
(Optional) change domain ldap_schema
Modify the
advanced LDAP
domain
authentication
configurations.
Modify the NIS change domain nis_config
domain
authentication
configurations.
Create an NFS create share nfs
share.
Create an NFS create share_permission nfs
share
permission.
Access the NFS -
share.
Configuring the CIFS share
Create a create windows_group general
Windows local
authentication
user group.
Create a create windows_user general
Windows local
authentication
user.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 238
OceanStor Dorado A Configuring and Managing SmartMulti-Tenant
SmartMulti-Tenant Feature Guide for File Using the CLI
Procedure Command
Modify AD change domain ad_config
domain
authentication
configurations.
Configure the change domain dns_config
DNS server
address for
services of the
vStore.
Create a CIFS create share cifs
share.
Create a CIFS create share_permission cifs
share
permission.
Access the CIFS -
share.
Accessing shared files across protocols
Modify user change identity_mapping config
mapping
configurations.
Add a user add identity_mapping rule
mapping rule.
Managing SmartMulti-Tenant Using the CLI
Table A-2 Managing vStores
Operation Command
Query system show role system
role
information.
Query vStore show role vstore
role
information.
Add a role. create role general
add role permit
Modify basic change role general
information
about a role.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 239
OceanStor Dorado A Configuring and Managing SmartMulti-Tenant
SmartMulti-Tenant Feature Guide for File Using the CLI
Operation Command
Delete a role. delete role general
Query the show vstore
vStore status.
Modify basic change vstore info
information
about a vStore.
Delete a vStore. delete vstore general
Create a vStore create user
user.
Query user show user
information.
Modify basic change user
information
about a user.
Lock a user. change user_lock
Unlock a user. change user_unlock
Delete a user. delete user
For details about commands used for managing basic vStore services, see
Managing Basic Storage Services Using the CLI in the Basic Storage Service
Configuration Guide for File.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 240
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File B How to Obtain Help
B How to Obtain Help
If a tough or critical problem persists in routine maintenance or troubleshooting,
contact Huawei technical support.
B.1 Preparations for Contacting Huawei
To better resolve the fault, you are advised to collect troubleshooting information
and make debugging preparations before contacting Huawei.
B.1.1 Collecting Troubleshooting Information
You need to collect troubleshooting information before troubleshooting.
You need to collect the following information:
● Name and address of the customer
● Contact person and telephone number
● Time when the fault occurred
● Description of the fault phenomena
● Device type and software version
● Measures taken after the fault occurs and the related results
● Troubleshooting level and required solution deadline
B.1.2 Making Debugging Preparations
When you contact Huawei for help, the technical support engineer of Huawei
might assist you to do certain operations to collect information about the fault or
rectify the fault directly.
Before contacting Huawei for help, you need to prepare the boards, port modules,
screwdrivers, screws, cables for serial ports, network cables, and other required
materials.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 241
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File B How to Obtain Help
B.2 How to Use the Document
Huawei provides guide documents shipped with the device. The guide documents
can be used to handle the common problems occurring in daily maintenance or
troubleshooting.
To better solve the problems, use the documents before you contact Huawei for
technical support.
B.3 How to Obtain Help from Website
Huawei provides users with timely and efficient technical support through the
regional offices, secondary technical support system, telephone technical support,
remote technical support, and onsite technical support.
Contents of the Huawei technical support system are as follows:
● Huawei headquarters technical support department
● Regional office technical support center
● Customer service center
● Technical support website: https://support.huawei.com/enterprise/
You can query how to contact the regional offices at https://
support.huawei.com/enterprise/.
B.4 Ways to Contact Huawei
Huawei Technologies Co., Ltd. provides customers with comprehensive technical
support and service. For any assistance, contact our local office or company
headquarters.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's
Republic of China
Website: https://e.huawei.com/
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 242
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
C Glossary
A
AC power module The module that transfers the external AC power
supply into the power supply for internal use.
Application server A service processing node (a computer device) on the
network. Application programs of data services run
on the application server.
Asynchronous remote A kind of remote replication. When the data at the
replication primary site is updated, the data does not need to be
updated synchronously at the mirroring site to finish
the update. In this way, performance is not reduced
due to data mirroring.
Air baffle It optimizes the ventilation channels and improves
the heat dissipation capability of the system.
Audit log guarantee A mode for recording audit logs. This mode
mode preferentially ensures that the audit log function is
normal and no audit log is missing.
Audit log non- A mode for recording audit logs. In this mode,
guarantee mode services are running properly. Audit logs may be
missing.
B
Backup A collection of data stored on (usually removable)
non-volatile storage media for purposes of recovery
in case the original copy of data is lost or becomes
inaccessible; also called a backup copy. To be useful
for recovery, a backup must be made by copying the
source data image when it is in a consistent state.
The act of creating a backup.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 243
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Backup window An interval of time during which a set of data can be
backed up without seriously affecting applications
that use the data.
Bandwidth The numerical difference between the upper and
lower frequencies of a band of electromagnetic
radiation. A deprecated synonym for data transfer
capacity that is often incorrectly used to refer to
throughput.
Baud rate The maximum rate of signal state changes per
second on a communications circuit. If each signal
state change corresponds to a code bit, then the
baud rate and the bit rate are the same. It is also
possible for signal state changes to correspond to
more than one code bit, so the baud rate may be
lower than the code bit rate.
Bit error An incompatibility between a bit in a transmitted
digital signal and the corresponding bit in the
received digital signal.
Bit error rate The probability that a transmitted bit will be
erroneously received. The bit error rate (BER) is
measured by counting the number of bits in error at
the output of a receiver and dividing by the total
number of bits in the transmission. BER is typically
expressed as a negative power of 10.
Bonding Bonding of multiple independent physical network
ports into a logical port, which ensures the high
availability of server network connections and
improves network performance.
Boundary scan A test methodology that uses shift registers in the
output connections of integrated circuits (ICs). One IC
is often connected to the next IC. A data pattern is
passed through the chain and the observed returned
data stream affected by the circuit conditions gives
an indication of any faults present. The system is
defined under IEEE standard 1149.1 and is also
known as Joint Test Action Group (JTAG).
Browser/Server Architecture that defines the roles of the browser and
server. The browser is the service request party and
the server is the service provider.
Built-in FRU Alarm It indicates errors on the built-in FRUs of a controller,
indicator such as errors on fans or memory modules.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 244
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
C
Cache hit ratio The ratio of the number of cache hits to the number
of all I/Os during a read task, usually expressed as a
percentage.
Captive screw Specially designed to lock into place on a parent
board or motherboard, allowing for easy installation
and removal of attached pieces without release of
the screw.
Challenge Handshake A password-based authentication protocol that uses a
Authentication challenge to verify that a user has access rights to a
Protocol system. A hash of the supplied password with the
challenge is sent for comparison so the cleartext
password is never sent over the connection.
Compliance mode A protection mode of WORM. In compliance mode,
files within their protection period cannot be changed
or deleted by either the file user or by the system
administrator. Files with expired protection periods
can be deleted but not changed by the file user or
the system administrator.
Controller The control logic in a disk or tape that performs
command decoding and execution, host data transfer,
serialization and deserialization of data, error
detection and correction, and overall management of
device operations. The control logic in a storage
subsystem that performs command transformation
and routing, aggregation (RAID, mirroring, striping, or
other), high-level error recovery, and performance
optimization for multiple storage devices.
Controller enclosure An enclosure that accommodates controllers and
provides storage services. It is the core component of
a storage system and generally consists of
components, such as controllers, power supplies, and
fans.
Copying A pair state. The state indicates that the source LUN
data is being synchronized to the target LUN.
Container root Space used to store the metadata for running
directory container images and container instances.
Container image An image is a special file system, which provides the
programs, libraries, resources, and configuration files
required for running containers. It also contains
configuration parameters, for example, for
anonymous disks, environment variables, and users.
The image does not contain dynamic data, and its
content will not be modified after construction.
Containerized An image can start multiple containers, and an
application application can contain one or a group of containers.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 245
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Container node Controller that runs the container service.
Configuration item list A series of modifiable configuration items defined in
the Helm chart of the container.
Container service Containerized application management service, which
manages the lifecycle of containerized applications.
CloudVxLAN CloudVxLAN is a feature that uses the Virtual
eXtensible Local Area Network (VxLAN) technology,
which allows storage systems to directly connect to
the VPC network and become a part of Huawei Cloud
Stack for unified management and maintenance,
greatly simplifying O&M.
D
Data compression The process of encoding data to reduce its size. Lossy
compression (i.e., compression using a technique in
which a portion of the original information is lost) is
acceptable for some forms of data (e.g., digital
images) in some applications, but for most IT
applications, lossless compression (i.e., compression
using a technique that preserves the entire content of
the original data, and from which the original data
can be reconstructed exactly) is required.
Data flow A process that involves processing data extracted
from the source system. These processes include:
filtering, integration, calculation, and summary,
finding and solving data inconsistency, and deleting
invalid data so that the processed data meets the
requirements of the destination system for the input
data.
Data migration A movement of data or information between
information systems, formats, or media. Migration is
performed for reasons such as possible decay of
storage media, obsolete hardware or software
(including obsolete data formats), changing
performance requirements, the need for cost
efficiencies etc.
Data source A system, database (database user; database
instance), or file that can make BOs persistent.
Deduplication The replacement of multiple copies of data — at
variable levels of granularity — with references to a
shared copy in order to save storage space and/or
bandwidth.
Dirty data Data that is stored temporarily on the cache and has
not been written onto disks.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 246
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Disaster recovery The recovery of data, access to data and associated
processing through a comprehensive process of
setting up a redundant site (equipment and work
space) with recovery of operational data to continue
business operations after a loss of use of all or part
of a data center. This involves not only an essential
set of data but also an essential set of all the
hardware and software to continue processing of that
data and business. Any disaster recovery may involve
some amount of down time.
Disk array A set of disks from one or more commonly accessible
disk subsystems, combined with a body of control
software. The control software presents the disks'
storage capacity to hosts as one or more virtual disks.
Control software is often called firmware or
microcode when it runs in a disk controller. Control
software that runs in a host computer is usually
called a volume manager.
Disk domain A disk domain consists of the same type or different
types of disks. Disk domains are isolated from each
other. Therefore, services carried by different disk
domains do not affect each other in terms of
performance and faults (if any).
Disk enclosure Consists of the following parts in redundancy:
expansion module, disk, power module, and fan
module. System capacity can be expanded by
cascading multiple disk enclosures.
Disk location The process of locating a disk in the storage system
by determining the enclosure ID and slot ID of the
disk.
Disk utilization The percentage of used capacity in the total available
capacity.
E
eDevLUN Logical storage array space created by a third-party
storage array.
Expansion module A component used for expansion.
Expansion Connects a storage system to more disk enclosures
through connection cables, expanding the capacity of
the storage system.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 247
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Enhanced Direct Enhanced Direct Connect automatically manages
Connect Huawei hardware switches and provides Layer 3
interconnection between private IP addresses in your
cloud and networks outside the cloud. The
networking type and data plane are optimized based
on the original hardware Direct Connect. You can
select the firewall interconnection mode and
networking type to suit your business needs in
different scenarios.
F
Field replaceable unit A unit or component of a system that is designed to
be replaced in the field, i.e., without returning the
system to a factory or repair depot. Field replaceable
units may either be customer-replaceable or their
replacement may require trained service personnel.
Firmware Low-level software for booting and operating an
intelligent device. Firmware generally resides in read-
only memory (ROM) on the device.
Flash Translation Layer Flash Translation Layer (FTL) organizes and manages
host data, enables host data to be allocated to NAND
flash chips of SSDs in an orderly manner, maintains
the mapping relationship between logical block
addresses (LBAs) and physical block addresses
(PBAs), and implements garbage collection, wear
leveling, and bad block management.
Front-end port The port that connects the controller enclosure to the
service side and transfers service data. Front-end port
types are Fibre Channel and iSCSI.
Front-end interconnect On a storage device, all controllers share the front-
I/O module (FIM) end interface modules.
G
Garbage collection The process of reclaiming resources that are no
longer in use. Garbage collection has uses in many
aspects of computing and storage. For example, in
flash storage, background garbage collection can
improve write performance by reducing the need to
perform whole block erasures prior to a write.
Gateway A device that receives data via one protocol and
transmits it via another.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 248
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Global garbage With a view to defragmentation of storage arrays
collection and garbage collection of disks, global garbage
collection reduces garbage of disks by enabling
storage arrays to inform disks of not implementing
invalid data relocation and of controlling space
release so that disks and controllers consume less
space, reducing costs and prolonging the useful life
of storage arrays.
Global system for The second-generation mobile networking standard
mobile defined by the European Telecommunications
communications Standards Institute (ETSI). It is aimed at designing a
standard for global mobile phone networks. GSM
consists of three main parts: mobile switching
subsystem (MSS), base station subsystem (BSS), and
mobile station (MS).
Global wear leveling With a view to individual characteristics of a single
disk, global wear leveling uses space allocation and
write algorithms to achieve wear leveling among
disks, preventing a disk from losing efficacy due to
excessive writes and prolonging the useful life of the
disk.
H
Hard disk tray The tray that bears the hard disk.
Heartbeat Heartbeat supports node communication, fault
diagnosis, and event triggering. Heartbeats are
protocols that require no acknowledgement. They are
transmitted between two devices. The device can
judge the validity status of the peer device.
Hit ratio The ratio of directly accessed I/Os from the cache to
all I/Os.
Hot swap The substitution of a replacement unit (RU) in a
system for a defective unit, where the substitution
can be performed while the system is performing its
normal functioning normally. Hot swaps are physical
operations typically performed by humans.
HyperMetro A value-added service of storage systems.
HyperMetro means two datasets (on two storage
systems) can provide storage services as one dataset
to achieve load balancing among applications and
failover without service interruption.
HyperMetro domain A HyperMetro configuration object generally; made
up of two storage arrays and one quorum server.
HyperMetro services can be created on a HyperMetro
domain.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 249
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
HyperMetro vStore A HyperMetro vStore pair consists of two vStores,
pair that is, two tenants. After a HyperMetro relationship
is set up for a pair of vStores, the datasets in the two
vStores work in redundancy mode and provide
storage services in one dataset view, achieving hitless
service failover.
HyperMetro-Inner On an eight-controller network, with HyperMetro-
Inner, continuous mirroring, back-end global sharing,
and three-copy technologies, a storage system can
tolerate one-by-one failures of seven controllers
among eight controllers, concurrent failures of two
controllers, and failure of a controller enclosure.
HyperDetect HyperDetect is a feature that provides ransomware
detection.
Handle A handle resides on the structural part of a module. It
is used to insert or remove a module into or from a
chassis, not helpful in saving efforts.
Helm chart A Helm chart is in TAR format. It is similar to the deb
package of APT or the rpm package of Yum. It
contains a group of yaml files that define Kubernetes
resources.
I
In-band management The management control information of the network
and the carrier service information of the user
network are transferred through the same logical
channel. In-band management enables users to
manage storage arrays through commands.
Management commands are sent through service
channels, such as I/O write and read channels. The
advantages of in-band management include high
speed, stable transfer, and no additional
management network ports required.
Initiator The system component that originates an I/O
command over an I/O interconnect. The endpoint
that originates a SCSI I/O command sequence. I/O
adapters, network interface cards, and intelligent I/O
interconnect control ASICs are typical initiators.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 250
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
I/O Shorthand for input/output. I/O is the process of
moving data between a computer system's main
memory and an external device or interface such as a
storage device, display, printer, or network connected
to other computer systems. This encompasses
reading, or moving data into a computer system's
memory, and writing, or moving data from a
computer system's memory to another location.
Intelligent ransomware The system detects known ransomware features to
detection identify whether the file systems are attacked by
ransomware. If no ransomware attack is identified,
the system analyzes and compares the changes in file
system snapshots, and uses machine learning
algorithms to further check whether the file systems
are infected by ransomware.
Interface module A replaceable field module that accommodates the
service or management ports.
L
Load balance A method of adjusting the system, application
components, and data to averagely distribute the
applied I/Os or computing requests to physical
resources of the system.
Logical unit The addressable entity within a SCSI target that
executes I/O commands.
Logical unit number The SCSI identifier of a logical unit within a target.
Industry shorthand, when phrased as "LUN", for the
logical unit indicated by the logical unit number.
LUN formatting The process of writing 0 bits in the data area of the
logical drive and generating related parity bits so that
the logical drive can be in the ready state.
LUN mapping A storage system maps LUNs to application servers
so that application servers can access storage
resources.
LUN migration A method for the LUN data to migrate between
different physical storage spaces while ensuring data
integrity and uninterrupted operation of host
services.
LUN snapshot A type of snapshot created for a LUN. This snapshot
is both readable and writable and is mainly used to
provide a snapshot LUN from point-in-time LUN
data.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 251
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Lever A lever resides on the structural part of a module. It
is used to insert or remove a module into or from a
chassis, saving efforts.
Local image repository A private repository used to store the container
images and Helm charts imported by users. It is
different from the standard image repository. The
imported images and Helm charts must meet the
compatibility requirements of the system.
M
Maintenance terminal A computer connected through a serial port or
management network port. It maintains the storage
system.
Management interface The module that integrates one or more
module management network ports.
Management network An entity that provides means to transmit and
process network management information.
Management network The network port on the controller enclosure
port connected to the maintenance terminal. It is provided
for the remote maintenance terminal. Its IP address
can be modified with the change of the customer's
environment.
N
NVM Express A host controller interface with a register interface
and command set designed for PCI Express-based
SSDs.
NVMe SSD A solid state disk (SSD) with a non-volatile memory
express (NVMe) interface. Compared with other
SSDs, such SSDs can deliver higher performance and
shorter latency.
O
Out-of-band A management mode used during out-of-band
management networking. The management and control
information of the network and the bearer service
information of the user network are transmitted
through different logical channels.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 252
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
P
Power failure When an external power failure occurs, the AC PEM
protection depends on the battery for power supply. This
ensures the integrity of the dirty data in the cache.
Pre-copy When the system monitors a failing member disk in a
RAID group, the system copies the data from the disk
to a hot spare disk in advance.
Palm-sized NVMe SSD A palm-sized NVMe SSD is a type of NVMe SSD of
which the dimensions (H x W x D) are 160 mm x 79.8
mm x 9.5 mm (neither 3.5-inch nor 2.5-inch).
Q
Quorum server A server that can provide arbitration services for
clusters or HyperMetro to prevent the resource access
conflicts of multiple application servers.
Quorum Server Mode A HyperMetro arbitration mode. When a HyperMetro
arbitration occurs, the quorum server decides which
site wins the arbitration.
R
RAID level The application of different redundancy types to a
logical drive. A RAID level improves the fault
tolerance or performance of the logical drive but
reduces the available capacity of the logical drive.
You must specify a RAID level for each logical drive.
Ransomware file When launching attacks, ransomware usually
interception generates encrypted files with special file name
extensions. In light of this, the system intercepts the
write to files with specific file name extensions to
block the extortion from known ransomware and
protect file systems in the storage system.
Real-time ransomware Ransomware has similar I/O behavior characteristics.
detection By analyzing file I/O behavior characteristics, the
system quickly filters out abnormal files and
performs deep content analysis on the abnormal files
to detect files attacked by ransomware. Then, secure
snapshots are created for file systems where files
have been attacked, and alarms are reported to
notify the data protection administrator, limiting the
impact of ransomware and reducing losses.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 253
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Reconstruction The regeneration and writing onto one or more
replacement disks of all of the user data and check
data from a failed disk in a mirrored or RAID array. In
most arrays, a rebuild can occur while applications
are accessing data on the array's virtual disks.
Redundancy The inclusion of extra components of a given type in
a system (beyond those required by the system to
carry out its function) for the purpose of enabling
continued operation in the event of a component
failure.
Remote replication A core technology for disaster recovery and a
foundation that implements remote data
synchronization and disaster recovery. This
technology remotely maintains a set of data mirrors
through the remote data connection function of the
storage devices that are separated in different places.
Even when a disaster occurs, the data backup on the
remote storage device is not affected. Remote
replication can be divided into synchronous remote
replication and asynchronous remote replication.
Reverse The process of restoring data from the redundancy
synchronization machine (RM) when the services of the production
machine (PM) are recovering.
Route The path that network traffic takes from its source to
its destination. On a TCP/IP network, each IP packet
is routed independently. Routes can change
dynamically.
S
Script A parameterized list of primitive I/O interconnect
operations intended to be executed in sequence.
Often used with respect to ports, most of which are
able to execute scripts of I/O commands
autonomously (without policy processor assistance).
A sequence of instructions intended to be parsed and
carried out by a command line interpreter or other
scripting language. Perl, VBScript, JavaScript and Tcl
are all scripting languages.
Serial port An input/output location (channel) that sends and
receives data (one bit at a time) to and from the CPU
of a computer or a communications device. Serial
ports are used for serial data communication and as
interfaces for some peripheral devices, such as mouse
devices and printers.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 254
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Service data The user and/or network information required for the
normal functioning of services.
Service network port The network port that is used to store services.
Simple network An IETF protocol for monitoring and managing
management protocol systems and devices in a network. The data being
monitored and managed is defined by an MIB. The
functions supported by the protocol are the request
and retrieval of data, the setting or writing of data,
and traps that signal the occurrence of events.
Single point of failure One component or path in a system, the failure of
which would make the system inoperable.
Slot A position defined by an upper guide rail and the
corresponding lower guide rail in a frame. A slot
houses a board.
Small computer system A collection of ANSI standards and proposed
interface standards that define I/O interconnects primarily
intended for connecting storage subsystems or
devices to hosts through host bus adapters. Originally
intended primarily for use with small (desktop and
desk-side workstation) computers, SCSI has been
extended to serve most computing needs, and is
arguably the most widely implemented I/O
interconnect in use today.
Snapshot A point in time copy of a defined collection of data.
Clones and snapshots are full copies. Depending on
the system, snapshots may be of files, LUNs, file
systems, or any other type of container supported by
the system.
Snapshot copy A copy of a snapshot LUN.
Source LUN The LUN where the original data is located.
Static Priority Mode A HyperMetro arbitration mode. When a HyperMetro
arbitration occurs, the preferred site always wins the
arbitration.
Storage system An integrated system that consists of the following
parts: controller, storage array, host bus adapter,
physical connection between storage units, and all
control software.
Storage unit An abstract definition of backup storage media for
storing backup data. The storage unit is connected to
the actual storage media used to back up data.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 255
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Streaming media Streaming media is media continuously streamed
over the network. Combining technologies
concerning streaming media data collection,
compression, encoding, storage, transmission,
playback, and network communications, streaming
media can provide high-quality playback effects in
real time at low bandwidth.
Subnet A type of smaller network that forms a larger
network according to a rule, such as, forming a
network according to different districts. This
facilitates the management of a large network.
Smart disk enclosure Being compared with traditional disk enclosures, the
smart disk enclosures are equipped with Arm chips
and DDR memories or other computing modules to
achieve powerful computing capabilities. With such
capabilities, the smart disk enclosures can help
controllers to share some computing loads,
accelerating data processing.
Share authentication During vStore configuration synchronization, the
share authentication information (including the share
information and domain controller configuration) is
synchronized to the secondary end.
T
Target The endpoint that receives a SCSI I/O command
sequence.
Target LUN The LUN on which target data resides.
Thin LUN A logic disk that can be accessed by hosts. It
dynamically allocates storage resources from the thin
pool according to the actual capacity requirements of
users.
Topology The logical layout of the components of a computer
system or network and their interconnections.
Topology deals with questions of what components
are directly connected to other components from the
standpoint of being able to communicate. It does not
deal with questions of physical location of
components or interconnecting cables. The
communication infrastructure that provides Fibre
Channel communication among a set of PN_Ports
(e.g., a Fabric, an Arbitrated Loop, or a combination
of the two).
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 256
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Trim A method by which the host operating system may
inform a storage device of data blocks that are no
longer in use and can be reclaimed. Many storage
protocols support this functionality via various
names, e.g., ATA TRIM and SCSI UNMAP.
U
User interface The space where users interact with a machine.
U-shaped bracket It is an optional structural part like letter "U". It is
located between the mounting ear of a chassis and
the mounting bar of a cabinet or bay and is used to
adjust the locations of the chassis and mounting bar
of the cabinet or bay.
W
Wear leveling A set of algorithms utilized by a flash controller to
distribute writes and erases across the cells in a flash
device. Cells in flash devices have a limited ability to
survive write cycles. The purpose of wear leveling is
to delay cell wear out and prolong the useful life of
the overall flash device.
Write amplification Increase in the number of write operations by the
device beyond the number of write operations
requested by hosts.
Write amplification The ratio of the number of write operations on the
factor device to the number of write operations requested
by the host.
Write back A caching technology in which the completion of a
write request is signaled as soon as the data is in the
cache. Actual writing to non-volatile media occurs at
a later time. Write back includes inherent risks: an
application will take action predicated on the write
completion signal, and a system failure before the
data is written to non-volatile media will cause
media contents to be inconsistent with that
subsequent action. For these reasons, sufficient write
back implementations include mechanisms to
preserve cache contents across system failures
(including power failures) and a flushed cache at
system restart time.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 257
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File C Glossary
Write Once Read Many A type of storage, designed for fixed content, that
preserves what is written to it in an immutable
fashion. Optical disks are an example of WORM
storage.
Write through A caching technology in which the completion of a
write request is not signaled until data is safely
stored on non-volatile media. Write performance
equipped with the write through technology is
approximately that of a non-cached system. However,
if the written data is also held in a cache, subsequent
read performance may be dramatically improved.
Z
Zone A collection of Fibre Channel N_Ports and/or
NL_Ports (i.e., device ports) that are permitted to
communicate with each other via the fabric. Any two
N_Ports and/or NL_Ports that are not members of at
least one common zone are not permitted to
communicate via the fabric. Zone membership may
be specified by: 1) port location on a switch, (i.e.,
Domain_ID and port number); or, 2) the device's
N_Port_Name; or, 3) the device's address identifier;
or, 4) the device's Node_Name. Well-known
addresses are implicitly included in every zone.
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 258
OceanStor Dorado
SmartMulti-Tenant Feature Guide for File D Acronyms and Abbreviations
D Acronyms and Abbreviations
Issue 07 (2023-10-31) Copyright © Huawei Technologies Co., Ltd. 259
You might also like
- OceanStor Dorado 6.1.x SmartMulti-Tenant Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x SmartMulti-Tenant Feature Guide For Block139 pages
- OceanStor Dorado 6.1.x SmartVirtualization Feature GuideNo ratings yetOceanStor Dorado 6.1.x SmartVirtualization Feature Guide267 pages
- OceanStor Dorado 6.1.x Administrator GuideNo ratings yetOceanStor Dorado 6.1.x Administrator Guide545 pages
- OceanStor Dorado 6.1.x CloudVxLAN Feature GuideNo ratings yetOceanStor Dorado 6.1.x CloudVxLAN Feature Guide65 pages
- OceanStor Dorado 6.1.x SmartQoS Feature GuideNo ratings yetOceanStor Dorado 6.1.x SmartQoS Feature Guide70 pages
- OceanStor Dorado 6.1.x SmartMobility Feature GuideNo ratings yetOceanStor Dorado 6.1.x SmartMobility Feature Guide117 pages
- OceanStor Dorado 6.1.x SmartMove Feature GuideNo ratings yetOceanStor Dorado 6.1.x SmartMove Feature Guide56 pages
- OceanStor Dorado 6.1.x Security Configuration GuideNo ratings yetOceanStor Dorado 6.1.x Security Configuration Guide222 pages
- OceanStor Dorado 6.1.x SmartMigration Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x SmartMigration Feature Guide For Block96 pages
- OceanStor Dorado 6.1.x HyperSnap Feature Guide For FileNo ratings yetOceanStor Dorado 6.1.x HyperSnap Feature Guide For File65 pages
- OceanStor Dorado 6.1.x IP Address Failover Deployment GuideNo ratings yetOceanStor Dorado 6.1.x IP Address Failover Deployment Guide88 pages
- OceanStor Dorado 6.1.x HyperCDP Feature Guide For FileNo ratings yetOceanStor Dorado 6.1.x HyperCDP Feature Guide For File100 pages
- OceanStor Dorado 6.1.x HyperLock Feature GuideNo ratings yetOceanStor Dorado 6.1.x HyperLock Feature Guide124 pages
- OceanStor Dorado 6.1.x HyperCDP Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x HyperCDP Feature Guide For Block119 pages
- OceanStor Dorado 6.1.x HyperReplication Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x HyperReplication Feature Guide For Block286 pages
- OceanStor Dorado 6.1.x HyperClone Feature Guide For FileNo ratings yetOceanStor Dorado 6.1.x HyperClone Feature Guide For File64 pages
- OceanStor Dorado 6.1.x HyperSnap Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x HyperSnap Feature Guide For Block142 pages
- OceanStor Dorado 6.1.x NDMP Feature GuideNo ratings yetOceanStor Dorado 6.1.x NDMP Feature Guide168 pages
- Best Practices of OceanStor Dorado & OceanStor For VMware in SAN ScenariosNo ratings yetBest Practices of OceanStor Dorado & OceanStor For VMware in SAN Scenarios47 pages
- OceanStor Dorado 6.1.x SmartCache Feature GuideNo ratings yetOceanStor Dorado 6.1.x SmartCache Feature Guide56 pages
- OceanStor Dorado 6.1.x Container User GuideNo ratings yetOceanStor Dorado 6.1.x Container User Guide138 pages
- OceanStor Dorado 6.1.x CloudBackup Feature GuideNo ratings yetOceanStor Dorado 6.1.x CloudBackup Feature Guide120 pages
- Dorado V6 Series 6.1.x Basic Storage Service Configuration Guide For FileNo ratings yetDorado V6 Series 6.1.x Basic Storage Service Configuration Guide For File685 pages
- OceanStor Dorado 6.1.x Basic Storage Service Configuration Guide For BlockNo ratings yetOceanStor Dorado 6.1.x Basic Storage Service Configuration Guide For Block304 pages
- OceanStor Dorado 6.1.x HyperClone Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x HyperClone Feature Guide For Block106 pages
- OceanStor 6.1.6 REST Interface ReferenceNo ratings yetOceanStor 6.1.6 REST Interface Reference3,690 pages
- OceanStor Dorado V6 Series 6.1.x & V700R001 Troubleshooting Guide 2025No ratings yetOceanStor Dorado V6 Series 6.1.x & V700R001 Troubleshooting Guide 202591 pages
- OceanStor Dorado 6.1.x SmartTier Feature GuideNo ratings yetOceanStor Dorado 6.1.x SmartTier Feature Guide29 pages
- OceanStor Dorado 3000 6.x Installation GuideNo ratings yetOceanStor Dorado 3000 6.x Installation Guide155 pages
- OceanStor Dorado 6.1.x 3DC Configuration For FileNo ratings yetOceanStor Dorado 6.1.x 3DC Configuration For File153 pages
- Dorado V6 Series 6.1.x Best Practices of OceanStor Dorado & OceanStor For NAS Microsoft Hyper-VNo ratings yetDorado V6 Series 6.1.x Best Practices of OceanStor Dorado & OceanStor For NAS Microsoft Hyper-V52 pages
- OceanStor Dorado 6.1.x HyperDetect Feature Guide For FileNo ratings yetOceanStor Dorado 6.1.x HyperDetect Feature Guide For File102 pages
- OceanStor Dorado 6.1.x 3DC Configuration For BlockNo ratings yetOceanStor Dorado 6.1.x 3DC Configuration For Block296 pages
- OceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Connecting To Linux Hosts Using NFS Over RDMANo ratings yetOceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Connecting To Linux Hosts Using NFS Over RDMA52 pages
- OceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Connecting To VMware ESXi Hosts Using NVMe Over FabricsNo ratings yetOceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Connecting To VMware ESXi Hosts Using NVMe Over Fabrics67 pages
- OceanStor Dorado 5000 V6 and Dorado 6000 V6 6.x & V700R001 Installation GuideNo ratings yetOceanStor Dorado 5000 V6 and Dorado 6000 V6 6.x & V700R001 Installation Guide180 pages
- OceanStor Dorado 6.0.0 SmartVirtualization Feature GuideNo ratings yetOceanStor Dorado 6.0.0 SmartVirtualization Feature Guide251 pages
- OceanStor Dorado 6.1.x Disk Encryption User GuideNo ratings yetOceanStor Dorado 6.1.x Disk Encryption User Guide156 pages
- OceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Connecting To Linux Hosts Using NFS Over RDMANo ratings yetOceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Connecting To Linux Hosts Using NFS Over RDMA51 pages
- OceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For VMware ESXiNo ratings yetOceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For VMware ESXi149 pages
- OceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Red HatNo ratings yetOceanStor Dorado 6.x & OceanStor 6.x Host Connectivity Guide For Red Hat104 pages
- OceanStor Dorado 6.1.x Initialization GuideNo ratings yetOceanStor Dorado 6.1.x Initialization Guide249 pages
- ManageOne 6.5.1 Operation Portal Northbound API Reference 07No ratings yetManageOne 6.5.1 Operation Portal Northbound API Reference 071,444 pages
- OceanStor Dorado 6.1.3 Command ReferenceNo ratings yetOceanStor Dorado 6.1.3 Command Reference1,939 pages
- Best Practices of OceanStor Dorado Oriented To Oracle Database Deploymen...No ratings yetBest Practices of OceanStor Dorado Oriented To Oracle Database Deploymen...81 pages
- ESDK Enterprise Storage Plugins 2.6.RC2 User Guide (SRA) 02No ratings yetESDK Enterprise Storage Plugins 2.6.RC2 User Guide (SRA) 0257 pages
- Huawei OceanStor Dorado V6 All Flash Storage Systems Technical White PaperNo ratings yetHuawei OceanStor Dorado V6 All Flash Storage Systems Technical White Paper199 pages
- OceanStor Dorado 8000 V6 and Dorado 18000 V6 6.0.1 Product Description100% (2)OceanStor Dorado 8000 V6 and Dorado 18000 V6 6.0.1 Product Description219 pages
- OceanStor Dorado 2000 6.1.6 Technical White PaperNo ratings yetOceanStor Dorado 2000 6.1.6 Technical White Paper133 pages
- OceanStor Dorado 6.0.0 Basic Storage Service Configuration GuideNo ratings yetOceanStor Dorado 6.0.0 Basic Storage Service Configuration Guide140 pages
- OceanProtect Backup Storage 1.5.0 Acceptance Test GuideNo ratings yetOceanProtect Backup Storage 1.5.0 Acceptance Test Guide78 pages
- OceanStor Dorado 8000&18000 All-Flash Storage Technical White PaperNo ratings yetOceanStor Dorado 8000&18000 All-Flash Storage Technical White Paper197 pages
- OceanStor Dorado 6.1.x Basic Storage Service Configuration Guide For BlockNo ratings yetOceanStor Dorado 6.1.x Basic Storage Service Configuration Guide For Block288 pages
- OceanStor Dorado 6.x & OceanStor 6.x DM-Multipath Configuration Guide For FusionComputeNo ratings yetOceanStor Dorado 6.x & OceanStor 6.x DM-Multipath Configuration Guide For FusionCompute24 pages
- OceanStor Dorado 6.1 Administrator GuideNo ratings yetOceanStor Dorado 6.1 Administrator Guide376 pages
- OceanStor Dorado 6.1.2.SPH8 Patch NotesNo ratings yetOceanStor Dorado 6.1.2.SPH8 Patch Notes23 pages
- Best Practices of OceanStor Dorado & OceanStor For VMware in NAS ScenariosNo ratings yetBest Practices of OceanStor Dorado & OceanStor For VMware in NAS Scenarios46 pages
- OceanStor Dorado 6.1.x SmartDedupe and SmartCompression Feature Guide For BlockNo ratings yetOceanStor Dorado 6.1.x SmartDedupe and SmartCompression Feature Guide For Block51 pages
- OceanStor Dorado Backup Features Comparison (HyperSnap, HyperClone, and HyperCDP)No ratings yetOceanStor Dorado Backup Features Comparison (HyperSnap, HyperClone, and HyperCDP)6 pages
- OceanStor Dorado and OceanStor 6.1.6 Deep DiveNo ratings yetOceanStor Dorado and OceanStor 6.1.6 Deep Dive27 pages
- Huawei OceanStor Dorado 6.1.6 Storage Simplified Interoperability Matrix For FileNo ratings yetHuawei OceanStor Dorado 6.1.6 Storage Simplified Interoperability Matrix For File11 pages
- OceanStor Dorado 6.1.x SmartDedupe and SmartCompression Feature Guide For FileNo ratings yetOceanStor Dorado 6.1.x SmartDedupe and SmartCompression Feature Guide For File46 pages
- OceanStor Dorado 6.x & OceanStor 6.x DM-Multipath Configuration Guide For Red Hat RHV 4.xNo ratings yetOceanStor Dorado 6.x & OceanStor 6.x DM-Multipath Configuration Guide For Red Hat RHV 4.x10 pages
- Owning Controllers of Interface Module Ports On OceanStor Dorado 4 U Controller EnclosureNo ratings yetOwning Controllers of Interface Module Ports On OceanStor Dorado 4 U Controller Enclosure13 pages
- OceanStor Dorado Disk Health Prediction PrinciplesNo ratings yetOceanStor Dorado Disk Health Prediction Principles6 pages
- Auditing Internal Control Over Financial Reporting: Mcgraw-Hill/IrwinNo ratings yetAuditing Internal Control Over Financial Reporting: Mcgraw-Hill/Irwin39 pages
- Worked Example - Analysis and Design of Steel Sheet Pile Wall (EN 1997-1) - StructvilleNo ratings yetWorked Example - Analysis and Design of Steel Sheet Pile Wall (EN 1997-1) - Structville11 pages
- A Chosen Calling Jews in Science in The Twentieth Century Latest Edition Download100% (12)A Chosen Calling Jews in Science in The Twentieth Century Latest Edition Download15 pages
- 08 - ISM Code Internal Auditor - Auditor Traits and Auditing Techniques100% (1)08 - ISM Code Internal Auditor - Auditor Traits and Auditing Techniques26 pages
- Superexcels Provide Differentiated Supervision: First EditionNo ratings yetSuperexcels Provide Differentiated Supervision: First Edition23 pages
- Tone/Pulse Switchable Dialer With LCD Interface and Dual-Tone Melody GeneratorNo ratings yetTone/Pulse Switchable Dialer With LCD Interface and Dual-Tone Melody Generator25 pages
- JNL College (Pallavi For Botany B.SC Part I) Topic-MarseliaNo ratings yetJNL College (Pallavi For Botany B.SC Part I) Topic-Marselia13 pages
- PP-CI-GG-005 Civil Inspection and Testing ServicesNo ratings yetPP-CI-GG-005 Civil Inspection and Testing Services7 pages
