SuperCluster: July 2017 QFSDP ZFSSA dcsvcs user change mitigation

Asset ID:	1-79-2297850.1
Update Date:	2017-08-25
Keywords:

Solution Type Predictive Self-Healing Sure

Solution 2297850.1 : SuperCluster: July 2017 QFSDP ZFSSA dcsvcs user change mitigation

Applies to:

Oracle SuperCluster T5-8 Hardware - Version All Versions to All Versions [Release All Releases]
Oracle SuperCluster M7 Hardware - Version All Versions to All Versions [Release All Releases]
Oracle SuperCluster M6-32 Hardware - Version All Versions to All Versions [Release All Releases]
SPARC SuperCluster T4-4 - Version All Versions to All Versions [Release All Releases]
Oracle SuperCluster T5-8 Full Rack - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Purpose

Mitigate issues that can occur with ZFSSA after updating to July 2017 QFSDP version of osc-domcreate and ssctuner.

Scope

Benefit:

A properly monitored and maintained internal ZFSSA will ensure the optimum operations of all LDoms and zones that consume iSCSI LUNs off the internal ZFSSA. While the internal ZFSSA is also available for general-purpose shared storage with NFS, the single JBOD ZFSSA is not designed for heavy IO for extended periods of time. Proper monitoring of the utilization will also let you know which one of your virtual tenants may be using the ZFSSA excessively, negatively impacting other tenants on the SuperCluster. As of July 2017 QFSDP ssctuner implements this monitoring. But osc-domcreate creates a new dcsvcs user to connect to ZFSSA and does not have correct permissions for ssctuner to use that user implementing this monitoring so this document explains how to assign correct permissions and avoid ssctuner creating incomplete thresholds.

Risk :

Without correct permissions for dcsvcs user, it is possible that the threshold will not have important data gathered when the 75% utilization threshold is exceeded. Though very unlikely, it is also possible that ssctuner could create a duplicate worksheet/threshold, one as root and another as dcsvcs.

Details

Mandatory actions:

After booting into July 2017 QFSDP on the Master Control Domain (First Compute Node/PDOM, first LDOM. oes/id oes/node=ssccn1), before ssctuner executes it's 24 hour daily task, please take the following steps to avoid issues when it attempts to create threshold/worksheet/alerts as dcsvcs user.

The Solaris Virtual Assistant Health Check should under most circumstances create dcsvcs user and role on ZFS SA within an hour after being upgraded and restarting with the July 2017 QFSDP level, but one can easily check and if required manually perform those same steps to avoid having to wait for that :

(1) Execute the below command from the Master Control Domain :

root@MCD:~# cd /opt/oracle.supercluster/osc-domcreate/bin

root@MCD:/opt/oracle.supercluster/osc-domcreate/bin# ./dcsvcs_zfs_auths.py user check dcsvcs <ZFS-SA-STOR-IB-Address>
access user set to dcsvcs
checking user's role dcsvcs_role exists

NOTE – The above output indicates dcsvcs user/role exists on ZFS SA.
If the dcsvcs user/role is not defined on ZFS SA then you will see the output as below:

access user set to root
operation failed, user dcsvcs not defined on zfssa

(2) If the dcsvcs user/role doesn't exist then create dcsvcs user/role using the below commands on the MCD, else skip to step 3 :

root@MCD:/opt/oracle.supercluster/osc-domcreate/bin# ./dcsvcs_zfs_auths.py role create dcsvcs_role <ZFS-SA-STOR-IB-Address>
root@MCD:/opt/oracle.supercluster/osc-domcreate/bin# ./dcsvcs_zfs_auths.py -k /root/.ssh/id_rsa.pub user create dcsvcs <ZFS-SA-STOR-IB-Address>
NOTE – If the above steps succeed, verify with "ssh dcsvcs@<ZFSSA-IB-IP>" BEFORE below revocation of root password-less ssh to ZFS SA.
root@MCD:/opt/oracle.supercluster/osc-domcreate/bin# ./dcsvcs_zfs_auths.py -k /root/.ssh/id_rsa.pub user delete root <ZFS-SA-STOR-IB-Address>

3) Once dcsvcs user/role exists, set role authorizations on ZFS SA as follows:

# ssh root@<ZFS-SA-STOR-IB-Address>
ZFS-SA:> configuration roles select dcsvcs_role
ZFS-SA:configuration roles dcsvcs_role> authorizations
ZFS-SA:configuration roles dcsvcs_role authorizations> create
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> set scope=stat
scope = stat
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> set allow_create=true
allow_create = true (uncommitted)
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> set allow_read=true
allow_read = true (uncommitted)
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> commit
ZFS-SA:configuration roles dcsvcs_role authorizations> create
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> set scope=worksheet
scope = worksheet
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> set allow_read=true
allow_read = true (uncommitted)
ZFS-SA:configuration roles dcsvcs_role auth (uncommitted)> commit

Once the above authorizations are in place, as long as ssctuner SMF property ZFSSA_THR_ALRT_TUNE is true as should be the case, ssctuner will create the correct ZFSSA threshold/worksheet/alerts as user dcsvcs when the next 24 hour interval occurs.

After 24 hours, check ssctuner SMF log to verify that the threshold has been created.

References

<NOTE:2288649.1> - SuperCluster: Best Practice - Establish Threshold Alerts on the ZFSSA
<NOTE:1957864.2> - x

Attachments

This solution has no attachment