diff --git a/CHANGELOG.md b/CHANGELOG.md index 374aa6411..817ba41b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,18 @@ # Change Log ## [Releases](https://github.com/NetApp/harvest/releases) +## 25.05.1 / 2025-06-10 Release +:pushpin: This release is identical to 25.05.0, if you are using the Cisco collector, we recommend upgrading to version 25.05.1 to reduce cardinality issues caused by storing a switch's uptime as a label instead of a metric value. + +This release also includes: + +1. Introduced a new `ONTAP: Switch` dashboard that provides detailed information about switches connected to ONTAP. +2. Enhanced functionality to parse the Cisco version when the RCF is missing. +3. Updated to Golang 1.23.4, which includes several security vulnerability fixes (CVEs). +4. MetroCluster internal SVMs and volumes are no longer exported when they are offline. + +--- + ## 25.05.0 / 2025-05-19 Release pushpin: Highlights of this major release include: ## :star: New Features diff --git a/cmd/collectors/cisco/rest/client.go b/cmd/collectors/cisco/rest/client.go index 19e56ada9..de92a5afa 100644 --- a/cmd/collectors/cisco/rest/client.go +++ b/cmd/collectors/cisco/rest/client.go @@ -158,7 +158,7 @@ func (c *Client) callWithAuthRetry(command string, callType apiType) (gjson.Resu // } // } code := result.Get("output.code") - if code.Exists() { + if code.Exists() && code.Int() != 200 { errMsg := result.Get("output.msg").String() if errMsg == "" { errMsg = "unknown error" diff --git a/cmd/tools/grafana/dashboard_test.go b/cmd/tools/grafana/dashboard_test.go index 35bab83ab..abc08849e 100644 --- a/cmd/tools/grafana/dashboard_test.go +++ b/cmd/tools/grafana/dashboard_test.go 
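Review bot: The rewritten guard `if code.Exists() && code.Int() != 200 {` in callWithAuthRetry accepts exactly one value as success and still treats a response with no `output.code` field as success, and neither assumption is written down next to the check. If the switch can return a success payload with a different code, or a payload shape where the `output.code` path does not match (for example `output` as a list; not visible here), a real failure would be returned to the caller as a good result. I would add a comment above the check, such as `// output.code is present on success too (200); any other value is an error reported in output.msg`, and a unit test that feeds a success payload carrying `code` and an error payload. The function body starts and ends outside this hunk, so how a missing code is handled further down cannot be confirmed from here.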
@@ -1007,16 +1007,17 @@ func ensureLookBack(text string) string { func TestOnlyHighlightsExpanded(t *testing.T) { exceptions := map[string]int{ - "cmode/shelf.json": 2, - "cmode/fsa.json": 2, + "cmode/auditlog.json": 2, "cmode/flexcache.json": 2, - "cmode/workload.json": 2, - "cmode/smb.json": 2, + "cmode/fsa.json": 2, "cmode/health.json": 2, + "cmode/nfsTroubleshooting.json": 3, "cmode/power.json": 2, + "cmode/shelf.json": 2, + "cmode/smb.json": 2, + "cmode/switch.json": 2, + "cmode/workload.json": 2, "storagegrid/fabricpool.json": 2, - "cmode/auditlog.json": 2, - "cmode/nfsTroubleshooting.json": 3, } // count the number of expanded sections in the dashboard and ensure num expanded = 1 VisitDashboards( diff --git a/docs/ontap-metrics.md b/docs/ontap-metrics.md index 7719984bd..ed98de46e 100644 --- a/docs/ontap-metrics.md +++ b/docs/ontap-metrics.md @@ -7,7 +7,7 @@ These can be generated on demand by running `bin/harvest grafana metrics`. See - More information about ONTAP REST performance counters can be found [here](https://docs.netapp.com/us-en/ontap-pcmap-9121/index.html). ``` -Creation Date : 2025-May-29 +Creation Date : 2025-Jun-09 ONTAP Version: 9.16.1 ``` ## Understanding the structure diff --git a/docs/prepare-cdot-clusters.md b/docs/prepare-cdot-clusters.md index 12ad2f173..0770900de 100644 --- a/docs/prepare-cdot-clusters.md +++ b/docs/prepare-cdot-clusters.md 
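Review bot: The new `"cmode/switch.json": 2` entry in the `exceptions` map of TestOnlyHighlightsExpanded widens the allow-list without recording why that dashboard needs two expanded sections. The comment under the map says the test enforces a single expanded section, so every entry is a deliberate waiver. A trailing comment on the new entry, for example `// <second row name> is intentionally expanded alongside Highlights`, would make later additions easier to review. The test function continues past the end of the hunk.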
@@ -7,11 +7,10 @@ Although a generic admin account can be used, it is better to create a dedicated In the examples below, the user, group, roles, etc., use a naming convention of `netapp-harvest`. These can be modified as needed to match your organizational needs. -There are few steps required to prepare each system for monitoring. +There are a few steps required to prepare each system for monitoring. Harvest supports two [authentication styles](https://netapp.github.io/harvest/latest/configure-harvest-basic/#authentication) -(`auth_style`) to connect to ONTAP clusters. -These are `basic_auth` or `certificate_auth`. +(`auth_style`) to connect to ONTAP clusters: `basic_auth` and `certificate_auth`. Both work well, but if you're starting fresh, the recommendation is to create a read-only harvest user on your ONTAP server and use [certificate-based](#using-certificate-authentication) TLS authentication. 
@@ -26,65 +25,142 @@ There are two ways to create a read-only ONTAP role. Pick the one that best fits - Create a role with read-only access to all API objects via [System Manager](#system-manager). - Create a role with read-only access to the limited set of APIs Harvest collects via [ONTAP's command line interface (CLI)](#ontap-cli). -### System Manager +### ONTAP CLI -Open System Manager. Click on *CLUSTER* in the left menu bar, *Settings* and *Users and Roles*. +We are going to: -![System Manager Settings](assets/prepare-ontap/ontap_user_sm_0.png) +1. create a Harvest role with read-only access to a [limited set of objects](#least-privilege-approach) +2. [create a Harvest user](#create-harvest-user-and-associate-with-the-harvest-role) and assign it to that role +3. Depending on which collectors you want to use, add permissions for one or all of the [Rest](#rest-least-privilege-role), [Zapi](#zapi-least-privilege-role), [StatPerf](#statperf-least-privilege-role) collectors. -In the right column, under *Roles*, click on *Add* to add a new role. +Login to the CLI of your cDOT ONTAP system using SSH. -![System Manager Settings](assets/prepare-ontap/ontap_user_sm_1.png) +#### REST least-privilege role -Choose a role name (e.g. *harvest2-role*). In the *REST API PATH* field, type */api* and select *Read-Only* for -*ACCESS*. Click on *Save*. - -![System Manager Settings](assets/prepare-ontap/ontap_user_sm_2.png) +Verify there are no errors when you copy/paste these. +Warnings are fine. -In the left column, under *Users*, click on *Add* to create a new user. Choose a username. Under *Role*, select the role -that we just created. Under *User Login Methods* select *ONTAPI*, and one of the two authentication methods. -Press the `Add` button and select *HTTP* and one of the authentication methods. -Type in a password if you chose *Password*. 
Click on *Save* +```bash +security login rest-role create -role harvest-rest-role -access readonly -api /api/cloud/targets +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/counter/tables +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/mediators +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/metrocluster/diagnostics +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/nodes +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/ntp/servers +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/peers +security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/sensors +security login rest-role create -role harvest-rest-role -access readonly -api /api/name-services/ldap +security login rest-role create -role harvest-rest-role -access readonly -api /api/name-services/nis +security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ethernet/ports +security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ethernet/switch/ports +security login rest-role create -role harvest-rest-role -access readonly -api /api/network/fc/ports +security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/interfaces +security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/ports +security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/routes +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/services +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/sessions 
+security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/shares +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/locks +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/ndmp/sessions +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/nfs/connected-clients +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/nfs/export-policies +# s3 is buggy in 9.15, use protocols endpoint instead. See https://mysupport.netapp.com/site/bugs-online/product/ONTAP/JiraNgage/CONTAP-210232 +security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols +# security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/s3/buckets +# security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/s3/services +security login rest-role create -role harvest-rest-role -access readonly -api /api/security +security login rest-role create -role harvest-rest-role -access readonly -api /api/security/accounts +security login rest-role create -role harvest-rest-role -access readonly -api /api/security/audit/destinations +security login rest-role create -role harvest-rest-role -access readonly -api /api/security/certificates +security login rest-role create -role harvest-rest-role -access readonly -api /api/security/login/messages +security login rest-role create -role harvest-rest-role -access readonly -api /api/security/ssh +security login rest-role create -role harvest-rest-role -access readonly -api /api/snapmirror/relationships +security login rest-role create -role harvest-rest-role -access readonly -api /api/snapmirror/policies +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/aggregates +security login rest-role create -role harvest-rest-role -access 
readonly -api /api/storage/disks +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/flexcache/flexcaches +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/luns +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/namespaces +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/qtrees +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/qos/policies +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/qos/workloads +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/quota/reports +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/shelves +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/snapshot-policies +security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/volumes +security login rest-role create -role harvest-rest-role -access readonly -api /api/support/auto-update +security login rest-role create -role harvest-rest-role -access readonly -api /api/support/autosupport +security login rest-role create -role harvest-rest-role -access readonly -api /api/support/ems/destinations +security login rest-role create -role harvest-rest-role -access readonly -api /api/support/ems/events +security login rest-role create -role harvest-rest-role -access readonly -api /api/support/ems/messages +security login rest-role create -role harvest-rest-role -access readonly -api /api/svm/peers +security login rest-role create -role harvest-rest-role -access readonly -api /api/svm/svms + +# Private CLI endpoints +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli +security login rest-role create -role harvest-rest-role -access readonly -api 
/api/private/support/alerts +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/aggr +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/cluster/date +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/disk +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/export-policy/rule +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/certificate +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/ssl +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/connections/active +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/interface +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port/ifgrp +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/node +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/adaptive-policy-group +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/policy-group +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/workload +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qtree +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/snapmirror +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/failover +security login rest-role create -role harvest-rest-role -access readonly -api 
/api/private/cli/storage/shelf +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/chassis/fru +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/controller/fru +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/health/subsystem +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/node/environment/sensors +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/volume +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/cifs/share +security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/object-store-server/bucket/policy +``` + +See [#2991](https://github.com/NetApp/harvest/issues/2991) for more information. + +**Associate the REST role with the harvest user** -![System Manager Settings](assets/prepare-ontap/ontap_user_sm_3.png) +Using password authentication -If you chose *Password*, you can add the username and password to the Harvest configuration file and start Harvest. If -you chose *Certificate* jump to [Using Certificate Authentication](#using-certificate-authentication) to generate -certificates files. +```bash +security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method password +``` -??? "System Manager Classic interface" +??? failure "If you get an error `command failed: duplicate entry` when running the previous command" + Remove the previous entry and recreate like so: - Open System Manager. Click on the Settings icon in the top-right corner of the window. 
- - ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_0.png) - - Click on *Roles* in the left menu bar and click *Add*. Choose a role name (e.g. *harvest2-role*). - - ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_1.png) - - Under *Role Attributes* click on *Add*, under *Command* type *DEFAULT*, leave *Query* empty, select *readonly* under *Access Level*, click on *OK* and *Add*. - - After you click on *Add*, this is what you should see: - - ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_2.png) - - Now we need to create a user. Click on *Users* in the left menu bar and *Add*. Choose a username and password. Under - *User Login Methods* click on *Add*, select *ontapi* as *Application* and select the role that we just created as *Role*. - Repeat by clicking on *Add*, select *http* as *Application* and select the role that we just created as *Role*. - Click on *Add* in the pop-up window to save. - - ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_3.png) + ```bash + security login delete -user-or-group-name harvest2 -application http -authentication-method * + security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method password + ``` -### ONTAP CLI +Using certificate authentication -We are going to: +```bash +security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method cert +``` -1. create a Harvest role with read-only access to a [limited set of objects](#least-privilege-approach) -2. [create a Harvest user](#create-harvest-user-and-associate-with-the-harvest-role) and assign it to that role +??? failure "If you get an error `command failed: duplicate entry` when running the previous command" + Remove the previous entry and recreate like so: -Login to the CLI of your cDOT ONTAP system using SSH. 
+ ```bash + security login delete -user-or-group-name harvest2 -application http -authentication-method * + security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method cert + ``` -#### Least-privilege approach +#### Zapi least-privilege role Verify there are no errors when you copy/paste these. Warnings are fine. @@ -130,7 +206,7 @@ security login role create -role harvest2-role -access readonly -cmddirname "vol security login role create -role harvest2-role -access readonly -cmddirname "vserver" ``` -#### Create harvest user and associate with the harvest role +**Associate the ZAPI role with the harvest user** Use this for password authentication 
@@ -145,164 +221,28 @@ Or this for certificate authentication security login create -user-or-group-name harvest2 -application ontapi -role harvest2-role -authentication-method cert ``` -#### Create REST role - -Replace `$ADMIN_VSERVER` with your SVM admin name. - -```bash -security login rest-role create -role harvest2-rest-role -access readonly -api /api -vserver $ADMIN_VSERVER -``` - -??? "Least-privilege approach for REST" - - If you are on ONTAP version 9.14.X or later, - instead of the above command, - you can use the following commands to create a REST role with read-only access to a limited set of objects. - - Since REST roles are defined in terms of legacy roles, if you have already created a legacy role with the same name, - you will need to delete it first or use a different name. - - ```bash - security login rest-role create -role harvest-rest-role -access readonly -api /api/cloud/targets - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/counter/tables - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/mediators - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/metrocluster/diagnostics - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/nodes - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/ntp/servers - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/peers - security login rest-role create -role harvest-rest-role -access readonly -api /api/cluster/sensors - security login rest-role create -role harvest-rest-role -access readonly -api /api/name-services/ldap - security login rest-role create -role harvest-rest-role -access readonly -api /api/name-services/nis - security login rest-role create -role 
harvest-rest-role -access readonly -api /api/network/ethernet/ports - security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ethernet/switch/ports - security login rest-role create -role harvest-rest-role -access readonly -api /api/network/fc/ports - security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/interfaces - security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/ports - security login rest-role create -role harvest-rest-role -access readonly -api /api/network/ip/routes - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/services - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/sessions - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/cifs/shares - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/locks - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/ndmp/sessions - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/nfs/connected-clients - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/nfs/export-policies - # s3 is buggy in 9.15, use protocols endpoint instead. 
See https://mysupport.netapp.com/site/bugs-online/product/ONTAP/JiraNgage/CONTAP-210232 - security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols - # security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/s3/buckets - # security login rest-role create -role harvest-rest-role -access readonly -api /api/protocols/s3/services - security login rest-role create -role harvest-rest-role -access readonly -api /api/security - security login rest-role create -role harvest-rest-role -access readonly -api /api/security/accounts - security login rest-role create -role harvest-rest-role -access readonly -api /api/security/audit/destinations - security login rest-role create -role harvest-rest-role -access readonly -api /api/security/certificates - security login rest-role create -role harvest-rest-role -access readonly -api /api/security/login/messages - security login rest-role create -role harvest-rest-role -access readonly -api /api/security/ssh - security login rest-role create -role harvest-rest-role -access readonly -api /api/snapmirror/relationships - security login rest-role create -role harvest-rest-role -access readonly -api /api/snapmirror/policies - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/aggregates - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/disks - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/flexcache/flexcaches - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/luns - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/namespaces - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/qtrees - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/qos/policies - security login rest-role create 
-role harvest-rest-role -access readonly -api /api/storage/qos/workloads - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/quota/reports - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/shelves - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/snapshot-policies - security login rest-role create -role harvest-rest-role -access readonly -api /api/storage/volumes - security login rest-role create -role harvest-rest-role -access readonly -api /api/support/auto-update - security login rest-role create -role harvest-rest-role -access readonly -api /api/support/autosupport - security login rest-role create -role harvest-rest-role -access readonly -api /api/support/ems/destinations - security login rest-role create -role harvest-rest-role -access readonly -api /api/support/ems/events - security login rest-role create -role harvest-rest-role -access readonly -api /api/support/ems/messages - security login rest-role create -role harvest-rest-role -access readonly -api /api/svm/peers - security login rest-role create -role harvest-rest-role -access readonly -api /api/svm/svms - - # Private CLI endpoints - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/support/alerts - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/aggr - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/cluster/date - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/disk - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/export-policy/rule - security login rest-role create -role harvest-rest-role -access readonly -api 
/api/private/cli/security/certificate - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/security/ssl - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/connections/active - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/interface - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/network/port/ifgrp - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/node - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/adaptive-policy-group - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/policy-group - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qos/workload - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/qtree - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/snapmirror - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/failover - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/storage/shelf - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/chassis/fru - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/controller/fru - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/health/subsystem - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/system/node/environment/sensors - security login 
rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/volume - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/cifs/share - security login rest-role create -role harvest-rest-role -access readonly -api /api/private/cli/vserver/object-store-server/bucket/policy - ``` - - See [#2991](https://github.com/NetApp/harvest/issues/2991) for more information. - -#### Associate REST role with harvest user - -Using password authentication - -```bash -security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method password -``` - -??? failure "If you get an error `command failed: duplicate entry` when running the previous command" - Remove the previous entry and recreate like so: - - ```bash - security login delete -user-or-group-name harvest2 -application http -authentication-method * - security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method password - ``` - -Using certificate authentication +Verify that the harvest2-role role has web access by running the following commands. -```bash -security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method cert -``` - -??? 
failure "If you get an error `command failed: duplicate entry` when running the previous command" - Remove the previous entry and recreate like so: - - ```bash - security login delete -user-or-group-name harvest2 -application http -authentication-method * - security login create -user-or-group-name harvest2 -application http -role harvest2-rest-role -authentication-method cert - ``` - -#### Verify that the harvest role has web access ```bash vserver services web access show -role harvest2-role -name ontapi -vserver services web access show -role harvest2-rest-role -name rest -vserver services web access show -role harvest2-rest-role -name docs-api ``` -If any entries are missing, enable access by running the following. Replace `$ADMIN_VSERVER` with your SVM admin name. +If there are no matching entries, enable access by running the following. + ```bash -vserver services web access create -vserver $ADMIN_VSERVER -name ontapi -role harvest2-role -vserver services web access create -vserver $ADMIN_VSERVER -name rest -role harvest2-rest-role -vserver services web access create -vserver $ADMIN_VSERVER -name docs-api -role harvest2-rest-role +vserver services web access create -role harvest2-role -name ontapi ``` -#### StatPerf Collector Permissions +#### StatPerf least-privilege role -To use the `StatPerf` collector, the `harvest` user requires additional permissions. Execute the following commands to configure the necessary roles and logins: +Verify there are no errors when you copy/paste these. +Warnings are fine. 
```bash security login role create -role harvest2-role -access all -cmddirname "set" security login role create -role harvest2-role -access readonly -cmddirname "statistics" + +security login rest-role create -role harvest2-rest-role -access readonly -api /api/cluster security login rest-role create -role harvest2-rest-role -access read_create -api /api/private/cli security login create -user-or-group-name harvest2 -application ssh -authentication-method password -role harvest2-role security login create -user-or-group-name harvest2 -application http -authentication-method password -role harvest2-rest-role @@ -310,7 +250,9 @@ security login create -user-or-group-name harvest2 -application http -authentica #### 7-Mode CLI -Login to the CLI of your 7-Mode ONTAP system (e.g. using SSH). First, we create a user role. If you want to give the +Login to the CLI of your 7-Mode ONTAP system (e.g., using SSH). +First, we create a user role. +If you want to give the user readonly access to **all** API objects, type in the following command: ```bash 
@@ -321,6 +263,55 @@ api-diagnosis-config-get-iter,api-aggr-list-info,api-volume-list-info, \ api-storage-shelf-environment-list-info,api-qtree-list,api-quota-report ``` +### System Manager + +Open System Manager. Click on *CLUSTER* in the left menu bar, *Settings* and *Users and Roles*. + +![System Manager Settings](assets/prepare-ontap/ontap_user_sm_0.png) + +In the right column, under *Roles*, click on *Add* to add a new role. + +![System Manager Settings](assets/prepare-ontap/ontap_user_sm_1.png) + +Choose a role name (e.g. *harvest2-role*). In the *REST API PATH* field, type */api* and select *Read-Only* for +*ACCESS*. Click on *Save*. + +![System Manager Settings](assets/prepare-ontap/ontap_user_sm_2.png) + +In the left column, under *Users*, click on *Add* to create a new user. Choose a username. Under *Role*, select the role +that we just created. Under *User Login Methods* select *ONTAPI*, and one of the two authentication methods. +Press the `Add` button and select *HTTP* and one of the authentication methods. +Type in a password if you chose *Password*. Click on *Save* + +![System Manager Settings](assets/prepare-ontap/ontap_user_sm_3.png) + +If you chose *Password*, you can add the username and password to the Harvest configuration file and start Harvest. If +you chose *Certificate* jump to [Using Certificate Authentication](#using-certificate-authentication) to generate +certificates files. + +??? "System Manager Classic interface" + + Open System Manager. Click on the Settings icon in the top-right corner of the window. + + ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_0.png) + + Click on *Roles* in the left menu bar and click *Add*. Choose a role name (e.g. *harvest2-role*). + + ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_1.png) + + Under *Role Attributes* click on *Add*, under *Command* type *DEFAULT*, leave *Query* empty, select *readonly* under *Access Level*, click on *OK* and *Add*. 
+ + After you click on *Add*, this is what you should see: + + ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_2.png) + + Now we need to create a user. Click on *Users* in the left menu bar and *Add*. Choose a username and password. Under + *User Login Methods* click on *Add*, select *ontapi* as *Application* and select the role that we just created as *Role*. + Repeat by clicking on *Add*, select *http* as *Application* and select the role that we just created as *Role*. + Click on *Add* in the pop-up window to save. + + ![System Manager Classic Settings](assets/prepare-ontap/ontap_user_smc_3.png) + # Using Certificate Authentication See [comments here for troubleshooting](https://github.com/NetApp/harvest/issues/314#issuecomment-882120238) client diff --git a/docs/resources/power-algorithm.md b/docs/resources/power-algorithm.md index 5b873e9f8..6e20538b1 100644 --- a/docs/resources/power-algorithm.md +++ b/docs/resources/power-algorithm.md @@ -2,7 +2,7 @@ Gathering power metrics requires a cluster with: * ONTAP versions 9.6+ -* [REST enabled](../prepare-cdot-clusters.md), even when using the ZAPI collector. After granting REST permissions, restart Harvest. +* [REST enabled](../prepare-cdot-clusters.md#rest-least-privilege-role), even when using the ZAPI collector. After granting REST permissions, restart Harvest. REST is required because it is the only way to collect chassis field-replaceable-unit (FRU) information via the REST API `/api/private/cli/system/chassis/fru`. diff --git a/grafana/dashboards/cmode/network.json b/grafana/dashboards/cmode/network.json index 581123934..0e8fd4e95 100644 --- a/grafana/dashboards/cmode/network.json +++ b/grafana/dashboards/cmode/network.json @@ -71,7 +71,7 @@ "gnetId": null, "graphTooltip": 1, "id": null, - "iteration": 1723188904112, + "iteration": 1749475358867, "links": [ { "asDropdown": true, 
@@ -564,7 +564,7 @@ "panels": [ { "datasource": "${DS_PROMETHEUS}", - "description": "Ethernet port details.", + "description": "Displays a collection of ports (physical, VLAN and LAG) for an entire cluster.", "fieldConfig": { "defaults": { "custom": { @@ -762,6 +762,18 @@ "value": "Mbits" } ] + }, + { + "matcher": { + "id": "byName", + "options": "MTU" + }, + "properties": [ + { + "id": "unit", + "value": "string" + } + ] } ] }, @@ -893,7 +905,7 @@ }, { "datasource": "${DS_PROMETHEUS}", - "description": "NIC port details.", + "description": "This table tracks hardware network traffic performance and errors for all supported network interface cards (NIC), such as Intel Niantic, Qlogic, and CNA.", "fieldConfig": { "defaults": { "custom": { @@ -1614,7 +1626,7 @@ "exemplar": false, "expr": "nic_util_percent{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\nand\n topk(\n $TopResources,\n avg_over_time(\n nic_util_percent{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}[3h] @ end()\n )\n )", "interval": "", - "legendFormat": "{{node}} {{nic}}", + "legendFormat": "{{node}} - {{nic}}", "refId": "A" } ], @@ -1703,15 +1715,17 @@ "pluginVersion": "8.1.8", "targets": [ { + "exemplar": false, "expr": "sum by (cluster) (\n nic_tx_total_errors{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\n)", "interval": "", - "legendFormat": "TOTAL", + "legendFormat": "TOTAL - {{cluster}}", "refId": "A" }, { + "exemplar": false, "expr": "sum by (cluster) (\n nic_tx_hw_errors{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\n)", "interval": "", - "legendFormat": "HW", + "legendFormat": "HW - {{cluster}}", "refId": "D" } ], 
@@ -1800,27 +1814,31 @@ "pluginVersion": "8.1.8", "targets": [ { + "exemplar": false, "expr": "sum by (cluster) (\n nic_rx_total_errors{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\n)", "interval": "", - "legendFormat": "TOTAL", + "legendFormat": "TOTAL- {{cluster}}", "refId": "A" }, { + "exemplar": false, "expr": "sum by (cluster) (\n nic_rx_alignment_errors{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\n)", "interval": "", - "legendFormat": "ALIGNMENT", + "legendFormat": "ALIGNMENT- {{cluster}}", "refId": "B" }, { + "exemplar": false, "expr": "sum by (cluster) (\n nic_rx_crc_errors{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\n)", "interval": "", - "legendFormat": "CRC", + "legendFormat": "CRC- {{cluster}}", "refId": "C" }, { + "exemplar": false, "expr": "sum by (cluster) (\n nic_rx_length_errors{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",nic=~\"$Eth\",node=~\"$Node\"}\n)", "interval": "", - "legendFormat": "LENGTH", + "legendFormat": "LENGTH- {{cluster}}", "refId": "D" } ], @@ -2145,8 +2163,8 @@ "Value #F": 8, "cluster": 1, "datacenter": 0, - "nic": 2, - "node": 3 + "nic": 3, + "node": 2 }, "renameByName": { "Value #A": "", @@ -5179,5 +5197,5 @@ "timezone": "", "title": "ONTAP: Network", "uid": "cdot-network", - "version": 12 + "version": 13 } diff --git a/grafana/dashboards/cmode/switch.json b/grafana/dashboards/cmode/switch.json index 561de49d1..d45809eb3 100644 --- a/grafana/dashboards/cmode/switch.json +++ b/grafana/dashboards/cmode/switch.json @@ -33,6 +33,12 @@ "name": "Time series", "type": "panel", "version": "" + }, + { + "id": "text", + "name": "Text", + "type": "panel", + "version": "" } ], "annotations": { 
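Review bot: The four new legends in the `@@ -1800,27 +1814,31 @@` hunk are written without a space before the hyphen (`"TOTAL- {{cluster}}"`, `"ALIGNMENT- {{cluster}}"`, `"CRC- {{cluster}}"`, `"LENGTH- {{cluster}}"`). The `nic_tx_*` targets in the `@@ -1703,15 +1715,17 @@` hunk use `"TOTAL - {{cluster}}"` and `"HW - {{cluster}}"`, and the utilisation target uses `"{{node}} - {{nic}}"`. These appear to be the receive and transmit error panels of the same dashboard, so their series names would render with different spacing. I would change the first to `"legendFormat": "TOTAL - {{cluster}}"` and apply the same spacing to the ALIGNMENT, CRC and LENGTH targets.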
@@ -86,6 +92,37 @@ "x": 0, "y": 0 }, + "id": 44, + "panels": [], + "title": "Important Information about the Switch Dashboard", + "type": "row" + }, + { + "datasource": "${DS_PROMETHEUS}", + "description": "", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 42, + "options": { + "content": "This dashboard is compatible with ONTAP 9.8+ and requires the KeyPerf collector. To use this dashboard, please follow the step below:\n\n1. **Enable the KeyPerf Collector**: Update your `harvest.yml` configuration file to enable the [KeyPerf](https://netapp.github.io/harvest/latest/configure-keyperf/) collector.", + "mode": "markdown" + }, + "pluginVersion": "8.1.8", + "type": "text" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS}", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 4 + }, "id": 6, "panels": [], "title": "Overview", @@ -211,6 +248,18 @@ "value": 400 } ] + }, + { + "matcher": { + "id": "byName", + "options": "Speed" + }, + "properties": [ + { + "id": "unit", + "value": "Mbits" + } + ] } ] }, @@ -218,7 +267,7 @@ "h": 7, "w": 24, "x": 0, - "y": 1 + "y": 5 }, "id": 5, "interval": "", @@ -298,7 +347,7 @@ "h": 1, "w": 24, "x": 0, - "y": 8 + "y": 12 }, "id": 30, "panels": [ @@ -361,7 +410,7 @@ "h": 8, "w": 12, "x": 0, - "y": 8 + "y": 9 }, "id": 28, "options": { @@ -453,7 +502,7 @@ "h": 8, "w": 12, "x": 12, - "y": 8 + "y": 9 }, "id": 29, "options": { @@ -545,7 +594,7 @@ "h": 8, "w": 12, "x": 0, - "y": 16 + "y": 17 }, "id": 31, "options": { @@ -644,7 +693,7 @@ "h": 8, "w": 12, "x": 12, - "y": 16 + "y": 17 }, "id": 32, "options": { @@ -695,7 +744,7 @@ "h": 1, "w": 24, "x": 0, - "y": 9 + "y": 13 }, "id": 25, "panels": [ @@ -742,7 +791,7 @@ "h": 9, "w": 4, "x": 0, - "y": 14 + "y": 10 }, "id": 37, "options": { 
@@ -764,7 +813,7 @@ "targets": [ { "exemplar": false, - "expr": "count(\n min_over_time(\n ethernet_switch_port_new_status{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",interface=~\"$Interface\",speed!=\"\",speed!=\"auto-speed\",switch=~\"$Switch\"}[1d]\n )\n ==\n 0\n )\nor\n vector(0)", + "expr": "count(\n min_over_time(\n ethernet_switch_port_new_status{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",interface=~\"$Interface\",speed!=\"auto-speed\",switch=~\"$Switch\"}[1d]\n )\n ==\n 0\n )\nor\n vector(0)", "instant": true, "interval": "", "legendFormat": "", @@ -850,6 +899,18 @@ ] } ] + }, + { + "matcher": { + "id": "byName", + "options": "Speed" + }, + "properties": [ + { + "id": "unit", + "value": "Mbits" + } + ] } ] }, @@ -857,7 +918,7 @@ "h": 9, "w": 20, "x": 4, - "y": 14 + "y": 10 }, "id": 39, "options": { @@ -868,7 +929,7 @@ "targets": [ { "exemplar": false, - "expr": "min_over_time(\n ethernet_switch_port_new_status{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",interface=~\"$Interface\",speed!=\"\",speed!=\"auto-speed\",switch=~\"$Switch\"}[1d]\n )\n==\n 0", + "expr": "min_over_time(\n ethernet_switch_port_new_status{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",interface=~\"$Interface\",speed!=\"auto-speed\",switch=~\"$Switch\"}[1d]\n )\n==\n 0", "format": "table", "instant": true, "interval": "", @@ -980,7 +1041,7 @@ "h": 11, "w": 24, "x": 0, - "y": 23 + "y": 19 }, "id": 40, "options": { 
@@ -1001,11 +1062,11 @@ "targets": [ { "exemplar": false, - "expr": "min_over_time(\n ethernet_switch_port_new_status{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",interface=~\"$Interface\",speed!=\"\",speed!=\"auto-speed\",switch=~\"$Switch\"}[1d]\n )\n==\n 0", + "expr": "min_over_time(\n ethernet_switch_port_new_status{cluster=~\"$Cluster\",datacenter=~\"$Datacenter\",interface=~\"$Interface\",speed!=\"auto-speed\",switch=~\"$Switch\"}[1d]\n )\n==\n 0", "format": "time_series", "instant": false, "interval": "", - "legendFormat": "{{switch}} - {{interface}} - {{speed}}", + "legendFormat": "{{switch}} - {{interface}}", "refId": "A" } ], @@ -1297,5 +1358,5 @@ "timezone": "", "title": "ONTAP: Switch", "uid": "cdot-switch", - "version": 1 + "version": 3 }