ONTAP Configuration

User Permissions

Trident does not need full permissions on the ONTAP cluster and should not be used with the cluster-level admin account. Below are the ONTAP CLI commands to create a dedicated user for Trident with specific permissions.

# create a new Trident role
security login role create -vserver [VSERVER] -role trident_role -cmddirname DEFAULT -access none

# grant common Trident permissions
security login role create -vserver [VSERVER] -role trident_role -cmddirname "event generate-autosupport-log" -access all
security login role create -vserver [VSERVER] -role trident_role -cmddirname "network interface" -access readonly
security login role create -vserver [VSERVER] -role trident_role -cmddirname "version" -access readonly
security login role create -vserver [VSERVER] -role trident_role -cmddirname "vserver" -access readonly
security login role create -vserver [VSERVER] -role trident_role -cmddirname "vserver nfs show" -access readonly
security login role create -vserver [VSERVER] -role trident_role -cmddirname "volume" -access all
security login role create -vserver [VSERVER] -role trident_role -cmddirname "snapmirror" -access all

# grant ontap-san Trident permissions
security login role create -vserver [VSERVER] -role trident_role -cmddirname "vserver iscsi show" -access readonly
security login role create -vserver [VSERVER] -role trident_role -cmddirname "lun" -access all

# grant ontap-nas-economy Trident permissions
security login role create -vserver [VSERVER] -role trident_role -cmddirname "vserver export-policy create" -access all
security login role create -vserver [VSERVER] -role trident_role -cmddirname "vserver export-policy rule create" -access all

# create a new Trident user with Trident role
security login create -vserver [VSERVER] -username trident_user -role trident_role -application ontapi -authmethod password

Configuration File Options

In addition to the global configuration values above, when using ONTAP these top-level options are available.

| Option | Description | Example |
|---|---|---|
| managementLIF | IP address of ONTAP management LIF | 10.0.0.1 |
| dataLIF | IP address of protocol LIF; will be derived if not specified | 10.0.0.2 |
| svm | Storage virtual machine to use (required if the management LIF is a cluster LIF) | svm_nfs |
| username | Username to connect to the storage device | vsadmin |
| password | Password to connect to the storage device | secret |
| aggregate | Aggregate for provisioning (optional; if set, must be assigned to the SVM) | aggr1 |

A fully-qualified domain name (FQDN) can be specified for the managementLIF option. For the ontap-nas* drivers only, a FQDN may also be specified for the dataLIF option, in which case the FQDN will be used for the NFS mount operations. For the ontap-san driver, the default is to use all data LIF IPs from the SVM and to use iSCSI multipath. Specifying an IP address for the dataLIF for the ontap-san driver forces the driver to disable multipath and use only the specified address.

For the ontap-nas and ontap-nas-economy drivers, an additional top level option is available. For NFS host configuration, see also: http://www.netapp.com/us/media/tr-4067.pdf

For the ontap-nas-flexgroup driver, the aggregate option in the configuration file is ignored. All aggregates assigned to the SVM are used to provision a FlexGroup Volume.

| Option | Description | Example |
|---|---|---|
| nfsMountOptions | Fine grained control of NFS mount options; defaults to “-o nfsvers=3” | -o nfsvers=4 |

For the ontap-san driver, an additional top level option is available to specify an igroup.

| Option | Description | Example |
|---|---|---|
| igroupName | The igroup used by the plugin; defaults to “netappdvp” | myigroup |

Also, when using ONTAP, these default option settings are available to avoid having to specify them on every volume create.

| Defaults Option | Description | Example |
|---|---|---|
| spaceReserve | Space reservation mode; “none” (thin provisioned) or “volume” (thick) | none |
| snapshotPolicy | Snapshot policy to use, default is “none” | none |
| snapshotReserve | Snapshot reserve percentage, default is “” to accept ONTAP’s default | 10 |
| splitOnClone | Split a clone from its parent upon creation, defaults to “false” | false |
| encryption | Enable NetApp Volume Encryption, defaults to “false” | true |
| unixPermissions | NAS option for provisioned NFS volumes, defaults to “777” | 777 |
| snapshotDir | NAS option for access to the .snapshot directory, defaults to “false” | false |
| exportPolicy | NAS option for the NFS export policy to use, defaults to “default” | default |
| securityStyle | NAS option for access to the provisioned NFS volume, defaults to “unix” | mixed |
| fileSystemType | SAN option to select the file system type, defaults to “ext4” | xfs |

Scaling Options

The ontap-nas and ontap-san drivers create an ONTAP FlexVol for each Docker volume. ONTAP supports up to 1000 FlexVols per cluster node with a cluster maximum of 12,000 FlexVols. If your Docker volume requirements fit within that limitation, the ontap-nas driver is the preferred NAS solution due to the additional features offered by FlexVols such as Docker-volume-granular snapshots and cloning.

If you need more Docker volumes than may be accommodated by the FlexVol limits, choose the ontap-nas-economy driver, which creates Docker volumes as ONTAP Qtrees within a pool of automatically managed FlexVols. Qtrees offer far greater scaling, up to 100,000 per cluster node and 2,400,000 per cluster, at the expense of some features. The ontap-nas-economy driver does not support Docker-volume-granular snapshots or cloning. The ontap-nas-economy driver is not currently supported in Docker Swarm, as Swarm does not orchestrate volume creation across multiple nodes.

Choose the ontap-nas-flexgroup driver to increase parallelism to a single volume that can grow into the petabyte range with billions of files. Some ideal use cases for FlexGroups include AI/ML/DL, big data and analytics, software builds, streaming, file repositories, etc. Trident uses all aggregates assigned to an SVM when provisioning a FlexGroup Volume. FlexGroup support in Trident also has the following considerations:

  • Requires ONTAP version 9.2 or greater.
  • As of this writing, FlexGroups only support NFS v3.
  • Recommended to enable the 64-bit NFSv3 identifiers for the SVM.
  • The minimum recommended FlexGroup size is 100GB.
  • Cloning is not supported for FlexGroup Volumes.

For information regarding FlexGroups and workloads that are appropriate for FlexGroups see the NetApp FlexGroup Volume - Best Practices and Implementation Guide.

To get advanced features and huge scale in the same environment, you can run multiple instances of the Docker Volume Plugin, with one using ontap-nas and another using ontap-nas-economy.

Example ONTAP Config Files

NFS Example for ontap-nas driver

{
    "version": 1,
    "storageDriverName": "ontap-nas",
    "managementLIF": "10.0.0.1",
    "dataLIF": "10.0.0.2",
    "svm": "svm_nfs",
    "username": "vsadmin",
    "password": "secret",
    "aggregate": "aggr1",
    "defaults": {
      "size": "10G",
      "spaceReserve": "none",
      "exportPolicy": "default"
    }
}

NFS Example for ontap-nas-flexgroup driver

{
    "version": 1,
    "storageDriverName": "ontap-nas-flexgroup",
    "managementLIF": "10.0.0.1",
    "dataLIF": "10.0.0.2",
    "svm": "svm_nfs",
    "username": "vsadmin",
    "password": "secret",
    "defaults": {
      "size": "100G",
      "spaceReserve": "none",
      "exportPolicy": "default"
    }
}

NFS Example for ontap-nas-economy driver

{
    "version": 1,
    "storageDriverName": "ontap-nas-economy",
    "managementLIF": "10.0.0.1",
    "dataLIF": "10.0.0.2",
    "svm": "svm_nfs",
    "username": "vsadmin",
    "password": "secret",
    "aggregate": "aggr1"
}

iSCSI Example for ontap-san driver

{
    "version": 1,
    "storageDriverName": "ontap-san",
    "managementLIF": "10.0.0.1",
    "dataLIF": "10.0.0.3",
    "svm": "svm_iscsi",
    "username": "vsadmin",
    "password": "secret",
    "aggregate": "aggr1",
    "igroupName": "myigroup"
}
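
An added example, not part of the Trident documentation or code: a small Python linter that checks a backend config against the constraints stated on this page (a dedicated account instead of a built-in admin, the dataLIF behaviour for ontap-san, the ignored aggregate and NFSv3-only limit for ontap-nas-flexgroup, and the 777 and unencrypted defaults). The `lint_config` name, the finding codes and the treatment of `admin` and `vsadmin` as ONTAP's built-in admin accounts are assumptions of this example.

```python
import ipaddress
import json

NAS_DRIVERS = {"ontap-nas", "ontap-nas-economy", "ontap-nas-flexgroup"}
# Assumption: "admin" and "vsadmin" are ONTAP's built-in cluster and SVM admin accounts.
BUILTIN_ADMINS = {"admin", "vsadmin"}


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_config(cfg):
    """Return a sorted list of finding codes (hypothetical names) for one config dict."""
    findings = set()
    driver = cfg.get("storageDriverName", "")
    defaults = cfg.get("defaults", {})
    data_lif = cfg.get("dataLIF")

    if cfg.get("username") in BUILTIN_ADMINS:
        findings.add("builtin-admin-account")      # use the dedicated trident_role user
    if driver == "ontap-san" and data_lif:
        findings.add("san-multipath-disabled")     # a set dataLIF pins one address
        if not is_ip(data_lif):
            findings.add("san-datalif-not-ip")     # FQDN dataLIF is ontap-nas* only
    if driver == "ontap-nas-flexgroup":
        if "aggregate" in cfg:
            findings.add("flexgroup-aggregate-ignored")
        if "nfsvers=4" in cfg.get("nfsMountOptions", ""):
            findings.add("flexgroup-needs-nfsv3")
    if driver in NAS_DRIVERS and defaults.get("unixPermissions", "777") == "777":
        findings.add("nas-world-writable-777")     # the documented default is 777
    if str(defaults.get("encryption", "false")).lower() != "true":
        findings.add("volume-encryption-off")      # the documented default is false
    return sorted(findings)


# Constructed sample: the ontap-san example config shown above.
SAN_EXAMPLE = json.loads("""{
    "version": 1, "storageDriverName": "ontap-san",
    "managementLIF": "10.0.0.1", "dataLIF": "10.0.0.3", "svm": "svm_iscsi",
    "username": "vsadmin", "password": "secret",
    "aggregate": "aggr1", "igroupName": "myigroup"
}""")

if __name__ == "__main__":
    for code in lint_config(SAN_EXAMPLE):
        print(code)
```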