Hey there,
due to popular demand, I'm currently playing around with the trident integration and am following the docs here: https://netapp-trident.readthedocs.io/en/stable-v18.07/docker/install/ndvp_o...
From what I can see, there's no easy way to limit the total amount of volume space created from within the SVM.
I can limit the amount of volumes that can be created, but I cannot limit the maximum total size of those - or is there any option to do that?
I just want to make sure that none of these clients are using more resources than assigned (without having to assign dedicated aggregates). Is that possible?
Thanks,
Alexander Griesser
Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.com
Web: http://www.anexia-it.com/
Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
No, there is not a way to do that.
From: Toasters <toasters-bounces@teaparty.net> On Behalf Of Alexander Griesser
Sent: Friday, November 6, 2020 9:07 AM
To: Toasters <toasters@teaparty.net>
Subject: SVM Trident limits/config
Hah, I think I just found a way to do that. It's not perfect, but I can at least set a maximum to get some control on that. I can limit the maximum number of volumes an SVM can create with:
vserver modify -vserver vs1 -max-volumes 10
And with the following rule, I can disallow the creation of a volume > 10G:
security login role create -vserver vNFS_440019_onepanel01 -role restricted -cmddirname "volume" -access all -query "-size <=10G"
Creation of a volume with size 10G:
vNFS_440019_onepanel01::> vol create -aggregate superion_data -size 10g -volume test1
vNFS_440019_onepanel01::> vol show
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
vNFS_440019_onepanel01
          test1        superion_data online    RW         10GB     9.50GB    0%
11G:
vNFS_440019_onepanel01::> vol create -aggregate superion_data -size 11g -volume test2
Error: command failed: not authorized for that command
Trying to resize the previously created 10G volume to 11G:
vNFS_440019_onepanel01::> vol size -volume test2 -new-size +1g
Error: command failed: not authorized for that command
Not perfect, but better than nothing.
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
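The workaround in the message above caps the number of volumes and the size of each one, but nothing in it checks the sum. As an added example (not part of the original thread), this Python check parses `vol show` output in the column layout shown above and reports SVMs that exceed their volume count, per-volume cap or assigned total; the sample output, the limit values and all function names are constructed for illustration.

```python
"""Audit per-SVM volume count, per-volume size and total provisioned size
from ONTAP `vol show` text output (added example, not from the thread)."""
import re
from collections import defaultdict

UNITS = {"B": 1, "KB": 2**10, "MB": 2**20, "GB": 2**30, "TB": 2**40, "PB": 2**50}
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB|TB|PB)$", re.IGNORECASE)

# Constructed sample in the column layout shown in the thread. Long vserver
# names wrap onto their own line; the "-" sizes for the offline volume are an
# assumption about how an unavailable size is displayed.
SAMPLE_VOL_SHOW = """\
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
vNFS_440019_onepanel01
          test1        superion_data online    RW         10GB     9.50GB    0%
vNFS_440019_onepanel01
          test3        superion_data online    RW          5GB     4.75GB    0%
vs1       root         superion_data online    RW          1GB    972.5MB    5%
vs1       data1        superion_data online    RW        1.5TB     1.20TB   20%
vs1       old1         superion_data offline   RW            -          -     -
5 entries were displayed.
"""

# Constructed limits: what each SVM was configured with and what it was sold.
SAMPLE_LIMITS = {
    "vNFS_440019_onepanel01": {"max_volumes": 10, "max_volume_size": "10GB", "assigned": "100GB"},
    "vs1": {"max_volumes": 2, "max_volume_size": "1TB", "assigned": "1TB"},
}


def parse_size(token):
    """Convert a size such as '10GB' or '1.5TB' to bytes; '-' means not reported."""
    if token == "-":
        return None
    match = _SIZE_RE.match(token)
    if not match:
        raise ValueError(f"unrecognised size: {token!r}")
    return int(float(match.group(1)) * UNITS[match.group(2).upper()])


def parse_vol_show(text):
    """Return one dict per volume row, re-joining wrapped vserver names."""
    rows, pending = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Vserver" or set(line.strip()) <= {"-", " "}:
            continue  # blank line, column header or separator
        if len(tokens) == 1:
            pending = tokens[0]  # vserver name wrapped onto its own line
            continue
        if len(tokens) == 7 and pending and line[0].isspace():
            tokens = [pending] + tokens
        pending = None
        if len(tokens) != 8:
            continue  # e.g. the "N entries were displayed." trailer
        vserver, volume, _aggregate, state, _type, size = tokens[:6]
        rows.append({"vserver": vserver, "volume": volume, "state": state,
                     "size_text": size, "size": parse_size(size)})
    return rows


def audit(rows, limits):
    """Return (svm, kind, detail) findings for every limit that is exceeded."""
    by_svm = defaultdict(list)
    for row in rows:
        by_svm[row["vserver"]].append(row)
    findings = []
    for svm in sorted(by_svm):
        vols, lim = by_svm[svm], limits.get(svm)
        if lim is None:
            findings.append((svm, "no-limits", "SVM has volumes but no limits on record"))
            continue
        cap = parse_size(lim["max_volume_size"])
        assigned = parse_size(lim["assigned"])
        if len(vols) > lim["max_volumes"]:
            findings.append((svm, "volume-count",
                             f"{len(vols)} volumes, limit {lim['max_volumes']}"))
        total = 0
        for vol in vols:
            if vol["size"] is None:
                findings.append((svm, "size-unknown",
                                 f"{vol['volume']} is {vol['state']}, size not reported"))
                continue
            total += vol["size"]
            if vol["size"] > cap:
                findings.append((svm, "volume-size",
                                 f"{vol['volume']} is {vol['size_text']}, cap {lim['max_volume_size']}"))
        if total > assigned:
            findings.append((svm, "total-size",
                             f"{total} bytes provisioned, {assigned} assigned"))
    return findings


if __name__ == "__main__":
    for svm, kind, detail in audit(parse_vol_show(SAMPLE_VOL_SHOW), SAMPLE_LIMITS):
        print(f"{svm}: {kind}: {detail}")
```

Volumes whose size is not reported are listed separately and left out of the total, so a clean total-size result is only meaningful once those are resolved.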
Nice workaround!
We do know of this limitation and are looking to try to address in future releases, btw.
That's great news, thanks! We definitely need to be able to limit that.
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
Can you not use the Kubernetes Resource Quoting objects to control the same (limits applied at the openshift/k8 cluster side)?
https://kubernetes.io/docs/concepts/policy/resource-quotas/
You would need to have a mechanism to control these resource quota numbers across multiple namespaces in a given cluster to make sure you did not exceed what was available to provision in the associated trident backend aggregate for the SVM you were pointing at.
This seemed like an approach to me anyway. Is the above not feasible?
I do not manage the k8s cluster. Customers deploy them on their own and are now asking for a SVM to create persistent storage, so I can currently only ask them to please not create 20 100TB volumes 😊
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
Hi Alexander,
you should also ask them to not create 500 volumes of size 1GB. Your aggregate (and all other k8s cluster users) may not like that … 😉
Norbert Geissler
Siemens AG
IT IN OPS ED SP WIN&NAS
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Fax: +49 89 636-43003
Mobile: +49 162 4110898
mailto:norbert.geissler@siemens.com
www.siemens.com
Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
I can limit the number of volumes already, just can’t limit the size… I can, however, automate the creation of an SVM, so currently my only good option seems to be to provide one SVM per customer volume and limit the size of the volume the SVM can create to whatever I want to sell them and to set max-volumes to 1 (or two, if the root volume also counts).
Alexander Griesser Head of Systems Operations
ANEXIA Internetdienstleistungs GmbH
E-Mail: AGriesser@anexia-it.commailto:AGriesser@anexia-it.com Web: http://www.anexia-it.comhttp://www.anexia-it.com/
Anschrift Hauptsitz Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt Geschäftsführer: Alexander Windbichler Firmenbuch: FN 289918a | Gerichtsstand: Klagenfurt | UID-Nummer: AT U63216601
Von: Geissler, Norbert norbert.geissler@siemens.com Gesendet: Freitag, 6. November 2020 17:09 An: Alexander Griesser AGriesser@anexia-it.com Cc: Toasters toasters@teaparty.net Betreff: AW: SVM Trident limits/config
Hi Alexander,
you should also ask them to not create 500 volumes of size 1GB . Your aggregate (and all other k8s cluster user) may not like that … 😉 Norbert Geissler
Siemens AG IT IN OPS ED SP WIN&NAS Otto-Hahn-Ring 6 81739 Muenchen, Germany Fax: +49 89 636-43003 Mobile: +49 162 4110898 mailto:norbert.geissler@siemens.com www.siemens.comhttps://siemens.com [cid:image001.gif@01D6B45F.C55E9050] Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
Von: Toasters <toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net> Im Auftrag von Alexander Griesser Gesendet: Freitag, 6. November 2020 16:20 An: Sean Daly <keas666@gmail.commailto:keas666@gmail.com>; Parisi, Justin <Justin.Parisi@netapp.commailto:Justin.Parisi@netapp.com> Cc: Toasters <toasters@teaparty.netmailto:toasters@teaparty.net> Betreff: AW: SVM Trident limits/config
I do not manage the k8s cluster. Customers deploy them on their own and are now asking for a SVM to create persistent storage, so I can currently only ask them to please not create 20 100TB volumes 😊
From: Sean Daly <keas666@gmail.com> Sent: Friday, 6 November 2020 16:18 To: Parisi, Justin <Justin.Parisi@netapp.com> Cc: Alexander Griesser <AGriesser@anexia-it.com>; Toasters <toasters@teaparty.net> Subject: Re: SVM Trident limits/config
Can you not use the Kubernetes Resource Quoting objects to control the same (limits applied at the openshift/k8 cluster side)?
https://kubernetes.io/docs/concepts/policy/resource-quotas/
You would need to have a mechanism to control these resource quota numbers across multiple namespaces/ in a given cluster to make sure you did not exceed what was available to provision in the associated trident backend aggregate for the SVM you were pointing at.
This seemed like an approach to me anyway. Is the above not feasible?
On Fri, Nov 6, 2020 at 9:42 AM Parisi, Justin <Justin.Parisi@netapp.com> wrote:
Nice workaround!
We do know of this limitation and are looking to try to address in future releases, btw.
From: Alexander Griesser <AGriesser@anexia-it.com> Sent: Friday, November 6, 2020 9:37 AM To: Parisi, Justin <Justin.Parisi@netapp.com>; Toasters <toasters@teaparty.net> Subject: AW: SVM Trident limits/config
Hah, I think I just found a way to do that. It’s not perfect, but I can at least set a maximum to get some control on that. I can limit the maximum number of volumes an SVM can create with:
vserver modify -vserver vs1 -max-volumes 10
And with the following rule, I can disallow the creation of a volume > 10G:
security login role create -vserver vNFS_440019_onepanel01 -role restricted -cmddirname "volume" -access all -query "-size <=10G"
Creation of a volume with size 10G:
vNFS_440019_onepanel01::> vol create -aggregate superion_data -size 10g -volume test1
vNFS_440019_onepanel01::> vol show
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
vNFS_440019_onepanel01 test1 superion_data online RW 10GB 9.50GB 0%
11G:
vNFS_440019_onepanel01::> vol create -aggregate superion_data -size 11g -volume test2
Error: command failed: not authorized for that command
Trying to resize the previously created 10G volume to 11G:
vNFS_440019_onepanel01::> vol size -volume test2 -new-size +1g
Error: command failed: not authorized for that command
Not perfect, but better than nothing.
From: Parisi, Justin <Justin.Parisi@netapp.com> Sent: Friday, 6 November 2020 15:19 To: Alexander Griesser <AGriesser@anexia-it.com>; Toasters <toasters@teaparty.net> Subject: RE: SVM Trident limits/config
No, there is not a way to do that.
From: Toasters <toasters-bounces@teaparty.net> On Behalf Of Alexander Griesser Sent: Friday, November 6, 2020 9:07 AM To: Toasters <toasters@teaparty.net> Subject: SVM Trident limits/config
Hey there,
due to popular demand, I’m currently playing around with the trident integration and am following the docs here: https://netapp-trident.readthedocs.io/en/stable-v18.07/docker/install/ndvp_o...
From what I can see, there’s no easy way to limit the total amount of volume space created from within the SVM. I can limit the amount of volumes that can be created, but I cannot limit the maximum total size of those – or is there any option to do that?
I just want to make sure that none of these clients are using more resources than assigned (without having to assign dedicated aggregates). Is that possible?
Thanks,
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters
Ah, I see, you can limit that on a vserver level …
On 2020-11-06 17:12, Alexander Griesser wrote:
I can limit the number of volumes already, just can't limit the size...
I can, however, automate the creation of an SVM, so currently my only good option seems to be to provide one SVM per customer volume and limit the size of the volume the SVM can create to whatever I want to sell them and to set max-volumes to 1 (or two, if the root volume also counts).
Yeah, one could do that (one vserver per customer volume) but... it feels a bit... ridiculous..? Something better is needed, I do agree with that. Hope there will be something in the not too distant future.
Can't remember now how many vservers is possible in a large ONTAP cluster, is it 1000? There's some limit. It depends on how many nodes or some other factors I think.
But this is a nice workaround -- I have to admit I still don't fully understand how it works, because I'm not too familiar with the 'security login role' stuff... (need to read up on it!)
::> vserver modify -vserver vs1 -max-volumes 50
::> security login role create -vserver <name> -role restricted -cmddirname "volume" -access all -query "-size <=50G"
Norbert Geissler wrote:
you should also ask them to not create 500 volumes of size 1GB.
So with the above set and assuming no K8s "customer" can override it in any way, you're good right? It will limit things for sure. Or did I miss something? Some other disadvantage or side effect of doing that 'role' command?
Some thoughts. The next step down this path is when the customer has MANY K8s clusters, they are an internal "ISP" of sorts. So they want one vserver per their K8s cluster and they want to create and remove them themselves together with K8s clusters. I.e.: be vserver admin and API control it too from their "portal" w their own automation.
But then you can no longer do anything like this, it's not in your control anymore to limit things in a vserver in any way by force:
vserver modify -vserver vs1 -max-volumes 10
What to do then? If you relinquish vserver creation control, then the K8s cluster admin ppl can do anything they like and the only option that remains is to control things at the Aggr level. As best one can... If they run out of Aggr space then... *boom*. Their problem. Still, there will be some sort of disruption and some sort of Incident mgmt there one would think.
So finally we have the last step: the K8s cluster team purchases their own ONTAP cluster(s), all the NetApp HW on their CAPEX budget and they own the whole thing; all the HW = all the OPEX created by the depreciation. The cost reclaim model is their problem, not mine. The only thing a Storage Ops Teams does in the scenario (e.g. where I work internally at Ericsson in our R&D) is set up the baseline ONTAP cluster as it should be in the internal Network and manage/support the HW (replace broken things etc), up to creating Aggrs probably because K8s ppl don't want to do that.
Then, from vserver level of abstraction and up, they do whatever they want. 100% automated under their control. A-hm. Did I just make myself (almost) obsolete..? ;-)
Yes, that's what Trident is for really from a K8s PoV, is it not? Making the storage Operations Team nearly obsolete. Infrastructure as Code, etc. For this to work out properly, the financial control (CAPEX, budgeting, OPEX, cost reclaim) has to be put in the hands of the K8s admin ppl. Each K8s cluster created automatically creates a vserver for it in some or other of the ONTAP clusters set up and available for this purpose. For this sole purpose. All the volume and performance mgmt (Demand- & Capacity Mgmt) has to be done by the K8s admin ppl.
Right. I, the Storage Architect, go join that team (K8s guys) instead, to plan and handle the ONTAP storage for PVC for all the umpteen K8s clusters and server "POD"s [a future vision for my working life..?]
/M
I can, however, automate the creation of an SVM, so currently my only good option seems to be to provide one SVM per customer volume and limit the size of the volume the SVM can create to whatever I want to sell them and to set max-volumes to 1 (or two, if the root volume also counts).
Yeah, one could do that (one vserver per customer volume) but... it feels a bit... ridiculous..? Something better is needed, I do agree with that. Hope there will be something in the not too distant future. Can't remember now how many vservers is possible in a large ONTAP cluster, is it 1000? There's some limit. It depends on how many nodes or some other factors I think.
https://library.netapp.com/ecmdocs/ECMLP2429205/html/GUID-425E17E6-B342-4AFC...
Actually, this number is very small, so this "solution" is not going to scale. But I could start with that and re-host the volumes later on once that's fixed (assuming that this product will not sell like hot cakes in the first few months).
But this is a nice workaround -- I have to admit I still don't fully understand how it works, because I'm not too familiar with the 'security login role' stuff... (need to read up on it!)
::> vserver modify -vserver vs1 -max-volumes 50
::> security login role create -vserver <name> -role restricted -cmddirname "volume" -access all -query "-size <=50G"
Well, actually, when you leave out the query, it's quite easy. You specify the command name and the access permission for it (none, read-only, all). So you could create a role which allows "net int show", but does not allow "network port show". You can use "all" access on "network interface" which will also allow the creation and modification of LIFs, if you just assign "read-only" to "network interface", you will be able to read all the config, but not modify it.
The query then allows you to add some more granularity, like f.ex. you could limit write access to just one lif and leave read-only access on all the others.
security login role create -vserver <name> -role restricted -cmddirname "network interface" -access all -query "-lif <lifname>"
security login role create -vserver <name> -role restricted -cmddirname "network interface" -access readonly
You can also use the query to just allow volume creation on a single aggregate for one user, f.ex. And what I found out while testing is, that the query also supports things like "-size <= 50G" which was helpful in this situation.
So with the above set and assuming no K8s "customer" can override it in any way, you're good right? It will limit things for sure. Or did I miss something? Some other disadvantage or side effect of doing that 'role' command?
Yes, with that, I'm "good". There's no real downside of the security roles I can think of. Of course, you open management commands to your customers, but well, doesn't seem to be avoidable nowadays.
Some thoughts. The next step down this path is when the customer has MANY K8s clusters, they are an internal "ISP" of sorts. So they want one vserver per their K8s cluster and they want to create and remove them themselves together with K8s clusters. I.e.: be vserver admin and API control it too from their "portal" w their own automation.
But then you can no longer do anything like this, it's not in your control anymore to limit things in a vserver in any way by force:
vserver modify -vserver vs1 -max-volumes 10
Well, you would not allow a customer to create a SVM on your OnTap cluster anyways, at least not using the Ontap API, because you would have to allow them to access the cluster admin API and that's probably not the best idea. What we're doing here is to allow the customer access to our customer portal's API and in there we have a module for automating NetApp stuff, f.ex. to create a new SVM and in there it's easy to let the user pick "SVM large, small and x-large" (f.ex.) for a k8s workload and assign whatever policies I want to it.
What to do then? If you relinquish vserver creation control, then the K8s cluster admin ppl can do anything they like and the only option that remains is to control things at the Aggr level. As best one can... If they run out of Aggr space then... *boom*. Their problem. Still, there will be some sort of disruption and some sort of Incident mgmt there one would think.
Yah, assigning a separate aggregate per cluster doesn't really scale here, unless there's some sort of "virtual" aggregate I'm not aware of. Also, I think aggregate quotas per "customer" (or svm in this case) would work well here, but I'm also not aware of anything like that.
So finally we have the last step: the K8s cluster team purchases their own ONTAP cluster(s), all the NetApp HW on their CAPEX budget and they own the whole thing; all the HW = all the OPEX created by the depreciation. The cost reclaim model is their problem, not mine. The only thing a Storage Ops Teams does in the scenario (e.g. where I work internally at Ericsson in our R&D) is set up the baseline ONTAP cluster as it should be in the internal Network and manage/support the HW (replace broken things etc), up to creating Aggrs probably because K8s ppl don't want to do that.
There's a big problem with doing things like that. Nowadays, people do not want to sign 3yr contracts and also they do not know how much resources they need. Back in the old times, people thought before deploying, nowadays, things are different 😊 With that comes the need to automatically scale in all directions and if the project doesn't work out, it's being torn down immediately. Also, k8s f.ex. or any other rapid deployment scenario sometimes is also used for quickly cloning an environment to do some tests (load tests, release tests, whatever) and that also requires temporary space, so the only valid option can be flexible sizing on the SP end.
Then, from vserver level of abstraction and up, they do whatever they want. 100% automated under their control. A-hm. Did I just make myself (almost) obsolete..? ;-)
Duties are shifting. You will be orchestrating lots of wild SVMs on your clusters (like an animal tamer) and have no idea what they're doing, what project they belong to and if they bite you or not if you try to pet them. Sometimes, you will have to react to "your product sucks" tickets just because those so-called DevOps people do not even know what an iop is and how to measure it, but hey, that's the future.
Yes, that's what Trident is for really from a K8s PoV, is it not? Making the storage Operations Team nearly obsolete. Infrastructure as Code, etc. For this to work out properly, the financial control (CAPEX, budgeting, OPEX, cost reclaim) has to be put in the hands of the K8s admin ppl. Each K8s cluster created automatically creates a vserver for it in some or other of the ONTAP clusters set up and available for this purpose. For this sole purpose. All the volume and performance mgmt (Demand- & Capacity Mgmt) has to be done by the K8s admin ppl.
That's not going to happen. They want to click on a button (or fire an API call) that creates a 150TB volume with 200k iops. How you, as a provider, make sure this gets delivered is none of their business. If you cannot deliver that in a few seconds, they'll go and look somewhere else. Trying to talk to them to make them aware of the fact that you will never be able to reach 10Gbit/s of bandwidth on a volume with just 1000 iops set as a limit, because that's just technically not possible, will not work out either - BTDT.
Right. I, the Storage Architect, go join that team (K8s guys) instead, to plan and handle the ONTAP storage for PVC for all the umpteen K8s clusters and server "POD"s [a future vision for my working life..?]
Not sure if that's your future - you would have to be involved in the application design there then and that's a whole different business.
Best, Alex
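Added example, not part of the thread and not NetApp code: the two limits discussed above (-max-volumes and the role query "-size <=N") bound what one SVM can provision at max-volumes × N, so a provider can check existing volumes against the caps and see whether the sum of those ceilings still fits the shared aggregate. The SVM names, volume list and aggregate size are constructed sample data, and sizes are treated as binary multiples (an assumption).

```python
import re
from dataclasses import dataclass

# ONTAP-style suffixes, treated here as binary multiples (assumption of this example).
UNITS = {"K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4, "P": 1024**5}


def parse_size(text):
    """Turn '10G', '10g', '9.50GB' or '2T' into bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGTP])B?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def parse_size_cap(query):
    """Extract the byte limit from a role query shaped like '-size <=10G'."""
    m = re.fullmatch(r"\s*-size\s*<=\s*(\S+)\s*", query)
    if not m:
        raise ValueError(f"not a '-size <=N' query: {query!r}")
    return parse_size(m.group(1))


@dataclass
class SvmPolicy:
    name: str          # SVM name
    max_volumes: int   # value given to 'vserver modify -max-volumes'
    size_query: str    # value given to '-query' on the restricted role

    @property
    def per_volume_cap(self):
        return parse_size_cap(self.size_query)

    @property
    def ceiling(self):
        # The most space this SVM can ever provision while both limits hold.
        return self.max_volumes * self.per_volume_cap


def audit(policies, volumes, aggregate_size):
    """Compare existing volumes and worst-case ceilings with the shared aggregate."""
    capacity = parse_size(aggregate_size)
    report = {"svms": {}, "violations": []}
    for p in policies:
        own = [(vol, parse_size(size)) for svm, vol, size in volumes if svm == p.name]
        for vol, size in own:
            if size > p.per_volume_cap:
                report["violations"].append((p.name, vol, "larger than role size cap"))
        if len(own) > p.max_volumes:
            report["violations"].append((p.name, None, "more volumes than max-volumes"))
        report["svms"][p.name] = {
            "ceiling": p.ceiling,
            "provisioned": sum(size for _, size in own),
        }
    # Sum of ceilings is what the customers could claim if each used its full allowance.
    report["total_ceiling"] = sum(s["ceiling"] for s in report["svms"].values())
    report["overcommitted"] = report["total_ceiling"] > capacity
    return report


# Constructed sample data: SVM names, volumes and the 2T aggregate are made up.
POLICIES = [
    SvmPolicy("svm_customer_a", 10, "-size <=10G"),
    SvmPolicy("svm_customer_b", 50, "-size <=50G"),
]
VOLUMES = [
    ("svm_customer_a", "test1", "10GB"),
    ("svm_customer_b", "pvc_01", "50GB"),
    ("svm_customer_b", "pvc_02", "60GB"),  # constructed outlier, e.g. made outside the role
]

if __name__ == "__main__":
    result = audit(POLICIES, VOLUMES, "2T")
    for name, row in result["svms"].items():
        print(name, row["provisioned"] // 1024**3, "GiB of",
              row["ceiling"] // 1024**3, "GiB ceiling")
    print("overcommitted:", result["overcommitted"], result["violations"])
```
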