Volumes¶

VPSA virtual Volumes are thinly provisioned utilizing an efficient and sophisticated block-level mapping layer. The Volume’s virtual address space is carved into virtual contiguous blocks (a.k.a. “Chunks”). When you create a Volume it consumes zero Pool capacity. Pool capacity is provisioned to volumes on demand. Only at the first write to each chunk the physical space is allocated from the Pool capacity to the Volume, and mapping update of the virtual-to-physical addresses.

The Volume’s virtual Capacity is not limited to the available Pool capacity.

Snapshots are read-only representations of the Volume’s data at a given point-in-time. They are thinly provisioned and share the same data chunks with their Volume as much as possible until you actually modify the chunk’s data. This triggers a Redirect On Write (ROW) operation where a new chunk is provisioned and the modified data is written there.

Cloned Volumes are Volumes created by cloning another Volume’s data set at a specified point-in-time Snapshot. Volumes and their Clones share unmodified Pool Chunks. A COW is triggered whenever you modify a chunk in the Volume or in the Clone.

Volumes can be Block Volumes (exposed via an iSCSI or Fibre Channel protocols) or NAS Shares (exposed via NFS or SMB protocols).

The following protocols are supported in the VPSA Storage Array and VPSA Flash Array:

Supported volume protocols¶
Volume Type	Version
Block	iSCSI, iSER, FC
NAS (SMB/CIFS)	2.x, 3.x
NAS (NFS)	3, 4.0, 4.1, 4.2

Important

As of VPSA version 20.12, SMB version 1 is no longer supported

Creating and Deleting a Volume¶

To Create a Volume go to the Volumes Page and press the Create button. Select whether you wish to create a Block Volume or a NAS Share.

Creating a Block Volume¶

Define the following Volume attributes in the Create Block Volume dialog:

Name – the Volume’s display name. This must be unique, and can be modified throughout the Volume’s lifetime.

Note

Objects names can be up to 128 chars long and can contain letters and digits, dashes “-” and underscores “_”
Capacity – Virtual Capacity of the Volume in GB. All Volumes are thinly provisioned. No actual capacity is allocated when the Volume is created, so the aggregated Virtual capacity of the volumes is not bounded by the Pool capacity. It is possible to over-provision a Pool, but you need to manage and monitor this it carefully, using a Pool Protection Mechanism (see Managing Pool Capacity Alerts for more details).

Warning

ReFS doesn’t support trim/unmap operation for non-Microsoft Storage Spaces storage array. ReFS doesn’t support thin-provisioned volumes. It is highly recommended to avoid VPSA’s storage pool over-provisioning in case ReFS filesystem is planned to be used as deleted data will not be reflected in the VPSA’s pool capacity
Pool – Select the Pool that is most appropriate for your Volume’s QoS requirements (based on available capacity, caching, RAID protection, drive types, etc.).
Encrypted – Select this checkbox if you wish to encrypt the volume’s data on the drives. Please note that you must first define an encryption password via the Controllers Page. For more details about Volume encryption see Managing Encrypted Volumes.
VPSA Flash Array Compress and Dedupe options:
- Compress – Check the checkbox if you want the new volume to be compressed.
- Dedupe – Check the checkbox if you want the new volume to be deduped.
  
  Note
  
  The ability to apply the Compress and Dedupe options is dependent on the Data Reduction feature being enabled at the VPSA level in the Provisioning portal. See Enabling or Disabling Data Reduction Bundle.
Attach Default Snapshot Policies – Refer to Managing Snapshot Policies for a detailed explanation regarding snapshot policies. You can apply and remove snapshot policies from a Volume at any time.

Performance Capping - To limit the volume’s maximum input or output operations or throughput per second, enter values for:

Performance Capping Parameter	Description
Read IOPS	The maximum number of read operations per second.
Write IOPS	The maximum number of write operations per second.
Read MBPS	The maximum throughput of data in Megabytes per second for read operations.
Write MBPS	The maximum throughput of data in Megabytes per second for write operations.

Filtering the List of Volumes¶

To filter the list of volumes displayed in the center pane, you can use one or more of the predefined filters, or a predefined custom tag.

Expand the Filter control.
On the right, click the Add Filter dropdown to select a filter. The selected filter appears on the left.
Repeat the Add Filter actions to select additional filters.

Note

Selected filters are italicized and highlighted with a gray background in the Add Filter dropdown.
Refining the filtering:
- For most filters, select one of its dropdown options.
- The Name filter accepts input of a case-sensitive string. If the input string matches part or all of a volume’s name, the volume is listed. Wildcards are not accepted.
- The Tag filter requires input of a predefined custom Tag Name, and optionally, a Tag Value to further refine filtering for tags that have specific values for assigned volumes. Wildcards are not accepted.
  
  Note
  
  Unlike the Name filter, Tag Name and Tag Value require full case-sensitive strings, and do not return matches on partial strings.
  
  See the Tags section for configuring predefined custom tags.
Click Search to apply the filter.
To remove a single filter, click the trash icon to the right of the filter. Click Search again to refresh the volumes list.
To remove all the filters, click Clear.

Attaching & detaching Volumes to Servers¶

Volumes can be attached to many Servers. Block Volumes are attached via the iSCSI protocol. NAS Shares are attached via the NFS/SMB protocol.

To attach a Volume

Go to the Volumes page, select the Volume and press the Servers > Attach to Server(s) button:

Select the Server(s) that you’d like to provide with access to the Volume.
For NAS Shares, select the access type: NFS or SMB.
For Block Volumes over Fibre Channel, select FC
Press Submit to confirm.

Mounting an NFS Share on a Linux machine

Install the NFS client:

On Ubuntu Servers do:
```
apt-get install nfs-common
```
On Redhat/CenOS Servers do:
```
yum install nfs-utils
```
Create a mount point:
```
$ mkdir /mnt/nfs_share
```
Run the following command as the superuser (or with sudo):
```
$mount –t nfs4 <NFS_Export_Path>/<mount point>
```
You can find the NFS_Export_Path in the Volumes > Properties tab.
Follow the step in Creating NAS Users to setup basic NFS authentication.

Mounting an SMB Share on a Windows Server

On the Windows Server, go to Computer > Map Network Drive.
In the Map Network Drive dialog:
1. Drive: Select a drive letter.
2. Folder: Enter the SMB Export Path of the SMB share in the format \\<VPSA_IP>\<volume_export_name>. You can find the SMB Export Path parameter in the VPSA GUI Volumes > Properties tab.

Note

On the first time that you connect from a Windows Server to a VPSA share, you are requested to enter an SMB User name and Password. See Creating SMB Users for more details, or use SMB guest access.

Format a Volume

Once the Volume is attached to the Server and identified by the Operating System as a drive, use the specific OS tools to format the drive to the needs of the OS or file-system used. Allocation units of 512B to 64KB are supported.

Important

Recommended best practice for Windows NTFS and ReFS performance

Allocation unit size should match the LSA chunk size
- Log structured array (LSA)
  
  A zStorage pool uses a log structured array (LSA) to allocate capacity. A log structured array (LSA) has a directory that defines the physical placement of data blocks.
  
  Each logical block device has a range of Logical Block Addresses (LBAs), starting from 0 and ending with the block address that fills the block device capacity.
  
  An LSA enables allocating data sequentially (log structure), and its directory provides a lookup for matching the LBA with the physical address within the array.
  
  An LSA does not overwrite existing data in its original location. Every write operation appends data at the end of the allocated space, and old data is marked for garbage collection. This reduces Read-Modify-Write (RMW) IO operations, and improves performance.
  
  Since a pool uses an LSA to allocate capacity, a volume created from a pool consists of a directory that stores the allocation of blocks within the capacity of the pool.
- Formatting Windows NTFS drive
  
  When formatting a Windows guest VM’s NTFS drive, by default the allocation unit size is 4KB. For a large LSA chunk size, for example 32KB, a small allocation unit size of 4KB causes almost all IOs to be Read-Modify-Write (RMW) operations, that can impact performance.
  
  Zadara recommends aligning the allocation unit size on Windows VM NTFS drives to match the LSA chunk size, for significantly reduced RMW on IOs.
  
  Note
  
  For LSA chunk sizes, refer to the VPSA Storage Array pool types and VPSA Flash Array pool types tables under Creating a Pool in the Configuring Storage Pools page.
Quick Removal policy for Windows virtual disk devices

The Windows Better performance disk device policy that enables write caching gains in performance at the expense of non-redundancy. In cases where customer applications already handle relaxed consistency by triggering flushes, or don’t need strong consistency, they can use the default Better performance policy option.

For other use cases, Zadara advises disabling the write caching policy for Windows virtual disk devices, by configuring the Windows Device Manager > <guest VM> > Disk drives > Properties > Policies > Removal Policy to Quick Removal.

To detach a Volume

When you detach a Volume from a Server, the Server will lose access to the Volume’s data. The recommended practice is to unmount the Volume on the Server side before detaching it on the VPSA.

To detach a Volume from a Server, go to the Volumes page, select a Volume and click Servers > Detach from Server(s). You will be requested to select the Servers from which to detach this Volume.

Alternatively, you can view the attached Servers list in the Volume’s South Panel, select the Server from which to detach the Volume, and click Detach Server(s) in the top-left corner of the South Panel.

Expanding a Volume¶

You can expand a Volume anytime, regardless of whether the Volume has Snapshots, Clones or is being remotely mirrored.

To expand a Volume go to the Volumes page, select the Volume and click Expand. Enter the amount of additional virtual capacity with which you’d like to expand the Volume, and press Submit.

Volume Automatic Expansion¶

To avoid out-of-space situations for File shares, the VPSA provides an Automatic Expansion mechanism.

It allows the customer to define an automatic NAS volume expansion policy.

Automatic Expansion is controlled by 3 parameters:

Emergency Threshold - Volume will be expanded once the free capacity of the NAS share is below the given threshold. Default: 10% of the volume provisioned capacity.
Expand By - The additional provisioned capacity to be added. Default: 50GiB
Maximum Volume Capacity - The maximum allowed volume provisioned capacity (up to MAX Pool capacity) Default: 0GiB (Unlimited)

By default all volumes are created with Automatic Expansion disabled. To enable it, check the Automatic Expansion checkbox on the Create > Create NAS share dialog, or enable it from the Properties tab’s Capacity column.

Managing SMB File History¶

SMB File History is a mechanism that allows restoration of previous versions of any given file or folder on a NAS volume, attached to Windows. SMB File History is similar to the VPSA snapshots mechanism, and driven by the same Snapshots Policies.

To Apply a SMB File History Policy on a Volume¶

Go to the Volumes page, and select the NAS Volume.
Select Data Services > Attach File History Policy.
In the Apply Snapshot Policy to Volume dialog, select the Snapshot Policy to apply to the Volume and press Submit.

To detach a SMB File History Policy from a Volume¶

Go to the Volumes page, and select the Volume and press the Snapshot Policies south tab to view the Volume’s applied Snapshot Policies.
Select the Snapshot Policy to delete, and press the Detach Policy button at the top left corner of the South Panel.

You will be prompted to select whether or not to delete all of the Volume’s Snapshots associated with this Policy.

To restore files from SMB File History¶

On a Windows Server, open Windows Explorer and navigate to the file/folder you want to restore.
Right-click on the file, and select Restore previous versions.
In the dialog that opens, go to the Previous Versions tab, select the version to restore, and click Restore.

Note

Each share can keep up to 64 snapshots for File History recovery purposes, (e.g. once a day for a month) and maximum of 512 snapshots for a VPSA Storage Array.
When a Volume with SMB File History Snapshots is migrated to another Pool, the SMB File History snapshots will not be migrated to the new Pool.

Cloning a Volume¶

Cloning a Volume is the process of creating a Read/Write zero-capacity replica of a Volume, with a data set identical to that of the Volume, from a selected point-in-time (which can be the time the Clone is created, or one of the existing Snapshots’ point-in-time).

The result of the Cloning operation is a new Volume. The two Volumes now share all of the non-modified chunks. Only upon a first-write to a chunk, a Copy-On-Write occurs which allocates a new chunk and breaks the chunk sharing.

You can create an unlimited number of Clones of a given Volume, either from the same data set (from the same Snapshot) or from different data sets.

Clones are completely independent from each other, from the source Volume and from the Snapshot from which they were created. For example, you can delete the original Volume and/or Snapshot and it will leave the Cloned Volume unaffected. You can also modify Volume attributes of each Clone independently.

You can only create Clones within the Pool where the original Volume resides.

To create a new Clone

Go to the Volumes page, select the Volume to be cloned and press Data Services > Clone.
In the Clone Volume dialog:
- Clone Name – Enter a name for the Cloned Volume.
- Clone from – Select the point-in-time Snapshot whose data set you wish to replicate.
  
  If you wish to clone the current data set of the Volume, don’t select any Snapshot.
Press Submit.

Alternative method: Clone from Snapshot

On the Volumes page, select the Volume to be cloned.
Press the Snapshots tab in the South Panel, and select the desired point-in-time Snapshot.
Press Clone at the top left corner of the South Panel.
In the Clone from Snapshot dialog, enter a name for the new cloned Volume.

The newly created Clone will appear as a regular Volume in the Volume list.

The NFS/SMB Export name of a cloned Volume will be identical to the Cloned Volume display name. |

Online Volume Migration¶

Volumes created in a VPSA pool can be easily migrated to a different pool in the same VPSA. All entities bounded to the volume (snapshot policies, servers attachments etc.) will be migrated as well. Existing snapshots migration is configurable by the user.

The online migration process is completely seamless to the end user and will not cause any service disruption to the hosts connected to the volume.

A common use case for using the Online Volume Migration feature is migrating performance demanding volume to a more performant storage pool(e.g. SATA pool to an SSD pool) on-the-fly.

Online Volume Migration can be initiated from the VPSA GUI or via VPSA REST API. For the REST API usage and examples please refer to the Volumes section of the VPSA REST API Guide.

Migrating a Volume¶

In the left pane menu, navigate to the Volumes section under the Resources section.

Select the Volume that will be migrated to another VPSA Pool.
From the upper options menu select Data Services > Migrate.
In the Migrate Volume dialog:
- Destination pool – Select the destination Pool to migrate to, from the list of available pools. Make sure to select a Pool with sufficient free capacity.
- Migrate Existing Snapshots – Check the checkbox if the migration of the volume should include the existing snapshots of the volume. If Migrate Existing Snapshots is checked, all snapshots will be migrated to the destination Pool.
  
  Note
  
  If Migrate Existing Snapshots is not checked, the Volume snapshots will be deleted.
- VPSA Flash Array options:
  - Compress – Check the checkbox if you want the new volume to be compressed.
  - Dedupe – Check the checkbox if you want the new volume to be deduped.
- Press Submit to start the migration.
- In the Create Migration confirmation dialog, review the details and confirm the Online Volume Migration operation.

Monitoring the migration¶

Once started, the online migration task can be monitored from the VPSA GUI.

In the left pane menu navigate to the Volumes section under Resources.
Select the Volume that is currently being migrated.
On the south panel, the new Migration Status tab is available. The Migration Status tab will provide real-time migration information while the migration is still running.
The user has complete control on the migration task as it can be Paused or Aborted in the Migration Status tab.
Upon completion, the Migration Status tab will be removed from the Volume south panel. A log entry will be added in the Logs tab as an indication of a successful migration.

Managing Data Reduction¶

Scope: VPSA Flash Array

The ability to apply the Compress and Dedupe options on a Volume is dependent on the Data Reduction feature being enabled at the VPSA level in the Provisioning portal. See Enabling or Disabling Data Reduction Bundle.

Data Reduction on a VPSA can be enabled or disabled at any time.
Compress and Dedupe can be enabled or disabled on a Volume at any time, on a VPSA that has Data Reduction enabled. Subsequent block write operations on the Volume follow the latest Compress and Dedupe Enabled/Disabled settings.
To apply the Compress and Dedupe feature to data at rest on an existing Volume, the Volume should undergo a live migration to a new Storage Pool. The new Volume on the destination Storage Pool should be created with the Compress and Dedupe features enabled, so that inline Data Reduction is applied as the live migration occurs. See Online Volume Migration.

Managing Encrypted Volumes¶

Encrypting data at rest is a highly recommended security measure to protect sensitive information from unauthorized access. This provides an extra layer of security, even if the data drive is stolen or compromised. It is especially important for organizations that handle sensitive information such as personal data, financial information, and confidential business information.

Encryption management of Data-at-Rest (data on the Disk Drives) is applied by the VPSA on a per-Volume basis. Encrypted and unencrypted Volumes can coexist in the same VPSA Pool.

Volume encryption has a negligible impact (if any) on volume performance. It’s important to note that the benefits of encryption far outweigh any potential performance impact, as it ensures the protection of sensitive data.

A VPSA generates a random 256-bit unique Volume Encryption Key per encrypted Volume and uses the Advanced Encryption Standard (AES) to encrypt and decrypt the Volume data.

Note

In previous versions of the VPSA software, AES 128 was used. Volumes that were created on those versions are encrypted with 128 bit keys.

The Volume Encryption Keys are stored on disk as ciphertext, using AES with a 256-bit Master Encryption Key, which is generated from a user-supplied Master Encryption Password.

The User owns the Master Encryption Password. It is never stored on any persistent media. Instead, only its SHA3 hash-sum is saved on disk for password validation.

Caution

Since the system does not keep the Master Encryption Password, you are fully responsible to retain and protect the Master Encryption Password.

During VPSA operation, the Master Encryption Password itself is held in kernel memory of the VPSA. Core-dumping any user-mode process within the VPSA will not reveal the Master Encryption Key.

This method ensures that encrypted Data-at-Rest cannot be accessed without explicitly knowing the user-supplied Master Encryption Password, thus providing you full protection if you opt for Data-at-Rest Volume encryption.

Important

The encryption attribute of a volume cannot be changed! If you’d like to encrypt the data of a non-encrypted volume, or vice versa, you will need to create a new volume and copy the data.

Supported volume encryption options:

Encryption using an Encryption Password
Encryption using AWS KMS Store
Encryption using KMIP supporting KMS

Encryption using an Encryption Password¶

To create a Master Encryption Password:

Go to the Settings page.
In the Security tab, in the Encryption section press Edit.
Read the instructions and warning.
Enter your Password and Save.

Once the Master Encryption Password is set, you can change or reset it at any time. Master Encryption Password does not affect the encrypted data.

Store your Master Encryption Password in a secure place.

To create an encrypted volume, follow the steps in the Creating and Deleting a Volume section.

Encrypted volumes will present the Encrypted property in the VPSA Volumes view and in the Volume’s properties.

Encryption using AWS KMS Store¶

Amazon’s AWS Key Management Service (KMS) centrally manages keys and policies across integrated services and applications from a single point. AWS KMS generates a data key, encrypts it under the KMS key, and sends both the plaintext data key and the encrypted data key to Amazon S3. Amazon S3 encrypts the data using the data key and removes the plaintext key from memory as soon as possible after use.

Zadara VPSA supports use of AWS KMS for VPSA volume encryption.

Configuring AWS KMS encryption for a volume involves configurations on both the AWS Management Console and the VPSA admin GUI.

AWS KMS Configuration¶

Create a new customer managed key:
- Symmetric (default)
- Encrypt & Decrypt (default)
- Single region key (default)
The user allowed to use the key should have access to the KMS Service along with the following action:
- “kms:Encrypt”
- “kms:Decrypt”
- “kms:ReEncrypt*”
- “kms:GenerateDataKey*”
- “kms:DescribeKey”

Warning

KMS Key rotation is currently not supported!

VPSA Configuration¶

After setting up AWS KMS keys in the AWS Management Console, in the VPSA GUI, under System, open the Settings page, and configure the following parameters.

Click the Security tab.
Click Edit on the right of Encryption.
Click Encryption using KMIP supporting KMS.
Select Encryption using AWS KMS Store.
Region: Select the region of your AWS KMS Store.
KMS Key ID: Enter the UUID of your AWS Key ID.
AWS Access Key: Enter your AWS access key ID.
AWS Secret Key: Enter your AWS secret access key.
Read the KMS disclaimer. To acknowledge your acceptance of responsibility to maintain KMS access, mark the checkbox.
Click Save.

Once the system is set to encrypt volumes using the AWS KMS Service, the status for Encryption will be set to “Activated, AWS KMS”.

Encrypted volumes will present the Encrypted property in the VPSA Volumes view and in the Volume’s properties.

To create an encrypted volume, follow the steps in the Creating and Deleting a Volume section.

Disable AWS KMS Encryption¶

If volume encryption with AWS KMS is no longer required, click Edit and select Remove AWS KMS Encryption. The system will only allow the removal of the encryption setting if the VPSA does not have any encrypted volumes.

Encryption Key recovery¶

Similar to the other Encryption modes (KMIP or Encryption Password) during VPSA operation, the Master Encryption Password itself is held in kernel memory of the VPSA. Since is not stored persistently in the VPSA, the user will be prompted to validate their AWS KMS configuration in case of a failure.

In such case:

The VPSA Administrator will be notified
Volumes will not be accessible
User action is required from the VPSA Settings view

In case of AWS KMS, the VPSA administrator will be required to enter the following information:

AWS Region
AWS Access Key
AWS Secret Key

The same KMS key can be used by multiple IAM users, therefor in case of a rotation of the user’s credentials or in case the original credentials are no long valid (access key & secret) a new pair can be used to restore VPSA to KMS integration given it is allowed to use the original KMS key.

Encryption using KMIP supporting KMS¶

The Key Management Interoperability Protocol (KMIP) enables the secure creation and storage of keys and other security objects on a key management server (KMS).

Zadara VPSA supports Fortanix Data Security Manager (DMS) for VPSA Storage Array volume encryption.

Configuring Fortanix DSM for a volume involves configurations on both the Fortanix DSM UI and the VPSA admin GUI:

Fortanix DSM configuration
VPSA KMIP configuration

Fortanix DSM configuration¶

In the Groups panel, create a new group with a meaningful name and click Save.
In the Apps panel, create a new app with the following parameters:
1. Name: A meaningful name for the app.
2. Interface: Select KMIP.
3. Authentication: Select API key or Certificate. If you are uncertain, choose API key.
4. Assign the group that you created in the previous step.
5. Click Save.
In the Security objects panel, create a new object with the following parameters:
1. Name: A meaningful name for the security object.
2. Group: Select the group you created earlier.
3. Select GENERATE as the key creation method.
4. Key type: Select AES as the key type.
  
  Note
  
  Zadara VPSA currently supports AES encryption for Fortanix DSM.
5. Key size: Select 256 for the AES key size.
6. Key operations permitted: Configure both:
  - ENCRYPT
  - DECRYPT
7. Accept the default settings for the rest of the configuration.
8. Click GENERATE at the bottom of the form.

VPSA KMIP configuration¶

In the VPSA GUI, under System, open the Settings page, and configure the following parameters.

Click the Security tab.
Click Edit on the right of Encryption.
Click Encryption using KMIP supporting KMS.
KMS Type: Select Fortanix DSM.
KMS Host: Select the region where the SmartKey KMS is registered. Supported regions:
- North America
- European Union
- United Kingdom
- Asia Pacific
- Australia
Connect Via: Select the interface used by the VPSA to connect to the KMS. Currently the VPSA frontend and public IP are supported.
KMS Key ID: Enter the ID for the KMS key used for the VPSA volume keys encryption. For Fortanix DSM, this is the UUID of the key object.
KMS Username: Enter the username used by the VPSA for KMS authentication. It can be retrieved from the Fortanix DSM app by clicking on View credentials > Username/Password.
KMS Password: Enter the password used by the VPSA for KMS authentication. It can be retrieved from the Fortanix DSM app by clicking on View credentials > Username/Password.
Use Proxy: If you need a proxy server:
1. Mark Use Proxy.
2. Enter the proxy Host and Port.
3. If the proxy requires authentication credentials:
  1. Mark Use Authentication.
  2. Enter the proxy’s User and Password.
Login with credentials + certificate: VPSA KMS integration supports an enhanced security login mode using login credentials together with a certificate. To use the enhanced security login, mark Login with credentials + certificate.
1. Keyfile Content: Copy your keyfile content, and paste it here.
2. Certfile Content: Copy your certfile content, and paste it here.
Read the KMS disclaimer. To acknowledge your acceptance of responsibility to maintain KMS access, mark the checkbox.
Click Save.

To create an encrypted volume, follow the steps in the Creating and Deleting a Volume section.

Encrypted volumes are displayed with the icon.

KMS and VPSA Key rotation¶

Caution

Do not discard your old KMS key until after the key rotation is complete, as the VPSA still uses it to protect its master encryption password.

In the Fortanix DSM UI, go to your SmartKey account and rotate the key. After key rotation, copy the new KMS key’s UUID.
In the VPSA GUI, under System, open the Settings page.
Click the Security tab.
Click Edit on the right of Encryption.
Paste the new KMS key’s UUID into KMS Key ID.
Click Save.

Note

After applying the updated settings, the VPSA will re-encrypt its master key using the new UUID. On successful completion of this phase, the old KMS key can be discarded.

Audit Log Management¶

The VPSA supports audit logging of specific file system events.

Configuring file access auditing¶

The auditing policy must first be configured globally in the Security tab on the Settings page, before it can be applied to volumes.

File access auditing can be enabled when creating a new volume (see Creating a NAS Share under Creating and Deleting a Volume) and also on existing volumes.

Enabling file access auditing¶

To Enable file access auditing on an existing volume:

In the center pane, click on the volume to mark it.
Click the Audit Log dropdown and click Enable.

Downloading the volume audit log¶

To Download the audit log:

In the center pane, click on the volume to mark it.
Click the Audit Log dropdown and click Download Audit Log.
In the Download Audit Log dialog box that displays, enter the date and time range to download.
Note
- Audit logs are downloaded as a zip file comprising logs in CSV format.
- The audit log file download is limited to a maximum size of 1GB. If the audit log data exceeds 1GB, extract it in multiple downloads of shorter date and time ranges.

Volume’s audit log output¶

The audit log is exported to a field-delimited file, containing rows with 11 columns. In some cases, a 12th column is included, which contains extended parameters of the logged command.

Column	Parameter
1	Timestamp
2	VC name
3	Share name
4	Protocol
5	Client host IP address
6	Client hostname (if available)
7	User ID or username
8	Group ID or groupname
9	Command
10	Return status
11	Command-specific parameters
12	Extended command-specific parameters

Note

The timestamp value is according to the timezone displayed in the VPSA’s UI header, usually UTC.

It is not possible to download audit logs with a different timezone.

The following table lists and describes possible logged commands:

Category	Command description	SMB command	NFS-3 command	NFS-4 command
CONNECT	User connects to the share	connect
CONNECT	User disconnects from the share	disconnect
CREATE	Create new regular file	create(file)	create(file)	create(file)
	Create new directory	mkdirat	mkdir	mkdir
	Create new symbolic link	symlinkat	symlink	symlink
	Create new hard link	linkat	link	link
	Create new special file		mknod(blk)	mknod(blk)
			mknod(chr)	mknod(chr)
			mknod(socket)	mknod(socket)
OPEN FILE	Open existing file	open(file)		open(file)
RENAME	Rename file or directory	renameat	rename	rename
REMOVE	Delete file	unlinkat	unlink	remove
REMOVE	Delete directory	unlinkat	rmdir	remove
ATTRIBUTES	Change permissions	fchmod fset_dos_attributes	setattr	setattr
		fchmod fset_dos_attributes	setattr	setattr
		~~chmod~~ (deprecated since v22.06) ~~set_dos_attributes~~ (deprecated since v22.06)

	Change owner	fchown lchown	setattr	setattr
	Change owner	fchown lchown	setattr	setattr
	Change ACLs	fset_nt_acl

The following snippet depicts several lines of an audit log.

Note

The header row is added in this example for informational purposes only, and is not part of an audit log output.

Timestamp                 |VC name          |Share|Protocol|IP address |host |User ID or name  |Group ID or name      |Command|St|Command parameters

2024-09-11 08:21:43.435816|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|connect|ok|smb1
2024-09-11 08:21:57.133796|vsa-000001ab-vc-0| smb2|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|connect|ok|smb2
2024-09-11 08:22:56.135063|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|mkdirat|ok|/export/smb1/Test
2024-09-11 08:22:56.138699|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_dos_attributes|ok|/export/smb1/Test
2024-09-11 08:22:56.141804|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_nt_acl|ok|/export/smb1/Test|<extended parameters>
2024-09-11 08:22:56.150438|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|mkdirat|ok|/export/smb1/Test/proc0
2024-09-11 08:22:56.151271|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_dos_attributes|ok|/export/smb1/Test/proc0
2024-09-11 08:22:56.154084|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_nt_acl|ok|/export/smb1/Test/proc0|<extended parameters>
2024-09-11 08:22:56.277061|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|mkdirat|ok|/export/smb1/Test/proc1
2024-09-11 08:22:56.277842|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_dos_attributes|ok|/export/smb1/Test/proc1
2024-09-11 08:22:56.281236|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_nt_acl|ok|/export/smb1/Test/proc1|<extended parameters>
2024-09-11 08:22:56.296915|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|create(file)|ok|/export/smb1/Test/proc0/data_0.din|w
2024-09-11 08:22:56.298040|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_dos_attributes|ok|/export/smb1/Test/proc0/data_0.din
2024-09-11 08:22:56.300355|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_nt_acl|ok|/export/smb1/Test/proc0/data_0.din|<extended parameters>
2024-09-11 08:22:56.305856|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|create(file)|ok|/export/smb1/Test/proc1/data_0.din|w
2024-09-11 08:22:56.306814|vsa-000001ab-vc-0| smb1|SMB3_11|<IP address>|vm123|ZSTORAGE2\user123|ZSTORAGE2\domain users|fset_dos_attributes|ok|/export/smb1/Test/proc1/data_0.din

Disabling file access auditing¶

To Disable the audit log for a volume:

In the center pane, click on the volume to mark it.
Click the Audit Log dropdown and click Disable. A confirmation dialog box opens.

Note

Disabling a volume’s audit logs does not remove audited entries.

Volume File Lifecycle Management¶

The VPSA supports file lifecycle management and analytics. When file lifecycle management is enabled for a VPSA, the following options are available for configuring each volume:

Indexing Enable - Selecting this option activates file lifecycle management and analytics on the selected volume.
Indexing Pause - Suspend analytics collection for the selected volume. This option is available for volumes that are enabled for file lifecycle and analytics.
Indexing Resume - Resume analytics collection for the selected volume. This option is available for volumes that are enabled for file lifecycle and analytics, and their indexing is paused.
Indexing Disable - Selecting this option deactivates file lifecycle management and analytics on the selected volume.

Note

Disabling file lifecycle indexing for a volume removes all existing data collected for that volume.

Viewing Volume Properties¶

Filtering Volumes

In a VPSA with many volumes it might be difficult to locate a specific volume in the Volumes page. Filtering the List of Volumes can be useful.

The Volumes page displays the list of Volumes (Block and NAS) in the VPSA. Select a Volume to see its detailed information in the following South Panel tabs:

Properties¶

Each Volume includes the following properties:

Property	Description
	General
ID	An internally assigned unique ID.
Name	User assigned name. Can be modified anytime.
Comment	User free text comment. Can be used for labels, reminders or any other purpose
Status	- Creating - Initializing Volume’s metadata. - Deleting - In process of deleting the Volume and updating data chunks references. - Partial/Failed - The Volume is inaccessible due to lower construct failure (on Pool or RAID Group level). - Available - The Volume is healthy but is not attached to any Server. - In-use - The Volume is healthy and is attached to one or more Servers.
Data Type	- “Block” for Block Volume. - “File-system” for NAS Shares.
Pool	The Pool name where this Volume is provisioned.
Server(s)	Server Name attached to the Volume. Multiple(X) will be displayed when X servers are attached.
NFS Export Path	(NAS Shares Only) The NFS Share export path to be used when mounting it. All defined paths are listed here. Additional path can be defined.
SMB Export Path	(NAS Shares Only) The SMB Share export path(s) to be used when connecting to it from a Windows Server. All defines paths listed.
Access Type	(NAS Shares Only) Access protocols which are used by the Servers which are attached to a NAS Share: NFS, SMB, or Multiple.
atime Update	(NAS Shares Only) Yes/No – Indicates whether to update access time of NAS Share files and directories on every access, including read-access.
SMB Only	(NAS Shares Only) Yes/No – enable/disable locking optimizations
SMB Guest Access	(SMB Only) Yes/No – Allow/Block anonymous user access
SMB Encryption Mode	(SMB Only) Off/Desired/Required - Sets SMB encrypt secured protocol behaviour
Enhanced Windows ACLs	(SMB Only) Yes/No
Directory Creation Mask	(NAS Shares Only) Default directory umask value
File Creation Mask	(NAS Shares Only) Default file umask value
Map archive	(NAS Shares Only) Yes/No - Maps the windows archive bit to the unix execute bit.
SMB Browsable	(SMB Only) Yes/No - seen in the list of available shares
SMB Hidden Files	(SMB Only) This is a list of files or directories that are not visible but are accessible (delimited by /)
SMB Hide Unreadable	(SMB Only) Yes/No - Prevents clients from seeing the existence of files that cannot be read.
SMB Hide Unwritable	(SMB Only) Yes/No - Prevents clients from seeing the existence of files that cannot be written.
SMB Hide Dot Files	(SMB Only) Yes/No - Prevents clients from seeing the existence of “.*” files.
SMB serial small IO workload Optimized	(SMB Only) Yes/No
SMB Store DOS Attributes	(SMB Only) Yes/No - Preserve DOS attributes (hidden, archive, read-only, system)
User Quotas	(NAS Shares Only) On/Off - user quotas on volume.
Group Quotas	(NAS Shares Only) On/Off - group quotas on volume.
Project Quotas	(NAS Shares Only) On/Off - Project quotas on volume.
NFS Root Squash	(NFS Only) Yes/No - map requests from uid/gid 0 (root) to the anonymous uid/gid. Note: Set to “Yes” to block external root access to the volume.
NFS All Squash	(NFS Only) Yes/No - map requests from and uid/gid to the anonymous uid/gid. Note: Useful for inter server/application correlation or Public File shares
NFS anonymous GID	(NFS Only) explicitly sets a specific group id for the anonymous account
NFS anonymous UID	(NFS Only) explicitly sets a specific user id for anonymous account
File Lifecycle Index Management	Indicates the state of indexing for analytics data collection. Possible values: Enabled/Disabled for analytics data collection. Paused when analytics data collection is enabled, but pending resume.
File Lifecycle Index Management Full Scan State	When File Lifecycle Index Management is enabled, the VPSA performs a single full scan of NAS share files. Subsequent detected filesystem changes are updated in the indexing. Possible statuses of the volume’s full scan: In Progress: indicates the full scan progress as a percentage. Finished: inicates that the full scan is complete. Paused: indicates that File Lifecycle Index Management is paused. Disabled: indicates that File Lifecycle Index Management is disabled.
Extended Metering	Yes/No – Enabling extended metering. When “Extended Metering” is disabled, the VPSA records the volume’s performance statistics of reads and writes operations. When “Extended Metering” is enabled, the VPSA also records performance statistics of other file operations, including create, delete, etc… Note: “Extended Metering” enabled puts extra load on the VPSA, and the metering DB might grow rapidly. It is recommended to use it for only limited period of time, for planning or troubleshooting purposes.
WWID	(Block Only) SCSI unique World-wide ID. Use this value on Linux Servers to identify the Volume device when multipathing is configured.
Compress VPSA Flash Array	Indicates the state of data compression. Possible values: Enabled/Disabled Compression can be enabled or disabled at any time. See Enabling or Disabling Data Reduction Bundle. Subsequent block write operations on the volume follow the latest Enabled/Disabled setting.
Dedupe VPSA Flash Array	Indicates the state of data deduplication. Possible values: Enabled/Disabled Deduplication can be enabled or disabled at any time. See Enabling or Disabling Data Reduction Bundle. Subsequent block write operations on the volume follow the latest Enabled/Disabled setting.
Encrypted	Yes/No
Encryption Size Key	The number of bits in a key used by the encryption algorithm.
Created	Date & time when the Volume was created.
Modified	Date & time when the Volume was last modified.
	Capacity
Virtual Capacity	Capacity of the Volume as seen by the attached Servers.
Available Capacity	(NAS Shares Only) Free capacity of the NAS Share.
Mapped Capacity	The used capacity (allocated from the Pool) of the Volume excluding its Snapshots and Clones.
Data Copies Capacity	The used capacity (allocated from the Pool) of the Volume’s Snapshots and Clones. Note: the total capacity allocated for a Volume and all its Clones and Snapshots is the sum of Mapped Capacity + Data Copies Capacity
Read IOPS	The maximum number of read operations per second.
Write IOPS	The maximum number of write operations per second.
Read MBPS	The maximum throughput of data in Megabytes per second for read operations.
Write MBPS	The maximum throughput of data in Megabytes per second for write operations.

Snapshots¶

Lists the point-in-time Snapshots of this Volume. If you retain many Snapshots per Volume, you may want to use the Snapshot Filtering tool to find a specific Snapshot. For more details see Filtering Snapshots.

The following Properties are provided per Snapshot:

Attribute	Description
ID	Snapshot ID
Name	Display Name.
TimeStamp	Snapshot creation time stamp
Status	Normal\Pending Deletion\Deletion

Object Storage Snapshots¶

Lists the point-in-time Snapshots of this Volume which are stored in an Object Storage (e.g S3). These Snapshots are created by the Backup to Object Storage feature, as defined in Backup to Object Storage

The following Properties are provided per Object Storage Snapshot:

Attribute	Description
ID	Snapshot ID
Name	Display Name.
Region	Object storage region
Bucket	Object storage bucket
TimeStamp	Snapshot creation time stamp
Status	Normal\Pending Deletion\Deletion

SMB File History (SMB Only)¶

Lists the point-in-time Snapshots of this Volume which are kept for SMB File History recovery purposes. These Snapshots are created by the SMB File History mechanism. For details see Managing SMB File History.

The following Properties are provided per File History Snapshot:

Attribute	Description
ID	Snapshot ID
Name	Display Name.
TimeStamp	Snapshot creation time stamp
Status	Normal\Pending Deletion\Deletion
Pool	Pool where the file history is kept

Snapshot Policies¶

The Snapshot Policies tab lists the policies that are attached to the selected Volume. The following Properties are provided per Snapshot Policy:

Attribute	Description
Name	Display Name.
Status	Active or Paused.
Type	The VPSA application controlling the Policy: Snapshot Manager Remote Mirroring Backup to Object Storage SMB File History
Create Policy	Frequency of Snapshot creation.
Delete Policy	Number of Snapshots to retain.
Dest. Delete Policy	Number of Snapshots to retain on Remote Mirror destination Volume.

For more details on Snapshot Policies management, see Managing Snapshots and Snapshot Policies.

Servers¶

The Servers tab lists the Servers to which the Volume is attached. For Block Volumes the LUN Number associated with each Server is displayed. It also indicates if the server accesses the volume via iSCSI or FC.

Containers¶

Lists the Docker Containers that are able to access the selected Volume, along with their statuses. For details about attaching Volumes to Containers see Containers.

Metering¶

The Metering Charts provide live metering of the IO workload associated with the selected Volume.

The charts display the usage data as it was captured in the past 20 “intervals”. An interval length can be set to one of the following: 1 Second, 10 Seconds, 1 Minute, 10 Minutes, or 1 Hour. The Auto button lets you see continuously-updating live metering info (refreshed every 3 seconds).

The following charts are displayed:

Chart	Description
IOPs	The number of read and write SCSI commands issued to the selected Volume from all attached Servers.
Bandwidth (MB\s)	Total throughput (in MB) of read and write SCSI command issued to the selected Volume from all attached Servers.
IO Time (ms)	Average response time of all read and write SCSI command issued to the selected Volume from all attached Servers.

Logs¶

Displays all event logs associated with this Volume.

Performance Alerts¶

Displays Performance Alerts for the selected Volume.

Read IOPS Limit – Creates an alert when, during the past minute, the average read IOPS for the selected Volume exceeds a user-specified threshold.
Read Throughput Limit - Creates an alert when, during the past minute, the average read MB/s for the selected Volume exceeds a user-specified threshold.
Read Latency Limit – Creates an alert when, during the past minute, the average read latency for the selected Volume exceeds a user-specified threshold.
Write IOPS Limit – Creates an alert when, during the past minute, the average write IOPS for the selected Volume exceeds a user-specified threshold.
Write Throughput Limit - Creates an alert when, during the past minute, the average write MB/s for the selected Volume exceeds a user-specified threshold.
Write Latency Limit – Creates an alert when, during the past minute, the average write latency for the selected Volume exceeds a user-specified threshold.

Capacity Alerts¶

Displays capacity Alerts for the selected NAS Volume The Capacity Alerts tab lists the configurable attributes of the NAS Volume capacity Protection Mechanism, similar to the pool capacity alerts. See Managing Pool Capacity Alerts for more details.

Alert Threshold - Creates an alert when it is estimated that the Volume will be at full capacity in X Minutes.
- Default Value: 360 minutes
Alert Interval - Calculates the estimated time until the Volume is full based on the capacity usage in the previous X minutes.
- Default Value: 60 minutes
Emergency Threshold - Creates an alert when the volume is running out of free space and reaching the given threshold.”
- Default Value: 1 GB

File Lifecycle¶

The File Lifecycle tab provides a shortcut button to navigate directly to the file lifecycle analytics page for the selected volume.

Tags¶

Predefined custom tags can be configured in the Tags tab. An example use case for tags is Filtering the List of Volumes in the center pane.

A tag is identified by its Tag Name and has a Tag Value associated with it. A tag can be defined only once for a volume. However, the same Tag Name can be defined with a different Tag Value for other volumes.

Create: To create a new tag for a volume, in the volume’s Tags tab click Create, and enter the Tag Name and Tag Value. The tag is added to the list of tags in the Tags tab.
Edit: To change the Tag Value of an existing tag, click on that tab in the tags list to mark it, and then click Edit. The Edit Tag dialog box opens, allowing overwriting of the Tag Value.

Note

Only the Tag Value can be edited. A tag cannot be renamed. It must be deleted, and a tag with the new name configured in its place.
Delete: To delete a tag, click on that tag row in the tags list to mark it, and then click Delete. A confirmation dialog box opens.
Refresh: Displays the updated tags list.

Volumes¶

Creating and Deleting a Volume¶

Creating a Block Volume¶

Creating a NAS share¶

Deleting a Volume/Share¶

Filtering the List of Volumes¶

Attaching & detaching Volumes to Servers¶

Expanding a Volume¶

Volume Automatic Expansion¶

Managing SMB File History¶

To Apply a SMB File History Policy on a Volume¶

To detach a SMB File History Policy from a Volume¶

To restore files from SMB File History¶

Cloning a Volume¶

Online Volume Migration¶

Migrating a Volume¶

Monitoring the migration¶

Managing Data Reduction¶

Managing Encrypted Volumes¶

Encryption using an Encryption Password¶

Encryption using AWS KMS Store¶

AWS KMS Configuration¶

VPSA Configuration¶

Disable AWS KMS Encryption¶

Encryption Key recovery¶

Encryption using KMIP supporting KMS¶

Fortanix DSM configuration¶

VPSA KMIP configuration¶

KMS and VPSA Key rotation¶

Audit Log Management¶

Configuring file access auditing¶

Enabling file access auditing¶

Downloading the volume audit log¶

Volume’s audit log output¶

Disabling file access auditing¶

Volume File Lifecycle Management¶

Viewing Volume Properties¶

Properties¶

Snapshots¶

Object Storage Snapshots¶

SMB File History (SMB Only)¶

Snapshot Policies¶

Servers¶

Containers¶

Metering¶

Logs¶

Performance Alerts¶

Capacity Alerts¶

File Lifecycle¶

Tags¶