|
| 1 | +# Automatically create SnapMirror relationships for FSxN file systems |
| 2 | + |
| 3 | +## Introduction |
| 4 | +This script is used to ensure that all your volumes, in all your FSxN file systems, are SnapMirror'ed to a remote FSxN file system. It does this by: |
| 5 | + |
| 6 | +- Looping on all the AWS regions that support FSx. |
| 7 | +- For each region, it loops on all the FSxN file systems. |
| 8 | +- For each FSxN file system, it obtains the list of the volumes it has using the ONTAP API. |
| 9 | +- For each of the volumes it checks if the "snapmirror.destinations.is_ontap" field is set to false. Meaning it doesn't have an existing SnapMirror relationship. |
| 10 | +- If it is set to false, then it checks from the AWS side to see if there is a "protect_volume" tag set to "skip". |
| 11 | +- If there isn't one, then it uses the ONTAP SnapMirror API to create the SnapMirror relationship. This API will create a destination volume if it does not already exist. |
| 12 | + |
| 13 | +While there is some logic in the script to attempt to handle FlexGroup volumes, there are issues with it, so that part of the script has been disabled. The issues I encountered trying to support FlexGroups: |
| 14 | +**NOTE:** All of the below is based on ONTAP version 9.13.1. |
| 15 | +- The SnapMirror API does not work with FlexGroups (even though the documentation implies that it does). Because of this I attempted to use the CLI "pass-through" API to create the SnapMirror relationship the "old fashioned way" by: |
| 16 | + - Create the destination volume if it doesn't already exist. |
| 17 | + - Create the SnapMirror relationship. |
| 18 | + - Initialize the SnapMirror relationship. |
| 19 | +- When creating the destination volume, it just creates with the default parameters, so it might not match the configuration of the source volume. Specially, the number of constituents could be different. |
| 20 | +- The "snapmirror.destinations.is_ontap" field is not maintained by ONTAP for FlexGroup volumes. So, the script will attempt to create a SM relationship every time it is run. It will fail, and probably not harm anything, but it isn't clean. A "To Do" is the leverage the SnapMirror API to obtain the list of SnapMirror relationships and figure out if the volume already has a relationship reviewing that list. Note that "snapmirror list-destinations" also doesn't work for FlexGroup volumes. |
| 21 | + |
| 22 | +## Set Up |
| 23 | +There are a few things you need to do in order to get this script to run properly: |
| 24 | + |
| 25 | +- Set up a secret for each of the FSxN file systems in the AWS Secrets Manager. Each secret should have two "keys" (they can be named anything, since you set the key name in the script): |
| 26 | + - username - set to the username you want the script to use when issuing API to the ONTAP system. |
| 27 | + - password - set to the password of the username specified with the username key. |
| 28 | +- Edit the top of the script and fill in a few variables: |
| 29 | +- partnerTable - This table provides the association with a source FSxN file system to its partner cluster (i.e. where its volumes should be SnapMirror'ed to.) There should be five fields for each entry: |
| 30 | + - fsxId - Set to the AWS ID of the FSx file system. |
| 31 | + - svmName - Set to the SVM name on the FSxN file system. |
| 32 | + - partnerFsxnIP - Set to the IP address of the management port of the partner FSxN file system. |
| 33 | + - partnerSvmName - The name of the SVM where you want the SnapMirror destination volume to resided. |
| 34 | + - partnerSvmSourceName - Is the "peered name" of the source SVM. Usually, it is the same as the source SVM, but can be different if that same name already exists on the partner file system. When you peer the SVM it will require you to create an alias for the source SVM so all the SVM names are unique. |
| 35 | +- secretsTable - This table provides the secret name, and username and password keys to use for each of the file systems. It should have 4 fields: |
| 36 | + - id - Set to the AWS File System ID |
| 37 | + - secretName - Set to the name of the secret created in step one. |
| 38 | + - usernameKey - Set to the name of the key that holds the username. In the instructions above, it should be set to 'username' but this allows you to use any key name you want. |
| 39 | + - passwordKey - Set to the name of the key that holds the password. |
| 40 | +*NOTE:* Instead of defining the secretsTable in the script, you can define dynamodbTableName and dynamodbRegion and the script will read the secretsTable from the DynamoDB table. The table should have the same fields as the secretsTable. |
| 41 | +- secretsManagerRegion - Set to the region where the Secrets Manager has been set up. |
| 42 | +- destinationVolumeSuffix - Set to the string you want appended to the source volume name to create the destination volume name. |
| 43 | +- snapMirrorPolicy - Set to the Data ONTAP SnapMirror policy you want the assigned to the SnapMirror relationship. |
| 44 | +- maxSnapMirrorRelationships - Set to the maximum number of SnapMirror relationship initializations you want to allow running at the same time. |
| 45 | +- dryRun - If set to 'True' (case sensitive) the program will just show that it would have done, instead of actually creating the SnapMirror relationships. |
| 46 | + |
| 47 | +If you want to run this script as a Lambda program, then you'll need to |
| 48 | +- Create a role that has the following permissions: |
| 49 | + - secretsmanager:GetSecretValue |
| 50 | + - ec2:DescribeRegions |
| 51 | + - fsx:DescribeFileSystems |
| 52 | + - fsx:DescribeVolumes |
| 53 | + - fsx:ListTagsForResources |
| 54 | + - dynamodb:GetItem - Optionally, if you are using a DynamoDB table to store the secretsTable. |
| 55 | + |
| 56 | +Create AWS endpoints for any services that it uses. Currently that is: |
| 57 | +- ec2 |
| 58 | +- fsx |
| 59 | +- SecretsManager |
| 60 | +- dynamodb - Optionally, if you are using a DynamoDB table to store the secretsTable. |
| 61 | + |
| 62 | +# Running The Script |
| 63 | +To run the script on a Linux host, you just need to change the UNIX permissions on the file to be executable, then run it as a command: |
| 64 | + |
| 65 | +chmod +x auto_creaate_sm_relationships |
| 66 | + |
| 67 | +./auto_create_sm_relationships |
| 68 | + |
| 69 | +To run it as a Lambda function you will need to: |
| 70 | +- Create the Lambda function with a Python runtime, from scratch, and paste the program into code box and save it. |
| 71 | +- Associate the role created above with the Lambda function. |
| 72 | +- Create the AWS service endpoints mentioned above. |
| 73 | +- Adjust the default timeout from 4 seconds to at least 20, maybe 60 seconds. |
| 74 | +- Once you have tested that it run successfully, creating an eventBridge that will trigger it to run on a regular basis (e.g. once or twice a day). |
0 commit comments