
Isilon OneFS 7.1.1 and Later Upgrading Clusters Configured With Access Zones and Shared Data


ONEFS 7.1.1 AND LATER: BEST PRACTICES FOR UPGRADING CLUSTERS CONFIGURED WITH ACCESS ZONES

Abstract

Access zones behave differently in OneFS 7.1.1 than in previous
releases. If you are using shared data in access zones, this technical
guide provides a description of the key access zones changes in OneFS
7.1.1 and later to help you understand the implications of these
changes.

Publication History

Date                 Description
September 30, 2014   Initial publication.
January 23, 2015     Added details about snapshots in nested Access Zones.
May 15, 2015         Updated the following notes: You cannot configure NFS exports in
                     multiple access zones for OneFS 7.1.1. You must configure NFS exports
                     in the System zone for this OneFS family. However, OneFS 7.2.0 and
                     later versions allow NFS export to use separate Access Zones. For
                     OneFS 7.2.0 and later, NFS export rules are zone-aware. Each export is
                     associated with a zone, can only be mounted by clients on that zone,
                     and can only expose paths below the zone root.

EMC², EMC, Isilon, OneFS, and the EMC logo are registered trademarks or
trademarks of EMC Corporation in the United States and other countries.
All other trademarks used herein are the property of their respective
owners.
© Copyright 2014 EMC Corporation. All rights reserved. Published in the
USA.

OneFS 7.1.1 and later: Best practices for upgrading clusters with access zones 2
EMC believes the information in this document is accurate as of its
publication date. The information is subject to change without notice.

CONTENTS
Introduction
Access zones overview
Changes to access zones in OneFS 7.1.1 and later
  Base directories for access zones
  SMB shares within access zones
  Home directory template paths
  HDFS settings
Examples of shared data workflows that would require data restructuring
  Scenario 1: Access zones with untrusted Active Directory servers and shared data
  Scenario 2: Access zones with shared and private data
Access zones best practices
Documentation resources
Contact EMC Isilon Technical Support

Introduction
This guide describes in detail the access zones changes in EMC Isilon OneFS® 7.1.1 and later, and the
recommended best practices for administrators who are considering an upgrade to 7.1.1. It also includes known
scenarios that will require data restructuring and possible solutions for customers who upgrade to 7.1.1 when
using access zones with shared data. It is written for a technical audience.

IMPORTANT!
If access zones are configured for a cluster, we strongly recommend that you read the OneFS Upgrade Planning
and Process Guide and contact EMC Isilon Technical Support before upgrading the cluster to OneFS 7.1.1 or
later. This will help to ensure that changes to access zones will not interrupt your workflow.

Access zones overview


Access zones provide the means to configure and provision a subset of your total storage. This multi-tenancy
feature of OneFS enables administrators to partition a cluster into multiple virtual containers and to separate
data into self-contained units with their own sets of authentication providers, user mapping rules, and SMB
shares.

Access zones support all configuration settings for authentication and identity management services on a
cluster, so you can configure authentication providers and provision SMB shares on a zone-by-zone basis.
When you create an access zone, a local provider is created automatically, which makes it possible for you to
configure each access zone with a list of local users and groups. You can also authenticate through a different
Active Directory (AD) provider in each access zone.

Note: You cannot configure NFS exports in multiple access zones for OneFS 7.1.1. You must configure NFS
exports in the System zone for this OneFS family. However, OneFS 7.2.0 and later versions allow NFS export to
use separate Access Zones. For OneFS 7.2.0 and later, NFS export rules are zone-aware. Each export is
associated with a zone, can only be mounted by clients on that zone, and can only expose paths below the
zone root.

To control data access, you can direct incoming connections to the access zone from a specific IP address in
the pool by using SmartConnect zones. Associating an access zone with an IP address pool restricts
authentication to the associated access zone and reduces the number of accessible SMB shares.

When working as designed with proper configuration, access zones provide isolation of cluster resources.

Changes to access zones in OneFS 7.1.1 and later


Starting with OneFS 7.1.1, access zones require root directories, and no access zone can access the
data of another access zone. When you are using multiple access zones, the directory layouts will need to
be altered, so that the root of one access zone is not nested inside the root of another access zone. The
purpose of this guide is to help you to evaluate these changes and create a plan for making post-upgrade
modifications to access zones.

For clusters using access zones in versions prior to OneFS 7.1.1:

If you upgrade to OneFS 7.1.1 or later, all previously created access zones will be assigned a base path of
/ifs. Before you can create any new access zones, you must specify new base paths for existing access
zones. The new base paths must not overlap. The access zone configuration cannot be modified by the GUI.

The OneFS 7.1.1 changes to access zones affect SMB share paths, the home directory template path for each
local provider, and HDFS settings.

SMB and HDFS protocols are access-zone aware. Other protocols use the access zones for System access. You
will need to make configuration changes to these areas after upgrading, which might include migrating data to
new directories or duplicating shared data.

Example 1. Upgrading to OneFS 7.1.1 with access zones and no shared data

The following example illustrates access zones before and after upgrading to OneFS 7.1.1 or later. In this
example, there are no SMB shares associated with multiple access zones (excluding the System zone).

Before upgrading:

Global List of Shares:
Finance = /ifs/data/Finance
Engineering = /ifs/data/Engineering
Human Resources = /ifs/data/Human Resources

ZoneA:
Shares:
Finance
Home directory template:
local-provider:ZoneA = /ifs/home/%U

ZoneB:
Shares:
Human Resources
Engineering
Home directory template:
local-provider:ZoneB = /ifs/home/%U

After upgrading:

ZoneA:
Base directory = /ifs
Shares:
Finance = /ifs/data/Finance
Home directory template:
local-provider:ZoneA = /ifs/home/%U

ZoneB:
Base directory = /ifs
Shares:
Human Resources = /ifs/data/Human Resources
Engineering = /ifs/data/Engineering
Home directory template:
local-provider:ZoneB = /ifs/home/%U

After the upgrade, both ZoneA and ZoneB point to /ifs as the base directory, and the home directory
template in each access zone points to the same directory.

Base directories for access zones


Access zone base directories extend and enforce the best practice of designating separate directory trees for
separate access zones. OneFS 7.1.1 enforces data isolation by requiring each zone to specify a base directory
path that does not overlap with another base directory. All SMB file sharing for a zone starts below that path.

For example, if a cluster had two access zones, AccessZone1 and AccessZone2, and the data
layout was:

/ifs/data/AccessZone1
/ifs/data/AccessZone1/AccessZone2

The data will need to be migrated to the following:

/ifs/data/AccessZone1
/ifs/data/AccessZone2

The shares and exports pointing to those directories will need to be reconfigured as well.

In addition:

• Sharing across zones is not allowed.


• The base directory of the default System access zone is /ifs and cannot be modified.

IMPORTANT!
If you upgrade to OneFS 7.1.1 or later, you cannot create new access zones until you reconfigure any zones
that were migrated during the OneFS upgrade. After the upgrade, each migrated access zone will have /ifs as
the base directory, and this configuration will continue to serve connections without issues. However, you will
not be able to create new access zones until you reconfigure each access zone with a unique base directory.

Note: You can always change your access zone base directory back to /ifs. The purpose of this is to allow
administrators an escape valve in case they need to switch it back.

Prior to modifying base directories, you will need to create new directories, if needed. For data migrations with
a large number of files, we recommend that you always move directories, rather than files, into these new
directories, by using the mv command.

You will also need to modify the home directory template path of the local provider for each access zone and
to modify the SMB share paths in each access zone to point to the directories where the data was moved.

For procedures on reconfiguring access zones, review the OneFS Upgrade Planning and Process Guide.

SMB shares within access zones


The following configuration changes will occur when you upgrade to OneFS 7.1.1 or later to adhere to new
path guidelines enforced by access zones:

• Shares are not stored in a global list; shares are stored in access zones.
• A share path must match or fall under the base path of the access zone.
• Share names must be unique only within an access zone, not on the cluster.
• Existing SMB shares that are associated with more than one access zone will be duplicated, with a
copy added to each existing access zone. Each share will reference the same directory. This is not a
recommended configuration and should be reconfigured.
• If an SMB share has a display name in an access zone, the upgrade process will replace the share
name with the share display name.

If necessary, create new directory paths that the shares will point to, migrate the data to those paths, and
then modify the SMB shares to point to the new paths.

For procedures on reconfiguring SMB shares for access zones, review the following section in the OneFS
Upgrade Planning and Process Guide:

• “Reconfiguring SMB shares within access zones”

Home directory template paths


OneFS 7.1.1 introduced changes to access zones that affect home directory templates. After you upgrade to
OneFS 7.1.1, the path of the home directory template in each access zone that is configured with the local
authorization provider must match or fall under the base directory path of the access zone.

You will need to modify both the home directory template and SMB share paths before updating the zone base
directory.

For procedures on reconfiguring home directory templates, review the following section in the OneFS Upgrade
Planning and Process Guide:

• “Reconfiguring home directory templates within access zones”

HDFS settings
The following configuration changes occur when you upgrade to OneFS 7.1.1 or later:

• By default, the HDFS root directory of each migrated access zone is set to the base directory of the
zone. This is not a recommended configuration and should be reconfigured.
• Settings for authentication and keytab files are copied and applied to each migrated access zone.
• WebHDFS is enabled by default in each access zone.
• HDFS settings are no longer global; they are configured in each access zone.

After the upgrade to OneFS 7.1.1, the following HDFS settings and guidelines are applicable to each access
zone:

• Settings for the HDFS root directory and authentication are allowed in each access zone.
• The root directory of each migrated access zone defaults to the base directory.
• An HDFS root directory path must match or fall under the base directory path of the access zone.

For procedures on reconfiguring HDFS settings for access zones, review the following section in the OneFS
Upgrade Planning and Process Guide:

• “Reconfiguring HDFS settings within access zones”
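
The path rules from the preceding sections (base directories must not overlap; share paths, home directory templates, and HDFS roots must match or fall under the zone base directory) can be checked against a planned layout before any zone is reconfigured. The following Python sketch is an added example, not EMC code or a OneFS tool; the dictionary format, the function names, and the PLANNED layout are assumptions made for illustration.

```python
import posixpath
from pathlib import PurePosixPath

SYSTEM_ZONE = "System"  # base directory is /ifs and cannot be modified (per the guide)


def is_under(path, base):
    """True if path equals base or lies below it, compared per path component.

    Normalising first means '/ifs/ZoneA/../ZoneB' is not treated as inside
    /ifs/ZoneA, and comparing components (not string prefixes) means
    /ifs/data/ZoneAB is not treated as inside /ifs/data/ZoneA.
    """
    p = PurePosixPath(posixpath.normpath(path)).parts
    b = PurePosixPath(posixpath.normpath(base)).parts
    return p[:len(b)] == b


def check_layout(zones):
    """Return (rule, zone, detail) tuples for every path rule the layout breaks."""
    findings = []
    # Assumption: the System zone is skipped, because its fixed /ifs base
    # necessarily contains every other base directory.
    names = sorted(n for n in zones if n != SYSTEM_ZONE)

    # Rule 1: base directories must not overlap (equal or nested).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            base_a, base_b = zones[a]["base"], zones[b]["base"]
            if is_under(base_a, base_b) or is_under(base_b, base_a):
                findings.append(
                    ("base-overlap", a, f"{base_a} overlaps {b} ({base_b})"))

    # Rules 2-4: share paths, home directory template, HDFS root under base.
    for name in names:
        zone = zones[name]
        base = zone["base"]
        paths = [("share", p) for p in zone.get("shares", {}).values()]
        if "home_template" in zone:
            paths.append(("home-template", zone["home_template"]))
        if "hdfs_root" in zone:
            paths.append(("hdfs-root", zone["hdfs_root"]))
        for rule, path in paths:
            if not is_under(path, base):
                findings.append((rule, name, f"{path} is outside base {base}"))
    return findings


# State right after the upgrade, taken from Example 1 above.
MIGRATED = {
    "ZoneA": {"base": "/ifs",
              "shares": {"Finance": "/ifs/data/Finance"},
              "home_template": "/ifs/home/%U"},
    "ZoneB": {"base": "/ifs",
              "shares": {"Human Resources": "/ifs/data/Human Resources",
                         "Engineering": "/ifs/data/Engineering"},
              "home_template": "/ifs/home/%U"},
}

# Constructed planned layout: ZoneA's home directory template was forgotten.
PLANNED = {
    "ZoneA": {"base": "/ifs/ZoneA",
              "shares": {"Finance": "/ifs/ZoneA/Finance"},
              "home_template": "/ifs/home/%U"},
    "ZoneB": {"base": "/ifs/ZoneB",
              "shares": {"Engineering": "/ifs/ZoneB/Engineering"},
              "home_template": "/ifs/ZoneB/home/%U",
              "hdfs_root": "/ifs/ZoneB/hadoop"},
}

if __name__ == "__main__":
    for label, layout in (("migrated", MIGRATED), ("planned", PLANNED)):
        for finding in check_layout(layout):
            print(label, *finding, sep=" | ")
```
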

Examples of shared data workflows that would require data restructuring
Before upgrading, assess the impact that the access zone changes may have on your workflow and the
amount of work it will require to complete post-upgrade configuration changes. The changes can be
considerable if you have shared data across multiple access zones.

If your cluster uses one of the following workflows, we recommend that you contact EMC Isilon Technical
Support to discuss a migration strategy.

Scenario 1: Access zones with untrusted Active Directory servers and shared data
In this scenario, each access zone is configured with an untrusted authentication provider. A common set of
data is shared across multiple access zones that are authenticated by different Active Directory (AD) servers.
These AD servers have no trust relationship and can potentially be separated by a firewall. The external Active
Directory server (AD1) is being used to govern external users, who don't belong to the same organization as
AD2.

Before the upgrade


Internal users (User Group 2) accessing Access ZoneB are able to see the shared data, and users from an
external entity (User Group 1) accessing Access ZoneA can also see that shared data. Both user groups have
full read/write access to the set of shared data.

After the upgrade
After the upgrade to 7.1.1, one access zone will lose access to the shared data. To resolve this, you can apply
a SyncIQ policy to replicate the shared data copy 1 to shared data copy 2. In this scenario, you can also use
SmartDedupe to reduce disk usage, and only the metadata would exist on shared data copy 2.

The larger implication in this scenario is that users coming in from Access ZoneB and its authorization provider
will no longer have read/write (RW) access to the shared data. They will be able to access the data only in
read-only (RO) mode.

If your original use case for this data prior to 7.1.1 is RO for user group 2, this scenario might work for you. If
you want all users to have full RW access to that set of shared data, then this solution will not work. Contact
Technical Support to discuss any other options.

For more information about restructuring data and configuring access zones, review the “Access zones”
section in the OneFS 7.1.1 Web Administration Guide or in the OneFS 7.1.1 CLI Administration Guide, and the
following sections in the OneFS Upgrade Planning and Process Guide:

• “Configuring base directories for access zones”


• “Reconfiguring SMB shares within access zones”
• “Reconfiguring home directory templates within access zones”
• “Reconfiguring HDFS settings within access zones”

Scenario 2: Access zones with shared and private data
In this scenario, we have SMB shares that are associated with multiple access zones. There is one Active
Directory authentication server, so all users coming into this cluster have the same authentication provider. A
common set of data is shared across multiple access zones, and SmartConnect zones are used to control user
access to different areas of the shared data. Some of the data is being accessed by multiple user groups, but
some of the data is private data, accessible only by a subset of user groups. The SMB shared data is combined
prior to OneFS 7.1.1, and then selectively assigned to different access zones to manage user access.

Before the upgrade


In this example, one group of users will be able to see all 10 (for example) shares. The other group of users
can only see a subset (for example, 3 shares) in another access zone.

After the upgrade
If an SMB share was listed in multiple access zones, the upgrade process will make duplicate copies of the
share and place them in their respective zones. Each share references the same directory. This is not a
recommended configuration and should be reconfigured.

A possible solution would be to restructure your data. You would create new directories and move data into
those directories to create a separation of data for different shares. The 10 shares of combined private and
shared data would need to be configured for only the 7 shares of private data in one access zone for User
Group 1, and the 3 shares of shared data would be selectively assigned to a different access zone to manage
user access for User Groups 1 and 2.

Another option would be to create a third access zone to isolate data access for different clients. This option is
viable if you are using the same authentication providers between all access zones.

For example, if you have the following configurations before and after upgrading:

Before upgrading:

Global List of Shares:
Finance = /ifs/data/Finance
Engineering = /ifs/data/Engineering
Human Resources = /ifs/data/Human Resources

ZoneA:
Shares:
Human Resources
Finance
Home directory template:
local-provider:ZoneA = /ifs/home/%U

ZoneB:
Shares:
Human Resources
Engineering
Home directory template:
local-provider:ZoneB = /ifs/home/%U

After upgrading:

ZoneA:
Base directory = /ifs
Shares:
Human Resources = /ifs/data/Human Resources
Finance = /ifs/data/Finance
Home directory template:
local-provider:ZoneA = /ifs/home/%U

ZoneB:
Base directory = /ifs
Shares:
Human Resources = /ifs/data/Human Resources
Engineering = /ifs/data/Engineering
Home directory template:
local-provider:ZoneB = /ifs/home/%U

After upgrading and resolving any conflicts, you can create a third access zone and move all home directories
for users in ZoneA and ZoneB as follows:

ZoneA:
Base directory = /ifs/ZoneA
Shares:
Finance = /ifs/ZoneA/Finance

ZoneB:
Base directory = /ifs/ZoneB
Shares:
Engineering = /ifs/ZoneB/Engineering

ZoneC:
Base directory = /ifs/ZoneC
Shares:
Human Resources = /ifs/ZoneC/Human Resources

For more information on restructuring data and configuring access zones, review the “Access zones” section in
the OneFS 7.1.1 Web Administration Guide or the OneFS 7.1.1 CLI Administration Guide, and the following
sections in the OneFS Upgrade Planning and Process Guide:

• “Configuring base directories for access zones”


• “Reconfiguring SMB shares within access zones”
• “Reconfiguring home directory templates within access zones”
• “Reconfiguring HDFS settings within access zones”

Access zones best practices
To configure access zones optimally for OneFS 7.1.1 and later, follow the best practices described in this
section.

1. Reserve the System zone for configuration access


Reserve the System zone for configuration access and create additional access zones for data access.
Do not allow data access in both the System zone and created access zones.

Note: This guideline does not apply to NFS, which is allowed only in the System zone for OneFS 7.1.1.
However, OneFS 7.2.0 and later versions allow NFS export to use separate Access Zones. For OneFS
7.2.0 and later, NFS export rules are zone-aware. Each export is associated with a zone, can only be
mounted by clients on that zone, and can only expose paths below the zone root.

2. Assign only one authentication provider of each type to each access zone
Access zones enforce only a single Active Directory provider in a zone, a hard requirement based on
the semantics of NTLM authentication. Although OneFS allows multiple LDAP, NIS, and File
authentication providers in one access zone, administration is simplified when only one provider of each
type is assigned per access zone.

3. Avoid overlapping UID or GID ranges for authentication providers in the same access zone
Zone access conflicts are unlikely but possible if overlapping UIDs/GIDs are present in
the same access zone.

4. Create access zones to isolate data access for different clients or users
Do not create access zones if a workflow requires data sharing between different classes of clients or
users.

5. Limit the number of access zones in OneFS 7.1.1 to 20


The maximum number of access zones has yet to be established. However, as a best practice, the
number of access zones should not exceed 20 in OneFS 7.1.1. Correspondingly, you should limit the
number of audited zones to 20 in OneFS 7.1.1.

6. Use the PermissionRepair job to copy ACLs


We recommend that you use the PermissionRepair job to copy ACLs of the top-level parent directory to
the top level of a new path, after you create a new SMB share and add it to an access zone, and before
you move directories.

isi job start PermissionRepair --mode clone --template <source path> --paths <new target path>

7. Always move directories—rather than directory contents—for directories with large numbers of files
For internal data migrations with a large number of files, we recommend that you always move entire
directories into new directories by using the mv command. Moving entire directories results in a single
inode update and is very fast. In contrast, moving directory contents might only affect permissions
inheritance and can take an exceptionally long time, especially when there are large numbers of files
present.

8. Create access zones directory layout structures


Create directories with the /ifs/<cluster-name>/<zone-name>/ structure. This can become your
access zone rule, and then you can create SMB shares under that directory structure and define
permissions. See the Technical Demo: Access Zones in EMC Isilon OneFS 7.1.1 for a demonstration.
This structure permits synchronization between multiple clusters with SyncIQ, while matching SyncIQ
root path, and SyncIQ target root path, without any concern for overlap.

9. Delete symbolic links that point to a path outside of their own access zone
Prior to OneFS 7.1.1, you could create symbolic links that point between access zones. After the
upgrade, if your symbolic links (symlinks) point to a share path that is outside of the access zone, you
should remove them.

For example, a number of customers use the Homedir template path in the Auth Provider settings to
define where FTP/sFTP users land when they connect to the cluster, so that they can use chroot to
route authorization providers and users to different directories. This path must change, and therefore
any symbolic links in that Homedir might not work after the upgrade. The Homedir template must be
updated after the upgrade and any symbolic links that point between access zones will need to be
deleted.

10. Restructure nested overlapping paths between access zones


If you have nested overlapping paths such as the following:
/ifs/data/ZoneA
/ifs/data/ZoneA/ZoneB

You will need to migrate the data and split it into something like the following:
/ifs/data/ZoneA
/ifs/data/ZoneB

The shares and exports pointing to those directories will also need to be reconfigured, and one access
zone will lose read/write access to any shared data.

11. Assess the number of shares you have before you upgrade
Make sure you understand the total number of shares you have, and how they are configured, before
you upgrade to OneFS 7.1.1. If you have a large number of shares in multiple access zones, the total
number of shares created will multiply based on the number of SMB shares that are shared across a
certain number of access zones after the upgrade, so that each access zone "owns" its own shares. If
the original number of shares is sufficiently large—for example 10,000 or more—upgrading to OneFS
7.1.1 may create stability issues, because you would be hitting the upper limit of shares of a cluster.
As a guideline, the total number of shares in a cluster should not exceed 30,000. So if you have
10,000 shares, which are shared across three access zones, you could potentially have 30,000
shares after the upgrade.

If you will be getting close to the total number of shares limitation, contact EMC Isilon Technical
Support before you upgrade.

12. Manage your snapshots in nested Access Zones


If you have nested Access Zones, and snapshots were taken from the parent directory downwards,
after the upgrade users of the "higher" Access Zone will still be able to right-click on the snapshots
and select "Restore previous versions" in Windows Explorer.

Users in the "lower" Access Zone would only have access to new snapshots that are created after the
paths are re-structured. A best practice is to re-create snapshot schedules per Access Zone after the
restructure of the Access Zone paths, and manually recover snapshots from /ifs/.snapshot/ before
they expire.
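
For best practice 9, symbolic links that leave an access zone can be listed before anything is deleted. The following Python sketch is an added example, not EMC code or a OneFS tool: find_escaping_symlinks and the temporary directory tree built in demo() are assumptions made for illustration, and the script only reports links, it does not remove them.

```python
import os
import tempfile


def find_escaping_symlinks(zone_base):
    """Return sorted (link, resolved_target) pairs for symlinks under
    zone_base whose target resolves outside zone_base."""
    base = os.path.realpath(zone_base)
    results = []
    # followlinks=False: report directory symlinks, never descend through them.
    for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            # realpath resolves relative targets, '..' segments and chained
            # links; for a dangling link it still returns the intended path.
            target = os.path.realpath(link)
            # commonpath compares whole components, so a sibling such as
            # ZoneA-archive is not mistaken for something inside ZoneA.
            if os.path.commonpath([base, target]) != base:
                results.append((link, target))
    return sorted(results)


def demo():
    """Audit ZoneA in a constructed two-zone tree; paths relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        zone_a = os.path.join(root, "ZoneA")
        zone_b = os.path.join(root, "ZoneB")
        home = os.path.join(zone_a, "home", "ftpuser")
        os.makedirs(home)
        os.makedirs(os.path.join(zone_a, "Finance"))
        os.makedirs(os.path.join(zone_b, "Engineering"))

        # Stays inside ZoneA: must not be reported.
        os.symlink("../../Finance", os.path.join(home, "finance"))
        # Absolute link into another zone.
        os.symlink(os.path.join(zone_b, "Engineering"),
                   os.path.join(home, "eng"))
        # Relative link that leaves the zone through '..' segments.
        os.symlink("../../Finance/../../ZoneB", os.path.join(home, "sneaky"))
        # Dangling link to a sibling that shares the 'ZoneA' name prefix.
        os.symlink("../../../ZoneA-archive", os.path.join(home, "old"))

        real_root = os.path.realpath(root)
        return [(os.path.relpath(link, real_root),
                 os.path.relpath(target, real_root))
                for link, target in find_escaping_symlinks(zone_a)]


if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```
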

Documentation resources
See the following documentation resources for additional information:

• For details about access zones configuration, see the OneFS 7.1.1 Web Administration Guide and the
OneFS 7.1.1 CLI Administration Guide.
• For details about the OneFS 7.1.1 release, including known issues, see the OneFS 7.1.1 Release Notes.
• For planning and implementation details, see the OneFS Upgrade Planning and Process Guide.
• For a demonstration on how to create access zones in OneFS, see the Technical Demo: Access Zones in
EMC Isilon OneFS 7.1.1.

Contact EMC Isilon Technical Support


When you contact support, specify that you are requesting information about or assistance with an upgrade to
OneFS 7.1.1.

Online Support: https://support.emc.com/

Telephone Support:
United States: 800-782-4362 (800-SVC-4EMC)
Canada: 800-543-4782
Worldwide: +1-508-497-7901
Additional worldwide access numbers

EMC Isilon Telephone Support:

From the main menu, select option 2 (All Hardware Products); then option 1 (All Hardware Products except AX).

Help with Online Support Tools:

For questions specific to EMC Online Support registration, access, or site association, contact
[email protected]

© Copyright 2014 EMC Corporation. All rights reserved.
