Mailing List Archive

DNS Configured Check - High Impact on ConfigAdvisor
Hey,

can anyone explain to me why "DNS Configured Check" is rated as high impact on SVMs in ConfigAdvisor 5? I'm not using DNS at all in any of my SVMs, all connections are IP-based and all my reports now look pretty bad with x High Impact Issues where x is the number of SVMs.
Also, the Management LIF configurations are rated as Low Impact and in my point of view it's also not necessary to have separate management LIFs for SVMs if I do not give access to them to my tenants or require any Snapmanager integrations.

Any idea how I can tell ConfigAdvisor to just ignore those things?

Thanks,

Alexander Griesser
Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser@anexia-it.com
Web: http://www.anexia-it.com

Headquarters address Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
RE: DNS Configured Check - High Impact on ConfigAdvisor
The config check for DNS was added around 8.3.x because we moved where DNS was handled from the cluster scope to the SVM scope. Many customers had DNS configured for the cluster, but not the SVM. This would break export policies and other services and cause outages, which is why it's rated as "high impact."

TR-4379 covers the DNS changes regarding upgrades:

http://www.netapp.com/us/media/tr-4379.pdf

Not sure how you can tell config advisor to ignore those things.

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Alexander Griesser
Sent: Saturday, September 2, 2017 5:46 AM
To: toasters@teaparty.net
Subject: DNS Configured Check - High Impact on ConfigAdvisor

AW: DNS Configured Check - High Impact on ConfigAdvisor
Hey Justin,

yah, I'm aware of that change and people doing things like that which break after upgrading to 8.3; but ConfigAdvisor should (in my opinion) be smarter about that.
It's easy for CA to check if DNS is active inside an SVM and alert for the absence of DNS _ONLY_ if there are export policies configured for hostnames; otherwise, the way it is now, all my install reports need additional explanation when there's so much red in CA :)

Maybe I'm just too stupid to find the setting for configuring individual alerting levels based on the findings of CA, but so far, I've not been successful in at least converting them to info notices or anything like that.

Best,

Alexander Griesser
Head of Systems Operations

From: Parisi, Justin [mailto:Justin.Parisi@netapp.com]
Sent: Tuesday, September 5, 2017 16:02
To: Alexander Griesser <AGriesser@anexia-it.com>; toasters@teaparty.net
Subject: RE: DNS Configured Check - High Impact on ConfigAdvisor

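The conditional check proposed in the message above (alert on missing DNS only when export-policy rules match clients by hostname), sketched as an added example; it is not part of the thread and not ConfigAdvisor code. The SVM dictionary layout, the severity labels, the sample inventory and the "netgroup means low" rule are assumptions made for illustration, and other services that may need DNS are not covered.

```python
import ipaddress

def classify_clientmatch(match):
    """Classify one export-policy clientmatch value by the lookup it needs."""
    m = match.strip()
    if m.startswith("@"):
        return "netgroup"   # netgroup members may themselves be hostnames
    if m.startswith("."):
        return "domain"     # DNS domain suffix: needs name resolution
    try:
        # Accepts a single address, CIDR, or address/netmask (IPv4 and IPv6).
        ipaddress.ip_network(m, strict=False)
        return "ip"
    except ValueError:
        return "hostname"   # anything that is not an address is treated as a name

def dns_check_severity(svm):
    """Return (severity, offending_rules) for one SVM description (assumed layout)."""
    if svm["dns_configured"]:
        return "ok", []
    kinds = [(m, classify_clientmatch(m)) for m in svm["export_rules"]]
    named = [m for m, k in kinds if k in ("hostname", "domain")]
    if named:
        return "high", named       # rules cannot be evaluated without DNS
    groups = [m for m, k in kinds if k == "netgroup"]
    if groups:
        return "low", groups       # assumption: review netgroup contents by hand
    return "info", []              # IP-only access control: DNS absence is harmless

# Constructed inventory for the example, not output from any real tool.
SAMPLE_SVMS = [
    {"name": "svm_ip_only", "dns_configured": False,
     "export_rules": ["10.20.0.0/24", "192.168.5.17", "10.30.0.0/255.255.0.0"]},
    {"name": "svm_hostnames", "dns_configured": False,
     "export_rules": ["10.20.0.0/24", "build01.example.internal",
                      ".lab.example.internal"]},
    {"name": "svm_netgroup", "dns_configured": False,
     "export_rules": ["@nfs_clients"]},
    {"name": "svm_with_dns", "dns_configured": True,
     "export_rules": ["app01.example.internal"]},
]

def audit(svms):
    """Map each SVM name to its (severity, offending_rules) result."""
    return {s["name"]: dns_check_severity(s) for s in svms}

if __name__ == "__main__":
    for name, (severity, rules) in audit(SAMPLE_SVMS).items():
        print(f"{name:14} {severity:5} {', '.join(rules)}")
```
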
RE: DNS Configured Check - High Impact on ConfigAdvisor
Perhaps open up a case and get a product enhancement request raised. Or, there may be a way to bypass those alerts that I am unaware of.

From: Alexander Griesser [mailto:AGriesser@anexia-it.com]
Sent: Tuesday, September 5, 2017 10:34 AM
To: Parisi, Justin <Justin.Parisi@netapp.com>; toasters@teaparty.net
Subject: AW: DNS Configured Check - High Impact on ConfigAdvisor

RE: DNS Configured Check - High Impact on ConfigAdvisor
Justin> Perhaps open up a case and get a product enhancement request
Justin> raised. Or, there may be a way to bypass those alerts that I
Justin> am unaware of.

I think config advisor is just a bunch of scripts which grab and
massage the data, then put it into a nice report. Maybe you could
hack it to remove that report? I don't have my laptop on right now,
otherwise I'd check it out.

For all I know, it's powershell scripts, or maybe even just python.

I agree it could be smarter, but setting up DNS isn't hard either.
Just point it to some DNS servers you don't care about, or which are
strictly internal maybe? That's the other option, since you must need
DNS for some of your systems...

John
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
Re: DNS Configured Check - High Impact on ConfigAdvisor
On 6-9-17 02:43, John Stoffel wrote:
> I agree it could be smarter, but setting up DNS isn't hard either.
> Just point it to some DNS servers you don't care about, or which are

It can be quite hard to set up DNS.

For example, we have a bunch of SVMs in a metrocluster environment.

Metrocluster needs stretched VLANs, and we really don't like stretching VLANs across sites, so we set it up so that the only VLANs that are stretched are the NFS VLANs. Those use RFC1918 IP addresses and are not routed.

As a result, those SVMs *cannot* have an IP address that is globally reachable. And they don't need to, either. We are using NFSv3 and IP-based access control, and this way the NFS server is properly isolated from everything else.

The only way to set up DNS would be to run a special DNS server inside those VLANs with an extra port to the outside world. However, the SVMs don't need DNS, so we obviously won't do that just to silence a silly warning.

(It's one of the reasons I hardly ever look at configAdvisor. Fortunately hardly anyone wants to look at those reports anyway, mainly netapp support staff).

--
Jan-Pieter Cornet <johnpc@xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
- Grey's Law
AW: DNS Configured Check - High Impact on ConfigAdvisor
What tool are you using to check on the correctness of a new deployment if you're not using ConfigAdvisor?

Best,

Alexander Griesser
Head of Systems Operations

-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jan-Pieter Cornet
Sent: Thursday, September 7, 2017 14:03
To: John Stoffel <john@stoffel.org>
Cc: toasters@teaparty.net
Subject: Re: DNS Configured Check - High Impact on ConfigAdvisor
