00:00
Hello and welcome to our ongoing series on configuring and using file services on a Pure Storage Flash Array system. This video will provide an overview on flash array policies for file as well as creating our first file system and file share. So let's get into it. Building on top of where we left off in the last video where we configured the virtual
00:23
network interface, the DNS, and the active directory. Today we're gonna be working with policies and the actual file system shares on the Flash Array to create our first file share. So I've already gone in the lab, logged into the lab environment and I'm already into my flash array system. And once you're in there, you want to go and go
00:42
into the storage note here on the far left, and then from the menu, what we're gonna be focusing on in this video is the file systems and the policy menu options. So we're first gonna start with policies because we don't have any policies created to assign to our file systems as of yet, other than the simple or the default sample ones that are included on the array.
01:05
And as you can see once we go into policies, we have four options for export policies, quota policies, auto policies, and audit policies. Now, at the basics, the only one that we need to create to actually make all this work is the export policy, but we're gonna go ahead and walk through each of these just to kind of show you what they are and give you kind of a brief overview.
01:25
So let's start with the export policy. So if I go ahead and see you on the far right, go ahead and click the plus sign to create. We get to create export policy wizard. Now I do not have a pod set up in my lab environment, so if you're doing replication in your environment from point A to point B, you would have the option to use these pods,
01:45
um, so obviously in your environment, go ahead and select that if needed, or if you don't have them like I do, you don't need to fill anything out. For the type, for the export policy type, we're gonna be working with SMB, so we'll hit the drop down and change it from NFS to SMB. Um, for this kind of example, we're gonna work with, like let's say we're creating a department
02:03
share folder, so I'm just gonna call it Department share, give it a name. We obviously want this enabled. Uh, we're gonna turn on access-based enumeration. This is a Windows feature, basically it's gonna show based off your, uh, an account permissions, what folders they can and can't see,
02:19
so it's just a good thing to turn on, um, that way they can't see what they're missing, right? If they don't have access to the folder, it's just not gonna show up in their file structure. And continuous availability is something we'll dive into in a later video that just has to deal with high availability and controller failover for SMB client connections and how
02:39
continuously available those are and what we do there to handle that in a failover scenario. So with that out of the way, let's just go ahead and click create and right there we've got our export policy, but we need to do one at minimum, one extra thing within the export policy. So if we go into the department share export policy, you notice there's no members yet. That will come later when we create and assign
03:02
the file system, but we don't have any rules or any access rules; that is blank. It says here no rules found. so on the far right, we need to go ahead and create a rule. So let's go ahead and click the plus sign. and for this lab environment to make things super easy,
03:17
we're always gonna go with the handy dandy trustee wildcard, just to make it open to anybody, but just know you could do host name, IP address, subnet masks, like you have a different gambit of things that you could use based on how you might want to limit your rule or rules to your environment. I'm just gonna leave the wildcard, um, we're gonna leave allow anonymous access disabled,
03:38
and then we're gonna turn or leave SMB encryption required off as well. So let's just go and click add. so now we have our rule, and in theory that's all we would really need to kind of go out and create our file system to get things going. but we wouldn't have a complete video if I didn't touch on these other policies.
03:54
So the next thing is you can create a quota policy and to follow with our department share, let's say we want to limit all of our users to a 500 gig limit. So again, no policies found, click on the far right for the plus sign. And we're gonna call this, let's call it department share quota, getting really technical here, and I'm gonna say it is enabled; again, broken record,
04:18
no pod is selected because I'm not using any pods in this environment. So let's go ahead and click create. And just like that, we've got our policy, but we don't have any rules for this policy to follow, so we need to go in there and create a rule. So on the far right, we're gonna go ahead and click the plus sign to create a rule,
04:37
and let's say, you know, our quota limit's going to be 500 gigs. Now, granted, you do have a drop-down, you could do K, megs, gigs, terabytes, petabytes, exabytes, whatever you want, but we're just gonna use 500 gigs in this example. For notifications, let's just say I'm gonna say user, that way if I may give user account and I
04:55
start hitting up or bumping up against that threshold, I would get the email saying, hey Jason, you're, you know, you're getting close or you're above this 500 gigs. This is where that enforced policy can come on. So by default, we don't enforce it, meaning you get more of a, you get messages or more of a warning. It's like, hey, you're over 500 gigs, you're at 560 gigs,
05:16
you're at 600 gigs, but you can continue writing to it, whereas if I select enforced, like the moment I hit that cap, I'm not writing there anymore. The users are gonna get an error message when they try to write something. Um, so it just depends on what the kind of, no pun intended, the policies in your environment,
05:31
like how strict you want to be, like, do you want a hard cap or do you just want to say, hey folks, we see that you're over, you can continue your item but please go back, maybe clean up some of these MP4s or whatever you're storing that's taking up all the space. Now, ignore usage is a kind of an interesting option. This is more for like an after the fact where
05:50
you've created a directory, let's say users or groups have been writing to it and you're like, well, we really want to put some quotas in place there, um. You would select ignore usages because if you wanted to put this quota on, let's say we didn't have a quota, I'm at 600 gigs, and they're like, well, we should put a user quota on it and then now I've
06:07
got this 500. The ignore usage would not say it wouldn't limit me because I've already used that amount of storage. It's kind of an easy way of saying, hey, we know you've got this, we're gonna ignore the usage that you've got, but let's go back in and clean it up after the fact.
06:22
So we'll go ahead and leave that unchecked, we'll click add. And from there, we have our quota done. Let's go back up to policies. So auto-der policy, when it comes to working with like SMB shares, you're not really going to use them like you might use them, but I doubt it. What Auto-der does.
06:40
Is any time you create a directory that's got an auto policy on it, it's gonna refer to, we refer to that as a managed directory, and what that means is when I go over here on the left and under analysis and go into performance, I can actually start seeing individual performance metrics for each of those folders. Now on a file system, like a Windows file share
07:00
system, it's probably not that big of a deal unless you're like really just hammering this file share for some odd reason. where this really comes in value and importance is like let's say if I'm using NFS to mount a data store in a vSphere environment. what that'll do is every VM will get its own managed folder, and then when you go into the
07:17
performance here on the left, you can see per VM how much storage I/O or performance metrics that that VM is creating. So it's more of a granular management tool for working with virtual machines, doesn't mean you couldn't turn it on for file shares, you're just probably not gonna see a lot of value in it. And then finally, audit policy. So if you need to audit to assist log server or
07:39
just a local log servers or whatever, you would need to create an audit policy. So on the far right, go and click the plus sign. let's call this, uh, we'll call this department share and I'm just gonna say audit. We want it enabled and I do have a log target on the system already configured, meaning I do have a syslog setting, so I would select a little button here and then say use my
08:03
log targets of syslog data audit. obviously if you don't have syslogging available, you need to kind of, you know, refer to our general flash re- documentation to get that set up. So you kind of need to have that enabled first and configured before you would create your audit policy. So we'll go and click create and like that
08:21
we've got all of our policy work done. now, when I mentioned about coming right to policies at the beginning of this video, Going forward, if these were all the policies you needed, from now on, you could just straight up go to the file systems and just create all the folders you want. We just had to go to the policy section again
08:35
because we just didn't have these in place to start with. Now under file systems, you'll see so much empty because we haven't created any file systems as of yet. So right here under file systems on the far right, let's go ahead and click the plus sign and we'll just call this, you know, department share 'cause that's what we're working with, our theme of this example,
08:54
so let's say that. And click create, and as you see, there we get the file system, we get the directories, the department share route, so everything's looking good there. Now we need to start assigning those policies that we created before to make it usable, accessible, and working.
09:11
So let's go into department share and notice here again, a lot of empty, but under policies, more specifically, there's nothing listed. So we need to start adding those policies. So if you go to the far right. And click the drop down, the little burger menu. The first thing we want to do is we're gonna go
09:26
and add the export policy, basically who can access this export. Um, so let's call it, uh, I'm just gonna call it department share export. We do want it enabled, and then we do want to use the SNP policy, so we're going that from the dropdown. Go ahead and click add, and just like that, we've got the export policy.
09:49
Next, you know, again we're going with that user directory, so let's go ahead and add a quota policy. So we've got the department share quota, so we'll go and check that, click add. Um, you know, while we're at it, let's say we're gonna audit this as well, so we'll add the audit policy that we created, department share audit,
10:07
select that, click add. Um, and the other thing, you know, again, if you had snapshot policies already pre-created for just your regular kind of, you know, snapshot scheduling, like you could add that here as well. Just not gonna do that in this video, but just know that you could add snapshot policies as well. So with that all done.
10:24
We're good to go from like the FlashRay perspective. We've got the export policies for who can access it, and we've got a file system created. Now it just kind of turns into, let's say, general Windows file server administration. So let's go ahead and minimize our interface here, and let's go into computer management. And the first thing we're gonna do is let's go ahead and access it.
10:48
The remote computer. Now remember, or maybe you didn't see in the previous video, when we set up the Active Directory and DNS for the system, we called it FA file. So we're gonna connect to FA-dash-file. OK, we're connected to it. We're gonna go ahead and expand System Tools, go into Shared Folders, and then Shares.
11:09
Just like that, we see the department share. So I can right-click on it and do properties. Um, Share Permissions, everyone's got full control. What's the security? It says everyone and then administrators as well. So we've got the share there.
11:23
Let's kind of take this a little step further because we're on that export policy. I turned an access-based enumeration. So let's make sure that's actually working. So we're gonna do a little NTFS permissions here; might be a little rusty on it. These are by no means the optimal way. This is just enough to show you that it works, uh, your mileage may vary; do not treat this as the expert way.
11:43
Of creating file shares, just a little public service announcement there. So first thing I'll do, let's go ahead and edit this. I'll remove the Everyone. And then I'm just gonna add, let's say, domain users. Check the names here. That's that. We'll give them read and execute.
12:00
We'll say apply. OK, so we got that, but let's go ahead and create some actual, like, department shares under this folder. So I'm let's go ahead and browse to it. So we'll launch FA file, like department share. Sport, right? So we got, it's pretty much an empty folder.
12:20
So let's go ahead and create, we've got two teams, let's say, let's say we got the storage team. And let's say we've got the database team. Um, so we don't want either one of them to be busy peeking into each other's folders, right? We don't want them to know what other
12:40
business is going on. So let's go into the properties of the database team. Let's go into security. Uh, let's remove. Uh, oops, sorry, let's add, yeah, not an expert on this.
12:55
So let's add, uh, DB of the database team. And then click OK, click add. Uh, let's make sure that domain admins are in there as well. We, of course, get full control. But we want to remove the domain users, right, because everybody's gonna be a part of the
13:18
domain users here, so let's remove that. Sorry, let's go ahead and click OK. Let's go into advanced, disable inheritance. Sorry, it's been a minute, and then let's go ahead and remove. The domain users like, so click OK.
13:34
That looks good. DB admins. Let's give them full control. Domain admins' full control. Great, click OK, click OK. Let's go into the storage team and basically do the same thing for the storage folks.
13:46
Let's go to security. Let's go ahead and edit. A domain admins. Check the name. Let's go ahead, I guess I could do multiples at once. Let's add storage team, I think is what it's called.
14:05
Storage admins, go ahead and click that. OK, let's give them full control. Domain admins have full control. Let's go ahead and remove. Sorry, let's go ahead and remove. The main users.
14:31
Now let's remove, there we go, so click apply, click OK. OK, and we're good there, right? So what I'm gonna do is I'm gonna log into a another Windows desktop and I'm gonna log in. As a storage admin team member and then browse to that file share and make sure that they can see the storage folder but they can't see the database team folder.
14:52
So just to show that we've done that, I'm going to do command. You can see here the username is Sandy, um. Same, so you can see that Sandy T Lab, Sandy get it, Sandy anyways, so we're logged into Sandy. So when I browse for that file share, she should just see the storage team and not.
15:13
Um, database team, so let's browse a file. Mature export. And just like that, we can see that access-based enumeration is working. I see the storage team folder. I do not see the database team folder, and of course I can go in here and I can create a new text document. Just a title, right? So we can see that those permissions are working as expected.
15:39
But with that, that's just how quickly and easily you can set up an SMB share with FA file services. You can tweak those quotas, whether it be user quotas, uh, for capacity or, you know, you can create more refined export policies. To really lock things down. It all just depends on what you need in your environment, but as you can tell,
16:00
very simple to configure and set up. But that's it for this video. Be sure to check out more videos on Pure 360. Until the next time, I hope you have a great day.
