5.3 NSS Media Upgrade

This section provides the commands to upgrade the NSS pools to AD or Trustee Index media.

5.3.1 AD Media

All NSS32 pools must be upgraded to AD media in order to support AD users. NSS64 pools are upgraded to Trustee Index media (which includes AD media) by default. Use the nsscon commands in this section to upgrade existing NSS32 media to support AD users, or to have all future NSS32 pools created with AD user support automatically.

For the Existing NSS Pools

nss /PoolMediaUpgrade=poolname /MediaType=AD

Upgrades the specified NSS pool to support AD media.

NOTE: Media upgrading a shared NSS pool in a mixed-node cluster environment is not recommended. You can still force the upgrade using the /ForceMedia switch. After the forceful media upgrade, the pool will not load in nodes older than OES 2015.

The following commands can also be used to upgrade the existing NSS32 pool media to support AD users.

nss /ZLSSUpgradeCurrentPoolMediaFormatToAD=poolname

Upgrades the file system media format of a particular NSS32 pool to support AD users.

nss /ZLSSUpgradeCurrentPoolMediaFormatToAD=all /include=shared

Any NSS32 shared pools created after running this command will be AD media enabled.

nss /ZLSSUpgradeCurrentPoolMediaFormatToAD=all /include=local

Any NSS32 local pools created after running this command will be AD media enabled.

nss /ZLSSUpgradeCurrentPoolMediaFormatToAD=all

Any NSS32 pools (shared or local) created after running this command will be AD media enabled.

NOTE: Media upgrading a shared NSS32 pool in a mixed-node cluster environment is not recommended. You can still force the upgrade using the /ForceADMedia switch. After the forceful media upgrade, the pool will not load in nodes older than OES 2015. For more information, see Behavior of an NSS Pool Resource with Media Version 44.03 and Above in Mixed Node Cluster in the OES 2018 SP3: OES Cluster Services for Linux Administration Guide.

For the Newly Created NSS Pools

Commands placed in the nssstart.cfg file persist across server reboots. If NSS commands are added to the nssstart.cfg file, ensure that they are not prefixed with nss.

If these commands are issued from the command line, they persist only until the next server reboot.

nss /NewPoolMediaFormat=AD /include=all

Sets the file system media format of all the newly created pools (shared or local) to support AD media.

nss /NewPoolMediaFormat=AD /include=shared

Sets the file system media format of all the newly created shared pools to support AD media.

nss /NewPoolMediaFormat=AD /include=local

Sets the file system media format of all the newly created local pools to support AD media.

NOTE: Media upgrading a shared NSS pool in a mixed-node cluster environment is not recommended. You can still force the upgrade using the /ForceMedia switch. After the forceful media upgrade, the pool will not load in nodes older than OES 2015.

The following commands can also be used to have all future NSS32 pools created with AD user support automatically.

nss /ZLSSUpgradeNewPoolMediaFormatToAD=all

Upgrades the file system media format of all the newly created NSS32 pools (shared or local) to support AD users.

nss /ZLSSUpgradeNewPoolMediaFormatToAD=all /include=shared

Upgrades the file system media format of all the newly created NSS32 shared pools to support AD users.

nss /ZLSSUpgradeNewPoolMediaFormatToAD=all /include=local

Upgrades the file system media format of all the newly created NSS32 local pools to support AD users.

NOTE: Media upgrading a shared NSS32 pool in a mixed-node cluster environment is not recommended. You can still force the upgrade using the /ForceADMedia switch. After the forceful media upgrade, the pool will not load in nodes older than OES 2015. For more information, see Behavior of an NSS Pool Resource with Media Version 44.03 and Above in Mixed Node Cluster in the OES 2018 SP3: OES Cluster Services for Linux Administration Guide.

Media upgrading an NSS32 pool can also be done using NSSMU (Section 10.2, NSS Management Utility (NSSMU) Quick Reference) and iManager (Section 16.2, Creating a Pool).

Volume AD-enabling

Use the following commands to AD-enable volumes. AD users can access NSS resources, based on their access rights assignments, only after the volumes are AD-enabled. Before running these commands, ensure that the pools on which these volumes exist have been upgraded to NSS AD media.

nss /ADIdentities=volume_name

AD-enables the specified volume.

nss /ADIdentities=all

AD-enables all the volumes. The volumes whose pools are not AD media-upgraded are ignored.

nss /(No)EnableNewVolumeToAD

Enables or disables the automatic AD-enabling of new volumes.

Commands placed in the nssstart.cfg file persist across server reboots. If this NSS command is added to the nssstart.cfg file, ensure that it is not prefixed with nss.

If this command is issued from the command line, it persists only until the next server reboot.

Default: Off

Range: On or Off

Examples

To enable automatic AD-enabling of new volumes, enter:

nss /EnableNewVolumeToAD

To disable automatic AD-enabling of new volumes, enter:

nss /NoEnableNewVolumeToAD

AD-enabling of volumes can also be done using NSSMU (Section 10.2, NSS Management Utility (NSSMU) Quick Reference) and iManager (Section 19.1, Understanding Volume Properties).

5.3.2 Trustee Index Media

Storage Services (NSS) volumes use the Trustee Model to secure access to directories and files. The Trustee Model allows you to assign users as trustees of directories and files on NSS volumes. The model's inheritance function allows subdirectories and files to inherit rights from a parent directory, or masks the rights that should not be inherited. The Trustee Index tree stores the list of directories and files in the NSS volumes that have trustees and IRFs (Inherited Rights Filters). The ZIDs (inode numbers) in NSS consist of ACLs (with trustees and IRFs) that are stored in volumes in the Trustee Index tree. These ZIDs help you scan the trustee information for NURM, NFARM, and so on at any given path in an NSS volume. Therefore, NSS requires a media upgrade of the pool and volume to support Trustee Index. For more information on the Trustee Model, see Section 6.5.3, OES Trustee Model.

Use the nsscon commands in this section to upgrade existing NSS media to support Trustee Index, or to have all future NSS pools created with Trustee Index support automatically.

For the Existing NSS Pools

nss /PoolMediaUpgrade=poolname /MediaType=TrusteeIndex

Upgrades the specified pool to support Trustee Index media.

For the Newly Created NSS Pools

Commands placed in the nssstart.cfg file persist across server reboots. If NSS commands are added to the nssstart.cfg file, ensure that they are not prefixed with nss.

If these commands are issued from the command line, they persist only until the next server reboot.

nss /NewPoolMediaFormat=TrusteeIndex

Sets the file system media format of all the newly created pools (shared or local) to support Trustee Index media.

nss /NewPoolMediaFormat=TrusteeIndex /include=shared

Sets the file system media format of all the newly created shared pools to support Trustee Index media.

nss /NewPoolMediaFormat=TrusteeIndex /include=local

Sets the file system media format of all the newly created local pools to support Trustee Index media.

NOTE: Media upgrading a shared NSS pool in a mixed-node cluster environment is not recommended. You can still force the upgrade using the /ForceMedia switch. After the forceful media upgrade, the pool will not load in nodes older than OES 2015 SP1.

5.3.3 AES Media

To create encrypted volumes with the AES-256 encryption algorithm, use the NSS64 pool type with the pool media upgraded to AES. The AES-256 encryption algorithm has a longer key size and provides additional security compared to AES-128. Use the nsscon commands in this section to upgrade existing NSS media to support AES, or to have all future NSS pools created with the AES Index support automatically.

For the Existing NSS Pools

nss /PoolMediaUpgrade=poolname /MediaType=AES

Upgrades the specified pool to support AES media.

For the Newly Created NSS Pools

Commands placed in the nssstart.cfg file persist across server reboots. If NSS commands are added to the nssstart.cfg file, ensure that they are not prefixed with nss.

If these commands are issued from the command line, they persist only until the next server reboot.

nss /NewPoolMediaFormat=AES

Sets the file system media format of all the newly created pools (shared or local) to support AES media.

nss /NewPoolMediaFormat=AES /include=shared

Sets the file system media format of all the newly created shared pools to support AES media.

nss /NewPoolMediaFormat=AES /include=local

Sets the file system media format of all the newly created local pools to support AES media.

NOTE: Media upgrading a shared NSS pool in a mixed-node cluster environment is not recommended. You can still force the upgrade using the /ForceMedia switch. After the forceful media upgrade, the pool will not load in nodes older than OES 2018 SP2.
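
The nssstart.cfg rules stated in the "For the Newly Created NSS Pools" subsections and under /(No)EnableNewVolumeToAD, together with the force-switch notes, can be checked mechanically. The following shell linter is an added example, not OES or NSS code; the function name lint_nssstart, the finding labels and the sample file contents are assumptions, and the file path is supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: lint an nssstart.cfg-style file against the rules on this page.
# The caller supplies the file path; no default location is assumed.
lint_nssstart() {
    local cfg=$1 n=0 findings=0 auto_ad=0 ad_pools=0 line lc
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
        [ -z "$line" ] && continue
        # Lowercased copy, so differently cased spellings are still caught.
        lc=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
        case $lc in
            nss[[:space:]]*)   # page rule: no "nss" prefix inside nssstart.cfg
                echo "line $n: PREFIX: drop the leading 'nss': $line"
                findings=$((findings + 1)) ;;
        esac
        case $lc in
            */forcemedia*|*/forceadmedia*)   # pool stops loading on older nodes
                echo "line $n: FORCE: forced media upgrade: $line"
                findings=$((findings + 1)) ;;
        esac
        case $lc in
            */newpoolmediaformat=ad*|*/newpoolmediaformat=trusteeindex*) ad_pools=1 ;;
            */zlssupgradenewpoolmediaformattoad=*) ad_pools=1 ;;
        esac
        case $lc in
            */noenablenewvolumetoad*) auto_ad=0 ;;
            */enablenewvolumetoad*)   auto_ad=1 ;;
        esac
    done < "$cfg"
    # Advisory: the page requires AD-upgraded pool media before AD-enabling volumes.
    if [ "$auto_ad" -eq 1 ] && [ "$ad_pools" -eq 0 ]; then
        echo "file: ORDER: /EnableNewVolumeToAD set, but no new-pool AD or TrusteeIndex media format"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]   # exit status 0 only when the file is clean
}

# Constructed sample input (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
nss /NewPoolMediaFormat=AES /include=local
/EnableNewVolumeToAD
/NewPoolMediaFormat=TrusteeIndex /include=shared /ForceMedia
EOF
lint_nssstart "$sample" || echo "nssstart.cfg needs review"
rm -f "$sample"
```

The ORDER finding is advisory only: NSS64 pools already carry Trustee Index media by default, so it matters for servers that still create NSS32 pools.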