Filer Configuration

The plugins from check_netapp_pro connect to the NetApp devices with a user and password to retrieve the status and performance data. Here we explain how to create this user on a NetApp device.

Keep the user's name short (no longer than 15 characters) to avoid problems with third-party tools (e.g. Windows domain user, LDAP).

To make your life easy, avoid shell-active characters such as backslash or exclamation mark in the password. E.g. jGyi8CHP_83d will cause you fewer headaches than 0815!nagios\123.

NetApp Filer (Cluster-Mode)

To get a monitoring user on cdot, you can ask your NetApp partner how to create a read-only user with sufficient but not excessive privileges, refer to your product documentation, or use the following typescript to create it.

Typescript Monitoring User for cdot

Create a role first and then a user. The creation of the role differs between Ontap-versions.

Create role for filer with RESTful API (Ontap >= 9.6)

The following rest-role is an exact copy of the built-in readonly role with one additional api-path for the Certificate check.

sim97::security login rest-role> create -role monitoring -vserver sim97 -api /api -access readonly
sim97::security login rest-role> create -role monitoring -vserver sim97 -api /api/security -access none
sim97::security login rest-role> create -role monitoring -vserver sim97 -api /api/security/audit/destinations -access readonly
sim97::security login rest-role> create -role monitoring -vserver sim97 -api /api/security/authentication/password -access all
sim97::security login rest-role> create -role monitoring -vserver sim97 -api /api/security/certificates -access readonly

Check Result

sim97::security login rest-role> show monitoring                                                                        
               Role                                    Access
Vserver        Name            API                     Level
----------     -------------   -------------------     ------
sim97          monitoring      /api                    readonly
                               /api/security           none
5 entries were displayed.
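
The Check Result step can be automated so that later changes to the role are noticed. The following is an added example, not part of check_netapp_pro: it parses `show monitoring` output and compares it with the five create commands above. The sample output is constructed, and the parser assumes each API path and its access level stay on one line.

```python
import re

# Policy from the five `rest-role create` commands shown above.
EXPECTED = {
    "/api": "readonly",
    "/api/security": "none",
    "/api/security/audit/destinations": "readonly",
    "/api/security/authentication/password": "all",
    "/api/security/certificates": "readonly",
}

# Constructed sample output: same layout as the excerpt above, but
# /api/security has drifted to readonly and the certificates path is gone.
SAMPLE = """\
sim97::security login rest-role> show monitoring
               Role                                    Access
Vserver        Name            API                     Level
----------     -------------   -------------------     ------
sim97          monitoring      /api                    readonly
                               /api/security           readonly
                               /api/security/audit/destinations readonly
                               /api/security/authentication/password all
4 entries were displayed.
"""

def parse_rest_role(text):
    """Return {api_path: access_level} from `rest-role show <role>` output."""
    entries, in_table = {}, False
    for line in text.splitlines():
        if re.match(r"^-+(\s+-+)+\s*$", line):  # separator row starts the table
            in_table = True
            continue
        fields = line.split()
        # Assumption: path and access level are the last two columns of a row.
        if in_table and len(fields) >= 2 and fields[-2].startswith("/"):
            entries[fields[-2]] = fields[-1]
    return entries

def audit(entries, expected=EXPECTED):
    """List every deviation from the expected least-privilege policy."""
    findings = []
    for api, level in sorted(entries.items()):
        want = expected.get(api)
        if want is None:
            findings.append("unexpected path %s (%s)" % (api, level))
        elif level != want:
            findings.append("%s is %s, expected %s" % (api, level, want))
    return findings + ["missing path %s" % a for a in sorted(set(expected) - set(entries))]

if __name__ == "__main__":
    for finding in audit(parse_rest_role(SAMPLE)):
        print("DRIFT:", finding)
```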

Create role for legacy, ZAPI-only filer (Ontap <= 9.5)

On older ZAPI-only filers create a role (instead of a rest-role):

sim::security login role> create -role monitoring -cmddirname DEFAULT -access readonly
sim::security login role> create -role monitoring -cmddirname security -access none

Check Result

sim::security login role> show monitoring
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
sim        monitoring    DEFAULT                                       readonly
                         security                                      none
2 entries were displayed.

Create user

The creation-process of the user is the same for all Ontap cdot-versions we are aware of.

sim97::security login> create monitoring -role monitoring -comment "system-monitoring user, readonly" -application ontapi -authentication-method password 
sim97::security login> create monitoring -role monitoring -application http -authentication-method password 

Check Result

sim97::security login> show monitoring                                                                      
Vserver: sim97
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
monitoring     http        password      monitoring       no     none
monitoring     ontapi      password      monitoring       no     none
2 entries were displayed.

The creation of the -application http user is not strictly required on non-RESTful filers.

NetApp Filer (7-Mode)

  1. Define a user for monitoring on each 7-Mode filer.

  2. Assign the required capabilities to that user. You may want to use the typescript below. The user name nagios is a nice tradition, but any other name is fine too.

Required Capabilities

The minimum capabilities for the monitoring user (‘nagios’) are listed in the typescript below. For obvious security-reasons (user and password are stored in plain-text on the monitoring-system) the monitoring-user (‘nagios’) should not have more capabilities than required.

Type Script

We used the following commands to add the required user to the filer:

> useradmin role add monitoring -c 'for system-monitoring' -a login-http-admin,api-perf-object-counter-list-info,api-perf-object-get-*,api-system-get-*,api-snapshot-list-info,api-aggr-list-info,api-vfiler-get-status,api-aggr-scrub-list-info,api-disk-list-info,api-net-ifconfig-get,api-net-config-get-active,api-lun-list-info,api-storage-shelf-bay-list-info,api-storage-shelf-environment-list-info,api-,api-snapmirror-get-status,api-snapshot-list-info,api-volume-list-info

> useradmin group add monitoring -c 'for system-monitoring' -r monitoring

> useradmin user add nagios -c 'system-monitoring user' -g monitoring

If you would like to update the capabilities for an existing role:

useradmin role modify monitoring -a <complete list of capabilities>

You cannot add a single capability to the existing ones.
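
Because `useradmin role modify` takes the complete list, a small helper can rebuild that list and show which entries go beyond the minimum set before the command is run. This is an added example, not part of check_netapp_pro; `api-example-list-info` is a hypothetical capability name, and treating an entry that ends in `-` as malformed is an assumption.

```python
from fnmatch import fnmatchcase

# Capability list from the `useradmin role add` command above, without the
# bare "api-" entry and with the repeated api-snapshot-list-info listed once.
REQUIRED = [
    "login-http-admin", "api-perf-object-counter-list-info",
    "api-perf-object-get-*", "api-system-get-*", "api-snapshot-list-info",
    "api-aggr-list-info", "api-vfiler-get-status", "api-aggr-scrub-list-info",
    "api-disk-list-info", "api-net-ifconfig-get", "api-net-config-get-active",
    "api-lun-list-info", "api-storage-shelf-bay-list-info",
    "api-storage-shelf-environment-list-info", "api-snapmirror-get-status",
    "api-volume-list-info",
]

def merge_capabilities(current, additions):
    """Complete, de-duplicated list for `useradmin role modify -a`."""
    merged = []
    for cap in [c.strip() for c in list(current) + list(additions)]:
        # Assumption: an empty entry or one ending in "-" is a truncated name.
        if not cap or cap.endswith("-") or any(ch.isspace() for ch in cap):
            raise ValueError("malformed capability: %r" % cap)
        if cap not in merged:
            merged.append(cap)
    return merged

def excess(capabilities, baseline=REQUIRED):
    """Capabilities that no baseline entry (exact or wildcard) covers."""
    return [c for c in capabilities
            if not any(fnmatchcase(c, b) for b in baseline)]

def modify_command(role, capabilities):
    """Render the command line; the full list is always passed."""
    return "useradmin role modify %s -a %s" % (role, ",".join(capabilities))

if __name__ == "__main__":
    # "api-example-list-info" is a hypothetical capability name.
    caps = merge_capabilities(REQUIRED, ["api-example-list-info", "api-disk-list-info"])
    print("review before applying:", excess(caps))
    print(modify_command("monitoring", caps))
```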