这几天有两个客户问到这个问题,以前没有仔细想过,天然认为和7-mode应该一样,但仔细琢磨下肯定不同,很明显,7-mode的两个控制器的admin或者root密码是独立的,两个控制器可以是不同的密码。但c-mode下,admin的密码只有一个,一套cluster的admin密码是一样的,如果按照老的方法修改一个控制器的密码,另外一个怎么同步过去呢?
含糊的时候,就上手,直接上机实战下,就知道了。下面是我们对一套2节点的FAS2750 admin密码重置过程,供大家参考。
开始之前,有几个前提条件,满足这个再往下继续呀
等几分钟,HA就会takeover这个突然丢失的控制器
FAS2750::> May 31 14:25:45 [FAS2750-02:vifmgr.clus.linkdown:EMERGENCY]: The cluster port e0a on node FAS2750-02 has gone down unexpectedly.
May 31 14:25:45 [FAS2750-02:vifmgr.clus.linkdown:EMERGENCY]: The cluster port e0b on node FAS2750-02 has gone down unexpectedly.
May 31 14:25:46 [FAS2750-02:callhome.clam.node.ooq:EMERGENCY]: Call home for NODE(S) OUT OF CLUSTER QUORUM.
May 31 14:25:46 [FAS2750-02:clam.node.ooq:EMERGENCY]: Node (name=FAS2750-01, ID=1000) is out of "CLAM quorum" (reason=seen by HA partner).
May 31 14:26:00 [FAS2750-02:monitor.globalStatus.critical:EMERGENCY]: This node has taken over FAS2750-01. There are not enough spare disks.
3. 将好的控制器,就是有串口连接的控制器也做power cycle的动作,可以通过关闭chassis的PSU或者插拔控制器来完成。
插拔后,这个控制器会启动,然后ctrl+C到boot menu
*******************************
* *
* Press Ctrl-C for Boot Menu. *
* *
*******************************
cryptomod_fips: Executing Crypto FIPS Self Tests.
cryptomod_fips: Crypto FIPS self-test: 'CPU COMPATIBILITY' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 ECB, AES-256 ECB' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 CBC, AES-256 CBC' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 GCM, AES-256 GCM' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 CCM' passed.
cryptomod_fips: Crypto FIPS self-test: 'CTR_DRBG' passed.
cryptomod_fips: Crypto FIPS self-test: 'KDF' passed.
cryptomod_fips: Crypto FIPS self-test: 'SHA1, SHA256, SHA512' passed.
cryptomod_fips: Crypto FIPS self-test: 'HMAC-SHA1, HMAC-SHA256, HMAC-SHA512' passed.
cryptomod_fips: Crypto FIPS self-test: 'PBKDF2' passed.
cryptomod_fips: Crypto FIPS self-test: 'Self-integrity' passed.
^CFri May 31 14:29:55 2024 sp_get_oem_nv2f_event:Response (6 bytes) evt 3 timestamp 0x0
Fri May 31 14:29:55 2024 sp_clear_oem_nv2f_event:cleared
Fri May 31 14:29:55 2024 [nv2flash.restage.progress:NOTICE]: ReStage is going to restore non-volatile data from flash in approximately 21 seconds.
....^C.................
Fri May 31 14:30:08 2024 Going to clear pending data on mSata
Fri May 31 14:30:08 2024 [nv2flash.copy2NVMEM.succeed:INFO]:Copying nonvolatile data from the flash device to NVMEM succeeded in 13 seconds.
Boot Menu will be available.
Attempting to use existing varfs on /dev/nvrd1
dd: /mroot/etc/entropy-file: Read-only file system
SUCCESS
FWU 1st trigger point
FWU has no post firmware update action registered.
May 31 14:30:52 Power outage protection flash de-staging: 50 cycles
Please choose one of the following:
(1) Normal Boot.
(2) Boot without /etc/rc.
(3) Change password.
(4) Clean configuration and initialize all disks.
(5) Maintenance mode boot.
(6) Update flash from backup config.
(7) Install new software first.
(8) Reboot node.
(9) Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)?
4. 选择 change password,就是3
Selection (1-11)? 3
Pensando Offload Driver, ver 1.4.0-E-78
Pensando Ethernet NIC Driver, ver: 1.4.0-E-96
ionic_rdma ver 1.4.0-E-96 : Pensando RoCE HCA driver
***** ZTL loaded***OS2SP configured successfully***May 31 14:32:11 [FAS2750-02:cf.ic.sbb:notice]: HA interconnect: SBB Compatibility Event. No compatible partner node found. The interconnect device has been disabled.
May 31 14:32:18 [FAS2750-02:discover.6500.unsupported:notice]: FC-to-SAS bridge ATTO 6500N discovery is disabled.
May 31 14:32:18 [FAS2750-02:fal_nvme.partition.status:notice]: Partition 0-1 with capacity 894 GiB status: online.
sysctl_warn_reuse: can't re-use a leaf (sysvar.DETAIL_mask)!
pnso provider init started.
Notice : pnso card not detected.
hwo: Node is using hardware provider : 1.
cryptomod_fips: Executing Crypto FIPS Self Tests.
cryptomod_fips: Crypto FIPS self-test: 'CPU COMPATIBILITY' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 ECB, AES-256 ECB' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 CBC, AES-256 CBC' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 GCM, AES-256 GCM' passed.
cryptomod_fips: Crypto FIPS self-test: 'AES-128 CCM' passed.
cryptomod_fips: Crypto FIPS self-test: 'CTR_DRBG' passed.
cryptomod_fips: Crypto FIPS self-test: 'KDF' passed.
cryptomod_fips: Crypto FIPS self-test: 'SHA1, SHA256, SHA512' passed.
cryptomod_fips: Crypto FIPS self-test: 'HMAC-SHA1, HMAC-SHA256, HMAC-SHA512' passed.
cryptomod_fips: Crypto FIPS self-test: 'PBKDF2' passed.
cryptomod_fips: Crypto FIPS self-test: 'Self-integrity' passed.
May 31 14:32:24 [FAS2750-02:raid.autoPart.disabled:ALERT]: Disk auto-partitioning is disabled on this system: the system needs a minimum of 8 SSDs.
May 31 14:32:24 [FAS2750-02:callhome.raid.adp.disabled:notice]: Disk auto-partitioning is disabled on this system: ADP DISABLED.
May 31 14:32:25 [FAS2750-02:fmmb.disk.notAccsble:notice]: All Partner mailbox disks are inaccessible.
Enter the username that the password will be changed for:
Enter the username that the password will be changed for: admin
Enter a new password:
Enter it again:
Please choose one of the following:
(1) Normal Boot.
(2) Boot without /etc/rc.
(3) Change password.
(4) Clean configuration and initialize owned disks (3 disks are owned by this filer).
(5) Maintenance mode boot.
(6) Update flash from backup config.
(7) Install new software first.
(8) Reboot node.
(9) Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)?
5. 选择1,正常启动
6. 启动以后,使用新的密码登录
7. 将另外一个控制器加电,机器启动,到waiting for giveback
8. 到正常的控制器做 storage failover giveback 的命令,控制器启动
- • ONTAP 9
- • Data ONTAP 8.3
- • Two-node cluster
- • No other Account with Admin privileges exist 没有其他用户拥有admin的权限
- • 必须要有串口线
- • 需要有宕机窗口,是宕机窗口呀,两个控制器都要down的时间窗口
- 如果客户还创建了其他具有admin权限的用户,其实就可以用这个用来来命令行重置admin的密码了。
- 下面开始重置密码的保姆级过程,如果还有问题,可以添加vx,账号 StorageExpert
- 1. 连接串口到一个控制器
- 2. 把一个node 断电,这可以通过把chassis的电源拔掉或者把控制器抽出来的方法
148
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
