If the disks on the shelf or shelves have mailbox disks, right after you remove ownership from the disks (even though all zeroed spares), the node will crash. The ha-partner will not be able to takeover. Then the ha partner will also crash with an inconsistent mailbox. We had both nodes drop after removing ownership from a shelf that was being removed. It is an easy fix to get to maintenance mode and mailbox destroy local, but add that to your run book for hot shelf removal. We didn’t have any data on the ha-pair for the maintenance (the great thing about cDOT which averted any outage even during this maintenance). We recovered after reassigning the disks and deleting the mailbox (had to do that twice) then both nodes came back up after coredump and mailbox was recreated and storage failover was able to enable again.
::> set adv ::*> stor failover mailbox-disk show
One other note on the move mroot procedure https://kb.netapp.com/support/index?page=content&id=3013873&locale=en_US The article now lists to turn on nvfail (submitted that update a while ago), but some systems also had create_ucode enabled on vol0, so I check “vol options vol0” prior to move, then match the settings after the move in addition to nvfail. Also, if you have cdpd.enable on and ip.fastpath.enable off, both of those need to be reset since mroot move sets them back to cdpd off and fastpath on defaults (8.3P1).
Yes, but they are not actively used. And if one fails or is removed, the system should automatically elect another one as replacement (otherwise every failed mailbox disk would crash the filer in the same way) so if you give the system enough time between the "remove ownership" commands it should work without causing a panic
I need to test this on a cDOT system with storage failover modify -enable false... This is one of the big differences in cDOT and 7-Mode... I did a 7-Mode test moving the root volume. Immediately after marking the new volume as root with vol options volname root, the mailbox disks move automatically to the new disks. In cDOT we only mark the new volume as root in maintenance mode which does not do this...then rebuild mroot instead of copying (ndmpcopy, vol copy, snapmirror, etc.) old root to new root in 7-Mode. If cDOT handled the mailbox move with the mark of root in maintenance mode we would be all good here. The case I ran into is when you move mroot from the old disks to new disks...not so much of an edge case since that is a typical use case before hot removing drives.
Tue May 22 22:15:30 GMT [node1: fmmb.lock.disk.remove:info]: Disk 0c.00.0 removed from local mailbox set. Tue May 22 22:15:30 GMT [node1: fmmb.lock.disk.remove:info]: Disk 0c.00.1 removed from local mailbox set. Tue May 22 22:15:30 GMT [node1: fmmb.current.lock.disk:info]: Disk 0c.00.7 is a local HA mailbox disk.
Don't have a system I can test on... with the procedure of disk remove_ownership with the ha failover disabled... It could crash the system again. I do know that a maintenance mode boot while taken over then mailbox destroy local, then disk remove_ownership does work with no issue though but would be nice to do online without taking the node to option 5...I just don't trust it removing the disk ownership with a mailbox even if it does work. Takeover then maintenance mode is extra work but safe.
I found a 2240 I'm zeroing now...should be able to get back to it by tomorrow to do a test... move mroot to another aggr, stor fail modify -enable false, then remove mailbox disks one at a time and see what happens.
8.3P1 also worked. The mailbox disks automatically moved to the new mroot aggregate. Again the only difference is a root partition. I will chalk this up to an anomaly... NetApp support has the logs and ASUPs that went out when we ran into this and should be able to see it all (RSA also enabled with updates). But I will always check mailbox location before every removing disk ownership... although cDOT did save the day since we were able to do this with no data on the HA-pair...
I ran into this exact problem last week! I have a loop of FC shelves that I am replacing with a SAS stack. I had to do the NDO procedure to move the node root aggr off of the FC disks. That worked like a charm but apparently the mailbox disks didn't get moved along with the root aggr/vol. As soon as I tried to unown the now "unused" FC disks the node paniced and went down. The partner node stayed up though. I was able to boot into maintenance mode and do the 'mailbox destroy local' command to get them to rebuild on the SAS drives. The node came back up but I'm not convinced it is 100% kosher yet. I have a feeling I'm looking at another planned outage window to take both nodes down and rebuild the mailboxes on both sides.
I've done a bunch of hot-shelf removals but never encountered this. This is the first time I've had to move the node root aggr though and you can be sure I'll be checking mailbox disk location form now on!
Support has the log files and is looking why it didn't move... in every other case it seems to move but we think it may be a lock on the mailbox that doesn't happen often... if we add a check of mailbox to the procedure then we can see if on the old disks... do a takeover... then when the partner is down, destroy local and boot...then giveback. Should be all NDU 🙂 Just a check needed to make sure... or fix the bug where it doesn't move or give us the ability to move mailboxes hot...lots of ways to go but my advice is check mailbox location then remediate ndu if needed. Could be worse but what we don't know can cause a panic.