Tasks | Until the fix is added into the NetWitness product by default, follow the steps below:
Installing new RPM packages
- To extract and install the rsa-sa-tools-11.2.0.0-Powervault.zip file attached to this article, execute the following commands:
# unzip rsa-sa-tools-11.2.0.0-Powervault.zip -d /tmp
# cd /tmp
# yum update ./rsa-sa-tools-11.2.0.0-1808301802.5.941817f.noarch.rpm
- To extract and install the perccli_7.1-007.0127_linux.tar.gz file attached to this article, execute the following commands:
# gunzip perccli_7.1-007.0127_linux.tar.gz
# tar -xvf perccli_7.1-007.0127_linux.tar
# rpm -Uvh perccli_7.1-007.0127.noarch.rpm
|
Resolution | Before running the NwArrayConfig script again, the PowerVault storage must be manually broken down so that the new script can run correctly. Review the section below that corresponds to the appliance type that needs to be reset. If there are any concerns about proceeding with resetting the storage, stop and contact RSA NetWitness Support for further assistance.
Once the appliance storage has been reset, follow the original hardware setup guide for setting up PowerVault storage. You should now receive a prompt for encrypting the drives during setup.
Resetting a Decoder Appliance
The following procedure resets a decoder appliance back to its pre-PowerVault configuration state. It does not reset any NetWitness/Security Analytics configuration files. The instructions below are for a Network Decoder. For a Log Decoder, replace any reference to decoder with logdecoder.
- SSH into the appliance with the broken PowerVault setup.
- If sosreport was run on the appliance before the PowerVault configuration began, retrieve the lvscan, vgscan and pvscan files from the tar.gz that was created. Compare these files to the results from the next steps. Examining the results should make it clear where the script stopped. Skip ahead to the step where the output files and the command output do not match.
- Run lvscan and find any devices that contain decoder or decodersmall.
# lvscan
Example output:
ACTIVE '/dev/decodersmall/decoroot' [30.00 GiB] inherit
ACTIVE '/dev/decodersmall/decoinde' [10.00 GiB] inherit
ACTIVE '/dev/decodersmall/decosess' [250.00 GiB] inherit
ACTIVE '/dev/decodersmall/decometa' [3.35 TiB] inherit
ACTIVE '/dev/decoder/decopack' [12.73 TiB] inherit
- Run lvremove against all logical volumes that were discovered in the previous step.
If an error about the logical volume being busy appears this means the logical volume is mounted by the OS. Use umount <device> to disconnect it.
# lvremove /dev/decodersmall/decometa
# lvremove /dev/decodersmall/decoroot
# lvremove /dev/decodersmall/decoinde
# lvremove /dev/decodersmall/decosess
# lvremove /dev/decoder/decopack
- Run vgscan and find any groups that contain decoder or decodersmall.
# vgscan
Example output:
Found volume group "decodersmall" using metadata type lvm2
Found volume group "decoder" using metadata type lvm2
- Run vgremove against all volume groups that were discovered in the previous step.
# vgremove decodersmall
# vgremove decoder
- Run pvscan and find any physical volumes that have no VG names associated.
# pvscan
Example output:
PV /dev/sdb VG lvm2 [3.64 TB / 0 free]
PV /dev/sda VG lvm2 [12.73 TB / 0 free]
Total: 3 [12.42 TB] / in use: 3 [12.42 TB] / in no VG: 0 [0 ]
- Run pvremove against all physical volumes that were discovered in the previous step.
# pvremove /dev/sdb
# pvremove /dev/sda
- Run the nwraidutil.pl script and review its output to determine which virtual drives need to be destroyed. Use the enclosure number under the physical section to find the virtual drives associated with the enclosures. Use the following as an example:
Notes:
- Adapter 0: This shows the adapter that contains the virtual disks underneath it.
- Virtual Disk 0: This is the first virtual disk on Adapter 0.
- Virtual Disk 1: This is the second virtual disk on Adapter 0.
- Enclosure 8: This is the physical enclosure number that can be found under the physical layout section.
- Using the information retrieved from the previous step, run the following PercCli command to break the virtual drives.
# /opt/MegaRAID/Perc/percli64 /cx/vx del force
Notes:
- There is no space between the /cx and /vx options
- Change the x in /cx to the Adapter number, which for our example is 0
- Change the x in /vx to the Virtual Disk number, which for our example is either 0 or 1. If you want to remove all virtual disks on the adapter use /vall
Example output:
# /opt/MegaRAID/Perc/percli64 /c0/vall del force
- Once the virtual drives are destroyed, the appliance is back to its default, out-of-the-box configuration.
Resetting a Concentrator Appliance
The following procedure resets a concentrator appliance back to its pre-PowerVault state. It does not reset any NetWitness/Security Analytics configuration files. These steps may vary slightly due to different versions of the creation scripts.
- SSH into the appliance with the broken PowerVault setup.
- If sosreport was run on the appliance before the PowerVault configuration began, retrieve the lvscan, vgscan and pvscan files from the tar.gz that was created. Compare these files to the results from the next steps. Examining the results should make it clear where the script stopped. Skip ahead to the step where the output files and the command output do not match.
- Run lvscan and find any devices that contain concentrator or index.
- Run lvremove against all logical volumes that were discovered in the previous step.
# lvremove /dev/concentrator/metadb
# lvremove /dev/index/index
# lvremove /dev/concentrator/sessiondb
# lvremove /dev/concentrator/root
If an error about the logical volume being busy appears this means the logical volume is mounted by the OS. Use umount <device> to disconnect it.
- Run vgscan and find any groups that contain concentrator or index.
# vgscan
Example output:
Found volume group "index" using metadata type lvm2
Found volume group "concentrator" using metadata type lvm2
- Run vgremove against all volume groups that were discovered in the previous step.
# vgremove concentrator
# vgremove index
- Run pvscan and find any physical volumes that have no VG names associated.
# pvscan
Example output:
PV /dev/sdc VG lvm2 [1.36 TB /0 free]
PV /dev/sdd VG lvm2 [10.91 TB /0 free]
- Run pvremove against all physical volumes that were discovered in the previous step.
# pvremove /dev/sdc
# pvremove /dev/sdd
- Run the nwraidutil.pl script and review its output to determine which virtual drives need to be destroyed. Use the enclosure number under the physical section to find the virtual drives associated with the enclosures. Use the following as an example.
- Adapter 0: This shows the adapter that contains the virtual disks underneath it.
- Virtual Disk 0: This is the first virtual disk on Adapter 0.
- Virtual Disk 1: This is the second virtual disk on Adapter 0.
- Enclosure 8: This is the physical enclosure number that can be found under the physical layout section.
- Using the information retrieved from the previous step, run the following PercCli command to break the virtual drives.
# /opt/MegaRAID/Perc/percli64 /cx/vx del force
- There is no space between the /cx and /vx options
- Change the x in /cx to the Adapter number, which for our example is 0
- Change the x in /vx to the Virtual Disk number, which for our example is either 0 or 1. If you want to remove all virtual disks on the adapter use /vall
Example output:
# /opt/MegaRAID/Perc/percli64 /c0/vall del force
- Once the virtual drives are destroyed, the appliance is back to its default, out-of-the-box configuration.
|
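The sosreport comparison and the lvremove/vgremove steps of both reset procedures can be rehearsed as a dry run before anything is deleted. The script below is an added example, not part of the original article or of RSA's tooling: it diffs a saved lvscan file against current lvscan output and prints, without executing, the umount, lvremove and vgremove commands for the volumes that were added. The file names, the VolGroup00 volume and the mount entry are constructed sample data.

```shell
#!/bin/sh
# Dry-run planner: prints the teardown commands in order, executes nothing.

# Extract LV device paths from lvscan output on stdin.
lv_paths() {
    awk -F"'" '/ACTIVE|inactive/ { print $2 }'
}

# new_lvs BASELINE CURRENT: LV paths in the CURRENT lvscan file that are
# absent from the BASELINE lvscan file saved by sosreport.
new_lvs() {
    base_sorted=$(mktemp)
    lv_paths < "$1" | LC_ALL=C sort > "$base_sorted"
    lv_paths < "$2" | LC_ALL=C sort | LC_ALL=C comm -13 "$base_sorted" -
    rm -f "$base_sorted"
}

# plan_teardown MOUNTS: for LV paths on stdin, print umount where the LV is
# listed in MOUNTS (/proc/mounts format), lvremove per LV, then vgremove per VG.
# Assumption: VG/LV names contain no hyphens (device-mapper doubles them).
plan_teardown() {
    awk -v mounts="$1" '
        BEGIN { while ((getline line < mounts) > 0) { split(line, f, " "); mounted[f[1]] = 1 } }
        {
            split($0, p, "/")                       # /dev/<vg>/<lv>
            mapper = "/dev/mapper/" p[3] "-" p[4]
            if (($0 in mounted) || (mapper in mounted)) print "umount " $0
            print "lvremove " $0
            if (!(p[3] in seen)) { seen[p[3]] = 1; vgs[++n] = p[3] }
        }
        END { for (i = 1; i <= n; i++) print "vgremove " vgs[i] }'
}

# Constructed sample data, modelled on the decoder example output above.
demo() {
    d=$(mktemp -d)
    printf "  ACTIVE   '/dev/VolGroup00/root' [30.00 GiB] inherit\n" > "$d/lvscan.sos"
    { cat "$d/lvscan.sos"
      printf "  ACTIVE   '/dev/decodersmall/decoroot' [30.00 GiB] inherit\n"
      printf "  ACTIVE   '/dev/decodersmall/decometa' [3.35 TiB] inherit\n"
      printf "  ACTIVE   '/dev/decoder/decopack' [12.73 TiB] inherit\n"
    } > "$d/lvscan.now"
    printf '/dev/mapper/decodersmall-decoroot /mnt/example xfs rw 0 0\n' > "$d/mounts"
    new_lvs "$d/lvscan.sos" "$d/lvscan.now" | plan_teardown "$d/mounts"
    rm -rf "$d"
}

demo
```

On an appliance, pass the lvscan file from the sosreport archive, a file holding current lvscan output, and /proc/mounts, then review the printed commands before typing any of them.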