Choice With Nutanix, Agility with Docker EE, Security with Both and all thanks to the French!

If I borrowed the great detective skills of CNN and Fox News, it would be easy to conclude that containers were invented by the French. I can come to this conclusion because my coworker and fellow booth babe in crime Christophe Jauffret is French, and so is Solomon Hykes. While I didn’t see Solomon at DockerCon 2018, Christophe built a great little demo using Nutanix Calm with Docker EE, which fit the conference’s main theme: choice, agility, security.
While I’m not totally delusional and I know Docker wasn’t talking directly about Nutanix, the two companies do share the same thoughts on the theme they selected.

Choice: Docker EE is not tied to a single OS or VM model. Docker also supports the leading cloud-hosted Kubernetes services. Nutanix supports multiple hypervisors for on-prem, which shines in the infrastructure-as-a-service arena, and you can also use Nutanix Calm to deploy to GCP or AWS using a common blueprint.

Agility: Docker EE has ROI and infrastructure savings that were proven when McKesson got on stage. Docker EE accelerates onboarding with a uniform operating model across clouds and helps automate application life-cycle policies. Nutanix allows you to focus on the application while we take care of the infrastructure stack. With Nutanix Calm you can use blueprints from the marketplace or share them with the community.

Security: Nutanix takes security very seriously. Nutanix has automated Security Technical Implementation Guides (STIGs) that keep your system in a hardened state. Not only can these STIGs run automatically hourly, daily, or weekly, they are tested across the whole stack so nothing breaks, which takes Nutanix customers out of the guessing game and away from pages of Excel spreadsheets listing changes to make. Docker, with its trusted registry, provides image scanning and integrated security policies across clouds. Together, Nutanix and Docker can secure your entire build pipeline.

With all that being said let’s get to the cool part, the demo.

Christophe has built a blueprint in Calm to deploy one master node and two worker nodes. This could be easily changed to three master nodes and he also shows auto scaling the worker nodes. When you watch the demo you are able to see all of the steps that are happening, you can check the logs for any errors that happened, you can add variables for versions, protect passwords and add steps for full life-cycle management.

In the demo he is also using Nutanix AFS, which provides SMB and NFS storage. He has set up a storage class so that persistent volume claims can be used. Since AFS can have multiple NAS heads, you can have great performance for building environments when using our Shared export type. The Shared export type allows all top-level directories in the root of the export to land on different NAS heads. While it is not shown in the demo, Nutanix can provide block support as well and has AHV Turbo for great performance.

Nutanix Calm Blueprint

The biggest announcement at DockerCon was the ability for Docker EE to support federated management across hybrid and multi-cloud infrastructure. Nutanix can help deploy EE on-prem or to GCP and/or AWS in the cloud. If you want to run containers on AKS or EKS, you can do that too. Wherever you need your application to run with the proper security controls in place, it’s possible without being locked in.

If you want to get started today, you can download Nutanix Community Edition and give it a shot. Nutanix Calm licenses are included, security is on by default, and AHV is integrated for a seamless experience.

Happy Computing!


Nutanix NAS AFS 3.0.1 Released with Support for Active/Active with Peer Software

If you’re the type of person that needs to wait for the dot release after the GA, this is for you! At GA of AFS 3.0, Nutanix released file auditing APIs for AFS to be used by third-party vendors. Peer Software is using these APIs to provide an active/active solution for your SMB needs. With these APIs, Peer and Nutanix can offer endless solutions for your file serving needs. Migration, building upon an existing solution, or a straight-up Nutanix-to-Nutanix solution is possible with the lowest recovery time for your customers.

Effective data protection for remote offices
WAN / Latency Tolerance
Support for heterogeneous vendor/platforms

PeerGFS is a software-based data management solution that works to create a unified globally accessible file system that provides users with fast local access to their data while simultaneously enabling continuous protection and high availability.

With this release AFS supports the following antivirus software:

Kaspersky Security 10 for Windows Server
Sophos Endpoint Security and Control 9, 10
Symantec Protection Engine 7.9.0
McAfee VirusScan Enterprise for Storage 1.2.0 and 1.3.0


AFS Cluster Network Change (Re-IP AFS) : Because Things Change

You can now change the managed/unmanaged network settings of the file server FSVM cluster to support moving the cluster from one datacenter to another, updating VLAN settings, or other use cases where you need to change network information. For unmanaged networks, you can change the FSVM cluster virtual IP address or the IP address of each FSVM. Now that it’s in the GUI, there is less human error and more time for coffee.


AFS 3.0 Brings NFS for the Busy Developer

AFS 3.0 brings NFS v4 support! This is the rocket ship that your software builds needed! No longer are your build pipelines stuck with the lonely power of a single NAS head servicing your workloads.

AFS with NFS support enables you to manage a collection of NFS exports distributed across multiple file server VMs (FSVMs, think NAS head). With NFS, users can now use Linux and UNIX clients with AFS. This feature is also hypervisor agnostic.

AFS supports two types of NFS exports:

Distributed. A distributed export (“sharded”) means the data is spread across all FSVMs to help improve performance and resiliency. A distributed export can be used for any application. It is distributed at the top-level directories and does not have files at the root of the export. If you give a developer one share and each build goes into the share as a top-level directory, watch out: you might not have time for coffee.

1 Share, multiple top-level directories, multiple NAS heads.

Non-distributed. A non-distributed export (“non-sharded”) means all data is contained in a single FSVM. A non-distributed export is used for any purpose that does not require a distributed structure. If you have 10s or 1000s of exports, they will be placed among all of the FSVMs/NAS heads!

Best of all, one-click upgrades and the Nutanix ease of use make this a slam dunk to deploy and maintain.


NFS v4 to Enable Acropolis File Services

Acropolis File Services (AFS) is a software-defined, scale-out file storage solution that provides a repository for unstructured data, such as home directories, user profiles, departmental shares, application logs, backups, and archives. Flexible and responsive to workload requirements, AFS is a fully integrated, core component of the Nutanix Enterprise Cloud Platform. At both of our .Next User conferences, in Washington, D.C. and Nice, France, NFS support for AFS was highlighted as a new feature to be added alongside the current SMB support in an upcoming release.

NFS has been around almost as long as I have been breathing air as an eighties baby. Being an open standard, NFS has evolved over the years and now has different versions available. In most cases the version used is driven by the client that will be accessing the server. To this end, Nutanix is entering the NFS space first with support for version 4 to go along with the current SMB support. NFS v4 is stable and has been going through iterations since the 2000s. Most recent distributions of various platforms like Linux (CentOS, Ubuntu), Solaris, and AIX use NFS v4 as the default client protocol, and the additional attention to security made it a great, easy choice.

More at the link below.

Full article posted on the Next Community Site


Supported Anti-Virus Offload for Nutanix Native File Services (AFS)

As the list grows with releases I will try to keep this updated.

As of AFS 2.2.1 supported AV ICAP based vendors:

McAfee Virus Scan Enterprise for Storage 1.2.0

Symantec Protection Engine 7.9.0

Kaspersky Security 10

Sophos Antivirus

Nutanix recommends that the following file extensions for user profiles be added to the exclusion list when using AFS antivirus scanning:

Symantec Pre-Req

Each Symantec ICAP server needs the hot fix (SPE_7.9.0_HF03.zip) installed from http://www.symantec.com/docs/TECH216348.

Kaspersky Pre-Req
When running the Database Update task with the network folder as an update source, you might encounter an error after entering credentials.


To resolve, download and install the critical fix 13017 provided by Kaspersky

Download Link:



Nutanix Scale Out File Services – AFS 2.2 Supported Clients

Supported Configurations

The following are AFS supported configurations.

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Active Directory
    Domain Functional Level Supported Domain Controller
    • Windows Server 2008*
    • Windows Server 2008* and up
    • Windows Server 2008 R2
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    * = AFS 2.0.2 and 2.1 support Windows 2008.
Clients/Use Cases

OS Type: Supported Versions
  • Apple Client: OS X El Capitan (10.11), macOS Sierra (10.12)
  • Windows Client: Windows 7, Windows 8, Windows 8.1, Windows 10
  • Windows Server: Windows Server 2008, Windows 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

SMB Protocol Versions

Server Message Block (SMB) is an application-layer network protocol that provides shared access to files and network node communication. AFS supports the following SMB versions.

  • SMB 2.0
  • SMB 2.1
  • SMB 3.0 (basic protocol support without specific SMB 3.0 features)

Automatically Snap, Clone and Backup AFS (Acropolis File Services)

I wrote a script on the Next community site that automatically snaps and clones AFS; you can then use any backup product that can read off an SMB share. The script can be used to always have the latest backup copy and avoid impacting your production users.

https://next.nutanix.com/t5/Nutanix-Connect-Blog/24-Hour-Backup-Window-with-Nutanix-Native-File-Services/ba-p/23708

Hope you find it useful.


Nutanix Native File Services (AFS) Now Supports AV Offload Scanning

AFS 2.2 with AOS 5.1.2 now supports ICAP (Internet Content Adaptation Protocol), a standard protocol, supported by a wide range of security vendors and products, that allows file and web servers to be integrated with security products. Nutanix chose this method to give customers the ability to choose the antivirus solution that works best for their specific environment.

Following is the workflow for an ICAP-supported antivirus solution:

1. An SMB client submits a request to open or close a file.
2. The file server determines if the file needs to be scanned, based on the metadata and virus scan policies. If a scan is needed, the file server sends the file to the ICAP server and issues a scan request.
3. The ICAP server scans the file and reports the scan results back to the file server.
4. The file server takes an action based on the scan results:
   • If the file is infected, the file server quarantines it and returns an “access denied” message to the SMB client.
   • If the file is clean, it returns the file handle to the SMB client.
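
The workflow above on the wire, as an added example (not Nutanix code and not part of the original post): a generic RFC 3507 RESPMOD request builder and reply handler. The host name, service path, sample replies and the `X-Infection-Found`/`X-Virus-ID` headers (from the ICAP extensions draft; vendors differ) are assumptions, as is denying access on an inconclusive reply.

```python
# Added illustration, not AFS code: RFC 3507 RESPMOD framing and verdict handling.
# Host, service name and the sample replies are constructed for this example.

def build_respmod(host, service, name, data):
    """Frame file bytes the way an ICAP client hands them to a scan server."""
    if any(c in name for c in '\r\n"'):
        raise ValueError("file name would break the encapsulated header")
    http_hdr = ("HTTP/1.1 200 OK\r\n"
                f'Content-Disposition: attachment; filename="{name}"\r\n'
                f"Content-Length: {len(data)}\r\n\r\n").encode()
    # The encapsulated body is chunked; a zero-length chunk terminates it.
    chunk = f"{len(data):x}\r\n".encode() + data + b"\r\n" if data else b""
    # Encapsulated offsets count from the first byte after the ICAP header.
    icap_hdr = (f"RESPMOD icap://{host}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunk + b"0\r\n\r\n"

def parse_verdict(reply):
    """Return (verdict, detail) from the head of an ICAP reply."""
    head = reply.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    proto, code = head[0].split(" ", 2)[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP reply")
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (line.partition(":") for line in head[1:])}
    threat = hdrs.get("x-infection-found") or hdrs.get("x-virus-id")
    if threat:
        return "infected", threat
    if code == "204":          # 204 No Content: object passed unmodified
        return "clean", ""
    return "unknown", code     # scan error, timeout or vendor-specific reply

def file_server_action(verdict):
    # Clean and infected follow the workflow in the text. The text does not say
    # what happens on an inconclusive scan; denying here is an assumption.
    return {"clean": "return file handle",
            "infected": "quarantine; access denied"}.get(verdict, "deny (assumed)")

CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "demo-1"\r\n\r\n'
INFECTED = (b'ICAP/1.0 200 OK\r\nISTag: "demo-1"\r\n'
            b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed.Sample;\r\n"
            b"Encapsulated: null-body=0\r\n\r\n")
```
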

The ICAP service runs on each AFS file server and can interact with more than one ICAP server in parallel to support horizontal scale-out of the antivirus server. We recommend configuring two or more ICAP servers for production. The scale-out nature of AFS and one-click optimization greatly mitigate any antivirus scanning performance overhead. If the scanning affects AFS file server VM performance, one-click optimization recommends increasing the virtual CPU resources or scaling out the file server VMs. This feature also allows both the ICAP server and AFS to scale out, ensuring fast responses from the customer’s antivirus vendor.

AFS sets scanning defaults across the entire file server, but they are disabled by default per share when you enable file scanning. You can enable scan on write and scan on read. Scan on write begins when the file is closed, and scan on read occurs when the file is opened. You can also exclude certain file types and files over a certain size. Share scan policies can override any defaults set for the file server.

For each ICAP server, we spin up no more than 10 parallel connections per FSVM and randomly dispatch the file scanning among all the ICAP servers. With heavier workloads, which may encounter many scan requests and use all connections, the scan servers with more processing power scan more files. As soon as the current scan finishes, the next file is picked up from the queue, which keeps the number of active connections at 10.
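
A simplified model of the dispatch behaviour described above, as an added example (not Nutanix code): one FSVM, a queue of files, and random dispatch among ICAP servers that have a free connection. Server names and per-file scan times are constructed; only the limit of 10 connections comes from the text.

```python
# Added illustration, not AFS code: simplified model of one FSVM dispatching scans.
# Server names and scan times are constructed; MAX_CONN is the limit quoted above.
import heapq
import random

MAX_CONN = 10  # parallel connections per ICAP server, per FSVM

def simulate(scan_time, n_files, seed=1):
    """scan_time maps server name -> time units needed per file.
    Returns (files scanned per server, peak connections per server)."""
    rng = random.Random(seed)
    active = {s: 0 for s in scan_time}
    done = {s: 0 for s in scan_time}
    peak = dict(active)
    finishing = []                 # min-heap of (finish_time, server)
    now, queued = 0.0, n_files
    while queued or finishing:
        free = [s for s in sorted(active) if active[s] < MAX_CONN]
        if queued and free:
            s = rng.choice(free)   # random dispatch among servers with a free slot
            active[s] += 1
            peak[s] = max(peak[s], active[s])
            heapq.heappush(finishing, (now + scan_time[s], s))
            queued -= 1
        else:
            # Every slot is busy (or the queue is empty): wait for the next
            # scan to finish, which frees one connection on that server.
            now, s = heapq.heappop(finishing)
            active[s] -= 1
            done[s] += 1
    return done, peak
```

Once every connection is busy, the next file can only go to the server that has just finished a scan, so a server that finishes four times faster ends up with roughly four times the files even though dispatch is random.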

Once AFS quarantines a file, the admin can rescan, unquarantine, or delete the file. Quarantined files can be searched if it is necessary to restore a file quickly.

If your antivirus vendor doesn’t support ICAP, you can scan the shares by installing an antivirus agent onto a Windows machine and then mounting all the shares from the file server. This approach allows you to schedule scans during periods of low usage. At the desktop or client level, you can set your antivirus solution to scan on write or scan only when files are modified. You can configure high-security environments to scan inline for both reads and writes.


#Nutanix #AFS – Cannot access folders/files created with a dot “.”

You may experience issues with third-party applications when accessing folders/files with a dot “.” prefix in the name, such as “.profile” or “.build”.

One of the error messages may look like the one below.

Error message
The “.profile” has different permissions.

This pertains to folders like “.profile” or “.build”. You can create the folders and see them, but programs that try to access them throw access errors. The “dot files” have different permissions.

There is a configuration option called “hide dot files” in AFS. This option is enabled by default.

You can run the following command on one of the FSVMs to turn off the “hide dot files” option globally.

    scli smbcli global "hide dot files" No

Example of the command run successfully below.

    nutanix@NTNX-x-x-x-x-A-FSVM:~$ scli smbcli global "hide dot files" no
    No existing config 'hide dot files' in smb.conf. Creating a new entry now..!
    smb.conf update is successful