Amongst the flurry of announcements from Dell Tech World this year was a new software release for Dell's PowerStore platform. We've covered previous releases here, so be sure to check those out. While it's a patch release, there are a slew of useful features we'll discuss in this article.

We work closely with Dell's product engineering teams to test the functionality of pre-release code and share our feedback on the features and our user experience. As former enterprise storage admins and current users of this gear, we bring what we hope is the same perspective from which our customers view the system. We tested PowerStoreOS 3.5 earlier this year for several months, and that direct interaction with the code informs the insight you get here. In our testing, we look to verify the functionality of the new features and their integration into the management interface; pre-GA code is not expected to show the same speed as the gold release, so we won't be discussing performance here.

For those just joining us that need an introduction, PowerStore is one of Dell's enterprise-class midrange storage systems. It packs a ton of performance, capacity, and functionality into two rack units of space. PowerStore is a dual-controller, all-NVMe storage array capable of block via FC-SCSI, FC-NVMe, iSCSI, NVMe/TCP, and vVols, as well as NFS and SMB file storage. The entire array is a single consolidated pool of storage, with that pool servicing both block and file workloads seamlessly with a global deduplication domain. To top it off, up to four appliances can be federated, allowing workload mobility between individual systems.

The new features in the 3.5 release are:

  • Failsafe networking (FSN)
  • Secure Snaps
  • Multifactor authentication (MFA)
  • Recycle Bin
  • STIG hardening / USGv6 compliance
  • PowerProtect backup integration

Let's tick through these features and talk about what they are and why they're important.

Failsafe Networking

PowerStore has supported LACP (802.3ad) since day one; PowerStoreOS 3.5 brings support for failsafe networking. Like LACP, FSN creates a virtual interface in PowerStore with multiple interfaces inside it. Unlike LACP, FSN does not coordinate with the upstream switches or perform load balancing; the array monitors the paths and flips to the standby interface if the primary is faulted. You can also combine FSN with LACP, with two independent two-port LACP interfaces inside the FSN interface. If connected to a pair of top-of-rack switches not using MLAG/vPC/VLT, this provides redundancy within a switch and failover across switches.

Two LACP interfaces inside a failsafe networking interface

Secure Snapshots

Snapshots have been around for a while and are now the go-to local copy mechanism, thanks to their space-efficient nature. They are used to create read-only point-in-time copies of block volumes or file systems, where only changed blocks are saved to the storage pool. Secure Snaps alter the snapshot retention behavior by setting a hard time-to-live value on a snapshot. That means a storage administrator cannot delete a secure snapshot before the expiration date is reached. Once a snapshot is marked as secure, its lifetime can only be extended; no shorter retention is possible. This feature is helpful as part of a comprehensive data protection strategy. Bad actors may delete your copies before destroying the primary data, and Secure Snaps mitigate that.  

Implementing Secure Snaps is simple: create a snapshot rule and add it to a protection policy. When creating the rule, there is an option to make the snapshot secure. The retention is variable based on the defined snapshot frequency: for daily snaps, copies can be kept up to 256 days; hourly copies have a ten-day retention maximum.

Protection Policy - snapshot rule creation

In addition to protection policies, Secure Snaps can be created in two other ways. First, by taking an ad-hoc snapshot of a volume or volume group and checking the Secure Snapshot checkbox. Second, an existing snapshot can be made secure by browsing to the volume or volume group, clicking the Protection tab → Modify, and checking the Secure Snapshot checkbox on that page.

From talking with Dell customers using Secure Snapshots on PowerMax, a common approach combines shorter retention, higher-frequency copies with lower-frequency, longer retention secure copies.
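To see what that layered approach buys you, the following added example (not Dell code, and it calls no PowerStore API) models the retention behavior described above and computes which copies remain if someone with admin rights deletes every snapshot the array will let them delete. The policy values, dates and function names are constructed for illustration; only the 10-day and 256-day ceilings come from this article.

```python
from datetime import datetime, timedelta

# Retention ceilings quoted in the article, per snapshot frequency.
MAX_RETENTION = {"hourly": timedelta(days=10), "daily": timedelta(days=256)}
INTERVAL = {"hourly": timedelta(hours=1), "daily": timedelta(days=1)}


def validate_rule(frequency, retention):
    """Reject a rule whose retention exceeds the ceiling for its frequency."""
    if retention > MAX_RETENTION[frequency]:
        raise ValueError(f"{frequency} retention {retention} exceeds {MAX_RETENTION[frequency]}")


def snapshots_at(now, start, frequency, retention, secure):
    """Snapshots that a rule running since `start` still holds at `now`."""
    validate_rule(frequency, retention)
    snaps, t = [], start
    while t <= now:
        if t + retention > now:  # not yet expired
            snaps.append({"taken": t, "expires": t + retention, "secure": secure})
        t += INTERVAL[frequency]
    return snaps


def survivors_after_wipe(snaps, now):
    """Model an admin-level delete-all at `now`: only unexpired secure snaps remain."""
    return [s for s in snaps if s["secure"] and s["expires"] > now]


def worst_case_data_loss(snaps, now):
    """Age of the newest remaining copy, i.e. the data lost by restoring from it."""
    if not snaps:
        return None
    return now - max(s["taken"] for s in snaps)


# Constructed policy: hourly ordinary snaps kept 2 days, daily secure snaps kept 30 days.
START = datetime(2023, 6, 1, 0, 0)
NOW = datetime(2023, 7, 15, 13, 30)
POLICY = (snapshots_at(NOW, START, "hourly", timedelta(days=2), secure=False)
          + snapshots_at(NOW, START, "daily", timedelta(days=30), secure=True))
SURVIVORS = survivors_after_wipe(POLICY, NOW)

if __name__ == "__main__":
    print("copies before wipe:", len(POLICY), "newest age:", worst_case_data_loss(POLICY, NOW))
    print("copies after wipe: ", len(SURVIVORS), "newest age:", worst_case_data_loss(SURVIVORS, NOW))
```

With this constructed policy, the hourly copies give a 30-minute recovery point in normal operation, while the secure daily copies cap the loss at the time since midnight if everything deletable is removed.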

Multifactor Authentication

For many, logging into your corporate VPN or internal applications with a password plus token is old hat. As our customers develop more holistic security strategies, they've demanded more robust security from their appliances, storage, and otherwise. To that end, Dell has been at work adding MFA capabilities to their storage platforms, with MFA already in PowerMax and PowerScale. With PowerStoreOS 3.5, you can link your array with existing RSA SecurID token infrastructure. That means, even if an evildoer does gain a password, they wouldn't necessarily have your token code or PIN.

STIG Hardening / USGv6 Compliance

This update will mainly affect our federal government customers.  Due to the nature of what lives on them, storage arrays already have a different attack surface than a standard operating system installation.  Some customers must have a security posture beyond this already-secure stance. First, PowerStoreOS has now been certified for the US federal government's requirement for IPv6. The platform has supported IPv6 from the start, and it's used under the covers for intra-cluster traffic. The University of New Hampshire's InterOperability Laboratory has now independently validated PowerStore for operability in the US government's IT environment. Second, as documented here, after initial installation, the system can now have additional hardening applied, like:

  • A reduced set of cipher suites for management connectivity, turning off less-secure encryptions.
  • More stringent password requirements for local users: 15-character minimum, 60-day expiration, and eight characters different from your prior password. Also, expired passwords must be reset by someone with Admin or Security Admin roles assigned.
  • Lock-out period: After three failed attempts, the account is locked out for fifteen minutes.
  • No additional appliances can be added to the cluster after STIG hardening is applied. Appliances in a multi-appliance cluster must be clustered before hardening is applied.

The only way to enable STIG hardening is the REST API call described in the aforementioned document. Because hardening reduces ease of use for admins, Dell wants to make sure you really want to enable it: not being able to add appliances to a cluster might cause challenges down the road, and returning to normal mode requires an appliance reinitialization. Enablement is non-disruptive, as the controllers reboot sequentially and come up in STIG mode.

Recycle Bin

This is one of those features that makes so much sense when you think about it. Historically, when deleting volumes, they go away with no hope of recovery if the wrong volume is removed. Also, any local copies like snapshots may go away as well. PowerStore's Recycle Bin is a temporary holding area for volumes, volume groups, and related snapshots. While the window is adjustable, it defaults to seven days before deleted objects are purged from the system. If you're under a tight capacity constraint, just like your desktop's recycle bin, you can remove objects before they'd expire. Indeed you can also restore items from the Recycle Bin if they were accidentally pulled from production. As you'd expect from a storage system, PowerStore already makes it challenging to accidentally destroy in-use data: volumes must first be unmapped before they can be deleted.

When deleting unmapped volumes, you can bypass the Recycle Bin and permanently remove the volumes.

Once in the Recycle Bin, volumes are removed from the primary volumes view and get their own page. 

In the Recycle Bin view, you can recover them to the main view, immediately expire them, or let them live out their remaining time in peace before the expiration policy timer hits.

PowerStoreOS 3.5 Recycle Bin page

PowerProtect Backup Integration

What if you could schedule snapshots of your production data to move from your primary array to a protection system without needing anything in the middle? Sure, snapshots have been copied between arrays for a while now, but copies to dissimilar systems are less common. With PowerStoreOS 3.5, the primary array, PowerStore, can directly send snapshots of volumes and volume groups to PowerProtect DD and take advantage of its Data Invulnerability Architecture, as well as its data reduction and replication.

Setting up remote backup is simple. In the same menu for linking remote PowerStore systems, there is now a system-type dropdown that allows you to select PowerProtect DD, after which the options change.   

PowerProtect DD system setup page

Enter the details for connectivity to DD, click OK, and your connection setup is complete.

PowerStoreOS 3.5 Remote Systems page showing PowerProtect DD system

The next step is to create a remote backup rule and add it to a protection policy. Once the policy is triggered, you'll see the storage objects in the Protection -> Remote Backup page. The initial copy will be a complete copy, and the subsequent copies will be incremental.

Should you need any of these copies, you have two options for accessing them: retrieve or instant access. The latter is precisely what it sounds like; data lives in Data Domain, and PowerStore is the passthrough device. That way, you'll get access to your data without waiting for a full recall; the downside of that convenience is reduced performance. The other option, retrieve, pulls data from protection storage back to PowerStore, where it is then available for host access. In either case, the volumes are retrieved as new snapshots on the system; they do not overwrite the source data. We successfully tested both retrieval methods with volume groups and standalone volumes. 

This feature is excellent when you have a large application that needs a copy of its data moved off its primary array quickly. However, it does not entirely replace traditional backup applications. There is no cataloging mechanism, nor does the array run pre- or post-scripts to set up things like Volume Shadow Copy or hot backup mode. Since the copies are scheduled, you could have your own scripts run just before and after the protection job creates the remote backup snapshot. Those concerns can be mitigated when the feature is used as part of an overall protection strategy.

Odds and Ends - File Scalability Improvements

The number of file objects allowable grows in PowerStoreOS 3.5. The old limits were probably good enough for most, but they were generic in that capabilities of larger models were left untapped. 

Limit                         Old     PowerStoreOS 3.5
Max NAS servers/appliance     50      250
Max file systems/appliance    500     1500 (500T), 3900 (1000T), 4500 (all others)
Max SMB shares/appliance      3000    5000 (500T), 6000 (1000T), 8000 (all others)
Max NFS exports/appliance     1500    5000 (500T), 6000 (1000T), 8000 (all others)

The new version reached general availability on June 20 and is now available for all PowerStore-T systems. This means gen-1 hardware (1000T, 3000T, 5000T, 7000T, 9000T) and gen-2 (500T, 1200T, 3200T, 5200T, 9200T). It's downloadable from Dell's support site, along with release notes detailing the new features. To upgrade, simply pull down the software package, upload it to the array, and click the upgrade button; if you have a support contract, Dell can do this for you too.

Final Thoughts

This is a minor release of PowerStoreOS. As such, it isn't supposed to break major ground on new functions. That said, Secure Snapshots, Recycle Bin, and integration with PowerProtect DD are all strong entries that improve admins' lives. Are any of these going to be needle-movers for non-users? Probably not, but PowerStore's base functionality is. It is an adaptable platform that provides low latency performance across modern and legacy protocols, inherent intelligence that drives management simplicity, and a modern lifecycle experience. PowerStoreOS 3.5 takes an already good platform and makes it even better.

If you have any questions, please feel free to contact me directly.  If you want to experience 3.5 on a live system, try our PowerStore lab.  If you have more extensive needs than the lab can provide, reach out and use something from our fleet of PowerStore systems.
