HomeResourcesField Guides › PowerScale (Isilon) OneFS Command Reference

Field Guide · Storage Operations

Dell PowerScale (Isilon) OneFS Command Reference for Production Storage Operators

This guide consolidates the OneFS commands storage engineers actually reach for to validate cluster health, inspect node hardware, untangle hung SMB sessions, read SmartPools and protection policy, chase performance, drive SyncIQ failover, and package evidence for Dell support. Every command states what it shows, when to run it, whether it is safe to run, and a representative output.

Who this is for: storage engineers · NAS administrators · infrastructure teams · operations teams · Dell PowerScale administrators

Command syntax validated against OneFS 8.2.x and 9.x · outputs shown from 9.5.x · field labels and counter names shift between releases · Reviewed by WUC Storage Infrastructure Engineering · Last validated: 2026-07-13

AudienceStorage admins · NAS engineers · Dell-facing escalation teams
PlatformsPowerScale F900/F600/F200, H700/H5600, A300 · Isilon X/NL/S
OneFS8.2.x and 9.x
Commands125+ across 13 families, safety-rated
Read time30 min full reference · jump via contents

!!Command safety model — read this first

This page is not a read-only reference. Unlike a switch show command set, the OneFS toolkit mixes harmless inspection with commands that will drop every SMB session on the cluster, delete a directory tree, evacuate a node, strip an ACL, break a replication relationship, or render CloudPools stub files unreadable. Several of the most-copied commands on the internet fall into that second group. Every command below carries a badge. Read the badge before you press Enter.
BadgeMeaningRule
Read-onlyInspects state. No configuration or data change.Safe in production, any time.
DisruptiveInterrupts client I/O or sessions, or triggers a heavy background job. Recoverable.Change window. Expect client impact.
DestructiveDeletes data, removes a node, strips permissions, breaks replication, or makes data inaccessible. Hard or impossible to reverse.Verified backup + written change approval. Never improvised.
Support-directedDiagnostic tooling intended to be run when Dell Support asks for it.Run only on an open case, at their instruction.
The single most important habit on this page: isi_for_array without -n runs on every node in the cluster. The difference between isi_for_array -n 2 'killall -6 lsass' and isi_for_array 'killall -6 lsass' is the difference between bouncing authentication on one node and bouncing it on all of them at once. Always specify -n <lnn> unless a cluster-wide action is genuinely what you intend.

ENVReference environment

Every command and output on this page is shown against a single consistent reference estate, so the examples hold together across families. It is a routed two-site design: a production cluster in Boston serving home directories, departmental shares and research data, replicating over a WAN link to a DR cluster in Phoenix. The two sites sit in separate Class A subnets and do not share a broadcast domain — which is the whole point of a DR site.

SITE A · BOSTON — PRODUCTION 10.10.10.0/24 · VLAN 110 · gw 10.10.10.254 Jumpstation Win 2012 10.10.10.1 DC / AD / DNS SMTP · Win2012 10.10.10.2 LDAP CentOS · NFS 10.10.10.3 InsightIQ perf analytics 10.10.10.30 DataIQ v2 dataset index 10.10.10.60 cluster: boston · 3 x F600 node 1 10.10.10.11 node 2 10.10.10.12 node 3 10.10.10.13 SC svc 10.10.10.20 nas.nexora.local READ / WRITE zones: clinical · research · corp External network ROUTED SyncIQ tcp/5667 SITE B · PHOENIX — DR 10.30.30.0/24 · VLAN 130 gw 10.30.30.254 cluster: phoenix 3 x F600 node 1 10.30.30.17 node 2 10.30.30.18 node 3 10.30.30.19 SC svc 10.30.30.20 · READ-ONLY GAP: no DC at DR site AD reachable only over the WAN to Site A. Site A down = no auth. All hostnames, domains, users, IPs and serials in this guide are synthetic reference values.
Routed two-site reference topology. The Boston production cluster (boston, 10.10.10.0/24) serves SMB clients from the Windows estate and NFS clients from Linux, authenticating against both Active Directory and LDAP, and replicates via SyncIQ over a routed WAN link to the Phoenix DR cluster (phoenix, 10.30.30.0/24). Separate subnets, separate VLANs, separate failure domains. The DR target is read-only by design — it becomes writable only when isi sync recovery allow-write is run, which is a declared-disaster action, not a test. Three nodes is the minimum supported cluster size, and it constrains both the protection levels available and whether a node can be smartfailed at all — see families 04 and 02.
The red box on the DR site is the most important thing in this diagram. Splitting the sites into separate subnets is correct — but a DR cluster is only as available as the services it depends on, and authentication is one of them. With the sole domain controller at Site A, a Boston outage takes Active Directory down with it. Phoenix would come up with perfectly current data and authenticate nobody: no SMB logons, no Kerberos, no ACL evaluation. You would have paid for a DR cluster and still be down. A DR site needs its own domain controller and its own DNS, or a documented, tested path to authentication that does not traverse the failed site. Verify this with isi auth status -v run on the DR cluster, not the production one — see Runbook 4, step 6. The same argument applies to DNS: if the SmartConnect delegation is served only from Site A, nothing resolves the DR name either.
Why the platform matters to the examples. A 3-node cluster must be built from the standalone F-series (F200/F600/F900). The chassis-based Gen6 platforms — H700, H5600, A300 — populate four nodes per 4U chassis, so their minimum viable cluster is four. Outputs below therefore show all-flash capacity (SSD, no HDD pool) and eight NVMe drives per node.

QSMost-used commands

CommandWhat it answersCadence
isi statusIs the cluster healthy, and how full is it?Constantly
isi devices listWhich drives or nodes are not HEALTHY?Every hardware alert
isi_for_array -s isi_hw_statusSerials, product IDs, PSU state — every node in one passAudits / RMAs
isi statistics client --sort=Ops --longWhich client is hammering the cluster right now?Every "it's slow" ticket
isi network interfaces list -vWhich IPs are where, and are the NICs up?Every connectivity issue
isi auth status -vAre the AD/LDAP providers actually online?Every login failure
isi storagepool health -vIs any pool under-protected or over-full?Weekly
isi sync reports listIs the DR copy actually current?Weekly / every audit
isi_gather_infoThe evidence bundle Dell Support expects with a caseEvery escalation

IXCommands by outcome

01Cluster health & events

This is where every investigation starts. Before you theorise about a protocol, a client, or a switch, establish whether the cluster believes it is healthy, whether every node is in the group, and whether anything is already alarming. OneFS is unusual in that a cluster can be degraded — a node split out of the group, a drive smartfailing — while still serving data perfectly well, so "users aren't complaining" is not evidence of health.

Healthy: all nodes in the group, all devices HEALTHY, no unresolved critical events, capacity under 85%.
Warning: a drive in SMARTFAIL; capacity 85–90%; events resolved but recurring.
Critical: a node out of the group, capacity above 90%, actual protection below policy.
Next: on any Critical, capture isi_gather_info before you change anything — the evidence disappears once you start remediating.

isi status Read-only

The single highest-value command on the cluster. Health, capacity, per-node state and running jobs in one screen. On an all-flash F-series cluster the HDD column reads zero — all capacity is SSD.

Command
isi status
Output
Cluster Name: boston
Cluster Health:     [ ATTN]
Cluster Storage:  HDD                 SSD Storage
Size:             0 (0 Raw)           246T (369T Raw)
VHS Size:         18T
Used:             0 (0%)              171T (69%)
Avail:            0 (0%)              75T (31%)

                   Health  Throughput (bps)   SSD Storage
ID |IP Address     |DASR |  In    Out  Total| Used / Size
---+---------------+-----+------+-----+-----+-----------------
  1|10.10.10.11    | OK  |  142M| 388M| 530M|   57T/  82T( 69%)
  2|10.10.10.12    | OK  |  138M| 401M| 539M|   57T/  82T( 69%)
  3|10.10.10.13    |-A-- |    0 |   0 |   0 |   57T/  82T( 70%)
---+---------------+-----+------+-----+-----+-----------------
Cluster Totals:          |  280M| 789M|1.06G|  171T/ 246T( 69%)

     Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only

isi status -q Read-only

Quick variant — suppresses the per-node table. Use it when you only want the cluster verdict and capacity.

Command
isi status -q
Output
Cluster Name: boston
Cluster Health:     [  OK ]
Size:  246T (369T Raw)
Used:  171T (69%)
Avail: 75T (31%)

isi status -n 3 Read-only

Scope to a single node by LNN. The fastest way to confirm the state of the one node an alert named — here, the node showing A (Attention) above.

Command
isi status -n 3
Output
Cluster Name: boston
Node LNN:    3
Node Health: [  OK ]
Node Storage: SSD 57T / 82T (70%)
Throughput:  In 151M  Out 377M

isi devices list Read-only

Every drive and node device with its state. Each F600 carries eight NVMe drives, so a 3-node cluster has 24 — small enough to read, but on larger estates the healthy rows are noise.

Command
isi devices list
Output
Lnn  Location  Device     Lnum  State      Serial
--------------------------------------------------------------
1     Bay  1   /dev/nvd0  7     HEALTHY    S5NXNG0R100001
1     Bay  2   /dev/nvd1  6     HEALTHY    S5NXNG0R100002
3     Bay  5   /dev/nvd4  3     SMARTFAIL  S5NXNG0R100021
3     Bay  6   /dev/nvd5  2     HEALTHY    S5NXNG0R100022
--------------------------------------------------------------
Total: 24

isi devices list | egrep -vi "healthy|l3" Read-only

The version you will actually type. Strips healthy drives and any L3-cache SSDs, leaving only what deserves attention. An empty result is the goal.

Command
isi devices list | egrep -vi "healthy|l3"
Output
Lnn  Location  Device     Lnum  State      Serial
3     Bay  5   /dev/nvd4  3     SMARTFAIL  S5NXNG0R100021

isi_for_array -n 3 'isi devices list | egrep -v HEALTHY' Read-only

Same filter, executed on node 3 specifically. isi_for_array is the cluster-wide fan-out wrapper; -n pins it to one node.

Command
isi_for_array -n 3 'isi devices list | egrep -v HEALTHY'
Output
boston-3: Lnn  Location  Device     Lnum  State      Serial
boston-3: 3     Bay  5   /dev/nvd4  3     SMARTFAIL  S5NXNG0R100021

isi_for_array -s 'isi_hw_status | grep SerNo; isi devices list | egrep -vi "healthy|l3"' Read-only

A composite audit sweep: for every node, print its serial then any unhealthy device. This is the one-liner to run before opening a hardware case, because it pairs the fault to the chassis serial Dell will ask for. -s sorts output by node number.

Command
isi_for_array -s 'isi_hw_status | grep SerNo; isi devices list | egrep -vi "healthy|l3"'
Output
boston-1:   SerNo: FCH2401A001
boston-2:   SerNo: FCH2401A002
boston-3:   SerNo: FCH2401A003
boston-3: 3     Bay  5   /dev/nvd4  3     SMARTFAIL  S5NXNG0R100021

isi_group_info Read-only

Group membership and the history of group changes. When a node "disappears", this tells you when it split and whether it rejoined. A cluster that is quietly forming and re-forming groups has an interconnect problem, not a protocol problem — and on a 3-node cluster, losing one node to a group split leaves you with no protection headroom at all.

Command
isi_group_info
Output
Cluster is in a fully functional state.
  1: 10.10.10.11  up
  2: 10.10.10.12  up
  3: 10.10.10.13  up
Last group change: 2026-07-13T04:22:11 (drive smartfail, node 3)

isi event events list Read-only

Current unresolved events. Read this before you clear anything.

Command
isi event events list
Output
ID       Occurred     Sev  Lnn  Event                     Message
---------------------------------------------------------------------------
7.12841  07/13 04:22  crit  3   400160002 (DRIVE_FAIL)    Drive in bay 5 failed
7.12839  07/12 23:07  warn  0   200010001 (CAPACITY)      Pool f600_82tb at 87%
---------------------------------------------------------------------------
Total: 2

isi event bulk --resolved=true Disruptive

Mass-resolves every event on the cluster. It is disruptive not to data but to your visibility — it clears genuine unresolved faults alongside stale noise. Never run this as a reflex to make a dashboard green; list the events first and fix what is real.

# Capture what you are about to clear:
boston-1# isi event events list > /ifs/data/events-20260713.txt
boston-1# isi event bulk --resolved=true

isi event bulk --ignore=true Disruptive

Same caution, stronger effect — suppresses events rather than resolving them, so they will not re-alert. Use only after you have captured the event list to a file.

Command
isi event bulk --ignore=true
Output
Are you sure? (yes/[no]): yes
14 events ignored.

02Node & hardware

Hardware questions arrive in two forms: an alert naming a component, or an audit demanding serials. Both are answered by isi_hw_status fanned across the array. The commands here are read-only except the last two, which take a node out of service — and on a minimum-size cluster, that is a far bigger decision than it looks.

Healthy: both PSUs good, all fans nominal, no failed DIMM or NVRAM battery.
Warning: one PSU absent or not good — you are running without power redundancy.
Critical: node down, NVRAM battery failed, or multiple drives failing in one node.
Next: pair the fault to a chassis serial before calling Dell — isi_for_array -s isi_hw_status | egrep 'SerNo|Product'.

isi_hw_status Read-only

Full hardware inventory and sensor state for the node you are on.

Command
isi_hw_status
Output
  SerNo: FCH2401A001
  Config: PowerScale F600
  ChsSerN: FCH2401A001
  FamCode: F
  ChsCode: 1U
  GenCode: 60
  Tier: 0
  Class: storage
  Product: F600-1U-Single-384GB-2x25GE SFP28-123TB
  HWGen: PSI
  Chassis: PowerScale
  CPU: Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz
  RAM: 412316860416 Bytes
  Power Supplies OK
  Power Supply Slot1-PS0 good
  Power Supply Slot2-PS1 good

isi_for_array -s isi_hw_status | egrep 'SerNo|Product' Read-only

The audit one-liner. Serial and model for every node in the cluster, sorted. Paste the output straight into an RMA request or an asset register.

Command
isi_for_array -s isi_hw_status | egrep 'SerNo|Product'
Output
boston-1:   SerNo: FCH2401A001
boston-1:   Product: F600-1U-Single-384GB-2x25GE SFP28-123TB
boston-2:   SerNo: FCH2401A002
boston-2:   Product: F600-1U-Single-384GB-2x25GE SFP28-123TB
boston-3:   SerNo: FCH2401A003
boston-3:   Product: F600-1U-Single-384GB-2x25GE SFP28-123TB

isi_for_array -s isi_hw_status | grep -i power Read-only

Power supply state across every node. Run it after any PDU work, any data-centre power event, and before any planned power maintenance.

Command
isi_for_array -s isi_hw_status | grep -i power
Output
boston-1:  Power Supplies OK
boston-2:  Power Supplies OK
boston-3:  Power Supplies ATTN

isi_for_array -s isi_hw_status | grep -i -A2 "Power Supplies" Read-only

The better form — -A2 pulls the two PSU slot lines that follow the summary, so you see which supply is unhappy rather than just that one is.

Command
isi_for_array -s isi_hw_status | grep -i -A2 "Power Supplies"
Output
boston-1:  Power Supplies OK
boston-1:  Power Supply Slot1-PS0 good
boston-1:  Power Supply Slot2-PS1 good
--
boston-2:  Power Supplies OK
boston-2:  Power Supply Slot1-PS0 good
boston-2:  Power Supply Slot2-PS1 good
--
boston-3:  Power Supplies ATTN
boston-3:  Power Supply Slot1-PS0 good
boston-3:  Power Supply Slot2-PS1 absent

isi_for_array -n 3 isi_hw_status | grep -i power Read-only

Scoped to node 3. Once the sweep above names a node, drop to it directly rather than re-running across the array.

Command
isi_for_array -n 3 isi_hw_status | grep -i power
Output
boston-3:  Power Supplies ATTN
boston-3:  Power Supply Slot1-PS0 good
boston-3:  Power Supply Slot2-PS1 absent

isi_for_array -s isi statistics drive list Read-only

Per-drive I/O and latency on every node. A drive that is technically HEALTHY but showing latency an order of magnitude above its peers is a drive about to fail — this is how you find it before the alert does.

Command
isi_for_array -s isi statistics drive list
Output
boston-1: 1:nvd0 NVMe 14.2 398.1 0.4ms 69.0%
boston-2: 2:nvd0 NVMe 13.9 401.7 0.4ms 69.1%
boston-3: 3:nvd4 NVMe 12.1 410.2 184ms  69.1%   <-- outlier

isi devices node smartfail --node-lnn 3 Destructive

Begins evacuating a node from the cluster — every block it holds is re-protected onto the remaining nodes, then the node is removed. It is the correct way to retire a node, it is not reversible once data movement is underway, and it runs for hours.

On a 3-node cluster this command is effectively off the table. Three nodes is the minimum supported cluster size. Smartfailing one would leave two, which OneFS will not sustain — and even if it could, the remaining nodes must have the free capacity to absorb the evacuated data. On boston, running at 69% used, they do not. Add a node before you remove a node. This command belongs to clusters with headroom in both node count and capacity.
# Verify BOTH node count and free capacity before even considering this:
boston-1# isi status                      # how many nodes remain after removal?
boston-1# isi storagepool health -v       # can they absorb the evacuated data?
boston-1# isi devices node smartfail --node-lnn 3
boston-1# isi job jobs list               # watch the FlexProtect job that follows

isi config → reboot 3 Disruptive

Reboots node 3 from the isi config subshell. Clients connected to that node's IPs are disconnected; a dynamic IP pool will fail the addresses over to the surviving nodes, a static pool will not. On a 3-node cluster you are removing a third of your capacity and front-end bandwidth for the duration — do it in a window.

boston-1# isi config
boston-1>>> status
boston-1>>> reboot 3
boston-1>>> exit

03Networking & SmartConnect

OneFS networking is a four-layer hierarchy — groupnet, subnet, pool, interface — and almost every "the share is unreachable" ticket resolves to a misunderstanding of which layer owns the problem. Walk it top-down: does the groupnet resolve DNS, does the subnet have the right gateway and VLAN, does the pool have IPs and member interfaces, is the interface up.

Healthy: every pool has allocated IPs, member NICs are up, SmartConnect zone resolves.
Warning: pool IP range exhausted; a NIC flapping; listen queue overflows climbing.
Critical: a pool with no live member interfaces — the SmartConnect name resolves to nothing.
Next: if the interface is up and the pool is populated, the fault is above the network — go to authentication or sessions.

isi network external view Read-only

The top-level external network configuration — the starting point for any connectivity question.

Command
isi network external view
Output
    Groupnets: 1
      Subnets: 1
        Pools: 2
  IP Alloc:  dynamic (SmartConnect)

isi network groupnets list -v Read-only

Groupnets carry DNS settings and the AD/LDAP binding context. A groupnet with the wrong DNS servers breaks name resolution for an entire access zone while every other layer looks perfectly healthy.

Command
isi network groupnets list -v
Output
       ID: groupnet0
     Name: groupnet0
  DNS Servers: 10.10.10.2, 10.10.10.2
DNS Search: nexora.local
  Subnets: subnet0

isi network subnets list -v Read-only

Subnets, netmasks, gateways, VLAN tags, and the SmartConnect service IP — the address the DNS delegation points at.

boston-1# isi network subnets list -v
             ID: groupnet0.subnet0
           Name: subnet0
       Groupnet: groupnet0
    Addr Family: ipv4
      Base Addr: 10.10.10.0
           CIDR: 10.10.10.0/24
        Gateway: 10.10.10.254
Gateway Priority: 10
            MTU: 9000
          Pools: pool-smb, pool-nfs
SC Service Addrs: 10.10.10.20
   VLAN Enabled: True
        VLAN ID: 110

# For contrast, the same command on the DR cluster — a different site,
# a different subnet, a different VLAN, a different gateway:
phoenix-1# isi network subnets list -v
             ID: groupnet0.subnet0
      Base Addr: 10.30.30.0
           CIDR: 10.30.30.0/24
        Gateway: 10.30.30.254
SC Service Addrs: 10.30.30.20
        VLAN ID: 130

The MTU is worth a second look. Jumbo frames (9000) inside a site are routine; across the WAN to Phoenix they are usually not, and a path-MTU mismatch is a classic cause of SyncIQ transfers that stall or crawl while ping and small transfers work perfectly. If replication is inexplicably slow, test the path at full frame size before you blame the policy.

isi network pools view groupnet0.subnet0.pool-smb Read-only

The pool is where SmartConnect lives — the zone name, the balancing policy, the IP range, the access zone, and the member interfaces. If a client resolves the SmartConnect name to an IP that nothing is listening on, the answer is here.

Command
isi network pools view groupnet0.subnet0.pool-smb
Output
              ID: groupnet0.subnet0.pool-smb
        Groupnet: groupnet0
          Subnet: subnet0
            Name: pool-smb
          Ranges: 10.10.10.11-10.10.10.13
    Alloc Method: dynamic
          Ifaces: 1:25gige-1, 2:25gige-1, 3:25gige-1
     Access Zone: zone-clinical
SC Connect Policy: round_robin
         SC Zone: nas.nexora.local
SC Suspended Nodes: -

isi network pools list Read-only

Every pool at a glance. Run it first, then view the one you care about.

Command
isi network pools list
Output
ID                            SC Zone                Alloc    Access Zone
--------------------------------------------------------------------------
groupnet0.subnet0.pool-smb    nas.nexora.local       dynamic  zone-clinical
groupnet0.subnet0.pool-nfs    research.nexora.local  dynamic  zone-research
--------------------------------------------------------------------------

isi network interfaces list -v Read-only

Physical and logical interfaces per node, with their assigned IPs and link state. This is the bottom of the network stack — if the NIC is down here, nothing above it matters.

Command
isi network interfaces list -v
Output
LNN  Name       Status      Owners                        IP Addresses
------------------------------------------------------------------------------
1    25gige-1   Up          groupnet0.subnet0.pool-smb    10.10.10.11
1    25gige-2   Up          groupnet0.subnet0.pool-nfs    10.10.10.40
2    25gige-1   Up          groupnet0.subnet0.pool-smb    10.10.10.12
3    25gige-1   No Carrier  -                             -
------------------------------------------------------------------------------

isi network rules list Read-only

Provisioning rules that bind interfaces into pools automatically as nodes join. A node that joined the cluster but is serving no traffic often has no rule matching it.

Command
isi network rules list
Output
ID          Node Type  Iface     Groupnet.Subnet.Pool
----------------------------------------------------------------
rule-smb    any        25gige-1  groupnet0.subnet0.pool-smb
rule-nfs    any        25gige-2  groupnet0.subnet0.pool-nfs

isi_for_array -s '/usr/bin/netstat -sn | grep "listen queue overflows"' Read-only

Listen queue overflows mean the node accepted connections faster than the protocol daemon could service them — a strong signal of daemon saturation, not network loss. A climbing counter here alongside hung SMB clients points at lwio/lsass, not at the switch. This is the command that names the bad node.

Command
isi_for_array -s '/usr/bin/netstat -sn | grep "listen queue overflows"'
Output
boston-1: 0 listen queue overflows
boston-2: 0 listen queue overflows
boston-3: 4412 listen queue overflows

isi_for_array -s 'netstat -an | grep 5667' Read-only

SyncIQ's worker port. Use it to confirm replication to Phoenix is actually establishing connections, and from which nodes. Because the sites are routed, every one of these sessions crosses the WAN — so this command doubles as proof that the inter-site path and its firewall rules are open. A SyncIQ policy that "runs slowly" is frequently only using a subset of nodes.

Command
isi_for_array -s 'netstat -an | grep 5667'
Output
boston-1: tcp4  0  0  10.10.10.11.42188   10.30.30.17.5667   ESTABLISHED
boston-2: tcp4  0  0  10.10.10.12.51022   10.30.30.18.5667   ESTABLISHED
boston-3: tcp4  0  0  10.10.10.13.39471   10.30.30.19.5667   ESTABLISHED

All three prod nodes connected to all three DR nodes is what healthy looks like. If only boston-1 appears, you are replicating at one-third of the available parallelism — usually a firewall permitting the WAN path from one source address rather than the whole prod subnet. Nothing errors; the policy just takes three times as long, and eventually misses its RPO.

isi_for_array -s 'netstat -an | grep ".445" | grep CLOSED | wc -l' Read-only

Counts SMB sockets stuck in CLOSED per node. A large and growing number is a fingerprint of the hung-session condition covered in family 06.

04Storage pools & protection

SmartPools decides where data lives and how hard it is protected. Two questions dominate: is anything under-protected relative to policy, and where did this particular file actually land. On a small cluster the protection question is sharper than most operators expect, because node count is a hard ceiling on the protection levels available to you.

Node count caps protection level. +2n requires a minimum of five nodes; +3n requires seven. On the 3-node boston cluster the viable levels are +1n, +2d:1n, +3d:1n and mirroring. Requesting a level the cluster cannot satisfy does not throw a clean error — OneFS accepts the setting and then reports actual protection below requested in isi storagepool health. That silent gap is how clusters end up believing they are protected when they are not. Always read the actual column, never the requested one.
Healthy: actual protection equals requested; no pool above 90%.
Warning: a pool 85–90% full — SmartPools loses the free space it needs to restripe efficiently.
Critical: actual protection below requested, or a pool above 95%.
Next: under-protection means either a stalled FlexProtect (isi job jobs list) or a protection level the node count cannot deliver.
Command
isi_for_array -s 'netstat -an | grep ".445" | grep CLOSED | wc -l'
Output
boston-1: 0
boston-2: 0
boston-3: 4412     <-- buildup of CLOSED SMB sockets on node 3

isi storagepool health -v Read-only

The verdict command for this family — requested vs actual protection, per pool. The mismatch below is exactly the failure mode described above.

Command
isi storagepool health -v
Output
Name              Health  Used    Size   Protection  Actual
--------------------------------------------------------------
f600_82tb_384gb   ATTN    69.4%   246T   +2n         +2d:1n   <-- requested != actual
--------------------------------------------------------------
# Requested +2n needs 5 nodes. This cluster has 3. It is quietly
# delivering +2d:1n and reporting ATTN rather than refusing the setting.

isi storagepool list -v Read-only

All pools — nodepools and tiers together — with capacity and membership.

Command
isi storagepool list -v
Output
Name              Type      Nodes  Protection  Used    Size
-----------------------------------------------------------------
f600_82tb_384gb   nodepool  1,2,3  3x          69.4%   246T

isi storagepool nodepools list -v Read-only

Nodepools specifically: which nodes are in them, what protection they carry, which L3 settings apply. On an all-flash cluster L3 cache is not applicable — the drives are the fast tier.

Command
isi storagepool nodepools list -v
Output
                ID: 1
              Name: f600_82tb_384gb
             Nodes: 1, 2, 3
      Node Type IDs: 1
 Protection Policy: +2d:1n
 Manual Protection: False
                L3: False
              Tier: -
             Usage: 69.4% (171T of 246T)

isi storagepool tiers list -v Read-only

Tiers group nodepools for file-pool policy targeting. If a file-pool policy is "not working", confirm the tier it targets actually contains the nodepool you assume it does. A single-nodepool cluster has nothing to tier between — a common source of misconfigured policies that silently do nothing.

Command
isi storagepool tiers list -v
Output
Name   Node Pools   Notes
----------------------------------------
(no tiers configured — single node pool cluster)

isi storagepool settings view Read-only

Global SmartPools behaviour — spillover, virtual hot spare reservation, global namespace acceleration, and the default protection applied to data with no matching policy.

Command
isi storagepool settings view
Output
       Automatically Manage Protection: files_at_default
   Automatically Manage Io Optimization: files_at_default
   Protect Directories One Level Higher: Yes
          Global Namespace Acceleration: disabled
           Virtual Hot Spare Deny Writes: Yes
            Virtual Hot Spare Hide Spare: Yes
          Virtual Hot Spare Limit Drives: 2
                      Spillover Enabled: Yes
                       Spillover Target: anywhere

isi get -DD /ifs/research/genomics/cohort-a.bam Read-only

The forensic command for a single file — its actual protection, its pool, its layout, and whether it is a SmartLink (CloudPools stub). Verbose to the point of overwhelming, so filter it.

Command
isi get -DD /ifs/research/genomics/cohort-a.bam

isi get -DD <path> | grep -i smart Read-only

The practical form. Answers one question fast: has this file been tiered out to the cloud, or is it still on disk? A "missing" research file that is really a stub whose CloudPools account is disabled will show as SMARTLINKED here — see the warning in family 08.

Command
isi get -DD /ifs/research/genomics/cohort-a.bam | grep -i smart
Output
*  SMARTLINKED:       True
*  SMARTLINK STATE:   Stubbed
*  SMARTLINK ACCOUNT: cp-archive-01

isi_test_cpool_cbm --show-object-paths /ifs/research/genomics/cohort-a.bam Support-directed

Maps a SmartLink stub to the underlying cloud object paths. This is a Dell diagnostic binary, not a documented admin command — run it when Support asks you to prove where a stub's data physically lives during a CloudPools recovery.

Command
isi_test_cpool_cbm --show-object-paths /ifs/research/genomics/cohort-a.bam
Output
SmartLink: /ifs/research/genomics/cohort-a.bam
  Account:  cp-archive-01
  Objects:  3
    0: container=nha-archive  key=a1f3.../0000
    1: container=nha-archive  key=a1f3.../0001

isi storagepool nodepools modify --name=f600_82tb_384gb --protection-policy=+2d:1n Disruptive

Changes the protection policy for a nodepool. Innocuous-looking, heavy in effect: raising protection immediately queues a cluster-wide restripe that will consume back-end bandwidth for hours and will increase space consumption. Lowering protection reduces resilience instantly. On this cluster, +2d:1n is the correct target — +2n would be accepted and silently under-delivered.

boston-1# isi storagepool health -v            # confirm headroom AND node count first
boston-1# isi storagepool nodepools modify --name=f600_82tb_384gb --protection-policy=+2d:1n -v
boston-1# isi job jobs list                    # a restripe job will appear
boston-1# isi storagepool health -v            # verify actual == requested afterwards

isi_classic job history -j FSAnalyze -v Read-only

Historical run data for a named job. FSAnalyze feeds InsightIQ's file-system reporting; if the InsightIQ server is showing stale capacity or quota data, this tells you whether the job has been failing or was simply never scheduled.

05Authentication, zones & identity

Most "permission denied" tickets are not permission problems — they are identity problems. The user is being mapped to a different token than you assume, or the access zone is not the one you think the client hit, or a provider on that particular node has silently gone offline. Establish identity before you touch a single ACL.

This estate runs two directory providers, and that is where the hard bugs live. Windows staff authenticate to Active Directory; Linux and research clients resolve against LDAP. The same human being can therefore arrive with a Windows SID over SMB and a POSIX UID over NFS — and if the two do not map to the same on-disk identity, they will see different permissions on the same file depending on how they connected. When a user reports "it works from my laptop but not from the compute node", this is almost always the reason. Check both providers, and always pass --zone.
Healthy: all providers online on all nodes, zones mapped to the expected pools.
Warning: a provider online on most nodes but not all — intermittent, user-visible failures.
Critical: AD provider offline cluster-wide, or a broken secure channel to the domain controller.
Next: a provider offline on one node only is a node-local lsass problem → family 06.
Command
isi_classic job history -j FSAnalyze -v
Output
Job       ID  Start                End                  State
------------------------------------------------------------------
FSAnalyze 88  2026-07-12T22:00:02  2026-07-12T22:41:18  Succeeded

isi auth status -v Read-only

The health of every authentication provider, per zone. Run this before anything else on a login complaint. Note both providers below — AD for the Windows estate, LDAP for the Linux clients.

Command
isi auth status -v
Output
Zone: zone-clinical
  Provider: lsa-activedirectory-provider:NEXORA.LOCAL
    Status: online
    Connection: dc01.nexora.local (10.10.10.2)
  Provider: lsa-local-provider:zone-clinical
    Status: online

Zone: zone-research
  Provider: lsa-activedirectory-provider:NEXORA.LOCAL
    Status: online
  Provider: lsa-ldap-provider:nexora-ldap
    Status: online
    Connection: ldap://10.10.10.3
  Provider: lsa-file-provider:System
    Status: online

isi auth ads list -v Read-only

Active Directory provider detail — the joined domain, the machine account, the domain controllers in use, and the AD site. A cluster talking to a DC across a WAN link because site discovery failed will authenticate correctly but slowly, and users will call it "the storage being slow".

Command
isi auth ads list -v
Output
Name:               NEXORA.LOCAL
NetBIOS Domain:     NEXORA
Joined:             Yes
Machine Account:    BOSTON$
Site:               Default-First-Site-Name
Domain Controllers: dc01.nexora.local

isi auth ldap list -v Read-only

LDAP provider detail — the server URI, base DN, bind DN, and the attribute maps that turn an LDAP entry into a POSIX identity. When NFS clients get the wrong UID or land as nobody, the answer is almost always in the attribute mapping here, not in the export.

Command
isi auth ldap list -v
Output
             Name: nexora-ldap
      Server URIs: ldap://10.10.10.3
          Base DN: dc=nexora,dc=local
          Bind DN: cn=readonly,dc=nexora,dc=local
           Status: online
   User Filter: (objectClass=posixAccount)
  Group Filter: (objectClass=posixGroup)
       UID Attr: uidNumber
       GID Attr: gidNumber

isi auth mapping view --user=NEXORA\\jdoe --zone=zone-research Read-only

Shows how a single human is mapped across providers — the Windows SID on one side, the POSIX UID on the other, and whether OneFS has united them into one on-disk identity. In a dual-provider estate this is the command that explains why the same user sees different permissions over SMB than over NFS. If the mapping is absent or points at an unexpected UID, the ACL is a red herring.

Command
isi auth mapping view --user=NEXORA\\jdoe --zone=zone-research

isi auth refresh Read-only

Flushes the authentication provider cache. Effectively read-only in impact — it forces the next lookup to go to the source rather than serving a stale cached answer. The right first move after a group membership change has not taken effect.

Command
isi auth refresh
Output
Authentication provider cache flushed.

isi auth mapping token --user=NEXORA\\acarter Read-only

The command that ends arguments. It prints the exact access token OneFS builds for a user — their UID, primary GID, and every SID in their group membership. If the group you granted access to is not in this list, the ACL was never the problem.

Command
isi auth mapping token --user=NEXORA\\acarter
Output
         User
                Name: NEXORA\acarter
                 UID: 1000042
                 SID: S-1-5-21-1004336348-1177238915-682003330-1109
  Primary Group
                Name: NEXORA\domain users
                 GID: 1000000
   Supplemental Identities
                Name: NEXORA\storage-admins
                 GID: 1000210
                Name: NEXORA\clinical-ops
                 GID: 1000315

isi auth mapping token --user=NEXORA\\jdoe --zone=zone-research Read-only

The same lookup scoped to an access zone. Critical in a multi-zone estate: the identity a research user resolves to in zone-research is not necessarily the identity they resolve to in zone-clinical. Always pass --zone when the zones differ, or you will debug the wrong token.

Command
isi auth mapping token --user=NEXORA\\jdoe --zone=zone-research

isi auth users view --user=NEXORA\\jdoe Read-only

The provider's view of the user object. Confirms the account exists and is enabled from the cluster's perspective, which is not always what the AD console shows.

Command
isi auth users view --user=NEXORA\\jdoe

isi zone zones list -v Read-only

Access zones, their auth providers, and their base paths. Zones are the most common source of "it works for me but not for them" — two users hitting different SmartConnect names land in different zones, with different providers and different namespaces.

Command
isi zone zones list -v
Output
        Name: System
        Path: /ifs
Auth Providers: lsa-local-provider:System, lsa-file-provider:System

        Name: zone-clinical
        Path: /ifs/clinical
Auth Providers: lsa-activedirectory-provider:NEXORA.LOCAL
 NetBIOS Name: NHA-CLIN

        Name: zone-research
        Path: /ifs/research
Auth Providers: lsa-activedirectory-provider:NEXORA.LOCAL
 NetBIOS Name: NHA-RSCH

isi_run -z 2 <command> Read-only

Executes a command in the context of a specific access zone by ID. Necessary because many isi commands operate against the System zone by default and will silently return nothing useful when the object you are asking about lives in another zone. "The share doesn't exist" is frequently "you queried the wrong zone".

Command
isi_run -z 2 <command>

Auditing secure-channel failures in lsassd.log Read-only

When AD authentication degrades intermittently, secure-channel open failures in lsassd.log are the evidence. This counts them per domain controller for a given date. In a production estate with several DCs it isolates the one unhealthy controller the cluster keeps retrying; against the single DC here, a high count simply means the cluster is struggling to hold a secure channel to it at all — which is a domain-side or time-skew problem, not a storage one.

boston-1# isi_for_array -s "grep AD_NetrlogonOpenSchannel /var/log/lsassd.log \
  | grep 2026-07-13 \
  | awk -F'(' '{print \$2}' | awk -F')' '{print \$1}' \
  | sort -rn | uniq -c"
boston-1:  214 dc01.nexora.local
boston-2:  198 dc01.nexora.local
boston-3:  203 dc01.nexora.local

Counts this high on every node point away from a single wedged node and toward the domain itself. Check clock skew first — Kerberos fails hard past a five-minute drift, and it presents to users as random permission denials rather than as an authentication error.

06Protocol sessions & hung-session recovery

This is the most dangerous family on the page and the one most often copy-pasted without thought. The symptom is familiar: SMB clients hang, new connections stall, but the cluster reports itself healthy. The cause is usually a wedged lsass (authentication) or lwio (SMB I/O) daemon on a specific node. The cure is to restart that daemon — on that node.

Read the -n flag before you run anything in this family. isi_for_array 'killall -6 lsass' sends SIGABRT to the authentication daemon on every node simultaneously. Every SMB session on the cluster drops at once. On a 3-node cluster serving thousands of users that is a full outage and a flood of client-side application errors. The node-scoped form — isi_for_array -n 3 ... — affects one node, and a dynamic IP pool will fail its clients over to the survivors. Escalate scope only when node-scoped recovery has failed and you have accepted a cluster-wide interruption.
Healthy: session counts stable, CLOSED socket count near zero, no listen-queue overflows.
Warning: CLOSED sockets on .445 climbing on one node; clients on that node slow.
Critical: clients hung, connection counts frozen, listen queue overflowing — a wedged daemon.
Next: identify the one bad node first (listen queue overflows), then restart the daemon on that node only.

isi smb sessions list Read-only

Active SMB sessions with user, client IP, and node. The first thing to check — and to capture — before you restart anything.

Command
isi smb sessions list
Output
Computer      User          Node  Openfiles
--------------------------------------------------
10.10.10.41   NEXORA\jdoe   1     3
10.10.10.44   NEXORA\svc-x  2     1

isi smb openfiles list Read-only

Files currently held open over SMB. A single file held open by a stale session is a far smaller problem than a wedged daemon, and it has a far smaller fix — close the specific file rather than bouncing a service.

Command
isi smb openfiles list
Output
ID    File                            User          Node
-----------------------------------------------------------------
1042  /ifs/finance/shared/q3.docx     NEXORA\jdoe   1
1051  /ifs/research/projects/run.log  NEXORA\svc-x  2

isi statistics query current list --keys=node.clientstats.connected.smb,node.clientstats.active.smb2 -n all -d Read-only

Connected vs active SMB clients per node. The distinction matters enormously: a node with many connected and zero active clients is a node whose daemon has stopped servicing work. That is your wedged node, and this is how you name it.

Command
isi statistics query current list \
Output
  --keys=node.clientstats.connected.smb,node.clientstats.active.smb2 -n all -d
Node  node.clientstats.connected.smb  node.clientstats.active.smb2
------------------------------------------------------------------
1     1412                            138
2     1398                            141
3     1455                            0        <-- wedged
------------------------------------------------------------------

isi statistics query current list --keys=node.clientstats.connected.nfs,node.clientstats.active.nfs -n all -d Read-only

The NFS equivalent, for the Linux research clients. Same interpretation — connected without active is the tell.

Command
isi statistics query current list --keys=node.clientstats.connected.nfs,node.clientstats.active.nfs -n all -d

Continuous session monitor Read-only

A watch loop for a live incident: every 90 seconds, print connected/active counts and the CLOSED socket count per node. Run it in a second terminal while you work, so you can see the moment a node wedges — and the moment a restart fixes it.

while true; do
  echo "***** START *****"; date; echo
  isi statistics query current list \
    --keys=node.clientstats.connected.smb,node.clientstats.active.smb2 -n all -d \
    | grep -v "0 0"
  echo
  echo "***** Closed connections *****"
  isi_for_array -s 'netstat -an | grep ".445" | grep CLOSED | wc -l'
  echo "***** END *****"
  sleep 90
done

isi_for_array -n 3 '/usr/likewise/bin/lwsm restart lsass' Disruptive

The preferred recovery. A managed, graceful restart of the authentication daemon on node 3 only. Prefer this over killall in every case — it lets the service manager stop and start the daemon cleanly rather than aborting it. Clients on node 3 reconnect; with a dynamic IP pool most fail over transparently.

boston-1# isi_for_array -n 3 '/usr/likewise/bin/lwsm restart lsass'
boston-3: Stopping service: lsass
boston-3: Starting service: lsass
boston-1# isi auth status -v          # confirm the provider came back online

isi_for_array -n 3 'killall -6 lsass' Disruptive

Aborts the authentication daemon on node 3 with SIGABRT, forcing a core dump before the service manager restarts it. Use this instead of lwsm restart only when you need the core file for Dell to analyse — the crash dump is the entire point. Authentication on node 3 is interrupted while it restarts.

Command
isi_for_array -n 3 'killall -6 lsass'

isi_for_array -n 3 'killall -6 lwio' && sleep 45 Disruptive

Same treatment for the SMB I/O daemon. The sleep 45 is not decoration — lwio takes time to come back and tear down its sockets, and hammering the node before it settles will make the diagnosis worse. Wait, then re-check session counts.

Command
isi_for_array -n 3 'killall -6 lwio' && sleep 45

isi_for_array 'killall -6 lsass' Destructive

Cluster-wide SIGABRT to the authentication daemon on every node at once. Every SMB session on the cluster drops. Rated destructive not because data is lost but because the blast radius is total, and because it is routinely run by accident when someone omits -n. Reach for it only when node-scoped recovery has already failed, and only inside an accepted outage window.

Command
isi_for_array 'killall -6 lsass'

isi_for_array 'killall -6 lwio' && sleep 45 Destructive

The cluster-wide SMB equivalent. Same warning, same blast radius.

Command
isi_for_array 'killall -6 lwio' && sleep 45

isi_for_array 'killall -HUP isi_hangdump' Support-directed

Triggers the hang-dump collector. Do not run this speculatively — it exists to capture state for Dell engineering during an active hang investigation, and it is meaningful only when they have asked for it and told you when to fire it.

Command
isi_for_array 'killall -HUP isi_hangdump'

07Performance & statistics

"The NAS is slow" is a claim, not a diagnosis. This family turns it into a name — a client, a directory, a drive, or a node. Work it in two passes: first a fast health check to rule out a degraded cluster, then the statistics to find the offender. Skipping the health check is how people spend an hour tuning a client when the real problem was a node out of the group.

Healthy: cluster health OK, load spread across nodes, no single client dominating, drive latency uniform.
Warning: one client at a large multiple of the next; one node carrying most connections.
Critical: a node degraded or out of the group; drive latency an order of magnitude above peers; a hot directory serialising the cluster.
Next: if the cluster is healthy and no client dominates, suspect a background job consuming the back end.

A · Health check — start hereThirty seconds to confirm the cluster itself is healthy before you blame a client. Fuller cluster-health coverage is family 01.

isi status Read-only

The one-screen verdict: cluster health, per-node state, capacity, and running jobs. On a large, busy cluster it can take a moment to gather throughput — if you want it instantly, use the quick variant below.

Command
isi status
Output
Cluster Name: boston
Cluster Health:     [  OK ]
                   Health  Throughput (bps)   SSD Storage
ID |IP Address     |DASR |  In    Out  Total| Used / Size
---+---------------+-----+------+-----+-----+-----------------
  1|10.10.10.11    | OK  |  142M| 388M| 530M|   57T/  82T( 69%)
  2|10.10.10.12    | OK  |  138M| 401M| 539M|   57T/  82T( 69%)
  3|10.10.10.13    | OK  |  151M| 377M| 528M|   57T/  82T( 70%)
---+---------------+-----+------+-----+-----+-----------------
Cluster Totals:          |  431M|1.16G|1.59G|  171T/ 246T( 69%)
     Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only

isi status -pqv  ·  isi status -p -q -v Read-only

The pool-oriented health view. -p breaks the report out by node pool / tier, -q is quick — it skips the slower throughput gather so the command returns immediately on a large cluster — and -v is verbose. The two forms below are identical: OneFS accepts flags bundled (-pqv) or written separately (-p -q -v). Use whichever you will remember; the bundled form is faster to type, the separated form is easier to read in a runbook.

Command — bundled flags
isi status -pqv
Command — separated flags (identical)
isi status -p -q -v
Output
Cluster Name: boston
Cluster Health:     [  OK ]

Node Pool: f600_82tb_384gb
     Health:            [  OK ]
     Requested Protection: 3x
     Actual Protection:    3x
     HDD Total:         0
     SSD Total:         246T
     SSD Used:          171T (69%)
     Nodes:             1, 2, 3
--------------------------------------------------------------
     Health Fields: D = Down, A = Attention, S = Smartfailed, R = Read-Only

isi status -q Read-only

Just quick, no pool breakdown. The fastest possible "is the cluster OK right now?" — it returns the health verdict and capacity without waiting to sample throughput. This is the one to reach for the instant a slowness ticket lands, because it costs the cluster almost nothing and answers the first question.

Command
isi status -q

isi status -n 3 Read-only

Scope the health view to a single node by LNN — when a ticket or an earlier command has already named the node you care about.

Command
isi status -n 3

B · Performance statisticsOnce the cluster is confirmed healthy, name the offender — a client, a directory, a drive, or a node.

isi statistics client --sort=Ops --long Read-only

The workhorse. Every client sorted by operations per second. Nine times out of ten the top row is your answer — here, a batch job on node 3 dwarfing everything else.

Command
isi statistics client --sort=Ops --long
Output
 Ops    In     Out    TimeAvg  Node  Proto  Class  UserName            RemoteName
--------------------------------------------------------------------------------
14.2k  92.1M  410.3M  18.4ms   3     nfs3   read   root                10.10.10.3
 1.1k   8.4M   31.2M   2.1ms   1     smb2   write  NEXORA\jdoe         10.10.10.1
  842   2.1M   19.8M   1.8ms   2     smb2   read   NEXORA\svc-imaging  10.10.10.101
--------------------------------------------------------------------------------

isi statistics client --nodes=all --sort=ops --format=top Read-only

A live, auto-refreshing top-style view. Leave it running during an incident. The username column truncates, so cross-reference by IP when a name looks wrong or empty.

Command
isi statistics client --nodes=all --sort=ops --format=top

isi statistics client list --sort=Ops --long --format=csv Read-only

The same data as CSV, for when you need to hand evidence to someone or chart it. Redirect it to a file under /ifs/data/ and pull it off the cluster.

Command
isi statistics client list --sort=Ops --long --format=csv

isi statistics heat list --nodes=all --limit=30 Read-only

The thirty hottest files and directories on the cluster. This is how you find the contended object — a single lock-heavy directory that every client is queuing behind, which no client-level view will ever reveal.

Command
isi statistics heat list --nodes=all --limit=30
Output
 Ops    Node  Event      Class      Path
------------------------------------------------------------------
 8.4k   3     lock       write      /ifs/research/genomics/scratch/
 6.1k   3     getattr    namespace  /ifs/research/genomics/scratch/
 1.2k   1     read       read       /ifs/clinical/imaging/study-4471/
------------------------------------------------------------------

isi statistics drive -nall --long --sort=OpsOut Read-only

Per-drive throughput and latency across every node, sorted by outbound operations. Look for the outlier: a drive whose latency is far above its siblings is failing, whatever its HEALTHY status claims.

Command
isi statistics drive -nall --long --sort=OpsOut
Output
Drive    Type  OpsIn  OpsOut  TimeAvg  Slow  Used
-----------------------------------------------------
3:nvd4   NVMe   12.1   410.2  184.2ms   41   69.1%   <-- outlier
1:nvd2   NVMe   14.8   398.7    0.4ms    0   69.0%
2:nvd3   NVMe   13.2   402.1    0.4ms    0   69.2%
-----------------------------------------------------

isi statistics protocol list --nodes=all --long Read-only

Latency broken out by protocol operation. Tells you whether the pain is in metadata (getattr, lookup) or in data (read, write) — a distinction that points at completely different fixes.

Command
isi statistics protocol list --nodes=all --long

isi statistics system --nodes=all Read-only

CPU, network, and disk throughput per node. Answers the blunt question: is the cluster actually busy, or idle and still slow? An idle-but-slow cluster is a locking or metadata problem, not a capacity one.

Command
isi statistics system --nodes=all

isi_cache_stats Read-only

L1/L2 cache hit rates. Collapsing hit rates alongside rising latency usually means the working set has outgrown cache — a capacity-planning finding, not a fault.

Command
isi_cache_stats

isiperf_v3.sh — Dell performance capture Support-directed

Dell's performance capture harness — samples at an interval, for a number of rounds, and packages the result. Run it when Support asks for a capture window, with the parameters they specify: -i interval in seconds, -e iterations per round, -r rounds.

Command
/bin/bash /ifs/data/Isilon_Support/isiperf_v3.sh -i 10 -e 5 -r 12

08Jobs, SyncIQ & CloudPools

The job engine is the cluster's background metabolism — restripes, protection repair, dedupe, tree deletes — and the most common invisible cause of "unexplained" slowness. SyncIQ and CloudPools sit alongside it, and both contain commands that can break a DR relationship or make data unavailable in a single keystroke.

Healthy: jobs running at expected impact policy; SyncIQ policies completing inside their RPO.
Warning: a FlexProtect at HIGH impact during business hours; a SyncIQ runtime creeping up nightly.
Critical: a failed FlexProtect (data under-protected) or a failed SyncIQ policy (no current DR copy).
Next: correlate job start times against the onset of a performance complaint before blaming a client.

isi job jobs list Read-only

What the job engine is doing right now, and at what impact policy. Always check this before investigating a performance complaint.

Command
isi job jobs list
Output
ID    Type          State    Impact  Pri  Phase  Running Time
-------------------------------------------------------------
1247  FlexProtect   Running  HIGH    1    2/4    14h 22m
1249  SmartPools    Paused   LOW     6    1/2    -
-------------------------------------------------------------

isi job jobs view 1247 Read-only

Detail on a single job — phase, progress, estimated completion. A FlexProtect that has not advanced a phase in a day is stuck and needs a case.

Command
isi job jobs view 1247
Output
ID:            1247
Type:          FlexProtect
State:         Running
Impact Policy: HIGH
Priority:      1
Phase:         2 of 4
Progress:      lin-based scan (est. 3h 40m remaining)

isi job events list Read-only

Job engine history — what ran, what failed, when. The audit trail for "did something run last night that explains this?"

Command
isi job events list
Output
Time                 Job          Event
------------------------------------------------------------
2026-07-13T04:22:14  FlexProtect  Started (drive smartfail, node 3)
2026-07-12T22:00:02  FSAnalyze    Succeeded

isi sync policies list Read-only

SyncIQ replication policies, their targets, and their schedules. This is the inventory of your DR coverage — and the place to notice that a critical dataset has no policy at all.

Command
isi sync policies list
Output
Name                  Path              Target       Action  Enabled  Schedule
-------------------------------------------------------------------------------
sync-clinical-phx     /ifs/clinical     10.30.30.20  sync    Yes      every 4 hours
sync-home-phx         /ifs/home         10.30.30.20  sync    Yes      daily 22:00
sync-research-phx     /ifs/research     10.30.30.20  sync    Yes      daily 01:00
-------------------------------------------------------------------------------

isi sync jobs list Read-only

Currently running replication jobs with throughput. A policy whose runtime creeps up each night is heading for a missed RPO — catch it before the auditor does.

Command
isi sync jobs list
Output
Policy Name        ID   State    Action  Elapsed   Transferred
--------------------------------------------------------------------
sync-clinical-phx  412  running  sync    00:14:02  184.2 GB

isi sync reports list --policy-name=sync-clinical-phx Read-only

The evidence that DR actually works. Historical results per policy — this is what you show an auditor to prove the Phoenix copy is current, and what tells you a policy has been silently failing for a fortnight.

Command
isi sync reports list --policy-name=sync-clinical-phx
Output
Policy Name        Job ID  Start            End              Action  State
----------------------------------------------------------------------------
sync-clinical-phx  412     07/13 04:00:02   07/13 04:18:44   sync    finished
sync-clinical-phx  411     07/13 00:00:01   07/13 00:21:07   sync    finished
sync-clinical-phx  410     07/12 20:00:02   07/12 20:19:33   sync    finished
----------------------------------------------------------------------------

isi sync policies view sync-clinical-phx Read-only

Full policy definition — source, target, snapshot settings, and whether accelerated_failback is enabled. Check that last one before a disaster, not during: without it, failing back to Boston requires a full differential rebuild.

Command
isi sync policies view sync-clinical-phx
Output
Name:                 sync-clinical-phx
Source:               /ifs/clinical
Target Host:          10.30.30.20
Action:               sync
Schedule:             every 4 hours
Accelerated Failback: Yes

isi sync recovery allow-write sync-clinical-phx Destructive

Makes the target of a replication policy writable — the failover action, run on the DR cluster. It breaks the sync relationship: Phoenix is no longer a faithful copy of Boston, and returning to the original direction requires a resync that can move enormous volumes of data across the WAN.

This is a declared-disaster command, not a test. Running it to "check whether DR works" leaves the target writable and divergent, and the path back is a full failback cycle. If you want to validate DR without breaking it, take a snapshot on the target and mount it read-only, or use a dedicated test policy against a scratch path. Never point allow-write at a production policy to satisfy an audit checkbox.
# Run on the DR cluster (phoenix), during a declared failover only:
phoenix-1# isi sync policies list                      # confirm the policy name
phoenix-1# isi sync recovery allow-write sync-clinical-phx
phoenix-1# isi sync recovery resync-prep sync-clinical-phx   # later, to prepare failback

isi cloud accounts list Read-only

CloudPools accounts and whether each is enabled. Check this before assuming a stub file is corrupt.

Command
isi cloud accounts list
Output
Name           Type   Enabled  URI
------------------------------------------------------
cp-archive-01  ECS    Yes      https://ecs.nexora.local:9021

isi cloud accounts modify cp-archive-01 --enabled=no Destructive

The most quietly dangerous command in this guide. Disabling a CloudPools account deletes nothing — but every SmartLink stub pointing at that account becomes unreadable immediately. To users, files that were there a moment ago now throw I/O errors. There is no data loss and the fix is to re-enable, but the user-visible effect is indistinguishable from mass data loss, and on an archive tier it can hit millions of files at once. Know what is stubbed against the account (isi get -DD) before you disable it.

boston-1# isi cloud accounts list
boston-1# isi cloud accounts modify cp-archive-01 --enabled=no
# Undo — restores access immediately, nothing was deleted:
boston-1# isi cloud accounts modify cp-archive-01 --enabled=yes

isi cloud recall /ifs/research/genomics/cohort-a.bam -v Disruptive

Rehydrates a stub — pulls the file's data back from the cloud onto the cluster. Disruptive by capacity: recalling a large stubbed dataset can consume far more space than anyone estimated, and there is no dry-run. On a cluster already at 69%, recalling an archived genomics cohort is a capacity event. Check the size of what you are recalling, and the free space you have, before you start.

Command
isi cloud recall /ifs/research/genomics/cohort-a.bam -v
Output
Recalling /ifs/research/genomics/cohort-a.bam ...
  3 cloud objects retrieved (2.1 GB)
  File is now fully local; SmartLink stub removed.

isi job jobs start treedelete --paths=/ifs/research/genomics/scratch --priority=10 --policy=low Destructive

This deletes a directory tree and everything under it. It is the efficient way to remove millions of files — the job engine does it far faster than rm -rf — and it is irreversible. The --policy=low keeps it from starving client I/O; --priority=10 puts it at the back of the queue. Neither flag makes it safer. Verify the path twice, confirm a snapshot exists, and never let a trailing-slash typo choose the path for you.

# VERIFY the path resolves to what you think it does, FIRST:
boston-1# ls -ld /ifs/research/genomics/scratch
boston-1# isi snapshot snapshots list | grep genomics   # is there a rollback?
boston-1# isi job jobs start treedelete --paths=/ifs/research/genomics/scratch --priority=10 --policy=low

09Permissions & ACLs

OneFS runs a hybrid permission model — POSIX mode bits and Windows ACLs over the same namespace — and the friction between them causes a disproportionate share of escalations. It is worst where a directory is reached by Windows staff over SMB and by Linux research clients over NFS. Before changing anything here, prove the user's identity with isi auth mapping token. Most ACL "fixes" are applied to problems that were never ACL problems.

Every chmod -R here is a recursive, unbudgeted write across potentially millions of inodes. It is slow, it generates heavy metadata load, and it has no undo. On a large research tree, run it in a change window and expect it to take hours.

ls -led /ifs/clinical/shared Read-only

The command to run before and after any ACL change. Prints the effective ACL, owner, group, and the inheritance control flags. Capture the "before" output somewhere you can get back to.

Command
ls -led /ifs/clinical/shared
Output
drwxrwx---  +  12 NEXORA\svc-owner  NEXORA\domain users  496 Jul 13 08:35 .
 OWNER: user:NEXORA\svc-owner
 GROUP: group:NEXORA\domain users
 CONTROL:dacl_auto_inherited,dacl_protected
 0: group:NEXORA\clinical-ops allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
 1: group:NEXORA\research-faculty allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
 2: SYSTEM allow dir_gen_all,object_inherit,container_inherit

chmod -R +a group NEXORA\\storage-admins allow dir_gen_all,object_inherit,container_inherit,inherited_ace /ifs/clinical/shared Disruptive

Adds an inheritable full-control ACE for a group across a tree. The three inheritance flags matter: object_inherit propagates to files, container_inherit to directories, inherited_ace marks the ACE as inherited rather than explicit. Omit them and the grant applies only to the top directory — the single most common cause of "I gave them access and it still doesn't work".

# Capture the before-state first:
boston-1# ls -led /ifs/clinical/shared > /ifs/data/acl-before-20260713.txt
boston-1# chmod -R +a group NEXORA\\storage-admins allow \
  dir_gen_all,object_inherit,container_inherit,inherited_ace \
  /ifs/clinical/shared
boston-1# ls -led /ifs/clinical/shared

chmod -R +a user NEXORA\\svc-backup allow dir_gen_all,object_inherit,container_inherit,inherited_ace /ifs/clinical/shared Disruptive

The same grant for a service account rather than a group. Prefer groups — a per-user ACE on a large tree is a maintenance liability you will inherit later. Note the escaped backslash in the domain-qualified name.

Command
chmod -R +a user NEXORA\\svc-backup allow dir_gen_all,object_inherit,container_inherit,inherited_ace /ifs/clinical/shared

chmod -R -b 770 /ifs/research/projects Destructive

Strips every ACL from the tree and reverts it to pure POSIX mode bits. This is the legitimate fix when a directory has accumulated so much conflicting ACL cruft that Windows and Unix clients disagree about who can do what — a classic outcome on a shared research tree — and it permanently discards every existing ACE. Everyone who had access via an ACL loses it the instant this completes. The mode (770) is your choice; the ACL destruction is not optional.

# There is NO undo. Capture the existing ACLs first — that file is your only record:
boston-1# ls -leRd /ifs/research/projects > /ifs/data/acl-backup-20260713.txt
boston-1# chmod -R -b 770 /ifs/research/projects

10SMB share management

Everything up to this point inspects the cluster. This family changes who can reach it. Creating a share, granting a permission, or toggling oplocks are all live access-control operations — read the badges, and treat a permission grant with the same care you would a firewall rule, because that is what it is.

Healthy: shares scoped to the correct access zone, permissions granted to named groups, no broad well-known grants.
Warning: a share granting Everyone or Authenticated Users full control; oplocks disabled without a documented reason.
Critical: a production share exposed to the wrong zone, or a permission change made without knowing who currently has access.
Next: every command here takes a --zone. The most common share mistake is operating in the wrong one — confirm it first with isi zone zones list.

isi smb shares list --zone=zone-research Read-only

Every SMB share in a given access zone. Shares are per-zone objects, so a share that "doesn't exist" almost always exists in a zone you did not query.

boston-1# isi zone zones list                    # what zones exist?
boston-1# isi smb shares list --zone=zone-research
Share Name        Path
------------------------------------------------
Finance_Shared$   /ifs/finance/shared
projects          /ifs/research/projects
------------------------------------------------

isi smb shares view Finance_Shared$ --zone=zone-research Read-only

Full definition of one share — its path, its permissions, and its per-share settings. Read this before you change anything about the share.

Command
isi smb shares view Finance_Shared$ --zone=zone-research
Output
Share Name:  Finance_Shared$
Path:        /ifs/finance/shared
Permissions:
  NEXORA\finance-team   allow  full
Oplocks:     Yes
Access Zone: zone-research

isi smb shares create --zone= Disruptive

Creates a share. Disruptive because it exposes a filesystem path over SMB the moment it succeeds — the access-control decision is made here, not later.

Command
isi smb shares create Finance_Shared$ /ifs/finance/shared --zone=zone-research
Output
# The trailing $ hides the share from network browsing. It does NOT restrict
# access — a hidden share with open permissions is still open. Hiding is not
# securing; set the permissions.

isi smb shares permission create — grant access Disruptive

Grants a permission on a share. Prefer a named AD group over a well-known identity every time.

Command
isi smb shares permission create Finance_Shared$ \
Output
  --group "NEXORA\finance-team" --permission-type allow --permission full \
  --zone=zone-research
Granting full to Authenticated Users or Everyone is how a share becomes an incident. The command below is valid OneFS syntax and is exactly what you will find pasted in forum answers — and it hands full control of the share to every authenticated account in the domain, service accounts included. On a finance or research share that is a compliance finding waiting to be written up. If you genuinely need a broad grant, scope it to a named group and to the least permission that works (read, not full).
# Do NOT reach for this reflexively:
boston-1# isi smb shares permission create Finance_Shared$ \
  --wellknown "NT AUTHORITY\Authenticated Users" \
  --permission-type allow --permission full --zone=zone-research

isi smb shares permission delete Disruptive

Removes a permission. The classic use is stripping the default Everyone ACE that some share-creation paths add. Confirm what you are removing before you force it — --force skips the confirmation, not the consequences.

boston-1# isi smb shares permission view Finance_Shared$ --zone=zone-research   # look first
boston-1# isi smb shares permission delete Finance_Shared$ \
  --wellknown Everyone --force --zone=zone-research

isi smb shares modify --oplocks=false — a latency fix with a cost Disruptive

Opportunistic locks let clients cache aggressively. On a share with heavy concurrent multi-writer access — a shared finance workbook, a database file over SMB — oplock break storms can present as latency, and disabling oplocks can resolve it.

Command
isi smb shares modify --share=Finance_Shared$ --zone=zone-research --oplocks=false
Do not disable oplocks as a first move. Oplocks exist because they make the common single-writer case fast; turning them off slows every client that was benefiting to fix the few that were not. It is the right tool for a genuine multi-writer contention problem and the wrong tool for general "SMB feels slow." Confirm the contention with isi smb openfiles list before you reach for this.

isi smb openfiles close --id=<id> — clear a stuck lock Disruptive

When a single file is wedged open by a stale session — the "someone has this file locked and they went home" ticket — this closes that specific handle without touching any other session. Find the handle first, then close it by ID. This is a scalpel; the daemon restarts in family 06 are the hammer, and you reach for the scalpel first.

boston-1# isi_for_array "isi smb openfiles list" | grep -i "quarterly-report.docx"
ID    File                                    User
-----------------------------------------------------------
1042  /ifs/finance/shared/quarterly-report.docx  NEXORA\jdoe
boston-1# isi smb openfiles close --id=1042

Finding a file across the namespace Performance impact

When you need the full path of a file by name, find works — but scope it. A find rooted at / on a multi-petabyte cluster is a metadata-read storm that will show up in someone's latency graph. Root it at the narrowest path you can, and background it.

Command
find /ifs/finance -type f -name "quarterly-report.docx" >> /ifs/data/found.txt &
Output
# For a metadata-only search at scale, isi statistics heat (family 07) is lighter.

11Time, NTP & Kerberos alignment

Time is an authentication dependency, and almost nobody treats it as one until it breaks. Kerberos rejects a ticket whose clock is skewed more than five minutes from the KDC. When a node's clock drifts, AD authentication on that node fails — and it presents to users not as "authentication is down" but as random, intermittent permission denials. This family is short, and it is the first thing to check when AD works on some nodes and not others.

Healthy: every node within a second or two of the domain controller; NTP peering the DC or a common source.
Warning: one node drifting; clock offset growing but under five minutes.
Critical: a node past five-minute skew — Kerberos on that node is failing now, intermittently, and confusingly.
Next: a single skewed node is a node-local NTP problem; skew across the whole cluster points at the NTP source itself.

isi_for_array -s /usr/likewise/bin/lw-get-dc-time <domain> Read-only

The domain controller's clock, as each node sees it. This is your reference — the number every node must agree with, because it is the clock Kerberos is measured against.

Command
isi_for_array -s /usr/likewise/bin/lw-get-dc-time nexora.local

isi_for_array -s date Read-only

Each node's own clock, side by side. Compare against the DC time above; any node more than a few seconds out is drifting, and any node near five minutes out is already failing Kerberos.

Command
isi_for_array -s date
Output
boston-1: Mon Jul 13 14:02:11 EDT 2026
boston-2: Mon Jul 13 14:02:11 EDT 2026
boston-3: Mon Jul 13 14:06:44 EDT 2026     <-- 4m33s ahead. Kerberos is about to fail here.

isi_for_array -s "ntpdate -u -b <ntp-server-ip>" Disruptive

Forces an immediate time correction on every node. Disruptive because stepping a clock is not free — a large jump can disturb time-sensitive services and, briefly, invalidate in-flight Kerberos tickets as the clock crosses the skew boundary. Correct a genuine skew, but do it in a maintenance window if the jump is large, and fix the underlying NTP configuration so it does not recur.

# Prefer pointing NTP at the same source the domain uses (often the DC itself).
boston-1# isi_for_array -s "ntpdate -u -b 10.10.10.2"
boston-1# isi_for_array -s date        # re-verify every node now agrees

12SPN, domain controllers & node renumbering

The operations here are infrequent, high-consequence, and easy to get wrong because they touch the cluster's identity in the domain and its identity to itself. None of them are daily commands; all of them are worth knowing before the day you need them.

isi auth ads spn list <domain> Read-only

The Service Principal Names registered for the cluster's machine account. When Kerberos authentication to a share fails but the provider is online, a missing or duplicate SPN is a prime suspect — the client asks for a ticket to a name the KDC has no SPN for, and the request fails before it ever reaches the cluster.

Command
isi auth ads spn list NEXORA.LOCAL

isi auth ads spn check / fix <domain> Disruptive

check is read-only and reports missing SPNs; fix registers them, which writes to the machine account in AD. Run check first, understand what is missing and why, then fix deliberately.

boston-1# isi auth ads spn check NEXORA.LOCAL      # read-only report
boston-1# isi auth ads spn fix   NEXORA.LOCAL      # writes to AD — deliberate only

isi auth ads modify --domain-controller=<dc> Disruptive

Pins the cluster to a specific domain controller instead of letting AD site discovery choose. This is a legitimate emergency lever when discovery keeps selecting an unhealthy or distant DC — but it is also a trap.

Pinning a DC removes the cluster's ability to fail over to another one. You have hard-coded a dependency on a single domain controller. When that DC is patched, rebooted, or retired, the cluster's authentication goes down with it — and whoever pinned it has usually forgotten they did. Use it to work around a bad DC temporarily, write down that you did, and remove the pin once site discovery is healthy again. A pinned DC is an incident scheduled for a date you will not be watching.
boston-1# isi auth ads modify nexora.local --domain-controller=dc01.nexora.local
# Undo — return to automatic site-based discovery:
boston-1# isi auth ads modify nexora.local --domain-controller=""

isi devices node smartfail --node-lnn <n> Destructive

Covered in depth — including the quorum arithmetic and why a small cluster survives it — in the dedicated PowerScale Data Protection & SmartFail field guide. Note the correct spelling: devices, smartfail — the command is frequently mistyped, and a mistyped destructive command that happens to match a different valid command is its own hazard.

lnnset modify — renumber nodes after a smartfail Disruptive

Logical Node Numbers (LNNs) do not automatically close up after a node is removed — smartfail node 2 of three and you are left with LNNs 1 and 3, not 1 and 2. That gap is cosmetic, but it confuses scripts, monitoring, and humans reading isi status. lnnset modify in the isi config subshell renumbers them.

boston-1# isi config
boston-1>>> lnnset list              # show current LNN -> device mapping
boston-1>>> lnnset modify 3 2        # renumber LNN 3 to LNN 2, closing the gap
boston-1>>> commit
boston-1>>> exit
Renumber for tidiness, not during an incident. Changing LNNs shifts the identifiers every other command and script references. Do it as a deliberate housekeeping step once the cluster is stable and the node count is settled — never mid-recovery, when half your muscle-memory commands are about to point at a different node than you think.

13Upgrade, patches & firmware

Patching and OS upgrades are the highest-consequence routine work you do on a cluster — they touch every node and, done wrong, take the whole cluster offline. OneFS upgrades are rolling by default (one node at a time, quorum preserved), which is why access survives them; but "rolling" is not "risk-free." Know your current version before you touch anything, read what a patch changes before you install it, and never start an OS upgrade without a tested rollback plan.

Healthy: known OneFS version, patches applied deliberately and recorded, no upgrade half-committed.
Warning: patches installed but not documented; a cluster upgrade in the "committed pending" state left un-finalised.
Critical: an OS upgrade started without a rollback plan, or a rollback attempted after the point of commit.
Next: before any patch or upgrade, capture isi_gather_info and confirm the current version — it is your baseline and your rollback reference.

isi version Read-only

The current OneFS release, every time. This is the first thing Support asks and the first thing a known-issue search needs — behaviour, bugs, and even command syntax shift between releases, so establish it before you reason about anything else.

Command
isi version
Output
Isilon OneFS v9.5.0.0 B_9_5_0_002(RELEASE)
     Build:  B_9_5_0_002(RELEASE)
     Cluster: boston  (3 nodes, all at 9.5.0.0)

isi upgrade patches list Read-only

Which patches are installed. The first thing to check when a known bug matches your symptom, and the list Support expects attached to any case. Compare it against Dell's Security Advisories and patch bulletins for your release.

Command
isi upgrade patches list
Output
Patch Name         Description                              Status
-------------------------------------------------------------------
patch-321045       SMB session cleanup fix                  Installed
patch-320981       NFS lock reclaim on failover             Installed
-------------------------------------------------------------------

isi upgrade patches list --format=table Read-only

The same data in a clean, fixed-column table — easier to read at a glance and easier to parse if you are feeding it into a report or a scripted inventory across many clusters.

Command
isi upgrade patches list --format=table

isi upgrade patches view <patch> Read-only

What a specific patch actually changes — the services it touches, whether it needs a reboot, and what it supersedes or depends on. Read this before you install, so you know whether the change is a quiet daemon restart or something with client impact.

Command
isi upgrade patches view patch-321045
Output
Patch Name:         patch-321045
Description:        SMB session cleanup fix
Status:             Installed
Services affected:  lwio  (rolling restart, no reboot)
Supersedes:         none
Required by:        none

isi upgrade patches install <path> Disruptive

Installs a patch, rolling across the nodes. Most patches restart a service rather than reboot a node, but "restart a service" still means a brief interruption for clients on that node. Stage the patch under /ifs, read its view first, and install in a change window unless Support has told you it is non-disruptive.

Command
isi upgrade patches install /ifs/data/patches/patch-321102.tgz
Output
Patch patch-321102 staged.
Installing across 3 nodes (rolling) ...
  node 1: done   node 2: done   node 3: done
Patch patch-321102 installed.

isi upgrade patches uninstall <patch> Disruptive

Removes a patch, rolling. The same client-impact caution as install applies. Confirm nothing else depends on the patch (its view shows this) before removing it.

Command
isi upgrade patches uninstall patch-321102

isi upgrade view Read-only

The status of an in-progress OS upgrade — which nodes are done, which phase the cluster is in, and whether it is waiting on you to commit. When nothing is running it says so; run it any time you are unsure what state an upgrade left the cluster in.

Command
isi upgrade view
Output
Upgrade:  OneFS 9.5.0.0  ->  9.7.0.0
  Status:          committed pending
  Process:         rolling
  Nodes upgraded:  3 of 3
  Action needed:   run "isi upgrade cluster commit" to finalise

isi upgrade cluster start <install-image> Destructive

Begins a rolling OneFS OS upgrade. This is the highest-stakes command in the guide: it changes the operating system on every node in the cluster.

Never start an OS upgrade without a tested rollback plan and a change window. A rolling upgrade preserves quorum and keeps clients served node-by-node, but it is a one-way door past a certain point — once you commit, there is no rollback, only a fresh downgrade upgrade. Before you start: confirm the target release is supported for your hardware, read Dell's release notes and known-issues for that build, take a snapshot of critical config, capture isi_gather_info, and know exactly which command rolls it back. Treat the pre-commit window as your only safety margin, because it is.
Command
isi upgrade cluster start /ifs/data/install/OneFS_v9.7.0.0.isi

isi upgrade cluster rollback Destructive

Rolls a cluster back to the prior release — but only while the upgrade is still in the pre-commit state. Once you have committed, this command is no longer available; the way back is a full downgrade, which is itself an upgrade operation with its own risk. This is why the pre-commit window matters so much: it is the entire span in which "undo" exists.

Command
isi upgrade cluster rollback

isi upgrade cluster commit Disruptive · irreversible

Finalises the upgrade and closes the rollback window for good. Run it only once every node is upgraded, the cluster is healthy, and you have verified applications against the new release. After commit, the prior version is gone.

Command
isi upgrade cluster commit

13Incident runbooks

Four sequences covering the majority of PowerScale escalations. Each step names the command and the branch condition — the point is to stop early when the evidence says stop, rather than working the whole list out of habit.

Runbook 1 · SMB clients hung, cluster reports healthy

  1. isi status — is the cluster actually OK, or is a node out of the group? Node down → hardware/group problem, not protocol. Stop here.
  2. isi auth status -v — is the AD provider online on every node? Offline cluster-wide → domain-side problem. Stop here.
  3. listen queue overflows + CLOSED socket count — which single node is saturating? This names the node.
  4. connected vs active SMB clients — the wedged node shows connections but zero activity. Confirms the node.
  5. isi_for_array -n <node> '/usr/likewise/bin/lwsm restart lsass' — graceful restart, that node only. Re-check step 4.
  6. Still wedged after a settle period → restart lwio on the same node, wait 45s, re-check. Escalate to cluster-wide only inside an accepted outage.

Runbook 2 · Storage is slow, nothing is down

  1. isi job jobs list — is a FlexProtect or SmartPools job running at HIGH impact? Yes → very likely your answer. Lower the impact policy.
  2. isi statistics client --sort=Ops --long — is one client dominating? Yes → you have a name. Go talk to its owner.
  3. isi statistics heat list --nodes=all --limit=30 — is one directory contended? Yes → a locking hot-spot; no client-level view would have shown this.
  4. isi statistics drive -nall --long --sort=OpsOut — is one drive's latency an outlier? Yes → a failing drive, regardless of its HEALTHY state.
  5. isi statistics system --nodes=all — is the cluster busy at all? Idle but slow → metadata/locking, not capacity.

Runbook 3 · Users report files have vanished

  1. ls -led on the parent — do the files exist with an ACL the user cannot traverse? A permission problem masquerading as absence.
  2. isi auth mapping token --user=NEXORA\\<user> --zone=<zone> — is the user in the group you think grants access? Frequently not. Stop here if so.
  3. isi get -DD <path> | grep -i smart — is the file a CloudPools stub? Stubbed → check the account.
  4. isi cloud accounts list — is the account backing that stub disabled? Disabled → this is the cause. Re-enable it; the data was never gone.
  5. Only after all of the above → check snapshots and SyncIQ for an actual deletion.

Runbook 4 · DR failover to the secondary site

Read this before the disaster, not during it. Step 4 is irreversible without a full failback cycle. Every step before it is reversible; nothing after it is cheap.
  1. Confirm the primary is genuinely lost. A cluster that is unreachable from your desk is not necessarily down. If Boston is recoverable, recover it — failover is more expensive than almost any repair.
  2. isi sync reports list on the DR cluster — when did each policy last complete? This tells you exactly how much data you are about to lose. Write the number down; it is your actual RPO, not the one in the SLA.
  3. isi sync policies view — is accelerated_failback enabled? No → budget for a full differential rebuild on the way back.
  4. isi sync recovery allow-write <policy> on the DR cluster — makes the target writable. The relationship is now broken. There is no undo that does not involve a resync.
  5. Repoint clients: update the SmartConnect DNS delegation to the DR cluster's service IP. DNS TTL now governs how fast users come back — check it in advance, not now.
  6. isi auth status -v run on the DR cluster — are AD and LDAP online from Phoenix? This is the step that catches the single-DC gap. If the only domain controller lives at the failed site, Phoenix has current data and can authenticate nobody — the failover produces an outage with extra steps. Establish this before the disaster; there is no fixing it during one.
  7. Confirm DNS: does anything outside Site A still resolve the SmartConnect delegation? A delegation served only from the failed site's DNS makes the DR name unresolvable no matter how healthy the cluster is.
  8. When the primary returns: isi sync recovery resync-prep <policy> to stage the failback, and re-verify before repointing DNS again.

Escalation taking too long?

WUC engineers assist with PowerScale health reviews, protection and SmartPools design, SyncIQ and DR validation, hung-session forensics, and remediation planning — on Isilon and PowerScale estates inside and outside OEM support.

Talk to engineering →

14Escalation collection

When a case goes to Dell, the quality of your evidence sets the pace of the resolution. Collect before you remediate — the moment you restart a daemon, the state that would have explained the fault is gone.

isi_gather_info Read-only

The full diagnostic bundle — the direct analogue of a switch's show tech-support. Logs, configuration, hardware state and statistics from every node, packaged and optionally uploaded to Dell. This is what Support expects attached to a case. It is large and it takes time; start it early.

boston-1# isi_gather_info
# ... writes to /ifs/data/Isilon_Support/pkg/
boston-1# ls -lh /ifs/data/Isilon_Support/pkg/
-rw-r--r--  1 root  wheel   412M Jul 13 09:14 boston-20260713-091402.tar.gz

isi_gather_info --local-only Read-only

Restricts collection to the node you are on. Much faster, and appropriate when the fault is unambiguously node-local — but confirm with Support that a local gather is acceptable before you rely on it.

Command
isi_gather_info --local-only
Output
Gathering local node only ...
  Package: /ifs/data/Isilon_Support/pkg/boston-1-20260713-091402.tar.gz (86M)

isi_gather_info --nologs Read-only

Configuration and state without the log payload. Useful when you need a fast configuration snapshot for a design review rather than a fault investigation.

Command
isi_gather_info --nologs
Output
Gathering configuration and state (no logs) ...
  Package: /ifs/data/Isilon_Support/pkg/boston-config-20260713.tar.gz (12M)

isi upgrade patches list Read-only

Attach this to every case. Support's first act is to check whether your symptom matches a known issue already fixed in a patch you have not applied.

Command
isi upgrade patches list

IOCA — on-cluster analysis Support-directed

Dell's on-cluster health analyser. It reports known-issue exposure for your specific OneFS version. Fetch it, stage it in the support directory, and run it against your running version.

# Fetch and stage:
boston-1# curl --disable-epsv -O ftp.emc.com/pub/rcm/Isilon/tools/IOCA
boston-1# scp IOCA root@<cluster-mgmt-ip>:/ifs/data/Isilon_Support/
# Run against the running OneFS version:
boston-1# perl IOCA -u 9.5.0.0

Log locations worth knowing Read-only

When you need to grep rather than gather.

/var/log/messages          # general system
/var/log/lsassd.log        # authentication / AD secure channel
/var/log/lwiod.log         # SMB I/O daemon
/var/log/isi_job_d.log     # job engine
/var/log/isi_migrate.log   # SyncIQ

Operating notes

A healthy cluster and a healthy service are different claims. isi status can report OK while a wedged lwio on one node hangs every client SmartConnect happened to land there. Cluster health is a statement about the cluster's opinion of itself, not about whether users can open a file.

Omitting -n on isi_for_array is the single most expensive typo on this platform. It converts a node-scoped recovery into a cluster-wide outage. Build the habit of typing the -n flag first, before you type the command it will run.

Prefer lwsm restart over killall. killall -6 aborts a daemon and forces a core dump; the service-manager restart stops and starts it cleanly. Use the abort only when Dell wants the core file. Most operators reach for killall because it is what they found in a forum thread, not because they need the dump.

Capture evidence before you remediate. Restarting the daemon fixes the symptom and destroys the diagnosis. If you want the fault to stop recurring, gather first — isi_gather_info, session counts, listen queue overflows — and restart second.

Read the actual protection column, never the requested one. OneFS will accept a protection level your node count cannot deliver and quietly under-protect the data. A 3-node cluster asking for +2n is the textbook case: no error, no refusal, just a gap between what you asked for and what you have.

Disabling a CloudPools account is indistinguishable from data loss, from where the user sits. Stubs go unreadable instantly and en masse. Nothing is deleted and re-enabling restores access, but expect a P1 in the intervening minutes. Know what is stubbed against an account before you disable it.

allow-write is a disaster declaration, not a DR test. It breaks the replication relationship and commits you to a failback cycle. If you need to prove DR works — and you should, regularly — snapshot the target and mount it read-only. Do not satisfy an audit checkbox by breaking your own DR.

Verify identity before you touch an ACL, and pass --zone. A large share of ACL changes are made to solve problems that were never permission problems — the user simply was not in the group everyone assumed, or was resolving to a different token in a different access zone.

chmod -R -b has no undo, and ls -leRd is the only record you will get. Redirect it to a file before you strip ACLs. That file is your rollback plan, and it is the entire rollback plan.

FAQFrequently asked questions

Q01Are the commands on this page safe to run in production?

Some are; many are not — which is why every command carries a badge. Anything marked Read-only is safe at any time. Disruptive commands interrupt clients or trigger heavy background work. Destructive commands delete data, remove nodes, strip permissions, break replication, or make data unreadable. Read the badge first.

Q02What is the difference between isi_for_array with and without -n?

Without -n, the command runs on every node in the cluster simultaneously. With -n <lnn>, it runs on that node only. For inspection commands the difference is harmless. For killall, it is the difference between a node-scoped restart and a cluster-wide session drop.

Q03My SMB clients are hung but isi status says the cluster is healthy. What now?

That combination is the classic wedged-daemon signature. Find the single bad node using listen queue overflows and the connected-versus-active SMB counts, then restart lsass on that node with lwsm restart. Do not start with a cluster-wide killall. See Runbook 1.

Q04Why does isi storagepool health show a protection level I never asked for?

Because your node count cannot deliver the level you requested. +2n needs five nodes, +3n needs seven. OneFS accepts the setting and then reports a lower actual protection rather than refusing it. On a 3-node cluster, use +2d:1n. Always trust the actual column.

Q05Can I smartfail a node on a 3-node cluster?

No, in practice. Three nodes is the minimum supported cluster size, so removing one leaves an unsupportable cluster — and the survivors would also need free capacity to absorb the evacuated data. Add a node before you remove a node.

Q06A user says their files disappeared, but nothing was deleted. Where do I look?

Check whether the files are CloudPools stubs (isi get -DD <path> | grep -i smart) and then whether the CloudPools account backing them is disabled. A disabled account makes every stub unreadable instantly — the files are intact, but nobody can open them. See Runbook 3.

Q07How do I test DR without breaking replication?

Do not run isi sync recovery allow-write against a production policy — that is a failover, not a test, and it commits you to a failback. Instead, take a snapshot on the target cluster and mount it read-only, or run a dedicated test policy against a scratch path.

Q08The same user sees different permissions over SMB than over NFS. Why?

Because they are arriving as two different identities. Windows clients present an AD SID; Linux clients resolve a POSIX UID from LDAP. If those are not mapped to the same on-disk identity, OneFS is correctly enforcing permissions against two different users who happen to be the same person. Run isi auth mapping view --user=<user> --zone=<zone> and confirm the SID and UID unite. Do not fix this with an ACL.

Q09Why did my ACL grant not take effect on the files inside the directory?

Almost always missing inheritance flags. A chmod +a without object_inherit and container_inherit grants access to the top-level directory only. Add both, and use -R to apply across the existing tree — the flags govern new objects, the -R governs existing ones.

Q10What should I attach to a Dell Support case?

isi_gather_info output, isi upgrade patches list, and the hardware sweep (isi_for_array -s isi_hw_status | egrep 'SerNo|Product') so the fault is tied to a chassis serial. Collect it all before you remediate — restarting the daemon destroys the state that explains the fault.

RFReferences

  1. Dell PowerScale OneFS Documentation — CLI Command Reference and Administration Guide
  2. Dell Technologies Info Hub — PowerScale technical white papers

From the same practice

WE

About WUC Engineering

Storage engineers at WUC Technologies operate Dell PowerScale and Isilon clusters — from legacy X- and NL-series through F-, H- and A-series — alongside the Cisco MDS fabrics and enterprise arrays they serve, under post-OEM storage maintenance and network maintenance engagements across enterprise data centers.

Running PowerScale or Isilon in production?

Bring us the outputs this page taught you to collect. WUC storage engineers deliver cluster health assessments, protection and SmartPools reviews, SyncIQ and DR validation, performance investigations, and migration planning — for PowerScale and Isilon estates inside and outside OEM support, under post-OEM storage maintenance.

  • Cluster health assessment
  • Protection & SmartPools review
  • SyncIQ / DR validation
  • Migration & refresh planning
e.g. Cisco, Dell, NetApp - and when your next contract renews.

Prefer to talk it through first? Book a technical consultation → · View managed services

No prep slides required · References available under NDA · Multi-OEM coverage across Dell EMC, HPE, IBM, NetApp

All hostnames, domains, users, groups, paths, serial numbers and IP addresses in this guide are synthetic reference values. No customer environment is depicted.

Get a Custom Solution