zmlat
Level 4
3 years ago

Is there any integration with NetBackup and Data Domain retention lock?

Hello,

I'm looking to turn on Data Domain retention lock and was wondering if there is any configuration on the NetBackup side required to make full use of the DD feature? My Veritas SE says this DD feature is transparent to NB, but the Dell guy mentioned there might be some integration on the NB side (as there is for NetWorker).

I did read about the "retention" command. It seems to be something new in version 8.3 (?). Not sure if that is strictly a NB feature that does the same as the DD retention lock (or if it's strictly a feature in the Flex appliance). We're currently on NB 8.2, but will be upgrading to 9.x (no appliance).

Thanks

    • davidmoline
      Level 6

      Hi zmlat 

      If you review the HCLs for NetBackup you will find that WORM/immutable data storage is supported from NetBackup 8.3.0.1 with the appropriate version of the OST plug-in (the specific version depends on the connectivity to the DD).

      If you also want to use client direct, then you need NetBackup 9.1 or greater.

      Regards
      David

      • StefanosM
        Level 6

        Can you elaborate on what "client direct" means?
        Because as far as I know, and I hope that will never change, you cannot send the backups directly from a NetBackup client to Data Domain.

    • zmlat
      Level 4

      Thanks Stefanos... that actually looks like what I'm looking for.

  • Hi,

    It's not fully transparent to NetBackup. NetBackup is aware of the target device capabilities via the OST plug-in. So the requirements are:

    - NetBackup version: It has to be at least 8.3.0.1 on master and media servers.
    - OST plug-in version that Veritas certified to leverage Retention Lock. It's on the HCL.
    - DDOS version: Check the DDOS version and OST plug-in compatibility. Best to keep both on par.

    If Retention Lock is enabled on an existing Storage Unit (MTree) on DD, you just need to use the "tpconfig update" command so that NetBackup can pick up the appropriate flag and report it as a WORM capable device.

  • Hi zmlat 

    What do you want to achieve by using retention lock? Ransomware protection?

    On older versions of NetBackup I used Data Domain retention lock with the NBU basic STU to protect the catalog backup against accidental recursive deletion. The basic STU used an NFS share on the Data Domain.

    The setup was straightforward: I created a separate MTree on the Data Domain and exported it via NFS. The retention lock on the Data Domain must be shorter than the NetBackup retention, else NetBackup will not be able to delete the images during image cleanup.

    Update - Sharing a FAQ about the DD RL : https://www.dell.com/support/kbdoc/da-dk/000079803/data-domain-retention-lock-frequently-asked-questions-faq

    Best Regards
    Nicolai

    • zmlat
      Level 4

      Hello Nicolai.

      I'm basically trying to protect the backups (not necessarily the catalog), whether it be ransomware or someone intentionally deleting backup images. I can NFS export the backup STU on the DD, and delete all my backups. Seems from the aforementioned replies there is some integration with NB.

      Curious about your catalog setup... did you run the catalog from that MTree? I guess you can't turn on compression on the catalog (but if it's deduped, I guess you don't need to).

      • Nicolai
        Moderator

        Hi zmlat 

        Since Data Domain is API-based if using BOOST, the chance of ransomware is low. If you are trying to protect against internal threats, your only choice is to lock down access to the Data Domain. You can't protect data against an administrator. The administrator can for example delete an MTree or remove retention lock.

        On the NetBackup side (HA setup on Linux) we mounted a separate Data Domain MTree via NFS. The storage unit type on NetBackup was the basic STU since it's the easiest STU to do catalog recovery from; it's basically just pointing to the catalog files and off you go. But to protect from an accidental recursive deletion (rm -rf /) we used Data Domain retention lock on the MTree. This created directories in the catalog structure called .root and within the directory was a copy of the data protected by the retention lock. The .root directory was write protected.

        We only used retention lock on the basic storage unit, never the BOOST-based.

  • Thanks to all.

    StefanosM, as I understand it, in NB 8.3, I can use NB to activate the retention lock feature on a per backup basis. So the protection will be the same as the backup image retention. I presume that I can then have mixed retention lock times on a single DD LSU. But it also sounds like I can still use retention lock (i.e., if I'm not at 8.3), and just manage the lock time at the DD level (like Nicolai's example). I'd probably want to do the latter, even if I were at 8.3, and set up retention lock < backup retention, in the event I do need to delete backups before expiration... like if I'm running out of capacity on the DD.

    • Nicolai
      Moderator

      Hi again zmlat 

      Image deletion in NetBackup is a constant process, e.g. NetBackup does a cleanup each time an "image clean" job is run. You want to make sure NetBackup can always delete the images; the worst case is images being left on the Data Domain that NetBackup doesn't know about. Do testing first before implementing in production.

  • Is there also any compatibility for doing AIR from Primary site Flex Appliance Disk pool --> to --> DR site BYO connected DD appliances using DDBoost (OpenStorage)?

    • davidmoline
      Level 6

      Hi Kalm 

      This should really be put in a separate thread as it is not strictly related to the original post.

      That said, AIR can only work between same OST devices (MSDP->MSDP, or DD->DD). So your proposal will not be possible. 

      David

  • Thanks a lot for your response.

    Yes, it should be in a separate thread. I don't know how to move the new discussion now.

    But, I understand that there is a workaround if we make a BYO media server only and connect it with Flex Appliance (Primary Site) and then configure SLP to duplicate the backup images (initially stored on MSDP) to DD (OpenStorage) connected with BYO media server only or FlexAppliance Media server.

    In the above case, we will not be doing AIR but we have all the images at DR site and only need to restore the catalog to restore the images from DD based storage media server.