cancel
Showing results for 
Search instead for 
Did you mean: 

Bare Metal Restore failing

victorstanescu
Level 3

Hello,

I am trying to do a bare metal restore. I have a simple configuration:

Netbackup Master/Media (same server) running fresh 8.1.1 install on Redhat

Boot server also on Redhat

I have a BMR image in the catalog. I have successfuly created a dissimilar profile (which is correctly recognized). So right now, my restore client boots correctly from dhcp/tftp/nfs. The restore script starts. Everything goes fine up until it tries to execute this command:

+ /usr/openv/netbackup/bin/bprestore -w -C intra-db.i.gts.ro -S nbm.vm.gts.ro -t 0 -s 03/12/2018 09:44:48 -e 03/12/2018 09:44:48 /etc/mke2fs.conf
EXIT STATUS 2800: Standard policy restore error

Playing in the command line of the restore client, I have tried to execute this command manually, after creating the /usr/openv/netbackup/logs/bprestore folder.

In the bprestore log I have noticed "vnet_get_user_credential_path [vnet_vxss.c:1621] status 35 0x23

I have discovered a file /tmp/bp.conf, in which a parameter is called USE_VXSS , set to value AUTOMATIC.

Changing /tmp/bp.conf so that USE_VXSS = PROHIBITED, I have noticed that bprestore works fine.

Initially my master was set to Access Control Prohibited. I have switched it to Automatic and enabled the NBAC part.

Nevertheless, the BMR restore goes the same way: script dies with 2800 Standard policy error. If I edit /tmp/bp.conf, the bprestore command works perfectly fine.

All hostnames resolve correctly, I have ping between all of them. I have found some forum threads which advised to check in various ways with bpclntcmd. I did all these and it was alright.

Can somebody help me as I am lost and without any ideas?

Thanks,

Victor

1 REPLY 1

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

I wonder if 'Secure comms' that was introduced in NBU 8.1 is still not completely fixed.

8.1 secure comms 'broke' BMR and was even removed from the SCL.

I read in 8.1.1 NetBackup Release Notes  that BMR is once again supported on Linux, Windows and Solaris. 

Herewith extract from Release Notes - not sure if this will help you in any way:

Bare Metal Restore with secure communications support
Bare Metal Restore (BMR) introduces secure communications support in the
NetBackup 8.1.1 release on Linux, Windows, and Solaris platforms. NetBackup
8.1.1 does not currently support Bare Metal Restore on AIX and HP-UX platforms.

BMR requires host ID-based certificates in the recovery and discovery environment
for a secure communication between the NetBackup client and the master server.
Host ID-based certificate is required to fetch the BMR configurations during the
restore and discovery operation.

Note: Review the secure communication compatibility matrix for BMR to learn more
about the supported boot server, client, and SRT client versions. See the “Secure
communication compatibility matrices for BMR for NetBackup 8.1.1 and later
releases” section within the NetBackup Bare Metal Restore Administrator’s Guide.

For automated restore operations or Prepare to Restore (PTR) and Prepare to
Discover (PTD) enabled operations, NetBackup BMR 8.1.1 introduces new
validations and restrictions. For more information about validation checks in Prepare
to Restore (PTR) and Prepare to Discover (PTD) operations, see the following
sections within the NetBackup Bare Metal Restore Administrator’s Guide:
■ "Preparing a client for restore"
■ "Discovering a configuration"

Once these validations complete successfully, the selected NetBackup client is
marked for automatic recovery or discovery. Automatic recovery means that the
autoreissue parameter is enabled for the host. It allows you to deploy a certificate
on the host without requiring a reissue token. For more information about Allow
Auto Reissue Certificate, see the “Allowing or disallowing automatic certificate
reissue” section within the NetBackup Security and Encryption Guide.

After a successful completion of restore, the host ID-based certificate is automatically
copied on the client that is restored. The autoreissue parameter which is required
for automatic recovery is reset.

Note: With NetBackup 8.1.1, for a Windows client, after a successful completion
of restore during Direct Virtual Machine (VM) conversion (physical to virtual), you
must manually deploy the Certificate Authority (CA) certificate and the host ID-based
certificate on the client that is restored. To learn more about how to deploy host
ID-based certificates manually, see "Deploying when a token is needed" section
within the NetBackup Security and Encryption Guide.

In the case of Generic Bare Metal Restore (BMR) Restore and Generic Discovery
of Hardware that is supported on Windows platform only, you are required to
manually generate a reissue token with which you can fetch host ID-based
certificates for a secure communication between the NetBackup client and the
master. You must also validate the Certificate Authority (CA) hash certificate. For
more information about how to create a reissue token and validate the Certificate
Authority (CA) hash certificate, refer to the following sections within the NetBackup
Security and Encryption Guide:
■ "Finding and communicating the fingerprint of a CA certificate section"
■ "Creating a reissue token"

For more information about Generic Bare Metal Restore (BMR) Restore and
Generic Discovery of Hardware, see the NetBackup Bare Metal Restore
Administrator’s Guide.