cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Is there any integration with NetBackup and Data Domain retention lock?

Go to solution
zmlat
Level 4

3 weeks ago

Hello,

I'm looking to turn on Data Domain retention lock and was wondering if there is any configuration on the NetBackup side required to make full use of the DD feature? My Veritas SE says this DD feature is transparent to NB, but Dell guy mentioned there might be some integration on the NB side (as there is for NetWorker).

I did read about the "retention" command. It seems to be something new in version 8.3 (?). Not sure if that is strictly a NB feature that does the same as the DD retention lock (or if its strictly a feature in the Flex appliance). We're currently on NB 8.2, but will be upgrading to 9.x (no appliance).

Thanks

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
StefanosM
Level 6
Partner    VIP    Accredited Certified

3 weeks ago - last edited 3 weeks ago

I was searching for the same before two months. I found nothing from Veritas or EMC.

I found what I was searching from community
https://www.linkedin.com/pulse/immutability-worm-mit-netbackup-83-und-dell-data-domain-weber/
you can use google translate or just check the images

View solution in original post

12 REPLIES 12

Go to solution
StefanosM
Level 6
Partner    VIP    Accredited Certified

3 weeks ago - last edited 3 weeks ago

I was searching for the same before two months. I found nothing from Veritas or EMC.

I found what I was searching from community
https://www.linkedin.com/pulse/immutability-worm-mit-netbackup-83-und-dell-data-domain-weber/
you can use google translate or just check the images

Go to solution
davidmoline
Level 6
Employee
In response to StefanosM

3 weeks ago

Hi @zmlat 

If you review the HCL's for NetBackup you will find that WORM/immutable data storage is supported from NetBackup 8.3.0.1 with the appropriate version of the OST plug-in (the specific version depends on the connectivity to the DD).

If you also want to use client direct, then you need NetBackup 9.1 or greater.

Regards
David

Go to solution
StefanosM
Level 6
Partner    VIP    Accredited Certified
In response to davidmoline

3 weeks ago

can you elaborate what "client direct" means?
because as I know, and hope that will never change, you can not send the backups directly from netbackup client to datadomain.

0 Kudos

Go to solution
davidmoline
Level 6
Employee
In response to StefanosM

3 weeks ago

Hi @StefanosM 

My apologies it is mentioned in the HCL in relation to WORM/Immutable data, but I agree with what you say. Cllient direct is another name for client-side deduplication so it is not supported with a data domain (hopefully ever)

I was merging the WORM support with DD and a general comment about WORM and client direct support with 9.1. 

So the first statement I made stands. The second is not relevant for Data Domain - it only applies for MSDP WORM capable devices (such as a Flex WORM instance). 

Thanks for the pickup.
David

 

Go to solution
bhdrkzltn
Level 4

3 weeks ago

Hi,

It's not fully transparent to NetBackup. NetBackup is aware of the target device capabilities via OST plug-in. So requirements;

- NetBackup version: It has to be at least 8.3.0.1 on master and media servers.
- OST plug-in version that Veritas certified to leverage Retention Lock. It's on the HCL.
- DDOS version: Check the DDOS version and OST plug-in compatibility. Best to keep both on par.

 

If Retention Lock enabled on an existing Storage Unit (MTree) on DD, you just need to use "tpconfig update" command so that NetBackup can pick up the appropriate flag and report it as a WORM capable device.

 

Go to solution
Nicolai
Moderator
Moderator
Partner    VIP   

3 weeks ago - last edited 3 weeks ago

Hi @zmlat 

What do you want to achieve by using retention lock ? Ransomware protection ?

On older versions of Netbackup I used Data Domain retention lock with the NBU basic STU to protect the catalog backup against accidental recursive deletion. The basic STU used a NFS share on the Data Domain.

The setup was straight forward, I created a separate Mtree on the data domain and exported it via NFS. The retention lock on the data domain must be shorter then the Netbackup retention, else Netbackup will not be able to delete the images during image cleanup.

Update - Sharing a FAQ about the DD RL : https://www.dell.com/support/kbdoc/da-dk/000079803/data-domain-retention-lock-frequently-asked-quest...

Best Regards
Nicolai

 

Go to solution
zmlat
Level 4
In response to davidmoline

2 weeks ago

Thanks..for the reply. I reviewed the HCL and found no mention of retention lock, so not sure if the reference to WORM/8.3 is for the DD retention lock feature.

0 Kudos

Go to solution
zmlat
Level 4
In response to StefanosM

2 weeks ago

thanks Stefanos...that actually looks like what I'm look for.

0 Kudos

Go to solution
zmlat
Level 4
In response to Nicolai

2 weeks ago

Hello Nicolai.

I'm basically trying to protect the backups (not necessarily the catalog), whether it be ransomware or someone intentionally deleting backup images. I can NFS export the backup STU on the DD, and delete all my backups. Seems from the aforementioned replies there is some integration with NB.

Curious about your catalog setup...did you run the catalog from that mtree? I guess you can't turn on compression on the catalog (but if its deduped, I guess you don't need to).

0 Kudos

Go to solution
zmlat
Level 4

2 weeks ago

Thanks to all.

@StefanosM  as I understand it,  in NB 8.3, I can use NB to activate the retention lock feature on a per backup basis. So the protection will be the same as the backup image retention. I presume that I can then have mixed retention lock times on a single DD LSU.  But it also sounds like I can still use retention lock (ie., if I'm not at 8.3), and just manage the lock time at the DD level (like @Nicolai example). I'd probably want to do the latter, even if I were at 8.3, and setup retention lock < backup retention, in the event I do need to delete backups before expiration...like if I'm running out of capacity on the DD.

0 Kudos

Go to solution
Nicolai
Moderator
Moderator
Partner    VIP   
In response to zmlat

2 weeks ago

Hi @zmlat 

Since data domain are API based if using BOOST, the change of ransomware is low. If you are trying to protect against internal threats, your only choice is to lock down access to the Data Domain. You can't protect data against a administrator. The administrator can for example delete a Mtree or remove retention lock.

On the Netbackup side (HA setup on Linux) we mounted a separate Data Domain Mtree via NFS. The storage unit type on Netbackup was the basic STU since it's the easiest STU to do catalog recovery from, it basically just pointing to the catalog files and off you go.  But to protect from a accidental resurvey deletion (rm -rf /) we used Data Domain retention lock on the Mtree. This created directories in the catalog structure called .root and within the directory was a copy of the data protected by the retention lock. The .root directory was write protected.

We only used retention lock on the basic storage unit, never the BOOST based,

 

0 Kudos

Go to solution
Nicolai
Moderator
Moderator
Partner    VIP   
In response to zmlat

2 weeks ago

Hi again @zmlat 

Image deletion in Netbackup is a constant process, e.g Netbackup does a clean up each time a "image clean" job is run. You want to make sure Netbackup always can delete the images, worst case is images being left on data domain Netbackup doesn't know about. Do testing first before implementing in production.

0 Kudos