3 weeks ago
Hello,
I'm looking to turn on Data Domain retention lock and was wondering if there is any configuration on the NetBackup side required to make full use of the DD feature? My Veritas SE says this DD feature is transparent to NB, but Dell guy mentioned there might be some integration on the NB side (as there is for NetWorker).
I did read about the "retention" command. It seems to be something new in version 8.3 (?). Not sure if that is strictly a NB feature that does the same as the DD retention lock (or if it's strictly a feature in the Flex appliance). We're currently on NB 8.2, but will be upgrading to 9.x (no appliance).
Thanks
3 weeks ago - last edited 3 weeks ago
I was searching for the same two months ago. I found nothing from Veritas or EMC.
I found what I was searching for from the community:
https://www.linkedin.com/pulse/immutability-worm-mit-netbackup-83-und-dell-data-domain-weber/
You can use Google Translate or just check the images.
3 weeks ago
Hi @zmlat
If you review the HCLs for NetBackup you will find that WORM/immutable data storage is supported from NetBackup 8.3.0.1 with the appropriate version of the OST plug-in (the specific version depends on the connectivity to the DD).
If you also want to use client direct, then you need NetBackup 9.1 or greater.
Regards
David
3 weeks ago
Can you elaborate what "client direct" means?
Because as far as I know, and I hope that will never change, you cannot send the backups directly from a NetBackup client to Data Domain.
3 weeks ago
Hi @StefanosM
My apologies, it is mentioned in the HCL in relation to WORM/Immutable data, but I agree with what you say. Client direct is another name for client-side deduplication, so it is not supported with a Data Domain (hopefully ever).
I was merging the WORM support with DD and a general comment about WORM and client direct support with 9.1.
So the first statement I made stands. The second is not relevant for Data Domain - it only applies for MSDP WORM capable devices (such as a Flex WORM instance).
Thanks for the pickup.
David
3 weeks ago
Hi,
It's not fully transparent to NetBackup. NetBackup is aware of the target device capabilities via the OST plug-in. So the requirements are:
- NetBackup version: It has to be at least 8.3.0.1 on master and media servers.
- OST plug-in version that Veritas certified to leverage Retention Lock. It's on the HCL.
- DDOS version: Check the DDOS version and OST plug-in compatibility. Best to keep both on par.
If Retention Lock is enabled on an existing Storage Unit (MTree) on DD, you just need to use the "tpconfig update" command so that NetBackup can pick up the appropriate flag and report it as a WORM capable device.
3 weeks ago - last edited 3 weeks ago
Hi @zmlat
What do you want to achieve by using retention lock? Ransomware protection?
On older versions of Netbackup I used Data Domain retention lock with the NBU basic STU to protect the catalog backup against accidental recursive deletion. The basic STU used an NFS share on the Data Domain.
The setup was straightforward: I created a separate Mtree on the Data Domain and exported it via NFS. The retention lock on the Data Domain must be shorter than the Netbackup retention, else Netbackup will not be able to delete the images during image cleanup.
Update - Sharing a FAQ about the DD RL : https://www.dell.com/support/kbdoc/da-dk/000079803/data-domain-retention-lock-frequently-asked-quest...
Best Regards
Nicolai
2 weeks ago
Thanks for the reply. I reviewed the HCL and found no mention of retention lock, so not sure if the reference to WORM/8.3 is for the DD retention lock feature.
2 weeks ago
Thanks Stefanos... that actually looks like what I'm looking for.
2 weeks ago
Hello Nicolai.
I'm basically trying to protect the backups (not necessarily the catalog), whether it be ransomware or someone intentionally deleting backup images. I can NFS export the backup STU on the DD, and delete all my backups. Seems from the aforementioned replies there is some integration with NB.
Curious about your catalog setup... did you run the catalog from that mtree? I guess you can't turn on compression on the catalog (but if it's deduped, I guess you don't need to).
2 weeks ago
Thanks to all.
@StefanosM as I understand it, in NB 8.3, I can use NB to activate the retention lock feature on a per backup basis. So the protection will be the same as the backup image retention. I presume that I can then have mixed retention lock times on a single DD LSU. But it also sounds like I can still use retention lock (i.e., if I'm not at 8.3), and just manage the lock time at the DD level (like @Nicolai's example). I'd probably want to do the latter, even if I were at 8.3, and set up retention lock < backup retention, in the event I do need to delete backups before expiration... like if I'm running out of capacity on the DD.
2 weeks ago
Hi @zmlat
Since Data Domain is API based if using BOOST, the chance of ransomware is low. If you are trying to protect against internal threats, your only choice is to lock down access to the Data Domain. You can't protect data against an administrator. The administrator can for example delete an Mtree or remove retention lock.
On the Netbackup side (HA setup on Linux) we mounted a separate Data Domain Mtree via NFS. The storage unit type on Netbackup was the basic STU since it's the easiest STU to do catalog recovery from; it's basically just pointing to the catalog files and off you go. But to protect from an accidental recursive deletion (rm -rf /) we used Data Domain retention lock on the Mtree. This created directories in the catalog structure called .root and within the directory was a copy of the data protected by the retention lock. The .root directory was write protected.
We only used retention lock on the basic storage unit, never the BOOST based.
2 weeks ago
Hi again @zmlat
Image deletion in Netbackup is a constant process, e.g. Netbackup does a clean up each time an "image clean" job is run. You want to make sure Netbackup always can delete the images; worst case is images being left on Data Domain that Netbackup doesn't know about. Do testing first before implementing in production.