Solved: Is there any integration with NetBackup and Data D...

zmlat · ‎05-05-2022

Hello,

I'm looking to turn on Data Domain retention lock and was wondering if there is any configuration on the NetBackup side required to make full use of the DD feature? My Veritas SE says this DD feature is transparent to NB, but Dell guy mentioned there might be some integration on the NB side (as there is for NetWorker).

I did read about the "retention" command. It seems to be something new in version 8.3 (?). Not sure if that is strictly a NB feature that does the same as the DD retention lock (or if its strictly a feature in the Flex appliance). We're currently on NB 8.2, but will be upgrading to 9.x (no appliance).

Thanks

StefanosM · ‎05-05-2022

I was searching for the same before two months. I found nothing from Veritas or EMC.

I found what I was searching from community
https://www.linkedin.com/pulse/immutability-worm-mit-netbackup-83-und-dell-data-domain-weber/
you can use google translate or just check the images

View solution in original post

StefanosM · ‎05-05-2022

I was searching for the same before two months. I found nothing from Veritas or EMC.

I found what I was searching from community
https://www.linkedin.com/pulse/immutability-worm-mit-netbackup-83-und-dell-data-domain-weber/
you can use google translate or just check the images

davidmoline · ‎05-05-2022

Hi @zmlat

If you review the HCL's for NetBackup you will find that WORM/immutable data storage is supported from NetBackup 8.3.0.1 with the appropriate version of the OST plug-in (the specific version depends on the connectivity to the DD).

If you also want to use client direct, then you need NetBackup 9.1 or greater.

Regards
David

StefanosM · ‎05-05-2022

can you elaborate what "client direct" means?
because as I know, and hope that will never change, you can not send the backups directly from netbackup client to datadomain.

davidmoline · ‎05-06-2022

Hi @StefanosM

My apologies it is mentioned in the HCL in relation to WORM/Immutable data, but I agree with what you say. Cllient direct is another name for client-side deduplication so it is not supported with a data domain (hopefully ever)

I was merging the WORM support with DD and a general comment about WORM and client direct support with 9.1.

So the first statement I made stands. The second is not relevant for Data Domain - it only applies for MSDP WORM capable devices (such as a Flex WORM instance).

Thanks for the pickup.
David

bhdrkzltn · ‎05-06-2022

Hi,

It's not fully transparent to NetBackup. NetBackup is aware of the target device capabilities via OST plug-in. So requirements;

- NetBackup version: It has to be at least 8.3.0.1 on master and media servers.
- OST plug-in version that Veritas certified to leverage Retention Lock. It's on the HCL.
- DDOS version: Check the DDOS version and OST plug-in compatibility. Best to keep both on par.

If Retention Lock enabled on an existing Storage Unit (MTree) on DD, you just need to use "tpconfig update" command so that NetBackup can pick up the appropriate flag and report it as a WORM capable device.

Nicolai · ‎05-06-2022

Hi @zmlat

What do you want to achieve by using retention lock ? Ransomware protection ?

On older versions of Netbackup I used Data Domain retention lock with the NBU basic STU to protect the catalog backup against accidental recursive deletion. The basic STU used a NFS share on the Data Domain.

The setup was straight forward, I created a separate Mtree on the data domain and exported it via NFS. The retention lock on the data domain must be shorter then the Netbackup retention, else Netbackup will not be able to delete the images during image cleanup.

Update - Sharing a FAQ about the DD RL : https://www.dell.com/support/kbdoc/da-dk/000079803/data-domain-retention-lock-frequently-asked-quest...

Best Regards
Nicolai

zmlat · ‎05-11-2022

Thanks..for the reply. I reviewed the HCL and found no mention of retention lock, so not sure if the reference to WORM/8.3 is for the DD retention lock feature.

zmlat · ‎05-11-2022

thanks Stefanos...that actually looks like what I'm look for.

zmlat · ‎05-11-2022

Hello Nicolai.

I'm basically trying to protect the backups (not necessarily the catalog), whether it be ransomware or someone intentionally deleting backup images. I can NFS export the backup STU on the DD, and delete all my backups. Seems from the aforementioned replies there is some integration with NB.

Curious about your catalog setup...did you run the catalog from that mtree? I guess you can't turn on compression on the catalog (but if its deduped, I guess you don't need to).

zmlat · ‎05-11-2022

Thanks to all.

@StefanosM as I understand it, in NB 8.3, I can use NB to activate the retention lock feature on a per backup basis. So the protection will be the same as the backup image retention. I presume that I can then have mixed retention lock times on a single DD LSU. But it also sounds like I can still use retention lock (ie., if I'm not at 8.3), and just manage the lock time at the DD level (like @Nicolai example). I'd probably want to do the latter, even if I were at 8.3, and setup retention lock < backup retention, in the event I do need to delete backups before expiration...like if I'm running out of capacity on the DD.

Nicolai · ‎05-16-2022

Hi @zmlat

Since data domain are API based if using BOOST, the change of ransomware is low. If you are trying to protect against internal threats, your only choice is to lock down access to the Data Domain. You can't protect data against a administrator. The administrator can for example delete a Mtree or remove retention lock.

On the Netbackup side (HA setup on Linux) we mounted a separate Data Domain Mtree via NFS. The storage unit type on Netbackup was the basic STU since it's the easiest STU to do catalog recovery from, it basically just pointing to the catalog files and off you go. But to protect from a accidental resurvey deletion (rm -rf /) we used Data Domain retention lock on the Mtree. This created directories in the catalog structure called .root and within the directory was a copy of the data protected by the retention lock. The .root directory was write protected.

We only used retention lock on the basic storage unit, never the BOOST based,

Nicolai · ‎05-16-2022

Hi again @zmlat

Image deletion in Netbackup is a constant process, e.g Netbackup does a clean up each time a "image clean" job is run. You want to make sure Netbackup always can delete the images, worst case is images being left on data domain Netbackup doesn't know about. Do testing first before implementing in production.

Kalm · ‎11-16-2022

Is also there any compatibility of doing AIR from Primary site Flex Appliance Disk pool --> to -->DR site BYO connected DD appliances using DDBoost (Open storage) ?

davidmoline · ‎11-16-2022

Hi @Kalm

This should really be put in a separate thread as not strictly related to the original post.

That said, AIR can only work between same OST devices (MSDP->MSDP, or DD->DD). So your proposal will not be possible.

David

Kalm · ‎11-18-2022

Thanks a lot for your response.

Yes, it should be in a separate thread. I don't know how to move the new discussion now.

But, I understand that there is a workaround if we make a BYO media server only and connect it with Flex Appliance (Primary Site) and then configure SLP to duplicate the backup images (initially stored on MSDP) to DD (OpenStorage) connected with BYO media server only or FlexAppliance Media server.

In the above case, we will not be doing AIR but we have all the images at DR site and only need to restore the catalog to restore the images from DD based storage media server.

VOX

Is there any integration with NetBackup and Data Domain retention lock?