Host-based backup of Microsoft Hyper-V VMs.
Post Reply
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Copy-Only backup without credentials

Post by Alkochm »

Hello.
Is there any way to perform backup of VMs on copy-only mode without specifying credentials for guest OS?

In our case we provide VMs to our clients and doesn't have administrative access to every VM.
But we have to backup these VMs of course.

Without credentials, Guest Processing options in backup job cannot be configured, so backup is taken in default mode.
It breaks SQL server backup chain inside VM, because it writes last full backup information and truncate logs. So, we interrupt clients control over backup procedure.

Before that, we was able to use DPM for Hyper-V backup in copy-only mode without any credentials for guest OS
REG key on Hyper-V host: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\2.0] "CopyBackupEnabled"=dword:00000001

So, if I understand things correctly, VSS_BACKUP_TYPE VSS_BT_COPY is set during the initialization of the backup procedure on the Hyper-V host level and passed through inside VMs VSS(using Hyper-V backup integration services) and to SQL VSS writer.
This interaction doesn't require direct guest OS access.

Can't this behavior be used in VBR? Am I missing something and there is option for that?
Rick.Vanover
Veeam Software
Posts: 708
Liked: 167 times
Joined: Nov 30, 2010 3:19 pm
Full Name: Rick Vanover
Location: Columbus, Ohio USA
Contact:

Re: Copy-Only backup without credentials

Post by Rick.Vanover »

Hi Alexey - welcome to the Veeam forums. For the guest OS - we can do a backup without guest credentials. This is by not filling out the application-aware image processing part of a backup job. The main thing that needs to be disclosed in this situation is that the backup of the VM is crash-consistent.

So - basically as long as you have the permissions on the host to A) install the Veeam services and B) do the backups - then you don't need anything on the guest OS.

As much as we advocate a lot for the application-aware image processing - many organizations (especially service providers) do not drop it in the backup job.

I read through your topics above, but I think it's just over complicating. Veeam is rather straightforward to use - and the situation you are seeking likely can be done without the guest credentials as I laid out.
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

Looks like I wasn't clear, I will try to say in other words.
Yes, we can configure backup without application-aware settings configured. Yes, it works.
BUT in breaks the chain of SQL backups inside VM because backup of VM, taken from the host, Is Not Copy-Only.

For example, inside VM, client doing some work with SQL server. He set up some backup procedure with Full-Diff-Log backups schedule for SQL inside VM. Client wants to recover from these backup files sometime. He takes Full backup+Diff backup+Log backup files and restores from them later.

But, if we did a backup of the VM in the middle of this procedure, and this backup is not copy-only, than this backup is considered latest Full for SQL, so, the next Diff backup will be the diff between our backup of VM and that time, not the difference between the clients last Full backup and that time.
So, even if client wants to recover from their files from inside VM on the next day - he can't , because he needs full backup file from our backup of VM (because it is the latest one).

This occurs because of interaction between Hyper-V Host's backup integration services with VMs VSS provider, that interacts with SQL VSS writer.

This problem Is already solved in some other backup products with setting backup type of VMs on the host level to Copy-Only, so it is not interfering with backup of transactional applications inside VM.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Copy-Only backup without credentials

Post by Mike Resseler »

Hey Alexey,

I believe you are searching for this: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Can you look at it and see if this answers your need?

Thanks
Mike
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

These settings require credentials and access to VMs guest OS. We have neither.

Clients VMs is completely isolated from backup or Hyper-V infrastructure in their own networks and we can't have administrative access inside clients VMs.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Copy-Only backup without credentials

Post by Mike Resseler »

Alexey,

I will need to verify and will ask around. What backup method are you using in Hyper-V? Hyper-V Guest Quiescence?
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

Yes, Hyper-V Guest Quiescence is enabled.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Copy-Only backup without credentials

Post by Mike Resseler »

Hey Alexey,

I heard around. If you want to use Hyper-V Quiescence, then indeed those attributes will be changed. The only way to change this with Hyper-V quiescence is by changing a registry inside the VM (which probably won't work since you don't have access...)

Code: Select all

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtualization\VssRequestor 
Name: BackupType 
Type: REG_DWORD 
Value: 0 or 1 
Change it to 1 to make sure that application backup is not affected through the VM backup.

Another possibility is to use crash-consistent backup only. That would also make sure there is nothing changed inside the VM
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

Already tried this reg key.
Yes, inside guest OS.
No effect.
(Both Hyper-V and guest have september 2018 updates)
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Copy-Only backup without credentials

Post by Mike Resseler »

It really should not truncate the logs at that moment. That seems very odd to be fair. Can you see in that guest (I assume you are using a test VM or something) that the logs are actually truncated? In that case, I think it is best to create a support call.
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

To be really fair - that reg key never worked even with DPM.
The only thing that can make VSS backup to be copy only - is VSS_BT_COPY flag that is set in IVssBackupComponents::SetBackupState on the host level during backup initialization.
In other words - only application, that initalizes backups can control this behavior.
With DPM - we was able to do it, because DPM agent have reg key to enable copy-only backups.

From the SQL server side it looks like this:
"select backup_start_date, backup_finish_date, is_copy_only, type
from msdb.dbo.backupset
order by backup_start_date"

https://i.imgur.com/QDTdibZ.png

Here you can see the difference.
If Hyper-V Guest Quiescence is disabled - there is no record about backup inside VM.

What we trying to achieve here, is to configure similar with previous backup system behavior (application aware level of consistency).

Yes, I get that disabling Guest Quiescence kinda solves some part of the problem (and makes backups not so consistent) BUT we was able to achieve higher level of consistency with application-aware backups before with DPM without credentials and direct guest OS access.
It is strange that the same cannot be configured in Veeam.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Copy-Only backup without credentials

Post by Mike Resseler » 1 person likes this post

I'm afraid that this is the only way it will work with Veeam. But I will certainly pass it to the developer team to see if we can look into this. Not sure how this will be done without an agent though, but they will know better.
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

Thanks, will be waiting for updates.

About agentless behavior. As I mentioned before, backup with all the flags is initialized on the Hyper-V host level. If Hyper-V child partition shapshot is used, than it triggers VSS snapshot inside guest OS and flags are passed from the Hyper-V Host level. Than VSS inside guest os triggers snapshot through SQL VSS writer and passes all the flags further.
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Copy-Only backup without credentials

Post by foggy » 1 person likes this post

Thanks Alexey, this does sound like a valid feature request and something we may consider for the following versions.
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

Hi.
Is there any news?
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm » 1 person likes this post

Veeam support helped me with this.
There is a non documented registry key to make VSS backups on Hyper-V hosts copy only.
Case # 04639992. So you can refer to it if you have the same problem.
mkaec
Veteran
Posts: 462
Liked: 133 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K
Contact:

Re: Copy-Only backup without credentials

Post by mkaec » 1 person likes this post

I'm super puzzled by this. The Hyper-V documentation has a note:

"For VMs on Microsoft Hyper-V Server 2016 and later, mind the following:

If you enable Hyper-V guest quiescence and leave application-aware processing disabled in the job, Veeam Backup & Replication performs backup using the VSS_BT_FULL method. This method backs up databases and transaction logs and then truncates the transaction logs.
...
You can change the backup method to VSS_BT_COPY with a registry key. For more information, contact Veeam Customer Support."

I opened a support case asking for how to enable VSS_BT_COPY in B&R late on a Friday. I got a response late Monday giving me the information for how to do it in VAW. I entered a case note indicating that I had been provided information for the wrong product. 2 days later, after no additional response, I clicked the link to request an update and later received the information for B&R. I thought maybe support would include special information about how to correctly use the setting. Perhaps something like "If you turns this on, X, Y, Z will happen and you'll need to account for that with A, B, C." But that didn't happen. I was just told what registry value to set.

This was all unnecessary and a waste of time. At the minimum, the details should be made available in a KB article or directly in the Hyper-V guide. However, I actually think it should be a setting in the job. Veeam B&R is so easy to use that administrators might not even know there is a detailed guide online. Then they fall into the trap of transaction logs being unexpectedly truncated because they tried to do the right thing and not give the Veeam service account domain admin rights. The registry method also makes the change for all jobs globally. It would be much better if there was on option on the same page as the guest quiescence options allowing the VSS mode to be set. That way it would be a visual reminder of what is going to happen if any of the quests have transaction logs.

I get there is an issue if there are 2012 or older Hyper-V hosts in the job that would present a complication to creating a job option. But Windows Server 2012 is EOL in January and exited mainstream support in 2018. Surely the more common configuration now is Hyper-V 2016 or newer.
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

This vas relevant for v10.
Actually, in v11 this settings are adjustable in job creation wizard. Take a look here https://helpcenter.veeam.com/docs/backu ... ml?ver=110
mkaec
Veteran
Posts: 462
Liked: 133 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K
Contact:

Re: Copy-Only backup without credentials

Post by mkaec »

It is relevant in v11. That page the link refers to is only available when "Enable application-aware processing" is checked, which requires credentials to be specified that have access to the guest VMs in the job. The settings this thread refers to are in Storage > Advanced > Hyper-V. If Hyper-V guest quiescence is enabled, B&R will, without the secret registry setting, truncate transaction logs that are inside the guest VMs.
Alkochm
Influencer
Posts: 16
Liked: 1 time
Joined: Aug 02, 2016 3:30 pm
Full Name: Alexey
Contact:

Re: Copy-Only backup without credentials

Post by Alkochm »

Yes, my bad, I see now. That's true.
I agree that menu setting would be much better than making a support case and wasting time of both support and you.
PetrM
Veeam Software
Posts: 3229
Liked: 519 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: Copy-Only backup without credentials

Post by PetrM »

Hello,

We'll consider the idea to make a UI setting instead of registry key in one of our future releases but I cannot guarantee any ETA, we'll continue to monitor similar requests.

Thanks!
steamingPeople
Influencer
Posts: 11
Liked: 2 times
Joined: Feb 06, 2023 7:22 pm
Contact:

Re: Copy-Only backup without credentials

Post by steamingPeople » 2 people like this post

Alkochm wrote: Hello,

We'll consider the idea to make a UI setting instead of registry key in one of our future releases but I cannot guarantee any ETA, we'll continue to monitor similar requests.

Thanks!

Is there any update on having a GUI option for this?

Even better would be a per backup job setting, as there might be some backups where VSS_BT_FULL is actually useful, so having a global setting makes it impressible to mix and match.
PetrM
Veeam Software
Posts: 3229
Liked: 519 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: Copy-Only backup without credentials

Post by PetrM »

Hello,

No changes are planned at the moment but we continue to track the requests for this functionality.

Thanks!
Post Reply

Who is online

Users browsing this forum: reiso22 and 36 guests