Linux Hardened Repository How-To, Settings, Hardware Requirements

[Novox]

I wrote a very lengthy and detailed post that I just completely lost... maybe it's for the better. Also, I didn't want to spam support on release day so I'm posting here.

I'm going to need more assistance creating a Linux Hardened repository than (https://helpcenter.veeam.com/docs/backu ... ml?ver=110) provides.

I have a server, a bunch of disks, a hardware raid controller (which can allow for drives to passthrough directly to the OS), and I can download Ubuntu.

• Do I need "Server" or "Desktop"?

• Should the version of Ubuntu be 20.04 with kernel 5.4 since 5.8 in 20.10 doesn't seem to be supported?

• Is it ok to run Ubuntu on a dedicated USB stick or drive using ext4?

• Should I use hardware raid (for performance) or software XFS/ZFS features (for reliability and auto-healing)?

• How do I setup XFS/zpool/ZVOL?

• How do I change ownership?

• If I disable SSH now, how can the New Linux Repository wizard communicate with the server?

I did search the forums and I have previously reviewed Tom Sightler's work on hardened repositories. I guess I'm hoping for a step-by-step how-to or wizard of some sort.

Congratulations, see you all later today!

[Mildur]

Have a look at this guide. It‘s three parts.
Some of your questions can be answered:

https://www.starwindsoftware.com/blog/v ... ory-part-1

[Novox]

Does Veeam plan on producing additional documentation for this AWESOME new feature?

Mr. Van Hoye's work is a great start, but, for instance, part 1 shows how to add 2 drives as individual XFS repo drives. part 2 shows how to attach to a single repo drive. Must I use hardware RAID (and treat it like one drive), or can I add multiple JBODs and raid them in software with zfs/zpool, etc? If so, how?

Perhaps there's no benefit to this and I should simply do XFS direct on a logical hardware raid volume? I just don't know... I know hardware raid is faster, but with no OS integration, it relies on patrol reads to remedy bit rot. XFS/ZFS on the other hand (even ReFS I believe) when in software RAID mode, integrate directly with the OS and can detect bit rot instantly (on read).

[Novox]

Even better still, could there be any plans for a custom Veeam linux distro, which you can basically install ONLY for the purposes of a linux hardened repository?

(Virtual Appliance could work as well, but then requires the virtual infrastructure abstraction, aka, more attack surface area.)

[Gostev]

We're a backup vendor, we don't do Linux distros just think of all the on-going work required to maintain a custom Linux distro with kernel updates, component patches, security vulnerabilities to address etc. Many companies have built their whole business around this!

Besides, our enterprise customers have been loud and clear that they don't want any custom Linux boxes in their environment, and can only use Linux distribution approved by their security team - which are centrally managed, monitored, updated etc. Which is why we instead focus in all our functionality on providing full support for all leading Linux distributions.

Now, your suggested approach would indeed be beneficial to SMB customers without any Linux expertise, but I'm sure our huge community will close this gap quickly (especially since this functionality is available in the free edition). For example, this Hardened Repo Manager was created already back in October 2020, when v11 was still only available to play with to a few hundred people on this planet! Imagine what happens now when v11 is GA.

As for your questions, from the storage configuration perspective you should not treat hardened repositories any differently from regular Windows or Linux repositories (which we had in the product for close to 15 years now). As always, the safest bet is to just continue using whatever storage configuration you're most comfortable managing, and what you are sure will do the job. If you've been using hardware RAID all these years without issues, then just keep doing this! Let someone else experiment with other configurations, and only consider moving to those if there are enough benefits. For example, I cannot imagine what would make me want to abandon an enterprise-grade hardware RAID controller in favor of a software RAID

[Novox]

All excellent points, thank you Anton.

[WorkingHardInIt]

Hi there,

The articles I wrote are an early look and intended to help people familiarize themselves with it in the lab. Storage options vary but for a backup target I tend to use DAS and with Linux (Ubuntu) I tend to use hardware raid/LVM or combine both. I always use multiple extents /volumes, even on the same host (and in a lab) as I dislike just one large one. I prefer the flexibility multiple smaller ones give me for data life cycle management or to get people out of pickles during troubleshooting. The best SOBR design is not in the scope of this article. The best general advice is to design for failure and not to build something that allows you to paint yourself into a corner. But storage design-wise there is a lot to be discussed and one article cannot hope to cover them all to end up with final and descriptive guidance for all situations. Auto repair with bit rot is very nice with ReFS, is still in development in the Linux world afaik. But even when it works do not bank on it to save you. It can happen the repair fails ... It is an extra measure in the multitude of ayers you can use.

It is early days yet and best practices will develop based on experiences. We are learning and improving along the way. I document what I learn on XFS on my blog along the way.

Take care,
Didier

[omfk]

Hi all,

what are the proposed hardware requirements for using a Hardened Linux Repository? The repository will have to host a 5-8TB file server and several (~5) much smaller (100GB-1TB) application servers. So with 20TB usable space I think I would be quite safe. The network is still only running at 1GB but will hopefully upgraded to 10GB.
* minimum processor ( Intel Bronze/Silver or smallest AMD)
* RAM (64GB enough)
* Hardware RAID
* With 8x 6 or 8TB SAS-Disks RAID 10 vs RAID 5 or 6

Thanks in advance
Frank