create Veeam Immutable copy on Data Domain

[Ahmed Shakran]

To achieve 3 2 1 1 0 rule, you have to create offline/immutable copy for backup images to protect them against cyber-attacks.
Unfortunately, there’s no direct option in Veeam console to create Immutable copy on Data Domain, so we have to do some steps on Data Domain to create Immutable copy of backup images.
Firstly, we have to configure Linux machine to mount Data Domain Mtrees on it and run script automatically by crontab job from it.
Then Identify the MTree used by the Veeam as a repository.
After that Create and Configure the Retention Lock MTree.
“Retention Lock feature prevents data to be modified, overwritten or deleted for the set period as defined by the Retention Lock settings.”
Finally perform Fast Copy feature to copy existing backup images in repo to Retention Lock MTree.
Below script automates creating immutable copy and checking its retention period then deleting it, and you have to change only 7 variables as shown below then create crontab job to automatically run the script on a schedule.

Code: Select all

#############################################################
# Script to automate creating immutable copy and checking its retention peroid then deleting it
#############################################################

# The following 7 variables need to be set for this script to work
DATADOMAIN='fqdn'               # FQDN or IP address of Data Domain; DATADOMAIN='datadomain.domain.local'
DDACCOUNT='account'             # The Data Domain account used to create the SSH certificate configuration; eg 'fastcopy'
APPMTREE='/data/col1/.…'        # Data Domain MTRee location used by the Application; APPMTREE='/data/col1/test'
RLMTREE='/data/col1/.…/'        # Data Domain MTree location of the 'Retention Lock' MTRee; RLMTREE='/data/col1/test-rl/' 
NFSMOUNT='/mnt/nfs/….'          # NFS export on Linux host of 'Retention Lock' MTree on the Data Domain; NFSMOUNT='/mnt/nfs/test-rl'
OUTPUT='/…/…./'                 # Directory location of the output files; OUTPUT='/tmp/script_output/test/'
RLDAYS=14                       # Retention period in days as defined in the Data Domain 'automatic retention period' parameter for the 'Retention Lock' MTRee; RLDAYS=14
# Note that a backslash is required at the end of the RLMTREE and OUTPUT variables

# Grabbing the current date/time and assigning it to the variable DATE
DATE=$(date +%Y-%m-%d_%H:%M)

# Echo the DATE stamp to the script-log text file
echo "Date and time Format to be used: $DATE" > "$OUTPUT$DATE"-script-log.txt

# Echo the Fast Copy command of the application MTree (APPMTREE) to the 'Retention Lock' MTree (RLMTREE) in the script-log text file
echo "Fast Copy of $APPMTREE to $RLMTREE$DATE" >> "$OUTPUT$DATE"-script-log.txt

# Create a Fast Copy of the application MTree (APPMTREE) and save it to the 'Retention Lock' MTree (RLMTREE) via a SSH connection
# Output from this command is captured to the script-log text file
ssh $DDACCOUNT@$DATADOMAIN filesys fastcopy source $APPMTREE destination $RLMTREE$DATE >> "$OUTPUT$DATE"-script-log.txt

# Echo Fast Copy directories that were created more than the number of days as specified in variable (RLDAYS) for log purposes
echo "Finding directories in $RLMTREE created move than $RLDAYS days ago" >> "$OUTPUT$DATE"-script-log.txt

# Find Fast Copy directories that were created more than the number of days as specified in variable (RLDAYS)
find $NFSMOUNT -maxdepth 1 -type d -ctime +$RLDAYS ! -path '*snapshot*' -printf '%p\n' >> $OUTPUT$DATE-directories.txt

# Check to see if the directories file contains any directory listings
if [ -s $OUTPUT$DATE-directories.txt ]
	then 
		echo "$OUTPUT$DATE-directories.txt contains directory listing" >> "$OUTPUT$DATE"-script-log.txt
		# Delete the directories found and listed in the $OUTPUT$DATE-directories.txt files
		# Every directory found is read and then deleted
		cat $OUTPUT$DATE-directories.txt | while read LINE
		do
			echo "Found directory: " $LINE >> "$OUTPUT$DATE"-script-log.txt
			rm -rf $LINE
			# running $? command to get he output of the above listed rm command.
			# If a 0 is returned, the directory was successful deleted
			# if a 1 is returned, the the deletion command was not completed successfully
			if [ $? -eq 0 ]
				then
					echo "Successfully deleted directory: " $LINE >> "$OUTPUT$DATE"-script-log.txt
				else
					echo "Failed to deleted directory: " $LINE >> "$OUTPUT$DATE"-script-log.txt
			fi
		done
	else
		echo "No directories found" >> "$OUTPUT$DATE"-script-log.txt
	fi

echo "End of script: " $DATE >> "$OUTPUT$DATE"-script-log.txt

# end of script


https://educationstg.dellemc.com/content/dam/dell-emc/documents/en-us/2020KS_Steen_Immutable_Data_Protection_for_Any_Application.pdf

[foggy]

Hi Ahmed, FYI, Veeam B&R v12a will natively support Retention Lock on Data Domain.

[stevekarra]

You may want to add some "buffer" to the RLDAYS variable so you don't run into problems with trying to recover files from day 13 or 14 backups when they are part of a backup chain that depends upon a full from say day 17. (restore points != retention)

Or better still, wait for Veeam 12a.

[Ahmed Shakran]

Hello Stevekarra,
Is this period sufficient if our full backup is weekly?

[stevekarra]

Yes, that could work..

It's easiest to understand by drawing what your backup chain looks like -

F i i i i i i F i i i i i i F i

Just prior to that last full, you need to retain all those copies (14 of them) to have the 7 day retention. Be aware that running an ad-hoc (manual) backup changes that, as does missed backups.

When using DD Fastcopy, you are effectively taking a snapshot of the entire backup chain.

[bartoque]

Hi Ahmed, FYI, Veeam B&R v12a will natively support Retention Lock on Data Domain.

Any information already known of what the implementation would be like? Besides the veeam 2023 key note reference, I cannot recall more insights being given?

I assume using ddboost integration with DD retention lock? And how veeam will implement this? For example being able to set it on global level so that it would apply to all backups and not only each single backup, would help to have it being applied to all backups (using a DD that is) by default, instead of needing to micromanage each and every backup job? Then you'd have immutability by default.

[Mildur]

Hello Bartoque

Yes, it's DDBoost integration with retention lock. Immutability is enabled on repository level in Veeam and affects all supported backup jobs on this repository.

We released a Beta this week. Please reach out to a Veeam system engineer in your region if you like to test this feature in your lab. Betas are managed by our field system engineers. They can provide you with a Beta builds, if there are free slots available.

Best,
Fabian