Physical Linux server as proxy and repository?

[rex barlow]

For the past several years we have been using beefy Windows servers that have the proxy role and are repository servers with fiber channel connected storage to an Infinidat that is used solely for backups and replicated to another offsite. This has worked well and offers great throughput with san backups.

We would like to leverage the Linux Immutable hardened repository now using theses same big HP Proliant servers that are Windows today but it appears you can't install the proxy role on a Linux server if it has the repos role and the repos are already immutable?

How are others getting around this in a large environment? I can't upgrade all my windows servers to linux if all they will be is repo servers, I would have no proxies! Will it require dedicated physical servers that are just repository servers? Any way to do this without adding more servers to the mix?

I was getting help from support with another issue (Support ID: #xxxxxx) when we ran into this without a clear answers so I thought I would ask in here.

How have others in large environments moved to Linux repositories?
Thanks in advance,
Rex

[HannesK]

Hello,
and welcome to the forums.

Correct: for security reasons, the Hardened Repository is a standalone role today. We will allow NBD proxies on Hardened Repository in V12, because NBD does not require root permissions (other backup modes require "mount" and "mount" requires root).

There are workaround available with LXC / LXD (please use forum search), but you have to ask yourself, whether that reduces security.

The choice is up to you: increased security or higher density. I mean, using Infinidat as backup repository is one of the most expensive ways If it's about saving costs overall, I recommend looking at high density servers. As you mention HPE: HPE has Apollo servers, where we have seen 4-6GByte/s read / write speed from 4 rack units (maxing out 100Gbit/s networks). Of course, also servers from other vendors would work (Cisco, Dell, whatever)

Best regards,
Hannes
PS: I removed your support ID, as that ID is sensitive. If you are asking around technical issues, please post the case number (never support contract IDs)

[ferrus]

We were in the same position last year, with five high spec'd rackmount servers - purchased to host both Windows proxy and repository roles.
When Linux Hardened Repositories were announced, we knew we needed to deploy it, but faced losing all of our proxy resources and wasting a massive amount of RAM/CPU.

In the end, we managed to deploy KVM on the hosts, and spin up Linux VMs for the proxy roles, to re-use all the host unused hardware resources.
This has worked well for us for over a year, and been more stable (and more secure with the hardened repositories), than the previous Windows/ReFS setup.
KVM had much more support and documentation for us - with regard to deploying virtual HBAs and FC connecting the proxy VM guests, than LXC/LXD.

NBD in v12 sounds promising though, to remove this complexity.

The only thing I haven't been able to use in this configuration however, is the server's SSD mirror - which was spec'd for NFS cache/Instant Restores/Virtual Labs.
Although we don't often deploy these, the difference in performance is very significant without them. It could be a serious issue for DR plans.

Perhaps, I could still present them to the guest VM proxies, with a little more work - but I don't think they can be isolated like the other resources (for complete security), and don't know if there'd be a performance hit.

This would be the limitation, that could convince me to use the v12 NBD proxy, if NFS was supported too.

Otherwise - everything else works perfect in this configuration.

[rex barlow]

Thanks everyone, I appreciate the input and may look at the KVM option a bit later. Right now I am testing the use of a dedicated physical Linux hardened repository that is taking over the storage role of a Windows proxy/repository. I have already tested this a bit and the backups show they are using the SAN transport mode, which I assume runs across the network (1Gb in my test environment) backing up a small group of servers.
I am not seeing the same throughput as the same active full job using the direct attached Windows proxy/repository but the job seems to run as quick or quicker, which doesn't make a lot of sense to me.

Will it be a viable solution to have a windows proxy (that has access to the vmware luns) and a Linux Hardened repository if both of those servers run on a 10Gb network? Should I expected it to be faster than my current windows proxy/repo with direct attached storage?
Thoughts?

[HannesK]

Will it be a viable solution to have a windows proxy (that has access to the vmware luns) and a Linux Hardened repository if both of those servers run on a 10Gb network?

yes, that's possible / relatively normal. One could also use Linux proxies of course.

Should I expected it to be faster than my current windows proxy/repo with direct attached storage?

it depends on how much load your current proxy/repo had. By splitting the roles, you add network "in between". That makes it slower because of physical distance / latency of communication.

The question is, whether it's relevant or not.