Managing AWS S3 immutable storage using msdpcldutil tool
MSDP cloud admin tool /usr/openv/pdde/pdcr/bin/msdpcldutil is used to manage immutable.
Before using this tool, set the following environment variables:
export MSDPC_ACCESS_KEY=xxxx export MSDPC_SECRET_KEY=yyyyyyyyyyyyy export MSDPC_REGION=us-east-1 export MSDPC_PROVIDER=amazon
For Amazon S3, MSDPC_ACCESS_KEY is the AWS access key associated with an IAM user. MSDPC_SECRET_KEY is the secret key associated with the access key. MSDPC_REGION is the AWS region where the bucket will be created or accessed.
If NetBackup media server is deployed on Amazon EC2 instance, you can use IAM role-based authentication after the IAM role configuration. You must have the cloud administrator permissions to create the IAM role policy and attach the IAM policy to the role.
See AWS user permissions to create the cloud immutable volume.
Perform the following tasks to create the immutable storage and configure it:
Create a cloud immutable volume.
#/usr/openv/pdde/pdcr/bin/msdpcldutil create -b bucketname -v volumename --mode GOVERNANCE --min 1D --max 30D --live 2021-12-31
List the cloud volumes.
#/usr/openv/pdde/pdcr/bin/msdpcldutil list
Update the cloud immutable volume mode.
#/usr/openv/pdde/pdcr/bin/msdpcldutil update mode -b bucketname -v volumename --mode COMPLIANCE --live 2021-12-31 --inherit enable
--inherit disable If your Governance mode data is testing and does not need to be protected, you must use this option.
--inherit enable If you want to protect the Governance mode data, you must use this option.
The volume retention mode can switch from governance to compliance. It cannot switch from compliance to governance. After governance mode is switched to the compliance mode, the new backup image retention mode is compliance. When the mode is switched from governance to compliance mode, due to the nature of deduplication, the images in compliance mode may share some data in the previous images in governance data. Users then have a choice to lock this shared data in either existing governance mode or in compliance mode.
Update the cloud immutable volume min and max retention period.
#/usr/openv/pdde/pdcr/bin/msdpcldutil update range -b bucketname -v volumename --min 1D --max 90D
# /usr/openv/netbackup/bin/admincmd/nbdevconfig -updatedv -stype PureDisk -dp disk_pool_name -dv volumename
The minimum and maximum values are defined by the min and max options. Both values must be between 1 day and 30 years. The maximum value must be less than the volume live duration.
Update the cloud immutable volume live duration.
#/usr/openv/pdde/pdcr/bin/msdpcldutil update live -b bucketname -v volumename -l 2022-01-31
The volume has live period property, which is a timestamp. The backup image retention time must be less than this timestamp. If the live period expires, the volume stops and the backup job fails with the following error message in job details:
Critical bptm (pid=xxxxx) Failed to set WORM immutable and indelible lock for image: clientname_1620671199_C1_IM with status: 2060404 Attempt to WORM lock data past the configured MSDP Cloud lifetime
Cloud administrator can bring the volume back to the running state by extending the live period. You can try the job again.