Installing NetBackup Snapshot Manager in the Docker/Podman environment
From NetBackup version 10.3 onwards, the credential based authentication has been replaced with certificate based TLS authentication between NetBackup primary server and Snapshot Manager. This requires the user to provide the following details during NetBackup Snapshot Manager deployment:
(For NBCA): Mandatory options such as primary server hostname, security authentication token and Snapshot Manager FQDN hostname.
(For ECA): Additional options such as CA, key, chain and CRL path.
The minimum key size requirement for TLS certificates is 2048-bits governed by the Linux Host crypto policies where NetBackup Snapshot Manager is installed.
(For Red Hat Enterprise Linux 8 platform) Refer to Red Hat Knowledgebase article.
(For other supported operating system platforms) Refer to the operating system vendor's documentation.
Note:
When you deploy NetBackup Snapshot Manager, you may want to copy the commands below and paste them in your command line interface. If you do, replace the information in these examples that is different from your own: the product and build version, the download directory path, and so on.
NetBackup Snapshot Manager installation prerequisites on Podman:
Run the following commands to install the required packages (podman-plugins, lvm2, systemd-udev, udica, and policycoreutils-devel) on the hosts:
# yum install -y lvm2-<version>
# yum install -y systemd-udev-<version>
# yum install -y podman-plugins
# yum install -y udica policycoreutils-devel
Installing NetBackup Snapshot Manager
Perform the following appropriate steps depending on the Docker or Podman environment.
To install NetBackup Snapshot Manager
- Download the NetBackup Snapshot Manager image to the system on which you want to deploy NetBackup Snapshot Manager. Navigate to the Veritas Technical Support website.
Note:
You must log on to the support site to download
tar.gzimage file.From the Products drop-down, select NetBackup and select the required version from the Version drop-down. Click Explore. Click Base and upgrade installers.
The NetBackup Snapshot Manager image name resembles the following format for Docker and Podman environment:
NetBackup_SnapshotManager_<version>.tar.gzNote:
The actual file name may vary depending on the release version.
- Un-tar the image file using the following command:
tar -xvf NetBackup_SnapshotManager_11.1.x.x-xxxx.tar.gz
List the contents using the following command:
# ls NetBackup_SnapshotManager_11.1.x.x-xxxx.tar.gz netbackup-flexsnap-11.1.x.x-xxxx.tar.gz flexsnap_preinstall.sh
- Run the following command to prepare the NetBackup Snapshot Manager host for installation:
# sudo ./flexsnap_preinstall.sh
- Use the following command options to configure and install help:
Configure: # flexsnap_configure -h
Usage: flexsnap_configure [OPTIONS] <COMMAND> [CMD_OPTIONS] NetBackup Snapshot Manager (11.1.x.x-xxxx) configuration script Options: -h, --help Print this message and exit Command:backupTo create backup of Snapshot Manager metadata.certsList and analyze certificate data.crlTo list or update Snapshot Manager's CRL database.dmTo recreate and login to the provided datamover ID.installTo install or upgrade the Snapshot Manager stack on a host.recoverTo recover backup of Snapshot Manager metadata using provided tar.renewTo renew Snapshot Manager certificate(s).restartTo restart the Snapshot Manager services on a host.serverinfoTroubleshooting CLI to get NetBackup and Snapshot Manager server information.startTo start the Snapshot Manager services on a host.statusTo get Snapshot Manager or extension health status.stopTo stop the Snapshot Manager services on a host.truststoreTo list or update Snapshot Manager truststore.uninstallTo uninstall the Snapshot Manager stack on a host.updatecilTo update SELinux policy for resolving permission denial issue.updatedbTo update 'client' database with NetBackup details.verifyTo verify Snapshot Manager internal, external or provided certificate.verifycertTo perform certificate validation check.Run flexsnap_configure <COMMAND> --help for more information.Install: # flexsnap_configure install -h
Usage: flexsnap_configure install [OPTIONS]
Options
Description
--add-host <string>
(Optional) Add a custom host-to-IP mapping (host:ip). Can be passed multiple times for each host:ip combination.
--ca <ca>
Absolute path of root CA file.
--chain <chain>
Absolute path of certificate chain containing all intermediate CAs and server certificate except the Root CA certificate.
--crlcheck <level>
Controls how Snapshot Manager is going to perform certificate revocation status check using CRL. Value can be 0 (disable), 1 (leaf) or 2 (chain). Default is 1 (leaf).
--crlpath <directory>
Specify CRL directory location for non CDP based CRL validation. Useful if Certificate Authority is not accessible from Snapshot Manager host.
--extension
Install Snapshot Manager extension. Must be accompanied by --extname and --snapshot-manager in case of fresh installation.
--extname <name>
Snapshot Manager extension name identifier.
--hostnames <IP/FQDN>
Comma separated IP/FQDNs for Snapshot Manager.
--http-proxy <URI>
(Optional) Pass the http proxy to deployment.
Proxy input format: {http}://[username:password@]{fqdn|ip}[:port]
--https-proxy <URI>
(Optional) Pass the https proxy to deployment.
Proxy input format: {https}://[username:password@]{fqdn|ip}[:port]
-i
For interactive installation.
--key <key>
Server certificate private key path.
--no-proxy <URI>
(Optional) Pass the no proxy to deployment.
--no-proxy <hostnames>
(Optional) Hosts that are allowed to bypass the proxy server. For example, localhost,mycompany.com,<ip address>.
Must be accompanied by --http-proxy and --https-proxy.
--level <level>
Controls how certificate revocation check will be performed. Possible values can be leaf (default), chain or disable.
--path <install_path>
Install path for Snapshot Manager (default:
/cloudpoint).--passphrase <file>
Specifies the path of file that contains the passphrase to access the keystore. The first line in the file is used as passphrase.
--port <port_number>
Nginx port for Snapshot Manager(default: 443).
--primary <IP/FQDN>
NetBackup primary server IP or FQDN.
--snapshot-manager <IP/FQDN>
IP/FQDN/Private hostname of NetBackup Snapshot Manager server.
--subnet4 <string>
(Optional) IPv4 subnet in CIDR format.
--subnet6 <string>
(Optional) IPv6 subnet in CIDR format.
--token <token>
Reissue or standard token. For Snapshot Manager extension it acts as workflow token.
(Mandatory) For interactive installation.
(Optional) For Snapshot Manager deployment if NetBackup primary security setting is medium or low.
--kind <kind>
Display certificate chain only if chain option is provided. Complete certificate details will be printed if all option is provided (default). Display minimal certificate details if 'basic' option is provided.
- Interactive and non interactive installation of NetBackup Snapshot Manager:
Interactive installation of NetBackup Snapshot Manager (NBCA/ECA)
NetBackup Snapshot Manager host is behind a proxy server:
# flexsnap_configure install -i --no-proxy <no_proxy_value> --http-proxy <http_proxy_value> --https-proxy <https_proxy_value>
NetBackup Snapshot Manager/Primary server is configured with private hostname:
# flexsnap_configure install -i --add-host <nbsm_hostname>:<IP> --add-host <primary_hostname>:<IP>
NetBackup Snapshot Manager installation on custom path:
# flexsnap_configure install -i --path <installation_path>
Note:
The flexsnap_configure CLI uses privilege flag implicitly (-u 0).
The installer displays messages similar to the following for interactive CLI (NBCA):
# flexsnap_configure install -i Please provide NetBackup Primary details: NetBackup primary server IP Address or FQDN: <nbu_primary_fqdn> Start configuring with NetBackup CA certificate. Provide NetBackup authentication token: <security_token> NetBackup Snapshot Manager hostname for TLS certificate (64 char FQDN limit): <snapshot_manager_fqdn> Port (default:443): Configuration started at time: Wed Jan 3 05:33:08 UTC 2024 Podman server version: 4.2.0 This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx Creating network: flexsnap-network ...done Starting container: flexsnap-fluentd ...done Creating container: flexsnap-postgresql ...done Creating container: flexsnap-rabbitmq ...done Creating container: flexsnap-certauth ...done Creating container: flexsnap-api-gateway ...done Creating container: flexsnap-coordinator ...done Creating container: flexsnap-listener ...done Creating container: flexsnap-agent ...done Creating container: flexsnap-onhostagent ...done Creating container: flexsnap-scheduler ...done Creating container: flexsnap-policy ...done Creating container: flexsnap-notification ...done Creating container: flexsnap-nginx ...done Waiting for Snapshot Manager configuration to complete (21/21) ...done Configuration complete at time Wed Jan 3 05:37:54 UTC 2024! Please register Snapshot Manager with NetBackup primary server
The installer displays messages similar to the following for interactive CLI under ECA:
# flexsnap_configure install -i Please provide NetBackup Primary details: NetBackup primary server IP Address or FQDN: <nbu_primary_fqdn> Start configuring external CA certificate. Absolute path of the root CA certificate file: <root_ca_file> Absolute path of server private key file: <server_key_file> Absolute path of server certificate chain: <server_chain_file> Absolute path of key passphrase file (Press ENTER if keyfile is non encrypted): <server_passphrase_file> Absolute path of CRL directory (Press ENTER for CDP based CRL check): <crl_path> CRL check level, Press ENTER for default 1 i.e. LEAF (0: DISABLE, 1: LEAF and 2:CHAIN): <crl_level> NetBackup Snapshot Manager hostname for TLS certificate (64 char FQDN limit): <snapshot_manager_fqdn> Port (default:443): <snapshot_manager_port> Configuration started at time: Tue Jan 2 10:44:07 UTC 2024 Podman server version: 4.2.0 This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx Creating network: flexsnap-network ...done Starting container: flexsnap-fluentd ...done Creating container: flexsnap-postgresql ...done Creating container: flexsnap-rabbitmq ...done Creating container: flexsnap-certauth ...done Creating container: flexsnap-api-gateway ...done Creating container: flexsnap-coordinator ...done Creating container: flexsnap-listener ...done Creating container: flexsnap-agent ...done Creating container: flexsnap-onhostagent ...done Creating container: flexsnap-scheduler ...done Creating container: flexsnap-policy ...done Creating container: flexsnap-notification ...done Creating container: flexsnap-nginx ...done Waiting for Snapshot Manager configuration to complete (21/21) ...done Configuration complete at time Tue Jan 2 10:49:02 UTC 2024! Please register Snapshot Manager with NetBackup primary server
Non interactive installation of NetBackup Snapshot Manager with NetBackup CA (NBCA)
NetBackup primary server security level is MEDIUM or Snapshot Manager hostname is known to primary server:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn>
NetBackup primary server security level is HIGH or VERY HIGH:
# flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn>
NetBackup Snapshot Manager host is behind a proxy server:
# flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn> --no-proxy <no_proxy_value> --http-proxy <http_proxy_value> --https-proxy <https_proxy_value>
NetBackup Snapshot Manager/Primary server is configured with private hostname:
# flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn> --add-host <nbsm_hostname:IP> --add-host <primary_hostname:IP>
NetBackup Snapshot Manager installation on custom path/port:
# flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn> --path <installation_path> --port <port>
The installer displays messages similar to the following for non-interactive CLI (NBCA):
# flexsnap_configure install --primary <nbu_primary_fqdn> --token <security_token> --hostnames <snapshot_manager_fqdn> Start configuring with NetBackup CA certificate. Configuration started at time: Wed Jan 3 05:33:08 UTC 2024 Podman server version: 4.2.0 This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx Creating network: flexsnap-network ...done Starting container: flexsnap-fluentd ...done Creating container: flexsnap-postgresql ...done Creating container: flexsnap-rabbitmq ...done Creating container: flexsnap-certauth ...done Creating container: flexsnap-api-gateway ...done Creating container: flexsnap-coordinator ...done Creating container: flexsnap-listener ...done Creating container: flexsnap-agent ...done Creating container: flexsnap-onhostagent ...done Creating container: flexsnap-scheduler ...done Creating container: flexsnap-policy ...done Creating container: flexsnap-notification ...done Creating container: flexsnap-nginx ...done Waiting for Snapshot Manager configuration to complete (21/21) ...done Configuration complete at time Wed Jan 3 05:37:54 UTC 2024! Please register Snapshot Manager with NetBackup primary server
Non interactive installation of NetBackup Snapshot Manager with external CA (ECA)
Encrypted private key:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --passphrase <file>
Non encrypted private key:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file>
With user provided CRL path/CRL check:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --crlpath <directory> --crlcheck <level>
NetBackup Snapshot Manager host is behind a proxy server:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --no-proxy <no_proxy_value> --http-proxy <http_proxy_value> --https-proxy <https_proxy_value>
NetBackup Snapshot Manager/Primary server is configured with private hostname:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --add-host <nbsm_hostname:IP> --add-host <primary_hostname:IP>
NetBackup Snapshot Manager installation on custom path/port:
# flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --path <installation_path> --port <port>
The installer displays messages similar to the following for non-interactive CLI (ECA):
# flexsnap_configure install --primary <nbu_primary_fqdn> --hostnames <snapshot_manager_fqdn> --ca <root_ca_file> --key <server_key_file> --chain <server_chain_file> --passphrase <server_passphrase_file> --crlpath <crl_path> --crlcheck <level> Start configuring external CA certificate. Configuration started at time: Tue Jan 2 11:35:21 UTC 2024 Podman server version: 4.2.0 This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx Creating network: flexsnap-network ...done Starting container: flexsnap-fluentd ...done Creating container: flexsnap-postgresql ...done Creating container: flexsnap-rabbitmq ...done Creating container: flexsnap-certauth ...done Creating container: flexsnap-api-gateway ...done Creating container: flexsnap-coordinator ...done Creating container: flexsnap-listener ...done Creating container: flexsnap-agent ...done Creating container: flexsnap-onhostagent ...done Creating container: flexsnap-scheduler ...done Creating container: flexsnap-policy ...done Creating container: flexsnap-notification ...done Creating container: flexsnap-nginx ...done Waiting for Snapshot Manager configuration to complete (21/21) ...done Configuration complete at time Tue Jan 2 11:40:12 UTC 2024! Please register Snapshot Manager with NetBackup primary server
Parameter
Description
Following parameters are required only if the instance uses a proxy server
<http_proxy_value>
Represents the value to be used as the HTTP proxy for all connections.
For example,
"http://proxy.mycompany.com:8080/".<https_proxy_value>
Represents the value to be used as the HTTPS proxy for all connections.
For example,
"http://proxy.mycompany.com:8080/".<no_proxy_value>
Represents the addresses that are allowed to bypass the proxy server. You can specify host names, IP addresses, and domain names in this parameter.
Use commas to separate multiple entries. For example,
"localhost,mycompany.com,192.168.0.10:80".Note:
If NetBackup Snapshot Manager is being deployed in the cloud, ensure that you set the following respective values in this parameter:
For an AWS instance: 169.254.169.254
For a GCP virtual machine: 169.254.169.254,metadata,metadata.google.internal
For an Azure virtual machine: 169.254.169.254
NetBackup Snapshot Manager uses these addresses to gather instance metadata from the instance metadata service.
Setting the root CA certificate of the SSL based proxy server
(Applicable only for Azure based VM deployment) The root CA certificate of proxy can be provided after NetBackup Snapshot Manager deployment using the following command:
flexsnap_configure truststore --ca <Root CA Cert File>
- Use the following docker command to view the docker images that are loaded on the host:
(For Docker) # sudo docker images
(For Podman) # sudo podman images
The output resembles as follows:
REPOSITORY TAG IMAGE ID CREATED SIZE veritas/flexsnap-deploy 11.1.x.x-xxxx 5260748d9eab 18 minutes ago 586MB veritas/flexsnap-rabbitmq 11.1.x.x-xxxx cff89dc78a2f 18 minutes ago 546MB veritas/flexsnap-postgresql 11.1.x.x-xxxx 0b87fe88cf94 18 minutes ago 537MB veritas/flexsnap-nginx 11.1.x.x-xxxx ee1cf2a3159e 18 minutes ago 649MB veritas/flexsnap-fluentd 11.1.x.x-xxxx a384e3fc4167 19 minutes ago 681MB veritas/flexsnap-core 11.1.x.x-xxxx 2393b221bf19 20 minutes ago 916MB veritas/flexsnap-datamover 11.1.x.x-xxxx 8254c537bdb4 38 hours ago 1.18GB
- Provide the following details when prompted on the command prompt:
Parameter
Description
Authorization token
If NetBackup Certificate Authority is used, the installer requires an authorization token to successfully deploy security certificates.
Host name for TLS certificate
Specify the IP address or the Fully Qualified Domain Name (FQDN) of the NetBackup Snapshot Manager host.
The specified name or IP address is added to the list of host names to use for configuring NetBackup Snapshot Manager. The installer uses this name to generate a server certificate for the NetBackup Snapshot Manager host.
Port
Specify the port through which the NetBackup Snapshot Manager can communicate. Default is port 443.
The installer then displays messages similar to the following:
Configuring admin credentials ...done Waiting for Snapshot Manager configuration to complete (22/22) ...done Configuration complete at time Thu Jun 9 06:15:43 UTC 2022!
Note:
After the deployment of NetBackup Snapshot Manager, ensure that the IPv6 interface on the system is not disabled.
- This concludes the NetBackup Snapshot Manager deployment process. The next step is to register the NetBackup Snapshot Manager with the Cohesity NetBackup primary server.
If NetBackup Snapshot Manager is deployed in the cloud, refer to the NetBackup Web UI Cloud Administrator's Guide for instructions.
Note:
If you ever need to restart NetBackup Snapshot Manager, use the flexsnap_configure restart command so that your environmental data is preserved.
Non-CDP based CRL validations: User can specify the path to the directory containing revoked certificates of the external CA during installation. The ECA_CRL_PATH parameter would be added to the
/cloudpoint/openv/netbackup/bp.conffile. The path always points to the/cloudpoint/eca/crldirectory where the certificate revocation lists (CRL) of the external CA are located.CDP based installation: Snapshot Manager uses CRL Distribution Point (CDP) to verify revocation status of the peer host's certificate.
Note:
The CIL policy for Podman based deployments would be automatically loaded and applied for RHEL 8 and 9.