notes/archive/veeam-hardened-repo/Veeam-Hardened-Repository-via-Linux-GUIDE.md
2025-02-24 09:05:36 +01:00


Intro - Hardened Repository

Backup files can be further protected by adding a hardened repository based on a Linux server to the backup infrastructure. It supports the following features:

  • Immutability: when you add a hardened repository, you specify the time period during which backup files must be immutable. During this period, files stored in this repository cannot be modified or deleted.
  • Single-use credentials: credentials that are used only once to deploy Veeam Data Mover, or transport service, while adding the Linux server to the backup infrastructure. These credentials are not stored in the backup infrastructure.

About Hardened Repositories

https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_about.html

Requirements and Limitations

Linux Server

Note

To reduce the attack surface, use a physical machine with local storage. For RAID configuration, recommendations are the following:

  • [For the OS] RAID 1 on SSDs with at least 100 GB disk space should be used.
  • [For backup data] RAID 6/60 with write-back cache should be used. At least one disk must be configured for the drive roaming.
  • Internal disk cache must be disabled.
  • RAID stripe size should be 128 or 156 KB.
  • The Linux machine file system must support immutable files and extended attributes modified by the chattr and setxattr commands. We recommend using XFS for performance and space efficiency reasons (block cloning support).
  • As the hardened repository requires the block storage, you cannot use the following storage types:
    • NFS share or a Linux machine with the mounted NFS volume.
    • A Linux machine with the mounted SMB (CIFS) volume.
  • Depending on the Linux distribution, Veeam services use one of the following Linux firewall managers to operate correctly:
    • firewalld
    • ufw
    • iptables
    • ip6tables
    If none of the firewall managers are installed, make sure that you open all required ports manually.
  • You must add the Linux machine to the Veeam Backup & Replication console as a managed server. The hardened repository cannot be shared between different Veeam Backup & Replication servers.
  • The Linux machine should have a redundant network connection.

Repository

  • To store backup files in a repository, use only a forward incremental backup method with active full or synthetic full backups enabled. Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, you cannot select a reverse incremental or a forever forward incremental backup method.
  • For importing a backup, use VBK backup files. Metadata files of a backup chain (.VBM) cannot be immutable because they are updated on every job pass.
  • For security reasons, you cannot assign the role of the gateway server to the hardened repository. If you use backup copy and file copy jobs, the role of the gateway server must be assigned to the mount server associated with the hardened repository.
  • Starting from version 12.1, Veeam Backup & Replication does not support symlinks in the path to the hardened repository.
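
The file system, block storage and symlink requirements listed above can be checked on the Linux server before it is added as a repository. The script below is an added example, not part of this guide or of Veeam's documentation; it assumes findmnt, chattr and setfattr are installed and that it runs as root, and the attribute name user.preflight is made up for the check.

```sh
#!/bin/sh
# Added example (not from the guide): pre-flight checks for a repository path.
# Assumes findmnt (util-linux), chattr (e2fsprogs) and setfattr (attr package).

# Block storage only: reject the network file systems the requirements exclude.
fs_type_allowed() {
    case "$1" in
        nfs|nfs4|cifs|smb3) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds when any component of the path is a symlink (unsupported since 12.1).
path_has_symlink() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        [ -L "$p" ] && return 0
        p=$(dirname "$p")
    done
    return 1
}

# Needs root: writes an extended attribute, sets the immutable flag on a
# scratch file, confirms that a write is refused, then cleans up.
supports_immutable_and_xattr() {
    f=$(mktemp "$1/.preflight.XXXXXX") || return 1
    rc=0
    setfattr -n user.preflight -v 1 "$f" 2>/dev/null || rc=1
    if chattr +i "$f" 2>/dev/null; then
        if ( : >> "$f" ) 2>/dev/null; then rc=1; fi
        chattr -i "$f"
    else
        rc=1
    fi
    rm -f "$f"
    return $rc
}

preflight() {
    dir=$1
    fstype=$(findmnt -n -o FSTYPE --target "$dir") || return 2
    fs_type_allowed "$fstype" || { echo "FAIL: $fstype is not block storage"; return 1; }
    if path_has_symlink "$dir"; then echo "FAIL: symlink in path"; return 1; fi
    supports_immutable_and_xattr "$dir" || { echo "FAIL: no immutable flag or xattr support"; return 1; }
    [ "$fstype" = xfs ] || echo "NOTE: $fstype passed, but XFS is recommended"
    echo "OK: $dir on $fstype"
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it as root with the intended repository directory as its only argument.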

Immutability Feature

  • To use the immutability feature for backup copy jobs, enable the GFS retention policy.
  • Do not use the immutability feature for a Nutanix Mine infrastructure. Because Mine repositories contain thin-provisioned disks, Veeam Backup & Replication may use the full storage capacity of a repository and then be unable to delete backups from the file system.

Prepare a Linux Server

Installing Ubuntu Linux Server

https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120

Adding Hardened Repositories

  1. Launch the New Backup Repository wizard.
  2. Specify the hardened repository name and description.
  3. Specify a Linux server.
  4. Configure hardened repository settings.
  5. Specify mount server settings.
  6. Review and apply settings.