Data Backup and Recovery

Some DB2 Questions

magnus_nyvall
2,627 Views

Hi!

We are setting up an environment at Volvo IT for DB2 on Netapp using NFS.

So we are planning to use Snapcreator.

One issue for us is to make sure we do not miss any volume in the configuration.

Now we have a script we run at install that asks db2 which filesystems it is using and by examining mount points we can get vfiler and volumes used.

So we can make it automatic at install phase via this script.

But if they add more databases on other volumes in the future we risk not detecting this.

So are there any plans to integrate the db2 plugin even more so it can detect which volumes to snapshot automatically.

ACS is doing this so it seems to be possible.

Another issue is security.

We can use the option to encypt passwords in the configuration file.

This is of course nice but this also means that if we feel a server has been compromised then we need to change the password on that user and find every server that uses it and change the configuration files as well. This could be a big job if we have many servers ruinning against same filer.

We would like it to be keyfile based like ssh instead. any plans for such a solution in the future? We want to be able to just make the crypto key invalid for a specifik server.

I know vfilers dont support ssl at this time but it will do it in OnTap 8.1 as far as i know.

Another perhaps stupid issue for us is that we have different departments at Volvo and we dont want others to make changes to the configuration file.

We need to be able to garantee a retention time.

Sadly all have root access to the servers. Any idea of securing that nobody can alter the configuration file.

(I know its stupid that all have root access but thats just how it is and it is not easily changed, its politics.)

Right now we have solved this by not letting Snapcreator control snapshot retention. W use PM for all retetion times. PM is exclusivly in our control.

But potentially some "stupid user" could get into the configuration and do bad things without us nowing it.

Regards Magnus

1 ACCEPTED SOLUTION

ktenzer
2,627 Views

So are there any plans to integrate the db2 plugin even more so it can detect which volumes to snapshot automatically?

This already exists. If your DB2 database is mounted through NFS then we can do a discover and actual determine if all the data files are present or if we are missing volumes. To enable this you set VALIDATE_VOLUMES=DATA

We would like it to be keyfile based like ssh instead. any plans for such a solution in the future?

This is not possible at this time. Data OnTap does not support sending keys other than for SSH. One thing we could do is as option communicate through ssh instead of through http/https then we could use ssh keys. Is this what you are requesting, an option for SC to use ssh for communication?

Another perhaps stupid issue for us is that we have different departments at Volvo and we dont want others to make changes to the configuration file.

We need to be able to garantee a retention time.

Sadly all have root access to the servers. Any idea of securing that nobody can alter the configuration file?

In Snap Creator 3.5 the GUI offers multiple users and RBAC so you could limit users like this as long as you dont allow them to use CLI. If you are using CLI then you need to handle it yourself with OS permissions. Snap Creator 4.0 will add RBAC to CLI but that wont be ready for a while.

Regards,

Keith

View solution in original post

1 REPLY 1

ktenzer
2,628 Views

So are there any plans to integrate the db2 plugin even more so it can detect which volumes to snapshot automatically?

This already exists. If your DB2 database is mounted through NFS then we can do a discover and actual determine if all the data files are present or if we are missing volumes. To enable this you set VALIDATE_VOLUMES=DATA

We would like it to be keyfile based like ssh instead. any plans for such a solution in the future?

This is not possible at this time. Data OnTap does not support sending keys other than for SSH. One thing we could do is as option communicate through ssh instead of through http/https then we could use ssh keys. Is this what you are requesting, an option for SC to use ssh for communication?

Another perhaps stupid issue for us is that we have different departments at Volvo and we dont want others to make changes to the configuration file.

We need to be able to garantee a retention time.

Sadly all have root access to the servers. Any idea of securing that nobody can alter the configuration file?

In Snap Creator 3.5 the GUI offers multiple users and RBAC so you could limit users like this as long as you dont allow them to use CLI. If you are using CLI then you need to handle it yourself with OS permissions. Snap Creator 4.0 will add RBAC to CLI but that wont be ready for a while.

Regards,

Keith

Public