Solved: Re: Use NDMP to backup to tape from a volume that's part of the SVM-DR relationship

fll · ‎2020-05-27

I am looking at the possibility of using NDMP for backup to tape in Veeam.

When I run the command:

cluster::> security login create -user-or-group-name ndmpuser -application ssh -authmethod password -vserver <SVM-name> -role vsadmin-backup

NetApp responds:

Error: command failed: This operation is not permitted on a Vserver that is configured as the destination for Vserver DR.

Is it possible to use NDMP to tape from a volume that's part of the SVM-DR relationship?

From Veeam they tell me that it is possible.
How to configure NDMP to do it?

Thaks.

Ontapforrum · ‎2020-05-28

You're welcome.

Not all Backup software supports CAB extensions. Some do such as SnapProtect/CommVault/Veritas etc. It all depends upon the Backup Vendor's integration with NetApp. But, that's not the end of the game, you can still backup data using node-scope, but then you need to ensure that 'Physical Nodes' are added as Backup Client instead of SVM so that the backup data path is local.

What is a CAB extension?
It is used to setup data connections directly to the physical nodes which contain the data. Which means if the Backup Software supports NDMP CAB Extension, then you can simply add 'SVM' as Backup client and backup volumes without worried about which volume is sitting on which Node and if the volume is moved to another Aggregate/Node then 'CAB' extensions automatically informs Backup software about it's new location therefore the backups don't fail.

Without CAB extension: Backup software is not aware of the cluster physical resources, in other words when you add 'SVM/VSERVER' (using SVM-scoped as mentioned in Veeam documentation) which is a virtualisation layer with volumes & LIFs, backup software cannot make a decision about the locality of the volumes, that means if data connection is made on the NODE-1 then only the 'volumes' attached to the 'NODE-1' will have local path to backup-device(tape/disk), however if the 'volume' to backup is sitting on NODE-2, then it has no intelligence to switch data connection to NODE-2, rather it will make it a 3-way backup, from NODE-2 to NODE-1 to Backup-device. For this reason it is better to backup data using 'node-scope' so that the backups are local and simple.

You can use the 'ndmpuser' that you created to add the NetApp physical Nodes as well.

I have never worked with Veeam so have no idea about it's GUI so can't really guide any further, but I am sure you should be fine.

Thanks!

View solution in original post

Ontapforrum · ‎2020-05-27

Hi,

Yes, I am sure it should be possible. NDMP backups just needs to "read" data and therefore even a read-only volume is good enough.

The issue I see in your error is : You are using 'vsadmin-backup' role which is specifically designed for 'Data SVM', and b'cos it is a SVM-DR it probably has it's restrictions I suppose.

Suggestion:
While creating and generating NDMP password for the 'ndmpuser' do not give 'Data SVM' in the -vserver, instead use the 'backup' role, it is created for backup purpose only.

Use the following command:
Create a NDMP backup user with role 'backup':
::> security login create -user-or-group-name ndmpuser -application ssh -authentication-method password -role backup

To confirm it is created:
::> security login show -user-or-group-name ndmpuser

Now, generate NDMP password:
::> vserver services ndmp generate-password -vserver <Admin SVM> -user ndmpuser

Finally, configure/Identify a NDMP data LIF (-preferred-interface-role)

Just go to this section "Configuring SVM-scoped NDMP" in the following link:
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.exp-ndmp%2FGUID-476285CF-F6CC-453E-A12A-3080F76BA8AF.html

Summary:

1) Enable SVM-scope
2) Configure a backup user
3) Configure/Identify Data LIF for NDMP backups (Using -preferred-interface-role')

All the information is in the document mentioned above.

Hope this info helps.

Thanks!

fll · ‎2020-05-28

Thanks for the reply.

As I read in the Ontap 9 documentation, there are two levels, SVM level and node level.

"You can perform tape backup and restore operations at the storage virtual machine (SVM) level successfully if the NDMP service is enabled on the SVM. You can back up and restore all volumes hosted across different nodes in the SVM of a cluster if the backup application supports the CAB extension. "

On the other hand, in the Veeam documentation I read the following:

"Limitations for NDMP Servers

Only backup of whole volume is supported.

The NetApp “SVM-scoped NDMP” mode is supported, however Veeam Backup & Replication does not support the NetApp Cluster Aware Backup (CAB) extension of the NDMP protocol. In SVM-scoped configuration, each cluster node must be added to the backup user interface on their own data LIF IP / DNS address. This is also known as “Node-scoped NDMP”.

The NDMP server performs its own backup consistency check for the NDMP volumes. To provide for the correct calculation of the delta of changes and to ensure the backup chain integrity, Veeam Backup & Replication does not allow adding one NDMP volume to more than one file in tape jobs. "

What mode should be used?

If the node level is to be used, would it be valid for SVM-DR?

Thanks.

Ontapforrum · ‎2020-05-28

You're welcome.

Not all Backup software supports CAB extensions. Some do such as SnapProtect/CommVault/Veritas etc. It all depends upon the Backup Vendor's integration with NetApp. But, that's not the end of the game, you can still backup data using node-scope, but then you need to ensure that 'Physical Nodes' are added as Backup Client instead of SVM so that the backup data path is local.

What is a CAB extension?
It is used to setup data connections directly to the physical nodes which contain the data. Which means if the Backup Software supports NDMP CAB Extension, then you can simply add 'SVM' as Backup client and backup volumes without worried about which volume is sitting on which Node and if the volume is moved to another Aggregate/Node then 'CAB' extensions automatically informs Backup software about it's new location therefore the backups don't fail.

Without CAB extension: Backup software is not aware of the cluster physical resources, in other words when you add 'SVM/VSERVER' (using SVM-scoped as mentioned in Veeam documentation) which is a virtualisation layer with volumes & LIFs, backup software cannot make a decision about the locality of the volumes, that means if data connection is made on the NODE-1 then only the 'volumes' attached to the 'NODE-1' will have local path to backup-device(tape/disk), however if the 'volume' to backup is sitting on NODE-2, then it has no intelligence to switch data connection to NODE-2, rather it will make it a 3-way backup, from NODE-2 to NODE-1 to Backup-device. For this reason it is better to backup data using 'node-scope' so that the backups are local and simple.

You can use the 'ndmpuser' that you created to add the NetApp physical Nodes as well.

I have never worked with Veeam so have no idea about it's GUI so can't really guide any further, but I am sure you should be fine.

Thanks!

fll · ‎2020-05-31

Hello, thanks for the answer.

I have managed to connect each node of our FAS2750 cluster as NDMP Server to Veeam Backu Server after executing the command

system services ndmp modify -node * -clear-text true -user-id ndmpuser

Then the SVM-DR CIFS resources are already associated with node-1 of the cluster and I can add them to Veaam's File to Tape jobs.

Best regards