NetApp-specific NDMP configuration


Copyright © SEP AG 1999-2019. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 4.4.3/4.4.3 Beefalo. For previous documentation version(s), check Documentation archive.


Overview

SEP sesam enables you to protect and manage your storage file servers by providing support for Network Data Management Protocol (NDMP). To find out more about NDMP, see NDMP Backup.

The following configuration steps represent a NetApp specific part of the NDMP host configuration. They are based on the NetApp article on using NDMP-based copy utilities. The steps below explain how to enable NDMP and set a password on the source and destination storage systems.

By enabling NDMP support on a storage system, you enable the storage system to communicate with SEP sesam Data Management Application (SDMA), data servers, and tape servers participating in backup or recovery operations. All network communications occur over a TCP/IP network.

You can perform tape backup and restore in either node-scoped NDMP mode or storage virtual machine (SVM) scoped NDMP mode.

About NDMP modes of operation

Node-scoped NDMP mode
In this mode you can perform backup and restore operations at the node level – on a node that owns the volume. Note that this mode is already deprecated and will be removed in a future major release. Refer to official ONTAP 9 documentation About NDMP modes of operation.
SVM-scoped NDMP mode
You can perform backup and restore at the storage virtual machine (SVM, formerly known as Vserver) level if the NDMP service is enabled on the SVM. You can back up and restore all volumes hosted across different nodes in the SVM of a cluster. If a volume and the tape device share the same affinity, then SEP sesam (by using the CAB extension) can perform a local backup or restore operation.

Procedure

Depending on your configuration, use the NDMP activation and authentication procedure specific to your mode.

7-Mode

  1. Enable NDMP.

    netapp> ndmpd on

  2. Create a new user specifically for NDMP.

    netapp> useradmin user add sepbackup -g "Backup Operators"
    New password: XXXXXXXXX
    Retype new password: XXXXXXXXX
    User <sepbackup> added.

  3. Non-root users have a special NDMP password that is different from their login password and is displayed by this command.

    netapp> ndmpd password sepbackup
    password MzUV5p6R

    Note
    This NDMP password must be set in the client configuration together with the user name.

  4. Set NDMP to accept plaintext and md5 authentication methods:

    netapp> options ndmpd.authtype plaintext,challenge
    

Clustered Data ONTAP

Run the following command to verify that your cluster is running in SVM-scoped NDMP mode and not in node-scope mode:

cluster::> system services ndmp node-scope-mode status

If node-scoped NDMP mode is disabled, the cluster is configured for SVM-scoped NDMP mode.

SVM-scoped NDMP mode

You can use the vserver services ndmp commands to manage NDMP on each storage virtual machine (SVM, formerly known as Vserver). These commands are available to cluster administrators at the admin privilege level.
For more information about the vserver commands used below, see the vserver commands man pages.

Configuring SVM-scoped NDMP mode

Cluster Aware Backup (CAB) requires NDMP to be configured in SVM-scoped mode at the admin SVM level. This mode enables you to back up all the volumes hosted across different nodes of the cluster. When configuring this mode, consider the following:

  • In the SVM-scoped NDMP mode, user authentication is integrated with the role-based access control mechanism.
  • By default, NDMP should be in the allowed protocols list. If it is not, NDMP sessions cannot be established.
  • You can control the LIF type on which an NDMP data connection is established by using the -preferred-interface-role option. When establishing an NDMP data connection, NDMP chooses an IP address that belongs to the LIF type as specified by this option. If the IP addresses do not belong to any of these LIF types, the NDMP data connection cannot be established.

Steps

  1. Enabling SVM-scoped NDMP mode on the cluster.
  2. Configuring a backup user account for the cluster.
  3. Configuring LIFs for data and control connection.
Enabling SVM-scoped NDMP mode on the cluster
  1. Enable SVM-scoped NDMP mode by using the system services ndmp command with the node-scope-mode parameter.

    cluster::> system services ndmp node-scope-mode off

    Example

    cluster1::> system services ndmp node-scope-mode off
    NDMP node-scope-mode is disabled.

  2. Enable NDMP service on your admin SVM. NDMP service must always be enabled on all nodes in a cluster.

    cluster::> vserver services ndmp on -vserver <SVM-name>

    Example

    cluster1::> vserver services ndmp on -vserver cluster1

    By default, the authentication type is set to challenge and plaintext authentication is disabled. It is recommended that the latter stays disabled to ensure secure communication.

  3. Verify that NDMP service is enabled.

    cluster::> vserver services ndmp on -vserver <SVM-name>

    Example

    cluster1::> vserver services ndmp on -vserver cluster1

  4. Verify that NDMP is allowed on the vserver.

    cluster::> vserver services ndmp show
    cluster::> vserver services ndmp on -vserver <vserver>

    Example

    cluster1::> vserver services ndmp show
    Vserver       Enabled   Authentication type
    ------------- --------- -------------------
    cluster1      true      challenge
    vs1           false     challenge
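
The verification in the last step can be scripted. The following is an added example, not SEP sesam or NetApp code: it parses the table printed by vserver services ndmp show and reports SVMs where NDMP is not enabled or where plaintext authentication has been switched on. The vs2 row and the comma-separated list of authentication types are assumptions made for the sample.

```python
# Added example: audit the table printed by `vserver services ndmp show`.
# SAMPLE is constructed for illustration. The vs2 row and the comma-separated
# authentication list are assumptions, not output captured from a cluster.
SAMPLE = """\
Vserver       Enabled   Authentication type
------------- --------- -------------------
cluster1      true      challenge
vs1           false     challenge
vs2           true      plaintext,challenge
"""


def parse_ndmp_show(text):
    """Return {vserver: (enabled, [auth types])} from the tabular output."""
    rows, in_body = {}, False
    for line in text.splitlines():
        if line.strip().startswith("---"):
            in_body = True              # data rows start after the dashed rule
            continue
        parts = line.split(None, 2)     # name, enabled flag, rest of the line
        if not in_body or len(parts) != 3:
            continue
        name, enabled, auth = parts
        rows[name] = (enabled.lower() == "true",
                      [a.strip().lower() for a in auth.split(",")])
    return rows


def audit(rows, backup_svms):
    """Return (svm, issue) pairs for settings that differ from the procedure.

    backup_svms: names of the SVMs that SEP sesam must reach over NDMP.
    """
    findings = []
    for name in sorted(set(rows) | set(backup_svms)):
        enabled, auth = rows.get(name, (False, []))
        if name in backup_svms and not enabled:
            findings.append((name, "NDMP not enabled"))
        if enabled and "plaintext" in auth:
            findings.append((name, "plaintext authentication enabled"))
    return findings


if __name__ == "__main__":
    for svm, issue in audit(parse_ndmp_show(SAMPLE), {"cluster1", "vs1"}):
        print(f"{svm}: {issue}")
```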
    
Configuring a backup user account for the cluster

To authenticate NDMP from SEP sesam, create a local backup user account and generate an NDMP password for the user. Note that if you are using an NIS or LDAP user for the cluster with the admin or backup role, you cannot use an Active Directory user – you have to create the user on the respective server.

  1. Create a backup user with the backup role. You can specify a local backup user name or an NIS or LDAP user name for the -user-or-group-name parameter.

    cluster::> security login create -user-or-group-name <user> -application ssh -authmethod password -role backup

    Example: The following command creates the backup user ndmpuser with the backup role.

    cluster1::> security login create -user-or-group-name ndmpuser -application ssh -authmethod password -role backup

    Please enter a password for user 'ndmpuser':
    Please enter it again:

  2. Generate an NDMP password for the admin SVM. This password is not the same as the password for the user account and will be used to authenticate the NDMP connection by SEP sesam.

    cluster::> vserver services ndmp generate-password -vserver <SVM-name> -user <user>

    Example

    cluster1::> vserver services ndmp generate-password -vserver cluster1 -user ndmpuser
    Vserver: cluster1
       User: ndmpuser
    Password: yMGg5d0LyUG8l1kn
    
Configuring LIFs for data and control connection

You must identify the Logical Interfaces (LIFs) that will be used for establishing the data connection, which sends the backup data to the SEP sesam Server or RDS, and for establishing the control connection between the admin SVM and SEP sesam. Once the LIFs are identified, you must verify that firewall and failover policies are correctly set. Then you have to specify the preferred interface role that allows you to control the LIF type on which the NDMP data connection is established; NDMP will choose an IP address that belongs to the LIF type as specified by the -preferred-interface-role option.

Note
If the IP addresses are not matched to any of these LIF types, the NDMP data connection cannot be established and your vServer-scoped NDMP backups will fail with an error.

Steps

  1. Identify the LIFs for the data, intercluster, cluster-management, and node-management roles.

    cluster::> network interface show -role <role-type>

    Example 1: Identify the intercluster LIFs which were created previously for the SVM cluster1.

    cluster1::> network interface show -role intercluster

                Logical           Status     Network            Current       Current Is
    Vserver     Interface         Admin/Oper Address/Mask       Node          Port    Home
    ----------- ----------        ---------- ------------------ ------------- ------- ----
    cluster1    IC1               up/up      192.0.2.65/24      cluster1-1    e0a     true
    cluster1    IC2               up/up      192.0.2.68/24      cluster1-2    e0b     true

    Example 2: Identify the cluster-mgmt LIFs which can be used to back up all volumes across all nodes.

    cluster1::> network interface show -role cluster-mgmt
                Logical           Status     Network            Current       Current Is
    Vserver     Interface         Admin/Oper Address/Mask       Node          Port    Home
    ----------- ----------        ---------- ------------------ ------------- ------- ----
    cluster1    cluster_mgmt      up/up      192.0.2.60/24      cluster1-2    e0M     true

    Example 3: Identify the node-mgmt LIFs.

    cluster1::> network interface show -role node-mgmt
                Logical           Status     Network            Current       Current Is
    Vserver     Interface         Admin/Oper Address/Mask       Node          Port    Home
    ----------- ----------        ---------- ------------------ ------------- ------- ----
    cluster1    cluster1-1_mgmt1  up/up      192.0.2.69/24      cluster1-1    e0M     true
                cluster1-2_mgmt1  up/up      192.0.2.70/24      cluster1-2    e0M     true

  2. Ensure that the firewall policy is enabled for NDMP on all LIF types.

    cluster::> system services firewall policy show

    Example

    cluster1::> system services firewall policy show
    Vserver Policy       Service    Allowed
    ------- ------------ ---------- -------------------
    cluster1
            data
                         dns        0.0.0.0/0, ::/0
                         ndmp       0.0.0.0/0, ::/0
                         ndmps      0.0.0.0/0, ::/0
    cluster1
            intercluster
                         ndmp       0.0.0.0/0, ::/0
                         ndmps      0.0.0.0/0, ::/0
    cluster1
            mgmt
                         dns        0.0.0.0/0, ::/0
                         http       0.0.0.0/0, ::/0
                         https      0.0.0.0/0, ::/0
                         ndmp       0.0.0.0/0, ::/0
                         ndmps      0.0.0.0/0, ::/0
                         ntp        0.0.0.0/0, ::/0
                         snmp       0.0.0.0/0, ::/0
                         ssh        0.0.0.0/0, ::/0

  3. If the firewall policy is not enabled, enable it by using the -service parameter.

    Example: The following command enables firewall policy for the intercluster LIF.

    cluster1::> system services firewall policy modify -vserver cluster1 -policy intercluster -service ndmp 0.0.0.0/0

  4. Ensure that the failover policy is set appropriately for all LIFs: the failover policy for the cluster-management LIF must be set to broadcast-domain-wide, and the policy for the intercluster and node-management LIFs must be set to local-only.

    Example: Displaying the failover policy for the cluster-management, intercluster, and node-management LIFs.

    cluster1::> network interface show -failover
               Logical            Home              Failover              Failover
    Vserver    Interface          Node:Port         Policy                Group
    ---------- -----------------  ----------------- --------------------  --------
    cluster    cluster1_clus1     cluster1-1:e0a    local-only            cluster
                                                         Failover Targets:
                                                         .......

    cluster1   cluster_mgmt       cluster1-1:e0m    broadcast-domain-wide Default
                                                         Failover Targets:
                                                         .......
               IC1                cluster1-1:e0a    local-only            Default
                                                         Failover Targets:
               IC2                cluster1-1:e0b    local-only            Default
                                                         Failover Targets:
                                                         .......
    cluster1-1 cluster1-1_mgmt1   cluster1-1:e0m    local-only            Default
                                                         Failover Targets:
                                                         ......
    cluster1-2 cluster1-2_mgmt1   cluster1-2:e0m    local-only            Default
                                                         Failover Targets:
                                                         ......

    If the failover policies are not set appropriately, modify them by using the network interface modify command with the -failover-policy parameter. For details on the command, refer to NetApp ONTAP man pages system services firewall policy commands.

    cluster::> network interface modify -vserver <vserver> -lif <lif> -failover-policy <policy>

  5. Ensure that the preferred interface roles intercluster, cluster-mgmt and node-mgmt are defined for the NDMP service.

    cluster::> vserver services ndmp modify -vserver <vserver> -preferred-interface-role intercluster,cluster-mgmt,node-mgmt

  6. Verify that the preferred interface role is set for the cluster.

    cluster::> vserver services ndmp show -vserver <vserver>

    Example

    cluster1::> vserver services ndmp show -vserver cluster1
                                Vserver: cluster1
                           NDMP Version: 4
                           .......
                           .......
               Preferred Interface Role: intercluster, cluster-mgmt, node-mgmt

  7. Set the preferred interface roles, if they are not set.

    cluster::> vserver services ndmp modify -vserver <vserver> -preferred-interface-role intercluster,cluster-mgmt,node-mgmt
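
The firewall policy check from the steps above can be run against saved CLI output. The following is an added example, not SEP sesam or NetApp code: it parses the nested layout of system services firewall policy show, lists the policies that lack the ndmp service, and also lists policies whose NDMP allow-list covers every address, so you can decide whether to narrow it to the backup server (that second check is an addition, not a step from this page). The sample is constructed, and the address 192.0.2.10/32 is a placeholder.

```python
# Added example. SAMPLE is constructed in the layout of
# `system services firewall policy show`; the intercluster policy is
# deliberately missing ndmp and 192.0.2.10/32 is a placeholder address.
SAMPLE = """\
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
cluster1
        data
                     dns        0.0.0.0/0, ::/0
                     ndmp       0.0.0.0/0, ::/0
cluster1
        intercluster
                     ndmps      0.0.0.0/0, ::/0
cluster1
        mgmt
                     ndmp       192.0.2.10/32
                     ssh        0.0.0.0/0, ::/0
"""


def parse_policies(text):
    """Return {(vserver, policy): {service: [allowed CIDRs]}}.

    Assumes the output is pasted without extra leading indentation.
    """
    policies, vserver, policy, in_body = {}, None, None, False
    for line in text.splitlines():
        if line.strip().startswith("---"):
            in_body = True
            continue
        if not in_body or not line.strip():
            continue
        fields = line.split(None, 1)
        if not line[0].isspace():          # column 0: vserver name
            vserver = fields[0]
        elif len(fields) == 1:             # indented single token: policy name
            policy = fields[0]
            policies[(vserver, policy)] = {}
        else:                              # indented "service  allow-list"
            cidrs = [c.strip() for c in fields[1].split(",")]
            policies[(vserver, policy)][fields[0]] = cidrs
    return policies


def ndmp_gaps(policies, vserver, required=("data", "intercluster", "mgmt")):
    """Policies of `vserver` that do not allow the ndmp service."""
    return [p for p in required if "ndmp" not in policies.get((vserver, p), {})]


def ndmp_open_to_any(policies, service="ndmp"):
    """(vserver, policy) pairs whose allow-list for `service` is unrestricted."""
    return sorted(key for key, svcs in policies.items()
                  if {"0.0.0.0/0", "::/0"} & set(svcs.get(service, [])))
```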
    

Node-scoped NDMP mode

You must use NDMP-specific credentials to access a storage system and perform tape backup and restore.

Note
The following commands are deprecated and will be removed in a future major release.

For more information, see the man pages for the system services ndmp commands.

  1. Enable NDMP.

    ::> system services ndmp on -node *

  2. Set a password.

    ::> system services ndmp modify -node * -user-id root
    Please enter password: XXXXXXXXX
    Confirm password: XXXXXXXXX
    X entries were modified.

  3. Set NDMP to accept both plaintext and md5 authentication requests.

    ::> system services ndmp modify -node * -clear-text true
    

Firewall Settings

In environments where the source and target networks are separated by a network firewall, the NDMP control connection uses port 10000 by default to manage backups and restores. This connection is used to send and receive NDMP requests. However, the NDMP data connection that is used for transferring data may randomly use any available port.

Specify NDMP data port range

The following example modifies the NDMP data port range on an ONTAP 9.x node named NODE1. The configuration sets the NDMP data port range from the default value all to 55100-55200.

NODE1::>  vserver services ndmp modify -vserver NODE1 -data-port-range 55100-55200

The format of this option is start_port-end_port, where both ports can have values between 1024 and 65535. NDMP uses a port within that range to listen for data connections. A listen request fails if no ports in the specified range are free. The default value for this option is all. This option is persistent across reboots. For more information, check the NetApp article vserver services ndmp modify.

[-data-port-range <start_port>-<end port> | all] - Data Port Range

You can show the used data port range with the following command:

NODE1::> vserver services ndmp show -vserver NODE1 -fields data-port-range
vserver data-port-range
------- ---------------
NODE1  55100-55200

As of DOT 7.3.5.1 and 8.0.1, the NDMP data port can be specified as follows:

options ndmpd.data_port_range {start_port-end_port}

Its usage is explained in the NetApp article Designating the range of ports for NDMP data connections. The following information is based on this article.

To specify a range of ports to be used by NDMP data connection, use the following command on NetApp Controller:

options ndmpd.data_port_range {start_port-end_port}

Syntax: options ndmpd.data_port_range {<start_port>-<end_port> | all}

  • start_port and end_port can have values between 1024 and 65535.
  • start_port must be less than or equal to end_port.
  • It is best to use start_port and end_port values between 18600 and 18699.

Example:

options ndmpd.data_port_range {11400-11800}

The default value for this option is all, which means that any available port may be used. By specifying a valid range, a port within this range is used. A listen request fails if no ports in the specified range are free. The additional ports must be open in both directions for backup and restore purposes.

Note
The ndmpd.data_port_range option is persistent across reboots.

Once you have specified the ports, restart ndmpd on NetApp Controller by using ndmpd {on|off}.
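
Before committing a range to the storage system and the network firewall, it helps to validate it against the rules stated above. The following is an added example, not SEP sesam or NetApp code: it checks a data port range value, accepts the brace notation used in the 7-Mode example, and reports what the firewall has to pass. The concurrent_streams parameter is a hypothetical sizing input, based on the statement that a listen request fails when no port in the range is free.

```python
# Added example: validate an NDMP data port range and derive firewall needs.
CONTROL_PORT = 10000  # default NDMP control port named on this page


def parse_data_port_range(value):
    """Return None for 'all', otherwise (start_port, end_port).

    Accepts 'start-end' and the brace form '{start-end}'.
    Raises ValueError when a rule stated on this page is violated.
    """
    v = value.strip().strip("{}").strip()
    if v.lower() == "all":
        return None
    start_s, sep, end_s = (p.strip() for p in v.partition("-"))
    if not sep or not (start_s.isdigit() and end_s.isdigit()):
        raise ValueError(f"expected start_port-end_port or all, got {value!r}")
    start, end = int(start_s), int(end_s)
    if not all(1024 <= p <= 65535 for p in (start, end)):
        raise ValueError("ports must be between 1024 and 65535")
    if start > end:
        raise ValueError("start_port must be less than or equal to end_port")
    return start, end


def firewall_plan(value, concurrent_streams=1):
    """Summarise what must be open between the storage system and SEP sesam.

    concurrent_streams (assumption): number of NDMP data connections expected
    at the same time; each one needs a free port in the range to listen on.
    """
    rng = parse_data_port_range(value)
    if rng is None:
        # 'all' means any port may be used, so no fixed data rule can be written
        return {"control": CONTROL_PORT, "data": None,
                "ports": None, "sufficient": None}
    size = rng[1] - rng[0] + 1
    return {"control": CONTROL_PORT, "data": rng, "ports": size,
            "sufficient": size >= concurrent_streams}


if __name__ == "__main__":
    print(firewall_plan("55100-55200", concurrent_streams=4))
```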

For more details about NDMP with firewalls, see:

Known issues

If you have NDMP configuration related problems, check the NDMP troubleshooting.

See also

NDMP Backup