Create a backup relationship for a new bucket (cloud target)

When you create new S3 buckets, you can back them up immediately to an S3 SnapMirror target bucket on an object store provider, which can be a StorageGRID system or an AWS S3 deployment.

What you’ll need
  • You have valid account credentials and configuration information for the object store provider.

  • Intercluster network interfaces and an IPspace have been configured on the source system.

  • The DNS configuration for the source storage VM must be able to resolve the target’s FQDN.

System Manager procedure

  1. Edit the storage VM to add users, and to add users to groups:

    1. Click Storage > storage VMs, click the storage VM, click Settings, and then click the edit icon under S3.

      See Add S3 users and groups for more information.

  2. Add a Cloud Object Store on the source system:

    1. Click Protection > Overview, then select Cloud Object Stores.

    2. Click Add, then select Amazon S3 or StorageGRID.

    3. Enter the following values:

      • Cloud object store name

      • URL style (path or virtual-hosted)

      • storage VM (enabled for S3)

      • Object store server name (FQDN)

      • Object store certificate

      • Access key

      • Secret key

      • Container (bucket) name

  3. Create an S3 SnapMirror policy if you don’t have an existing one and you don’t want to use the default policy:

    1. Click Protection > Overview, and then click Local Policy Settings.

    2. Click the right arrow icon next to Protection Policies, then click Add.

      • Enter the policy name and description.

      • Select the policy scope, cluster or SVM.

      • Select Continuous for S3 SnapMirror relationships.

      • Enter your Throttle and Recovery Point Objective values.

  4. Create a bucket with SnapMirror protection:

    1. Click Storage > Buckets, then click Add.

    2. Enter a name, select the storage VM, enter a size, then click More Options.

    3. Under Permissions, click Add. Verifying permissions is optional but recommended.

      • Principal and Effect - select values corresponding to your user group settings or accept the defaults.

      • Actions - make sure the following values are shown: GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts

      • Resources - use the defaults (bucketname, bucketname/*) or other values you need.

        See Manage user access to buckets for more information about these fields.

    4. Under Protection, check Enable SnapMirror (ONTAP or Cloud), select Cloud Storage, then select the Cloud Object Store.

When you click Save, a new bucket is created in the source storage VM, and it is backed up to the cloud object store.

CLI procedure

  1. If this is the first S3 SnapMirror relationship for this SVM, verify that root user keys exist for both source and destination SVMs and regenerate them if they do not:
    vserver object-store-server user show

    Verify that there is an access key for the root user. If there is not, enter:
    vserver object-store-server user regenerate-keys -vserver svm_name -user root

    Do not regenerate the key if one already exists.

  2. Create a bucket in the source SVM:
    vserver object-store-server bucket create -vserver svm_name -bucket bucket_name [-size integer[KB|MB|GB|TB|PB]] [-comment text] [additional_options]

  3. Add access rules to the default bucket policy:
    vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]

    Example
    clusterA::> vserver object-store-server bucket policy add-statement -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource test-bucket,test-bucket/*
  4. Create an S3 SnapMirror policy if you don’t have an existing one and you don’t want to use the default policy:
    snapmirror policy create -vserver svm_name -policy policy_name -type continuous [-rpo integer] [-throttle throttle_type] [-comment text] [additional_options]

    Parameters:

    • -type continuous – the only policy type for S3 SnapMirror relationships (required).

    • -rpo – specifies the time for recovery point objective, in seconds (optional).

    • -throttle – specifies the upper limit on throughput/bandwidth, in kilobytes/second (optional).

      Example
      clusterA::> snapmirror policy create -vserver vs0 -type continuous -rpo 0 -policy test-policy
  5. If the target is a StorageGRID system, install the StorageGRID CA server certificate on the admin SVM of the source cluster:
    security certificate install -type server-ca -vserver src_admin_svm -cert-name storage_grid_server_certificate

    See the security certificate install man page for details.

  6. Define the S3 SnapMirror destination object store:
    snapmirror object-store config create -vserver svm_name -object-store-name target_store_name -usage data -provider-type {AWS_S3|SGWS} -server target_FQDN -container-name remote_bucket_name -is-ssl-enabled true -port port_number -access-key target_access_key -secret-password target_secret_key

    Parameters:

    • -object-store-name – the name of the object store target on the local ONTAP system.

    • -usage – use data for this workflow.

    • -provider-type – AWS_S3 and SGWS (StorageGRID) targets are supported.

    • -server – the target server’s FQDN or IP address.

    • -is-ssl-enabled – enabling SSL is optional but recommended.

    See the snapmirror object-store config create man page for details.

    Example
    src_cluster::> snapmirror object-store config create -vserver vs0 -object-store-name sgws-store -usage data -provider-type SGWS -server sgws.example.com -container-name target-test-bucket -is-ssl-enabled true -port 443 -access-key abc123 -secret-password xyz890
  7. Create an S3 SnapMirror relationship:
    snapmirror create -source-path svm_name:/bucket/bucket_name -destination-path object_store_name:/objstore -policy policy_name

    -destination-path – the object store name you created in the previous step and the fixed value objstore.

    You can use a policy you created or accept the default.

    Example
    src_cluster::> snapmirror create -source-path vs0:/bucket/test-bucket -destination-path sgws-store:/objstore -policy test-policy
  8. Verify that mirroring is active:
    snapmirror show -policy-type continuous -fields status
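
A pre-flight check for the CLI procedure above, as an added example that is not NetApp code: it parses a planned command sequence offline and flags a bucket policy statement missing any of the listed actions, a policy that is not continuous, a target defined without SSL, and a -destination-path that does not point at a defined object store. The `parse` and `lint` helpers are hypothetical, and the sample plan and its placeholder keys are constructed.

```python
import shlex
# The eight actions the procedure above lists for the bucket policy statement.
REQUIRED_ACTIONS = set(("GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,"
                        "ListBucketMultipartUploads,ListMultipartUploadParts").split(","))

def parse(line):
    """Split one command line into (command words, {flag: value}, stray tokens)."""
    toks = iter(shlex.split(line.split("::>", 1)[-1]))  # drop a "cluster::>" prompt
    words, flags, stray = [], {}, []
    for tok in toks:
        if len(tok) > 1 and tok.startswith("-"):
            flags[tok] = next(toks, "")                 # a lone "-" is a value, not a flag
        else:
            (stray if flags else words).append(tok)     # bare token after a flag/value pair
    return " ".join(words), flags, stray

def lint(lines):
    """Return findings for a planned S3 SnapMirror command sequence (hypothetical checker)."""
    findings, stores = [], set()
    for n, line in enumerate(lines, 1):
        cmd, f, stray = parse(line)
        if stray:
            findings.append(f"{n}: stray tokens {stray}; whitespace inside a list value?")
        if cmd.endswith("bucket policy add-statement"):
            missing = REQUIRED_ACTIONS - set(f.get("-action", "").split(","))
            if missing:
                findings.append(f"{n}: missing actions {sorted(missing)}")
        elif cmd == "snapmirror policy create" and f.get("-type") != "continuous":
            findings.append(f"{n}: -type must be continuous")
        elif cmd == "snapmirror object-store config create":
            stores.add(f.get("-object-store-name"))
            if f.get("-is-ssl-enabled") != "true":
                findings.append(f"{n}: SSL is not enabled for the target")
        elif cmd == "snapmirror create":
            store, _, path = f.get("-destination-path", "").partition(":")
            if path != "/objstore" or store not in stores:
                findings.append(f"{n}: -destination-path is not <defined store>:/objstore")
    return findings

# Constructed plan: line 1 omits ListBucket, line 2 disables SSL, line 3 names an undefined store.
SAMPLE_PLAN = [
    "vserver object-store-server bucket policy add-statement -vserver vs0 -bucket test-bucket -effect allow"
    " -action GetObject,PutObject,DeleteObject,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,"
    "ListMultipartUploadParts -principal - -resource test-bucket,test-bucket/*",
    "snapmirror object-store config create -vserver vs0 -object-store-name sgws-store -usage data"
    " -provider-type SGWS -server sgws.example.com -container-name target-test-bucket"
    " -is-ssl-enabled false -port 80 -access-key ACCESS_KEY_PLACEHOLDER -secret-password SECRET_PLACEHOLDER",
    "snapmirror create -source-path vs0:/bucket/test-bucket -destination-path sgws:/objstore",
]
print("\n".join(lint(SAMPLE_PLAN)))
```

Feed `lint` the exact lines from a change ticket or runbook before they are pasted into the cluster shell; an empty list means none of these checks fired.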