Skip to main content

Create a mirror relationship for an existing bucket (local cluster)

Contributors netapp-forry netapp-aherbin netapp-barbe netapp-lenida netapp-dbagwell netapp-manini netapp-ahibbard

You can begin protecting existing S3 buckets on the same cluster at any time; for example, if you upgraded an S3 configuration from a release earlier than ONTAP 9.10.1. You can mirror data to a bucket in a different storage VM or the same storage VM as the source.

Before you begin
  • Requirements for ONTAP versions, licensing, and S3 server configuration have been completed.

  • A peering relationship exists between source and destination storage VMs.

  • CA Certificates are needed for the source and destination VMs. You can use self-signed CA certificates or certificates signed by an external CA vendor.

System Manager
  1. If this is the first SnapMirror S3 relationship for this storage VM, verify that root user keys exist for both source and destination storage VMs and regenerate them if they do not:

    1. Click Storage > Storage VMs and then select the storage VM.

    2. In the Settings tab, click Edit icon in the S3 tile.

    3. In the Users tab, verify that there is an access key for the root user.

    4. If there is not, click Menu options icon next to root, then click Regenerate Key.
      Do not regenerate the key if one already exists

  2. Verify that existing users and groups are present and have the correct access in both the source and destination storage VMs:
    Select Storage > Storage VMs, then select the storage VM, and then Settings tab. Finally, locate the S3 tile, select Edit icon, and select the Users tab and then the Groups tab to view user and group access settings.

    See Add S3 users and groups for more information.

  3. Create an SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:

    1. Click Protection > Overview, and then click Local Policy Setting.

    2. Click Arrow icon next to Protection Policies, then click Add.

      • Enter the policy name and description.

      • Select the policy scope, cluster or SVM

      • Select Continuous for SnapMirror S3 relationships.

      • Enter your Throttle and Recovery Point Objective values.

  4. Verify that the bucket access policy of the existing bucket continues to meet your needs:

    1. Click Storage > Buckets and then select the bucket you want to protect.

    2. In the Permissions tab, click Edit icon Edit, then click Add under Permissions.

      • Principal and Effect - select values corresponding to your user group settings, or accept the defaults.

      • Actions - make sure the following values are shown:

        GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts
      • Resources - use the defaults (bucketname, bucketname/*) or other values you need.

        See Manage user access to buckets for more information about these fields.

  5. Protect an existing bucket with SnapMirror S3:

    1. Click Storage > Buckets and then select the bucket you want to protect.

    2. Click Protect and enter the following values:

      • Destination

        • TARGET: ONTAP System

        • CLUSTER: Select the local cluster.

        • STORAGE VM: Select the same or a different storage VM.

        • S3 SERVER CA CERTIFICATE: Copy and paste the contents of the source certificate.

      • Source

        • S3 SERVER CA CERTIFICATE: Copy and paste the contents of the destination certificate.

  6. Check Use the same certificate on the destination if you are using a certificate signed by an external CA vendor.

  7. If you click Destination Settings, you can also enter your own values in place of the defaults for bucket name, capacity, and performance service level.

  8. Click Save. The existing bucket is mirrored to a new bucket in the destination storage VM.

Back up locked buckets

Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.

When defining the protection settings for a new or existing bucket, you can enable object locking on destination buckets, provided that the source and destination clusters run ONTAP 9.14.1 or later, and that object locking is enabled on the source bucket. The object locking mode and lock retention tenure of the source bucket become applicable for the replicated objects on the destination bucket. You can also define a different lock retention period for the destination bucket in the Destination Settings section. This retention period is also applied to any non-locked objects replicated from the source bucket and S3 interfaces.

For information about how to enable object locking on a bucket, see Create a bucket.

CLI
  1. If this is the first SnapMirror S3 relationship for this SVM, verify that root user keys exist for both source and destination SVMs and regenerate them if they do not:
    vserver object-store-server user show

    Verify that there is an access key for the root user. If there is not, enter:
    vserver object-store-server user regenerate-keys -vserver svm_name -user root

    Do not regenerate the key if one already exists.

  2. Create a bucket on the destination SVM to be the mirror target:

    vserver object-store-server bucket create -vserver svm_name -bucket dest_bucket_name [-size integer[KB|MB|GB|TB|PB]] [-comment text] [additional_options]

  3. Verify that the access rules to the default bucket policies are correct in both the source and destination SVMs:

    vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]`

    Example
    clusterA::> vserver object-store-server bucket policy add-statement -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource test-bucket, test-bucket /*
  4. Create an SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:

    snapmirror policy create -vserver svm_name -policy policy_name -type continuous [-rpo _integer] [-throttle throttle_type] [-comment text] [additional_options]

    Parameters:

    • continuous – the only policy type for SnapMirror S3 relationships (required).

    • -rpo – specifies the time for recovery point objective, in seconds (optional).

    • -throttle – specifies the upper limit on throughput/bandwidth, in kilobytes/seconds (optional).

      Example
      clusterA::> snapmirror policy create -vserver vs0 -type continuous -rpo 0 -policy test-policy
  5. Install CA server certificates on the admin SVM:

    1. Install the CA certificate that signed the source S3 server’s certificate on the admin SVM:
      security certificate install -type server-ca -vserver admin_svm -cert-name src_server_certificate

    2. Install the CA certificate that signed the destination S3 server’s certificate on the admin SVM:
      security certificate install -type server-ca -vserver admin_svm -cert-name dest_server_certificate

      If you are using a certificate signed by an external CA vendor, you only need to install this certificate on the admin SVM.

      See the security certificate install man page for details.

  6. Create an SnapMirror S3 relationship:
    snapmirror create -source-path src_svm_name:/bucket/bucket_name -destination-path dest_peer_svm_name:/bucket/bucket_name, …​} [-policy policy_name]

    You can use a policy you created or accept the default.

    Example
    src_cluster::> snapmirror create -source-path vs0-src:/bucket/test-bucket -destination-path vs1-dest:/bucket/test-bucket-mirror -policy test-policy
  7. Verify that mirroring is active:
    snapmirror show -policy-type continuous -fields status