Skip to main content

Create a mirror relationship for a new bucket (local cluster)

Contributors netapp-forry netapp-barbe netapp-manini netapp-ahibbard

When you create new S3 buckets, you can protect them immediately to an S3 SnapMirror destination on the same cluster. You can mirror data to a bucket in a different storage VM or the same storage VM as the source.

Before you begin
  • Requirements for ONTAP versions, licensing, and S3 server configuration have been completed.

  • A peering relationship exists between source and destination storage VMs.

  • CA Certificates are needed for the source and destination VMs. You can use self-signed CA certificates or certificates signed by an external CA vendor.

System Manager
  1. If this is the first S3 SnapMirror relationship for this storage VM, verify that root user keys exist for both source and destination storage VMs and regenerate them if they do not:

    1. Click Storage > Storage VMs and then select the storage VM.

    2. In the Settings tab, click edit icon in the S3 tile.

    3. In the Users tab, verify that there is an access key for the root user

    4. If there is not, click more icon next to root, then click Regenerate Key.
      Do not regenerate the key if one already exists.

  2. Edit the storage VM to add users, and to add users to groups, in both the source and destination storage VMs:
    Click Storage > storage VMs, click the storage VM, click Settings and then click edit icon under S3.

    See Add S3 users and groups for more information.

  3. Create an S3 SnapMirror policy if you don’t have an existing one and you don’t want to use the default policy:

    1. Click Protection > Overview, and then click Local Policy Settings.

    2. Click right arrow next to Protection Policies, then click Add.

      • Enter the policy name and description.

      • Select the policy scope, cluster or SVM

      • Select Continuous for S3 SnapMirror relationships.

      • Enter your Throttle and Recovery Point Objective values.

  4. Create a bucket with SnapMirror protection:

    1. Click Storage > Buckets then click Add.

    2. Enter a name, select the storage VM, enter a size, then click More Options.

    3. Under Permissions, click Add. Verifying permissions is optional but recommended.

      • Principal and Effect - select values corresponding to your user group settings, or accept the defaults.

      • Actions - make sure the following values are shown:

        GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts
      • Resources - use the defaults (bucketname, bucketname/*) or other values you need

        See Manage user access to buckets for more information about these fields.

    4. Under Protection, check Enable SnapMirror (ONTAP or Cloud). Then enter the following values:

      • Destination

        • TARGET: ONTAP System

        • CLUSTER: Select the local cluster.

        • STORAGE VM: Select a storage VM on the local cluster.

        • S3 SERVER CA CERTIFICATE: Copy and paste the contents of the source certificate.

      • Source

        • S3 SERVER CA CERTIFICATE: Copy and paste the contents of the destination certificate.

  5. Check Use the same certificate on the destination if you are using a certificate signed by an external CA vendor.

  6. If you click Destination Settings, you can also enter your own values in place of the defaults for bucket name, capacity, and performance service level.

  7. Click Save. A new bucket is created in the source storage VM, and it is mirrored to a new bucket that is created the destination storage VM.

Back up locked buckets

Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.

When defining the protection settings for a new or existing bucket, you can enable object locking on destination buckets, provided that the source and destination clusters run ONTAP 9.14.1 or later, and that object locking is enabled on the source bucket. The object locking mode and lock retention tenure of the source bucket become applicable for the replicated objects on the destination bucket. You can also define a different lock retention period for the destination bucket in the Destination Settings section. This retention period is also applied to any non-locked objects replicated from the source bucket and S3 interfaces.

For information about how to enable object locking on a bucket, see Create a bucket.

CLI
  1. If this is the first S3 SnapMirror relationship for this SVM, verify that root user keys exist for both source and destination SVMs and regenerate them if they do not:
    vserver object-store-server user show

    Verify that there is an access key for the root user. If there is not, enter:
    vserver object-store-server user regenerate-keys -vserver svm_name -user root

    Do not regenerate the key if one already exists.

  2. Create buckets in both the source and destination SVMs:

    vserver object-store-server bucket create -vserver svm_name -bucket bucket_name [-size integer[KB|MB|GB|TB|PB]] [-comment text] [additional_options]

  3. Add access rules to the default bucket policies in both the source and destination SVMs:

    vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]

    Example
    src_cluster::> vserver object-store-server bucket policy add-statement -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource test-bucket, test-bucket /*
  4. Create an S3 SnapMirror policy if you don’t have an existing one and you don’t want to use the default policy:
    snapmirror policy create -vserver svm_name -policy policy_name -type continuous [-rpo integer] [-throttle throttle_type] [-comment text] [additional_options]

    Parameters:

    • continuous – the only policy type for S3 SnapMirror relationships (required).

    • -rpo – specifies the time for recovery point objective, in seconds (optional).

    • -throttle – specifies the upper limit on throughput/bandwidth, in kilobytes/seconds (optional).

      Example
      src_cluster::> snapmirror policy create -vserver vs0 -type continuous -rpo 0 -policy test-policy
  5. Install CA server certificates on the admin SVM:

    1. Install the CA certificate that signed the source S3 server’s certificate on the admin SVM:
      security certificate install -type server-ca -vserver admin_svm -cert-name src_server_certificate

    2. Install the CA certificate that signed the destination S3 server’s certificate on the admin SVM:
      security certificate install -type server-ca -vserver admin_svm -cert-name dest_server_certificate

      If you are using a certificate signed by an external CA vendor, you only need to install this certificate on the admin SVM.

      See the security certificate install man page for details.

  6. Create an S3 SnapMirror relationship:
    snapmirror create -source-path src_svm_name:/bucket/bucket_name -destination-path dest_peer_svm_name:/bucket/bucket_name, …​} [-policy policy_name]`

    You can use a policy you created or accept the default.

    Example
    src_cluster::> snapmirror create -source-path vs0-src:/bucket/test-bucket -destination-path vs1-dest:/vs1/bucket/test-bucket-mirror -policy test-policy
  7. Verify that mirroring is active:
    snapmirror show -policy-type continuous -fields status