Release notes
Create a mirror relationship for an existing bucket (remote cluster)
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
You can begin protecting existing S3 buckets at any time; for example, if you upgraded an S3 configuration from a release earlier than ONTAP 9.10.1.
You need to perform tasks on both the source and destination clusters.
-
Requirements for ONTAP versions, licensing, and S3 server configuration have been completed.
-
A peering relationship exists between source and destination clusters, and a peering relationship exists between source and destination storage VMs.
-
CA Certificates are needed for the source and destination VMs. You can use self-signed CA certificates or certificates signed by an external CA vendor.
You can create a mirror relationship using System Manager or the ONTAP CLI.
-
If this is the first SnapMirror S3 relationship for this storage VM, verify that root user keys exist for both source and destination storage VMs and regenerate them if they do not:
-
Select Storage > Storage VMs and then select the storage VM.
-
In the Settings tab, click
in the S3 tile. -
In the Users tab, verify that there is an access key for the root user.
-
If there is not, click
next to root, then click Regenerate Key.
Do not regenerate the key if one already exists.
-
-
Verify that existing users and groups are present and have the correct access in both the source and destination storage VMs:
Select Storage > Storage VMs, then select the storage VM, then Settings tab. Finally, locate the S3 tile, select, and select the Users tab and then the Groups tab to view user and group access settings.See Add S3 users and groups for more information.
-
On the source cluster, create an SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:
-
Select Protection > Overview, and then click Local Policy Settings.
-
Select
next to Protection Policies, then click Add. -
Enter the policy name and description.
-
Select the policy scope, either cluster or SVM.
-
Select Continuous for SnapMirror S3 relationships.
-
Enter your Throttle and Recovery Point Objective values.
-
-
Verify that the bucket access policy of the existing bucket still meets your needs:
-
Click Storage > Buckets and then select the bucket you want to protect.
-
In the Permissions tab, click
Edit, then click Add under Permissions.-
Principal and Effect: select values corresponding to your user group settings, or accept the defaults.
-
Actions: make sure the following values are shown:
GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts
-
Resources: use the defaults
(bucketname, bucketname/*)or other values you need.See Manage user access to buckets for more information about these fields.
-
-
-
Protect an existing bucket with SnapMirror S3 protection:
-
Click Storage > Buckets and then select the bucket you want to protect.
-
Click Protect and enter the following values:
-
Destination
-
TARGET: ONTAP System
-
CLUSTER: Select the remote cluster.
-
STORAGE VM: Select a storage VM on the remote cluster.
-
S3 SERVER CA CERTIFICATE: Copy and paste the contents of the source certificate.
-
-
Source
-
S3 SERVER CA CERTIFICATE: Copy and paste the contents of the destination certificate.
-
-
-
-
Check Use the same certificate on the destination if you are using a certificate signed by an external CA vendor.
-
If you click Destination Settings, you can also enter your own values in place of the defaults for bucket name, capacity, and performance service level.
-
Click Save. The existing bucket is mirrored to a new bucket in the destination storage VM.
Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.
When defining the protection settings for a new or existing bucket, you can enable object locking on destination buckets, provided that the source and destination clusters run ONTAP 9.14.1 or later, and that object locking is enabled on the source bucket. The object locking mode and lock retention tenure of the source bucket become applicable for the replicated objects on the destination bucket. You can also define a different lock retention period for the destination bucket in the Destination Settings section. This retention period is also applied to any non-locked objects replicated from the source bucket and S3 interfaces.
For information about how to enable object locking on a bucket, see Create a bucket.
-
If this is the first SnapMirror S3 relationship for this SVM, verify that root user keys exist for both source and destination SVMs and regenerate them if they do not:
vserver object-store-server user show
Verify that there is an access key for the root user. If there is not, enter:
vserver object-store-server user regenerate-keys -vserver svm_name -user root
Do not regenerate the key if one already exists. -
Create a bucket on the destination SVM to be the mirror target:
vserver object-store-server bucket create -vserver svm_name -bucket dest_bucket_name [-size integer[KB|MB|GB|TB|PB]] [-comment text] [additional_options] -
Verify that the access rules of the default bucket policies are correct in both the source and destination SVMs:
vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]Examplesrc_cluster::> vserver object-store-server bucket policy add-statement -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource test-bucket, test-bucket /*
-
On the source SVM, create an SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:
snapmirror policy create -vserver svm_name -policy policy_name -type continuous [-rpo integer] [-throttle throttle_type] [-comment text] [additional_options]Parameters:
-
continuous– the only policy type for SnapMirror S3 relationships (required). -
-rpo– specifies the time for recovery point objective, in seconds (optional). -
-throttle– specifies the upper limit on throughput/bandwidth, in kilobytes/seconds (optional).Examplesrc_cluster::> snapmirror policy create -vserver vs0 -type continuous -rpo 0 -policy test-policy
-
-
Install CA certificates on the admin SVMs of source and destination clusters:
-
On the source cluster, install the CA certificate that signed the destination S3 server certificate:
security certificate install -type server-ca -vserver src_admin_svm -cert-name dest_server_certificate -
On the destination cluster, install the CA certificate that signed the source S3 server certificate:
security certificate install -type server-ca -vserver dest_admin_svm -cert-name src_server_certificate
If you are using a certificate signed by an external CA vendor, install the same certificate on the source and destination admin SVM.Learn more about
security certificate installin the ONTAP command reference.
-
-
On the source SVM, create an SnapMirror S3 relationship:
snapmirror create -source-path src_svm_name:/bucket/bucket_name -destination-path dest_peer_svm_name:/bucket/bucket_name, …} [-policy policy_name]You can use a policy you created or accept the default.
Examplesrc_cluster::> snapmirror create -source-path vs0:/bucket/test-bucket -destination-path vs1:/bucket/test-bucket-mirror -policy test-policy
-
Verify that mirroring is active:
snapmirror show -policy-type continuous -fields status
