
Create a mirror relationship for an existing bucket (remote cluster)

Contributors netapp-aherbin netapp-forry netapp-lenida netapp-barbe netapp-ahibbard

You can begin protecting existing S3 buckets at any time; for example, if you upgraded an S3 configuration from a release earlier than ONTAP 9.10.1.

About this task

You need to perform tasks on both the source and destination clusters.

Before you begin
  • Requirements for ONTAP versions, licensing, and S3 server configuration have been completed.

  • A peering relationship exists between source and destination clusters, and a peering relationship exists between source and destination storage VMs.

  • CA certificates are needed for the source and destination VMs. You can use self-signed CA certificates or certificates signed by an external CA vendor.

Steps

You can create a mirror relationship using System Manager or the ONTAP CLI.

System Manager
  1. If this is the first SnapMirror S3 relationship for this storage VM, verify that root user keys exist for both source and destination storage VMs and regenerate them if they do not:

    1. Select Storage > Storage VMs and then select the storage VM.

    2. In the Settings tab, click the Edit icon in the S3 tile.

    3. In the Users tab, verify that there is an access key for the root user.

    4. If there is not, click the Menu options icon next to root, then click Regenerate Key.
      Do not regenerate the key if one already exists.

  2. Verify that existing users and groups are present and have the correct access in both the source and destination storage VMs:
    Select Storage > Storage VMs, select the storage VM, and then open the Settings tab. Locate the S3 tile, click the Edit icon, and then select the Users tab and the Groups tab to view user and group access settings.

    See Add S3 users and groups for more information.

  3. On the source cluster, create a SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:

    1. Select Protection > Overview, and then click Local Policy Settings.

    2. Select the arrow icon next to Protection Policies, then click Add.

    3. Enter the policy name and description.

    4. Select the policy scope, either cluster or SVM.

    5. Select Continuous for SnapMirror S3 relationships.

    6. Enter your Throttle and Recovery Point Objective values.

  4. Verify that the bucket access policy of the existing bucket still meets your needs:

    1. Click Storage > Buckets and then select the bucket you want to protect.

    2. In the Permissions tab, click the Edit icon, then click Add under Permissions.

      • Principal and Effect: select values corresponding to your user group settings, or accept the defaults.

      • Actions: make sure the following values are shown:

        GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts
      • Resources: use the defaults (bucketname, bucketname/*) or other values you need.

        See Manage user access to buckets for more information about these fields.

  5. Protect an existing bucket with SnapMirror S3 protection:

    1. Click Storage > Buckets and then select the bucket you want to protect.

    2. Click Protect and enter the following values:

      • Destination

        • TARGET: ONTAP System

        • CLUSTER: Select the remote cluster.

        • STORAGE VM: Select a storage VM on the remote cluster.

        • S3 SERVER CA CERTIFICATE: Copy and paste the contents of the source certificate.

      • Source

        • S3 SERVER CA CERTIFICATE: Copy and paste the contents of the destination certificate.

  6. Check Use the same certificate on the destination if you are using a certificate signed by an external CA vendor.

  7. If you click Destination Settings, you can also enter your own values in place of the defaults for bucket name, capacity, and performance service level.

  8. Click Save. The existing bucket is mirrored to a new bucket in the destination storage VM.

Back up locked buckets

Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.

When defining the protection settings for a new or existing bucket, you can enable object locking on destination buckets, provided that the source and destination clusters run ONTAP 9.14.1 or later, and that object locking is enabled on the source bucket. The object locking mode and lock retention tenure of the source bucket become applicable for the replicated objects on the destination bucket. You can also define a different lock retention period for the destination bucket in the Destination Settings section. This retention period is also applied to any non-locked objects replicated from the source bucket and S3 interfaces.

For information about how to enable object locking on a bucket, see Create a bucket.

CLI
  1. If this is the first SnapMirror S3 relationship for this SVM, verify that root user keys exist for both source and destination SVMs and regenerate them if they do not:
    vserver object-store-server user show

    Verify that there is an access key for the root user. If there is not, enter:
    vserver object-store-server user regenerate-keys -vserver svm_name -user root

    Do not regenerate the key if one already exists.

  2. Create a bucket on the destination SVM to be the mirror target:

    vserver object-store-server bucket create -vserver svm_name -bucket dest_bucket_name [-size integer[KB|MB|GB|TB|PB]] [-comment text] [additional_options]

  3. Verify that the access rules of the default bucket policies are correct in both the source and destination SVMs:

    vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]

    Example
    src_cluster::> vserver object-store-server bucket policy add-statement -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource test-bucket,test-bucket/*
  4. On the source SVM, create a SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:

    snapmirror policy create -vserver svm_name -policy policy_name -type continuous [-rpo integer] [-throttle throttle_type] [-comment text] [additional_options]

    Parameters:

    • continuous – the only policy type for SnapMirror S3 relationships (required).

    • -rpo – specifies the time for recovery point objective, in seconds (optional).

    • -throttle – specifies the upper limit on throughput/bandwidth, in kilobytes per second (optional).

      Example
      src_cluster::> snapmirror policy create -vserver vs0 -type continuous -rpo 0 -policy test-policy
  5. Install CA certificates on the admin SVMs of source and destination clusters:

    1. On the source cluster, install the CA certificate that signed the destination S3 server certificate:
      security certificate install -type server-ca -vserver src_admin_svm -cert-name dest_server_certificate

    2. On the destination cluster, install the CA certificate that signed the source S3 server certificate:
      security certificate install -type server-ca -vserver dest_admin_svm -cert-name src_server_certificate

      If you are using a certificate signed by an external CA vendor, install the same certificate on the source and destination admin SVM.

      See the security certificate install man page for details.

  6. On the source SVM, create a SnapMirror S3 relationship:

    snapmirror create -source-path src_svm_name:/bucket/bucket_name -destination-path dest_peer_svm_name:/bucket/bucket_name, …​} [-policy policy_name]

    You can use a policy you created or accept the default.

    Example
    src_cluster::> snapmirror create -source-path vs0:/bucket/test-bucket -destination-path vs1:/bucket/test-bucket-mirror -policy test-policy
  7. Verify that mirroring is active:
    snapmirror show -policy-type continuous -fields status
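
A pre-flight check for the bucket policy step (System Manager step 4, CLI step 3), added here as an example and not taken from the NetApp documentation: it tokenizes an `add-statement` command the way a whitespace-separated CLI would and reports actions missing from the page's list, actions beyond it, and list options broken apart by a stray space. The function names, the sample commands and the action `ExampleExtraAction` are hypothetical, and whitespace-separated argument parsing is an assumption of the check.

```python
import shlex

# The eight actions the page lists for a bucket protected by SnapMirror S3.
REQUIRED_ACTIONS = {
    "GetObject", "PutObject", "DeleteObject", "ListBucket", "GetBucketAcl",
    "GetObjectAcl", "ListBucketMultipartUploads", "ListMultipartUploadParts",
}

def parse_options(command):
    """Map each -option to the list of whitespace-separated tokens after it."""
    opts, current = {}, None
    for tok in shlex.split(command):
        if tok.startswith("-") and len(tok) > 1:  # a bare "-" is a value
            current = tok
            opts[current] = []
        elif current is not None:
            opts[current].append(tok)
    return opts

def lint_add_statement(command):
    """Compare an add-statement command with the page's action list."""
    opts = parse_options(command)
    # A list option must be exactly one token: absent, or split by a space
    # after a comma, both count as malformed.
    malformed = [o for o in ("-action", "-resource")
                 if len(opts.get(o, [])) != 1]
    actions = {a for tok in opts.get("-action", [])
               for a in tok.split(",") if a}
    return {
        "malformed": malformed,
        "missing": sorted(REQUIRED_ACTIONS - actions),
        "extra": sorted(actions - REQUIRED_ACTIONS),  # review for least privilege
    }

# Constructed sample commands (not captured from a real system).
PREFIX = ("vserver object-store-server bucket policy add-statement "
          "-vserver vs0 -bucket test-bucket -effect allow ")
GOOD = (PREFIX + "-action " + ",".join(sorted(REQUIRED_ACTIONS))
        + " -principal - -resource test-bucket,test-bucket/*")
BAD = (PREFIX + "-action GetObject,PutObject,ListBucket,ExampleExtraAction"
       + " -principal - -resource test-bucket, test-bucket /*")

if __name__ == "__main__":
    for label, cmd in (("good", GOOD), ("bad", BAD)):
        print(label, lint_add_statement(cmd))
```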