Create a mirror relationship for a new bucket (remote cluster)
When you create new S3 buckets, you can protect them immediately to an SnapMirror S3 destination on a remote cluster.
You will need to perform tasks on both source and destination systems.
-
Requirements for ONTAP versions, licensing, and S3 server configuration have been completed.
-
A peering relationship exists between source and destination clusters, and a peering relationship exists between source and destination storage VMs.
-
CA Certificates are needed for the source and destination VMs. You can use self-signed CA certificates or certificates signed by an external CA vendor.
-
If this is the first SnapMirror S3 relationship for this storage VM, verify that root user keys exist for both source and destination storage VMs and regenerate them if they do not:
-
Click Storage > Storage VMs and then select the storage VM.
-
In the Settings tab, click in the S3 tile.
-
In the Users tab, verify that there is an access key for the root user.
-
If there is not, click next to root, then click Regenerate Key.
Do not regenerate the key if one already exists.
-
-
Edit the storage VM to add users, and to add users to groups, in both the source and destination storage VMs:
Click Storage > storage VMs, click the storage VM, click Settings and then click under S3.
See Add S3 users and groups for more information.
-
On the source cluster, create an SnapMirror S3 policy if you don’t have an existing one and you don’t want to use the default policy:
-
Click Protection > Overview, and then click Local Policy Settings.
-
Click next to Protection Policies, then click Add.
-
Enter the policy name and description.
-
Select the policy scope, cluster or SVM
-
Select Continuous for SnapMirror S3 relationships.
-
Enter your Throttle and Recovery Point Objective values.
-
-
-
Create a bucket with SnapMirror protection:
-
Click Storage > Buckets, then click Add. Verifying permissions is optional but recommended.
-
Enter a name, select the storage VM, enter a size, then click More Options.
-
Under Permissions, click Add.
-
Principal and Effect - select values corresponding to your user group settings or accept the defaults.
-
Actions- make sure the following values are shown:
GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts
-
Resources - use the defaults
(bucketname, bucketname/*)
or other values you need.See Manage user access to buckets for more information about these fields.
-
-
Under Protection, check Enable SnapMirror (ONTAP or Cloud). Then enter the following values:
-
Destination
-
TARGET: ONTAP System
-
CLUSTER: Select the remote cluster.
-
STORAGE VM: Select a storage VM on the remote cluster.
-
S3 SERVER CA CERTIFICATE: Copy and paste the contents of the source certificate.
-
-
Source
-
S3 SERVER CA CERTIFICATE: Copy and paste the contents of the destination certificate.
-
-
-
-
Check Use the same certificate on the destination if you are using a certificate signed by an external CA vendor.
-
If you click Destination Settings, you can also enter your own values in place of the defaults for bucket name, capacity, and performance service level.
-
Click Save. A new bucket is created in the source storage VM, and it is mirrored to a new bucket that is created the destination storage VM.
Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.
When defining the protection settings for a new or existing bucket, you can enable object locking on destination buckets, provided that the source and destination clusters run ONTAP 9.14.1 or later, and that object locking is enabled on the source bucket. The object locking mode and lock retention tenure of the source bucket become applicable for the replicated objects on the destination bucket. You can also define a different lock retention period for the destination bucket in the Destination Settings section. This retention period is also applied to any non-locked objects replicated from the source bucket and S3 interfaces.
For information about how to enable object locking on a bucket, see Create a bucket.
-
If this is the first SnapMirror S3 relationship for this SVM, verify that root user keys exist for both source and destination SVMs and regenerate them if they do not:
vserver object-store-server user show
Verify that there is an access key for the root user. If there is not, enter:
vserver object-store-server user regenerate-keys -vserver svm_name -user root
Do not regenerate the key if one already exists.
-
Create buckets in both the source and destination SVMs:
vserver object-store-server bucket create -vserver svm_name -bucket bucket_name [-size integer[KB|MB|GB|TB|PB]] [-comment text] [additional_options]
-
Add access rules to the default bucket policies in both the source and destination SVMs:
vserver object-store-server bucket policy add-statement -vserver svm_name -bucket bucket_name -effect {allow|deny} -action object_store_actions -principal user_and_group_names -resource object_store_resources [-sid text] [-index integer]
Examplesrc_cluster::> vserver object-store-server bucket policy add-statement -bucket test-bucket -effect allow -action GetObject,PutObject,DeleteObject,ListBucket,GetBucketAcl,GetObjectAcl,ListBucketMultipartUploads,ListMultipartUploadParts -principal - -resource test-bucket, test-bucket /*
-
On the source SVM, create an SnapMirror S3 policy if you don't have an existing one and you don't want to use the default policy:
snapmirror policy create -vserver svm_name -policy policy_name -type continuous [-rpo integer] [-throttle throttle_type] [-comment text] [additional_options]
Parameters:
-
type
continuous
- the only policy type for SnapMirror S3 relationships (required). -
-rpo
- specifies the time for recovery point objective, in seconds (optional). -
-throttle
- specifies the upper limit on throughput/bandwidth, in kilobytes/seconds (optional).Examplesrc_cluster::> snapmirror policy create -vserver vs0 -type continuous -rpo 0 -policy test-policy
-
-
Install CA server certificates on the admin SVMs of the source and destination clusters:
-
On the source cluster, install the CA certificate that signed the destination S3 server certificate:
security certificate install -type server-ca -vserver src_admin_svm -cert-name dest_server_certificate
-
On the destination cluster, install the CA certificate that signed the source S3 server certificate:
security certificate install -type server-ca -vserver dest_admin_svm -cert-name src_server_certificate
If you are using a certificate signed by an external CA vendor, install the same certificate on the source and destination admin SVM.
See the
security certificate install
man page for details.
-
-
On the source SVM, create an SnapMirror S3 relationship:
snapmirror create -source-path src_svm_name:/bucket/bucket_name -destination-path dest_peer_svm_name:/bucket/bucket_name, …} [-policy policy_name]
You can use a policy you created or accept the default.
Examplesrc_cluster::> snapmirror create -source-path vs0-src:/bucket/test-bucket -destination-path vs1-dest:bucket/test-bucket-mirror -policy test-policy
-
Verify that mirroring is active:
snapmirror show -policy-type continuous -fields status