Limitations and Considerations
All requirements and limitations for a Linux backup repository apply to a hardened repository. In addition, mind the following limitations and considerations.
Hosts and File Systems
- The Linux host file system must support extended attributes modified by the chattr and setfattr commands. For more information, see these Linux articles: lsattr, xattr.
- The ReiserFS file system does not support immutable files. Thus, you cannot select a Linux server running on ReiserFS as a hardened repository.
- Due to Veeam Data Mover requirements, the Linux host version must be 64-bit.
- A hardened repository requires persistent Veeam Data Mover. For security purposes, the rights of Veeam Data Mover are reduced: an SSH connection is necessary only for deployment of Veeam Data Mover to the Linux server. After Veeam Data Mover is deployed, you can disable SSH, so that Veeam components use server and client certificates for authentication. For more information, see Specify Credentials and SSH Settings.
- When configuring a hardened repository, you can use either persistent or single-use credentials. For more information, see Specify Credentials and SSH Settings.
  The corresponding Linux host should not be used twice in the database:
  - If you use single-use credentials, the host where the hardened repository resides cannot have any other role: you cannot add it as a proxy or as a file server.
  - If you use persistent credentials, the host where the hardened repository resides cannot have the proxy role, and the file server role is not recommended.
- NFS does not accept immutability commands from Linux. Because of this, mind the following:
  - You cannot use an NFS share as a hardened repository.
- You can place both hardened repositories and classic repositories on one Linux server only if you have used single-use credentials when adding the host.
- If you want to store backup files in a hardened repository, you cannot select the reverse incremental backup mode.
- While adding a hardened repository to a scale-out backup repository:
  - You can add a hardened repository to your scale-out backup repository as a performance extent. For more information, see Scale-Out Backup Repository and Add Performance Extents.
  - You can mix both immutable and non-immutable repositories within one scale-out backup repository. In this case, only backup files on immutable extents will be protected.
  - If you use the capacity tier option, keep in mind that having hardened repositories as performance extents will affect the capacity tier behavior. You will not be able to move the immutable backup files, because they cannot be deleted from the performance extent; Veeam Backup & Replication will copy such backup files to the capacity tier. When the immutability period is over, Veeam Backup & Replication will delete these files from the performance extent. For more information on copy and move policies, see Copying Backups to Capacity Tier and Moving Backups to Capacity Tier.
  - If you evacuate your backups from an immutable performance extent, Veeam Backup & Replication will copy them instead of moving them. If the target extent is also immutable, then the immutability of the target extent will apply to the copied backup files. For more information on evacuating backups, see Evacuating Backups from Performance Extents.
- Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, if you want to store backup files in a hardened repository, you must enable active full backup or synthetic full backup in the backup job settings.
- You are not able to delete immutable backup files manually from a hardened repository.
- Immutability retention overrides job retention: if the job retention period is shorter than the immutability period, Veeam Backup & Replication will not delete the backup files when the retention period is over, but only when the immutability period expires.
- Metadata files of a backup chain (.VBM) cannot be immutable because they are updated on every job pass. When importing a backup, it is recommended to use VBK backup files.
- For backup copy jobs, enable the GFS retention policy. Otherwise, you will not be able to use the immutability feature. For more information, see Long-Term Retention Policy (GFS).
- [For Nutanix Mine] It is not recommended to switch on repository immutability for the Nutanix Mine infrastructure. Because Mine repositories contain thin-provisioned disks, Veeam Backup & Replication may use the full storage capacity of the repository and be unable to delete backup files from the file system.
- [For Capacity Tier] If a hardened repository is a part of a scale-out backup repository with the capacity tier added, the immutability period for full backup files with GFS retention policy is set according to the hardened repository setting. Otherwise, the following periods will be compared: the immutability period set for the backup repository and the GFS backup file lifetime. The immutability period for full backup files with GFS retention policy will equal the longest of these periods. For example:
  - The backup repository immutability period is 10 days. The GFS backup file lifetime is 3 years. The backup file will be immutable for 3 years.
  - The increments from this full backup file will be immutable for 10 days from the moment of the last increment creation.
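
The host and file system limitations listed under Hosts and File Systems can be checked on a candidate Linux server before it is added. The script below is an added example, not part of the Veeam documentation or product; the function names, the probe file name and the `user.probe` attribute are hypothetical, and it assumes the `findmnt`, `setfattr`, `chattr` and `lsattr` utilities are installed and that it is run as root.

```sh
#!/bin/sh
# Added example: pre-flight check of a candidate hardened repository path.
# Function names, probe file name and user.probe attribute are hypothetical.

# Judge a file system type against the limitations listed above.
# Prints a verdict; returns 1 if the type is ruled out, 0 otherwise.
fs_type_verdict() {
    case "$1" in
        nfs|nfs4) echo "rejected: NFS does not accept immutability commands"; return 1 ;;
        reiserfs) echo "rejected: ReiserFS does not support immutable files"; return 1 ;;
        *)        echo "not ruled out: $1"; return 0 ;;
    esac
}

# Live probe: set an extended attribute and the immutable flag on a
# scratch file, confirm the flag blocks deletion, then clean up.
# chattr +i needs root (CAP_LINUX_IMMUTABLE).
probe_attrs() {
    probe_file=$(mktemp "$1/.immutability-probe.XXXXXX") || return 2
    probe_rc=0
    setfattr -n user.probe -v 1 "$probe_file" 2>/dev/null ||
        { echo "failed: setfattr cannot write extended attributes"; probe_rc=1; }
    if chattr +i "$probe_file" 2>/dev/null; then
        lsattr "$probe_file" | awk '{print $1}' | grep -q i ||
            { echo "failed: immutable flag not reported by lsattr"; probe_rc=1; }
        if rm -f "$probe_file" 2>/dev/null; then
            echo "failed: file was deleted despite the immutable flag"; probe_rc=1
        fi
        chattr -i "$probe_file" 2>/dev/null
    else
        echo "failed: chattr +i refused (not root, or unsupported file system)"; probe_rc=1
    fi
    rm -f "$probe_file"
    return "$probe_rc"
}

# Full check: 64-bit host, file system type, then the live probe.
# getconf LONG_BIT reports the userland word size.
preflight() {
    [ "$(getconf LONG_BIT)" = 64 ] || { echo "rejected: host is not 64-bit"; return 1; }
    fstype=$(findmnt -n -o FSTYPE -T "$1") || return 2
    fs_type_verdict "$fstype" || return 1
    probe_attrs "$1"
}

# Run only when a directory is given, e.g.: sh preflight.sh /mnt/backup
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

An exit status of 0 means none of the file system limitations above was hit for that directory; it does not check the role and credential restrictions, which are enforced in the Veeam Backup & Replication console.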
Veeam Backup & Replication Configuration Backup
Veeam Backup & Replication does not store single-use credentials in the configuration database. Thus, if you back up the Veeam Backup & Replication configuration database and restore the settings of Veeam Backup & Replication, a hardened repository will be unavailable in the Veeam Backup & Replication console. To make a repository available again, do the following after the restore:
- In the Veeam Backup & Replication console, open the Backup Infrastructure view.
- In the navigation pane, select Managed Servers.
- In the working area, right-click the Linux server used as a hardened repository and select Properties.
- At the Step 3. Specify Credentials and SSH Settings of the Edit Backup Server wizard, use single-use credentials and click Finish to update settings.