How to block incoming connections to various NetBackup services at the PBX layer

Article: 100048495
Last Published: 2025-01-30
Product(s): Appliances

Description

In some busy customer environments, multiple hosts that are configured as NetBackup clients also have the media server packages installed. By design, a few NetBackup processes (mainly nbrmms and vmd) send periodic updates / heartbeats to nbemm on the primary server. Even if nbemm rejects these requests, they still contribute to high CPU utilization by the nbemm service.

For NetBackup servers 8.3 and beyond, NetBackup can intercept incoming connections at the PBX layer (similar to a firewall) and stop those requests from being forwarded onto the destination service.

This functionality is implemented via the BLOCK_SERVER_SERVICE touch file located at

  • /opt/VRTSpbx/bin (UNIX)

  • install_path\VxPBX (Windows)

Functionality

The BLOCK_SERVER_SERVICE file is updated manually with a list of IP addresses. These IP addresses represent the connections we would like to discard and prevent from reaching their intended destination service.

PBX loads the blacklist of IPs into memory and compares the IP of each incoming request to the primary server against the list. If a match is found, PBX rejects the request. Requests from IP addresses not present in the BLOCK_SERVER_SERVICE file continue to function as normal.

Updates to the file are picked up in ~15 minutes and no service restart is necessary. The file has to be populated manually by parsing through the PBX logs and identifying whether each IP belongs to a valid media server or to a client that has media server software installed.

EXAMPLE

In the example below, the BLOCK_SERVER_SERVICE list contains three IPs which are not allowed to send requests to NBEMM.
192.168.0.46 EMM
192.168.0.47 EMM
192.168.0.48 EMM

To prevent a source IP address from passing requests to multiple services, add additional lines to the file, each on a new line, indicating the source IP and the destination service.

In the example below, the connections from 192.168.0.48 are blocked from being passed to multiple services - NBEMM, NBREM.
192.168.0.48 EMM
192.168.0.48 NBREM

Implementation

The PBX blocked list configuration should only be used as a last resort. Users should use their own firewalls and other tools to block most network traffic, and/or configure NetBackup processes not to start on connecting hosts.

Once PBX recognizes the IPs to be blocked, the following log lines can be found in the PBX logs when the connection is blocked.

12/04/2019 14:20:26.497 [Application] VxICS 50936 103 PID:26070 TID:139873154193216 File ID:103 [No context] [Info] IP address:192.168.0.48 is blocked for Svc:EMM
12/04/2019 14:21:14.633 [Application] VxICS 50936 103 PID:26070 TID:139873154193216 File ID:103 [No context] [Info] IP address:192.168.0.48 is blocked for Svc:NBREM

More Information

Accessing the PBX logs.

Notes

  • If a socket connection already exists, the connection must be broken so that subsequent requests are handled and blocked by PBX. This can be done by restarting the service on either side of the connection (e.g. nbemm on the master server has a socket connection with vmd on the media server).
  • Identify the IP addresses that need to be blocked and add them to the BLOCK_SERVER_SERVICE file along with the list of services to which connections should be blocked. PBX does not need to be restarted after this change is made. Edits committed to the file are recognized within 10 minutes.
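
The following Python script is an added example, not part of the original article or of NetBackup. It validates BLOCK_SERVER_SERVICE entries and reports which ones have no matching "is blocked" line in the PBX log yet, for instance because the file has not been reloaded or an existing socket connection is still open. The function names and sample data are constructed, and the file is assumed to hold one whitespace-separated IP address and service per line, as in the examples above.

```python
import ipaddress
import re
from collections import Counter

# Message format taken from the PBX log lines shown in this article.
BLOCKED_RE = re.compile(r"IP address:(\S+) is blocked for Svc:(\S+)")

def parse_block_file(text):
    """Parse BLOCK_SERVER_SERVICE content; return (entries, errors)."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 2:
            errors.append((lineno, "expected '<IP> <service>'"))
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            errors.append((lineno, "not an IP address: " + fields[0]))
            continue
        entries.append((ip, fields[1]))
    return entries, errors

def blocked_counts(log_text):
    """Count 'is blocked' log lines per (ip, service) pair."""
    return Counter(BLOCKED_RE.findall(log_text))

def unconfirmed(entries, counts):
    """Entries for which PBX has not yet logged a blocked connection."""
    return [e for e in entries if counts[e] == 0]

# Constructed sample input: entries from the article plus one malformed line.
SAMPLE_FILE = "192.168.0.46 EMM\n192.168.0.48 EMM\n192.168.0.48 NBREM\n192.168.0.300 EMM\n"
SAMPLE_LOG = (
    "12/04/2019 14:20:26.497 [Application] VxICS 50936 103 PID:26070 "
    "[Info] IP address:192.168.0.48 is blocked for Svc:EMM\n"
    "12/04/2019 14:21:14.633 [Application] VxICS 50936 103 PID:26070 "
    "[Info] IP address:192.168.0.48 is blocked for Svc:NBREM\n"
)

if __name__ == "__main__":
    entries, errors = parse_block_file(SAMPLE_FILE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for ip, svc in unconfirmed(entries, blocked_counts(SAMPLE_LOG)):
        print(f"no blocked connection logged yet for {ip} -> {svc}")
```
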
