NetBackup™ Snapshot Manager Install and Upgrade Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (10.3)
  1. Introduction
    1.  
      About the deployment approach
    2.  
      Deciding where to run NetBackup Snapshot Manager
    3.  
      About deploying NetBackup Snapshot Manager in the cloud
  2. Section I. NetBackup Snapshot Manager installation and configuration
    1. Preparing for NetBackup Snapshot Manager installation
      1.  
        Meeting system requirements
      2.  
        NetBackup Snapshot Manager host sizing recommendations
      3.  
        NetBackup Snapshot Manager extension sizing recommendations
      4.  
        Creating an instance or preparing the host to install NetBackup Snapshot Manager
      5.  
        Installing container platform (Docker, Podman)
      6.  
        Creating and mounting a volume to store NetBackup Snapshot Manager data
      7.  
        Verifying that specific ports are open on the instance or physical host
      8.  
        Preparing NetBackup Snapshot Manager for backup from snapshot jobs
    2. Deploying NetBackup Snapshot Manager using container images
      1.  
        Before you begin installing NetBackup Snapshot Manager
      2. Installing NetBackup Snapshot Manager in the Docker/Podman environment
        1.  
          (Optional) Policies for podman based deployments
      3.  
        Securing the connection to NetBackup Snapshot Manager
      4.  
        Verifying that NetBackup Snapshot Manager is installed successfully
      5.  
        Restarting NetBackup Snapshot Manager
    3. Deploying NetBackup Snapshot Manager extensions
      1.  
        Before you begin installing NetBackup Snapshot Manager extensions
      2.  
        Downloading the NetBackup Snapshot Manager extension
      3. Installing the NetBackup Snapshot Manager extension on a VM
        1.  
          Prerequisites to install the extension on VM
        2.  
          Installing the extension on a VM
      4. Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (AKS) in Azure
        1.  
          Prerequisites to install the extension on a managed Kubernetes cluster in Azure
        2.  
          Installing the extension on Azure (AKS)
      5. Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (EKS) in AWS
        1.  
          Prerequisites to install the extension on a managed Kubernetes cluster in AWS
        2. Installing the extension on AWS (EKS)
          1.  
            Install extension using the extension script
      6. Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (GKE) in GCP
        1.  
          Prerequisites to install the extension on a managed Kubernetes cluster in GCP
        2.  
          Installing the extension on GCP (GKE)
      7.  
        Install extension using the Kustomize and CR YAMLs
      8.  
        Managing the extensions
    4. NetBackup Snapshot Manager cloud providers
      1.  
        Why to configure the NetBackup Snapshot Manager cloud providers?
      2. AWS plug-in configuration notes
        1.  
          Prerequisites for configuring the AWS plug-in
        2.  
          Prerequisites for application consistent snapshots using AWS Systems Service Manager
        3.  
          Configuring AWS permissions for NetBackup Snapshot Manager
        4.  
          AWS permissions required by NetBackup Snapshot Manager
        5.  
          Before you create a cross account configuration
      3. Google Cloud Platform plug-in configuration notes
        1.  
          Google Cloud Platform permissions required by NetBackup Snapshot Manager
        2.  
          Configuring a GCP service account for NetBackup Snapshot Manager
        3.  
          Preparing the GCP service account for plug-in configuration
        4.  
          GCP cross-project restore configuration
      4. Microsoft Azure plug-in configuration notes
        1.  
          Configuring permissions on Microsoft Azure
        2.  
          About Azure snapshots
      5. Microsoft Azure Stack Hub plug-in configuration notes
        1.  
          Configuring permissions on Microsoft Azure Stack Hub
        2.  
          Configuring staging location for Azure Stack Hub VMs to restore from backup
    5. Configuration for protecting assets on cloud hosts/VM
      1.  
        Deciding which feature (on-host agent or agentless) of NetBackup Snapshot Manager is to be used for protecting the assets
      2. Protecting assets with NetBackup Snapshot Manager's on-host agent feature
        1. Installing and configuring NetBackup Snapshot Manager agent
          1.  
            Downloading and installing the NetBackup Snapshot Manager agent
          2. Linux/SUSE Linux-based agent
            1.  
              Preparing to install the Linux/SUSE Linux-based agent
            2.  
              Registering the Linux/SUSE Linux-based agent
          3. Windows-based agent
            1.  
              Preparing to install the Windows-based agent
            2.  
              Registering the Windows-based agent
        2. Configuring the NetBackup Snapshot Manager application plug-in
          1.  
            Configuring an application plug-in
          2. Microsoft SQL plug-in
            1.  
              Microsoft SQL plug-in configuration requirements
            2.  
              Restore requirements and limitations for Microsoft SQL Server
            3.  
              Steps required before restoring SQL AG databases
            4.  
              Additional steps required after restoring SQL AG databases
            5. Additional steps required after a SQL Server instance snapshot restore
              1.  
                Steps required after a SQL Server host-level restore
              2.  
                Steps required after a SQL Server instance disk-level snapshot restore to new location
          3. Oracle plug-in
            1. Oracle plug-in configuration requirements
              1.  
                Optimizing your Oracle database data and metadata files
            2.  
              Restore requirements and limitations for Oracle
            3.  
              Additional steps required after an Oracle snapshot restore
      3. Protecting assets with NetBackup Snapshot Manager's agentless feature
        1. Prerequisites for the agentless configuration
          1.  
            Configuring SMB for Windows (Optional)
          2.  
            Configuring WMI security for Windows (optional)
        2.  
          Configuring the agentless feature
        3.  
          Configuring the agentless feature after upgrading NetBackup Snapshot Manager
    6. Snapshot Manager catalog backup and recovery
      1.  
        About using script
      2.  
        NetBackup Snapshot Manager data backup
      3.  
        NetBackup Snapshot Manager data recovery
    7. NetBackup Snapshot Manager assets protection
      1. NetBackup protection plan
        1.  
          Creating a NetBackup protection plan for cloud assets
        2.  
          Subscribing cloud assets to a NetBackup protection plan
      2.  
        Assigning tags on snapshots and Restore Point Collection
      3.  
        Configuring VSS to store shadow copies on the originating drive
      4.  
        Additional steps required after restoring an AWS RDS database instance
    8. Volume Encryption in NetBackup Snapshot Manager
      1.  
        About volume encryption support in NetBackup Snapshot Manager
      2.  
        Volume encryption for Azure
      3.  
        Volume encryption for GCP
      4.  
        Volume encryption for AWS
    9. NetBackup Snapshot Manager security
      1.  
        Configuring security for Azure Stack
      2.  
        Configuring the cloud connector for Azure Stack
      3.  
        CA configuration for Azure Stack
  3. Section II. NetBackup Snapshot Manager maintenance
    1. NetBackup Snapshot Manager logging
      1.  
        About NetBackup Snapshot Manager logging mechanism
      2. How Fluentd-based NetBackup Snapshot Manager logging works
        1.  
          About the NetBackup Snapshot Manager fluentd configuration file
        2.  
          Modifying the fluentd configuration file
      3.  
        NetBackup Snapshot Manager logs
      4.  
        Troubleshooting NetBackup Snapshot Manager logging
    2. Upgrading NetBackup Snapshot Manager
      1.  
        About NetBackup Snapshot Manager upgrades
      2.  
        Supported upgrade path
      3.  
        Upgrade scenarios
      4.  
        Preparing to upgrade NetBackup Snapshot Manager
      5.  
        Upgrading NetBackup Snapshot Manager
      6.  
        Upgrading NetBackup Snapshot Manager using patch or hotfix
      7.  
        Applying operating system patches on NetBackup Snapshot Manager host
      8. Migrating and upgrading NetBackup Snapshot Manager
        1.  
          Before you begin migrating NetBackup Snapshot Manager
        2.  
          Migrate and upgrade NetBackup Snapshot Manager on RHEL 8.8
      9.  
        GCP configuration for migration from zone to region
      10. Post-upgrade tasks
        1.  
          Upgrading NetBackup Snapshot Manager extensions
      11.  
        Post-migration tasks
    3. Uninstalling NetBackup Snapshot Manager
      1.  
        Preparing to uninstall NetBackup Snapshot Manager
      2.  
        Backing up NetBackup Snapshot Manager
      3.  
        Unconfiguring NetBackup Snapshot Manager plug-ins
      4.  
        Unconfiguring NetBackup Snapshot Manager agents
      5.  
        Removing the NetBackup Snapshot Manager agents
      6.  
        Removing NetBackup Snapshot Manager from a standalone Docker host environment
      7.  
        Removing NetBackup Snapshot Manager extensions - VM-based or managed Kubernetes cluster-based
      8.  
        Restoring NetBackup Snapshot Manager
    4. Troubleshooting NetBackup Snapshot Manager
      1.  
        Troubleshooting NetBackup Snapshot Manager
      2.  
        SQL snapshot or restore and granular restore operations fail if the Windows instance loses connectivity with the NetBackup Snapshot Manager host
      3.  
        Disk-level snapshot restore fails if the original disk is detached from the instance
      4.  
        Discovery is not working even after assigning system managed identity to the control node pool
      5.  
        Performance issue with GCP backup from snapshot
      6.  
        Post migration on host agents fail with an error message
      7.  
        File restore job fails with an error message
      8.  
        Acknowledgment not received for datamover
      9.  
        Upgrade of extension on AWS (EKS) fails when upgrading through script
      10.  
        Backup and restore jobs fail with timeout error
      11.  
        GCP restore with encryption key failed with an error message
      12.  
        Amazon Redshift databases not available after discovery
      13.  
        Shared VPC subnet not visible
      14.  
        Failure of encryption key listing during VM restore
      15.  
        Container manager may not spawn the ephemeral registration container timely
      16.  
        GCP restore from VM fails to obtain firewall rules
      17.  
        Parameterised VM restore fails to retrieve encryption keys

AWS permissions required by NetBackup Snapshot Manager

The following is a IAM role definition (in JSON format) that gives NetBackup Snapshot Manager the ability to configure AWS plugin and discover assets, manage the snapshots and so on.

Table: NetBackup Snapshot Manager feature Vs permissions for AWS cloud provider

Feature

Task/Operation

Required permission

VM based

KMS (Encryption and Decryption)

To list the KMS keys during various operations.

kms:ListKeys

KMS feature provided by NetBackup Snapshot Manager.

kms:Encrypt

kms:Decrypt

kms:GenerateDataKey

kms:GenerateDataKeyWithoutPlaintext

kms:CreateGrant

Internally required by AWS for replication of encrypted snapshot.

kms:ReEncryptTo

kms:ReEncryptFrom

To get the information of a particular KMS key.

kms:DescribeKey

To list the KMS keys aliases during various operations.

kms:ListAliases

Protection of RDS resources

To list RDS database snapshots (discovery).

rds:DescribeDBSnapshots

To list RDS database clusters (discovery).

rds:DescribeDBClusters

To list RDS database cluster snapshots (discovery).

rds:DescribeDBClusterSnapshots

To delete RDS database snapshot (snapshot expiry).

rds:DeleteDBSnapshot

To create RDS database snapshot.

rds:CreateDBSnapshot

To create RDS database cluster snapshot.

rds:CreateDBClusterSnapshot

To share/un share RDS database snapshot with a different account, for cross-account replication.

rds:ModifyDBSnapshotAttribute

To list RDS database subnet groups (discovery).

rds:DescribeDBSubnetGroups

To list RDS database instances (discovery).

rds:DescribeDBInstances

To copy RDS database snapshot between regions, used for replication.

rds:CopyDBSnapshot

To copy RDS database cluster snapshot between regions, used for replication.

rds:CopyDBClusterSnapshot

Implicitly required during restore/replicate operations of cross-account snapshot to read the attributes.

rds:DescribeDBSnapshotAttributes

To delete RDS database cluster snapshot (snapshot expiry).

rds:DeleteDBClusterSnapshot

To list tags for RDS resources.

rds:ListTagsForResource

To add tags for RDS resources, during snapshot, replication and restore.

rds:AddTagsToResource

Recovery of RDS resources

To modify settings for RDS database instance.

To modify security group during restore.

rds:ModifyDBInstance

To share/un share RDS database cluster snapshot with a different account for cross-account replication.

rds:ModifyDBClusterSnapshotAttribute

To create RDS database instance from snapshot (snapshot restore).

rds:RestoreDBInstanceFromDBSnapshot

To modify settings for RDS database cluster.

rds:ModifyDBCluster

To create RDS database cluster from snapshot (snapshot restore).

rds:RestoreDBClusterFromSnapshot

To create RDS database instance while restoring RDS cluster.

rds:CreateDBInstance

Required internally by AWS to restore RDS database cluster.

rds:RestoreDBClusterToPointInTime

To create RDS database security group, restore RDS with default security group.

rds:CreateDBSecurityGroup

To create RDS database cluster.

rds:CreateDBCluster

Required internally by AWS to restore RDS database instance.

rds:RestoreDBInstanceToPointInTime

To get the information about parameter group during restore of RDS cluster snapshot.

rds:DescribeDBClusterParameterGroups

Backup of EC2 resources

To get the information about the user/role being used to make API requests (through which CSP is configured).

sts:GetCallerIdentity

This is required on the source account role, for configuring cross-account provider configuration along with other pre-requisites which are required on the cross account role.

sts:AssumeRole

To create EBS volume snapshot.

ec2:CreateSnapshot

To create EC2 instance snapshot (snapshot of all the attached disks).

ec2:CreateSnapshots

To list EC2 instances (discovery) .

ec2:DescribeInstances

To get the status of the specified EC2 instance.

ec2:DescribeInstanceStatus

To share/un share the EBS snapshots with a different account for cross-account replication.

ec2:ModifySnapshotAttribute

To replicate EBS snapshot from one region to other.

To replicate EC2 instance snapshots disk by disk.

ec2:CopySnapshot

To list EBS snapshots (discovery).

ec2:DescribeSnapshots

To get the status of the specified EBS volume.

ec2:DescribeVolumeStatus

To list EBS volumes (discovery).

ec2:DescribeVolumes

Used during restore of EC2 instance snapshot, an AMI is registered intermediately to launch the EC2 instance.

ec2:RegisterImage

To get the specific attribute of specified EBS volume during various operations.

ec2:DescribeVolumeAttribute

To list subnets (discovery).

ec2:DescribeSubnets

To list VPCs (discovery).

ec2:DescribeVpcs

To de-register intermediate AMI registered during restore of EC2 instance

ec2:DeregisterImage

To delete EBS snapshot (snapshot expiry / cleanup during snapshot creation failure).

ec2:DeleteSnapshot

To get the specific attribute of specified EC2 instance.

ec2:DescribeInstanceAttribute

To list regions.

ec2:DescribeRegions

To list availability zones (discovery).

ec2:DescribeAvailabilityZones

To reset permission settings for the specified snapshot modified during cross account replication.

To reset permission settings for the specified snapshot modified during cross account replication.

ec2:ResetSnapshotAttribute

To list dedicated hosts (discovery).

ec2:DescribeHosts

To list AMIs (EC2 instance snapshots created by NetBackup Snapshot Manager) (discovery)

ec2:DescribeImages

To list security groups (discovery).

ec2:DescribeSecurityGroups

To list the network interfaces of EC2 instance, required for EC2 instance discovery.

ec2:DescribeNetworkInterfaces

Recovery of EC2 resources

To create EC2 instance (restoring the host snapshot).

ec2:RunInstances

Internally used by AWS to attach specified network interface to given instance, required for restore for host snapshot.

ec2:AttachNetworkInterface

To detach EBS volume(s) from EC2 instance during rollback restore. Also, during GRT workflow, the intermediate volume which first gets attached is later detached.

ec2:DetachVolume

To attach the new EBS volume(s) to EC2 instance in case of rollback restore. Also, during restore of volume snapshot to an EC2 instance, the new created disk is attached to the specified instance.

ec2:AttachVolume

To delete tags on EC2 resources. Some NetBackup Snapshot Manager internal tags are created during various operations which need to be removed later.

ec2:DeleteTags

To create tags on EC2 resources. Required to tag the created/restored resources with NetBackup Snapshot Manager metadata tags and source resource tags.

ec2:CreateTags

To power on the specified instance. Required during restore flow where option to start/stop the instance post restore is specified.

ec2:StartInstances

To power off the specified instance. Required during restore flow where option to start/stop the instance post restore is specified.

ec2:StopInstances

To delete EC2 instance in case of failed restore operation. Also required to delete intermediate EC2 instance created during restore from backup copy.

ec2:TerminateInstances

To create EBS volume from snapshot. Used during volume snapshot restore and instance snapshot rollback restore.

ec2:CreateVolume

To delete EBS volume in case of failed restore operation. Delete detached volumes in case of successful rollback restore. Delete intermediate volume created during GRT operation. Delete volumes along with intermediate EC2 instance created during restore from backup copy.

ec2:DeleteVolume

To get IAM instance profile association status for IAM role attached to the restored instance.

ec2:DescribeIamInstanceProfileAssociations

To attach IAM role to the restored EC2 instance.

ec2:AssociateIamInstanceProfile

To associate elastic IP to EC2 instance/network interface during restore.

ec2:AssociateAddress

To list the SSH key pair for validating the user provided key pair for associating with the restored EC2 instance.

ec2:DescribeKeyPairs

To check whether the availability zone associated with the selected subnet for EC2 instance restore supports the instance type.

ec2:DescribeInstanceTypeOfferings

Internally used by AWS to check whether EBS encryption by default is enabled for the account in the current region.

ec2:GetEbsEncryptionByDefault

Backup from snapshot

To list the blocks of the snapshot(s) being backed up.

ebs:ListSnapshotBlocks

To get the data of a particular snapshot block, read snapshot block.

ebs:GetSnapshotBlock

To list the changed blocks between two snapshots of same EBS volume.

ebs:ListChangedBlocks

Restore from backup copy

To mark the snapshot as complete after writing all the blocks, close the snapshot post restore.

ebs:CompleteSnapshot

To write the blocks to the newly created snapshot during restore from backup.

ebs:PutSnapshotBlock

To create an empty snapshot to be used to write blocks for restoring from backup copy.

ebs:StartSnapshot

Identity management and authorization

To get the alias of the AWS account configured in CSP. This is used for display name of the AWS account usable in various contexts including intelligent groups.

iam:ListAccountAliases

Simulates IAM policies and permissions against a set of operations. Used to verify if required permissions are present with the user/role being used for CSP configuration.

iam:SimulatePrincipalPolicy

PaaS workloads protection (DynamoDB)

To list DynamoDB tables used during discovery.

dynamodb:ListTables

To get the information of a particular DynamoDB table during backup .

dynamodb:DescribeTable

To create table during restore.

dynamodb:CreateTable

To do batch write during restore of dynamodb table.

dynamodb:BatchWriteItem

To list the continuous backups of dynamodb table during backup.

dynamodb:DescribeContinuousBackups

To do point in time restore of dyanmodb table which continues backup to s3 during backup.

dynamodb:ExportTableToPointInTime

To check status of export of continues backup of dynamodb table to s3.

dynamodb:DescribeExport

To delete table in case of failure during restore.

dynamodb:DeleteTable

To update dynamodb table metadata.

dynamodb:UpdateTable

To set the continues backup for table if not already set.

dynamodb:UpdateContinuousBackups

PaaS workloads protection (Redshift)

To list databases of a Redshift cluster. Retrieve information about database names and their metadata. This permission is for cluster level.

redshift:ListDatabases

To connect to Redshift cluster database using IAM.

redshift:GetClusterCredentialsWithIAM

To run a query in a Redshift cluster database.

redshift-data:ExecuteStatement

To list databases of a Redshift cluster via redshift-data API which is a different endpoint than redshift API endpoint. This permission is required for redshift without a server.

redshift-data:ListDatabases

To fetch temporarily cached result of an SQL statement executed on Redshift cluster databases.

redshift-data:GetStatementResult

For getting properties of Redshift clusters.

redshift:DescribeClusters

For canceling a query executed on Redshift cluster database used during NetBackup job cancellation.

redshift-data:CancelStatement

To connect to Redshift cluster database.

redshift:GetClusterCredentials

Required to get the details about a specific instance when a query is run by the Amazon Redshift Data API.

redshift-data:DescribeStatement

PaaS workloads protection (S3)

To create a s3 bucket required during DynamoDB and Redshift backup/restores.

s3:CreateBucket

To check if bucket already exists used during DynamoDB and Redshift backup/restores.

s3:ListBucket

To retrieve ACLs of an s3 object (file) stored in bucket during DynamoDB and Redshift backups.

s3:GetObjectAcl

To retrieve contents of an s3 object (file) stored in bucket during DynamoDB and Redshift backups.

s3:GetObject

To remove object from s3 bucket required during DynamoDB and Redshift backup/restores.

s3:DeleteObject

To upload data on s3 bucket required during DynamoDB and Redshift restores.

s3:PutObject

Restore object lock S3

s3:PutObjectRetention

Provider managed consistent snapshots

To send command to the instance configured with SSM, it will run the SSM document to take snapshot.

ssm:SendCommand

To get details of the SSM document and to check the existence of the document created by NetBackup Snapshot Manager for taking application consistent snapshot.

ssm:DescribeDocument

To get the list of instances configured with SSM which are online. The information is also used to fetch platform of the instance.

ssm:DescribeInstanceInformation

To update the default version of the SSM document created by NetBackup Snapshot Manager.

ssm:UpdateDocumentDefaultVersion

To update the contents of the SSM document with the latest one in case of upgrade.

ssm:UpdateDocument

To create the SSM document which will be used to take application consistent snapshot.

ssm:CreateDocument

To get the status and output of the command, that is document execution, and snapshot response.

ssm:GetCommandInvocation

Provider managed consistent snapshots

Role/Policy:AmazonSSMManagedInstanceCore

Permissions on workload VM

To create consistent snapshot of the workload VM on which SSM document runs.

ec2:CreateSnapshots

To create tags to the snapshots created through SSM document.

ec2:CreateTags

To create snapshot of the VM disk by disk.

ec2:CreateSnapshot

Kubernetes cluster based

Role/Policy: AmazonEKSClusterPolicy, AmazonEKSWorkerNodePolicy, AmazonEC2ContainerRegistryReadOnly, AmazonEKS_CNI_Policy, AmazonEKSServicePolicy

EKS

To get kubernetes cluster's nodegroup details regarding scaling configuration.

eks:DescribeNodegroup

To get the status of the scaling done on the cluster.

eks:DescribeUpdate

To scale kubernetes cluster, update node group size.

eks:UpdateNodegroupConfig

To list kubernetes clusters, discover cluster.

eks:ListClusters

To get the information of specified kubernetes cluster, discover cluster attributes.

eks:DescribeCluster

Marketplace deployment

High availability

Required for EKS and for marketplace deployment.

autoscaling:UpdateAutoScalingGroup

autoscaling:AttachInstances

For DR through marketplace.

autoscaling:DescribeScalingActivities

autoscaling:TerminateInstanceInAutoScalingGroup

To send notifications during DR.

sns:Publish

sns:GetTopicAttributes

Deployment

To add the specified outbound (egress) rules to a security group during restore.

ec2:AuthorizeSecurityGroupEgress

To add the specified inbound (ingress) rules to a security group during restore.

ec2:AuthorizeSecurityGroupIngress