NetBackup™ Deduplication Guide
- Introducing the NetBackup media server deduplication option
- Quick start
- Planning your deployment
- Planning your MSDP deployment
- NetBackup naming conventions
- About MSDP deduplication nodes
- About the NetBackup deduplication destinations
- About MSDP storage capacity
- About MSDP storage and connectivity requirements
- About NetBackup media server deduplication
- About NetBackup Client Direct deduplication
- About MSDP remote office client deduplication
- About the NetBackup Deduplication Engine credentials
- About the network interface for MSDP
- About MSDP port usage
- About MSDP optimized synthetic backups
- About MSDP and SAN Client
- About MSDP optimized duplication and replication
- About MSDP performance
- About MSDP stream handlers
- MSDP deployment best practices
- Use fully qualified domain names
- About scaling MSDP
- Send initial full backups to the storage server
- Increase the number of MSDP jobs gradually
- Introduce MSDP load balancing servers gradually
- Implement MSDP client deduplication gradually
- Use MSDP compression and encryption
- About the optimal number of backup streams for MSDP
- About storage unit groups for MSDP
- About protecting the MSDP data
- Save the MSDP storage server configuration
- Plan for disk write caching
- Provisioning the storage
- Licensing deduplication
- Configuring deduplication
- Configuring MSDP server-side deduplication
- Configuring MSDP client-side deduplication
- About the MSDP Deduplication Multi-Threaded Agent
- Configuring the Deduplication Multi-Threaded Agent behavior
- Configuring deduplication plug-in interaction with the Multi-Threaded Agent
- About MSDP fingerprinting
- About the MSDP fingerprint cache
- Configuring the MSDP fingerprint cache behavior
- About seeding the MSDP fingerprint cache for remote client deduplication
- Configuring MSDP fingerprint cache seeding on the client
- Configuring MSDP fingerprint cache seeding on the storage server
- Enabling 400 TB support for MSDP
- About MSDP Encryption using NetBackup KMS service
- About MSDP Encryption using external KMS server
- Configuring a storage server for a Media Server Deduplication Pool
- About disk pools for NetBackup deduplication
- Configuring a disk pool for deduplication
- Creating the data directories for 400 TB MSDP support
- Adding volumes to a 400 TB Media Server Deduplication Pool
- Configuring a Media Server Deduplication Pool storage unit
- Configuring client attributes for MSDP client-side deduplication
- Disabling MSDP client-side deduplication for a client
- About MSDP compression
- About MSDP encryption
- MSDP compression and encryption settings matrix
- Configuring encryption for MSDP backups
- Configuring encryption for MSDP optimized duplication and replication
- About the rolling data conversion mechanism for MSDP
- Modes of rolling data conversion
- MSDP encryption behavior and compatibilities
- Configuring optimized synthetic backups for MSDP
- About a separate network path for MSDP duplication and replication
- Configuring a separate network path for MSDP duplication and replication
- About MSDP optimized duplication within the same domain
- Configuring MSDP optimized duplication within the same NetBackup domain
- About MSDP replication to a different domain
- Configuring MSDP replication to a different NetBackup domain
- About NetBackup Auto Image Replication
- About trusted primary servers for Auto Image Replication
- About the certificate to be used for adding a trusted master server
- Adding a trusted master server using a NetBackup CA-signed (host ID-based) certificate
- Adding a trusted primary server using external CA-signed certificate
- Removing a trusted primary server
- Enabling NetBackup clustered primary server inter-node authentication
- Configuring NetBackup CA and NetBackup host ID-based certificate for secure communication between the source and the target MSDP storage servers
- Configuring external CA for secure communication between the source MSDP storage server and the target MSDP storage server
- Configuring a target for MSDP replication to a remote domain
- About configuring MSDP optimized duplication and replication bandwidth
- About performance tuning of optimized duplication and replication for MSDP cloud
- About storage lifecycle policies
- About the storage lifecycle policies required for Auto Image Replication
- Creating a storage lifecycle policy
- About MSDP backup policy configuration
- Creating a backup policy
- Resilient Network properties
- Specifying resilient connections
- Adding an MSDP load balancing server
- About variable-length deduplication on NetBackup clients
- About the MSDP pd.conf configuration file
- Editing the MSDP pd.conf file
- About the MSDP contentrouter.cfg file
- About saving the MSDP storage server configuration
- Saving the MSDP storage server configuration
- Editing an MSDP storage server configuration file
- Setting the MSDP storage server configuration
- About the MSDP host configuration file
- Deleting an MSDP host configuration file
- Resetting the MSDP registry
- About protecting the MSDP catalog
- Changing the MSDP shadow catalog path
- Changing the MSDP shadow catalog schedule
- Changing the number of MSDP catalog shadow copies
- Configuring an MSDP catalog backup
- Updating an MSDP catalog backup policy
- About MSDP FIPS compliance
- Configuring the NetBackup client-side deduplication to support multiple interfaces of MSDP
- About MSDP multi-domain support
- About MSDP application user support
- About MSDP mutli-domain VLAN Support
- About NetBackup WORM storage support for immutable and indelible data
- MSDP cloud support
- About MSDP cloud support
- Create a Media Server Deduplication Pool (MSDP) storage server in the NetBackup web UI
- Creating a cloud storage unit
- Updating cloud credentials for a cloud LSU
- Updating encryption configurations for a cloud LSU
- Deleting a cloud LSU
- Backup data to cloud by using cloud LSU
- Duplicate data cloud by using cloud LSU
- Configuring AIR to use cloud LSU
- About backward compatibility support
- About the configuration items in cloud.json, contentrouter.cfg, and spa.cfg
- About the tool updates for cloud support
- About the disaster recovery for cloud LSU
- About Image Sharing using MSDP cloud
- About restore from a backup in Microsoft Azure Archive
- About MSDP cloud immutable (WORM) storage support
- Monitoring deduplication activity
- Monitoring the MSDP deduplication and compression rates
- Viewing MSDP job details
- About MSDP storage capacity and usage reporting
- About MSDP container files
- Viewing storage usage within MSDP container files
- Viewing MSDP disk reports
- About monitoring MSDP processes
- Reporting on Auto Image Replication jobs
- Managing deduplication
- Managing MSDP servers
- Viewing MSDP storage servers
- Determining the MSDP storage server state
- Viewing MSDP storage server attributes
- Setting MSDP storage server attributes
- Changing MSDP storage server properties
- Clearing MSDP storage server attributes
- About changing the MSDP storage server name or storage path
- Changing the MSDP storage server name or storage path
- Removing an MSDP load balancing server
- Deleting an MSDP storage server
- Deleting the MSDP storage server configuration
- Managing NetBackup Deduplication Engine credentials
- Managing Media Server Deduplication Pools
- Viewing Media Server Deduplication Pools
- Determining the Media Server Deduplication Pool state
- Changing OpenStorage disk pool state
- Viewing Media Server Deduplication Pool attributes
- Setting a Media Server Deduplication Pool attribute
- Changing a Media Server Deduplication Pool properties
- Clearing a Media Server Deduplication Pool attribute
- Determining the MSDP disk volume state
- Changing the MSDP disk volume state
- Inventorying a NetBackup disk pool
- Deleting a Media Server Deduplication Pool
- Deleting backup images
- About MSDP queue processing
- Processing the MSDP transaction queue manually
- About MSDP data integrity checking
- Configuring MSDP data integrity checking behavior
- About managing MSDP storage read performance
- About MSDP storage rebasing
- About the MSDP data removal process
- Resizing the MSDP storage partition
- How MSDP restores work
- Configuring MSDP restores directly to a client
- About restoring files at a remote site
- About restoring from a backup at a target master domain
- Specifying the restore server
- Managing MSDP servers
- Recovering MSDP
- Replacing MSDP hosts
- Uninstalling MSDP
- Deduplication architecture
- Configuring and using universal shares
- About Universal Shares
- Configuring and using an MSDP build-your-own (BYO) server for Universal Shares
- MSDP build-your-own (BYO) server prerequisites and hardware requirements to configure Universal Shares
- Configuring Universal Share user authentication
- Mounting a Universal Share created from the NetBackup web UI
- Creating a Protection Point for a Universal Share
- Using the ingest mode
- Changing the number of vpfsd instances
- Upgrading to NetBackup 10.0
- Troubleshooting
- About unified logging
- About legacy logging
- NetBackup MSDP log files
- Troubleshooting MSDP installation issues
- Troubleshooting MSDP configuration issues
- Troubleshooting MSDP operational issues
- Verify that the MSDP server has sufficient memory
- MSDP backup or duplication job fails
- MSDP client deduplication fails
- MSDP volume state changes to DOWN when volume is unmounted
- MSDP errors, delayed response, hangs
- Cannot delete an MSDP disk pool
- MSDP media open error (83)
- MSDP media write error (84)
- MSDP no images successfully processed (191)
- MSDP storage full conditions
- Troubleshooting MSDP catalog backup
- Storage Platform Web Service (spws) does not start
- Disk volume API or command line option does not work
- Viewing MSDP disk errors and events
- MSDP event codes and messages
- Unable to obtain the administrator password to use an AWS EC2 instance that has a Windows OS
- Trouble shooting multi-domain issues
- Appendix A. Migrating to MSDP storage
- Appendix B. Migrating from Cloud Catalyst to MSDP direct cloud tiering
- About migration from Cloud Catalyst to MSDP direct cloud tiering
- About Cloud Catalyst migration strategies
- About direct migration from Cloud Catalyst to MSDP direct cloud tiering
- About postmigration configuration and cleanup
- About the Cloud Catalyst migration -dryrun option
- About Cloud Catalyst migration cacontrol options
- Reverting back to Cloud Catalyst from a successful migration
- Reverting back to Cloud Catalyst from a failed migration
- Appendix C. Encryption Crawler
- Index
Command usage example outputs
When encryption is not enforced or the rolling data conversion is not finished, the crcontrol command denies Encryption Crawler related operations. The following is an example of the output:
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/crcontrol --encconvertstate CRControlEncConvertInfoGet failed : operation not supported Please double check the server encryption settings
Check the data format of a data container before the Encryption Crawler process. The following is an example of the output:
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan --so-data-format 3080|head -n 15
Path = /MSDP/data/3/3080.[bhd, bin]
*** Header for container 3080 ***
version : 1
flags : 0xe000(DC_ENTRY_FULL|DC_ENTRY_SHA256|DC_ENTRY_BINHEADER)
data file last position : 67001810
header file last position : 55252
source id : 2505958
retention : 0
file size : 67001810
delete space : 0
active records : 511
total records : 511
deleted records : 0
crc32 : 0x4fd80a49
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan --so-data-format 3080|tail -n 15
type of record : SO
version : 4
flags : 0x2
backup session : 1670238781
fptype : 3
size : 131118
record crc : 4164163489
data crc : 1313121942
ctime : 1642086781
offset : 66870692
digest : 7f7fd0c5d8fc64d9a7e25c7c079af86613b40d9feff9d316cdfc09c1eafb1690
KMS Enc : NO
SO crc : 85135236
data format : [LZO Compressed Streamable, v2, window size 143360 bytes]
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan
--so-data-format 3080|grep "data format"|wc
511 5621 38325
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan
--so-data-format 3080|grep "data format"|tail -n 5
data format : [LZO Compressed Streamable, v2, window size 143360 bytes]
data format : [LZO Compressed Streamable, v2, window size 143360 bytes]
data format : [LZO Compressed Streamable, v2, window size 143360 bytes]
data format : [LZO Compressed Streamable, v2, window size 143360 bytes]
data format : [LZO Compressed Streamable, v2, window size 143360 bytes]
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan
--so-data-format 3080|grep "data format"|grep -i -e "AES" -e "Encrypted"Check the data format of a data container after the Encryption Crawler process. The following is an example of the output:
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan --so-data-format 3080|head -n 15
Path = /MSDP/data/3/3080.[bhd, bin]
*** Header for container 3080 ***
version : 1
flags : 0xe000(DC_ENTRY_FULL|DC_ENTRY_SHA256|DC_ENTRY_BINHEADER)
data file last position : 67009986
header file last position : 55252
source id : 2505958
retention : 0
file size : 67009986
delete space : 0
active records : 511
total records : 511
deleted records : 0
crc32 : 0x54380a69
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan --so-data-format 3080|tail -n 15
type of record : SO
version : 4
flags : 0x2
backup session : 1670238781
fptype : 3
size : 131134
record crc : 4210300849
data crc : 1992124019
ctime : 1642086781
offset : 66878852
digest : 7f7fd0c5d8fc64d9a7e25c7c079af86613b40d9feff9d316cdfc09c1eafb1690
KMS Enc : NO
SO crc : 85331847
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan
--so-data-format 3080|grep "data format"|wc
511 8176 59276
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan
--so-data-format 3080|grep "data format"|tail -n 5
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan
--so-data-format 3080|grep "data format"|grep -i -e "AES" -e "Encrypted"
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
data format : [AES-256-CTR Encrypted archive 256bit key LZO Compressed Streamable,
v2, window size 143360 bytes]
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan --so-is-encrypted 3080
1 of 1: unencrypted 0: container 3080: size 67009986Using dcscan --so-is-encrypted to check if a container or a list of containers are encrypted.
The status message unencrypted 0 indicate it's encrypted already, and unencrypted 1 indicates it's unencrypted and needs to be encrypted. The following is an example of the output:
[root@rsvlmvc01vm0771 /]# /usr/openv/pdde/pdcr/bin/dcscan --so-is-encrypted 3080 1 of 1: unencrypted 1: container 3080: size 67001810
Veritas recommends using the reporting tool encryption_reporting to report the unencrypted data in the MSDP pool.
Note:
The encryption reporting tool is not supported on LinuxS or Flex WORM setups.
Table:
OS and Python requirements | Details |
|---|---|
Python requirements for encryption_reporting on Linux installations. | NetBackup Red Hat installations come with Python and there are no extra steps for getting Python running. |
Python requirements for encryption_reporting on Windows BYO installations. | NetBackup 10.0 and newer versions require you to install Python 3.6.8-3.9.6. Currently, no additional software packages are required to be installed. Installing Python 3.6.8-3.9.6
|
By default, the reporting tool creates a thread pool of two threads. The tool uses these threads to search for unencrypted data or to encrypt the unencrypted data. A thread is used to process one MSDP mount point to completion. Upon completing the processing of a mount point, the thread is returned to the thread pool. The thread is then used to process any additional mount point that is queued up for processing.
The number of threads is equal to the number of mountpoints that can be processed concurrently. You can increase or decrease the thread pool's thread count by specifying the -n option. The minimum thread count is 1 and the maximum is 20.
The reporting tool is I/O intensive. Increasing the thread count up to the total number of MSDP mountpoints usually means better performance for the reporting tool. It also means more load on the system which can affect performance of backup, restore, deduplication, and replication jobs. No performance gains are observed for using more threads than there are mountpoints.
When using the reporting tool to search for the unencrypted data, each thread invokes one instance of dcscan. Each dcscan instance uses roughly N * 160 MB of memory. In this equation, N is the number of MSDP mountpoints on the server. If there are a total of 12 MSDP mountpoints, each dcscan instance uses about 1.8 GB of memory. If there are four threads running in the reporting tool, the reporting tool and the dcscan processes consume more than 7 GB of memory.
On a Windows BYO, the default path to dcscan is C:\Program Files\Veritas\pdde. If you have dcscan installed somewhere else, you must use the -d or --dcscan_dir option to specify the correct location.
The encryption_reporting does not account for data encrypted with the Encryption Crawler. If you have previously run the Encryption Crawler to encrypt data, you must clear the metadata files with the -c option if they exist. Then re-run encryption_reporting to get up-to-date information.
In certain circumstances, data may be reported as Encrypted needs KMS convert. This means that the data is encrypted, but not with KMS. If you see this message, use the crawler commands ./crcontrol - encconvertreset and ./crcontrol - encconverton to encrypt the rest of the data with KMS.
Veritas does not recommend that you run the reporting tool while the Encryption Crawler process is active.
./encryption_reporting -h
Display the help output for the command.
./encryption_reporting -n 4
Reports the amount of unencrypted and encrypted data once the script completes scanning. Use the -n option to define the number of threads in the thread pool. The default number of threads is 2.
./encryption_reporting -r
This command reports the amount of unencrypted data from the metadata files that were generated during a previous scan. It doesn't perform a scan.
./encryption_reporting -e -n 4
Uses the metadata files to submit data container encryption commands through crcontrol. Use the -n option to define the number of threads use in the thread pool. The default number of threads is 2.
./encryption_reporting -c
Delete the metadata files that are created during the scan. Be aware this command deletes all metadata files the previous scan generated.
./encryption_reporting
Runs the script to determine the amount of encrypted and unencrypted data on the media server.
This command generates metadata files for each container directory in the MSDP log directory under a directory called
unencrypted_metadata.The script reads in a configfilepath from
/etc/pdregistry.cfgand parses out the path to read in the mount points fromfstab.cfg. It reads in all mount points infstab.cfg.To determine the amount of encrypted and unencrypted data, look for a line similar to the one shown, bold added for emphasis:
2021-01-28 17:46:05,555 - root - CRITICAL - unencrypted bytes 58.53GB, encrypted bytes 14.46GB