Proxmox Backup

Integrating Proxmox Virtual Environment (PVE) and Veeam Backup & Replication (VBR) is a significant step in optimizing backup and recovery policies. This article outlines the key steps to enable the plug-in of VBR, starting with the system architecture, installing and configuring the plug-in, and adding the Proxmox server to the VBR.

Note that the instructions are based on the Beta version of the plug-in, so there may be differences in the official version.

Rereading the article written a few months ago (available on this site at the following link), I believe that those considering virtualization as a commodity will choose PVE to quickly escape the uncertainty caused by Broadcom’s business choices.

Note 1: PVE is a Debian-based Linux distribution with Ubuntu kernel that allows virtual machines and containers to be deployed and managed.

Note 2: Proxmox is a European company based in Austria.

In this first article (of three) we will look at the basic steps to enable the plug-in that allows VBR to implement backup and recovery policies.

Ask your referring Veeam SE to test the Beta version.

Architecture:

Image 1 shows the operation diagram of the integration. The Plug-in is the component that enables communication between the Veeam Backup Server (VBR) and the Proxmox architecture.

Note 3: The Proxy role (referred to here as Worker) is responsible for collecting the data from the VMs to be protected and copying it to the Backup Repository.

The Backup process involves the triggering of snapshots, and the connection between the Proxmox server and VBR is via REST API.

Picture 1

Once the plug-in is installed on the VBR server, it is necessary:

  1. From the console of VBR under Backup Infrastructure add the Proxmox server (images 2 and 3).

picture 2

Picture 3

2. The next images (4 through 9) show the simple steps to add the architecture PVE in the console of VBR.

Picture 4

Picture 5

Picture 6

Picture 7

Note 4: It is possible to select the storage where the snapshots will be saved.

Image 8

Image 9

When finished, you can immediately deploy the worker (proxy). The advantage is to speed up the backup process (image 10).

Image 10

Note 5: For those coming from the world VMware is exactly how to enable the virtual appliance transport method.

In this last step, it is possible to configure which host to deploy the worker, which storage to use (image 11), which resources to assign (image 12), and which networks to operate on (images 13, 14, and 15 ).

Image 11

Image 12

Image 13

Image 14

Image 15

After checking that all configurations meet the desired ones (image 16), clicking finish completes the setup.

Image 16

In the next article, we will see how to configure Backup jobs.

NAS Backup – GFS to TAPE – Part II

In the previous article, we saw how to operate on backup jobs to obtain Fulls that can be used to create a GFS retention policy when the destination of the jobs is a tape.

In this second article, we find out how a similar result can be achieved by copying tapes.

Note1: A second tape library must be present in the DataCenter to pursue this protection process.

Note2: The most common use case for Copy-Tape is to migrate data contained on tapes from an old technology (LT06) to a new one (LTO9), since the new technology would not be able to natively read the data contained on the old tapes.

There are two steps that will enable us to achieve our goal:

  • Step 1: Creation of a tape pool afferent to the second library.
  • Step 2: Tape copy job.

Stage 1

The creation of the Media Pool (image 1), will need to be customized by setting:

    • The use of a new tape for each copy session (image 2).
    • Setting a retention that for that tape group coincides with that required by the GFS policy (image 3).

Picture 1

picture 2

Picture 3

Note3: A 4-week retention was set in Image 3, which addresses the need to keep the full weekly for 1 month.

Note4: Image 4 highlights the possibility of implementing a Vault policy for tape storage.

Picture 4

PHASE 2

From the VBR GUI by selecting the tape to be copied with the right mouse button (image 5), the copy command can be initiated.

Picture 5

The simple next steps shown by images 6,7,8 and 9 show how to complete the copying operation.

Picture 6

Picture 7

Image 8

Image 9

Latest notes:

  • Documentation to refer to in order to know how many resources it is essential to allocate to the various components is available at the following link.
  • Automation of copying can be done through scripts in powershell.
  • Copy to Tape does not consume capacitive licensing but refer to the following link, Capacity Licensing item to know all the details.

Veeam Backup for Salesforce – OS update

My lab has an Ubuntu 22.04.4 LTS server on which Veeam’s Salesforce environment protection software (Veeam Backup for Salesforce) is installed.

During the monthly operation of updating the operating system, some errors appeared that did not allow me to complete the operation.

The ‘output of the “sudo apt update” command, showed three errors highlighted in image 1 with the blue, green, and red arrows.

Picture 1

1. The first, (blue arrow) indicated that the digital signature linked to the Veeam repository (“https://repository.veeam.com/apt stable/amd64/ In Release”) was no longer valid.

2. The second (green arrow) indicated that the digital signature had also expired for the Ubuntu-security site (“http://security.ubuntu.com/ubuntu bionic-security InRelease”).

3. The third error (actually a warning, red arrow), indicated that the key management methodology named“apt-key” is deprecated recommending the ‘use of a more secure method named “trusted.gpg.d”.

Browsing the Internet, I found the solutions that met my needs:

1. The KB2654 on the Veeam website shows how to import a new key. The only real caution is to run the command as the root user (see image 2).

picture 2

2. As shown in ‘image 3, simply request a key update by entering the required identifier at the end of the command in the output of image 1 (green arrow).

image 3

Note 1: apt-key is a comado used to manage a gpg key fob for secure apt. The keychain is stored in the file ‘/etc/apt/trusted.gpg’ (not to be confused with the related but not very interesting /etc/apt/trustdb.gpg). The command apt-key can display the keys in the keyring and add or remove keys.

3. The last line of image 4 shows the command that addresses the security warning. It involves copying the keychain (trusted.gpg) inside the trusted.gpg.d folder.

Picture 4

In the article“Handeling the apt-key deprecation” you will find all the details that illustrate the security benefits of the new approach.

Note 2: Veeam Backup for Salesforce has its own mechanism for checking for new product versions and updates.

The same mechanism later allows the necessary software packages to be downloaded and installed.

I remember that these are product updates, not operating system updates.

Enterprise Manager – Delegation of Restores

An article devoted to how you can delegate restores with Veeam Backup & Replication (VBR).

The case study is related to the protection of files in shared folders, but can be extended to many of the objects protected with VBR. (see image 7)

  1. Image 1 shows the three shared network folders (SHARE-A, SHARE-B, SHARE-C) that are used as the source of the files to be protected.

share-sourcePicture 1

In the scenario, it is assumed that for each individual shared folder, only a specific user can proceed with the recovery tasks.

  1. Image 2 highlights the creation of three Domain users, ShareA, ShareB, ShareC.

users-ADpicture 2

Files pertaining to a specific shared folder will be restorable by the user with the identical ending letter in the name. For example, files pertaining to SHARE-A will be restorable by the ShareA user.

(
Editor’s note: For simplicity of exposition, the letter X will replace one of the three letters of the alphabet A-B-C)

  1. A Backup job named “BkF-Share-X” was created for each shared folder.

Image 3 shows that the “BKF-Share-A” job (orange arrow) protects the entire SHARE-A (Blue arrow).

Picture 3

  1. Image 4 highlights the “configuration” menu from the Enterprise Manager.

Administration credentials are required at this configuration stage.

Picture 4

  1. From the submenu
    role
    (image 5 – orange arrow) the three previously created users (ShareX) are added (green arrow) and assigned the role of Restore Operator (blue arrow).

rolePicture 5

  1. Image 6 shows the delegation options.

The ShareA user (green arrow) is assigned the ability to restore all VBR-protected objects via the “Choose” button (orange arrow); in the restore options, only in-place restoration can be allowed (blue arrow).

The next images (7-8) show how to make the choice of objects to be displayed during the restoration delegation operations.

role-1Picture 6

scopeimage 7

role-2Image 8

  1. Image 9 illustrates and confirms that when logged in from the Enterprise Manager with ShareX user credentials (Blue arrow), only files in the corresponding shared folder (orange arrow) are visible and restorable.

ProxyImage 9

Final Note:

XFS – Resize the immutable file system

In the Veeam Backup & Replication environment, it may be necessary to expand the allocated space of a Linux repository.

In my environment, there is an Ubuntu 22.04 server to which a second disk(dev/sdb) was added, formatted as xfs, and made available as mount point /mnt/backup/ .

The server is used in hardened repository mode (immutability)
(https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=120).

Let’s look at the simple procedure:

  • The packages to install are cloud-guest-utils and gdisk:
    “sudo apt -y install cloud-guest-utils gdisk”
  • To find out the structure of the file system use the command:
    “sudo lsblk”

      • The result shows the sizing, and mount point of Ubuntu server file system:
        NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
        sda 8:0 0 16G 0 disk
        ├─sda1 8:1 0 1M 0 part
        ├─sda2 8:2 0 1.8G 0 part /boot
        └─sda3 8:3 0 14.2G 0 part
        └─ubuntu–vg-ubuntu–lv 253:0 0 10G 0 lvm /
        sdb 8:16 0 100G 0 disk. └─sdb1 8:17 0 80G 0 part /mnt/backup
        sr0 11:0 1 1024M 0 rom
  • To find out if the file system has additional space to allocate:
    “sudo growpart /dev/sdb 1”

    • The result shows the item changed
      CHANGED: partition=1 start=2048 old: size=167770079 end=167772126 new: size=209713119 end=209715166
  • The final command that widens the file system is: sudo “xfs_growfs /mnt/backup/”
  • Check the result through the command already seen: sudo lsblk”

Veeam Disaster Recovery Orchestrator – Creating the plan

We have arrived at the latest article on Veeam Disaster Recovery Orchestrator version 5.

In this last part, we will concentrate on the efforts made previously and available on this site, to implement the Disaster Recovery Orchestration plan.

After logging in, the dashboard illustrates the status of the completed plans (image 1).

Picture 1

Note that, unlike the previous VDrO version, it is possible to filter planes based on “scopes” (image 2).

picture 2

A second and very useful novelty of version 5 is the presence of the inventory items (image 3), where the VM Groups are reported.

This option immediately verifies that in the chosen “scope” there is the group of VMs that will implement the DR plan.

Picture 3

Image 4 shows the details of the Orchestration plans already created.

Picture 4

Let’s see now how to create a plan:

From the manage, menu selects the New item (image 5).

Picture 5

And continuing with the wizard, we enter a name (image 6), the scope (image 7), and the type of floor (image 8).

Picture 6

Picture 7

Image 8

After adding the VM group to be orchestrated (image 9, 10 and 11)

Image 9

Image 10

Image 11

It is possible to customize the Recovery options, (for example whether to process the VMs in parallel or sequential mode) (image 12).

Image 12

Now I add the steps necessary for the realization of the plan (in the example the shutdown of the production VM was added as the first activity of the plan) (see images 13, 14, 15, and 16).

Image 13

Image 14

Image 15

Image 16

The wizard ends with:

  • The option to backup the VMs that were started during the DR plan (image 17)
  • The RTPO values that must be respected for the plan to be executed (image 18)
  • The choice of the language of the template to be used (image 19)
  • The time at which the reports will be automatically generated (image 20)
  • Whether to immediately create the readiness report (which verifies all components of the plan) (image 21)

image 17

image 18

image 19

image 20

image 21

Now you can test and start your orchestration plans later