#Snaplock s3 buckets workflow question.


serene plinth
#

Hello folks,

"Beginning with 9.14.1, object locking is supported on S3 buckets."

There is no real workflow for how to do this.
**The purpose of the POC is to have a bucket that is mirrored (continuous protection that is async 1h snapmirror obj replication) and the target is snaplocked for 2 days.**

From what i understand :

  1. enable snaplock compliance clock on nodes source/target
  2. create a management lif for the SVM where the s3 target bucket is and assign to a user the vsadmin-snaplock rights.
  3. create a snaplock policy with this user (i created 2 of them, for one day and 2 days).
  4. create s3 snapmirror.

```
sm2-ca004-s3-01-DR::snaplock event-retention policy> show
Vserver            Name    Retention Period
sm2-ca004-s3-01-DR 24hours 24 hours
sm2-ca004-s3-01-DR 48hours 2 days
2 entries were displayed.

sm2-ca004-s3-01-DR::snaplock event-retention policy>
```
On the target i have the snapmirror session:

```
CL2-FAS8200-HA-01::> snapmirror show
                                                                       Progress
Source            Destination Mirror  Relationship   Total             Last
Path        Type  Path        State   Status         Progress  Healthy Updated
sm2-ca004-s3-01:/bucket/test
            XDP  sm2-ca004-s3-01-DR:/bucket/test-dest
                              Snapmirrored
```

how do i lock the target bucket ? what is a clear workflow ? the documentation does not show this ...

https://docs.netapp.com/us-en/ontap/s3-snapmirror/create-remote-mirror-existing-bucket-task.html
https://docs.netapp.com/us-en/ontap/s3-config/create-bucket-task.html#configure-additional-permissions-and-restrictions

PS: i have ONTAP One on source FAS8200 and on target C250 clusters.

dawn fiber
#

I don't think this is how object locking is supposed to work. It is different from SnapMirror. With S3, it is the application that requests objects to be locked, through an http header. So if the application does not do that, your objects are not locked, not on primary and not on secondary. I am not sure you can do what you want to do without writing a custom script/application to do the copying and locking for you. At least I have not found a way to do that (yet)

serene plinth
#

The problem is that the mechanics of it are not clear; for ex Veeam can lock files in buckets with or without worm / snaplock enabled on a bucket but this does not protect the bucket from deletion ... Continuous bucket protection does snapmirror with a specific RPO - default is 1h copy (a bucket is basically a container on a flexgroup volume that is hidden .. shows up in CLI, in GUI is not there for some unknown reason/decision);

#

what i want to do is to have a copy that has its content immutable for 1-2 days. Maybe a Veeam backup with immutability and a protection of it on a 2nd system via S3 protection should do the trick: --- reference: https://community.veeam.com/discussion-boards-66/ontap-9-14-1-now-supported-with-veeam-data-platform-12-1-6635

serene plinth
#

This is the guidance (it is in german but chrome page translate works just fine): https://tecblog.au.de/ontap-9-14-1p1-veeam-s3-backup-mit-object-lock/

Backup to object storage is on everyone's lips and of course does not stop at NetApp's ONTAP either! Since ONTAP 9.12.1 the S3 API has been complete enough that external backup programs such as Veeam & CommVault are compatible with it. ONTAP 9.12.1 has already been approved in the Veeam Ready program. But the most important feature in the context of backup and...

#

restore for S3 protect seems to be only from CLI ; i set RPO to 24h .

#

in gui there is no restore for this S3 bucket protection .

#

not at 9.14.1p7 level that is

#

according to the German article you just enable Snaplock compliance clock ( have the license ofc / or ontap one that includes this ) . ; retention lock is done on Veeam level ( so app level ) and to protect the bucket if the primary storage fails just protect the bucket ( the name of continuous protection is misleading it is async at 1h and you have to modify it so the RPO is larger ... less granular ) .

placid laurel
#

Hi Alex V, we know that article, it's from our colleague 😉
But I don't understand your issue. If you have configured it like in the article your objects already have an object lock retention set by Veeam. You should not be able to delete these objects. Or better: You can delete them for example via S3 Browser, but they should still be there since versioning is activated. The objects still have the retention time.
Veeam should also be able to restore since it checks the versions.

dawn fiber
#

I understood it as using no object locking on the primary storage and only locking the copy (similar to LockVault, just with an S3 bucket). But maybe I misunderstood the setup

serene plinth
#

so the user had a FAS8200 that was used as datastore for veeam

#

after that they changed the requirement ; now they want lock and 2nd copy ... added snaplock license and now i have a 2nd copy on a C250

#

the idea was i did not exactly the workflow of how the lock is set

#

the lock is set on the software not on netapp side .

#

so the solution is do normal veeam backup with a specific retention set in veeam and s3 protect on c250

#

and i dont do locking on netapp side

#

from the normal netapp doc it is not clear 🙂 from the document posted above i can see locking is on the managing software / veeam or whatever

#

and i modified the 1h so called continuous protection to 24h

#

to match the requirement

placid laurel
#

Still don't understand sorry.
And just noticed this cmd in your first post: snaplock event-retention policy show

Don't use this on your volumes which provide the S3 buckets. This is for something completely different (Event Based Retention (EBR)) and can't be used with ONTAP S3 and object locking.

https://docs.netapp.com/us-en/ontap/snaplock/set-retention-period-task.html#set-the-file-retention-period-after-an-event

serene plinth
#

yes the idea is when i started i did not understand the workflow on where and who is setting the lock

#

on a normal snaplock volume the WORM trigger is set on netapp not on a 3rd party app

#

a bucket with lockable objects is a bit different ...

placid laurel
serene plinth
#

yes this is to protect the bucket in case of failure of the FAS

#

the lock is not yet set but it will be from veeam

#

right now i do bucket mirror since i just understood the workflow

#

and i have to speak with veeam admin at client side

placid laurel
#

So you have ONTAP S3 running on your FAS8200 which provides a S3 bucket. Veeam writes its backup to this bucket together with object lock activated on Veeam side.
Now you want to protect this S3 bucket by replicating it via SnapMirror S3 to the C250.

#

Is this correct?

serene plinth
#

yes 🙂

placid laurel
#

Oke, now I understand

#

but what's the question? 😅

serene plinth
#

i did not know how to set the lock ... as snaplock i thought it is from netapp side

#

it is not ... it is from app side

#

the question was related of how to do the task and i got it wrong since i thought i should do it ( the lock ) from netapps side .

#

but i found the article that shows how to do it and it is clear the lock is from app side

#

if the doc had like a diagram or a workflow ... they used to have them

placid laurel
#

Never replicated a bucket which has object lock enabled but I guess it should work as designed.
I would do the following:

  1. make sure Compliance clock is enabled on your C250
  2. create the object-store-server and the bucket (make sure you add this: -retention-mode compliance -versioning-state enabled -default-retention-period none) and then start the replication according to this guide: https://docs.netapp.com/us-en/ontap/s3-snapmirror/create-remote-mirror-new-bucket-task.html

I'm not 100% sure but in my opinion SnapMirror S3 will simply replicate all the objects including all the metadata, so it should retain the existing retention time if it's set on an object. So ONTAP S3 on your C250 should also have these objects locked.

#

But I've never tried this (replicating locked objects via SnapMirror S3), unsure if it's possible or even supported.

#

Maybe it's better to simply backup your data directly to both clusters. So add two Object Storage Repositories in Veeam (one on your FAS8200 and one on your C250) and backup your data to both. Like a fan-out configuration.

serene plinth
#

the idea is i have requirements from the customer, i did not choose this config since i dont have experience with s3 on veeam with locking or s3 bucket mirroring.

#

the only mirrors i did before on s3 were the one from fabric pool when you want to decom the bucket and move it to another and promote target after they are 100% in sync

#

about backing up locked buckets

#

Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.

#

they say this is supported to protect s3 buckets with lock on .

placid laurel
#

hey, nice find, I've only checked under CLI, but under System Manager it's actually mentioned: https://docs.netapp.com/us-en/ontap/s3-snapmirror/create-remote-mirror-new-bucket-task.html

Beginning with ONTAP 9.14.1, you can back up locked S3 buckets and restore them as required.
When defining the protection settings for a new or existing bucket, you can enable object locking on destination buckets, provided that the source and destination clusters run ONTAP 9.14.1 or later, and that object locking is enabled on the source bucket. The object locking mode and lock retention tenure of the source bucket become applicable for the replicated objects on the destination bucket. You can also define a different lock retention period for the destination bucket in the Destination Settings section. This retention period is also applied to any non-locked objects replicated from the source bucket and S3 interfaces.
For information about how to enable object locking on a bucket, see Create a bucket.