XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Feedback on immutability

    Scheduled Pinned Locked Moved Backup
    56 Posts 10 Posters 15.7k Views 12 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      rtjdamen @florent
      last edited by

      @florent thanks for the feedback, so if i understand correct, currenlty there can only be one retention be used, if u use a retention of 14 days and 30 days mixed, u can only set immutablity for 13 days, otherwise you would run into issues with merge?

      maybe this is something we can think a better solution for in future versions. we will implement your comments into the script and test it on our lab. If it's working we will share the code.

      1 Reply Last reply Reply Quote 0
      • R Offline
        rtjdamen @florent
        last edited by

        @florent Goodmorning,

        We have prepared the script here https://github.com/Virtual-Computing-bv/Xen-Orchestra-Immutability-SYNOLOGY

        Would it be possible for you to do a check on this script to see if u have any comments?

        1 Reply Last reply Reply Quote 0
        • R Offline
          rtjdamen
          last edited by

          We are further testing with immutability and have encountered a question that came to mind. Suppose you run a 14-day backup, merging your oldest delta into the full backup every day. If you're doing forever incremental, the oldest file will keep being modified. This means that either this file becomes immutable for another 14 days after each merge, or it remains editable after 14 days, rendering immutability ineffective. How do you handle this in your setup?

          florentF 1 Reply Last reply Reply Quote 0
          • florentF Offline
            florent Vates 🪐 XO Team @rtjdamen
            last edited by

            @rtjdamen for the immutability to be useful, the full chain must be immutable and must never be out of immutability

            the merge process can't lift/ put back the immutability , and increasing synchronization between process will extend the attack surface.

            immutability duration must be longer than or equal to 2 time the full backup interval -1
            the retention must be strictly longer than the immutability .

            for example, if you have a full backup interval of 7 a retention of 14 and immutability duration of 13 , key backup are K, delta are D. Immutable backup are in bold . unprotected chain are striked

            KDDDDDDKDDDDDD worst case, only one full chain protected
            KDDDDDKDDDDDDK
            KDDDDKDDDDDDKD
            KDDDKDDDDDDKDD
            KDDKDDDDDDKDDD
            KDKDDDDDDKDDDD
            KKDDDDDDKDDDDD best case almost 2 full chain protected

            R A 2 Replies Last reply Reply Quote 1
            • R Offline
              rtjdamen @florent
              last edited by

              @florent so this does mean it will never work when a forever incremental is used?

              florentF 1 Reply Last reply Reply Quote 0
              • florentF Offline
                florent Vates 🪐 XO Team @rtjdamen
                last edited by

                @rtjdamen said in Feedback on immutability:

                @florent so this does mean it will never work when a forever incremental is used?

                you can't have a immutable forever backup without having a infinite length, and an infinite

                It may be possible only if we release the constraints.
                The immutable script could release the immutability , merge the disks, but that means : the immutability will be lifted from time to time, and the responsibilities of the immutability script will be greater, and we'll need a way to track the vhd to merge and transmit the information to the immutability script

                1 Reply Last reply Reply Quote 0
                • A Offline
                  afk @florent
                  last edited by

                  @florent said in Feedback on immutability:

                  @rtjdamen for the immutability to be useful, the full chain must be immutable and must never be out of immutability

                  the merge process can't lift/ put back the immutability , and increasing synchronization between process will extend the attack surface.

                  immutability duration must be longer than or equal to 2 time the full backup interval -1
                  the retention must be strictly longer than the immutability .

                  for example, if you have a full backup interval of 7 a retention of 14 and immutability duration of 13 , key backup are K, delta are D. Immutable backup are in bold . unprotected chain are striked

                  KDDDDDDKDDDDDD worst case, only one full chain protected
                  KDDDDDKDDDDDDK
                  KDDDDKDDDDDDKD
                  KDDDKDDDDDDKDD
                  KDDKDDDDDDKDDD
                  KDKDDDDDDKDDDD
                  KKDDDDDDKDDDDD best case almost 2 full chain protected

                  I have not tried backups in XO yet but I'm really looking forward to test the immutability as we have it configured on all veeam backups at work.

                  Just to be sure, the XO immutability "agent" only does its immutability check by date right ?
                  Would it be possible to consider the entire backup chain related to the oldest immutable restore point instead ? This would prevent misconfigurations from the user that result in insecure backup chains.

                  florentF 1 Reply Last reply Reply Quote 0
                  • florentF Offline
                    florent Vates 🪐 XO Team @afk
                    last edited by

                    @afk the agent is as dumb as possible

                    also if you encrypt the backup, the agent will need to decrypt the metadata to detect the chains, thus having access to the encryption key, which need getting the encryption key out of XO and transferred to the immutability agent

                    I think it will be easier to provide more feedback on the immutabiltiy backup, XO has access to the chain , and / or alert when something seems to be strange

                    1 Reply Last reply Reply Quote 0
                    • V Offline
                      vkeven
                      last edited by vkeven

                      Where is the doc for these ? edit ok right here https://github.com/vatesfr/xen-orchestra/tree/master/%40xen-orchestra/immutable-backups , with V**m there is an option for immutability when you add the S3 bucket directly so its look like its only a flag sent at bucket creation and using the versionning/compliance feature

                      florentF 1 Reply Last reply Reply Quote 1
                      • florentF Offline
                        florent Vates 🪐 XO Team @vkeven
                        last edited by

                        @vkeven we don't have ( for now) the feature to create bucket directly from XO. Also I think it is more secure if XO don't know at all the credits of the bucket admin

                        1 Reply Last reply Reply Quote 0
                        • olivierlambertO Offline
                          olivierlambert Vates 🪐 Co-Founder CEO
                          last edited by

                          Indeed, because if XO is compromised, then it could disable immutability.

                          V 1 Reply Last reply Reply Quote 0
                          • V Offline
                            vkeven @olivierlambert
                            last edited by

                            @olivierlambert We tried adding compliance( prevent any file manipulation for X period) directly into bucket but XOA could not do his backup job correctly and the logs are full of access denied probably because of file merging or manipulation refused , so how we should do this ?

                            R 1 Reply Last reply Reply Quote 0
                            • R Offline
                              rtjdamen @vkeven
                              last edited by

                              @vkeven same problem here, we decided not to proceed with this as it would never work with an incremental delta without doing a full every few weeks. We are going to handle this with s3 and synology internal features.

                              1 Reply Last reply Reply Quote 0
                              • olivierlambertO Offline
                                olivierlambert Vates 🪐 Co-Founder CEO
                                last edited by

                                Thanks for your feedback, we'll discuss internally if there's any other possible approach (and I'm not sure).

                                R 1 Reply Last reply Reply Quote 0
                                • V Offline
                                  vkeven
                                  last edited by

                                  So what is the deal with these guy ?

                                  1 Reply Last reply Reply Quote 0
                                  • olivierlambertO olivierlambert referenced this topic on
                                  • R Offline
                                    redneckitguy @olivierlambert
                                    last edited by

                                    @olivierlambert
                                    Any updates on this? We're using Backblaze buckets with compliance turned on at the bucket level, but we keep getting failures once the retention period expires and it starts to remove the old backup chains.

                                    We tried setting 28 days of retention at the bucket level, 42 in XenOrchestra, and are running a full backup every 2 weeks. I have a ticket open with support but so far a resolution hasn't been found.

                                    1 Reply Last reply Reply Quote 0
                                    • olivierlambertO Offline
                                      olivierlambert Vates 🪐 Co-Founder CEO
                                      last edited by

                                      In theory that should work 🤔 Ping @florent

                                      R 1 Reply Last reply Reply Quote 0
                                      • R Offline
                                        redneckitguy @olivierlambert
                                        last edited by redneckitguy

                                        @olivierlambert
                                        So it looks like the issue is not related to object lock or immutability but rather Backblaze not handling the merge requests very well. Not sure why this isn't impacting the other backup job without object lock, but anyways.... guess we're in the market for a different storage provider.

                                        1 Reply Last reply Reply Quote 1
                                        • olivierlambertO Offline
                                          olivierlambert Vates 🪐 Co-Founder CEO
                                          last edited by

                                          Sadly, Backblaze is often having issues on S3 (timeout, not reliable etc). We are updating our doc to give a "tiering" support.

                                          1 Reply Last reply Reply Quote 1
                                          • First post
                                            Last post