Today, personal data protection is no longer a conversation that lives only in the legal department. With the effective date of Chile Law 21.719 set for December 1, 2026, IT areas become a critical actor in compliance, and backup, recovery, and incident response plans become auditable evidence in front of the new Personal Data Protection Agency. Fines can reach UTM 20,000 or 4% of annual revenue from sales and services in Chile (around USD 1.2 million at the UTM cap, and up to three times that amount for repeat offenses), forcing us to translate each principle of the law into a concrete technical control, not into a declaration of good intentions.

From law to technical control to stack: each principle maps to a concrete component.

Important note: This post is a technical interpretation from a Solutions Architect Nerd perspective, not legal advice. The definitive legal analysis for any organization must be performed together with its legal team and, when applicable, with external counsel specialized in personal data protection.

## Introduction

In Chile, the old Law 19.628 on protection of private life remained for more than two decades without a real supervisory authority, without effective sanctions, and without clearly defined technical obligations for organizations processing personal data. That changes profoundly with the enactment of Law 21.719, published on December 13, 2024, with full effect from December 1, 2026.

The new law brings Chile to the European GDPR standard in terms of data subject rights, controller obligations, sanctions, and, above all, the creation of a Personal Data Protection Agency with real supervisory and sanctioning powers.
For IT teams, this means that technical controls over personal data become subject to external audit, and that the documentation supporting each control becomes evidence that can be requested during a supervisory process.

In this context, the Veeam Platform is a key component to implement and evidence several of the principles established by the law, particularly those related to confidentiality, integrity, and availability of personal data. In this post, we will see how each principle maps to specific capabilities of Veeam Backup & Replication, Veeam ONE, and the rest of the stack, with the goal of delivering an auditable matrix that you can take directly to your organization's documentation management system.

## What changes with Law 21.719 versus Law 19.628

Before going down to technical controls, it is important to understand what is actually new. The difference between the two legal frameworks is not a matter of wording; it is a paradigm shift.

### Creation of the Personal Data Protection Agency

The Agency is the new autonomous body in charge of supervising compliance with the law, receiving complaints, instructing sanctioning procedures, and issuing general and specific guidelines. Unlike the previous model, where the data subject had to resort to civil courts to enforce their rights, there is now a specialized administrative path and, most relevant for IT, a technical authority that can request documentary evidence of implemented security measures.

### Graduated sanctions with real deterrent effect

Sanctions are classified into three levels, with a floor of 1 UTM and the caps detailed below (reference: UTM ~$69,611 CLP as of February 2026, equivalent to roughly USD 72):

- Minor infringements (Art. 34 bis): up to UTM 5,000, approximately $348 million Chilean pesos (~USD 305K).
- Serious infringements (Art. 34 ter): up to UTM 10,000, or alternatively up to 2% of annual revenue from sales and services in Chile for companies that do not qualify as SMEs (whichever results higher). The UTM cap equates to approximately $696 million CLP (~USD 610K).
- Very serious infringements (Art. 34 quáter): up to UTM 20,000, or alternatively up to 4% of annual revenue from sales and services in Chile for companies that do not qualify as SMEs (whichever results higher). The UTM cap equates to approximately $1,392 million CLP (~USD 1.2 million), plus the possibility of suspending processing operations.
- Repeat offenses: fines can be tripled when serious or very serious infringements recur, reaching up to UTM 60,000 (~USD 3.6 million).
- Special regime for SMEs (adaptation period): during the first year of full effect of the law (December 1, 2026 to December 1, 2027), small and medium enterprises are only subject to a written warning for their infringements, not to fines. This is a meaningful adaptation margin for the Chilean SME segment, but it does not exempt them from the prior implementation work: the Agency will start documenting non-compliance from day one, and at the end of the grace period those records become part of the company's history.

The omission of reasonable security measures, international transfer without adequate guarantees, and failure to notify a breach in time all fall within the range of serious or very serious infringement.

### Data Protection Officer (DPO) obligation

Organizations that perform massive personal data processing or habitual processing of sensitive data must designate a Data Protection Officer.
While the role is typically led by the legal or compliance area, the DPO requires permanent technical support from IT to validate that the controls declared in the Record of Processing Activities (ROPA) match operational reality.

### Data Protection Impact Assessments (DPIA) for high-risk processing

Before starting a processing activity that may generate high risk to data subject rights, for example automated decisions, profiling, large-scale processing of sensitive data, or wide-scale video surveillance, the organization must perform an Impact Assessment. This point has a direct technical implication: any new backup or replication architecture involving sensitive data or international transfer must go through a documented DPIA before implementation.

### Mandatory 72-hour breach notification

Art. 14 sexies states that when a security breach affecting personal data is detected, the controller must notify the Agency within a maximum of 72 hours from knowledge of the breach and, depending on severity, the affected data subjects as well. This is the point that generates the most technical pressure, because it forces organizations to have real detection, containment, and communication capabilities within a very tight timeframe.

## How it compares with GDPR: what is already in place and what needs adjustment

For organizations already operating under GDPR, typically because they have subsidiaries in Europe, European clients, or because they voluntarily adopted the standard, the good news is that most of the technical work is already done. Law 21.719 takes the GDPR model as reference and replicates almost all of its principles, rights, and obligations. What changes is the detail, the jurisdiction, and in some cases the deadlines.

### What stays almost identical

- Processing principles: lawfulness, fairness, transparency, specific purpose, minimization, accuracy, storage limitation, integrity and confidentiality, and demonstrable accountability.
The seven principles match one to one.
- Data subject rights: access, rectification, erasure (right to be forgotten), objection, portability, and restriction of processing. They remain essentially unchanged.
- DPIA and DPO for high-risk processing and for organizations that process massive or sensitive data.
- 72-hour breach notification from knowledge of the event.
- International transfer mechanisms: standard clauses, BCRs, countries with an adequate level, data subject consent in specific cases.
- Controller and processor regime with established minimum contractual obligations.

### Relevant differences we do need to adjust

- Sanction amounts: GDPR reaches up to 4% of global annual turnover or EUR 20 million (whichever is greater). Law 21.719 reaches up to UTM 20,000 (~USD 1.2 million) or 4% of annual revenue from sales and services in Chile (whichever is greater for non-SME companies), with tripling for repeat offenses up to UTM 60,000. The structure is very similar to the GDPR scheme, with the difference that the Chilean revenue calculation is limited to operations in Chile, not global.
- Territorial application: GDPR has extraterritorial application; it applies to any organization processing data of EU residents regardless of where it is established. Law 21.719 has a more limited scope, covering processing that occurs in Chile or that affects Chilean residents, without the same automatic extraterritorial extension.
- Jurisprudence and official guidance: GDPR has several years of European jurisprudence, decisions from national authorities, and most importantly, European Data Protection Board (EDPB) guidance that clarifies grey areas.
Law 21.719 will start with initial Agency guidance, but interpretation will be built up over the first years of application.
- Sensitive data: both laws consider special categories (health, biometric, ethnic origin, political opinions, etc.), but the specific definitions have nuances, particularly in processing by State bodies and the applicable exceptions.
- Public sector regime: Law 21.719 establishes a specific regime for State bodies, with nuances in consent, purposes, and lawful bases that differ from the GDPR model.

### Practical implication for IT

If your organization already complies with GDPR, the technical stack controls (encryption with KMS, immutability, RBAC, justified retention, breach response runbook, ROPA) are reused almost entirely. What changes is the documentation, the contracts with cloud providers, and the regulatory interlocutor. The auditable matrix delivered to the Chilean Agency can be built from documentation that already exists for GDPR, adjusting the regulatory references and addressing it to the new authority. In practical terms, the Veeam stack that complies with GDPR complies with Law 21.719, and the remaining effort is more legal-administrative than technical.

## Why backups stop being an operational topic and become a legal topic

There is an installed idea in many organizations that backup is purely an operational topic, owned by the infrastructure area, and that its role before the regulator is secondary. With Law 21.719 this stops being true.

The principle of integrity and confidentiality established in Art. 3 of the law, together with the duty of security in the following articles, requires us to protect personal data against unauthorized loss, alteration, or destruction, whether accidental or intentional. A well-documented backup and recovery strategy stops being a best practice and becomes evidence of compliance.
The absence of reasonable measures in this area can be interpreted as a serious or very serious infringement by omission, especially if, as a result of a ransomware incident, hardware failure, or human error, there is loss of personal data that was reasonably preventable.

Additionally, when facing a breach or an incident, the ability to recover data from a point in time prior to the event is the difference between reporting to the Agency "the data was lost" and "the data was recovered without loss". The Veeam Platform, with its capabilities for immutability, granular recovery, and automated verification, is the technical response to these scenarios, maintaining the integrity and availability of the protected data.

## Confidentiality: end-to-end encryption with Veeam and external KMS

The first principle we must attack technically is confidentiality. The law requires that personal data be protected against unauthorized access, both in transit and at rest, including all backup copies.

### Encryption in backup jobs

Veeam Backup & Replication allows enabling AES-256 encryption at the job level, which means data is encrypted from the moment of backup and remains encrypted in the destination repository, including replicated copies to remote sites or capacity tiers in object storage. It is important to note that encryption must be enabled at the job level, not only at the repository, because repository encryption (when available) only protects against storage access, while job encryption additionally protects data in transit and the data that travels to secondary copies.

### Integration with external KMS

One of the practices that most differentiates solid compliance from superficial compliance is the separation of responsibilities in key management.
If the encryption key lives on the same Veeam Backup Server that runs the backup, then the backup operator has indirect access to data in cleartext, which violates the least privilege principle.

The solution is to integrate Veeam with an external Key Management Service. Options include:

- HashiCorp Vault: the option for Kubernetes environments protected with Veeam Kasten. Vault manages encryption keys and secrets for K8s applications covered by the backup, integrating natively with Kasten for the complete cycle of backup, recovery, and cross-cluster replication.
- AWS KMS: when the primary or secondary repository resides in AWS, it is the natural option. Supports CMK with granular IAM policies.
- Azure Key Vault: analogous to the above, for Azure environments. Allows Hardware Security Module (HSM) protection in the Premium tier.
- Google Cloud KMS: for GCP environments, with CMEK support and project separation.
- KMIP (Key Management Interoperability Protocol): OASIS standard natively supported by Veeam Backup & Replication. Allows integration with any compatible enterprise KMS (Thales CipherTrust, Entrust KeyControl, Fortanix DSM, IBM Security Guardium, among others) without being tied to a specific cloud vendor. It is the natural option when the organization already has its own corporate key management solution and prefers to remain cloud-agnostic, or when sovereignty requirements demand that the key never leave the customer's infrastructure.

What this integration does is move the key outside the Backup Server, so that decrypting a backup requires authorization from both the Veeam operator and the key custodian in the KMS, with independent audit logs. In other words, no single role has the ability to exfiltrate personal data in cleartext.

### Auditable evidence we deliver

Facing a supervisory process, the documents that support this control are:

- Export of the job configuration showing that AES-256 encryption is enabled.
- Capture of the KMS audit log showing key usage events (encrypt, decrypt, rotate).
- Documented procedure for periodic key rotation, with frequency justified by the organization's risk analysis.
- Documented procedure for key revocation in case of compromise, with target times (a specific RTO for revocation).

## Integrity: Hardened Repository and real immutability, not the marketing kind

The second principle we must address is integrity. Here enters the most strategic component of any modern backup architecture: immutability.

### Object Lock in Compliance versus Governance mode

When we talk about immutability over object storage (S3, Azure Blob with Immutable Policies, Google Cloud Storage Bucket Lock), there are two possible modes:

- Governance mode: the object cannot be deleted, but a user with specific elevated privileges (typically with the "BypassGovernanceRetention" permission or equivalent) can remove the lock and delete the data.
- Compliance mode: the object cannot be deleted by anyone until the configured retention expires. Not even the root user of the cloud account can bypass this lock.

The difference between the two modes is not an implementation detail; it is the difference between your immutability being valid before the law or not. Under the principle of integrity and confidentiality of Art. 3 of Law 21.719 and the obligation to adopt reasonable security measures to prevent unauthorized alteration or destruction of data, only Compliance mode is defensible as a sufficient technical measure, because only Compliance mode guarantees that neither an attacker who compromises privileged credentials, nor an insider with administrative access, can delete the backup copies within the declared retention period.

### Linux Hardened Repository on-premise

For on-premise backups, Veeam offers the possibility of configuring a Linux Hardened Repository.
This architecture combines several controls:

- Immutable filesystem flag: backup files are marked with `chattr +i`, which prevents their modification or deletion at the filesystem level until the immutability period expires.
- Single-use credentials: the Backup Server authenticates to the repository only once to write the backup, and afterwards does not store the SSH credentials. This means that if the Backup Server is compromised, the repository credentials are not available to the attacker.
- Repository outside the Active Directory domain: the server acting as Hardened Repository must not be joined to the production AD domain, because that would expose it to lateral movement based on domain credential compromise.

### Backup Server isolation

In addition to the Hardened Repository, the Veeam Backup Server itself must be isolated from the main AD domain, ideally in a dedicated domain or workgroup, with mandatory MFA on the console and granular RBAC so that no operator has simultaneous access to production and to the backup console.

### Auditable evidence we deliver

- Repository configuration showing that immutability is enabled in Compliance mode.
- Veeam ONE report confirming the percentage of jobs with an immutable destination.
- Architecture documentation showing the network and identity isolation of the Backup Server and the Hardened Repository.
- Periodic failed deletion attempt test, with timestamp, as proof that the lock works.

## Availability: the 3-2-1-1-0 rule translated into auditable evidence

The third principle is availability. Here, the 3-2-1-1-0 rule that the industry has adopted translates directly into a compliance matrix:

- 3 copies of the data.
- 2 different media.
- 1 offsite copy.
- 1 offline or immutable copy.
- 0 errors in verification.

Each copy, each medium, and each verification is documented as an annex to the Record of Processing Activities.
The difference between "we believe the backup works" and "we have monthly evidence that the backup works" is what SureBackup delivers. SureBackup performs automated and isolated verification of the backup: it starts a virtual machine from the copy, validates that the operating system boots, validates that critical services (such as SQL, Active Directory, or Oracle) respond, and generates a report with the result.

The SureBackup report, together with the monthly Veeam ONE reports on effective RPO and RTO, are the documents attached to the Record of Processing Activities as formal evidence of the availability control. What the auditor will ask for is not "show me your Backup Server"; it is "show me the twelve monthly verification reports of the last year".

## Right to be forgotten over immutable backups: the operational response with Veeam

This is the point that generates the most confusion in organizations, and it deserves a dedicated section because the superficial answer is wrong.

Art. 7 of the law establishes the data subject's right of erasure: when a person exercises their right to be forgotten over their personal data, because it is no longer necessary for the processing purpose, because consent was revoked without another legal basis, because the processing was unlawful, or by court order, the organization is obliged to delete it within a reasonable period. The problem is that backups by definition are designed not to be deleted selectively. If I have a full backup of a database from last Monday, I cannot "delete John Doe's row" without invalidating the entire backup.
And if the backups are immutable, the problem doubles.

### The primary answer: Staged Restore + minimum retention + immutability + documentation

For the vast majority of organizations that protect traditional workloads with Veeam (VMs, databases, file shares, SaaS), the combination that defensibly complies with the right of erasure under Law 21.719 is the following:

- Staged Restore, to ensure that the active production state reflects the suppression of the data subject's data. This is the effective and operational control, and where the right to be forgotten is truly fulfilled.
- Retention at the applicable legal minimum, justified in writing. Historical backups of the data subject exist, but for a limited period that is demonstrable in the Record of Processing Activities.
- Immutability over that same historical backup, demonstrating that during the retention period nobody can access or modify the data subject's data.
- An honest documentary record that explicitly recognizes: "the data subject's data was deleted from the production state on day X via Staged Restore; it persists in historical backups for N months due to legal obligation Y; upon retention expiration it will be automatically deleted; during the period no operations are performed on those backups".

This combination is the defensible response before the Agency, and is what really applies to the typical Veeam setup protecting mixed workloads.
We detail it in depth in the Staged Restore section that follows.

## Staged Restore: Veeam's operational response for the right to be forgotten

Veeam Backup & Replication offers, since version 9.5 Update 4, a functionality specifically designed for right-to-be-forgotten flows and selective deletion obligations: Staged Restore.

What Staged Restore does is the following:

- Recovery to an isolated environment: the VM or workload is restored from the immutable backup to a test or "lab" environment isolated from production, without being exposed to the corporate network.
- Execution of sanitization scripts: before the VM is published to production, Veeam executes a custom script (PowerShell, Bash, or whatever language is required) that operates on the restored data. For example: delete the records of a specific data subject from a database, delete sensitive files, anonymize fields, apply reversible or irreversible transformations.
- Publication of the sanitized state: once the script terminates successfully, the sanitized workload is published to production, replacing the previous state.
- Complete record: each Staged Restore is registered in the Veeam job log with timestamp, executed script, exit code, and duration, which serves as operational evidence before the regulator.

This flow does not modify the original backup (which remains immutable), but allows the active production version to comply with the suppression obligation without having to wait for the backup to expire by retention.

Staged Restore: recovery to lab → sanitization script → publication of cleaned state to production.

### Staged Restore use cases aligned with Law 21.719

- Right of erasure: delete the records of a data subject in production databases from a recent backup, without touching the immutable backup.
- Anonymization: apply transformations (hash, mask, generalization) before migrating data to an environment with a lower control level.
- Pre-restore cleanup after an incident: execute AV/EDR verifications, apply critical patches, or sanitize insecure configurations before the VM touches production.
- Contractual compliance with processors: ensure that information shared with a third party does not contain personal data beyond what is strictly necessary.

### Secure Restore

Along with Staged Restore, Veeam offers Secure Restore, which automatically scans the VM with an antivirus or EDR before publishing it. While its focus is on operational security (anti-ransomware, anti-malware), it also provides complementary evidence for compliance, demonstrating that each restore goes through a formal prior validation and that we are not reintroducing into production a threat that could compromise personal data.

### Limitations to keep in mind

- Staged Restore operates at the level of a complete VM. For more granular cases, for example deleting a single user from a database table without touching the rest of the workload, it is complemented with Veeam Explorer for Microsoft SQL or the corresponding Explorer, which allows recovery at the application object level.
- For data that lives in SaaS or native cloud services without a Veeam backup agent, the deletion flow must be complemented with the provider's native APIs (M365, Salesforce, etc.) and with Veeam Backup for Microsoft 365 or Veeam Backup for Salesforce, which do support granular restore and an auditable record.
- The sanitization script is the responsibility of the IT team; Veeam executes the script but does not generate the deletion logic. This means that the quality of compliance depends on how well the script is written and on its maintenance over time. I recommend versioning it in the organization's Git repository, with review and testing before each productive use.
- Staged Restore acts on the restored state, not on historical backups.
For past backups, the correct response is the combination of retention controlled to the applicable legal minimum, immutability during that period, and an honest record; there is no technical shortcut to "selectively delete from history" in traditional architectures.

### What NOT to do

- Do not promise the data subject that their data was deleted from the backup if it actually remains there. The correct statement is that the data has been deleted from the production state and is held in historical backups for the minimum legal period, identifying that period and the legal basis that justifies it.
- Do not assume that Law 21.719 requires immediate physical deletion of history. The law requires reasonable and proportional measures, not impossible ones. Controlled retention + immutability + Staged Restore + honest documentation is a defensible response.
- Do not look for technical shortcuts that promise to "selectively delete from the backup". In traditional architectures they do not exist. What exists is Staged Restore for the production state and properly managed retention so that history expires at the right time.
- Do not forget that the honesty of the record is what differentiates a defensible process from one that does not withstand supervision. The regulator tolerates an imperfect architecture documented with honesty far better than an architecture that is "ideal on paper" but does not hold up when scrutinized.

## Minimization and storage limitation period

The minimization principle requires that we only keep personal data for the time necessary to fulfill the declared processing purpose. In the context of backups, this translates into retention and GFS policies justified in writing.

GFS is not decorative. Each retention period must be supported by a legal, contractual, or operational basis.
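The sanitization script that Staged Restore executes, together with the "honest record" that ties the production erasure to the retention basis, as an added example (not from the original post and not Veeam product code). It assumes a SQLite file as a stand-in for the restored application database, an assumed schema in which every table in `SUBJECT_TABLES` keys the data subject by a `subject_id` column, a constructed retention of `RETENTION_MONTHS` on the basis in `LEGAL_BASIS`, and that the restore operator treats a non-zero exit code as a block on publication.

```python
"""Sanitization script for a Veeam Staged Restore handling a right-of-erasure request.
Added example; not part of the original post and not Veeam product code.
Constructed assumptions: SQLite stand-in for the restored database, the schema in
SUBJECT_TABLES (each keyed by `subject_id`), and the retention in RETENTION_MONTHS.
"""
import hashlib
import json
import sqlite3
import sys
from datetime import datetime, timezone

SUBJECT_TABLES = ("customers", "orders", "support_tickets")  # assumed schema
RETENTION_MONTHS = 72  # 6 years, accounting data (assumed)
LEGAL_BASIS = "tax obligation (Servicio de Impuestos Internos), as declared in the ROPA"


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the database restored to the lab environment."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(subject_id TEXT, name TEXT);
        CREATE TABLE orders(order_id INTEGER, subject_id TEXT, total REAL);
        CREATE TABLE support_tickets(ticket_id INTEGER, subject_id TEXT, body TEXT);
        INSERT INTO customers VALUES ('12.345.678-9', 'John Doe'), ('9.876.543-2', 'Jane Roe');
        INSERT INTO orders VALUES (1, '12.345.678-9', 100.0), (2, '9.876.543-2', 50.0),
                                  (3, '12.345.678-9', 25.5);
        INSERT INTO support_tickets VALUES (10, '12.345.678-9', 'x'), (11, '9.876.543-2', 'y');
    """)
    return conn


def erase_subject(conn: sqlite3.Connection, subject_id: str) -> dict:
    """Delete every row of the data subject in one transaction and verify nothing is left.
    Returns {table: rows_deleted}. A surviving row raises: the transaction is rolled
    back and the script exits non-zero, so the restored VM is not published.
    """
    deleted = {}
    with conn:  # commits on success, rolls back on exception
        for table in SUBJECT_TABLES:
            cur = conn.execute(f"DELETE FROM {table} WHERE subject_id = ?", (subject_id,))
            deleted[table] = cur.rowcount
        for table in SUBJECT_TABLES:  # post-condition checked before publication
            left = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE subject_id = ?",
                                (subject_id,)).fetchone()[0]
            if left:
                raise RuntimeError(f"{left} row(s) for the subject remain in {table}")
    return deleted


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic for the retention expiry (day clamped to 28)."""
    total = dt.month - 1 + months
    return dt.replace(year=dt.year + total // 12, month=total % 12 + 1, day=min(dt.day, 28))


def erasure_record(subject_id: str, deleted: dict, executed_at: datetime, request_ref: str) -> dict:
    """The 'honest record' for the ROPA annex, in the wording the post proposes.
    The subject identifier is kept only as a SHA-256 digest so the evidence record
    does not itself re-create the personal data it documents.
    """
    return {
        "request_ref": request_ref,
        "subject_id_sha256": hashlib.sha256(subject_id.encode()).hexdigest(),
        "production_erasure_utc": executed_at.isoformat(),
        "method": "Veeam Staged Restore + sanitization script",
        "rows_deleted": deleted,
        "historical_backups": {
            "retained_months": RETENTION_MONTHS,
            "legal_basis": LEGAL_BASIS,
            "immutable_until_utc": add_months(executed_at, RETENTION_MONTHS).isoformat(),
            "operations_during_retention": "none; automatic expiry by retention policy",
        },
    }


def run(subject_id: str, request_ref: str, conn=None) -> dict:
    """Erase the subject from the restored database and return the evidence record."""
    if conn is None:
        conn = build_sample_db()
    executed_at = datetime.now(timezone.utc)
    deleted = erase_subject(conn, subject_id)
    return erasure_record(subject_id, deleted, executed_at, request_ref)


if __name__ == "__main__":
    # Subject and DSAR reference arrive as script arguments (assumed convention).
    sid = sys.argv[1] if len(sys.argv) > 1 else "12.345.678-9"
    ref = sys.argv[2] if len(sys.argv) > 2 else "DSAR-2026-0001"
    try:
        print(json.dumps(run(sid, ref), indent=2))
    except RuntimeError as exc:
        print(f"sanitization failed: {exc}", file=sys.stderr)
        sys.exit(1)  # non-zero exit code is logged by Veeam and blocks publication
```

Keep the script under version control with the DSAR reference in the commit, so the Veeam job log (script, exit code, timestamp) and the Git history corroborate each other.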
Some typical examples:

- Accounting data and invoices: 6 years due to tax obligations from the Servicio de Impuestos Internos.
- Critical systems access logs: 1 year for internal compliance and incident traceability.
- Marketing and CRM data: the consent period granted by the data subject, typically between 1 and 3 years with a renewal option.
- Health or sensitive data: the period declared in the Record of Processing Activities, typically aligned with the applicable sectoral regulation.

Veeam allows configuring GFS policies per job with daily, weekly, monthly, and annual granularity. What is important from a compliance standpoint is that the Veeam ONE retention report matches what is declared in the ROPA, and that any deviation is documented and justified.

## 72-hour breach notification

Art. 14 sexies establishes the obligation to notify the Agency and, depending on severity, the affected data subjects. The 72-hour window counts from knowledge of the breach, not from the breach itself. This means the clock starts when someone within the organization (typically the IT team or SOC) detects the situation.
If detection takes days, the 72-hour period counts from that moment, but the detection delay can be interpreted as a monitoring control failure, constituting an additional infringement.

### Veeam capabilities for early detection

The Veeam Platform incorporates several specific capabilities to shorten detection time:

- Veeam Recon Scanner: automated analysis of backups searching for indicators of compromise, including known IOCs and anomalous behavior in the backed-up data.
- Threat Center: centralized dashboard that correlates security events detected during backups, with prioritization by severity.
- Malware Detection with entropy analysis: automated detection of anomalous encryption in files, characteristic of an ongoing ransomware event.
- Mass deletion alerts: immediate notification when atypical data deletion is detected in backups or in protected workloads.

### Runbook connected with NIST 800-61

Once the breach is detected, the response flow must be documented and rehearsed. This connects directly with what we already covered in the post on Incident Response Plan with NIST 800-61, 800-53r5, MITRE ATT&CK and Veeam, and with the perimeter detection capabilities of the post on Veeam Decoys - Early Detection.

The recommended flow is:

1. Veeam detection (Recon Scanner, Threat Center, Decoys, Malware Detection).
2. Analysis and triage of the incident by the CSIRT.
3. Containment through network isolation, credential revocation, and activation of the Hardened Repository as a clean site.
4. Eradication and recovery from the last verified immutable point.
5. Formal notification to the Agency within 72 hours, with the information required by the law (nature, categories, and approximate number of affected data subjects, probable consequences, and measures adopted).
6. Notification to affected data subjects when the breach represents a high risk to their rights.
7. Post-mortem analysis and update of the response plan.
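What the two backup-side checks listed above (entropy analysis for anomalous encryption, mass-deletion alerts) look like in code, with the Art. 14 sexies clock started at the moment of detection as the runbook's step 1 requires. This is an added example, not from the original post and not Veeam's own detection code; the entropy and deletion thresholds, the extension whitelist, the two restore-point inventories and the detection time are constructed assumptions.

```python
"""Entropy-based encryption detection and mass-deletion check over two restore points.
Added example; not part of the original post and not Veeam's detection logic.
Thresholds, sample files and the detection timestamp are constructed assumptions.
"""
import math
import random
from collections import Counter
from datetime import datetime, timedelta, timezone

ENTROPY_THRESHOLD = 7.5    # bits/byte; text and office documents sit far below this
DELETION_THRESHOLD = 0.20  # fraction of files missing versus the previous restore point
NOTIFY_WINDOW = timedelta(hours=72)  # Art. 14 sexies, counted from knowledge of the breach
FIXED_DETECTED_AT = datetime(2026, 12, 1, 9, 0, tzinfo=timezone.utc)  # constructed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(inventory: dict) -> list:
    """Names of files whose content looks encrypted.
    Compressed formats are high-entropy too; a real scanner whitelists them by
    magic number, this example whitelists by extension to stay short.
    """
    skip = (".zip", ".gz", ".7z", ".jpg", ".png")
    return sorted(name for name, content in inventory.items()
                  if not name.lower().endswith(skip)
                  and shannon_entropy(content) >= ENTROPY_THRESHOLD)


def mass_deletion(previous: dict, current: dict) -> tuple:
    """Fraction (and names) of files in the previous restore point that are gone now."""
    gone = sorted(set(previous) - set(current))
    return (len(gone) / len(previous) if previous else 0.0), gone


def assess(previous: dict, current: dict, detected_at: datetime) -> dict:
    """Run both checks; on alert, derive the 72-hour Agency deadline from detection."""
    encrypted = suspicious_files(current)
    ratio, gone = mass_deletion(previous, current)
    alert = bool(encrypted) or ratio >= DELETION_THRESHOLD
    return {
        "alert": alert,
        "encrypted_files": encrypted,
        "deleted_fraction": round(ratio, 3),
        "deleted_files": gone,
        "detected_at_utc": detected_at.isoformat(),
        "agency_deadline_utc": (detected_at + NOTIFY_WINDOW).isoformat() if alert else None,
    }


def sample_restore_points() -> tuple:
    """Constructed {filename: content} inventories of two consecutive restore points."""
    rng = random.Random(2026)

    def noise() -> bytes:  # stand-in for ciphertext written by an intruder
        return bytes(rng.getrandbits(8) for _ in range(4096))

    previous = {f"doc{i}.txt": (f"quarterly report {i}\n" * 200).encode() for i in range(1, 11)}
    current = {name: previous[name] for name in (f"doc{i}.txt" for i in range(1, 6))}
    current["doc6.txt.locked"] = noise()
    current["doc7.txt.locked"] = noise()
    current["photos.zip"] = noise()  # legitimately high entropy, whitelisted by extension
    return previous, current


def demo(clean: bool = False) -> dict:
    """Assess the constructed sample, or a healthy previous-vs-previous comparison."""
    previous, current = sample_restore_points()
    return assess(previous, previous if clean else current, FIXED_DETECTED_AT)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On the constructed sample the alert fires on both signals at once (two encrypted files and half of the previous inventory gone), which is the pattern a ransomware run leaves between two restore points.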
## International transfer: every backup that crosses the border is a transfer

When we replicate a backup to S3 in us-east-1 or to Azure East US, we are performing an international transfer of personal data subject to the provisions of Art. 27 and 28 of the law (transfer to countries with an adequate level and standard clauses, respectively), with general supervision established in Art. 29. This is a point that many organizations overlook in the design phase of their backup architecture, and one that is very expensive to fix later.

### Guarantee mechanisms accepted by the law

Law 21.719 admits several mechanisms for an international transfer to be valid:

- Countries with an adequate level of protection: the Agency will maintain a list of countries whose legislation is considered equivalent. Until that list is published, the recommended practice is to work with the presumption that most destinations will require additional guarantees.
- Standard clauses: standardized contracts approved by the Agency that are incorporated into the service contract with the cloud provider.
- Binding Corporate Rules (BCR): applicable to intra-group transfers in multinational organizations.
- Express consent of the data subject: applicable in certain specific cases, not recommended as a general basis for backup infrastructure.

### Documentation in the ROPA

Every international transfer must be reflected in the Record of Processing Activities, identifying the destination country, the provider, the category of data transferred, the purpose of the transfer, and the guarantee mechanism used. If we replicate backups to AWS us-east-1, that must be in the ROPA.

### Alternatives to keep data in LATAM

A strategy many organizations are adopting is to minimize international transfer by choosing cloud regions or capacity tiers in LATAM. The 2026 landscape looks like this:

- AWS: operational regions in São Paulo and Mexico (Central), with Santiago de Chile announced for the end of 2026.
Azure: operational regions in Brazil South (São Paulo), Brazil Southeast (Rio de Janeiro), Mexico Central (Querétaro), and Chile Central (Santiago) with announced availability and rollout in progress.\nGoogle Cloud: operational regions in São Paulo and Santiago.\nOn-premise object storage with Veeam Hardened Repository + S3-compatible capacity tier (MinIO, Cloudian, Scality, Pure Storage, NetApp StorageGRID) hosted in local provider data centers or on own infrastructure. This is the option that most regulated organizations are choosing when data sensitivity does not allow any exit from the country.\nVeeam Data Cloud Vault as object storage managed by Veeam with default WORM immutability, AES-256 encryption in transit and at rest, logical air-gap from production, and particularly relevant for predictable budgets, flat per-TB pricing that includes API calls, restore, and egress (unlike the pure S3 model where these charges are variable and often surprise on the invoice).\nThis decision is not only about compliance, it also has impacts on latency and egress cost that must be evaluated case by case. Very important: the mere fact that a provider has a region in LATAM does not mean that your subscription automatically routes data there; the destination region is configured explicitly in the Veeam job and must be documented in the ROPA.\nSecuriti AI (now part of Veeam): DSPM, privacy operations, and AI trust # While Veeam Backup \u0026 Replication solidly covers the pillars of integrity, availability, and confidentiality over backed-up data, there are compliance layers that occur upstream of the backup: discovery, classification, privacy governance, data subject rights management, impact assessments, that historically required external tools. 
That changed in December 2025: Veeam completed the acquisition of Securiti AI for USD 1.725 billion (formal closing on December 11, 2025), incorporating into the portfolio Securiti\u2019s Data Command Center: DSPM, privacy operations, AI governance, under the slogan \u201cfirst trusted Data Platform\u201d. Rehan Jalil, Securiti founder and CEO, took the role of President of Security and AI at Veeam, and Securiti\u2019s 600 employees joined the team.\nIn practice, this means that the capabilities I detail below stop being \u201can integration between two vendors\u201d and become pieces of the same Veeam portfolio, with a single commercial interlocutor, single support, and in the medium term deeper technical integration with VBR, VRO, and the rest of the stack. For an organization building its compliance architecture under Law 21.719, this significantly lowers the friction of adoption.\nWhat Securiti AI solves that VBR does not solve # Data Security Posture Management (DSPM): automated discovery of where personal data lives across the entire organization, databases, data lakes, SaaS, file shares, and cloud storage, with automatic classification by category (personally identifiable data, sensitive data, specially protected data such as health or biometrics). Without this prior discovery, we don\u2019t know what data we are backing up nor to which jobs to apply the strictest policies.\nAutomatic classification and labeling: identification of national ID numbers, health data, financial data, minors\u2019 data, biometric data, etc., using pre-trained models. The output of this classification directly feeds the differentiated retention and encryption policies in Veeam.\nPrivacy Operations (DSAR): automation of the response flow to data subject requests (Data Subject Access Requests), access, rectification, suppression, portability. 
This lowers the operational cost of complying with data subject rights from person-days to hours, and leaves an auditable trace of each request and its resolution.\nConsent management: registration and traceability of consent given by each data subject, with direct linkage to the purposes declared in the Record of Processing Activities.\nDPIA automation: assisted workflow to perform Impact Assessments, with templates aligned to multiple regulatory frameworks (GDPR, LGPD, CCPA, and those emerging for Law 21.719).\nCompliance automation and multi-framework mapping: when an organization operates in several countries, Securiti AI allows mapping implemented controls to multiple laws simultaneously, avoiding duplication of documentation effort and maintaining coherence among regulations that share principles but differ in detail.\nAI security and governance: specific capabilities to govern the use of personal data in AI projects, protection of training data, prompt sanitization, traceability of inferences and derived models.\nHow they integrate in a combined architecture # A mature compliance architecture under Law 21.719 combines both layers of the Veeam portfolio operating on distinct but coordinated planes:\nSecuriti AI in the discovery, classification, governance, and privacy operations layer, acting as the intelligence system that knows what personal data exists, where it lives, who processes it, with what purpose, and under what consent.\nVeeam Backup \u0026 Replication + Recovery Orchestrator in the backup, recovery, immutability, and incident response layer, acting as the system that ensures the integrity and availability of that data when something goes wrong.\nIntegration by APIs and tags: the classification produced by Securiti AI translates into differentiated policies in Veeam, jobs with encryption and dedicated KMS for sensitive data, extended retention for data subject to specific legal obligations, replication restricted to LATAM regions for data that 
does not admit international transfer, Threat Center alerts prioritized according to the regulatory criticality of the compromised dataset. This integration will deepen during 2026 as the portfolio unification progresses post-acquisition.\nSecuriti AI discovers, classifies, and governs; Veeam backs up, protects, and recovers; both generate the evidence delivered to the Agency.\nWhat additional evidence Securiti AI brings to the regulator # Facing a supervisory process, Securiti AI contributes documentation that Veeam cannot generate natively:\nInventory report of personal data by category and by system, with timestamp and change traceability.\nDSAR log with response times and traceability of the action executed on production systems.\nMapping of controls to specific articles of Law 21.719 and to analogous frameworks such as GDPR, LGPD, or CCPA.\nDocumented DPIAs, archived, and with formal approval flow.\nConsent registry with timestamps, sources, and modification traceability.\nThe underlying question is not Veeam or Securiti AI, the question is how they complement each other to cover the complete personal data cycle: discover, classify, govern (Securiti AI) → back up, protect, recover (Veeam) → respond and provide evidence to the regulator (both combined).\nAdditional Veeam capabilities aligned with Law 21.719: VRO, Coveware, Threat Hunter and more # Beyond the pillars already covered (encryption with KMS, Hardened Repository, 3-2-1-1-0 rule, Staged Restore, Recon Scanner, Threat Center), the Veeam Platform has several specific capabilities worth knowing because they map directly to the principles of Law 21.719 and to the documentary requirements that the supervisory process will have. 
Several of these are recent functionalities incorporated in v12.3 (early 2025) and v13 that many organizations have not yet enabled.\nVeeam Recovery Orchestrator (VRO): the availability control documented automatically # Veeam Recovery Orchestrator is the component that orchestrates disaster recovery and, what is most relevant for our case, automatically generates the documentation the auditor will ask for. Instead of manually maintaining the DR plan, runbooks, and test reports, VRO produces and updates them automatically when the plan is executed or tested.\nWhat it brings for Law 21.719:\nAutomated runbooks that detail step by step how to recover critical workloads containing personal data, without depending on the memory of the operator on duty.\nAutomated tests with record: DR drills are executed in an isolated environment and leave a dated report of the result, which constitutes formal evidence of the availability control before the regulator.\nMonthly Audit Report with Full Change Tracking (incorporated in v13 of the Platform): records all activities and changes on recovery plans during the month, generating traceability that we will hardly produce by hand.\nOffline malware scanning before recovery: backups are scanned offline before being brought up to production, preventing reintroduction of threats that could compromise personal data in the production environment.\nCompliance dashboards that show the DR compliance status against internally declared SLAs and the timeframes committed in the ROPA.\nFor an organization that has to demonstrate before the Agency that its availability measures are real and verifiable, VRO is the way to go from \u201cwe have a plan\u201d to \u201chere are the monthly reports that demonstrate the plan works and is tested periodically\u201d.\nCoveware by Veeam: the response team we activate when prevention fails # Veeam acquired Coveware in April 2024 and the brand operates today as Coveware by Veeam. 
It is a service specialized in response to cyber extortion and ransomware incidents, that is, exactly the scenario that triggers the 72-hour notification obligation under Law 21.719.\nWhat it brings:\nIncident Response Retainer: preventive contract that gives priority access to the response team when the incident occurs. In practice, this avoids the initial \u201cscramble\u201d of searching for and hiring specialists while the crisis is active, which typically burns the first days of the notification period.\nNegotiation with extortion actors when applicable, handled by a team with thousands of closed cases. The decision to negotiate or not is legal and business, but the technical ability to do it or to professionally avoid it is something the average organization does not have internally.\nForensics and damage assessment: technical analysis of the incident, entry vector, affected data. This information is exactly what the regulator will require as part of the formal breach notification.\nRecon and Unidecrypt: Coveware\u2019s own tools for incident cost analysis and decryption in cases where it is technically possible.\nIntegration with Veeam Cyber Secure program: the elite services program of Veeam Data Platform Premium that combines a Ransomware SWAT team available 24/7 with a 30-minute SLA, quarterly security assessments executed by Veeam experts, advanced seven-phase onboarding, and for enrolled clients, up to two incidents per year attended by Coveware at no additional cost.\nFor Law 21.719 this is particularly relevant because the 72-hour notification is not just \u201cinform the Agency\u201d: it is delivering a technical analysis that makes sense. A typical internal team cannot produce that analysis in three days from scratch. 
With Coveware on retainer, and even more so if the organization is a Cyber Secure client with a 30-minute SLA, that analysis starts on day zero of the incident.\nVeeam Threat Hunter, YARA, and Inline Malware Scanning: detection integrated into the backup engine # Since version 12.3 of Veeam Backup \u0026 Replication (early 2025), the Platform incorporates detection capabilities that previously required external tools:\nVeeam Threat Hunter: combines scanning with YARA rules, antivirus-style detection, machine learning, and heuristic analysis, all integrated into the backup engine. Detects polymorphic malware that evades traditional signatures. The threat database is updated multiple times daily from Veeam.\nInline Malware Scanning: the scan occurs during the backup job, not as a subsequent step. If a compromised VM is being backed up with files encrypted by ransomware or with malicious binaries, the alert is immediate and within the job\u2019s own window.\nIndicators of Compromise (IoC) Detection: identifies known attack patterns within backed-up data, fed by integrated threat intelligence.\nCustom YARA rules: the security team can define their own rules to detect threats specific to their industry, environment, or a particular case under investigation.\nFor Law 21.719, what is critical is the time to detection. Let\u2019s remember that the 72 hours count from knowledge of the breach. Every hour that passes without detecting the incident erodes the time available for an orderly response and to build the formal notification to the Agency. 
These capabilities significantly lower that detection time and, equally importantly, leave auditable logs of each detection and each false positive dismissed.\nFour-Eyes Authorization: enforceable separation of duties # Another recent incorporation is Four-Eyes Authorization, which requires the approval of a second authorized operator before executing sensitive operations on the backup infrastructure: deleting jobs, modifying retention policies, disabling encryption, modifying configurations of immutable repositories.\nThis capability directly addresses the risk of a malicious insider and of accidental actions with destructive consequences. For Law 21.719, it complies with the principle of \u201creasonable measures\u201d in role separation, especially for operations that affect retention or deletion of personal data, operations that could otherwise be used to evade compliance or to destroy evidence before the regulator. This connects with the multi-tenant RBAC approach we already covered in the post on Kasten RBAC multi-tenant multi-cluster with Keycloak, where the separation of responsibilities at the platform level is also applied to the backup of Kubernetes workloads.\nEach approval is registered in the audit log with both operators identified, date, operation performed, and textual justification when applicable. It is the type of control that an auditor asks to verify directly, and that without Four-Eyes Authorization is built with manual processes that rarely comply 100%.\nAuditable matrix and 12-month checklist # To close, here is a summary table with the cross \u201cprinciple of the law → technical control → Veeam component → auditable evidence\u201d, and a milestone checklist so that your organization arrives prepared for December 1, 2026.\nHow are the technical controls mapped to the principles of Law 21.719? 
# The following matrix translates each principle of the law into a specific technical control, its responsible Veeam component, and the documentary evidence we deliver to the regulator. It is the short and actionable answer to the question that almost all readers will have when arriving here.\nLaw 21.719 Principle | Technical Control | Veeam Component | Auditable Evidence\nConfidentiality | AES-256 encryption + external KMS | Job encryption + Vault/KMS integration | Job config, KMS audit log\nIntegrity | Immutability in Compliance mode | Hardened Repository + Veeam Vault | Veeam ONE immutability report\nOperational availability | 3-2-1-1-0 + verification | SureBackup + Veeam ONE | Monthly SureBackup reports\nOrchestrated availability | Automated runbooks + DR auditing | Veeam Recovery Orchestrator (VRO) | Monthly Audit Report + dated runbooks\nMinimization | Retention justified in ROPA | GFS per job | Veeam ONE retention report\nRight of erasure | Staged Restore + controlled retention | VBR Staged Restore + GFS + immutability | Staged Restore job log + DSAR record\nIntegrated detection | YARA + ML + IoC + Inline Scan | Veeam Threat Hunter (v12.3+) | Detection logs with timestamp\nBreach notification | Detection + forensic analysis | Recon Scanner + Threat Center + Coveware by Veeam | Runbook + logs + forensic report\nSeparation of duties for deletion | Dual authorization on critical operations | Four-Eyes Authorization | Audit log with two approvers\nInternational transfer | Standard clauses + ROPA | Documented capacity tier | Updated ROPA\n12-month checklist # Suggested roadmap to arrive at December 1, 2026 with auditable documentation ready. 
T-12 months (December 2025): implementation and testing of external KMS, integration with Veeam Backup \u0026 Replication, definition of key rotation policy.\nT-9 months (March 2026): deployment of Hardened Repository in Compliance mode, migration of critical jobs to immutable destination, validation of network and identity isolation.\nT-6 months (June 2026): execution of DPIA for the backup flow, especially for jobs involving sensitive data or international transfer. Update of the Record of Processing Activities.\nT-3 months (September 2026): complete simulation of breach notification, measuring detection time, containment time, notification time. Adjustments to the runbook based on findings.\nT-1 month (November 2026): external compliance audit, review of all documentation that would be delivered to the Agency in case of an eventual requirement.\nDecember 1, 2026: full entry into force of Law 21.719.\nFrequently Asked Questions # When does Law 21.719 enter into force? # Law 21.719 was published on December 13, 2024, and enters into full force on December 1, 2026, 24 months after publication. From that date, the Personal Data Protection Agency can supervise compliance and apply sanctions.\nWhat are the maximum sanctions under Law 21.719? # Up to UTM 20,000 or 4% of annual revenue in Chile in the highest category (~$1,392M CLP at the UTM cap). Repeat offenses can triple the fine, reaching up to UTM 60,000.\nMust SMEs comply with Law 21.719 from day one? # Yes, but with an adaptation margin: during the first year of effect (Dec 1, 2026 to Dec 1, 2027), SMEs are subject only to written warning, not to fines. After that period, sanctions apply fully.\nHow to comply with the right of erasure over immutable backups? 
# For traditional architectures, the defensible response is the combination of Staged Restore (Veeam B\u0026R 9.5 U4+) over the active production state, retention at the applicable legal minimum documented in the ROPA, immutability of the historical backup during that period, and an honest record that documents the action before the data subject and the regulator.\nWhat is Staged Restore in Veeam? # It is a functionality of Veeam Backup \u0026 Replication (since 9.5 Update 4) that allows recovering a VM from the backup to an isolated environment, executing a sanitization script (PowerShell, Bash) on the restored data, for example deleting records of a data subject or anonymizing fields, and publishing the sanitized state to production. The original backup remains immutable.\nHow does Law 21.719 relate to GDPR? # Law 21.719 takes the conceptual model of GDPR and replicates almost all of its principles, data subject rights, DPO obligations, DPIA, and 72-hour breach notification. The main differences are the absolute amount of sanctions, the territorial scope (limited to Chile rather than extraterritorial), and the jurisprudence, which in Chile is just beginning to be built.\nConclusion # Law 21.719 finally takes us to a scenario where personal data protection translates into concrete and supervisable technical obligations. 
For IT areas, and particularly for teams in charge of backup and recovery infrastructure, this represents an opportunity to professionalize and document practices that are often already applied, but were not formalized as compliance evidence.\nThe good news is that most of the controls the law requires can be implemented and evidenced with the native capabilities of the Veeam Platform: encryption with KMS, real immutability in Compliance mode, RBAC with MFA, justified retention, Staged Restore for the right of erasure, automated detection with Veeam Threat Hunter and Threat Center, periodic verification with SureBackup, orchestration with Veeam Recovery Orchestrator, and specialized response with Coveware by Veeam. What differentiates solid compliance from superficial compliance is the discipline to document each control and keep up to date the auditable matrix we deliver to the regulator.\nFor Chilean SMEs there is an additional margin during the first year of effect (Dec 1, 2026 to Dec 1, 2027), where infringements are sanctioned only with a warning. But that period is not for \u201cstarting later\u201d, it is to finish landing what should already be in motion: at the end of the grace period, the accumulated records become part of the history before the Agency.\nIf your organization does not yet have a clear plan to arrive at December 1, 2026 with the house in order, the recommendation is to start today with the 12-month checklist, and advance systematically and with documentation. 
As I always say, in security and resilience there are no shortcuts: either it is done right, or it is not done.\nIf this post was useful, or if you have questions about how to apply these controls in your specific architecture, write me on LinkedIn.\nRelated posts # Veeam Hardened (Immutable) Repository Veeam Decoys - Early Detection Veeam + Kasten Veeam Capacity Tier Oracle Cloud Object Storage ","date":"7 May 2026","externalUrl":null,"permalink":"/en/posts/law-21719-veeam/","section":"Blog","summary":"Technical compliance with Chile Law 21.719 using Veeam Data Platform: encryption, immutability, Staged Restore, VRO, Threat Hunter, and an auditable matrix. Effective Dec 1, 2026.","title":"Chile Law 21.719: technical compliance manual with Veeam","type":"posts"},{"content":" In this post we\u2019ll take a detailed look at vScan 2.0, an open-source desktop application I developed to scan Veeam Backup \u0026 Replication v13+ restore points for security vulnerabilities. We\u2019ll go over the architecture, installation, configuration, scanning capabilities, vulnerability management, reports, security and much more.\nWhy Scan Your Backups? # First things first, we should always ask ourselves: why do we need to scan our backups? The answer is simple: if a server was compromised weeks ago and we discover it today, all the restore points from that period contain the vulnerabilities or malware. If we need to restore and don\u2019t know which restore point is safe, we\u2019re restoring blind.\nWith vScan we can scan any restore point before restoring it, know exactly which vulnerabilities it contains and make an informed decision.\nAlso, keep in mind that Veeam already includes entropy analysis, malware detection, among others in the solution. So vScan comes in as an additional complement so that when needed, you can verify with the latest vulnerability publications whether your machine or backup that you\u2019re about to recover has vulnerabilities or not, and perform the recovery in an isolated environment to apply vulnerability mitigation before deploying to production.\nWhat is vScan? # vScan is a desktop application for Windows and macOS that integrates with Veeam Backup \u0026 Replication v13+ through its REST API. 
The application mounts virtual disks from any restore point on a remote Linux server via SSH and runs vulnerability scanners against the mounted filesystem.\nIt\u2019s not just a scanner — vScan provides complete vulnerability lifecycle management: tracking, states, automatic fix detection, integration with CISA\u2019s KEV catalog, executive and technical PDF reports, email and desktop notifications, batch scanning, scheduled scans and much more.\nThe application is available on GitHub: https://github.com/mescobarcl/vScan\nSupported Platforms #\nFeature | macOS | Windows\nMinimum version | 13.0 (Ventura) | 10 (1803+)\nTested | Ventura 13, Sonoma 14, Sequoia 15, Tahoe 26 | Windows 10, 11, Server 2019/2022/2025\nArchitecture | Apple Silicon (arm64) | x86_64\nInstaller | .dmg | .exe\nBiometrics | Touch ID, Face ID | Windows Hello\nCredentials | macOS Keychain | Windows Credential Manager\nA remote Linux server with SSH is required to mount the disks and run the vulnerability scanners.\nRequirements # To use vScan we\u2019ll need:\nComponent | Requirement\nOperating System | Windows 10+ or macOS 13+\nVeeam VBR | Veeam Backup \u0026 Replication v13 or higher\nLinux Server | Rocky Linux 9+\nScanners | Trivy, Grype and Jadi\nInstallation # Installation is very straightforward — we download the installer from the releases page on GitHub:\nhttps://github.com/mescobarcl/vScan/releases\nFor macOS we download the .dmg file and drag the application to the Applications folder. For Windows we download the .exe and run the installer.\nInitial Configuration – Master Password # When launching vScan for the first time it will ask us to create a Master Password. This password protects all credentials stored in the application using AES-256-GCM encryption with Argon2id key derivation.\nIt\u2019s very important to save the Recovery Key that\u2019s generated automatically. 
This key in VSCAN-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX format is the only way to recover access if the Master Password is forgotten.\nOnce the Master Password is configured, vScan supports biometric unlock with Touch ID on macOS and Windows Hello on Windows for quick access.\nVBR Server Connection # The first step after creating the Master Password is connecting to our Veeam Backup \u0026amp; Replication server. We go to the configuration section and we\u0026rsquo;ll see a 5-step wizard that will guide us:\nIn Step 1 we configure the VBR connection:\nEnter the hostname or IP of the VBR server Port (default 9419 for REST API) Username in domain\\user format Password vScan connects to the Veeam REST API and automatically retrieves the server information: VBR version, license edition, SQL database version, etc.\nLinux Server Connection # In Step 2 we configure the Linux server that will act as the scanner host. Here we have two options:\nImport from VBR: If we have Linux servers registered as managed servers in VBR, we can import them directly Manual configuration: We enter the IP, SSH port, user and password or private key When connecting, vScan runs an automatic 8-step setup process:\nValidate credentials Establish SSH connection Accept Fingerprint Detect Rocky operating system Verify and install system packages Configure Trivy scanner Configure Grype scanner Configure Jadi scanner Save configuration vScan automatically detects if the scanners are installed, what their current version is, and offers to install or update them. Downloads are verified with SHA-256 before installation to prevent tampering.\nIt also performs SSH host key verification using TOFU: the first time we connect to a server, the fingerprint is stored. 
If the fingerprint changes on future connections, vScan alerts us of a possible Man-in-the-Middle attack.\nNotifications – Email and Desktop # vScan supports two notification channels:\nNative operating system notifications for real-time events SMTP configuration with STARTTLS/SSL for email alerts The 6 configurable event types are:\nEvent Description Scan Completed When a scan finishes successfully Scan Failed When a scan fails Batch Completed When a batch scan finishes Schedule Started When a scheduled scan starts KEV Found When an actively exploited vulnerability is detected Critical Vulnerabilities When critical severity vulnerabilities are found Dashboard # Once the connections are configured, vScan\u0026rsquo;s main view is the Dashboard which shows us a complete summary of the security posture:\nThe dashboard includes:\nVulnerability counters by severity: Critical, High, Medium, Low KEV counter: vulnerabilities that are in CISA\u0026rsquo;s Known Exploited Vulnerabilities catalog Severity distribution chart Vulnerability trend over time Top most vulnerable VMs with ranking by severity Recent scans with real-time status Scan statistics: total, last 7 days, last 30 days Data updates in real time as new scans complete.\nThree Scanning Engines: Trivy, Grype and Jadi # vScan supports three vulnerability scanning engines:\nTrivy # Scanner by Aqua Security, one of the most widely used in the industry. Excellent for Linux distribution packages and containers. vScan installs and manages it automatically. Official documentation: https://github.com/aquasecurity/trivy\nGrype # Scanner by Anchore, another popular option for vulnerability scanning. Complements Trivy nicely with a different approach. Official documentation: https://github.com/anchore/grype\nJadi # My own CLI scanner written in Rust, specifically designed to cover the gap that Trivy and Grype leave in detecting vulnerabilities in Windows binary software and KB patches. 
Jadi uses multiple vulnerability sources:\nNVD (National Vulnerability Database) for CPE matching MSRC (Microsoft Security Response Center) for Windows vulnerabilities and KBs OSV (Open Source Vulnerabilities) for language ecosystems GHSA (GitHub Security Advisories) CISA KEV (Known Exploited Vulnerabilities) Each scanner can be installed, updated and uninstalled directly from vScan\u0026rsquo;s UI. Installations are verified with SHA-256 to ensure binary integrity.\nhttps://github.com/mescobarcl/jadi\nHow to Scan Backups # To scan a VM, vScan provides a guided 5-step wizard:\nStep 1: Select VMs # We select the VM we want to scan. vScan retrieves the VM list directly from the VBR API.\nStep 2: Select Restore Point # We choose the restore point we want to scan. The date, type and size of each available restore point are displayed.\nStep 3: Select Disks # We select which disks of the VM we want to mount and scan. We can select all of them or just specific ones.\nStep 4: Mount Disks # vScan publishes the restore point through Veeam\u0026rsquo;s Data Integration API and mounts the disks on the Linux server using FUSE or iSCSI. Mount progress is shown in real time.\nStep 5: Scan and Results # Once the disks are mounted, the selected scanner runs against the filesystem. Progress is shown in real time with estimated ETA.\nWhen finished we see the results with the total vulnerabilities found by severity.\nVulnerability Lifecycle Management # This is one of the most important features of vScan 2.0. 
It\u0026rsquo;s not just a scanner, it\u0026rsquo;s a vulnerability lifecycle management platform.\nVulnerability Browser # The browser allows filtering and searching vulnerabilities with multiple criteria:\nSeverity: Critical, High, Medium, Low, Negligible Status: Open, Fixed, Won\u0026rsquo;t Fix, Accepted, False Positive VM Name: filter by specific server Package Name: search by affected package Scanner Type: filter by Trivy, Grype or Jadi Date range: first detection or last detection KEV: only vulnerabilities in the CISA catalog Lifecycle Tracking # Each vulnerability is tracked with complete timestamps:\nFirst detection: when it was found for the first time Last seen: when was the last time it appeared in a scan Auto-fix: if a vulnerability doesn\u0026rsquo;t appear in a subsequent scan, it\u0026rsquo;s automatically marked as \u0026ldquo;fixed\u0026rdquo; Reopening: if a vulnerability marked as fixed reappears, it\u0026rsquo;s automatically reopened History by scan: in which exact scans it was detected (complete audit trail) State Management # The available states are:\nStateDescriptionOpenVulnerability detected and pending remediationFixedRemediated (automatically marked when it doesn\u0026rsquo;t appear in a new scan)Won\u0026rsquo;t FixDecision not to remediate (with justification)AcceptedRisk accepted by the organizationFalse PositiveIncorrect scanner detection\nState operations can also be done in bulk to manage multiple vulnerabilities simultaneously.\nCISA KEV – Known Exploited Vulnerabilities # vScan integrates with CISA\u0026rsquo;s Known Exploited Vulnerabilities (KEV) catalog, which syncs automatically every 24 hours.\nEach detected vulnerability is cross-referenced against this catalog. Those that appear there are flagged specially because it means that vulnerability is being actively exploited. 
Remediation priority should be immediate.\nCatalog validation includes integrity verification: entry count, CVE ID format and JSON structure to mitigate malicious data injection.\nDocumentation # vScan includes complete documentation in two languages:\nLanguage Link English docs/en/ Spanish docs/es/ Conclusion # vScan 2.0 transforms your Veeam backup infrastructure into a continuous security monitoring platform. Instead of waiting for an incident to discover vulnerabilities in your restore points, now you can proactively scan them, track the lifecycle of each vulnerability and make informed decisions before restoring.\nThe main features we covered in this post are:\nNative integration with Veeam VBR v13+ REST API Three scanning engines: Trivy, Grype and Jadi Comparison between scanners and restore points Batch scanning with configurable parallelism Scheduled scans with cron expressions Complete vulnerability lifecycle management Integration with CISA KEV (Known Exploited Vulnerabilities) Executive and technical PDF reports with branding CSV export up to 50,000 vulnerabilities Email and desktop notifications (6 event types) Security with AES-256-GCM, Argon2id, Keychain, biometrics Auto-lock, brute force protection, recovery key System tray with full menu Dark mode Automatic database maintenance Documentation in English and Spanish The application is available on GitHub under the MIT license: https://github.com/mescobarcl/vScan\nAnd with that we wrap up this post! Any ideas or suggestions are welcome as always!\nRelated posts # JADI Scanner Veeam Decoys - Early Detection Incident Response Plan with NIST 800-61, 800-53r5, Mitre ATT\u0026amp;CK and Veeam Veeam Hardened (Immutable) Repository ","date":"6 April 2026","externalUrl":null,"permalink":"/en/posts/vscan-vulnerability-scanner-2-0/","section":"Blog","summary":"vScan 2.0, open-source app to scan Veeam Backup \u0026 Replication restore points with Trivy, Grype and Jadi. 
Lifecycle, CISA KEV, PDF reports.","title":"vScan Vulnerability Scanner 2.0","type":"posts"},{"content":"","date":"April 6, 2026","externalUrl":null,"permalink":"/es/tags/vulnerabilidades/","section":"Etiquetas","summary":"","title":"Vulnerabilidades","type":"tags"},{"content":"","date":"6 April 2026","externalUrl":null,"permalink":"/en/tags/vulnerabilitites/","section":"Tags","summary":"","title":"Vulnerabilitites","type":"tags"},{"content":"","date":"April 6, 2026","externalUrl":null,"permalink":"/es/tags/windows/","section":"Etiquetas","summary":"","title":"Windows","type":"tags"},{"content":"","date":"25 March 2026","externalUrl":null,"permalink":"/en/tags/24xsiempre/","section":"Tags","summary":"","title":"24Xsiempre","type":"tags"},{"content":"","date":"25 March 2026","externalUrl":null,"permalink":"/en/tags/backup-scan/","section":"Tags","summary":"","title":"Backup-Scan","type":"tags"},{"content":"","date":"March 25, 2026","externalUrl":null,"permalink":"/es/categories/dise%C3%B1o/","section":"Categorías","summary":"","title":"Diseño","type":"categories"},{"content":"","date":"25 March 2026","externalUrl":null,"permalink":"/en/tags/forensics/","section":"Tags","summary":"","title":"Forensics","type":"tags"},{"content":" Something I\u0026rsquo;ve been working on for several months and that is finally taking shape is Jadi, a vulnerability scanner specifically designed to analyze mounted backups and filesystems. The name is no coincidence: JADI stands for my kid\u0026rsquo;s initials, so this project holds a special meaning for me beyond the technical side. In this post I\u0026rsquo;ll walk you through what it\u0026rsquo;s all about, why I built it, how it works under the hood, and what\u0026rsquo;s coming next.\nWhy Jadi? # Those who know me know I\u0026rsquo;ve been working with Cloud, Kubernetes, AI, data protection, backup, and security technologies for several years now. 
And along the way, a question that always comes up in incident response and forensic analysis scenarios is: what vulnerable software did that system have when it was compromised?\nThere are excellent vulnerability scanning tools out there like Trivy and Grype, and I fully recommend them for Linux environments, containers, and images. They do a beautiful job. But when the scenario involves Windows operating systems, registry hives, installed KBs, Microsoft patch supersedence chains, the story changes quite a bit. Windows coverage in these tools is limited or nonexistent, and that\u0026rsquo;s a real problem when most enterprise environments are still running Windows on their servers and workstations.\nOn top of that, existing tools are designed to scan live systems — installed agents, running containers, active repositories. But when you have a backup mounted in read-only mode, a snapshot of a server that no longer exists, or a forensic disk image, most solutions simply don\u0026rsquo;t apply.\nThat combination of needs, offline backup scanning + real Windows coverage, is what motivated me to start working on this idea months ago. That\u0026rsquo;s where Jadi comes in. The idea is simple but powerful: mount a backup, scan it, and get a complete report of known vulnerabilities without needing to install anything on the original system.\nWhat does Jadi do? # The project is available at github.com/mescobarcl/jadi and is currently at version 0.1.0 with a published release for Linux x86_64. It\u0026rsquo;s a binary written in Rust that runs on your local machine or Linux server and analyzes any mounted filesystem, preferably Microsoft Windows.\n12 Ecosystem Scanners # Jadi detects software by analyzing configuration files and manifests across multiple ecosystems: npm, PyPI, Maven, Gradle, Go, NuGet, Composer (PHP), RubyGems, Cargo (Rust), .NET, and JAR files. 
It also performs binary pattern matching to detect versions of OpenSSL, Apache, nginx, PHP, MySQL, PostgreSQL, Redis, and Node.js directly from binaries.\nOffline Windows Analysis # It parses registry hives (SOFTWARE, NTUSER.DAT) without needing Windows to be running. It detects installed software, KBs/hotfixes, Windows versions, and .NET Framework. It also resolves Microsoft patch supersedence chains, something very few tools do correctly.\n5 Vulnerability Sources # It correlates detected software against NVD, OSV, MSRC, GitHub Security Advisories (GHSA), and CISA KEV. The vulnerability database is automatically updated daily on the CDN, and by running jadi update-db the latest version is downloaded with SHA256 integrity verification.\nImportant: Since the database is updated every day with new vulnerabilities, it\u0026rsquo;s recommended to always run jadi update-db before each scan to make sure you\u0026rsquo;re working with the most up-to-date information. New CVEs are published constantly, and a single day\u0026rsquo;s difference could mean missing a critical vulnerability.\nKEV and Ransomware Intelligence # It doesn\u0026rsquo;t just tell you what vulnerabilities you have, it also tells you which ones are being actively exploited according to the CISA catalog, and which ones are associated with known ransomware campaigns. This is key for prioritization in incident response scenarios.\nSBOM Generation # It generates software inventories in SPDX 2.3 and CycloneDX 1.5 formats, which is exactly what\u0026rsquo;s needed for compliance.\n7 Output Formats # Table (with terminal colors), JSON, SARIF (for CI/CD), CSV, Markdown, SPDX, and CycloneDX. 
It also includes severity-based exit codes (0 = clean, 2 = critical vulnerabilities found), making it perfect for pipeline integration.\nQuick Example # # Install (Linux x86_64) curl -LO https://github.com/mescobarcl/jadi/releases/latest/download/jadi-linux-x86_64 chmod +x jadi-linux-x86_64 \u0026amp;\u0026amp; sudo mv jadi-linux-x86_64 /usr/local/bin/jadi # Download the vulnerability database jadi update-db # Scan a mounted backup jadi scan /mnt/backup # Only critical KEV vulnerabilities associated with ransomware jadi scan /mnt/backup --min-severity critical --kev-only --ransomware-only # Generate SBOM in SPDX format jadi scan /mnt/backup -o spdx -f sbom.spdx.json The terminal output looks something like this:\nArchitecture # Jadi\u0026rsquo;s architecture is designed in well-defined layers:\nScanner Layer: 12 specialized scanners that traverse the filesystem looking for configuration files, manifests, lockfiles, registry hives, and binaries. Each scanner generates a list of detected software in PURL or CPE format.\nMatcher Layer: 4 matchers that correlate detected software against vulnerability databases. The PURL Matcher queries OSV and GHSA, the CPE Matcher queries NVD, the KB Matcher queries MSRC (with KB supersedence resolution), and the KEV Matcher enriches results with active exploitation data from CISA.\nDatabase: A unified local database of ~500MB containing all vulnerabilities from the 5 sources. It\u0026rsquo;s updated daily from the CDN with a simple jadi update-db. Integrity verification is automatic, SHA256 checksum, incremental updates, HTTPS connections, and protection against malicious responses.\nOutput Layer: Generates reports in any of the 7 supported formats, with filters by severity, KEV, ransomware, and configurable suppression rules with expiration dates.\nTechnical Decisions # Some design decisions worth mentioning:\nWhy Rust? Performance and memory safety. 
When you\u0026rsquo;re scanning a filesystem with thousands of files, parsing JSON/YAML/TOML lockfiles, and doing parallel matching against hundreds of thousands of CVEs, you need the tool to be fast. Rust gives us that without sacrificing safety. The codebase currently has around 80 .rs files and over 525 tests.\nWhy local SQLite instead of direct APIs? Originally the scanner queried vulnerability APIs directly, but this had serious issues: network dependency, rate limits, latency, and the inability to use the tool in air-gapped environments. Migrating to a pre-built database distributed via CDN solved all of this at once. Now you can download the DB once, disconnect from the internet, and scan everything you need with --offline.\nWhy Cloudflare R2 as CDN? Free egress. When you\u0026rsquo;re distributing a ~500MB file to potentially many users, egress costs on S3 or GCS scale up fast. With R2 the infrastructure cost is practically zero.\nFlexible configuration: Jadi supports TOML-based configuration for vulnerability suppression rules, useful when you already know about certain findings and want to exclude them from the report. Suppressions include expiration dates so they don\u0026rsquo;t get forgotten over time.\nUse Cases # Where does Jadi fit into your workflow?\nForensic Analysis / Incident Response: You have a backup of a compromised server. You mount it in read-only mode and run Jadi to identify what vulnerabilities existed at the time of the backup. Was there Log4Shell? Was there an unpatched Exchange? Immediate answer.\nCompliance Auditing: You need to generate an SBOM of a legacy system to meet regulations. You mount the backup, generate the inventory in SPDX or CycloneDX, and you have your compliance evidence.\nPre-Restoration Risk Assessment: Before restoring a backup to production, scan it. 
If it has critical vulnerabilities with active exploits (KEV), better to know before putting it back in production or connecting it to the internet.\nBackup Verification: As part of your backup verification process (which everyone should have), add a vulnerability scan. You\u0026rsquo;re not just verifying that the backup is valid, but that the backed-up system wasn\u0026rsquo;t a risk.\nPerformance Options # For large backups, Jadi offers several optimization options:\n# Increase scan threads jadi scan /mnt/backup --threads 16 # Parallel matching with connection pool jadi scan /mnt/backup --pool-size 8 --parallel-match # Skip noisy Windows folders (WinSxS) jadi scan /mnt/windows-backup --skip-windows-noise # Exclude specific folders jadi scan /mnt/backup \\ --exclude-path \u0026#34;node_modules\u0026#34; \\ --exclude-path \u0026#34;.git\u0026#34; \\ --exclude-path \u0026#34;vendor\u0026#34; # Limit search depth jadi scan /mnt/backup --max-depth 10 What\u0026rsquo;s Next # The project is at v0.1.0 and there\u0026rsquo;s a long road ahead. Some of the areas I\u0026rsquo;m working on:\nImproving code testing with dependency injection and repository traits Performance optimization with regex caching and reducing unnecessary cloning Expanding test coverage, especially in the sync modules Refactoring some modules More complete documentation vScan Integration # But what excites me the most about what\u0026rsquo;s coming is the integration with vScan. For those who don\u0026rsquo;t know it, vScan is a tool that allows you to scan for vulnerabilities directly from Veeam backups. Today vScan already supports Trivy and Grype as scanning engines, which as I mentioned before are excellent for Linux and container environments. 
In the upcoming vScan 2.0.0, support for Jadi will be added, which will cover the gap that currently exists with Windows, scanning Windows server and workstation backups with the same ease that containers and Linux are scanned today.\nThe integration is already prepared on Jadi\u0026rsquo;s side, the JSON output generates a compatible format that vScan auto-detects, allowing results to integrate natively into the data protection workflow with Veeam. This means you\u0026rsquo;ll be able to scan your Veeam backups for vulnerabilities as part of your verification and restoration process, now including Windows as well.\nWhen I launch vScan 2.0.0 I\u0026rsquo;ll update this post with all the integration details, including usage examples, the complete solution architecture, and specific use cases for Veeam environments. So stay tuned. Or I\u0026rsquo;ll create a separate post with all the vScan details.\nConclusion # Jadi was born from a real need I saw in our industry: the lack of specialized tools to assess the security posture of backups and offline systems. It\u0026rsquo;s free, written in Rust for maximum performance, supports a considerable number of ecosystems and vulnerability sources, and is designed to integrate into existing workflows.\nIf you work with backups, forensic analysis, incident response, or simply want to know what vulnerabilities that server you backed up last week has, give Jadi a try.\nThe repository is available at github.com/mescobarcl/jadi. 
As always, any feedback, bug reports, or feature requests are welcome through the issues.\nAnd as you know, I\u0026rsquo;m available 24xSiempre!\nRelated posts # vScan Vulnerability Scanner 2.0 Veeam Decoys - Early Detection Incident Response Plan with NIST 800-61, 800-53r5, Mitre ATT\u0026amp;CK and Veeam Veeam Hardened (Immutable) Repository ","date":"25 March 2026","externalUrl":null,"permalink":"/en/posts/jadi-scanner/","section":"Blog","summary":"Something I’ve been working on for several months and that is finally taking shape is Jadi, a vulnerability scanner specifically designed to analyze mounted backups and filesystems. The name is no coincidence JADI stands for my kid’s initials, so this project holds a special meaning for me beyond the technical side. In this post I’ll walk you through what it’s all about, why I built it, how it works under the hood, and what’s coming next.","title":"JADI Scanner","type":"posts"},{"content":"","date":"March 25, 2026","externalUrl":null,"permalink":"/es/tags/rust/","section":"Etiquetas","summary":"","title":"Rust","type":"tags"},{"content":"","date":"25 March 2026","externalUrl":null,"permalink":"/en/tags/sbom/","section":"Tags","summary":"","title":"Sbom","type":"tags"},{"content":"","date":"25 March 2026","externalUrl":null,"permalink":"/en/tags/vulnerability/","section":"Tags","summary":"","title":"Vulnerability","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/automate/","section":"Etiquetas","summary":"","title":"Automate","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/control-file/","section":"Etiquetas","summary":"","title":"Control-File","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/database-recovery/","section":"Tags","summary":"","title":"Database-Recovery","type":"tags"},{"content":"","date":"11 July 
2025","externalUrl":null,"permalink":"/en/tags/dbid-recovery/","section":"Tags","summary":"","title":"Dbid-Recovery","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/estrategia-respaldo-oracle/","section":"Etiquetas","summary":"","title":"Estrategia-Respaldo-Oracle","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/categories/oracle/","section":"Categories","summary":"","title":"Oracle","type":"categories"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/oracle-backup/","section":"Tags","summary":"","title":"Oracle-Backup","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/oracle-backup-strategy/","section":"Tags","summary":"","title":"Oracle-Backup-Strategy","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/oracle-recovery/","section":"Tags","summary":"","title":"Oracle-Recovery","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/oracle-rman/","section":"Etiquetas","summary":"","title":"Oracle-Rman","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/plugin-oracle-veeam/","section":"Etiquetas","summary":"","title":"Plugin-Oracle-Veeam","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/recuperaci%C3%B3n-dbid/","section":"Etiquetas","summary":"","title":"Recuperación-Dbid","type":"tags"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/restore-rman/","section":"Etiquetas","summary":"","title":"Restore-Rman","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/rman-backup/","section":"Tags","summary":"","title":"Rman-Backup","type":"tags"},{"content":"","date":"July 11, 
2025","externalUrl":null,"permalink":"/es/tags/spfile/","section":"Etiquetas","summary":"","title":"Spfile","type":"tags"},{"content":" One of the frequent questions I\u0026rsquo;m always receiving is how to perform database recovery with Veeam Explorer for Oracle, which has different ways to accomplish this when using Veeam Oracle Plugin, commonly used in RAC installations as well as in installations where the Oracle database is standalone. In particular, this post is only for performing the Veeam Plugin installation from the Veeam Backup \u0026amp; Replication console, and we\u0026rsquo;ll also review the recovery options when performing backups through the RMAN Plugin.\nIntroduction # There\u0026rsquo;s always the question of how to easily backup and recover Oracle with Veeam, or how RMAN backups work with Veeam. Just by reading the Veeam help center documentation, you can understand everything, but traditionally, who reads the manuals completely? :)\nOracle Recovery Manager / RMAN # We should always take into account both Oracle RMAN and Veeam documentation when performing these types of backups and recovery, especially to clearly understand how it works if you don\u0026rsquo;t have in-depth knowledge of the solutions:\nRMAN: https://docs.oracle.com/en/database/oracle/oracle-database/23/bradv/introduction-backup-recovery.html Veeam Plugins for Oracle RMAN: https://helpcenter.veeam.com/docs/backup/plugins/rman_plugin.html?ver=120 Veeam Explorer for Oracle: https://helpcenter.veeam.com/docs/backup/explorers/rman_backups.html?ver=120 Let\u0026rsquo;s remember that several versions ago, Veeam supports centralized management of database plugin installation, Managed Mode, and the traditional version Unmanaged Mode. 
The main difference is that in the first mode, it will be completely managed by the Veeam Backup Server, while in the second mode, the plugin will send backups to the configured Veeam Backup repositories, but won\u0026rsquo;t have any management from Veeam Backup Server, except for recoveries.\nOracle Plugin Installation from Veeam Backup # Installation on Oracle Standalone or RAC servers is simple, as you just need to create a \u0026ldquo;Protection Group\u0026rdquo; within Veeam Backup, add the servers where we want to install the plugin, then configure what type of plugin and whether it should be kept updated, just like it\u0026rsquo;s currently done with Veeam agents for Windows, Linux, etc.\nIn case you\u0026rsquo;re not using root, you can use an account with sudo permissions, as administrative privileges are necessary to install our plugin.\nAt this stage it\u0026rsquo;s important, as shown in the previous image, we need to decide whether to install the backup agent, install the plugin, or both. For this case, we\u0026rsquo;ll only select \u0026ldquo;Install application plug-ins to be installed\u0026rdquo; and then click on \u0026ldquo;Configure…\u0026rdquo; to select the plugin to install.\nThen click next to see that everything is configured correctly:\nAnd finally click on Finish to see the installation status of both nodes\nThe installation is now complete. In the previous image, you can see the result, and in the server list, it shows that the plugin is installed on each machine.\nOracle RMAN Backup Policy Configuration # Now it\u0026rsquo;s as simple as creating the new backup policy to protect existing databases. In this case, we\u0026rsquo;ll back up the \u0026ldquo;AUSTIN\u0026rdquo; database to later test the recovery options:\nAfter selecting the Storage or repository where we\u0026rsquo;ll store our backups, we need to specify the credential to use for a correct and consistent backup. 
Select either operating system or database credentials - in this case, we\u0026rsquo;ll use the \u0026ldquo;oracle\u0026rdquo; user.\nIn the previous image, define what to do with the archive logs, how many channels will be used for the archive logs, and in case Pluggable Databases exist, the selection or exclusion of those databases. Finally, the Schedule and Finish the Wizard. Then Veeam Backup will show when it will execute:\nIn this case, we\u0026rsquo;ll force a database backup to run tests and we\u0026rsquo;ll see the successful execution of the backup:\nRecovery to Another Oracle Instance - Original Instance # For recovery, there are multiple ways, but for this example, we\u0026rsquo;ll use 4 recovery methods:\nRecover the database to the same original instance Recover the database to the same original instance but with a different database name Recover the database to another instance with the original name and DBID Recover the database to another instance but with a different database name Starting with the first one, we just need to access Veeam Backup \u0026amp; Replication, go to \u0026ldquo;Backup -\u0026gt;Disk\u0026rdquo;, select the Oracle RMAN backup and click on \u0026ldquo;Restore from Oracle RMAN…\u0026rdquo;\nIt will open Veeam Explorer for Oracle and show us the protected databases, in this case, AUSTIN. We select the database and click on \u0026ldquo;Restore\u0026rdquo;:\nWe select the instance where to recover, in this case, the original one from where we obtained the backup, and we log in with the \u0026ldquo;oracle\u0026rdquo; user:\nSince we\u0026rsquo;re going to recover to the same instance, the requirement is always to have \u0026quot; At least an empty database with the same name and DBID must exist on the specified server\u0026quot; - the previous text is very important when you need to preserve the same database name. 
Then next and we\u0026rsquo;ll select the restore point that\u0026rsquo;s needed, in this case use the last available restore point.\nThen we select where the files are located:\nAnd finally, how many RMAN channels we\u0026rsquo;ll use for recovery. Remember that there\u0026rsquo;s a post on this blog where it explains in detail how RMAN channels work.\nAnd then just wait for the recovery:\nRecover the DB to the Same Original Instance | Different DB Name # We follow the same previous steps, but what changes here is the name of the instance we\u0026rsquo;re going to recover. In this case, we\u0026rsquo;ll use \u0026ldquo;TEXAS\u0026rdquo;, so when we reach the following screen, it\u0026rsquo;s possible to change the name:\nThen select which restore point to use for recovery, and indicate to generate a new DBID:\nAnd finally, specify or review the paths where the folders will be generated for the recovery with the new name:\nThen restore and view the restoration status:\nRecover the DB to Another Instance with the Original Name and DBID # For this option, you need to review the Oracle RMAN documentation to correctly understand how to recover the database with the same name and DBID from the backup. In fact, the following link indicates the procedure with RMAN to recover to another server or host:\nhttps://docs.oracle.com/en/database/oracle/oracle-database/21/bradv/rman-recovery-advanced.html#GUID-0EE8068A-5D2F-41FF-BDB9-DEEC8CBCCDB9 In summary, what the Oracle RMAN documentation indicates is that to restore the database with the same name, it\u0026rsquo;s always necessary to preserve the database DBID, use the backed-up control file with the AUTOBACKUP configuration that Veeam performs, and of course the SPFILE. 
Therefore, to make the destination server preparation easier and more accessible, I have the following script to execute on the server where you want to recover with Veeam Explorer for Oracle RMAN.\nhttps://github.com/mescobarcl/veor-restore\nWhen visiting the script link on GitHub, it has a readme with details of what the script does and the necessary requirements. The idea of the script is to make it possible to perform these types of recoveries easily without the need to be a DBA in case the company doesn\u0026rsquo;t have a DBA or the DBA isn\u0026rsquo;t available. Therefore, the requirements are:\nRun as oracle user Have the Oracle instance operational The Veeam Plugin for Oracle installed and configured from the Veeam console (Initial step) Then we begin by downloading the script and giving it execution permissions:\nWe execute it and enter the data that the script requests:\nAfter entering \u0026quot; y\u0026quot;, it will create the necessary folders, files, and password files, and then ask if we need to configure the Veeam plugin:\nThe configuration will request the authentication method, which can be by user or recovery token. In this case, we\u0026rsquo;ll use the second option and generate it from the Veeam Console:\nCopy the recovery token (valid for 24 hours) and paste it where the script requests it, and then it will ask us if we need to recover the Control File:\nThen it will ask us if we know the Veeam Backup ID or not. If we do it by default, the script will help us obtain the Backup ID\nNow it will ask us for the control file backup name. To obtain it is simple, there are two options: if you select \u0026ldquo;n\u0026rdquo; the script will search within the backup for the control file AUTOBACKUP. 
To avoid the search, it\u0026rsquo;s easier to go to the original instance and execute the following:\nLook for the backup name that begins with c-\nFinally, when you copy the control file backup name, you paste it into the script and the complete preparation will begin:\nAnd the instance is completely prepared to recover from Veeam Explorer with the same name and DBID. We validate that the instance is not running and go to Veeam Backup Server to perform the recovery with the Explorer:\nThe only difference we\u0026rsquo;ll make here is to change the server where we\u0026rsquo;ll recover:\nThe original server was oraclem1 and we\u0026rsquo;re going to recover the original database to server oraclem2 and we\u0026rsquo;ll see the successful recovery\nRecover the DB to Another Instance with Different Name and DBID # Just like in the section \u0026ldquo;Recover the DB to the Same Original Instance | Different DB Name\u0026rdquo;, you just need to follow the same steps but only change the destination server and the database name that you want to recover in the destination instance, and it will simply work.\nRelated posts # Veeam Oracle RMAN Plugin Best practices Veeam Oracle RMAN plugin Solution Veeam Oracle Permission Denied Veeam Agent Linux - Oracle Linux / Exadata ","date":"11 July 2025","externalUrl":null,"permalink":"/en/posts/veeam-explorer-oracle-rman/","section":"Blog","summary":"One of the frequent questions I’m always receiving is how to perform database recovery with Veeam Explorer for Oracle, which has different ways to accomplish this when using Veeam Oracle Plugin, commonly used in RAC installations as well as in installations where the Oracle database is standalone. 
In particular, this post is only for performing the Veeam Plugin installation from the Veeam Backup \u0026 Replication console, and we’ll also review the recovery options when performing backups through the RMAN Plugin.","title":"Veeam Explorer Oracle RMAN","type":"posts"},{"content":"","date":"July 11, 2025","externalUrl":null,"permalink":"/es/tags/veeam-explorer/","section":"Etiquetas","summary":"","title":"Veeam-Explorer","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/veeam-explorer-for-oracle/","section":"Tags","summary":"","title":"Veeam-Explorer-for-Oracle","type":"tags"},{"content":"","date":"11 July 2025","externalUrl":null,"permalink":"/en/tags/veeam-plugin/","section":"Tags","summary":"","title":"Veeam-Plugin","type":"tags"},{"content":"","date":"December 17, 2024","externalUrl":null,"permalink":"/es/tags/appliance/","section":"Etiquetas","summary":"","title":"Appliance","type":"tags"},{"content":"","date":"December 17, 2024","externalUrl":null,"permalink":"/es/tags/decoys/","section":"Etiquetas","summary":"","title":"Decoys","type":"tags"},{"content":"","date":"December 17, 2024","externalUrl":null,"permalink":"/es/tags/se%C3%B1uelos/","section":"Etiquetas","summary":"","title":"Señuelos","type":"tags"},{"content":" We are always looking for ways to better protect our data protection infrastructure. Recent investigations and evidence of ransomware attacks have revealed something key: attackers are focusing their efforts on compromising and destroying backup solutions. Why? Simple: without backups, organizations are more likely to pay the ransom. This is where Veeam Decoys comes in, an open source project I developed some time ago to help detect lateral movements (TA0008) and service discovery (TA0007) in your internal network.\nIntroduction # The reality is that detecting data protection solutions in a network is relatively simple. Services use specific ports and documentation is public. 
For an attacker who already has access with administrative credentials, it\u0026rsquo;s just a matter of time before finding and potentially compromising these critical systems.\nThis is why, in addition to following the 3-2-1-1-0 rule and implementing immutability in your backups, you need an additional layer of early detection.\nSimple but Effective Solution # Veeam Decoys creates \u0026ldquo;honeypots\u0026rdquo; that appear to be real Veeam services. It\u0026rsquo;s like putting motion sensors in your house, but in this case, it\u0026rsquo;s in your internal network. These decoys detect if someone or some software is:\nScanning your network looking for Veeam servers or services Attempting to connect to the Veeam console Trying to connect to backup repositories Testing credentials on remote administration services, RDP, SSH, Netbios Performing lateral movements in your infrastructure What\u0026rsquo;s it for? Simple - if an attacker is looking for Veeam services, this solution will detect network scans targeting Veeam services and send notifications through:\nSyslog, sending all logs to your SIEM Email notifications This way, you can know early on when attackers are already in your network, using Mitre tactics TA0007 and TA0008 to conduct the respective investigation or initiate the incident response plan.\nSimulated Services # Veeam Backup Server Veeam Hardened Repository Veeam Windows Repository Veeam Backup Enterprise Manager SSH Remote Desktop (RDP) Netbios Key Benefits # Minimal Resources 1 vCPU 2GB RAM 50GB storage Perfect for multiple deployments Flexible Implementation Deploy across multiple VLANs with a single instance Distributed architecture for greater coverage Disposable appliance – easy to replace Integration and Notification Send logs to SIEM via Syslog Email alerts Compatible with existing monitoring tools Simple and Distributed Architecture # Simple Architecture: Ideal for small and medium businesses:\nOne Veeam Decoy per critical VLAN 
Centralized SIEM integration Email monitoring Distributed Architecture: Perfect for large enterprises:\nHierarchical monitoring Multiple Decoys per location Strategically distributed honeypots Detailed information about each architecture can be found in the documentation.\nResults # Multiple tests quickly detected:\nAutomatic network scans that were previously unknown Connection attempts from unauthorized equipment Misconfigured inventory tools Suspicious lateral movements Login attempts on the Veeam Console Decoy Download and Installation # Virtual Appliance\nDownload: https://dl.24xsiempre.com/DecoyV1.ova Implementation time: ~15 minutes Manual Installation\nGitHub: https://github.com/VeeamHub/veeam-decoy Single command installation Documentation # English: https://dl.24xsiempre.com/Decoy_Manual_EN.pdf\nSpanish: https://dl.24xsiempre.com/Decoy_Manual_ES.pdf\nFrequently Asked Questions # Q: Does it impact my current infrastructure performance?\nA: No, the decoys are extremely lightweight and don\u0026rsquo;t interfere with production services.\nQ: Do I need to modify my existing infrastructure?\nA: No, Veeam Decoys operates independently.\nQ: What should I do if I detect suspicious activity?\nA: The tool allows you to initiate your incident response process early. And it should be treated as a priority.\nConclusion # In an environment where attacks are increasingly sophisticated, we need to be proactive in our defense. 
Veeam Decoys provides an additional security layer, giving you early visibility of potential threats to your backup infrastructure.\nRelated posts # Incident Response Plan with NIST 800-61, 800-53r5, Mitre ATT\u0026amp;CK and Veeam Veeam Hardened (Immutable) Repository JADI Scanner vScan Vulnerability Scanner 2.0 Chile Law 21.719: technical compliance manual with Veeam ","date":"17 December 2024","externalUrl":null,"permalink":"/en/posts/veeam-decoys-early-detection/","section":"Blog","summary":"We are always looking for ways to better protect our data protection infrastructure. Recent investigations and evidence of ransomware attacks have revealed something key: attackers are focusing their efforts on compromising and destroying backup solutions. Why? Simple: without backups, organizations are more likely to pay the ransom. This is where Veeam Decoys comes in, an open source project I developed some time ago to help detect lateral movements (TA0008) and service discovery (TA0007) in your internal network.","title":"Veeam Decoys - Early Detection","type":"posts"},{"content":"","date":"17 December 2024","externalUrl":null,"permalink":"/en/tags/veeam-decoys/","section":"Tags","summary":"","title":"Veeam-Decoys","type":"tags"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/tags/icewhale/","section":"Tags","summary":"","title":"Icewhale","type":"tags"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/categories/kubernetes-backup/","section":"Categories","summary":"","title":"Kubernetes Backup","type":"categories"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/tags/proxmox/","section":"Tags","summary":"","title":"Proxmox","type":"tags"},{"content":" According to the latest news from Veeam, where support for Proxmox Virtual Environment (VE) was announced and before the update was released, I started reviewing how to put together a small lab to install Proxmox on physical machines and avoid doing 
nested virtualization in vSphere. In this post we will see what servers I am using and how this solution works.\nServers # Searching for computers on the internet, I found some posts about the advantages of using certain Single Board Computers (SBC) to install hypervisors or operating systems to use as a server, so I ended up on the page https://www.zimaspace.com/ reviewing their products where I found the ZimaBlade which has in summary the following characteristics of ZimaBlade 7700:\nCPU: N3450 / J3455 / E3950 Quad Cores 1.1GHz / 1.5GHz / 1.6GHz base frequency 2.2 GHz / 2.3GHz / 2.0GHz Burst 2MB L2 cache RAM: 1x SODIMM Slot / Compatible with 16GB DDR3L Storage: eMMC 5.1 / 32 GB HDD: 2x SATA 6.0 Gb/s Ports LAN: 1x GbE LAN Port PCIe: 1x PCIe 2.0 x4 TDP: 6W/10W On the other hand, to improve performance and avoid changing the Proxmox VE installation parameters on an eMMC, I purchased 3 PCIe cards:\nM.2 NVME to PCIe 4.0/3.0 Proxmox VE # After installing proxmox on one of the servers, we can see very good performance, I configured the storage with my current storage via iSCSI and the performance is going very well!\nSo the only thing missing would be the release of Veeam for Proxmox 🙂\nRelated posts # Veeam Backup for Red Hat Virtualization Veeam Citrix Hypervisor / Xenserver Protecting Oracle KVM with Veeam Veeam Hardened (Immutable) Repository ","date":"21 June 2024","externalUrl":null,"permalink":"/en/posts/proxmox-lab-with-zimablade/","section":"Blog","summary":"According to the latest news from Veeam, where support for Proxmox Virtual Environment (VE) was announced and before the update was released, I started reviewing how to put together a small lab to install Proxmox on physical machines and avoid doing nested virtualization in vSphere. 
In this post we will see what servers I am using and how this solution works.","title":"Proxmox Lab with ZimaBlade","type":"posts"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/tags/proxmox-backup/","section":"Tags","summary":"","title":"Proxmox-Backup","type":"tags"},{"content":"","date":"June 21, 2024","externalUrl":null,"permalink":"/es/categories/respaldo-kubernetes/","section":"Categorías","summary":"","title":"Respaldo Kubernetes","type":"categories"},{"content":"","date":"June 21, 2024","externalUrl":null,"permalink":"/es/tags/respaldo-proxmox/","section":"Etiquetas","summary":"","title":"Respaldo-Proxmox","type":"tags"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/tags/veeam/","section":"Tags","summary":"","title":"Veeam","type":"tags"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/tags/zimablade/","section":"Tags","summary":"","title":"Zimablade","type":"tags"},{"content":"","date":"21 June 2024","externalUrl":null,"permalink":"/en/tags/zimaboard/","section":"Tags","summary":"","title":"Zimaboard","type":"tags"},{"content":"","date":"3 April 2024","externalUrl":null,"permalink":"/en/tags/cbt/","section":"Tags","summary":"","title":"Cbt","type":"tags"},{"content":"","date":"3 April 2024","externalUrl":null,"permalink":"/en/categories/cloud/","section":"Categories","summary":"","title":"Cloud","type":"categories"},{"content":"","date":"April 3, 2024","externalUrl":null,"permalink":"/es/categories/immutable/","section":"Categorías","summary":"","title":"Immutable","type":"categories"},{"content":"","date":"3 April 2024","externalUrl":null,"permalink":"/en/tags/kvm/","section":"Tags","summary":"","title":"Kvm","type":"tags"},{"content":"","date":"3 April 2024","externalUrl":null,"permalink":"/en/tags/oracle-kvm/","section":"Tags","summary":"","title":"Oracle-Kvm","type":"tags"},{"content":"","date":"3 April 
2024","externalUrl":null,"permalink":"/en/tags/ovirt/","section":"Tags","summary":"","title":"Ovirt","type":"tags"},{"content":" In this post we will review the configuration of Veeam Backup \u0026amp; Replication and its integration with Oracle KVM to protect virtual machines running on this platform. We will also see some important characteristics in relation to disks, the types of disks in KVM and how to create disks to obtain Changed Block Tracking in incremental backups.\nIntroduction # Recently Veeam has released support for a new hypervisor, in this case Oracle KVM, which is not very different from Red Hat Enterprise Virtualization; therefore, we will review the updated Veeam documentation for KVM or oVirt:\nhttps://helpcenter.veeam.com/docs/vbrhv/userguide/overview.html?ver=41 oVirt KVM Plugin Installation Veeam # We download it from our customer portal or directly from the Veeam website:\nhttps://www.veeam.com/kvm-backup-recovery.html?ad=homepage-workload-logo and unzip the file on the Veeam Backup \u0026amp; Replication server. 
Then run the installation; if the server does not meet the requirements, the following message will appear:\nJust click “OK” and it will install the prerequisites and go to the installation wizard:\nAdd Oracle KVM to Veeam Backup \u0026amp; Replication # Enter the Veeam Backup \u0026amp; Replication console, then in “Backup Infrastructure” right click on “Managed Servers” and then click on “Add Server”:\nAnd we select “Oracle Linux KVM”, then we will enter the IP address or FQDN of the administration server, Oracle Virtualization Manager:\nWe enter the credentials (it is important to add the profile, in this case @internal):\nWe accept and we will see that it was added successfully:\nWe finish and the wizard will ask us:\nWe select “Yes” and the proxy creation wizard will be executed:\nWe select the KVM cluster:\nWe enter a name and select the “Storage Domain”:\nThen “Next” and select the network where the proxy will be created:\nIt is possible to use DHCP or a fixed IP address; in my case I always use fixed:\nThen we select an existing user or create one to generate it as a local user in the proxy:\nAllow access to all repositories or just one in particular:\nAnd while waiting for the process to finish, we can observe the creation of the proxy in the Oracle KVM console:\nAnd we finish:\nVM Backup on Oracle KVM # Now we will create a backup job for virtual machines in Oracle KVM:\nAnd we will see the correct execution:\nPreviously we selected a VM that has incremental backup enabled in Oracle KVM; to validate that it is enabled, it is only necessary to review the disks created in the VM:\nBy default, when disks are created in the latest versions of oVirt KVM, “Enable Incremental Backup” is selected. If there are VMs that come from previous versions of oVirt and this option is not enabled, when performing the backup task Veeam Backup will show:\nRecovery # Data recovery is just like any other backup. 
Veeam Backup \u0026amp; Replication:\nRelated posts # Veeam Oracle RMAN Plugin Veeam Agent Linux - Oracle Linux / Exadata Veeam Oracle Weblogic Veeam Backup for Red Hat Virtualization ","date":"3 April 2024","externalUrl":null,"permalink":"/en/posts/protecting-oracle-kvm-with-veeam/","section":"Blog","summary":"In this post we will review the configuration of Veeam Backup \u0026 Replication and integration with Oracle KVM to protect virtual machines running on this platform. We will also see some important characteristics in relation to disks, types of disks in KVM and how to create disks to obtain Changed Block Tracking in incremental backups.","title":"Protecting Oracle KVM with Veeam","type":"posts"},{"content":"","date":"3 April 2024","externalUrl":null,"permalink":"/en/tags/qcow2/","section":"Tags","summary":"","title":"Qcow2","type":"tags"},{"content":"","date":"3 April 2024","externalUrl":null,"permalink":"/en/tags/qemu/","section":"Tags","summary":"","title":"Qemu","type":"tags"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/tags/aks/","section":"Tags","summary":"","title":"AKS","type":"tags"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/tags/azure-aks/","section":"Tags","summary":"","title":"Azure-Aks","type":"tags"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/tags/container-backup/","section":"Tags","summary":"","title":"Container-Backup","type":"tags"},{"content":" Continuing with the series of guides for the protection of applications on cloud services, Kubernetes in public clouds, now it\u0026rsquo;s Microsoft Azure\u0026rsquo;s turn Kubernetes Service or Azure AKS, where we will review step by step the installation, configuration and execution of backup policies with Kasten K10, integrating the console with K10 Multi-Cluster Manager for centralized management and protection of applications in AKS.\nFirst steps # We should always review the official documentation of 
Kasten, for the installation we must review the following links and of course never forget the execution of the \u0026ldquo;Pre-Flight Checks\u0026rdquo;:\nhttps://docs.kasten.io/latest/install/requirements.html https://docs.kasten.io/latest/install/azure/azure.html Now we will connect via “cli” to our AKS cluster from the console interface in the Azure portal or from the computer where you manage your Kubernetes clusters. In case you don\u0026rsquo;t have the kubeconfig file configured yet, just run the following command in the Azure shell:\n```bash\naz aks get-credentials -g 24xsiempre -n demoaks\n```\nWhere after \u0026#34;-g\u0026#34; you must enter the name of the associated \u0026#34;Resource Group\u0026#34; and after \u0026#34;-n\u0026#34; the name of the AKS cluster. With the previous command the “config” file will be created inside the “.kube” folder in the user\u0026#39;s home. To validate, you can list the AKS cluster nodes by running:\n```bash\nkubectl get nodes -o wide\n```\n## Install Kasten K10 on Azure AKS\nSince we are connected to the Azure AKS cluster, we will execute the pre-requisites command from the Kasten documentation; therefore we will first create the namespace “kasten-io” and then run the script:\n```bash\nhelm repo add kasten https://charts.kasten.io/\nkubectl create namespace kasten-io\ncurl https://docs.kasten.io/tools/k10_primer.sh | bash\n```\nIt is very important to record the messages delivered by the pre-check script, since it will indicate that a \u0026#34;VolumeSnapshotClass\u0026#34; is needed for the StorageClass that is being used by default in AKS, which we will review later. 
Before proceeding with the installation via \u0026#34;helm\u0026#34;, we must register an application in Azure to obtain the necessary variables; therefore, in the Azure portal, in the default directory, we will create a new application:\nThen we will create the key in \u0026#34;Certificates and Secrets\u0026#34;, assign the name and create it:\nAfter the creation of the application in Azure, we will take the following data:\n- azureTenantId\n- azureClientId\n- azureClientSecret\nYou will find the first two IDs in the \u0026#34;General Information\u0026#34; of the created application, and the third, the secret, you copy from the previous creation step, to build the following command:\n```bash\nhelm install k10 kasten/k10 --namespace=kasten-io \\\n  --set secrets.azureTenantId=9afedb96-a2f5-4e9c-a78a-123456789012 \\\n  --set secrets.azureClientId=849b0886-5fa1-4464-863d-123456789012 \\\n  --set secrets.azureClientSecret=REPLACE_WITH_YOUR_AZURE_CLIENT_SECRET \\\n  --set externalGateway.create=true \\\n  --set auth.tokenAuth.enabled=true\n```\nWith the above, we install Kasten K10 on Azure AKS including the creation of the “LoadBalancer” and token authentication, which we have reviewed on many occasions. 
To validate the correct operation of Kasten K10, you must execute the command:\n```bash\nkubectl get pods -n kasten-io\n```\nOnce all the pods are in \u0026#34;Running\u0026#34; state, we will proceed to check which is the IP address to access the web interface of Kasten K10 with the following command:\n```bash\nkubectl get svc -n kasten-io\n```\nSo the console access in this case is http://20.98.177.166/k10/ where we can authenticate via token:\nIf you still don\u0026#39;t know how to extract the token:\n```bash\nsa_secret=$(kubectl get serviceaccount k10-k10 -o jsonpath=\u0026#34;{.secrets[0].name}\u0026#34; --namespace kasten-io)\nkubectl get secret $sa_secret --namespace kasten-io -ojsonpath=\u0026#34;{.data.token}{\u0026#39;\\n\u0026#39;}\u0026#34; | base64 --decode\n```\n## Integration with K10 Multi Cluster Manager\nIf you haven\u0026#39;t installed K10 Multi-Cluster Manager yet, check:\n\u0026gt; [Install Kasten Multi Cluster Manager](/en/install-kasten-multi-cluster-manager/)\nIn this case, for Microsoft AKS we must copy the kubeconfig of the AKS cluster; within the Azure shell we will execute:\n```bash\ncat .kube/config\n```\nWe copy the kubeconfig and paste it in our K10 Multi-Cluster Manager after clicking “Add Cluster”:\nAn important fact: in this case it is not necessary to prepare the kubeconfig file with the k10multicluster executable, as other providers need; therefore, the configuration is direct: you enter the name of the cluster that will appear, the address of the \u0026#34;Ingress URL\u0026#34; and finally disable the TLS verification. 
In case you have TLS activated, just leave it by default and you will be able to see the AKS cluster in the Multi-Cluster console:\n## Azure Blob Storage\nNow we will configure a repository to host our backups in “Location Profiles”: enter the name, select “Azure Storage” and enter the credentials, location and container.\nWhen saving the \u0026#34;Profile\u0026#34; we will have our repository to host backups and it will be seen:\n## Azure Backup Policy AKS\nWe will create a basic backup policy by selecting “Snapshot” and using the previously created repository, to then execute the policy:\nWhen the policy runs and tries to take a snapshot of the persistent volume it is using, in this case MongoDB, it will display the following error:\n```text\n...\nFailed to run CSI prechecks for PVC\nFailed to get K10 VolumeSnapshotClass\n...\n```\nAnd this is where it is shown that it is very important to run the script that checks the \u0026#34;Pre-Flight Checks\u0026#34;, since when it is run for the first time it will indicate that the \u0026#34;VolumeSnapshotClass\u0026#34; does not exist, as we saw earlier. Therefore, we will proceed to create the VSC with the following command:\n```bash\ncat \u0026lt;\u0026lt;EOF | kubectl apply -f -\napiVersion: snapshot.storage.k8s.io/v1beta1\nkind: VolumeSnapshotClass\nmetadata:\n  annotations:\n    k10.kasten.io/is-snapshot-class: \u0026#34;true\u0026#34;\n  name: csi-azure-vsc\ndriver: disk.csi.azure.com\ndeletionPolicy: Delete\nparameters:\n  incremental: \u0026#34;true\u0026#34;\nEOF\n```\nAnd then we run the “Pre-Flight Checks” script again:\n```bash\ncurl https://docs.kasten.io/tools/k10_primer.sh | bash\n```\nAnd we will see the successful message of the correct configuration of this VSC with the default StorageClass. 
Then run the backup policy again and it will finish successfully:\nBackups in Azure Blob # For the backup, we can see the files generated by Kasten K10 in the Azure Blob container that we configured earlier in “Location Profiles”, by entering the Storage explorer of the Microsoft Azure portal:\nRecommendations # As always, security comes first, applying access only through trusted addresses as well as applying RBAC to access via Multi-Cluster Manager and of course if necessary applying permissions to service accounts with the minimum access for operation.\nRelated posts # How to install Kasten K10 on AWS EKS How to install Kasten K10 at Google GKE How to use Kasten K10 with Google Anthos How to Configure NFS Repository for Kasten K10 Configure Email Alerts in Kasten K10 Veeam + Kasten ","date":"18 March 2024","externalUrl":null,"permalink":"/en/posts/how-to-install-kasten-k10-on-azure-aks/","section":"Blog","summary":"Continuing with the series of guides for the protection of applications on cloud services, Kubernetes in public clouds, now it’s Microsoft Azure’s turn Kubernetes Service or Azure AKS, where we will review step by step the installation, configuration and execution of backup policies with Kasten K10, integrating the console with K10 Multi-Cluster Manager for centralized management and protection of applications in AKS.","title":"How to install Kasten K10 on Azure AKS","type":"posts"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/tags/kasten-k10/","section":"Tags","summary":"","title":"Kasten-K10","type":"tags"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/tags/kasten-multi-cluster/","section":"Tags","summary":"","title":"Kasten-Multi-Cluster","type":"tags"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/categories/kubernetes/","section":"Categories","summary":"","title":"Kubernetes","type":"categories"},{"content":"","date":"18 March 
2024","externalUrl":null,"permalink":"/en/tags/kubernetes-backup/","section":"Tags","summary":"","title":"Kubernetes-Backup","type":"tags"},{"content":"","date":"18 March 2024","externalUrl":null,"permalink":"/en/tags/microsoft-azure-kubernetes-service/","section":"Tags","summary":"","title":"Microsoft-Azure-Kubernetes-Service","type":"tags"},{"content":"","date":"January 31, 2024","externalUrl":null,"permalink":"/es/tags/controles-de-seguridad-nist-800-53r5/","section":"Etiquetas","summary":"","title":"Controles-De-Seguridad-Nist-800-53R5","type":"tags"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/disaster-recovery-with-veeam/","section":"Tags","summary":"","title":"Disaster-Recovery-With-Veeam","type":"tags"},{"content":"","date":"January 31, 2024","externalUrl":null,"permalink":"/es/tags/estrategias-de-seguridad-mitre-attampck/","section":"Etiquetas","summary":"","title":"Estrategias-De-Seguridad-Mitre-Att\u0026Amp;Ck","type":"tags"},{"content":" In today\u0026rsquo;s cybersecurity landscape, being prepared for incidents is as crucial as preventing them. NIST publications 800-61 and 800-53r5, along with the Mitre ATT\u0026amp;CK enterprise matrix, provide solid guidelines for creating an effective incident response plan. In this post, we will review the importance of these frameworks and how the Veeam Platform is a strategic ally in incident response.\nIntroduction # Nowadays, as computer threats evolve at an unprecedented pace, preparation and response capacity for security incidents become fundamental pillars for the protection of computer services. Implementing a robust and effective incident response plan is more than a preventive measure; it is a necessity to ensure the continuity and integrity of the business or organization. 
In this context, the guidelines established by NIST, through its publications 800-61 and 800-53r5, along with the Mitre ATT\u0026amp;CK Tactics, Techniques, and Procedures (TTP) Matrix, provide a robust framework for developing, implementing, and managing cybersecurity incident response.\nWe will delve into the importance of having a well-structured incident response plan, based on the principles and practices recommended by NIST 800-61, the incident response guide, and NIST 800-53r5, the catalog of security and privacy controls. Additionally, we will review how the Mitre ATT\u0026amp;CK framework can enrich this plan, providing detailed insight into the tactics and techniques employed by adversaries or attackers, allowing organizations to anticipate and more effectively mitigate attacks.\nIn this scenario, the Veeam platform emerges as a critical component, offering advanced tools for rapid data recovery and business continuity in the face of security incidents. The capacity of Veeam to provide fast and reliable recovery of data from immutable environments is presented as a robust countermeasure against various forms of threats, including ransomware, ensuring that the integrity and availability of critical data remain intact.\nThe Importance of an Incident Response Plan # Creating and maintaining an incident response plan, separate from or included in a DRP, is crucial in cybersecurity management. 
This plan not only helps organizations handle and recover from incidents, but also plays a vital role in preventing future security breaches.\nPrevention and Preparation: Pillars of Computer Security # Risk Mitigation: An effective response plan helps identify and address vulnerabilities before they are exploited.\nReducing the Impact of Incidents: By having a plan in place, organizations can act quickly to contain and mitigate the damage, thereby reducing the overall impact of the incident.\nRegulatory Compliance: Many regulations and industry standards require that organizations have an incident response plan, making its development and maintenance also a matter of legal compliance.\nKey Elements for an Effective Plan # Communication: Establish effective internal and external communication channels, including notifications to affected parties and regulatory authorities.\nTraining and Education of Staff: Regular training of staff in incident response procedures is essential to ensure a rapid and efficient response.\nDrills and Tests: Conducting incident simulation exercises helps identify areas for improvement and ensures the team is prepared to respond in a real-world scenario.\nAdaptability and Continuous Improvement # An incident response plan should not be static. 
Cyber threats are constantly evolving, and the plan must adapt to address new attack tactics and techniques.\nRegular Review and Update: It is essential to review and update the incident response plan regularly, especially after an actual incident or a significant change in the IT environment or threat landscape.\nIntegration of New Technologies and Strategies: The adoption of new technologies and strategies, such as artificial intelligence for threat detection or advanced solutions in backup and recovery, like Veeam, can significantly improve the effectiveness of the plan.\nNIST 800-61: Incident Response Guide # The NIST Special Publication 800-61, “Computer Security Incident Handling Guide”, is a key document in computer security management. It provides a detailed framework for establishing an effective response plan for cybersecurity incidents.\nPreparation # This phase is critical to establishing an effective incident response plan. It includes:\nCreation of an Incident Response Team (CSIRT): Formation of a specialized team with defined roles and responsibilities.\nPolicy and Procedure Development: Develop clear policies and procedures for incident management, including incident classification and response protocols.\nTools and Technologies Configuration: Implement and configure appropriate tools for incident detection and analysis, such as intrusion detection systems and incident management software.\nEducation: Train staff in security practices and incident response.\nDetection and Analysis # This stage focuses on identifying and analyzing possible incidents:\nMonitoring and Detection: Use monitoring tools to identify suspicious or anomalous activities that may indicate an incident.\nIncident Analysis: Determine the nature and scope of the incident. 
This includes identifying the type of incident, the systems affected, and the possible cause.\nPrioritization: Base the response on the criticality of the incident, its impact and urgency.\nContainment, Eradication and Recovery # In this phase, measures are taken to control and remedy the incident:\nContainment: Implement short- and long-term containment strategies to limit the scope of the incident.\nEradication: Remove the incident components, such as malware or unauthorized access.\nRecovery: Restore the systems to their normal state, using the Veeam Platform, and ensure that no security gaps remain.\nPost-Incident # After an incident, it is vital to carry out follow-up activities:\nPost-Incident Analysis: Review and analyze how the incident was handled to identify what was learned and improve response practices.\nReports and Documentation: Prepare detailed reports on the incident, including actions taken and recommendations to prevent future incidents.\nContinuous Improvement: Update response plans and security policies based on lessons learned.\nNIST 800-53r5: Security and Privacy Controls # The NIST 800-53, Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” is a comprehensive standard that provides a set of security and privacy controls to protect systems and organizations against a wide range of computer threats. Its relevance in creating an incident response plan is essential.\nFocus on Protection and Resilience # Security controls: NIST 800-53r5 establishes a series of security controls that cover areas such as information protection, identity and access, intrusion detection, and disaster recovery. 
These controls are designed to protect critical systems and data from cyber threats.\nPrivacy Controls: In addition to security controls, this standard also includes specific privacy controls to protect personal information and ensure compliance with laws and regulations of privacy.\nIT Resilience: NIST 800-53r5 put a particular emphasis on resilience, that is, the ability of an organization to anticipate, resist, recover and adapt to adverse events, including cyberattacks.\nAdaptation and Customization of Controls # Possibility to choose: NIST 800-53r5 allows organizations select and customize controls based on your risk assessment, legal and regulatory requirements, and specific business needs.\nRisk Based: This approach ensures that the controls implemented are proportional to the risks and threats facing the organization.\nIntegration with Incident Response Plans # Preventive and Reactive Controls: The controls established in NIST 800-53r5 not only serve to prevent incidents, but also play a crucial role in the response phase. For example, intrusion detection controls facilitate quick identification of incidents.\nRecovery Support: Controls related to disaster recovery and business continuity are essential to restore systems and services affected by an incident.\nContinuous Improvement and Regulatory Compliance # Compliance and Evaluation: NIST 800-53r5 is a valuable tool for evaluating organizational compliances regarding various regulations of computer security.\nContinuous Improvement: The implementation of these controls must be part of a continuous improvement process, where organizations regularly review and update their security and privacy controls to adapt to changing cyber threats.\nMitre ATT\u0026amp;CK: Understanding the Adversary # The matrix Mitre ATT\u0026amp;CK(Adversarial Tactics, Techniques, and Common Knowledge) is an essential tool for understanding the tactics and techniques used by cyber adversaries. 
This framework provides detailed information on the various ways attackers can penetrate, exploit, and compromise systems and networks.\nEach Mitre ATT\u0026amp;CK matrix is ​​divided into tactics, which are the objectives that adversaries seek to achieve, techniques, and subtechniques or procedures, which are the methods they use to achieve those objectives. For example, in the Enterprise matrix there are the following tactics:\nRecognition: The adversary attempts to gather information that can be used to plan future operations.\nResource Development: The adversary is trying to establish resources that it can use to support operations.\nInitial Access: How adversaries enter a system or network.\nExecution: Methods to execute malicious code.\nPerseverance: Techniques to maintain your presence in a compromised system.\nPrivilege Escalation: Strategies to gain greater privileges in a system.\nDefense Evasion: Techniques to avoid being detected.\nAccess Credentials: The adversary attempts to steal account names and passwords.\nDiscovery: The adversary is trying to figure out his surroundings.\nLateral movement: The adversary is trying to move through his environment.\nData Collection: The adversary tries to collect data of interest to its objective\nCommand and Control: The adversary attempts to communicate with the compromised systems to control them.\nData Exfiltration: Methods to steal data.\nImpact: The adversary attempts to manipulate, disrupt or destroy your systems and data.\nApplication in Incident Response # Understanding Mitre ATT\u0026amp;CK tactics and techniques is key to developing effective response and mitigation strategies:\nSimulations and Training: Use Mitre ATT\u0026amp;CK scenarios to conduct simulation exercises and train personnel in identifying and responding to specific threats.\nImprovement of Security Strategies: The organizations can use this information to improve their defenses, adapting their security tools and processes to address 
specific techniques used by attackers.\nForensic and Root Cause Analysis: In the event of an incident, knowledge of specific Mitre ATT\u0026amp;CK techniques can assist in forensic analysis and identification of the root cause of the attack.\nIntegration with Other Regulations and Frameworks # Supplement to NIST 800-61 and 800-53r5: While NIST provides the framework for developing a security and incident response program, Mitre ATT\u0026amp;CK offers detailed insight into the tactics and techniques adversaries may employ, thus enabling more targeted and effective preparation and response.\nVeeam Platform # The Veeam Platform is an integral solution in the incident response strategy, providing a key line of defense against cyber threats.\nData Protection and Recovery # Reliable Backup: Veeam offers robust backup systems solutions, ensuring that data is protected and can be recovered in the event of loss or corruption.\nFast recovery: The capacity of Veeam Quickly restoring systems and data is essential to minimize downtime after an incident, which is critical to business continuity.\nBackup Security # Immunity against Ransomware: Veeam provides features that help protect backups against ransomware, ensuring backup data remains intact and secure.\nData Isolation (Air-Gap): The capacity of Veeam Creating isolated backups (air-gapped) is vital to protect data against attacks that seek to corrupt or delete data backups.\nCompliance and Compliance # Compliance with Regulations: Veeam helps organizations to comply with various regulations data security by providing a secure and reliable data backup and recovery solution.\nAudits and Reports: Veeam facilitates the generation of reports and audits, allowing organizations document they data protection and incident response efforts.\nAutomation and Efficiency # Process automation: Veeam automates many aspects of backup and recovery, reducing the margin for human error and increasing efficiency in incident response.\nRecovery 
Orchestration: Recovery orchestration Veeam simplifies the process of restoring services and applications critical, following a predefined order to ensure consistent and efficient recovery.\nFlexibility and Scalability # Adaptability to Various Environments: Veeam supports a variety of IT environments, including cloud, virtual and physical environments, making it adaptable to the needs of different organizations.\nScalability: As the organizations grow, Veeam can scale to meet growing data protection and disaster recovery demands.\nRecommendations # As we conclude this discussion of the importance of an incident response plan based on NIST 800-61, NIST 800-53r5, and Mitre ATT\u0026amp;CK, and the importance of the Veeam, here we present some key recommendations for organizations looking to strengthen their computer security:\nImplement a Comprehensive Response Plan: Develop and maintain an incident response plan that incorporates NIST 800-61 and 800-53r5 guidelines. This plan must be comprehensive, including clear procedures for incident detection, analysis, containment, eradication and recovery.\nContinuous training: Invest in regular training of employees and stakeholders on cybersecurity practices. This includes becoming familiar with the tactics and techniques outlined in the Mitre ATT\u0026amp;CK framework.\nEvaluation and Continuous Improvement: Conduct audits and periodic reviews of the incident response plan to identify areas for improvement. Adapt to new threats and changes in the computer security landscape.\nIntegrate Advanced Backup and Recovery Solutions: Use Veeam Backup \u0026amp; Replication to ensure quick and effective recovery in the event of incidents. This is crucial to minimize downtime and data loss.\nIncident Drills: Conduct incident simulation exercises regularly to test and improve the effectiveness of the response plan. 
These exercises must reflect realistic scenarios based on Mitre ATT\u0026amp;CK tactics and techniques.\nCollaboration and Information Sharing: Encourage collaboration between internal teams and with other organizations. Sharing information on threats and best practices can help improve collective defense strategies.\nProactive Approach to Computer Security: Take a proactive, not just reactive, approach to cybersecurity. This includes staying up to date on the latest trends in cyber threats and security technologies.\nLegal and Compliance Response: Ensure the incident response plan is aligned with legal and compliance requirements. This is crucial to effectively manage the legal implications and reputational issues that may arise from a security incident.\nImplementing these recommendations, the organizations can significantly improve your ability to prevent, detect and respond to cybersecurity incidents, thereby ensuring the continued protection of your critical assets and business continuity in an increasingly challenging digital environment.\nRelated posts # Veeam Hardened (Immutable) Repository Chile Law 21.719: technical compliance manual with Veeam Veeam Decoys - Early Detection JADI Scanner vScan Vulnerability Scanner 2.0 Which Operating System is More Secure? 
","date":"31 January 2024","externalUrl":null,"permalink":"/en/posts/incident-response-plan/","section":"Blog","summary":"Incident response plan based on NIST 800-61, NIST 800-53r5 and MITRE ATT\u0026CK with Veeam for ransomware protection and resilience.","title":"Incident response plan with NIST and Veeam","type":"posts"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/incident-response-plan/","section":"Tags","summary":"","title":"Incident-Response-Plan","type":"tags"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/mitre-attampck-security-strategies/","section":"Tags","summary":"","title":"Mitre-Att\u0026Amp;Ck-Security-Strategies","type":"tags"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/nist-800-53r5-security-controls/","section":"Tags","summary":"","title":"Nist-800-53R5-Security-Controls","type":"tags"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/nist-800-61-incident-response/","section":"Tags","summary":"","title":"Nist-800-61-Incident-Response","type":"tags"},{"content":"","date":"January 31, 2024","externalUrl":null,"permalink":"/es/tags/nist-800-61-respuesta-a-incidentes/","section":"Etiquetas","summary":"","title":"Nist-800-61-Respuesta-a-Incidentes","type":"tags"},{"content":"","date":"January 31, 2024","externalUrl":null,"permalink":"/es/tags/plan-de-respuesta-ante-incidentes/","section":"Etiquetas","summary":"","title":"Plan-De-Respuesta-Ante-Incidentes","type":"tags"},{"content":"","date":"January 31, 2024","externalUrl":null,"permalink":"/es/tags/protecci%C3%B3n-contra-ransomware/","section":"Etiquetas","summary":"","title":"Protección-Contra-Ransomware","type":"tags"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/ransomware-protection/","section":"Tags","summary":"","title":"Ransomware-Protection","type":"tags"},{"content":"","date":"January 31, 
2024","externalUrl":null,"permalink":"/es/tags/recuperaci%C3%B3n-ante-desastres-con-veeam/","section":"Etiquetas","summary":"","title":"Recuperación-Ante-Desastres-Con-Veeam","type":"tags"},{"content":"","date":"January 31, 2024","externalUrl":null,"permalink":"/es/tags/resiliencia/","section":"Etiquetas","summary":"","title":"Resiliencia","type":"tags"},{"content":"","date":"31 January 2024","externalUrl":null,"permalink":"/en/tags/resiliency/","section":"Tags","summary":"","title":"Resiliency","type":"tags"},{"content":"","date":"November 3, 2023","externalUrl":null,"permalink":"/es/tags/actualizaciones/","section":"Etiquetas","summary":"","title":"Actualizaciones","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/drp/","section":"Tags","summary":"","title":"Drp","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/freebsd/","section":"Tags","summary":"","title":"Freebsd","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/openbsd/","section":"Tags","summary":"","title":"Openbsd","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/rbac/","section":"Tags","summary":"","title":"RBAC","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/secure/","section":"Tags","summary":"","title":"Secure","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/sistema-operativo/","section":"Tags","summary":"","title":"Sistema-Operativo","type":"tags"},{"content":"","date":"3 November 2023","externalUrl":null,"permalink":"/en/tags/updates/","section":"Tags","summary":"","title":"Updates","type":"tags"},{"content":" In this post, we will review the operating systems most used by 
organizations in IT environments, whether in the public cloud or local data centers, asking the typical question: which operating system is more secure? Microsoft Windows, Linux, OpenBSD, FreeBSD? Or, from another point of view, what protection measures will be applied to operating systems? Are a firewall and antivirus alone enough? Is it sufficient to disable the SSH service in Linux environments? Is it enough to not use root?\nIntroduction # Some time ago, and in recent VeeamON Tours of Latin America, I talked with clients and co-workers about the typical question: Which operating system is more secure? Some said Linux is always safer, others said Windows, and finally, others opted for OpenBSD (one of its objectives is to be the most secure OS) and FreeBSD. But does the operating system really matter, or is what matters the way it is deployed? And are operating systems actually protected? Always speaking from a security point of view.\nIn general, there is always talk of “hardening” operating systems, aiming for security by default, but is this “hardening” updated over time? People who claim that Linux is more secure, how often do they update their Linux servers once a vulnerability is found? In general, in Latam and according to my experience, there are very few organizations I know of that do keep their Linux or BSD servers up to date. Still, a not-so-small share prefers to remain exposed to any attack based on a Linux/BSD vulnerability or on an application that provides services. And not to mention the professionals who do not want to update Windows because they do not know if the solution they have installed will keep working, or because they have the idea that \u0026quot;they are not going to attack my company.\u0026quot;\nIs your Organization prepared to receive an Attack? 
# It is a tremendous question since it is not easy to answer, and in general, the answer is always No, since there can be many factors in organizations that do not allow IT areas to minimize the risk; for example, some of the most common problems I have seen:\nBudget\nOld or Legacy Applications\nLack of training\nLack of use of a Security Framework\nLack of Controls in IT Infrastructure\nCredential Reuse\nLack of use of RBAC or Role Based Access Control\nLack of documentation\nSo, with the previous examples, it becomes very complex to prepare for an attack; in fact, it is only necessary to do some type of OSINT to identify specific organizations with their respective published services (RDP, ILO, SQL, IDRAC, etc.) on the Internet without the necessary security.\nWhat Security Framework to use to minimize the Risk? # As additional information, since a separate post is necessary when talking about security frameworks, the first framework to use in your organization may be the Cyber Security Framework (CSF), either the currently published version 1.1 or the upcoming draft version 2.0, from the National Institute of Standards and Technology of the USA (NIST), where, according to version 2.0, there are 6 main functions:\nWith these functions, it is possible to implement the strategy necessary to minimize cybersecurity risk so that, in the event of an attack, you can react promptly. An excellent recommendation in conjunction with CSF is the use of the special publication SP 800-53r5 for the application of the necessary controls.\nCSF https://www.nist.gov/cyberframework\nSP 800-53r5 https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final\nWhat Operating System to choose for the Services to be Provided? 
# Returning to the main topic, Which Operating System is More Secure?, the first thing we must review is which service or services we are going to install or use on our server; then, depending on the organization or manufacturer\u0026rsquo;s requirements, check whether the solution can be implemented in the native cloud, hybrid, on-premises, Kubernetes or serverless, to find the best way to provide high availability.\nNow, regarding the decision of which operating system to work with, whether defined by the software that will run on the server or by organizational guidelines, the first thing we must review is whether we are going to expose services to the Internet, what type of services, and the authentication of internal or external users, in order to define the security solutions that will allow us to provide at least basic protection for the services delivered.\nAlready knowing the services to be provided, it is necessary to ALWAYS define what the protection of these services or of the operating system will be, of course with a correct data backup strategy that allows us to recover the data in different ways, so that in case of an attack we have multiple recovery options according to the business continuity needs.\nFinally, by reviewing the requirements of the software or platform to be installed on the server, a decision can be made that is favorable for the solution and directly related to the security policies of the organization or company.\nSo, Which Operating System is More Secure? 
# The answer is quite simple: the most secure operating system will always be the one that is correctly implemented from the point of view of comprehensive security and safe use, complying with security controls (for example 800-53r5), applying local security policies, monitoring, and using different network and local security systems. Therefore, it is not only about the operating system; it is about all the procedures, tools and security policies that accompany the management and use of the services.\nAll operating systems, including applications, have or will have security vulnerabilities, since there will always be people or organizations dedicated to finding some type of vulnerability, whether as a hobby, for malware creation, or as genuine research.\nTherefore, one of the best things to always consider is to review the capacity or frequency of security updates or features of the different manufacturers of operating systems and applications; for example, in the case of some solutions based on Kubernetes, the images used and the application itself are continually improved or updated to minimize the risk of any vulnerability.\nThat is why it is not an issue of the operating system type; for example, is Linux more secure than Windows? Is Windows more secure than Linux? Is macOS more secure than the previous ones? Is OpenBSD the most secure system? 
As we have seen, none is safer than the others, since it is only necessary to search the different vulnerability databases:\nhttps://www.cve.org/\nhttps://nvd.nist.gov/vuln/search\nhttps://packetstormsecurity.com/\nIn the previous links, you will find not only the vulnerabilities of the operating systems but also those of the applications that can run on servers or workstations.\nMonitoring and Protection # Every time a new server is created, whether virtual or physical, it SHOULD have an associated mechanism for monitoring the services and the behavior of the different resources the server will be using, and it is MANDATORY to have a patch update scheme and data protection, of course with Veeam :), since, as we saw previously when using a security framework, it is imperative to have the information on what the disaster recovery plans will be and the definition of RTO / RPO to meet the necessary times.\nWhy is Monitoring important? Beyond monitoring services, current monitoring systems, such as Veeam ONE, allow you to have information on the behavior of the virtual machines; that is, it is possible to identify consumption of IOPS or CPU that could be suspicious on a day that is not a monthly load, and with this information it will be possible to apply the corrective actions manually or automatically.\nFor example, for zero-day or 0-day vulnerabilities, it is of utmost importance to monitor the systems or services to know if these vulnerabilities are being exploited or if the server has started exhibiting abnormal behavior.\nUpdates # Yes or yes, maintain strict update policies, independent of the operating system used, since the first attack is to take advantage of existing vulnerabilities in operating systems, for example remote code execution (RCE), which has recently been exploited in versions of VMware hypervisors. 
On the other hand, in addition to keeping the operating systems updated, it is also of utmost importance to keep updated the dependencies and applications that will be providing services, such as Atlassian solutions, in which multiple critical vulnerabilities have been found lately.\nSecurity Application Technical Guides # One of the widely used practices is the application of DISA STIG or OpenSCAP guides, whether for operating systems or for the applications that will run on the servers. It is crucial to review these guides, since the recommendations can be implemented in full or you can select the ones that apply; for example, if you need to apply security controls for Microsoft Windows Server 2022 and Ubuntu 20.04, you only have to visit:\nhttps://public.cyber.mil/stigs/downloads/\nhttps://ncp.nist.gov/repository\nTo mention a few; there are more. Depending on the need, it will be possible to apply the necessary controls according to the needs or business of your organization.\nBad Security Practices in Operating Systems or Services # Some that I have seen repeatedly:\nUse Administrator or root to install applications\nUse the same access credentials for multiple users, e.g. administrator@vsphere.local\nDo not use or enable MFA\nNot having a strict password change and complexity policy\nNot having a backup and recovery testing policy\nDo not centralize logs or events of operating systems and applications\nSave passwords to an Excel/TXT file\nLittle or no documentation of systems or architectures\nUsing only Antivirus\nNo use of encryption\nBest Security Practices in Operating Systems or Services # Some that should be used:\nAlways use service accounts for applications\nSegment and apply RBAC to accounts by user\nDisable default or unused accounts\nEnable MFA where possible and save backup codes\n
Apply a password change policy\nBack up all data where possible and test recovery from time to time\nMonitor and save logs of all critical systems\nUse business password managers\nDocument all necessary architectures and processes\nUse security solutions in each of the operating systems\nEncrypt communications and backups\nRecommendations # The first mandatory rule is always to keep all operating systems and services installed on the server updated, in addition to the corresponding monitoring, either from the point of view of service availability or of audit logs, to identify behavior strange to the solution and apply corrective measures.\nOf course, install security solutions on the different operating systems (not just Windows) to obtain a complete vision and monitoring from a security point of view.\nAlways use the principle of least privilege and do not use weak authentication methods; if a service is not being used, disable it or simply uninstall it completely.\nAnd, of course, use the Veeam Platform to protect all the data in the organization, whether in your data center, public cloud, or workstations, validating recoverability in an automated way, analyzing and searching for malware in backups, and then automatically creating and documenting Disaster Recovery Plans (DRP) to recover the organization with clean and accessible data, without reinfection.\nRelated posts # Veeam Hardened (Immutable) Repository\nVeeam Immutable Repository with Red Hat Enterprise Linux\nIncident Response Plan with NIST 800-61, 800-53r5, Mitre ATT\u0026amp;CK and Veeam\nChile Law 21.719: technical compliance manual with Veeam ","date":"3 November 2023","externalUrl":null,"permalink":"/en/posts/which-operating-system-is-more-secure/","section":"Blog","summary":"In this post, we will review the operating systems most used by organizations in IT environments, whether in the public cloud or local data centers, asking the typical question, which operating system is 
more secure? Microsoft Windows, Linux, OpenBSD, FreeBSD? Or, from another point of view, what are the protection measures that will be applied to operating systems? Is only Firewall and Antivirus enough? Is it sufficient to disable the SSH service in Linux environments? Is it enough to not use root?","title":"Which Operating System is More Secure?","type":"posts"},{"content":"","date":"25 April 2023","externalUrl":null,"permalink":"/en/tags/active-directory-kasten/","section":"Tags","summary":"","title":"Active-Directory-Kasten","type":"tags"},{"content":" In this post, we will review how to configure Kasten K10 installed via Operator for Red Hat Openshift to integrate the Authentikation of Microsoft Active Directory to access the console of K10 with Dex.\nDocumentation # As always, we must visit the official documentation of the solutions that we will use for this post:\nKasten K10 https://docs.kasten.io/latest/install/openshift/operator.html Kasten Auth https://docs.kasten.io/latest/access/Authentikation.html Red Hat OpenShift https://docs.openshift.com/ Included in Kasten, Dex https://dexidp.io/docs/ One of the integrations most used in business environments for Authentikation and centralized access is Microsoft Active Directory, with different solutions. In this case, we will review the access to the console Kasten K10 installed from the Operator with its respective “ro\nWhen installing from the operator, changes must be made to the yaml configuration file, which can be accessed from the OpenShift console:\nActive Directory Authentication Configuration # Using user groups to manage access to different platforms is always good. In this case, we will also use user groups. 
The first thing to create is a User Group in Active Directory with a name related to the Cluster Roles of Kasten K10:\nWe will add the users who need access to Kasten K10, and we will proceed to generate the Cluster Role Binding and Role Binding necessary for Kasten K10 so that users belonging to the group “k10admins”. The first ClusterRoleBinding required is the following:\nkubectl create clusterrolebinding k10-ad-oc --clusterrole=k10-admin --group=k10admins ```bash The following RoleBinding is performed on the namespace of \u0026#34;kasten-io” with the role of k10-ns-admin: ```bash kubectl create rolebinding k10-ad-ns --role=k10-ns-admin \\ --namespace=kasten-io \\ --group=k10admins ```bash With these requirements created, we will proceed to configure Kasten K10. ## Configuration Kasten K10 and Microsoft Active Directory We have to enter the configuration of the Red Hat Operator OpenShift and then, in the instance of K10 installed to access the yaml file: Here it will be very important that we are careful when modifying this file, since, if any of the configuration or conditions are not met, OpenShift, it will re-apply the previously working yaml file and the changes will not be reflected. 
Inside the yaml file, there is an “auth” variable with its respective settings, it must be added after the last configuration or replace the entire block with: ```bash ldap: enabled: true bindPW: \u0026#39;SuperDuperPassword\u0026#39; usernameClaim: email groupSearch: baseDN: \u0026#39;DC=24xsiempre,DC=cl\u0026#39; filter: (objectClass=group) nameAttr: cn userMatchers: - groupAttr: member userAttr: distinguishedName bindDN: \u0026#39;CN=administrator,CN=Users,DC=24xsiempre,DC=cl\u0026#39; host: \u0026#39;ad.24xsiempre.cl:389\u0026#39; usernamePrefix: \u0026#39;-\u0026#39; insecureNoSSL: true groupnameClaim: groups userSearch: baseDN: \u0026#39;DC=24xsiempre,DC=cl\u0026#39; emailAttr: userPrincipalName filter: (objectClass=user) idAttr: sAMAccountName nameAttr: givenName username: sAMAccountName restartPod: false insecureSkipVerifySSL: true startTLS: false usernamePrompt: Email Address secretName: \u0026#39;\u0026#39; dashboardURL: \u0026#39;http://k10-route-kasten-io.apps.oc.24xsiempre.cl/k10/\u0026#39; groupnamePrefix: \u0026#39;-\u0026#39; tokenAuth: enabled: false ```bash As seen in the previous data, it is necessary to change the following variables with the data of your environment: - bindPW \\| Password to Authenticate in AD or use secret - baseDN \\| Domain of your environment DC=24xsiempre,DC=cl - bindDN \\| User that will Authenticate in AD as service CN=administrator,CN=Users,DC=24xsiempre,DC=cl - host \\| DNS or AD server IP - baseDN \\| Domain of your environment DC=24xsiempre,DC=cl - dashboardURL \\| The route generated in OpenShift http://k10-route-kasten-io.apps.oc.24xsiempre.cl/k10/ Then make sure to click on \u0026#34;Save\u0026#34; to validate the configuration. 
There are two ways here: do a rollout restart, or remove all the pods from Kasten and wait until they are all in \"Running\" again. To eliminate all the pods from kasten-io and let them regenerate:\n```bash\nkubectl delete pods --all -n kasten-io\n```\nAfter that, access the OpenShift \"route\" created and validate authentication.\n## Log Review\nIn case of any problem with authentication to Microsoft Active Directory, it is essential to review the \"Dex\" logs, since Dex is the interface connected to Active Directory, and look for the users associated with the groups that will be authenticated in the Kasten K10 console. To view the logs from the OpenShift console, enter \"Workloads\", \"Pods\", within the project or namespace \"kasten-io\", and select the pod \"auth-svc-\". Then click on \"Logs\" and finally, next to \"Log Streaming\", select \"dex\".\n## Search Attributes in Active Directory\nIf errors appear where dex or authentication indicates that it cannot find the users or groups, it is necessary to validate the search for the attributes in the domain.
One of the most used tools in Linux is \"ldapsearch\". For example, on Ubuntu 22.04.2 it is installed as follows:\n```bash\nsudo apt-get install ldap-utils\n```\nThen use the ldapsearch commands to correctly search for the users and groups that need to be configured under the \"baseDN\" path; for example, with the following command we will validate the attribute \"userPrincipalName\":\n```bash\nldapsearch -H 'ldap://20.20.20.20' -D 'veeam@24xsiempre.cl' -W -b 'DC=24xsiempre,DC=cl' 'SamAccountName=veeam'\n```\n## Using Secret to Authenticate with Active Directory\nIn environments where it is not allowed to use the password directly in the yaml, it is possible to configure the password with a secret, where the command to create the secret is the following:\n```bash\nkubectl create secret generic k10-ad-secret-prod --from-literal=bindPW=SuperDuperPassword -n kasten-io\n```\nWith the password of the user that authenticates in Active Directory now stored in a secret, we only need to configure the yaml of the K10 instance created in the Kasten Operator at Red Hat OpenShift:\n```yaml\nldap:\n  enabled: true\n  usernameClaim: email\n  groupSearch:\n    baseDN: 'DC=24xsiempre,DC=cl'\n    filter: (objectClass=group)\n    nameAttr: cn\n    userMatchers:\n    - groupAttr: member\n      userAttr: distinguishedName\n  bindDN: 'CN=administrator,CN=Users,DC=24xsiempre,DC=cl'\n  host: 'ad.24xsiempre.cl:389'\n  usernamePrefix: '-'\n  insecureNoSSL: true\n  groupnameClaim: groups\n  userSearch:\n    baseDN: 'DC=24xsiempre,DC=cl'\n    emailAttr: userPrincipalName\n    filter: (objectClass=user)\n    idAttr: sAMAccountName\n    nameAttr: givenName\n    username: sAMAccountName\n  restartPod: false\n  insecureSkipVerifySSL: true\n  startTLS: false\n  usernamePrompt: Email Address\n  secretName: ''\n  dashboardURL: 'http://k10-route-kasten-io.apps.oc.24xsiempre.cl/k10/'\n  groupnamePrefix: '-'\n  bindPWSecretName: k10-ad-secret-prod\ntokenAuth:\n  enabled: false\n```\nIn the previous configuration, note the variable:\n- bindPWSecretName\nIt holds the name of the secret that contains the password of the user that authenticates, so it must match the secret created above (k10-ad-secret-prod). Now all that remains is to wait for the pods to restart, or delete all the pods with the command:\n```bash\nkubectl delete pods --all -n kasten-io\n```\nAnd it will be possible again to authenticate with Active Directory and Kasten K10.\nRelated posts # Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 Kasten K10 Authentik Red Hat OpenShift in vSphere with Kasten How to Install vSphere CSI Driver on RedHat OpenShift 4.x ","date":"25 April 2023","externalUrl":null,"permalink":"/en/posts/how-to-integrate-active-directory-with-kasten-k10-and-openshift/","section":"Blog","summary":"In this post, we will review how to configure Kasten K10 installed via Operator for Red Hat Openshift to integrate the Authentication of Microsoft Active Directory to access the console of K10 with Dex.","title":"How to Integrate Active Directory with Kasten K10 and OpenShift","type":"posts"},{"content":"","date":"25 April 2023","externalUrl":null,"permalink":"/en/tags/openshift/","section":"Tags","summary":"","title":"OpenShift","type":"tags"},{"content":"","date":"25 April 2023","externalUrl":null,"permalink":"/en/tags/openshift-active-directory/","section":"Tags","summary":"","title":"Openshift-Active-Directory","type":"tags"},{"content":"","date":"April 25, 2023","externalUrl":null,"permalink":"/es/tags/respaldo-contenedores/","section":"Etiquetas","summary":"","title":"Respaldo-Contenedores","type":"tags"},{"content":"","date":"April 25, 
2023","externalUrl":null,"permalink":"/es/tags/respaldo-kubernetes/","section":"Etiquetas","summary":"","title":"Respaldo-Kubernetes","type":"tags"},{"content":"","date":"April 25, 2023","externalUrl":null,"permalink":"/es/categories/vsphere-csi/","section":"Categorías","summary":"","title":"Vsphere-Csi","type":"categories"},{"content":"","date":"April 18, 2023","externalUrl":null,"permalink":"/es/categories/aks/","section":"Categorías","summary":"","title":"Aks","type":"categories"},{"content":"","date":"18 April 2023","externalUrl":null,"permalink":"/en/tags/google-anthos/","section":"Tags","summary":"","title":"Google-Anthos","type":"tags"},{"content":"","date":"18 April 2023","externalUrl":null,"permalink":"/en/tags/google-anthos-vmware/","section":"Tags","summary":"","title":"Google-Anthos-Vmware","type":"tags"},{"content":" One of the architectures used by many clients with hybrid infrastructure is Google Anthos, a technology that allows deploying Kubernetes clusters in different environments using Google Kubernetes Engine (GKE), as well as adding other Kubernetes distributions from different providers or public clouds to Google Anthos. In this post, we will review the Anthos architecture and where to install Kasten K10 to protect applications.\nGoogle Anthos Documentation # As always, we will review the official documentation of the platforms or solutions covered in this post, in this case Google Anthos, Google Kubernetes Engine, and of course Kasten K10 to protect applications.\nGoogle Anthos: https://cloud.google.com/anthos/docs/concepts/overview\nKasten K10: https://docs.kasten.io/latest/index.html\nWhen reading the documentation, we can see that Google Anthos allows us to manage multiple Kubernetes clusters, whether EKS, AKS, bare metal, VMware, among others. 
In addition, it offers other features such as security validation, application of configuration policies across multiple clusters, service mesh, among others.\nFor this post, we will review where to install Kasten K10 and how to manage the protection of multiple applications in Kubernetes clusters managed by Google Anthos.\nGoogle Cloud Anthos Backup # Before installing Kasten K10 to protect our applications in the different Kubernetes distributions managed by Google Anthos, we must pay attention to the documentation on node protection offered by Google Anthos, particularly in the following links:\nhttps://cloud.google.com/anthos/clusters/docs/on-prem/latest/how-to/back-up-admin-cluster\nhttps://cloud.google.com/anthos/clusters/docs/on-prem/latest/how-to/back-up-user-cluster\nAs the official documentation indicates, there is no protection for the applications, persistent volumes and other resources that run in the Kubernetes clusters managed by Google Anthos. The only thing you can protect from Anthos is the etcd state, via snapshots of the admin (management) clusters and user clusters; the new features mentioned in the documentation, still in BETA, to back up admin clusters via gkectl have additional limitations, for example, it is not possible to keep more than 6 etcd backups.\nGiven these limitations, and the fact that they do not cover the applications running on the different Kubernetes clusters managed by Anthos, it is necessary to use Kasten K10 to protect applications running on the different Kubernetes distributions, enabling backup, recovery, migration and disaster recovery of applications in Kubernetes.\nArchitecture Kasten K10 with Google Anthos # One of the great virtues of Kasten K10 is that it can protect the applications of any supported Kubernetes cluster, covering backup, recovery, migration, and disaster recovery of applications between different Kubernetes distributions. 
This allows centralized management of the protection and contributes this data management to the Google Anthos architecture.\nAs can be seen in the image above, the architecture with Kasten K10 is very simple: you just have to install K10 in each of the Kubernetes clusters managed by Google Anthos and then designate or use a management cluster for centralized management through Kasten K10 Multi-Cluster Manager.\nResources used by Google Anthos on VMware # For this post, the configuration of Google Anthos and the deployment of clusters on VMware were carried out to validate the configurations and versions of Kubernetes. In this case, the following were deployed:\n- 1 VM: Admin Workstation (gcloud CLI and resource management)\n- 3 VMs: 1 Control Plane and 2 Worker Nodes for the Admin Cluster\n- 6 VMs: 3 Control Plane and 3 Worker Nodes for the User Cluster (k10anthos)\nRemember that when a Kubernetes cluster is deployed from Google Anthos, the configuration applied, for example on VMware, follows good practices, that is, it will use the vSphere CSI driver. 
Of course it is always possible to configure the cluster to use the necessary drivers.\nResources from Google Cloud Console # This Anthos configuration can be done from the command line as well as from the Google Cloud graphical console; as seen in the previous image, Google Cloud authenticates itself to the Kubernetes clusters deployed in the VMware cluster to monitor and apply security configurations, administration policies, service mesh, or whatever the administrator wishes to activate for the correct execution of their applications.\nIn fact, it is possible to review all the resources used and make changes directly from the Google Cloud console, both when reviewing the workloads and when editing the CPU or RAM allocation of the nodes managed by Google Anthos.\nClusters of Kubernetes # If we review the clusters created using kubectl, we can see the two clusters, Admin and User, with their respective nodes.\nHow to install Kasten K10 in these clusters? 
It is very simple: it is installed as if it were just another Kubernetes cluster; in fact, these clusters are based on GKE. For the installation, you can check the following posts of this blog:\nVeeam + Kasten\nInstall Kasten Multi Cluster Manager\nKasten K10 Multi-Cluster Dashboard # Of course, since Google Anthos manages multiple Kubernetes distributions centrally, application protection also needs to be managed centrally, which is why it is necessary to enable K10 Multi-Cluster Manager for the management of resources, policies, and disaster recovery flows between the different Kubernetes distributions.\nFinally, it is always necessary to use Kasten K10 in all Kubernetes implementations, regardless of the Kubernetes distribution, since in multiple cases limitations are observed in relation to the protection of business applications, including disaster recovery.\nRelated posts # How to install Kasten K10 at Google GKE How to install Kasten K10 on AWS EKS How to install Kasten K10 on Azure AKS How to Configure NFS Repository for Kasten K10 Kasten K10 Multi-Cluster ","date":"18 April 2023","externalUrl":null,"permalink":"/en/posts/how-to-use-kasten-k10-with-google-anthos/","section":"Blog","summary":"One of the architectures that are used in multiple clients with hybrid infrastructure is Google Anthos, a beautiful technology that allows to deploy clusters of Kubernetes in different environments using Google settings Kubernetes Engine, GKE, as well as adding other distributions to Google Anthos from different providers or public clouds. 
In this post, we will review the Anthos architecture and where to install Kasten K10 to protect applications.","title":"How to use Kasten K10 with Google Anthos","type":"posts"},{"content":"","date":"18 April 2023","externalUrl":null,"permalink":"/en/tags/kasten-anthos/","section":"Tags","summary":"","title":"Kasten-Anthos","type":"tags"},{"content":"","date":"18 April 2023","externalUrl":null,"permalink":"/en/categories/tanzu/","section":"Categories","summary":"","title":"Tanzu","type":"categories"},{"content":"","date":"23 January 2023","externalUrl":null,"permalink":"/en/tags/backups/","section":"Tags","summary":"","title":"Backups","type":"tags"},{"content":"","date":"23 January 2023","externalUrl":null,"permalink":"/en/tags/como-configurar-nfs-kasten/","section":"Tags","summary":"","title":"Como-Configurar-Nfs-Kasten","type":"tags"},{"content":" One of the options that many companies use to host their backups is NFS. In this guide, we will review how to configure an NFS Profile to be used by Kasten K10, in accordance with the good practices indicated in the Kasten documentation.\nDocumentation # First of all, we must always review the documentation of the technologies we will use to achieve our objective; in this case we will use Kasten K10 and the NFS Subdir External Provisioner. The official information can be found at:\nKasten K10 https://docs.kasten.io/latest/index.html\nNFS https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner\nRequirements # To use NFS as a profile in Kasten K10, as the documentation indicates, we will need to comply with the following:\n- NFS service accessible from all nodes where K10 is installed\n- A shared folder via NFS, which can be mounted on all nodes where K10 is installed\n- A PV defining the NFS shared folder\n- A PVC with its respective StorageClassName for K10\nComplying with the previous requirements, we will have our NFS profile correctly configured to host our backups.\nNFS Folder Configuration # 
Like any NFS server, it is necessary to create a folder or use an existing one to host the backups, always with its respective access configuration, either by authentication or by allowing access per host in NFS; for example, in my QNAP I have configured the following:\nAfter having this configured, we will move on to the installation and configuration of the NFS Subdir External Provisioner.\nInstalling NFS Subdir External Provisioner # Again, according to the solution documentation, the first thing we must do is configure the helm repository, so we must execute the following command:\n```bash\nhelm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/\n```\nThen configure it with helm and the respective information of the NFS server to use. Validate the installation with:\n```bash\nkubectl get pods\n```\n## Storage Class Configuration\nTo meet the requirements of Kasten K10, we must have a StorageClass; in fact, when installing and configuring with helm, the StorageClass is created automatically:\n```bash\nkubectl get sc\n```\n## Creating Persistent Disk using NFS\nNow that we have everything, we must test the creation of a PVC using our new StorageClass. For this we will apply the following (modify size and name if necessary):\n```yaml\nkind: PersistentVolumeClaim\napiVersion: v1\nmetadata:\n  name: prueba-disco-nfs\nspec:\n  storageClassName: nfs-client\n  accessModes:\n  - ReadWriteMany\n  resources:\n    requests:\n      storage: 100Gi\n```\nValidate the configuration in Kubernetes and also in our NFS shared folder. We will now delete this disk to prepare the disk needed for Kasten K10:\n```bash\nkubectl delete pvc prueba-disco-nfs\n```\nNow we will create the disk needed by Kasten K10 in its own namespace, with the following file:\n```yaml\nkind: PersistentVolumeClaim\napiVersion: v1\nmetadata:\n  name: repo-nfs-respaldos\n  namespace: kasten-io\nspec:\n  storageClassName: nfs-client\n  accessModes:\n  - ReadWriteMany\n  resources:\n    requests:\n      storage: 100Gi\n```\n
If we list the PVCs without a namespace, we will see that none exist:\n```bash\nkubectl get pvc\n```\nNow, if we list the PVCs in the namespace kasten-io, we will see our new disk:\n```bash\nkubectl get pvc -n kasten-io\n```\nNFS profile configuration Kasten K10 # Now, we will enter the Kasten K10 console in the cluster where we configured our NFS, entering the name of the PVC:\nWe validate the configuration:\nWe will now test a backup to this new NFS profile.\nTest Run Backup to NFS # For this, we just need to create a backup policy using our new profile:\nThen we execute it and wait for completion:\nWe validate the backup in our NFS:\nAnd finally a recovery test in another namespace, in this case nfspacman:\nIn the Kasten K10 dashboard we will see:\nAnd in Kubernetes:\nAnd finally the pacman application working as expected:\nRelated posts # How to install Kasten K10 on AWS EKS How to install Kasten K10 on Azure AKS How to install Kasten K10 at Google GKE How to use Kasten K10 with Google Anthos Upgrading Kasten k10 Configure Email Alerts in Kasten K10 ","date":"23 January 2023","externalUrl":null,"permalink":"/en/posts/how-to-configure-nfs-repository-for-kasten-k10/","section":"Blog","summary":"One of the options that many companies use to host their backups is NFS, in this guide, we will review how to configure an NFS Profile to be used by Kasten K10, in accordance with the good practices that are indicated in the documentation of Kasten.","title":"How to Configure NFS Repository for Kasten K10","type":"posts"},{"content":"","date":"23 January 2023","externalUrl":null,"permalink":"/en/tags/kasten/","section":"Tags","summary":"","title":"Kasten","type":"tags"},{"content":"","date":"23 January 2023","externalUrl":null,"permalink":"/en/tags/nfs/","section":"Tags","summary":"","title":"NFS","type":"tags"},{"content":"","date":"23 January 
2023","externalUrl":null,"permalink":"/en/tags/nfs-profile-k10/","section":"Tags","summary":"","title":"Nfs-Profile-K10","type":"tags"},{"content":"","date":"23 January 2023","externalUrl":null,"permalink":"/en/tags/nfs-profile-kasten/","section":"Tags","summary":"","title":"Nfs-Profile-Kasten","type":"tags"},{"content":"","date":"23 January 2023","externalUrl":null,"permalink":"/en/tags/repositorio-nfs/","section":"Tags","summary":"","title":"Repositorio-Nfs","type":"tags"},{"content":"","date":"January 23, 2023","externalUrl":null,"permalink":"/es/tags/respaldos/","section":"Etiquetas","summary":"","title":"Respaldos","type":"tags"},{"content":"","date":"October 17, 2022","externalUrl":null,"permalink":"/es/categories/authentik/","section":"Categorías","summary":"","title":"Authentik","type":"categories"},{"content":"","date":"17 October 2022","externalUrl":null,"permalink":"/en/tags/authentik-kasten/","section":"Tags","summary":"","title":"Authentik-Kasten","type":"tags"},{"content":"","date":"17 October 2022","externalUrl":null,"permalink":"/en/tags/k10-openid/","section":"Tags","summary":"","title":"K10-Openid","type":"tags"},{"content":" One of the most used features of Kasten K10 is the integration with centralized authentication and identity systems, through different protocols, for managing access to the different Kubernetes clusters using RBAC in K10 and/or for access to K10 Multi-Cluster in environments with multiple Kubernetes clusters. 
In this post, we will review the easy setup of Authentik and its integration with Kasten K10.\nInitial Steps # In this guide we will see how easy it is to configure Authentik with Kasten K10, using the default variables of the Kasten K10 installation for the groups used in role-based access management.\nAs usual, we will review the official documentation of the resources that we will use.\nAuthentik https://goauthentik.io/\nKasten K10 https://docs.kasten.io/latest/\nRBAC Kasten K10 https://docs.kasten.io/latest/access/rbac.html\nRBAC Kasten K10 Multi-Cluster Manager https://docs.kasten.io/latest/multicluster/rbac.html\nAuthentik # What is Authentik? As we have already seen in this blog, there are multiple open source solutions for identity management, roles, integration with Kubernetes and/or single sign-on (SSO); for example, we have previously reviewed Keycloak. In this post we will review Authentik, another platform widely used in different companies for managing single sign-on, as well as protecting access to applications by authentication via different protocols or through a proxy.\nKasten K10 supports multiple authentication protocols; we will use OpenID, which allows Authentik and Kasten K10 to easily authenticate with each other for centralized user management. 
Authentik installation is very simple and has different installation methods; in my case, I installed it on Kubernetes with helm. You can check the options at:\nhttps://goauthentik.io/docs/installation\nConfiguration Requirements Authentik # After installation, Authentik asks to create the credentials of the initial user \"akadmin\"; after logging in to Authentik, we enter the \"Administrator Interface\":\nNow we will enter from the menu in \"Customisation\", \"Property Mappings\" and finally click on \"Create\":\nAt this stage we will select \"Scope Mapping\", click on \"Next\" and add the scope \"groups\" and the expression as shown in the following image:\n```python\nreturn {\n    \"groups\": [group.name for group in request.user.ak_groups.all()],\n}\n```\nWith the previous configuration, we will be able to map the Kasten K10 groups to assign access to the K10 console, that is, we will be able to create users in Authentik, create and assign K10 groups to the users created, and access. We will validate that it works correctly by clicking the test icon, selecting a user and pressing \"Test\". If it returns the groups the user belongs to, the \"Scope\" is working correctly. If the user does not have any group assigned, it will not show anything, so we will now proceed to create the first administration group for Kasten K10 in Authentik.\n## Creation of Users and Groups in Authentik\nTo integrate Authentik with Kasten K10, we of course need to create users and groups related to K10. In this case, we will start by creating the group \"k10:admins\", which grants administrator access to the K10 console or Multi-Cluster Manager. We enter \"Directory\", then \"Groups\" and click on \"Create\": Enter the name of the group \"k10:admins\" and click \"Create\": Now we will create a user and, in the same creation, add it to the group we just created. 
Therefore, we now enter \"Directory\" and then \"Users\", enter the \"Username\", \"Name\" and \"Email\", and by clicking on \"+\" we add it to the group we created previously. Next, we select the newly created user, click on \"Set Password\" and enter the desired password:\n## OpenID creation in Authentik\nNow, so that Authentik can be integrated with Kasten K10, we need to enable and configure the OpenID protocol: we enter \"Applications\", then \"Providers\" and click on \"Create\". At this stage we must select \"OAuth2/OpenID Provider\" and click \"Next\" to move on to the most important stage; now we enter the name and leave the default \"Authorization Flow\": Now in \"Protocol Settings\", where:\n- **Client Type:** Confidential\n- **Client ID:** Automatically generated (**copy to a notepad**)\n- **Client Secret:** Automatically generated (**copy to a notepad**)\n- **Redirect URIs/Origins:** https://kast24xsiempre.com/en/k10/auth-svc/v0/oidc/redirect\n- **Signing Key:** Authentik self-signed\nThen in \"Advanced protocol Settings\", make sure that the scope \"groups\" is selected: And finally click on \"Finish\". 
## Creation of Application in Authentik\nFor Authentik to provide the service, an application is generated: enter \"Applications\" and again \"Applications\", click on \"Create\", enter the \"Name\" and the \"Slug\", and in \"Provider\" select the OpenID provider we created above, finishing by clicking \"Create\".\n## Setting Kasten K10\nAs we saw earlier in the documentation, [https://docs.kasten.io/latest/access/rbac.html#k10-admin-binding](https://docs.kasten.io/latest/access/rbac.html#k10-admin-binding), we know we have the group \"k10:admins\" and we already have it mapped in our Authentik installation. Next we will see the command to execute in our Kasten K10 installation, or in the primary cluster of K10 Multi Cluster Manager:\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io --set auth.oidcAuth.enabled=true --set auth.oidcAuth.providerURL=\"https://atk.24xsiempre.com/application/o/kasten/\" --set auth.oidcAuth.redirectURL=\"https://kast24xsiempre.com/en/\" --set auth.oidcAuth.scopes=\"groups profile email\" --set auth.oidcAuth.groupClaim=\"groups\" --set auth.oidcAuth.prompt=\"login\" --set auth.oidcAuth.clientID=\"SuperDuperClientID\" --set auth.oidcAuth.clientSecret=\"SuperDuperClientSecret\" --set auth.oidcAuth.usernameClaim=\"email\" --reuse-values --set externalGateway.create=true\n```\nNow we will see what each of these variables means:\n- --set auth.oidcAuth.enabled=true / Enable OpenID authentication\n- --set auth.oidcAuth.providerURL=\"https://atk.24xsiempre.com/application/o/kasten/\" / URL to authenticate against\n- --set auth.oidcAuth.redirectURL=\"https://kast24xsiempre.com/en/\" / K10 application URL\n- --set auth.oidcAuth.scopes=\"groups profile email\" / Client scopes to validate
- --set auth.oidcAuth.groupClaim=\"groups\" / Client scope group name\n- --set auth.oidcAuth.prompt=\"login\" / OIDC prompt value (forces the login screen)\n- --set auth.oidcAuth.clientID=\"SuperDuperClientID\" / Client ID\n- --set auth.oidcAuth.clientSecret=\"SuperDuperClientSecret\" / Client secret\n- --set auth.oidcAuth.usernameClaim=\"email\" / In case of email authentication\n- --reuse-values / Reuse values already configured\n- --set externalGateway.create=true / Reconfigure the gateway service in K10 for remote access\nConsole Access Kasten K10 # By entering the URL https://kast24xsiempre.com/en/k10/#/ we will be redirected to the Authentik login:\nWe will enter username and password\nWith this we finish the configuration!\nRelated posts # Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 How to Integrate Active Directory with Kasten K10 and OpenShift Kasten K10 Multi-Cluster How to install Kasten K10 on AWS EKS Configure Email Alerts in Kasten K10 ","date":"17 October 2022","externalUrl":null,"permalink":"/en/posts/kasten-k10-authentik/","section":"Blog","summary":"One of the characteristics of Kasten K10 most used, is the integration with centralized Authentication and identity systems, through different protocols, for the management of access to the different clusters of kubernetes using RBAC by means of K10 and/or for the access of K10 Multi-Cluster in environments with multiple clusters of kubernetes. 
In this post, we will review the easy setup of Authentik and integration with Kasten K10.","title":"Kasten K10 Authentik","type":"posts"},{"content":"","date":"17 October 2022","externalUrl":null,"permalink":"/en/tags/kasten-sso/","section":"Tags","summary":"","title":"Kasten-Sso","type":"tags"},{"content":"","date":"17 October 2022","externalUrl":null,"permalink":"/en/tags/sso/","section":"Tags","summary":"","title":"Sso","type":"tags"},{"content":"","date":"21 July 2022","externalUrl":null,"permalink":"/en/tags/alertas-email/","section":"Tags","summary":"","title":"Alertas-Email","type":"tags"},{"content":"","date":"21 July 2022","externalUrl":null,"permalink":"/en/tags/alertas-kasten/","section":"Tags","summary":"","title":"Alertas-Kasten","type":"tags"},{"content":" In this guide we will review the installation and configuration of Prometheus in order to obtain alerts via email, using Prometheus federation, rules and Alertmanager in conjunction with the monitoring of Kasten K10.\nInitial Steps # As usual, we will review the official documentation of the solutions that we will install and/or configure in this guide.\nPrometheus: https://prometheus.io/\nKasten: https://docs.kasten.io/latest/operating/monitoring.html\nWe will carry out the configuration in a first part with the integration of K10 Multi-Cluster Manager, and then we will see how to configure the rules for an installation without centralized administration.\nWhat is Prometheus? # Prometheus is a solution focused on monitoring Kubernetes resources based on time series metrics, that is, real-time monitoring of the items that have been configured. 
For example, with Prometheus you could monitor, via rules, the use of CPU, memory, connections, sessions, or whatever you want to configure.\nIt is also the standard solution for monitoring Kubernetes clusters, since it gives us a very detailed view of the resources to be monitored and helps us to troubleshoot any errors that exist.\nKasten K10 and Prometheus # Kasten also uses Prometheus for its internal monitoring of K10. In fact, in the previous link, we can see that there are many metrics that Kasten K10 exports to Prometheus, for example those for:\n- catalog\n- jobs\n- actions\n- backup\n- restore\n- export\n- import\n- report\n- run\nSo, how can we configure Prometheus to send us an email when, for example, some backup policy does not work correctly?\nPrometheus setup on Kasten K10 # As we know, Prometheus already comes pre-installed with Kasten K10, but in this instance it is not recommended to modify it, since it is managed by helm and has certain configurations that work directly with the default reports of Kasten K10 and also with K10 Multi-Cluster Manager if you have it activated. 
Therefore the idea is to federate the Prometheus that comes pre-installed with Kasten K10 (so as not to modify it) into a new Prometheus instance:\nInstallation and Configuration of Prometheus # We start by creating a namespace for our monitoring instance, in this case called alertas, by running the following against our Kubernetes cluster:\n```bash\nkubectl create ns alertas\n```\nThen we add the Prometheus community Helm repository:\n```bash\nhelm repo add prometheus-community https://prometheus-community.github.io/helm-charts\n```\nAnd we create a new file named “kasten\\_prometheus\\_values\\_smtp.yaml”:\n```yaml\ndefaultRules:\n  create: false\nalertmanager:\n  config:\n    global:\n      resolve_timeout: 5m\n    route:\n      repeat_interval: 30m\n      receiver: \u0026#39;email\u0026#39;\n      routes:\n        - receiver: \u0026#39;email\u0026#39;\n          match:\n            severity: kasten\n    receivers:\n      - name: \u0026#39;email\u0026#39;\n        email_configs:\n          - to: SuperAdmin@email.com\n            from: kastenalerts@24xsiempre.com\n            smarthost: smtp.24xsiempre.com:25\n            auth_username: SuperDuperUserName\n            auth_password: SuperDuperPassword\nprometheus:\n  prometheusSpec:\n    additionalScrapeConfigs:\n      - job_name: k10\n        scrape_interval: 15s\n        honor_labels: true\n        scheme: http\n        metrics_path: \u0026#39;/k10/prometheus/federate\u0026#39;\n        params:\n          \u0026#39;match[]\u0026#39;:\n            - \u0026#39;{__name__=~\u0026#34;jobs.*\u0026#34;}\u0026#39;\n            - \u0026#39;{__name__=~\u0026#34;catalog.*\u0026#34;}\u0026#39;\n        static_configs:\n          - targets:\n              - \u0026#39;prometheus-server.kasten-io.svc.cluster.local\u0026#39;\n            labels:\n              app: \u0026#34;k10\u0026#34;\n# Values that disable the components we do not need\ngrafana:\n  enabled: false\nkubeApiServer:\n  enabled: false\nkubelet:\n  enabled: false\nkubeStateMetrics:\n  enabled: false\nkubeControllerManager:\n  enabled: false\nkubeEtcd:\n  enabled: false\nkubeProxy:\n  enabled: false\ncoreDns:\n  enabled: false\nkubeScheduler:\n  enabled: false\n```\nThe following lines must be edited with your own values:\n- **to**: SuperAdmin@email.com\n- **from**: kastenalerts@24xsiempre.com\n- **smarthost**: smtp.24xsiempre.com:25\n- **auth\\_username**: SuperDuperUserName\n- **auth\\_password**: SuperDuperPassword\nTwo things are worth keeping in mind. The scrape job only pulls the jobs.* and catalog.* series from the federate endpoint of the Kasten Prometheus, and honor_labels: true keeps the cluster label that K10 attaches to them, which the alert rules depend on. And the SMTP password ends up in plain text in the Alertmanager configuration Secret that the chart renders, so keep this values file out of version control and limit who can read Secrets in the alertas namespace. Modify the variables above with the correct data and save “kasten\\_prometheus\\_values\\_smtp.yaml”. Now we install Prometheus with the following command:\n```bash\nhelm install prometheus prometheus-community/kube-prometheus-stack -n alertas -f kasten_prometheus_values_smtp.yaml\n```\nAnd to validate that it has been installed correctly, we run:\n```bash\nkubectl --namespace alertas get pods -l \u0026#34;release=prometheus\u0026#34;\n```\n## Creation of Prometheus Rules for K10 Multi Cluster Manager Here we make the most important configuration. Since we are using K10 Multi-Cluster Manager, we must know how to correctly identify each of the clusters being protected by Kasten K10. When reading the documentation, a key “Tip” appears: to identify a secondary cluster, the label matcher {cluster=”development”} must be added to the query, where the value is the name under which that cluster is registered in Multi-Cluster Manager. For the primary cluster it must be {cluster=””}. 
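A cluster that is missing from the rules, or whose name in the rule is spelled differently from how Multi-Cluster Manager registers it, never alerts: its backups can fail for weeks without an email. Below is an added example (not part of the original post and not Kasten tooling) of a small shell check that reads a PrometheusRule manifest written in the style of this guide, extracts the cluster label each alert matches on, and reports which registered clusters have no alert. The manifest embedded in it is constructed for the example; the cluster names passed in are whatever Multi-Cluster Manager shows, with "" standing for the primary cluster.

```bash
#!/bin/sh
# Added example (not from the original post): check that a PrometheusRule
# manifest has a failed-job alert for every cluster registered in K10
# Multi-Cluster Manager. Cluster names and the sample manifest are assumed.
set -eu

# Print "<alert name><TAB><cluster label value>" for every alert whose expr
# selects catalog_actions_count with an explicit cluster="..." matcher.
alert_clusters() {
  awk '
    /^[[:space:]]*- alert:/ { alert = $3 }
    /catalog_actions_count\{/ && match($0, /cluster="[^"]*"/) {
      # drop the leading cluster=" (9 chars) and the trailing quote
      print alert "\t" substr($0, RSTART + 9, RLENGTH - 10)
    }' "$1"
}

# Print the clusters (remaining arguments) that no alert covers.
# Pass "" for the primary cluster, which K10 exposes with an empty label.
uncovered_clusters() {
  local rules covered c
  rules=$1; shift
  covered=$(mktemp)
  # a temp file keeps the empty-string line that command substitution strips
  alert_clusters "$rules" | cut -f2 >"$covered"
  for c in "$@"; do
    grep -qxF -- "$c" "$covered" || printf '%s\n' "$c"
  done
  rm -f "$covered"
}

# Constructed sample manifest in the shape used by this guide.
sample_rules=$(mktemp)
cat >"$sample_rules" <<'EOF'
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: prometheus-kube-prometheus-kasten.rules
spec:
  groups:
    - name: kasten_alert
      rules:
        - alert: K10JobsFailsClusterProd
          expr: |-
            increase(catalog_actions_count{cluster="", status="failed"}[10m]) > 0
        - alert: K10JobsFailsClusterDev
          expr: |-
            increase(catalog_actions_count{cluster="desarrollo", status="failed"}[10m]) > 0
EOF

# Usage with the clusters registered in Multi-Cluster Manager: "tanzu" has no
# alert at all, and "development" is a naming mismatch with the "desarrollo"
# used in the rule, so both are reported as uncovered.
uncovered_clusters "$sample_rules" "" desarrollo tanzu development
```

Run it against the real alertas_cluster.yaml with the cluster list taken from the Multi-Cluster Manager dashboard; an empty output means every cluster has at least one failed-job alert. It only inspects explicit cluster="..." matchers, so a rule without a cluster label (the single-cluster variant later in this guide) is reported as covering nothing, which is the conservative answer.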
For this guide, I have 3 clusters configured, named as they appear in Multi-Cluster Manager:\n- produccion (primary cluster for K10 Multi-Cluster, matched with cluster=””)\n- desarrollo (secondary cluster for K10 Multi-Cluster, the development cluster)\n- tanzu (secondary cluster for K10 Multi-Cluster)\nTherefore, we create the configuration file named “alertas\\_cluster.yaml” with the following content:\n```yaml\napiVersion: monitoring.coreos.com/v1\nkind: PrometheusRule\nmetadata:\n  labels:\n    app: kube-prometheus-stack\n    release: prometheus\n  name: prometheus-kube-prometheus-kasten.rules\nspec:\n  groups:\n    - name: kasten_alert\n      rules:\n        - alert: K10JobsFailsClusterProd\n          expr: |-\n            increase(catalog_actions_count{cluster=\u0026#34;\u0026#34;, status=\u0026#34;failed\u0026#34;}[10m]) \u0026gt; 0\n          for: 1m\n          labels:\n            severity: kasten\n          annotations:\n            summary: \u0026#34;Kasten K10 policies with errors in the last 10 minutes\u0026#34;\n            description: \u0026#34;Policy \u0026lt;\u0026lt; {{ $labels.policy }} \u0026gt;\u0026gt; in cluster \u0026lt;\u0026lt; produccion \u0026gt;\u0026gt; has failed in the last 10 minutes\u0026#34;\n        - alert: K10JobsFailsClusterDev\n          expr: |-\n            increase(catalog_actions_count{cluster=\u0026#34;desarrollo\u0026#34;, status=\u0026#34;failed\u0026#34;}[10m]) \u0026gt; 0\n          for: 1m\n          labels:\n            severity: kasten\n          annotations:\n            summary: \u0026#34;Kasten K10 policies with errors in the last 10 minutes\u0026#34;\n            description: \u0026#34;Policy \u0026lt;\u0026lt; {{ $labels.policy }} \u0026gt;\u0026gt; in cluster \u0026lt;\u0026lt; {{ $labels.cluster }} \u0026gt;\u0026gt; has failed in the last 10 minutes\u0026#34;\n        - alert: K10JobsFailsClusterTanzu\n          expr: |-\n            increase(catalog_actions_count{cluster=\u0026#34;tanzu\u0026#34;, status=\u0026#34;failed\u0026#34;}[10m]) \u0026gt; 0\n          for: 1m\n          labels:\n            severity: kasten\n          annotations:\n            summary: \u0026#34;Kasten K10 policies with errors in the last 10 minutes\u0026#34;\n            description: \u0026#34;Policy \u0026lt;\u0026lt; {{ $labels.policy }} \u0026gt;\u0026gt; in cluster \u0026lt;\u0026lt; {{ $labels.cluster }} \u0026gt;\u0026gt; has failed in the last 10 minutes\u0026#34;\n```\nThe variables to edit in each of the alerts are:\n- alert: name of the alert\n- expr: edit ONLY the cluster name (remember the previous tip)\n- summary: summary text, without editing the template variables\n- description: descriptive text\nThe most important field is “expr”, the PromQL query against the Kasten K10 metrics that detects the failed jobs; if you want to write new queries you can visit: https://prometheus.io/docs/prometheus/latest/querying/basics Two labels must match other parts of the setup: the release: prometheus label on the PrometheusRule is what the operator installed by the chart uses to pick the rule up (a rule without it is silently ignored), and severity: kasten is what the Alertmanager route in the values file matches in order to send the email. Finally we create the rules in our Prometheus instance:\n```bash\nkubectl apply -f alertas_cluster.yaml -n alertas\n```\nAnd to validate the creation of the rule:\n```bash\nkubectl get prometheusrules.monitoring.coreos.com -n alertas\n```\n## Creation of Prometheus Rules without K10 multi-cluster If you have installed Kasten K10 without K10 Multi-Cluster, it is also possible to configure rules without declaring the cluster name; the only difference is the rule, which must look like the following:\n```yaml\napiVersion: monitoring.coreos.com/v1\nkind: PrometheusRule\nmetadata:\n  labels:\n    app: kube-prometheus-stack\n    release: prometheus\n  name: prometheus-kube-prometheus-kasten.rules\nspec:\n  groups:\n    - name: kasten_alert\n      rules:\n        - alert: K10JobsFail\n          expr: |-\n            increase(catalog_actions_count{status=\u0026#34;failed\u0026#34;}[10m]) \u0026gt; 0\n          for: 1m\n          labels:\n            severity: kasten\n          annotations:\n            summary: \u0026#34;Kasten K10 policies with errors in the last 10 minutes\u0026#34;\n            description: \u0026#34;Policy \u0026lt;\u0026lt; {{ $labels.policy }} \u0026gt;\u0026gt; has failed in the last 10 minutes\u0026#34;\n```\n## Testing Email Alerts To test this configuration we need to generate errors in the backup policies of the clusters. For that, in the existing backup policies we will remove the Kasten K10 backup repositories or “Location Profiles” to force the error, where the policies will be 
shown like this: And finally we run the policies that generate the error. With this we should wait for the alerts to arrive by email. If we run the following command:\n```bash\nkubectl port-forward service/prometheus-kube-prometheus-prometheus 9090:9090 -n alertas\n```\nwe can open the Prometheus web console on http://localhost:9090 to see the created rules. The port-forward only exposes it on localhost, which is the right way to reach it: this Prometheus has no authentication of its own, so do not publish it through a LoadBalancer or Ingress without putting authentication in front of it:\nRunning the backup policies with errors, Prometheus will detect through the rules that there are some errors:\nWhere finally it marks them as firing and the alerts are sent by email:\nSome examples of notifications or alerts that arrive by email, which include the name of the backup policy and the cluster where the error exists:\nRecommendations # In some cases where Prometheus instances already exist, adding the new instance that federates the Kasten K10 Prometheus may not work correctly. For example in Rancher, with “cattle-monitoring”, it is necessary to disable the Prometheus Operator of the new chart (prometheusOperator.enabled: false in the values file), otherwise both operators try to reconcile the same objects and overwrite each other, forcing the pods to restart.\nRegarding Kasten K10 notifications or alerts, it is possible to write new queries to obtain other types of data, such as licenses, used space, etc.\nRelated posts # How to Configure NFS Repository for Kasten K10 Upgrading Kasten k10 How to install Kasten K10 on AWS EKS Kasten K10 Multi-Cluster Kasten K10 Authentik ","date":"21 July 2022","externalUrl":null,"permalink":"/en/posts/set-up-email-alerts-kasten-k10/","section":"Blog","summary":"In this guide we will review the installation and configuration of prometheus in order to obtain alerts via email using the federation, rules and alertmanager of prometheus in conjunction with the monitoring of Kasten K10.","title":"Configure Email Alerts in Kasten K10","type":"posts"},{"content":"","date":"21 July 
2022","externalUrl":null,"permalink":"/en/tags/kasten-prometheus/","section":"Tags","summary":"","title":"Kasten-Prometheus","type":"tags"},{"content":"","date":"21 July 2022","externalUrl":null,"permalink":"/en/tags/notificacion/","section":"Tags","summary":"","title":"Notificacion","type":"tags"},{"content":"","date":"July 21, 2022","externalUrl":null,"permalink":"/es/categories/prometheus/","section":"Categorías","summary":"","title":"Prometheus","type":"categories"},{"content":"","date":"21 July 2022","externalUrl":null,"permalink":"/en/tags/prometheus/","section":"Tags","summary":"","title":"Prometheus","type":"tags"},{"content":"","date":"21 July 2022","externalUrl":null,"permalink":"/en/categories/tanzu-kubernetes-grid/","section":"Categories","summary":"","title":"Tanzu-Kubernetes-Grid","type":"categories"},{"content":" One of the recurring questions we get lately is how to configure the vSphere CSI Driver in OpenShift 4.x environments without using the operator that VMware has already developed, which is only supported for production from OpenShift version 4.10. Therefore, in this guide we will review how to install and configure the driver in versions prior to 4.10 without using the VMware operator.\nIntroduction # As is generally known, it is possible to install the vSphere CSI Driver to provision volumes directly as First Class Disks using the configured Datastores of the vSphere environment. 
In addition, as of version 4.8 there is an OpenShift operator in Preview to install the CSI Driver, which is fully supported for production environments in the latest version, OpenShift 4.10.\nGenerally OpenShift users do not update to the latest OpenShift version right away, but wait until their applications, or the new features or versions of OpenShift they need, are compatible and supported; therefore, this guide installs the vSphere CSI driver from the command line.\nThis guide assumes that the reader knows the OpenShift environment and how to connect to it from the command line. In this case the OpenShift version is 4.8.39.\nRequirements # We will create 2 files, csi-vsphere.conf and vsphere.conf, which contain the vSphere access credentials:\ncsi-vsphere.conf\n```ini\n[Global]\n# To obtain the cluster ID, run the following command:\n# oc get clusterversion -o jsonpath=\u0026#39;{.items[].spec.clusterID}{\u0026#34;\\n\u0026#34;}\u0026#39;\ncluster-id = \u0026#34;5341dc3e-4ea8-4de6-a4fd-f2715c75a0b8\u0026#34;\n\n[VirtualCenter \u0026#34;vcenter.24xsiempre.cl\u0026#34;]\ninsecure-flag = \u0026#34;true\u0026#34;\nuser = \u0026#34;SuperUserdevSphere\u0026#34;\npassword = \u0026#34;SuperDuperPassword\u0026#34;\nport = \u0026#34;443\u0026#34;\ndatacenters = \u0026#34;24xSiempre\u0026#34;\n```\nIn the previous points, the information of our vSphere environment must be entered:\n- cluster-id: OpenShift cluster ID; run the command indicated in the file\n- VirtualCenter: vCenter FQDN\n- user: vCenter user used by OpenShift\n- password: password of the vCenter user\n- datacenters: name of the vCenter Datacenter\nTwo caveats before moving on. insecure-flag = \u0026#34;true\u0026#34; disables verification of the vCenter TLS certificate, so the driver will hand the credentials to whatever answers on that address; that is acceptable in a lab, but in production point the driver at the vCenter CA instead (the driver documentation lists ca-file and thumbprint as the alternatives). And the vCenter user should be a dedicated account with only the privileges the CSI driver needs, not an administrator. Then we create the following file, vsphere.conf, with exactly the same content (this one is read by the cloud controller manager):\n```ini\n[Global]\n# To obtain the cluster ID, run the following command:\n# oc get clusterversion -o jsonpath=\u0026#39;{.items[].spec.clusterID}{\u0026#34;\\n\u0026#34;}\u0026#39;\ncluster-id = \u0026#34;5341dc3e-4ea8-4de6-a4fd-f2715c75a0b8\u0026#34;\n\n[VirtualCenter \u0026#34;vcenter.24xsiempre.cl\u0026#34;]\ninsecure-flag = \u0026#34;true\u0026#34;\nuser = \u0026#34;SuperUserdevSphere\u0026#34;\npassword = \u0026#34;SuperDuperPassword\u0026#34;\nport = \u0026#34;443\u0026#34;\ndatacenters = \u0026#34;24xSiempre\u0026#34;\n```\nAfter generating the files we create the Secret and the ConfigMap from them, running the following commands:\n```bash\noc create secret generic vsphere-config-secret --from-file=csi-vsphere.conf --namespace=kube-system\noc create configmap cloud-config --from-file=vsphere.conf --namespace=kube-system\n```\nNote that the second command puts the vCenter password into a ConfigMap, which is readable by anyone with read access to ConfigMaps in kube-system and is not treated as sensitive by most tooling. The upstream cloud-provider-vsphere configuration can reference a Secret for the credentials instead of carrying them inline (secret-name and secret-namespace in the [Global] section); check the manifest version you apply and prefer that in production. To validate that they were created correctly we run:\n```bash\noc get secret vsphere-config-secret --namespace=kube-system\noc get configmap cloud-config --namespace=kube-system\n```\nNow we taint all the nodes with the following command, which keeps workloads off them until the cloud controller manager has initialized each node (it removes the taint itself when done):\n```bash\nkubectl taint nodes --all \u0026#39;node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule\u0026#39;\n```\nAnd we apply the following YAML files:\n```bash\noc apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-vsphere/master/manifests/controller-manager/cloud-controller-manager-roles.yaml\noc apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-vsphere/master/manifests/controller-manager/cloud-controller-manager-role-bindings.yaml\noc apply -f https://github.com/kubernetes/cloud-provider-vsphere/raw/master/manifests/controller-manager/vsphere-cloud-controller-manager-ds.yaml\n```\nThese URLs point at the master branch, so what gets applied changes over time and is never reviewed by you; for anything beyond a lab, pin them to a release tag that matches your Kubernetes version (as the CSI manifests below are pinned to v2.1.1) and review the manifests before applying them. To validate that the previous files were applied correctly, we run:\n```bash\noc describe nodes | grep \u0026#34;ProviderID\u0026#34;\n```\nEvery node should now show a ProviderID, which the cloud controller manager sets once it has matched the node to its VM in vCenter.\n## vSphere-CSI Installation Now we install the driver by applying the following files:\n```bash\noc apply -f https://raw.githubusercontent.com/kubernetes-sigs/vsphere-csi-driver/v2.1.1/manifests/v2.1.1/vsphere-7.0u1/vanilla/rbac/vsphere-csi-controller-rbac.yaml\noc apply -f https://raw.githubusercontent.com/kubernetes-sigs/vsphere-csi-driver/v2.1.1/manifests/v2.1.1/vsphere-7.0u1/vanilla/deploy/vsphere-csi-node-ds.yaml\noc apply -f https://raw.githubusercontent.com/kubernetes-sigs/vsphere-csi-driver/v2.1.1/manifests/v2.1.1/vsphere-7.0u1/vanilla/deploy/vsphere-csi-controller-deployment.yaml\n```\nWe run the following command:\n```bash\noc get deployments --namespace=kube-system\n```\nand wait until \u0026#34;READY\u0026#34; shows 1/1. Then we validate the installation of the driver on the nodes with the following command:\n```bash\noc get CSINode\n```\n## Create StorageClass We now move on to configuring the StorageClass that uses the vSphere CSI driver. First of all, in vCenter we create a \u0026#34;Storage Policy\u0026#34;, in this case named \u0026#34;Contenedores\u0026#34;, which must be associated with the Datastore that will host our persistent disks. Then we apply the following manifest:\n```bash\ncat \u0026lt;\u0026lt; EOF | kubectl apply -f -\nkind: StorageClass\napiVersion: storage.k8s.io/v1\nmetadata:\n  name: sc-csi-vsphere\n  annotations:\n    storageclass.kubernetes.io/is-default-class: \u0026#34;false\u0026#34;\nprovisioner: csi.vsphere.vmware.com\nparameters:\n  StoragePolicyName: \u0026#34;Contenedores\u0026#34;\n  datastoreURL: \u0026#34;ds:///vmfs/volumes/60634600-6fcc5d36-bd83-dcfe07e145f9/\u0026#34;\nEOF\n```\nWhere we must modify the following parameters:\n- name: the name we want for the StorageClass.\n- StoragePolicyName: the name of the “Storage Policy” we created earlier.\n- datastoreURL: the URL of the vCenter Datastore. 
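The Requirements step above writes the vCenter password into csi-vsphere.conf on disk with insecure-flag = "true". Below is an added example (not from the original post, nor VMware's or Red Hat's code) of a small shell helper that renders the same file from environment variables, refuses the insecure setting unless explicitly allowed, and streams the result straight into the Secret so no plaintext copy stays in the working directory or the shell history. The variable names and the create_csi_secret wrapper are assumptions, and so is ca-file: it is the option the vSphere CSI driver documents as the alternative to insecure-flag, so confirm it against the driver version you deploy.

```bash
#!/bin/sh
# Added example (not from the original post): render csi-vsphere.conf from
# environment variables and create the Secret from it without an on-disk copy.
# Required: VC_HOST VC_USER VC_PASS VC_DATACENTERS CLUSTER_ID
# Optional: VC_PORT (default 443), VC_CA_FILE (path to the vCenter CA bundle as
#           seen by the driver pod), ALLOW_INSECURE=1 to keep the guide's
#           insecure-flag behaviour.  All names here are assumptions.
set -eu

render_csi_conf() {
  local v val insecure
  for v in VC_HOST VC_USER VC_PASS VC_DATACENTERS CLUSTER_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "render_csi_conf: $v is not set" >&2; return 1; }
  done
  # TLS verification stays on unless the caller opts out explicitly.
  if [ -n "${VC_CA_FILE:-}" ]; then
    insecure=false
  elif [ "${ALLOW_INSECURE:-0}" = 1 ]; then
    insecure=true
  else
    echo "render_csi_conf: set VC_CA_FILE, or ALLOW_INSECURE=1 to skip TLS verification" >&2
    return 1
  fi
  printf '[Global]\ncluster-id = "%s"\n\n' "$CLUSTER_ID"
  printf '[VirtualCenter "%s"]\n' "$VC_HOST"
  printf 'insecure-flag = "%s"\n' "$insecure"
  [ -z "${VC_CA_FILE:-}" ] || printf 'ca-file = "%s"\n' "$VC_CA_FILE"
  printf 'user = "%s"\npassword = "%s"\nport = "%s"\ndatacenters = "%s"\n' \
    "$VC_USER" "$VC_PASS" "${VC_PORT:-443}" "$VC_DATACENTERS"
}

# Create or update the Secret directly from the rendered text. The dry-run +
# apply pair makes the step idempotent; the password never touches a file.
# (Not run here: it needs a logged-in oc session.)
create_csi_secret() {
  render_csi_conf | oc create secret generic vsphere-config-secret \
    --namespace=kube-system --from-file=csi-vsphere.conf=/dev/stdin \
    --dry-run=client -o yaml | oc apply -f -
}

# Usage (password read from a prompt rather than typed on the command line):
#   printf 'vCenter password: '; stty -echo; read -r VC_PASS; stty echo; echo
#   VC_HOST=vcenter.24xsiempre.cl VC_USER=SuperUserdevSphere VC_PASS="$VC_PASS" \
#   VC_DATACENTERS=24xSiempre CLUSTER_ID=$(oc get clusterversion -o jsonpath='{.items[].spec.clusterID}') \
#   VC_CA_FILE=/etc/vmware/ca.pem create_csi_secret
```

The same function renders vsphere.conf for the ConfigMap, but if you keep the password in that file you are still publishing it in a ConfigMap; the cleaner path is the Secret reference the cloud provider supports, mentioned above.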
The info is in the following image. After applying the changes to the file, we run it in the console and it shows us:\nAnd we can also validate it in the OpenShift console:\nPersistent Disk Creation # We will create a persistent disk from the OpenShift console to validate the creation and deletion of disks with the new StorageClass. We enter the OpenShift console, Storage, PersistentVolumeClaims, and click on “Create PersistentVolumeClaim”:\nWe select the StorageClass that we created with vSphere CSI, enter the name of the volume, enter the size and click on “Create”. We will then see the creation of the disk in OpenShift:\nIn the configured Datastore:\nNow we delete the disk to validate correct operation:\nConfirmation in OpenShift:\nDelete confirmation in vCenter:\nDefault StorageClass setting # We enter the OpenShift console, then Storage, and click on “StorageClasses”, where we will see:\nAs can be seen in the previous image, the default StorageClass is \u0026ldquo;thin\u0026rdquo;, which is created automatically when installing OpenShift. We select “thin”, then “Edit Annotations”, change the parameter “storageclass.kubernetes.io/is-default-class” to “false” and save:\nAnd finally, we select our StorageClass that uses the vSphere CSI driver, in this case “sc-csi-vsphere”, click on “Edit Annotations”, change the parameter “storageclass.kubernetes.io/is-default-class” to “true” and save:\nNow we will see that our StorageClass is the default and every new persistent disk will use it:\nSo now all you have to do is install Kasten K10 to protect all your applications in OpenShift; this blog has multiple guides to install and configure Kasten K10.\nRelated posts # Red Hat OpenShift in vSphere with Kasten Install Cluster Kubernetes with vSphere CSI How to Integrate Active Directory with Kasten K10 and OpenShift Veeam + Kasten ","date":"31 May 
2022","externalUrl":null,"permalink":"/en/posts/how-to-install-vsphere-csi-driver-on-redhat-openshift-4x/","section":"Blog","summary":"One of the recurring queries we have lately is how to configure the vSphere CSI Driver in environments OpenShift 4.x without the need to use the operator that VMWare already developed, but that is only supported for production from version 4.10 of OpenShiftTherefore, in this guide we will review how to install and configure the driver in versions prior to 4.10 without the need to use the VMware operator.","title":"How to Install vSphere CSI Driver on RedHat OpenShift 4.x","type":"posts"},{"content":"","date":"31 May 2022","externalUrl":null,"permalink":"/en/tags/openshift-csi-driver/","section":"Tags","summary":"","title":"Openshift-Csi-Driver","type":"tags"},{"content":"","date":"31 May 2022","externalUrl":null,"permalink":"/en/tags/storageclass-openshift-csi/","section":"Tags","summary":"","title":"Storageclass-Openshift-Csi","type":"tags"},{"content":"","date":"31 May 2022","externalUrl":null,"permalink":"/en/tags/vcenter-openshift/","section":"Tags","summary":"","title":"Vcenter-Openshift","type":"tags"},{"content":"","date":"31 May 2022","externalUrl":null,"permalink":"/en/tags/vmware-openshift/","section":"Tags","summary":"","title":"Vmware-Openshift","type":"tags"},{"content":"","date":"31 May 2022","externalUrl":null,"permalink":"/en/tags/vsphere-csi/","section":"Tags","summary":"","title":"Vsphere-Csi","type":"tags"},{"content":"","date":"2 March 2022","externalUrl":null,"permalink":"/en/tags/gke/","section":"Tags","summary":"","title":"GKE","type":"tags"},{"content":"","date":"2 March 2022","externalUrl":null,"permalink":"/en/tags/google-cloud/","section":"Tags","summary":"","title":"Google-Cloud","type":"tags"},{"content":"","date":"2 March 2022","externalUrl":null,"permalink":"/en/tags/google-cloud-storage/","section":"Tags","summary":"","title":"Google-Cloud-Storage","type":"tags"},{"content":"","date":"2 March 
2022","externalUrl":null,"permalink":"/en/tags/google-gke/","section":"Tags","summary":"","title":"Google-Gke","type":"tags"},{"content":"","date":"2 March 2022","externalUrl":null,"permalink":"/en/tags/google-kubernetes/","section":"Tags","summary":"","title":"Google-Kubernetes","type":"tags"},{"content":"","date":"2 March 2022","externalUrl":null,"permalink":"/en/tags/google-kubernetes-engine/","section":"Tags","summary":"","title":"Google-Kubernetes-Engine","type":"tags"},{"content":" According to the latest surveys by cncf.io and other companies, one of the most used services is Google Kubernetes Engine, GKE; therefore, as expected, it is always necessary to protect the applications that run on this type of service, as well as to use Google\u0026rsquo;s infrastructure to store the backups. In this guide we will see how to install Kasten K10 to protect applications running on GKE and also integrate it with K10 Multi-Cluster Manager.\nFirst steps # As always we must visit the official documentation of Kasten K10 to install the solution on Google Kubernetes Engine:\nRequirements: https://docs.kasten.io/latest/install/requirements.html#install-prereqs Installation on Google GKE: https://docs.kasten.io/latest/install/google/google.html After reading the documentation we will confirm how easy it is to install Kasten K10 on Google Kubernetes Engine. The recommendation is to install it with a service account, since Kasten needs two kinds of service accounts: a Google Cloud service account to access Google\u0026rsquo;s infrastructure, such as storage, and a Kubernetes service account to access the cluster\u0026rsquo;s resources. 
We will review the option of a separate service account, as it is the recommendation and good practice for application protection in GKE.\nGoogle Cloud Service Account Creation # First we make sure that we are in the Google Cloud console and have access to the GKE cluster:\nThen we open the Google \u0026ldquo;Cloud Shell\u0026rdquo; by clicking on the \u0026ldquo;Prompt\u0026rdquo; icon to the left of the question mark in the upper right of the Google console:\nThen we run the following command to get access to the GKE cluster:\n```bash\ngcloud container clusters get-credentials NombreMiClusterGKE --zone ZonaGoogle\n```\nWhere you enter the name of your GKE cluster and the zone where you created it; for example, in this case the cluster name is “demo-gke-k10” and the zone is “us-central1-c”. This writes the kubeconfig to .kube/config for management via kubectl; if we run the following command we will see the nodes running in GKE:\n```bash\nkubectl get nodes -o wide\n```\nWe are now ready to generate the service account. Important: the roles we need to grant to the service account are:\n- roles/compute.storageAdmin, for access to Google infrastructure (persistent disks and their snapshots)\n- roles/storage.admin, for access to the buckets that hold the backups in Google Cloud Storage\nDepending on each company\u0026rsquo;s security requirements you can narrow the storage.admin permissions, for example by granting them on the backup bucket only instead of on the whole project. Therefore, as indicated in the Kasten documentation, we run the following commands in the Google Cloud Shell:\n```bash\nmyproject=$(gcloud config get-value core/project)\ngcloud iam service-accounts create k10-sa --display-name \u0026#34;K10 Service Account\u0026#34;\nk10saemail=$(gcloud iam service-accounts list --filter \u0026#34;k10-sa\u0026#34; --format=\u0026#34;value(email)\u0026#34;)\ngcloud iam service-accounts keys create --iam-account=${k10saemail} k10-sa-key.json\ngcloud projects add-iam-policy-binding ${myproject} --member serviceAccount:${k10saemail} --role roles/compute.storageAdmin\n```\nThe file k10-sa-key.json is a long-lived credential for everything this account can do: keep it out of version control, and delete it from the Cloud Shell home directory once it has been loaded into the Kasten Helm release. Next we add the permissions for bucket access; this could be the same service account or another one used exclusively to access Google Cloud Storage buckets. 
To validate we can go to \u0026#34;IAM\u0026#34; within the Google Cloud console and confirm the creation of the service account: As seen in the previous image, “k10-sa@inspiring-cat-342913.iam.gserviceaccount.com” is the service account created earlier with the commands we ran. We now edit the account so that it can also access Google Cloud Storage, adding the Storage Admin role to the service account: And we can validate that the necessary role has been assigned: ## Installation of Kasten K10 If we follow the Kasten K10 documentation for the installation, we must always review the prerequisites mentioned at the beginning of this post. We add the helm repository and create the namespace for Kasten, named \u0026#34;kasten-io”, with the following commands:\n```bash\nhelm repo add kasten https://charts.kasten.io/\nkubectl create namespace kasten-io\n```\nWith the above created, we install Kasten K10 with the service account created previously and its key, using the following commands:\n```bash\nsa_key=$(base64 -w0 k10-sa-key.json)\nhelm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key\n```\nThe chart stores the key in a Secret in kasten-io, so after this step the local k10-sa-key.json is no longer needed and should be removed. Finally we check that all the pods of the namespace are \u0026#34;RUNNING\u0026#34;:\n```bash\nkubectl get pods -n kasten-io\n```\nNow we need to access the Kasten web console; since we have configured it several times in this blog, we only have to run:\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --reuse-values \\\n  --set externalGateway.create=true \\\n  --set auth.tokenAuth.enabled=true\n```\nAgain we validate that the pods of the kasten namespace are “RUNNING” and then we look at the service created to access the console, with the following command:\n```bash\nkubectl get svc -n kasten-io\n```\nIn this case it has been assigned the IP 34.121.31.71 as \u0026#34;LoadBalancer\u0026#34;, so we open http://34.121.31.71/k10/#/ in the browser. Note that this is plain HTTP on a public IP and the bearer token below travels in the clear: restrict the source addresses that can reach the load balancer and put TLS in front of it before using this beyond a lab. The credential is obtained from the token, as we saw in a previous post on this blog; we just have to run:\n```bash\nsa_secret=$(kubectl get serviceaccount k10-k10 -o jsonpath=\u0026#34;{.secrets[0].name}\u0026#34; --namespace kasten-io)\nkubectl get secret $sa_secret --namespace kasten-io -ojsonpath=\u0026#34;{.data.token}{\u0026#39;\\n\u0026#39;}\u0026#34; | base64 --decode\n```\nAnd it will show us the token to log in. On Kubernetes 1.24 and later the service account no longer gets an auto-created token Secret, so .secrets[0] is empty; there, request a short-lived token with kubectl -n kasten-io create token k10-k10 instead. ## Configuration Infrastructure Google We already mentioned that Kasten needs access to Google infrastructure as well as to Google Cloud Storage to host the backups. Since we configured it with the service account, the infrastructure profile is generated in Kasten automatically; to validate, we can see it in the cluster configuration of Kasten under “Settings” and then “Infrastructure”: We only need to add the backup repository with a Google Cloud Storage bucket. We create the Google bucket in the standard way and then enter the following data in Kasten: To generate the service key, we enter \u0026#34;IAM\u0026#34;, then \u0026#34;Service Accounts\u0026#34;, select the Kasten service account we created, “k10-sa”, click on “Keys” and generate one in JSON format. Where:\n- Profile Name: profile name\n- Cloud Storage Provider: we select Google Cloud Storage\n- GCP Project ID: the Google Project ID, in this case “inspiring-cat-342913”\n- GCP Service key: we paste the content of the JSON key generated previously\n- Location: location of the bucket, chosen when it was created (also visible in the bucket properties)\n- Bucket Name: name of the previously created bucket\nAnd now we are ready to make backups. 
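The guide grants roles/storage.admin to k10-sa on the whole project, and its own note says you can narrow that. Below is an added example (not from the original post and not Kasten tooling) of the narrowing that keeps the same role but scopes it to the backup bucket, removes the project-wide binding, and locks down the JSON key file before helm reads it. The bucket, project and account names are placeholders, and the assumption that K10 only needs rights on this one bucket is mine: if the location profile then fails validation, check Kasten's documented permission list for a project-level need. Nothing is executed when DRY_RUN=1, which is how the usage at the bottom runs it.

```bash
#!/bin/sh
# Added example (not from the original post): bucket-scoped storage access for
# the K10 service account plus key-file hygiene. All names are assumptions.
set -eu

# Sanity checks so a typo does not bind the wrong principal or bucket.
valid_bucket() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'
}
valid_sa() {
  printf '%s' "$1" | grep -Eq \
    '^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'would run:'; printf ' %s' "$@"; printf '\n'
  else
    "$@"
  fi
}

# scope_bucket_access <sa email> <bucket> [project]
# Binds roles/storage.admin on the bucket only (same role as the guide,
# narrower scope) and, when a project is given, drops the project-wide
# binding so the account can no longer touch every bucket in the project.
scope_bucket_access() {
  local sa bucket project
  sa=$1; bucket=$2; project=${3:-}
  valid_sa "$sa"         || { echo "bad service account: $sa" >&2; return 1; }
  valid_bucket "$bucket" || { echo "bad bucket name: $bucket" >&2; return 1; }
  run gsutil iam ch "serviceAccount:${sa}:roles/storage.admin" "gs://${bucket}"
  if [ -n "$project" ]; then
    run gcloud projects remove-iam-policy-binding "$project" \
      --member "serviceAccount:${sa}" --role roles/storage.admin
  fi
}

# protect_key_file <path>: the downloaded key is a long-lived credential.
# Make sure it really is a service-account key, then owner-read-only.
# Delete it once `helm install ... --set secrets.googleApiKey=` has run.
protect_key_file() {
  local key
  key=$1
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  grep -q '"type": *"service_account"' "$key" \
    || { echo "not a service account key: $key" >&2; return 1; }
  chmod 600 "$key"
}

# Usage (dry run, placeholders):
DRY_RUN=1 scope_bucket_access \
  k10-sa@inspiring-cat-342913.iam.gserviceaccount.com k10-backups inspiring-cat-342913
```

Run it without DRY_RUN from the Cloud Shell where gcloud and gsutil are already authenticated, after the bucket from the location-profile step exists. Keep roles/compute.storageAdmin at project level: disk snapshots are project resources, so that one cannot be scoped the same way.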
## Integration with K10 Multi Cluster Manager In the next post we will see how to integrate our GKE cluster with K10 Multi-Cluster Manager; if you need to install K10 Multi-Cluster: \u0026gt; [Install Kasten Multi Cluster Manager](/en/install-kasten-multi-cluster-manager/) In the case of Google, we must run k10multicluster to modify the kubeconfig of the cluster. To copy the kubeconfig of the GKE cluster, we run in the “Cloud Shell”:\n```bash\ncat .kube/config\n```\nWe log in to our primary Kubernetes cluster for Kasten and go to the directory:\n```bash\ncd\ncd .kube/\n```\nAnd we create a file named google with nano, pasting in the content of the kubeconfig:\n```bash\nnano google\n```\nThat file contains the credentials for the GKE cluster, so keep it readable by your user only (chmod 600 google) and delete it once the prepared kubeconfig has been imported. We point the KUBECONFIG environment variable at it in the shell profile, after which we can list the Kubernetes contexts:\n```bash\nkubectl config get-contexts\n```\nWe focus on the Google context, in this case gke_inspiring-cat-342913_us-central1-c_demo-gke-k10, and run the following command (remember to set the context of your cluster):\n```bash\nk10multicluster kubeconfig prepare --context gke_inspiring-cat-342913_us-central1-c_demo-gke-k10\n```\nWe copy the content of the created file into our K10 Multi-Cluster Manager, filling in:\n- Cluster Display Name: the name we want the cluster displayed with\n- Ingress URL: address of the Kasten console in GKE\n- K10 Namespace: name of the namespace where Kasten was installed\n- Helm release name: k10\n- Insecure TLS: if you are accessing over plain http, leave it disabled; otherwise use https with a valid certificate rather than enabling it. 
And we already have our Google GKE cluster centrally managed.\nRecommendations # As always, security comes first: allow access only from trusted addresses, apply RBAC to access through Multi-Cluster Manager and, of course, give the service accounts only the minimum permissions needed for operation.\nRelated posts # How to install Kasten K10 on AWS EKS How to install Kasten K10 on Azure AKS How to use Kasten K10 with Google Anthos How to Configure NFS Repository for Kasten K10 Kasten K10 Multi-Cluster Veeam + Kasten ","date":"2 March 2022","externalUrl":null,"permalink":"/en/posts/how-to-install-kasten-k10-on-google-gke/","section":"Blog","summary":"According to the latest surveys by cncf.io and other companies, one of the most used services is Google Kubernetes Engine, GKE, therefore, as expected, it is always necessary to protect the applications that run on these types of services, as well as the use of Google’s infrastructure to store backups. In this guide we will see how to install Kasten K10 to protect applications running on GKE and also integrate it with K10 Multi-Cluster Manager.","title":"How to install Kasten K10 at Google GKE","type":"posts"},{"content":"","date":"10 February 2022","externalUrl":null,"permalink":"/en/tags/aws-eks/","section":"Tags","summary":"","title":"Aws-Eks","type":"tags"},{"content":"","date":"10 February 2022","externalUrl":null,"permalink":"/en/tags/backup-eks/","section":"Tags","summary":"","title":"Backup-Eks","type":"tags"},{"content":"","date":"10 February 2022","externalUrl":null,"permalink":"/en/tags/eks-backup/","section":"Tags","summary":"","title":"Eks-Backup","type":"tags"},{"content":" One of the most widely used cloud-native services is containers orchestrated with Kubernetes, and the public clouds are among the most used platforms for this type of workload. 
In fact, in one of the 2020 cncf.io surveys, it shows us that about 60% of users / companies use cloud-native storage for their containers directly from Google (81%), AWS (80%) and Azure ( 74%), surely these percentages have changed over the years. That is why in this post we will review how to protect all containers in AWS EKS.\nInitial Steps # Initially, since I mentioned the cncf.io report, you can check it out here:\nhttps://www.cncf.io/wp-content/uploads/2020/12/CNCF_Survey_Report_2020.pdf\nAs always we must review the official documentation of Kasten:\nhttps://docs.kasten.io/latest/install/aws/aws.html\nHere we will see the recommended way of installation, there is another, but we must always try to approach good practices.\nInstallation Kasten with IAM Role # The recommended way is to use the integration with an IAM role associated with a service account, in this case, k10-k10, therefore we will start by creating the IAM policies to assign the permissions according to the official configuration of Kasten:\nhttps://docs.kasten.io/latest/install/aws/using_aws_iam_roles.html#using-aws-iam-roles https://docs.kasten.io/latest/install/aws/aws_permissions.html The first link tells us the necessary permissions to take snapshots, restore and migrate between different clusters. In the second link we see all the permissions for each service that access is needed according to what you need to protect. 
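The IAM role approach that follows only works when three things line up: the role's trust policy names the cluster's OIDC provider and the exact kasten-io/k10-k10 service account in its sub condition, and that service account carries the eks.amazonaws.com/role-arn annotation for the same role that is handed to helm. A mismatch in any of them shows up as AccessDenied on AssumeRoleWithWebIdentity from the K10 pods, and a wildcard sub quietly lets every service account in the namespace assume the role. Below is an added example (not from the original post, not eksctl or Kasten code) of a check for those three things; the sample trust policy, account id and issuer are constructed placeholders, and check_live assumes configured kubectl and aws CLIs.

```bash
#!/bin/sh
# Added example (not from the original post): validate the IRSA wiring between
# the K10 service account and its IAM role. Names below are assumptions.
set -eu

# trust_policy_ok <policy json> <oidc issuer without https://> <namespace> <sa>
# Succeeds only if the document conditions on "<issuer>:sub" being exactly the
# given service account and contains no wildcard service-account subject.
trust_policy_ok() {
  local json issuer ns sa want_sub
  json=$1; issuer=$2; ns=$3; sa=$4
  want_sub="system:serviceaccount:${ns}:${sa}"
  printf '%s\n' "$json" | grep -qF "\"${issuer}:sub\"" \
    || { echo "no sub condition for issuer ${issuer}" >&2; return 1; }
  printf '%s\n' "$json" | grep -qF "\"${want_sub}\"" \
    || { echo "trust policy does not name ${want_sub}" >&2; return 1; }
  if printf '%s\n' "$json" | grep -q 'system:serviceaccount:[^"]*\*'; then
    echo "wildcard service account in trust policy" >&2; return 1
  fi
  return 0
}

# check_live <role arn> <eks cluster name> [namespace] [service account]
# Not run here. Compares the service-account annotation with the role ARN given
# to helm, then fetches the role's trust policy and validates it.
check_live() {
  local role_arn cluster ns sa ann issuer doc
  role_arn=$1; cluster=$2; ns=${3:-kasten-io}; sa=${4:-k10-k10}
  ann=$(kubectl -n "$ns" get sa "$sa" \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}')
  [ "$ann" = "$role_arn" ] \
    || { echo "annotation '$ann' does not match '$role_arn'" >&2; return 1; }
  issuer=$(aws eks describe-cluster --name "$cluster" \
    --query cluster.identity.oidc.issuer --output text | sed 's#^https://##')
  doc=$(aws iam get-role --role-name "${role_arn##*/}" \
    --query Role.AssumeRolePolicyDocument --output json)
  trust_policy_ok "$doc" "$issuer" "$ns" "$sa"
}

# Constructed trust policy in the shape `eksctl create iamserviceaccount`
# produces (placeholder account id and OIDC provider id).
sample_issuer='oidc.eks.sa-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E'
sample_policy='{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789000:oidc-provider/'"$sample_issuer"'"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "'"$sample_issuer"':aud": "sts.amazonaws.com",
      "'"$sample_issuer"':sub": "system:serviceaccount:kasten-io:k10-k10"
    }}
  }]
}'

# Usage against the sample; for a real cluster:
#   check_live arn:aws:iam::123456789000:role/<role from eksctl> Lab-EKS
trust_policy_ok "$sample_policy" "$sample_issuer" kasten-io k10-k10 && echo "trust policy ok"
```

The grep-based check deliberately looks for the quoted exact string, so a policy that uses StringLike with system:serviceaccount:kasten-io:* or that trusts a different cluster's provider is rejected even though both would also let K10 assume the role.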
In this case we will see 3 IAM policies to create and have a granularity of permissions to the service account.\nWe will generate 3 policies, associated to the json that shows us the documentation of KastenFor example, to make the AWS EBS policy we must click on “Create Policy”, click on “JSON” and paste the content:\nThen, click on next, to apply tags and then as a last step we will enter the name of the policy:\n**Important: The necessary policies must be created, therefore, this step must be repeated, with the policies for the necessary services from the second previous link**\nEnable OIDC on EKS # We must use Cloudshell or a local configuration of aws cli, configuring the Authentikation as an administrator user for the management of the following commands.\nTo have a correct Authentikation, we can configure OIDC in our cluster EKS with the following command (you must enter the name of your cluster):\neksctl utils associate-iam-oidc-provider --cluster NombreCluster --approve ```bash As stated in the documentation: https://docs.kasten.io/latest/install/aws/using\\_aws\\_iam\\_roles.html#creating-an-iam-role-for-k10-install It should be considered that the name of the service account that we will create must be \u0026#34;k10-k10”, the namespace “kasten-io” and also add the ARN of the policies that we generate, to obtain the ARN of the policies, you must enter IAM and click on the name of the policy to see the ARN, we copy each of the ARN of the created policies previously: Now we will create the namespace “kasten-io” ```bash kubectl create ns kasten-io ```bash And then we generate the service account with the following command: ```bash eksctl create iamserviceaccount \\ --name k10-k10 \\ --namespace kasten-io \\ --cluster Lab-EKS \\ --attach-policy-arn arn:aws:iam::123456789000:policy/k10-EBS \\ --attach-policy-arn arn:aws:iam::123456789000:policy/k10-RDS \\ --attach-policy-arn arn:aws:iam::123456789000:policy/k10-S3 \\ --approve \\ 
--override-existing-serviceaccounts\n```\n**Remember to enter the name of your EKS cluster and the ARN of each policy.**\nAfter this we will see a new Role in IAM:\nAs seen in the previous image, the policies are attached to this new role, which is associated with the service account. We will copy the ARN of the new role and proceed to the installation of Kasten K10.\n## Installation of Kasten K10 on AWS EKS\nAs we have seen several times in this blog, we must have \u0026#34;helm\u0026#34; configured with the Kasten chart; you can see it here:\n\u0026gt; [Veeam + Kasten](/en/veeam-kasten/)\nAnd now we will install Kasten K10 with the following command:\n```bash\nhelm install k10 kasten/k10 --namespace=kasten-io --set secrets.awsIamRole=\u0026#34;arn:aws:iam::123456789000:role/eksctl-Lab-EKS-addon-iamserviceaccount-kaste-Role1-12FASDASDCKA\u0026#34;\n```\n**Remember that you must enter the ARN of the previously created Role.**\n**In case you get an error about the service account already existing, just delete and re-create the namespace kasten-io.**\nWe expect the pods of “kasten-io” to reach the “Running” state; check them with the following command:\n```bash\nwatch kubectl get pods -n kasten-io\n```\nIf you want to see the disks that were created automatically by the installation of Kasten K10:\n```bash\nkubectl get pvc -n kasten-io\n```\nFinally we need access to the Kasten K10 console; we just have to execute the following command:\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --reuse-values \\\n  --set externalGateway.create=true \\\n  --set auth.tokenAuth.enabled=true\n```\nThis creates a \u0026#34;Load Balancer\u0026#34; service and assigns it an AWS DNS address:\n```bash\nkubectl get svc gateway-ext -n kasten-io\n```\nWe only have to enter the URL, in this case: http://a8c57c2bded63432194a6545af3ce024-1753718719.sa-east-1.elb.amazonaws.com/k10/#/ and 
we will proceed to authenticate as described in the official documentation: https://docs.kasten.io/latest/access/authentication.html#obtaining-tokens\nAt this point you can already use Kasten K10 to back up your workloads on AWS EKS : )\n## Integrate with K10 Multi-Cluster Manager on AWS EKS\nWe have already seen how to install K10 Multi-Cluster Manager; if you haven\u0026#39;t checked it out yet:\n\u0026gt; [Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1](/en/kasten-rbac-multi-tenant-multi-cluster-keycloak/)\nor install K10 Multi-Cluster Manager without Keycloak:\n\u0026gt; [Install Kasten Multi Cluster Manager](/en/install-kasten-multi-cluster-manager/)\nNow we have to add the kubeconfig file in our Multi-Cluster Manager interface. We will try to add the cluster through the web interface by clicking on “Add Clusters” and pasting the content of the kubeconfig file of our AWS EKS cluster, and it will show us the following:\nAs we can see, the cluster cannot be selected, since K10 Multi-Cluster needs a previous step to prepare the kubeconfig file correctly. For this we run the following command to identify the Kubernetes context in use:\n```bash\nkubectl config get-contexts\n```\nWe copy the name of the context and then execute the command:\n```bash\nk10multicluster kubeconfig prepare --context arn:aws:eks:sa-east-1:12345678900:cluster/Lab-EKS\n```\nWe copy the content after “—” and paste it again in K10 Multi-Cluster Manager under “Add Clusters”, and we will see that the options to add the AWS EKS cluster are now enabled:\nWe select the cluster and move it to the right, then enter the \u0026ldquo;Cluster Display Name\u0026rdquo; and the \u0026ldquo;Ingress URL\u0026rdquo;, which is the URL that was assigned to us in the kasten-io services, always adding, as indicated by the interface, the namespace “kasten-io”, 
helm release name “k10”, and disable TLS, since we are adding it without TLS (if you configured access with a certificate, enable it). Then click on “Add Clusters”:\nAnd we will have the AWS EKS cluster configured in our K10 Multi-Cluster Manager, ready to apply the necessary policies.\nAdd S3 Bucket with IAM Role # Since we already configured all the permissions through the Kasten K10 service account and the policies attached to the role we created, when we configure a \u0026ldquo;Location Profile\u0026rdquo; we can use the same IAM Role for authentication by selecting:\nWe enter the Region and Bucket Name and save the profile; of course, if the bucket has immutability enabled you can use it as well.\nRecommendations # At the security level, I always recommend allowing only the authorized IPs to reach the Kasten services, using firewall rules, to preserve privacy. On the other hand, if the role needs more permissions, generate only the necessary policy (for example, the RDS permissions needed to protect RDS) and attach it to the generated role.\nRelated posts # How to install Kasten K10 on Azure AKS How to install Kasten K10 at Google GKE How to use Kasten K10 with Google Anthos How to Configure NFS Repository for Kasten K10 Kasten K10 Multi-Cluster Veeam + Kasten ","date":"10 February 2022","externalUrl":null,"permalink":"/en/posts/how-to-install-kasten-k10-on-aws-eks/","section":"Blog","summary":"One of the most widely used cloud-native services are cloud-orchestrated containers. Kubernetes, where public cloud services are one of the most used for this type of workload. In fact, in one of the 2020 cncf.io surveys, it shows us that about 60% of users / companies use cloud-native storage for their containers directly from Google (81%), AWS (80%) and Azure (74%), surely these percentages have changed over the years. 
That is why in this post we will review how to protect all containers in AWS EKS.","title":"How to install Kasten K10 on AWS EKS","type":"posts"},{"content":"","date":"10 February 2022","externalUrl":null,"permalink":"/en/tags/iam-role/","section":"Tags","summary":"","title":"Iam-Role","type":"tags"},{"content":"","date":"10 February 2022","externalUrl":null,"permalink":"/en/tags/kasten-eks/","section":"Tags","summary":"","title":"Kasten-Eks","type":"tags"},{"content":"","date":"10 February 2022","externalUrl":null,"permalink":"/en/tags/kasten-k10-eks/","section":"Tags","summary":"","title":"Kasten-K10-Eks","type":"tags"},{"content":"","date":"February 10, 2022","externalUrl":null,"permalink":"/es/tags/respaldo-eks/","section":"Etiquetas","summary":"","title":"Respaldo-Eks","type":"tags"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/categories/eks/","section":"Categories","summary":"","title":"Eks","type":"categories"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/categories/elastic-kubernetes-service/","section":"Categories","summary":"","title":"Elastic-Kubernetes-Service","type":"categories"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/categories/gke/","section":"Categories","summary":"","title":"Gke","type":"categories"},{"content":" In this post, we will look at Role Based Access Control (RBAC) configuration in conjunction with Kasten K10 for access to one or multiple clusters protected by Kasten. It is aimed both at clients who manage one or more clusters of any Kubernetes distribution supported by K10, and at service providers (SP or MSP) that offer Kubernetes container protection with Kasten K10, with the aim of providing controlled access to users and clients according to the granular roles required by each cluster or operation. 
We will also use a Single Sign-On (SSO) solution based on OpenID, in this case Keycloak, for the centralized management of access credentials for users and groups.\nInitial Steps # The idea of this series is to explain how to generate the groups, roles, clusterroles and other resources associated with RBAC without having to modify the Kubernetes cluster directly over time, so that all user creation, group creation and group assignment is done in Keycloak.\nAs usual in this blog, we should always refer to the official documentation of what we are going to install, configure or apply, since we must stay as close as possible to the good practices or guidelines of the creators of the solutions we use.\nKeycloak https://www.keycloak.org/documentation\nKasten K10 https://docs.kasten.io/latest/\nRBAC Kasten K10 https://docs.kasten.io/latest/access/rbac.html\nRBAC Kasten K10 Multi Cluster Manager https://docs.kasten.io/latest/multicluster/rbac.html\nInstallation of K10 and Multi-Cluster # We will not go into depth on the installation of the products in this post, since the following links give the step-by-step installation of Kasten K10 and Kasten Multi Cluster Manager:\nKasten K10 /veeam-kasten/\nKasten K10 Multi Cluster Manager /instalar-kasten-multi-cluster-manager/\nAs for the installation of Keycloak, it\u0026rsquo;s very easy with Helm, or you can use one of the many guides on the internet to install it as a container or as an application on a server. 
(Leave a comment if you need a step-by-step guide.)\nWe will now review a summary of the existing roles and clusterroles used for granular permission creation.\nKasten K10 RBAC # When we review the documentation, we see that there is RBAC for the individual installation of Kasten K10, following the Kubernetes standards, as well as RBAC for multi-cluster installations using Multi-Cluster Manager.\nIn this case we will review the use of Roles, RoleBindings, ClusterRoles and ClusterRoleBindings in Kasten K10 to get granular access to our K10 deployment according to the needs of the operation. When reviewing the documentation we find the default ClusterRoles that are created when installing K10, which are 3:\n- k10-admin / Full access to the Kasten K10 deployment\n- k10-basic / Operational access for users on specific resources\n- k10-config-view / Access to the configuration without permissions to create or modify\nYou can list them with the following command:\n```bash\nkubectl get clusterrole | grep k10\n```\nThe permissions can be reviewed in detail by describing each clusterrole, for example:\n```bash\nkubectl describe clusterrole k10-admin\n```\nThis shows all the permissions, resources and verbs (what it can do) of each of the clusterroles, which are the basis for creating granular access permissions to K10. They can be used as a basis to later create clusterrolebindings associated with the users or user groups that will access via OpenID. 
Another important role that exists within the K10 installation is **k10-ns-admin**, which provides access to the secrets and also allows viewing the status of the services directly from the K10 console. To list the role, the namespace **kasten-io** must be included:\n```bash\nkubectl get roles -n kasten-io\n```\n## K10 Multi-Cluster Manager RBAC\nSimilarly, when setting up K10 Multi-Cluster Manager from the primary cluster, 2 clusterroles are generated by default, plus K10-specific clusterroles:\n- k10-mc-admin / Allows full access to manage multiple clusters and resources\n- k10-mc-user / Allows access to the cluster but not to the management resources\n```bash\nkubectl get clusterrole | grep k10-mc\n```\nK10-specific clusterroles for the management of RBAC within K10 Multi-Cluster:\n- k10-multi-cluster-admin / Allows full access to manage multiple clusters and resources\n- k10-multi-cluster-basic / Allows access to the cluster but not to the management resources\n- k10-multi-cluster-config-view / Allows access to the cluster and to view the configuration\n```bash\nkubectl get k10clusterrole -n kasten-io-mc\n```\nWhy are there two types of clusterroles? The first ones are Kubernetes ClusterRoles associated with Kubernetes resources and clusters, while the k10clusterroles are associated with the internal management of the Multi-Cluster Manager in order to provide access via RBAC within K10.\nIn this guide we will configure clusterroles and specific roles according to the access and operation needs, using the resources provided by 
Kasten K10, but first we will go through the Keycloak configuration.\nKeycloak Configuration # After installing Keycloak, you can access the “master” realm via the web with the user you configured; for example, in my case I use auth.24xsiempre.com and enter the administration console:\nYou can keep the default settings, or at least enable brute force detection in the “Security Defenses” menu.\nNow we will create a new Realm exclusively for Kasten K10, so we select the “master” realm in the main menu and click on “Add Realm”, then enter the name of the new realm and finally click on “create”:\nWithin “Realm Settings” there are several configurations, as seen in the Keycloak menu. For this case we will enable brute force detection in “Security Defenses” (optional, but recommended) and, most importantly, the following options in the “Login” menu:\nIt is preferable to use these options; in the case of “Forgot password” and “Verify Email” it is necessary to have SMTP configured in Keycloak, which is very easy: enter the address, username and password of the SMTP server in the “Email” menu.\nKeycloak Client Configuration # We already have the basics of Keycloak; now we will go fully into the configuration of a client in Keycloak for the use of OpenID in conjunction with K10. 
Click on “Clients” and then on “Create”, enter the “Client ID” (in this case kasten) and make sure that the “Client Protocol” is “openid-connect”:\nThen open the new client from the “Clients” menu.\nNow we will configure the client in detail to use OpenID and allow access to users or groups; the settings that must be applied are the following:\nNext I will explain each of the configured fields:\n- Enabled = Enables the Keycloak client\n- Always Display in Console = To view sessions in the Keycloak console\n- Login Theme = Type of graphical interface\n- Client Protocol = Enables the openid-connect protocol that we will use with K10\n- Access Type = Requires a credential to use the Keycloak client\n- Standard Flow Enabled = Enables OpenID redirects for authentication and authorization\n- Direct Access Grants Enabled = Username and password access exchanged directly with Keycloak\n- Service Accounts Enabled = In case of using service accounts\n- OAuth 2.0 Device Authorization Grant Enabled = OAuth 2.0 device flow support\n- Authorization Enabled = Granular authorization enabled\n- Valid Redirect URIs = The valid URIs used for entry and exit of the application\n- Web Origins = CORS origins configuration\n- Backchannel Logout URL = Client logout URL\n- Backchannel Logout Session Required = Validate that the session id is included in the logout\n- Backchannel Logout Revoke Offline Sessions = Revoke offline access\n- Browser Flow = Will use authentication through the browser\n- Direct Grant Flow = Will deliver the session directly\nNow we will add a role so that it is associated with K10: we enter “Roles” within the same “Client” we already configured and add a new role named “k10”.\nNow open the newly created role, then in “Composite Roles” click on “Client Roles”, select “kasten” and assign the new role “k10” in “Associated Roles”.\nAnd finally we will add the new role as a default: click on “Roles” and then, in the “Default Roles” menu, select “kasten” in “Client 
Roles” and add the new role “k10” to the default roles:\nKeycloak Groups Configuration # By default Keycloak does not include the groups in the \u0026ldquo;Client Scopes\u0026rdquo;; that is, if we configure authentication based on groups it will not work, since Kasten (or any application) will not be able to read the groups created in Keycloak. Therefore we click on “Client Scopes”, then on “Create”, enter the name “groups”, make sure to use the “openid-connect” protocol and save:\nWe open the recently created “Client Scope” “groups” and then click on “Mappers”; to create a new mapping click on “Create”, enter the name “groups”, select the “Mapper Type” “Group Membership”, then in “Token Claim Name” enter “groups”, deactivate “Full group path”, leave the other options activated and save:\nThen we click on “Scope” and select the “Client Roles” of “kasten” to add the assigned role “k10”.\nAnd finally we need to add the new “Client Scope” as a default so that it can be read by Kasten. In “Client Scopes” select the “Default Client Scopes” menu and move “groups” to the scopes assigned by default:\nCreating Groups in Keycloak # An excellent way of managing users is to associate them with groups that already have the required permissions or roles, which makes their administration much more expeditious. Therefore, a good practice is to use the same nomenclature as Kasten when creating groups. 
We click on “Groups” and then on “New” to add the name of the group, for example “k10:admins”, and save.\nThen we select and edit the group, open the “Role Mappings” menu and in “Client Roles” select “kasten” to assign the role “k10”, as we can see in the following image:\nYou can create as many groups as necessary and assign the previous role to each of them as we did before.\nCreating Users in Keycloak # Now we will create an administration user for the management of Kasten K10, either for a single cluster or using Multi-Cluster Manager. We enter the “Users” menu, fill in the requested information and the associated group, in this case “k10:admins”. Remember that for email verification you must have the SMTP server configured; otherwise you just enable it:\nSomething important: optionally, you can ask the client to configure MFA for better security, you just have to add it in “Required User Action”. Now we assign a password to the user: click on “Credentials”, enter the “password”, deactivate the “Temporary” option and click on “Set Password”:\nWe are now ready to start setting up Kasten K10 authentication with Keycloak. 
In the next post (Click Here) we will review it step by step.\nRelated posts # Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 2 Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 3 Kasten K10 Authentik How to Integrate Active Directory with Kasten K10 and OpenShift Chile Law 21.719: technical compliance manual with Veeam ","date":"26 January 2022","externalUrl":null,"permalink":"/en/posts/kasten-rbac-multi-tenant-multi-cluster-keycloak/","section":"Blog","summary":"In this post, we will look at Role Based Access Control (RBAC) configuration in conjunction with Kasten K10 for access to one or multiple clusters protected by Kasten. It is aimed both at clients who manage one or more clusters of any Kubernetes distribution supported by K10, and at service providers (SP or MSP) that offer Kubernetes container protection with Kasten K10, with the aim of providing controlled access to users and clients according to the granular roles required by each cluster or operation. We will also use a Single Sign-On (SSO) solution based on OpenID, in this case Keycloak, for the centralized management of access credentials for users and groups.","title":"Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1","type":"posts"},{"content":" Excellent topic we\u0026rsquo;re reviewing — in the previous post we reviewed everything related to configuring Keycloak for centralized user management through OpenID, preparing it for integration with Kasten K10 and Kasten K10 Multi-Cluster Manager. So in this post we will go through the step-by-step configuration of the ClusterRoles, Roles and groups needed to manage Kasten K10 via RBAC.\nKasten Keycloak Configuration # \\\\\\* The idea of this series is to explain how to generate the groups, roles, clusterroles and other resources associated with RBAC, without the need to be directly modifying user permissions in the Kubernetes cluster over time. This way, all user creation, group creation and group assignment is done in Keycloak. 
***\nWe must connect to the primary Kubernetes cluster where Kasten K10 is installed and then configure the authentication with Keycloak. But first, we need to extract the \u0026ldquo;Secret\u0026rdquo; of our \u0026ldquo;kasten\u0026rdquo; Client from the \u0026ldquo;Credentials\u0026rdquo; menu and put it in the \u0026ldquo;auth.oidcAuth.clientSecret\u0026rdquo; variable (replacing SuperDuperClientSecret), also replacing the URLs with your own DNS or IP data. Run the following command (for security I removed part of the secret):\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --set auth.oidcAuth.enabled=true \\\n  --set auth.oidcAuth.providerURL=\u0026#34;https://auth.24xsiempre.com/auth/realms/kasten\u0026#34; \\\n  --set auth.oidcAuth.redirectURL=\u0026#34;https://kasten.24xsiempre.com/\u0026#34; \\\n  --set auth.oidcAuth.scopes=\u0026#34;groups profile email\u0026#34; \\\n  --set auth.oidcAuth.groupClaim=\u0026#34;groups\u0026#34; \\\n  --set auth.oidcAuth.prompt=\u0026#34;login\u0026#34; \\\n  --set auth.oidcAuth.clientID=\u0026#34;kasten\u0026#34; \\\n  --set auth.oidcAuth.clientSecret=\u0026#34;SuperDuperClientSecret\u0026#34; \\\n  --set auth.oidcAuth.usernameClaim=\u0026#34;email\u0026#34; \\\n  --reuse-values \\\n  --set externalGateway.create=true\n```\nNow we\u0026rsquo;ll see what each of these variables means:\n- --set auth.oidcAuth.enabled=true / Enables OpenID authentication\n- --set auth.oidcAuth.providerURL=\u0026#34;https://auth.24xsiempre.com/auth/realms/kasten\u0026#34; / Authentication URL\n- --set auth.oidcAuth.redirectURL=\u0026#34;https://kasten.24xsiempre.com/\u0026#34; / K10 application URL\n- --set auth.oidcAuth.scopes=\u0026#34;groups profile email\u0026#34; / Client Scopes to validate\n- --set auth.oidcAuth.groupClaim=\u0026#34;groups\u0026#34; / Name of the group Client Scope\n- --set auth.oidcAuth.prompt=\u0026#34;login\u0026#34; / Login prompt\n- --set auth.oidcAuth.clientID=\u0026#34;kasten\u0026#34; / Name of the Client in the 
created Realm\n- --set auth.oidcAuth.clientSecret=\u0026#34;SuperDuperClientSecret\u0026#34; / Client secret\n- --set auth.oidcAuth.usernameClaim=\u0026#34;email\u0026#34; / In case of email-based authentication\n- --reuse-values / Reuse the values already configured\n- --set externalGateway.create=true / Reconfigures the K10 gateway service for remote access\nAn important note: if you already have another authentication method configured for Kasten, it\u0026rsquo;s better to disable it before running the previous command, to avoid errors.\nUser Access # Since we already have everything configured — including the user we created in the previous post — we just need to log in to the Kasten web interface. Let\u0026rsquo;s recall the user details:\n- User: kastenadmin\n- Password: SuperDuperPassword or whatever was applied\n- Group: k10:admins\nNow we access the Kasten URL (in my case https://kasten.24xsiempre.com/k10/#/) and it will redirect us to the Keycloak login form of the kasten realm. We enter the credentials:\nAnd we\u0026rsquo;ll see that we have a successful login with all permissions, since we belong to the \u0026ldquo;k10:admins\u0026rdquo; group and we didn\u0026rsquo;t have to edit any ClusterRole or Role.\nTo confirm the permissions, you can validate them graphically either by viewing \u0026ldquo;permissions\u0026rdquo; \u0026ldquo;unrestricted\u0026rdquo; or by entering the primary cluster, then \u0026ldquo;Cluster Settings\u0026rdquo;, then \u0026ldquo;Support\u0026rdquo; and finally clicking on \u0026ldquo;View Current User Details\u0026rdquo;. You\u0026rsquo;ll be able to see all the permissions of that user and the group they belong to:\nSo far so good, but what if we move the \u0026ldquo;kastenadmin\u0026rdquo; user to a different group? 
We\u0026rsquo;ll enter Keycloak again and change the group from \u0026ldquo;k10:admins\u0026rdquo; to \u0026ldquo;k10:basic\u0026rdquo;:\nAnd when we log in to Kasten again, we\u0026rsquo;ll see the following:\nThe \u0026ldquo;kastenadmin\u0026rdquo; user no longer belongs to \u0026ldquo;k10:admins\u0026rdquo; and now belongs to \u0026ldquo;k10:basic\u0026rdquo;, which is not configured with its respective ClusterRoleBinding or RoleBinding associated with any ClusterRole or Role.\nCreating Access Roles in Kasten K10 # As we saw earlier, we have the Kasten K10 primary cluster configured, as well as Kasten Multi-Cluster Manager. We\u0026rsquo;ll start by reviewing access only to the primary cluster without the need to access Multi-Cluster roles.\nAdministrator User # In case we don\u0026rsquo;t need Multi-Cluster Manager, it\u0026rsquo;s possible to manage users with Keycloak. So we\u0026rsquo;ll create a group in Keycloak to access the cluster, named \u0026ldquo;k10:solo\u0026rdquo;, and associate it with the user \u0026ldquo;kastenadmin\u0026rdquo;:\nAnd now, via SSH, we\u0026rsquo;ll list the ClusterRoles:\n```bash\nkubectl get clusterrole | grep k10\n```\nWe\u0026rsquo;ll create a YAML file with the following content:\n```bash\nnano k10solo.yaml\n```\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: k10-k10-solo\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: k10-admin\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: k10:solo\n```\nAnd then apply it with the command:\n```bash\nkubectl apply -f k10solo.yaml\n```\nWe\u0026rsquo;ll confirm the creation of the ClusterRoleBinding by listing with the command:\n```bash\nkubectl get clusterrolebindings | grep k10\n```\nAnd if we log in to Kasten K10 again, we\u0026rsquo;ll be able to validate that we only have access to the production cluster as administrator. Now, why do I have access as administrator? 
On line 5 of the YAML file we generated, the roleRef references the ClusterRole \u0026ldquo;k10-admin\u0026rdquo;, which grants us that role. When accessing, we\u0026rsquo;ll see that we have access to everything, except for the following error:\nWhat Kasten K10 is telling us is that the user doesn\u0026rsquo;t have permissions in the \u0026ldquo;kasten-io\u0026rdquo; namespace to query or list deployments and know the status of the services. For this we must bind the \u0026ldquo;k10:solo\u0026rdquo; group to the \u0026ldquo;k10-ns-admin\u0026rdquo; Role in that namespace. To list the role:\n```bash\nkubectl get roles -n kasten-io\n```\nThere are always several ways to edit these roles — you can edit it directly with the command kubectl edit roles k10-ns-admin -n kasten-io or use the following YAML:\n```bash\nnano ns-admin-k10solo.yaml\n```\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: k10-k10-ns-solo\n  namespace: kasten-io\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: k10-ns-admin\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: k10:solo\n```\n```bash\nkubectl apply -f ns-admin-k10solo.yaml\n```\nWe\u0026rsquo;ll confirm the creation of the RoleBinding by listing with the command:\n```bash\nkubectl get rolebindings -n kasten-io\n```\nAnd now we\u0026rsquo;ll validate the permissions again, checking that the Kasten K10 service status error no longer appears:\nAnd now we have everything in a great color :). 
Now, what if I want a user who can execute but cannot modify the configurations?\nOperator User # As we\u0026rsquo;ve seen before, we\u0026rsquo;re going to create a group in Keycloak called \u0026ldquo;k10:operador\u0026rdquo; and assign it, again as the only group, to the user \u0026ldquo;kastenadmin\u0026rdquo;.\nWhat does an operator need? For example, to see all the applications, all the backup policies and the automatically generated reports, and also to create and edit backup policies, but NOT to delete any resource or edit any configuration.\nSo we\u0026rsquo;re going to create a ClusterRole with the permissions necessary for the \u0026ldquo;Operator\u0026rdquo; role. We\u0026rsquo;ll create the file with its respective content:\n```bash\nnano k10operadorclusterrole.yaml\n```\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: k10-operador\nrules:\n- apiGroups:\n  - actions.kio.kasten.io\n  - apps.kio.kasten.io\n  - config.kio.kasten.io\n  - reporting.kio.kasten.io\n  - vault.kio.kasten.io\n  resources:\n  - \u0026#39;*\u0026#39;\n  verbs:\n  - get\n  - list\n  - patch\n  - update\n  - watch\n  - create\n- apiGroups:\n  - cr.kanister.io\n  resources:\n  - \u0026#39;*\u0026#39;\n  verbs:\n  - \u0026#39;*\u0026#39;\n- apiGroups:\n  - \u0026#34;\u0026#34;\n  resources:\n  - namespaces\n  verbs:\n  - create\n  - get\n  - list\n```\nAnd we apply the file:\n```bash\nkubectl apply -f k10operadorclusterrole.yaml\n```\nAs we can see in the file, the operator clusterrole does not have delete permissions. 
We validate the clusterrole creation:\n```bash\nkubectl get clusterrole | grep k10\n```\nNow we generate the clusterrolebinding to associate it with our user group \u0026ldquo;k10:operador\u0026rdquo;:\n```bash\nnano k10operadorbind.yaml\n```\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: k10-k10-operador\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: k10-operador\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: k10:operador\n```\nAnd we apply the file:\n```bash\nkubectl apply -f k10operadorbind.yaml\n```\nWe validate:\n```bash\nkubectl get clusterrolebindings | grep k10\n```\nAnd finally, since the user will be able to access but not delete, we\u0026rsquo;ll also add them to \u0026ldquo;ns-admin\u0026rdquo;:\n```bash\nnano k10operadornsadmin.yaml\n```\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: k10-k10-ns-operador\n  namespace: kasten-io\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: k10-ns-admin\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: k10:operador\n```\nWe validate the creation:\n```bash\nkubectl get rolebinding -n kasten-io\n```\nWe validate access to Kasten K10:\nFor example, if the user wants to delete a Backup Policy, they will receive the following message:\nBut if they want to create a backup policy, they will be able to do so:\nOr if they want to delete a \u0026ldquo;Location Profile\u0026rdquo; they won\u0026rsquo;t be able to, since they don\u0026rsquo;t have permission for it and the delete button is disabled:\nWith this it\u0026rsquo;s demonstrated that you can generate RBAC resources associated with groups, managing users directly from Keycloak, without the need to create local users or edit the clusterroles / clusterrolebindings every time a user needs access to the Kasten platform. 
But we haven\u0026rsquo;t finished yet — we still need to review the RBAC of Kasten Multi-Cluster Manager, which we will cover in the next post, Click Here!\nRelated posts # Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 3 Kasten K10 Authentik How to Integrate Active Directory with Kasten K10 and OpenShift ","date":"26 January 2022","externalUrl":null,"permalink":"/en/posts/kasten-rbac-multi-tenant-multi-cluster-keycloak-2/","section":"Blog","summary":"Excellent topic we’re reviewing — in the previous post we reviewed everything related to configuring Keycloak for centralized user management through OpenID, preparing it for integration with Kasten K10 and Kasten K10 Multi-Cluster Manager. So in this post we will go through step-by-step configuration of the ClusterRoles, Roles and groups needed to manage Kasten K10 via RBAC.","title":"Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 2","type":"posts"},{"content":" And we continue with this excellent topic we are reviewing. In the previous post we covered everything related to the configuration of clusterroles, roles and bindings for Kasten K10, creating cluster roles for Administrators and for Operators of a particular cluster. In this last post we will see the configuration of roles, clusterroles and bindings with Kasten K10 Multi-Cluster Manager and, of course, with Keycloak for the management of Users and Groups.\nConfiguration Kasten K10 Multi-Cluster Keycloak # \\\\\\* The idea of this series is to explain how to generate the groups, roles, clusterroles and other resources associated with RBAC, without the need to modify user permissions directly in the Kubernetes cluster over time, so that all user creation, group creation and group assignment is done in Keycloak. 
The OpenID configuration for Kasten K10 Multi-Cluster Manager is almost identical to that of Kasten K10, since the same steps are needed to enable authentication; I repeat them in this post in case you landed right here.\nWe connect to the primary Kubernetes cluster where Kasten K10 Multi-Cluster Manager is installed and configure authentication with Keycloak. First we need the \"Secret\" of our \"kasten\" Client from the \"Credentials\" menu in Keycloak, which goes into the variable auth.oidcAuth.clientSecret (replace SuperDuperClientSecret), and of course we replace the URLs with our own DNS names or IPs. Then we run the following command (in the screenshot part of the secret is removed for security):\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --set auth.oidcAuth.enabled=true \\\n  --set auth.oidcAuth.providerURL=\"https://auth.24xsiempre.com/auth/realms/kasten\" \\\n  --set auth.oidcAuth.redirectURL=\"https://kast24xsiempre.com/en/\" \\\n  --set auth.oidcAuth.scopes=\"groups profile email\" \\\n  --set auth.oidcAuth.groupClaim=\"groups\" \\\n  --set auth.oidcAuth.prompt=\"login\" \\\n  --set auth.oidcAuth.clientID=\"kasten\" \\\n  --set auth.oidcAuth.clientSecret=\"SuperDuperClientSecret\" \\\n  --set auth.oidcAuth.usernameClaim=\"email\" \\\n  --reuse-values \\\n  --set externalGateway.create=true\n```\nNow let us see what each of these variables means:\n- **--set auth.oidcAuth.enabled=true** / Enable OpenID authentication\n- **--set auth.oidcAuth.providerURL=\"https://auth.24xsiempre.com/auth/realms/kasten\"** / Issuer URL of the Keycloak realm used to authenticate\n- **--set auth.oidcAuth.redirectURL=\"https://kast24xsiempre.com/en/\"** / URL of the K10 application that Keycloak redirects back to\n- **--set auth.oidcAuth.scopes=\"groups profile email\"** / Client scopes to request\n- **--set auth.oidcAuth.groupClaim=\"groups\"** / Name of the claim that carries the group membership\n- **--set auth.oidcAuth.prompt=\"login\"** / Force the login form (OIDC prompt=login)\n- **--set auth.oidcAuth.clientID=\"kasten\"** / Name of the Client created in the realm\n- **--set auth.oidcAuth.clientSecret=\"SuperDuperClientSecret\"** / Client secret\n- **--set auth.oidcAuth.usernameClaim=\"email\"** / Use the email claim as the user name\n- **--reuse-values** / Keep the values already configured in the release\n- **--set externalGateway.create=true** / Reconfigure the K10 gateway service for remote access\nTwo important points. If you already have another authentication method configured in Kasten and the command fails, disable that method first and run the command again. Also, a secret passed with --set is recorded in your shell history and in the stored release values (helm get values k10 -n kasten-io shows it), so clean the history and restrict who can read the release, or pass the value from a values file with restricted permissions.\n## User access\nAs we already have everything configured and the user was created in the previous post, we only need to enter the Keycloak web interface and make sure the user has the following:\n- User: kastenadmin\n- Password: SuperDuperPassword, or whatever you set\n- Group: k10:admins\nThen we go to the Kasten URL, in my case https://kast24xsiempre.com/en/k10/#/, and it redirects us to the Keycloak login form of the Kasten realm, where we enter the credentials:\nWe can see that the login succeeds with full permissions, because we belong to the group \"k10:admins\", and we did not have to edit any ClusterRole or Role. To confirm the permissions you can check them graphically, either by looking at \"permissions\" \"unrestricted\" or, in the primary cluster, going to \"Cluster Settings\", then \"Support\" and finally clicking \"View Current User Details\", which shows all the permissions of that user and the group it belongs to:\n## Creation of access roles in Kasten K10 Multi-Cluster Manager\nAs we saw before, we have configured the primary cluster of Kasten K10. Now we will configure the roles, associated with groups, needed to access Kasten K10 Multi-Cluster Manager.\n### Administrator user\nK10 Multi-Cluster Manager is intended mainly for administrators, but it is possible to give a regular user access without administration permissions on Multi-Cluster Manager. Also, as we saw in the previous post, a user can be given full access directly to a cluster protected by K10 even when that cluster is managed through Multi-Cluster Manager. In both cases the users are managed with Keycloak. As mentioned before, for administration it is necessary to belong to the group \"k10:admins\". If we validate access:\nNow I need access to K10 Multi-Cluster Manager as a user without the ability to modify global settings.\n### Operator user\nIn general a user with limited permissions is always necessary, also in K10 Multi-Cluster Manager, remembering that it is always possible to assign a group of users an operation role directly on Kasten K10 without going through Multi-Cluster Manager. So in Keycloak we change the group of the user \"kastenadmin\" to \"k10:mc-user\". If we validate access we get the following error:\nThe error appears because no RoleBinding has been created for the group \"k10:mc-user\", so we create it as follows (the k10-mc-user ClusterRole is bound with a RoleBinding, so it only applies inside the kasten-io-mc namespace):\n```bash\nkubectl create rolebinding k10-mc-user-demo --clusterrole=k10-mc-user \\\n  --namespace=kasten-io-mc \\\n  --group=k10:mc-user\n```\nWe validate the creation of the RoleBinding:\n```bash\nkubectl get rolebindings -n kasten-io-mc\n```\nAnd we validate access to Kasten:\nAs we can see in the previous image, the user does not have access to the \"qadesarrollo\" cluster and cannot view the resources of the primary cluster either. 
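The following shell script is an added example, not code from the original posts. It renders the two group bindings created for the operator group in the previous post (ClusterRoleBinding to k10-operador and RoleBinding to k10-ns-admin) as well as the namespaced RoleBinding of the k10-mc-user ClusterRole shown above, and then checks the resulting permissions with kubectl impersonation (`kubectl auth can-i --as ... --as-group ...`) instead of logging in through Keycloak, which is the check you want before handing the group to real users. Assumptions not taken from the posts: the K10 CRD names `policies.config.kio.kasten.io` and `profiles.config.kio.kasten.io` are what stand behind "Backup Policy" and "Location Profile", and `rbac-probe` is a placeholder user name for impersonation (the caller needs the impersonate verb, which cluster-admin has).

```shell
#!/bin/sh
# Added example (not from the original posts): render Kasten K10 group
# bindings and verify the resulting permissions with kubectl impersonation.
# Assumptions: CRD names policies/profiles.config.kio.kasten.io stand behind
# "Backup Policy" / "Location Profile"; "rbac-probe" is a placeholder user.
set -eu

# kubectl command (overridable so the functions can be exercised offline).
KUBECTL=${KUBECTL:-kubectl}

# ClusterRoleBinding: grant CLUSTERROLE cluster-wide to the OIDC group GROUP.
render_clusterrolebinding() {
  local name=$1 clusterrole=$2 group=$3
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${clusterrole}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${group}
EOF
}

# RoleBinding inside NAMESPACE. ROLEKIND is Role (k10-ns-admin in kasten-io)
# or ClusterRole (k10-mc-user in kasten-io-mc): a ClusterRole referenced from
# a RoleBinding only applies within that namespace.
render_rolebinding() {
  local name=$1 namespace=$2 rolekind=$3 role=$4 group=$5
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${name}
  namespace: ${namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ${rolekind}
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: ${group}
EOF
}

# Ask the API server what a member of GROUP may do, via impersonation.
# "kubectl auth can-i" prints yes/no and exits 1 on "no", hence "|| true".
# Succeeds only if the answer equals EXPECTED.
check_can_i() {
  local group=$1 verb=$2 resource=$3 namespace=$4 expected=$5 got
  got=$("$KUBECTL" auth can-i "$verb" "$resource" -n "$namespace" \
        --as=rbac-probe --as-group="$group" 2>/dev/null || true)
  [ "$got" = "$expected" ]
}

# Least-privilege contract for the operator group as the post describes it:
# may create backup policies, may not delete policies or location profiles.
# Format: verb resource namespace expected-answer
operator_expectations() {
  cat <<EOF
create policies.config.kio.kasten.io kasten-io yes
delete policies.config.kio.kasten.io kasten-io no
delete profiles.config.kio.kasten.io kasten-io no
EOF
}

# Run every expectation for GROUP; print one line per check and return the
# number of mismatches (0 means the bindings behave as intended).
audit_group() {
  local group=$1 failures=0 verb resource ns expected
  while read -r verb resource ns expected; do
    if check_can_i "$group" "$verb" "$resource" "$ns" "$expected"; then
      echo "ok   $group $verb $resource -n $ns = $expected"
    else
      echo "FAIL $group $verb $resource -n $ns, expected $expected"
      failures=$((failures + 1))
    fi
  done <<EOF
$(operator_expectations)
EOF
  return "$failures"
}

# Apply the operator bindings from the post and audit the group.
main() {
  render_clusterrolebinding k10-k10-operador k10-operador k10:operador | "$KUBECTL" apply -f -
  render_rolebinding k10-k10-ns-operador kasten-io Role k10-ns-admin k10:operador | "$KUBECTL" apply -f -
  audit_group k10:operador
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as a cluster administrator with `--apply` to create the bindings and print the audit; without arguments it only defines the functions, so the renderers can be piped into `kubectl apply --dry-run=client -f -` first. A non-zero exit from the audit means a binding grants more (or less) than the post intends, which is the signal to look at the ClusterRole rules before the group is rolled out in Keycloak.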
\nIt is good practice, when granting access to K10 Multi-Cluster Manager, to restrict administration of the primary cluster, since the centralized configuration of all resources is concentrated in that cluster.\nAssignment of K10ClusterRoles in Multi-Cluster Manager # Having bound the group at the ClusterRole level, we now need to allow the user to administer one specific cluster. So, with an administrator user belonging to the group \"k10:admins\", we add the user \"kastenadmin\" to a K10ClusterRole so that it can manage a cluster.\nWhen creating the K10ClusterRole assignment we indicate that the user is administrator of the cluster \"qadesarrollo\". Remember that there are 3 K10ClusterRoles you can assign to the user: \"k10-multi-cluster-admin\", \"k10-multi-cluster-basic\" and \"k10-multi-cluster-config-view\". If we validate access again we see that it now has the necessary permissions:\nConclusions and recommendations # As we saw in this series of 3 posts, it is possible to use Kubernetes RBAC to grant granular permissions on Kasten K10 and Kasten K10 Multi-Cluster Manager. Even when clusters are managed centrally, any client or user of Kasten can be given direct access to the desired cluster without going through Multi-Cluster Manager, which is why it is always recommended to use an SSO solution, in this case Keycloak or whichever you prefer, since the OpenID Connect protocol is standard. 
As a recommendation, always apply the principle of least privilege and grant permissions according to the operational need; create the specific ClusterRoles first and later only add user groups to them.\nBook demo Kasten K10 # If for any reason you need to test this type of access, I have left the platform running in the lab, so any user can register, access the K10 Multi-Cluster Manager and play with the test environment. To register and get access just go to:\nhttps://kast24xsiempre.com/en\nAnd click on \"Register\".\nWhen you register it will ask for email verification and then you will have access to the laboratory. 🙂\nRelated posts # Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 2 Kasten K10 Authentik How to Integrate Active Directory with Kasten K10 and OpenShift ","date":"26 January 2022","externalUrl":null,"permalink":"/en/posts/kasten-rbac-multi-tenant-multi-cluster-keycloak-3/","section":"Blog","summary":"And we continue with this excellent topic that we are reviewing, in the previous post we reviewed everything related to the configuration of clusterroles, roles, bindings for Kasten K10, creating cluster roles for Administrators and for Operators of a particular cluster. 
In this last post we will see the configuration of roles, clusterroles, bindings with Kasten K10 Multi-Cluster Manager and of course with Keycloak for the management of Users and Groups.","title":"Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 3","type":"posts"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/tags/kasten-keycloak/","section":"Tags","summary":"","title":"Kasten-Keycloak","type":"tags"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/categories/keycloak/","section":"Categories","summary":"","title":"Keycloak","type":"categories"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/tags/keycloak/","section":"Tags","summary":"","title":"Keycloak","type":"tags"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/categories/multi-tenant/","section":"Categories","summary":"","title":"Multi-Tenant","type":"categories"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/tags/multi-tenant/","section":"Tags","summary":"","title":"Multi-Tenant","type":"tags"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/categories/openshift/","section":"Categories","summary":"","title":"Openshift","type":"categories"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/tags/role-based-access-control/","section":"Tags","summary":"","title":"Role-Based-Access-Control","type":"tags"},{"content":"","date":"26 January 2022","externalUrl":null,"permalink":"/en/tags/service-provider/","section":"Tags","summary":"","title":"Service-Provider","type":"tags"},{"content":"","date":"13 October 2021","externalUrl":null,"permalink":"/en/tags/red-hat/","section":"Tags","summary":"","title":"Red-Hat","type":"tags"},{"content":"","date":"13 October 2021","externalUrl":null,"permalink":"/en/tags/red-hat-backup/","section":"Tags","summary":"","title":"Red-Hat-Backup","type":"tags"},{"content":"","date":"13 October 
2021","externalUrl":null,"permalink":"/en/tags/red-hat-virtualization/","section":"Tags","summary":"","title":"Red-Hat-Virtualization","type":"tags"},{"content":"","date":"October 13, 2021","externalUrl":null,"permalink":"/es/tags/respaldo-red-hat/","section":"Etiquetas","summary":"","title":"Respaldo-Red-Hat","type":"tags"},{"content":"","date":"October 13, 2021","externalUrl":null,"permalink":"/es/tags/respaldo-rhv/","section":"Etiquetas","summary":"","title":"Respaldo-Rhv","type":"tags"},{"content":"","date":"13 October 2021","externalUrl":null,"permalink":"/en/tags/rhv/","section":"Tags","summary":"","title":"Rhv","type":"tags"},{"content":"","date":"13 October 2021","externalUrl":null,"permalink":"/en/tags/rhv-backup/","section":"Tags","summary":"","title":"Rhv-Backup","type":"tags"},{"content":" Tremendous news from Veeam! It now supports a new virtualization platform, Red Hat Virtualization, with the aim of protecting virtual machines in an easy way while taking advantage of the new CBT (changed block tracking) APIs implemented in RHV. In this post we will see how to deploy Veeam Backup for Red Hat Virtualization integrated with Veeam Backup & Replication, reviewing the features and dependencies necessary for complete RHV protection.\nInitial Steps # As usual, we should always start with the official documentation of the solution, in this case Veeam Backup for RHV 1.0:\nManual: https://helpcenter.veeam.com/docs/vbrhv/userguide/overview.html?ver=10 Release Notes: https://www.veeam.com/veeam_backup_for_rhv_1_0_release_notes_rn.pdf Download from Veeam RHV: https://www.veeam.com/backup-red-hat-virtualization-download.html Something very important to point out: this version of Veeam Backup for RHV is a public BETA, that is, you can download and deploy it, and it comes with official support from Veeam. You need valid licensing in your VBR, since it integrates with Veeam Universal License. 
Of course you can use trial licenses.\nRequirements # To host our backups we need a repository in Veeam Backup & Replication:\nVeeam Backup & Replication 11a (11.0.1.1261) or higher\nRed Hat Virtualization 4.4.8 or higher\nVirtual hardware for the Veeam RHV appliance:\n4 CPU cores + 1 for each concurrent task (more can be added if necessary)\n4 GB RAM minimum (more can be added if needed)\n64 GB disk space\nIt is recommended that if the number of CPUs is increased, the amount of RAM is increased in parallel, that is, if the appliance has 8 CPU cores it should also have 8 GB of RAM, and so on.\nNetwork\nDHCP (the IP address can be changed later from the interface)\nPorts\nhttps://helpcenter.veeam.com/docs/vbrhv/userguide/used_ports.html?ver=10\nVirtual Machine Disks\nThis option is important to take advantage of the CBT API for the machines running on Red Hat Virtualization: the disks of the machines to be protected must have the option \"Enable Incremental Backup\" enabled.\nSince this is a limitation of the virtualization platform, it is important to review:\nhttps://helpcenter.veeam.com/docs/vbrhv/userguide/backup_job_prerequisites.html?ver=10\nInstallation Veeam Backup for RHV # Having downloaded the appliance, we must copy it to a host in the cluster over SSH; in my case I use WinSCP and leave it in the path /tmp/veeam/\nThen we assign permissions so that the RHV host can read the files (remember I have them in /tmp/veeam/) with the following commands:\n```bash\nchmod -R 755 veeam/\nchown 36:36 -R veeam/\nls -ltrh veeam/\n```\nAs seen in the image above, the vdsm user and kvm group (UID/GID 36 on RHV hosts) now have access to the files, so it is time to import the appliance into the Red Hat Virtualization console. 
We go to Compute -> Virtual Machines and in the drop-down menu select the option \"Import\".\nThen we select the Datacenter, the Source, which must be \"Virtual Appliance\", the RHV host where we uploaded the appliance files, and finally the path of the files, in this case /tmp/veeam/, and click \"Load\". It shows the name of the appliance; select it and move it to \"Virtual Machines to Import\".\nThen click \"Next\" to select the CPU, allocation and other settings; you can leave them as default and click \"OK\".\nNow we just have to wait for the appliance import task to finish; you can follow it in \"Tasks\" or directly on the virtual machine:\nNow we only have to power on the machine: select the machine \"veeam_rhv_proxy_beta_vm_1.0.1488\" (or whatever name you entered) and click \"Run\".\nIf you want to watch the boot, select the virtual machine and click \"Console\" to download a utility to view the virtual machine:\nA file named console.vv is downloaded automatically; run it and you will have access to the virtual machine:\nIn case the IP is not assigned by DHCP, check with the RHV administrator or restart the appliance.\nConfiguration Veeam Backup for RHV # As we could see in the last image, it shows the IP address assigned by DHCP, so we open that address over HTTPS:\nThe username and password for the first access are \"veeam\" / \"veeam\", and we enter Veeam Backup for Red Hat Virtualization.\nOf course we select the \"Install\" option, accept the EULA and enter the requested settings:\nAfter clicking \"Next\" you enter the new password.\nIn this step you can assign the server name, a fixed IP address and DNS, for example:\nClick Next and we see the summary of the configuration; finish by clicking \"Finish\".\nNow wait 60 seconds for the configuration to be applied and the services to be restarted internally.\nThen we log in via FQDN or IP with our new 
credentials:\nUpdate Veeam Backup for RHV # Once in the Dashboard, click the configuration icon (gear) in the upper right\nand select \"Appliance Settings\". Here we can configure what the appliance needs; in this case we set the \"Time Zone\" and then apply updates.\nClick \"Updates\" and then \"Check and view updates\".\nAnother tab opens where you can check whether updates are available, either for the operating system or for Veeam Backup for RHV.\nSelect all updates and install them.\nClose the updates tab and move on to connect Veeam Backup for RHV with the hypervisor and with Veeam Backup & Replication.\nConfiguration Veeam Backup & Replication # Again go to the configuration icon (gear) and select \"Manage Backup Server\".\nClick \"Add\", enter the information of Veeam Backup & Replication and click \"OK\".\nIt then shows the applied configuration.\nConfiguring Red Hat Virtualization Manager # Now click \"Manage Virtualization Manager\", then \"Add\" and enter the data. Something very important: everything must be configured using DNS names.\nThe user must always be an administrative user of the form \"admin@internal\", and if it does not recognize the certificate the first time, just retry.\nClicking \"OK\" asks whether we want to accept the certificate and proceed.\nIt then shows the RHV version and the applied configuration.\nNow, 
returning to the \"Dashboard\", we see that it recognizes the existing virtual machines and the repository configuration of Veeam Backup & Replication:\nBackup Job Creation # We select the \"Jobs\" menu in the \"Dashboard\" to enter the Jobs panel; of course we do not have any configured yet.\nClick \"Add\" and enter the name of the backup job:\nAfter clicking \"Next\" we add the virtual machines to protect.\nClick \"Add\" and select the machines to be backed up.\nAfter clicking \"Add\" we go to the configuration of the repository where the backups will be stored; in this step you only have to choose the Veeam Backup & Replication repository and the number of restore points.\nThen we go to the schedule by clicking \"Next\" and enter what is needed.\nFinally we see the summary of the job configuration, and we start the backup right after creation by selecting \"Run job when I click Finish\".\nThen we see the backup statistics:\nIn our Veeam Backup & Replication console we also see the backup job and whether it is running or not:\nAnd of course the completion of the backup:\nIf you want to check an incremental backup, run the job again and look at the statistics.\nFile or Virtual Machine Recovery # Recoveries can be performed both from Veeam Backup & Replication and from the web interface of Veeam Backup for RHV; for example, all recoveries can be performed from VBR as shown in the following image:\nFrom Veeam Backup for RHV, clicking \"Protected VMs\" and selecting the virtual machine shows its restore points as well as the two initial options: recover the entire machine or just its disks.\nClicking \"Restore\" lets you recover the virtual machine to the same location or to another one with a different configuration, and with \"Disk Restore\" you can map the disk you want to recover to the virtual 
machine you need at that moment. To recover the complete machine it shows the following:\nHere we select the restore point using the \"Point\" icon.\nWe select the point we want to use and then the restore mode; in this case I use \"Restore to Original Location\".\nClick \"Next\" and enter the reason for the restore.\nIt warns that the current virtual machine will be removed from the virtual infrastructure to proceed with the recovery:\nWe select to power on the VM after the recovery:\nAnd we see the recovery statistics:\nRecommendations # It is very important to read the disk limitations: in order to use native incremental backups from Red Hat Virtualization, the disks must be in QCOW2 format, which is what allows the CBT API to be used, as indicated in:\nhttps://helpcenter.veeam.com/docs/vbrhv/userguide/backup_job_prerequisites.html?ver=10\nIn case of any communication problem between the solutions you can check:\nhttps://helpcenter.veeam.com/docs/vbrhv/userguide/troubleshooting.html?ver=10\nAnd for cases where incremental backup is disabled system-wide, or you have disks without incremental backup enabled, the \"Enable Incremental Backup\" option should be revisited:\nhttps://www.veeam.com/kb4208\nFinally, even if you do not enable that option, you can still protect your virtual machines with Veeam Backup for Red Hat Virtualization.\nRelated posts # Veeam Citrix Hypervisor / Xenserver Protecting Oracle KVM with Veeam Proxmox Lab with ZimaBlade Veeam + Kasten ","date":"13 October 2021","externalUrl":null,"permalink":"/en/posts/veeam-backup-for-red-hat-virtualization/","section":"Blog","summary":"Tremendous news from Veeam! Now it supports a new virtualization platform, Red Hat Virtualization, with the aim of protecting virtual machines in an easy way and taking advantage of the integration of the new CBT APIs that have been implemented in RHV. 
In this post we will see how to deploy Veeam for Red Hat Virtualization integrated with Veeam Backup \u0026 Replication reviewing the features and dependencies necessary for complete RHV protection.","title":"Veeam Backup for Red Hat Virtualization","type":"posts"},{"content":"","date":"13 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-backup-for-rhv/","section":"Tags","summary":"","title":"Veeam-Backup-for-Rhv","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/baas/","section":"Tags","summary":"","title":"Baas","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/clave/","section":"Tags","summary":"","title":"Clave","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/draas/","section":"Tags","summary":"","title":"Draas","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/performance/","section":"Tags","summary":"","title":"Performance","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/registro/","section":"Tags","summary":"","title":"Registro","type":"tags"},{"content":"","date":"October 8, 2021","externalUrl":null,"permalink":"/es/tags/rendimiento/","section":"Etiquetas","summary":"","title":"Rendimiento","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/vcloud/","section":"Tags","summary":"","title":"Vcloud","type":"tags"},{"content":"","date":"October 8, 2021","externalUrl":null,"permalink":"/es/categories/vcloud-director/","section":"Categorías","summary":"","title":"Vcloud-Director","type":"categories"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/vcloud-director/","section":"Tags","summary":"","title":"Vcloud-Director","type":"tags"},{"content":"","date":"8 October 
2021","externalUrl":null,"permalink":"/en/tags/vcsp/","section":"Tags","summary":"","title":"Vcsp","type":"tags"},{"content":" One of the most used platforms for offering remote management, backup and disaster recovery services, among others, is Veeam Cloud Connect with Veeam Service Provider Console, which enables service providers to offer multiple data protection options. In addition, there is Veeam Cloud Connect for Enterprise, which allows large companies to offer the same services internally according to the needs of their business. In this post we will review a simple configuration change that improves the performance of receiving data.\nInitial Steps # As always we should visit the official documentation and check the latest updates, such as the latest version of Veeam Service Provider Console, which is version 6; to download the ISO you must go to Veeam.com and request the download. The following links have the release notes of the latest version, as well as the addresses of the solution manuals:\nRelease Notes Veeam Service Provider Console v6: https://www.veeam.com/vspc_6_0_release_notes_rn.pdf Manual Veeam Service Provider Console v6: https://helpcenter.veeam.com/docs/vac/provider_user/about.html?ver=60 Manual Veeam Cloud Connect: https://helpcenter.veeam.com/docs/backup/cloud/cloud_overview.html?ver=110 Here we will see a configuration at the Windows registry level, with its respective before-and-after comparison, on an environment that uses Veeam Cloud Connect and Veeam Service Provider Console on VMware vSphere 7.0U2, over the Internet, in my lab.\nTest environment # Very simple: an all-in-one installation for the lab on a single virtual machine, with the following versions:\nVeeam Cloud Connect v11\nVeeam Service Provider Console v6\nVeeam Backup & Replication 11a (tenant for VM backup)\nResources of the virtual machine for VCC and VSPC AIO (never use this sizing for production):\n8 vCPUs\n12 GB RAM\nOS Disk 150 GB\nRepo Disk ReFS 
500 GB\nAs the configuration is AIO (for the lab), all the roles (Cloud Gateway, Repository, etc.) are deployed on the same server.\nIt is also very important to point out that this registry change also applies to environments that have Veeam Cloud Connect with vCloud Director and/or the respective vCloud Director plugin that provides access to the self-service portal from Veeam Enterprise Manager. Of course it also applies to Veeam Cloud Connect for Enterprise. In my case I only have 2 ESXi hosts and vCenter.\nTests before the change # In this step we perform two tests: an Active Full backup of a single virtual machine, and an Active Full backup of multiple virtual machines, both pointing directly to the repository managed by Veeam Cloud Connect with Veeam Service Provider Console.\nThe backup job configuration in my Veeam Backup & Replication environment is left at the defaults; we only change the repository, which in this case is the Veeam Cloud Connect repository configured earlier:\nThen we run the backup jobs using Active Full for both jobs and wait for them to finish.\nJob statistics with multiple virtual machines:\nAnd if we check from the Veeam Cloud Connect console we see the statistics for the single-machine job:\nAnd the statistics for the multiple virtual machines job:\nBackup task review # From the previous statistics we have the following:\n| Job Name | Status | Start Time | End Time | Data Sent | Data Received | Processing Rate |\n|---|---|---|---|---|---|---|\n| DC → VCSP (Active Full) | Success | 07-10-2021 20:23 | 07-10-2021 20:30 | 34.4 KB | 7.8 GB | 60 MB/s |\n| Multiple VMs → VCSP (Active Full) | Success | 07-10-2021 22:22 | 07-10-2021 22:50 | 227.4 KB | 49.6 GB | 69 MB/s |\nFor the single virtual machine, the Full backup took approximately 7 minutes with a \"Processing Rate\" of 60 MB/s. 
For the job with multiple machines, the Full backup took approximately 28 minutes with a \"Processing Rate\" of 69 MB/s:\n| Job | Duration | Processing Rate |\n|---|---|---|\n| DC → VCSP (Active Full) | 6.44 minutes | 60 MB/s |\n| Multiple VMs → VCSP (Active Full) | 28 minutes | 69 MB/s |\nSo with the default settings of Veeam Cloud Connect, and data traveling over the Internet, the two jobs (around 57.4 GB in total) work correctly.\nRegistry key configuration # At this stage we review how space quota is allocated when backing up to a cloud repository in Veeam Cloud Connect. This also applies to backups performed on top of vCloud Director with VCC.\nThe default behavior of VeeamAgent.exe with respect to space quota allocation is to request 512 MB every 10 seconds or so to store data; if that is exhausted, it tries to allocate more space and writes \"Storage size quota exceeded. Waiting for quota increase\" to the log, which can become a bottleneck when data is transferred quickly.\nFor this type of use case or environment, there is a registry key that changes the logic of this mechanism. It must be added under:\n```text\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Veeam\\Veeam Backup and Replication\n```\nAnd we must add the **DWORD** value:\n```text\nCloudConnectQuotaAllocationMode\n```\nThere are 3 options for this registry key:\n0 = Default value and behavior: 512 MB every 10 seconds.\n1 = VeeamAgent.exe requests the necessary space without waiting the 10 seconds.\n2 = A combination of the above values. 
Therefore, for our case we set the key to value 1 on the Veeam Cloud Connect server, or on the Veeam VBR server used with vCloud Director, and it looks as follows:\nAfter that it is only necessary to restart the \"Veeam Backup Service\" on the server where the Veeam Cloud Connect services (or Veeam VBR with vCloud Director) run.\nResults # After restarting the service and running the jobs again, forcing Active Fulls for each of them, we see the following:\nSingle virtual machine:\nMultiple virtual machines:\nStatistics from the Veeam Cloud Connect console:\nIf we review the data after the change, the summary is as follows:\n| Job Name | Status | Start Time | End Time | Data Sent | Data Received | Processing Rate |\n|---|---|---|---|---|---|---|\n| DC → VCSP (Active Full) | Success | 07-10-2021 21:47 | 07-10-2021 21:51 | 29.2 KB | 7.8 GB | 170 MB/s |\n| Multiple VMs → VCSP (Active Full) | Success | 07-10-2021 22:58 | 07-10-2021 23:11 | 206.1 KB | 49.6 GB | 175 MB/s |\nAnd the detail:\n| Job | Duration | Processing Rate |\n|---|---|---|\n| DC → VCSP (Active Full) | 4.12 minutes | 170 MB/s |\n| Multiple VMs → VCSP (Active Full) | 13 minutes | 175 MB/s |\nTime and processing differences # In terms of execution and transfer times, as well as processing rate, after applying the registry key we obtained a very noticeable performance improvement. For example:\nThe initial \"Processing Rate\" for a single virtual machine before the change was 60 MB/s and after applying the key it increased to 170 MB/s.\nThe initial \"Processing Rate\" for multiple virtual machines before the change was 69 MB/s and after applying the key it increased to 175 MB/s.\nThe duration of the single virtual machine backup before the change was 6.44 minutes and after applying the key it went down to 4.12 minutes.\nThe duration of the multiple virtual machines backup before the change was 28 minutes and after applying the key it went down to 13 minutes.\nThus we see our performance increased by 2 to 3 times in this 
case, and it could be higher on dedicated infrastructure with the proper architecture for this type of service.\nConclusion # As we saw, applying this registry key improves the performance of our backups to Veeam Cloud Connect repositories, or with the vCloud Director integration. As always, it is highly advisable to review the use case for each environment involved, in particular those with fast upload links or internal deployments, before applying the change.\nRelated posts # Veeam Capacity Tier Oracle Cloud Object Storage Veeam Backup for AWS v3 Chile Law 21.719: technical compliance manual with Veeam Veeam Hardened (Immutable) Repository ","date":"8 October 2021","externalUrl":null,"permalink":"/en/posts/veeam-cloud-connect-performance/","section":"Blog","summary":"One of the most used platforms to offer remote management services, backup, disaster recovery, among others is Veeam Cloud Connect with Veeam Service Provider Console, which enable service providers to offer multiple data protection options. In addition, there is Veeam Cloud Connect for Enterprise that allows large companies to offer services internally according to the needs of their business. 
In this post we will review a simple configuration to improve the performance of receiving data.","title":"Veeam Cloud Connect Performance","type":"posts"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-cloud/","section":"Tags","summary":"","title":"Veeam-Cloud","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-cloud-connect/","section":"Tags","summary":"","title":"Veeam-Cloud-Connect","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-service-provider-console/","section":"Tags","summary":"","title":"Veeam-Service-Provider-Console","type":"tags"},{"content":"","date":"8 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-vcsp/","section":"Tags","summary":"","title":"Veeam-Vcsp","type":"tags"},{"content":"","date":"6 October 2021","externalUrl":null,"permalink":"/en/tags/como-instalar-veeam-agent-solaris/","section":"Tags","summary":"","title":"Como-Instalar-Veeam-Agent-Solaris","type":"tags"},{"content":"","date":"6 October 2021","externalUrl":null,"permalink":"/en/tags/solaris/","section":"Tags","summary":"","title":"Solaris","type":"tags"},{"content":"","date":"6 October 2021","externalUrl":null,"permalink":"/en/tags/solaris-veeam-console/","section":"Tags","summary":"","title":"Solaris-Veeam-Console","type":"tags"},{"content":" In this post we will review one of the new features in the latest version of Veeam Backup \u0026amp; Replication 11a which has been recently released and includes console management of Veeam Backup \u0026amp; Replication for Unix agents, Veeam Agent for Solaris and Veeam Agent for AIX.\nWhere to download Veeam 11a # As usual, we will always check the official documentation to find out what\u0026rsquo;s new in this new version as well as any limitations related to some environments if there are any, for them we will visit the following addresses:\nVeeam Backup \u0026amp; Replication 
11a\nhttps://www.veeam.com/kb4215 Veeam ONE 11a\nhttps://www.veeam.com/kb4197 In addition, new versions of the other solutions have been released. veeam, for example, Veeam Backup for AWS v4, for more information on other updates visit veeam.com\nAs we see in KB4215, it indicates the centralized management of Unix, Solaris and AIX agents, therefore we will see how to install, configure and manage the agents through the VBR console and its respective protection group.\nProtection Group # In the Inventory menu and then in Physical Infrastructure, we will create a new Protection Group and after assigning the name, we will select “Computers with pre-installed agents”\nAfter selecting the previous option, we will select \u0026ldquo;Export Path\u0026rdquo; and enter the folder where we will leave the agents (in my case only Solaris - Intel, but you can select the one that is necessary) for the subsequent configuration and select \u0026ldquo;Apply\u0026rdquo;\nAnd it will show us the Status\nInstallers Review # Now. Once we finish the configuration, we will go to the folder we selected, in my case I left it on the server desktop, to see the files that were exported\nThere are 3 files (in my case only for solaris – intel)\nreadme.txt Unix.xml VeeamAgentSolaris Where readme.txt It will tell us step by step how to install Veeam Agent for Solaris Unix.xml, where the name is related to the protection group and contains the VBR access configuration and finally the installation package of Veeam Agent for Solaris. 
We unzip this package and copy the files mlocate-0.26-i386.pkg and VeeamAgent-3.0.0.561-i386.pkg with your preferred tool (in my case WinSCP) to the Solaris server that we want to protect.\nAnd we will do what readme.txt indicates.\nInstallation and configuration Veeam Agent for Solaris # We already have the files copied; we will follow the steps indicated in readme.txt and install the packages. We will start with mlocate using the command:\npkgadd -G -d mlocate-0.26-i386.pkg\nAnd then the installation of Veeam Agent for Solaris, with the command:\npkgadd -G -d VeeamAgent-3.0.0.561-i386.pkg\nNow we will import the configuration with the xml file that we copied to the server, with the following command:\nveeamconfig mode setVbrSettings --cfg Unix.xml\nAnd it will tell us that the agent is registering with the Veeam Backup server. And we can see the state of the agent in the protection group that we created earlier.\nBackup Policy Creation # Now in the Veeam Backup \u0026amp; Replication console we will configure a backup policy to be applied to the Veeam Agent for Solaris that we installed earlier.
We just have to go to “Backup Job” and select “Unix Computer”.\nBeing Unix, in this version of VBR the option selected by default will be \u0026#34;Managed by Agent\u0026#34;, therefore you just have to click Next and go on to configure the name of our policy.\nAfter adding the name to the policy we must select the protection group or the server that we are going to configure.\nAnd it will show us the server (or protection group) selected, then Next.\nIn this step we must select how we are going to back up the server; two options appear:\n- Entire Machine – Will back up the entire server, excluding network mount points\n- Custom Scope – Will back up the paths that are entered in the backup policy\nAfter defining whether the entire operating system will be backed up or just some server paths (in my case I selected the entire server), it will ask us to indicate which will be the repository for our backups; we select “Veeam backup repository”:\nAnd then we will enter the address of our Veeam Backup Server:\nWe will select the repository where we will host the backup and the number of restore points.\nThen we will check whether we will use Scripts or File Indexing, and if necessary select “enable Application-aware processing” to use scripts, where the configuration is simple.\nTo then move on to the scheduling of the execution of the backup.\nFinally we will see a summary of the configuration.\nAnd we\u0026#39;ll see the policy at work.\nFinally, as a recommendation, only for the first time, we can force the first synchronization of Veeam Agent for Solaris as indicated in the readme.txt, with the following command from the Solaris server:\nveeamconfig mode syncnow\nThen in the execution of the backup we can see the statistics:\nAnd finally the recovery of any file.\nRelated posts # Veeam Agent Linux - Oracle Linux / Exadata Veeam Oracle RMAN Plugin Veeam Plugin SAP HANA ","date":"6 October
2021","externalUrl":null,"permalink":"/en/posts/veeam-agent-for-solaris-and-veeam-11a/","section":"Blog","summary":"In this post we will review one of the new features in the latest version of Veeam Backup \u0026 Replication 11a which has been recently released and includes console management of Veeam Backup \u0026 Replication for Unix agents, Veeam Agent for Solaris and Veeam Agent for AIX.","title":"Veeam Agent for Solaris and Veeam 11a","type":"posts"},{"content":"","date":"6 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-agent-for-solaris/","section":"Tags","summary":"","title":"Veeam-Agent-for-Solaris","type":"tags"},{"content":"","date":"6 October 2021","externalUrl":null,"permalink":"/en/tags/veeam-oracle-solaris/","section":"Tags","summary":"","title":"Veeam-Oracle-Solaris","type":"tags"},{"content":"","date":"August 2, 2021","externalUrl":null,"permalink":"/es/tags/respaldo-inmutables-rhel/","section":"Etiquetas","summary":"","title":"Respaldo-Inmutables-Rhel","type":"tags"},{"content":"","date":"August 2, 2021","externalUrl":null,"permalink":"/es/tags/respaldos-inmutables/","section":"Etiquetas","summary":"","title":"Respaldos-Inmutables","type":"tags"},{"content":"","date":"1 August 2021","externalUrl":null,"permalink":"/en/tags/como-instalar-hardened-repository/","section":"Tags","summary":"","title":"Como-Instalar-Hardened-Repository","type":"tags"},{"content":"","date":"1 August 2021","externalUrl":null,"permalink":"/en/tags/immutable-backup-rhel/","section":"Tags","summary":"","title":"Immutable-Backup-Rhel","type":"tags"},{"content":"","date":"1 August 2021","externalUrl":null,"permalink":"/en/tags/immutable-backups/","section":"Tags","summary":"","title":"Immutable-Backups","type":"tags"},{"content":" In this post, we will review installing an Immutable repository from Veeam With Red Hat Enterprise Linux, we previously reviewed an application for Ubuntu called VeeamHubRepo, which allows us to easily set up an immutable repository on 
Ubuntu Linux. Now we will review how to do the configuration in Red Hat Enterprise Linux, with a small script that configures the repository automatically and in an easy-to-use way.\nIntroduction # As we saw earlier in another post, we have the step-by-step guide to configuring the Veeam immutable repository for Ubuntu with a utility; you can check it at:\n/veeam-hardened-immutable-repository/\nNow, if you are looking for an easy way to configure it, but in Red Hat Enterprise Linux, to provide backup immutability in your local environment, this post is for you.\nGood practices Veeam Immutable Repository # Below we will review some good practices for this type of repository, which allows us to store our backups immutably on Linux:\nDo not add more Veeam roles or other services, i.e. this repository should be for immutable backups only\nPreferably it is a physical server with local drives (JBOD)\nBlock or disable any remote administration applications or services, i.e. SSH (after setting up the repository), iLO, iDRAC, etc.\nWhy is it not recommended to add more Veeam roles or other Linux services, such as nginx? The answer is simple: the idea is to keep it as isolated as possible, trying to reduce the risk in case of any vulnerability or unauthorized access to the server, since, as we know, lately we have multiple 0-day vulnerabilities that affect Linux operating systems and services.\nWhy prefer a physical server with local drives? If it is a virtual machine and, in the event of an attack, unfortunately the security of the virtual environment is compromised, of course the attacker or attackers will even have the possibility of deleting the virtual machine with all its content or encrypting the entire virtual environment.
Regarding the recommendation of local disks, it is exclusively aimed at ensuring that, in the event that the security of the storage system has been compromised, it is not possible to delete the data that is stored in the repository.\nAnd finally, block or disable any type of remote administration access, so that in the event of a compromise of centralized administration credentials or vulnerabilities in remote administration systems, it will not be possible to connect to the operating system.\nThe only thing that needs to connect is Veeam Backup \u0026amp; Replication, to send Immutable Backups to the server.\nConfigure Red Hat Enterprise Linux as Veeam Immutable Repository # In this case, install RHEL 8.3 as a server with the minimal install option, or the default without a graphical interface. And we connect via SSH as root:\nIf it is a physical server that already has the disks installed, we will proceed to execute a script that you can download from:\nhttps://github.com/mescobarcl/rhelimmutable\nWe select the file \u0026ldquo;rhelimm.sh\u0026rdquo; to see the content and copy it:\nAfter copying the content of the file, we will return to the SSH session that we have open. We will create a new file with the \u0026ldquo;vi\u0026rdquo; editor, therefore in the ssh session we will execute:\nvi rhelimm.sh\nWe press “i” to allow entering or pasting text in the file. And we exit the file by pressing “ESC”, then “:”, we enter “wq!”, press Enter and return to the command line.\nNow we will assign execute permissions to the file with the following command:\nchmod +x rhelimm.sh\nAnd now we will execute the script with the command:\n./rhelimm.sh\nAnd we press “Enter” to execute the script, which will request information.\nScript Execution # Now that we have executed the script in the previous step, the first thing it does is a scan of the existing and new disks on the server.
Then it lists the disks it found and asks us whether we want to use only one disk or several of those that exist on the server.\nIn this case, for the demonstration, I added 4 disks of 50 TB; it should be noted that it is possible to use multiple disks or just one, depending on your hardware configuration. Therefore the script will ask us to enter the disks in “/dev/sdb” format, and if you use multiple disks just add a space after each disk when entering it:\nAs shown in the previous image, the disks appear as “/dev/sdb /dev/sdc /dev/sdd /dev/sde”. I enter them in the desired format and press “Enter” for execution:\nWhen the disks are entered, the physical volumes, the volume group and the logical volume managed via LVM are created; finally the logical volume \u0026ldquo;repoveeam\u0026rdquo; is formatted with XFS, and the formatting includes \u0026ldquo;Reflink\u0026rdquo; for the support of “Fast Clone” in this type of repository.\nAfter formatting, the script asks us for the password for the connection user; the script creates a user named “repouser”, and we enter the password:\nImmutable Repository Configuration Veeam Backup \u0026amp; Replication # And now the script tells us that we must add the new repository in Veeam Backup \u0026amp; Replication with the credentials of “repouser”. We connect to VBR and add the RHEL server within “Managed Servers”; we will select “Linux Server” to enter the IP address or DNS name of the server:\nAfter clicking on “Next” it will ask us how the authentication with the new RHEL server will be done:\nAnd we will select “Single-use credentials for hardened repository….” to enter the credentials. We will use the user created by the script, “repouser”, with the respective password that was entered in the script steps, and, also very important, we will select “Elevate account privileges automatically” and “Use su if sudo fails” and enter the “root” password, press “OK” and then “Next”:\nThe users and passwords we are entering will only be used
in this connection; afterwards the credentials are not stored in the Veeam Backup \u0026amp; Replication database. Now we select “YES”.\nAnd we will be able to see the installation of the necessary component for Veeam Backup \u0026amp; Replication:\nWe select “Apply” and we will see the finished installation:\nClick “Finish” and we go back to the SSH session. The script was waiting for the installation of the necessary Veeam component, checking whether its process appears, and then asks us if we want to disable SSH completely:\nWe enter 1 to disable and stop the SSH service, and then we disconnect with the “exit” command. Then we can see that it will not be possible to connect again via SSH, even after a reboot. It should be noted that the script adds the volume to “/etc/fstab” so that in case of a restart the disks are automatically mounted.\nNow we go back to Veeam Backup \u0026amp; Replication to finish the configuration of the Immutable Repository.\nThe Creation of the Veeam Immutable Repository # In the VBR console, we will enter “Backup Repositories”, then right click and select “Add Backup Repository”, then “Direct Attached Storage”, then “Linux” to enter the data requested by Veeam:\nClick on “Next” and we will select our new Linux RHEL server, where we will also click on “Populate” to see the disk or mount point to store the backups:\nWe select “/repoveeam” and click on “Next”.\nHere we will enable “Use fast cloning on XFS volumes…” and “Make recent backup immutable for”; you can leave the immutability of backups at the default of 7 days or enter the necessary configuration in days.
Then “Next”\nWe will select the “Mount Server” then “Next”, then “Apply” to see the configuration status:\nThen it will ask us if we want to change the backup location of the configuration and we select “No”.\nConfiguration Validation # Now we will create a backup Job of some virtual machine and select our new immutable repository:\nAnd we execute it, we wait for the completion:\nAnd finally we will try to delete the backup from the console Veeam Backup \u0026amp; Replication, where it will tell us:\nThe backup cannot be deleted until 08-08-2021.\nRelated posts # Veeam Hardened (Immutable) Repository Chile Law 21.719: technical compliance manual with Veeam Incident Response Plan with NIST 800-61, 800-53r5, Mitre ATT\u0026amp;CK and Veeam Which Operating System is More Secure? ","date":"1 August 2021","externalUrl":null,"permalink":"/en/posts/veeam-hardened-repository-rhel/","section":"Blog","summary":"In this post, we will review installing an Immutable repository from Veeam With Red Hat Enterprise Linux, we previously reviewed an application for Ubuntu called VeeamHubRepo, which allows us to easily set up an immutable repository on Ubuntu Linux. 
Now we will review how to do the configuration in Red Hat Enterprise Linux, with a small script for the configuration of the repository automatically and in an easy to use way.","title":"Veeam Immutable Repository with Red Hat Enterprise Linux","type":"posts"},{"content":"","date":"1 August 2021","externalUrl":null,"permalink":"/en/tags/veeam-hardened-repository/","section":"Tags","summary":"","title":"Veeam-Hardened-Repository","type":"tags"},{"content":"","date":"1 August 2021","externalUrl":null,"permalink":"/en/tags/veeam-immutable-repository/","section":"Tags","summary":"","title":"Veeam-Immutable-Repository","type":"tags"},{"content":" In this post we will review the best practices when installing, configuring and managing Veeam Plugin for Oracle RMAN, based on the experience of multiple installations and revisions in different companies of various sizes. Including simple architectures, as well as complex architectures in high availability with Oracle RAC on different platforms x86, SPARC, Power. The objective of this post is to try to maintain a standard configuration and tasks to perform to maintain an ideal environment for the protection of Oracle data. In addition, this post includes a guide to update to the new version of backup files generated by the Plugin in its latest release.\nIntroduction # This post is based on the experience of operating multiple users in Latin America who have the Oracle database solution configured in high availability through Oracle RAC. Where different types of architectures of Veeam Backup \u0026amp; Replication with the use of Veeam Plugin for Oracle RMAN. 
The post seeks to generate a base review of the requirements, configurations and to know the operation of Veeam Plugin for Oracle RMAN for Oracle RAC environments with the objective of achieving correct operation and in accordance with the configurations necessary for its execution.\nThis document applies to the version of Veeam Backup \u0026amp; Replication v11 as also for Veeam Plugin for Oracle RMAN v11 However, several of the recommendations described in this document apply to an earlier version (v10).\nGood practices Veeam Plugin for Oracle RMAN # One of the most widely used database solutions at the enterprise level is Oracle, where we can find different types of installations to achieve high availability. Most of the time we find Oracle Real Application Cluster (RAC), where the most important high availability databases are stored and executed, if not the core of the business of those who use Oracle.\nBeing such an important solution for companies, of course, Veeam developed a solution for integration between Oracle and Veeam, to be more specific, with Oracle Recovery Manager (RMAN), which allows database administrators to continue with their data protection protocols through RMAN, let us remember that RMAN is Oracle\u0026rsquo;s native solution for performing backups of Oracle databases, but in this case, we will use Veeam Plugin for Oracle RMAN, to have the possibility of saving the backups in the repositories of Veeam Backup \u0026amp; Replication.\nRecall that Veeam Plugin for Oracle technically, it is a library for Oracle RMAN of the SBT type, which allows us to provide the space of the repositories of Veeam Backup \u0026amp; Replication for Oracle RMAN in order to save backups made natively from RMAN.\nOne of the great advantages of Veeam Plugin for Oracle RMAN is that it allows us to perform the recovery of Oracle databases either via the command line or through Veeam Explorers, which makes disaster recovery much easier. 
In addition, there is also an integration with Oracle when they are virtual machines performing backup via image including support for Oracle Automatic Storage Management (ASM), which also includes automated backup of Archive Logs for granular recovery and of course including performing instant oracle database recovery For more information go to the following link:\nhttps://helpcenter.veeam.com/docs/backup/vsphere/oracle_backup.html?ver=110\nAs we know Veeam Backup \u0026amp; Replication maintains different Veeam Explorers, such as Veeam explorer for Active Directory, Veeam explorer for Exchange, Veeam explorer for SharePoint, Veeam explorer for SQL Server, Veeam explorer for OneDrive (Veeam Office 365), Veeam explorer for Microsoft Teams (Veeam Office 365) and of course Veeam Explorer for Oracle. For more information go to the following link:\nhttps://helpcenter.veeam.com/docs/backup/explorers/explorers_introduction.html?ver=110\nFor this reason, it is convenient to perform the integration between Veeam and Oracle via Plugin Veeam for Oracle, in this post, we will talk exclusively about some good practices for the use of Veeam Plugin for Oracle RMAN, according to direct experience in different companies.\nInstallation # The main good practice for installation is to use the architecture that applies to the operating system and Oracle where we are installing. 
For Veeam Plugin for Oracle RMAN, the recommendation is always to install it on all Oracle RAC nodes. Remember that Veeam Backup \u0026amp; Replication has the following versions of the Plugin:\nVeeam Plugin for Oracle RMAN for AIX ppc64\nVeeam Plugin for Oracle RMAN for Linux x86 and x64\nVeeam Plugin for Oracle RMAN for Solaris x86 and SPARC\nVeeam Plugin for Oracle RMAN for Windows\nhttps://helpcenter.veeam.com/docs/backup/plugins/rman_plugin.html?ver=110\nIn most cases we find Oracle RAC on Linux; therefore, we will talk about good practices associated with this type of environment, which does not mean that they do not apply to other versions and/or operating systems.\nAccording to the version that is installed, the first good practices are:\nInstallation with the “root” user\nConfiguration with the user who owns the Oracle installation, usually the user “oracle”\nAnd this is where it is very important that the user who owns the Oracle installation has the necessary permissions at the level of files, folders and group memberships of the Oracle installation, including Oracle Grid, as indicated in:\nhttps://helpcenter.veeam.com/docs/backup/plugins/rman_plugin_permissions.html?ver=110\nThere is even a post on the blog related to permissions, or the error that appears in the configuration when the user does not have the appropriate permissions:\n/solucion-veeam-oracle-permission-denied/\nOracle Temp Tablespace # A very good practice in Oracle databases is to always keep space available in the temporary tablespace (the well-known Temp Tablespace), both for normal database operations and to store temporary data of the instances that are currently active.\nWhat is the interaction between the temporary tablespace and RMAN backups via Veeam Plugin for Oracle RMAN?
In this temporary table, Oracle RMAN uses the space to store statistical data about backup sessions as well as resource utilization data to make decisions about running backups on servers that maintain free resources. For example, Oracle RMAN uses this temporary table to store metadata about recovered objects for the order of recovered objects.\nAs well, Veeam Plugin for Oracle RMAN, queries statistics of Oracle RMAN processes, that is why, that it must be validated that there is always space available in the temporary table so that unexpected errors do not occur or during execution time on the platform.\nConfiguration # Before any configuration in Oracle RAC, we must first prepare a dedicated repository for Oracle RMAN backups via Veeam Plugin for Oracle RMAN, where after creating the repository using REFS or XFS, either Simple or Scale-Out (SOBR), the user that will have permissions to use the repository in conjunction with the Plugin must be added. Veeam, for this we must add it in “Access Permissions”\nOf course, when configuring our repositories to receive Oracle RMAN backups, we will need to maintain a correct configuration of concurrent tasks so that there are no bottlenecks or process queues to write the data to the repository, in fact, later we will review the requirements for Oracle RMAN channels and tasks Veeam Backup \u0026amp; Replication.By doing this we can move on to the Plugin configuration.\nAs we saw in the previous point of Installation, the configuration must be done with the user who owns the Oracle installation, generally the \u0026ldquo;oracle\u0026rdquo; user is used, where the command that is displayed at the end of the Plugin installation must be executed \u0026quot; OracleRMANConfigTool –wizard\u0026quot;\nWhen executing the command, Veeam Plugin for Oracle RMAN examines and/or analyzes all the configuration of the existing instances in the Oracle installation, it will review the Oracle configuration files that maintain information of 
the instances and in turn the execution of some commands to validate the identification of the instances of databases, as well as query\u0026rsquo;s or queries to the instances for the identification of ASM, validation of CONTROLFILE, SPFILE, etc. Some of the reviewed files and commands are:\n/etc/oratab /u01/app/oraInventory/ContentsXML/inventory.xml /u01/app/oracle/product/[version]/db_1/oraInst.loc srvctl status home srvctl config database -d [DB Name] srvctl status instance -d [DB Name] -n [Oracle Server] Due to the above, the permissions and memberships of the Oracle installation groups used by the user who owns the application (generally “oracle”) are very important for detecting and configuring the environment for Veeam Plugin for Oracle RMAN.\nVeeam Plugin for Oracle RMAN will ask us for certain information that we must enter, such as the server address of Veeam, the default port and the user credentials that we added in the “Access Permissions” configuration for access to the backup repository. Now we will visualize the repository that we have configured, we will select it with the number that precedes the name of the repository.\nIn this part it is possible to make the configuration towards multiple backup repositories of Veeam Backup \u0026amp; Replication, only repositories should be added by number containing a space.\nAnd in the next question, “ Enter the number of data streams (From 1 to 254) to run in parallel for each repository (RMAN DEVICE PARALLELISM value). Channel count per device [4]:” It is very important to know how many channels or streams we will use when performing the backup. For this we must consider the following:\n1 CPU Core and 200 MB RAM for each channel used on the Oracle server or RAC node 1 CPU Core and 1 GB RAM for every 5 channels used for the repository Veeam Backup Therefore, when we configure this option we must take into account the hardware requirements for the Oracle servers as well as for the repository. 
Veeam Backup \u0026amp; Replication, otherwise we could have some kind of bottleneck.\nThis point usually always brings up questions, such as, How does it work? We know that Oracle RMAN can use multiple channels ( with a maximum of 255 channels and each channel can read 64 files in parallel) with the aim of improving performance and parallelism for carrying out the backup natively, but in this case, with Veeam Plugin for Oracle RMAN seeks to configure the number of channels used by default in each backup globally. Of course, these types of global configurations can always be replaced in the backup task or script maintained by the database administrators and/or Oracle.\nIt should be noted, as stated above, that Veeam Plugin for Oracle RMAN must be installed on each of the servers that make up the Oracle RAC, since Oracle RMAN can use any available node with resources to perform its tasks and this is where we will review a very important Oracle table.\nHow many channels should be used, depending on the resources, with 4 channels is a good start Of course, the number of channels will always be limited by the amount of resources that exist in the Oracle cluster. In general, users always use excellent hardware resources for this type of solution. 
It is always convenient, when there are resources, to increase the number of channels used in order to improve performance.\nAnd since we are talking about resources and channels that RMAN will use, of course, it is necessary to recommend a 10 Gb network, since the greater the number of channels used, the greater the amount of bandwidth that Oracle RMAN and Veeam Plugin for Oracle RMAN will use for the transfer of backups to the Veeam Backup \u0026amp; Replication repository.\nAnd finally, if you want to assign channels manually, you should check the following link:\nhttps://helpcenter.veeam.com/docs/backup/plugins/rman_allocation_backup.html?ver=110\nAfter understanding and entering the channels to be used by Oracle RMAN through Veeam Plugin for Oracle RMAN, the solution asks us the following question: Do you want to use Veeam compression? (y/n). Here again it is a question of resources, as well as a decision on whether or not it is necessary to enable Veeam Backup \u0026amp; Replication compression; the following link details the compression that Veeam Backup \u0026amp; Replication performs and the resources that are necessary:\nhttps://helpcenter.veeam.com/docs/backup/vsphere/compression_deduplication.html?ver=110\nBut since we are talking about good practices according to user experience, the initial recommendation is: do not keep both Oracle compression and Veeam compression enabled, as it will demand resources and affect the overall performance of the backup processes.\nAnd as a general recommendation, initially don\u0026rsquo;t use Veeam compression unless there are resources left over to run compression on the Oracle data.\nWhen selecting that we will not perform the compression, Veeam Plugin for Oracle RMAN will tell us which instances it detected in the operating system and, of course, the configuration that will be applied to Oracle RMAN globally.\nThen there are the following 3 options, which let us apply the changes to Oracle RMAN, export the configuration to apply it manually or, finally, not apply any changes.\nBackup Operation and Execution # Generally, for the operation and execution of backups with Oracle RMAN, scripts already developed by database administrators are used, with the desired retention configuration as well as additional parameters according to business requirements.\nAt this point, one of the most important recommendations for the protection of instances is that the backup scripts are as simple as possible and use the global Oracle RMAN configuration applied when setting up Veeam Plugin for Oracle RMAN, without the need to declare the SBT library or the channels used in the backup scripts.\nThe same applies to the Archive Logs backup, where it is recommended that the execution uses the RMAN global settings.\nThis does not mean that you cannot override the settings from the script, just that, based on the settings we have reviewed, it has been the best option for standardization of scripts and their maintenance.\nAnother very important issue: you should always finish the execution of the script with the EXIT command, since if Oracle RMAN does not release the session, it will remain held and the process will keep running until the RMAN process is manually canceled.
In Veeam Backup \u0026amp; Replication you will see the job statistics window running indefinitely, waiting for the Oracle RMAN session to end.\nAdditional Files to Backup # Apart from the database files and archive logs that will be protected with Oracle RMAN through Veeam Plugin for Oracle RMAN, the Oracle configuration files should always be backed up, typically the home folders ($ORACLE_HOME) of the Oracle and Grid users.\nIn addition, it is necessary to back up the configuration files of Veeam Plugin for Oracle RMAN that are generated in the operating system.\nTo back up these folders it is possible to use Veeam Agent for Linux with a file-level backup configuration without snapshots:\nhttps://helpcenter.veeam.com/docs/agentforlinux/userguide/file_backup_snapshotless.html?ver=50\nGenerally the paths, with all their recursive content, to be backed up are:\n/etc/oratab\n/u01/\n/opt/veeam\nOf course, if the installation paths are different, it is necessary to add them, as well as any other paths required by the database administrators and/or for disaster recovery.\nInteroperability and Updates # For users who already have Veeam Plugin for Oracle RMAN from Veeam Backup \u0026amp; Replication version 9.5 and have updated to the latest version of Veeam Backup \u0026amp; Replication (v11 as of the date of this document), the interoperability of the versions must always be validated:\nVeeam Plug-in for Oracle RMAN 9.5 Update 4 supports integration with Veeam Backup \u0026amp; Replication version 9.5 Update 4, 9.5 Update 4a, 9.5 Update 4b and 10.\nVeeam Plug-in for Oracle RMAN 10 (10.0.1.4854) supports integration only with Veeam Backup \u0026amp; Replication version 10.\nVeeam Plug-in for Oracle RMAN 10.0.1.4854 (10a Cumulative Patch 20201202) supports integration with Veeam Backup \u0026amp; Replication version 10 and 11.\nVeeam Plug-in for Oracle RMAN 11 supports integration only with Veeam Backup \u0026amp; Replication version 11. 
It is important to point out this interoperability, since many times only Veeam Backup \u0026amp; Replication is updated and Veeam Plugin for Oracle RMAN is not, leading to unexpected errors. Therefore, it is always recommended to update all the components involved in the Veeam Backup \u0026amp; Replication implementation.\nFrom version 11, Veeam Plugin for Oracle RMAN uses a new format for backup files. Instead of a single metadata file for all backup files, as in previous versions, in version 11 there is a separate metadata file per backup file. This improves the performance of backup and recovery operations.\nUpdating Veeam Plugin for Oracle RMAN is very easy: depending on the operating system, download the new version of the installation package as explained in the following documentation:\nhttps://helpcenter.veeam.com/docs/backup/plugins/update_rman_plugin.html?ver=110\nSince v11 introduces new backup file and metadata formats, backups made with previous versions of Veeam Plugin for Oracle RMAN must be upgraded. For example, in the following image we see a backup made with version 10 of Veeam Plugin for Oracle RMAN, where it tells us:\n“Backup metadata is not up to date. Please upgrade the backup”\nThe message indicates that the metadata must be updated. To perform this recommended action, first of all we must have updated Veeam Backup \u0026amp; Replication to the latest v11 and, of course, Veeam Plugin for Oracle RMAN to the latest v11. Then enter the Veeam Backup \u0026amp; Replication console, go to the “Backups” menu, select “Disk”, where we will see the Oracle RMAN backup, and right-click on it:\nHere we will see a new “Upgrade” function, which always appears for backups created with versions prior to v11 and which allows us to update the backup files and metadata created by previous versions of Veeam Plugin for Oracle RMAN. 
By clicking “Upgrade”, Veeam Backup \u0026amp; Replication will indicate that the backup job must be disabled to perform the update action.\nWe only have to go to job management in Veeam Backup \u0026amp; Replication by clicking “Jobs” and then “Backup”, identify the backup job of Veeam Plugin for Oracle RMAN and disable it.\nWith the backup job disabled, we return to \u0026ldquo;Backups\u0026rdquo; then \u0026ldquo;Disk\u0026rdquo;, select the Oracle RMAN backup again and run \u0026ldquo;Upgrade\u0026rdquo;, where the message indicated above appears.\nAfter checking that we have all the components updated to the latest version, that is, Veeam Backup \u0026amp; Replication v11 (with its latest update) as well as the latest version of Veeam Plugin for Oracle RMAN, selecting \u0026ldquo;Yes\u0026rdquo; will show us the status of the operation.\nThe duration of this operation will always depend on the number of Oracle backup files, the type of repository and, of course, the workload on the file system. 
If the files are hosted on a deduplication appliance, it may take longer, since the appliance must rehydrate the data so that Veeam Backup \u0026amp; Replication can update the files and metadata.\nConfiguration Files and Logs # It is always advisable to know the location of the different configuration files, in case it is necessary to edit them manually or support indicates a change, and of course the location of the log files, in case of reviewing an unexpected behaviour of the solution or collecting the files for a support case.\nThe default location of the Veeam Plugin for Oracle RMAN configuration files:\nLinux, Solaris, AIX: /opt/veeam/VeeamPluginforOracleRMAN\nWindows: C:\\Program Files\\Veeam\\VeeamPluginforOracleRMAN\nThese configuration files must be edited according to the guidelines of Veeam technical support.\nAnd for the occasions when it is necessary to review log files or send logs to support, the path to these files:\nLinux, Solaris, AIX: /tmp/veeam_plugin_logs/\nWindows: %ProgramData%\\Veeam\\Backup\\RmanPluginLogs\nOr use the KB:\nhttps://www.veeam.com/kb2871\nGeneral considerations # A general recommendation is that the operating systems involved in the protection of Oracle databases must always be kept updated, as long as the operation allows it. In the case of the Veeam Backup \u0026amp; Replication roles, specifically the repositories, the network device drivers should also be kept updated, since in certain cases, after updating either the operating system or the network interface drivers, backup throughput improved considerably.\nOn the other hand, it is always recommended that all the services, servers and systems involved have DNS FQDN names, so that the configuration is as complete as possible.\nThat\u0026rsquo;s all; I have tried to make it as complete and detailed as possible and, as always, additional ideas or comments are welcome.\nRelated posts # Veeam Oracle RMAN Plugin Veeam Explorer Oracle RMAN Solution 
Veeam Oracle Permission Denied Veeam Agent Linux - Oracle Linux / Exadata ","date":"28 June 2021","externalUrl":null,"permalink":"/en/posts/best-practices-veeam-plugin-oracle-rman/","section":"Blog","summary":"In this post we will review the best practices when installing, configuring and managing Veeam Plugin for Oracle RMAN, based on the experience of multiple installations and revisions in different companies of various sizes. Including simple architectures, as well as complex architectures in high availability with Oracle RAC on different platforms x86, SPARC, Power. The objective of this post is to try to maintain a standard configuration and tasks to perform to maintain an ideal environment for the protection of Oracle data. In addition, this post includes a guide to update to the new version of backup files generated by the Plugin in its latest release.","title":"Best practices Veeam Oracle RMAN plugin","type":"posts"},{"content":"","date":"28 June 2021","externalUrl":null,"permalink":"/en/tags/best-practices-oracle/","section":"Tags","summary":"","title":"Best-Practices-Oracle","type":"tags"},{"content":"","date":"28 June 2021","externalUrl":null,"permalink":"/en/tags/buenas-practicas/","section":"Tags","summary":"","title":"Buenas-Practicas","type":"tags"},{"content":"","date":"28 June 2021","externalUrl":null,"permalink":"/en/tags/buenas-practicas-veeam-oracle-plugin/","section":"Tags","summary":"","title":"Buenas-Practicas-Veeam-Oracle-Plugin","type":"tags"},{"content":"","date":"28 June 2021","externalUrl":null,"permalink":"/en/tags/veeam-oracle/","section":"Tags","summary":"","title":"Veeam-Oracle","type":"tags"},{"content":"","date":"28 June 2021","externalUrl":null,"permalink":"/en/tags/veeam-oracle-best-practices/","section":"Tags","summary":"","title":"Veeam-Oracle-Best-Practices","type":"tags"},{"content":"","date":"28 June 
2021","externalUrl":null,"permalink":"/en/tags/veeam-rman/","section":"Tags","summary":"","title":"Veeam-Rman","type":"tags"},{"content":" In this guide we will review how to install Kasten Multi-Cluster Manager for the management and protection of containers from multiple clusters of kubernetes in different environments with centralized resource management. Usually in most companies that maintain application development teams there are different types of environments such as Development, QA and Production, in other companies they also manage Pre-Production, Staging, UAT, etc. environments. In the same way everything depends a lot on the development life cycle as well as the architectures of each company, this is why with Kasten Multi-Cluster Manager we will be able to achieve the protection of multiple environments and/or clusters of kubernetes.\nInitial Steps # As I mentioned before, it is necessary to have protection of your data regardless of where it is housed or the type of workload, since in the event of a disaster, malware attack or other reasons it is possible to lose data and even more than today we handle data in many environments, spread out geographically and needing centralized resource management and protection.\nIt is therefore, Kasten by Veeam developed the solution Kasten Multi-Cluster Manager that allows us to centrally manage backup resources as well as data protection based on backup policies for clusters. 
As always we will review the official documentation, which we will find at:\nhttps://docs.kasten.io/latest/multicluster/index.html\nEnvironments # For this guide I have two kubernetes clusters integrated with vSphere through vSphere CSI, each with 3 worker nodes and 1 master. I also have an Ubuntu Linux machine that I use for kubernetes administration. The clusters also have MongoDB, MySQL and WordPress containers installed to validate the backup of environments with applications, apart from all the services associated with the cluster.\nYou must have Kasten K10 installed on each kubernetes cluster or kubernetes distribution; if you still do not have it installed, you can follow the guide, which applies to any version of Kasten K10:\n/veeam-kasten/#Instalacion_de_Kasten\nAn important consideration is to define which will be your primary and secondary cluster(s). In this case I will define my cluster named \u0026ldquo;production\u0026rdquo; as primary and \u0026ldquo;development\u0026rdquo; as secondary; this is key for the Kasten Multi-Cluster configuration.\nKubernetes contexts # This configuration of kubernetes contexts will allow us, in a few words, to manage multiple kubernetes clusters centrally and natively from a machine that contains the configuration and/or connection files, commonly known as KUBECONFIG, so we will proceed to copy them to the administration machine:\n```bash\nscp /home/mescobar/.kube/config mescobar@mgmtCLI:/home/mescobar/.kube/produccion\nscp /home/mescobar/.kube/config mescobar@mgmtCLI:/home/mescobar/.kube/desarrollo\n```\nIn the above commands I am copying the config file from my **MASTER** servers, where you will usually find it in $HOME/.kube/config (the hidden .kube folder in the home of the user you are using), to my administration server (mgmtCLI). 
In the event that for some reason you cannot find the configuration file, you can copy the following file from the following path to your administration server:\n```bash\nsudo scp /etc/kubernetes/admin.conf mescobar@mgmtCLI:/home/mescobar/.kube/produccion\n```\nNow if we list the directory we can see the different files of the clusters, and with the following commands we will check which configuration file is loaded:\n```bash\necho $KUBECONFIG\nkubectl config get-contexts\n```\nAs seen in the previous image, I have another configuration file and it is the one loaded in the context. Therefore we are going to configure the KUBECONFIG environment variable so that it loads the clusters every time we log in to the administration server with our user, so we will do the following:\n```bash\ncd $HOME\nnano .bashrc\n```\nAnd we go to the last line and add:\n```bash\nexport KUBECONFIG=$HOME/.kube/produccion\n```\nWe save the file and execute the following command to load the environment variable:\n```bash\n. .bashrc\n```\nSo with this we can validate again that the file we need is loaded:\n```bash\necho $KUBECONFIG\nkubectl config get-contexts\n```\n### Context configuration\nAs we can see in the previous image, the name of our context is by default “kubernetes-admin@kubernetes”, which could cause confusion about which cluster we are managing. That is why we are going to rename it to make it much easier, with the following command:\n```bash\nkubectl config rename-context kubernetes-admin@kubernetes produccion\n```\nNow we have identified the cluster and we will proceed to add the development cluster. 
As we saw in a previous point, we will add in the .bashrc file the path of the development configuration file and we will execute the command to load that new variable (use the file names that belong to your clusters):\n```bash\nexport KUBECONFIG=$HOME/.kube/produccion:$HOME/.kube/desarrollo\n```\nWe execute the commands to load the variable and see the contexts, and again we change the default name to identify the development environment:\n```bash\nkubectl config rename-context kubernetes-admin@kubernetes desarrollo\n```\nWhy do we do the above? Because when kubernetes clusters are created with default settings, the context name will always be kubernetes-admin@kubernetes and the cluster name will be kubernetes; renaming the context is important to know which cluster we will be connecting to. And finally, to switch between clusters or contexts we will use the following command:\n```bash\nkubectl config use-context desarrollo\n```\nAs you can see in the previous image or in your session, the change of context is confirmed in the “**Current**” column, where the entry marked with **\\*** is the cluster you are currently managing. Also, as a **recommendation**, in the configuration files you can change the name of the cluster to be even more sure about which cluster you are using; there is a lot of information on the internet that covers this configuration.\n## Configuration Kasten\nAs you will remember, previously we defined our primary and secondary cluster(s). It is a requirement of Kasten Multi-Cluster that each cluster has Kasten K10 installed, and another requirement that we must meet is that the authentication of the Kasten **K10 installed in each** of the clusters that will be **SECONDARY** must be via token. Therefore we can use whatever authentication we want in the primary cluster, but token authentication will always be mandatory in the secondary clusters. 
For more information: https://docs.kasten.io/latest/access/authentication.html#token-authentication\nNow in our secondary cluster we will configure token authentication, for which you must execute the following command in the context of your secondary cluster, or directly on the master server of the **SECONDARY CLUSTER**:\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --reuse-values \\\n  --set externalGateway.create=true \\\n  --set auth.tokenAuth.enabled=true\n```\nWith the above command **executed on the SECONDARY cluster(s)** we ensure that they are authenticated via token, and the **PRIMARY** cluster can use whatever authentication method is necessary. In this case, in the **PRIMARY** cluster we will use basic authentication; to configure this it is necessary to execute (user and password “kasten”):\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --set auth.basicAuth.enabled=true \\\n  --set auth.basicAuth.htpasswd=\u0026#39;kasten:$apr1$twc26zga$AA47exHs1a3uNq/4lDKxD.\u0026#39; \\\n  --set externalGateway.create=true\n```\nAnd then, to know the IP address that will be used for this access, run:\n```bash\nkubectl get svc gateway-ext --namespace kasten-io -o wide\n```\nIn the “**EXTERNAL-IP**” column you will be able to see the IP address assigned by MetalLB and, of course, you can associate it with a DNS name; in my case I will use kasten.24xsiempre.cl and kastendev.24xsiempre.cl to access the clusters.\n## Configuration Kasten Multi Cluster Manager\nNow that we have our clusters configured with the requirements for Kasten Multi-Cluster, we will download the solution on our administration server, or on the server that you are using as MASTER for the management of the clusters. 
To download Kasten Multi-Cluster Manager, you must do it from the following address (as of this writing we will download version 4.0.3):\nhttps://github.com/kastenhq/external-tools/releases/download/4.0.3/k10multicluster\\_4.0.3\\_linux\\_amd64\nTo download directly from the command line, grant execute permissions and move the binary to an executable directory:\n```bash\nwget https://github.com/kastenhq/external-tools/releases/download/4.0.3/k10multicluster_4.0.3_linux_amd64\nchmod +x k10multicluster_4.0.3_linux_amd64\nsudo mv k10multicluster_4.0.3_linux_amd64 /usr/local/bin/k10multicluster\nk10multicluster\n```\nNow we will make sure that we are in the context of the primary cluster that we defined earlier, with the command:\n```bash\nkubectl config get-contexts\n```\nWe check the context of the primary cluster, in this case production, and proceed to configure K10 Multi-Cluster Manager. With the following command we will configure the **PRIMARY** cluster:\n```bash\nk10multicluster setup-primary \\\n  --context=produccion \\\n  --name=produccion\n```\nWhere **context** is the name of the context that we have in the kubernetes configuration and **name** is the name that will appear in the interface. Now we will add the **SECONDARY** cluster with the following command:\n```bash\nk10multicluster bootstrap \\\n  --primary-context=produccion \\\n  --primary-name=produccion \\\n  --secondary-context=desarrollo \\\n  --secondary-name=desarrollo \\\n  --secondary-cluster-ingress=http://kastendev.24xsiempre.cl/k10/\n```\nAfter the steps above, you may get a 503 or 400 error in the Kasten Multi-Cluster interface. 
This is because the user may not have management permissions; for this we must go to RBAC Entry and add the user or users that we will use to manage data protection. In my case I added the user k10-admin, and with this I was able to access all the management.\nIf there are any doubts in this part, just visit:\nhttps://docs.kasten.io/latest/multicluster/access.html#multi-cluster-admins\nhttps://docs.kasten.io/latest/multicluster/user_access.html#configuring-access-for-multi-cluster-users\nAnd finally we need to configure all the global resources as well as the global policies that are needed; for details on how to do it, visit a post that I made previously:\n/kasten-k10-multi-cluster/\nConclusions # One of the great advantages that this solution provides is the centralized management of the resources to assign, either by application, by cluster or according to the needs of the solutions that will be protected. It is important to note that Kasten Multi-Cluster Manager allows you to add clusters from different kubernetes distributions, for example Red Hat OpenShift, Rancher, EKS, AKS or vanilla kubernetes; as long as the necessary requirements are met, such as installing Kasten K10 in each of the clusters, it will allow us to have unique and centralized access for container protection.\nRelated posts # Kasten K10 Multi-Cluster Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 Kasten K10 Authentik How to install Kasten K10 on AWS EKS ","date":"8 June 2021","externalUrl":null,"permalink":"/en/posts/install-kasten-multi-cluster-manager/","section":"Blog","summary":"In this guide we will review how to install Kasten Multi-Cluster Manager for the management and protection of containers from multiple clusters of kubernetes in different environments with centralized resource management. 
Usually in most companies that maintain application development teams there are different types of environments such as Development, QA and Production, in other companies they also manage Pre-Production, Staging, UAT, etc. environments. In the same way everything depends a lot on the development life cycle as well as the architectures of each company, this is why with Kasten Multi-Cluster Manager we will be able to achieve the protection of multiple environments and/or clusters of kubernetes.","title":"Install Kasten Multi Cluster Manager","type":"posts"},{"content":"","date":"8 June 2021","externalUrl":null,"permalink":"/en/tags/kasten-openshift/","section":"Tags","summary":"","title":"Kasten-Openshift","type":"tags"},{"content":"","date":"8 June 2021","externalUrl":null,"permalink":"/en/tags/multi-cluster/","section":"Tags","summary":"","title":"Multi-Cluster","type":"tags"},{"content":"","date":"8 June 2021","externalUrl":null,"permalink":"/en/tags/rancher/","section":"Tags","summary":"","title":"Rancher","type":"tags"},{"content":"","date":"8 June 2021","externalUrl":null,"permalink":"/en/tags/red-hat-openshift/","section":"Tags","summary":"","title":"Red-Hat-Openshift","type":"tags"},{"content":"","date":"4 June 2021","externalUrl":null,"permalink":"/en/tags/cluster-kubernetes/","section":"Tags","summary":"","title":"Cluster-Kubernetes","type":"tags"},{"content":"","date":"4 June 2021","externalUrl":null,"permalink":"/en/tags/containerd/","section":"Tags","summary":"","title":"Containerd","type":"tags"},{"content":"","date":"4 June 2021","externalUrl":null,"permalink":"/en/tags/first-class-disk/","section":"Tags","summary":"","title":"First-Class-Disk","type":"tags"},{"content":" In this guide we will review the installation and configuration of a cluster Kubernetes on Ubuntu 20.04 using containerd, calico, performing the integration via vSphere CSI (Container Storage Interface) to provide the persistent volumes for the containers that will work in the 
cluster. We will also use MetalLB as a load balancer to access our services.\nIntroduction # If you are already here, it is possible that you are starting out, or that you already know what Kubernetes (k8\u0026rsquo;s) is, what it is used for and what its main function is. Even so, it is always good to check the official documentation for the new versions, features and support of kubernetes, containerd, calico, MetalLB and the CSI drivers; in this case we are going to use vSphere CSI to take advantage of the benefits of this integration.\nhttps://kubernetes.io\nhttps://containerd.io\nhttps://www.projectcalico.org\nhttps://metallb.universe.tf/\nhttps://vsphere-csi-driver.sigs.k8s.io/\nFor the installation of the cluster we are going to use 4 virtual machines with the default installation of the Ubuntu Server 20.04.2 image. It is important to point out that this is a laboratory environment; if you want to go to production you must always have at least 3 master nodes to achieve the high availability necessary for kubernetes management.\nServers # For this guide, we will use the following requirements and machines:\n| Name | CPU | RAM | Disk | HW Version | Advanced parameter | IP |\n|---|---|---|---|---|---|---|\n| masterprd | 4 vCPU | 8G | 30gb | Version 15 or higher | disk.EnableUUID = TRUE | 40.40.40.206 |\n| workerprd01 | 2 vCPU | 4G | 30gb | Version 15 or higher | disk.EnableUUID = TRUE | 40.40.40.204 |\n| workerprd02 | 2 vCPU | 4G | 30gb | Version 15 or higher | disk.EnableUUID = TRUE | 40.40.40.203 |\n| workerprd03 | 2 vCPU | 4G | 30gb | Version 15 or higher | disk.EnableUUID = TRUE | 40.40.40.202 |\nFor the names always use DNS or, alternatively, add them to the hosts file of each server; for this guide I use my internal DNS for name management. 
Regarding the virtual hardware version, it must be version 15 or higher, which corresponds to vSphere 6.7 U2 or later; in this case we will be configuring it with hardware version 18, since I have vSphere 7U2 installed. Lastly, and very importantly, each virtual machine must be configured with the advanced parameter disk.EnableUUID, since these are the requirements to use vSphere CSI. They must also have internet access.\nCluster Installation Kubernetes # We make sure that ALL servers are fully up to date after installation:\n```bash\nsudo apt update\nsudo apt -y upgrade \u0026amp;\u0026amp; sudo reboot\n```\nWe connect again via SSH to our servers and make sure they respond via DNS. Now we will go on to the installation of some necessary packages and the configuration of the kubernetes apt repository, followed by an update of the apt repositories:\n```bash\nsudo apt -y install curl apt-transport-https\ncurl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -\necho \u0026#34;deb https://apt.kubernetes.io/ kubernetes-xenial main\u0026#34; | sudo tee /etc/apt/sources.list.d/kubernetes.list\nsudo apt update\n```\nNow we will move on to installing the important packages for the configuration and administration of kubernetes:\n```bash\nsudo apt -y install vim git curl wget kubelet kubeadm kubectl containerd\nsudo apt-mark hold kubelet kubeadm kubectl containerd\n```\nThe apt-mark hold is so that these packages are not automatically removed or upgraded. 
## Disable swap\nAs a requirement for the kubernetes cluster it is necessary to disable swap, so we will do it with the following commands:\n```bash\nsudo swapoff -a\nsudo nano /etc/fstab\n```\nWith the first command swap is disabled, and with the second we comment out the swap line in fstab so that it is not activated again after a restart, so it would look like this:\n## ContainerD Configuration\nNow it is necessary to configure some kernel modules required for ContainerD to operate:\n```bash\ncat \u0026lt;\u0026lt;EOF | sudo tee /etc/modules-load.d/containerd.conf\noverlay\nbr_netfilter\nEOF\n```\nWith the previous command we are generating the containerd.conf file in that path so that the overlay and br_netfilter modules are loaded; after that we will activate the changes with the following commands:\n```bash\nsudo modprobe overlay\nsudo modprobe br_netfilter\n```\nAnd we can validate the configuration with the command:\n```bash\nlsmod | grep br_netfilter\n```\nNow, according to the needs of ContainerD, we will set some kernel parameters necessary for proper functioning:\n```bash\ncat \u0026lt;\u0026lt;EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf\nnet.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv4.ip_forward = 1\nEOF\n```\nAnd with the following command we apply the changes:\n```bash\nsudo sysctl --system\n```\nFinally we generate the default containerd configuration and restart it:\n```bash\nsudo mkdir -p /etc/containerd\ncontainerd config default | sudo tee /etc/containerd/config.toml\nsudo systemctl restart containerd\n```\nWith the first command the folder is created, with the second the default configuration file is written to that path, and finally we restart the service.\n## Master Node Configuration\nIn this stage we will run the commands **only** on the **MASTER (MPS)** node to start with the necessary configuration. 
Therefore, with the following command on the master node we are going to initialize kubernetes:\n```bash\nsudo kubeadm init\n```\nThis command can take some time, so you just have to go and make a coffee. When the execution finishes, it will show us the following. It is important to note that now the tool is asking us to perform the following steps:\n```text\nTo start using your cluster, you need to run the following as a regular user:\n\n  mkdir -p $HOME/.kube\n  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config\n  sudo chown $(id -u):$(id -g) $HOME/.kube/config\n\nAlternatively, if you are the root user, you can run:\n\n  export KUBECONFIG=/etc/kubernetes/admin.conf\n\nYou should now deploy a pod network to the cluster.\nRun \u0026#34;kubectl apply -f [podnetwork].yaml\u0026#34; with one of the options listed at:\n  https://kubernetes.io/docs/concepts/cluster-administration/addons/\n\nThen you can join any number of worker nodes by running the following on each as root:\n\nkubeadm join 40.40.40.206:6443 --token u31dsc.dbotgztbrid0f6h0 \\\n    --discovery-token-ca-cert-hash sha256:efecb019f0351590c1a3b30e61a1ac06b65c617b61bfcf63daae2bf7de010540\n```\nThe first part creates a hidden folder in the user\u0026#39;s home to store the kubernetes configuration file with which we can connect, and the export leaves it as an environment variable so that it is possible to connect easily. And lastly, and very important, is the kubeadm join command, which is used to add the worker nodes to the master. To make this configuration persistent we must do the following:\n```bash\nnano .bashrc\n```\nAnd we add at the end of the file:\n```bash\nexport KUBECONFIG=$HOME/.kube/config\n```\nSo every time we log in to the server via SSH we will have the environment variable configured to connect. 
## Worker Node Configuration\nAt this stage the commands should be executed only on the **worker nodes**. Therefore, as we saw previously, we must execute the command shown on the screen, which is unique for each cluster; in my case:\n```bash\nsudo kubeadm join 40.40.40.206:6443 --token u31dsc.dbotgztbrid0f6h0 \\\n    --discovery-token-ca-cert-hash sha256:efecb019f0351590c1a3b30e61a1ac06b65c617b61bfcf63daae2bf7de010540\n```\nAnd when you run it on each of the worker nodes you will see the following result:\n## Cluster Configuration Review\nNow we go back to the SSH session of the master node, or reconnect to it, and run the following command:\n```bash\nkubectl get nodes -o wide\n```\nWith this we will see whether the worker nodes were added to the cluster and their status. As we see in the previous image, we have all the information of the cluster; the only difference is that the nodes appear with the status “NotReady”. This status appears because we have not yet configured the kubernetes cluster network, for which in this case we will use Project Calico.\n## Calico Cluster Network Configuration\nTo install calico on our kubernetes cluster, we just have to execute the following command on **our MASTER node**:\n```bash\nkubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml\n```\nThen we check our cluster again with the command to validate the status:\n```bash\nkubectl get nodes -o wide\n```\nAnd now the nodes are in the “Ready” status.\n## MetalLB Balancer Configuration\nTo install MetalLB in our kubernetes cluster, we just have to execute the following commands on **our MASTER node**:\n```bash\nkubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.9.6/manifests/namespace.yaml\nkubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.9.6/manifests/metallb.yaml\n```\nThe first command will create the MetalLB namespace and the second all the components needed for its operation. Then we will generate a random key for the encryption of MetalLB communications. 
```bash kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey=\u0026#34;$(openssl rand -base64 128)\u0026#34; ```bash And finally we must configure the range of IP addresses that MetalLB will use to assign and be able to access the services from the network. To do this we must use the following configuration ```bash cat \u0026lt;\u0026lt;EOF | kubectl create -f - apiVersion: v1 kind: ConfigMap metadata: namespace: metallb-system name: config data: config: | address-pools: - name: address-pool-1 protocol: layer2 addresses: - 40.40.40.190-40.40.40.200 EOF ```text As we see in the previous command, in my case I will be using a range of 10 IP addresses from my network. If you want you can add the entire /24 network, but you must make sure that the **IP addresses are available**. Then run it on your server **MASTER (MPS)** ## vSphere CSI Configuration To start configuring vSphere CSI, you need to create two files with the configuration needed to connect to vCenter: csi-vsphere.conf ```ini [Global] cluster-id = \u0026#34;kubernetes\u0026#34; #[NetPermissions \u0026#34;A\u0026#34;] #ips = \u0026#34;*\u0026#34; #permissions = \u0026#34;READ_WRITE\u0026#34; #rootsquash = false #[NetPermissions \u0026#34;B\u0026#34;] #ips = \u0026#34;10.20.20.0/24\u0026#34; #permissions = \u0026#34;READ_ONLY\u0026#34; #rootsquash = true [VirtualCenter \u0026#34;vcenter.24xsiempre.cl\u0026#34;] insecure-flag = \u0026#34;true\u0026#34; user = \u0026#34;administrator@vsphere.local\u0026#34; password = \u0026#34;PASSWORD\u0026#34; port = \u0026#34;443\u0026#34; datacenters = \u0026#34;24xSiempre\u0026#34; # Opcional cuando configures con VSAN File Services #targetvSANFileShareDatastoreURLs = \u0026#34;ds:///vmfs/volumes/vsan:52635b9067079319-95a7473222c4c9cd/\u0026#34; ```text vsphere.conf ```ini [Global] cluster-id = \u0026#34;kubernetes\u0026#34; [VirtualCenter \u0026#34;vcenter.24xsiempre.cl\u0026#34;] insecure-flag = \u0026#34;true\u0026#34; user = 
\"administrator@vsphere.local\"\npassword = \"PASSWORD\"\nport = \"443\"\ndatacenters = \"24xSiempre\"\n```\nNow you might be wondering why we are generating two files with the same content but different names. The first one is used as a “secret” to store the authentication data (and any other configuration you want to add, such as for vSAN), and the second is used to create the “configmap” that stores these variables and makes them available to the cluster. Therefore, we create these files on the **MASTER (MPS)** server:\n```bash\nnano csi-vsphere.conf\nnano vsphere.conf\n```\nSave the files, then create the secret and the configmap from them on the MASTER server:\n```bash\nkubectl create secret generic vsphere-config-secret --from-file=csi-vsphere.conf --namespace=kube-system\nkubectl create configmap cloud-config --from-file=vsphere.conf --namespace=kube-system\n```\nNow that we have configured the credentials and variables, we will set up the vSphere cloud controller manager so that each node obtains its “ProviderID”, which the CSI driver requires. First we must taint the nodes; for this we execute on the **MASTER (MPS)**:\n```bash\nkubectl taint nodes --all 'node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule'\n```\nAnd then run the following to deploy it:\n```bash\nkubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-vsphere/master/manifests/controller-manager/cloud-controller-manager-roles.yaml\nkubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-vsphere/master/manifests/controller-manager/cloud-controller-manager-role-bindings.yaml\nkubectl apply -f https://github.com/kubernetes/cloud-provider-vsphere/raw/master/manifests/controller-manager/vsphere-cloud-controller-manager-ds.yaml\n```\nAnd we validate that the configuration was applied and that we obtain the “ProviderID” with the command:\n```bash\nkubectl describe nodes | grep 
\"ProviderID\"\n```\nNow we will install the CSI driver version 2.1.1 with the following:\n```bash\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/vsphere-csi-driver/v2.1.1/manifests/v2.1.1/vsphere-7.0u1/vanilla/rbac/vsphere-csi-controller-rbac.yaml\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/vsphere-csi-driver/v2.1.1/manifests/v2.1.1/vsphere-7.0u1/vanilla/deploy/vsphere-csi-node-ds.yaml\nkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/vsphere-csi-driver/v2.1.1/manifests/v2.1.1/vsphere-7.0u1/vanilla/deploy/vsphere-csi-controller-deployment.yaml\nkubectl get CSINode\n```\nNow that the driver is installed we must create the Storage Class that uses our vSphere datastore to provision the volumes (First Class Disks). Before this, we must create a Storage Policy in vCenter associated with the datastore that will host the persistent volumes.\nThen we create the Storage Class:\n```bash\ncat << EOF | kubectl apply -f -\nkind: StorageClass\napiVersion: storage.k8s.io/v1\nmetadata:\n  name: csi-sc-vmc\n  annotations:\n    storageclass.kubernetes.io/is-default-class: \"true\"\nprovisioner: csi.vsphere.vmware.com\nparameters:\n  StoragePolicyName: \"Contenedores\"\n  datastoreURL: \"ds:///vmfs/volumes/60634600-6fcc5d36-bd83-dcfe07e145f9/\"\nEOF\n```\nIn datastoreURL you must enter the address found in the summary of the datastore in vCenter, and you will have the result.\nNow we check that the Storage Class is correct and then create a test disk:\n```bash\nkubectl get sc\n```\nNow we create a 5 gigabyte disk:\n```bash\ncat << EOF | kubectl apply -f -\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n  name: pruebasc\nspec:\n  accessModes:\n  - ReadWriteOnce\n  resources:\n    requests:\n      storage: 5Gi\n  storageClassName: csi-sc-vmc\nEOF\n```\nWhen executing the above, we can see the creation of the disk in vCenter.\nAnd with this you have a Kubernetes cluster using the vSphere platform as storage for persistent volumes, which you can then back up with Kasten; in a future post we will review how to manage multiple clusters using Kasten multi-cluster.\nRelated posts # How to Install vSphere CSI Driver on RedHat OpenShift 4.x Red Hat OpenShift in vSphere with Kasten How to Integrate Active Directory with Kasten K10 and OpenShift Veeam + Kasten ","date":"4 June 2021","externalUrl":null,"permalink":"/en/posts/install-kubernetes-cluster-with-vsphere-csi/","section":"Blog","summary":"In this guide we will review the installation and configuration of a cluster Kubernetes on Ubuntu 20.04 using containerd, calico, performing the integration via vSphere CSI (Container Storage Interface) to provide the persistent volumes for the containers that will work in the cluster. We will also use MetalLB as a load balancer to access our services.","title":"Install Cluster Kubernetes with vSphere CSI","type":"posts"},{"content":"","date":"4 June 2021","externalUrl":null,"permalink":"/en/tags/kubernetes/","section":"Tags","summary":"","title":"Kubernetes","type":"tags"},{"content":"","date":"4 June 2021","externalUrl":null,"permalink":"/en/tags/storageclass/","section":"Tags","summary":"","title":"Storageclass","type":"tags"},{"content":"","date":"March 25, 2021","externalUrl":null,"permalink":"/es/tags/respaldo-weblogic/","section":"Etiquetas","summary":"","title":"Respaldo-Weblogic","type":"tags"},{"content":" In this post we will review how to protect the data of one of the most widely used application servers in large enterprises, Oracle Weblogic, backing it up with Veeam Backup \u0026 Replication while following the best practices recommended by Oracle.\nAs always, we should go to the official Oracle Weblogic documentation, where we’ll find the best practices and recommended options for backing up Oracle Weblogic-specific 
data:\nhttps://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html\nAfter reading the documentation, we know that there are two types of backups, as well as the protection of specific Oracle Weblogic folders:\nOffline Backup\nOnline Backup\nAnd if applicable to the installation, the “Backup Artifacts” must be included — these are simply other operating system configuration folders.\nBackup with Veeam Backup \u0026 Replication # Backing up Oracle Weblogic with Veeam Backup \u0026 Replication is very simple, since whether the machine is physical or virtual, the backup methodology will be via Snapshot (using the default options), which will include all the files necessary to recover Oracle Weblogic in case of any issue with the application server.\nNow, as always, backups must be performed as indicated by the official documentation, which is why we will review the file and folder paths that must be backed up for a successful recovery — either granular or with the great features of Veeam Backup \u0026 Replication.\nAs we reviewed earlier, there are two types of backup: Offline and Online. As the name says, for an Offline backup it is mandatory to shut down all Oracle Weblogic services and then back up the Backup Artifacts — that is, the files or folders — and then bring the services back up. In today’s world (unless strictly necessary) this is probably not the best option because we will have service downtime, and that is unacceptable these days, right?\nThat’s why we will review the Online backup, which is the best option and has no Oracle Weblogic service downtime. 
Therefore, when reviewing the official documentation, we must ensure that at the time the backup runs there are no configuration changes so that the backup remains consistent.\nAnd of course, recovery is based on the Weblogic configuration files, via Instant VM Recovery or whichever Veeam Backup \u0026amp; Replication mechanism you require.\nRelated posts # Veeam Oracle RMAN Plugin Best practices Veeam Oracle RMAN plugin Protecting Oracle KVM with Veeam Veeam Capacity Tier Oracle Cloud Object Storage ","date":"25 March 2021","externalUrl":null,"permalink":"/en/posts/veeam-oracle-weblogic/","section":"Blog","summary":"In this post we will review how to protect the data of one of the most widely used application servers in large enterprises, Oracle Weblogic, backing it up with Veeam Backup \u0026 Replication while following the best practices recommended by Oracle.","title":"Veeam Oracle Weblogic","type":"posts"},{"content":"","date":"25 March 2021","externalUrl":null,"permalink":"/en/tags/veeam-backup-weblogic/","section":"Tags","summary":"","title":"Veeam-Backup-Weblogic","type":"tags"},{"content":"","date":"25 March 2021","externalUrl":null,"permalink":"/en/tags/veeam-weblogic/","section":"Tags","summary":"","title":"Veeam-Weblogic","type":"tags"},{"content":"","date":"25 March 2021","externalUrl":null,"permalink":"/en/tags/weblogic-backup/","section":"Tags","summary":"","title":"Weblogic-Backup","type":"tags"},{"content":"","date":"16 March 2021","externalUrl":null,"permalink":"/en/tags/openshift-backup/","section":"Tags","summary":"","title":"Openshift-Backup","type":"tags"},{"content":"","date":"16 March 2021","externalUrl":null,"permalink":"/en/tags/openshift-vmware/","section":"Tags","summary":"","title":"Openshift-Vmware","type":"tags"},{"content":" One of the most used platforms in companies for the management, operation and maintenance of Containers is Red Hat OpenShift, in the following guide we will review how to protect our containers in Red Hat 
OpenShift 4.x integrated with VMware vSphere through its Container Storage Interface using the Kasten K10 Platform, configuring routes to access the K10 administration interface and using Minio S3 as the backup destination.\nInitial Steps # As we always start by reviewing the official documentation of the applications, we will first start with Red Hat OpenShift 4.7 (the latest version as of the date of this guide):\nhttps://docs.openshift.com/container-platform/4.7/installing/installing_vsphere/installing-vsphere-installer-provisioned.html\nThere the documentation indicates the requirements and installation method for Red Hat OpenShift 4.7 through IPI (Installer Provisioned Infrastructure), where the installer is run and we only have to enter the data requested from VMware vCenter. In this post I will not explain how to install OpenShift, since with IPI it is very easy to do. However, we must review a very important part of the OpenShift documentation in relation to the volumes:\nhttps://docs.openshift.com/container-platform/4.7/storage/persistent_storage/persistent-storage-vsphere.html#vsphere-pv-backup_persistent-storage-efs\nThe default Storage Class configured by OpenShift via IPI is named “thin” and uses kubernetes.io/vsphere-volume; when a persistent volume is requested for the containers, this storage class provides independent persistent disks from vSphere, and therefore, as we know, we will not be able to take snapshots of those volumes. That is why it is important to review the documentation linked above.\nAnd of course review the documentation of Kasten K10 Platform, currently at version 3.0.9 (as of this post), for the requirements and installation steps on Red Hat OpenShift:\nhttps://docs.kasten.io/latest/index.html\nInstallation Kasten OpenShift 4.x # Before installing Kasten on any Kubernetes distribution, we must always run a script that performs pre-installation checks and validates whether we have support for the 
features of Kasten K10, with the following command:\n```bash\ncurl https://docs.kasten.io/tools/k10_primer.sh | bash\n```\nIf you do not find the helm executable, you can see the installation of the prerequisites in the installation part of the Kasten post: /veeam-kasten/\nNow that we have the prerequisites (helm, kubectl and vSphere CSI, in this case version 2.1.1), we will start with the installation of Kasten K10. As the documentation indicates, we must run two commands:\n```bash\nhelm repo add kasten https://charts.kasten.io/\nkubectl create namespace kasten-io\n```\nWe already have everything pre-configured and only need the installation itself; as indicated in the Kasten documentation, we run the following command:\n```bash\nhelm install k10 kasten/k10 --namespace=kasten-io \\\n    --set scc.create=true\n```\nAs seen in the previous image, we already have Kasten K10 on OpenShift; now we check the status of the pods with the command:\n```bash\nwatch oc get pods -n kasten-io\n```\nWe should expect all Kasten pods to be in the “Running” state. And if we check the persistent volumes that Kasten uses from the command line:\n```bash\noc get pv,pvc\n```\nWe observe that it is using the vsphere-csi Storage Class, and the associated volumes can also be seen in the datastore that we use in vCenter:\nAs well as in the Red Hat OpenShift console.\nLog in K10 Dashboard via Route In OpenShift # To access the Kasten K10 management console, we only have to create a Route in OpenShift to expose the service. In this case we will do it through the Red Hat OpenShift web console: go to Networking -> Routes and in the upper left corner select the project “kasten-io”.\nHere we create the Route by clicking on “Create Route” and entering the following information:\nName: the name you want, in this case “k10”\nHostname: leave it blank to be assigned a hostname, or enter the one you want\nPath: default\nService: select the “gateway” service\nTarget Port: select the 
only one displayed; if none is shown, use 8000 -> 8000 TCP\nThen, when clicking on “Create”, it will show us the details and the access link shown under “Location”.\nThen click on or copy the URL found under “Location” and add “/k10/#/” to access the administration console; the URL in my case would be:\nhttp://k10-kasten-io.apps.oc.24xsiempre.cl/k10/#/\nAnd when accessing the URL we will see the console and welcome message of Kasten:\nWe enter our data and proceed to configure our Kasten K10 Platform solution.\nConfiguration Kasten K10 with Minio S3 # First we will install Minio on Ubuntu, for which you can follow one of the many very simple guides, for example:\nhttps://www.digitalocean.com/community/tutorials/how-to-set-up-an-object-storage-server-using-minio-on-ubuntu-18-04-es\nOnce Minio S3 is operating, we configure Kasten K10 by entering “Settings” to add a new “Profile”.\nThere we enter the name of the profile and select “S3 Compatible” to use with Minio:\nProfile Name: openshift, or any name you want\nCloud Storage Provider: S3 Compatible; to use with Minio it must be this option, otherwise select the one you need\nS3 Access Key: the access key from Minio or your object storage provider\nS3 Secret: the secret or password from Minio or your object storage provider\nEndpoint: http://40.40.40.100:9000/ , or the address of your Minio server\nSkip Certificate chain and hostname verification: enabled, since we are not using SSL in this case. 
Region: leave blank\nBucket Name: openshift, the name of the bucket to use\nAnd the configuration will be displayed like this:\nConfiguration Kasten K10 with vSphere vCenter # Going into “Settings” and selecting “Infrastructure” we create a new “Profile” with:\nProfile Name: vcenter, or whatever name you want\nInfrastructure Type: vSphere\nvCenter Server: vCenter IP or DNS address, preferably the FQDN\nvSphere User: a privileged vCenter user\nvSphere Password: its password\nOnce you have all this configured, you will be able to make backups using the CSI interface for vSphere, creating snapshots of the persistent volumes that exist in the configured datastores.\nAnd of course you can check the creation of backup policies with Kasten K10 in /veeam-kasten/\nRelated posts # How to Install vSphere CSI Driver on RedHat OpenShift 4.x How to Integrate Active Directory with Kasten K10 and OpenShift Install Cluster Kubernetes with vSphere CSI Kasten K10 Authentik Kasten K10 Multi-Cluster Veeam + Kasten ","date":"16 March 2021","externalUrl":null,"permalink":"/en/posts/red-hat-openshift-in-vsphere-with-kasten/","section":"Blog","summary":"One of the most used platforms in companies for the management, operation and maintenance of Containers is Red Hat OpenShift, in the following guide we will review how to protect our containers in Red Hat OpenShift 4.x integrated VMware vSphere through its Container Storage Interface with Kasten K10 Platform, configuring routes to access the administration interface of K10 and using Minio S3 as backup destination.","title":"Red Hat OpenShift in vSphere with Kasten","type":"posts"},{"content":"","date":"March 16, 2021","externalUrl":null,"permalink":"/es/tags/respaldo-openshift/","section":"Etiquetas","summary":"","title":"Respaldo-Openshift","type":"tags"},{"content":"","date":"16 March 2021","externalUrl":null,"permalink":"/en/tags/vsphere/","section":"Tags","summary":"","title":"VSphere","type":"tags"},{"content":"","date":"25 February 
2021","externalUrl":null,"permalink":"/en/tags/backup-immutable/","section":"Tags","summary":"","title":"Backup-Immutable","type":"tags"},{"content":"","date":"25 February 2021","externalUrl":null,"permalink":"/en/tags/hardened-linux-repository-veeam/","section":"Tags","summary":"","title":"Hardened-Linux-Repository-Veeam","type":"tags"},{"content":"","date":"25 February 2021","externalUrl":null,"permalink":"/en/tags/immutable-backup/","section":"Tags","summary":"","title":"Immutable-Backup","type":"tags"},{"content":"","date":"25 February 2021","externalUrl":null,"permalink":"/en/tags/immutable-ransomware/","section":"Tags","summary":"","title":"Immutable-Ransomware","type":"tags"},{"content":"","date":"25 February 2021","externalUrl":null,"permalink":"/en/tags/linux-repository/","section":"Tags","summary":"","title":"Linux-Repository","type":"tags"},{"content":"","date":"February 25, 2021","externalUrl":null,"permalink":"/es/tags/respaldo-inmutable/","section":"Etiquetas","summary":"","title":"Respaldo-Inmutable","type":"tags"},{"content":" Tremendous news with the release of version 11 of Veeam Availability Suite containing over 200 enhancements, CDP Snapshotless Replication, Instant Recovery for NAS / Databases and also Veeam Hardened Repository. 
In this post we will focus on the detailed installation and configuration of this new type of repository, which will allow us to keep our backups immutable!\nInitial Steps # As usual, we always check the official Veeam documentation, in this case for the Hardened (Immutable) Linux Repository:\nhttps://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=110\nThere we can see all the requirements for this feature; one of the most important is that the backup jobs should use Forward Incremental with Full or Synthetic backups for immutability to work correctly.\nAfter reading the documentation we move on to the base installation of Ubuntu 20.04 LTS and, after finishing, we connect via SSH and update the operating system:\n```bash\nsudo apt-get update -y\nsudo apt-get upgrade -y\n```\nAfter the update, we shut down the Linux server with the command:\n```bash\nsudo poweroff\n```\nIn my case, being a virtual machine, I will add a disk of the necessary size to use it as the repository; therefore, we edit the VM configuration and add a disk (for this LAB I will add a 2 TB disk) and then power the machine on:\n## Veeam Repo Manager\nAgain we connect via SSH, and in this case we will use a great tool, Veeam Repo Manager, to further simplify the configuration of the Veeam immutable repository. It can be found on the GitHub of Timothy Dewin, Solutions Architect at Veeam: https://github.com/tdewin/veeamhubrepo\nThis tool allows us to visually configure all the requirements to achieve the correct configuration of the repository, so we will proceed to install it. 
## Installation and configuration\nSince we are connected via SSH to the Ubuntu 20.04 LTS server and we have also added a disk to store the backups, we execute the following:\n```bash\nsudo wget -O ./veeamhubrepo.deb https://github.com/tdewin/veeamhubrepo/releases/download/v0.3.1/veeamhubrepo_noarch.deb\nsudo apt-get install ./veeamhubrepo.deb\nsudo veeamhubrepo\n```\nThe last command, “sudo veeamhubrepo”, shows us the wizard of this tool:\nThere we select “Yes” by pressing “Enter” and then enter the username that will have the temporary privileges used to set up immutability. By default it is “veeamrepo”; if you want to change it, do so according to your user naming convention, otherwise leave the default:\nThen we select “OK” to acknowledge that the user does not exist and confirm its creation:\nWe select “Yes” and enter the password for this user:\nThen it will confirm that the user was created and we select “OK” to move on to the configuration of the partition on the added disk:\nIn this LAB I need to select disk number “3”, the 2 TB disk we added, moving with the keyboard arrows and then pressing “Enter”; in your case you must select the disk that you added:\nWe confirm the selection and then “OK”.\nAfter confirming and applying the changes, it will indicate the path where the disk will be mounted:\nIf you want to change the path it is possible to edit it; in our case we will leave the default /backups/repo001 and select “OK” to confirm the creation and mounting:\nAfter configuring the disk where the immutable backups will be stored, there is a very important step to configure the time and time zone, and we select “Yes”:\nIn my case I will select:\n```text\n/usr/share/zoneinfo/Chile/Continental\n```\nSelecting and pressing Enter on “OK” will confirm the configuration: 
Then, when selecting “OK”, it will ask us for our NTP service, which can be local or on the internet. Then it will ask whether we want to update. At the end you will lose the connection to the server (SSH is disabled at this point), so we connect through the vCenter web console and execute the command:\n```bash\nsudo veeamhubrepo\n```\nAccess without SSH # And we proceed to register our new repository, selecting option “3” and confirming that the SSH service starts:\nIt will then tell us to connect from Veeam Backup \u0026 Replication with the credentials we created previously and add it as a repository:\nRepository Creation Veeam Backup \u0026 Replication # From Veeam Backup \u0026 Replication, we add the repository:\nAs we see in the previous image, we select “Single-use credentials for hardened repository…” and enter the credentials.\nThen we click on “Next” and confirm:\nTo finish, we review the configuration summary:\nWhile it is being configured from Veeam Backup \u0026 Replication, the Repo Manager utility detects the Veeam process.\nThen we continue with the repository configuration by selecting the partition that will host the backups.\nAnd here is the most important part for this type of repository: this tool formats the partition with XFS and enables reflink, to take advantage of block cloning when we perform a Synthetic Full for example, and also enables the option to make backups immutable for as many days as necessary; the default is 7 days:\nThis is where the magic appears, as you can see in the previous image.\nThen we run a new backup to the new Hardened Linux Repository.\nTesting Backup Deletion # Since we have a backup in the repository and we previously enabled immutability, we will check whether it is possible to delete backups, so in the Veeam Backup Server we go to the backup and delete the file:\nAfter confirming the deletion, the operation status window appears, where we observe that it is NOT possible to delete the backup 
file, and it also shows the date (03/03/2021 20:02) when this immutability expires, since we enabled it for 7 days:\nEven if you access the server you will not be able to delete the file, since it has the immutable attribute (+i) set, which even root cannot delete without first clearing it.\nI know what you are thinking right now: what if root removes the +i attribute and then deletes the file? Yes, that is possible. The important thing here is that the credentials of this server and its access methods are totally restricted, so that the backup files cannot be reached and deleted over the network by some malicious agent.\nIn addition, this solution keeps a daemon on the Linux server that applies the immutability logic and updates the attributes according to the number of immutability days you configured.\nWith this we finish this detailed post on the immutability configuration with the new type of repository for Veeam Backup \u0026 Replication called Linux Hardened Repository.\nRelated posts # Veeam Immutable Repository with Red Hat Enterprise Linux Chile Law 21.719: technical compliance manual with Veeam Incident Response Plan with NIST 800-61, 800-53r5, Mitre ATT\u0026CK and Veeam Veeam Decoys - Early Detection JADI Scanner vScan Vulnerability Scanner 2.0 ","date":"25 February 2021","externalUrl":null,"permalink":"/en/posts/veeam-hardened-immutable-repository/","section":"Blog","summary":"Tremendous news with the release of version 11 of Veeam Availability Suite containing over 200 enhancements, CDP Snapshotless Replication, Instant Recovery for NAS / Databases and also Veeam Hardened Repository. 
In this post we will focus on the installation, configuration in detail of this new type of repository that will allow us to keep our backups immutable!","title":"Veeam Hardened (Immutable) Repository","type":"posts"},{"content":"","date":"25 February 2021","externalUrl":null,"permalink":"/en/tags/veeam-ransomware-prevention/","section":"Tags","summary":"","title":"Veeam-Ransomware-Prevention","type":"tags"},{"content":"","date":"December 9, 2020","externalUrl":null,"permalink":"/es/tags/actualizar-veeam-aws/","section":"Etiquetas","summary":"","title":"Actualizar-Veeam-Aws","type":"tags"},{"content":"","date":"9 December 2020","externalUrl":null,"permalink":"/en/tags/amazon-rds-backup/","section":"Tags","summary":"","title":"Amazon-Rds-Backup","type":"tags"},{"content":"","date":"December 9, 2020","externalUrl":null,"permalink":"/es/tags/respaldo-amazon-rds/","section":"Etiquetas","summary":"","title":"Respaldo-Amazon-Rds","type":"tags"},{"content":"","date":"December 9, 2020","externalUrl":null,"permalink":"/es/tags/respaldo-vpc/","section":"Etiquetas","summary":"","title":"Respaldo-Vpc","type":"tags"},{"content":"","date":"9 December 2020","externalUrl":null,"permalink":"/en/tags/upgrade-veeam-aws/","section":"Tags","summary":"","title":"Upgrade-Veeam-Aws","type":"tags"},{"content":" Excellent news about the release of the new version of Veeam Backup for AWS v3 brings the necessary features for instance protection, VPC configuration protection, and Amazon RDS databases. 
In this post, we will see how to update to the latest version and make backups with the new features.\nInitial Steps # So we’ll start as usual by reviewing the official documentation of Veeam Backup for AWS v3, which can be found at:\nhttps://helpcenter.veeam.com/docs/vbaws/guide/welcome.html?ver=30\nFirst we will see the new features that this version brings us:\nSupport for Amazon RDS\nSupport for VPC configuration\nAccess by RBAC\nGranular File Recovery improvements\nAWS Outposts\nAnd of course the backup and replication of snapshots of existing AWS instances, which already came in v1 and v2 respectively.\nGoing into detail, Amazon RDS backup support includes:\nMicrosoft SQL Server\nOracle\nMariaDB\nMySQL\nPostgreSQL\nRegarding the VPC configuration backup, it allows you to protect all the elements within the VPC, including security groups, subnets, etc. Something extremely important is that it allows us to compare the configuration we have in the backup against the one currently in use, so in case of any modification we can know what was changed in production 🙂\nFor Role Based Access Control, this new version includes the roles:\nPortal Manager\nPortal Operator\nRestore Operator\nThis allows us to keep a segregation of users for the management of Veeam Backup for AWS v3.\nUpdate Veeam AWS Backup # This is very simple. If it is the first time you will use Veeam Backup for AWS v3, you just have to install it from the AWS Marketplace; if you already have version 2 you must go to “Configuration” and then “Support Information”:\nThen, by clicking on “Check and view updates”, a page opens showing the details of the update.\nSelect version 3, choose to install the updates and automatically restart if necessary, and click “Install Updates Now”.\nThen we log in again and it will show us the following:\nAnd with that we finish the update to Veeam Backup for AWS v3, very easy right? 
🙂\nBefore you start using the new features, it is very important to mention that Veeam Backup for AWS v3 always lets us check the permissions that the role has in order to perform the backup, whether for EC2, RDS or VPC. So, as a tip, when you are creating a new protection policy, always check the permissions; something like this will appear:\nClicking on “Grant” will request a temporary credential with administration permissions to assign what is necessary.\nAnd after clicking on “Apply” you will see the permissions correctly assigned.\nAmazon RDS support # This feature is key, since many of us need to back up databases that run on Amazon RDS, and with Veeam Backup for AWS we can protect them. First we click on “Policies” and we will see the following:\nAs we can see in the image above, there are three options: EC2, RDS and VPC. Selecting EC2 lets us back up all the existing instances that we have permission to access; something key here is that it allows application-consistent backups of our instances and, if necessary, the execution of pre and post backup scripts.\nRDS lets us back up the databases that we have in the Amazon RDS service. In this case I have configured a MariaDB database and an existing MySQL snapshot, so we click on RDS and then on “Add”.\nAfter entering the name of the policy, we select the role to use, the region and which resources to protect (always remember to check the permissions as we reviewed before).\nThen we choose whether or not to replicate the snapshots; in this case I will not configure it, but we know that it is very simple. 
Next we follow “Schedule” and configure the execution schedule\nThen we will see the cost, this feature is beautiful, since you can know how much the backup will cost before making them, so you will not find surprises and when we talk about using resources in the cloud, we must always have a look at the budget\nThen the retry settings and finally finish creating the backup policy\nWe will execute the backup, selecting the policy and clicking on “Start”\nAnd we will see the successful execution.\nAmazon RDS Recovery # We already have a backup, now we need to recover our database in Amazon RDS, first I will delete my db24xsiempre database\nThen we go back to Veeam Backup for AWS, and click on “Protected Data” and select RDS to see our databases\nWe select the database, in this case, db24xsiempre and click on “Restore Instance”, which will allow us to select the restore point for said database.\nThen we click on “Next” and select the role that we will use to recover, always remember to check permissions and go to the next screen where it will indicate where we want to recover\nAnd finally we see the summary of what will be done\nThen we see the recovery status in “Sessions Log”\nAnd if we check the AWS console we can see\nThe Amazon RDS MariaDB instance is being created as we requested the recovery, if you observed correctly, the name of the instance is temporary for the recovery, after a few minutes we will have\nAnd in the Amazon RDS console\nBackup VPC Configuration # In this case, Veeam Backup for AWS automatically generates a backup policy for the entire VPC, keeping it disabled so that if a backup is necessary, it is only enabled and the entire VPC configuration is backed up.\nTherefore, we must enable it, selecting the policy and clicking on “Enable”\nAnd the policy is now enabled, then we edit it to assign more VPCs from other regions or only protect the current one, by clicking on “Edit” we will see\nAnd by clicking on “Next” it will allow us to make the 
backup to our repository of Veeam Backup for AWS in Amazon S3; we enable it and select our repository, then “Next”\nHere we select the backup retention of the VPC configuration according to each organization’s needs\nAnd finally we see the summary of the configuration\nNow we execute the policy and we see the statistics\nAnd we already have our backup of the VPC configuration 🙂\nRecovery AWS VPC Configuration # Before recovering, as I mentioned before, there is an extremely important feature for AWS administrators: once the VPC configuration is backed up, Veeam Backup for AWS lets us compare the configuration that exists in AWS against the one in the backup; we just have to click on “Compare”\nWe can choose to show only the attributes that have changed, or it will indicate that there are no differences between production and backup. And finally you can export the configuration or restore it, excellent!\nNow we will see how to restore the whole configuration or only some elements of the VPC configuration: we select the VPC we want to recover and click on “Restore”\nIf you select “Selected Items” you can recover the configurations of your VPC granularly\nOr, in my case, I will perform the complete recovery of my VPC configuration\nThen we select the Role with which we will recover; always check the permissions\nWe restore to the original location or to a new one\nAnd finally the summary\nAnd to finish, the recovery status\nAn excellent version of Veeam Backup for AWS v3 that allows us to protect our resources in AWS. 
Totally recommended!\nRelated posts # Veeam Capacity Tier Oracle Cloud Object Storage Veeam Cloud Connect Performance How to install Kasten K10 on AWS EKS Veeam + Kasten ","date":"9 December 2020","externalUrl":null,"permalink":"/en/posts/veeam-backup-for-aws-v3/","section":"Blog","summary":"Excellent news about the release of the new version of Veeam Backup for AWS v3 brings the necessary features for instance protection, VPC configuration protection, and Amazon RDS databases. In this post, we will see how to update to the latest version and make backups with the new features.","title":"Veeam Backup for AWS v3","type":"posts"},{"content":"","date":"9 December 2020","externalUrl":null,"permalink":"/en/tags/veeam-backup-aws/","section":"Tags","summary":"","title":"Veeam-Backup-Aws","type":"tags"},{"content":"","date":"9 December 2020","externalUrl":null,"permalink":"/en/tags/veeam-rds-mysql-respaldo/","section":"Tags","summary":"","title":"Veeam-Rds-Mysql-Respaldo","type":"tags"},{"content":"","date":"9 December 2020","externalUrl":null,"permalink":"/en/tags/vpc-backup/","section":"Tags","summary":"","title":"Vpc-Backup","type":"tags"},{"content":"","date":"2 December 2020","externalUrl":null,"permalink":"/en/tags/citrix/","section":"Tags","summary":"","title":"Citrix","type":"tags"},{"content":"","date":"December 2, 2020","externalUrl":null,"permalink":"/es/tags/migracion-xenserver/","section":"Etiquetas","summary":"","title":"Migracion-Xenserver","type":"tags"},{"content":"","date":"December 2, 2020","externalUrl":null,"permalink":"/es/tags/recuperacion-xenserver/","section":"Etiquetas","summary":"","title":"Recuperacion-Xenserver","type":"tags"},{"content":"","date":"December 2, 2020","externalUrl":null,"permalink":"/es/tags/respaldo/","section":"Etiquetas","summary":"","title":"Respaldo","type":"tags"},{"content":" In this post we will see how to protect virtual machines on Citrix XenServer or Citrix Hypervisor with Veeam v10 and their respective agents, 
allowing recovery on the same hypervisor or performing instant recovery or migration to VMware vSphere.\nIntroduction # We all know that the hypervisors supported with integration (so far) by Veeam Backup \u0026amp; Replication are VMware and Hyper-V. Therefore, when we talk about other hypervisors such as Citrix XenServer (Citrix Hypervisor), Oracle VM, Proxmox to name a few, we will need to use Veeam Agents to perform full protection of the virtual machines.\nSince we must use agents, in this case we will use Veeam Agent for Windows and Veeam Agent for Linux, which provide an excellent solution for performing a complete backup of the machines and also offer application consistency for databases or applications when required.\nOf course, there are also other backup options depending on the needs of each environment, which you can review at:\nVeeam Agent for Windows: https://helpcenter.veeam.com/docs/agentforwindows/userguide/backup_job_create.html?ver=40\nVeeam Agent for Linux: https://helpcenter.veeam.com/docs/agentforlinux/userguide/backup_job_create.html?ver=40\nInstalled Citrix Hypervisor / XenServer environment # In the lab I installed a single hypervisor node and its respective XenCenter for testing. The installed versions are the latest I could download from the Citrix page:\nhttps://www.citrix.com/downloads/citrix-hypervisor/\nThe version used for the hypervisor and XenCenter is 8.2. Then I installed a Windows Server 2019 machine with Citrix VM Tools 9.0.42 and a CentOS 8 machine with Citrix VM Tools 7.20.0-1 to then back up both machines.\nProtection Group # When we talk about agents with Veeam, we should always manage them from a protection group, since this allows us to centralize management and organize, according to the company\u0026rsquo;s needs, the different servers that will use agents.\nAs seen in the image above, we see both servers with their respective agents installed. 
Remember that when creating the protection group, Veeam Backup \u0026amp; Replication will install the agent for Windows or Linux automatically.\nAfter confirming the installation of the agents, Veeam Agent for Windows or Veeam Agent for Linux, we will create the respective Backup Jobs, which we will configure to back up the entire machine so we then have the Bare Metal Recovery option in case we want to fully recover the server on XenServer or on VMware vSphere.\nThen we run the Backup Job for both servers and see the statistics when they finish.\nXenServer Image Recovery # Now comes the important part: performing the Bare Metal Restore, either Linux or Windows, to Citrix XenServer / Hypervisor. If you want to review the Veeam manual to see the procedure:\nVAW: https://helpcenter.veeam.com/docs/agentforwindows/userguide/image_boot.html?ver=40\nVAL: https://helpcenter.veeam.com/docs/agentforlinux/userguide/baremetal.html?ver=40\nAs you will see in the manual, for Windows you need to create the Recovery Media ISO, which you can do directly from the console and save wherever you see fit by clicking NNF.\nFor the case of backups with Veeam Agent for Linux, you must download the Recovery ISO from the Veeam downloads page:\nhttps://www.veeam.com/linux-backup-download.html\nThen copy both ISOs to the repository you have in Citrix.\nAnd finally, create a virtual machine from XenCenter with the same virtual hardware characteristics to perform the recovery.\nThen start the virtual machine with the ISO attached to perform the recovery.\nSelect \u0026ldquo;Network Storage\u0026rdquo; next, then \u0026ldquo;Veeam Backup Repository\u0026rdquo;, and assign an IP address where it says \u0026ldquo;Configure Network Settings\u0026rdquo;.\nThen we enter the data for our Veeam Backup \u0026amp; Replication repository.\nWe select the backup we want to recover.\nAnd we select to recover \u0026ldquo;Entire Computer\u0026rdquo;.\nAnd then we proceed to the recovery of the virtual machine 
on Citrix XenServer / Hypervisor.\nThen reboot and remove the recovery ISO to see the Windows boot and verify that the XenTools run:\nAnd with this we finish the recovery of entire machines on XenServer.\nRecovery to VMware # One of the most beautiful features that Veeam Backup \u0026amp; Replication has is recovering any backup directly to VMware vSphere, which allows us to maintain a multicloud and hybrid strategy for data recovery. If you want to know more:\nhttps://helpcenter.veeam.com/docs/backup/vsphere/performing_instant_recovery_vm.html?ver=100\nTherefore, if you want to have the option to recover or migrate virtual machines from XenServer to VMware, you can do it with Instant Recovery directly from the Veeam Backup \u0026amp; Replication console.\nWhen clicking on Instant VM Recovery, it will show us the Wizard for the recovery of the XenServer machine, and then we select the desired Recovery Point:\nAfter selecting the restore point, we will enter the required VMware data and then click NNF.\nAnd we can select whether we want to power on the machine and connect it to the network.\nAnd we will see the status of the recovery:\nThen it waits to perform the migration:\nThe machine is already working! 
Now we will perform the migration to the production vSphere datastore; we select the vSphere resources we will use.\nThen either use proxies or leave them in automatic.\nFinally review the summary of what will be done.\nAnd lastly the statistics.\nSo with Veeam Backup \u0026amp; Replication you can protect your virtual machines on Citrix XenServer / Hypervisor and fully recover them on the same Xen, or recover / migrate to VMware vSphere.\nRelated posts # Veeam Backup for Red Hat Virtualization Protecting Oracle KVM with Veeam Proxmox Lab with ZimaBlade Veeam Agent Linux - Oracle Linux / Exadata ","date":"2 December 2020","externalUrl":null,"permalink":"/en/posts/veeam-citrix-hypervisor-xenserver/","section":"Blog","summary":"In this post we will see how to protect virtual machines on Citrix XenServer or Citrix Hypervisor with Veeam v10 and their respective agents, allowing recovery on the same hypervisor or performing instant recovery or migration to VMware vSphere.","title":"Veeam Citrix Hypervisor / Xenserver","type":"posts"},{"content":"","date":"2 December 2020","externalUrl":null,"permalink":"/en/tags/veeam-citrix/","section":"Tags","summary":"","title":"Veeam-Citrix","type":"tags"},{"content":"","date":"2 December 2020","externalUrl":null,"permalink":"/en/tags/xenserver/","section":"Tags","summary":"","title":"XenServer","type":"tags"},{"content":"","date":"2 December 2020","externalUrl":null,"permalink":"/en/tags/xenserver-backup/","section":"Tags","summary":"","title":"Xenserver-Backup","type":"tags"},{"content":"","date":"2 December 2020","externalUrl":null,"permalink":"/en/tags/xenserver-migration/","section":"Tags","summary":"","title":"Xenserver-Migration","type":"tags"},{"content":"","date":"2 December 2020","externalUrl":null,"permalink":"/en/tags/xenserver-recovery/","section":"Tags","summary":"","title":"Xenserver-Recovery","type":"tags"},{"content":"","date":"17 November 
2020","externalUrl":null,"permalink":"/en/tags/k10multicluster/","section":"Tags","summary":"","title":"K10Multicluster","type":"tags"},{"content":" In the latest version of Kasten, 3.0.1, we find a series of improvements and an extremely important solution: the centralized administration of multiple Kubernetes clusters for complete data protection. In this post we will see the features and functionality of k10multicluster.\nIntroduction # As we saw in a previous post, it is necessary to update to the latest version of Kasten k10; you can find it at:\nhttps://www.24xsiempre.com/actualizar-kasten-k10/\nAfter completing the update, we can go to the configuration of k10 Multi-Cluster, where, as always, we must review the official documentation, which we can find at:\nhttps://docs.kasten.io/latest/multicluster/index.html\nIn this post we will focus on the benefits of the new solution; soon I will write the installation guide, which is very simple. One of the requirements of k10multicluster is the use of Kubernetes contexts; in my case I have:\nkubectl config get-contexts\nYou can keep as many clusters as you need for administration; of course, there must be network communication between all the clusters.\nAfter that you can download the k10multicluster executable from\nhttps://github.com/kastenhq/external-tools/releases\nKasten k10 Multi-Cluster uses the assignment of Primary and Secondary clusters (Secondaries), where there will always be only 1 primary and the others that are added will be secondary; therefore, you must select which will be your primary cluster and then add the secondary ones easily. In my case I will use the context kubernetes-admin@kubernetes as primary.\nIn the image above we can see the Multi-Cluster Dashboard with the “Production” and “Development” cluster configuration. 
This is where we will review the most important options offered by this great solution.\nGlobal Resources # One of the great advantages is that it allows us to create resources for all clusters or assign only some resources to certain clusters. For example, as we have seen in previous posts, Kasten k10 always needs “Location Profiles”, the profiles that define where we store the data in object storage, which can be:\nGoogle Cloud Storage\nAmazon S3\nAzure Storage\nS3 Compatible\nThis way you can keep the resources needed by your different Kubernetes clusters. Kasten k10 also requires “Policies”, the backup policies, which you can assign globally; even so, each Kasten k10 installation can have its own policies if needed.\nAnd finally the assignment of “Distributions”, the distribution of global resources that can be assigned to each of the clusters or shared among them:\nAnd this is where the important thing happens, because what we saw previously about “Location Profiles” and “Policies” we have already used in normal installations of Kasten k10, but in this case “Distributions” appears, to assign and synchronize the resources and policies to the Kubernetes clusters where we need to perform data protection. For example:\nThe “wpprd” distribution, which protects a WordPress instance and its respective MySQL, has an S3 bucket assigned to it called kastenprod with the respective backup policy and execution schedule for the production cluster. 
Even if we enter the instance of Kasten k10 of production we can see:\nWhich cannot be edited directly from the productive instance, it can only be edited from global resources.\nIn a future post, I will explain how to install and configure this tool step by step!\nRelated posts # Install Kasten Multi Cluster Manager Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 How to install Kasten K10 on AWS EKS Kasten K10 Authentik Veeam + Kasten ","date":"17 November 2020","externalUrl":null,"permalink":"/en/posts/kasten-k10-multi-cluster/","section":"Blog","summary":"In the latest version of Kasten, 3.0.1, we can find a series of improvements and an extremely important solution, the centralized administration of Multiple Clusters of Kubernetes For complete data protection, in this post we will see the features and functionalities of k10multicluster.","title":"Kasten K10 Multi-Cluster","type":"posts"},{"content":"","date":"17 November 2020","externalUrl":null,"permalink":"/en/tags/multicluster/","section":"Tags","summary":"","title":"Multicluster","type":"tags"},{"content":"","date":"November 11, 2020","externalUrl":null,"permalink":"/es/tags/actualizar-k10/","section":"Etiquetas","summary":"","title":"Actualizar-K10","type":"tags"},{"content":"","date":"November 11, 2020","externalUrl":null,"permalink":"/es/tags/actualizar-kasten/","section":"Etiquetas","summary":"","title":"Actualizar-Kasten","type":"tags"},{"content":"","date":"November 11, 2020","externalUrl":null,"permalink":"/es/tags/como-actualizar-kasten/","section":"Etiquetas","summary":"","title":"Como-Actualizar-Kasten","type":"tags"},{"content":"","date":"11 November 2020","externalUrl":null,"permalink":"/en/tags/how-to-upgrade-kasten/","section":"Tags","summary":"","title":"How-to-Upgrade-Kasten","type":"tags"},{"content":"","date":"11 November 2020","externalUrl":null,"permalink":"/en/tags/upgrade-k10/","section":"Tags","summary":"","title":"Upgrade-K10","type":"tags"},{"content":"","date":"11 November 
2020","externalUrl":null,"permalink":"/en/tags/upgrade-kasten/","section":"Tags","summary":"","title":"Upgrade-Kasten","type":"tags"},{"content":" In this post, we will see how easy it is to upgrade Kasten to new versions to gain new features as well as, of course, bug fixes.\nAs always, we should visit the official documentation of the solution to know the newly released versions and the features they bring. For that, check:\nhttps://docs.kasten.io/latest/releasenotes.html\nNow, if you don’t want to visit pages to check for new versions, you can also see it on the Kasten k10 configuration page in the “Support” menu:\nIt will indicate whether there is an update for Kasten k10; just click on “Upgrade to Version…” and it will take you to the page with the upgrade command (in my case with helm 3):\nhelm repo update \u0026\u0026 \\\nhelm get values k10 --output yaml --namespace=kasten-io \u003e k10_val.yaml \u0026\u0026 \\\nhelm upgrade k10 kasten/k10 --namespace=kasten-io -f k10_val.yaml\nBefore running it, it’s always recommended to check whether any Policy or Job is running, so you can either stop it or wait for it to finish before performing the upgrade.\nIf you installed Kasten k10 in another namespace, just change it and then run it:\nAfter running the command, we see that it updates the helm repositories (charts) and upgrades to the new version.\nYou’ll then notice that some Kasten Pods are recreated, which takes a few seconds, and you’ll be able to access the k10 Dashboard again. 
With the following command you can check the status:\nwatch kubectl -n kasten-io get pods\nOnce all Pods are in “Running” state, you must log into the Kasten k10 Dashboard, then go to “Settings” and finally to “Support” to verify the updated version:\nYou’ll also confirm that all the statistics, policies and configurations that exist in Kasten k10 are preserved.\nAnd with that we’re done: upgrading is very simple!\nRelated posts # How to Configure NFS Repository for Kasten K10 Configure Email Alerts in Kasten K10 How to install Kasten K10 on AWS EKS Kasten K10 Multi-Cluster Veeam + Kasten ","date":"11 November 2020","externalUrl":null,"permalink":"/en/posts/upgrading-kasten-k10/","section":"Blog","summary":"In this next post, we will see how easy it is to upgrade Kasten to new versions to gain new features as well as, of course, bug fixes.","title":"Upgrading Kasten k10","type":"posts"},{"content":"","date":"21 October 2020","externalUrl":null,"permalink":"/en/tags/boostfilesystemstatus/","section":"Tags","summary":"","title":"Boost::Filesystem::Status:","type":"tags"},{"content":"","date":"21 October 2020","externalUrl":null,"permalink":"/en/tags/error-veeam-oracle/","section":"Tags","summary":"","title":"Error-Veeam-Oracle","type":"tags"},{"content":"","date":"21 October 2020","externalUrl":null,"permalink":"/en/tags/inventory.xml/","section":"Tags","summary":"","title":"Inventory.Xml","type":"tags"},{"content":"","date":"21 October 2020","externalUrl":null,"permalink":"/en/tags/orainst.loc/","section":"Tags","summary":"","title":"Orainst.Loc","type":"tags"},{"content":"","date":"21 October 2020","externalUrl":null,"permalink":"/en/tags/permission-denied/","section":"Tags","summary":"","title":"Permission-Denied","type":"tags"},{"content":" During the past week I have been receiving some queries about errors found in the Veeam log files with the Oracle integration. 
Whether it is the native integration of Veeam with Oracle on VMware or the Veeam Plugin for Oracle RMAN, in this post we will see how to solve an error that appears frequently and is easy to fix.\nIntroduction # The error I was referring to is the following:\n```text\nError has occurred while executing SSH command: boost::filesystem::status: Permission denied: \"/grid/app/grid/product/12.2.0.1/oraInst.loc\"\nError has occurred while executing SSH command: boost::filesystem::status: Permission denied: \"/oracle/oraInventory/ContentsXML/inventory.xml\"\n```\nThe error appears in Veeam Backup \u0026 Replication or Veeam Plugin for Oracle RMAN when trying to detect the Oracle Database instances that exist on the server; as we see, the Veeam components do not have access to those files. We will also see that the user Veeam uses for application consistency can read the oraInst.loc and inventory.xml files directly from the operating system command line. But when run from the Veeam side, either the plugin or VBR, the instances are still not detected and the error appears again in the log files. 
To solve the above we must validate the permission requirements of Veeam Backup \u0026 Replication or Veeam Plugin for Oracle, whichever is your case:\nVBR (scroll down to the Oracle-specific permissions): https://helpcenter.veeam.com/docs/backup/vsphere/required_permissions.html?ver=100\nVeeam Plugin: https://helpcenter.veeam.com/docs/backup/plugins/rman_plugin_permissions.html?ver=100\nIn the event that the Veeam service user (which must be able to elevate to root) does not have the required permissions, it must be added to the required groups, for example:\n```bash\nusermod -a -G oinstall,dba,grid usuarioveeam\n```\nAnd of course, as the documentation also states, the user used for Oracle authentication must have SYSDBA privileges. How do we validate that the user we were given has SYSDBA? With the following SQL query:\n```sql\nselect username,sysdba,sysoper,sysasm,sysbackup,sysdg,syskm from v$pwfile_users;\n```\nWhere you must validate that the user appears in the query output. Otherwise, ask the DBA to grant the user SYSDBA.\nOracle permissions # If even so the instances are still not detected, the solution is to recreate the permissions of the folders where Oracle is installed, since for some reason they were modified. Therefore, in this step you must have the help or authorization of the DBA to recreate the permissions automatically with a root.sh installation script, or run the following directly on the Oracle paths:\n```bash\nchown -R grid:oinstall /u01\nchown -R oracle:oinstall /u01/app/oracle\nchmod -R 775 /u01/\n```\nWhere /u01 is the folder where the Oracle software was installed and -R means recursive. 
And with that, the detection and backup of your Oracle databases will work in case you have problems with folder and/or file permissions.\nRelated posts # Veeam Oracle RMAN Plugin Best practices Veeam Oracle RMAN plugin Veeam Explorer Oracle RMAN Veeam Agent Linux - Oracle Linux / Exadata ","date":"21 October 2020","externalUrl":null,"permalink":"/en/posts/veeam-oracle-permission-denied-solution/","section":"Blog","summary":"During the past week I have been receiving some queries about some errors found in the log files of Veeam with Oracle integration. Whether the native integration of Veeam with Oracle on VMware or using Veeam Plugin for Oracle RMAN. In this post we will see how to solve an error that appears frequently and is easy to solve.","title":"Solution Veeam Oracle Permission Denied","type":"posts"},{"content":"","date":"8 October 2020","externalUrl":null,"permalink":"/en/tags/k8s/","section":"Tags","summary":"","title":"K8S","type":"tags"},{"content":"","date":"October 8, 2020","externalUrl":null,"permalink":"/es/tags/respaldo-tkg/","section":"Etiquetas","summary":"","title":"Respaldo-Tkg","type":"tags"},{"content":"","date":"8 October 2020","externalUrl":null,"permalink":"/en/tags/tanzu-backup/","section":"Tags","summary":"","title":"Tanzu-Backup","type":"tags"},{"content":"","date":"8 October 2020","externalUrl":null,"permalink":"/en/tags/tkg-backup/","section":"Tags","summary":"","title":"Tkg-Backup","type":"tags"},{"content":" Great news! The acquisition of Kasten by Veeam Software, which extends the benefits of data protection of Veeam in modern data centers with container technologies using Kubernetes or k8s. 
In this post we will see the installation, configuration and recovery of containers with Kasten in a Kubernetes cluster based on Tanzu Kubernetes Grid.\nIntroduction # Now more than one will wonder: what is Kasten? Kasten is the backup and disaster recovery leader for Kubernetes; one of its important features is that it is a very easy-to-use solution, developed for Kubernetes with a cloud-native architecture.\nBecause of that, Kasten can help protect your containers with application integration in public or private clouds, for example Google Kubernetes Engine, AWS Elastic Kubernetes Service, Azure Kubernetes Service, IBM Kubernetes Service, VMware vSphere, Red Hat OpenShift, among others.\nIt also integrates with different storage technologies, such as:\nAmazon Elastic Block Store (EBS)\nAmazon Elastic File System (EFS)\nAzure Managed Disks\nGoogle PersistentDisk\nIBM Cloud Block Storage\nCeph (RBD)\nCinder-based providers on OpenStack\nvSphere Cloud Native Storage (CNS) (Requires vSphere 6.7u3+)\nPortworx\nPure Storage\nNetApp\nIt also allows container migrations between different container services in case of a disaster, change of provider, testing, or simply to maintain a hybrid architecture.\nIf you want to know more about Kasten, you can visit their website and the documentation site:\nhttps://www.kasten.io\nhttps://docs.kasten.io/latest\nAfter learning a little about what Kasten is, we will start by detailing the environment I have to protect my containers: Tanzu Kubernetes Grid 1.1.3 on vSphere 7 Update 1; remember that it can be used from vSphere 6.7 Update 3.\nTanzu Kubernetes Grid production cluster # The management cluster uses a production plan, and for the application cluster I also use the production plan in order to have multiple k8s roles. If you want to know more about the plans offered by Tanzu Kubernetes Grid or TKG 
visit:\nhttps://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/1.1/vmware-tanzu-kubernetes-grid-11/GUID-tanzu-k8s-clusters-create.html\nAnd if we review the cluster resources, we can see them with the command:\n```bash\nkubectl get pvc,pv,sc --all-namespaces\n```\nIt will show the PersistentVolumeClaim (pvc) disk requests made by applications, the PersistentVolumes (pv) provided statically or dynamically, and the StorageClasses (sc) offered to the cluster.\n```bash\nkubectl get pod --all-namespaces\n```\nIt will show all the pods that Tanzu installs by default when creating a cluster, and their respective namespaces, which lets us identify what is installed in the cluster.\n```bash\nkubectl get node\n```\nAnd finally the number of nodes that take part in the cluster and their respective roles. As can be seen in the previous image, it is possible to see:\n```text\nkube-system vsphere-csi-controller-8c9b98f7f-tt9p6 5/5 Running 8 3h30m\nkube-system vsphere-csi-node-5k2fp 3/3 Running 0 3h17m\nkube-system vsphere-csi-node-5skv2 3/3 Running 3 3h11m\nkube-system vsphere-csi-node-g9dpn 3/3 Running 0 3h17m\nkube-system vsphere-csi-node-rptch 3/3 Running 3 3h30m\nkube-system vsphere-csi-node-vgn7s 3/3 Running 3 3h17m\nkube-system vsphere-csi-node-xg6mb 3/3 Running 3 3h17m\n```\nThis indicates that the vSphere CSI driver is already installed (CSI stands for Container Storage Interface): https://github.com/kubernetes-sigs/vsphere-csi-driver\nThis driver is the essential piece for the integration of Kubernetes with vSphere, since it allows creating disks to assign to the persistent volumes needed by the applications installed in the Tanzu Kubernetes Grid cluster. 
Storage class # Now, one of the requirements of Kasten is persistent disks and, as we saw before, the cluster does not have any Storage Class enabled by default; therefore, the application we install will not be able to create the volumes it needs to operate. For this we must execute, on the machine that administers TKG:\n```bash\necho \"\nkind: StorageClass\napiVersion: storage.k8s.io/v1\nmetadata:\n  name: 24xs-vol\n  annotations:\n    storageclass.kubernetes.io/is-default-class: \\\"true\\\"\nprovisioner: csi.vsphere.vmware.com\nparameters:\n  DatastoreURL: \\\"ds:///vmfs/volumes/5b00a1aa-6b210381-9411-54e1ad1b3bcd/\\\"\n  fstype: ext4\n\" \u003e 24xs-vol.yaml\nkubectl create -f 24xs-vol.yaml\n```\nWhere on line **5** we assign the name of the Storage Class; on line **7** make sure the value is **true**, since with this we make sure that it is configured and enabled by default; on line **8** we make sure that it is the vSphere CSI driver; on line **10** it is key to indicate the URL of the Datastore that we will use as the destination of the persistent volumes in vSphere (in the following image you will see where to take the data from); and finally the name of the file to save it with its .yaml extension. As we can see in the previous image, the first command shows that we do not have any Storage Class in our Tanzu cluster, and then we apply the file to generate the Storage Class, which we can see with the command:\n```bash\nkubectl get sc\n```\nNow, if we check the monitoring of the Datastore that we selected as the storage of our persistent volumes, we will see the following in vCenter:\nSo now we have everything ready to install Kasten k10 in its latest version, 2.5.22. 
Installation of Kasten # We will now review the prerequisites of Kasten, which you can find at: https://docs.kasten.io/latest/install/requirements.html\nThe first thing you need is to install helm, a package manager for easily installing applications: https://helm.sh\nThe installation of helm is very simple: we just have to download the file from GitHub and move it to the executable folder of the server you use to administer Tanzu Kubernetes Grid or TKG:\n```bash\nwget https://get.helm.sh/helm-v3.3.4-linux-amd64.tar.gz\ntar xvzf helm-v3.3.4-linux-amd64.tar.gz\ncd linux-amd64/\n```\nAnd finally we move it to the executable folder:\n```bash\nmv helm /usr/local/bin/\n```\nIf we execute the command helm version we will see the version of helm:\nAs indicated in the Kasten manual, what we must do now is add the Kasten repository in helm, with the following command:\n```bash\nhelm repo add kasten https://charts.kasten.io/\n```\nAnd then create the project name or namespace with the command:\n```bash\nkubectl create namespace kasten-io\n```\nThen we proceed to the installation as indicated in: https://docs.kasten.io/latest/install/vmware/vsphere.html\nThe first command to run is:\n```bash\nhelm install k10 kasten/k10 --namespace=kasten-io\n```\nWhich will show us:\nAnd then with the following command we can see the installation progress:\n```bash\nkubectl get pods --namespace kasten-io --watch\n```\nAnd we can see:\nWe must ensure that all pods are in the “**Running**” state, since with this we can then access the Kasten console. If we review our Datastore, which previously did not store persistent volumes, and refresh, we can see:\nIt lists the volumes used by Kasten for its correct operation. And we make sure again that all the pods are in the “Running” state:\nAnd we already have Kasten installed! 
Access to Kasten # As we saw in a previous image, Kasten indicated that to access the Dashboard we need to run a command:\n```bash\nkubectl --namespace kasten-io port-forward service/gateway 8080:8000\n```\nAnd then enter the URL:\n```text\nhttp://127.0.0.1:8080/k10/#/\n```\nAnd obviously, if you have a GUI or desktop installed on the Linux machine that administers Tanzu Kubernetes Grid, you will be able to access it. But what happens if I don’t have a GUI installed and I need to access it from the network via the web? There are different ways to access the Kasten Dashboard; here we will see the simplest and fastest one, with authentication, which you can even find in the Kasten manual. In fact we will review the following links:\nhttps://docs.kasten.io/latest/access/dashboard.html#dashboard\nhttps://docs.kasten.io/latest/access/authentication.html#basic-auth\nhttps://hostingcanada.org/htpasswd-generator/\nThe first link tells us the multiple ways to enter the Dashboard; in this case we will use “**Accessing via LoadBalancer**”, for which we will install “metallb”, a load balancer for k8s: https://metallb.universe.tf\nThe installation is very simple; we must execute the following command:\n```bash\nkubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.8.3/manifests/metallb.yaml\n```\nAnd it’s already installed. Now we’ll configure it with the IP address range we want it to work with:\n```bash\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  namespace: metallb-system\n  name: config\ndata:\n  config: |\n    address-pools:\n    - name: default\n      protocol: layer2\n      # MetalLB IP Pool\n      addresses:\n      - 20.20.20.110-20.20.20.140\nEOF\n```\nOn the **addresses** line we must enter the pool of IP addresses to be assigned to the services we install. 
We apply it. After this we return to the Kasten configuration: we must generate an htpasswd entry (the earlier links include a website that does it online, but you can also generate it locally). We copy the resulting username:hash entry into the following command; the entry shown here corresponds to the password 24xsiempre.com, so it is only useful for following along, never for a real deployment:\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --set auth.basicAuth.enabled=true \\\n  --set auth.basicAuth.htpasswd='admin:$apr1$8zsf2361$V3BlxNRZsfbnUmDFM.XRa1'\n```\nIn the last `--set`, paste your own username and hash; keep the single quotes, since the `$` characters in the hash would otherwise be expanded by the shell. Note that `$apr1$` is the MD5-based htpasswd format; if the K10 authentication documentation lists bcrypt (`htpasswd -B`) as supported, prefer it. Then we run it. The previous command only configures the authentication mechanism; with the next one we tell Kasten to expose its gateway through the load balancer:\n```bash\nhelm upgrade k10 kasten/k10 --namespace=kasten-io \\\n  --reuse-values \\\n  --set externalGateway.create=true\n```\nThe `--reuse-values` flag matters: without it Helm would discard the basic-auth values applied in the previous upgrade. The release notes change and Kasten now indicates that we must access the Dashboard via:\n```bash\nThe K10 Dashboard is accessible via a LoadBalancer. 
Find the service's EXTERNAL IP using:\n`kubectl get svc gateway-ext --namespace kasten-io -o wide`\nAnd use it in the following URL:\n`http://SERVICE_EXTERNAL_IP/k10/#/`\n```\nTherefore we only need the IP address, which we obtain with:\n```bash\nkubectl get svc gateway-ext --namespace kasten-io -o wide\n```\n**It should be noted that I have DHCP enabled in TKG**\nIn my case the access URL is http://kastentkg.24xsiempre.cl/k10/#/, since DNS resolves that name to the EXTERNAL-IP (otherwise browse directly to the EXTERNAL-IP), and the browser asks for the username and password configured through the htpasswd entry. Keep in mind that this URL is plain HTTP: HTTP basic authentication only base64-encodes the credentials, so on anything other than an isolated lab network terminate TLS in front of the gateway before exposing it. We then see the Kasten Welcome screen, enter company and e-mail and accept.\nKasten configuration # We now have Kasten working, with remote access protected by username and password; what remains is to enable and configure the solution. An important message appears at the bottom of the Dashboard: “ K10 Disaster Recovery is not enabled for this cluster. ” We click on “ See settings”, where it indicates that some configuration is needed before enabling it. We click on “ Location” and create a new profile, in this case Amazon S3. As can be seen, different profile types are available to store the backups:\nGoogle Cloud Storage\nAmazon S3\nAzure Storage\nS3 Compatible\nWe enter the requested data and the created profile is listed. Then we click on “ Infrastructure” and generate a profile for vSphere; like the previous profile, it offers several options:\nOpenStack\nPortworx\nvSphere\nNow we click on “ K10 Disaster Recovery” and enable it by clicking on “ Enable K10 DR”, select the “ Location” profile and assign a passphrase (password) to encrypt the backups. 
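Before the dashboard goes onto the network the way the Access section above describes, it is worth checking the combination of settings as a whole: the basic-auth entry, the `externalGateway.create` switch, the MetalLB pool and the URL you will browse to. The following pre-flight script is an added example for this post, not Kasten's or Veeam's code. It reads the same Helm value keys the post sets with `--set` (as a Python dict) and returns findings; the DHCP scope is an assumption, since the post only says DHCP is enabled on the TKG network.

```python
"""Pre-flight checks before exposing the Kasten K10 dashboard through MetalLB.

Added example for this post, not Kasten's or Veeam's code. It looks at the
Helm values the post sets with --set (auth.basicAuth.*, externalGateway.create),
the MetalLB address pool and the URL you intend to browse to, and returns the
findings a reviewer would raise before the dashboard goes on the network.
The DHCP scope is an assumption: the post only says DHCP is enabled.
"""
import ipaddress
import re

# user:hash as produced by the htpasswd tool (or the online generator).
HTPASSWD_ENTRY = re.compile(r"^(?P<user>[^:\s]+):(?P<hash>\S+)$")


def parse_pool(spec):
    """Turn '20.20.20.110-20.20.20.140' or '20.20.20.0/27' into (first, last)."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net[0], net[-1]
    if lo > hi:
        raise ValueError("pool start %s is after pool end %s" % (lo, hi))
    return lo, hi


def ranges_overlap(a, b):
    """Closed IP ranges (first, last) overlap unless one lies wholly before the other."""
    return a[0] <= b[1] and b[0] <= a[1]


def htpasswd_findings(entry):
    """Findings about the entry passed in auth.basicAuth.htpasswd."""
    m = HTPASSWD_ENTRY.match(entry or "")
    if not m:
        return ["auth.basicAuth.htpasswd is not a user:hash entry"]
    h = m.group("hash")
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return []  # bcrypt, what `htpasswd -B` produces
    if h.startswith("$apr1$"):
        return ["basic-auth entry uses the MD5-based apr1 format; regenerate it with htpasswd -B"]
    if h.startswith("{SHA}"):
        return ["basic-auth entry uses unsalted SHA-1; regenerate it with htpasswd -B"]
    return ["basic-auth entry is not a recognised htpasswd hash (plaintext password?)"]


def preflight(values, pool_spec, dhcp_scope=None, dashboard_url=""):
    """Return a list of findings; an empty list means the rollout is acceptable."""
    findings = []
    basic = values.get("auth", {}).get("basicAuth", {})
    if values.get("externalGateway", {}).get("create"):
        if not basic.get("enabled"):
            findings.append("externalGateway.create=true without auth.basicAuth.enabled=true: "
                            "the dashboard would answer on the LoadBalancer without a login")
        else:
            findings.extend(htpasswd_findings(basic.get("htpasswd")))
    if dashboard_url.lower().startswith("http://"):
        findings.append("dashboard URL is plain http: basic-auth credentials cross the network "
                        "base64-encoded, not encrypted; terminate TLS in front of the gateway")
    pool = parse_pool(pool_spec)
    if dhcp_scope and ranges_overlap(pool, parse_pool(dhcp_scope)):
        findings.append("MetalLB pool %s-%s overlaps the DHCP scope %s: exclude it from DHCP"
                        % (pool[0], pool[1], dhcp_scope))
    return findings


if __name__ == "__main__":
    # Constructed values mirroring the post's two helm upgrade commands.
    values = {"auth": {"basicAuth": {"enabled": True,
                                     "htpasswd": "admin:$apr1$8zsf2361$V3BlxNRZsfbnUmDFM.XRa1"}},
              "externalGateway": {"create": True}}
    for finding in preflight(values, "20.20.20.110-20.20.20.140",
                             dhcp_scope="20.20.20.100-20.20.20.200",  # assumed DHCP scope
                             dashboard_url="http://20.20.20.110/k10/#/"):
        print("-", finding)
```

Run it against the values you are about to apply. The post's own combination (apr1 hash, plain-http URL, pool on a DHCP-enabled network) yields three findings; a bcrypt entry, an https URL and a pool outside the DHCP scope yield none.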
Very important: save that password, since some recoveries (including recovering K10 itself) require it. Then, if you wish, change the Dashboard theme in the “Dashboard” menu, and we return to the start to configure Backup Policies. In parallel I installed a WordPress in its own namespace to have an additional application to back up. When a new namespace is created, Kasten recognizes it automatically under “ Applications” and marks it “ unmanaged” because it has no backup policy associated. From “ Applications” you can run a “ Snapshot” directly, perform restores or “ Export” the application you want.\nBackup Policies # We enter “ Policies” and see the default policy Kasten creates to protect itself, which, as a recommendation, we should not modify, since it runs with its own retention settings. Now we click on “ Create New Policy” and fill in the requested data: name, comments and action. For data protection we select “ Snapshot”, then the snapshot frequency and its retention. Clicking “ Show Advanced Frequency Options” lets you pick the execution time. Then, if we wish, we can export the backups to the S3 bucket by enabling “ Backups via Snapshot Exports”. Then we select the application to back up, searching by “ Name” or, if you prefer, by “ Label”; in this case I select wordpress. Finally we click on “ Create Policy”. Now we can run the backup directly or wait for the schedule. 
I run it right away by clicking “ Run Once” and return to the Dashboard to follow the status of the backup. The snapshot operations also appear in vCenter, and the Dashboard lists every run configured in the policy. With that we are already backing up our Tanzu Kubernetes Grid with Kasten!\nRecovering containers with Kasten # If we click on “ Applications” we see our successful backup policy for wordpress. At the bottom of the policy a “ Restore” button shows the available restore points. Clicking a restore point lets us choose where to recover from, either the S3 export or the local snapshot; in this case I select the local one and confirm. Finally we return to the Dashboard to follow the status and see the successful recovery. There are multiple recovery options to analyze according to the need, but as we saw the backup is simple, namespaces are detected automatically and backup policies are easy to configure; the following link has the details of all the recovery options:\nhttps://docs.kasten.io/latest/usage/restore.html\nAnd with that we end this guide to using Kasten! Any idea is welcome as always!\nRelated posts # Kasten RBAC Multi-Tenant Multi-Cluster Keycloak – 1 Red Hat OpenShift in vSphere with Kasten How to install Kasten K10 on AWS EKS Kasten K10 Multi-Cluster Chile Law 21.719: technical compliance manual with Veeam ","date":"8 October 2020","externalUrl":null,"permalink":"/en/posts/veeam-kasten/","section":"Blog","summary":"Great news! The acquisition of Kasten by Veeam Software, which extends the benefits of data protection of Veeam in modern data centers with container technologies using Kubernetes or k8s. 
In this post we will see the installation, configuration and recovery of containers with Kasten in a cluster of Kubernetes based on tanzu Kubernetes grid.","title":"Veeam + Kasten","type":"posts"},{"content":"","date":"6 October 2020","externalUrl":null,"permalink":"/en/tags/agendar-respaldos/","section":"Tags","summary":"","title":"Agendar-Respaldos","type":"tags"},{"content":"","date":"6 October 2020","externalUrl":null,"permalink":"/en/tags/cockpit/","section":"Tags","summary":"","title":"Cockpit","type":"tags"},{"content":"","date":"October 6, 2020","externalUrl":null,"permalink":"/es/tags/respaldo-sap-hana/","section":"Etiquetas","summary":"","title":"Respaldo-Sap-Hana","type":"tags"},{"content":"","date":"6 October 2020","externalUrl":null,"permalink":"/en/tags/sap-hana/","section":"Tags","summary":"","title":"Sap-Hana","type":"tags"},{"content":"","date":"6 October 2020","externalUrl":null,"permalink":"/en/tags/sap-hana-backup/","section":"Tags","summary":"","title":"Sap-Hana-Backup","type":"tags"},{"content":" Now it is the turn of another of the plug-ins, Veeam Plugin for SAP HANA. It is simple to deploy and to configure on the SAP HANA side; in this post we will see the installation, the configuration, the scheduling of backups from SAP HANA and, of course, data recovery.\nInitial Steps # First, as always, we must review the official documentation of Veeam Plugin for SAP HANA to validate the supported versions:\nhttps://helpcenter.veeam.com/docs/backup/plugins/system_requirements_saphana.html?ver=100\nOur SAP HANA version is supported by Veeam for backups through the plug-in, which implements the SAP Backint interface; Backint requires certification by the manufacturer, in this case SAP, and that certification can be checked at:\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=451067853\nInstallation # With that confirmed, we need to install the plug-in on the 
SAP HANA server. We mount the Veeam Backup \u0026amp; Replication v10a ISO and copy the plug-in package VeeamPluginforSAPHANA-10.0.1.4854-1.x86_64.rpm to the server, for example with WinSCP.\nThen we log in to the server via SSH, either as “root” or as the application user with sudo rights; in my case I will use “hxeadm”.\nAlways remember that Veeam plug-ins are installed as root and configured as the application user.\nTherefore we install the plug-in with the following command (`rpm -K` on the file first lets you check the package signature before installing code that will run as root):\n```bash\nsudo rpm -ivh VeeamPluginforSAPHANA-10.0.1.4854-1.x86_64.rpm\n```\n## Configuration\nAfter installing Veeam Plugin for SAP HANA, the package tells us which command to run next:\n```text\nRun \u0026#34;SapBackintConfigTool --wizard\u0026#34; to configure the Veeam Plug-in for SAP HANA\n```\nWe run that command without sudo, as the application user (hxeadm in my case), and enter the parameters it requests. As seen in the image, it only asks for the connection details of our Veeam Backup \u0026amp; Replication server and the repository we will back up to. Remember that if a repository does not appear, you must grant access to it in the repository properties, in the “Access Permissions” menu. The plug-in is now configured on the SAP HANA server; to validate the configuration we review the backup configuration in SAP HANA Studio, where we will see:\n```text\nBackint Agent: /opt/veeam/VeeamPluginforSAPHANA/hdbbackint\n```\nWhich is the path where the configuration files and the Backint interface are hosted. 
In “Log Backup Settings” it is recommended to select “Backint” instead of “File”, since we will be sending both the data backups and the log backups of the database to the Veeam repository.\nNow we only have to run the SAP HANA backup from SAP HANA Studio, since that is how backups must be made to stay within SAP support.\nWe select the database to back up, then the backup type we need, Full, Differential or Incremental, and of course the destination type, which must be Backint:\nThen we click “Next” and “Finish” and watch the backup status; we can also follow it in Veeam Backup \u0026amp; Replication:\nAnd just like that we have SAP HANA backed up into the Veeam repositories through Veeam Plugin for SAP HANA.\nScheduling # Here we come to the question we always get asked:\nHow is SAP HANA backup scheduling done?\nThere are multiple ways to schedule the backups, for example:\nThe schedule of Veeam Agent for Linux\nControl-M\nThe operating system scheduler\nProprietary scheduling tools\nSAP HANA Cockpit\nMany more…\nSo, as I mentioned, there are several ways to schedule SAP HANA backups through Veeam Plugin for SAP HANA. One of the most common is to integrate it with Veeam Agent for Linux, which backs up the SAP HANA configuration files and runs the backup script, configured together with a protection group as we saw in the post on Oracle Linux:\nVeeam Agent Linux – Oracle Linux / Exadata\nhttps://www.24xsiempre.com/veeam-agent-linux-oracle-linux-exadata/\nNow we will see another way to schedule backups, directly from SAP HANA, using SAP HANA Cockpit. But before scheduling backups, let's look at some advanced SAP HANA backup settings. 
In the SAP HANA configuration, in the Backup section, it is possible to change the following parameters:\ndata_backup_buffer_size\nparallel_data_backup_backint_channels\nThey allow the backup to run over multiple streams with the memory buffer that SAP HANA best practice recommends; make sure the system has the memory resources for it. You can review the parameters in the following SAP links:\nhttps://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.04/en-US/5c6a0d4a81db4eebba7f5b2620d53a63.html?q=data_backup_buffer_size\nhttps://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.04/en-US/18db704959a24809be8d01cc0a409681.html\nIn this case we have set 4 streams and a 2048 MB buffer (512 MB per stream):\nIt is very important to review these points with the SAP HANA DBA or with your technology partner, since they are system settings that need to be validated; even so, in this post we are using information taken directly from the SAP HANA manual. Additionally, if you want to enable advanced features or back up the catalog, the DBA also needs to be involved.\nWe now return to SAP HANA Cockpit ( link), which lets us run backups natively integrated with Veeam Plugin for SAP HANA. To open the SAP HANA Cockpit website, in my case the address is https://hxehost:51045/cockpit#Shell-home:\nWhen we open the instance we want to back up we see a backup widget:\nClicking “Backup Schedules” opens the SAP HANA backup configuration with a summary of the backups already made or scheduled. 
Then we click the “ +” icon to add a backup schedule:\nWe select “Schedule a Series of Backups”, go to Step 2 and enter the name of the backup:\nIn step 3, “Backup Settings”, we configure the type of backup:\nThe important settings here are the backup type and the destination, which must be “Backint” so that the backups go to the Veeam Backup \u0026amp; Replication repository through Veeam Plugin for SAP HANA. Then we select how often the backup runs:\nAnd finally the time and the days on which it must run:\nWe enter the time zone, the execution time, the execution days and finally when to activate the task, and save the changes with “Save Schedule”.\nBack on the home page the schedule appears:\nAt the configured time it runs:\nWe also see the task running in Veeam Backup \u0026amp; Replication:\nAnd in SAP HANA Studio we can see the backups made:\nNow let's see the recovery. It can be done from SAP HANA Cockpit or from SAP HANA Studio; in this case we use the traditional way of recovering a database from SAP HANA Studio, using the backups stored in Veeam Backup \u0026amp; Replication:\nRecovery # As we saw in the previous images, we can now easily recover the SAP HANA databases from SAP HANA Studio. We go to the console and select the following:\nSAP HANA then tells us that to recover the database, in this case SYSTEM, the services must be stopped:\nWe wait for the services to stop:\nAnd then we can recover the database, for example to its most recent state:\nWe proceed and, on the next screen, select a backup and click “Check Availability”, the step that confirms the Backint agent can still reach that backup in the Veeam repository:\nThen continue to the end:\nAnd click “Finish” and wait for the recovery:\nWe also see the recovery as a running task in Veeam Backup \u0026amp; Replication.\nWith that we end the post about Veeam Plugin for SAP HANA to protect your environments and 
using existing tools in the solution. All suggestions are welcome!\nRelated posts # Veeam Oracle RMAN Plugin Veeam Agent Linux - Oracle Linux / Exadata Veeam Hardened (Immutable) Repository Veeam Agent for Solaris and Veeam 11a ","date":"6 October 2020","externalUrl":null,"permalink":"/en/posts/veeam-plugin-sap-hana-cockpit/","section":"Blog","summary":"Now it is the turn of another of the plugins, Veeam for SAP HANA, where it is very simple to implement it as well as make the configurations in SAP HANA, in this post, we will see the installation, configuration, scheduling of backups from SAP HANA and of course the data recovery.","title":"Veeam Plugin SAP HANA","type":"posts"},{"content":"","date":"6 October 2020","externalUrl":null,"permalink":"/en/tags/veeam-plugin-sap-hana/","section":"Tags","summary":"","title":"Veeam-Plugin-Sap-Hana","type":"tags"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/dkms/","section":"Tags","summary":"","title":"Dkms","type":"tags"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/exadata/","section":"Tags","summary":"","title":"Exadata","type":"tags"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/instalacion-veeam-agent-linux-oracle/","section":"Tags","summary":"","title":"Instalacion-Veeam-Agent-Linux-Oracle","type":"tags"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/kernel-uek/","section":"Tags","summary":"","title":"Kernel-Uek","type":"tags"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-linux/","section":"Tags","summary":"","title":"Oracle-Linux","type":"tags"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-uek/","section":"Tags","summary":"","title":"Oracle-Uek","type":"tags"},{"content":"","date":"29 September 
2020","externalUrl":null,"permalink":"/en/tags/snapshotless/","section":"Tags","summary":"","title":"Snapshotless","type":"tags"},{"content":" Having reviewed Oracle database support and the integration with Oracle Cloud Object Storage, now we look at data protection with Veeam Agent for Linux: protecting Oracle Linux operating systems, Exadata appliances, folders or any important data on those systems, reviewing the installation method on a UEK kernel versus a Red Hat kernel, and installing the kernel packages and dependencies with the exact versions Veeam Agent for Linux needs.\nIntroduction # This is one of the questions I am asked most often. Technically Oracle Linux and Red Hat are very similar, but Oracle ships its own kernel, known as UEK (Unbreakable Enterprise Kernel); the following link lists all the releases, when they came out and the latest ones:\nhttps://blogs.oracle.com/scoter/oracle-linux-and-unbreakable-enterprise-kernel-uek-releases\nIn addition, many companies already have or are considering Oracle Exadata, an appliance optimized for the database service with integration into Oracle's public cloud (I will not go into detail, there is plenty of information online). Its x86 version is based on Oracle Enterprise Linux, so it can be protected with Veeam Agent for Linux; I have seen Exadata with different versions of Oracle Linux, for example from OEL 6 to OEL 7.7. 
The latest Exadata releases ship OEL 7.7 with UEK5, as indicated in the documentation:\nhttps://docs.oracle.com/en/engineered-systems/exadata-database-machine/dbmso/new-features-exadata-system-software-release-19.html#GUID-3B6B74A6-F225-4BD7-813D-BDC6053CE122\nHaving looked at Oracle Linux and Exadata, we also need the operating systems Veeam supports for backups on these systems. For Oracle Linux, the Veeam Agent for Linux 4.0 system requirements list:\nOracle Linux 6 – 8.2 (RHCK)\nOracle Linux 6 (starting from UEK R1) – Oracle Linux 8.0 (up to UEK R6)\nThe up-to-date list, with its footnotes, is in the Veeam Agent for Linux manual:\nhttps://helpcenter.veeam.com/docs/agentforlinux/userguide/system_requirements.html?ver=40\nConfiguration # Now that we know these systems are supported by Veeam Agent for Linux, we proceed to the important part, installing the dependencies it requires. First we must know which kernel and system version we are going to protect; in my case:\nFrom the image we see an Oracle Linux 7.7 with kernel 4.14.35-2025.400.9.el7uek.x86_64, so we return to the dependencies of Veeam Agent for Linux, which on a UEK kernel are:\ndkms\nkernel-uek-devel\nA UEK kernel needs those packages so that the veeamsnap module can be built for it. On a Red Hat Compatible Kernel you would only need kernel-headers for exactly the running kernel version, since Veeam ships the prebuilt kmod-veeamsnap package for it. 
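The version-matching rule above (and the EPEL repository definition added in the next step) is easy to get wrong by hand on a fleet of database servers. The following script is an added example for this post, not Veeam's code: it decides which packages a given kernel needs, compares that against what `rpm -q` reports, and reviews a yum `.repo` file before it is dropped into `/etc/yum.repos.d`. The `uname -r` value is the one from the post; the `rpm -q` output and the RHCK package choice (kernel-headers, as the paragraph above states) are this example's constructed inputs and assumptions.

```python
"""Plan the Veeam Agent for Linux kernel dependencies on Oracle Linux.

Added example for this post, not Veeam's code. It applies the rule given
above: on a UEK kernel the veeamsnap module is built locally, so dkms and a
kernel-uek-devel package of exactly the running kernel version are required;
on the Red Hat Compatible Kernel the prebuilt kmod-veeamsnap is used and only
kernel-headers for the running version is needed. It also reviews a yum .repo
definition before it goes into /etc/yum.repos.d. Inputs are the text of
`uname -r` and of `rpm -q <pkg>` (one line per package); the samples below
are constructed for this example.
"""
import configparser
from urllib.parse import urlsplit


def kernel_flavor(uname_r):
    """'4.14.35-2025.400.9.el7uek.x86_64' -> 'uek'; '3.10.0-1062.el7.x86_64' -> 'rhck'."""
    return "uek" if "uek" in uname_r else "rhck"


def required_packages(uname_r):
    """Package names (with the exact kernel version) that must be installed."""
    if kernel_flavor(uname_r) == "uek":
        return ["dkms", "kernel-uek-devel-" + uname_r]
    return ["kernel-headers-" + uname_r]


def missing_packages(uname_r, rpm_q_output):
    """Diff the requirement against `rpm -q` output.

    rpm -q prints the installed NVRA for each package, or
    'package X is not installed'. A devel package for a different kernel
    version does not count: the versions must match exactly.
    """
    installed = {line.strip() for line in rpm_q_output.splitlines()
                 if line.strip() and not line.startswith("package ")}
    missing = []
    for pkg in required_packages(uname_r):
        if pkg == "dkms":
            satisfied = any(name.startswith("dkms-") for name in installed)
        else:
            satisfied = pkg in installed
        if not satisfied:
            missing.append(pkg)
    return missing


def yum_command(missing):
    """The install command to run, or '' when nothing is missing."""
    return "yum install " + " ".join(missing) if missing else ""


def repo_findings(repo_text):
    """Review a .repo file: signed packages only, and a TLS mirror."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep $releasever/$basearch literal
    cfg.read_string(repo_text)
    findings = []
    for section in cfg.sections():
        repo = cfg[section]
        if repo.get("gpgcheck", "0") != "1":
            findings.append(section + ": gpgcheck is not 1, unsigned packages would install")
        if not repo.get("gpgkey"):
            findings.append(section + ": no gpgkey, signatures cannot be verified")
        url = repo.get("baseurl", "")
        if urlsplit(url).scheme != "https":
            findings.append(section + ": baseurl is not https: " + url)
    return findings


if __name__ == "__main__":
    uname_r = "4.14.35-2025.400.9.el7uek.x86_64"           # kernel from the post
    rpm_q = ("package dkms is not installed\n"              # constructed rpm -q output
             "kernel-uek-devel-4.14.35-1902.300.11.el7uek.x86_64\n")
    print(yum_command(missing_packages(uname_r, rpm_q)))
    epel = """[ol7_epel]
name=Oracle Linux $releasever EPEL ($basearch)
baseurl=http://yum.oracle.com/repo/OracleLinux/OL7/developer_EPEL/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
"""
    for finding in repo_findings(epel):
        print("-", finding)
```

With the constructed `rpm -q` output (an older kernel-uek-devel already present), the planner still reports the devel package as missing, which is exactly the mismatch that breaks the veeamsnap build. The repo review accepts the post's EPEL definition except for its plain-http `baseurl`.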
In our case we have a UEK kernel, so we install the devel package matching the running kernel with:\n```bash\nyum install kernel-uek-devel-$(uname -r)\n```\nAnswering “Y” installs the package and its dependencies.\nWith that package installed we need DKMS (Dynamic Kernel Module Support), which builds Veeam's veeamsnap kernel module for the running kernel. We must make sure that the kernel-uek and kernel-uek-devel versions are exactly the same, otherwise the module is built against the wrong headers:\nOnce the versions match, we install DKMS with:\n```bash\nyum install dkms\n```\nThis command returns an error, because the Oracle Linux EPEL (Extra Packages for Enterprise Linux) repository is not enabled, so we add it. Create the repository file:\n```bash\ncd /etc/yum.repos.d/\nvi epel.repo\n```\nAnd type/paste the following (gpgcheck=1 with Oracle's key keeps yum from installing unsigned packages; yum.oracle.com also serves https, which is preferable for the baseurl):\n```ini\n[ol7_epel]\nname=Oracle Linux $releasever EPEL ($basearch)\nbaseurl=http://yum.oracle.com/repo/OracleLinux/OL7/developer_EPEL/$basearch/\ngpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle\ngpgcheck=1\nenabled=1\n```\nWith that in place we run the dkms installation again:\n```bash\nyum install dkms\n```\nVeeam Backup \u0026amp; Replication # We now have the dependencies Veeam Agent for Linux requires on Oracle Linux or Exadata with a supported version; it is just a matter of adding the servers to a protection group in Veeam Backup \u0026amp; Replication:\nIn the image you see the creation of a protection group; when you click “FINISH”, the Veeam Backup \u0026amp; Replication console installs Veeam Agent for Linux automatically (if you need to install it manually, download the packages from veeam.com and install them directly on the server):\nWith this we are ready to back up 
our Oracle Linux or Exadata at the file / filesystem level and integrate it with Veeam Plugin for Oracle RMAN, described in this post:\nVeeam Oracle RMAN Plugin\nhttps://www.24xsiempre.com/veeam-oracle-rman-plugin/ (How to configure Veeam Plugin for Oracle RMAN)\nA recommendation: when you configure the backup job with Veeam Agent for Linux on an Oracle Database, Oracle RAC or Oracle Exadata, use the File Level Backup and Snapshotless backup options to protect only the folders that need backing up, and add Veeam Plugin for Oracle RMAN for the database itself:\nAnd the rest, the configuration of the backup jobs, is well known.\nRelated posts # Veeam Oracle RMAN Plugin Best practices Veeam Oracle RMAN plugin Veeam Explorer Oracle RMAN Protecting Oracle KVM with Veeam ","date":"29 September 2020","externalUrl":null,"permalink":"/en/posts/veeam-agent-linux-oracle-linux-exadata/","section":"Blog","summary":"And since we have reviewed Oracle database support, integration with Oracle Cloud using Object Storage, now we need to see data protection with Veeam Agent for Linux, for the protection of Oracle Linux operating systems, Exadata Appliances, folders or any important data of the systems to be protected as well as reviewing the installation method in a UEK Kernel vs a RedHat Kernel and of course installing Kernel versions and dependencies with the same versions that you need. 
Veeam Agent for Linux.","title":"Veeam Agent Linux - Oracle Linux / Exadata","type":"posts"},{"content":"","date":"29 September 2020","externalUrl":null,"permalink":"/en/tags/veeam-exadata/","section":"Tags","summary":"","title":"Veeam-Exadata","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/categories/capacity-tier/","section":"Categories","summary":"","title":"Capacity-Tier","type":"categories"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/oracle/","section":"Tags","summary":"","title":"Oracle","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-cloud/","section":"Tags","summary":"","title":"Oracle-Cloud","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-cloud-object-storage/","section":"Tags","summary":"","title":"Oracle-Cloud-Object-Storage","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/s3-compatible/","section":"Tags","summary":"","title":"S3-Compatible","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/scale-out-backup/","section":"Tags","summary":"","title":"Scale-Out-Backup","type":"tags"},{"content":" Lately some people have asked me if Veeam supports or works with the Oracle Cloud Object Storage service, to configure it in Veeam Capacity Tier and since in the previous post we talked about Oracle, in this post we will see how to integrate the Oracle Cloud Object Storage service with a Veeam Scale-Out Backup Repository or SOBR and demonstrate the benefits of having a multi-cloud mobility solution.\nIntroduction # To know more about Veeam Capacity Tier, configurations, requirements, etc. 
(since we will not go into the details of Capacity Tier in this guide), we must review the official documentation for the supported services:\nhttps://helpcenter.veeam.com/docs/backup/vsphere/capacity_tier.html?ver=100\nAs the link shows, there is no “direct support” for Oracle Cloud Object Storage, but there is an option listed as “S3-compatible object storage repository”, so we must confirm whether it can be added that way.\nFor that, the Veeam forums ( Forums Veeam, registration required) keep an “unofficial”, community-maintained list of the Object Storage providers known to work, including whether they support immutability; it is updated constantly:\nhttps://forums.veeam.com/object-storage-f52/unoffizial-compatibility-list-for-veeam-cloud-tier-t56956.html\nIn that list Oracle Cloud Object Storage (Cloud Object Storage) appears as “Compatible”, which tells us the two solutions work together, so let's configure it! 
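Two details of the configuration that follows deserve a worked example: the Service Point name that Veeam asks for (the S3-compatible endpoint, not the native Object Storage API host) and the permissions of the IAM user whose secret key Veeam will store. The script below is an added example for this post, not Veeam's or Oracle's code. The endpoint format is the one the post gives further down, `<namespace>.compat.objectstorage.<region>.oraclecloud.com`; the namespace and region shapes it validates are this example's assumptions about OCI naming. The policy statements use OCI's `Allow group ... to <verb> <resource> in compartment ...` grammar and are this example's suggestion for a dedicated backup group rather than the Administrators group; confirm the verbs Veeam needs against the Veeam and OCI documentation before applying them.

```python
"""Service Point and IAM policy for Veeam Capacity Tier on Oracle Cloud Object Storage.

Added example for this post, not Veeam's or Oracle's code. It builds and
validates the S3-compatible endpoint Veeam asks for as "Service Point" and
renders least-privilege IAM policy statements for a dedicated backup group.
The namespace/region patterns and the policy verbs are this example's
assumptions; check them against the OCI and Veeam documentation.
"""
import re

NAMESPACE_RE = re.compile(r"^[a-z0-9]{1,64}$")
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")      # e.g. us-ashburn-1, sa-santiago-1
SERVICE_POINT_RE = re.compile(
    r"^(?P<namespace>[a-z0-9]{1,64})\.compat\.objectstorage\."
    r"(?P<region>[a-z]{2}-[a-z]+-\d)\.oraclecloud\.com$")


def service_point(namespace, region):
    """Compose the S3-compatible endpoint from the tenancy namespace and region."""
    namespace, region = namespace.strip(), region.strip().lower()
    if not NAMESPACE_RE.match(namespace):
        raise ValueError("Object Storage namespace looks wrong: %r" % namespace)
    if not REGION_RE.match(region):
        raise ValueError("region identifier looks wrong (expected e.g. us-ashburn-1): %r" % region)
    return "%s.compat.objectstorage.%s.oraclecloud.com" % (namespace, region)


def is_service_point(value):
    """True only for the S3-compatible host, not the native objectstorage.<region> API host."""
    return SERVICE_POINT_RE.match(value.strip()) is not None


def parse_service_point(value):
    """Recover (namespace, region) from a Service Point already typed into Veeam."""
    m = SERVICE_POINT_RE.match(value.strip())
    if not m:
        raise ValueError("not an S3-compatible Oracle Cloud endpoint: %r" % value)
    return m.group("namespace"), m.group("region")


def backup_policy(group, compartment, bucket):
    """Least-privilege statements: list buckets, full object access to one bucket only."""
    return [
        "Allow group %s to read buckets in compartment %s" % (group, compartment),
        "Allow group %s to manage objects in compartment %s where target.bucket.name='%s'"
        % (group, compartment, bucket),
    ]


if __name__ == "__main__":
    # Constructed namespace; the region is the one used in the post.
    endpoint = service_point("mytenancyns1", "us-ashburn-1")
    print(endpoint, parse_service_point(endpoint))
    for statement in backup_policy("VeeamBackup", "Backups", "veeam-sobr"):
        print(statement)
```

Attach the rendered statements to a group that contains only the backup user, then generate that user's Customer Secret Key for Veeam; if the key ever leaks from the Veeam server, the blast radius is one bucket instead of the whole tenancy.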
It is very important to validate with Veeam support if you need a guarantee of operation.\nBucket Creation # With our Oracle Cloud account ready (for tests you can use the Oracle Cloud Free Tier, which provides 10 GB of Object Storage), we must create the credentials that will access the Oracle Cloud services. In the Oracle Cloud console we go to Identity \u0026gt; Users:\nThen we create a user by pressing “Create User”, selecting the IAM user type, and enter the username, description and e-mail if you have it, to finally see the created user and its details.\nWe add the user to the Administrators group. Keep in mind that this turns a backup credential into a tenancy-wide administrator: if the secret key leaks from the Veeam server, the attacker holds the whole tenancy. For production, prefer a dedicated group with an IAM policy limited to the backup bucket and its objects, which is the only access Veeam needs here.\nThen we create the “Customer Secret Keys” used to authenticate to the Object Storage service: click “Generate Secret Key”, enter a name for the key and copy the generated secret, since it is shown only once.\nThe new key then appears in the Customer Secret Keys table.\nNow, still in the Oracle Cloud console, we go to the Object Storage administration, where we create the Bucket that will store the backups sent by Veeam Capacity Tier. Click “Create Bucket”, enter a unique name and select the following options:\nOnce created, the bucket is listed with the name we entered.\nWith the Object Storage bucket created in Oracle Cloud, we can start the configuration of Veeam Backup \u0026amp; Replication.\nSOBR Configuration in Veeam Backup # Since we already know that the Oracle Cloud Object Storage service works with Veeam Backup \u0026amp; Replication (which is why we checked the compatibility in the Veeam forums), we only have to do the configuration, which is simple: we add an Object Storage repository of type S3 Compatible.\nThen we enter the name of the Repository, click Next and here comes the interesting part, where we 
must enter the Service Point, the Region and the credentials we generated earlier as “Customer Secret Keys”.\nHere I will explain something very important about where that data comes from. First we need the URL of the Service Point, which follows this naming scheme:\n```text\n\u0026lt;object-storage-namespace\u0026gt;.compat.objectstorage.\u0026lt;region\u0026gt;.oraclecloud.com\n```\nThe region we already know, since the Oracle Cloud console always shows it; the part we need to look up is the Object Storage namespace. For that we open the tenancy menu and click on “Tenancy: My Tenant Name” (in your case, the name assigned to your tenancy), and in the tenancy details we can see the Object Storage namespace. Copy it and you have the Service Point for the Veeam Backup \u0026amp; Replication configuration, which would look like this (in my case the region was us-ashburn-1; the namespace shown is illustrative):\n```text\nasdasdW$AWAXasda.compat.objectstorage.us-ashburn-1.oraclecloud.com\n```\nNow that we have the Service Point, we enter it in the Veeam configuration together with the Region and the credentials generated before. If you wish, you can use a Gateway Server defined in Veeam Backup \u0026amp; Replication to make the Internet connection to the service. Then click Next, where we can see the Bucket:\nThen we create a folder inside the Bucket by clicking “Browse” (in my case I called it Backup, very original 🙂 ):\nOnly if you need it, configure the bucket usage limit in TB; otherwise leave it unconfigured, as well as immutability (remember that this service is only listed as compatible as Object Storage without immutability). Click “Next” to see the configuration summary:\nThen we edit our Scale-Out Backup Repository (SOBR) in Veeam Backup \u0026amp; Replication to enable the Capacity Tier feature and select how to upload backups:\nRemember that the first 
“Copy” option copies the backups produced by Veeam Backup \u0026amp; Replication as soon as the Backup Job finishes, so you have a copy of your backups in the cloud almost at the same time as you have them on-premises. The second option, “Move”, moves backups older than a certain number of days to free up space on your local storage, while still allowing granular recoveries as well as full virtual machine restores directly from Object Storage.\nApply the configuration and run a backup of your virtual machines; you can then watch the data being uploaded in the Veeam Backup \u0026amp; Replication statistics:\nAnd finally you can confirm that your backups are reaching the Object Storage service in Oracle Cloud by opening the Oracle Cloud console and browsing inside the Bucket:\nIn the image above we see the folders created by Veeam Backup \u0026amp; Replication as well as the backup we sent.\nIn summary, it is possible to use the Oracle Cloud Object Storage service with Veeam Backup \u0026amp; Replication, for those evaluating the service or already Oracle Cloud customers.\nThis demonstrates the multi-cloud mobility of Veeam Backup \u0026amp; Replication, which lets us keep copies of our backups on multiple platforms or cloud services to recover quickly after a disaster or a ransomware attack. Keep in mind that this copy is not immutable (the service is compatible only without immutability), so an attacker holding the credentials stored in Veeam could delete it; keep those credentials scoped to the bucket and consider an immutable target for the ransomware scenario.\nRegards!\nRelated posts # Veeam Oracle RMAN Plugin Veeam Oracle Weblogic Veeam Cloud Connect Performance Chile Law 21.719: technical compliance manual with Veeam ","date":"21 September 2020","externalUrl":null,"permalink":"/en/posts/veeam-capacity-tier-oracle-cloud-object-storage/","section":"Blog","summary":"Lately some people have asked me if Veeam supports or works with the Oracle Cloud Object Storage service, to configure it in Veeam Capacity Tier and since in the previous post we 
talked about Oracle, in this post we will see how to integrate the Oracle Cloud Object Storage service with a Veeam Scale-Out Backup Repository or SOBR and demonstrate the benefits of having a multi-cloud mobility solution.","title":"Veeam Capacity Tier Oracle Cloud Object Storage","type":"posts"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/veeam-backup-amp-replication/","section":"Tags","summary":"","title":"Veeam-Backup-\u0026Amp;-Replication","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/veeam-capacity-tier/","section":"Tags","summary":"","title":"Veeam-Capacity-Tier","type":"tags"},{"content":"","date":"21 September 2020","externalUrl":null,"permalink":"/en/tags/veeam-sobr/","section":"Tags","summary":"","title":"Veeam-Sobr","type":"tags"},{"content":"","date":"14 September 2020","externalUrl":null,"permalink":"/en/tags/backup-amp-replication/","section":"Tags","summary":"","title":"Backup-\u0026Amp;-Replication","type":"tags"},{"content":"","date":"14 September 2020","externalUrl":null,"permalink":"/en/tags/cluster/","section":"Tags","summary":"","title":"Cluster","type":"tags"},{"content":"","date":"14 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-asm/","section":"Tags","summary":"","title":"Oracle-Asm","type":"tags"},{"content":"","date":"14 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-backup-veeam/","section":"Tags","summary":"","title":"Oracle-Backup-Veeam","type":"tags"},{"content":"","date":"14 September 2020","externalUrl":null,"permalink":"/en/tags/oracle-rac/","section":"Tags","summary":"","title":"Oracle-Rac","type":"tags"},{"content":"","date":"September 14, 2020","externalUrl":null,"permalink":"/es/tags/respaldo-oracle/","section":"Etiquetas","summary":"","title":"Respaldo-Oracle","type":"tags"},{"content":"","date":"September 14, 
2020","externalUrl":null,"permalink":"/es/tags/respaldo-oracle-veeam/","section":"Etiquetas","summary":"","title":"Respaldo-Oracle-Veeam","type":"tags"},{"content":"","date":"14 September 2020","externalUrl":null,"permalink":"/en/tags/rman-oracle-script/","section":"Tags","summary":"","title":"Rman-Oracle-Script","type":"tags"},{"content":"","date":"September 14, 2020","externalUrl":null,"permalink":"/es/tags/script-rman-oracle/","section":"Etiquetas","summary":"","title":"Script-Rman-Oracle","type":"tags"},{"content":" This time we will review the installation, configuration and backup with scripts (and of course tips) to get Veeam Oracle RMAN Plugin fully functional, since I\u0026rsquo;m always asked about this solution in different places — it\u0026rsquo;s a simple, flexible and reliable solution to store RMAN (Recovery Manager) backups. This post focuses only on Oracle RAC on Linux with ASM and database recovery with Veeam Explorer for Oracle. This is a 4-in-1 post.\nIntroduction # First of all we need to know something very important: Veeam Oracle RMAN Plugin is a tool that works together with Recovery Manager (RMAN), which is Oracle\u0026rsquo;s native backup solution and which allows vendor-supported backups to be performed.\nWith that said, we\u0026rsquo;re going to briefly explain what Veeam Oracle RMAN Plugin is and what it does, since as we know the backup is performed by RMAN working together with the Plugin.\nOf course, there are other ways to back up Oracle databases with Veeam — for example, with Veeam Agent for Linux or with the native Oracle integration for virtualized environments. We\u0026rsquo;ll cover those in other posts.\nWhat is Veeam Oracle RMAN Plugin? # This Plugin is an Oracle-certified Veeam solution (Certification Link) to perform backups with RMAN and store them in the Veeam Backup \u0026amp; Replication repository. 
You can store backups of your Oracle databases running in a cluster (Oracle RAC) or without a cluster (standalone using ASM), and of course perform recovery through Veeam Explorer for Oracle RMAN.\nTechnically, the Veeam Oracle RMAN Plugin is an SBT (media management) library that you configure in RMAN, so that RMAN uses the library to reach the Veeam Backup & Replication repositories and store the backups there with whatever retention policy RMAN is configured with.\nInstallation # Before installing, you must meet the system requirements and supported versions of the Veeam Oracle RMAN Plugin, which you can find at:\nhttps://helpcenter.veeam.com/docs/backup/plugins/system_requirements.html?ver=100\nThe Oracle RAC I have installed in my lab consists of 2 nodes with the following details:\nOperating System: Oracle Linux 7.8\nCPU: 8 vCPU\nRAM: 16 GB\nOS Disk: 50 GB\nOracle iSCSI Disks: 8 x 20 GB (shared)\nOracle Version: 19.3.0.0.0\nOracle Grid Version: 19.0.0.0.0\nASM: Yes\nDatabases: BRAZIL, CHILE, RAC19C\nTable: Oracle RAC Lab 24xSiempre Details\nView of the RAC configuration with the command:\nOnce we're completely sure we have the supported versions, we need to download or mount the Veeam Backup & Replication ISO to copy the Veeam Oracle RMAN Plugin installation package:\nIn my case, as of the date of this post, the latest version of the Veeam Oracle RMAN Plugin is:\nVeeamPluginforOracleRMAN-10.0.1.4854-1.x86_64.rpm\nWe will use the 64-bit RPM package and install it on all Oracle RAC nodes, which is the recommended way, since RMAN can decide which node performs the backup through a feature called RMAN Node Affinity Awareness.\nCopy the file to the nodes however you prefer; in my case I'll do it with WinSCP:\nAs shown in the image above, I copied the RPM as the root user to both RAC nodes (20.20.20.91 and 20.20.20.92).\nSomething very important and key for the installation of the Veeam Oracle RMAN Plugin is that it must be installed with the 
\"root\" user and then configured with the Oracle user, which is generally \"oracle\". Use this as a general rule: if you configure the plugin as \"root\" you won't have the Oracle environment variables loaded and will therefore get errors.\nNow we'll install the plugin on both nodes with the following command. Since the package is installed as root, it is worth running rpm -K on it first to confirm that its digests are intact (and its signature, if the Veeam signing key is imported) and that it is the same file you copied from the ISO:\nLinux:\nrpm -ivh VeeamPluginforOracleRMAN-10.0.1.4854-1.x86_64.rpm\nSolaris SPARC:\npkgadd -d /VeeamPluginforOracleRMAN-10.0.1.4854-1.SPARC.pkg\nSince my Oracle RAC is on Oracle Linux I'll use the Linux command. If you have an Oracle RAC on SPARC, use the command for that operating system. When running it on each node, you'll get this result:\nNode 1:\n[root@rac19cn1 ~]# rpm -ivh VeeamPluginforOracleRMAN-10.0.1.4854-1.x86_64.rpm\nPreparing...                          ################################# [100%]\nUpdating / installing...\n   1:VeeamPluginforOracleRMAN-10.0.1.4################################# [100%]\nRun \"OracleRMANConfigTool --wizard\" to configure the Veeam Plug-in for Oracle RMAN\n[root@rac19cn1 ~]#\nNode 2:\n[root@rac19cn2 ~]# rpm -ivh VeeamPluginforOracleRMAN-10.0.1.4854-1.x86_64.rpm\nPreparing...                          ################################# [100%]\nUpdating / installing...\n   1:VeeamPluginforOracleRMAN-10.0.1.4################################# [100%]\nRun \"OracleRMANConfigTool --wizard\" to configure the Veeam Plug-in for Oracle RMAN\n[root@rac19cn2 ~]#\nAs I explained earlier, for the configuration we will use the Oracle user, which in this case is \"oracle\".\nConfiguration # Now we must connect via SSH as the \"oracle\" user, or whichever user owns the Oracle installation, to run the Veeam Plugin for Oracle RMAN configuration. 
Something very important is that the user must have the Oracle environment variables loaded; otherwise, load the profile first.\nOften different database administrators (DBAs) prefer to keep a profile file per Oracle instance, while others configure the variables directly in the user's default profile. Before running the configuration, check how the profile is loaded and which variables it sets.\nAs the message indicated when we installed the plugin, we must run the command \"OracleRMANConfigTool --wizard\" as the oracle user, which outputs the following:\n[oracle@rac19cn2 ~]$ OracleRMANConfigTool --wizard\nEnter backup server name or IP address: veeam24xs.24xsiempre.cl\nEnter backup server port [10006]:\nEnter username: 24xsiempre\\veeam\nEnter password for 24xsiempre\\veeam:\nVeeam repositories:\n1. Default Backup Repository\nSpecify up to 4 Veeam repositories to use as target using whitespace as a separator: 1\nEnter the number of data streams (From 1 to 254) to send to each repository concurrently(RMAN DEVICE PARALLELISM value).\nChannel count per device [1]: 4\nEnable Veeam compression? (Y/n): n\nCannot find any Oracle instances. Please apply the following RMAN settings manually:\nCONFIGURE DEFAULT DEVICE TYPE TO SBT_TAPE;\nCONFIGURE CHANNEL DEVICE TYPE SBT_TAPE PARMS 'SBT_LIBRARY=/opt/veeam/VeeamPluginforOracleRMAN/libOracleRMANPlugin.so' FORMAT '88788f9e-d8f5-4eb4-bc4f-9b3f5403bcec/RMAN_%I_%d_%T_%U.vab';\nCONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE SBT_TAPE TO 1;\nCONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE SBT_TAPE TO 1;\nCONFIGURE DEVICE TYPE SBT_TAPE PARALLELISM 4;\nCONFIGURE CONTROLFILE AUTOBACKUP ON;\nCONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE SBT_TAPE TO '%F_RMAN_AUTOBACKUP.vab';\nChannel definition for RMAN scripts:\nALLOCATE CHANNEL VeeamAgentChannel1 DEVICE TYPE SBT_TAPE PARMS 'SBT_LIBRARY=/opt/veeam/VeeamPluginforOracleRMAN/libOracleRMANPlugin.so' FORMAT '88788f9e-d8f5-4eb4-bc4f-9b3f5403bcec/RMAN_%I_%d_%T_%U.vab';\nSave configuration?\n1. Apply configuration to the Oracle environment\n2. Export configuration into a file for manual setup\n3. Cancel without saving\nEnter: 3\n*** No Oracle database instances were configured ***\nIn the output above two lines matter, 7 and 12, and we can also see that the plugin could not be configured.\nRegarding line 7, the wizard only lists the repositories the user has been granted access to; that is, in the repository configuration of Veeam Backup & Replication, in the \"Access Permissions\" section, the Default Backup Repository allows access to everyone by default. The first time we configure the plugin we'll always see this repository, for example:\nTo give access to other repositories, I recommend setting \"Deny to Everyone\" on the \"Default Backup Repository\", or allowing only the users who will write to it through the Veeam Oracle RMAN Plugin. The account you enter in the wizard is the identity the plugin uses against the backup server, so use a dedicated account for the RMAN plugin rather than a personal or administrator account, and grant it only the repository it needs. 
In my case I'll block access to the Default Backup Repository and allow access to a Scale-Out Backup Repository (SOBR) to store the backups:\nRegarding line 12, this is directly related to the Oracle version running in the RAC: starting with 12.2.0.1.171017 GI RU/PSU (patch 26737266) and 12.2.0.1.171017 OCW RU/PSU (patch 26729536), per MOS Note Doc ID 2329359.1, the way instances are registered in the /etc/oratab file changed; that is, the file is no longer updated with the names of the instances running in the Oracle RAC.\nWhen the Veeam Oracle RMAN Plugin is configured, it reads /etc/oratab to detect instance names, so if the instances are not in this file the plugin cannot be configured.\nThere are two solutions: the first is to add the name of each instance running in the Oracle RAC manually (which I don't like), and the second is to run a script that reads the RAC instances and updates /etc/oratab. We'll implement a script here to automate the update of that file.\nNote: in Veeam Backup & Replication version 11 this workaround will no longer be needed.\nAs a recommendation, it should be run on all Oracle RAC nodes (RMAN Node Affinity Awareness). Keep in mind that the script truncates and rewrites /etc/oratab, so it must run as a user allowed to write that file, and that the empty answers in the heredoc at the end accept the backup server, credentials and repository saved by the first interactive run of the wizard:\noriginal=\"#\\n\\n\\n\\n# This file is used by ORACLE utilities. It is created by root.sh\\n# and updated by either Database Configuration Assistant while creating\\n# a database or ASM Configuration Assistant while creating ASM instance.\\n\\n# A colon, ':', is used as the field terminator. A new line terminates\\n# the entry. Lines beginning with a pound sign, '#', are comments.\\n#\\n# Entries are of the form:\\n# \\$ORACLE_SID:\\$ORACLE_HOME:<N|Y>:\\n#\\n# The first and second fields are the system identifier and home\\n# directory of the database respectively. The third field indicates\\n# to the dbstart utility that the database should , \\\"Y\\\", or should not,\\n# \\\"N\\\", be brought up at system boot time.\\n#\\n# Multiple entries with the same \\$ORACLE_SID are not allowed.\\n# \\n# \\n\" # oratab header; the \\$ keeps the variable names literal instead of expanding them\npath=\"/oracle/grid/19.3.0/grid_home/bin/crsctl\"\ncat /dev/null > /etc/oratab\nprintf \"$original\" >> /etc/oratab\nfor resource in $($path status resource -w \"((TYPE = ora.database.type) AND (LAST_SERVER = $(hostname -s)))\" | grep ^NAME | sed 's/.*=//')\ndo\nfull_resource=$($path status resource -w \"((NAME = $resource) AND (LAST_SERVER = $(hostname -s)))\" -f)\ndb_name=$(echo \"$full_resource\" | grep ^DB_UNIQUE_NAME | awk -F= '{ print $2 }')\nora_home=$(echo \"$full_resource\" | grep ^ORACLE_HOME= | awk -F= '{ print $2 }')\ninstance=\"1\" # Change the number based on the node and instance number\noracle=\"$db_name$instance:$ora_home:N\\n\"\nprintf \"$oracle\" >> /etc/oratab\ndone\n# Reconfigure the Veeam plugin with the saved settings\necho=\"\"\nno=\"n\" # change to \"y\" if you need to enable Veeam compression\nuno=\"1\" # apply changes\nexec >> /home/oracle/veeam.log 2>&1 # log path\nOracleRMANConfigTool --wizard <<EOF\n$echo\n$echo\n$echo\n$echo\n$echo\n$echo\n$no\n$uno\nEOF\nCopy the file to the nodes with the name addoratab.sh and give it execution permissions with chmod +x addoratab.sh. Something key, as seen in line 10: the number must be changed according to the RAC node; for example, in node 1 the instance name would be \"CHILE1\" and in node 2 it would be \"CHILE2\". 
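The script above bakes the node number into each copy (instance="1" on node 1, "2" on node 2) and empties /etc/oratab before rewriting it. As an added example, not code from the original post, the following bash functions derive the local instance name from the cluster registry itself and replace the file atomically. It assumes that crsctl status resource ... -f prints a GEN_USR_ORA_INST_NAME@SERVERNAME(<host>)=<instance> attribute per node for each ora.<db>.db resource, which is how 12c and 19c clusters expose it; confirm on your own nodes with crsctl status resource ora.<db>.db -f. The crsctl output embedded in the block is a constructed sample that reuses the lab's host names and Oracle home, and the function names (oratab_entries_from_crsctl, write_oratab, demo_oratab) are the example's own.

```shell
#!/bin/bash
# Added example, not from the original post: rebuild the local node's
# /etc/oratab entries from "crsctl status resource -f" output, taking the
# instance name from the per-server GEN_USR_ORA_INST_NAME@SERVERNAME(<host>)
# attribute instead of hardcoding the node number, and replacing the file
# atomically. The attribute name is assumed from 12c/19c clusters; verify it
# with: crsctl status resource ora.<db>.db -f
set -u

# oratab_entries_from_crsctl <crsctl -f output> <short hostname>
# Prints one "INSTANCE:ORACLE_HOME:N" line per ora.*.db resource that has an
# instance registered for <short hostname>. Databases with no instance on this
# node are skipped instead of being written with a guessed SID.
oratab_entries_from_crsctl() {
    local output="$1" host="$2"
    printf '%s\n' "$output" | awk -v host="$host" '
        function emit() {
            if (name ~ /^ora\..*\.db$/ && inst != "" && home != "")
                print inst ":" home ":N"
            name = ""; home = ""; inst = ""
        }
        # crsctl -f prints one attribute block per resource, separated by a blank line
        /^NAME=/        { name = $0; sub(/^NAME=/, "", name) }
        /^ORACLE_HOME=/ { home = $0; sub(/^ORACLE_HOME=/, "", home) }
        $0 ~ ("^GEN_USR_ORA_INST_NAME@SERVERNAME\\(" host "\\)=") {
            inst = $0; sub(/^[^=]*=/, "", inst)
        }
        /^$/ { emit() }
        END  { emit() }'
}

# write_oratab <target> [entry ...]
# Keeps the comment header of the existing file, writes the new entries to a
# temp file in the same directory and swaps it in with mv, so readers never
# see a truncated oratab (the original script empties it first).
write_oratab() {
    local target="$1"; shift
    local tmp
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if [ -f "$target" ]; then
        grep -E '^(#|$)' "$target" > "$tmp" || true   # header/comment lines only
    fi
    [ $# -gt 0 ] && printf '%s\n' "$@" >> "$tmp"
    chmod 664 "$tmp"
    mv -f "$tmp" "$target"
}

# Constructed sample (abbreviated) of the output of
#   crsctl status resource -w "(TYPE = ora.database.type)" -f
# on a two-node cluster: CHILE runs on both nodes, BRAZIL only on rac19cn2.
SAMPLE_CRSCTL='NAME=ora.chile.db
TYPE=ora.database.type
DB_UNIQUE_NAME=CHILE
ORACLE_HOME=/oracle/db/19.3.0/db_home
GEN_USR_ORA_INST_NAME@SERVERNAME(rac19cn1)=CHILE1
GEN_USR_ORA_INST_NAME@SERVERNAME(rac19cn2)=CHILE2
LAST_SERVER=rac19cn1

NAME=ora.brazil.db
TYPE=ora.database.type
DB_UNIQUE_NAME=BRAZIL
ORACLE_HOME=/oracle/db/19.3.0/db_home
GEN_USR_ORA_INST_NAME@SERVERNAME(rac19cn2)=BRAZIL2
LAST_SERVER=rac19cn2'

# demo_oratab <short hostname>: run both functions on the sample against a
# scratch copy of oratab and print the resulting entries. On a real node use
# "$(crsctl status resource -w '(TYPE = ora.database.type)' -f)" and
# "$(hostname -s)" instead, with /etc/oratab as the target, as the file owner.
demo_oratab() {
    local scratch entries
    scratch=$(mktemp /tmp/oratab.demo.XXXXXX)
    printf '# oratab header kept by write_oratab\nOLDSID:/old/home:N\n' > "$scratch"
    entries=$(oratab_entries_from_crsctl "$SAMPLE_CRSCTL" "$1")
    # shellcheck disable=SC2086   # one entry per word is intended
    write_oratab "$scratch" $entries
    grep -v '^#' "$scratch"
    rm -f "$scratch"
}

[ "${1-}" = "--demo" ] && demo_oratab "${2:-rac19cn1}"
```

Run it with `--demo rac19cn2` to see the two entries the second node would get; because the instance name comes from the cluster registry, the same file works unchanged on every node, which removes the per-node edit the original script needs. The old OLDSID entry in the scratch file disappears on rewrite, exactly as the original script's truncation intends, but without a window in which /etc/oratab is empty.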
And of course, run the script with sh addoratab.sh or ./addoratab.sh as the \"oracle\" user. You can check the updated file with cat /etc/oratab.\nAfter configuring the Veeam Backup & Replication repository permissions and updating /etc/oratab through the script, we run the plugin wizard again, which now shows the following:\n[oracle@rac19cn1 ~]$ OracleRMANConfigTool --wizard\nEnter backup server name or IP address: veeam24xs.24xsiempre.cl\nEnter backup server port [10006]:\nEnter username: 24xsiempre\\veeam\nEnter password for 24xsiempre\\veeam:\nVeeam repositories:\n1. SOBR\nSpecify up to 4 Veeam repositories to use as target using whitespace as a separator: 1\nEnter the number of data streams (From 1 to 254) to send to each repository concurrently(RMAN DEVICE PARALLELISM value).\nChannel count per device [1]: 4\nEnable Veeam compression? (Y/n): n\nRMAN settings will be applied automatically to the following databases:\nORACLE_SID=BRAZIL1 ORACLE_HOME=/oracle/db/19.3.0/db_home\nORACLE_SID=CHILE1 ORACLE_HOME=/oracle/db/19.3.0/db_home\nORACLE_SID=RAC19C1 ORACLE_HOME=/oracle/db/19.3.0/db_home\nRMAN settings:\nCONFIGURE DEFAULT DEVICE TYPE TO SBT_TAPE;\nCONFIGURE CHANNEL DEVICE TYPE SBT_TAPE PARMS 'SBT_LIBRARY=/opt/veeam/VeeamPluginforOracleRMAN/libOracleRMANPlugin.so' FORMAT '60fc82ee-cedc-458f-beda-346323f93c1e/RMAN_%I_%d_%T_%U.vab';\nCONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE SBT_TAPE TO 1;\nCONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE SBT_TAPE TO 1;\nCONFIGURE DEVICE TYPE SBT_TAPE PARALLELISM 4;\nCONFIGURE CONTROLFILE AUTOBACKUP ON;\nCONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE SBT_TAPE TO '%F_RMAN_AUTOBACKUP.vab';\nChannel definition for RMAN scripts:\nALLOCATE CHANNEL VeeamAgentChannel1 DEVICE TYPE SBT_TAPE PARMS 'SBT_LIBRARY=/opt/veeam/VeeamPluginforOracleRMAN/libOracleRMANPlugin.so' FORMAT '60fc82ee-cedc-458f-beda-346323f93c1e/RMAN_%I_%d_%T_%U.vab';\nSave configuration?\n1. Apply configuration to the Oracle environment\n2. Export configuration into a file for manual setup\n3. Cancel without saving\nEnter: 1\n*** Database instance BRAZIL1 is configured ***\n*** Database instance CHILE1 is configured ***\n*** Database instance RAC19C1 is configured ***\n[oracle@rac19cn1 ~]$\nAs we can see, line 7 now shows only the SOBR assigned for the Oracle backups with the Veeam Oracle RMAN Plugin, and in lines 13, 14 and 15 the wizard recognizes the RAC instances, so RMAN is configured and we can proceed with the backup.\nSomething very important: what happens if I later add another instance to the Oracle RAC? Simple: if the instance is not added to /etc/oratab, the Veeam Oracle RMAN Plugin won't process it. That is why the addoratab.sh script is already prepared so that, when you schedule it to run daily, it adds the new instance and reconfigures the Veeam Oracle RMAN Plugin without manual intervention.\nYou just need to schedule it in crontab as the \"oracle\" user, for example:\n[oracle@rac19cn1 ~]$ crontab -e\nthen add (crontab uses five fields: minute, hour, day of month, month, day of week):\n0 1 * * * /home/oracle/addoratab.sh\nClose with esc :wq. It runs every day at 1 AM.\nBackup # Backing up the RAC databases is literally up to the consumer, or in this case up to the DBAs, since DBAs generally maintain their own carefully crafted scripts to back up the databases.\nWhat if I don't have a script and need to back up my Oracle RAC? Here is a script to back up all the instances running in the Oracle RAC as the \"oracle\" user, logging all the commands, searching the logs for errors, and sending email alerts. (You must configure mailx.) Keep in mind that the mail body contains the full RMAN log of every instance, so send it only to a mailbox you control.\n#!/bin/bash\n. /home/oracle/.bash_profile # Load the profile and the Oracle user environment variables\nMAQUINA=$(hostname) # Machine name\nLOG=/home/oracle # Folder to store logs\nHORA=$(date +%H%M_%d%m%Y) # Time format\nFECHA=$(date +%d%m%Y) # Date format\nCORREO=your-email@example.com # Alert recipient\nAppend=1 # Node number where the script runs (instance suffix)\n# Start of script\nfor ORACLE_SID in $($ORACLE_HOME/bin/srvctl config database) # Loop over the database names registered in the cluster\ndo\nexport ORACLE_SID=$ORACLE_SID$Append\nLOGFILE=${LOG}/${ORACLE_SID}_${FECHA}_${HORA}.log # Build the log file name\nexec >> ${LOGFILE} 2>&1 # Send everything that follows to the log\n# RMAN execution; the customer's own RMAN script can go here\n${ORACLE_HOME}/bin/rman <<EOF\nconnect target /\nrun {\nbackup database plus archivelog;\n}\nLIST BACKUP SUMMARY;\nEOF\necho Database: \"${ORACLE_SID}\" >> ${LOG}/mail # Write the SID to the mail body\ncat ${LOGFILE} >> ${LOG}/mail # Append the RMAN log to the mail body\ndone # End of loop\ngrep -qE 'RMAN-06273|RMAN-00569' ${LOG}/mail # Look for an RMAN failure marker in all the logs (RMAN-00569 precedes every RMAN error stack)\nif [ $? -eq 0 ] # 0 means a marker was found, so send the alert\nthen\nASUNTO='ALERT!: Backup of '${MAQUINA}' has failed' # Alert 1 subject\nelse\ngrep -qi error ${LOG}/mail # Look for the word \"error\" in all the logs, not only the last one\nif [ $? -eq 0 ]\nthen\nASUNTO='ALERT!: Backup of '${MAQUINA}' has failed' # Alert 2 subject\nelse\nASUNTO='Backup '${MAQUINA}' OK' # Everything is fine\nfi\nfi\n## Mail ##\ncat ${LOG}/mail | /usr/bin/mailx -s \"${ASUNTO}\" \"${CORREO}\" # Send the collected logs as the mail body\nrm -f ${LOG}/mail # Remove the temporary mail body\nexit 0\nOn lines 17 to 21, where the RMAN instructions for the backup go, you can edit the script however you want; just don't forget to change the email and the visible parameters, like the node number where it runs. This script performs a full backup of the databases including the archive logs.\nFor the more detail-oriented: the script loops over the databases returned by srvctl config database with a \"for\", appends the node number to build the instance name, enters RMAN and runs the backup. When it finishes with one instance, it continues with the next until all of them are done.\nWhen running the backup script, you will get the following:\nYou'll be able to see the RMAN execution logs for each instance, and if you have mailx configured you'll receive the successful backup notification. In addition, the successful backup is visible in Veeam Backup & Replication:\nWith this we already have our Oracle RAC instance backups running easily. For example, if you want to schedule the backup, just add the backup.sh script to crontab on the days you see fit and edit the RMAN part to perform the backup as needed, or run it with your preferred scheduler or with Veeam Agent for Linux if you have it installed and are backing up some files.\nRecovery # Now that we have backups, they appear in the Veeam Backup & Replication console under Backups, in Disk:\nWe can select the backup to restore it in case of any problem:\nAnd we can see Veeam Explorer for Oracle RMAN:\nSelect the database to recover and configure the requirements:\nAs always, it's important to read the specific information in the Veeam manual:\nhttps://helpcenter.veeam.com/docs/backup/explorers/veor_considerations.html?ver=100\nYou can also restore directly from RMAN with its respective commands.\nLogs # The log files, in case
of installation or configuration problems, are in the path /tmp/veeam_plugin_logs, where you can look for errors or send them to Veeam support in case of any problem, as well as the logs generated by the addoratab.sh and backup.sh scripts, which are stored in /home/oracle/.\nWith that last part we wrap up this first blog post :) What do you think of the first one? Leave your comments or rate it.\nRelated posts #\nBest practices Veeam Oracle RMAN plugin\nVeeam Explorer Oracle RMAN\nSolution Veeam Oracle Permission Denied\nVeeam Agent Linux - Oracle Linux / Exadata\nProtecting Oracle KVM with Veeam\nVeeam Capacity Tier Oracle Cloud Object Storage ","date":"14 September 2020","externalUrl":null,"permalink":"/en/posts/veeam-oracle-rman-plugin/","section":"Blog","summary":"This time we will review the installation, configuration and backup with scripts (and of course tips) to get Veeam Oracle RMAN Plugin fully functional, since I’m always asked about this solution in different places — it’s a simple, flexible and reliable solution to store RMAN (Recovery Manager) backups. This post focuses only on Oracle RAC on Linux with ASM and database recovery with Veeam Explorer for Oracle. This is a 4-in-1 post.","title":"Veeam Oracle RMAN Plugin","type":"posts"},{"content":" Marco Escobar # Lead Solutions Architect @ Veeam · LATAM\nOver 11 years at Veeam covering enterprise customers across LATAM and the USA. Technical escalation lead on complex deals, and regional technical reference for sales teams, partners and customers in Chile, Brazil, Mexico, Argentina, Colombia and other markets across the region.\nDay to day I mix data protection architecture, discovery sessions with customers, POCs, and landing solutions in environments ranging from banks and mining companies to cloud providers.\nOutside the formal role I like to build: security tools, AI governance frameworks, integrations, automation. 
Usually solving a problem of my own first and only then evaluating whether it makes sense to turn it into a product. Lately focused on the intersection of cybersecurity, AI and data protection, where I believe the strategy of the coming years will be.\n24xsiempre.com is where I share what I learn with the community of Solution Architects and sysadmins in the region: technical deep-dives, real configurations and lab experiments.\nTechnical experience #\nData Protection #\nVeeam Data Platform: VBR, Veeam ONE, Veeam Recovery Orchestrator, Veeam Data Cloud\nVeeam Backup for Microsoft 365, Salesforce, AWS, Azure, GCP, Nutanix AHV, Red Hat\nKasten K10: Kubernetes-native data protection and DR\nOracle: RMAN, RAC, ASM, Data Guard (on-premise and Exadata Cloud@Customer)\nPlatforms and Cloud #\nKubernetes: OpenShift, EKS, AKS, GKE, Tanzu, Rancher\nVirtualization: VMware vSphere, Hyper-V, Proxmox, HPE VM Essentials, KVM, oVirt, OpenShift Virtualization, Rancher Harvester, KubeVirt\nPublic and hybrid cloud: AWS, Azure, GCP, OCI\nSystems: Linux at kernel level, Windows Server, PowerShell, Bash, Rust\nCybersecurity #\nRansomware protection and immutable backup architectures\nHardening (STIG, CIS), PAM, appliance security validation\nPentesting and vulnerability analysis\nSecurity frameworks and standards\nIncident response aligned with NIST SP 800-61r3\nThreat intel, eBPF, detection and honeypots\nAI and Automation #\nAutonomous agents for technical and presales workflows\nAI governance in enterprise environments\nIntegrations with Copilot Studio, Salesforce and multi-agent orchestration\nMCP (Model Context Protocol) to connect LLMs with internal tooling\nPresales and Consulting #\nArchitecture design and technical validation for enterprise deals\nPOCs, RFP/RFI response, competitive positioning\nTechnical enablement for partners and regional teams\nLeadership and community #\nBeyond the individual contributor role, a big part of what I do is multiplying technical capacity across the team and the region.\nTrusted Advisor for strategic enterprise customers and the sales teams covering them, from initial architecture to deal close.\nMentoring and enablement of junior SAs and partners across LATAM: technical sessions, shadowing on complex deals, and internal frameworks that lower the learning curve.\nTechnical evangelism at events, webinars and public content. I represent Veeam to the region's technical community.\nCross-functional escalation with product management and engineering: bringing real feedback from our LATAM customers into product decisions, as well as proposing new features across all products.\nInternal tooling used by other teams: governance frameworks, documentation generators and automation of repetitive presales tasks.\nContact #\nLinkedIn: linkedin.com/in/24xsiempre\nGitHub: github.com/mescobarcl\nEmail: marco [at] 24xsiempre.com ","externalUrl":null,"permalink":"/en/about/","section":"Home","summary":"","title":"About","type":"page"}]