Hi Thomas_VDB,
Hi,
Veeam immutable backups require Linux, and as SCALE is Linux-based, can a TrueNAS SCALE box be configured as a hardened/immutable backup repo?
I've read that Veeam's immutable backup principle relies on XFS. And TrueNAS uses ZFS. So no go?
Thomas.
I could just use a regular Linux install to create my immutable backup repo, but my server's HBA card does not do RAID, and I need to present a big volume.
Don't want to go software RAID with regular Linux.
For a real hardened immutable Veeam repo, you'd want a box that is locked down to console-only access: no SSH, no remote management, no web interface etc. I don't know whether TrueNAS can somehow be administered via local console, i.e. how to access the web interface from there. The other point: yes, Veeam uses XFS specifics to achieve immutability. I can think about using a standard install of Linux with OpenZFS and using a ZVOL as a device for XFS, but I've never tried that and can't vouch whether it would work or be practical. But to do it "right", you'll need a separate box for the hardened repository because it won't do anything other than store your data - the reason being: what can't be remote controlled, can't be hacked. And the Veeam services take useful (at least from what I understand) steps to enforce immutability.
The whole MinIO setup would also work but it would take lots and lots of storage because of MinIO versioning saving each version as a full copy - maybe that could be counteracted with ZFS dedup, but I haven't read many success stories for using ZFS dedup yet. If anyone knows some, please point me to them.
Also MinIO immutability relies on the internals of the MinIO software stack - if there's an issue there, you could possibly still lose the data. If MinIO could somehow be integrated with ZFS' immutability flag (e.g. periodically read/copy MinIO's immutability status and set file flags accordingly), that would be pretty neat and much closer to Veeam's own solution in terms of security: unprivileged account for the service that writes the data, and a second, privileged service that sets the immutability flag in the file system - probably keeping track of how long a file should be immutable and preventing the flag from being removed before that time.
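The two-service split described in the post above, sketched as an added example that is not part of the thread and is not Veeam's or MinIO's code: the privileged side keeps a retention ledger, only ever extends deadlines, and derives the `chattr +i` / `chattr -i` calls from it. The function names, the ledger layout and the file paths are assumptions, as is a filesystem that honours the immutable attribute set by `chattr`.

```python
import subprocess

def register(ledger, path, until):
    """Record a retention deadline (epoch seconds) for a backup file.

    The deadline may be extended but never shortened, so a compromised
    writer account cannot talk the privileged service into an early unlock.
    """
    if not path.startswith("/"):
        # Absolute paths only: a name like "-R" must never reach chattr as an option.
        raise ValueError(f"not an absolute path: {path!r}")
    if until < ledger.get(path, 0):
        raise ValueError(f"refusing to shorten retention for {path}")
    ledger[path] = until
    return ledger

def plan(ledger, now):
    """Return (flag, path) actions: '+i' while retained, '-i' once expired."""
    return [("+i" if until > now else "-i", path)
            for path, until in sorted(ledger.items())]

def apply_flags(actions, run=subprocess.run):
    """Privileged step (needs root): set or clear the immutable attribute."""
    for flag, path in actions:
        run(["chattr", flag, path], check=True)

if __name__ == "__main__":
    # Constructed sample data; paths and timestamps are hypothetical.
    ledger = {}
    register(ledger, "/backup/job1.vbk", 1_800_000_000)
    register(ledger, "/backup/job0.vbk", 1_600_000_000)
    for flag, path in plan(ledger, now=1_700_000_000):
        print("chattr", flag, path)  # dry run: shows what apply_flags would execute
```

The writer account never calls `apply_flags`; it can only ask for a deadline via `register`, and the ledger itself has to live where that account cannot write.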