Veeam strives to listen to the community and aims to address the challenges it raises. In Veeam Backup & Replication v10, we saw the first Backup Proxies powered by Linux. In V11, we go even further and extend what those Linux Backup Proxies can do. Flexibility, and the freedom to choose which type of component to use with Veeam Backup & Replication, drives the further Linux-related enhancements. Let’s dive in and uncover those Linux-related enhancements in our flagship product.
New Linux backup proxy modes
In Veeam Backup & Replication v10, we introduced the Linux backup proxy with virtual appliance mode (HotAdd). In the wizard, the virtual appliance mode is automatically selected and the button to choose a different transport mode is greyed out.
In V11, we expanded the possible choices for the transport mode when using a Linux backup proxy to match the choices you have with a backup proxy running Windows. The only exception is that you cannot leverage backup from storage snapshots when using the NFS protocol.
When you configure backup proxy settings, you can manually select a transport mode, or let Veeam Backup & Replication select the most appropriate mode automatically. If you use automatic mode selection, Veeam Backup & Replication will scan the backup proxy’s configuration and its connection to the deployed infrastructure to choose the optimal transport mode.
In case multiple transport modes are available for the same backup proxy, Veeam Backup & Replication will choose the transport mode in the following order:
- Direct storage access
- Virtual appliance
- Network
The virtual appliance (HotAdd) transport mode was also improved to bring its performance more in line with the Windows backup proxy, which has been available for many years. Performance was increased by adding asynchronous read support and leveraging the Veeam advanced data fetcher.
Other Linux-related enhancements in Veeam Backup & Replication v11 include file-level restore without a helper appliance and the deployment of a persistent Linux data mover. All these enhancements were done with security top of mind!
Linux file-level restore
Being able to do file-level restores without having to deploy a helper appliance gives a speed increase, flexibility and freedom of choice. In the past, you were required to run a VMware vSphere or Microsoft Hyper-V host to be able to deploy the helper appliance for a file-level restore on Linux. Deploying a helper appliance could add complexity and raise security concerns, since it means deploying a third-party appliance in your infrastructure.
To overcome these challenges, Linux FLR in V11 can mount backups to any Linux machine: a dedicated one, the original machine or the target machine. The original machine is of course guaranteed to “understand” the file system you’re restoring from. The best part is that restores now run 50% faster compared to the V10 file-level recovery appliance! Most will likely use a dedicated machine for this task. That lets you increase security, fit the machine into your present network easily and enforce patching and hardening through the processes already in place.
The temporary Veeam helper appliance will still be available and remains a viable option, especially when you’re restoring from a backup that is a few years old and you have already upgraded your production environment to newer OS versions and file systems. The default template for the helper appliance is also updated with a faster network interface card and SCSI controller, raising restore speeds by up to 50%.
Persistent Linux data mover
In the past, we pushed the Veeam data mover process to the Linux repository on demand and then started the task at hand. Pushing the data mover on the fly every time posed a security risk, because it required root access, a running SSH server, and root credentials stored on the Veeam Backup & Replication server.
To remove this security risk, in V11 the data mover process is deployed persistently. After installation, the data mover auto-starts at system start-up and immediately drops its privileges to the limited user from the credential set it was deployed with. As a result, the data mover cannot be used as a stepping stone to take over the operating system.
Certificates in a public key infrastructure (PKI) are then used for further authentication and authorization between the Veeam backup server and the data mover, using a key pair that is auto-generated at the initial deployment of the data mover. All of our SSH usage outside of deployment time has been moved into the data mover itself, so SSH can potentially be disabled completely.
These changes mean that for Linux repositories, SSH and root credentials are required only at deploy and upgrade time. A new single-use credentials option allows users to register a new Linux server without saving any of the credentials in the backup server’s credentials manager.
All other Linux-based Veeam components, except the Hardened Repository, still require saved credentials with a root password for now. Furthermore, automatic component updates are not possible for Linux servers added with single-use credentials; you will need to run the upgrade wizard and specify credentials manually.
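The two properties described above (the persistent data mover runs as a limited user, and SSH is only needed at deploy and upgrade time) are things a repository owner can verify on the host. The following audit script is an added example, not Veeam's own tooling; the data mover process-name pattern and the SSH port are assumptions, and the checks take command output as input so they can be exercised with constructed data.

```shell
#!/bin/sh
# Added example (not Veeam's code): audit a Linux repository host for the V11
# posture: the persistent data mover runs as a non-root user, and no SSH
# listener is present outside deploy/upgrade windows.
# Assumptions: the data mover's process name contains DATAMOVER_PATTERN, and
# SSH listens on SSH_PORT. Override both via the environment if needed.

DATAMOVER_PATTERN="${DATAMOVER_PATTERN:-veeam}"   # assumed process-name substring
SSH_PORT="${SSH_PORT:-22}"                        # assumed SSH listening port

# Succeeds (exit 0) only if at least one process matching the pattern exists
# and none of them runs as root.  $1 = output of: ps -eo user=,comm=
datamover_nonroot() {
  printf '%s\n' "$1" | awk -v pat="$DATAMOVER_PATTERN" '
    index($2, pat) { found = 1; if ($1 == "root") bad = 1 }
    END { exit (found && !bad) ? 0 : 1 }'
}

# Succeeds (exit 0) only if no TCP listener on the SSH port appears in the
# socket listing.  $1 = output of: ss -Hltn  (local address is column 4)
no_ssh_listener() {
  printf '%s\n' "$1" | awk -v port="$SSH_PORT" '
    $4 ~ (":" port "$") { found = 1 }
    END { exit found ? 1 : 0 }'
}

# Runs both checks against the live host; returns non-zero on any finding.
audit_host() {
  rc=0
  if datamover_nonroot "$(ps -eo user=,comm=)"; then
    echo "OK   data mover runs as a non-root user"
  else
    echo "FAIL data mover not found or running as root"; rc=1
  fi
  if no_ssh_listener "$(ss -Hltn 2>/dev/null)"; then
    echo "OK   no SSH listener on port $SSH_PORT"
  else
    echo "WARN SSH listener on port $SSH_PORT (expected only at deploy/upgrade)"; rc=1
  fi
  return $rc
}

# Run the live audit only when invoked with --run, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Invoke as `sh audit_repo.sh --run` on the repository host; a WARN on the SSH check is expected while a deployment or upgrade is in progress.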
Hardened Repository
All these security-related changes to Linux-based Veeam components cleared the way for another major security feature: the Veeam Hardened Repository. A hardened Linux backup repository is a backup repository with an option to switch on immutability.
Immutability protects your data against a rogue backup administrator, a malicious attacker who has gained full control of the Veeam Backup & Replication server, or ransomware trying to encrypt the backup data. It locks the backup files for a set period by temporarily prohibiting deletion of the data during the immutability window set by the organization.
For more insights into what the new Veeam Hardened Linux Repository feature can bring, read the “V11: Immutable primary backup storage with a hardware-agnostic touch” blog by Michael Cade.
Conclusion
With all the “tender loving care” put into Linux-based components and features, you now have the choice to separate the control plane (Windows) from the data plane (Linux) in your infrastructure: run the Veeam Backup & Replication server (control) on Microsoft Windows and the proxies and repositories (data) on Linux.