Solved

Linux Media Agent or Windows Media agent

  • 28 October 2021
  • 6 replies
  • 148 views

Userlevel 2
Badge +8

Hi Team,

Is it recommended to use Linux Media agents instead of Windows media agent from ransomware protection and security perspective ?

Can we convert existing windows media agents to Linux easily ? If yes , what is the procedure .

We are using UNC sharing(double slashes or backslashes) of mount paths between windows media agents , How can we achieve such sharing of mount paths in case on Linux media agents ?

Regards, Mohit

icon

Best answer by jgeorges 1 November 2021, 22:26

View original

6 replies

Userlevel 7
Badge +23

One thing to consider for now (in 11.25) is that we automatically apply Ransomware Protection to all Windows Media Agents with Mount Paths:

https://documentation.commvault.com/11.25/essential/142279_enabling_ransomware_protection_on_mediaagent.html

However, we can do it via a script for Linux:

https://documentation.commvault.com/11.25/expert/122761_ransomware_protection_for_disk_libraries_on_linux_mediaagent.html

As for moving mount paths, you can move from Windows to Linux if you decide:

https://documentation.commvault.com/11.25/expert/9303_moving_mount_path_support.html

This should cover all of your concerns, though let me know if it doesn’t!

Userlevel 2
Badge +8

@Mike Struening

Thank you . 

I understand that Move mount path is not supported from Windows to Linux and vice versa .

But one ques is still not answered , how UNC path sharing between media agents is handled in Linux media agents ?

 

Also , can i have both Linux as well as Windows media agent configured in one library ?

Userlevel 4
Badge +7

I would recommend we take a step by into why we’re asking this question.

Ransomware Protection is supported for both Linux and Windows MAs.  I would suggest going with whatever OS you’re more comfortable administering and, especially, securing.  We can protect the mount paths on both, but if the servers themselves are not secured well you have larger issues.

Thanks,
Scott
 

Userlevel 2
Badge +8

@Mike Struening and @Scott Moseman 

So we can not perform move mount path from Windows media agent to Linux ?

We have to wait for existing data on windows media agent to expire and then remove it from library before adding Linux MAs .

Do you have answers for below ques :

  1. We are using UNC sharing(double slashes or backslashes) of mount paths between windows media agents , How can we achieve such sharing of mount paths in case on Linux media agents ?
  1. can i have both Linux as well as Windows media agent configured in one library ?

 

 

Userlevel 7
Badge +23

As long as the OS sees the Mount Path on the hosting server, sharing mount paths in the GUI is easy.

You can share between Linux and Windows as well, just be sure to enable Ransomware protection on BOTH Media Agents.

Here’s the instructions for sharing:

https://documentation.commvault.com/11.24/expert/9391_sharing_mount_path_using_dataserver_ip.html

Userlevel 5
Badge +7

@Mohit Chordia 
Move mount path is supported between OS as of more recent Service Packs.
However, you cannot move from CIFS to NFS.
Local Drive to NFS and vice versa is no issues.
 


However as yours using CIFS there is no need to move mountpaths, as the storage is not contained within 1 server. 

 

  1. You can discuss with your storage vendor, depending who and how the storage is presented as CIFS and may be able to mount as NFS. Otherwise you can leverage something like Samba to ‘translate’ CIFS shares as NFS shares from the Linux side.
  2. I think i’ve answered this as per above, but if you have 1 CIFS share and both Linux and Windows MA’s can access than you’ve got a shared library between both Operating Systems.
    You can also use DataServerIP, which will leverage the Commvault services to move data between Operating Systems. There is a slight performance cost, but much easier to implement.
    https://documentation.commvault.com/11.24/expert/9391_sharing_mount_path_using_dataserver_ip.html


I’ll also note that its important to understand how Ransomware Protection works within Commvault,. By running a filter driver at the OS of the machine hosting the mountpath (like Antivirus) we can inspect all processes accessing those shared mountpaths and stop those that should not be in there. If it is local disk, this works very well.

With CIFS however, if anything outside of the Media Agent has access, assuming that its presented from the network, we cannot protect the storage from outside of the Media Agent OS. You can limit access by restricted permissions however modern ransomware easily gets around this.
For this reason, its important that if you are using CIFs, that the storage network is isolated or at least not sitting on your production network and you implement any hardening you can.

 

Cheers,
Jase

Reply