Pure Storage – Configuring ObjectEngine Bucket Security

This is a quick post as a reminder for me next time I need to do something with basic S3 bucket security. A little while ago I was testing Pure Storage’s ObjectEngine (OE) device with a number of data protection products. I’ve done a few articles previously on what it looked like from the Cohesity and Commvault perspective, but thought it would be worthwhile to document what I did on the OE side of things.

The first step is to create the bucket in the OE dashboard.

You’ll need to call it something, and there are rules around the naming convention and length of the name.

In this example, I’m creating a bucket for Commvault to use, so I’ve called this one “commvault-test”.

Once the bucket has been created, you should add a security policy to the bucket.

Click on “Add” and you’ll be prompted to get started with the Bucket Policy Editor.

I’m pretty hopeless with this stuff, but fortunately there’s a policy generator on the AWS site you can use.

Once you’ve generated your policy, click on Save and you’ll be good to go. Keep in mind that any user you reference in the policy will need to exist in OE for the policy to work.

Here’s the policy I applied to this particular bucket. The user is commvault, and the bucket name is commvault-test.

{
  "Id": "Policy1563859773493",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1563859751962",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::commvault-test",
      "Principal": {
        "AWS": [
          "arn:aws:iam::0:user/commvault"
        ]
      }
    },
    {
      "Sid": "Stmt1563859771357",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::commvault-test/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::0:user/commvault"
        ]
      }
    }
  ]
}

You can read more about the policy elements here.
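
As an added example (not part of the original post and not Pure Storage tooling), the following Python lints a bucket policy like the one above before it is saved: it checks that both the bucket ARN and the object ARN are covered, that every referenced user is known, and it flags "s3:*" so the grant can be narrowed once the backup product's required actions are known. The function names, finding codes and the known_users set are assumptions made for illustration.

```python
# Added example: lint an S3-style bucket policy before saving it in the editor.
USER_ARN = "arn:aws:iam::0:user/commvault"
POLICY = {  # the policy from the post, embedded so this runs offline
    "Id": "Policy1563859773493",
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1563859751962", "Action": "s3:*", "Effect": "Allow",
         "Resource": "arn:aws:s3:::commvault-test",
         "Principal": {"AWS": [USER_ARN]}},
        {"Sid": "Stmt1563859771357", "Action": "s3:*", "Effect": "Allow",
         "Resource": "arn:aws:s3:::commvault-test/*",
         "Principal": {"AWS": [USER_ARN]}},
    ],
}


def as_list(value):
    """Policy fields may hold a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_users(statement):
    """User names from '...:user/<name>' principal ARNs; '*' means everyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    arns = as_list(principal.get("AWS", []))
    return ["*" if arn == "*" else arn.rsplit("/", 1)[-1] for arn in arns]


def lint_policy(policy, bucket, known_users):
    """Return (sid, code, message) findings for the Allow statements."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings, covered = [], set()
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for user in principal_users(st):
            if user == "*":
                findings.append((sid, "ANY_PRINCIPAL", "allows every principal"))
            elif user not in known_users:
                findings.append((sid, "UNKNOWN_USER", f"user '{user}' does not exist"))
        for action in as_list(st.get("Action", [])):
            if action in ("*", "s3:*"):
                findings.append((sid, "WILDCARD_ACTION", f"'{action}' grants every action"))
        for res in as_list(st.get("Resource", [])):
            if res == bucket_arn:
                covered.add("bucket")
            elif res == bucket_arn + "/*":
                covered.add("objects")
            elif not res.startswith(bucket_arn + "/"):
                findings.append((sid, "FOREIGN_RESOURCE", f"'{res}' is outside {bucket}"))
    for scope in ("bucket", "objects"):
        if scope not in covered:
            findings.append(("<policy>", "MISSING_SCOPE", f"no statement covers the {scope}"))
    return findings


if __name__ == "__main__":
    # known_users is a constructed stand-in for the user list on the device.
    for finding in lint_policy(POLICY, "commvault-test", known_users={"commvault"}):
        print(*finding, sep=" | ")
```

Run against the post's policy with the commvault user present, the only findings are the two wildcard actions; remove the user from known_users and each statement also reports an unknown user, which is the case the post warns will stop the policy from working.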

Random Short Take #20

Here are some links to some random news items and other content that I recently found interesting. You might find them interesting too. Episode 20 – feels like it’s becoming a thing.

  • Scale Computing seems to be having a fair bit of success with their VDI solutions. Here’s a press release about what they did with Harlingen WaterWorks System.
  • I don’t read Corey Quinn’s articles enough, but I am glad I read this one. Regardless of what you think about the enforceability of non-compete agreements (and regardless of where you’re employed), these things have no place in the modern workforce.
  • If you’re getting along to VMworld US this year, I imagine there’s plenty in your schedule already. If you have the time – I recommend getting around to seeing what Cody and Pure Storage are up to. I find Cody to be a great presenter, and Pure have been doing some neat stuff lately.
  • Speaking of VMworld, this article from Tom about packing the little things for conferences in preparation for any eventuality was useful. And if you’re heading to VMworld, be sure to swing past the VMUG booth. There’s a bunch of VMUG stuff happening at VMworld – you can read more about that here.
  • I promise this is pretty much the last bit of news I’ll share regarding VMworld. Anthony from Veeam put up a post about their competition to win a pass to VMworld. If you’re on the fence about going, check it out now (as the competition closes on the 19th August).
  • It wouldn’t be a random short take without some mention of data protection. This article about tiering protection data from George Crump was bang on the money.
  • Backblaze published their quarterly roundup of hard drive stats – you can read more here.
  • This article from Paul on freelancing and side gigs was comprehensive and enlightening. If you’re thinking of taking on some extra work in the hopes of making it your full-time job, or just wanting to earn a little more pin money, it’s worthwhile reading this post.

Brisbane VMUG – September 2019


The September 2019 edition of the Brisbane VMUG meeting will be held on Tuesday 10th September at Fishburners (Level 2, 155 Queen Street, Brisbane City) from 4 – 6pm. It’s sponsored by StorageCraft and promises to be a great afternoon.

Here’s the agenda:

  • VMUG Intro
  • VMware Presentation
  • StorageCraft Presentation
  • Q&A
  • Light refreshments

StorageCraft have gone to great lengths to make sure this will be a fun and informative session and I’m really looking forward to hearing about what they’ve been up to. You can find out more information and register for the event here. I hope to see you there. Also, if you’re interested in sponsoring one of these events, please get in touch with me and I can help make it happen.

Random Short Take #19

Here are some links to some random news items and other content that I recently found interesting. You might find them interesting too. Episode 19 – let’s get tropical! It’s all happening.

  • I seem to link to Alastair’s blog a lot. That’s mainly because he’s writing about things that interest me, like this article on data governance and data protection. Plus he’s a good bloke.
  • Speaking of data protection, Chris M. Evans has been writing some interesting articles lately on things like backup as a service. Having worked in the service provider space for a piece of my career, I wholeheartedly agree that it can be a “leap of faith” on the part of the customer to adopt these kinds of services.
  • This post by Raffaello Poltronieri on VMware’s vRealize Operations session at Tech Field Day 19 makes for good reading.
  • This podcast episode from W. Curtis Preston was well worth the listen. I’m constantly fascinated by the challenges presented to infrastructure in media and entertainment environments, particularly when it comes to data protection.
  • I always enjoy reading Preston’s perspective on data protection challenges, and this article is no exception.
  • This article from Tom Hollingsworth was honest and probably cut too close to the bone with a lot of readers. There are a lot of bad habits that we develop in our jobs, whether we’re coding, running infrastructure, or flipping burgers. The key is to identify those behaviours and work to address them where possible.
  • Over at SimplyGeek.co.uk, Gavin has been posting a number of Ansible-related articles, including this one on automating vSphere VM and ova deployments. A number of folks in the industry talk a tough game when it comes to automation, and it’s nice to see Gavin putting it on wax and setting a great example.
  • The Mark Of Cain have announced a national tour to commemorate the 30th anniversary of their Battlesick album. Unfortunately I may not be in the country when they’re playing in my part of the woods, but if you’re in Australia you can find out more information here.

Druva – In The Cloud, Of The Cloud, Protecting The Cloud

Disclaimer: I recently attended Tech Field Day 19.  My flights, accommodation and other expenses were paid for by Tech Field Day. There is no requirement for me to blog about any of the content presented and I am not compensated in any way for my time at the event.  Some materials presented were discussed under NDA and don’t form part of my blog posts, but could influence future discussions.

 

Druva recently presented at Tech Field Day 19. You can see videos of their presentation here, and download my rough notes from here. Here’s a photo of Jaspreet Singh kicking things off.

 

Let’s Talk About You

What do people want in a backup system?

I’ll tell you what we want. What we really, really want. Less Spice Girls ear worms. And a data protection service. It seems simplistic, but it’s true. A lot of organisations are tired of being IT organisations and they just want to consume services from companies that are IT organisations. That’s not a copout. They want to make money doing the things they’re good at. It’s one of the big reasons public cloud has proven so popular. Druva offers a service, and are positioning themselves as being to backups what Salesforce is to CRM. The key selling point is that they can do data protection simpler, faster, cheaper, and safer. And you get the two big benefits of SaaS:

  • There’s nothing to maintain; and
  • New features are made available immediately.

Am I The Ideal Druva Customer?

Are you a good fit though? If you’re running modern / virtualised workloads, Druva want to talk to you. To wit, if you find yourself in one of these categories you should be okay:

  • “Versatilist” Users;
  • Cloud focus or initiative;
  • Hybrid cloud environment;
  • Distributed workloads, including laptops;
  • SaaS adopter (SFDC, O365, G Suite); and
  • Moving away from legacy Unix and apps.

The more distributed your company is – the better Druva looks.

Who’s not a good fit for Druva though? Enterprises that:

  • Must have an on-premises backup system;
  • Have no desire to leverage cloud; and
  • Want a backup system for legacy OS / apps.

Poor enterprises, missing out again.

 

Challenges Solved by Druva

Curtis knows a bit about data protection, and he’s been around for a while now, so he remembers when not everything was peaches and cream in the data protection world. He talked about the various trends in data protection over the years and used the below table as an anchor point. The gist of it is that a solution such as the one Druva has doesn’t have quite as many challenges as the more “traditional” data protection systems we were using for the last 20 plus years (yes, and longer still, I know).

| ! | $ | ? | Challenges |
|---|---|---|---|
|   | $ | ? | Design, maintain, refresh physical backup server & storage |
| ! | $ | ? | Patch & upgrade backup server OS |
| ! | $ | ? | Patch & upgrade backup server software |
| ! | $ | ? | Manage multiple vendors (server, backup sw, tape, disk) |
| ! |   |   | Tape can be lost or stolen |
|   | $ | ? | Tape requires constant performance tweaking |
|   | $ |   | Tape requires offsite vaulting vendor |
|   | $ |   | Hardware typically bought in advance |
|   | $ | ? | Over-provision compute / storage (growth and variable load) |
|   | $ | ? | Not easy to scale |
|   | $ |   | Unexpected / variable costs |
|   | $ |   | Massive capital expenditures |
| ! |   |   | First large backup |
| ! |   |   | Any large restore |
Every vendor can look good when you take tape out of consideration. It has an awful lot of advantages in terms of capacity and economy, but the execution can often be a real pain. Druva also compete pretty well with the “hyper-converged” backup vendors, although I think they get a bad rap for having a focus on hardware that isn’t necessarily as much of a problem as some people think. The real killer feature for Druva is the cloud-native architecture, and the SaaS story in general.

 

Thoughts and Further Reading

It’s no secret that I’ve been a fan of Curtis for years, so when he moved to Druva I was intrigued and wanted to hear more. But Druva isn’t just Curtis. There are a whole bunch of people at the company who know cloud, and data protection, and have managed to put them together into a solution that makes a lot of sense. And I like what I’ve seen thus far. There’s a really good story here, particularly if you’re all in on cloud, and running relatively modern applications. The heritage in endpoint protection has helped them overcome some obstacles that other vendors haven’t had to deal with yet. They’re also willing to admit that not everything is perfect, particularly when it comes to getting that first large backup done. They also believe that “[w]ithin the limits of physics they can scale to meet the needs of most customers”. You’re not going to be able to achieve RPO 0 and RTO 0 with Druva. But that’s what things like replication are for. What they do offer, however, is an RTO of minutes, not hours. A few other things they don’t do include VM live mount and native support for Azure and GCP.

What Druva do do well is understand that customers have requirements that can be satisfied through the use of protection data. They also understand the real operational value (in terms of resiliency and reduced spend) that can be had with SaaS-based offerings. We all talk a tough game when it comes to buying what we think is the absolute best solution to protect our data, and rightly so. A business’s data is (hopefully) one of its most critical assets, and we should do anything we can to protect it. Druva are as dedicated as the next company to that philosophy, but they’ve also realised that the average business is under constant pressure to reduce costs wherever possible. Now you don’t just get to access the benefits of running your applications in the cloud – you can also get the benefit of protecting them in the cloud too.

Tape was hard to do well, and many of us have horror stories about things going wrong. Cloud can be hard to do well too, and there are plenty of stories of cloud going horribly wrong. Druva isn’t magic, but it does help take away a lot of the complexity that’s been frequently attached to protecting cloud-native workloads.

Brisbane VMUG – August 2019


The August edition of the Brisbane VMUG meeting will be held on Tuesday 20th August at Fishburners from 4 – 6pm. It’s sponsored by Dell EMC and should be a great afternoon.

Here’s the agenda:

  • VMUG Intro
  • VMware Presentation: TBA
  • Dell EMC Presentation: Protecting Your Critical Assets With Dell EMC
  • Q&A
  • Refreshments and drinks.

Dell EMC have gone to great lengths to make sure this will be a fun and informative session and I’m really looking forward to hearing about their data protection portfolio. You can find out more information and register for the event here. I hope to see you there. Also, if you’re interested in sponsoring one of these events, please get in touch with me and I can help make it happen.

Random Short Take #18

Here are some links to some random news items and other content that I recently found interesting. You might find them interesting too. Episode 18 – buckle up kids! It’s all happening.

  • Cohesity added support for Active Directory protection with version 6.3 of the DataPlatform. Matt covered it pretty comprehensively here.
  • Speaking of Cohesity, Alastair wrote this article on getting started with the Cohesity PowerShell Module.
  • In keeping with the data protection theme (hey, it’s what I’m into), here’s a great article from W. Curtis Preston on SaaS data protection, and what you need to consider to not become another cautionary tale on the Internet. Curtis has written a lot about data protection over the years, and you could do a lot worse than reading what he has to say. And that’s not just because he signed a book for me.
  • Did you ever stop and think just how insecure some of the things that you put your money into are? It’s a little scary. Shell are doing some stuff with Cybera to improve things. Read more about that here.
  • I used to work with Vincent, and he’s a super smart guy. I’ve been at him for years to start blogging, and he’s started to put out some articles. He’s very good at taking complex topics and distilling them down to something that’s easy to understand. Here’s his summary of VMware vRealize Automation configuration.
  • Tom’s take on some recent CloudFlare outages makes for good reading.
  • Google Cloud has announced it’s acquiring Elastifile. That part of the business doesn’t seem to be as brutal as the broader Alphabet group when it comes to acquiring and discarding companies, and I’m hoping that the good folks at Elastifile are looked after. You can read more on that here.
  • A lot of people are getting upset with terms like “disaggregated HCI”. Chris Mellor does a bang up job explaining the differences between the various architectures here. It’s my belief that there’s a place for all of this, and assuming that one architecture will suit every situation is a little naive. But what do I know?

Random Short Take #17

Here are some links to some random news items and other content that I recently found interesting. You might find them interesting too. Episode 17 – am I over-sharing? There’s so much I want you to know about.

  • I seem to always be including a link from the Backblaze blog. That’s mainly because they write about things I’m interested in. In this case, they’ve posted an article discussing the differences between availability and durability that I think is worth your time.
  • Speaking of interesting topics, Preston posted an article on NetWorker Pools with Data Domain that’s worth looking at if you’re into that kind of thing.
  • Maintaining the data protection theme, Alastair wrote an interesting article titled “The Best Automation Is One You Don’t Write” (you know, like the best IO is one you don’t need to do?) as part of his work with Cohesity. It’s a good article, and not just because he mentions my name in it.
  • I recently wanted to change the edition of Microsoft Office I was using on my MacBook Pro and couldn’t really work out how to do it. In the end, the answer is simple. Download a Microsoft utility to remove your Office licenses, and then fire up an Office product and it will prompt you to re-enter your information at that point.
  • This is an old article, but it answered my question about validating MD5 checksums on macOS.
  • Excelero have been doing some cool stuff with Imperial College London – you can read more about that here.
  • Oh hey, Flixster Video is closing down. I received this in my inbox recently: “[f]ollowing the announcement by UltraViolet that it will be discontinuing its service on July 31, 2019, we are writing to provide you notice that Flixster Video is planning to shut down its website, applications and operations on October 31, 2019”. It makes sense, obviously, given UltraViolet’s demise, but it still drives me nuts. The ephemeral nature of digital media is why I still have a house full of various sized discs with various kinds of media stored on them. I think the answer is to give yourself over to the streaming lifestyle, and understand that you’ll never “own” media like you used to think you did. But I can’t help but feel like people outside of the US are getting shafted in that scenario.
  • In keeping up with the “random” theme of these posts, it was only last week that I learned that “Television, the Drug of the Nation” from the very excellent album “Hypocrisy Is the Greatest Luxury” by The Disposable Heroes of Hiphoprisy was originally released by Michael Franti and Rono Tse when they were members of The Beatnigs. If you’re unfamiliar with any of this I recommend you check them out.

Cohesity Basics – Configuring An External Target For Cloud Archive

I’ve been working in the lab with Pure Storage’s ObjectEngine and thought it might be nice to document the process to set it up as an external target for use with Cohesity’s Cloud Archive capability. I’ve written in the past about Cloud Tier and Cloud Archive, but in that article I focused more on the Cloud Tier capability. I don’t want to sound too pretentious, but I’ll quote myself from the other article: “With Cloud Archive you can send copies of snapshots up to the cloud to keep as a copy separate to the backup data you might have replicated to a secondary appliance. This is useful if you have some requirement to keep a monthly or six-monthly copy somewhere for compliance reasons.”

I would like to be clear that this process hasn’t been blessed or vetted by Pure Storage or Cohesity. I imagine they are working on delivering a validated solution at some stage, as they have with Veeam and Commvault. So don’t go out and jam this in production and complain to me when Pure or Cohesity tell you it’s wrong.

There are a couple of ways you can configure an external target via the Cohesity UI. In this example, I’ll do it from the dashboard, rather than during the protection job configuration. Click on Protection and select External Target.

You’ll then be presented with the New Target configuration dialogue.

In this example, I’m calling my external target PureOE, and setting its purpose as Archival (as opposed to Tiering).

The Type of target is “S3 Compatible”.

Once you select that, you’ll be asked for a bunch of S3-type information, including Bucket Name and Access Key ID. This assumes you’ve already created the bucket and configured appropriate security on the ObjectEngine side of things.

Enter the required information. I’ve de-selected compression and source side deduplication, as I’m wanting the data reduction to be done by the ObjectEngine. I’ve also disabled encryption, as I’m guessing this will have an impact on the ObjectEngine as well. I need to confirm that with my friends at Pure. I’m using the fully qualified domain name of the ObjectEngine as the endpoint here as well.

Once you click on Register, you’ll be presented with a summary of the configuration.

You’re then right to use this as an external target for Archival parts of protection jobs within your Cohesity environment. Once you’ve run a few protection jobs, you should start to see files within the test bucket on the ObjectEngine. Don’t forget that, as far as I’m aware, it’s still very difficult (impossible?) to remove external targets from the Cohesity Data Platform, so don’t get too carried away with configuring a bunch of different test targets thinking that you can remove them later.

Random Short Take #16

Here are a few links to some random news items and other content that I recently found interesting. You might find them interesting too. Episode 16 – please enjoy these semi-irregular updates.

  • Scale Computing has been doing a bit in the healthcare sector lately – you can read news about that here.
  • This was a nice roundup of the news from Apple’s recent WWDC from Six Colors. Hat tip to Stephen Foskett for the link. Speaking of WWDC news, you may have been wondering what happened to all of your purchased content with the imminent demise of iTunes on macOS. It’s still a little fuzzy, but this article attempts to shed some light on things. Spoiler: you should be okay (for the moment).
  • There’s a great post on the Dropbox Tech Blog from James Cowling discussing the mission versus the system.
  • The more things change, the more they remain the same. For years I had a Windows PC running Media Center and recording TV. I used IceTV as the XMLTV-based program guide provider. I then started to mess about with some HDHomeRun devices and the PC died and I went back to a traditional DVR arrangement. Plex now has DVR capabilities and it has been doing a reasonable job with guide data (and recording in general), but they’ve decided it’s all a bit too hard to curate guides and want users (at least in Australia) to use XMLTV-based guides instead. So I’m back to using IceTV with Plex. They’re offering a free trial at the moment for Plex users, and setup instructions are here. No, I don’t get paid if you click on the links.
  • Speaking of axe-throwing, the Cohesity team in Queensland is organising a social event for Friday 21st June from 2 – 4 pm at Maniax Axe Throwing in Newstead. You can get in contact with Casey if you’d like to register.
  • VeeamON Forum Australia is coming up soon. It will be held at the Hyatt Regency Hotel in Sydney on July 24th and should be a great event. You can find out more information and register for it here. The Vanguards are also planning something cool, so hopefully we’ll see you there.
  • Speaking of Veeam, Anthony Spiteri recently published his longest title in the Virtualization is Life! catalogue – Orchestration Of NSX By Terraform For Cloud Connect Replication With vCloud Director. It’s a great article, and worth checking out.
  • There’s a lot of talk and slideware devoted to digital transformation, and a lot of it is rubbish. But I found this article from Chin-Fah to be particularly insightful.