Testing Tamperproof Snapshots (TPS)

An example of testing Tamperproof Snapshots (TPS).

Retentions are 2 hours for production (cluster1) and DR (cluster2), and 3 days for vault (cluster3).

 

cluster1::> snapshot policy create -policy 24x5minTP -schedule1 5min -count1 24 -snapmirror-label1 5minTP -retention-period1 2 hours -schedule2 hourly -count2 2 -snapmirror-label2 hourlyTP -retention-period2 2 hours -enabled true

cluster1::> volume create -volume tpsTest001 -snapshot-locking-enabled true -snapshot-policy 24x5minTP -vserver svm1 -aggregate cluster1_01

 

cluster2::> snapshot policy create -policy 24x5minTP -schedule1 5min -count1 24 -snapmirror-label1 5minTP -retention-period1 2 hours -schedule2 hourly -count2 2 -snapmirror-label2 hourlyTP -retention-period2 2 hours -enabled true

cluster2::> volume create -volume tpsTest001 -snapshot-locking-enabled true -vserver svm2 -aggregate cluster2_01 -type DP

cluster2::> snapmirror create -source-path svm1:tpsTest001 -destination-path svm2:tpsTest001 -policy MirrorAllSnapshots -schedule 5min

cluster2::> snapmirror initialize -destination-path svm2:tpsTest001

 

cluster3::> snapmirror policy create -policy 3daysVaultTP -type mirror-vault -vserver cluster3

cluster3::> snapmirror policy add-rule -policy 3daysVaultTP -snapmirror-label hourlyTP -keep 36 -retention-period 3 days -vserver cluster3

cluster3::> volume create -volume tpsTest001 -snapshot-locking-enabled true -vserver svm3 -aggregate cluster3_01 -type DP

cluster3::> snapmirror create -source-path svm1:tpsTest001 -destination-path svm3:tpsTest001 -policy 3daysVaultTP -schedule hourly

cluster3::> snapmirror initialize -destination-path svm3:tpsTest001

 

Here we try to delete one of the SnapVault snapshots before the snaplock-expiry-time and get the expected error:

 

cluster3::> volume snapshot show -vserver svm3 -volume tpsTest001 -fields snaplock-expiry-time

vserver volume     snapshot               snaplock-expiry-time
------- ---------- ---------------------- -------------------------
svm3    tpsTest001 hourly.2025-01-19_2005 2/23/2025 20:05:00 +00:00
svm3    tpsTest001 hourly.2025-01-19_2105 2/23/2025 21:05:01 +00:00
svm3    tpsTest001 hourly.2025-01-19_2205 2/23/2025 22:05:00 +00:00
svm3    tpsTest001 hourly.2025-01-19_2305 2/23/2025 23:05:00 +00:00
svm3    tpsTest001 hourly.2025-01-20_0005 2/24/2025 00:05:00 +00:00
svm3    tpsTest001 hourly.2025-01-20_0105 2/24/2025 01:05:00 +00:00
svm3    tpsTest001 hourly.2025-01-20_0205 2/24/2025 02:05:02 +00:00
svm3    tpsTest001 hourly.2025-01-20_0305 2/24/2025 03:05:01 +00:00
svm3    tpsTest001 hourly.2025-01-20_0405 2/24/2025 04:05:01 +00:00
svm3    tpsTest001 hourly.2025-01-20_0505 2/24/2025 05:05:00 +00:00
svm3    tpsTest001 hourly.2025-01-20_0605 2/24/2025 06:05:01 +00:00
svm3    tpsTest001 hourly.2025-01-20_0705 2/24/2025 07:05:01 +00:00
svm3    tpsTest001 hourly.2025-01-20_0805 2/24/2025 08:05:01 +00:00
svm3    tpsTest001 snapmirror.10836302-ca9d-11ee-a6c4-005056b05cf5_2150272463.2025-01-20_080500
                                          -
svm3    tpsTest001 hourly.2025-01-20_0905 2/24/2025 09:05:00 +00:00
svm3    tpsTest001 snapmirror.10836302-ca9d-11ee-a6c4-005056b05cf5_2150272463.2025-01-20_090500

 

cluster3::> date

Node      Date                     Time zone
--------- ------------------------ -------------------------
cluster3-01
          Mon Jan 20 09:15:16 2025 Etc/UTC

 

cluster3::> volume snapshot delete -vserver  svm3 -volume tpsTest001 -snapshot hourly.2025-01-20_0305

 

Warning: Deleting a Snapshot copy permanently removes data that is stored only in that Snapshot copy. Are you sure you want to delete Snapshot copy "hourly.2025-01-20_0305" for volume "tpsTest001" in Vserver "svm3" ? {y|n}: y

 

Error: command failed: Failed to delete Snapshot copy "hourly.2025-01-20_0305" of volume "tpsTest001" on Vserver "svm3". Reason: Illegal operation on Snapshot locked by SnapLock.
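
To see which snapshots on the vault are still protected at a given moment, the `snaplock-expiry-time` listing above can be parsed and compared with the cluster date. The Python below is an added example, not part of the original post; the function names are hypothetical and the sample rows are constructed in the layout of the output shown above.

```python
from datetime import datetime, timezone

EXPIRY_FMT = "%m/%d/%Y %H:%M:%S %z"  # e.g. 2/24/2025 03:05:01 +00:00

# Constructed sample rows, laid out like the CLI output above.
SAMPLE = """\
vserver volume     snapshot               snaplock-expiry-time
------- ---------- ---------------------- -------------------------
svm3    tpsTest001 hourly.2025-01-20_0305 2/24/2025 03:05:01 +00:00
svm3    tpsTest001 hourly.2025-01-10_0305 1/13/2025 03:05:01 +00:00
svm3    tpsTest001 snapmirror.example-uuid_1234.2025-01-20_080500
                                          -
"""

def parse_expiry(text):
    """Return an aware datetime, or None when the field is '-' (no lock)."""
    text = text.strip()
    return None if text in ("", "-") else datetime.strptime(text, EXPIRY_FMT)

def parse_snapshots(output):
    """Parse the table into [(snapshot, expiry_or_None)], joining wrapped rows."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or "::>" in line or line.startswith(("vserver", "---")):
            continue  # blank line, CLI prompt, or table header
        if line[0].isspace():  # continuation of a row whose name was too long
            if rows:
                rows[-1] = (rows[-1][0], parse_expiry(line))
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue
        rows.append((fields[2], parse_expiry(fields[3]) if len(fields) > 3 else None))
    return rows

def deletable(rows, now):
    """Snapshots with no lock, or whose lock has already expired at `now`."""
    return [name for name, expiry in rows if expiry is None or expiry <= now]

if __name__ == "__main__":
    # Cluster time taken from the `date` output above.
    now = datetime(2025, 1, 20, 9, 15, 16, tzinfo=timezone.utc)
    for name in deletable(parse_snapshots(SAMPLE), now):
        print("not protected:", name)
```

Anything this reports on a vault volume can be removed by an administrator without the SnapLock error shown above, so an unexpected entry is worth checking against the SnapMirror policy rules.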

Q: Enabling Tamperproof Snapshots on a Volume with FabricPool Tiered Data?

If you decide you want to enable Tamperproof Snapshots on a volume with FabricPool tiered data, you will need to:

  1. Modify volume tiering policy to none
  2. Force cloud retrieval or wait for snapshots to age out (if using snapshot-only tiering)
  3. Enable snapshot locking on the volume and configure tamperproof snapshots (once no volume data remains in the cloud tier)

This is the error you get when you try to enable snapshot locking on a volume with tiered data (even if the volume tiering policy is set to none):

cluster1::*> volume modify -vserver svm1 -volume testvol001 -snapshot-locking-enabled true

Warning: Snapshot copy locking is being enabled on volume "testvol001" in Vserver "svm1". It cannot be disabled until all locked Snapshot copies are past their expiry time. A volume with unexpired locked Snapshot copies cannot be deleted.
Do you want to continue? {y|n}: y

Error: command failed: Snapshot copy locking cannot be enabled on volumes with tiering policy other than "none" or on volumes which have data tiered out to an object store.
