How Can We Help?
NetApp – How to move a SnapLock Volume in ONTAP 9
This procedure explains how to move a SnapLock volume in ONTAP 9.10.1 and later. The steps provided are a consolidation of the process in the NetApp KB article How to move a SnapLock Volume in ONTAP 9.
Requirements
Starting in ONTAP 9.8, SnapLock volumes can be moved using the volume move command with certain restrictions:
- A SnapLock security administrator account needs to be created if it does not already exist.
- You must create a SnapLock-protected audit log before performing a SnapLock volume move.
Nomenclature
For this procedure, the following nomenclature is used. Please modify accordingly for your environment.
- The
cluster1prompt indicates the name of the cluster - The
svm1prompt indicates the name of the data SVM - The
aggr1prompt indicates the name of the aggregate - The ‘SnapLockAdmin’ prompt indicates the name of the SnapLock administrator account
Create a SnapLock security administrator account
You must have SnapLock security administrator privileges to perform a SnapLock volume move. This privilege is granted to you with the snaplock role, introduced in ONTAP 9.8. If you have not already been assigned that role, you can ask your cluster administrator to create a SnapLock security user with this SnapLock security role.
Step
- Via SSH, log into the cluster with an account that has cluster administration permission
- Create an SVM administrator account on the cluster vserver with the SnapLock administrator role:
cluster1::> security login create -vserver cluster1 -user-or-group-name SnapLockAdmin -application ssh -authmethod password -role snaplock
Create a SnapLock audit log
A NetApp SnapLock audit log is a non-erasable record of all administrative activities performed on a SnapLock-protected volume, including the creation of administrators, privileged delete operations, and Legal Hold placements. It is a separate SnapLock-protected volume that is required to track and prove compliance with data retention policies by providing a tamper-proof audit trail of all privileged actions.
What it records
- SnapLock administrator activity: Creation and deletion of accounts with privileged access.
- Privileged operations: Actions such as privileged delete, which allow a file to be deleted before its retention period expires.
- Legal holds: The placement of a Legal Hold on files or volumes.
- Configuration changes: Modifications to the audit log volume itself.
- SnapLock volume moves: Operations to move the protected volume
If an audit log has not already been created, use the steps below to create it
Steps
- Create a volume on the SVM that contains the SnapLock volumes
cluster1::> volume create -vserver svm1 -volume snaplock_audit_log -aggregate aggr1 -snaplock-type compliance -size 5T - Set the SnapLock retention time (auto commit, minimum, and maximum)
cluster1::> volume snaplock modify -vserver svm1 -volume snaplock_audit_log -autocommit-period 5 minutes -minimum-retention-period 1 years -maximum-retention-period 2 years - Configure the SVM for audit logging
cluster1::> snaplock log create -vserver svm1 -volume snaplock_audit_log -max-log-size 100GB -default-retention-period 1 years - On the SVM that you configured for audit logging, you must mount the SnapLock volume at the junction path
/snaplock_audit_log
cluster1::> volume mount -vserver svm1 -volume snaplock_audit_log -junction-path /snaplock_audit_log
Move a SnapLock volume
Now that the above has been completed, you can start the volume moves.
Steps
- Using SSH, log in to the cluster using the SnapLock administration account that you created
ssh SnapLockAdmin@cluster1 - Move a SnapLock volume
volume move start -vserver svm1 -volume <SnapLock_volume_name> -destination-aggregate <destination_aggregate_name>NOTE: If the original SnapLock volume is not using any of the NetApp software-based encryption methods (NVE or NAE) and the destination aggregate is using NAE, add the
-encrypt-with-aggr-key trueoption to thevolume movecommand - Check the status of the volume move operation
volume move show -volume <SnapLock_volume_name> -vserver svm1 -fields volume,phase,vserver,percent-complete,estimated-completion-time