NetBackup 7.7.2 - BPCD_WHITELIST_PATH will cause NetBackup commands to fail with "file open failed" or "unable to write to progress log" if not configured
Problem
After upgrading to NetBackup 7.7.2 or higher, running NetBackup commands, like bpbackup, fail with Error 12 - "file open failed" or "unable to write to progress log".Bpbackup
bpbackup -w 0 -p Prod_Offline_SQL -s Monthly_Full -h server1 -L "F:\Tapebackup\Log\NB_Monthly_SQL.log" "F:\mssql\backup"
Example Error:
EXIT STATUS 12: file open failed
Bpduplicate
bpduplicate -backupid server1_1479312904 -dstunit AdvancedDisk -L /root/duplication.log
Note that the console output reports a successful duplication and no errors.
Activity monitor job id = 1821
INF - Skipping copy 2 of backup id server1_1479312904, is not required copy 1.
INF - Skipping copy 3 of backup id server1_1479312904, is not required copy 1.
INF - Destination storage unit AdvancedDisk on host nbumaster.labs.veritas.com
INF - Duplicating policy Linux schedule FULL backup id server1_1479312904 copy 1 created on 11/16/2016 08:15:04 on source path @aaaab
INF - Duplicate of backupid server1_1479312904 successful.
INF - Status = successfully duplicated 1 of 1 images .
On viewing the progress log file however, it reveals that it was created but was not populated with any output from the NetBackup command.
ls -al /root/d*
-rw-------. 1 root root 0 Dec 5 16:03 /root/duplication.log
On further investigation, if a review of the Admin log is preformed, the cause of the error becomes obvious.
Admin Log
15:56:38.086 [30828] <8> open_progress_log: cannot open progress file /root/duplication.log on sclr710-07, error = 6000
15:56:38.086 [30828] <8> open_progress_log: Access to /root/duplication.log denied: The provided path is not whitelisted
Error Message
NetBackup Status Code 12 - "file open failed" or "unable to write to progress log"* This error is seen on the console or Job Details
NetBackup Status Code 6000 - "The provided path is not whitelisted"
* This error is seen when viewing the Admin log on the Master
Cause
A new security feature introduced in NetBackup 7.7.2 is the BPCD_WHITELIST_PATH. If left unconfigured, NetBackup will deny access to creating files that are specified outside of the following paths:- NetBackup executable file paths
- Default location for progress log, rename files, etc.
- NetBackup configuration files
- NetBackup logs folder
- NetBackup temp folders
- Operating System Temp folders
Solution
How to view, add or modify the BPCD_WHITELIST_PATH
To view, add or modify the current BPCD_WHITELIST_PATH settings, use the nbgetconfig and the nbsetconfig commands.
Refer to the NetBackup Command Reference Guide for usage details
Viewing the current BPCD_WHITELIST_PATH settings
The easiest way to view the BPCD_WHITELIST_PATH settings is to use the command bpgetconfig.
Unix/Linux - /usr/openv/netbackup/bin/admincmd/bpgetconfig
Windows - C:\Program Files\Veritas\NetBackup\bin\admincmd>bpgetconfig
Use the bpgetconfig command line to display existing “BPCD_WHITELIST_PATH=” entries on a NetBackup system from its local console:
Unconfigured - setting will appear empty
>bpgetconfig BPCD_WHITELIST_PATH
BPCD_WHITELIST_PATH
Configured - paths will appear for previously configured entries
>bpgetconfig BPCD_WHITELIST_PATH
BPCD_WHITELIST_PATH = /root
BPCD_WHITELIST_PATH = /disk
BPCD_WHITELIST_PATH = /var/log
Adding or Editing the BPCD_WHITELIST_PATH settings
Record the entries collected with bpgetconfig before adding or modifying the “BPCD_WHITELIST_PATH=” paths on a server. Whenever modifying the BPCD_WHITE_LIST setting with bpsetconfig, the tool overwrites existing entries and all previous whitelist entries are removed. To add entries, add all previous entries first. Then add each new path to be added. When folders are added to the whitelist, all of the sub-folders are allowed by the whitelist as well. Avoid creating a security issue by specifying a custom directory that does not reside within a sensitive area of the Operating System volume. Use this dedicated location for custom logging or other non-standard NetBackup files.
Note: Wildcard characters in “BPCD_WHITELIST_PATH” are not allowed.
Option #1: From the NetBackup Master server, use bpsetconfig to add the paths
C:\Program Files\Veritas\NetBackup\bin\admincmd\bpsetconfig -h <client_name>
bpsetconfig> BPCD_WHITELIST_PATH=/home/NBuser
bpsetconfig> BPCD_WHITELIST_PATH=/home/shared
bpsetconfig> (<Ctrl> - D) + enter for UNIX
(<Ctrl> - Z) + enter for WINDOWS
Option #2: From the Client, manually add the paths to the registry or bp.conf
Windows:
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config
Create a MULTI-STRING called BPCD_WHITELIST_PATH
- In the right hand area right click > new > multi-string value give it the name BPCD_WHITELIST_PATH
- double click and add on your separate lines for the correct paths you want to use, e.g.:
F:\Tapebackup\Log\NB_DB.log
F:\mssql\backup
UNIX:
vi /usr/openv/netbackup/bp.conf
BPCD_WHITELIST_PATH = /tmp
BPCD_WHITELIST_PATH = /root
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.