Avamar: How to Delete a Backup When Retention Lock (Governance Mode) is Enabled

To delete a backup when retention lock (governance mode) is enabled, these steps must be followed in this specific order.

Step 1 - Avamar:

Log in to the Avamar Utility Node as admin.

Determine the path to the client using the following command:

avmgr getl --path=<domain path to client> | grep -i '<client name>'

Example:

avmgr getl --path=/clients/physical | grep -i 'testclientA'

1  testclientA.company.com      location: d057f520d4f5ab5b26c2b754714c9f21f50255c2      pswd: c1015019cf10175d15984d7cc9c833754f3cff3e

Make note of the location. This is also called the Client ID (CID).

This information is required to find the full path on the Data Domain in later steps.

Step 2 - Avamar:

To delete an entire client, or all backups from a client, go to step 3.

To delete a single backup, multiple (but not all) backups, run the following command to retrieve the list of backups for that Avamar client:

avmgr getb --path=<full path to client> --format=xml

Example:

avmgr getb --path=/clients/physical/testclientA.company.com --format=xml

1  Request succeeded
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<backuplist version="3.0">
  <backuplistrec flags="19922945" labelnum="488" label="1800-phy-file_srv_phy-1576465200020" created="1576466965" roothash="23f00d475c58c8ff95b5f1d298e01a1d4a632f72" totalbytes="4775684341760.00" ispresentbytes="0.00" pidnum="3001" percentnew="1" expires="0" created_prectime="0x1d5b3c104506658" partial="0" retentiontype="daily,weekly" backuptype="Full" ddrindex="1" locked="0" direct_restore="1" tier="0" appconsistent="not_available" sealstate="COMPLETE" imu_locked="false" imu_locked_weeks="0" force_no_imulock="false"/>
  <backuplistrec flags="19922945" labelnum="481" label="1800-phy-file_srv_phy-1575860400016" created="1575862022" roothash="895eae1260310a6e27316d29e8d52fdff562cb76" totalbytes="4779966201856.00" ispresentbytes="0.00" pidnum="3001" percentnew="1" expires="0" created_prectime="0x1d5ae4085e092a0" partial="0" retentiontype="daily,weekly" backuptype="Full" ddrindex="1" locked="0" direct_restore="1" tier="0" appconsistent="not_available" sealstate="COMPLETE" imu_locked="false" imu_locked_weeks="0" force_no_imulock="false"/>
  <backuplistrec flags="24117249" labelnum="474" label="1800-phy-file_srv_phy-1575255600018" created="1575257228" roothash="fadf73cd92ce3d97d4e5223c13255aca49716631" totalbytes="4774015008768.00" ispresentbytes="0.00" pidnum="3001" percentnew="1" expires="0" created_prectime="0x1d5a8c060960b04" partial="0" retentiontype="daily,weekly,monthly" backuptype="Full" ddrindex="1" locked="0" direct_restore="1" tier="0" appconsistent="not_available" sealstate="COMPLETE" imu_locked="false" imu_locked_weeks="0" force_no_imulock="false"/>
  <backuplistrec flags="19922945" labelnum="467" label="1800-phy-file_srv_phy-1574650800019" created="1574652417" roothash="afafe01c88300c5376a4042c4323d066a8c49cc2" totalbytes="4766955470848.00" ispresentbytes="0.00" pidnum="3001" percentnew="1" expires="0" created_prectime="0x1d5a3403120cb82" partial="0" retentiontype="daily,weekly" backuptype="Full" ddrindex="1" locked="0" direct_restore="1" tier="0" appconsistent="not_available" sealstate="COMPLETE" imu_locked="false" imu_locked_weeks="0" force_no_imulock="false"/>
</backuplist>

• • • The value is always seen as "0x" followed by the timestamp (For example "0x1d5a8c060960b04"). 
    • The value following the "0x" is what is required from this output (Which would be "1d5a8c060960b04" in this example). 

Step 3 - Data Domain:

On the Data Domain, log in as sysadmin.

Run the following command to list the mtrees:

mtree list

Example:

mtree list

Name                           Pre-Comp (GiB)   Status
----------------------------   --------------   -------
/data/col1/avamar-1234567890           9080.1   RW/RLGE
/data/col1/backup                         0.0   RW
----------------------------   --------------   -------
 D    : Deleted
 Q    : Quota Defined
 RO   : Read Only
 RW   : Read Write
 RD   : Replication Destination
 IRH  : Retention-Lock Indefinite Retention Hold Enabled
 ARL  : Automatic-Retention-Lock Enabled
 RLGE : Retention-Lock Governance Enabled
 RLGD : Retention-Lock Governance Disabled
 RLCE : Retention-Lock Compliance Enabled
 M    : Mobile
 m    : Migratable

Make note of the Avamar mtree. The mtree name is required for reverting the retention lock later in this procedure.

Step 4 - Avamar:

Verify the Avamar mtree name by running the following command:

avmaint hfscreate 

Sample output:

1234567890

Then prepend the string "/data/col1/avamar-"

In this example, the resulting mtree name is /data/col1/avamar-1234567890, matching the output from step 3.

Step 5 - Data Domain:

• Dell Technologies Avamar Technical Support Team Members:

Refer to the "Internal Notes" section for the next steps.

• All others:

Run the following command to generate a report of all the retention-locked files on the Data Domain:
(This is used to find the clients and backups to be deleted.)

mtree retention-lock report generate retention-details mtrees /data/col1/<avamar-xxxxxxxx> output-file <filename.txt>

(Where the "mtrees" is Avamar mtree determined earlier (in this example: /data/col1/avamar-1234567890)

Example:

mtree retention-lock report generate retention-details mtrees /data/col1/avamar-1234567890 output-file dd_retentionlock.txt

This generates a report with all the locked files.

The output is sent to the /ddvar/log/debug/retention-lock-reports/ directory (or the directory specified when the command is run). 

Use the Client ID (CID) gathered from the step 1 and find the backup path on Data Domain from the output-file generated (in this example dd_retentionlock.txt)

Step 6 - Data Domain:

Once the path is found, run the following command to revert the backup lock (making it possible to be deleted):

mtree retention-lock revert <path to client/backup>

The command prompts for the sysadmin password for the revert process to be completed.

Depending on what is being deleted, the command varies slightly:

If deleting all backups, or a client, the command uses the Client ID (CID) from step 1.

Example:

mtree retention-lock revert /data/col1/avamar-1234567890/cur/d057f520d4f5ab5b26c2b754714c9f21f50255c2

The 'mtree retention-lock revert' command removes retention-lock on this path thereby making it unprotected.
        Are you sure? (yes|no) [no]: yes

ok, proceeding.

Please enter sysadmin password to confirm 'mtree retention-lock revert':

If deleting individual backups, the command consists of both the client ID (CID) from step 1, and the backup ID from step 4 (this must be entered in Upper Case):

Example:

mtree retention-lock revert /data/col1/avamar-1234567890/cur/d057f520d4f5ab5b26c2b754714c9f21f50255c2/1D5A8C060960B04

The 'mtree retention-lock revert' command removes retention-lock on this path thereby making it unprotected.
        Are you sure? (yes|no) [no]: yes

ok, proceeding.

Please enter sysadmin password to confirm 'mtree retention-lock revert':

A separate command must be run for every individual backup being deleted.

For example, to delete two of the backups:

mtree retention-lock revert /data/col1/avamar-1234567890/cur/d057f520d4f5ab5b26c2b754714c9f21f50255c2/1D5A8C060960B04

mtree retention-lock revert /data/col1/avamar-1234567890/cur/d057f520d4f5ab5b26c2b754714c9f21f50255c2/1D5A3403120cB82

Step 7 - Avamar:

Once the revert of the lock is completed, run the following command on the Avamar grid to disable governance mode temporarily:

avmaint config governancemode=false --ava

Step 8 - Avamar (UI, AUI, or MCCLI):

Once governance mode is disabled, the backups or clients can be deleted using the Avamar web Interface (AUI), Management Console (MC UI), or mccli.

Step 9 - Avamar:

After deleting the clients or backups, reenable governance mode on the Avamar grid running the following command:

avmaint config governancemode=true --ava