Backup Warning: "repository time shift detected, immutability flag cannot be set."
Challenge
A Backup or Backup Copy job using an Immutable Hardened Linux Repository displays the warning:
A problem occurred during setting the immutable flag: repository time shift detected, immutability flag cannot be set. Please refer to KB4482 for more details
Cause
This warning is displayed when a time shift has been detected within the Linux OS of the Hardened Linux Repository.
Timeshift detection was implemented to prevent the restore point immutability state from being manipulated. However, this system could also be triggered by user-caused timeshifts such as:
- Intentional changes to the system time by an administrator.
- Powering off the Linux machine for an extended time.
- Stopping the VeeamTransport service, which is used to track the time.
- Adding a Hardened Linux Repository that was previously used and already has a timeLog file present.
Explanation
When the immutable service starts on the Linux machine backing the Hardened Repository, a timeLog file is created in the directory /etc/veeam/immureposvc/. Every 10 minutes, the current UTC time (systemTime) and HW time (hwTime) are written to the timeLog file. Each time timeLog is updated, the difference between the current and previous value is calculated and added to a parameter named moveTime. This allows the software to detect if a time shift has occurred. If the moveTime value exceeds 86400 seconds (24 hours), an immutable file named retainLock is created containing information about the changed time. The presence of the retainLock file blocks the immutable service from changing the immutability state of backup files, both existing and new.
Solution
After confirming that the timeshift was expected and that the current time is correct, the retainLock can be removed manually to allow the software to return to updating the immutable status of backup data.
reatinLock Removal Procedure
- Stop and disable all jobs that use the immutable repository.
Note: This step can be skipped; however, backup files that are being written will not gain immutability until the next time they run, after the new timeLog is created. - Use the following commands to disable immutability on the file and then delete the retainLock file:
- After deleting the retainLock file, the immutability status will not be assigned to files until a new timeLog is created by the VeeamTransport service. The VeeamTransport service will create a new timeLog when it starts or after 8 minutes. You may choose to either force the VeeamTransport service to restart or wait up to 8 minutes.
Note: Restarting the VeeamTransport service may interrupt any running job using the repository. If you could not stop active jobs or chose not to, you are advised to wait until a new timeLog file is created before starting new jobs.
- Enable any jobs that were disabled in Step 1.
More Information
Advanced Configuration
The TimeShift detection feature is configurable by creating the file /etc/veeam/immureposvc/config and setting parameters as desired.
The config file must be created with permissions 600 and belong to the root user.
Available Parameters:
- disableCheck - parameter responsible for the general enabling or disabling of the functionality.
- checkHwTime - controls whether the HW time is checked. Some systems may not have this clock.
- maxDeltaValueInSec - determines the value of shifted time after which the retention is blocked.
Example config file formatting with default settings:
<TimeDefenderConfig disableCheck="0" checkHwTime="1" maxDeltaValueInSec="86400" />
After creating or modifying the config file, the veeamtransport service must be restarted.
Note: The config file overrides the hardcoded defaults; if it is not present or not configured as documented, the defaults will be used.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.