Veeam Support Knowledge Base
Backup Warning: "repository time shift detected, immutability flag cannot be set."

Backup Warning: "repository time shift detected, immutability flag cannot be set."

KB ID:	4482
Product:	Veeam Backup & Replication \| 12.1
Published:	2023-12-05
Last Modified:	2023-12-05

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please try again later.

Challenge

A Backup or Backup Copy job using an Immutable Hardened Linux Repository displays the warning:

A problem occurred during setting the immutable flag: repository time shift detected, immutability flag cannot be set. Please refer to KB4482 for more details

Cause

This warning is displayed when a time shift has been detected within the Linux OS of the Hardened Linux Repository.

Timeshift detection was implemented to prevent the restore point immutability state from being manipulated. However, this system could also be triggered by user-caused timeshifts such as:

Intentional changes to the system time by an administrator.
Powering off the Linux machine for an extended time.
Stopping the VeeamTransport service, which is used to track the time.
Adding a Hardened Linux Repository that was previously used and already has a timeLog file present.

Explanation
When the immutable service starts on the Linux machine backing the Hardened Repository, a timeLog file is created in the directory /etc/veeam/immureposvc/. Every 10 minutes, the current UTC time (systemTime) and HW time (hwTime) are written to the timeLog file. Each time timeLog is updated, the difference between the current and previous value is calculated and added to a parameter named moveTime. This allows the software to detect if a time shift has occurred. If the moveTime value exceeds 86400 seconds (24 hours), an immutable file named retainLock is created containing information about the changed time. The presence of the retainLock file blocks the immutable service from changing the immutability state of backup files, both existing and new.

Solution

Procedure Requires Root Privileges

To complete the procedure documented below, root privileges are required, either through direct use of the root account or privilege elevation using an account with sudo rights.

After confirming that the timeshift was expected and that the current time is correct, the retainLock can be removed manually to allow the software to return to updating the immutable status of backup data.

retainLock Removal Procedure

Stop and disable all jobs that use the immutable repository.
^{Note: This step can be skipped; however, backup files that are being written will not gain immutability until the next time they run, after the new timeLog is created.}
Use the following commands to disable immutability on the file and then delete the retainLock file:

#remove the immutable state from retainLock file
sudo chattr -i /etc/veeam/immureposvc/retainLock
#remove the retainLock file
sudo rm /etc/veeam/immureposvc/retainLock
                
            

After deleting the retainLock file, the immutability status will not be assigned to files until a new timeLog is created by the VeeamTransport service. The VeeamTransport service will create a new timeLog when it starts or after 8 minutes. You may choose to either force the VeeamTransport service to restart or wait up to 8 minutes.

Note: Restarting the VeeamTransport service may interrupt any running job using the repository. If you could not stop active jobs or chose not to, you are advised to wait until a new timeLog file is created before starting new jobs.

sudo service veeamtransport restart

Enable any jobs that were disabled in Step 1.

More Information

Advanced Configuration

The TimeShift detection feature is configurable by creating the file /etc/veeam/immureposvc/config and setting parameters as desired.

The config file must be created with permissions 600 and belong to the root user.

Available Parameters:

disableCheck - parameter responsible for the general enabling or disabling of the functionality.
checkHwTime - controls whether the HW time is checked. Some systems may not have this clock.
maxDeltaValueInSec - determines the value of shifted time after which the retention is blocked.

Example config file formatting with default settings:

<TimeDefenderConfig disableCheck="0" checkHwTime="1" maxDeltaValueInSec="86400" />

After creating or modifying the config file, the veeamtransport service must be restarted.

Note: The config file overrides the hardcoded defaults; if it is not present or not configured as documented, the defaults will be used.

If you have any questions or concerns, please create a support case for assistance.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.