Data protection is a service designed to back up and restore the instances data, by taking regular backups and storing them in the backup storage. Unlike infrastructure protection, this service relies on the agent - a component installed inside of the instance, that can read and stream instance data to be stored in a backup, as well as perform data restore operations.
The service supports a number of backup data types and methods, and ability to manage data protection via CLI/API and via the portal UI. Currently, portal UI supports protection of files only. To protect any other data (such as databases or application data), it may to be converted to file format first (for example by making a local backup), before it can be included into a data protection backup, or by leveraging CLI/API of the service (see the section below).
The service consist of the following components:
Freezer-scheduler runs as a system service on the instance where it is installed. You can check status of the service in your instances by running a command:
Linux:
systemctl status freezer-scheduler
Windows:
nssm status FreezerScheduler
The instance components interact with the platform API services, and those services that require authentication. As a result, the instances that have data protection software installed also store authentication credentials in the configuration files - /etc/freezer/env.rc on Linux, and C:\freezer\env.bat on Windows.
Proper credentials are supplied automatically by the platform upon the data protection agent deployment. Normally you don't need to manually manage those credentials. However, in case you update the credentials (see Credentials update below), you will need to modify the credentials stored in the existing instances (newly created instances will get new credentials).
Every data protection task is initiated from within the instance. Even if the task is created outside of the instance (like a backup or a restore task created from the Portal), the actual task is executed from the inside, after freezer-agent pulls the task details from the data protection API.
That means that data protection software does not need any incoming network connections, and does not need any inbound ports opened in the security groups for the data protection agent to operate. However, it does need to have outbound connections allowed to the platform API endpoints (you can find list of IPs and ports in the "API Docs" section of the portal).
Typically, security groups (including the default security group created for every new account) have outgoing connections allowed without restrictions. However, if you change this and still need to have data protection software operational, make sure you add those exceptions in your security group rules, allowing outgoing connections to the IP address(es) and the ports of API endpoints, listed under "API docs" -> "Api endpoints" section of the Portal.
To create a periodic backup task, you need to create a protection plan. A protection plan includes:
To create a new protection plan, do the following:
Only the instances that have data protection agent installed show in the list. You can see the status of the data protection agent on the instance management page - "Details" -> "Hardware and software" section -> "Data protection agent status".
To initiate a data restore, navigate to the required backup first (via "Data Protection" -> "Backups"). Then, select the backup action menu and chose "Restore". Then, select the target instance (it must have the data protection agent installed) and specify target folder (which must be empty before the restore), and click "restore".
Once the task is picked up by the platform, you will be able to find it in the "View restores" action menu. To see actual restore status, log in to the instance and check out the data protection agent logs (/var/log/freezer-agent.log on Linux, C:\freezer\freezer.log on Windows.
Data protection credentials are individual for your account, and stored in every instance that has data protection installed. They are separate and less permissive than your normal account access credentials. Normally you don't need to modify those credentials. However, if you suspect those credentials are compromised and want to update them, you can do the following:
As mentioned previously, data protection credentials are individual for your account. For this reason, the same credentials will be used on all of your projects. When you have multiple projects and create data protection credentials, these credentials will be stored on all of your projects. However, if you create a new project after creating the credentials, you will need to update the credentials again for this project. Don't worry this won't create new credentials, it will get the credentials from the other projects so that all projects have the same credentials. To do this in a new project, follow these steps:
For project invitation, only roles with data protection can use the data protection feature. However, even roles with this feature won't be able to see or generate your data protection credentials. If they want to use data protection features but the project they're invited to hasn't enabled freezer (by generating the credentials) they will need to ask the project owner to generate the credentials so that they can use the freezer features.
The Portal UI only implements limited set of scenarios supported by the data protection agent software, namely:
You can create more advanced configurations more suitable for your applications by leveraging command line tools directly from within the instances where they are installed. For details on the usage, refer to the community supported documentation at https://docs.openstack.org/freezer/latest/user/index.html