Data protection


About data protection

Data protection is a service designed to back up and restore the instances data, by taking regular backups and storing them in the backup storage. Unlike infrastructure protection, this service relies on the agent - a component installed inside of the instance, that can read and stream instance data to be stored in a backup, as well as perform data restore operations.

The service supports a number of backup data types and methods, and ability to manage data protection via CLI/API and via the portal UI. Currently, portal UI supports protection of files only. To protect any other data (such as databases or application data), it may to be converted to file format first (for example by making a local backup), before it can be included into a data protection backup, or by leveraging CLI/API of the service (see the section below).


Data protection service architecture and requirements

Service components

The service consist of the following components:

  • Freezer-agent is installed to every instance that needs to interact with the data protection service. This component is responsible for performing actual backup and restore tasks.
  • Freezer-scheduler is also installed along with freezer-agent. This component is responsible for retrieving and managing data protection tasks from the data protection service, as well as for interacting with freezer-agent.
  • Data protection service API and other API endpoints are used by the freezer-agent and freezer-scheduler to perform tasks that depend on the external components and services - such as hypervisor/volume level backup and restore, backup storage, etc.

Freezer-scheduler runs as a system service on the instance where it is installed. You can check status of the service in your instances by running a command:

Linux:

systemctl status freezer-scheduler

Windows:

nssm status FreezerScheduler

Data protection credentials

The instance components interact with the platform API services, and those services that require authentication. As a result, the instances that have data protection software installed also store authentication credentials in the configuration files - /etc/freezer/env.rc on Linux, and C:\freezer\env.bat on Windows.

Proper credentials are supplied automatically by the platform upon the data protection agent deployment. Normally you don't need to manually manage those credentials. However, in case you update the credentials (see Credentials update below), you will need to modify the credentials stored in the existing instances (newly created instances will get new credentials).

Networking requirements

Every data protection task is initiated from within the instance. Even if the task is created outside of the instance (like a backup or a restore task created from the Portal), the actual task is executed from the inside, after freezer-agent pulls the task details from the data protection API.

That means that data protection software does not need any incoming network connections, and does not need any inbound ports opened in the security groups for the data protection agent to operate. However, it does need to have outbound connections allowed to the platform API endpoints (you can find list of IPs and ports in the "API Docs" section of the portal).

Typically, security groups (including the default security group created for every new account) have outgoing connections allowed without restrictions. However, if you change this and still need to have data protection software operational, make sure you add those exceptions in your security group rules, allowing outgoing connections to the IP address(es) and the ports of API endpoints, listed under "API docs" -> "Api endpoints" section of the Portal.

Managing data protection

Creating and managing data protection plans via Portal

To create a periodic backup task, you need to create a protection plan. A protection plan includes:

  • List of resources (files) protected by the plan.
  • List of instances included in the plan. Same set of files
  • Protection schedule (interval).
  • Backup destination (object storage container name).

To create a new protection plan, do the following:

  • Make sure you have an instance with a data protection agent installed. You can install such agent when creating a new instance by selecting "Install Data Protection Software" checkbox on the instance creation page.
  • Navigate to "Data protection -> Plans" in the left side navigation bar.
  • Click "Create a plan" button.
  • Specify plan parameters - name, interval, backup destination (default option will create a container on the object storage).
  • Specify which files or folders you want to include into the backup plan.
  • Specify which instances the plan applies to.

Only the instances that have data protection agent installed show in the list. You can see the status of the data protection agent on the instance management page - "Details" -> "Hardware and software" section -> "Data protection agent status".

Data restores

To initiate a data restore, navigate to the required backup first (via "Data Protection" -> "Backups"). Then, select the backup action menu and chose "Restore". Then, select the target instance (it must have the data protection agent installed) and specify target folder (which must be empty before the restore), and click "restore".

Once the task is picked up by the platform, you will be able to find it in the "View restores" action menu. To see actual restore status, log in to the instance and check out the data protection agent logs (/var/log/freezer-agent.log on Linux, C:\freezer\freezer.log on Windows.

Credentials update

Data protection credentials are individual for your account, and stored in every instance that has data protection installed. They are separate and less permissive than your normal account access credentials. Normally you don't need to modify those credentials. However, if you suspect those credentials are compromised and want to update them, you can do the following:

  • In the Portal navigation bar, go to the "Data protection" -> "Plans".
  • Click "View credentials" button on top of the page.
  • Click "Regenerate" button and confirm.

Advanced usage (CLI)

The Portal UI only implements limited set of scenarios supported by the data protection agent software, namely:

  • File backup only.
  • Not using file system snapshots (such backups may be unsuitable for databases).
  • Limited scheduler options.
  • Only object storage supported as backup destination.

You can create more advanced configurations more suitable for your applications by leveraging command line tools directly from within the instances where they are installed. For details on the usage, refer to the community supported documentation at https://docs.openstack.org/freezer/latest/user/index.html