Version: 2.8

Create object lock enabled manual backup

After the prerequisites are met, you can create object lock enabled backups either manually or on a schedule. Scheduled object lock enabled backups require object lock enabled schedule policies.

Portworx Backup supports object lock for all S3 compliant object stores and lets you configure object lock with a bucket-level locking mechanism to secure the objects placed in a bucket. All objects in a bucket comply with the object lock settings defined for the bucket. Object lock provides the following features to secure your objects:

  • Retention modes:

    • Governance: users cannot overwrite or delete an object version or alter its lock settings unless they have special permissions.

    • Compliance: you cannot overwrite or delete a protected object version even if you are the root user of an AWS account.

  • Retention period: specifies a fixed period of time during which an object remains locked

The protection period is the number of days your backup is protected from ransomware attacks. The protection period determines the retention period.

For an object lock enabled backup, retention period in days = protection period in days + 6 days of buffer.

Prerequisites

  • In the web console of your S3 compliant object store, create a bucket, enable object lock, and set the retention period.

    note

    Object lock enabled backup locations should be configured with a retention period of at least 7 days.

  • For all S3 compliant object stores, enable the following permissions for the IAM role:

    • s3:GetBucketObjectLockConfiguration
    • s3:GetObjectLegalHold
    • s3:GetObjectRetention

    note

    To configure object lock on S3 buckets in any S3 compliant object store, the IAM role needs the following S3 permissions:

    • s3:BypassGovernanceRetention
    • s3:PutBucketObjectLockConfiguration
    • s3:PutObjectLegalHold
    • s3:PutObjectRetention

  • Configure an AWS/S3 cloud account in Portworx Backup.

  • Install the latest version of MinIO that supports object lock.

  • Install or upgrade to Stork version 23.9.1 for object lock.

    Backups to object lock enabled buckets fail with the following error message if the minimum Stork version is not installed:

    object lock retention period is zero for locked backup. Please make sure the Stork version is 2.10 on the application cluster
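
The check below is an added example, not Portworx code: it validates a bucket's object lock settings and an IAM policy against the prerequisites above (retention of at least 7 days, retention = protection + 6 days, and the listed permissions). The sample JSON is constructed and the function names are hypothetical; it assumes the S3 GetObjectLockConfiguration response shape, 365 days per year for retention given in years, and it inspects only Allow statements (Deny, Resource and Condition are ignored).

```python
import json
from fnmatch import fnmatchcase

# Permissions listed on this page for the IAM role.
READ_PERMS = {"s3:GetBucketObjectLockConfiguration", "s3:GetObjectLegalHold",
              "s3:GetObjectRetention"}
CONFIG_PERMS = {"s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration",
                "s3:PutObjectLegalHold", "s3:PutObjectRetention"}
BUFFER_DAYS = 6     # retention = protection + 6 days of buffer (from this page)
MIN_RETENTION = 7   # minimum retention for a backup location (from this page)

# Constructed sample inputs, not taken from a real account.
SAMPLE_LOCK = json.dumps({"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 36}}}})
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:GetBucketObjectLockConfiguration", "s3:GetObject*",
               "s3:PutObjectRetention"]}]})

def check_bucket(lock_json):
    """Return (mode, protection_days, problems) for a lock configuration."""
    cfg = json.loads(lock_json).get("ObjectLockConfiguration", {})
    problems = []
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("object lock is not enabled")
    ret = cfg.get("Rule", {}).get("DefaultRetention", {})
    # Assumption: retention given in Years counts as 365 days per year.
    days = ret.get("Days", 0) + 365 * ret.get("Years", 0)
    if days < MIN_RETENTION:
        problems.append(f"retention is {days} days, need at least {MIN_RETENTION}")
    return ret.get("Mode"), max(days - BUFFER_DAYS, 0), problems

def missing_permissions(policy_json, required):
    """Return required actions that no Allow statement grants (wildcards honoured)."""
    stmts = json.loads(policy_json).get("Statement", [])
    granted = []
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            granted += [actions] if isinstance(actions, str) else actions
    # IAM action names are case-insensitive, so compare in lower case.
    return {r for r in required
            if not any(fnmatchcase(r.lower(), g.lower()) for g in granted)}

if __name__ == "__main__":
    print(check_bucket(SAMPLE_LOCK))
    print(sorted(missing_permissions(SAMPLE_POLICY, READ_PERMS | CONFIG_PERMS)))
```

With the constructed samples, a 36-day COMPLIANCE retention yields a 30-day protection period, and the policy covers the read permissions but lacks three of the four configuration permissions.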

Create object lock enabled manual backup

To configure an object lock enabled manual backup:

  1. From the home page, click the Clusters icon in the left navigation pane.

  2. On the Clusters page, select the cluster that contains the namespace(s) you want to back up.

  3. Navigate to Backups > NS tab.

  4. Select the required namespace(s) and apply label selectors to filter the resources you want to back up.

  5. Click Backup.

  6. In the Create Backup window, specify the following fields. Refer to Create a backup for more information on these fields.

    • Cross Cloud Backup/Restore: you can enable or disable this option

    • Snapshot Class Mapping: facilitates mapping of your storage provisioner with volume snapshot class

      • CSI Provisioner: lists the CSI provisioners associated with the PVCs present in the namespaces selected for the backup

      • Volume snapshot class: lists all the volume snapshot class (vsc) resources along with default vsc

      • Offload CSI snapshots to backup location: offloads the CSI snapshot to the specified backup location

    • Backup type: allows you to choose the type of backup required (manual or scheduled backup)

      • On a schedule: disable this option to create a one-time manual backup

    • Pre-exec rule: select a rule from the drop-down to execute before the backup is created

    • Post-exec rule: select a post rule you want to execute after the backup is created

    • Backup Labels: any labels that you want to add to the backup you are going to create

    • NAMESPACES LIST: lists all the namespaces selected for backup creation

  7. Click Create.

    A secure manual backup is created with a lock icon.

    note

    You cannot delete an object lock enabled backup until the retention period expires.