PCE Database Backup

This section provides step-by-step instructions for backing up the PCE databases. Before you start, be sure you understand the technical details of the two PCE databases; see About the PCE Databases for information.

NOTE:

The PCE runtime configuration file, runtime_env.yml, is not included in database backups. You must back up this important file separately. See Back Up the PCE Runtime Environment File.

About PCE Database Backup

You use the PCE database command line utility illumio-pce-db-management to back up, migrate, manage failover, and restore the PCE databases.

IMPORTANT:

You must run the PCE database commands as the PCE runtime user ilo-pce

When to Back Up

Follow your organization's backup policies and procedures, including frequency (such as, hourly, daily, or weekly) and retention location (namely, offsite or on a system other than the PCE cluster nodes).

Illumio recommends backing up the PCE databases in the following situations:

  • Before and after a PCE version upgrade
  • After pairing a large number of VENs
  • After updating a large number of workloads (such as, changing workload policy state or applying labels)
  • After provisioning major policy changes
  • After making major changes in your environment that affect workload information (such as, IP address changes)
  • On-demand backups before performing the procedures in this guide

Back Up the Policy Database

Perform these steps to back up all PCE data, such as before upgrading the PCE.

  1. (On an SNC, skip this step.) Before you back up the PCE, determine which data node is running the agent_traffic_redis_server service:

    $ sudo -u ilo-pce illumio-pce-ctl cluster-status

    You see the following output:

    SERVICES (runlevel: 5) NODES (Reachable: 1 of 1)
====================== ===========================
agent_background_worker_service 192.168.33.90
agent_service NOT RUNNING
agent_slony_service 192.168.33.90
agent_traffic_redis_cache 192.168.33.90
agent_traffic_redis_server 192.168.33.90          <=== run the dump command from this node
agent_traffic_service NOT RUNNING
...

  2. On the data node that is running the agent_traffic_redis_server service, run the following command:

    $ sudo -u ilo-pce illumio-pce-db-management dump --file <location-of-db-dump-file>

    In location-of-db-dump-file, enter a file name.

    NOTE:

    On an SNC, run this command on the single node.

  3. After the dump command finishes, copy the backup files to a fault-tolerant storage location.

Back Up the Traffic Database

Perform these steps to back up the traffic database only.

  1. On any data node, run the following command: 

    $ sudo -u ilo-pce illumio-pce-db-management traffic dump --file <path_to_traffic_backup_file.tar.gz>

    In path_to_traffic_backup_file.tar.gz, include the filename extension .tar.gz.

  2. After the command finishes, copy the backup file to a fault-tolerant storage location.

Using pgbackrest for Traffic Data Backups

Instead of using the built-in PCE backup commands, you can use the pgbackrest tool. For example, pgbackrest can be useful if you have dedicated storage for backups, such as NFS network shared storage. If you have a multi-node traffic database, you must use pgbackrest for backups to ensure adequate space and performance.

Hardware Requirements

A shared filesystem such as NFS mount which is mounted on all the PCE nodes is required for pgbackrest to work. Make sure the NFS disk has enough space to store multiple backups.

Enable pgbackrest

To enable pgbackrest on a PCE, add the following lines to runtime_env.yml, then use the pgbackrest versions of the PCE backup and restore commands as shown below.

traffic_datastore_backup_service:
  pgbackrest_enabled: true
  backup_destination_type: filesystem
  backup_root: "/path/to/backups/directory"

Back Up the Traffic Database (pgbackrest)

Use the following command to take a backup of the traffic database cluster:

$ sudo -u ilo-pce  illumio-pce-db-management traffic cluster-backup

List Available Backups (pgbackrest)

Use the following command to get the list of backups available, in the order in which they were taken:

$ sudo -u ilo-pce  illumio-pce-db-management traffic cluster-backup-list

Restore a Backup (pgbackrest)

Use the following commands to restore data from a given backup. For backupLabel, substitute the label of the backup to restore:

$ sudo -u ilo-pce  illumio-pce-ctl set-runlevel 1
$ sudo -u ilo-pce  illumio-pce-db-management traffic cluster-restore --backup-label backupLabel

Back Up the PCE Runtime Environment File

The PCE runtime configuration file, runtime_env.yml, is not included in automatic PCE backups. You must manually back up this file to a secure location.

Store a copy of each node's runtime_env.yml file on a system that is not part of the PCE cluster. By default, the PCE Runtime Environment File is located at the following location on each node:

/etc/illumio-pce/runtime_env.yml

If the file is not found there, it has been moved to a custom location. To find the file, check the ILLUMIO_RUNTIME_ENV environment variable.

IMPORTANT:

The runtime_env.yml file contains sensitive information that should be kept secret, such as encryption keys. Take steps to ensure the confidentiality of this file.