This blog post describes the setup for an Oracle Database Appliance ODA database backup by RMAN to the Oracle Cloud Infrastructure. Basically there are three destinations for backup and recovery possible:
• Oracle Fast Recovery Area (FRA) disk – the Internal FRA
• Network File System (NFS) location – external FRA
• Oracle Cloud Infrastructure Object Storage – Oracle Object Storage
When using backup to the Oracle Cloud Infrastructure Object Storage, the Oracle Database Backup Cloud Service module (opc_installer.jar) is configured in the background. A configuration can be created by the ODA browser interface or by command line tool odacli – what I prefer. When you have already worked with the Oracle Database Backup Service and the OPC module, the setup will be familiar for you.
Prerequisites
- OCI user with an Authentication Token
- IAM policy for the usage of the Object Storage
- Oracle Database Appliance access to Oracle Cloud Infrastructure Object Storage direct or via proxy
- ODA Object Storage Credentials
- ODA Backup Policy
- ODA Database modify Backup Policy
And finally, execute an RMAN backup.
My Setup
- Oracle Database Appliance X7-2S
- Oracle Database Appliance release 19.13
- Oracle Enterprise Edition database release 19.13
OCI user with an Authentication Token
A user called oda-box-01-backup and a group grp-oda-box-01-backup is created. The group is required later for the IAM policy. In Identity – User – User Details, create an Auth Token. Record the generated token, It will not be shown again.
IAM Policy
We need two policies for the user group to use the Oracle Cloud Infrastructure Object Storage for backup operations.
Allow group grp-oda-box-01-backup to manage objects in compartment <your_compartment_here> where target.bucket.name = '<your_bucket_name_here>' Allow group grp-oda-box-01-backup to read buckets in compartment <your_compartment_here>
Oracle Database Appliance access to Oracle Cloud Infrastructure Object Storage direct or via proxy
Verify the internet connection to the Object Storage endpoints. For example for endpoint in OCI Switzerland:
[root@oda-box-01 ~]# ping swiftobjectstorage.eu-zurich-1.oraclecloud.com PING swiftobjectstorage.eu-zurich-1.oci.oraclecloud.com (134.70.88.3) 56(84) bytes of data. 64 bytes from 134.70.88.3 (134.70.88.3): icmp_seq=1 ttl=57 time=23.9 ms 64 bytes from 134.70.88.3 (134.70.88.3): icmp_seq=2 ttl=57 time=24.3 ms
Oracle Database Appliance Object Storage Credentials
The password is the user Auth Token created above. In this case, we use the region Zurich as target.
[root@oda-box-01 ~]# odacli create-objectstoreswift -e https://swiftobjectstorage.eu-zurich-1.oraclecloud.com/v1 -n ObjectStoreSwift -t <your_namespace_here> -u oda-box-01-backup Enter object store swift password: Retype object store swift password:
Parameters:
- -e: endpoint in format swiftobjectstorage.region.oraclecloud.com/v1
- -n: name for the credential
- -t: Object Storage namespace – attention, take a look in your tenancy details, it can be differ from the tenancy name
- -u: OCI user
Screenshot from the ODA Browser Interface
Oracle Database Appliance Backup Policy
Based on the credential, the backup policy can be created. Here we use the OCI Object Storage backup dboda01-backup.
[root@oda-box-01 ~]# odacli create-backupconfig -n dboda01a_7d_cloud -d Objectstore -w 7 -o a7c0e6a7-2009-450b-9cf2-3c5195715c82 -c dboda01a-backup -cr
Parameters:
- -n: name for the policy
- -d: target Objectstore
- -w: retention time in days
- -o: the credential id – gather it from odacli list-objectstoreswifts
- -c: OCI Object Storage bucket name
- -cr: a RMAN crosscheck is executed
Screenshot from the ODA Browser Interface
Errors:
According the documentation, maximum allowed retention period is 30 days – error when defined to long:
OssRecoveryWindow must be integer and between 1 to 30
Wrong bucket or missing IAM policy:
DCS-10406:failed to connect to "https://swiftobjectstorage.eu-zurich-1.oraclecloud.com/v1/<your_namespace_here>/<your_bucket_here>". Make sure the URL name can be resolved.
Background Information
Here you find the OCI Object Storage configuration from the OPC module:
oracle@oda-box-01:/opt/oracle/dcs/commonstore/objectstore/opc_pfile/2127971840/ [rdbms19_2] cat opc_dboda01a.ora OPC_HOST=https://swiftobjectstorage.eu-zurich-1.oraclecloud.com/v1/<your_namespace_here> OPC_WALLET='LOCATION=file:/opt/oracle/dcs/commonstore/objectstore/wallets/44b6311a-38f0-4e71-b21e-30d47c241be9 CREDENTIAL_ALIAS=alias_opc' OPC_CONTAINER=dboda01a-backup
ODA Database modify Backup Policy
When credentials and the backup policy is set, the policy can be added to the database. As the RMAN backup target is Oracle Cloud Infrastructure, the backup has to be encrypted before upload.
[root@oda-box-01 ~]# odacli modify-database -i c580563c-e4ee-47fc-8240-d6c56e3aa063 -bi 44b6311a-38f0-4e71-b21e-30d47c241be9 -bp Enter RMAN backup encryption password: Retype RMAN backup encryption password:
Parameters:
- -i: database id – gather it from odacli list-databases
- -bi: backup policy id – gather it from odacli list-backupconfigs
- -bp: an encryption password is required
Pain point: If you have a two-location backup strategy with on-prem and cloud, only one policy can be activated per database. In this case, use the ODA for the first selection, and a script or you use my favourite Oracle backup framework: our Trivadis db* backup tool.
Screenshot from the ODA Browser Interface
ODA execute RMAN Backup
This can be done by CLI or ODA browser interface.
[root@oda-box-01 ~]# odacli create-backup -i c580563c-e4ee-47fc-8240-d6c56e3aa063 -bt Regular-L0 -t 2022Feb02_HRLevel0
Parameters:
- -i: database id – gather it from odacli list-databases
- -bt: backup type – {Regular-L0|Regular-L1|Longterm|archivelog}
- -t: tag
Screenshot from the ODA Browser Interface
Verify the available Backup Files in Oracle Cloud Infrastructure Object Storage Bucket
Feature: Create a Database from Object Storage Backup
When you have stored the backup report locally as JSON (Save Backup Report), then you can use this information to create a new Oracle database clone from backup. One of my favourite actions 🙂
Set RMAN decryption password and define parameters for the new database.
Job Details
[root@oda-box-01 log]# odacli describe-job -i ce7233b1-6413-483a-8d1e-614bf2ed5204
Job details
----------------------------------------------------------------
ID: ce7233b1-6413-483a-8d1e-614bf2ed5204
Description: Database service recovery with db name: dboda01c
Status: Success
Created: February 3, 2022 8:19:52 AM GMT
Message:
Task Name Start Time End Time Status
---------------------------------------- ----------------------------------- ----------------------------------- ----------
Check if cluster ware is running February 3, 2022 8:20:02 AM GMT February 3, 2022 8:20:02 AM GMT Success
Creating DbStorage for DbRestore February 3, 2022 8:20:02 AM GMT February 3, 2022 8:20:04 AM GMT Success
Validating DiskSpace for DATA February 3, 2022 8:20:02 AM GMT February 3, 2022 8:20:03 AM GMT Success
Generating SSH key February 3, 2022 8:20:03 AM GMT February 3, 2022 8:20:03 AM GMT Success
SSH key February 3, 2022 8:20:03 AM GMT February 3, 2022 8:20:03 AM GMT Success
SSH key scan February 3, 2022 8:20:03 AM GMT February 3, 2022 8:20:03 AM GMT Success
Audit directory creation February 3, 2022 8:20:04 AM GMT February 3, 2022 8:20:04 AM GMT Success
Restoring Spfile From Casper February 3, 2022 8:20:04 AM GMT February 3, 2022 8:20:29 AM GMT Success
Customize Db Parameters February 3, 2022 8:20:29 AM GMT February 3, 2022 8:20:29 AM GMT Success
Create spfile for restore db February 3, 2022 8:20:30 AM GMT February 3, 2022 8:20:31 AM GMT Success
Deleting FRA February 3, 2022 8:20:31 AM GMT February 3, 2022 8:20:32 AM GMT Success
Restoring control file February 3, 2022 8:20:32 AM GMT February 3, 2022 8:21:13 AM GMT Success
Mounting db February 3, 2022 8:21:13 AM GMT February 3, 2022 8:21:41 AM GMT Success
Validating backup for RestoreDB February 3, 2022 8:21:41 AM GMT February 3, 2022 8:24:07 AM GMT Success
Restoring DB for migration February 3, 2022 8:24:07 AM GMT February 3, 2022 8:26:59 AM GMT Success
Re-Create control file February 3, 2022 8:26:59 AM GMT February 3, 2022 8:27:56 AM GMT Success
Change DBID and/or DBName February 3, 2022 8:27:56 AM GMT February 3, 2022 8:31:30 AM GMT Success
Removing Disabled Redo Threads February 3, 2022 8:31:30 AM GMT February 3, 2022 8:31:31 AM GMT Success
Updating DB attributes February 3, 2022 8:31:31 AM GMT February 3, 2022 8:31:32 AM GMT Success
Register Database taskflow February 3, 2022 8:31:35 AM GMT February 3, 2022 8:36:54 AM GMT Success
Create SPFile in shared loc February 3, 2022 8:31:35 AM GMT February 3, 2022 8:31:41 AM GMT Success
Delete Local Spfile February 3, 2022 8:31:41 AM GMT February 3, 2022 8:31:41 AM GMT Success
Register DB with clusterware February 3, 2022 8:31:41 AM GMT February 3, 2022 8:33:17 AM GMT Success
Add Startup Trigger to Open all PDBS February 3, 2022 8:33:17 AM GMT February 3, 2022 8:33:17 AM GMT Success
Set SysPassword and Create PwFile February 3, 2022 8:33:17 AM GMT February 3, 2022 8:33:20 AM GMT Success
Enable block change tracking February 3, 2022 8:33:20 AM GMT February 3, 2022 8:33:28 AM GMT Success
Creating pfile February 3, 2022 8:33:28 AM GMT February 3, 2022 8:33:29 AM GMT Success
Updating db env February 3, 2022 8:33:29 AM GMT February 3, 2022 8:33:30 AM GMT Success
Enable DbSizing Template February 3, 2022 8:33:30 AM GMT February 3, 2022 8:35:04 AM GMT Success
Update Database Global Name February 3, 2022 8:35:04 AM GMT February 3, 2022 8:35:05 AM GMT Success
Create tns entry February 3, 2022 8:35:05 AM GMT February 3, 2022 8:35:06 AM GMT Success
Running datapatch February 3, 2022 8:35:06 AM GMT February 3, 2022 8:35:24 AM GMT Success
Set CPU pool February 3, 2022 8:35:24 AM GMT February 3, 2022 8:35:24 AM GMT Success
Reset Associated Networks February 3, 2022 8:36:55 AM GMT February 3, 2022 8:36:59 AM GMT Success
Set log_archive_dest for Database February 3, 2022 8:36:59 AM GMT February 3, 2022 8:37:03 AM GMT Success
Copy Pwfile to Shared Storage February 3, 2022 8:37:03 AM GMT February 3, 2022 8:37:07 AM GMT Success
And some minutes later…
Licensing
After a short exchange with My Oracle Support – thanks to Bernard for clarification – there is a Special License Right for this use case available:
Oracle Database Backup Cloud Service includes use of the following two features from the Oracle Advanced Security option or the Oracle Advanced Compression option at no additional cost:
- RMAN backup encryption
- All RMAN backup compression algorithms
To use additional features of the Oracle Advanced Security option or the Oracle Advanced Compression option, you must license those options separately. In addition, the Oracle Advanced Security option must be separately licensed when performing RMAN encrypted backups directly to disk.
Link: Licensing Information (oracle.com)
Summary
Easy to configure, easy to handle – this are the key values of an Oracle Engineered System like the Oracle Database Appliance. The cloud as a backup target is never a bad solution, it depends on your requirements like your company’s backup strategy, internet connection and important things like RPO/RTO. Next step after the policy apply: verify and, if required, modify the backup schedule.
To have only one policy active at once is not really funny, but there are other solutions for a DBA to support two or more backup destinations like scripts, frameworks – or why not to change the policy by REST API endpoint /databases/modifyDb temporarily?
Have fun with backup to Oracle Cloud Infrastructure Object Storage!
Links:
- ODA Deployment and User Guide – Backup, Restore and Recover Databases
- Backup and Recovery Best Practices for the Oracle Database Appliance
- Best Practices for On-Premises Database Backup & Recovery
- https://docs.oracle.com/en/engineered-systems/oracle-database-appliance/19.13/odapi/op-databases-modifydb-put.html