Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
3
minLevel1
maxLevel2
outlinefalse
typelist
printablefalse
Info

Dedicated Backup

Objects in the S3 backup bucket are wholly dedicated to disaster recovery for Swarm and are not for general use by owners of the account where the bucket resides. Consider this feature a restricted form of S3, with constraints on the bucket's namespace that support Swarm's ability to backup and restore. Do not expect the namespace to be end-user-friendly.

Swarm S3 backups to Wasabi targets have been are verified. Complete a one-time set-up of the destination to implement an S3 backup feed: set up an account with Wasabi and then create an S3 bucket dedicated to backing up this cluster.

Setting

...

Up the S3 Bucket

...

Note

Swarm has the Wasabi access granted it as part of this configuration. Neither the S3 Backup feed nor the S3 Backup Restore Tool administers S3 credentials or create any S3 buckets in Wasabi.

See Wasabi Support for assistance.

These instructions are for Wasabi cloud storage, but any Internet-based S3 service has similar functionality:

  1. Service

...

  1. : Sign up for Wasabi if needed.

    1. Navigate to Wasabi's Sign Up page, fill out all fields and select Start Your Free Trial.

    2. Follow the on-screen instructions.

    3. Log in to the Wasabi console once setup is finished.

  2. Bucket

...

  1. : Create a bucket dedicated to backing up the Swarm cluster.

    1. Sign in to the Wasabi console: console.wasabisys.com.

...

    1. Select Create bucket.

    2. Make entries for Name and region:

      1. Enter a DNS compliant name for the new bucket for Bucket name. Buckets cannot be renamed, so choose wisely:

        1. The name must be unique across all existing bucket names in Wasabi S3.

        2. The name must be a valid DNS name, containing lowercase letters and numbers (

...

        1. internal periods, hyphens, and underscores), between 3 and 64 characters.
          (See S3 documentation: Rules for Bucket Naming

...

        1. )
          Tip: Incorporate the name of the Swarm cluster this bucket is dedicated to backing up for easier identification.

...

      1. Select a Region appropriate for business needs.

        Image Modified
    1. Take the defaults for Configure options.
      Best practice: Do not enable versioning or logging unless it is required for the organization.

      Image Modified

...

    1. Select Create, and record the fully qualified bucket name (such as "arn:aws:s3:::remote-bucket") for use later, in policies.

    2. Record these values for configuring the S3 Backup feed in Swarm:

      • Bucket Name

      • Region

  1. User

...

  1. : Create a programmatic (non-human/console) user that dedicated to Swarm access.

    1. Select the service IAM (Identity and Access Management) and click Users on the Wasabi console.
      Image Modified

    2. Add a dedicated user, such as caringo_backup, to provide Programmatic access for Swarm.
      Image Modified

    3. The Wasabi console generates an access key (an access key ID + secret access key), which must be recorded immediately.
      Image Modified

      • The secret access key is not retrievable or viewable after this, so save it in a secure place.

    4. Record the fully qualified user (such as "arn:aws:iam::123456789012:user/caringo_backup") for use later, in policies.

    5. Record these values for configuring the S3 Backup feed in Swarm:

      • Access Key ID

      • Secret Access Key

  2. Policies

...

  1. : Create policies on both the user and the bucket so the programmatic user has exclusive rights to the S3 bucket. Use the policy generators provided or enter edited versions of the examples below.

    1. Create an IAM policy for this user, allowing it all S3 actions on the backup bucket, which needs to be specified as a fully qualified Resource (recorded above), starting with arn:aws:s3:::

      IAM policy

      Code Block
      languagexml
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:*",
                  "Resource": "arn:aws:s3:::example.cluster1.backup"
              }
          ]
      }
    2. Create a matching bucket policy to grant access to the dedicated backup user, which needs to be specified as a fully qualified Principal, which is the User ARN (recorded above) starting with arn:aws:iam::.
      Using the Policy Generator, allow all S3 actions for a bucket, using the full ARN name:
      Image Modified

      Bucket

...

    1. Policy

      Code Block
      languagexml
      {
        "Id": "Policy1560809845679",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1560809828003",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example.cluster1.backup",
            "Principal": {
              "AWS": [
                "arn:aws:iam::123456789012:user/caringo_backup"
              ]
            }
          }
        ]
      }

Configuring the S3 Backup Feed

Create a new S3 backup feed with Wasabi as the target on the Swarm side.

  1. Open the Feeds page in the Swarm UI.
    Image Modified

  2. Click + Add at the top right.
    Image Modified

...

  1. Select the feed type S3 Backup.
    Image Modified

  2. Provide the following values. For details on these fields, see S3 Backup Feeds.

    • Name - For description, such as "Replication to Wasabi"

    • Endpoint - Include the complete endpoint, without the bucket: s3.us-west-1.wasabisys.com

    • Region - This example uses the us-west-1 storage region. Use the appropriate Wasabi service URL for any other region.

    • Bucket - Enter the newly created bucket dedicated to backing up the Swarm cluster.

    • Credentials - Paste in both the Access key name and Secret Key

    • Use SSL - Yes

      Image Modified
  3. Verify the new S3 backup appears in the list of Swarm feeds:
    Image Modified

...