PCE Database Backup

This section provides step-by-step instructions for backing up the PCE databases. Before you start, be sure you understand the technical details of the two PCE databases; see About the PCE Databases for information.

Note

The PCE runtime configuration file, runtime_env.yml, is not included in database backups. You must back up this important file separately. See Back Up the PCE Runtime Environment File.

About PCE Database Backup

You use the PCE database command line utility illumio-pce-db-management to back up, migrate, manage failover, and restore the PCE databases.

Important

You must run the PCE database commands as the PCE runtime user ilo-pce

When to Back Up

Follow your organization's backup policies and procedures, including frequency (such as, hourly, daily, or weekly) and retention location (namely, offsite or on a system other than the PCE cluster nodes).

Illumio recommends backing up the PCE databases in the following situations:

Before and after a PCE version upgrade
After pairing a large number of VENs
After updating a large number of workloads (such as, changing workload policy state or applying labels)
After provisioning major policy changes
After making major changes in your environment that affect workload information (such as, IP address changes)
On-demand backups before performing the procedures in this guide

Back Up the Policy Database

Perform these steps to back up all PCE data, such as before upgrading the PCE.

(On an SNC, skip this step.) Before you back up the PCE, determine which data node is running the agent_traffic_redis_server service:

sudo -u ilo-pce illumio-pce-ctl cluster-status

You see the following output:

SERVICES (runlevel: 5) NODES (Reachable: 1 of 1)
====================== ===========================
agent_background_worker_service 192.168.33.90
agent_service NOT RUNNING
agent_slony_service 192.168.33.90
agent_traffic_redis_cache 192.168.33.90
agent_traffic_redis_server 192.168.33.90          <=== run the dump command from this node
agent_traffic_service NOT RUNNING
...

On the data node that is running the agent_traffic_redis_server service, run the following commands:
```
sudo -u ilo-pce illumio-pce-db-management dump --file <location-of-db-dump-file>
sudo -u ilo-pce illumio-pce-db-management traffic dump --file <location-of-traffic-dump-file>
```
In
location-of-db-dump-file
and
location-of-traffic-dump-file
enter a file name for the policy database dump and the traffic database dump files, respectively.
Note
On an SNC, run these commands on the single node.
After the dump commands finish, copy the backup files to a fault-tolerant storage location.

Back Up the Traffic Database

Perform these steps to back up the traffic database only.

On any data node, run the following command:
```
sudo -u ilo-pce illumio-pce-db-management traffic dump --file <path_to_traffic_backup_file.tar.gz>
```
In path_to_traffic_backup_file.tar.gz, include the filename extension .tar.gz.
After the command finishes, copy the backup file to a fault-tolerant storage location.

Using pgbackrest for Traffic Data Backups

Instead of using the built-in PCE backup commands, you can use the pgbackrest tool. For example, pgbackrest can be useful if you have dedicated storage for backups, such as NFS network shared storage. If you have a multi-node traffic database, you must use pgbackrest for backups to ensure adequate space and performance.

Hardware Requirements

A shared filesystem such as NFS mount which is mounted on all the PCE nodes is required for pgbackrest to work. Make sure the NFS disk has enough space to store multiple backups.

Enabling pgbackrest

To enable the pgbackrest tool, add the following commands to the server runtime_env.yaml, with your cluster values specified where needed:

traffic_datastore_backup_service:
  pgbackrest_enabled: true
  backup_destination_type: 'filesystem'
  backup_root: '<location of NFS root>'
  backup_encryption_key: '<location of file that contains the backup encryption key>'
  max_full_backups: '<max number of full backups to retain>' # Defaults to 2

Back Up the Traffic Database (pgbackrest)

Use the following command to take a backup of the traffic database cluster:

sudo -u ilo-pce  illumio-pce-db-management traffic cluster-backup

List Available Backups (pgbackrest)

Use the following command to get the list of backups available, in the order in which they were taken:

sudo -u ilo-pce  illumio-pce-db-management traffic cluster-backup-list

Restore a Backup (pgbackrest)

Use the following commands to restore data from a given backup. For

backupLabel

, substitute the label of the backup to restore:

sudo -u ilo-pce  illumio-pce-ctl set-runlevel 1
sudo -u ilo-pce  illumio-pce-db-management traffic cluster-restore --backup-label backupLabel

Back Up the PCE Runtime Environment File

The PCE runtime configuration file, runtime_env.yml, is not included in automatic PCE backups. You must manually back up this file to a secure location.

Store a copy of each node's runtime_env.yml file on a system that is not part of the PCE cluster. By default, the PCE Runtime Environment File is located at the following location on each node:

/etc/illumio-pce/runtime_env.yml

If the file is not found there, it has been moved to a custom location. To find the file, check the ILLUMIO_RUNTIME_ENV environment variable.

Important

The runtime_env.yml file contains sensitive information that should be kept secret, such as encryption keys. Take steps to ensure the confidentiality of this file.

Illumio Core 22.2 Administration Guide

PCE Database Backup

Note

About PCE Database Backup

Important

When to Back Up

Back Up the Policy Database

Note

Back Up the Traffic Database

Using pgbackrest for Traffic Data Backups

Back Up the PCE Runtime Environment File

Important

Search results