You can configure automated, physical backups for VMware Tanzu SQL with MySQL for VMs.
Developers can create physical backups using the Cloud Foundry Command Line Interface (cf CLI) or logical backups using mysqldump
.
For more information about physical backups, see Backing Up and Restoring VMware Tanzu SQL with MySQL for VMs.
For more information about logical backups, see Backing Up and Restoring with mysqldump.
You can restore a physical backup by following the procedures in Restore a Service Instance.
You can configure Tanzu SQL for VMs to automatically back up databases to external storage. Tanzu SQL for VMs backs up the entire data directory for each service instance.
Tanzu SQL for VMs backs up your database on a schedule. You configure this schedule with a cron expression.
Configuring a cron expression overrides the default schedule for your service instance.
Developers can override the default for their service instance. For more information, see Backup Schedule.
To configure backups, follow the procedure for your external storage solution:
Secure copy protocol (SCP) enables you to use any storage solution on the destination VM. This is the fastest method for backing up your database.
When you configure backups with SCP, Tanzu SQL for VMs runs an SCP command that uses SFTP to securely copy backups to a VM or physical machine operating outside of your deployment. You provision the backup machine separately from their installation.
To back up your database using SCP:
Tanzu SQL for VMs accesses a remote host as a user with a private key for authentication. VMware recommends that this user and key-pair is only used for Tanzu SQL for VMs.
Determine the remote host that you use to store backups for Tanzu SQL for VMs. Ensure that the MySQL service instances can access the remote host.
Note VMware recommends using a VM outside your deployment for the destination of SCP backups. As a result, you might need to enable public IPs for the MySQL VMs.
(Recommended) Create a new user for Tanzu SQL for VMs on the destination VM.
(Recommended) Create a new public and private key-pair for authenticating as the above user on the destination VM.
Use Tanzu Operations Manager to configure Tanzu SQL for VMs to back up using SCP.
In Tanzu Operations Manager, open the Tanzu SQL for VMs tile Backups pane.
Select SCP.
Configure the fields as follows:
Field | Instructions |
---|---|
Username | Enter the user that you created in Create a Public and Private Key‑Pair. |
Private Key | Enter the private key that you created in Create a Public and Private Key‑Pair. Store the public key that is used for SSH and SCP access on the destination VM. |
Hostname | Enter the IP address or DNS entry that is used to access the destination VM. |
Destination Directory | Enter the directory that Tanzu SQL for VMs uploads backups to. |
SCP Port | Enter the SCP port number for SSH. This port usually is 22 . |
Cron Schedule | Enter a cron expression using standard syntax. The cron expression sets the schedule for taking backups for each service instance. This overrides the default schedule for your service instance. Test your cron expression using a website such as Crontab Guru. Developers can override the default for their service instance. For more information, see Backup Schedule. |
Fingerprint | (Optional) Enter the fingerprint for the destination VM public key. The fingerprint detects any changes to the destination VM. |
When you configure backups for Amazon S3 or Ceph, Tanzu SQL for VMs runs an Amazon S3 client that saves the backups to one of the following:
For information about Amazon S3 buckets, see the Amazon documentation.
For information about Ceph storage clusters, see the Ceph documentation.
To back up your database to Amazon S3 or Ceph:
Tanzu SQL for VMs accesses your S3 bucket through a user account. VMware recommends that this account be only used by Tanzu SQL for VMs. You must apply a minimal policy that enables the user account upload backups to your S3 bucket. Then give the policy the permission to list and upload to buckets.
The procedure in this section assumes that you are using an Amazon S3 bucket. If you are using a Ceph or another S3-compatible bucket to create the policy and access key, follow the documentation for your storage solution. For more information about Ceph S3 bucket policies, see the Ceph documentation.
To create a policy and access key in Amazon Web Services (AWS):
Create a policy for your Tanzu SQL for VMs user account.
In AWS, create a new custom policy by following this procedure in the AWS documentation.
Paste in the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MySQLBackupPolicy",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::MY_BUCKET_NAME/*",
"arn:aws:s3:::MY_BUCKET_NAME"
]
}
]
}
Record the Access Key ID and Secret Access Key user credentials for a new user account by following this procedure in the AWS documentation. Ensure you select Programmatic access and Attach existing policies to user directly. You must attach the policy you created in the previous step.
Use Tanzu Operations Manager to connect Tanzu SQL for VMs to your S3 account.
Important Before beginning this procedure, you must have an S3 bucket in which to store the backups.
In Tanzu Operations Manager, open the Tanzu SQL for VMs tile Backups pane.
Select Ceph or Amazon S3.
Configure the fields as follows:
Field | Instructions |
---|---|
Access Key ID and Secret Access Key | Enter the S3 Access Key ID and Secret Access Key that you created in Create a Custom Policy and Access Key. |
Endpoint URL | Enter the S3-compatible endpoint URL for uploading backups. The URL must start with http:// or https:// . The default is https://s3.amazonaws.com .If you are using a public S3 endpoint, see the S3 Endpoint procedure in Step 3: Director Config Page. |
Region | Enter the region where your bucket is located. |
Bucket Name | Enter the name of your bucket. Do not include an s3:// prefix, a trailing / , or underscores. VMware recommends using the naming convention DEPLOYMENT-backups . For example, sandbox-backups . |
Force path style access to bucket | The default behavior in Tanzu SQL for VMs 2.9 and later uses a virtual-style URL. Select this check box if you use:
If you are using a blobstore that uses a specific set of domains in its server certificate, add a new wildcard domain or use path-style URLs if supported by the blobstore. For general information about the deprecation of S3 path-style URLs, see AWS blog posts: Amazon S3 Path Deprecation Plan – The Rest of the Story and the subsequent Update to Amazon S3 Path Deprecation Plan. |
Bucket Path | (Optional) Enter the path in the bucket to store backups. You can use this to keep the backups from this foundation separate from those of other foundations that might also backup to this bucket. For example, Foundation-1 . This field is only available as of v2.10.3. |
Cron Schedule | Enter a cron expression using standard syntax. The cron expression sets the schedule for taking backups for each service instance. This overrides the default schedule for your service instance. Test your cron expression using a website such as Crontab Guru. Developers can override the default for their service instance. For more information, see Backup Schedule. |
Important Configuring this backup method requires you to run the upgrade-all-service-instances
errand during Apply Changes.
Backups fail until the service instance is upgraded.
When you configure backups for Amazon S3 with Instance Profile, Tanzu SQL for VMs allows the Identity and Access Management (IAM) user or role used by BOSH to pass the new backups IAM role to a new EC2 instance.
You can use the procedure in this section to allow Tanzu SQL for VMs to upload backups to Amazon S3 without static credentials (Access and Secret Access Key ID).
Important You must be running VMware Tanzu Application Service for VMs (TAS for VMs) on AWS.
The process for configuring backups for an Amazon S3 with instance profile is:
To start, you must create a policy for your Tanzu SQL for VMs user account.
For more information about AWS identity and access management, see the AWS documentation.
For more information about users, groups, and roles in AWS, see the AWS documentation.
To create an IAM Role with a custom policy:
In AWS, create an IAM role with a new custom policy by following this procedure in the AWS documentation.
Paste in the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:ListObjects"
],
"Resource": [
"arn:aws:s3:::BUCKET-NAME",
"arn:aws:s3:::BUCKET-NAME/*"
]
}
]
}
Where BUCKET-NAME
is the name of the bucket.
Record the Amazon Resource Name (ARN) of this new IAM role. This is used in Add a policy to the existing Tanzu Operations Manager user or role.
Next, you must add a new policy to the existing Tanzu Operations Manager IAM user or role that is configured in the AWS Config pane of the BOSH Director for AWS tile. This policy allows the IAM user or role used by BOSH to pass the new backups IAM role to a new EC2 instance.
Depending on your configuration, this is either a user or a role.
To find the existing user or role and add a policy:
Select AWS Config.
The following tabs expand to show instructions depending on the type of AWS Config that is already configured:
On the AWS Management Console, add a new policy to that IAM User or Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToCreateInstanceWithMySQLBackupstInstanceProfile",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::540390724081:role/MYSQL-BACKUPS-ROLE"
]
}
]
}
Where MYSQL-BACKUPS-ROLE
is the ARN of the role created in the previous section.
There are two methods that you can use to create a VM Extension in Tanzu Operations Manager:
Using the Tanzu Operations Manager API directly. For more information, see Create or Update a VM Extension in the Tanzu Operations Manager documentation.
Using the Tanzu Operations Manager CLI (om) to create the VM extension. For information about create-vm-extension
, see om create-vm-extension in GitHub.
JSON example to specify the instance profile name:
{
"name": "VM-EXTENSION-NAME",
"cloud_properties": {
"iam_instance_profile": "INSTANCE-PROFILE-NAME"
}
}
Where:
VM-EXTENSION-NAME
is the unique VM extension name that Tanzu Operations Manager managesINSTANCE-PROFILE-NAME
is the name of the instance profile created in Create an IAM Role with a Custom Policy.These are the following methods that you can use to apply the VM extension to the dedicated-mysql-broker
job in the Tanzu SQL for VMs tile:
Using the Tanzu Operations Manager API directly. For more information, see Apply VM Extensions to a Job in the Tanzu Operations Manager documentation.
Using the om CLI to configure the tile. Add the additional_vm_extensions
key in the resource-config
section of the product configuration and use the om CLI.
For information about configuring using a YAML configuration file, see om configure-product in GitHub.
Now that you have created and applied the VM extension, you must set it in the Tanzu SQL for VMs tile.
To set the VM extension name:
Configure the fields as follows:
Field | Instructions |
---|---|
Instance Profile VM Extension Name | Enter the VM-EXTENSION-NAME that you created in Create a VM Extension in Tanzu Operations Manager. |
Endpoint URL | Enter the S3-compatible endpoint URL for uploading backups. The URL must start with http:// or https:// . The default is https://s3.amazonaws.com .If you are using a public S3 endpoint, see the S3 Endpoint procedure in Step 3: Director Config Page in Configuring BOSH Director on AWS. |
Region | Enter the region where your bucket is located. |
Bucket Name | Enter the name of your bucket. Do not include an s3:// prefix, a trailing / , or underscores. VMware recommends using the naming convention DEPLOYMENT-backups . For example, sandbox-backups . |
Force path style access to bucket | The default behavior in Tanzu SQL for VMs 2.9 and later uses a virtual-style URL. Select this check box if you use:
If you are using a blobstore that uses a specific set of domains in its server certificate, add a new wildcard domain or use path-style URLs if supported by the blobstore. For general information about the deprecation of S3 path-style URLs, see AWS blog posts: Amazon S3 Path Deprecation Plan – The Rest of the Story and the subsequent Update to Amazon S3 Path Deprecation Plan. |
Bucket Path | (Optional) Enter the path in the bucket to store backups. You can use this to keep the backups from this foundation separate from those of other foundations that might also backup to this bucket. For example, Foundation-1 . This field is only available as of v2.10.3. |
Cron Schedule | Enter a cron expression using standard syntax. The cron expression sets the schedule for taking backups for each service instance. This overrides the default schedule for your service instance. Test your cron expression using a website such as Crontab Guru. Developers can override the default for their service instance. For more information, see Backup Schedule. |
Click Save.
The changes to your service instances are not complete until you apply your configuration changes.
This allows the service instances to begin using the instance profile instead of static credentials for backup and restore. Static credentials are not provided to existing service instances and backups fail until you upgrade the service instances.
To apply changes and upgrade all service instances for Tanzu SQL for VMs:
Upgrade all On-demand MySQL Service Instances
errand is activated.To verify that the IAM role is associated with the MySQL service instances:
mysql/GUID
.When you configure backups for a Google Cloud Storage (GCS) bucket, Tanzu SQL for VMs runs a GCS SDK that saves backups to a GCS bucket.
For information about GCS buckets, see the GCS documentation.
To back up your database to Google Cloud Storage (GCS):
Tanzu SQL for VMs accesses your GCS bucket through a service account. VMware recommends that this account is only used by Tanzu SQL for VMs. You must apply a minimal policy that enables the service account to upload backups to your GCS bucket.
The service account needs the following permissions:
To create a service account and private key in GCS:
Use Tanzu Operations Manager to connect Tanzu SQL for VMs to your GCS account.
In Tanzu Operations Manager, open the Tanzu SQL for VMs tile Backups pane.
Select GCS.
Configure the fields as follows:
Field | Instructions |
---|---|
Project ID | Enter the Project ID for the Google Cloud project that you are using. |
Bucket name | Enter the bucket name that Tanzu SQL for VMs uploads backups to. |
Bucket Path | (Optional) Enter the path in the bucket to store backups. You can use this to keep the backups from this foundation separate from those of other foundations that might also backup to this bucket. For example, Foundation-1 . This field is only available as of v2.10.3. |
Service Account JSON | Enter the contents of the service account JSON file that you downloaded when creating a service account in Create a service account and private key. |
Cron Schedule | Enter a cron expression using standard syntax. The cron expression sets the schedule for taking backups for each service instance. This overrides the default schedule for your service instance. Test your cron expression using a website such as Crontab Guru. Developers can override the default for their service instance. For more information, see Backup schedule. |
When you configure backups for Azure Storage, Tanzu SQL for VMs runs an Azure SDK that saves backups to an Azure storage account.
For information about Azure Storage, see the Azure documentation.
To back up your database to Azure Storage:
Tanzu SQL for VMs accesses your Azure Storage account through a storage access key. VMware recommends that this account be only used by Tanzu SQL for VMs. You must apply a minimal policy that enables the storage account upload backups to your Azure Storage.
The storage account needs the following permissions:
To create a storage account and access key:
Create a new storage account by following this procedure in the Azure documentation.
View your access key by following this procedure in the Azure documentation
To back up your database to your Azure Storage account:
In Tanzu Operations Manager, open the Tanzu SQL for VMs tile Backups pane.
Select Azure.
</>
Configure the fields as follows:
Field | Instructions |
---|---|
Account | Enter the Azure Storage account name that you created in Create a Storage Account and Access Key. |
Azure Storage Access Key | Enter one of the storage access keys that you viewed in Create a Storage Account and Access Key. |
Container Name | Enter the container name that Tanzu SQL for VMs uploads backups to. |
Blob Store Base URL | To use an on-premise blob storage, enter the hostname of the blob storage. By default, backups are sent to the public Azure blob storage. The Blob Store Base URL must follow the format: my-storage-account.my-custom.domain/MY-CONTAINER-NAME . |
Bucket Path | (Optional) Enter the path in the bucket to store backups. You can use this to keep the backups from this foundation separate from those of other foundations that might also backup to this bucket. For example, Foundation-1 . This field is only available as of v2.10.3. |
Cron Schedule | Enter a cron expression using standard syntax. The cron expression sets the schedule for taking backups for each service instance. This overrides the default schedule for your service instance. Test your cron expression using a website such as Crontab Guru. Developers can override the default for their service instance. For more information, see Backup Schedule. |