• Administer Ops Manager >
• Manage Snapshot Storage >
• Manage S3 Snapshot Storage

Manage S3 Snapshot Storage

Ops Manager can back up MongoDB databases as snapshots to one or more of the following storage options:

• Another MongoDB database, called a blockstore,
• As files stored on a local or network-attached file system, and/or
• An AWS S3 bucket.

This tutorial covers backing up your MongoDB databases as snapshots stored in S3 and S3-compatible buckets. Ops Manager stores the metadata for S3 snapshot stores in a MongoDB database.

Note

You might have issues that require you to use more than one snapshot store. These issues could include needing more capacity, localizing data, or meeting privacy regulations.

To learn how to assign snapshot stores to different data centers, see Assign Snapshot Stores to Specific Data Centers.

Considerations

Requires a Dedicated Bucket

Ops Manager must be the only manager on the S3 bucket that you use for snapshots. You also need to configure the S3 bucket to avoid using features that Ops Manager does not support.

When configuring the S3 bucket:

• Do not create subfolders in the S3 buckets that you use with Ops Manager. Ops Manager only supports using entire S3 buckets.
• Disable AWS S3 bucket versioning. Versioning is not supported in Ops Manager for the S3 buckets used for snapshots.
• Do not create AWS S3 lifecycle rules. Lifecycle rules that expire or transition current versions of Ops Manager snapshot objects to archives results in incomplete snapshots that you can’t use to restore the configuration.

Can’t Move the S3 Snapshot Store

After you create an S3 snapshot store, you cannot move it to another S3 bucket. If you need to use a different S3 bucket to host your S3 snapshot store, you must create a new S3 snapshot store in that S3 bucket.

Supports the Storage API

MongoDB supports endpoints for:

• AWS S3 API
• IBM Cloud Object Storage API
• Dell EMC Elastic Cloud Storage API

IBM and Dell EMC support a subset of the full AWS S3 API.

You can use other S3-compatible endpoints. Ops Manager attempts to validate these endpoints when you save the S3 snapshot store setup. If validation passes, Ops Manager saves the configuration. If validation fails, Ops Manager displays an error and doesn’t save the configuration.

Prerequisites

Metadata Storage Prerequisites

• Deploy the dedicated MongoDB instance(s) to serve the S3 snapshot store metadata and Oplog Store. Serve these instances on separate hosts from the Ops Manager host and the application database to avoid performance and backup issues. Attach one or more storage volumes with enough capacity to store the databases these instances manage.
• Ensure the host serving the Ops Manager Backup Daemon service has enough capacity to store the head database.
• Secure the instance that stores your S3 snapshot store metadata database using authentication and TLS. S3 snapshot store metadata databases support all authentication mechanisms.

AWS S3 Storage Prerequisites

1. Verify that you have an IAM user on AWS.

2. Create your own AWS access keys for your IAM user. This allows you to create S3 buckets and store snapshot files in them. MongoDB does not create or issue AWS access keys.

3. Create your own S3 bucket to store your S3 snapshot store snapshots.

   Note

   The IAM user for which you created the AWS access keys must own the AWS S3 Bucket.

4. (Optional) If you serve your Ops Manager instance on AWS EC2, create an IAM Role to handle authorization.

   This role needs:

   • AWS service as the trusted entity.
   • EC2 as the use case.
   • Permissions to read and write access to your S3 bucket.

   To learn more, see:

   • Attach IAM role
   • Set up S3 bucket access

IBM Cloud Object Storage Prerequisites

1. Create an Access Key and Secret Key using IBM credential tools.
2. Create your own S3-compatible bucket.

Dell EMC Elastic Cloud Storage Prerequisites

1. Create an Access Key and Secret Key from your ECS User ID.
2. Create your own S3-compatible bucket.

Other S3-Compatible Storage

Other S3-compatible endpoints can be used. Ops Manager attempts to validate these endpoints when you save the configuration. If validation passes, the configuration, Ops Manager saves it. If validation fails, Ops Manager displays an error and doesn’t save the configuration.

Procedures

The format of the Username and Password depend upon the authentication mechanism. Select one of the following tabs:

• Username and Password
• X.509
• Kerberos
• LDAP

Add One S3 Snapshot Store

1

Navigate to the Snapshot Storage page.

1. Click the Admin link.
2. Click the Backup tab.
3. (Optional) If you have not previously set the head directory, set it in the Head Directory box.
4. Click the Snapshot Storage page.

2

Click Create New S3 Blockstore.

3

Provide the S3 blockstore details.

Field	Necessity	Contents
Name	Required	Type the label for the S3 snapshot store.
S3 Bucket Name	Required	Type the name of the S3 bucket where you want to host the the S3 snapshot store.
Region Override	Conditional	Type the region where your S3 bucket resides. Use this field only if your S3-compatible store’s S3 Endpoint doesn’t support region scoping. Don’t provide a value for this field with AWS S3 buckets.
S3 Endpoint	Required	Type the URL for this AWS S3 or S3-compatible bucket. What URL you write depends upon: Your S3 Bucket Name and If you checked Path Style Access. Example You created an S3 bucket called mybucket on AWS in the US East region. Path Style Access Checked Not Checked S3 Endpoint s3.us-east-2.amazonaws.com mybucket.s3.us-east-2.amazonaws.com Requests to Bucket https://s3.us-east-2.amazonaws.com/mybucket https://mybucket.s3.us-east-2.amazonaws.com
S3 Max Connections	Required	Type a positive integer indicating the maximum number of connections to this AWS S3 or S3-compatible bucket.
Path Style Access	Optional	Select if you want your AWS S3 or S3-compatible bucket to use a path-style URL endpoint (s3.amazonaws.com/<bucket>) instead of a virtual-host-style URL endpoint (<bucket>.s3.amazonaws.com). To review the S3 bucket URL conventions, see the AWS S3 documentation
Server Side Encryption	Optional	Select to enable server-side encryption. Clear to disable server-side encryption.
S3 Authorization Mode	Required	Select the method used to authorize access to the S3 bucket specified in S3 Bucket Name. Keys Ops Manager uses AWS Access Key and AWS Secret Key to authorize access to your S3 bucket. IAM Role Ops Manager uses an AWS IAM role to authorize access to your S3 bucket. AWS Access Key and AWS Secret Key fields are ignored.
Keys with Custom CA Bundle	Conditional	Click Choose file to add a custom Certificate Authority chain. This chain can validate against a self-signed certificate on the S3 bucket. Ops Manager displays this field when you set S3 Authorization Mode to Keys.
AWS Access Key	Conditional	Type your AWS Access Key ID. Ops Manager displays this field when you set S3 Authorization Mode to Keys.
AWS Secret Key	Conditional	Type your AWS Secret Access Key. Ops Manager displays this field when you set S3 Authorization Mode to Keys.
Datastore Type	Required	Select Standalone, Replica Set or Sharded Cluster. This MongoDB database stores the metadata for the blockstore.
MongoDB Host List	Conditional	Type a comma-separated list of mongod instances (for a Replica Set) or mongos instances (for a Sharded Cluster) in the <hostname:port> format that comprise the blockstore metadata database. Example host1.example.com:27017,host2.example.com:27017,host2.example.com:27018 Ops Manager displays this field when you set Datastore Type to Replica Set or Sharded Cluster.
MongoDB Hostname	Conditional	Type the hostname of the S3 snapshot store metadata database. Ops Manager displays this field when you set Datastore Type to Standalone.
MongoDB Port	Conditional	Type the port number of the S3 snapshot store metadata database. Ops Manager displays this field when you set Datastore Type to Standalone.
Username	Optional	If you set this value: Type the name of the user authorized to access the this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring SCRAM authentication, see SCRAM. Type the RFC 2253-formatted subject from the client certificate of the user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring x.509 authentication, see x.509. Type the UPN of the user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring Kerberos authentication, see Kerberos. Type the name of the LDAP user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring LDAP authentication, see LDAP.
Password	Optional	If you set this value: Warning If you did not use the credentialstool to encrypt this password, it is stored as plaintext in the database. Type the password associated with the username that can access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring SCRAM authentication, see SCRAM. Leave it blank. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring x.509 authentication, see x.509. Kerberos retrieves the password from its keytab file. Don’t type a password into this field. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring Kerberos authentication, see Kerberos. Type the password of the LDAP user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring LDAP authentication, see LDAP.
Connection Options	Optional	Type any additional configuration file options for the MongoDB instance. This field supports unescaped values only. For proper syntax, see Connection String URI Format in the MongoDB manual.
Encrypted Credentials	Optional	Select if the credentials for the database were encrypted using the credentialstool. The credentials include the Username, Password, AWS Access Key ID and AWS Secret Key.
Use TLS/SSL	Optional	Select if the S3 snapshot store metadata database only accepts connection encrypted using TLS. Beyond this checkbox, to connect this S3 snapshot store using TLS, you must enable TLS on the S3 blockstore database.
New Assignment Enabled	Optional	Select if you want to enable this S3 snapshot store after creating it. This is selected by default so the S3 blockstore can be assigned backup jobs. If you clear this checkbox, the S3 snapshot store is created but you cannot assign backups to this S3 snapshot store.
Disable Proxy Settings	Optional	Select if you want to disable proxying to this S3 snapshot store after creating it. AWS S3 respects the HTTP_PROXY and the HTTPS_PROXY environment variables. If you set either of these environment variables, S3 still enables the proxy.

4

Click Create.

Edit One Existing S3 Snapshot Store

Ops Manager lists S3 snapshot stores in a table on the Snapshot Storage page. Each row contains the settings for one S3 snapshot store.

1

Navigate to the Snapshot Storage page.

1. Click the Admin link.
2. Click the Backup tab.
3. (Optional) If you have not previously set the head directory, set it in the Head Directory box.
4. Click the Snapshot Storage page.

2

Go to the row for the S3 snapshot store you want to edit.

3

Update any values that need to be changed.

In the MongoDB Connection column, update any values that need to be changed in the following fields:

Field	Necessity	Contents
S3 Bucket Name	Required	Type the name of the S3 bucket where you want to host the the S3 snapshot store.
Region Override	Conditional	Type the region where your S3 bucket resides. Use this field only if your S3-compatible store’s S3 Endpoint doesn’t support region scoping. Don’t provide a value for this field with AWS S3 buckets.
S3 Endpoint	Required	Type the URL for this AWS S3 or S3-compatible bucket. What URL you write depends upon: Your S3 Bucket Name and If you checked Path Style Access. Example You created an S3 bucket called mybucket on AWS in the US East region. Path Style Access Checked Not Checked S3 Endpoint s3.us-east-2.amazonaws.com mybucket.s3.us-east-2.amazonaws.com Requests to Bucket https://s3.us-east-2.amazonaws.com/mybucket https://mybucket.s3.us-east-2.amazonaws.com
S3 Max Connections	Required	Type a positive integer indicating the maximum number of connections to this AWS S3 or S3-compatible bucket.
Path Style Access	Optional	Click if you want your AWS S3 or S3-compatible bucket to use a path-style URL endpoint (s3.amazonaws.com/<bucket>) instead of a virtual-host-style URL endpoint (<bucket>.s3.amazonaws.com). To review the S3 bucket URL conventions, see the AWS S3 documentation
Server Side Encryption	Optional	Click to enable server-side encryption. Clear to disable server-side encryption.
S3 Authorization Mode	Required	Select the method used to authorize access to the S3 bucket specified in S3 Bucket Name. Keys Ops Manager uses AWS Access Key and AWS Secret Key to authorize access to your S3 bucket. IAM Role Ops Manager uses an AWS IAM role to authorize access to your S3 bucket. AWS Access Key and AWS Secret Key fields are ignored.
Keys with Custom CA Bundle	Conditional	Click Choose file to add a custom Certificate Authority chain. This chain can validate against a self-signed certificate on the S3 bucket. Ops Manager displays this field when you set S3 Authorization Mode to Keys.
AWS Access Key	Conditional	Type your AWS Access Key ID. Ops Manager displays this field when you set S3 Authorization Mode to Keys.
AWS Secret Key	Conditional	Type your AWS Secret Access Key. Ops Manager displays this field when you set S3 Authorization Mode to Keys. Note Ops Manager doesn’t display the existing Secret Access Key.
<hostname>:<port>	Required	Type in one or more hosts that comprise the S3 Snapshot Store metadata database in the <hostname:port> format. Important If these hosts are changed, the blockstore they host must have the same data as the original blockstore. Changing the host to a new blockstore results in data loss. If the S3 snapshot store metadata database is a Replica Set or Sharded Cluster, type a comma-separated list of mongod instances (for a Replica Set) or mongos instances (for a Sharded Cluster). Example host1.example.com:27017,host2.example.com:27017,host2.example.com:27018 If the S3 snapshot store metadata database is a standalone MongoDB instance, type the hostname:port of the instance.
MongoDB Auth Username	Optional	If you set this value: Type the name of the user authorized to access the this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring SCRAM authentication, see SCRAM. Type the RFC 2253-formatted subject from the client certificate of the user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring x.509 authentication, see x.509. Type the UPN of the user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring Kerberos authentication, see Kerberos. Type the name of the LDAP user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring LDAP authentication, see LDAP.
MongoDB Auth Password	Optional	If you set this value: Type the password associated with the username that can access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring SCRAM authentication, see SCRAM. Leave it blank. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring x.509 authentication, see x.509. Kerberos retrieves the password from its keytab file. Don’t type a password into this field. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring Kerberos authentication, see Kerberos. Type the password of the LDAP user authorized to access this database. Note If your Ops Manager Application Database uses authentication or TLS, you must have connections configured to the application database. To learn more, see Configure the Connections to the Application Database. To learn more about configuring LDAP authentication, see LDAP. Warning If you did not use the credentialstool to encrypt this password, it is stored as plaintext in the database. Note Ops Manager doesn’t display the existing MongoDB Auth Password.
Encrypted Credentials	Optional	Select if the credentials for the database were encrypted using the credentialstool. The credentials include the Username, Password, AWS Access Key ID and AWS Secret Key.
Use TLS/SSL	Optional	Select if the blockstore database only accepts connection encrypted using TLS. Beyond this checkbox, to connect this S3 snapshot store using TLS, you must enable TLS on the S3 blockstore database.
Connection Options	Optional	Type any additional configuration file options for the MongoDB instance. This field supports unescaped values only. For proper syntax, see Connection String URI Format in the MongoDB manual.
Assignment Labels	Optional	Type a comma-separated list of labels to assign the S3 blockstores to specific projects.
Load Factor	Optional	Type any positive integer that expresses how much backup work you want this snapshot store to perform compared to another snapshot store. Important If you have only one snapshot store, skip this setting. Backup work includes running backups, restoring snapshots or grooming blockstores. The term of backup work ratio assigned to a single snapshot store is called its Load Factor. By default, Ops Manager assigns each snapshot store a Load Factor of 1. This means each snapshot store would perform the same amount of backup work. As a snapshot store’s Load Factor increases, it performs more backup work compared to another snapshot store. If the Load Factor of snapshot store A is set to 2 and the Load Factor of snapshot store B is set to 1, A performs two times the backup work of B. Example How to estimate Load Factor Consider a five-shard sharded cluster with the following backup storage configuration: File system store (F) manages the backup work for one shard in the cluster. F is running on a single two-core physical server. Blockstore (B) manages the backup work for four shards in the cluster. B is running as a four-node sharded cluster on four physical servers with two cores on each server. In this example, B has four times the capability of F. B should receive the greater part of the ratio of backup work: 4:1. For every one backup task F performs, B performs 4. Set the Load Factors of B to 4 and F to 1. Snapshot stores with greater compute or storage performance should be given a greater Load Factor: A file system store with 16-cores and 128 GB of RAM can back up more databases in less time than a file system store with only 2 cores and 8 GB of RAM. A blockstore backed by a 10-node sharded cluster can back up more databases and groom more databases than a blockstore backed by a single replica set. Load Factor can be set to 0. When one snapshot store’s Load Factor is set to 0, it performs no backup work at all. If a snapshot store’s Load Factor is changed while backup work is in progress, all jobs or tasks running on that snapshot store are allowed to finish. All future backup work then is re- distributed among the remaining snapshot stores with a Load Factor of 1 or greater and have Assignment Enabled selected.
Write Concern	Required	Select your preferred Write Concern: Default Deployment Type Default Write Concern Standalone Journaled Replica sets or sharded clusters W2 Journaled A primary or standalone MongoDB instance acknowledged the write and wrote that write to their on-disk journals. Acknowledged A primary or standalone acknowledged the write. W2 More than one of the cluster members acknowledged the write. Majority A majority of the replica set members acknowledged the write.

4

Select the checkbox in the Assignment Enabled column.

Select if you want to enable this S3 snapshot store after creating it. This is selected by default so the S3 snapshot store can be assigned backup jobs. If you clear this checkbox, the S3 Snapshot Store is created but you cannot assign backups to this S3 Snapshot Store.

5

Click Save.

6

Optional: Restart Ops Manager instances if needed.

If you change any connection string values or the Write Concern, restart all the Ops Manager instances including those running Backup Daemons.

Warning

Modifying the connection string values or the Write Concern for an existing blockstore requires all Ops Manager components, including those only running the Backup Daemon, to be restarted to apply those changes. Connection parameters include:

• <hostname>:<port>
• MongoDB Auth Username
• MongoDB Auth Password
• Encrypted Credentials
• Use TLS/SSL
• Connection Options
• Write Concern

If you change to another blockstore host, the data on the existing blockstore is not copied automatically to the other blockstore.

See also

For more details on the MongoDB connection string URI, see Connection String URI Format in the MongoDB Manual.

Delete One S3 Snapshot Store

1

Navigate to the Snapshot Storage page.

1. Click the Admin link.
2. Click the Backup tab.
3. (Optional) If you have not previously set the head directory, set it in the Head Directory box.
4. Click the Snapshot Storage page.

2

Deselect ASSIGNMENT ENABLED.

3

Click the Delete <blockstore> link under the name of the S3 blockstore you want to delete.

←   Manage Blockstore Snapshot Storage Manage File System Snapshot Storage  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.