To perform an agentless restore to an Oracle Cloud Infrastructure (OCI) instance, verify that the access node and the OCI instance that you want to use as a destination meet the requirements.

Bucket Requirements
- You must assign a bucket name using the OCIBucketForGuestFileRestore additional setting. This bucket is used for agentless guest file restore.
- The bucket should be in the same region as the destination OCI instance.
- If you do not assign a bucket name, a temporary bucket named _GX_BUCKET_TEMPORARY is created in the destination instance's region (if it does not already exist) and is used for the guest file restore.

Destination OCI Instance Requirements
- The OCI instance must be powered on.
- The OCI instance must use an image that supports the run command feature. For more information, see "Supported Images" in OCI Documentation: Running Commands on an Instance.
- The Compute Instance Run Command plugin must be enabled and running on the instance.
- The OCI CLI must be installed on the destination instance. For more information, see "Supported Images" in OCI Documentation: Command Line Interface.

IAM Policies Requirements
- Permissions are required for a group of users to initiate agentless restore, as follows:
  - Create a group, and then add to that group the users who are allowed to perform agentless guest file restore.
  - Create a policy for that group to manage instance-agent-command-family in compartment [Compartment_Name].
  - Create another policy for that group to manage instance-agent-command-execution-family in compartment [Compartment_Name].
  For example:
  - Group Name: RunCommandUsers
  - Add users who can initiate agentless restore
  - Policy: Allow group RunCommandUsers to manage instance-agent-command-family in compartment VSA-Dev
  - Policy: Allow group RunCommandUsers to manage instance-agent-command-execution-family in compartment VSA-Dev
- Permissions are required for a "dynamic group" containing the destination instances involved in agentless restore, as follows:
  - Create a dynamic group, and then add to that group the OCI instances that will be the destination instances for the agentless guest file restore.
  - Create a policy allowing the dynamic group to use instance-agent-command-execution-family in compartment [Compartment_Name] where request.instance.id=target.instance.id
  - Create another policy allowing the dynamic group to manage objects in compartment [Compartment_Name] where all {target.bucket.name = '[Bucket_Name]'}
  For example:
  - Group Name: RunCommandDynamicGroup
  - Add instances that are destinations for agentless restore. For example, ocid1.instance.oc1.iad.anuwcljrk7uvtjicz6ojhlnmvcjy3irhg44eaehuyb4mbssscfmlhsjiltiq
  - Policy 1: Allow dynamic-group RunCommandDynamicGroup to use instance-agent-command-execution-family in compartment VSA-Dev where request.instance.id=target.instance.id
  - Policy 2: Allow dynamic-group RunCommandDynamicGroup to manage objects in compartment VSA-Dev where all {target.bucket.name = '_GX_BACKUP_TEMPORARY'}
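
The following check is an added example, not part of the original documentation or the product. It audits a set of policy statements against the four requirements listed above: both group statements and both dynamic-group statements present, run command limited to the calling instance, and object access limited to the bucket actually used for the restore. The statements are the page's own examples, written with OCI's hyphenated dynamic-group keyword; the function name audit and the wording of its findings are illustrative.

```python
import re

# Shape: Allow <group|dynamic-group> <name> to <verb> <resource> in compartment <name> [where <cond>]
STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>dynamic[- ]group|group)\s+\S+\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+compartment\s+\S+(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE)
BUCKET_COND = re.compile(r"target\.bucket\.name\s*=\s*'([^']*)'")
SELF_COND = re.compile(r"request\.instance\.id\s*=\s*target\.instance\.id")
REQUIRED = [  # (is_dynamic_group, verb, resource) for the four statements the page lists
    (False, "manage", "instance-agent-command-family"),
    (False, "manage", "instance-agent-command-execution-family"),
    (True, "use", "instance-agent-command-execution-family"),
    (True, "manage", "objects"),
]
# The page's own example statements, with the dynamic-group keyword hyphenated.
PAGE_EXAMPLE = [
    "Allow group RunCommandUsers to manage instance-agent-command-family in compartment VSA-Dev",
    "Allow group RunCommandUsers to manage instance-agent-command-execution-family in compartment VSA-Dev",
    "Allow dynamic-group RunCommandDynamicGroup to use instance-agent-command-execution-family"
    " in compartment VSA-Dev where request.instance.id=target.instance.id",
    "Allow dynamic-group RunCommandDynamicGroup to manage objects in compartment VSA-Dev"
    " where all {target.bucket.name = '_GX_BACKUP_TEMPORARY'}",
]

def audit(statements, restore_bucket):
    """Return findings; an empty list means the set matches the page's requirements."""
    findings, seen = [], set()
    for text in statements:
        m = STATEMENT.match(text.strip())
        if not m:
            findings.append(f"unparsed statement: {text!r}")
            continue
        dynamic = m["kind"].lower() != "group"
        resource, where = m["resource"].lower(), m["where"] or ""
        seen.add((dynamic, m["verb"].lower(), resource))
        if dynamic and resource == "instance-agent-command-execution-family":
            if not SELF_COND.search(where):
                findings.append("run command is not limited to the calling instance")
        if dynamic and resource == "objects":
            buckets = BUCKET_COND.findall(where)
            if not buckets:
                findings.append("object access is not limited to one bucket")
            elif restore_bucket not in buckets:
                findings.append(f"policy bucket {buckets[0]!r} != restore bucket {restore_bucket!r}")
    for dyn, verb, res in REQUIRED:
        if (dyn, verb, res) not in seen:
            findings.append(f"missing: {'dynamic-group' if dyn else 'group'} {verb} {res}")
    return findings
```

Pass the bucket name set in OCIBucketForGuestFileRestore (or the temporary bucket name in use) as restore_bucket; a name that differs from the one in the policy is reported as a finding.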

File System Level Permissions on Destination Instance
- OCI uses the service account "ocarun" to perform the file operations on the destination instance. The file operations are performed as part of remote commands that copy the files from the OCI bucket to the path on the destination instance.
- Ensure that the user "ocarun" has the required permissions to create files and folders in the destination path specified for agentless guest file restore.
- On Linux, you can edit the /etc/sudoers file to add 'ocarun ALL=(ALL) NOPASSWD: ALL' so that the user "ocarun" can access the destination path and run other sudo commands for guest file restore. For more information, see "To grant sudo permissions on Linux instances" on the Oracle Cloud Infrastructure Documentation page Running Commands on an Instance.
- To grant administrator permission on Windows, run the following command in PowerShell:
  Add-LocalGroupMember -Group "Administrators" -Member "NT SERVICE\OCARUN" | Restart-Service -Name OCARUN -Force
  For more information, see "To grant administrator permissions on Windows instances" on the Oracle Cloud Infrastructure Documentation page Running Commands on an Instance.