The configuration backup function enables the administrator to:
Backup the appliance configuration, consisting of system metadata only (such as the network configuration, local users and roles, service settings, and other appliance metadata).
Restore a previously saved configuration from a backup.
Export a saved configuration, as a plain file, so that it may be stored on an external server, or included in a backup of a share on the appliance itself.
Import a saved configuration that was previously exported from this system or another system, making it available for a restore operation.
A configuration backup does include:
Metadata associated with the system as a whole, such as settings for NTP, NIS, LDAP, and other services.
Network device, datalink, and interface configuration.
User accounts, roles and privileges, preferences, and encrypted passwords for local users (not directory users).
Alerts and thresholds and their associated rules.
A configuration backup does not include:
User data (shares and LUNs). Your user data must be backed up separately, using NDMP backup software, snapshots, and/or remote replication.
User passwords for directory users. These remain stored solely in your separate network directory service, such as LDAP or Active Directory, and will not be stored in the backup or restored.
Metadata directly associated with user data, such as snapshot schedules, user quotas, compression settings, and other attributes of shares and LUNs.
Analytics and logs. Events can be redirected to external SNMP trap receivers or e-mail destinations using Alerts rules.
System software. The system software is automatically backed up as part of the System Update capability.
The restore operation takes a selected configuration backup, and modifies all of the corresponding system settings to reflect those in the backup, including removing aspects of the configuration that were not present at the time of the backup. Administrators should adhere to the following guidelines when planning a restore:
Scheduled downtime - The restore process takes several minutes to complete and will impact service to clients, as the active networking configuration and data protocols are reconfigured. Therefore, a configuration restore should only be used on a development system, or during a scheduled downtime.
Service interruption - Clients accessing data on the system through a data protocol such as NFS will see service interrupted, as the network is reconfigured and the NFS service restarted. If the selected backup copy was taken when a service was disabled by the administrator, that setting will be restored, and therefore client sessions will be terminated for that protocol.
Session interruption - If restore is initiated from a web browser, that web browser session will also be disconnected during the restore process as the network is reconfigured. If the restored configuration does not include the same routing and network address settings used by the current browser connection, or if the browser is connected to a network address managed by DHCP, the browser session will be interrupted during the restore. The restore process will complete in the background, but you will need to reload or point the browser at a new, restored network address to continue. For this reason, it may be desirable to initiate a complex configuration restore from the service processor serial console using the CLI.
Un-cluster, restore, and re-cluster - Configuration backups may be initiated for appliances that are joined in a cluster, but a configuration restore may not be used while systems are actively clustered. The clustering process means that settings are being synchronized between cluster peers, and each peer appliance also is maintaining private settings. For this reason, you must first use the Unconfiguring Clustering procedure to un-cluster the two systems. Then, restore the configuration backup on a selected head, and then re-cluster the two systems, at which point the other system will automatically synchronize itself with the restored configuration.
Root privileges required - Configuration backups include all system metadata, and therefore require all possible privileges and authorizations to create or apply. Therefore, unlike other delegated administrative options, only the root user is authorized to perform a configuration backup or restore.
Verify setting for new features - It is permitted to restore a configuration that was saved before applying a system update to a new version of the appliance software. In some cases, services and properties that were present at the time of the backup may have different effects, and new services and properties may exist in the newer software that did not exist at the time of the backup. Similar to the system update process, the configuration restore process will make every effort to transfer applicable settings, and apply reasonable defaults to those properties that did not exist at the time of the backup. When restoring across software versions, administrators should manually verify settings for new features following the restore.
Password maintenance - The root password is not changed or reverted to the password at the time of the backup if it was different. The current root password is maintained on the system across the restore. For more details about passwords, refer to the summary of Security Considerations.
Import or re-configure storage required - Storage will be unconfigured after the restore has completed. Administrators should import or reconfigure storage under the Configuration Storage screen after performing a configuration restore.
A configuration backup contains information that is normally only accessible to the root administrative user on the appliance. Therefore, any configuration backup that is exported to another system or into a filesystem share must apply security restrictions to the backup file to ensure that unauthorized users cannot read the backup file.
Local user passwords are stored in the backup file in encrypted (hashed) format, not as clear text. However, on the system, access to these password hashes is restricted, as they could be used as input to dictionary attacks. Therefore, administrators must carefully protect configuration backups that are exported, either by restricting file access to the backup, or by applying an additional layer of encryption to the entire backup file, or both.
Directory user passwords are not stored in the appliance, and therefore are not stored in the configuration backup. If you have deployed a directory service such as LDAP or AD for administrative user access, there are no copies of directory service password hashes for directory users stored in the configuration backup. Only the user name, user ID, preferences, and authorization settings for directory users are stored in the backup and then restored.
Following a configuration restore, the local root administrative user password is not modified to the root password at the time of the backup. The root password is left as-is, unmodified, by the restore process, to ensure that the password used by the administrator who is executing the restore process (and thus has logged in, using that password) is retained. If the administrator's intent was to also change the root password at the time of configuration restore, that step must be executed manually following the restore, using the normal administrative password change procedure.
The following section outlines how various Configuration Backup tasks can be accomplished using the Configuration Backup area near the bottom of the Maintenance > System screen in the BUI.
To create a backup, simply click the "Backup" button above the list of saved configurations and follow the instructions. You will be prompted to enter a descriptive comment for the backup.
Click the rollback icon on any saved configuration to begin the process of reverting the system to that saved configuration. Review the Restore Impact guidance above, and confirm that it is ok to proceed.
To delete a Saved Configuration simply click the trash can icon to delete the configuration that is no longer required.
To export a Saved Configuration, mouse over the configuration list entry you wish to export and click the download icon. Your browser will prompt you to save the file locally. The file is a compressed archive whose contents are versioned and may vary over time. You should not attempt to unpack or modify the content of the archive, and doing so will render it unable to be imported back to the appliance successfully.
To import a previously exported Saved Configuration, click the add icon at the top of the saved configurations list and then use your web browser's file selection dialog to locate the previously exported configuration. You should upload the single, compressed archive file previously saved using the export function.
The following section outlines how various Configuration Backup tasks can be accomplished using the CLI in the maintenance system configs context.
host:maintenance system configs> list CONFIG DATE SYSTEM VERSION bfa614d7-1db5-655b-cba5-bd0bb0a1efc4 2009-8-5 17:14:28 host 2009.08.04,1-0 cb2f005f-cf2b-608f-90db-fc7a0503db2a 2009-8-24 17:56:53 host 2009.08.18,1-0
The backup command saves a configuration backup. You will be prompted to enter a descriptive comment for the backup, and then enter done to execute the backup operation.
host:maintenance system configs> backup Backup Configuration. Enter a descriptive comment for this configuration, and click Commit to backup current appliance settings: host:maintenance system configs conf_backup step0> set comment="pre-upgrade" comment = pre-upgrade host:maintenance system configs conf_backup step0> done host:maintenance system configs>
The restore command reverts the system to a saved configuration. You will be prompted to enter the universal unique identifier for the backup (see the output of list, above), and then enter done to execute the restore. Review the Restore Impact guidance above, and confirm that it is ok to proceed.
host:maintenance system configs> restore Restore. Select the configuration to restore: host:maintenance system configs conf_restore step0> set uuid=36756f96-b204-4911-8ed5-fefaf89cad6a uuid = 36756f96-b204-4911-8ed5-fefaf89cad6a host:maintenance system configs conf_restore step0> done
Then the destroy command deletes a saved configuration:
host:maintenance system configs> destroy cb2f005f-cf2b-608f-90db-fc7a0503db2a Are you sure you want to delete the saved configuration "new"? y host:maintenance system configs>
The export command exports a saved configuration, by means of executing an HTTP or FTP PUT operation against a remote HTTP or FTP server. You can also use the export function to export the file to a share on the appliance itself, that has the HTTP or FTP protocol enabled for writing. You can enter a username and password for authentication to the remote server if one is required.
The import command imports a saved configuration, by means of executing an HTTP or FTP GET operation against a remote HTTP or FTP server. You can also use the import function to import a configuration stored in a share on the appliance itself, that has the HTTP or FTP protocol enabled for reading. You can enter a username and password for authentication to the remote server if one is required.