About the Volume Data Migration Process
The migration process involves the following steps:
- Define the Admit policy in the old tenancy.
- Define the Endorse policy in the new tenancy.
- Configure the CLI profile.
- Clone or restore the volume.
Define the Admit Policy in the Old Tenancy
NewTenancyIdentityGroup in the new tenancy.
Both Clone and Restore operations create new volumes, so the policy admits only create operations. After these policies are defined along with the Endorse policies (described below), the users of NewTenancyIdentityGroup in the new tenancy will have permissions to clone or restore the volumes from the old tenancy to the new tenancy.
Admit Policy for Cloning
To allow cloning, use the OCI console or the CLI to create the following Identity policy in the old tenancy. You can further restrict these policies to admit access to the volumes in a compartment, by replacing "in tenancy" with "in compartment <compartment name>".
Define tenancy NewTenancy as ocid1.tenancy.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Define group NewTenancyIdentityGroup as ocid1.group.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Admit group NewTenancyIdentityGroup of tenancy NewTenancy to use volumes in tenancy where ANY { request.operation='CreateVolume', request.operation='GetVolume', request.operation='CreateBootVolume', request.operation='GetBootVolume' }
Admit Policy for Restoring
To allow restores, create the following Identity policy in the old tenancy by using the OCI console or the CLI. You can further restrict these policies to admit access to the volumes in a compartment, by replacing "in tenancy" with "in compartment <compartment name>".
Define tenancy NewTenancy as ocid1.tenancy.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Define group NewTenancyIdentityGroup as ocid1.group.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Admit group NewTenancyIdentityGroup of tenancy NewTenancy to read boot-volume-backups in tenancy
Admit group NewTenancyIdentityGroup of tenancy NewTenancy to read volume-backups in tenancy
Admit group NewTenancyIdentityGroup of tenancy NewTenancy to inspect volumes in tenancy
Define the Endorse Policy in the New Tenancy
OCI Endorse policies endorse users of a tenancy to run operations across tenancies. The following policies should be defined in the new tenancy; they give an identity group NewTenancyIdentityGroup of the new tenancy permission to clone or restore volumes from the old tenancy. Cloning and restores create new volumes, so the policy endorses create operations.
Endorse Policy for Cloning
To allow cloning, create the following Identity policy in the new tenancy by using either the OCI console or the CLI.
Define tenancy OldTenancy as ocid1.tenancy.oc1.. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Endorse group NewTenancyIdentityGroup to use volumes in tenancy OldTenancy where ANY { request.operation = 'CreateVolume', request.operation='GetVolume', request.operation='CreateBootVolume', request.operation='GetBootVolume' }
Endorse Policy for Restoring
To allow restores, create the following Identity policy in the new tenancy by using either the OCI console or the CLI.
Define tenancy OldTenancy as ocid1.tenancy.oc1.. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Endorse group NewTenancyIdentityGroup to read boot-volume-backups in tenancy OldTenancy
Endorse group NewTenancyIdentityGroup to read volume-backups in tenancy OldTenancy
Endorse group NewTenancyIdentityGroup to inspect volumes in tenancy OldTenancy
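A cross-tenancy request is authorized only when an Endorse statement in the new tenancy is matched by an Admit statement in the old tenancy, so it is worth comparing the two policy sets before running the migration. The following Python check is an added example, not part of the original playbook or of any Oracle tooling; the statements are constructed samples, and the compartment name MigrationVolumes and all function names are assumptions.

```python
import re

ADMIT = re.compile(r"Admit group (\S+) of tenancy \S+ to (\w+) ([\w-]+) in "
                   r"(tenancy|compartment \S+)(?: where (.+))?$", re.I)
ENDORSE = re.compile(r"Endorse group (\S+) to (\w+) ([\w-]+) in tenancy \S+"
                     r"(?: where (.+))?$", re.I)

def _ops(cond):
    # Operations named in a "where ANY { request.operation='X', ... }" clause.
    return frozenset(re.findall(r"request\.operation\s*=\s*'(\w+)'", cond or ""))

def parse(text, pattern):
    """Map (group, verb, resource) -> (operations, scope) for matching statements."""
    out = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            g = m.groups()
            scope = g[3].lower() if pattern is ADMIT else "tenancy"
            out[(g[0], g[1].lower(), g[2].lower())] = (_ops(g[-1]), scope)
    return out

def check_pairing(admit_text, endorse_text):
    """Compare old-tenancy Admit statements with new-tenancy Endorse statements."""
    admits, endorses = parse(admit_text, ADMIT), parse(endorse_text, ENDORSE)
    findings = []
    for key in sorted(set(admits) | set(endorses)):
        label = "%s %s" % key[1:]
        if key not in admits:
            findings.append("endorse without admit: " + label)
        elif key not in endorses:
            findings.append("admit without endorse: " + label)
        elif admits[key][0] != endorses[key][0]:
            findings.append("operation lists differ: " + label)
        if key in admits and admits[key][1] == "tenancy":
            findings.append("admit is tenancy-wide: " + label)
    return findings

# Constructed sample statements; MigrationVolumes is a hypothetical compartment name.
OPS = ("where ANY { request.operation='CreateVolume', request.operation='GetVolume', "
       "request.operation='CreateBootVolume', request.operation='GetBootVolume' }")
SAMPLE_ADMIT = "\n".join([
    "Admit group NewTenancyIdentityGroup of tenancy NewTenancy to use volumes in compartment MigrationVolumes " + OPS,
    "Admit group NewTenancyIdentityGroup of tenancy NewTenancy to read volume-backups in tenancy",
])
SAMPLE_ENDORSE = "\n".join([
    "Endorse group NewTenancyIdentityGroup to use volumes in tenancy OldTenancy " + OPS,
    "Endorse group NewTenancyIdentityGroup to read volume-backups in tenancy OldTenancy",
    "Endorse group NewTenancyIdentityGroup to read boot-volume-backups in tenancy OldTenancy",
])
```

Calling check_pairing(SAMPLE_ADMIT, SAMPLE_ENDORSE) reports the boot-volume-backups Endorse that has no Admit counterpart and the volume-backups Admit that is still scoped to the whole tenancy.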
Configure the CLI Profile
Create a CLI profile cross_tenancy_user_profile for the user of NewTenancyIdentityGroup. In the following example, this user is used to run the cross-tenancy operations. See complete instructions for configuring the CLI profile in "Configuring the CLI", which you can access from the "Explore More" topic elsewhere in this playbook.
Clone or Restore the Volume
Finally, to complete the volume migration, you can either clone or restore it.
Clone Volume Across Tenancies
Now that the policies are configured on both old and new tenancies, clone volumes from the old tenancy to the new tenancy by running the following commands from the configured CLI profile. Choose the compartment to which you want to clone the volumes and pass it as the --compartment-id argument, as shown here:
# Clone Volume
$ oci bv volume create --profile=cross_tenancy_user_profile --region=us-ashburn-1 --source-volume-id=ocid1.volume.oc1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --compartment-id=ocid1.compartment.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Clone Boot Volume
$ oci bv boot-volume create --profile=cross_tenancy_user_profile --region=us-ashburn-1 --source-boot-volume-id=ocid1.bootvolume.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --compartment-id=ocid1.compartment.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Restore Volume Across Tenancies
Now that the policies are configured on both old and new tenancies, restore volumes from the old tenancy to the new tenancy by running the following commands. Choose the compartment and availability domain (AD) where you want the volumes to be restored and pass them as the --compartment-id and --availability-domain arguments, as shown here:
# Restore Volume
$ oci bv volume create --profile=cross_tenancy_user_profile --region=us-ashburn-1 --volume-backup-id=ocid1.volumebackup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --compartment-id=ocid1.compartment.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --availability-domain=XXXX:US-ASHBURN-AD-1
# Restore Boot Volume
$ oci bv boot-volume create --profile=cross_tenancy_user_profile --region=us-ashburn-1 --boot-volume-backup-id=ocid1.bootvolumebackup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --compartment-id=ocid1.compartment.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --availability-domain=pjBI:US-ASHBURN-AD-1