Quest IOUG Database & Technology Insights: OCI Backups and the Object Store Service

In previous articles, we have looked at an introduction to cloud databases in Oracle Cloud Infrastructure (OCI), as well as various concepts and tools for managing OCI’s Database as a Service (DBaaS). This article will dive deep into cloud database backups and introduce the Object Storage service.

As the name implies, Object Storage is OCI’s cloud object store and is comparable to Amazon’s S3 storage service or Microsoft’s Azure Storage. Object Storage can be accessed through myriad interfaces and tools including the OCI web portal, a command-line interface, a REST API, an Amazon S3-compatible API, a Swift API, and a number of SDKs. This article will be limited to using the web portal and the Swift API, which is used by Oracle Recovery Manager (RMAN) to interact with the Object Storage service.


There are a number of ways to back up a database in OCI. This article will detail two different ways of backing up a database to a container in the Object Storage service. The ability to manually back up a database or schedule automatic backups is included in the database service. In many cases, the limited backup and restore functionality of the built-in backup feature is not adequate for a cloud database administrator.

To understand exactly how the database backup functionality works, we will first manually configure the backup module by setting up the required cloud services, and then install and test the backup module on the database instance. Next, we will set up and examine the included automatic backup functionality. Finally, we will examine how these techniques can coexist without losing any of the powerful features of the Oracle Database backup and restore functionality.

Backup Module Services Setup

Access to the OCI Object Store requires a service gateway. The service gateway is a network service that is part of the Virtual Cloud Network. To set up the service gateway, navigate to the OCI web portal. Open the DB System Details page of the database system you want to back up. Select the link to the VCN under the Network heading. In the left pane under the Resources heading, select Service Gateways. Select Create Service Gateway. Give the service gateway a name, select the OCI IAD Object Storage service, and create the service gateway. In the left pane under the Resources heading, select Route Tables, and select the default route for your VCN. Select Add Route Rules and use the Service Gateway Target Type, the OCI IAD Object Storage Destination Service, and the Object Storage Target Service Gateway.

As in other cloud infrastructures, storage containers in OCI Object Storage are called buckets. Create a new bucket by going to the Object Storage service and selecting Create Bucket. Give the bucket a meaningful name and leave the other fields with their default values.

Access to cloud services requires a user account. It is possible to use an admin user account, but a more secure option is to create a new account with limited permissions. Create a service user account by selecting Identity > Users from the left pane. Select Create User and give the service account a name and description. Now go to the Groups screen, select Create Group, and give the group a name and description.

Permissions cannot be assigned to a user account directly. Authorizations are granted to groups in policy statements, and users receive those authorizations through membership in a group. Create a policy to give the service account access to the Object Storage bucket. Go to the Policies screen, select Create Policy, and give it a name and description. Add the following statements to the policy:

Allow group <group_name> to manage objects in compartment <compartment_name> where target.bucket.name = '<bucket_name>'

Allow group <group_name> to read buckets in compartment <compartment_name>

Connections to the Object Storage cloud service are authorized with an auth token. In most OCI services, auth tokens are effectively the same as passwords. To create an auth token, go back to the Users screen and select the backup service user you created. Under the Resources heading on the left, select Auth Tokens. Select Generate Token and give it a description. The auth token is displayed only once, immediately after it is created. Once this dialog is closed, there is no way to see it again, so make sure to copy the token before closing the dialog.

The service account user now needs to be added to the service account group. Go to the Groups screen and select the backup service group. Select Add User to Group under the Group Members heading and select the backup service account.

The last bit of information you need before installing the backup module on the database instance is the object storage namespace. This is the namespace assigned to the Object Storage containers for your tenancy. Select your profile dropdown from the top right, and select the Tenancy link. In the Tenancy Information box, under the Object Storage Settings heading, take note of the Object Storage Namespace. This will be appended to the URL in the next step.

Backup Module Installation

With all of the services set up properly and credentials in hand, the backup module can now be installed on the database instance. The reason the backup module is not already installed is that it requires the credentials and service details during the installation.

Log into the database instance and switch to the oracle user account:

sudo su - oracle

Change to the directory that contains the backup module:

cd /opt/oracle/oak/pkgrepos/oss/odbcs

Use the following command to install the backup module:

java -jar opc_install.jar \
-opcId <backup_service_user> -opcPass '<auth_token>' -container <bucket_name> \
-walletDir ~/hsbtwallet/ -libDir ~/lib/ -configfile ~/config \
-host https://swiftobjectstorage.<region_name>.oraclecloud.com/v1/<namespace>

The backup module setup does a number of things, including copying the media management library (MML) to the ~/lib directory, creating the credentials wallet in the ~/hsbtwallet directory, creating a configuration file at ~/config, and validating authentication and authorization to the Object Storage service. The configuration file is a text file that tells the MML the container name, the container location, the credential wallet location, and the credential alias in the wallet.

The MML is used in RMAN as an SBT_TAPE channel. The only required parameters are the locations of the library and the configuration file. Just as with any other SBT_TAPE channel configuration, the parameters can be specified as a persistent channel or at runtime as an allocated channel in a RUN block.
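
The runtime form of that channel, as an added example that is not part of the original article: a small wrapper that checks that the wallet and configuration file are private to the oracle user and then feeds RMAN a RUN block with an allocated SBT_TAPE channel. The paths follow the install command above; the library file name libopc.so and the script name oss_backup.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Paths follow the opc_install.jar
# command above; the library file name libopc.so is an assumption.

# private_path PATH: succeed only if PATH has no group/other permission bits.
# The wallet stores the auth token, so it should be readable by oracle only.
# Uses GNU stat (-c), as found on Oracle Linux.
private_path() {
  case "$(stat -c %a "$1" 2>/dev/null)" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# rman_run_block LIB PFILE: print a RUN block that allocates a one-off SBT_TAPE
# channel, leaving the persistent CONFIGURE CHANNEL setting untouched.
rman_run_block() {
  case "$1$2" in
    *"'"*) echo "path must not contain a single quote" >&2; return 2 ;;
  esac
  cat <<EOF
RUN {
  ALLOCATE CHANNEL oss1 DEVICE TYPE 'SBT_TAPE'
    PARMS 'SBT_LIBRARY=$1, ENV=(OPC_PFILE=$2)';
  BACKUP DATABASE PLUS ARCHIVELOG;
  RELEASE CHANNEL oss1;
}
EOF
}

# Run as the oracle user with:  sh oss_backup.sh --run
if [ "${1:-}" = "--run" ]; then
  for p in "$HOME/hsbtwallet" "$HOME/config"; do
    private_path "$p" || { echo "refusing: $p is missing or group/world accessible" >&2; exit 1; }
  done
  rman_run_block "$HOME/lib/libopc.so" "$HOME/config" | rman target /
fi
```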



Automatic Backups

When automatic backups are configured for the database or a manual backup is triggered through the UI, the backup files are similarly sent to a container in the Object Storage service. Unlike the manual configuration above, however, the automatic backup uses a service local to the database instance called Oracle Database Cloud Service (DCS) to store metadata, credentials, and other details. The DCS is used by a number of other database-related components as well and is managed with the command-line utility dbcli.

The first time a backup is triggered through the UI, the DCS agent automatically creates and configures access credentials, an object container, and a backup configuration. The tasks done by DCS can be reviewed with the command dbcli list-jobs as root. Details on each of these jobs can be found with the command dbcli describe-job -i <job ID>.

The command dbcli list-objectstoreswifts will show the configuration in DCS for the automatic backup container storage. All of the configuration and wallet files are stored in the /opt/oracle/dcs/commonstore directory. The backup module configuration is in the objectstore/opc_pfile/<db_unique_id>/opc_<db_unique_name>.ora file.

When running automatic backups, RMAN interacts with the object store in the same way as the manually created object store. However, it is important to understand that triggering an automatic backup causes DCS to change the persistent RMAN configuration by updating the SBT_TAPE channel to use the new object store.

CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' MAXPIECESIZE 2 G FORMAT '%d_%I_%U_%T_%t' PARMS 'SBT_LIBRARY=/opt/oracle/dcs/commonstore/pkgrepos/oss/odbcs/ ENV=(OPC_PFILE=/opt/oracle/dcs/commonstore/objectstore/opc_pfile/146616115/opc_cdb_iad1cr.ora)';

This channel configuration needs to stay this way for the automatic backup and restore functionality to work properly. This does not mean that you can no longer use the previously created object store, but it does mean that interacting with other object stores through RMAN requires the channels to be allocated in a RUN block as demonstrated in the previous section. This includes maintenance operations on backup files located in the manually created object store container.


There are many differences between traditional, local Oracle databases and Oracle Cloud databases. Most of these differences can be discovered in the process of moving to a cloud architecture without impacting database users. However, the exception to this rule is backup and recovery. The protection of production databases is too important to leave to on-the-job training.

This article should give you a solid understanding of how OCI database backup and recovery works. Backups, and to a certain extent, recoveries can be easily automated in OCI. In most cases, the automatic backups will provide adequate protection for your cloud databases. But, when it comes to tier-one production databases with very specific backup and recovery requirements and techniques, understanding exactly how these processes work is critical for a cloud database administrator.