Query a Backup Snapshot

Ops Manager provides queryable backups. This functionality allows you to query specific backup snapshots more quickly. You can use queryable backups to:

  • Restore a subset of data within the MongoDB deployment.
  • Compare previous versions of data against the current data.
  • Identify the best point in time to restore a system by comparing data from multiple snapshots.

Considerations

Read-Only Instance

Ops Manager provisions these queryable snapshots as read-only MongoDB instances. Specifically, Ops Manager spins up a mongod with data from the selected snapshot store.

Important

By default, these instances are available for up to 24 hours. You can configure the duration using Expiration (Hours). For other queryable backup settings, see Queryable Snapshot Configuration.

Query Restrictions on the Queryable Snapshots

You cannot perform the following operations on queryable snapshots:

Cannot Query Snapshots on Compressed File System Stores

If snapshots are compressed in a file system store, the snapshot contents cannot be queried.

If you want to be able to query snapshots on a file system store, you need to create a new file system store with compression disabled.

Connection Methods

Connections to these instances are over TLS/SSL and require x.509 authentication. Ops Manager provides:

  • An executable that creates a tunnel which handles the connection, including the client TLS/SSL and the x.509 authentication.

    Requests are routed through the tunnel. The tunnel ensures that the request is speaking to the correct mongod instance.

  • x.509 certificates if you want to handle the connection details manually, including the TLS/SSL and the x.509 authentication.

    Requests come in through the web server, which acts as a proxy to the mongod.

Prerequisites

MongoDB Version Compatibility between Snapshot and Target Database

You can only query snapshots made from replica sets or sharded clusters with CSRS running MongoDB 3.2 or later.

For a queryable backup to succeed, the MongoDB instance that is the target of a restore must run a compatible MongoDB version. The following tables list the compatibility requirements for each deployment type and MongoDB version.

Sharded Clusters

Snapshot Data MongoDB Version | Compatible MongoDB Version for Target Database | Platform
3.6.x                         | 3.6.5 Enterprise or later                      | Any
3.4.x                         | 3.4.11 Enterprise or later                     | Windows
3.4.x                         | 3.4.2 Enterprise or later                      | Linux or macOS

Replica Sets

Snapshot Data MongoDB Version | Compatible MongoDB Version for Target Database | Platform
3.6.x                         | 3.4.11 Enterprise or later                     | Windows
3.6.x                         | 3.4.2 Enterprise or later                      | Linux or macOS
3.4.x                         | 3.4.11 Enterprise or later                     | Windows
3.4.x                         | 3.4.2 Enterprise or later                      | Linux or macOS
3.2                           | 3.4.11 Enterprise or later                     | Windows
3.2.x                         | 3.4.2 Enterprise or later                      | Linux or macOS

PEM File Location

For the queryable backup host, you must specify the location of the PEM file (which contains both a public key certificate and its associated private key) using the Proxy Server PEM File setting. If you have not already set up the queryable backup settings:

  1. Click Admin in the upper-right corner. From the Admin screen, click General > Ops Manager Config > Backup.

  2. Scroll to the Queryable Snapshot Configuration and specify the Proxy Server PEM File that the tunnel or clients can use to connect to the queryable mongod instance.

    If the file is encrypted, specify the Proxy Server PEM File Password.

  3. Optional. Update other queryable snapshot settings as appropriate. For a description of the settings, see Queryable Snapshot Configuration.

    Note

    You must restart the Web Server if you change any of the following settings:

Open Ports for App Server

The app server requires that ports 27700-27719 be open for communication with queryable backup snapshots.

To learn more about port requirements, see Firewall Configuration.

Sufficient Workers for the Ops Manager Backup Daemon

To query a snapshot of a sharded cluster, the Backup Daemon requires at least one worker for the config server, one worker for each shard, and one worker for each mongos instance.

To query a snapshot of a replica set, the Backup Daemon requires at least one worker for the replica set.

Example

If you restore a queryable backup from a 3-shard cluster with 1 shard router (mongos), you would need this value to be at least 5:

  • 1 per shard (3) +
  • 1 for the config server (1) +
  • 1 for the mongos

When the queryable backup begins, the Backup Daemon spins up 5 or more workers to manage these components.

Hostname

The FQDN that hosts the mongod for the queryable backup must match the one found on the Daemons page. To find that hostname, click the Admin link, then click Backup, and then click Daemons.

Query Backup (Use Tunnel to Connect)

Note

The tunnel handles the security (TLS/SSL and x.509 authentication) for connecting to the instance.

1. Go to Backup view and click the Overview tab.

For the deployment whose backup you want to query, click the ellipsis button under the Options column and select Query.

You can also click the deployment to view its snapshots and click the Query button under the Actions column.

2. Follow the prompts to query a backup snapshot.

  1. Select the snapshot to query and click Next.

  2. Start the process to query a snapshot. You will be prompted for 2-factor verification.

  3. Select Backup Tunnel as the connection method to the queryable snapshot.

  4. Select your Platform and download.

  5. Uncompress the downloaded file.

  6. Open a terminal or command prompt and go to the uncompressed <tunnel> directory. Run the executable to start the tunnel.

    The default port for the tunnel is 27017. To change the port, use the --local flag, as in the following example:

    ./<tunnel executable> --local localhost:27020
    

    Note

    If you change the port, you must include the port information when connecting.

    For the full list of options you can pass to the tunnel, run the tunnel executable with the -h option:

    ./<tunnel executable> -h
    
  7. Use the mongo shell or a MongoDB driver to connect to the backup via the tunnel.

    • If connecting locally from the same machine where the tunnel is running, you do not need to specify a connection string or host information. Otherwise, specify a connection string or host information for the machine where the tunnel is running.
    • If you have changed the port that the tunnel is listening on, you must specify the port information when connecting.

Tip

Once you have finished querying this snapshot, you can terminate the queryable instance:

  1. Go to the Restore History and hover over the Status column for the deployment item.
  2. Click Cancel.

Note

To find the log file for the queryable backup mongod instance, navigate to the following path in the head directory of the Backup Daemon host:

<daemon-hostname>:/<headDirectory>/queryable/<backupId>/mongod.log

Query Backup (Handle TLS/SSL Authentication Manually)

Note

The client X.509 certificate is valid for the same length of time as the queryable instance Expiration (Hours), which is 24 hours by default.

1. Go to Backup view and click the Overview tab.

For the deployment whose backup you want to query, click the ellipsis button under the Options column and select Query.

You can also click the deployment to view its snapshots and click the Query button under the Actions column.

2. Follow the prompts to query a backup snapshot.

  1. Select the snapshot to query and click Next.

  2. Start the process to query a snapshot. If prompted for your password, enter your password to verify.

  3. Select Connect Manually as the connection method to the queryable snapshot.

  4. Download the X.509 client PEM file.

  5. Download the CA PEM file.

  6. Use the mongo shell or a MongoDB driver to connect to the queryable backup host. To connect, you must specify the hostname and port, the TLS/SSL option, and the X.509 certificates.

    For example, if using the mongo shell to connect to the instance:

    mongo my-queryable-backup-host.mongodb.com:27217 --ssl --sslPEMKeyFile <client certificate> --sslCAFile mms-backup-ca.pem
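
The Proxy Server PEM File described under PEM File Location and the client PEM file passed to --sslPEMKeyFile above must each hold a certificate together with its private key. The following Python code is an added example, not part of Ops Manager or the original page: it checks that structure, reports whether the key is encrypted (in which case a password such as the Proxy Server PEM File Password is needed), and flags loose file permissions. The function names and the sample PEM blocks are constructed for illustration.

```python
import base64
import binascii
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Summarise the PEM blocks in text: counts, key encryption, problems."""
    info = {"certificates": 0, "private_keys": 0, "encrypted_key": False, "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL keys put "Name: value" headers before the base64 payload.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except binascii.Error:
            info["problems"].append(f"{label}: body is not valid base64")
        if label == "CERTIFICATE":
            info["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["private_keys"] += 1
            enc_header = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
            if label == "ENCRYPTED PRIVATE KEY" or enc_header:
                info["encrypted_key"] = True
    if info["certificates"] == 0:
        info["problems"].append("no CERTIFICATE block")
    if info["private_keys"] != 1:
        info["problems"].append(f"expected 1 private key, found {info['private_keys']}")
    return info

def inspect_pem_file(path):
    """inspect_pem plus a permission check, since the file holds a private key."""
    with open(path, encoding="ascii", errors="replace") as fh:
        info = inspect_pem(fh.read())
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        info["problems"].append("file is accessible by group or others")
    return info

def make_block(label, headers=""):
    """Build a constructed PEM block with placeholder bytes (not real key material)."""
    body = base64.encodebytes(b"constructed placeholder bytes").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"

# Constructed samples: an unencrypted pair and a legacy-format encrypted key.
SAMPLE_PLAIN = make_block("CERTIFICATE") + make_block("PRIVATE KEY")
SAMPLE_LEGACY_ENC = make_block("CERTIFICATE") + make_block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

The check is structural only: it does not confirm that the key matches the certificate or that the certificate is still within its validity period.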
    

Tip

Once you have finished querying this snapshot, you can terminate the queryable instance:

  1. Go to the Restore History and hover over the Status column for the deployment item.
  2. Click Cancel.

Next Steps

To restore a database or a collection using the queryable backup MongoDB instance, see Restore a Database or Collection from Queryable Backup.