From 218b613312e552bd1339a63e7605cea7c50cfa3a Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 11 Jun 2026 20:23:42 +0530 Subject: [PATCH 01/60] PBM-1727 Oracle Cloud Storage --- docs/details/oci-storage.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/details/oci-storage.md diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md new file mode 100644 index 00000000..f29bc22e --- /dev/null +++ b/docs/details/oci-storage.md @@ -0,0 +1 @@ +# Configure Oracle Cloud Infrastructure Object Storage \ No newline at end of file From cb1ec3dbf736c31fdf33a99c40ed202c593069b4 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 11 Jun 2026 22:07:29 +0530 Subject: [PATCH 02/60] Update oci-storage.md --- docs/details/oci-storage.md | 239 +++++++++++++++++++++++++++++++++++- 1 file changed, 238 insertions(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index f29bc22e..d1aced83 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -1 +1,238 @@ -# Configure Oracle Cloud Infrastructure Object Storage \ No newline at end of file +# Oracle Cloud Infrastructure Object Storage + +Percona Backup for MongoDB (PBM) supports [OCI Object Storage](https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) as a remote backup destination through a dedicated OCI native driver, allowing you to store and manage MongoDB backups directly in OCI buckets. + +PBM connects to OCI Object Storage using the `userPrincipal` authentication type by default, which uses OCI API signing keys. For keyless authentication, PBM also supports `instancePrincipal` for PBM running on OCI Compute instances. + +## Prerequisites + +Before configuring PBM, ensure that you have: + +- An Oracle Cloud Infrastructure account +- An Object Storage bucket +- A user with access to the bucket +- Customer Secret Keys generated for the user +- Bucket permissions that allow reading and writing objects + + +## Configure OCI CLI + +Initialize the OCI CLI configuration: + +```sh +oci setup config +``` + +Use your tenancy home region as the default CLI region. + +If needed, update local file permissions: + +```bash +oci setup repair-file-permissions --file ~/.oci/config +oci setup repair-file-permissions --file ~/.oci/oci_api_key.pem +``` +If the setup generated a new API key, upload the public key to your OCI user: + +```bash +cat ~/.oci/oci_api_key_public.pem +``` + +In the OCI Console, go to **User settings → Tokens and keys → API keys → Add API key**, and paste the public key. + +## Verify region access + +Check the regions available to your tenancy: + +```bash +oci iam region-subscription list \ --region \ --output table +``` + +!!! note + The region specified in the configuration must be enabled and subscribed to in your OCI tenancy. 
+ +## Get required OCI values + +Export the values required for the PBM configuration: + +```bash +export HOME_REGION= +export BUCKET_REGION= +export COMPARTMENT_NAME= +export BUCKET_NAME= +export PBM_PREFIX=pbm +``` + +Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and O`bject Storage namespace`: + +```bash +export TENANCY_OCID=$(oci iam tenancy get \ +--tenancy-id "$(awk -F= '/^tenancy=/{print $2}' ~/.oci/config)" \ +--region "$HOME_REGION" \ --query 'data.id' \ +--raw-output) + +export USER_OCID=$(awk -F= '/^user=/{print $2}' ~/.oci/config) +export FINGERPRINT=$(awk -F= '/^fingerprint=/{print $2}' ~/.oci/config) +export KEY_FILE=$(awk -F= '/^key_file=/{print $2}' ~/.oci/config) + +export NAMESPACE=$(oci os ns get \ +--region "$BUCKET_REGION" \ --query 'data' \ +--raw-output) +``` + +## Create a compartment + +Create a compartment for PBM backup resources: + +```bash +oci iam compartment create \ + --region "$HOME_REGION" \ --compartment-id "$TENANCY_OCID" \ + --name "$COMPARTMENT_NAME" \ + --description "PBM OCI Object Storage" +``` +Export the compartment OCID: + +```bash +export COMPARTMENT_OCID=$(oci iam compartment list \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --compartment-id-in-subtree true \ + --all \ + --query "data[?name=='$COMPARTMENT_NAME' && \"lifecycle-state\"=='ACTIVE'].id | [0]" \ + --raw-output) +``` +## Create an Object Storage bucket + +Create the bucket: + +```bash +oci os bucket create \ + --region "$BUCKET_REGION" \ + --namespace-name "$NAMESPACE" \ + --compartment-id "$COMPARTMENT_OCID" \ + --name "$BUCKET_NAME" +``` + +Verify the bucket: + +```bash +oci os bucket get \ + --region "$BUCKET_REGION" \ + --namespace-name "$NAMESPACE" \ + --bucket-name "$BUCKET_NAME" +``` + +## Configure IAM policies + +PBM must be able to create, read, overwrite, and delete backup objects. 
+ +Create a policy that allows the PBM user group to manage objects in the bucket: + +Allow group `` to manage object-family in compartment `` + +PBM also uses OCI native server-side copy operations. Add a policy for the regional Object Storage service: + +```bash +Allow service objectstorage- to manage object-family in compartment where any { + request.permission='OBJECT_READ', + request.permission='OBJECT_INSPECT', + request.permission='OBJECT_CREATE', + request.permission='OBJECT_OVERWRITE', + request.permission='OBJECT_DELETE' +} +``` + +Allow a few minutes for IAM policy changes to propagate. + +## Configure PBM with a user principal + +Use user principal authentication when PBM runs outside OCI or when you want to authenticate with OCI API signing keys. + +```yaml +storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: pbm + credentials: + type: userPrincipal + userPrincipal: + tenancy: + user: + fingerprint: + privateKey: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- +``` + +!!! tip + Indent the private key correctly before adding it to the configuration: + + ```sh + sed 's/^/ /' "$KEY_FILE" + ``` + +## Configure PBM with an instance principal + +Use instance principal authentication when PBM runs on an OCI Compute instance. This method avoids storing API signing keys in the PBM configuration. + +Create a dynamic group that includes the compute instance: + +```sh +ANY {instance.id = ''} +``` + +Create a policy that allows the dynamic group to access the bucket: + +```sh +Allow dynamic-group to manage objects in compartment where target.bucket.name = '' +``` + +Then configure PBM: + +```yaml +storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: pbm + credentials: + type: instancePrincipal +``` +Wait for few minutes for IAM policy propagation before testing the configuration. 
+ +## Apply the PBM configuration + +Apply the configuration: + +```bash +pbm config --file /path/to/oci-config.yaml +``` + +Force PBM to resync the storage configuration: + +```sh +pbm config --force-resync +``` + +## Verify the configuration + +Run a backup: + +```bash +pbm backup +``` + +Check that PBM created objects under the configured prefix: + +```bash +oci os object list \ + --bucket-name \ + --prefix pbm/ +``` + +You should see backup metadata and backup files stored under the configured prefix. \ No newline at end of file From 6780b884e8cbcafaae2c519b1c64c231ba2d9ed8 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:35:30 +0530 Subject: [PATCH 03/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index d1aced83..1bd8f98f 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -62,7 +62,7 @@ export BUCKET_NAME= export PBM_PREFIX=pbm ``` -Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and O`bject Storage namespace`: +Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and `Object Storage namespace`: ```bash export TENANCY_OCID=$(oci iam tenancy get \ From b6defbd1cab51b4311fbae0cae3134ae30bb483e Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:35:53 +0530 Subject: [PATCH 04/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 1bd8f98f..95e6da1d 100644 
--- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -11,7 +11,7 @@ Before configuring PBM, ensure that you have: - An Oracle Cloud Infrastructure account - An Object Storage bucket - A user with access to the bucket -- Customer Secret Keys generated for the user +- An OCI API signing key pair (private key + uploaded public key) for the user - Bucket permissions that allow reading and writing objects From 434ac3f5271337823c0c33c3e788f2d81a601d11 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:36:36 +0530 Subject: [PATCH 05/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 95e6da1d..9dd4cb61 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -44,7 +44,9 @@ In the OCI Console, go to **User settings → Tokens and keys → API keys → A Check the regions available to your tenancy: ```bash -oci iam region-subscription list \ --region \ --output table +oci iam region-subscription list \ + --region \ + --output table ``` !!! note From 71732c0283a44149f634bafcaf995e491855ff2f Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:37:01 +0530 Subject: [PATCH 06/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 9dd4cb61..3eded983 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -67,18 +67,24 @@ export PBM_PREFIX=pbm Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and `Object Storage namespace`: ```bash -export TENANCY_OCID=$(oci iam tenancy get \ ---tenancy-id "$(awk -F= '/^tenancy=/{print $2}' ~/.oci/config)" \ ---region "$HOME_REGION" \ --query 'data.id' \ ---raw-output) - -export USER_OCID=$(awk -F= '/^user=/{print $2}' ~/.oci/config) -export FINGERPRINT=$(awk -F= '/^fingerprint=/{print $2}' ~/.oci/config) +export TENANCY_OCID=$( + oci iam tenancy get \ + --tenancy-id "$(awk -F= '/^tenancy=/{print $2}' ~/.oci/config)" \ + --region "$HOME_REGION" \ + --query 'data.id' \ + --raw-output +) + +export USER_OCID=$(awk -F= '/^user=/{print $2}' ~/.oci/config) +export FINGERPRINT=$(awk -F= '/^fingerprint=/{print $2}' ~/.oci/config) export KEY_FILE=$(awk -F= '/^key_file=/{print $2}' ~/.oci/config) -export NAMESPACE=$(oci os ns get \ ---region "$BUCKET_REGION" \ --query 'data' \ ---raw-output) +export NAMESPACE=$( + oci os ns get \ + --region "$BUCKET_REGION" \ + --query 'data' \ + --raw-output +) ``` ## Create a compartment From 47d828d8e619c0c07583087d39b707b6af90bfeb Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:37:23 +0530 Subject: [PATCH 07/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 3eded983..45b5ed9c 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -92,9 +92,10 @@ export NAMESPACE=$( Create a compartment for PBM backup resources: ```bash -oci iam compartment create \ - --region "$HOME_REGION" \ --compartment-id "$TENANCY_OCID" \ - --name "$COMPARTMENT_NAME" \ +oci iam compartment create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$COMPARTMENT_NAME" \ --description "PBM OCI Object Storage" ``` Export the compartment OCID: From 826abd42e205d9492224d8c1ba8789a2d2fcd985 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:37:33 +0530 Subject: [PATCH 08/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 45b5ed9c..6a7823a3 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -114,10 +114,10 @@ export COMPARTMENT_OCID=$(oci iam compartment list \ Create the bucket: ```bash -oci os bucket create \ - --region "$BUCKET_REGION" \ - --namespace-name "$NAMESPACE" \ - --compartment-id "$COMPARTMENT_OCID" \ +oci os bucket create \ + --region "$BUCKET_REGION" \ + --namespace-name "$NAMESPACE" \ + --compartment-id "$COMPARTMENT_OCID" \ --name "$BUCKET_NAME" ``` From 2bc680b531562843d37ed84ee05bd89d37a51561 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:37:46 +0530 Subject: [PATCH 09/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 6a7823a3..e889ccb5 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -124,9 +124,9 @@ oci os bucket create \ Verify the bucket: ```bash -oci os bucket get \ - --region "$BUCKET_REGION" \ - --namespace-name "$NAMESPACE" \ +oci os bucket get \ + --region "$BUCKET_REGION" \ + --namespace-name "$NAMESPACE" \ --bucket-name "$BUCKET_NAME" ``` From 7b0c1f26dd1d3308cf63e4785881a13bac87ec51 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:38:09 +0530 Subject: [PATCH 10/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index e889ccb5..84f48cab 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -180,7 +180,7 @@ storage: Indent the private key correctly before adding it to the configuration: ```sh - sed 's/^/ /' "$KEY_FILE" + sed 's/^/ /' "$KEY_FILE" ``` ## Configure PBM with an instance principal From ecd613e7eed4fb1e7506ca2af3cc90d88773ce1f Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:38:25 +0530 Subject: [PATCH 11/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 84f48cab..5fec8752 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -212,7 +212,7 @@ storage: credentials: type: instancePrincipal ``` -Wait for few minutes for IAM policy propagation before testing the configuration. +Wait for a few minutes for IAM policy propagation before testing the configuration. ## Apply the PBM configuration 
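Review bot: In PATCH 02/60, "Configure IAM policies" grants the PBM user group `manage object-family` across the whole compartment, while the instance-principal section of the same file uses `manage objects` restricted by `where target.bucket.name = ''`. The two authentication paths end up with different privileges for the same job. `object-family` also covers buckets, so a holder of the API signing key can create or delete buckets in the compartment, which is more than the stated need to "create, read, overwrite, and delete backup objects". Suggest giving the user group the same `manage objects ... where target.bucket.name = ...` form, or stating why the broader grant is required.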
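Review bot: In PATCH 02/60, "Configure PBM with a user principal" puts the API signing key inline under `privateKey:`, and the tip runs `sed 's/^/ /' "$KEY_FILE"`, which writes the private key to the terminal. Nothing in the section says how to protect the resulting YAML file. Suggest adding a sentence that the configuration file now holds the signing key and should be readable only by the account that runs `pbm config --file`, and pointing readers to the instance principal section as the way to avoid storing the key when PBM runs on OCI Compute.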
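Review bot: In the "Get required OCI values" block of PATCH 02/60 (reflowed but not changed by PATCH 06/60), the awk patterns `/^tenancy=/`, `/^user=/`, `/^fingerprint=/` and `/^key_file=/` match in every profile section of `~/.oci/config`, so a file with more than one profile yields multi-line values that then flow into `--tenancy-id` and the PBM configuration. Suggest limiting the match to the profile in use, or stopping after the first match and saying so in the text. Separately, `TENANCY_OCID` is obtained by passing the tenancy OCID from the config file to `oci iam tenancy get` and reading back `data.id`, which is the value that was passed in; if the call is meant as a connectivity check, say that, otherwise the awk result can be exported directly.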
From 3a571eafd820c4e23bc4ac84ccab3bbb9f99137f Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:38:34 +0530 Subject: [PATCH 12/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 5fec8752..6922f7a3 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -239,8 +239,8 @@ pbm backup Check that PBM created objects under the configured prefix: ```bash -oci os object list \ - --bucket-name \ +oci os object list \ + --bucket-name \ --prefix pbm/ ``` From 9306047ec749d8ab67a6f03754c14f1a50a83abe Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:54:27 +0530 Subject: [PATCH 13/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 6922f7a3..c26a9c4f 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -101,13 +101,15 @@ oci iam compartment create \ Export the compartment OCID: ```bash -export COMPARTMENT_OCID=$(oci iam compartment list \ - --region "$HOME_REGION" \ - --compartment-id "$TENANCY_OCID" \ - --compartment-id-in-subtree true \ - --all \ - --query "data[?name=='$COMPARTMENT_NAME' && \"lifecycle-state\"=='ACTIVE'].id | [0]" \ - --raw-output) +export COMPARTMENT_OCID=$( + oci iam compartment list \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --compartment-id-in-subtree true \ + --all \ + --query "data[?name=='$COMPARTMENT_NAME' && \"lifecycle-state\"=='ACTIVE'].id | [0]" \ + --raw-output +) ``` ## Create an Object Storage bucket From 26df0f5053eb6cca8b2dbcef8adb34c9ee3c2255 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:54:57 +0530 Subject: [PATCH 14/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index c26a9c4f..4f01cbba 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -138,8 +138,7 @@ PBM must be able to create, read, overwrite, and delete backup objects. Create a policy that allows the PBM user group to manage objects in the bucket: -Allow group `` to manage object-family in compartment `` - + Allow group to manage object-family in compartment PBM also uses OCI native server-side copy operations. Add a policy for the regional Object Storage service: ```bash From 168ac45bb5925797e1fc12a8ef3a0114e6813c9c Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 11:56:36 +0530 Subject: [PATCH 15/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 4f01cbba..9168b0e7 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -61,8 +61,6 @@ export HOME_REGION= export BUCKET_REGION= export COMPARTMENT_NAME= export BUCKET_NAME= -export PBM_PREFIX=pbm -``` Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and `Object Storage namespace`: From fd77dbd40f64f08f8e2b8c598bafa4200fd35f10 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Jun 2026 06:29:38 +0000 Subject: [PATCH 16/60] Add OCI storage page to docs navigation --- .cache/plugin/git-committers/page-authors.json | 1 + mkdocs-base.yml | 1 + 2 files changed, 2 insertions(+) create mode 100644 .cache/plugin/git-committers/page-authors.json diff --git a/.cache/plugin/git-committers/page-authors.json b/.cache/plugin/git-committers/page-authors.json new file mode 100644 index 00000000..ff6efed6 --- /dev/null +++ b/.cache/plugin/git-committers/page-authors.json 
@@ -0,0 +1 @@ +{"cache_date": "2026-06-12", "page_authors": {"docs/index.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/404.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/CODE_OF_CONDUCT.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/about-docs.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/copyright.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/get-help.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/installation.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/intro.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/pmm.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/system-requirements.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/trademark-policy.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/architecture.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/authentication.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/azure.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/cli.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/control-collections.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/deployments.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/endpoint-map.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/filesystem-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/gcs.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/minio.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/oci-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/oss.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/pbm-agent.md": {"last_commit_date": "2026-06-12", "authors": []}, 
"docs/details/s3-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/storage-configuration.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/versions.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/workload-identity-auth.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/backup-sharding.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/backup-types.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/comparison.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/incremental-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/known-limitations.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/logical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/multi-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/point-in-time-recovery.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/restore-new-env.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/restore-remapping.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/selective-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/snapshots.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/split-merge-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/backup-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/configure-authentication.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/docker.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/initial-setup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/repos.md": {"last_commit_date": "2026-06-12", "authors": []}, 
"docs/install/secure-credentials-systemd.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/source.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/start-pbm-agent.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/tarball.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/automate-s3-access.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/change-nodes.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/configure-remotely.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/logpath.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/overview.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/start-agent-with-config.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/uninstalling.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/upgrading.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/backup-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/config.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/configuration-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/glossary.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/logging-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/pbm-agent-config-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/pbm-commands.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/pitr-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/restore-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/0.5.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.0.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.1.0.md": 
{"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.1.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.1.3.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.2.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.2.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.2.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.3.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.4.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.4.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.4.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.5.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.6.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.6.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.7.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.8.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.8.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.2.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.3.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.4.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.5.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.1.0.md": {"last_commit_date": 
"2026-06-12", "authors": []}, "docs/release-notes/2.10.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.11.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.12.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.13.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.14.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.2.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.2.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.3.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.3.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.4.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.4.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.5.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.6.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.7.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.8.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.9.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.9.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/index.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/faq.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/pbm-pmm.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/pbm-report.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/restore-partial.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/status.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/troubleshooting.md": {"last_commit_date": 
"2026-06-12", "authors": []}, "docs/usage/backup-external.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-incremental.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-priority.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-selective.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/cancel-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/compression.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/delete-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/describe-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/list-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/logs.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/oplog-replay.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/pitr-physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/pitr-selective.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/pitr-tutorial.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-external-agent-restart.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-external.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-incremental.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-progress.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-selective.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/schedule-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/start-backup.md": 
{"last_commit_date": "2026-06-12", "authors": []}}} \ No newline at end of file diff --git a/mkdocs-base.yml b/mkdocs-base.yml index b5fde611..efc238f5 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -246,6 +246,7 @@ nav: - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md - details/azure.md + - OCI Object Storage: details/oci-storage.md - details/oss.md - details/filesystem-storage.md - details/endpoint-map.md From 5b4d5487c57fbc149084f57a86b965f4d91dd0da Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:00:53 +0530 Subject: [PATCH 17/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 9168b0e7..44dedc0d 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -62,9 +62,7 @@ export BUCKET_REGION= export COMPARTMENT_NAME= export BUCKET_NAME= -Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and `Object Storage namespace`: - -```bash +# Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and `Object Storage namespace`: export TENANCY_OCID=$( oci iam tenancy get \ --tenancy-id "$(awk -F= '/^tenancy=/{print $2}' ~/.oci/config)" \ From 9be198f2760f466330f9bc45daaa24f4530f43cc Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:01:22 +0530 Subject: [PATCH 18/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
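Review bot: in the PATCH 17/60 hunk (@@ -62,9 +62,7 @@ of docs/details/oci-storage.md), the added line that starts with "# Get the" keeps the Markdown backticks around tenancy OCID, OCID, API key fingerprint, private key path and Object Storage namespace. The line is now a shell comment inside the code block, so the backticks print literally instead of rendering as inline code. Write the comment as plain text, for example "# Get the tenancy OCID, user OCID, API key fingerprint, private key path, and Object Storage namespace".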
diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 44dedc0d..37c0a3dd 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -132,9 +132,10 @@ oci os bucket get \ PBM must be able to create, read, overwrite, and delete backup objects. -Create a policy that allows the PBM user group to manage objects in the bucket: +Create a policy that allows the PBM user group to manage objects in the compartment: Allow group to manage object-family in compartment + PBM also uses OCI native server-side copy operations. Add a policy for the regional Object Storage service: ```bash From 996f477427b8aac53723a7e98a01aba67c20b7e7 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:01:45 +0530 Subject: [PATCH 19/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 37c0a3dd..c5f5aae5 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -238,6 +238,8 @@ Check that PBM created objects under the configured prefix: ```bash oci os object list \ + --region \ + --namespace-name \ --bucket-name \ --prefix pbm/ ``` From f52f73944c2f3e64f35b67c38d1c6b24b3d7f558 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Jun 2026 06:30:44 +0000 Subject: [PATCH 20/60] Document OCI config options in reference docs --- docs/details/storage-configuration.md | 1 + docs/reference/configuration-options.md | 88 ++++++++++++++++++++++++- 2 files changed, 88 insertions(+), 1 deletion(-) diff --git a/docs/details/storage-configuration.md b/docs/details/storage-configuration.md index 5f49941f..d06bedab 100644 --- a/docs/details/storage-configuration.md 
+++ b/docs/details/storage-configuration.md @@ -17,6 +17,7 @@ Percona Backup for MongoDB supports the following storage types: * [MinIO and S3-compatible storage](minio.md) * [Filesystem server storage](filesystem-storage.md) * [Microsoft Azure Blob storage](azure.md) +* [Oracle Cloud Infrastructure Object Storage](oci-storage.md) * [Alibaba Cloud OSS storage](oss.md) ### Considerations for choosing a backup storage type for s3-compatible storages diff --git a/docs/reference/configuration-options.md b/docs/reference/configuration-options.md index 7a18330c..f8bef242 100644 --- a/docs/reference/configuration-options.md +++ b/docs/reference/configuration-options.md @@ -7,7 +7,7 @@ *Type*: string
*Required*: YES -Remote backup storage type. Supported values: `s3`, `minio`, `gcs`, `filesystem`, `azure`. +Remote backup storage type. Supported values: `s3`, `minio`, `gcs`, `filesystem`, `azure`, `oci`, `oss`. ## AWS S3 storage options @@ -679,6 +679,92 @@ The minimum time to wait before the next retry, specified as a `time.Duration`. The maximum time to wait before the next retry, specified as a `time.Duration`. Units like ms, s, etc., are supported. Defaults to nanoseconds if no unit is provided. +## OCI Object Storage options + +```yaml +storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: userPrincipal + userPrincipal: + tenancy: + user: + fingerprint: + privateKey: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- +``` + +### storage.oci.region + +*Type*: string
+*Required*: YES + +The OCI region where your Object Storage bucket is located. + +### storage.oci.namespace + +*Type*: string
+*Required*: YES + +The Object Storage namespace for your OCI tenancy. + +### storage.oci.bucket + +*Type*: string
+*Required*: YES + +The name of the Object Storage bucket where PBM stores backups. + +### storage.oci.prefix + +*Type*: string
+*Required*: NO + +The path prefix in the bucket. If undefined, backups are stored in the bucket root. + +### storage.oci.credentials.type + +*Type*: string
+*Required*: NO
+*Default*: `userPrincipal` + +Authentication type for OCI access. Supported values: `userPrincipal`, `instancePrincipal`. + +### storage.oci.credentials.userPrincipal.tenancy + +*Type*: string
+*Required*: YES (when `storage.oci.credentials.type=userPrincipal`) + +The tenancy OCID for OCI API signing key authentication. + +### storage.oci.credentials.userPrincipal.user + +*Type*: string
+*Required*: YES (when `storage.oci.credentials.type=userPrincipal`) + +The user OCID for OCI API signing key authentication. + +### storage.oci.credentials.userPrincipal.fingerprint + +*Type*: string
+*Required*: YES (when `storage.oci.credentials.type=userPrincipal`) + +The fingerprint of the uploaded OCI API signing public key. + +### storage.oci.credentials.userPrincipal.privateKey + +*Type*: string
+*Required*: YES (when `storage.oci.credentials.type=userPrincipal`) + +The private key in PEM format that pairs with the uploaded OCI API signing public key. + ## Alibaba Cloud OSS storage options ```yaml From ece2f50ad75f9193b503fd68359e96a8852b3282 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:32:25 +0530 Subject: [PATCH 21/60] Update oci-storage.md --- docs/details/oci-storage.md | 222 +++++++++++++++++++++++++----------- 1 file changed, 153 insertions(+), 69 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index c5f5aae5..c5da97b9 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
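Review bot: in PATCH 20/60's configuration-options.md hunk (@@ -679,6 +679,92 @@), `storage.oci.credentials.userPrincipal.privateKey` is documented as an inline PEM value with no handling guidance, so a reader who follows the YAML example ends up with the API signing private key sitting in the PBM configuration file. Add a sentence to that option saying the file must be readable only by the account that runs PBM and kept out of version control, and point to `instancePrincipal` as the alternative that needs no key in the file. The section also lists `instancePrincipal` as a supported value of `storage.oci.credentials.type` but shows only the `userPrincipal` YAML; a second, shorter example for `instancePrincipal` would close that gap.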
@@ -1,29 +1,48 @@ # Oracle Cloud Infrastructure Object Storage -Percona Backup for MongoDB (PBM) supports [OCI Object Storage](https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) as a remote backup destination through a dedicated OCI native driver, allowing you to store and manage MongoDB backups directly in OCI buckets. +Percona Backup for MongoDB (PBM) supports [OCI Object Storage] +(https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) +as a remote backup destination through a dedicated OCI native +driver. PBM connects to OCI Object Storage using one of three +authentication types: + +|**Authentication type**| **Use when**| +|---------------------|-------------| +| `userPrincipal`|PBM runs anywhere; authenticates with OCI API signing keys| | +| `instancePrincipal`|PBM runs on an OCI Compute instance| | +| `okeWorkloadIdentity`|PBM runs inside an OKE enhanced cluster| -PBM connects to OCI Object Storage using the `userPrincipal` authentication type by default, which uses OCI API signing keys. For keyless authentication, PBM also supports `instancePrincipal` for PBM running on OCI Compute instances. ## Prerequisites Before configuring PBM, ensure that you have: -- An Oracle Cloud Infrastructure account -- An Object Storage bucket -- A user with access to the bucket -- An OCI API signing key pair (private key + uploaded public key) for the user -- Bucket permissions that allow reading and writing objects - +- An active OCI tenancy with at least one subscribed region +- The OCI CLI installed and configured (`oci setup config`). 
+ See the [OCI CLI documentation](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm) + for installation instructions +- An OCI user with permission to create compartments, buckets, + dynamic groups, and IAM policies in your tenancy +- An OCI API signing key pair: private key on the host running + PBM, public key uploaded to the OCI user -## Configure OCI CLI -Initialize the OCI CLI configuration: +Initialize the OCI CLI configuration if you have not done so already: ```sh oci setup config ``` -Use your tenancy home region as the default CLI region. +Use your tenancy home region as the default CLI region. If the setup generated a new API key, upload the public key +to your OCI user: + +```sh +cat ~/.oci/oci_api_key_public.pem +``` + +In the OCI Console, go to **User settings → Tokens and keys → +API keys → Add API key**, paste the public key, and confirm +the fingerprint matches `~/.oci/config`. If needed, update local file permissions: @@ -31,13 +50,6 @@ If needed, update local file permissions: oci setup repair-file-permissions --file ~/.oci/config oci setup repair-file-permissions --file ~/.oci/oci_api_key.pem ``` -If the setup generated a new API key, upload the public key to your OCI user: - -```bash -cat ~/.oci/oci_api_key_public.pem -``` - -In the OCI Console, go to **User settings → Tokens and keys → API keys → Add API key**, and paste the public key. ## Verify region access 
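Review bot: the new intro says PBM uses "one of three authentication types" and the table lists `okeWorkloadIdentity`, but the reference added in PATCH 20/60 gives the supported values of `storage.oci.credentials.type` as `userPrincipal` and `instancePrincipal` only, and the "Configure PBM" section in this patch has subsections for those two alone. Either document `okeWorkloadIdentity` in both places or drop the row and change the count. In the same hunk the link is split across two added lines (`[OCI Object Storage]` on one, `(https://...)` on the next), which stops Markdown from treating it as a link, and the first two table rows end in an extra `| |` cell.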
@@ -52,17 +64,22 @@ oci iam region-subscription list \ !!! note The region specified in the configuration must be enabled and subscribed to in your OCI tenancy. -## Get required OCI values +## Set up OCI resources -Export the values required for the PBM configuration: +### Export variables -```bash -export HOME_REGION= -export BUCKET_REGION= -export COMPARTMENT_NAME= -export BUCKET_NAME= +Set the following variables before running any commands in this +section. All subsequent commands reference them. + +```sh +export HOME_REGION= # e.g. us-ashburn-1 +export BUCKET_REGION= # e.g. eu-frankfurt-1 +export COMPARTMENT_NAME=pbm-backup +export BUCKET_NAME= +``` +Retrieve and export the values PBM requires: -# Get the `tenancy OCID`, user `OCID`, `API key fingerprint`, `private key path`, and `Object Storage namespace`: +```sh export TENANCY_OCID=$( oci iam tenancy get \ --tenancy-id "$(awk -F= '/^tenancy=/{print $2}' ~/.oci/config)" \ @@ -81,22 +98,31 @@ export NAMESPACE=$( --query 'data' \ --raw-output ) + +echo "TENANCY_OCID: $TENANCY_OCID" +echo "USER_OCID: $USER_OCID" +echo "FINGERPRINT: $FINGERPRINT" +echo "NAMESPACE: $NAMESPACE" ``` +Verify all five values are populated before continuing. An empty +value means the OCI CLI is not authenticated or the variable +was not set correctly. ## Create a compartment Create a compartment for PBM backup resources: -```bash +```sh oci iam compartment create \ --region "$HOME_REGION" \ --compartment-id "$TENANCY_OCID" \ --name "$COMPARTMENT_NAME" \ - --description "PBM OCI Object Storage" + --description "PBM OCI Object Storage backup" ``` -Export the compartment OCID: +Wait until the compartment is active, then export its OCID: -```bash + +```sh export COMPARTMENT_OCID=$( oci iam compartment list \ --region "$HOME_REGION" \ 
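Review bot: the sentence added after the echo block says "Verify all five values are populated", but the block echoes four (`TENANCY_OCID`, `USER_OCID`, `FINGERPRINT`, `NAMESPACE`). If the fifth is the private key path that the later `sed 's/^/ /' "$KEY_FILE"` step depends on, add `echo "KEY_FILE: $KEY_FILE"` to the block; otherwise change the count to four. An unset `KEY_FILE` is worth catching here, because the `sed` step would otherwise fail only when the reader is already assembling the config file.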
@@ -106,12 +132,15 @@ export COMPARTMENT_OCID=$( --query "data[?name=='$COMPARTMENT_NAME' && \"lifecycle-state\"=='ACTIVE'].id | [0]" \ --raw-output ) + +echo "COMPARTMENT_OCID: $COMPARTMENT_OCID" ``` -## Create an Object Storage bucket + +### Create an Object Storage bucket Create the bucket: -```bash +```sh oci os bucket create \ --region "$BUCKET_REGION" \ --namespace-name "$NAMESPACE" \ 
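Review bot: this hunk demotes "Create an Object Storage bucket" to `###`, but "Create a compartment" is left at `##` in the previous hunk's context, so the bucket and IAM policy steps nest under the compartment section instead of under the new "Set up OCI resources" heading. Change that heading to `### Create a compartment` as well. Next to the added `echo "COMPARTMENT_OCID: $COMPARTMENT_OCID"`, say that a missing OCID means the compartment is not yet `ACTIVE`, since the query filters on that lifecycle state and the text above only tells the reader to wait.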
@@ -119,40 +148,75 @@ oci os bucket create \ --name "$BUCKET_NAME" ``` -Verify the bucket: +Verify the bucket was created: -```bash +```sh oci os bucket get \ --region "$BUCKET_REGION" \ --namespace-name "$NAMESPACE" \ - --bucket-name "$BUCKET_NAME" + --bucket-name "$BUCKET_NAME" \ + --query 'data.{name:name,namespace:namespace}' \ + --output table ``` -## Configure IAM policies +### Create IAM policies PBM must be able to create, read, overwrite, and delete backup objects. -Create a policy that allows the PBM user group to manage objects in the compartment: +Two policies are required: - Allow group to manage object-family in compartment +**User access policy** — grants your OCI user group permission +to manage objects in the PBM compartment. Replace +`` with the name of the group containing +your PBM user: -PBM also uses OCI native server-side copy operations. Add a policy for the regional Object Storage service: +```sh +oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-user-access \ + --description "Allow PBM user group to manage backup objects" \ + --statements '["Allow group to manage object-family in compartment pbm-backup"]' +``` -```bash -Allow service objectstorage- to manage object-family in compartment where any { - request.permission='OBJECT_READ', - request.permission='OBJECT_INSPECT', - request.permission='OBJECT_CREATE', - request.permission='OBJECT_OVERWRITE', - request.permission='OBJECT_DELETE' -} +**Native copy policy** — grants the OCI Object Storage service +permission to copy objects internally. 
PBM requires this for +server-side copy operations: + +```sh +oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "pbm-native-copy-$BUCKET_REGION" \ + --description "Allow Object Storage service to copy PBM objects" \ + --statements "[\"Allow service objectstorage-$BUCKET_REGION to manage object-family \ + in compartment $COMPARTMENT_NAME where any { \ + request.permission='OBJECT_READ', \ + request.permission='OBJECT_INSPECT', \ + request.permission='OBJECT_CREATE', \ + request.permission='OBJECT_OVERWRITE', \ + request.permission='OBJECT_DELETE'}\"]" ``` -Allow a few minutes for IAM policy changes to propagate. +!!! note + IAM policy changes can take up to 2 minutes to propagate. + If PBM reports an authorization error immediately after + creating the policies, wait 2 minutes and retry. + +## Configure PBM + +### userPrincipal -## Configure PBM with a user principal +Use this when PBM runs outside OCI, or when you want to +authenticate with OCI API signing keys. -Use user principal authentication when PBM runs outside OCI or when you want to authenticate with OCI API signing keys. +Generate the correctly indented private key before creating +the config file: + +```sh +sed 's/^/ /' "$KEY_FILE" +``` +Create the configuration file: ```yaml storage: @@ -173,6 +237,10 @@ storage: ... -----END PRIVATE KEY----- ``` +!!! warning + The `user` value must be a user OCID starting with + `ocid1.user.oc1`. A bucket or compartment OCID causes + a 401 authentication failure. !!! tip Indent the private key correctly before adding it to the configuration: 
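Review bot: in the `pbm-user-access` policy (hunk @@ -119,40 +148,75 @@), the statement hardcodes `compartment pbm-backup` inside single quotes, while the native copy policy right below it expands `$COMPARTMENT_NAME`; a reader who exported a different compartment name gets a statement that names a compartment they did not create. Build the statement in double quotes with `$COMPARTMENT_NAME`, as the second command does. The grant is also `manage object-family` over the whole compartment, whereas the instance principal policy later in this patch narrows access with `where target.bucket.name`; scoping the user policy to the backup bucket the same way keeps the signing key from reaching other buckets in that compartment. Separately, `sed 's/^/ /' "$KEY_FILE"` now appears both in the new "Generate the correctly indented private key" step and in the existing tip under the YAML, so one of the two can go.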
@@ -181,23 +249,34 @@ storage: sed 's/^/ /' "$KEY_FILE" ``` -## Configure PBM with an instance principal +### instancePrincipal -Use instance principal authentication when PBM runs on an OCI Compute instance. This method avoids storing API signing keys in the PBM configuration. +Use this when PBM runs on an OCI Compute instance. No API +keys are required in the configuration file. -Create a dynamic group that includes the compute instance: +1. Create a dynamic group that includes the compute instance: ```sh -ANY {instance.id = ''} + oci iam dynamic-group create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-instance-group \ + --description "PBM Compute instance principal" \ + --matching-rule "ANY {instance.id = ''}" ``` - -Create a policy that allows the dynamic group to access the bucket: +2. Create a policy granting the dynamic group access to the bucket: ```sh -Allow dynamic-group to manage objects in compartment where target.bucket.name = '' + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-instance-policy \ + --description "Allow PBM instance to access backup bucket" \ + --statements '["Allow dynamic-group pbm-instance-group to manage objects \ + in compartment pbm-backup where target.bucket.name = '"'"''"'"'"]' ``` -Then configure PBM: +3. Configure PBM: ```yaml storage: @@ -212,6 +291,13 @@ storage: ``` Wait for a few minutes for IAM policy propagation before testing the configuration. + +!!! note + IAM changes for dynamic groups can take 5 to 10 minutes + to propagate. The native copy policy from the previous + section is still required alongside the instance + principal policy. + ## Apply the PBM configuration Apply the configuration: 
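Review bot: the `pbm-instance-policy` statement splices the bucket name in through `'"'"''"'"'` inside a single-quoted JSON string and hardcodes `compartment pbm-backup`, which is easy to break when copying and ignores the `COMPARTMENT_NAME` and `BUCKET_NAME` variables exported earlier. Use a double-quoted `--statements` value with `$COMPARTMENT_NAME` and `$BUCKET_NAME`, the way the native copy policy is written. The propagation guidance also conflicts: the unchanged line "Wait for a few minutes for IAM policy propagation before testing the configuration." now sits directly above the new note that says 5 to 10 minutes, and the note added earlier in this patch says up to 2 minutes. Remove the unchanged line and make clear which figure applies to policies and which to dynamic groups.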
@@ -228,20 +314,18 @@ pbm config --force-resync ## Verify the configuration -Run a backup: +Verify all agents connected and storage initialized successfully: -```bash -pbm backup +```sh +pbm status ``` +Every node must show `pbm-agent` as `OK` and storage as `ok`. -Check that PBM created objects under the configured prefix: +Run a test backup to confirm end-to-end functionality: -```bash -oci os object list \ - --region \ - --namespace-name \ - --bucket-name \ - --prefix pbm/ +```sh +pbm backup +pbm list ``` -You should see backup metadata and backup files stored under the configured prefix. \ No newline at end of file +A backup with status `done` confirms the setup is complete. From 373ceeb5486dd12256650b7930f4429f633d92d9 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:42:33 +0530 Subject: [PATCH 22/60] added example --- docs/details/oci-storage.md | 53 +++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index c5da97b9..e605cfde 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
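Review bot: in the last hunk of PATCH 21/60 (@@ -228,20 +314,18 @@), the closing line "A backup with status `done` confirms the setup is complete." follows `pbm backup` and `pbm list`, but the `pbm list` sample output added in PATCH 22/60 has no status column; `STATUS` appears only in the snapshot table of `pbm status`. Point the reader at `pbm status` for the `done` check, or reword the sentence to match what `pbm list` prints. This hunk also drops the `oci os object list ... --prefix pbm/` step, which was the only check made from the OCI side that objects actually landed in the bucket; keeping it as an optional step would let readers confirm the bucket and prefix independently of PBM.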
@@ -319,6 +319,42 @@ Verify all agents connected and storage initialized successfully: ```sh pbm status ``` + +??? example "Output" + + ```sh + $ pbm status + Cluster: + ======== + rs1: + - rs101:27017 [S]: pbm-agent [v2.15.0] OK + - rs102:27017 [S]: pbm-agent [v2.15.0] OK + - rs103:27017 [P]: pbm-agent [v2.15.0] OK + + PITR incremental backup: + ======================== + Status [OFF] + + Currently running: + ================== + (none) + + Backups: + ======== + Main storage: + Type: OCI + Region: us-ashburn-1 + Path: oci://idvufsl0apl6/rasika-bucket/pbm + Snapshots: + NAME SIZE TYPE PROFILE SEL BASE RESTORE TIME STATUS + ------------------------------------------------------------------------------------------------------------------ + 2026-06-11T13:14:51Z 435.75KB logical no no 2026-06-11T13:15:07 done + [user@b0157cd96911 pbm]$ pbm backup + Starting backup "2026-06-12T07:04:27Z"...... + Backup "2026-06-12T07:04:27Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") + ``` + + Every node must show `pbm-agent` as `OK` and storage as `ok`. Run a test backup to confirm end-to-end functionality: @@ -328,4 +364,21 @@ pbm backup pbm list ``` +??? example "Output" + + ```sh + $ pbm list + Backup snapshots: + NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME + ----------------------------------------------------------------------------------------------------- + 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 + 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 + ``` + + ```sh + $ pbm backup + Starting backup "2026-06-12T07:11:31Z"..... + Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") + ``` + A backup with status `done` confirms the setup is complete. From 6a6c63db1eb496da32105a62b64e884da44c9927 Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:44:46 +0530 Subject: [PATCH 23/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index e605cfde..69f61fd5 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -6,11 +6,11 @@ as a remote backup destination through a dedicated OCI native driver. PBM connects to OCI Object Storage using one of three authentication types: -|**Authentication type**| **Use when**| -|---------------------|-------------| -| `userPrincipal`|PBM runs anywhere; authenticates with OCI API signing keys| | -| `instancePrincipal`|PBM runs on an OCI Compute instance| | -| `okeWorkloadIdentity`|PBM runs inside an OKE enhanced cluster| +| **Authentication type** | **Use when** | +| --- | --- | +| `userPrincipal` | PBM runs anywhere; authenticates with OCI API signing keys | +| `instancePrincipal` | PBM runs on an OCI Compute instance | +| `okeWorkloadIdentity` | PBM runs inside an OKE enhanced cluster | ## Prerequisites From e503805eeed2b8e2987f49d74c81aeccbb966fc2 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:45:52 +0530 Subject: [PATCH 24/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 69f61fd5..7beae2a2 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
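Review bot: the sample output added in PATCH 22/60 ("added example") carries what look like real environment values: the path `oci://idvufsl0apl6/rasika-bucket/pbm`, which exposes an Object Storage namespace and bucket name, and the prompt `[user@b0157cd96911 pbm]$`. Replace them with placeholders such as `oci://<namespace>/<bucket>/pbm` before this is published. The `pbm status` example also has a `pbm backup` run pasted in after the snapshot table, which belongs in the second example, and nothing in it shows the storage `ok` that the following sentence tells the reader to look for.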
@@ -1,7 +1,6 @@ # Oracle Cloud Infrastructure Object Storage -Percona Backup for MongoDB (PBM) supports [OCI Object Storage] -(https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) +Percona Backup for MongoDB (PBM) supports [OCI Object Storage](https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) as a remote backup destination through a dedicated OCI native driver. PBM connects to OCI Object Storage using one of three authentication types: From 897a91eb2f1b6fe1dd7723a020d67e5cb0d8179b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Jun 2026 07:18:41 +0000 Subject: [PATCH 25/60] Remove generated git-committers cache artifact --- .cache/plugin/git-committers/page-authors.json | 1 - .gitignore | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) delete mode 100644 .cache/plugin/git-committers/page-authors.json diff --git a/.cache/plugin/git-committers/page-authors.json b/.cache/plugin/git-committers/page-authors.json deleted file mode 100644 index ff6efed6..00000000 --- a/.cache/plugin/git-committers/page-authors.json +++ /dev/null 
@@ -1 +0,0 @@ -{"cache_date": "2026-06-12", "page_authors": {"docs/index.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/404.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/CODE_OF_CONDUCT.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/about-docs.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/copyright.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/get-help.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/installation.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/intro.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/pmm.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/system-requirements.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/trademark-policy.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/architecture.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/authentication.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/azure.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/cli.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/control-collections.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/deployments.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/endpoint-map.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/filesystem-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/gcs.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/minio.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/oci-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/oss.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/pbm-agent.md": {"last_commit_date": "2026-06-12", "authors": []}, 
"docs/details/s3-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/storage-configuration.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/versions.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/details/workload-identity-auth.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/backup-sharding.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/backup-types.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/comparison.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/incremental-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/known-limitations.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/logical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/multi-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/point-in-time-recovery.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/restore-new-env.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/restore-remapping.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/selective-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/snapshots.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/features/split-merge-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/backup-storage.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/configure-authentication.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/docker.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/initial-setup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/repos.md": {"last_commit_date": "2026-06-12", "authors": []}, 
"docs/install/secure-credentials-systemd.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/source.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/start-pbm-agent.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/install/tarball.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/automate-s3-access.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/change-nodes.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/configure-remotely.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/logpath.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/overview.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/start-agent-with-config.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/uninstalling.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/manage/upgrading.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/backup-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/config.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/configuration-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/glossary.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/logging-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/pbm-agent-config-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/pbm-commands.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/pitr-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/reference/restore-options.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/0.5.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.0.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.1.0.md": 
{"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.1.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.1.3.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.2.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.2.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.2.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.3.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.3.4.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.4.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.4.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.5.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.6.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.6.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.7.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.8.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/1.8.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.2.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.3.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.4.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.0.5.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.1.0.md": {"last_commit_date": 
"2026-06-12", "authors": []}, "docs/release-notes/2.10.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.11.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.12.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.13.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.14.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.2.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.2.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.3.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.3.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.4.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.4.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.5.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.6.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.7.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.8.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.9.0.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/release-notes/2.9.1.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/index.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/faq.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/pbm-pmm.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/pbm-report.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/restore-partial.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/status.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/troubleshoot/troubleshooting.md": {"last_commit_date": 
"2026-06-12", "authors": []}, "docs/usage/backup-external.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-incremental.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-priority.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/backup-selective.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/cancel-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/compression.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/delete-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/describe-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/list-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/logs.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/oplog-replay.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/pitr-physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/pitr-selective.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/pitr-tutorial.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-external-agent-restart.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-external.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-incremental.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-physical.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-progress.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore-selective.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/restore.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/schedule-backup.md": {"last_commit_date": "2026-06-12", "authors": []}, "docs/usage/start-backup.md": 
{"last_commit_date": "2026-06-12", "authors": []}}} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 4da6fc20..3cb6b65e 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,6 @@ styles/ # Allow !styles/config/vocabularies/Percona/** + +# Generated plugin cache +.cache/plugin/git-committers/ From 4fdda27a05ab9954002f21674cc694fde6fb8f48 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:49:40 +0530 Subject: [PATCH 26/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 7beae2a2..38f38b52 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -9,7 +9,6 @@ authentication types: | --- | --- | | `userPrincipal` | PBM runs anywhere; authenticates with OCI API signing keys | | `instancePrincipal` | PBM runs on an OCI Compute instance | -| `okeWorkloadIdentity` | PBM runs inside an OKE enhanced cluster | ## Prerequisites From 7faa675ffadbee4ae85c07202539642781231187 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Jun 2026 07:19:20 +0000 Subject: [PATCH 27/60] Align OCI auth list with documented methods --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 38f38b52..faa71711 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -2,7 +2,7 @@ Percona Backup for MongoDB (PBM) supports [OCI Object Storage](https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) as a remote backup destination through a dedicated OCI native -driver. PBM connects to OCI Object Storage using one of three +driver. PBM connects to OCI Object Storage using one of two authentication types: | **Authentication type** | **Use when** | From 125e38c2bdfa586dd0c51bd68c420876e590ffa5 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:52:25 +0530 Subject: [PATCH 28/60] Update oci-storage.md --- docs/details/oci-storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index faa71711..4d1beac8 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -352,7 +352,6 @@ pbm status Backup "2026-06-12T07:04:27Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") ``` - Every node must show `pbm-agent` as `OK` and storage as `ok`. Run a test backup to confirm end-to-end functionality: From 19b7fe5d26dbbf0b7d90aff0c8adb7e46420a737 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:53:31 +0530 Subject: [PATCH 29/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 4d1beac8..62a1ab9e 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -100,6 +100,7 @@ export NAMESPACE=$( echo "TENANCY_OCID: $TENANCY_OCID" echo "USER_OCID: $USER_OCID" echo "FINGERPRINT: $FINGERPRINT" +echo "KEY_FILE: $KEY_FILE" echo "NAMESPACE: $NAMESPACE" ``` Verify all five values are populated before continuing. An empty 
From 25cebef4339c06177e6f83784f501cbca1f51cc9 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 12:53:55 +0530 Subject: [PATCH 30/60] Update oci-storage.md --- docs/details/oci-storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 4d1beac8..3216baa1 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -10,7 +10,6 @@ authentication types: | `userPrincipal` | PBM runs anywhere; authenticates with OCI API signing keys | | `instancePrincipal` | PBM runs on an OCI Compute instance | - ## Prerequisites Before configuring PBM, ensure that you have: From ea2d70b108f1fe5bd301c09a65dac40c15cb254f Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 14:55:52 +0530 Subject: [PATCH 31/60] Create oci-WIF.md --- docs/details/oci-WIF.md | 170 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 docs/details/oci-WIF.md diff --git a/docs/details/oci-WIF.md b/docs/details/oci-WIF.md new file mode 100644 index 00000000..7bd6b835 --- /dev/null +++ b/docs/details/oci-WIF.md 
@@ -0,0 +1,170 @@ +# Oracle Cloud Infrastructure (OCI) Object Storage with Workload Identity Authentication + +Percona Backup for MongoDB (PBM) supports Workload Identity authentication for Oracle Cloud Infrastructure (OCI) Object Storage. With Workload Identity, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. + +Percona Backup for MongoDB (PBM) supports two Workload Identity authentication types for OCI Object Storage, in addition to the default `userPrincipal`: + +| Auth type | When to use | +|---|---| +|`userPrincipal`|PBM is running anywhere — on-premises, on other clouds, or on OCI| +| `instancePrincipal`| PBM is running on a virtual machine inside OCI | +| `okeWorkloadIdentity`| PBM is running inside an OKE enhanced cluster| + +## userPrincipal + +Choose `userPrincipal` when PBM runs outside OCI, or when you want a single authentication approach that works in any environment. PBM authenticates using an OCI user account and an API signing key. + +### Before you begin + +You need: + +- An OCI user account with access to the target bucket +- An [API signing key pair :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm){:target="_blank"} (private key file and its fingerprint) +- The [Oracle Cloud Identifier (OCID) :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the user and tenancy +- The name of the OCI bucket PBM will use for backups + +### Procedure + +1. 
Create an IAM policy + Grant the user permission to manage objects in the target bucket: + ```sh + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$USER_POLICY_NAME" \ + --description "Allow PBM user to access $BUCKET_NAME" \ + --statements "[\"Allow group $USER_GROUP_NAME to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name = '$BUCKET_NAME'\"]" + ``` + +Replace the following variables: + +| Variable | Description | +|---|---| +| `HOME_REGION` | Your tenancy's home region (e.g. `us-ashburn-1`) | +| `TENANCY_OCID` | OCID of your OCI tenancy | +| `USER_POLICY_NAME` | A name for the policy (e.g. `pbm-user-policy`) | +| `USER_GROUP_NAME` | The IAM group the PBM user belongs to | +| `COMPARTMENT_NAME` | Name of the compartment containing the bucket | +| `BUCKET_NAME` | Name of the OCI Object Storage bucket | + +2. Configure PBM authentication + + In your PBM configuration, set the storage type to `oci` and the credentials type to `userPrincipal`. Provide the path to the private key file and its passphrase if one was set during key generation. + + ```yaml + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: userPrincipal + userPrincipal: + tenancy: + user: + fingerprint: + key: + passphrase: + ``` + +## instancePrincipal + +Choose `instancePrincipal` when PBM runs directly on an OCI Compute instance. PBM automatically obtains OCI credentials from the instance, eliminating the need for credential files or API keys. + +### Before you begin + +You need: + +- The [Oracle Cloud Identifier (OCID) :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the OCI Compute instance running PBM +- The name of the OCI bucket PBM will use for backups. + +### Procedure + +Follow these steps to set up OCI using **`instancePrincipal`:** + +1. 
**Create a dynamic group for the instance** + + OCI IAM policies cannot target individual instances directly. You must first add the instance to a dynamic group, then write a policy against that group. + + ```sh + oci iam dynamic-group create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$INSTANCE_DYNAMIC_GROUP_NAME" \ + --description "PBM VM instance principal" \ + --matching-rule "ANY {instance.id = '$INSTANCE_OCID'}" + ``` + + Replace the following variables: + + | Variable | Description | + |---|---| + | `HOME_REGION` | Your tenancy's home region (e.g. `us-ashburn-1`) | + | `TENANCY_OCID` | OCID of your OCI tenancy | + | `INSTANCE_DYNAMIC_GROUP_NAME` | A name for the dynamic group (e.g. `pbm-vm-group`) | + | `INSTANCE_OCID` | OCID of the Compute instance running PBM | + +2. **Create an IAM policy** + + Grant the dynamic group permission to manage objects in the target bucket: + + ```sh + export INSTANCE_POLICY_STATEMENT="Allow dynamic-group $INSTANCE_DYNAMIC_GROUP_NAME \ + to manage objects in compartment $COMPARTMENT_NAME \ + where target.bucket.name = '$BUCKET_NAME'" + + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$INSTANCE_POLICY_NAME" \ + --description "Allow PBM VM instance principal to access $BUCKET_NAME" \ + --statements "[\"$INSTANCE_POLICY_STATEMENT\"]" + ``` + + Replace the following additional variables: + + | Variable | Description | + |---|---| + | `COMPARTMENT_NAME` | Name of the compartment containing the bucket | + | `BUCKET_NAME` | Name of the OCI Object Storage bucket | + | `INSTANCE_POLICY_NAME` | A name for the policy (e.g. `pbm-vm-policy`) | + +3. **Configure PBM authentication** + + In your PBM configuration, set the storage type to `oci` and the credentials type to `instancePrincipal`. No key file or passphrase is needed. 
+ + ```yaml + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: instancePrincipal + ``` + +## okeWorkloadIdentity + +Choose `okeWorkloadIdentity` when PBM runs as a workload in an Oracle Kubernetes Engine (OKE) enhanced cluster. The Kubernetes service account token is exchanged for OCI credentials automatically by the OKE Workload Identity service. + +!!! note + Your OKE cluster must be an **enhanced cluster** with Workload Identity enabled. Basic clusters do not support this feature. + +In your PBM configuration, set the storage type to `oci` and the credentials type to `okeWorkloadIdentity`: + +```yaml +storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: okeWorkloadIdentity +``` +For setup instructions, see [Configure OKE Workload Identity for workloads :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From 493dd3b6bfaaa8126dc46f120420a3558bd6cd96 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 14:56:43 +0530 Subject: [PATCH 32/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index f53a6821..08989ba1 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -88,7 +88,7 @@ export TENANCY_OCID=$( export USER_OCID=$(awk -F= '/^user=/{print $2}' ~/.oci/config) export FINGERPRINT=$(awk -F= '/^fingerprint=/{print $2}' ~/.oci/config) export KEY_FILE=$(awk -F= '/^key_file=/{print $2}' ~/.oci/config) - +export KEY_FILE="${KEY_FILE/#\~/$HOME}" export NAMESPACE=$( oci os ns get \ --region "$BUCKET_REGION" \ 
From 9c958745884c27fda425f94761897c3368eb3879 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 14:57:00 +0530 Subject: [PATCH 33/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 08989ba1..9a684553 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -276,18 +276,19 @@ keys are required in the configuration file. 3. Configure PBM: -```yaml -storage: - type: oci - oci: - region: - namespace: - bucket: - prefix: pbm - credentials: - type: instancePrincipal -``` -Wait for a few minutes for IAM policy propagation before testing the configuration. + ```yaml + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: pbm + credentials: + type: instancePrincipal + ``` + + Wait for a few minutes for IAM policy propagation before testing the configuration. !!! note From f6b89f62e21a0bbeda765ae32778efedf4fd1f4c Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 14:57:18 +0530 Subject: [PATCH 34/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 9a684553..68b29e05 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -254,25 +254,26 @@ keys are required in the configuration file. 1. Create a dynamic group that includes the compute instance: -```sh - oci iam dynamic-group create \ - --region "$HOME_REGION" \ - --compartment-id "$TENANCY_OCID" \ - --name pbm-instance-group \ - --description "PBM Compute instance principal" \ - --matching-rule "ANY {instance.id = ''}" -``` + ```sh + oci iam dynamic-group create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-instance-group \ + --description "PBM Compute instance principal" \ + --matching-rule "ANY {instance.id = ''}" + ``` + 2. Create a policy granting the dynamic group access to the bucket: -```sh - oci iam policy create \ - --region "$HOME_REGION" \ - --compartment-id "$TENANCY_OCID" \ - --name pbm-instance-policy \ - --description "Allow PBM instance to access backup bucket" \ - --statements '["Allow dynamic-group pbm-instance-group to manage objects \ - in compartment pbm-backup where target.bucket.name = '"'"''"'"'"]' -``` + ```sh + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-instance-policy \ + --description "Allow PBM instance to access backup bucket" \ + --statements "[\"Allow dynamic-group pbm-instance-group to manage objects \ + in compartment pbm-backup where target.bucket.name = ''\"]" + ``` 3. Configure PBM: From c9e33701735b572fb7eae2a654e013a569d1e2ce Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:00:45 +0530 Subject: [PATCH 35/60] Added OCI with WIF section --- mkdocs-base.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index efc238f5..aa4e3717 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml 
@@ -242,11 +242,12 @@ nav: - Storage: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md + - Oracle Cloud Storage: details/oci-storage.md + - OCI with Workload Identity Authentication: /details/oci-WIF.md - details/minio.md - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md - details/azure.md - - OCI Object Storage: details/oci-storage.md - details/oss.md - details/filesystem-storage.md - details/endpoint-map.md From 919ba1cd4f2fe56f162e570fe5efa744d6dabc6b Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:02:12 +0530 Subject: [PATCH 36/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 68b29e05..d710aaed 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -174,7 +174,7 @@ oci iam policy create \ --compartment-id "$TENANCY_OCID" \ --name pbm-user-access \ --description "Allow PBM user group to manage backup objects" \ - --statements '["Allow group to manage object-family in compartment pbm-backup"]' + --statements "[\"Allow group to manage object-family in compartment $COMPARTMENT_NAME\"]" ``` **Native copy policy** — grants the OCI Object Storage service From c174fdf79a6740e96eeb2a0cf57e1d9a37172de4 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:02:49 +0530 Subject: [PATCH 37/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-WIF.md | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) 
diff --git a/docs/details/oci-WIF.md b/docs/details/oci-WIF.md index 7bd6b835..cd135cc3 100644 --- a/docs/details/oci-WIF.md +++ b/docs/details/oci-WIF.md @@ -49,24 +49,26 @@ Replace the following variables: 2. Configure PBM authentication - In your PBM configuration, set the storage type to `oci` and the credentials type to `userPrincipal`. Provide the path to the private key file and its passphrase if one was set during key generation. + In your PBM configuration, set the storage type to `oci` and the credentials type to `userPrincipal`. Provide the API signing key private key in PEM format. ```yaml storage: - type: oci - oci: - region: - namespace: - bucket: - prefix: - credentials: - type: userPrincipal - userPrincipal: - tenancy: - user: - fingerprint: - key: - passphrase: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: userPrincipal + userPrincipal: + tenancy: + user: + fingerprint: + privateKey: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- ``` ## instancePrincipal From d051e2a099f95582d80dac387d43bceb347fd482 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Jun 2026 09:34:16 +0000 Subject: [PATCH 38/60] docs: include okeWorkloadIdentity in OCI credentials type options --- docs/reference/configuration-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration-options.md b/docs/reference/configuration-options.md index f8bef242..761e98c3 100644 --- a/docs/reference/configuration-options.md +++ b/docs/reference/configuration-options.md @@ -735,7 +735,7 @@ The path prefix in the bucket. If undefined, backups are stored in the bucket ro *Required*: NO
*Default*: `userPrincipal` -Authentication type for OCI access. Supported values: `userPrincipal`, `instancePrincipal`. +Authentication type for OCI access. Supported values: `userPrincipal`, `instancePrincipal`, `okeWorkloadIdentity`. ### storage.oci.credentials.userPrincipal.tenancy From 799a81d4073e40ae3f22d78715216a89460489fd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Jun 2026 09:36:20 +0000 Subject: [PATCH 39/60] Rename OCI WIF doc filename to lowercase --- docs/details/{oci-WIF.md => oci-wif.md} | 0 mkdocs-base.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/details/{oci-WIF.md => oci-wif.md} (100%) diff --git a/docs/details/oci-WIF.md b/docs/details/oci-wif.md similarity index 100% rename from docs/details/oci-WIF.md rename to docs/details/oci-wif.md diff --git a/mkdocs-base.yml b/mkdocs-base.yml index aa4e3717..6dfffdbf 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -243,7 +243,7 @@ nav: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md - Oracle Cloud Storage: details/oci-storage.md - - OCI with Workload Identity Authentication: /details/oci-WIF.md + - OCI with Workload Identity Authentication: /details/oci-wif.md - details/minio.md - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md From 61a506592879dcdd40c29a71ba634842e3726c01 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:06:51 +0530 Subject: [PATCH 40/60] Update mkdocs-base.yml --- mkdocs-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index aa4e3717..6dfffdbf 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml 
@@ -243,7 +243,7 @@ nav: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md - Oracle Cloud Storage: details/oci-storage.md - - OCI with Workload Identity Authentication: /details/oci-WIF.md + - OCI with Workload Identity Authentication: /details/oci-wif.md - details/minio.md - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md From 33a709f5c52250bcf9428e689cd26d297dc9c74f Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:10:22 +0530 Subject: [PATCH 41/60] Update oci-storage.md --- docs/details/oci-storage.md | 41 +++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index d710aaed..52bd8bec 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -119,7 +119,6 @@ oci iam compartment create \ ``` Wait until the compartment is active, then export its OCID: - ```sh export COMPARTMENT_OCID=$( oci iam compartment list \ 
@@ -254,26 +253,26 @@ keys are required in the configuration file. 1. Create a dynamic group that includes the compute instance: - ```sh - oci iam dynamic-group create \ - --region "$HOME_REGION" \ - --compartment-id "$TENANCY_OCID" \ - --name pbm-instance-group \ - --description "PBM Compute instance principal" \ - --matching-rule "ANY {instance.id = ''}" - ``` + ```sh + oci iam dynamic-group create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-instance-group \ + --description "PBM Compute instance principal" \ + --matching-rule "ANY {instance.id = ''}" + ``` 2. Create a policy granting the dynamic group access to the bucket: - ```sh - oci iam policy create \ - --region "$HOME_REGION" \ - --compartment-id "$TENANCY_OCID" \ - --name pbm-instance-policy \ - --description "Allow PBM instance to access backup bucket" \ - --statements "[\"Allow dynamic-group pbm-instance-group to manage objects \ - in compartment pbm-backup where target.bucket.name = ''\"]" - ``` + ```sh + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name pbm-instance-policy \ + --description "Allow PBM instance to access backup bucket" \ + --statements "[\"Allow dynamic-group pbm-instance-group to manage objects \ + in compartment pbm-backup where target.bucket.name = ''\"]" + ``` 3. Configure PBM: @@ -292,10 +291,8 @@ keys are required in the configuration file. Wait for a few minutes for IAM policy propagation before testing the configuration. -!!! note - IAM changes for dynamic groups can take 5 to 10 minutes - to propagate. The native copy policy from the previous - section is still required alongside the instance + !!! note + IAM changes for dynamic groups can take 5 to 10 minutes to propagate. The native copy policy from the previous section is still required alongside the instance principal policy. ## Apply the PBM configuration From a054489e4cd8786122b1993ef8a4f10bf98b39bc Mon Sep 17 00:00:00 2001 
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:18:05 +0530 Subject: [PATCH 42/60] Update oci-storage.md --- docs/details/oci-storage.md | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 52bd8bec..0bcfc3bc 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -342,13 +342,7 @@ pbm status Type: OCI Region: us-ashburn-1 Path: oci://idvufsl0apl6/rasika-bucket/pbm - Snapshots: - NAME SIZE TYPE PROFILE SEL BASE RESTORE TIME STATUS - ------------------------------------------------------------------------------------------------------------------ - 2026-06-11T13:14:51Z 435.75KB logical no no 2026-06-11T13:15:07 done - [user@b0157cd96911 pbm]$ pbm backup - Starting backup "2026-06-12T07:04:27Z"...... - Backup "2026-06-12T07:04:27Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") + (no snapshots or PITR chunks) ``` Every node must show `pbm-agent` as `OK` and storage as `ok`. 
@@ -363,18 +357,21 @@ pbm list ??? example "Output" ```sh - $ pbm list - Backup snapshots: - NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME - ----------------------------------------------------------------------------------------------------- - 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 - 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 + $ pbm backup + Starting backup "2026-06-12T07:11:31Z"..... + Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") ``` ```sh - $ pbm backup - Starting backup "2026-06-12T07:11:31Z"..... - Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") + $ pbm list + Backup snapshots: + NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME + ----------------------------------------------------------------------------------------------------- + 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 + 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 + 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 + +PITR : ``` A backup with status `done` confirms the setup is complete. From 6c49d62db8683c31a6c8be985d56cbde4669f242 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:24:38 +0530 Subject: [PATCH 43/60] Update mkdocs-base.yml --- mkdocs-base.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 6dfffdbf..f30d55e1 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml 
@@ -242,8 +242,9 @@ nav: - Storage: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md - - Oracle Cloud Storage: details/oci-storage.md - - OCI with Workload Identity Authentication: /details/oci-wif.md + - Oracle Cloud Storage: + - Overview: details/oci-storage.md + - Workload Identity authentication: details/oci-wif.md - details/minio.md - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md From cf2755e2f170c051802df8c0b6c8b76f73f9ed7a Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:32:34 +0530 Subject: [PATCH 44/60] Update oci-storage.md --- docs/details/oci-storage.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 0bcfc3bc..1cdc150f 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -363,15 +363,16 @@ pbm list ``` ```sh + $ pbm list Backup snapshots: NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME - ----------------------------------------------------------------------------------------------------- - 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 - 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 - 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 + ----------------------------------------------------- + 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 + 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 + 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 -PITR : + PITR : ``` A backup with status `done` confirms the setup is complete. From ca573834f07514fc8ac7ee1331f7117b4bec17bd Mon Sep 17 00:00:00 2001 
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:34:49 +0530 Subject: [PATCH 45/60] Update oci-wif.md --- docs/details/oci-wif.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/docs/details/oci-wif.md b/docs/details/oci-wif.md index cd135cc3..a5c30308 100644 --- a/docs/details/oci-wif.md +++ b/docs/details/oci-wif.md @@ -25,7 +25,8 @@ You need: ### Procedure -1. Create an IAM policy +1. **Create an IAM policy** + Grant the user permission to manage objects in the target bucket: ```sh oci iam policy create \ @@ -36,18 +37,18 @@ You need: --statements "[\"Allow group $USER_GROUP_NAME to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name = '$BUCKET_NAME'\"]" ``` -Replace the following variables: + Replace the following variables: -| Variable | Description | -|---|---| -| `HOME_REGION` | Your tenancy's home region (e.g. `us-ashburn-1`) | -| `TENANCY_OCID` | OCID of your OCI tenancy | -| `USER_POLICY_NAME` | A name for the policy (e.g. `pbm-user-policy`) | -| `USER_GROUP_NAME` | The IAM group the PBM user belongs to | -| `COMPARTMENT_NAME` | Name of the compartment containing the bucket | -| `BUCKET_NAME` | Name of the OCI Object Storage bucket | - -2. Configure PBM authentication + | Variable | Description | + |---|---| + | `HOME_REGION` | Your tenancy's home region (e.g. `us-ashburn-1`) | + | `TENANCY_OCID` | OCID of your OCI tenancy | + | `USER_POLICY_NAME` | A name for the policy (e.g. `pbm-user-policy`) | + | `USER_GROUP_NAME` | The IAM group the PBM user belongs to | + | `COMPARTMENT_NAME` | Name of the compartment containing the bucket | + | `BUCKET_NAME` | Name of the OCI Object Storage bucket | + +2. **Configure PBM authentication** In your PBM configuration, set the storage type to `oci` and the credentials type to `userPrincipal`. Provide the API signing key private key in PEM format. 
From 1e7ab2cd62d363929f0d675a847f79601aae87b3 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:37:54 +0530 Subject: [PATCH 46/60] Update oci-wif.md --- docs/details/oci-wif.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/details/oci-wif.md b/docs/details/oci-wif.md index a5c30308..f83d7911 100644 --- a/docs/details/oci-wif.md +++ b/docs/details/oci-wif.md @@ -170,4 +170,5 @@ storage: credentials: type: okeWorkloadIdentity ``` + For setup instructions, see [Configure OKE Workload Identity for workloads :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From dede9070941442bd68a5b2a8eca8b346b7b3dc55 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:47:19 +0530 Subject: [PATCH 47/60] Update oci-storage.md --- docs/details/oci-storage.md | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 1cdc150f..a19bb0a8 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -356,23 +356,42 @@ pbm list ??? example "Output" - ```sh - $ pbm backup - Starting backup "2026-06-12T07:11:31Z"..... - Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") - ``` - - ```sh +```sh + $ pbm backup + Starting backup "2026-06-12T07:11:31Z"..... + Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") +``` +```sh $ pbm list Backup snapshots: NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME ----------------------------------------------------- 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 - 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 + 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 PITR : - ``` +``` + +??? example "Output" + + ```sh + $ pbm backup + Starting backup "2026-06-12T07:11:31Z"..... + Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") + ``` + + ```sh + $ pbm list + Backup snapshots: + NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME + ----------------------------------------------------- + 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 + 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 + 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 + + PITR : + ``` A backup with status `done` confirms the setup is complete. From 022a45b9cbcbf2526f3f54cad82c8b28a05aaf9b Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:50:55 +0530 Subject: [PATCH 48/60] Update oci-storage.md --- docs/details/oci-storage.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index a19bb0a8..97c2acd0 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -356,23 +356,23 @@ pbm list ??? example "Output" -```sh - $ pbm backup - Starting backup "2026-06-12T07:11:31Z"..... - Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") -``` + ```sh + $ pbm backup + Starting backup "2026-06-12T07:11:31Z"..... + Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") + ``` -```sh - $ pbm list - Backup snapshots: - NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME - ----------------------------------------------------- - 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 - 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 - 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 - - PITR : -``` + ```sh + $ pbm list + Backup snapshots: + NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME + ----------------------------------------------------- + 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 + 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 + 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 + + PITR : + ``` ??? example "Output" From c6322b864f91342d1d12f54f7ed4d6358d47f443 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 15:59:06 +0530 Subject: [PATCH 49/60] Update oci-storage.md --- docs/details/oci-storage.md | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 97c2acd0..6572cdef 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -102,9 +102,7 @@ echo "FINGERPRINT: $FINGERPRINT" echo "KEY_FILE: $KEY_FILE" echo "NAMESPACE: $NAMESPACE" ``` -Verify all five values are populated before continuing. An empty -value means the OCI CLI is not authenticated or the variable -was not set correctly. +Verify all five values are populated before continuing. An empty value means the OCI CLI is not authenticated or the variable was not set correctly. ## Create a compartment @@ -196,9 +194,7 @@ oci iam policy create \ ``` !!! note - IAM policy changes can take up to 2 minutes to propagate. - If PBM reports an authorization error immediately after - creating the policies, wait 2 minutes and retry. + IAM policy changes can take up to 2 minutes to propagate. If PBM reports an authorization error immediately after creating the policies, wait 2 minutes and retry. ## Configure PBM @@ -290,8 +286,7 @@ keys are required in the configuration file. Wait for a few minutes for IAM policy propagation before testing the configuration. - - !!! note + !!! note IAM changes for dynamic groups can take 5 to 10 minutes to propagate. The native copy policy from the previous section is still required alongside the instance principal policy. @@ -374,24 +369,4 @@ pbm list PITR : ``` -??? example "Output" - - ```sh - $ pbm backup - Starting backup "2026-06-12T07:11:31Z"..... - Backup "2026-06-12T07:11:31Z" saved to remote store (path: "oci://idvufsl0apl6/rasika-bucket/pbm") - ``` - - ```sh - $ pbm list - Backup snapshots: - NAME TYPE PROFILE SELECTIVE BASE RESTORE TIME - ----------------------------------------------------- - 2026-06-11T13:14:51Z logical no no 2026-06-11T13:15:07 - 2026-06-12T07:04:27Z logical no no 2026-06-12T07:04:42 - 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 - - PITR : - ``` - A backup with status `done` confirms the setup is complete. From 96ba9e1fca1996a07f169068693c7897763b8b8e Mon Sep 17 00:00:00 2001 
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:01:38 +0530 Subject: [PATCH 50/60] Update oci-storage.md --- docs/details/oci-storage.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 6572cdef..80e566a8 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -130,7 +130,6 @@ export COMPARTMENT_OCID=$( echo "COMPARTMENT_OCID: $COMPARTMENT_OCID" ``` - ### Create an Object Storage bucket Create the bucket: @@ -272,17 +271,17 @@ keys are required in the configuration file. 3. Configure PBM: - ```yaml - storage: - type: oci - oci: - region: - namespace: - bucket: - prefix: pbm - credentials: - type: instancePrincipal - ``` + ```yaml + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: pbm + credentials: + type: instancePrincipal + ``` Wait for a few minutes for IAM policy propagation before testing the configuration. From bc0f74e8c64f2baf61a2c8f0f0b8c5a19557a729 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:08:17 +0530 Subject: [PATCH 51/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 80e566a8..f9fdde1b 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md 
@@ -1,15 +1,15 @@ # Oracle Cloud Infrastructure Object Storage Percona Backup for MongoDB (PBM) supports [OCI Object Storage](https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) -as a remote backup destination through a dedicated OCI native -driver. PBM connects to OCI Object Storage using one of two +as a remote backup destination through a dedicated OCI native +driver. PBM connects to OCI Object Storage using one of the following authentication types: | **Authentication type** | **Use when** | | --- | --- | | `userPrincipal` | PBM runs anywhere; authenticates with OCI API signing keys | | `instancePrincipal` | PBM runs on an OCI Compute instance | - +| `okeWorkloadIdentity` | PBM runs inside an OKE enhanced cluster (see [Workload Identity authentication](oci-wif.md)) | ## Prerequisites Before configuring PBM, ensure that you have: From 320974680cec8c0341ddcb99a2667f75eb7ee33f Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:08:38 +0530 Subject: [PATCH 52/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index f9fdde1b..89e2e96d 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -273,14 +273,14 @@ keys are required in the configuration file. ```yaml storage: - type: oci - oci: + type: oci + oci: region: namespace: bucket: prefix: pbm credentials: - type: instancePrincipal + type: instancePrincipal ``` Wait for a few minutes for IAM policy propagation before testing the configuration. From a8b30d712e25f187bdc7a4a6091602e0c413bddc Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:08:58 +0530 Subject: [PATCH 53/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-storage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 89e2e96d..879fa14d 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -286,8 +286,7 @@ keys are required in the configuration file. Wait for a few minutes for IAM policy propagation before testing the configuration. !!! note - IAM changes for dynamic groups can take 5 to 10 minutes to propagate. The native copy policy from the previous section is still required alongside the instance - principal policy. + IAM changes for dynamic groups can take 5 to 10 minutes to propagate. The native copy policy from the previous section is still required alongside the instance principal policy. ## Apply the PBM configuration From f0eb95f9a1b1840093ff8ce8edfc629b62b8c0f4 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:09:23 +0530 Subject: [PATCH 54/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-wif.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/details/oci-wif.md b/docs/details/oci-wif.md index f83d7911..622fa95e 100644 --- a/docs/details/oci-wif.md +++ b/docs/details/oci-wif.md 
@@ -1,9 +1,8 @@ # Oracle Cloud Infrastructure (OCI) Object Storage with Workload Identity Authentication -Percona Backup for MongoDB (PBM) supports Workload Identity authentication for Oracle Cloud Infrastructure (OCI) Object Storage. With Workload Identity, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. - -Percona Backup for MongoDB (PBM) supports two Workload Identity authentication types for OCI Object Storage, in addition to the default `userPrincipal`: +Percona Backup for MongoDB (PBM) supports multiple authentication methods for Oracle Cloud Infrastructure (OCI) Object Storage, including Workload Identity. With Workload Identity, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. +Percona Backup for MongoDB (PBM) supports the default `userPrincipal` authentication method as well as the following Workload Identity options: | Auth type | When to use | |---|---| |`userPrincipal`|PBM is running anywhere — on-premises, on other clouds, or on OCI| From 3484bf78dcff3c379c61bfe11675adabdf60a901 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:09:41 +0530 Subject: [PATCH 55/60] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- mkdocs-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index f30d55e1..7b63fed5 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -242,7 +242,7 @@ nav: - Storage: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md - - Oracle Cloud Storage: + - Oracle Cloud Storage: - Overview: details/oci-storage.md - Workload Identity authentication: details/oci-wif.md - details/minio.md 
From 0bae2c9ea77b8f2fc4af25029cc10adfca8a673d Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:17:33 +0530 Subject: [PATCH 56/60] Update oci-wif.md --- docs/details/oci-wif.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/details/oci-wif.md b/docs/details/oci-wif.md index 622fa95e..62676c68 100644 --- a/docs/details/oci-wif.md +++ b/docs/details/oci-wif.md @@ -3,6 +3,7 @@ Percona Backup for MongoDB (PBM) supports multiple authentication methods for Oracle Cloud Infrastructure (OCI) Object Storage, including Workload Identity. With Workload Identity, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. Percona Backup for MongoDB (PBM) supports the default `userPrincipal` authentication method as well as the following Workload Identity options: + | Auth type | When to use | |---|---| |`userPrincipal`|PBM is running anywhere — on-premises, on other clouds, or on OCI| @@ -26,15 +27,15 @@ You need: 1. **Create an IAM policy** - Grant the user permission to manage objects in the target bucket: - ```sh - oci iam policy create \ - --region "$HOME_REGION" \ - --compartment-id "$TENANCY_OCID" \ - --name "$USER_POLICY_NAME" \ - --description "Allow PBM user to access $BUCKET_NAME" \ - --statements "[\"Allow group $USER_GROUP_NAME to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name = '$BUCKET_NAME'\"]" - ``` + Grant the user permission to manage objects in the target bucket: + ```sh + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$USER_POLICY_NAME" \ + --description "Allow PBM user to access $BUCKET_NAME" \ + --statements "[\"Allow group $USER_GROUP_NAME to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name = '$BUCKET_NAME'\"]" + ``` Replace the following variables: 
From d58d3077d2c131838b91427517a1ade57c20ee85 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:21:23 +0530 Subject: [PATCH 57/60] Update oci-wif.md --- docs/details/oci-wif.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/details/oci-wif.md b/docs/details/oci-wif.md index 62676c68..5b376af1 100644 --- a/docs/details/oci-wif.md +++ b/docs/details/oci-wif.md @@ -28,6 +28,7 @@ You need: 1. **Create an IAM policy** Grant the user permission to manage objects in the target bucket: + ```sh oci iam policy create \ --region "$HOME_REGION" \ @@ -35,7 +36,7 @@ You need: --name "$USER_POLICY_NAME" \ --description "Allow PBM user to access $BUCKET_NAME" \ --statements "[\"Allow group $USER_GROUP_NAME to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name = '$BUCKET_NAME'\"]" - ``` + ``` Replace the following variables: From 5de65e61bfc5e795e601c7615bb191e5f9354ac6 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:24:17 +0530 Subject: [PATCH 58/60] Update oci-storage.md --- docs/details/oci-storage.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 879fa14d..951c3e8a 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -10,6 +10,7 @@ authentication types: | `userPrincipal` | PBM runs anywhere; authenticates with OCI API signing keys | | `instancePrincipal` | PBM runs on an OCI Compute instance | | `okeWorkloadIdentity` | PBM runs inside an OKE enhanced cluster (see [Workload Identity authentication](oci-wif.md)) | + ## Prerequisites Before configuring PBM, ensure that you have: 
@@ -283,9 +284,9 @@ keys are required in the configuration file. type: instancePrincipal ``` - Wait for a few minutes for IAM policy propagation before testing the configuration. + Wait for a few minutes for IAM policy propagation before testing the configuration. - !!! note + !!! note IAM changes for dynamic groups can take 5 to 10 minutes to propagate. The native copy policy from the previous section is still required alongside the instance principal policy. ## Apply the PBM configuration From c07cad84a458b58cc034578414b9fa0467621d6e Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:26:44 +0530 Subject: [PATCH 59/60] Update oci-storage.md --- docs/details/oci-storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index 951c3e8a..ddfbe047 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -2,8 +2,7 @@ Percona Backup for MongoDB (PBM) supports [OCI Object Storage](https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm) as a remote backup destination through a dedicated OCI native -driver. PBM connects to OCI Object Storage using one of the following -authentication types: +driver. PBM connects to OCI Object Storage using one of the following authentication types: | **Authentication type** | **Use when** | | --- | --- | @@ -11,6 +10,7 @@ authentication types: | `instancePrincipal` | PBM runs on an OCI Compute instance | | `okeWorkloadIdentity` | PBM runs inside an OKE enhanced cluster (see [Workload Identity authentication](oci-wif.md)) | + ## Prerequisites Before configuring PBM, ensure that you have: From eae84da6e952c072e9eaadc3114361a854a5441f Mon Sep 17 00:00:00 2001 
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:29:36 +0530 Subject: [PATCH 60/60] Update oci-storage.md --- docs/details/oci-storage.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/details/oci-storage.md b/docs/details/oci-storage.md index ddfbe047..651f7ca7 100644 --- a/docs/details/oci-storage.md +++ b/docs/details/oci-storage.md @@ -366,6 +366,4 @@ pbm list 2026-06-12T07:11:31Z logical no no 2026-06-12T07:11:46 PITR : - ``` - -A backup with status `done` confirms the setup is complete. + ``` \ No newline at end of file
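Review bot: In [PATCH 45/60], docs/details/oci-wif.md, second hunk (@@ -36,18 +37,18 @@), step 2 tells the reader to "Provide the API signing key private key in PEM format" in the PBM configuration but says nothing about protecting that key. Since this page's introduction presents Workload Identity as a way to avoid storing or managing API keys, add a sentence under step 2 on restricting read access to the configuration that carries the key, and point readers whose PBM runs on OCI Compute or OKE to the keyless types instead.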
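Review bot: In [PATCH 47/60], docs/details/oci-storage.md (@@ -356,23 +356,42 @@), the two existing output fences are dedented out of the `??? example "Output"` admonition and a second, identical `??? example "Output"` block is appended below them, so the page would render the same `pbm backup` and `pbm list` output twice, once outside the collapsible block. Patches 48 and 49 undo this; squashing 47 to 49 into a single change would keep the broken intermediate state out of the history.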
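Review bot: In [PATCH 48/60], docs/details/oci-storage.md (@@ -356,23 +356,23 @@), the re-indented sample output still carries what looks like a real Object Storage namespace and bucket name in `oci://idvufsl0apl6/rasika-bucket/pbm`. Replace both with neutral placeholders (for example a `<namespace>` and `<bucket>` pair matching the keys used in the configuration examples) so the published docs do not expose a tenancy-specific identifier or invite readers to copy it.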
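Review bot: In [PATCH 49/60], docs/details/oci-storage.md, third hunk (@@ -290,8 +286,7 @@), the sentence "Wait for a few minutes for IAM policy propagation before testing the configuration" sits directly above a note that says dynamic-group changes "can take 5 to 10 minutes to propagate", while the note reflowed in the second hunk says policy changes take "up to 2 minutes". Drop the "few minutes" sentence and let the note carry the single figure for this step, stating that an authorization error inside that window is expected, so readers do not loosen the policy to work around a propagation delay.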
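Review bot: In [PATCH 54/60], docs/details/oci-wif.md (@@ -1,9 +1,8 @@), the new lead-in ends with "as well as the following Workload Identity options:" but the first row of the table it introduces is `userPrincipal`, which is the API-key method rather than a Workload Identity option. Either remove the `userPrincipal` row from this table or reword the lead-in to "the following authentication types". The two paragraphs also both open with "Percona Backup for MongoDB (PBM) supports" and could be merged, and the hunk removes the blank line between the paragraphs and before the table, which patch 56 has to add back.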
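Review bot: In [PATCH 60/60], docs/details/oci-storage.md (@@ -366,6 +366,4 @@), removing "A backup with status `done` confirms the setup is complete" is right, because the `pbm list` output above it has no status column, but the section now ends on the output block with no statement of what success looks like. Replace the sentence rather than deleting it, for example by saying that the snapshot name printed by `pbm backup` appearing in `pbm list` with a restore time confirms that the backup reached the bucket. The file is also left without a trailing newline after the closing fence.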