Discussion: How to support cold storages?

[aawsome]

This issue is meant to discuss which is the best way to implement the support of cold storages in restic.
The need to use restic with cold storages has been addressed in several places, see #1903, #2504, #2611, #2796, #2817 and several discussions in the forum.

There are also some experimental PRs which kind of allow users to use cold storages, see #2516, #2881, #3196 and the already merged prune improvements (#2718 and following PRs) are already made to support cold storages in future.

What should restic do differently? Which functionality do you think we should add?

Allow users to use repository on some "cold storages".
These are usually cheap (cloud) storages where writing is fast and cheap, storing data is extremely cheap, but accessing the data is usually extremely slow (or may even need some extra "warming up" before being able to access it) and/or expensive.
Some cold storages also require minimum file sizes or are expensive for small files, but this is not specific to cold storages, so I would like to skip this in the discussion here.

Examples of cold storages are:

• AWS S3 Glacier and Glacier Deep Archive
• Google Cloud Platform Coldline Storage and Archive Storage
• Azure Blob Storage Cold and Archive
• OVH Cloud Archive
• Maybe self-programmed backends which write to a tape

What are you trying to do? What problem would this solve?

Allow restic to use cheap storages for use-cases where access to file contents is usually never needed, or users are willing to accept the trade-offs that come with those storages. A use-case is disaster-only backups.

What issues need restic to tackle?

1. Define how to split the repository in hot/cold parts
2. Reduce read access to the cold storage as much as possible
3. Reduce all API calls to the cold storage as much as possible
4. Add functionalities to get information which data from cold storage will be needed (+ maybe implement some "warmup" possibilities)
5. Add functionalities to let users restrict the access to cold storage, where possible
6. Allow restic to wait for slow cold storage access

Maybe some more features are needed...

Define how to split the repo in hot/cold parts

First, I think we should talk about the treatment of pack files containing data blobs on one side and all other files in the repo on the other side. The reason is, that usually more than 99% of the repo size is occupied by those files. Only for degenerated case (many very small files), the tree blobs and the index may contribute significantly to the repo size.

Moreover there are a couple of commands that do not need to read/access any "data pack file" and should therefor fully work if only these are located in the cold storage:

• backup
• cache
• copy (destination repo)
• diff
• find
• forget (but not the --prune part)
• init
• key
• list (except packs)
• ls
• recover
• snapshots
• stats
• tag
• unlock

Using different paths in the repo to save packs containing tree blobs and packs containing data blobs was discussed in #628 (comment). This would work for storages that allow to separate hot/cold by paths, like AWS S3. For storages missing that feature however, this would not work and it requires a change of the repo format. I'll call this approach "split-path-approach".

Another (similar) possibility would be to use two repos, "repo-cold" (saving "data pack files") and "repo-hot" (saving all other files). This again would be a new repository format. I'll call this approach "split-repo-approach".

A third solution is to have a cold repo containing all files (which would then be a standard restic repo) and saving all files expect "data pack files" in a "repo-hot". This approach is in fact a caching approach, so I'll call it "cache-approach". Note that #2516 kind of implements this by using the local cache as "repo-hot", #3235 implements this for a more general "repo-hot".

Reduce read access to the cold storage as much as possible

All three approaches would only need to read data from the cold storage when restic accesses a " data pack file". This is the case for all commands that really need to access file contents. prune is already optimized such that it only accesses files that are marked for repacking, rebuild-index is already optimized that it should only reads pack files which are not or not correctly contained in the index. Are there other commands that need optimization here?

Reduce all API calls to the cold storage as much as possible

API calls to the "/data" dir are only Save (for backups etc.), Load (see above) as well as List for list (packs), prune, check and rebuild-index, and Remove for prune which I think cannot be improved. So the "split-path-approach" and "split-repo-approach" would already have minimal API calls.

In the "cache-approach" the cold storage backend would additionally get every Save, List and Remove for non-"/data" files and "tree pack files".

Actually, I don't know about the other API calls, like Test and Stat.

Add functionalities to get information which data from cold storage will be needed (+ maybe implement some "warmup" possibilities)

I think for most commands, the best would be to implement a --dry-run or --warm-up option showing which "data pack files" needs to be accessed in order to run the command. Some cold storage do warm-ups when a file is tried to be accessed, this "access-try" could be also implemented for --warm-up.
This applies to the following commands:

• cat (for data blobs; for packs this is easy 😉 )
• copy (for the source repo)
• dump
• prune (see prune/rebuild-index: Add warmup possibilities #2881)
• rebuild-index (see prune/rebuild-index: Add warmup possibilities #2881)
• restore (see restore --warmup option to enable cold storage based repositories #2796)

For check with --read-data or --read-data-subset n/t it is easy to determine which "data pack files" the check needs. For random subsets, I propose to add an option --read-data-from which allows users to explicitly give a list of pack files to be checked, see #3203.

The command mount does not really work, as it is interactive and the "data pack files" needed are only known when users access them. So I would not allow to use that command for cold storages or make it just list the directory structure without allowing to read any file.

Add functionalities to let users restrict the access to cold storage, where possible

I think this only applies to prune, where a users could give a list of "packs to keep" (see #3196). Moreover, users can use the already existing option --repack-cacheable-only which does not repack any "data pack file".

In case of duplicate blobs this might be interesting for other commands, but I think this is nothing we need to start with to support cold storages, so I'd like to skip discussion about duplicates here.

Allow restic to wait for slow cold storage access

This might need another logic for timeouts or retries. I proposed #2515, but maybe there are better approaches?

Discussion

• Are there other requirements?
• Are there approaches I'm missing? Which approach do you think should be favored by restic?
• Other comments?

[RubenKelevra]

Hey @aawsome, great to see this being discussed/implemented!

• Are there approaches I'm missing? Which approach do you think should be favored by restic?

I feel like the "look into the future" part is missing here.

Restic should be able to determine how long certain blocks will need to be kept when forget is run. This would require two thresholds:

• --copy-to-cold-storage determines which snapshots should be copied to the cold storage
• --move-to-cold-storage determines which snapshots should be removed from the hot storage

Blocks needed to recover snapshots which will be kept for years anyway could be marked to be moved to the cold storage right when the first forget command is run after a backup.

An example:

I create three monthly backups, two last year and one this year and I run forget with --keep-yearly 99 --copy-to-cold-storage 30d --move-to-cold-storage 1y, the forget can mark all blocks needed to recover the last snapshot of last year to be moved to the cold storage, since 99 years exceed the 30 days set by --copy-to-cold-storage, but since last month isn't exceeding the --move-to-cold-storage age of 1 year the blocks for the snapshot are kept in the hot storage as well.

[aawsome]

@RubenKelevra Thanks for your feedback!

Restic should be able to determine how long certain blocks will need to be kept when forget is run. This would require two thresholds:

* `--copy-to-cold-storage` determines which snapshots should be copied to the cold storage

* `--move-to-cold-storage` determines which snapshots should be removed from the hot storage

I like this idea a lot! So in fact you are proposing to:

• keep some data only in hot storage,
• keep some data in both hot and cold storage,
• keep some data only in cold storage,

right? I think that this use-case can be achieved in this way:

• use two "standard" repos that are called "repo-hot" and "repo-cold".
• run your standard backup on "repo-hot"
• use the copy command to copy old enough snapshots to "repo-cold" (we could actually add some copy "policy" here to make this easier)
• run forget --prune on "repo-hot" to remove snapshots that should be moved to the cold storage
• run forget --prune on "repo-cold" if needed for the final data retention

As keeping some snapshots and the according data hot and moving some to cold storage would always imply that we repack packs on the hot repo (which leads to packs differing from hot and cold and therefore index files differing), I actually favor this "two-real-repos" strategy here.

If the "repo-cold" is then located on some real cold storage with restrictions, we are in the use case I'd like to discuss here, i.e. this "standard" repository could be split to hot and cold storage...

[RubenKelevra]

@RubenKelevra Thanks for your feedback!

Welcome :)

I like this idea a lot! So in fact you are proposing to:

• keep some data only in hot storage,
• keep some data in both hot and cold storage,
• keep some data only in cold storage,

right?

Right!

The point here is, that there's cases where you might want to fetch an old snapshot, like if you want to run an old version of something to check for an recession, so "paying" for a slow cold storage request with time and/or money isn't really great.

On the other hand the cold storage should be able to have pretty recent data as well, as second storage if the redundancies on the first one fails. Else a cold storage isn't really that useful to begin with.

I think that this use-case can be achieved in this way:

• use two "standard" repos that are called "repo-hot" and "repo-cold".
• run your standard backup on "repo-hot"
• use the copy command to copy old enough snapshots to "repo-cold" (we could actually add some copy "policy" here to make this easier)
• run forget --prune on "repo-hot" to remove snapshots that should be moved to the cold storage

I feel like forget --prune isn't really very descriptive and breaks the POLA.

Maybe we just need a new command like:

restic -r /some/path --cold-r /some/other/path freeze

• run forget --prune on "repo-cold" if needed for the final data retention

Yeah if there's a need to clean up. But it would be neat if this would require very little reads. So basically be able to determine without any access which files could be safely removed when a certain snapshot would be removed would be nice here.

Not sure if that's currently possible with the current caching strategy.

As keeping some snapshots and the according data hot and moving some to cold storage would always imply that we repack packs on the hot repo (which leads to packs differing from hot and cold and therefore index files differing), I actually favor this "two-real-repos" strategy here.

Yeah, doesn't make any sense to not repack. Bandwidth usage should be kept absolutely minimal.

Some other ideas on the concept:

• We could have a --lazy flag which avoids uploading not-full-packs if the backend doesn't support appending data to files. The blocks would remain marked on the hot storage and would be transferred on the next call when the pack gets completed.

• We could add redundancy files over the packs, like having 3 redundancy file per 50 pack files. Since most cold storages spread the storage in different physical locations on file-level individual files might just get unaccessible in a worst case scenario. Being able to recover from up to 3 unreadable file per 50 files could be worth the additional storage cost.

• We could add the configs of the secondary storage and the data retention strategies as well as the ususal backup cycle to the repo. This way the user wouldn't have to send all those flags all the time to the repo and wouldn't have to specify the secondary repo. The path/credentials would just be read from the primary repo.

• We could also locate the cache files for the secondary repo in the primary repo, to allow different clients to use the same encrypted cache files. So if one client has pushed some new data to the cold storage, another client could fetch them and have an up-to-date cache without accessing the cold repo.

• We could have a more general approach by calling it tiering. A simple flag would mark a real 'cold storage' where we try to do everything to minimize the bandwidth use, like the caching mentioned before. This would allow us to have something like a primary and a secondary location plus a cold storage where we push the weekly snapshots to the secondary location and the monthly to the cold storage.

If the "repo-cold" is then located on some real cold storage with restrictions, we are in the use case I'd like to discuss here, i.e. this "standard" repository could be split to hot and cold storage...

Not sure what you meant with that? :)

[aawsome]

@RubenKelevra sorry for the late reply

On the other hand the cold storage should be able to have pretty recent data as well, as second storage if the redundancies on the first one fails. Else a cold storage isn't really that useful to begin with.

That would argue in the direction of the "cache-approach"

• run forget --prune on "repo-cold" if needed for the final data retention

Yeah if there's a need to clean up. But it would be neat if this would require very little reads. So basically be able to determine without any access which files could be safely removed when a certain snapshot would be removed would be nice here.
Not sure if that's currently possible with the current caching strategy.

The prune in current master is already able to determine what to do by only reading metadata. Plus there is the option --repack-cacheable-only which ensures that no data that would be on the cold storage is read to repack pack files (for the price that partly unused pack files will be kept and occupy the full size in the cold storage). I already tested this successfully using #3235

Some other ideas on the concept:

Puh, you are proposing quite some improvements here. I understand your ideas, but most would require very deep changes of how restic works and are not fully related to cold storages, so I would like to exclude most from the discussion here. Hope for your understanding 😉

* We could have a --lazy flag which avoids uploading not-full-packs if the backend doesn't support appending data to files. The blocks would remain marked on the hot storage and would be transferred on the next call when the pack gets completed.

There is no concept of "complete" pack files. Blobs are accumulated and saved if enough space is required or if the backup run finishes. This goes in the direction of saving large data files in the repo which is discussed separately.

* We could add redundancy files over the packs, like having 3 redundancy file per 50 pack files. Since most cold storages spread the storage in different physical locations on file-level individual files might just get unaccessible in a worst case scenario. Being able to recover from up to 3 unreadable file per 50 files could be worth the additional storage cost.

Also redundancy is not a cold-storage-specific topic...

* We could add the configs of the secondary storage and the data retention strategies as well as the ususal backup cycle to the repo. This way the user wouldn't have to send all those flags all the time to the repo and wouldn't have to specify the secondary repo. The path/credentials would just be read from the primary repo.

Saving config options in some files is also topic independent from cold-storage.

* We could also locate the cache files for the secondary repo in the primary repo, to allow different clients to use the same encrypted cache files. So if one client has pushed some new data to the cold storage, another client could fetch them and have an up-to-date cache without accessing the cold repo.

If you think about the "cache-approach", the hot part is just a cache. In fact, then we have a 1st level cache on the local storage and a 2nd level cache which is the "hot repo part". Of course, this 2nd level cache can be used from different clients. If the 2nd level cache is accessible fast enough, users could specify --no-cache, an then the 1st level cache is not needed.
This is also already implemented in #3235.

* We could have a more general approach by calling it tiering. A simple flag would mark a real 'cold storage' where we try to do everything to minimize the bandwidth use, like the caching mentioned before. This would allow us to have something like a primary and a secondary location plus a cold storage where we push the weekly snapshots to the secondary location and the monthly to the cold storage.

I think this can be achieved by using the copy command. I agree that this could look like a bit of boilerplate

If the "repo-cold" is then located on some real cold storage with restrictions, we are in the use case I'd like to discuss here, i.e. this "standard" repository could be split to hot and cold storage...

Not sure what you meant with that? :)

Ok, I'll explain what I had in mind using #3235: With this PR, you use three storages repo-hot, repo-cold and repo-cold-hotpart and can do:

restic -r repo-hot init
restic -r repo-cold --repo-hot repo-cold-hotpart init
restic -r repo-hot backup /dir
restic -r repo-hot --repo2 repo-cold --repo-hot2 repo-cold-hotpart copy --path /dir

Here repo-cold and repo-cold-hotpart can be used in combination like a standard repo, but the files/objects in repo-cold are not read.

[WebSpider]

Wow, awesome to see this being discussed, implemented. If I had known earlier, I would have waited moving my repositories to a cheaper storage supplier :-)
I've been active in backups and archiving/compliance for about 15 years now, mostly in enterprises, and would like to chime in a bit ;)

So, in general storage suppliers these days give you quality levels of their service. Most implement this using tiers in their product, which seems like a great functionality for restic to use as well. Some of them have seperate products with different characteristics, and users need to shift their data depending on what's needed. This is a valid use-case, but will always result in much traffic, so savings would not be as much.

I think the ideal implementation of this feature is:

• Transparent to users of restic
• Configurable at run-time and initialisation of the repo
• Aimed towards cost saving
• Possibly adding compliancy as well

Various cloud providers have various mechanisms of determining which tier a file needs to be at:

1- During initial placement
2- After expiration of a set time
3- When altering a blob, the storage tier can be altered

and I think restic should support both, since I see use-cases for all:

1- Initial placement would be when the user KNOWS this backup is there for compliance/legal reasons mostly, and will probably never be used as an actual restore. The yearly backup of the HR system comes to mind.
2- After expiration of a set time makes most sense for backups that have multiple child (generations), who will most likely be used to perform any restores on. This is your typical daily backup, that probably wont be used for restoring after 1wk/2wk
3- When altering a blob would most typically be when you "promote" a backup. So a daily gets promoted to weekly, gets promoted to yearly. This promotion changes the retention requirements of this backup, and might also change the tier it should be at.

Commands to perform backups should be seperated from commands to modify the structure of a repository. So if I want to change the initial placement / automated tiering of a repo, this should not affect the way I perform my backups. Restic should "just do this", depending on what defaults I have set in my repo. Offcourse, when I change the layout of my repository I know this may mean a longrunning maintenance job.

Also, what I have found, is that having metadata around for things that are in cold storage really makes your life easier, and saves a lot of trips to costly API's to find out just what's there. So when moving things to the archive, we should keep metadata readily available when we for instance need to expire data in the archive. So ideally, when restic decides it's time to delete a pack, all it would need to do is go to the supplier to check the checksum and last-modified. If they match metadata, it can be safely deleted.
Offcourse, rewrites are a different beast altogether. The threshold for rewrites would be great to have differ by tier, since a rewrite on frozen storage is costly timewise and moneywise. In all fairness, with the recall times for frozen storage, this also should not be implemented as a blocking operation for the entire repository. A recall can (and will!) easily last hours when it has to be thawed.