For cutomer-hosted instances, you can create a backup of a basic Looker installation simply by making a copy of the Looker user's home directory (including all normal and hidden subdirectories). This may be accomplished via scp
, rsync
, or any standard backup application. Similarly, restoring a basic Looker installation just requires restoring the files and starting up
Looker.
In some configurations, including clustered environments, Looker uses an external MySQL database for application settings, user accounts, and other data. In this case we recommend creating a backup of the MySQL database, in addition to the Looker home directory.
We highly recommend that you create these backups daily. We also recommend performing a test restoration once per quarter.
Directory structure
The standard subdirectories under the Looker user's home directory (usually /home/looker) are described here.
- folder home
- folder looker
- folder .ssh
- folder looker
- folder .cache
- folder .db
- folder .ssl
- folder .tmp
- folder deploy_keys
- folder log
- folder models
- folder models-user-1
Directory | Backup Required | Change Frequency | Description |
---|---|---|---|
.ssh | Yes | Rare | ssh keys used for authenticating to Git for LookML projects created with Looker 4.6 or older |
looker/.cache | No | Frequent | Temporary cache files |
looker/.db | Yes, unless backend DB has been migrated to MySQL | Frequent | Looker internal database |
looker/.snapshots | No | On Update | A backup copy of the Looker jar and .db directory are stored here during updates |
looker/.ssl | Maybe | Rare | Self-signed SSL certificates (see note) |
looker/.tmp | No | Frequent | Temporary files |
looker/deploy_keys | Yes | Rare | ssh keys used for authenticating to Git for LookML projects created with Looker 4.8 or later |
looker/log | Maybe | Frequent | Log files; only needed if required by your retention policies |
looker/models | No | Variable | Production models, copied from the source repository (usually GitHub) |
looker/models-user-* | Yes | Variable | Each user's development models are stored in separate directories with the user's ID number |
SSL Note: By default the SSL directory only contains a self-signed SSL cert, which does not need to be retained. However, if you store any additional files in this directory — such as SSL certificates signed by a certificate authority — this directory should be added to your backup.
Files outside of the Looker home directory, which should be added to your backup, are:
Directory | Backup Required | Change Frequency | Description |
---|---|---|---|
/etc/init.d/looker | Yes | Rare | System startup script for Looker |
SSL Certificates | Yes | Rare | If you are using SSL certificates, ensure all required files are included |
Although it doesn't typically cause problems, some customers have reported issues if they include the
looker/.db/looker.lck
file in their backups. You can safely exclude this file if necessary.
Creating a Looker backup
You can create a Looker backup with any standard backup application, as well as with command line tools such as rsync.
It is best for the backup process to run when the application is as lightly used as possible. In addition to normal user interaction, consider the times that scheduled Looks might be running, derived tables might be rebuilding, etc.
Clustered environments
Clustered Lookers store their application configuration, user accounts, and other data in an external MySQL database. We recommend creating a backup of this database at the same time as the Looker application. See the MySQL documentation for more details on how to backup MySQL databases.
Generating a keystore-independent backup
A customer-hosted installation that has migrated to AES-256 GCM encryption and is not using AWS KMS can use this procedure to create a backup of their Looker instance that is independent of their local Customer Master Key (CMK). This provides a method for a self-hosted customer to move to a Looker-hosted installation without having to provide their CMK, or to move a customer-hosted installation to a new host that does not have access to the same local keystore.
To create a keystore-independent backup:
Stop Looker:
cd looker ./looker stop
If Looker is clustered, make sure to stop every node before proceeding.
Ensure that Looker can access your CMK. If your CMK is stored in a file, you can use the environment variable
LKR_MASTER_KEY_FILE
to point to the path of your CMK file:export LKR_MASTER_KEY_FILE=<path_to_CMK_file>
Or, to provide your CMK directly in an environment variable, you can use the
LKR_MASTER_KEY_ENV
environment variable:export LKR_MASTER_KEY_ENV=<CMK_value>
Generate a new key file that will be used to re-encrypt the Key Encryption Key (KEK):
./looker generate_keyfile_for_backup <key_file_name>
Where
<key_file_name>
is the name you want to use for the file that Looker will create and then use to write the new key.The contents of the new key file will look like:
{"dbmk":"vr1LUwO3q6weY8iS3JykVljSjiD4m6eGk227Cs7Qu9Q=\n","backup_uid":"XCXvRa38mNeqT6+HRBCo2Q=="}
Where the value for
dbmk
is a Base64 encoding 256 bit encryption key andbackup_uid
is a unique name used when saving the key to the database.Use the new key file to create a new key entry in Looker's internal database:
./looker keystore_independent_recrypt <key_file_name>
Where
<key_file_name>
is the key file created earlier.This decrypts the KEK in the internal database using the CMK, then re-encrypts the KEK with the new key and persists that encrypted value to the database.
Create a backup of Looker using your regular backup method.
To restore this keystore-independent backup, you will need the new key file created earlier.
Restoring backups
To restore a Looker backup, see the Restoring backups documentation page.
Next steps
After you have set up backups, you will be ready to ensure that Looker can access necessary services.