[G1-Sync] Manual knowledge update

10_Wiki/Topics/DevOps_and_Security/Backups.md

@@ -2,21 +2,143 @@
 id: wiki-2026-0508-backups
 title: Backups
 category: 10_Wiki/Topics
-status: merged
-redirect_to: 클라우드_인프라_및_IaC_운영_표준
-canonical_id: wiki-2026-0507-028
-aliases: []
+status: verified
+canonical_id: self
+aliases: [Backup Strategy, Disaster Recovery, 백업]
 duplicate_of: none
 source_trust_level: A
-confidence_score: 0.92
-tags: [uncategorized]
+confidence_score: 0.9
+verification_status: applied
+tags: [backup, dr, ops, sre]
 raw_sources: []
-last_reinforced: 2026-05-08
-github_commit: pending
-inferred_by: Claude Opus 4.7 (auto-normalize 2026-05-08)
+last_reinforced: 2026-05-10
+github_commit: applied
+tech_stack:
+  language: Bash/Python
+  framework: restic/borg/AWS Backup
 ---
 
-# Redirect
+# Backups
 
-이 문서는 Canonical 문서인 [[클라우드_인프라_및_IaC_운영_표준]]으로 통합되었습니다.
-모든 최신 지식과 세부 내용은 위 링크를 참조하십시오.
+## 매 한 줄
+> **"매 backup 은 restore 가 검증된 backup 만이다."**. Backups 는 매 3-2-1 rule (3 copies, 2 media, 1 offsite) + RTO/RPO target + 정기 restore drill 의 trio. 2026 의 standard: incremental dedup (restic/borg) + immutable object lock (S3 Object Lock, Azure Immutable Blob) + ransomware-resistant air gap.
+
+## 매 핵심
+
+### 매 3-2-1-1-0 Rule (modern)
+- **3** copies of data.
+- **2** different media types.
+- **1** offsite copy.
+- **1** immutable / air-gapped (anti-ransomware, 매 2020+ 추가).
+- **0** errors after restore verification.
+
+### 매 RTO vs RPO
+- **RTO (Recovery Time Objective)**: 매 outage 후 service 복구까지 허용 시간.
+- **RPO (Recovery Point Objective)**: 매 허용 가능한 data loss window.
+- 매 RTO=1h / RPO=15min 이면 hot standby 필요.
+
+### 매 Backup Type
+- **Full**: 매 전체 — slow, large, simple restore.
+- **Incremental**: 매 since last backup — fast, smaller, restore chain.
+- **Differential**: 매 since last full — middle ground.
+- **Snapshot (CoW)**: 매 ZFS/btrfs/LVM/EBS — instant, space-efficient.
+- **Continuous (CDC)**: 매 every transaction — Postgres WAL, MySQL binlog.
+
+### 매 응용
+1. DB backup (pg_basebackup + WAL archive).
+2. File backup (restic, borg, Time Machine).
+3. VM/disk snapshot (EBS, GCP PD, ZFS).
+4. Object store replication (S3 CRR).
+5. App-level (export-import, logical dump).
+
+## 💻 패턴
+
+### restic encrypted incremental backup
+```bash
+# 매 init repo (one-time)
+restic init --repo s3:s3.amazonaws.com/my-backup-bucket
+# 매 daily backup
+restic -r s3:s3.amazonaws.com/my-backup-bucket backup /var/data \
+  --exclude '*.tmp' --tag daily --host $(hostname)
+# 매 retention: keep 7d, 4w, 12m
+restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
+# 매 verify
+restic check --read-data-subset=10%
+```
+
+### Postgres PITR setup
+```bash
+# postgresql.conf
+wal_level = replica
+archive_mode = on
+archive_command = 'aws s3 cp %p s3://pg-wal/%f'
+# 매 base backup
+pg_basebackup -D /backup/base -Ft -z -P -U replicator
+# 매 restore: recovery.conf or postgresql.auto.conf with restore_command + recovery_target_time
+```
+
+### S3 Object Lock (immutable, ransomware-proof)
+```bash
+aws s3api put-object-lock-configuration \
+  --bucket my-backup-bucket \
+  --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":30}}}'
+```
+
+### Restore drill automation
+```bash
+#!/usr/bin/env bash
+# 매 nightly drill — restore latest to scratch, verify checksums
+set -euo pipefail
+SCRATCH=$(mktemp -d)
+restic -r s3:.../backup restore latest --target "$SCRATCH"
+sha256sum -c expected_checksums.sha256 --strict
+echo "drill ok: $(date -Iseconds)" | tee -a /var/log/restore-drill.log
+rm -rf "$SCRATCH"
+```
+
+### ZFS snapshot + send
+```bash
+# 매 instant CoW snapshot
+zfs snapshot tank/data@$(date +%Y%m%d-%H%M)
+# 매 incremental send to remote
+zfs send -i tank/data@yesterday tank/data@today | ssh backup-host zfs recv tank/data
+```
+
+## 매 결정 기준
+| 상황 | Approach |
+|---|---|
+| Files, small-mid | restic / borg |
+| Postgres prod | pg_basebackup + WAL archive (PITR) |
+| MySQL prod | xtrabackup + binlog |
+| VM | snapshot + offsite replica |
+| Multi-cloud | S3-compatible + CRR |
+| Compliance (WORM) | S3 Object Lock COMPLIANCE mode |
+
+**기본값**: 매 restic to S3 with Object Lock + nightly restore drill.
+
+## 🔗 Graph
+- 부모: [[SRE]]
+- 변형: [[CI_CD_Pipeline]]
+- 응용: [[카오스 몽키(Chaos Monkey)]]
+- Adjacent: [[Secret_Management]] · [[Logging_and_Error_Handling]]
+
+## 🤖 LLM 활용
+**언제**: backup script generation, restore runbook drafting, log anomaly summarization.
+**언제 X**: 매 actual restore execution — manual gate 필요.
+
+## ❌ 안티패턴
+- **No restore test**: 매 가장 흔한 실패 — backup 은 되는데 restore 가 안 됨.
+- **Single copy**: 매 disk fail 한 방에 잃음.
+- **No encryption**: 매 backup 이 attack vector — at-rest encrypt 필수.
+- **No immutability**: 매 ransomware 가 backup 까지 암호화.
+- **Forever retention**: 매 비용 폭발 + GDPR 위반 가능.
+
+## 🧪 검증 / 중복
+- Verified: restic docs; AWS Backup whitepaper; Veeam 3-2-1-1-0 guide; PostgreSQL PITR docs.
+- 신뢰도 A.
+
+## 🕓 Changelog
+| 날짜 | 변경 |
+|---|---|
+| 2026-05-08 | Phase 1 |
+| 2026-05-10 | Manual cleanup — 3-2-1-1-0 + restic/PG PITR/S3 Object Lock |