Skip to content
English
More support Sign in
Contact us
  • There are no suggestions because the search field is empty.

Acronis Cyber Cloud: Immutable Bucket Cleaner Guide

This article explains why the storage usage reported by Acronis may differ from the storage usage reported by Impossible Cloud and why Acronis Cyber Protect retention policies may not reduce your storage usage in an Impossible Cloud bucket with Object Lock enabled.

Content Summary

  1. The Issue Description: A brief explanation of the problem.
  2. The Solution: An overview of the provided storage cleanup solution.
  3. Prerequisites: What you need before you start.
  4. Configuring Permissions in Impossible Cloud: Setting up the required IAM user and policy.
  5. Configuring and Running the Immutable Bucket Cleaner on Windows: A detailed guide for Windows users.
  6. Configuring and Running the Immutable Bucket Cleaner on Linux: A detailed guide for Linux users.
  7. Cleaning Up Multiple Bucketsa guide to cleanup multiple Acronis immutable buckets.
  8. Troubleshooting: How to check logs and resolve common issues.

The Issue Description

If you are using Acronis Cyber Cloud and Impossible Cloud bucket with Immutability (Object Lock) option, you may have noticed a discrepancy between the storage usage reported in your Acronis Cyber Protect console and the higher usage reported by Impossible Cloud. For instance, Acronis might report that your backups occupy 1 TB of space, while your Impossible Cloud invoice indicates you are using 1.5 TB or more.

This is not an error but an expected behavior when using Acronis with S3-compatible storage that has Object Lock and Versioning enabled. The root cause of this issue lies in how Acronis interacts with immutable storage. When Acronis's retention rules run to delete old backups, the data is not permanently erased from your bucket. Instead, the objects are marked for deletion, but the underlying data remains, continuing to consume storage space.

Acronis's official recommendation for this scenario is to use a bucket lifecycle policy to manage the expiration of old object versions. Since this feature is not currently supported by Impossible Cloud, a different approach is necessary. This guide provides the official Impossible Cloud guide to ensure your storage usage aligns with your expectations.

The Solution

To resolve this issue and reclaim your storage space, Impossible Cloud provides an official cleanup script written on Python.

Here’s how the script works:

  • It securely connects to your Impossible Cloud bucket using credentials by a dedicated IAM user that you will create and scans the bucket for any objects whose most recent version is a delete marker.

  • For each object marked for deletion, the script permanently removes the underlying data versions that Acronis intended to delete, if that data protection is already expired.

  • The script will not touch any active, latest versions of your backups. It only targets data that has already been marked for deletion by Acronis, ensuring the integrity of your current backup chain is always maintained.

By running this cleanup script periodically, you can ensure that your storage consumption reflects the data retained by your Acronis policies.

Prerequisites

Before you begin, please ensure you have the following in place:

Recommended environment:

    • A machine (Windows or Linux) that has the Acronis Cyber Protect agent installed. This is the simplest method, as the agent includes a self-contained Python environment called acropsh that the script uses.

    • Alternative: Any other machine with Python 3.6 or newer installed. If you choose this method, you will also need to install the boto3 library by running pip install boto3. This guide will focus on the recommended method using a machine with the Acronis agent.

Supported Operating Systems

    • The script has been successfully tested on Windows Server 2012 R2, Windows Server 2022, CentOS 7, CentOS 9, and the Acronis ESXi Virtual Appliance (which uses a BusyBox environment). It is expected to work on most modern Windows Server and Linux distributions.

Permissions

    • You will need a login access on the machine where you intend to run the script.

    • You will need an Impossible Cloud root user account to create an IAM user, assign an IAM policy, and generate access keys.

Configuring Permissions in Impossible Cloud

To allow the script to safely do its job, you must first create a dedicated Identity and Access Management (IAM) user with a restricted set of permissions, ensuring the script has only the access it needs to perform its task and nothing more.

  1. Log in to the Impossible Cloud Storage Console and add an IAM user.
  2. Open the newly created user, browse to the Inline Policies tab and click Create New Policy.
  3. Give the policy a descriptive name, such as acronis-cleanup-policy. In the JSON editor field, copy and paste the entire policy below. Click Save.
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:HeadBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-acronis-immutable-bucket"
    },
    {
      "Action": [
        "s3:GetObjectRetention",
        "s3:DeleteObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-acronis-immutable-bucket/*"
    }
  ],
  "Version": "2012-10-17"
}

You must replace the placeholder [my-acronis-immutable-bucket] with the actual name of your Acronis backup bucket. This placeholder appears in two locations in the policy; ensure you update both.

Finally, you need to generate a set of access keys for the new IAM user. The script will use these keys to authenticate with your Impossible Cloud account.

  1. Browse to the IAM user that you've created above and click on it.
  2. Go to the Access keys tab and click Add access key.
  3. Save the generated Access Key and a Secret Key, you will need both later.
  4. Proceed to the Windows or Linux configuration accordingly to your preference.

Configuring and Scheduling the Immutable Bucket Cleaner on Windows

This section provides a detailed guide for setting up and automating the cleanup script on a Windows machine, preferably one with an Acronis Cyber Protect agent installed.

Step 1: Prepare the Script Files

  1. Create a simple folder on your C: drive, for example: C:\ImpossibleCloud 
    Do not use spaces in the folder name! 
  2. Download the script archive from the following link: https://console.impossiblecloud.com/static/support/acrofix.zip
  3. Extract the contents of the acrofix.zip file into the C:\ImpossibleCloud folder you created.

 

Step 2: Configure the config.ini File

  1. Navigate to C:\ImpossibleCloud\acrofix and open the config.ini file using a text editor like Notepad.
  2. Configure the parameters according to your bucket name and location endpoint URL and use access key/secret key from the IAM users you've created during Configuring permissions part of this guide.
[S3]
# S3 endpoint URL (required)
ENDPOINT_URL=https://eu-central-2.storage.impossibleapi.net

# S3 access credentials (optional if using IAM roles or other auth methods)
ACCESS_KEY=ADA2.........01EA
SECRET_KEY=zt71v...........................f3ho1

# S3 bucket name to clean up (required)
BUCKET_NAME=my-acronis-immutable-bucket

Step 3: Automate with Windows Task Scheduler

To ensure the cleanup runs regularly without manual intervention, you can create a scheduled task.

  1. Open Task Scheduler by pressing Win + R, typing taskschd.msc, and clicking OK.
  2. In the Actions pane on the right, click Create Task....
  3. On the General tab:
  • Name: Give the task a descriptive name, like Impossible Cloud Acronis Cleanup.
  • Under Security options, select Run whether user is logged on or not.
Switch to the Triggers tab and click New....
  • Set the schedule to Weekly.
  • Choose a day and time for the task to run. It is best to schedule this during off-peak hours, for example, on a Saturday at 2:00 AM.
  • Ensure the Enabled checkbox is checked and click OK.
Switch to the Actions tab and click New....
  • Action: Ensure Start a program is selected.
  • Program/script: Type acropsh. (This executable is part of the Acronis agent installation).
  • Add arguments (optional): Type the full path to the Python script:
    C:\ImpossibleCloud\acrofix\cleanup_immutable_bucket_simple.py
  • Start in (optional): Type the path to the script's folder:
    C:\ImpossibleCloud\acrofix
    This step is crucial, as it tells the task where to find the config.ini and where to write the log file!
  • Click OK.

Click OK to save the task. You will be prompted to enter the credentials for a user account with permissions to run the task.

The scheduled task is now configured and will run automatically each week to clean up your Acronis backups.

Configuring and Scheduling the Immutable Bucket Cleaner on Linux

This section provides instructions for setting up and automating the cleanup script on a Linux machine or an Acronis Virtual Appliance (e.g., for ESXi).

Step 1: Prepare the Script Files

  1. Log in to your Linux machine or Acronis Virtual Appliance via SSH or the console.
  2. Navigate to a suitable directory, such as your home directory:
    cd ~
  3. Run the following command to download and extract the script archive. This single command performs both actions:
    wget https://console.impossiblecloud.com/static/support/acrofix.tar.gz && tar -xvf acrofix.tar.gz
  4. After the command completes, you will have a new directory named acrofix in your current location (e.g., /home/youruserlogin/acrofix)

Step 2: Configure the config.ini File

  1. Open the config.ini file for editing using a command-line text editor like nano or vi:
    nano ~/acrofix/config.ini
  2. Configure the parameters according to your bucket name and location endpoint URL and use access key/secret key from the IAM users you've created during Configuring permissions part of this guide.
[S3]
# S3 endpoint URL (required)
ENDPOINT_URL=https://eu-central-2.storage.impossibleapi.net

# S3 access credentials (optional if using IAM roles or other auth methods)
ACCESS_KEY=ADA2.........01EA
SECRET_KEY=zt71vxx79sr2c76k2elv2tz8o5jgumrqh84f3ho1

# S3 bucket name to clean up (required)
BUCKET_NAME=my-acronis-immutable-bucket

Step 3: Automate with Crontab

To ensure the cleanup runs regularly without manual intervention, you can create a scheduled task.

  1. Open your user's crontab file for editing by running:
    crontab -e 
  2. Add the following line to the bottom of the file. This line defines the schedule and the command to be executed.
    30 05 * * 6 /sbin/acropsh /home/youruser/acrofix/cleanup_immutable_bucket_simple.py  

    This particular example cronjob will run the script once per week, every Saturday (6th day) at 5:30 AM.

You must replace /home/youruser/acrofix/ with the absolute path to where you extracted the script files. You can find the full path by navigating to the acrofix directory and running the pwd command.

The scheduled task is now configured and will run automatically each week to clean up your Acronis backups.

Cleaning Up Multiple Buckets

If you use multiple Acronis backup buckets with Object Lock enabled under the same Impossible Cloud storage account, you can use the same IAM user and script to clean them all up. This involves updating your IAM policy and creating separate instances of the cleanup script.

Step 1: Update the IAM Policy

For example, if you want to grant access to bucket-one and bucket-two, your inline policy should be updated to look like this:

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:HeadBucket",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-one",
        "arn:aws:s3:::bucket-two"
      ]
    },
    {
      "Action": [
        "s3:GetObjectRetention",
        "s3:DeleteObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-one/*",
        "arn:aws:s3:::bucket-two/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

You can add as many buckets as you need into the same single policy.

Step 2: Create Separate Script Instances

The cleanup script is designed to work on one bucket at a time, as defined in its config.ini file. To clean multiple buckets, you must create a separate folder for each one.

    • On Windows: C:\ImpossibleCloud\Acronis-Bucket-One and C:\ImpossibleCloud\Acronis-Bucket-Two
    • On Linux: ~/acrofix_bucket_one and ~/acrofix_bucket_two    

Step 2: Create Separate Script Schedules

Repeat Windows or Linux scheduling steps for each script instance accordingly.

Troubleshooting

If the script does not appear to be working or you encounter errors, these steps can help you diagnose the problem.

Checking the Logs

The script is designed to create a log file in the log directory. Depending on your environment, 

  • on Windows, the log files will be likely located at C:\ImpossibleCloud\acrofix\log.
  • On Linux, the log files will be located at ~/acrofix/log (or wherever you extracted the files).

Open log file(s) in a text editor. Logs contain detailed information about each run, and any errors that were encountered. This log is the first and most important place to look when troubleshooting.

If you have followed this guide and continue to experience issues, please do not hesitate to contact our support team for assistance. You can submit a support request and attach the script logs here.