Starting with a working PCF 1.11 deployment, a random Linux VM and the BOSH Backup and Restore bits, let’s try it out!
Background
- We’ll perform two types of backup jobs using BBR; one against the BOSH director and one against the Elastic Runtime deployment. The command and parameters are different between the jobs.
- BBR stores the backup data in subfolders of the directory where the executable is run
- Tiles other than Elastic Runtime (CF) may be backed up with BBR later, but as of late June 2017, they do not have the BBR scripts in place.
- If you don’t turn on MySQL backups and the Backup Prepare Node in Elastic Runtime, the CF deployment backup job will fail because it cannot find the backup scripts for the MySQL database
- I’m using a CentOS VM in the environment as the jumpbox to run BBR. You’ll want to make sure that the jumpbox is able to reach the BOSH director on TCP 22 and TCP 25555.
Steps
- Prepare PCF
- Logon to Ops Manager
- Click the “Pivotal Elastic Runtime” tile
- Assuming you’re using the internal MySQL, click “Internal MySQL” on the Settings tab
- Under Automated Backups Configuration, select “Enable automated backups from MySQL to an S3 bucket or other S3-compatible file store”. Right here, you’re thinking, “but I don’t have an S3 server or account or whatever”. That’s ok, just fake it. Put bogus values in the fields and an unreachable date (like February 31st). Click Save.
- Under Resource Config, make sure the Backup Prepare Node instance count is 1 (or more?). Click Save
- Return to the Installation Dashboard and Apply Changes
- Get the BBR credentials.
- Logon to Ops Manager
- Click the “Ops Manager Director” tile
- Click the “Credentials” tab
- Click the “Link to Credential” link beside “Bbr Ssh Credentials”
- The page that loads will display a yml-type file with the PEM-encoded Private and Public Keys. Select and copy from “-----BEGIN RSA PRIVATE KEY-----” through “-----END RSA PRIVATE KEY-----”.
- Paste this into a text editor. In my case, on Windows, the content used a literal “\n” to indicate a new line rather than an actual newline. So, to convert it, I used Notepad++ to replace “\\n” with “\n” in the Extended Search Mode.
- The username that BBR will use for the director job is “bbr”
- Back on the “Credentials” tab of Ops Manager Director, click “Link to Credential” beside “Uaa Bbr Client Credentials”
- On the page that loads, note that the identity is “bbr_client” and record the password value. This will be used for the BBR deployment job(s).
- Back on the “Credentials” tab of Ops Manager Director, click “Link to Credential” beside “Director Credentials”
- On the page that loads, note that the identity is “director” and record the password value. You’ll need this to log in to BOSH in order to get the deployment name next.
- Get the deployment name
- Open an SSH session to the Ops Manager, logging on as ubuntu
- Run this:
uaac target --ca-cert /var/tempest/workspaces/default/root_ca_certificate https://DIRECTOR-IP-ADDRESS:8443
bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate target DIRECTOR-IP-ADDRESS
Logon as “director” with the password saved earlier
- Run this:
bosh deployments
- In the results, copy the deployment name that begins with “cf-” (e.g. cf-67afe56410858743331).
- Prepare the jumpbox
- Logon with a privileged account
- Using SCP or similar, copy “/var/tempest/workspaces/default/root_ca_certificate” from Ops Manager to the jump box
- Copy the bbr-0.1.2.tar file to the jumpbox
- Extract it: tar -xvf bbr-0.1.2.tar
- Make sure you have plenty of space on the jumpbox. In my case, I mounted an NFS share and ran BBR from the mount point.
- Copy <extracted files>/release/bbr to the root folder where you want the backups to reside.
- Save the PEM-encoded RSA Private Key from above to the jumpbox, making a note of its path and filename. I just stuck it in the same folder as the bbr executable.
- Make sure you can connect to the BOSH director via ssh
ssh -i bbr@
- Director Backup
- On the jumpbox, navigate to where you placed the bbr executable. Remember that it will create a time-stamped subfolder here and dump all the backups into it.
- Run this, replacing the private key path and BOSH Director IP address with the correct values:
./bbr director --private-key-path ./private.key --username bbr --host 172.16.9.16 pre-backup-check
- Check that the pre-check results indicate that the director can be backed up
- Run this to perform the backup (same as before, just passing the “backup” sub-command instead of the “pre-backup-check” sub-command):
./bbr director --private-key-path ./private.key --username bbr --host 172.16.9.16 backup
- Wait a while for the backup to complete
- What’d it do?
- Backed up BOSH director database to bosh-0-director.tar
- Dumped credhub database to bosh-0-credhub.tar
- Dumped uaa database to bosh-0-uaa.tar
- Backed up the BOSH director blobstore to bosh-0-blobstore.tar
- Saved the blobstore metadata to a file named metadata
- Elastic Runtime Backup
- On the jumpbox, navigate to where you placed the bbr executable. Remember that it will create a time-stamped subfolder here and dump all the backups into it.
- Run this, replacing the example values with the IP/FQDN of your BOSH director, the password for the bbr_client account retrieved from Ops Manager, the Elastic Runtime deployment name and the path to the root_ca_certificate copied from the Ops Manager:
Deployment Pre-check:
./bbr deployment --target 172.16.9.16 --username bbr_client --password abc123 --deployment cf-abcdef123456 --ca-cert ./root_ca_certificate pre-backup-check
- Check that the pre-check results indicate that the director can be backed up
- Run this to perform the backup (same as before, just passing the “backup” sub-command instead of the “pre-backup-check” sub-command):
Deployment Backup:
./bbr deployment --target 172.16.9.16 --username bbr_client --password abc123 --deployment cf-abcdef123456 --ca-cert ./root_ca_certificate backup
- Wait a while for the backup to complete
- What’d it do this time?
- Backed up the MySQL Cloud Controller Database to mysql-artifact.tar
- Backed up uaa to uaa-0-uaa.tar (this is different from the UAA backup performed against the director)
- Backed up the blobstore (in my case, from the internal NFS server) to nfs_server-0-blobstore-backup.tar
- Saved the blobstore metadata to a file named metadata
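Added example (not part of the original post or of the BBR tooling): a shell helper for the key-handling steps above, where the “Bbr Ssh Credentials” private key is pasted from Ops Manager and then saved on the jumpbox. It assumes the pasted key is unencrypted and shows line breaks as the literal two-character escape \n; the function name install_bbr_key and the file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: turn a BBR private key pasted from Ops Manager into a key file.
# Assumption: the pasted text is an unencrypted PEM RSA key on one line, with
# each line break shown as the two characters backslash + n.

# install_bbr_key RAW_FILE KEY_FILE  (hypothetical helper name)
# Returns 0 on success, 2 on bad PEM framing, 3 on a non-base64 body.
install_bbr_key() {
  local raw="$1" out="$2" tmp body
  local begin='-----BEGIN RSA PRIVATE KEY-----'
  local end='-----END RSA PRIVATE KEY-----'

  # mktemp creates the file with mode 0600, so the key is never world-readable.
  tmp="$(mktemp "${out}.XXXXXX")" || return 1

  # Expand literal "\n", drop Windows carriage returns, trim stray quotes and
  # whitespace picked up while copying, and delete empty lines.
  awk '{ gsub(/\\n/, "\n"); print }' "$raw" \
    | tr -d '\r' \
    | sed -e 's/^[[:space:]"]*//' -e 's/[[:space:]"]*$//' -e '/^$/d' > "$tmp"

  # First and last lines must be the PEM markers the post tells you to copy.
  if [ "$(head -n 1 "$tmp")" != "$begin" ] || [ "$(tail -n 1 "$tmp")" != "$end" ]; then
    rm -f "$tmp"; return 2
  fi

  # Everything between the markers must be base64; anything else means the
  # paste was truncated or still contains escapes.
  body="$(sed '1d;$d' "$tmp")"
  if [ -z "$body" ] || printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,\}$'; then
    rm -f "$tmp"; return 3
  fi

  chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# Command-line use: ./install_bbr_key.sh pasted.txt private.key
if [ "$#" -eq 2 ]; then
  install_bbr_key "$1" "$2"
fi
```

Once the file is written, `ssh-keygen -y -f ./private.key` prints the matching public key if the key parses, which is a quick check before pointing bbr at it.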