AWS Deployment using EFS
Note
Note
- If the user chooses
backup_configasefsinconfig.tomlbackup is already configured during deployment, the below steps are not required and can be skipped. i.e.,backup_config = "efs". If we have kept thebackup_configblank, then the configuration needs to be configured manually.
Overview
A shared file system is always required to create OpenSearch snapshots. To register the snapshot repository using OpenSearch, it is necessary to mount the same shared filesystem to the exact location on all master and data nodes. Register the location in the path.repo setting on all master and data nodes.
Setting up the backup configuration
To create an EFS file system, please refer to the sample steps on the Create your Amazon EFS file system page.
Let’s create a folder structure
/mnt/automate_backups/on all the Frontend and backend nodes, then we have to mount EFS to all the vm’s manually. To do that please refer this
Configuration in OpenSearch Node
Mount the EFS on all OpenSearch Node. For example you mount the EFS to folder structure
/mnt/automate_backups/Create an
opensearchsub-directory and set permissions as mention below (all the OpenSearch nodes).sudo mkdir -p /mnt/automate_backups/opensearch sudo chown hab:hab /mnt/automate_backups/opensearch/
Configuration for OpenSearch Node from Provision host
Configure the OpenSearch path.repo attribute.
Create a toml file (
os_config.toml) and add below template[path] repo = "/mnt/automate_backups/opensearch"Patch the config
os_config.tomlfrom bastion to the OpenSearch cluster.chef-automate config patch --opensearch os_config.tomlAbove command will restart the OpenSearch cluster.
Healthcheck commands
Get the OpenSearch Cluster status
chef-automate status --osFollowing command can be run in the OpenSearch node
hab svc status (check whether OpenSearch service is up or not) curl -k -X GET "<https://localhost:9200/_cat/indices/*?v=true&s=index&pretty>" -u admin:admin (Another way to check is to check whether all the indices are green or not) # Watch for a message about OpenSearch going from RED to GREEN `journalctl -u hab-sup -f | grep 'automate-ha-opensearch'
Configuration for Automate node from Bastion host
Mount the EFS to all the Frontend node manually. For example you mount the EFS to folder structure
/mnt/automate_backupsCreate an
automate.tomlfile on the bastion host using the following command:touch automate.tomlAdd the following configuration to
automate.tomlon the bastion host:[global.v1.external.opensearch.backup] enable = true location = "fs" [global.v1.external.opensearch.backup.fs] # The `path.repo` setting you've configured on your OpenSearch nodes must be a parent directory of the setting you configure here: path = "/mnt/automate_backups/opensearch" [global.v1.backups.filesystem] path = "/mnt/automate_backups/backups"Patch the
configusing the below command../chef-automate config patch --frontend automate.toml
Backup and Restore commands
Backup
Run the backup command from Bastion as shown below to create a backup:
chef-automate backup create
Restore
Pre-Restore Validation
Run the restore command with the –verify-restore-config flag to validate the configuration settings before initiating the restore process. To perform the pre-check, run the following command from the bastion host:
chef-automate backup restore <BACKUP-ID> --yes -b /mnt/automate_backups/backups --verify-restore-config
The verification process ensures that the backup and restore configurations are correct and identifies potential issues so they can be addressed in advance.
Run Restore
To restore backed-up data of the Chef Automate High Availability (HA) using External File System (EFS), follow the steps given below:
Check the status of all Chef Automate and Chef Infra Server front-end nodes by executing the
chef-automate statuscommand.Execute the restore command from bastion
chef-automate backup restore <BACKUP-ID> -b /mnt/automate_backups/backups --airgap-bundle </path/to/bundle>.
Note
- If you are restoring the backup from an older version, then you need to provide the
--airgap-bundle </path/to/current/bundle>. - Large Compliance Report is not supported in Automate HA
Troubleshooting
Follow the steps below if Chef Automate encounters an error during data restoration.
Check the Chef Automate status.
chef-automate statusCheck the status of your Habitat service on the Automate node.
hab svc statusIf the deployment services are not healthy, reload them.
hab svc load chef/deployment-serviceCheck the status of the Automate node, and then attempt to run the restore command from the bastion host.
To change the
base_pathorpath, follow the steps below for performing a backup.File System
- During deployment, the
backup_mountis default set to/mnt/automate_backups. - The deployment process will automatically apply the updated path if you update the
backup_mountvalue in theconfig.tomlfile before deployment. - If the
backup_mountvalue is changed after deployment (e.g., to /bkp/backps), you must manually patch the configuration on all frontend and backend nodes. - Update the FE nodes using the template below. To update the configuration, use the command
chef-automate config patch fe.toml --fe.
[global.v1.backups] [global.v1.backups.filesystem] path = "/bkp/backps" [global.v1.external.opensearch.backup] [global.v1.external.opensearch.backup.fs] path = "/bkp/backps"- Update the OpenSearch nodes using the template provided below. Use the
chef-automate config patch os.toml --oscommand to update the Opensearch node configs.
[path] repo = "/bkp/backps"Run the curl request against one of the Automate frontend nodes.
curl localhost:10144/_snapshot?prettyIf the response is an empty JSON object
{}, no changes are required to the snapshot settings in the OpenSearch cluster.If you see a JSON response similar to the example below, check that the
backup_mountsetting is correctly configured. Use thelocationvalue in the response to verify. It should start with/bkp/backps.
{ "chef-automate-es6-event-feed-service" : { "type" : "fs", "settings" : { "location" : "/mnt/automate_backups/opensearch/automate-elasticsearch-data/chef-automate-es6-event-feed-service" } }, "chef-automate-es6-compliance-service" : { "type" : "fs", "settings" : { "location" : "/mnt/automate_backups/opensearch/automate-elasticsearch-data/chef-automate-es6-compliance-service" } }, "chef-automate-es6-ingest-service" : { "type" : "fs", "settings" : { "location" : "/mnt/automate_backups/opensearch/automate-elasticsearch-data/chef-automate-es6-ingest-service" } }, "chef-automate-es6-automate-cs-oc-erchef" : { "type" : "fs", "settings" : { "location" : "/mnt/automate_backups/opensearch/automate-elasticsearch-data/chef-automate-es6-automate-cs-oc-erchef" } } }- If the prefix in the
locationvalue does not match thebackup_mount, the existing snapshots must be deleted. Use the script below to delete the snapshots from the one of the Automate frontend nodes.
snapshot=$(curl -XGET http://localhost:10144/_snapshot?pretty | jq 'keys[]') for name in $snapshot;do key=$(echo $name | tr -d '"') curl -XDELETE localhost:10144/_snapshot/$key?pretty done- The above script requires
jqto be installed, You can install it from the airgap bundle. To locate thejqpackage, run the command below on one of the Automate frontend nodes.
ls -ltrh /hab/cache/artifacts/ | grep jq -rw-r--r--. 1 ec2-user ec2-user 730K Dec 8 08:53 core-jq-static-1.6-20220312062012-x86_64-linux.hart -rw-r--r--. 1 ec2-user ec2-user 730K Dec 8 08:55 core-jq-static-1.6-20190703002933-x86_64-linux.hart- If multiple versions of
jqare available, install the latest one. Use the command below to install thejqpackage on one of the Automate frontend nodes.
hab pkg install /hab/cache/artifacts/core-jq-static-1.6-20190703002933-x86_64-linux.hart -bf
- During deployment, the
Object Storage
- During deployment, the
backup_configshould be set toobject_storage. - To use
object_storage, we use the following template during deployment.
[object_storage.config] google_service_account_file = "" location = "" bucket_name = "" access_key = "" secret_key = "" endpoint = "" region = ""- If you configured it before deployment, then you are all set.
- If you want to change the
bucketorbase_path, use the following template for Frontend nodes.
[global.v1] [global.v1.external.opensearch.backup.s3] bucket = "<BUCKET_NAME>" base_path = "opensearch" [global.v1.backups.s3.bucket] name = "<BUCKET_NAME>" base_path = "automate"You can assign any value to the
base_pathvariable. Thebase_pathconfiguration is required only for the Frontend nodes.Use the command
chef-automate config patch frontend.toml --feto apply the above template and update the configuration.Use the following curl request to validate the configuration.
curl localhost:10144/_snapshot?prettyIf the response is an empty JSON object ({}), the configuration is valid.
If the response contains a JSON output similar to the example below, it should have the correct value for the
base_path.{ "chef-automate-es6-event-feed-service" : { "type" : "s3", "settings" : { "bucket" : "MY-BUCKET", "base_path" : "opensearch/automate-elasticsearch-data/chef-automate-es6-event-feed-service", "readonly" : "false", "compress" : "false" } }, "chef-automate-es6-compliance-service" : { "type" : "s3", "settings" : { "bucket" : "MY-BUCKET", "base_path" : "opensearch/automate-elasticsearch-data/chef-automate-es6-compliance-service", "readonly" : "false", "compress" : "false" } }, "chef-automate-es6-ingest-service" : { "type" : "s3", "settings" : { "bucket" : "MY-BUCKET", "base_path" : "opensearch/automate-elasticsearch-data/chef-automate-es6-ingest-service", "readonly" : "false", "compress" : "false" } }, "chef-automate-es6-automate-cs-oc-erchef" : { "type" : "s3", "settings" : { "bucket" : "MY-BUCKET", "base_path" : "opensearch/automate-elasticsearch-data/chef-automate-es6-automate-cs-oc-erchef", "readonly" : "false", "compress" : "false" } } }- If the
base_pathvalue does not match, you must delete the existing snapshots. Please take a look at the File System troubleshooting steps for guidance.
- If the
- During deployment, the