-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IaaS standard on user data backup #541
IaaS standard on user data backup #541
Comments
Current StateBackup sources:
1. Glance Images1.1. Glance image downloadGlance images can be downloaded via Source: Glance storage backend On the contrary, Glance itself acts as a backup target for Ephemeral Storage disks of VMs in Nova or volume in Cinder, see section II. 2. Nova Server Disks (Ephemeral Storage)2.1. Nova disk to Glance image (Nova createImage API action)When
Source: Nova Ephemeral Storage backend 2.1.a Shelve actionFor the Source: Nova Ephemeral Storage backend 3. Cinder Volumes3.1. Cinder Backup APIWhen Backup backends are Swift, NFS, GlusterFS among others. The backup backend must be configured in Cinder.
Source: Cinder storage backend (e.g. Ceph RBD, LVM, etc.) 3.2. Nova createImage API actionWhen
This means that a VM with only volumes attached will result in an image that does only consist of metadata and links to Cinder snapshot references but no actual binary image data in Glance itself!
Source: Cinder storage backend 3.3. Cinder volume to Glance imageWhen Note that this does not work on volumes currently attached to VMs. To avoid having to detach them, a detour using a volume snapshot can be taken as shown below. 3.3.a Attached volume to Glance image
Source: Cinder storage backend 4. Barbican secretsBarbican secrets can originate from one of two actions:
4.1. Barbican secret downloadBarbican does not offer any backup mechanisms for secrets. Source: Barbican database |
Backups of encrypted volumes become useless if the encryption key is not backed up as well.
1. Retrieving encryption keysBefore Wallaby, point 1 was problematic for users since the secret reference was not visible to them via the API, so the key could not be identified in Barbican easily. Open question: do Glance images created from encrypted volumes have the key ID reference added to their metadata? I believe this should be the case otherwise they couldn't be restored properly? 2. Converting Barbican secrets to work with image backupsGlance images created from encrypted Cinder volumes using OpenStack uses a character transformation to convert potentially binary encryption keys to valid ASCII using This means that secrets downloaded from Barbican must pass the same conversion in case the image data (LUKS encrypted) is to be decrypted outside of OpenStack for backup restoration purposes. Footnotes |
I used an extended DevStack environment1 to answer the open questions above: Question 1
The secret of the volume is cloned and the clone's ID is then bound to the image and referenced as
Question 2
I was able to successfully mimick what OpenStack does with LUKS and the Barbican secret outside of Glance/Cinder using the following procedure: openstack image save --file image.raw $IMAGE_NAME_OR_ID
openstack image show -f value -c properties $IMAGE_NAME_OR_ID
# (use the value of `cinder_encryption_key_id` as `$SECRET_ID` below)
openstack secret get --file image.key --payload_content_type "application/octet-stream" $SECRET_ID
python3 -c "import binascii; \
f = open('image.key', 'rb'); \
print(binascii.hexlify(f.read()).decode('utf-8'))" \
| sudo cryptsetup luksOpen ./image.raw decrypted_image The image's contents are now loaded as Footnotes |
I've integrated the findings of the previous comment about the secret handling into the docs PR. |
Should we also add the user data provided via the meta data service to a running instance? |
Are you referring to the script/configuration data that can be passed as Your statement makes it sound like something that can be added at runtime but I'm not aware of anything after the creation of the server. It doesn't seem like In any case good point, I'll have a look. Footnotes |
FTR, I also inspected the behavior of Cinder Backup and encrypted volumes after adding Swift and Cinder Backup to my DevStack. When using
This is mostly identical to the behavior of |
I was thinking more about what happens if you use the backup for a migration to another cloud or have a DR case where you have to restore everything. In that case it makes sense IMO to backup the user data as well, even if it can't be modified. The user data itself is created by some external tool (e.g. Terraform). |
I had a look and this is stored in the
I have verified this and indeed the field is shown as empty if the API call is made as a normal user (even if it was the creator of the server) and only shows up when authenticated as admin. This is one thing we could change at the CSP side of things by creating a standard/decision that CSPs have to adjust their Nova API policy to make this field visible to users in the project. Footnotes |
It doesn't seem to be that easy because the policy file is not fine-grained enough: the visibility of all I don't think we can offer any means of retrieving the originally supplied Footnotes |
Cinder Backup problems with encrypted volume backupsWhile researching and testing proper instructions for handling Cinder volume backups, I stumbled upon some issues related to encrypted volumes. When the type of the volume, from which a backup is created, is a non-default encrypted type, things get messy. # create an encrypted (non-default) volume type
openstack volume type create \
--property volume_backend_name='lvmdriver-1' \
--encryption-provider luks \
--encryption-cipher aes-xts-plain64 \
--encryption-key-size 256 \
--encryption-control-location front-end \
lvmdriver-1-LUKS
# create encrypted volume
openstack volume create --size 2 --image "cirros-0.6.2-x86_64-disk" --type lvmdriver-1-LUKS encrypted-volume
# create backup from encrypted volume
openstack volume backup create --name volume-backup encrypted-volume
# restore backup into new volume
openstack volume backup restore volume-backup new-volume-restored-from-backup
# check the status of the volume
openstack volume show new-volume-restored-from-backup -f value -c status
error_restoring When inspecting the log output of the Cinder Backup service, the following log message can be seen:
The openstack volume create --size 2 --type lvmdriver-1-LUKS empty-volume
openstack volume backup restore --force volume-backup empty-volume openstack volume delete empty-volume encrypted-volume
# switch to admin and delete the volume type (DevStack example)
source openrc admin admin
openstack volume type delete lvmdriver-1-LUKS Now, the volume type that the backup originally was based on has been deleted, rendering the backup unusable because the matching volume type ID cannot be achieved by any new volume. In summary, this poses the following problems:
Here is the code part in Cinder Backup that compares the volume type IDs: |
I reported the issues identified in #541 (comment) as https://bugs.launchpad.net/cinder/+bug/2061458 upstream. |
For the CSP side of things, I drafted a standard at #567 to make Cinder volume backup mandatory. This ties in with what I wrote down in the user guide docs PR in regards to how to use the functionality. Beyond that I don't feel confident to create any other CSP-side standards on the IaaS user data backup topic and I think #527 is a better place for a holistic approach to CSP-side backups in general. Combining the availability of the volume backup functionality as per #567 and the user guide of SovereignCloudStack/docs#176 should give users the basic tools needed to create backups of their IaaS resources' data if necessary. |
As a CSP I want to know where user data1 is aggregated, how it can be backed up and which standards SCS establishes in regards to those backups.
As a customer I want clear documentation and guidelines on how to backup my user data1 using native OpenStack mechanisms or alternatives compatible with SCS clouds.
Definition of Done:
Footnotes
user data as in data uploaded by the user to the cloud and data generated by the user in the cloud at runtime (e.g. VM disk filesystems). This excludes network traffic, RAM contents and IDM data in Keystone as well as cloud resource configuration data (VM, volume, network metadata etc.). ↩ ↩2
The text was updated successfully, but these errors were encountered: