Comments (2)
mjenk664
commented on August 23, 2024
Hey @peterhaochen47 ,
I was able to find a Workaround, see my notes below on Potential Fix 1) and 2).
Potential Fix 1)
This suggestion did not work for me. After adding
features:
use_dns_addresses: true
to my concourse manifest, re-deploying, and performing the backup - I received the following error:
In the above screenshot, the BOSH DNS Name is used. However, the Full DNS name is returned. Unfortunately, it still does not match the Common Name that is used on the postgres server certificate.
There is another property in the bosh docs for features.use_short_dns_addresses that states this property is used for certificate common names, so I tried that. However, this also did not work.
When adding this property to the manifest and re-deploying Concourse, the deployment fails when it starting the uaa Job on the Web VM with the following error:
Potential Fix 2)
I was able to get Potential Fix 2) working using the bbr-postgres-db Job from the postgres bosh release
The bbr-postgres-db job has a property to disable SSL Hostname Verfication:
It appears there is no option that exists for this in the bbr-credhubdb job, which is why the backup fails with the hostname verification error when consuming this job from the credhub release
Below are the steps I implemented:
- Created a new operations file called
backup-postgres.ymlwith the following config:
# Add release for backup-and-restore-sdk
- type: replace
path: /releases/name=backup-and-restore-sdk?
value:
name: backup-and-restore-sdk
version: ((bbr_sdk_version))
url: https://bosh.io/d/github.com/cloudfoundry-incubator/backup-and-restore-sdk-release?v=((bbr_sdk_version))
# Add the database-backup-restore job to the db VM
- type: replace
path: /instance_groups/name=db/jobs/-
value:
release: backup-and-restore-sdk
name: database-backup-restorer
# Add the bbr-postgres-db job to enable BBR backups for the postgres db
# NOTE: When TLS is enabled for postgres, the BBR backup fails with a hostname verification error
# Therefore, we must set the ssl_verify_hostname property to FALSE (Sets to TRUE by default)
#---------------------------------
- type: replace
path: /instance_groups/name=db/jobs/-
value:
name: bbr-postgres-db
release: postgres
properties:
postgres:
databases:
- credhub
- atc
- uaa
ssl_verify_hostname: false
- Removed the
backup-atc.ymlfrom my deploy script and added my newly createdbackup-postgres.ymlops file:
#!/bin/bash
bosh deploy \
-d concourse ./cluster/concourse.yml \
-l vars.yml \
-l versions.yml \
-o ./cluster/operations/basic-auth.yml \
-o ./cluster/operations/privileged-https.yml \
-o ./cluster/operations/tls.yml \
-o ./cluster/operations/encryption.yml \
-o ./cluster/operations/uaa.yml \
-o ./cluster/operations/credhub-colocated.yml \
-o ./cluster/operations/secure-internal-postgres.yml \
-o ./cluster/operations/secure-internal-postgres-bbr.yml \
-o ./cluster/operations/secure-internal-postgres-uaa.yml \
-o ./cluster/operations/secure-internal-postgres-credhub.yml \
-o ./backup-postgres.yml
-
Re-deployed Concourse
-
Once Concourse re-deployed, I ran my backup-concourse Job and was able to successfully take a backup of the postgres database containing the ATC, CredHub, and UAA databases:
After taking the backup, I untarred the tgz/tar file and I could see the .sql files for each database.
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100# ls -l backup/
total 160
drwx------ 1 root root 0 Feb 26 04:50 concourse_20210226T045031Z
-rw-r--r-- 1 root root 163236 Feb 26 04:50 product_concourse_2021-02-26-04-50-54.tgz
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100# cd backup/
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100/backup# tar -xvf product_concourse_2021-02-26-04-50-54.tgz
concourse_20210226T045031Z/db-0-bbr-postgres-db.tar
concourse_20210226T045031Z/manifest.yml
concourse_20210226T045031Z/metadata
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100/backup# ls -l concourse_20210226T045031Z/
total 368
-rw-r--r-- 1 root root 358400 Feb 26 04:50 db-0-bbr-postgres-db.tar
-rw-r--r-- 1 root root 8276 Feb 26 04:50 manifest.yml
-rw-r--r-- 1 root root 460 Feb 26 04:50 metadata
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100/backup# cd concourse_20210226T045031Z/
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100/backup/concourse_20210226T045031Z# tar -xvf db-0-bbr-postgres-db.tar
./
./postgres_uaa.sql
./postgres_credhub.sql
./postgres_atc.sql
root@3333a357-0504-458c-51f0-a1c4dac8a6f1:/tmp/build/c03f8100/backup/concourse_20210226T045031Z# ls -l
total 712
-rw-r--r-- 1 root root 358400 Feb 26 04:50 db-0-bbr-postgres-db.tar
-rw-r--r-- 1 root root 8276 Feb 26 04:50 manifest.yml
-rw-r--r-- 1 root root 460 Feb 26 04:50 metadata
-rw-r--r-- 1 root root 261771 Feb 26 04:50 postgres_atc.sql
-rw-r--r-- 1 root root 30200 Feb 26 04:50 postgres_credhub.sql
-rw-r--r-- 1 root root 53704 Feb 26 04:50 postgres_uaa.sql
Let me know if you have any questions on this workaround. I hope this helps!
from concourse-bosh-deployment.
Related Issues (20)
- versions file assumes access to bosh.io, provide an operations file that _forces_ offline mode
- uaa requires the disabling of postgres TLS to be used correctly HOT 2
- uaa requires larger canary watch
- documented uaa and credhub versions as vars files
- make AZs a variables, rather than hard code it, it is never `z1` HOT 1
- AZs need to be parameterized in all Ops files
- v6.1.0 - tagged incorrectly in this repo - Concourse unable to track HOT 2
- basic-auth.yml ops file has a misleading name
- Oauth2: cannot fetch token: 404.. Response: 404 page not found; Concourse 5.5.11 to 6.3.0 upgrade HOT 1
- credhub and uaa dbs are not backed up when colocated on web HOT 2
- bionic stemcell HOT 8
- mTLS unintentionally(?) enabled when deploying v7.0.0+ HOT 3
- concourse 7.3.1 upgrade failure HOT 4
- BBR 1.15.0 deployment fails, but 1.18.9 succeeds
- uaa job fails to start when using ssl mode on self signed certs
- The v7.4.4 versions.yml references v.7.4.0. HOT 4
- Empty versions.yml for 7.9.0 concourse release HOT 5
- Are there plans to update the stemcell to Jammy Jellyfish? HOT 2
- Web instance is not running after update. (pthread_create failed) HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from concourse-bosh-deployment.