This is a collection of Concourse tasks for backing up a Pivotal Cloud Foundry installation using bbr. The intention of this collection is to provide a set of example Concourse scripts to perform BBR tasks. This is not a supported product, although we will try out best to respond via Github issues to any problems faced.
- export-om-installation: Export Ops Manager installation settings
- bbr-backup-director: Run
bbr director backup
- bbr-cleanup-director: Run
bbr director backup-cleanup
- check-opsman-status: Check
Apply changes
is not inflight before taking a backup. If it is, the task fails. This should prevent a backup from taking place. Please refer to the example pipelines to see how the task is used.
- bbr-backup-pas: Run
bbr deployment backup
for PAS - bbr-cleanup-pas: Run
bbr deployment backup-cleanup
for PAS
- bbr-backup-pks: Run
bbr deployment backup
for PKS control plane - bbr-cleanup-pks: Run
bbr deployment backup-cleanup
for PKS control plane - bbr-backup-pks-clusters: Run
bbr deployment --all-deployments backup
for all PKS clusters - bbr-cleanup-pks-clusters: Run
bbr deployment --all-deployments backup-cleanup
for all PKS clusters - lock-pks: Lock PKS control plane
- unlock-pks: Unlock PKS control plane
- extract-bbr-binary: Extracts the linux bbr binary from tarfile
For Concourse to pull the tasks it needs to reach out to GitHub. We use the SSH method to download the tasks from GitHub in the example pipelines and we strongly recommend that the HTTPS method is not used. Concourse typically polls GitHub for any changes to the target Git repo and the HTTPS method is subject to rate limits. The SSH method is not subject to the same rate limits as it authenticates the client against a GitHub user which has much higher limits.
Please create and add and SSH key to your GitHub account as this will needs to be used in the pipeline secrets.
To use any of these tasks, apart from export-om-installation
, you will need either:
- a Concourse worker with access to your Ops Manager private networks. You can find an example template for deploying an external worker in a different network to your Concourse deployment here
- or, provide the
OPSMAN_PRIVATE_KEY
to use a SSH tunnel via the Ops Manager VM. This key is not required if your concourse worker has access to the Ops Manager private networks. Please note, using a SSH tunnel may increase the time taken to drain backup artifacts. Backup artifacts can be very large and using a SSH tunnel will be a significant overhead on network performance.
The backup tasks will run bbr
commands on your Concourse worker. Ensure that your Concourse workers have enough disk space to accommodate your backup artifacts.
Example pipelines and secrets are provided to show how to use these tasks to back up PAS or PKS.
Running regular backups (at least every 24 hours) and storing multiple copies of backup artifacts in different datacenters is highly recommended. The time Concourse resource can be added to the pipeline to trigger backups regularly.
There are a variety of storage resources such as S3 that can be used to move backups to storage. A list of Concourse resources can be found here.
The BBR task for backing up deployments will communicate with the BOSH API.
You can proxy this request by setting the BOSH_ALL_PROXY
environment variable:
BOSH_ALL_PROXY
:: Proxy used to reach the bosh director. Example:ssh+socks5://[email protected]:22
In addition, you may be in the habit of proxying other requests using
the HTTPS_PROXY
environment variable. This is common if, for
example, you have a concourse deployed on one k8s cluster that is
usually used to test apps deployed to another k8s cluster.
HTTPS_PROXY
:: Proxy for all other requests. Example:proxy.example.com
You can also set the NO_PROXY
environment variable with a list of
IPs, IP prefixes, or domains where the proxy should not be used. This
will cause BBR and other utilities to ignore BOSH_ALL_PROXY
and
HTTPS_PROXY
for requests to those addresses. BBR uses standard go
libraries for
interpreting NO_PROXY
, and so will behave similarly to other
utilities.
A common pattern is to use a proxy for the majority of your network
communication, but to exclude the bosh director. For this use-case,
you can set the SET_NO_PROXY
environment variable to true
in your
backup task. This will have the effect of prepending the BOSH director
IP to the NO_PROXY
list. Otherwise, the NO_PROXY
environment
variable will not be changed.
- task: bbr-backup-pas
file: bbr-pipeline-tasks-repo/tasks/bbr-backup-pas/task.yml
params:
SKIP_SSL_VALIDATION: ((skip-ssl-validation))
OPSMAN_URL: ((opsman-url))
OPSMAN_USERNAME: ((opsman-username))
OPSMAN_PASSWORD: ((opsman-password))
OPSMAN_PRIVATE_KEY: ((opsman-private-key))
SET_NO_PROXY: true
The inputs, outputs, params, filename, and filepath of all task files in this repo are part of a semantically versioned API. See our documentation for a detailed discussion of our semver API. See www.semver.org for an explanation of semantic versioning.
This repository has git tags that can be used to pin to a specific version. For example, here is how to pin to v1.0.0 using tag_filter
:
resources:
- name: bbr-pipeline-tasks-repo
type: git
source:
uri: https://github.com/pivotal-cf/bbr-pcf-pipeline-tasks.git
branch: master
tag_filter: v1.0.0