Sidecar Backups
In this example use case we provide three different strategies for accessing files that have been written to an Ondat persistent volume.
In the following examples the “application” container is the container main
,
which has a rsync, Nginx or sftp sidecar container. The Ondat volume that
the application is writing to will be mounted into the sidecar container so
files written by the application are available for export. Files can be
exported using Nginx as a web file server, transferred using rsync or accessed
via SFTP.
The files create a stateful set that can be used AFTER an Ondat cluster has been created. See our guide on how to install Ondat on Kubernetes for more information.
Clone Repository
In order to deploy the examples, clone this repository and use kubectl to create the Kubernetes objects.
git clone https://github.com/storageos/use-cases.git storageos-usecases
cd storageos-usecases/backup
💡 Before deploying the backup-example stateful set we recommend looking through the examples to understand how the different containers are configured
Exfiltrating files through HTTP
-
Deploy the Nginx example
$ kubectl create -f nginx/ service/backup-example created configmap/nginx-config created statefulset.apps/backup-example created pod/busybox created
-
Check that a backup-example pod is running
$ kubectl get pods -w -l app=backup-example-nginx NAME READY STATUS RESTARTS AGE backup-example-0 1/1 Running 0 1m
-
Exec into the
main
container and write some data to a file$ kubectl exec -it backup-example-nginx-0 -c main bash root@backup-example-0:/# echo $(date) > /data/date.txt
-
Check that the service exists
$ kubectl get svc backup-example-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE backup-example-nginx ClusterIP 100.65.18.199 <none> 80/TCP 46s
-
Use wget to access the files served by Nginx. Nginx is sharing files from the same volume that the
main
application container is writing to. The connection to the Nginx container is made via the backup-example service.$ kubectl exec -it busybox -- /bin/wget -q -O- http://backup-example-nginx <html> <head><title>Index of /</title></head> <body> <h1>Index of /</h1><hr><pre><a href="/docs/">/docs/</a> <a href="lost%2Bfound/">lost+found/</a> 12-Feb-2019 12:32 - <a href="date.txt">date.txt</a> 12-Feb-2019 12:49 29 </pre><hr></body> </html> $ kubectl exec -it busybox -- /bin/wget -q -O- http://backup-example-nginx/date.txt Tue Feb 12 12:49:15 UTC 2019
Depending on what files have been written to the Ondat volume the output of the index file will be different. In the example the date.txt file we created in Step 2 is present on the volume.
Exfiltrating files through Rsync
-
Deploy the rsync example
$ kubectl create -f rsync/ service/backup-example created configmap/rsync-config created secret/rsync-credentials created statefulset.apps/backup-example created pod/rsync created
-
Check that a backup-example pod is running
$ kubectl get pods -w -l app=backup-example-rsync NAME READY STATUS RESTARTS AGE backup-example-0 1/1 Running 0 1m
-
Exec into the
main
container and write some data to a file$ kubectl exec -it backup-example-rsync-0 -c main bash root@backup-example-0:/# echo $(date) > /data/date.txt
-
Check that the service exists
$ kubectl get svc backup-example-rsync NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE backup-example-rsync ClusterIP 100.65.18.199 <none> 873/TCP 46s
-
Use rsync to access the files shared by the rsync daemon. rsync is sharing files from the same volume that the
main
container is writing to. A username and password that are set in the rsync-credentials secret. The secret supplied in the example has the username and password set to username and password.$ kubectl exec -it rsync sh / # rsync --list-only rsync://username@backup-example-rsync/share Password: drwxr-xr-x 4,096 2019/02/12 12:49:15 . -rw-r--r-- 29 2019/02/12 12:49:15 date.txt drwx------ 16,384 2019/02/12 12:32:40 lost+found / # rsync -chavzP rsync://username@backup-example-rsync/share/date.txt . Password: receiving incremental file list date.txt 29 100% 28.32kB/s 0:00:00 (xfr#1, to-chk=0/1) sent 43 bytes received 135 bytes 50.86 bytes/sec total size is 29 speedup is 0.16 / # cat date.txt Tue Feb 12 12:49:15 UTC 2019
In the example above the list of available files was shown and a file called date.txt was synchronized to the rsync container.
Exfiltrating files through SFTP
-
Deploy the sftp example
kubectl create -f sftp/
-
Exec into the
main
container and write some data to a file$ kubectl exec -it backup-example-sftp-0 -c main bash root@backup-example-0:/# echo $(date) > /data/date.txt
-
Check that the service exists
$ kubectl get svc backup-example-sftp NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE backup-example-sftp ClusterIP 100.70.50.56 <none> 22/TCP 2h
-
Use SFTP to access the files shared by the SFTP container. If you have made no changes to the sftp-config secret the password is password.
$ kubectl exec -it sftp -- bash root@sftp:/# sftp alex@backup-example-sftp alex@backup-example-sftp's password: Connected to backup-example-sftp. sftp> ls date.txt lost+found sftp> get date.txt Fetching /date.txt to date.txt /date.txt 100% 29 15.9KB/s 00:00 sftp> bye root@sftp:/# cat date.txt Tue Feb 12 17:51:32 UTC 2019
In order to do this a SFTP user needs to be configured. The details for the
user are stored in the sftp-config secret (see sftp/17-secret.yaml
). The secret
consists of base64 encoded username:password:uid:guid and the user is chroot’ed
inside their home directory so the mount point for the Ondat volume in the
SFTP container in sftp/20-backup-pod.yaml
needs to be configured.
Using custom SSH Keys
The ConfigMap ssh-key-pub (see sftp/15-configmap.yaml
) needs to be populated with a
public key. The corresponding private key needs to be base64 encoded and put
into the ssh-key-private secret (see sftp/17-secret.yaml
). The user to connect as is
determined by the user that is configured in the sftp-config configMap. To
restrict logins to the SSH key edit the sftp-config secret so it contains no
password (user::uid:guid).
-
Connect to the sftp pod and connect through the service to the SFTP container running inside the backup-example pod.
$ kubectl exec -it sftp -- bash root@sftp:/# sftp -i /home/alex/.ssh/id_rsa alex@backup-example-sftp Connected to backup-example-sftp. sftp> ls date.txt lost+found