(SOLARCH-581) Implement recovery actions

Author: reidmv

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+    "python.linting.pylintEnabled": true,
+    "python.linting.enabled": true
+}

functions/recovery_opts_default.pp

@@ -0,0 +1,10 @@
+function peadm::recovery_opts_default () {
+  {
+    'orchestrator' => true,
+    'puppetdb'     => true,
+    'rbac'         => true,
+    'activity'     => true,
+    'ca'           => false,
+    'classifier'   => true,
+  }
+}

plans/backup.pp

@@ -1,77 +1,118 @@
 # @summary Backup the core user settings for puppet infrastructure
 #
-# This plan can backup data as outlined at insert doc 
+# This plan can backup data as outlined at insert doc
 # 
 plan peadm::backup (
-  Peadm::SingleTargetSpec $primary_host,
+  # This plan should be run on the primary server
+  Peadm::SingleTargetSpec $targets,
 
   # Which data to backup
-  Boolean                 $backup_orchestrator    = true,
-  Boolean                 $backup_rbac            = true,
-  Boolean                 $backup_activity        = true,
-  Boolean                 $backup_ca_ssl          = true,
-  Boolean                 $backup_puppetdb        = false,
-  Boolean                 $backup_classification  = true,
-  String                  $output_directory       = '/tmp',
+  Peadm::Recovery_opts    $backup = {},
+
+  # Where to put the backup folder
+  String                  $output_directory = '/tmp',
 ) {
   peadm::assert_supported_bolt_version()
-  $cluster = run_task('peadm::get_peadm_config', $primary_host).first
+
+  $recovery_opts = (peadm::recovery_opts_default() + $backup)
+  $cluster = run_task('peadm::get_peadm_config', $targets).first.value
   $arch = peadm::assert_supported_architecture(
-    $primary_host,
-    $cluster['replica_host'],
-    $cluster['primary_postgresql_host'],
-    $cluster['replica_postgresql_host'],
-    $cluster['compiler_hosts'],
+    getvar('cluster.params.primary_host'),
+    getvar('cluster.params.replica_host'),
+    getvar('cluster.params.primary_postgresql_host'),
+    getvar('cluster.params.replica_postgresql_host'),
+    getvar('cluster.params.compiler_hosts'),
   )
 
-  $timestamp = Timestamp.new().strftime('%F_%T')
+  $timestamp = Timestamp.new().strftime('%Y-%m-%dT%H%M%SZ')
   $backup_directory = "${output_directory}/pe-backup-${timestamp}"
 
-  # Create backup folder
-  apply($primary_host){
+  $primary_target = getvar('cluster.params.primary_host')
+  $puppetdb_postgresql_target = getvar('cluster.params.primary_postgresql_host') ? {
+    undef   => getvar('cluster.params.primary_host'),
+    default => getvar('cluster.params.primary_postgresql_host'),
+  }
+
+  $backup_databases = {
+    'orchestrator' => $primary_target,
+    'activity'     => $primary_target,
+    'rbac'         => $primary_target,
+    'puppetdb'     => $puppetdb_postgresql_target,
+  }.filter |$key,$_| {
+    $recovery_opts[$key] == true
+  }
+
+  # Create backup folders
+  apply($primary_target) {
     file { $backup_directory :
       ensure => 'directory',
       owner  => 'root',
-      group  => 'pe-postgres',
-      mode   => '0770'
+      group  => 'root',
+      mode   => '0700'
     }
-  }
 
-  # Create an array of the names of databases and whether they have to be backed up to use in a lambda later
-  $database_to_backup = [ $backup_orchestrator, $backup_activity, $backup_rbac, $backup_puppetdb]
-  $database_names     = [ 'pe-orchestrator' , 'pe-activity' , 'pe-rbac' , 'pe-puppetdb' ]
+    # Create a subdir for each backup type selected
+    $recovery_opts.filter |$_,$val| { $val == true }.each |$dir,$_| {
+      file { "${backup_directory}/${dir}":
+        ensure => 'directory',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0700'
+      }
+    }
+  }
 
-  if $backup_classification {
+  if getvar('recovery_opts.classifier') {
     out::message('# Backing up classification')
-    run_task('peadm::backup_classification', $primary_host,
-    directory => $backup_directory,
+    run_task('peadm::backup_classification', $primary_target,
+      directory => "${backup_directory}/classifier",
     )
   }
 
-  if $backup_ca_ssl {
+  if getvar('recovery_opts.ca') {
     out::message('# Backing up ca and ssl certificates')
-    run_command("/opt/puppetlabs/bin/puppet-backup create --dir=${backup_directory} --scope=certs", $primary_host)
+    run_command(@("CMD"), $primary_target)
+      /opt/puppetlabs/bin/puppet-backup create --dir=${shellquote($backup_directory)}/ca --scope=certs
+      | CMD
   }
 
   # Check if /etc/puppetlabs/console-services/conf.d/secrets/keys.json exists and if so back it up
-  out::message('# Backing up ldap secret key if it exists')
-  run_command("test -f /etc/puppetlabs/console-services/conf.d/secrets/keys.json && cp -rp /etc/puppetlabs/console-services/conf.d/secrets/keys.json ${backup_directory} || echo secret ldap key doesnt exist" , $primary_host) # lint:ignore:140chars
+  if getvar('recovery_opts.rbac') {
+    out::message('# Backing up ldap secret key if it exists')
+    run_command(@("CMD"/L), $primary_target)
+      test -f /etc/puppetlabs/console-services/conf.d/secrets/keys.json \
+        && cp -rp /etc/puppetlabs/console-services/conf.d/secrets ${shellquote($backup_directory)}/rbac/ \
+        || echo secret ldap key doesnt exist
+      | CMD
+  }
 
   # IF backing up orchestrator back up the secrets too /etc/puppetlabs/orchestration-services/conf.d/secrets/
-  if $backup_orchestrator {
+  if getvar('recovery_opts.orchestrator') {
     out::message('# Backing up orchestrator secret keys')
-    run_command("cp -rp /etc/puppetlabs/orchestration-services/conf.d/secrets ${backup_directory}/", $primary_host)
+    run_command(@("CMD"), $primary_target)
+      cp -rp /etc/puppetlabs/orchestration-services/conf.d/secrets ${shellquote($backup_directory)}/orchestrator/
+      | CMD
   }
 
-  $database_to_backup.each |Integer $index, Boolean $value | {
-    if $value {
-    out::message("# Backing up database ${database_names[$index]}")
-      # If the primary postgresql host is set then pe-puppetdb needs to be remotely backed up to primary.
-      if $database_names[$index] == 'pe-puppetdb' and $cluster['primary_postgresql_host'] {
-        run_command("sudo -u pe-puppetdb /opt/puppetlabs/server/bin/pg_dump \"sslmode=verify-ca host=${cluster['primary_postgresql_host']} sslcert=/etc/puppetlabs/puppetdb/ssl/${primary_host}.cert.pem sslkey=/etc/puppetlabs/puppetdb/ssl/${primary_host}.private_key.pem sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem dbname=pe-puppetdb\" -f /tmp/puppetdb_$(date +%F_%T).bin" , $primary_host) # lint:ignore:140chars
-      } else {
-        run_command("sudo -u pe-postgres /opt/puppetlabs/server/bin/pg_dump -Fc \"${database_names[$index]}\" -f \"${backup_directory}/${database_names[$index]}_$(date +%F_%T).bin\"" , $primary_host) # lint:ignore:140chars
-      }
-    }
+  $backup_databases.each |$name,$database_target| {
+    run_command(@("CMD"/L), $primary_target)
+      /opt/puppetlabs/server/bin/pg_dump -Fd -Z3 -j4 \
+        -f ${shellquote($backup_directory)}/${shellquote($name)}/pe-${shellquote($name)}.dump.d \
+        "sslmode=verify-ca \
+         host=${shellquote($database_target.peadm::certname())} \
+         user=pe-${shellquote($name)} \
+         sslcert=/etc/puppetlabs/puppetdb/ssl/${shellquote($primary_target.peadm::certname())}.cert.pem \
+         sslkey=/etc/puppetlabs/puppetdb/ssl/${shellquote($primary_target.peadm::certname())}.private_key.pem \
+         sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem \
+         dbname=pe-${shellquote($name)}"
+      | CMD
   }
+
+  run_command(@("CMD"/L), $primary_target)
+    umask 0077 \
+      && tar -czf ${shellquote($backup_directory)}.tar.gz ${shellquote($backup_directory)} \
+      && rm -rf ${shellquote($backup_directory)}
+    | CMD
+
+  return({'path' => "${backup_directory}.tar.gz"})
 }

plans/restore.pp

@@ -0,0 +1,204 @@
+# @summary Restore the core user settings for puppet infrastructure from backup
+#
+# This plan can restore data to puppet infrastructure for DR and rebuilds
+# 
+plan peadm::restore (
+  # Standard
+  Peadm::SingleTargetSpec           $primary_host,
+  # Which data to restore
+  Boolean                            $restore_orchestrator    = true,
+  Boolean                            $restore_rbac            = true,
+  Boolean                            $restore_activity        = true,
+  Boolean                            $restore_ca_ssl          = true,
+  Boolean                            $restore_puppetdb        = false,
+  Boolean                            $restore_classification  = true,
+  String                             $input_directory         = '/tmp',
+  String                             $working_directory       = '/tmp',
+  String                             $backup_timestamp,
+){
+  peadm::assert_supported_bolt_version()
+  $cluster = run_task('peadm::get_peadm_config', $primary_host).first.value
+
+  $arch = peadm::assert_supported_architecture(
+    $primary_host,
+    $cluster['params']['replica_host'],
+    $cluster['params']['primary_postgresql_host'],
+    $cluster['params']['replica_postgresql_host'],
+    $cluster['params']['compiler_hosts'],
+  )
+  $servers = delete_undef_values([$primary_host , $cluster['params']['replica_host'] ])
+  $cluster_servers = delete_undef_values($servers + $cluster['params']['compiler_hosts'] + [ $cluster['params']['primary_postgresql_host'], $cluster['params']['replica_postgresql_host']]) # lint:ignore:140chars
+  if $cluster['params']['compiler_hosts'] {
+    $check_puppetdb_on_compilers = run_task('service', $cluster['params']['compiler_hosts'],
+      action => 'status',
+      name   => 'pe-puppetdb'
+    )
+    $puppetdb_on_compilers = $check_puppetdb_on_compilers.filter_set | $result | {
+      $result['enabled'] == 'enabled'
+    }.targets
+  } else {
+    $puppetdb_on_compilers = undef
+  }
+  $puppetdb_servers = delete_undef_values([$servers,$puppetdb_on_compilers])
+  $backup_directory = "${input_directory}/pe-backup-${backup_timestamp}"
+  $database_backup_directory = "${working_directory}/pe-backup-databases-${backup_timestamp}"
+  # I need the actual hostname for the certificate in a remote puppetdb backup. If a user sends primary host as IP it will fail
+  $primary_host_fqdn = $cluster['params']['primary_host']
+  $primary_postgresql_host = $cluster['params']['primary_postgresql_host']
+  apply($primary_host){
+    file { $database_backup_directory :
+      ensure => 'directory',
+      owner  => 'pe-puppetdb',
+      group  => 'pe-postgres',
+      mode   => '0770'
+    }
+  }
+
+  # Create an array of the names of databases and whether they have to be backed up to use in a lambda later
+  $database_to_restore = [ $restore_orchestrator, $restore_activity, $restore_rbac, $restore_puppetdb]
+  $database_names      = [ 'pe-orchestrator' , 'pe-activity' , 'pe-rbac' , 'pe-puppetdb' ]
+
+  peadm::assert_supported_bolt_version()
+
+  if $restore_classification {
+
+    out::message('# Restoring classification')
+    run_task('peadm::backup_classification', $primary_host,
+      directory => $working_directory
+    )
+    out::message("# Backed up current classification to ${working_directory}/classification_backup.json")
+
+    run_task('peadm::transform_classification_groups', $primary_host,
+      source_directory => $backup_directory,
+      working_directory => $working_directory
+    )
+
+    run_task('peadm::restore_classification', $primary_host,
+    classification_file => "${working_directory}/classification_backup.json",
+    )
+  }
+
+  if $restore_ca_ssl {
+    out::message('# Restoring ca and ssl certificates')
+    run_command("/opt/puppetlabs/bin/puppet-backup restore ${backup_directory}/pe_backup-*tgz --scope=certs --tempdir=${working_directory} --force", $primary_host) # lint:ignore:140chars
+  }
+
+  ## shutdown services
+    run_task('service', $servers,
+      action => 'stop',
+      name   => 'pe-console-services'
+    )
+    run_task('service', $primary_host,
+      action => 'stop',
+      name   => 'pe-nginx'
+    )
+    run_task('service', $servers,
+      action => 'stop',
+      name   => 'pe-puppetserver'
+    )
+    run_task('service', $servers,
+      action => 'stop',
+      name   => 'pxp-agent'
+    )
+    run_task('service', $primary_host,
+      action => 'stop',
+      name   => 'pe-orchestration-services'
+    )
+    run_task('service', $cluster_servers,
+      action => 'stop',
+      name   => 'puppet'
+    )
+    run_task('service', $puppetdb_servers ,
+      action => 'stop',
+      name   => 'pe-puppetdb'
+    )
+
+
+  # Restore secrets/keys.json if it exists
+  out::message('# Restoring ldap secret key if it exists')
+  run_command("test -f ${backup_directory}//keys.json && cp -rp ${backup_directory}/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ || echo secret ldap key doesnt exist" , $primary_host) # lint:ignore:140chars
+
+  # IF restoring orchestrator restore the secrets too /etc/puppetlabs/orchestration-services/conf.d/secrets/
+  if $restore_orchestrator {
+    out::message('# Restoring orchestrator secret keys')
+    run_command("cp -rp ${backup_directory}/secrets/* /etc/puppetlabs/orchestration-services/conf.d/secrets ", $primary_host)
+  }
+
+  $database_to_restore.each |Integer $index, Boolean $value | {
+    if $value {
+    out::message("# Restoring database ${database_names[$index]}")
+      # If the primary postgresql host is set then pe-puppetdb needs to be remotely backed up to primary.
+      if $database_names[$index] == 'pe-puppetdb' and $primary_postgresql_host {
+        # Drop pglogical extensions and schema if present
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql --tuples-only -d '${database_names[$index]}' -c 'DROP SCHEMA IF EXISTS pglogical CASCADE;'\"", $primary_postgresql_host) # lint:ignore:140chars
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d '${database_names[$index]}' -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public;'\"", $primary_postgresql_host) # lint:ignore:140chars
+        # To allow pe-puppetdb to restore the database grant temporary privileges
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d '${database_names[$index]}' -c 'ALTER USER \\\"pe-puppetdb\\\" WITH SUPERUSER;'\"", $primary_postgresql_host) # lint:ignore:140chars
+        # Restore database
+        run_command("/opt/puppetlabs/server/bin/pg_restore -d \"sslmode=verify-ca host=${primary_postgresql_host} sslcert=/etc/puppetlabs/puppetdb/ssl/${primary_host_fqdn}.cert.pem sslkey=/etc/puppetlabs/puppetdb/ssl/${primary_host_fqdn}.private_key.pem sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem dbname=pe-puppetdb user=pe-puppetdb\" -Fd ${backup_directory}/puppetdb_*" , $primary_host) # lint:ignore:140chars
+        # Remove pe-puppetdb privileges post restore
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d '${database_names[$index]}' -c 'ALTER USER \\\"pe-puppetdb\\\" WITH NOSUPERUSER;'\"", $primary_postgresql_host) # lint:ignore:140chars
+        # Drop pglogical extension and schema (again) if present after db restore
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql --tuples-only -d '${database_names[$index]}' -c 'DROP SCHEMA IF EXISTS pglogical CASCADE;'\"",$primary_postgresql_host) # lint:ignore:140chars
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d '${database_names[$index]}' -c 'DROP EXTENSION IF EXISTS pglogical CASCADE;;'\"",$primary_postgresql_host) # lint:ignore:140chars
+      } else {
+        # Drop pglogical extensions and schema if present
+        run_command("su - pe-postgres -s '/bin/bash' -c \"/opt/puppetlabs/server/bin/psql --tuples-only -d '${database_names[$index]}' -c 'DROP SCHEMA IF EXISTS pglogical CASCADE;'\"", $primary_host) # lint:ignore:140chars
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d '${database_names[$index]}' -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public;'\"", $primary_host) # lint:ignore:140chars
+        # Restore database
+        run_command("cp -pr ${backup_directory}/${database_names[$index]}_* ${database_backup_directory}/ ", $primary_host )
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/pg_restore ${database_backup_directory}/${database_names[$index]}_* -Fd -j4 --dbname=${database_names[$index]}\"", $primary_host)# lint:ignore:140chars
+        run_command("sudo -H -u pe-postgres /opt/puppetlabs/server/bin/pg_restore -d ${database_names[$index]} -c ${database_backup_directory}/${database_names[$index]}_*",$primary_host) # lint:ignore:140chars
+        run_command("rm -rf ${database_backup_directory}/${database_names[$index]}_*", $primary_host )
+        # Drop pglogical extension and schema (again) if present after db restore
+        run_command("su - pe-postgres -s '/bin/bash' -c \"/opt/puppetlabs/server/bin/psql --tuples-only -d '${database_names[$index]}' -c 'DROP SCHEMA IF EXISTS pglogical CASCADE;'\"",$primary_host) # lint:ignore:140chars
+        run_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d '${database_names[$index]}' -c 'DROP EXTENSION IF EXISTS pglogical CASCADE;'\"",$primary_host) # lint:ignore:140chars
+      }
+    }
+  }
+
+  ## Restart services
+  run_task('service', $primary_host,
+    action => 'start',
+    name   => 'pe-orchestration-services'
+  )
+  run_task('service', $servers,
+    action => 'start',
+    name   => 'pxp-agent'
+  )
+  run_task('service', $servers,
+    action => 'start',
+    name   => 'pe-puppetserver'
+  )
+  run_task('service', $primary_host,
+    action => 'start',
+    name   => 'pe-nginx'
+  )
+  run_task('service', $servers,
+    action => 'start',
+    name   => 'pe-console-services'
+  )
+  run_task('service', $cluster_servers,
+    action => 'start',
+    name   => 'puppet'
+  )
+  run_task('service', $puppetdb_servers,
+    action => 'start',
+    name   => 'pe-puppetdb'
+  )
+# If we have replicas reinitalise any databases restored
+  if $cluster['params']['replica_host'] {
+    $database_to_restore.each |Integer $index, Boolean $value | {
+      if $database_names[$index] != 'pe-puppetdb' and $cluster['params']['replica_postgresql_host'] {
+        run_command("/opt/puppetlabs/bin/puppet-infra reinitialize replica --db ${database_names[$index]} -y", $cluster['params']['replica_host'] ) # lint:ignore:140chars
+      }
+    }
+  }
+
+  apply($primary_host){
+    file { $database_backup_directory :
+      ensure => 'absent',
+      force  => true
+    }
+  }
+}

spec/plans/backup_spec.rb

@@ -6,10 +6,12 @@
 
   it 'runs with default params' do
     allow_apply
+    pending('a lack of support for functions requires a workaround to be written')
     expect_task('peadm::get_peadm_config').always_return({ 'primary_postgresql_host' => 'postgres' })
     expect_out_message.with_params('# Backing up ca and ssl certificates')
-    # The commands all have a timestamp in them and frankly its prooved to hard with bolt spec to work this out
+    # The commands all have a timestamp in them and frankly its proved to hard with bolt spec to work this out
     allow_any_command
+    allow_apply
     expect_out_message.with_params('# Backing up database pe-orchestrator')
     expect_out_message.with_params('# Backing up database pe-activity')
     expect_out_message.with_params('# Backing up database pe-rbac')