Consul Backup and Restore to new nodes


Sougrakpam

Mar 8, 2017, 6:16:03 PM
to Vault
Hello,

Just checking if anyone has been successful in restoring vault data into another consul node.

Vault Version: 0.6.4
Consul Version : 0.7.1

Using consul-backinator for backup and restore: https://github.com/myENA/consul-backinator


We have been trying to automate recovery from a disaster scenario when all of our servers die and we have to stand up a new cluster as fast as possible.

The following scenario works:
  • Stand up Consul in a docker container
  • Restore the data into consul data. 
  • Remove core/leader and core/lock data.
  • Stand up Vault natively on the machine
  • Connect to Consul and unseal.

What has not worked:
  • Stand up both Consul and Vault in a docker container
  • Restore the data into consul data. 
  • Remove core/leader and core/lock data.
  • Connect to Consul and unseal. All good up to this point,
    After this the leader Vault node gets stuck in standby mode. 
    Leader election goes into a loop and the core/leader keeps filling up really fast.
    Not sure if I am missing any configuration or consul/vault does not like the internal docker network.



Jeff Mitchell

Mar 8, 2017, 6:28:17 PM
to Vault
Hi,

Many of the third party tools don't properly base64 data going in and out. With recent Consul I recommend (and have myself used) the built-in 'consul kv export' capability to export and 'consul kv import' capability to import. It worked great.

If you're a Consul Enterprise customer there is the snapshotting capability as well.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9eb13c59-85b8-4272-b289-8b49e80aeefe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Randy Fay

Mar 8, 2017, 6:30:51 PM
to vault...@googlegroups.com
You say "connect to consul and unseal" - I'm sure you meant "Connect to vault and unseal".

I have definitely restored consul snapshots containing a full set of vault secrets (without enterprise) into different clusters without any trouble. Note that all the values are encrypted with the unseal key that only you know (neither consul nor vault knows how to make sense of the data without you providing this).

-Randy


Sougrakpam

Mar 8, 2017, 6:48:32 PM
to Vault
Thanks Jeff. I will try with the consul kv export and see if that works.


Sougrakpam

Mar 8, 2017, 6:51:14 PM
to Vault
Thanks Randy, yes I meant connect to Vault and unseal. The weird thing was that I was able to unseal and make vault operational when Vault was running natively on the machine but not when it was running in a container.
I will see if using the consul snapshot works out.

Cheers,
Sougrakpam

Richard Mauri

May 26, 2017, 9:07:48 AM
to Vault
Is it possible to restore just the Vault config and data obtained via consul snapshot save?
We have a backup system that periodically runs consul snapshot save.
We intend to restore the entire state of the consul snapshot to the same datacenter cluster in case of a DR situation.

But could we also restore just the vault config and data from this same consul snapshot to the same or different datacenter cluster?
Just to be clear, the vault config I mentioned includes things like policy setup, appid, approle, userpass and the like. The vault data is secrets from the generic secret backend.

Alternatively, if we would instead use consul kv export / import, what would have to be filtered out to get just the vault config & data?
I hear mention in the groups about removing core/leader and core/lock data. Is it documented? What is the complete recipe?

Thanks, Richard
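
Added example, not part of the thread and not HashiCorp's code: one way to filter `consul kv export` JSON down to Vault's keys, dropping the core/leader and core/lock entries the first post removes and rejecting values that are not valid base64 (the failure Jeff describes with third-party tools). The `vault/` prefix, the helper names and the sample entries are assumptions; adjust the prefix to the path in your Vault storage config.

```python
import base64
import binascii
import json

VAULT_PREFIX = "vault/"                  # assumption: Vault's path in Consul
TRANSIENT = ("core/leader", "core/lock")  # entries the thread removes after restore


def _is_transient(rel_key):
    # Match the key itself or anything beneath it, but not e.g. "core/lockdown".
    return any(rel_key == t or rel_key.startswith(t + "/") for t in TRANSIENT)


def filter_vault_export(export_json, prefix=VAULT_PREFIX):
    """Split `consul kv export` JSON into (entries to keep, keys with bad base64)."""
    kept, problems = [], []
    for entry in json.loads(export_json):
        key = entry["key"]
        if not key.startswith(prefix) or _is_transient(key[len(prefix):]):
            continue
        try:
            # Export values are base64 text; reject anything that is not.
            base64.b64decode(entry.get("value") or "", validate=True)
        except (binascii.Error, ValueError):
            problems.append(key)
            continue
        kept.append(entry)
    return kept, problems


def to_import_json(entries):
    """Serialize kept entries in the same array-of-objects shape as the export."""
    return json.dumps(entries, indent=2)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample export; keys and values are illustrative only.
SAMPLE_EXPORT = json.dumps([
    {"key": "app/config/db", "flags": 0, "value": _b64("unrelated")},
    {"key": "vault/core/keyring", "flags": 0, "value": _b64("ciphertext-1")},
    {"key": "vault/core/leader/1f2e", "flags": 0, "value": _b64("old-leader")},
    {"key": "vault/core/lock", "flags": 0, "value": _b64("old-lock")},
    {"key": "vault/logical/bad", "flags": 0, "value": "not base64!!"},
    {"key": "vault/sys/policy/dev", "flags": 0, "value": _b64("ciphertext-2")},
])

if __name__ == "__main__":
    kept, problems = filter_vault_export(SAMPLE_EXPORT)
    print(to_import_json(kept))
    print("rejected:", problems)
```

The output of `to_import_json` has the same shape as the export, so it can be written to a file and passed to `consul kv import`; any key listed as rejected should be re-exported rather than restored.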