NAS backup: automated infrastructure backup (database, configs, certificates)#12900
NAS backup: automated infrastructure backup (database, configs, certificates)#12900jmsperu wants to merge 2 commits into
Conversation
Adds automated backup of CloudStack infrastructure to NAS storage: - MySQL databases (cloud + cloud_usage if enabled) - Management server configuration (/etc/cloudstack/management/) - Agent configuration (/etc/cloudstack/agent/) - SSL certificates and keystores Backup runs daily via BackgroundPollManager, configurable via global settings: - nas.infra.backup.enabled (default: false) - nas.infra.backup.location (NAS mount path) - nas.infra.backup.retention (default: 7 backup sets) - nas.infra.backup.include.usage.db (default: true) Backups are stored in the NAS backup storage under infra-backup/ with automatic retention management. Uses mysqldump --single-transaction for hot database backup (no table locks, InnoDB consistent snapshot). Database credentials are read from /etc/cloudstack/management/db.properties.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## 4.22 #12900 +/- ##
============================================
+ Coverage 17.61% 17.68% +0.06%
- Complexity 15676 15801 +125
============================================
Files 5917 5923 +6
Lines 531537 533336 +1799
Branches 64985 65232 +247
============================================
+ Hits 93610 94297 +687
- Misses 427369 428387 +1018
- Partials 10558 10652 +94
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Code LGTM. However, I wonder whether backing up the CloudStack database from within CloudStack itself is the right approach. In most deployments, database backups are usually handled externally by administrators (e.g., via cron jobs or existing backup tooling). That approach may be simpler and more flexible operationally. |
|
@weizhouapache fair point — the intent here was never to replace external/operational DB backup tooling, but to give small and edge deployments a one-knob "backup the management plane to the same NAS that already holds my VM backups" option for disaster recovery (rebuild from a fresh management server using only what's on the NAS). Concrete adjustments I can make:
Does that split land closer to where you'd want it? |
sound like good improvements to the PR @jmsperu (not sure if @weizhouapache agrees ;) ) |
@jmsperu |
|
Thanks both — and @weizhouapache, the cron-job suggestion is fair for any deployment with existing ops tooling. The hard mode here is the first-day greenfield small deployment where the operator has CloudStack + a NAS and not yet a cron infrastructure; they should be able to opt-in to a unified backup target without standing up a separate process. But that's an opt-in, not a default. I'll push the three-point scope reduction in the next revision:
If even the opt-in DB path is undesirable (you'd rather we don't ship that code at all and just keep configs+certs), happy to drop it entirely — let me know. Also need to fix the codecov failures — adding unit tests in the next push. |
Addresses @weizhouapache's review: by default, production deployments should manage CloudStack DB backups via existing external tooling (cron + mysqldump, replication, etc), not via the in-process backup task. The DB component is now gated on a new explicit ConfigKey that defaults to false. - New ConfigKey: nas.infra.backup.include.database (Boolean, default false, Global scope). When false, the InfrastructureBackupTask runs only the configs + certs path (where there is no reasonable external alternative). - nas.infra.backup.enabled description rewritten to make the new split clear and to steer production users toward the cron-job pattern for the DB. - nas.infra.backup.include.usage.db description updated to clarify it has no effect unless include.database is also true. - New InfrastructureBackupTaskTest with 9 tests covering the gating decisions: master switch off, empty location, DB-skipped-by-default, both DBs when usage enabled, usage flag ignored when DB excluded, props unreadable, retention always runs, daily interval. Addresses codecov coverage gap on this PR (143 untested lines was the original report). - backupDatabase/backupDirectory/cleanupOldBackups + loadDbProperties + the ConfigKey accessors made protected so tests can override the side-effecting paths without standing up ProcessBuilder.
|
Pushed the scope reduction discussed above.
Ready for another look. If you'd still rather drop the DB component entirely and ship configs+certs only, happy to do that in a follow-up — let me know. |
|
Friendly nudge — the opt-in DB ConfigKey push + new unit tests are queued but GH Actions has it as |
There was a problem hiding this comment.
Pull request overview
This PR extends the NAS backup plugin beyond VM disk backups by adding a scheduled background task that backs up CloudStack “infrastructure” artifacts (management/agent config + SSL certs, and optionally the DB) to a NAS location, with retention cleanup.
Changes:
- Adds
InfrastructureBackupTask(BackgroundPollTask) that creates timestamped backup sets under{nas.infra.backup.location}/infra-backup/. - Adds new global ConfigKeys to enable/locate/configure retention and optional DB + usage DB backups.
- Adds unit tests covering enablement/location gating and DB include flag behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/InfrastructureBackupTask.java | Implements the daily infra backup workflow (mysqldump + tar) and retention cleanup. |
| plugins/backup/nas/src/main/java/org/apache/cloudstack/backup/NASBackupProvider.java | Registers new ConfigKeys and schedules the new background poll task. |
| plugins/backup/nas/src/test/java/org/apache/cloudstack/backup/InfrastructureBackupTaskTest.java | Adds tests for feature gating and DB inclusion toggles. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Use --single-transaction for InnoDB hot backup (no table locks, consistent snapshot) | ||
| String[] cmd = {"/bin/bash", "-c", | ||
| String.format("mysqldump --single-transaction --routines --triggers --events " + | ||
| "-h '%s' -u '%s' -p'%s' '%s' | gzip > '%s'", | ||
| dbHost, dbUser, dbPassword, dbName, dumpFile)}; |
| File[] backups = infraDir.listFiles(File::isDirectory); | ||
| if (backups == null || backups.length <= retentionCount) { | ||
| return; | ||
| } | ||
|
|
||
| // Sort by name (timestamp-based), oldest first | ||
| Arrays.sort(backups, Comparator.comparing(File::getName)); | ||
|
|
||
| int toDelete = backups.length - retentionCount; |
| private void deleteDirectory(File dir) { | ||
| File[] files = dir.listFiles(); | ||
| if (files != null) { | ||
| for (File file : files) { | ||
| if (file.isDirectory()) { | ||
| deleteDirectory(file); | ||
| } else { |
| @Override | ||
| public boolean configure(String name, Map<String, Object> params) throws ConfigurationException { | ||
| super.configure(name, params); | ||
| backgroundPollManager.submitTask(new InfrastructureBackupTask(this)); | ||
| return true; |
| private final NASBackupProvider provider; | ||
|
|
||
| public InfrastructureBackupTask(NASBackupProvider provider) { | ||
| this.provider = provider; |
| if (!dir.mkdirs()) { | ||
| LOG.error("Failed to create backup directory: {}", backupDir); | ||
| return; | ||
| } |
|
Hi @DaanHoogland @sureshanaparti @kiranchavala — this one's been green for a while now. Adds an automated NAS infrastructure backup (mgmt server db, configs, certs) on top of the existing NAS backup framework. CI is clean, no merge conflicts. Could one of you take a look when you have a moment? Happy to clarify anything about the design choices in the PR description. |
|
Hi @jmsperu you have lots of open PRs around improving the NAS provider. We will get to all your PRs, but it might take some time. So please be patient.
|
|
Thanks @abh1sar — completely understood on the prioritisation, and no rush from me. Happy for this one to sit until #13074 is through your queue. In the meantime, on all my open NAS-provider PRs I'll:
I'll scope the activity to test-plan confirmations + Copilot replies (no rebases / no force-pushes that would re-trigger reviewers). If you'd prefer I close any of these as low-priority and re-open after #13074 lands, say the word and I'll do that instead. |
|
Quick clarification on my previous comment — rather than proactively sweeping the open Copilot threads / TestPlans, I'll stand by for your direction. When you (or whoever picks each PR up) want me to act on a specific thread, tick a specific TestPlan item, push a fix, or close a PR as superseded, just ping and I'll turn it around quickly. Goal is to not add work to your queue while you're heads-down on #13074. Standing by. |
|
Dear @jmsperu, this is an excellent idea. Many ACS deployments lack thorough backups for real disaster recovery situations. Here is our current approach for anyone looking for alternative methods:
Example of the line that dumps, encrypts, and uploads backups: mysqldump --no-tablespaces --lock-tables=false -R cloud | gpg -r "<PUB_KEY_ID>" --yes --encrypt - | mc pipe --quiet <BUCKET>/acs/cloud.sql.pgp || success=falseI hope it helps someone! |
Summary
Adds a new
InfrastructureBackupTaskto the NAS backup plugin that performs daily backups of CloudStack infrastructure (database, management/agent configs, SSL certs) to NAS storage.Problem
CloudStack's NAS backup provider only backs up VM disks. The management server database, agent configurations, SSL certificates, and global settings are not backed up. If the management server fails, all metadata is lost unless someone manually configured mysqldump cron.
Solution
A new background poll task that automatically backs up:
cloud+ optionallycloud_usage) usingmysqldump --single-transactionfor InnoDB-consistent hot backups/etc/cloudstack/management/)/etc/cloudstack/agent/) if present/etc/cloudstack/management/cert/) if presentDatabase credentials are read from
/etc/cloudstack/management/db.propertiesat runtime (no secrets stored in global config).Configuration
nas.infra.backup.enabledfalsenas.infra.backup.location/mnt/nas-backup)nas.infra.backup.retention7nas.infra.backup.include.usage.dbtruecloud_usagedatabaseBackup Structure
Changes
InfrastructureBackupTask.java- background task implementingBackgroundPollTaskNASBackupProvider.java- added 4 ConfigKeys, scheduled the backup taskTest plan
nas.infra.backup.enabled=trueandnas.infra.backup.location=/mnt/test-backupcloud-*.sql.gzdatabase dump is created and restorablemanagement-config.tar.gzcontains/etc/cloudstack/management/filesagent-config.tar.gzis created only when agent config dir existsdb.propertiesgracefullycloud_usagebackup is included/excluded based on config