Chef server backups

There are a few ways to back up a Chef server. Opscode has some documentation on their wiki, Backing up Chef Server. Some of this is outdated now because Chef no longer uses CouchDB.

However, there is this little gem (pun intended) called knife-backup.

To put this to the test, install it first:

gem install knife-backup

More details are here

An execution looks like this:

knife backup export -D ./backups
Backing up clients
Backing up clients chef-validator
Backing up clients chef-webui
Backing up clients
Backing up clients
Backing up nodes
...Output Truncated...

This nicely exports all your settings such as nodes, clients, roles, environments and cookbooks into the backups directory. Typically your cookbooks would be version controlled via Git or some other revision control system, and you can restore them from there as well. This method allows you to completely mirror cookbooks from one Chef server to another, along with the other stuff, in a couple of simple commands.

ls backups
clients      cookbooks    data_bags    environments nodes        roles

To test your backup, spin up a new server and install Chef per your OS.

If you want to try this on an existing server, you can use the following:

**WARNING** : This will erase all your chef server data

sudo chef-server-ctl cleanse
sudo chef-server-ctl reconfigure

Copy /etc/chef-server/admin.pem from the new server to your local workstation. You will use this user to perform the restore. Once you have restored, you can use the other clients/users that you were using with the original server.

knife backup restore -D ./backups -u admin -k <path to admin key> -s  <new server url>

This will restore to the new server with the exception of a few things, because knife restore does not overwrite existing clients:

  1. The admin user and its credentials.

  2. The chef-webui. This is used by the web-interface and so it makes sense to leave it.

  3. The chef-validator client. Now this has some implications. chef-validator’s key is used on a node when it runs the chef-client for the first time in order to get an API client identity. Since this key is now different from the one on your original server, if you are using knife to bootstrap nodes you will need to re-copy it to your knife workstation setup. Existing nodes don’t need this as they are already registered.

All said, this is a handy tool, and with a little bit of scripting you can run these backups hourly/daily and use timestamped directories.
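
One way to script the timestamped backups mentioned above, as an added example that is not part of the original post: it exports into an owner-only directory, checks that the directories shown in the `ls backups` output exist before giving the export its final name, and prunes old exports. `BACKUP_ROOT`, `KEEP`, `REQUIRED_DIRS` and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): timestamped knife-backup exports.
# BACKUP_ROOT, KEEP, REQUIRED_DIRS and the function names are assumptions.
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/chef}"
KEEP="${KEEP:-24}"   # number of newest exports to retain
# Directories seen in the post's `ls backups`; assumed present in every export.
REQUIRED_DIRS="${REQUIRED_DIRS:-clients cookbooks data_bags environments nodes roles}"

# Reject an export that is missing a directory or contains no clients at all
# (the post's server has at least chef-validator and chef-webui).
chef_backup_verify() {
    local dir="$1" d
    for d in ${REQUIRED_DIRS}; do
        [ -d "${dir}/${d}" ] || { echo "missing ${d}/ in ${dir}" >&2; return 1; }
    done
    [ -n "$(ls -A "${dir}/clients")" ] || { echo "no clients exported" >&2; return 1; }
}

# Export into <stamp>.partial, verify, then rename, so a directory with a
# final name is always a complete export. Prints the final path.
chef_backup_run() {
    local dest
    dest="${BACKUP_ROOT}/$(date -u +%Y%m%dT%H%M%SZ)"
    [ ! -e "${dest}" ] || { echo "${dest} already exists" >&2; return 1; }
    # Node attributes and data bags can hold secrets: owner-only permissions.
    ( umask 077
      mkdir -p "${dest}.partial" &&
      knife backup export -D "${dest}.partial" >&2 &&
      chef_backup_verify "${dest}.partial" &&
      mv "${dest}.partial" "${dest}" ) || return 1
    printf '%s\n' "${dest}"
}

# Timestamped names sort chronologically: delete all but the newest KEEP.
chef_backup_prune() {
    local old
    find "${BACKUP_ROOT}" -mindepth 1 -maxdepth 1 -type d -name '20*Z' | sort -r |
        tail -n +"$((KEEP + 1))" |
        while IFS= read -r old; do rm -rf -- "${old}"; done
}

# Cron entry point, e.g. hourly: chef-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    chef_backup_run && chef_backup_prune
fi
```

A failed or interrupted export is left behind as a `.partial` directory, which pruning ignores, so it can be inspected before being removed by hand.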

Sriram Rajan