├── .catwatch.yaml ├── .github └── workflows │ └── ci.yaml ├── .gitignore ├── .zappr.yml ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE.txt ├── MAINTAINERS ├── README.md ├── SECURITY.md ├── ZalandoGithubEnterprise.jpg ├── backup.config ├── bashtest ├── cleanup-tests.sh ├── prepare-tests.sh ├── test-convert-kms-private-ssh-key.sh ├── test-delete-instuck-progress.sh └── test-replace-convert-properties.sh ├── convert-kms-private-ssh-key.sh ├── cron-ghe-backup ├── cron-ghe-backup-another-aws-account ├── cron-ghe-backup-k8s-sample ├── final-docker-cmd.sh ├── python ├── delete_instuck_progress.py ├── extract_decrypt_kms.py ├── requirements.txt ├── test_delete_instuck_progress.py └── test_extract_decrypt_kms.py ├── replace-convert-properties.sh ├── run-tests.sh └── start_backup.sh /.catwatch.yaml: -------------------------------------------------------------------------------- 1 | # this file will be read by Catwatch 2 | # see https://github.com/zalando/catwatch/issues/32 3 | title: Github Enterprise AWS Backup 4 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | pull_request: 8 | branches: 9 | - master 10 | 11 | jobs: 12 | build: 13 | 14 | runs-on: ubuntu-latest 15 | strategy: 16 | matrix: 17 | python-version: [3.8] 18 | 19 | steps: 20 | - uses: actions/checkout@v2 21 | - name: Set up Python ${{ matrix.python-version }} 22 | uses: actions/setup-python@v2 23 | with: 24 | python-version: ${{ matrix.python-version }} 25 | - name: Install dependencies 26 | run: | 27 | python -m pip install --upgrade pip 28 | if [ -f python/requirements.txt ]; then pip install -r python/requirements.txt; fi 29 | - name: Run tests 30 | run: | 31 | nosetests -w python 32 | -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | .DS_Store 2 | python/__pycache__/ 3 | scm-source.json 4 | .idea 5 | *.pyc 6 | 7 | # testing folders 8 | ghe-backup-test/ 9 | ssh/ 10 | -------------------------------------------------------------------------------- /.zappr.yml: -------------------------------------------------------------------------------- 1 | X-Zalando-Team: machinery 2 | X-Zalando-Type: code 3 | 4 | approvals: 5 | groups: 6 | zalando: 7 | minimum: 2 8 | from: 9 | orgs: 10 | - zalando 11 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Contributions are welcome, and they are greatly appreciated! Every 4 | little bit helps, and credit will always be given. 5 | 6 | You can contribute in many ways: 7 | 8 | ## Types of Contributions 9 | 10 | ### Report Bugs 11 | 12 | 13 | Report bugs at [GitHub Issues](https://github.com/zalando/ghe-backup/issues) 14 | 15 | If you are reporting a bug, please include: 16 | 17 | * Any details about your setup that might be helpful in troubleshooting. 18 | * Detailed steps to reproduce the bug. 19 | 20 | ### Fix Bugs 21 | 22 | 23 | Look through the [GitHub Issues](https://github.com/zalando/ghe-backup/issues) for bugs. Anything tagged with [bug](https://github.com/zalando/ghe-backup/issues?utf8=%E2%9C%93&q=label%3Abug%20) 24 | and [help wanted](https://github.com/zalando/ghe-backup/issues?utf8=%E2%9C%93&q=label%3A%22help%20wanted%22%20) is open to whoever wants to implement it. 25 | 26 | ### Implement Features 27 | 28 | 29 | Look through the GitHub issues for features. 
Anything tagged with [enhancement](https://github.com/zalando/ghe-backup/issues?utf8=%E2%9C%93&q=label%3Aenhancement%20) 30 | and [help wanted](https://github.com/zalando/ghe-backup/issues?utf8=%E2%9C%93&q=label%3A%22help%20wanted%22%20) is open to whoever wants to implement it. 31 | 32 | 33 | ## Pull Request Guidelines 34 | 35 | 36 | Before you submit a pull request, check that it meets these guidelines: 37 | 38 | 1. Submit an issue or a detailed pull request description. 39 | 2. Add respective tests if the pull request contains code changes. 40 | 2. If the pull request changes or adds functionality, the readme should be updated. 41 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.opensource.zalan.do/library/python-3.8:latest 2 | MAINTAINER team-code@zalando.de 3 | 4 | ARG BACKUP_UTILS_VERSION=stable 5 | 6 | # folder structure and user 7 | RUN \ 8 | # read package lists 9 | apt-get update -y && \ 10 | # update w/ latest security patches 11 | # install python pip3 & english, git, screen etc 12 | apt-get install -y --no-install-recommends unattended-upgrades python3 python3-dev python3-pip python3-yaml && \ 13 | apt-get install -y --no-install-recommends git && \ 14 | apt-get install -y --no-install-recommends ssh && \ 15 | apt-get install -y --no-install-recommends bash && \ 16 | apt-get install -y --no-install-recommends rsync && \ 17 | apt-get install -y --no-install-recommends cron && \ 18 | # install boto3 19 | pip3 install --upgrade boto boto3 && \ 20 | # clean apt-get lists 21 | rm -rf /var/lib/apt/lists/* && \ 22 | # create directories 23 | mkdir -p /backup/backup-utils/ && \ 24 | mkdir -p /kms && mkdir -p /var/log/ && mkdir /delete-instuck-backups 25 | WORKDIR /backup 26 | 27 | RUN \ 28 | # clone backup-utils 29 | git clone https://github.com/github/backup-utils.git && \ 30 | git -C /backup/backup-utils checkout 
$BACKUP_UTILS_VERSION 31 | 32 | # copy predefined backup config 33 | COPY backup.config /backup/backup-utils/backup.config 34 | 35 | # copy files to decrypt private ssh key using kms 36 | COPY python/extract_decrypt_kms.py /kms/extract_decrypt_kms.py 37 | COPY convert-kms-private-ssh-key.sh /kms/convert-kms-private-ssh-key.sh 38 | COPY start_backup.sh /start_backup.sh 39 | 40 | # copy file to drop in stuck backup 41 | COPY python/delete_instuck_progress.py /delete-instuck-backups/delete_instuck_progress.py 42 | 43 | # copy cron job 44 | COPY cron-ghe-backup /etc/cron.d/ghe-backup 45 | 46 | # copy finale CMD commands 47 | COPY final-docker-cmd.sh /backup/final-docker-cmd.sh 48 | COPY replace-convert-properties.sh /backup/replace-convert-properties.sh 49 | 50 | 51 | #PLACEHOLDER_4_COPY_SCM_SOURCE_JSON 52 | 53 | RUN \ 54 | # change mode of files 55 | chmod 0644 /etc/cron.d/ghe-backup && \ 56 | chmod +x /kms/extract_decrypt_kms.py && \ 57 | chmod +x /kms/convert-kms-private-ssh-key.sh && \ 58 | chmod +x /delete-instuck-backups/delete_instuck_progress.py && \ 59 | chmod +x /start_backup.sh && \ 60 | chmod +x /backup/replace-convert-properties.sh && \ 61 | chmod +x /backup/final-docker-cmd.sh 62 | 63 | USER root 64 | 65 | # cron must run as root 66 | CMD "/backup/final-docker-cmd.sh" 67 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 
15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright 2015 Zalando SE 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /MAINTAINERS: -------------------------------------------------------------------------------- 1 | Rasha Malek 2 | Serhii Cherniavskyi 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Deprecation Notice 2 | This repository is deprecated. 3 | No further engineering work or support will happen. 4 | If you are interested in further development of the code please feel free to fork it. 5 | 6 | 7 | # Github Enterprise Backup 8 | 9 | [![Build Status](https://travis-ci.org/zalando/ghe-backup.svg?branch=master)](https://travis-ci.org/zalando/ghe-backup) 10 | [![Code Climate](https://codeclimate.com/github/zalando/ghe-backup/badges/gpa.svg)](https://codeclimate.com/github/zalando/ghe-backup) 11 | [![Hex.pm](https://img.shields.io/hexpm/l/plug.svg)](https://github.com/zalando/ghe-backup/blob/master/LICENSE.txt) 12 | 13 | [Zalando Tech's ](https://tech.zalando.com/) [Github Enterprise](https://enterprise.github.com/) backup approach. 
14 | 15 | ## Overview 16 | [Github Enterprise](https://enterprise.github.com/) at Zalando Tech is a 17 | [high availability](https://help.github.com/enterprise/2.11/admin/guides/installation/configuring-github-enterprise-for-high-availability/) 18 | setup running master and replica instances on AWS. 19 | The AWS account that runs the [high availability](https://help.github.com/enterprise/2.11/admin/guides/installation/configuring-github-enterprise-for-high-availability/) 20 | setup also runs one backup host. 21 | [Zalando Tech's ](https://tech.zalando.com/) [Github Enterprise](https://enterprise.github.com/) backup 22 | can also run as a [POD](https://kubernetes.io/docs/concepts/workloads/pods/pod/#what-is-a-pod) 23 | inside a [Kubernetes](https://kubernetes.io/) cluster. 24 | 25 | We believe this backup approach provides reliable backup data even in case one AWS account or Kubernetes cluster is compromised. 26 | 27 | ![overview](/ZalandoGithubEnterprise.jpg "backup approach overview") 28 | 29 | Basically [Zalando Tech's ](https://tech.zalando.com/) [Github Enterprise](https://enterprise.github.com/) backup 30 | wraps github's [backup-utils](https://github.com/github/backup-utils) in a 31 | [Docker](https://www.docker.com/) container. 32 | 33 | If running on Kubernetes, a [stateful set](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/) 34 | including [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) and 35 | [volume claims](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) stores the actual backup data. 36 | See a sample [statefulset below](https://github.com/zalando/ghe-backup/blob/master/README.md#kubernetes-stateful-set-volume-volume-claim). 37 | [Zalando Kubernetes](https://github.com/zalando-incubator/kubernetes-on-aws#kubernetes-on-aws) is based on AWS, so [volume claims 38 | are based on EBS](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#aws).
39 | 40 | If running on AWS, an [EBS volume](https://aws.amazon.com/de/ebs/) stores the actual backup data. 41 | This way one can access the data even if the regarding backup host is down. 42 | 43 | 44 | 45 | ## Local docker development 46 | 47 | ### create a ghe-backup docker image 48 | ```docker build --rm -t [repo name]:[tag] . ``` 49 | e.g. 50 | ```docker build --rm -t pierone.stups.zalan.do/machinery/ghe-backup:0.0.7 . ``` 51 | 52 | #### run the image 53 | ```docker run -d --name [repo name]:[tag] ``` 54 | e.g. 55 | ```docker run -d --name ghe-backup pierone.stups.zalan.do/machinery/ghe-backup:0.0.7 ``` 56 | 57 | or with connected bash: 58 | ```docker run -it --entrypoint /bin/bash --name [repo name]:[tag] ``` 59 | e.g. 60 | ```docker run -it --entrypoint /bin/bash --name ghe-backup pierone.stups.zalan.do/machinery/ghe-backup:0.0.7 ``` 61 | 62 | ##### attach to the running local container 63 | ```docker attach --sig-proxy=false [repo name] ``` 64 | ###### detach from the running local container (does not stop the container) 65 | ```CTRL+C ``` 66 | 67 | ##### run bash in running docker container 68 | ```sudo docker exec -i -t [ContainerID] bash ``` 69 | ###### exit bash 70 | ```exit ``` 71 | 72 | 73 | ### IAM [policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) settings 74 | 75 | [Zalando Tech's ](https://tech.zalando.com/) [Github Enterprise](https://enterprise.github.com/) backup hosts contain 76 | private ssh keys that have to match with public ssh keys registered on the Github Enterprise main instance. 77 | Private ssh keys should not be propagated unencrypted with deployments. 78 | AWS KMS allows to encrypt any kind of data, so this service is used to encrypt the private ssh key for both, 79 | [Zalando Tech's ](https://tech.zalando.com/) [Github Enterprise](https://enterprise.github.com/) backup running on AWS and Kubernetes. 80 | KMS actions are managed by policies to make sure only configured tasks can be performed. 
81 | 82 | A kms policy similar to the one shown below is needed to: 83 | * allow kms decryption of the encrypted ssh key 84 | * access s3 bucket 85 | * use EBS volume 86 | ``` 87 | ... 88 | "Resource": [ 89 | "arn:aws:s3:::[yourMintBucket]/[repo name]/*" 90 | ] 91 | ... 92 | "Effect": "Allow", 93 | "Action": [ 94 | "ec2:DescribeVolumes", 95 | "ec2:AttachVolume", 96 | "ec2:DetachVolume" 97 | ], 98 | "Resource": "*" 99 | ... 100 | ``` 101 | You can find a full policy sample here in the [gist "ghe-backup-kms-policy-sample" ](https://gist.github.com/lotharschulz/725026cfdd599cf6243d) 102 | 103 | Make sure you have a corresponding [role](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that allows managing your policy. 104 | 105 | ### Configure an [EBS](https://aws.amazon.com/de/ebs/) volume for backup data 106 | 107 | Backup data shall be saved on an [EBS](https://aws.amazon.com/de/ebs/) volume to persist backups even if the backup instance goes down. The creation of such an ebs volume is described in [creating-ebs-volume guide](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html). 108 | After creating an EBS volume, you have to make sure you can use it as described in [ebs-using-volumes](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html). 109 | 110 | Please note: You need to format the EBS volume before you use it, otherwise you may experience issues like: 111 | [_You must specify the file type_](https://forums.aws.amazon.com/thread.jspa?messageID=450413). 112 | 113 | 114 | ## Tests 115 | There are two kinds of tests available: 116 | * python nose tests 117 | * bash tests 118 | 119 | Both can be run with ```./run-tests.sh```. 120 | Please note: 121 | 122 | * tests leveraging kms require aws logins e.g. via aws cli. That's why those do not run on ci environments out of the box.
The `run-tests.sh` script uses _zaws_ (a zalando internal tool that is the successor of the former open source tool mai) 123 | * *make sure* you run ```bashtest/cleanup-tests.sh``` in order to clean up afterwards. 124 | 125 | ### Nosetest 126 | 127 | #### decrypt test 128 | * precondition: you are logged in with AWS e.g. using [mai](https://stups.io/mai) 129 | ```mai login [awsaccount-role]``` 130 | * test run: 131 | ```nosetests -w python -v --nocapture test_extract_decrypt_kms.py``` 132 | 133 | #### delete in stuck in progress files 134 | ```nosetests -w python -v --nocapture test_delete_instuck_progress.py``` 135 | 136 | #### run all test minimum output 137 | ```nosetests -w python``` 138 | 139 | ### Bash tests 140 | Please go to the bashtest directory: 141 | ``` cd bashtest ``` and run the tests: 142 | ``` ./test-convert-kms-private-ssh-key.sh ``` 143 | 144 | ### Running in an additional AWS account 145 | Please adapt the cron tab definitions when running in another AWS account e.g. to the values in cron-ghe-backup-another-aws-account. 146 | This lowers the load on the Github Enterprise master with respect to backup attempts. 147 | 148 | 149 | ### Restore 150 | 151 | Restoring backups is based on github's _[using the backup and restore commands](https://github.com/github/backup-utils#using-the-backup-and-restore-commands)_. 152 | The actual _ghe-restore_ command gets issued from the backup host. Please note: the backup restore can run for several hours. 153 | [Nohup](https://en.wikipedia.org/wiki/Nohup) is recommended to keep the restore process running even if the shell connection is lost. 154 | 155 | sample steps include: 156 | ``` 157 | # put the ghe instance to restore to into maintenance mode 158 | # ssh into your ec2 instance and exec into your container 159 | # docker exec -it [container label or ID] bash/sh 160 | # or 161 | # exec into your pod 162 | # kubectl exec -it [your pod e.g.
statefulset-ghe-backup-0] bash/sh 163 | nohup /backup/backup-utils/bin/ghe-restore -f [IP address of the ghe master to restore] & 164 | # monitor the backup progress 165 | tail -f nohup.out 166 | ``` 167 | 168 | ## Contribution 169 | pls refer to [CONTRIBUTING.md](CONTRIBUTING.md) 170 | 171 | ## Zalando specifics 172 | 173 | ### [Taupage AMI](https://github.com/zalando-stups/taupage) 174 | The [Taupage AMI](https://github.com/zalando-stups/taupage) is mandatory for backup hosts of [Zalando Tech's ](https://tech.zalando.com/) [Github Enterprise](https://enterprise.github.com/) for compliance reasons. 175 | As [Taupage AMI](https://github.com/zalando-stups/taupage) is part of [Stups](https://stups.io/), other [Stups](https://stups.io/) technologies like [Senza](https://github.com/zalando-stups/senza) are also used for local development. 176 | 177 | ### Upload Docker images to [pierone](https://github.com/zalando-stups/pierone) (a Zalando docker registry) would be: 178 | ```docker push [repo name]:[tag]``` 179 | e.g. 180 | ```docker push pierone.stups.zalan.do/machinery/ghe-backup:cdp-master-38``` 181 | 182 | ### Senza yaml file 183 | [Stups](https://stups.io/) requires a [senza yaml file](http://docs.stups.io/en/latest/components/senza.html#senza-info) 184 | to deploy an artefact to AWS. Such a yaml file gets basically translated to 185 | [AWS CloudFormation templates ](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html) 186 | that causes a stack being deployed. 187 | 188 | A sample senza yaml file would be: 189 | ``` 190 | # basic information for generating and executing this definition 191 | SenzaInfo: 192 | StackName: hello-world 193 | Parameters: 194 | - ImageVersion: 195 | Description: "Docker image version of hello-world." 
196 | # a list of senza components to apply to the definition 197 | SenzaComponents: 198 | # this basic configuration is required for the other components 199 | - Configuration: 200 | Type: Senza::StupsAutoConfiguration # auto-detect network setup 201 | AvailabilityZones: [myAZ] # use EBS volume's AZ 202 | # will create a launch configuration and auto scaling group with scaling triggers 203 | - AppServer: 204 | Type: Senza::TaupageAutoScalingGroup 205 | InstanceType: t2.micro 206 | SecurityGroups: 207 | - app-{{Arguments.ApplicationId}} 208 | IamRoles: 209 | - app-{{Arguments.ApplicationId}} 210 | AssociatePublicIpAddress: false # change for standalone deployment in default VPC 211 | TaupageConfig: 212 | application_version: "{{Arguments.ImageVersion}}" 213 | runtime: Docker 214 | source: "stups/hello-world:{{Arguments.ImageVersion}}" 215 | mint_bucket: "{{Arguments.MintBucket}}" 216 | kms_private_ssh_key: "aws:kms:myAWSregion:123456789:key/myrandomstringwithnumbers123456567890" 217 | volumes: 218 | ebs: 219 | /dev/sdf: my-volume 220 | mounts: 221 | /data: 222 | partition: /dev/xvdf 223 | ``` 224 | _If you copy/paste the template above, make sure your details replace the dummy values_ 225 | 226 | 227 | ### EBS volumes with Senza 228 | Please follow these instructions: [senza's storage guide](https://docs.stups.io/en/latest/user-guide/storage.html) to create an EBS volume the stups way.
229 | 230 | ### Kubernetes stateful set, volume, volume claim 231 | 232 | The statefulset resource definition is the main kubernetes configuration file: 233 | ``` 234 | apiVersion: apps/v1beta1 235 | kind: StatefulSet 236 | metadata: 237 | name: statefulset-ghe-backup 238 | spec: 239 | serviceName: deploy-ghe-backup 240 | replicas: 1 241 | template: 242 | metadata: 243 | labels: 244 | app: ghe-backup 245 | annotations: 246 | pod.alpha.kubernetes.io/initialized: "true" 247 | spec: 248 | containers: 249 | - name: container-{ghe-backup} 250 | image: pierone.stups.zalan.do/machinery/ghe-backup:cdp-master-38 251 | resources: 252 | requests: 253 | cpu: 100m 254 | memory: 1Gi 255 | limits: 256 | cpu: 400m 257 | memory: 4Gi 258 | volumeMounts: 259 | - name: data-{ghe-backup} 260 | mountPath: /data 261 | - name: {ghe-backup}-secret 262 | mountPath: /meta/ghe-backup-secret 263 | readOnly: true 264 | - name: podinfo 265 | mountPath: /details 266 | readOnly: false 267 | volumes: 268 | - name: {ghe-backup}-secret 269 | secret: 270 | secretName: {ghe-backup}-secret 271 | - name: podinfo 272 | downwardAPI: 273 | items: 274 | - path: "labels" 275 | fieldRef: 276 | fieldPath: metadata.labels 277 | volumeClaimTemplates: 278 | - metadata: 279 | name: data-ghe-backup 280 | annotations: 281 | volume.beta.kubernetes.io/storage-class: standard 282 | spec: 283 | accessModes: 284 | - ReadWriteOnce 285 | resources: 286 | requests: 287 | storage: 1000Gi 288 | ``` 289 | 290 | === 291 | ### License 292 | 293 | 294 | Copyright © 2015 Zalando SE 295 | 296 | Licensed under the Apache License, Version 2.0 (the "License"); 297 | you may not use this file except in compliance with the License. 
298 | You may obtain a copy of the License at 299 | 300 | http://www.apache.org/licenses/LICENSE-2.0 301 | 302 | Unless required by applicable law or agreed to in writing, software 303 | distributed under the License is distributed on an "AS IS" BASIS, 304 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 305 | See the License for the specific language governing permissions and 306 | limitations under the License. 307 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | We acknowledge that every line of code that we write may potentially contain security issues. 2 | We are trying to deal with them responsibly and provide patches as quickly as possible. 3 | 4 | We host our bug bounty program on HackerOne. It is currently private; therefore, if you would like to report a vulnerability and get rewarded for it, please ask to join our program by filling out this form: 5 | 6 | https://corporate.zalando.com/en/services-and-contact#security-form 7 | 8 | You can also send your report via this form if you do not want to join our bug bounty program and just want to report a vulnerability or security issue.
9 | -------------------------------------------------------------------------------- /ZalandoGithubEnterprise.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zalando/ghe-backup/cdea83c1a7234df30da5b46a588f6282e72874b3/ZalandoGithubEnterprise.jpg -------------------------------------------------------------------------------- /backup.config: -------------------------------------------------------------------------------- 1 | GHE_HOSTNAME="github-master.bus.zalan.do" 2 | GHE_DATA_DIR="/data/ghe-production-data" 3 | GHE_NUM_SNAPSHOTS=40 4 | GHE_EXTRA_SSH_OPTS=" -o StrictHostKeyChecking=no " 5 | GHE_EXTRA_RSYNC_OPTS=" --bwlimit=30000 " -------------------------------------------------------------------------------- /bashtest/cleanup-tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # clean up test folder & files 4 | rm -rf ./ghe-backup-test 5 | rm -rf ./ssh 6 | 7 | echo -e "\nCleanup tests script finished." 
8 | -------------------------------------------------------------------------------- /bashtest/prepare-tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | ghe_backup_test_base_folder="./ghe-backup-test" 7 | string_replace_test="$ghe_backup_test_base_folder/region-replacement" 8 | kms_base_folder="$ghe_backup_test_base_folder/kms" 9 | ghe_production_data_base_folder="$ghe_backup_test_base_folder/data/ghe-production-data" 10 | ghe_data_in_progress_file="$ghe_production_data_base_folder/in-progress" 11 | mymeta_base_folder="$ghe_backup_test_base_folder/mymeta" 12 | 13 | # create folder and file structure for region replacement test 14 | mkdir -p $string_replace_test 15 | cp ../convert-kms-private-ssh-key.sh $string_replace_test/convert-kms-private-ssh-key.sh 16 | 17 | # create folder and file structure for decryption test 18 | mkdir -p $kms_base_folder 19 | cp ../python/extract_decrypt_kms.py $kms_base_folder/extract_decrypt_kms.py 20 | 21 | ###### 22 | mkdir -p $ghe_production_data_base_folder 23 | cat <<EOT1 >> $ghe_data_in_progress_file 24 | foo bla fasel 25 | EOT1 26 | 27 | ###### 28 | mkdir -p $mymeta_base_folder 29 | # create a dummy senza yaml file 30 | # http://stups.readthedocs.org/en/latest/components/senza.html 31 | # kms_private_ssh_key should be decryptable via kms, 32 | # otherwise the decryption test may fail 33 | cat <<EOT2 >> $mymeta_base_folder/taupage.yaml 34 | application_id: ghe-backup 35 | application_version: 0.0.0 36 | instance_logs_url: https://my.logs.url 37 | kms_private_ssh_key: aws:kms:AQECAHjZzNgloNStoxLGlW7zt1M3wLRLUhgdzHy+BTQzoMJMgQAAAL4wgbsGCSqGSIb3DQEHBqCBrTCBqgIBADCBpAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyfjtZRzn/hG79GjSQCARCAd2NFtV7NFy+WnDnFvJaWn3v4MNMtKWYR+e28dLl/JphJ4ube4X08TKSypKWL2U6ASBy4X32V8ee5mNk+0AFCKll6xC7NV18rsIDWU5vZhY2hqiVL098bqCBRY17vBaDxRPaEKqwJ5z9kPxC/RAJUhFZWH/0oMzuX=
38 | logentries_account_key: mylogentriesaccoutnkey 39 | mint_bucket: amintbucket 40 | mounts: 41 | /data: 42 | partition: /dev/xvdf 43 | notify_cfn: 44 | resource: AppServer 45 | stack: mystack 46 | oauth_access_token_url: anoauthaccesstokenurl 47 | root: true 48 | runtime: Docker 49 | scalyr_account_key: myscalyraccoutnkey 50 | source: dockerreghost/reponame:tag 51 | token_service_url: https://my.token.service.url 52 | volumes: 53 | ebs: 54 | /dev/sdf: abackupvolume 55 | EOT2 56 | 57 | echo -e "Prepare tests script finished.\n" 58 | -------------------------------------------------------------------------------- /bashtest/test-convert-kms-private-ssh-key.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | # start with clean setup 7 | ./cleanup-tests.sh 8 | 9 | ./prepare-tests.sh 10 | echo "-----------------" 11 | ./test-replace-convert-properties.sh 12 | if [ $? -eq 0 ] 13 | then 14 | echo "test 'test-replace-convert-properties.sh' succesfully passed." # ../convert-kms-private-ssh-key.sh executed w/o error. 15 | else 16 | echo "test 'test-replace-convert-properties.sh' NOT succesfully passed." # ../convert-kms-private-ssh-key.sh executed w/ error. 17 | fi 18 | 19 | ../convert-kms-private-ssh-key.sh /mymeta test 20 | 21 | if [ $? -eq 0 ] 22 | then 23 | echo "test conversion 'convert-kms-private-ssh-key.sh' succesfully passed." # ../convert-kms-private-ssh-key.sh executed w/o error. 24 | else 25 | echo "test conversion 'convert-kms-private-ssh-key.sh' NOT succesfully passed." # ../convert-kms-private-ssh-key.sh executed w/ error. 
26 | fi 27 | echo "-----------------" 28 | 29 | # clean up 30 | ./cleanup-tests.sh 31 | -------------------------------------------------------------------------------- /bashtest/test-delete-instuck-progress.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ./prepare-tests.sh 4 | python3 ../python/delete-instuck-progress.py 5 | 6 | file='/data/ghe-production-data/in-progress' 7 | if [ -e $file ] 8 | then 9 | echo "Error: $file should not exist." 10 | false 11 | else 12 | echo "Test succesfully passed." 13 | fi 14 | -------------------------------------------------------------------------------- /bashtest/test-replace-convert-properties.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | test_file="./ghe-backup-test/region-replacement/convert-kms-private-ssh-key.sh" 7 | 8 | ../replace-convert-properties.sh "###REGION###" "eu-west-1" $test_file 9 | 10 | if grep -Fxq "###REGION###" "$test_file" 11 | then 12 | exit 1 # NO success 13 | else 14 | exit 0 # success 15 | fi 16 | -------------------------------------------------------------------------------- /convert-kms-private-ssh-key.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | folder="" 7 | private_key_folder=~/.ssh 8 | private_key_path="$private_key_folder/id_rsa" 9 | kms_base="/kms" 10 | aws_region_placeholder="###REGION###" 11 | kubernetes_labels="/details/labels" 12 | 13 | set +u 14 | if [ ! -z "$1" ]; 15 | then 16 | folder=$1 17 | else 18 | folder="/meta" 19 | fi 20 | 21 | if [ ! 
-z "$2" ]; 22 | then 23 | private_key_folder="./ssh" 24 | private_key_path="./ssh/id_rsa_test" 25 | folder="./ghe-backup-test/mymeta" 26 | aws_region_placeholder="eu-west-1" 27 | kms_base="$PWD/ghe-backup-test/kms" 28 | fi 29 | 30 | # Treat unset variables as an error when substituting. 31 | set -u 32 | 33 | # @TODO: add test for $kubernetes_labels existence 34 | if [ -f $kubernetes_labels ] 35 | then 36 | # @TODO: avoid repetition (DRY) -> create new function -> parameter would be private key content ($SSHKEY /meta/ghe-backup-secret/kms_private_ssh_key) 37 | if [ -f $private_key_path ] 38 | then 39 | echo "The file $private_key_path exists already. Won't be overridden." >&2 40 | exit 0 41 | else 42 | echo "The file $private_key_path does not exists. Start writing private ssh key." 43 | mkdir -p $private_key_folder 44 | cp $folder/ghe-backup-secret/kms_private_ssh_key $private_key_path 45 | chmod 0600 $private_key_path 46 | echo "Private ssh key file '$private_key_path' written." 47 | exit 0 48 | fi 49 | ### end of separate function 50 | exit 1 51 | elif [ -f $folder/taupage.yaml ] 52 | then 53 | echo "File $folder/taupage.yaml exists." 54 | SSHKEY=$(python3 $kms_base/extract_decrypt_kms.py -f "$folder/taupage.yaml" -k "kms_private_ssh_key" -r "$aws_region_placeholder") 55 | if [[ $SSHKEY == "Invalid KMS key." ]] 56 | then 57 | echo "KMS key or KMS string is invalid." 58 | echo "Expected KMS string format: aws:kms:" 59 | echo "KMS key must be usable via Host-IAM-Profile" 60 | exit 1 61 | fi 62 | 63 | if [ -f $private_key_path ] 64 | then 65 | echo "The file $private_key_path exists already. Won't be overridden." >&2 66 | exit 0 67 | else 68 | echo "The file $private_key_path does not exists. Start writing private ssh key." 69 | mkdir -p $private_key_folder 70 | printf "%s" "$SSHKEY" >> $private_key_path 71 | chmod 0600 $private_key_path 72 | echo "Private ssh key file '$private_key_path' written."
73 | exit 0 74 | fi 75 | else 76 | echo "Neither $kubernetes_labels nor $folder/taupage.yaml exist." 77 | fi 78 | 79 | exit 1 80 | -------------------------------------------------------------------------------- /cron-ghe-backup: -------------------------------------------------------------------------------- 1 | # ghe prod backups 2 | 0 */2 * * 1-6 root find /data/ghe-production-data/ -maxdepth 2 -mindepth 2 -name incomplete -atime +1 -printf "%h\0" | xargs -0 rm -Rf > /var/log/application.log 2>&1 3 | 17 3,9,12,13,15,17,18,21 * * 1-6 root /start_backup.sh > /var/log/application.log 2>&1 4 | 17 9,15,21 * * 7 root /start_backup.sh > /var/log/application.log 2>&1 5 | 55 7,8,9,10,11,12,13,14,15,16,17,18,19 * * 1-6 root python3 /delete-instuck-backups/delete_instuck_progress.py > /var/log/application.log 2>&1 6 | -------------------------------------------------------------------------------- /cron-ghe-backup-another-aws-account: -------------------------------------------------------------------------------- 1 | # ghe prod backups another AWS account 2 | 13 8,11,14,17,18,20 * * 1-6 root /start_backup.sh 3 | 13 8,14,20 * * 7 root /start_backup.sh 4 | 53 7,8,9,10,11,12,13,14,15,16,17,18,19 * * 1-6 root python3 /delete-instuck-backups/delete_instuck_progress.py 2>&1 > /var/log/application.log 5 | -------------------------------------------------------------------------------- /cron-ghe-backup-k8s-sample: -------------------------------------------------------------------------------- 1 | # ghe bus k8s prod backups 2 | 21 10,13,16,19,22 * * 1-6 root /start_backup.sh 3 | 21 10,16,22 * * 7 root /start_backup.sh 4 | 57 7,8,9,10,11,12,13,14,15,16,17,18,19 * * 1-6 root python3 /delete-instuck-backups/delete_instuck_progress.py 2>&1 > /var/log/application.log 5 | -------------------------------------------------------------------------------- /final-docker-cmd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 
http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | ln -sf /proc/$$/fd/1 /var/log/application.log 7 | 8 | python3 /delete-instuck-backups/delete_instuck_progress.py 9 | REGION=$(curl http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}') 10 | # fall back to Ireland AWS region if REGION is unset or set to the empty string 11 | if [ -z "$REGION" ] 12 | then 13 | REGION="eu-west-1" 14 | fi 15 | 16 | /backup/replace-convert-properties.sh "###REGION###" "$REGION" /kms/convert-kms-private-ssh-key.sh 17 | /kms/convert-kms-private-ssh-key.sh 18 | 19 | # do the actual backups via cron 20 | # everything in sbin directory needs to be executed as privileged user 21 | /usr/sbin/cron -f 22 | -------------------------------------------------------------------------------- /python/delete_instuck_progress.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | ''' 3 | deletes file in case it exists 4 | ''' 5 | 6 | import os 7 | import os.path 8 | from datetime import date 9 | 10 | 11 | def drop_outdated_inprogress_file(abs_folder, filename): 12 | if os.path.isfile(os.path.join(abs_folder, filename)): 13 | modification_time = os.stat(os.path.join(abs_folder, filename)).st_mtime 14 | today = date.today() 15 | modification_day = date.fromtimestamp(modification_time) 16 | if today > modification_day: 17 | os.remove(os.path.join(abs_folder, filename)) 18 | return True 19 | return False 20 | 21 | if __name__ == "__main__": 22 | try: 23 | drop_outdated_inprogress_file('/data/ghe-production-data', 'in-progress') 24 | except FileNotFoundError as e: 25 | pass 26 | # print("error: file does not exists: %s" % e.message) 27 | -------------------------------------------------------------------------------- /python/extract_decrypt_kms.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env 
python3 2 | 3 | """ 4 | @attention: inspired by 5 | - https://github.com/zalando/kmsclient on 2015 10 15 6 | - https://github.com/zalando-stups/taupage/blob/master/runtime/opt/taupage/bin/decrypt_kms.py on 2015 10 15 7 | """ 8 | 9 | import argparse 10 | import yaml 11 | import boto3 12 | import base64 13 | 14 | 15 | class Kms: 16 | service_name = 'kms' 17 | aws_kms_str = 'aws:kms:' 18 | 19 | @classmethod 20 | def __init__(cls, 21 | file, 22 | key: str, 23 | region: str): 24 | cls.file = file 25 | cls.key = key 26 | cls.region = region 27 | 28 | @classmethod 29 | def extract_kms_string(cls, file, key: str) -> str: 30 | """ 31 | Prints value of provided key based on given yml file 32 | :param file: taupage yml file 33 | :param key: kms key string 34 | :return: the kms string identified by the kms key 35 | """ 36 | 37 | data = yaml.safe_load(file if file is not None else cls.file) 38 | kms_key = key if key is not None else cls.key 39 | if isinstance(data, dict) and kms_key in data.keys(): 40 | result = data[kms_key] 41 | if result.startswith(cls.aws_kms_str): 42 | result = result.replace(cls.aws_kms_str, '', 1) 43 | return result 44 | return "" 45 | 46 | @classmethod 47 | def aws_kms_client(cls, region: str = None) -> str: 48 | return boto3.client(service_name=cls.service_name, region_name=region if region is not None else cls.region) 49 | 50 | @classmethod 51 | def aws_decrypt(cls, to_decrypt: str) -> str: 52 | if to_decrypt is "": 53 | return "" 54 | client = cls.aws_kms_client() 55 | response = client.decrypt( 56 | CiphertextBlob=base64.urlsafe_b64decode(to_decrypt) 57 | ) 58 | return str(response['Plaintext'], "UTF-8") 59 | 60 | @classmethod 61 | def aws_encrypt(cls, key_id: str, to_encrypt: str) -> str: 62 | if key_id is "" or to_encrypt is "": 63 | return "" 64 | client = cls.aws_kms_client() 65 | response = client.encrypt( 66 | KeyId=key_id, 67 | Plaintext=to_encrypt 68 | ) 69 | return str(base64.b64encode(response['CiphertextBlob']), "UTF-8") 70 | 71 | if 
__name__ == '__main__': 72 | parser = argparse.ArgumentParser() 73 | parser.add_argument('-f', '--file', help="taupage yml file", required=True, type=argparse.FileType('r')) 74 | parser.add_argument('-k', '--key', help="taupage yml 'key'", required=True) 75 | parser.add_argument('-r', '--region', help="aws region", required=True) 76 | 77 | args = parser.parse_args() 78 | 79 | kms = Kms(file=args.file, key=args.key, region=args.region) 80 | print(kms.aws_decrypt(to_decrypt=kms.extract_kms_string(file=args.file, key=args.key))) 81 | -------------------------------------------------------------------------------- /python/requirements.txt: -------------------------------------------------------------------------------- 1 | pyyaml 2 | boto3 3 | requests 4 | nose 5 | typing -------------------------------------------------------------------------------- /python/test_delete_instuck_progress.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import delete_instuck_progress 4 | import datetime 5 | import nose.tools as nt 6 | from nose.tools import nottest 7 | import os 8 | import os.path 9 | import tempfile as tf 10 | import time 11 | 12 | 13 | @nottest 14 | def create_test_files(abs_folder='mytmp', filename='in-progress'): 15 | full_path = os.path.join(abs_folder, filename) 16 | if not os.path.exists(full_path): 17 | if not os.path.isdir(abs_folder): 18 | os.makedirs(abs_folder) 19 | with open(full_path, 'a'): 20 | today_full = datetime.date.today() 21 | t = datetime.datetime(today_full.year, today_full.month, 22 | today_full.day - 1 if today_full.day > 1 else today_full.day, 0, 0) 23 | am_time = time.mktime(t.timetuple()) 24 | os.utime(full_path, (am_time, am_time)) 25 | 26 | 27 | def test_drop_outdated_inprogress_file(filename='in-progress'): 28 | with tf.TemporaryDirectory() as tmp_dir: 29 | create_test_files(tmp_dir, filename) 30 | res = delete_instuck_progress.drop_outdated_inprogress_file(tmp_dir, 
filename) 31 | 32 | # if first day of the month, utime day is the same day 33 | if 1 == datetime.date.today().day: 34 | res = True 35 | os.remove(os.path.join(tmp_dir, filename)) 36 | 37 | nt.assert_equal(True, res and not os.path.exists(os.path.join(tmp_dir, filename))) 38 | -------------------------------------------------------------------------------- /python/test_extract_decrypt_kms.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import nose.tools as nt 3 | 4 | import os 5 | import binascii 6 | import extract_decrypt_kms 7 | import unittest 8 | import sys 9 | 10 | 11 | class Test(unittest.TestCase): 12 | 13 | kms = None 14 | 15 | @classmethod 16 | def setupAll(cls): 17 | cls.kms = extract_decrypt_kms.Kms(file="/meta/taupage.yaml", key="kms_private_ssh_key", region="eu-west-1") 18 | 19 | @classmethod 20 | def teardownAll(cls): 21 | cls.kms = None 22 | 23 | @classmethod 24 | def test_several_aws_decrypt(cls, s=44, t=47): 25 | for i in range(s,t): 26 | print("\nrandomword({}): {}\n".format(i, cls.random_word(i))) 27 | cls.test_aws_decrypt(cls.random_word(i)) 28 | 29 | @classmethod 30 | def random_word(cls, length): 31 | return binascii.b2a_hex(os.urandom(length)).decode('ascii') 32 | 33 | @classmethod 34 | def test_aws_decrypt(cls, to_encrypt="BCDE"): 35 | encryption_res = None 36 | try: 37 | encryption_res = cls.kms.aws_encrypt(key_id="b44f5008-cebc-4cba-b677-02c938f7a197", to_encrypt=to_encrypt) 38 | except Exception as nfe: 39 | if str(nfe).find("NotFoundException") > 0: 40 | # KMS operation can't be executed properly because either boto client 41 | # can't connect to an AWS account or the wrong one 42 | sys.stderr.write('\nExpected boto client error due to misconfigured AWS account: %s\n' % str(nfe)) 43 | elif str(nfe).find("ExpiredToken") > 0: 44 | # KMS operation can't be executed properly because either AWS token exprired. 
45 | sys.stderr.write('\nExpected boto client error due to expired token: %s\n' % str(nfe)) 46 | elif str(nfe).find("credentials") > 0: 47 | # no boto client credentials in CI environment 48 | sys.stderr.write('\nExpected boto client error due to missing credentials: %s\n' % str(nfe)) 49 | else: 50 | raise 51 | if encryption_res: 52 | decryption_res = cls.kms.aws_decrypt(to_decrypt=encryption_res) 53 | nt.assert_equal(to_encrypt, decryption_res) 54 | 55 | @classmethod 56 | def test_aws_decrypt_with_method_file_key_parameter(cls, to_encrypt="BCDE"): 57 | encryption_res = None 58 | try: 59 | encryption_res = cls.kms.aws_encrypt(key_id="b44f5008-cebc-4cba-b677-02c938f7a197", to_encrypt=to_encrypt) 60 | except Exception as nfe: 61 | if str(nfe).find("NotFoundException") > 0: 62 | # KMS operation can't be executed properly because either boto client 63 | # can't connect to an AWS account or the wrong one 64 | sys.stderr.write('\nExpected boto client error due to misconfigured AWS account: %s\n' % str(nfe)) 65 | elif str(nfe).find("ExpiredToken") > 0: 66 | # KMS operation can't be executed properly because either AWS token exprired. 
67 | sys.stderr.write('\nExpected boto client error due to expired token: %s\n' % str(nfe)) 68 | elif str(nfe).find("credentials") > 0: 69 | # no boto client credentials in CI environment 70 | sys.stderr.write('\nExpected boto client error due to missing credentials: %s\n' % str(nfe)) 71 | else: 72 | raise 73 | if encryption_res: 74 | decryption_res = cls.kms.aws_decrypt(to_decrypt=cls.kms.extract_kms_string(file="dummy_file", key="dummy_string")) 75 | nt.assert_not_equal(to_encrypt, decryption_res) 76 | 77 | @classmethod 78 | def test_aws_kms_client(cls): 79 | nt.assert_equal(str(cls.kms.aws_kms_client()._endpoint), 80 | str(cls.kms.aws_kms_client(region="eu-west-1")._endpoint)) -------------------------------------------------------------------------------- /replace-convert-properties.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | usage="$(basename "$0") searchstring replacement file-to-replace-the-strings-into" 7 | 8 | # $1 - string to replace 9 | # $2 - replacement string 10 | # $3 - file to replace the strings into 11 | 12 | if [ "$1" == "-h" ] || [ "$1" == "--help" ] ; then 13 | echo "Usage: $usage" 14 | exit 0 15 | fi 16 | 17 | # Mac: use gnu-sed - brew install gnu-sed 18 | # set the path in bash - PATH="/usr/local/opt/gnu-sed/libexec/gnubin:$PATH" 19 | # http://daoyuan.li/a-normal-sed-on-mac/ 20 | if [ ! -z $1 ] && [ ! -z $2 ] && [ ! 
-z $3 ] ; 21 | then 22 | sed -i "s;$1;$2;g" $3 23 | fi 24 | -------------------------------------------------------------------------------- /run-tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # http://stackoverflow.com/questions/19622198/what-does-set-e-mean-in-a-bash-script 4 | set -e 5 | 6 | # do zaws login if you are _not_ in AWS environment 7 | # won't work in CI environment 8 | # (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) 9 | link="http://169.254.169.254/latest/meta-data/" 10 | if ! curl --max-time 2 --output /dev/null --silent --head --fail "$link"; then 11 | zaws login bus PowerUser 12 | fi 13 | nosetests -w python 14 | # uncomment for verbose output: 15 | #nosetests -w python -vv --nocapture test_extract_decrypt_kms.py 16 | 17 | cd bashtest 18 | ./test-convert-kms-private-ssh-key.sh 19 | 20 | # make sure you run bashtest/cleanup-tests.sh in order to clean up afterwards 21 | -------------------------------------------------------------------------------- /start_backup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 3 | set -euo pipefail 4 | IFS=$'\n\t' 5 | 6 | # exit if the same process runs already 7 | pidof -o $$ -x "$0" >/dev/null 2>&1 && exit 1 8 | 9 | if [ ! -d "/data/ghe-production-data/" ]; then 10 | mkdir -p /data/ghe-production-data/ 11 | fi 12 | /backup/backup-utils/bin/ghe-backup 13 | --------------------------------------------------------------------------------