Bug 1795235 - ETCD backups should keep keys and data separate
Summary: ETCD backups should keep keys and data separate
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Etcd
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.0
Assignee: Suresh Kolichala
QA Contact: ge liu
Depends On:
Blocks: 1796440
TreeView+ depends on / blocked
Reported: 2020-01-27 13:59 UTC by Suresh Kolichala
Modified: 2020-05-04 11:27 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1796440 (view as bug list)
Last Closed: 2020-05-04 11:27:22 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:27:38 UTC

Description Suresh Kolichala 2020-01-27 13:59:14 UTC
Description of problem:

When etcd is encrypted, the encryption key is stored as a part of static pod resources. Current backup procedure combines the etcd snapshot database and static pod resources into a single tar archive.

For enhanced security, they should not be stored together.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Take a snapshot backup using DR scripts.

Actual results:
It produces a single tar.gz archive containing keys and snapshot data.

Expected results:
For enhanced security, it is expected that encryption keys and data are kept separate.

Additional info:

Comment 6 ge liu 2020-02-03 13:01:20 UTC
Verified with 4.4.0-0.nightly-2020-02-02-201619,
$ cd assets/
$ ls
backup  bin  manifests  manifests-stopped  restore  shared  templates  tmp
$ cd backup/
$ ls
etcd  etcd-ca-bundle.crt  etcd-member.yaml  snapshot_2020-02-03_115156.db  static_kuberesources_2020-02-03_115156.tar.gz

Comment 8 errata-xmlrpc 2020-05-04 11:27:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.