Cloud Volumes Backup: Support tool - Configuration
The config sub-commands are provided to verify entries in the secure_client_config.yaml configuration file. When running the config sub-commands, it is recommended that you designate the current working directory as the location for the secure_client_config.yaml file, because the key and certificate entries in the default secure_client_config.yaml are relative file-system paths.
All of the sub-commands within the config command take a single parameter, the file-system path of the secure client configuration file (typically secure_client_config.yaml). The only exception is the check-processes sub-command.
The available sub-commands in the config module are:
check-certificates
check-endpoints
check-ports
check-processes
verify
check-certificates - Check certificates and keys are valid
The check-certificates sub-command enables you to verify information pertaining to the provided certificate and key. It will check whether the provided files exist, as well as file permissions for owner and group. Finally, it will output discovered info for the provided certificate. Certificates are expected to have permissions of 644 while keys are expected to have permissions of 600. If you have set up a secureclient user as the owner of these files, you should run the command as the secureclient user.
Example usage:
To check the permissions/existence on certificates provided in secure_client_config.yaml, run the following command:
bash$ ./cvbu-support-tool config check-certificates ./secure_client_config.yaml
File Exists
---------- --------
ca.crt True
client.crt True
client.key True
File Owner Group Permissions Recommended permissions
---------- ------------ ------------ ------------- -------------------------
ca.crt secureclient secureclient 644 644
client.crt secureclient secureclient 644 644
client.key secureclient secureclient 600 600
------------ ------------------------------------
Store name tom-test-store
Store id 980eabd0-ef8e-4b13-989a-225f8c456c9d
Cmd forward 10.10.13.111:30828
Data forward 10.10.13.111:31536
Expiry 2020-09-24 09:11:15
Expired False
------------ ------------------------------------
Certificate verified to CA successfully
Key and certificate match!
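The existence and permission checks described above can be reproduced by hand. The following is an added example, not the support tool's own code; the function names, finding strings and sample files (including the deliberately over-permissive client.key) are constructed for illustration.

```python
import os
import stat
import tempfile

# Recommended modes stated on this page: certificates 644, keys 600.
RECOMMENDED = {"ca": 0o644, "cert": 0o644, "key": 0o600}


def audit(path, kind):
    """Return a dict describing one credential file and any findings."""
    want = RECOMMENDED[kind]
    row = {"file": os.path.basename(path), "exists": os.path.isfile(path),
           "mode": None, "recommended": format(want, "o"), "findings": []}
    if not row["exists"]:
        row["findings"].append("missing")
        return row
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    row["mode"] = format(mode, "o")
    if mode & ~want:
        # Bits set beyond the recommendation widen access.
        row["findings"].append("more permissive than recommended")
    elif mode != want:
        row["findings"].append("stricter than recommended")
    if kind == "key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        row["findings"].append("private key accessible to group or other")
    if st.st_uid != os.geteuid():
        row["findings"].append("not owned by the current user")
    return row


def demo():
    """Create constructed sample files (one too open) and audit them."""
    with tempfile.TemporaryDirectory() as d:
        layout = {"ca.crt": ("ca", 0o644), "client.crt": ("cert", 0o644),
                  "client.key": ("key", 0o640)}  # 640 is the constructed fault
        for name, (_, mode) in layout.items():
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        rows = [audit(os.path.join(d, n), k) for n, (k, _) in layout.items()]
        rows.append(audit(os.path.join(d, "absent.key"), "key"))
        return rows


if __name__ == "__main__":
    for r in demo():
        print(r)
```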
check-endpoints - Check endpoints are valid
The check-endpoints sub-command enables you to verify that the provided endpoints specified as target1/target2 are valid targets. It does so by verifying against the api/v2/services endpoint within Cloud Volumes Backup to determine if the specified endpoint is in the returned endpoint set.
The optional parameter --api-endpoint can be provided to change the endpoint this verification is completed against. Valid options are: demo or production.
Example usage:
To check the endpoints specified under target1/target2 in ./secure_client_config.yaml, run the following command:
bash$ ./cvbu-support-tool config check-endpoints ./secure_client_config.yaml
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid
check-ports - Check local ports
The check-ports sub-command enables you to check the bind status of secure_client processes on the system. It is recommended that you run the command with superuser/sudo access (alternatively, you can set the CAP_NET_ADMIN capability bit on the binary with: setcap cap_net_admin+eip ./cvbu-support-tool). If the secure client is running as the current user, sudo is not required. If Bound is 0 for CMD or DATA, the secure client is not detected listening on the required ports. If Bound is 1, the secure_client is bound successfully to the ports. If Bound > 1, you may have more than one secure client process listening on the same port, potentially causing transport errors. The ports tested are specified in the config file as source1/source2.
Example usage:
To check if the secure client is listening on the specified ports on the local system, run the following command:
bash$ sudo ./cvbu-support-tool config check-ports ./secure_client_config.yaml
Name Port Bound
------ ------ -------
CMD 9387 1
DATA 9388 1
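To cross-check a Bound value by hand on Linux, LISTEN sockets can be counted per port from /proc/net/tcp. This is an added example, not the support tool's own code, and how the tool itself derives Bound is not documented here; the function names and the sample table (one listener on 9387, two on 9388, one established connection) are constructed.

```python
LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# 0x24AB = 9387 (CMD), 0x24AC = 9388 (DATA).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:24AB 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 40111
   1: 00000000:24AC 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 40112
   2: 00000000:24AC 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 40250
   3: 0100007F:24AB 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 40300
"""


def count_listeners(table, ports):
    """Count LISTEN sockets per port in text laid out like /proc/net/tcp."""
    counts = {p: 0 for p in ports}
    for line in table.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].endswith(":"):
            continue  # header line or malformed row
        port = int(f[1].rsplit(":", 1)[1], 16)  # local port is hexadecimal
        # Established connections (state 01) share the port but are not listeners.
        if f[3] == LISTEN and port in counts:
            counts[port] += 1
    return counts


def interpret(bound):
    """Map a listener count to the meaning given on this page."""
    if bound == 0:
        return "not listening"
    if bound == 1:
        return "bound"
    return "multiple listeners, possible transport errors"


def report(table, named_ports):
    """Return {name: (port, bound, meaning)} for each configured source port."""
    counts = count_listeners(table, named_ports.values())
    return {name: (port, counts[port], interpret(counts[port]))
            for name, port in named_ports.items()}


if __name__ == "__main__":
    for name, row in report(SAMPLE, {"CMD": 9387, "DATA": 9388}).items():
        print(name, *row)
```

On a live host, pass the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6 listeners) in place of SAMPLE.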
check-processes - Check secure client process state
The check-processes sub-command enables you to check the number of secure_client processes running on the current machine. Running multiple secure_client processes on the same machine is an advanced configuration setup, and for most users, having more than 1 entry should be considered a misconfiguration.
Note that this command does not require a configuration parameter.
The --cmd optional parameter allows you to modify the command checked for. If you have renamed the binary to something other than secure_client, you will need to set this flag.
Example usage:
To view running secure_client processes on the local node, run the following command:
bash$ sudo ./cvbu-support-tool config check-processes
PID CMD USER PORTS
----- ------------- ------------ ----------
21278 secure_client secureclient 9387, 9388
verify - Check config file values
The verify sub-command enables you to run all component tests from the configuration module. It takes a configuration file as a parameter and, optionally, an --api-endpoint.
The --api-endpoint optional parameter can be provided to change the endpoint this verification is completed against. Valid options are: demo or production.
Example usage:
To verify the configuration file ./secure_client_config.yaml, run the following command:
bash$ sudo ./cvbu-support-tool config verify ./secure_client_config.yaml
Validate: ca, key, cert
File Exists
---------- --------
ca.crt True
client.crt True
client.key True
File Owner Group Permissions Recommended permissions
---------- ------------ ------------ ------------- -------------------------
ca.crt secureclient secureclient 644 644
client.crt secureclient secureclient 644 644
client.key secureclient secureclient 600 600
------------ ------------------------------------
Store name tom-test-store
Store id 980eabd0-ef8e-4b13-989a-225f8c456c9d
Cmd forward 10.10.13.111:30828
Data forward 10.10.13.111:31536
Expiry 2020-09-24 09:11:15
Expired False
------------ ------------------------------------
Certicicate verified to CA successfully
Key and certificate match!
Validate: target1, target2
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid
Validate: source1, source2
Name Port Bound
------ ------ -------
CMD 9387 1
DATA 9388 1