Cloud Volumes Backup: Support tool - Configuration

The config sub-commands verify entries in the secure_client_config.yaml configuration file. It is recommended that you run them from the directory that contains secure_client_config.yaml, because the key and certificate entries in the default configuration are relative file-system paths.

All of the sub-commands within the config command take a single parameter, the file-system path of the secure client configuration file (typically secure_client_config.yaml). The only exception is the check-processes sub-command.

The available sub-commands in the config module are:

  • check-certificates
  • check-endpoints
  • check-ports
  • check-processes
  • verify

check-certificates - Check certificates and keys are valid

The check-certificates sub-command enables you to verify information pertaining to the provided certificate and key. It checks whether the provided files exist and reports their owner, group, and file permissions. Finally, it outputs the information discovered for the provided certificate. Certificates are expected to have permissions of 644, while keys are expected to have permissions of 600. If you have set up a secureclient user as the owner of these files, you should run the command as the secureclient user.

Example usage:

To check the permissions/existence on certificates provided in secure_client_config.yaml, run the following command:

bash$ ./cvbu-support-tool config check-certificates ./secure_client_config.yaml

File        Exists
----------  --------
ca.crt      True
client.crt  True
client.key  True

File        Owner          Group          Permissions    Recommended permissions
----------  ------------   ------------   -------------  -------------------------
ca.crt      secureclient   secureclient             644                        644
client.crt  secureclient   secureclient             644                        644
client.key  secureclient   secureclient             600                        600

------------  ------------------------------------
Store name    tom-test-store
Store id      980eabd0-ef8e-4b13-989a-225f8c456c9d
Cmd forward   10.10.13.111:30828
Data forward  10.10.13.111:31536
Expiry        2020-09-24 09:11:15
Expired       False
------------  ------------------------------------

Certificate verified to CA successfully

Key and certificate match!
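
An independent cross-check of the same permission rules, as an added example that is not part of cvbu-support-tool or the original page. It assumes the three files use the names shown in the sample output and sit in one directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of cvbu-support-tool: audit certificate and key
# files against the modes this page recommends (644 for certs, 600 for keys).

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "owner:group" of a file.
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# check_file PATH WANT_MODE [WANT_OWNER:GROUP]
# Prints one status line; returns 0 on a match and 1 otherwise.
check_file() {
    path=$1 want_mode=$2 want_owner=${3:-}
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    if [ "$mode" != "$want_mode" ]; then
        echo "BADMODE  $path mode=$mode want=$want_mode"; return 1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "BADOWNER $path owner=$owner want=$want_owner"; return 1
    fi
    echo "OK       $path mode=$mode owner=$owner"
}

# audit_dir DIR [OWNER:GROUP]
# Assumes the file names shown in the sample output above.
# Returns the number of files that failed (0 means every check passed).
audit_dir() {
    dir=$1 owner_spec=${2:-} failures=0
    check_file "$dir/ca.crt"     644 "$owner_spec" || failures=$((failures + 1))
    check_file "$dir/client.crt" 644 "$owner_spec" || failures=$((failures + 1))
    check_file "$dir/client.key" 600 "$owner_spec" || failures=$((failures + 1))
    return "$failures"
}

# Stand-alone use: sh audit.sh . secureclient:secureclient
[ "$#" -eq 0 ] || audit_dir "$@"
```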

check-endpoints - Check endpoints are valid

The check-endpoints sub-command enables you to verify that the provided endpoints specified as target1/target2 are valid targets. It does so by verifying against the api/v2/services endpoint within Cloud Volumes Backup to determine if the specified endpoint is in the returned endpoint set.

The optional parameter --api-endpoint can be provided to change the endpoint this verification is completed against. Valid options are: demo or production.

Example usage:

To check the endpoints specified under target1/target2 in ./secure_client_config.yaml, run the following command:

bash$ ./cvbu-support-tool config check-endpoints ./secure_client_config.yaml

Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid

check-ports - Check local ports

The check-ports sub-command enables you to check the bind status of secure_client processes on the system. It is recommended that you run the command with superuser/sudo access; alternatively, you can set the CAP_NET_ADMIN capability bit on the binary with: setcap cap_net_admin+eip ./cvbu-support-tool. A file capability set this way applies to every user who can execute the binary, so restrict execute permission on it accordingly. If the secure client is running as the current user, sudo is not required. If Bound is 0 for CMD or DATA, the secure client was not detected listening on the required ports. If Bound is 1, the secure_client is bound successfully to the ports. If Bound > 1, you may have more than one secure client process listening on the same port, potentially causing transport errors. The ports tested are specified in the config file as source1/source2.

Example usage:

To check if the secure client is listening on the specified ports on the local system, run the following command:

bash$ sudo ./cvbu-support-tool config check-ports ./secure_client_config.yaml

Name      Port    Bound
------  ------  -------
CMD       9387        1
DATA      9388        1
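
A way to cross-check the Bound value without the tool, as an added example that is not part of cvbu-support-tool or the original page. It counts distinct PIDs per port from ss output, which is this example's own approximation of Bound; the function names and the second PID in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of cvbu-support-tool: count listeners per port from
# `ss -Hltnp` output, approximating the Bound column described above.

# Constructed sample input: two processes on 9387, one on 9388.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:9387 0.0.0.0:* users:(("secure_client",pid=21278,fd=5))
LISTEN 0 128 0.0.0.0:9387 0.0.0.0:* users:(("secure_client",pid=30412,fd=5))
LISTEN 0 128 0.0.0.0:9388 0.0.0.0:* users:(("secure_client",pid=21278,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
EOF
}

# count_bound PORT NAME: read ss lines on stdin and print how many distinct
# PIDs of process NAME listen on PORT.
count_bound() {
    awk -v port="$1" -v name="$2" '
        $1 == "LISTEN" {
            n = split($4, addr, ":")          # port is the last ":" field
            if (addr[n] != port) next
            rest = $0
            while (match(rest, "\"" name "\",pid=[0-9]+")) {
                tok = substr(rest, RSTART, RLENGTH)
                sub(/.*pid=/, "", tok)
                pids[tok] = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END { c = 0; for (p in pids) c++; print c }'
}

# bound_status COUNT: interpret the count the way the page describes.
bound_status() {
    case $1 in
        0) echo "not listening" ;;
        1) echo "bound" ;;
        *) echo "multiple listeners" ;;
    esac
}

# Live use (needs privileges to see other users' processes):
#   ss -Hltnp | count_bound 9387 secure_client
[ "$#" -eq 0 ] || bound_status "$(ss -Hltnp | count_bound "$1" "${2:-secure_client}")"
```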

check-processes - Check secure client process state

The check-processes sub-command enables you to check the number of secure_client processes running on the current machine. Running multiple secure_client processes on the same machine is an advanced configuration setup, and for most users, having more than one entry should be considered a misconfiguration.

Note that this command does not require a configuration parameter.

The optional --cmd parameter allows you to modify the command checked for. If you have renamed the binary to something other than secure_client, you will need to set this flag.

Example usage:

To view running secure_client processes on the local node, run the following command:

bash$ sudo ./cvbu-support-tool config check-processes

  PID  CMD            USER          PORTS
-----  -------------  ------------  ----------
21278  secure_client  secureclient  9387, 9388

verify - Check config file values

The verify sub-command enables you to run all component tests from the configuration module. It takes a configuration file as a parameter and, optionally, an --api-endpoint.

The optional --api-endpoint parameter can be provided to change the endpoint this verification is completed against. Valid options are: demo or production.

Example usage:

To verify the configuration file ./secure_client_config.yaml, run the following command:

bash$ sudo ./cvbu-support-tool config verify ./secure_client_config.yaml

Validate: ca, key, cert
File        Exists
----------  --------
ca.crt      True
client.crt  True
client.key  True

File        Owner          Group         Permissions    Recommended permissions
----------  ------------   ------------  -------------  -------------------------
ca.crt      secureclient   secureclient             644                        644
client.crt  secureclient   secureclient             644                        644
client.key  secureclient   secureclient             600                        600

------------  ------------------------------------
Store name    tom-test-store
Store id      980eabd0-ef8e-4b13-989a-225f8c456c9d
Cmd forward   10.10.13.111:30828
Data forward  10.10.13.111:31536
Expiry        2020-09-24 09:11:15
Expired       False
------------  ------------------------------------

Certificate verified to CA successfully

Key and certificate match!


Validate: target1, target2
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid
Endpoint: eu-dublin-2.cloudvolumes.hpe.com valid


Validate: source1, source2
Name      Port    Bound
------  ------  -------
CMD       9387        1
DATA      9388        1