Back up your infrastructure

The backup process creates a copy of your primary server, including configuration, certificates, code, and PuppetDB. Backup can take several hours depending on the size of PuppetDB.

Before you begin: If you want to encrypt your backup, you must import your GPG public key to your primary server.
To create a complete set of backup data, you need to back up your infrastructure's secret keys and use the puppet-backup command to back up your PE configuration, PE certificates, Puppet code, and PuppetDB data. For details about the data included in backup files, refer to Customize scope of backup and restore.
  1. To ensure that pg_repack doesn't run during the backup process, stop the pe_databases module timers:
    systemctl stop pe_databases-*.timer
  2. Run the puppet-backup command on your primary server. The default command is:
    sudo puppet-backup create --dir=<BACKUP_DIRECTORY>

    You can customize your backup by specifying the following optional parameters:

    • --dir=<BACKUP_DIRECTORY>: Specify a separate, secure location for your backup.
    • --name=<BACKUP_NAME>: Specify the backup file's name. The default name is pe_backup with a timestamp indicating when the backup file was created, such as: pe_backup-<TIMESTAMP>.tgz.
    • --pe-environment=<ENVIRONMENT>: Specify an environment to back up. To ensure the configuration is recovered correctly, this must be the environment where your primary server is located. The default value is production.
    • --scope=<SCOPE_LIST>: Specify the data you want the backup file to contain. For details, refer to Customize scope of backup and restore. The default scope is all. To back up specific data, limit the scope by using one or more of the following values: certs, code, config, or puppetdb.
    Back up all four data sets at once with --scope=all if you intend to use the backup for a PE migration or to recover an installation. If you are restoring for a PE migration or recovering an installation, you must restore all four data sets at once with --scope=all.
    If you specify --scope, specify a --name that describes the file's scope.
    • --gpgkey=<KEY_ID>: Specify a GPG key ID to use to encrypt the backup file.
    • --force: Specify this parameter if you want to bypass validation checks and ignore warnings.

  3. Back up the secret keys directory and, if applicable, the secret key for the LDAP service.
    The puppet-backup command does not include secret keys. You must back up this data separately.

    Secure the keys as you would any sensitive information.

    • The secret keys directory is located at: /etc/puppetlabs/orchestration-services/conf.d/secrets/
    • (If applicable) The LDAP service key is located at: /etc/puppetlabs/console-services/conf.d/secrets/keys.json
  4. Restart the pe_databases module timers:
    systemctl start pe_databases-catalogs.timer pe_databases-facts.timer pe_databases-other.timer
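The four steps above as one wrapper that restarts the timers even when the backup fails and writes the secret keys to an owner-only archive. This is an added example, not Puppet's own code; the SYSTEMCTL, PUPPET_BACKUP, SECRETS_DIR and LDAP_KEY override variables and the pe_secrets-<TIMESTAMP>.tgz file name are assumptions.

```sh
#!/bin/sh
# Added example, not Puppet's code. Run as root on the primary server.
# SYSTEMCTL, PUPPET_BACKUP, SECRETS_DIR and LDAP_KEY are hypothetical
# override variables; the defaults are the commands and paths from the steps.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
PUPPET_BACKUP="${PUPPET_BACKUP:-puppet-backup}"
SECRETS_DIR="${SECRETS_DIR:-/etc/puppetlabs/orchestration-services/conf.d/secrets}"
LDAP_KEY="${LDAP_KEY:-/etc/puppetlabs/console-services/conf.d/secrets/keys.json}"
TIMERS="pe_databases-catalogs.timer pe_databases-facts.timer pe_databases-other.timer"

# Step 3: puppet-backup omits secret keys, so archive them separately.
# Prints the archive path. This archive is NOT encrypted by --gpgkey.
backup_secrets() {
    dest="$1/pe_secrets-$(date +%Y%m%d%H%M%S).tgz"   # constructed file name
    set -- "$SECRETS_DIR"
    if [ -f "$LDAP_KEY" ]; then set -- "$@" "$LDAP_KEY"; fi   # only if present
    # umask 077 makes the archive readable by its owner only (mode 0600).
    ( umask 077 && tar -czf "$dest" "$@" ) || return 1
    echo "$dest"
}

# Usage: pe_backup <BACKUP_DIRECTORY> [puppet-backup options]
pe_backup() {
    dir="$1"; shift
    rc=0
    # Step 1. Quoted so systemctl, not the shell, expands the pattern.
    $SYSTEMCTL stop 'pe_databases-*.timer' || rc=$?
    # Step 2, skipped if the timers could not be stopped.
    [ "$rc" -ne 0 ] || $PUPPET_BACKUP create --dir="$dir" "$@" || rc=$?
    # Step 3, skipped if the backup itself failed.
    [ "$rc" -ne 0 ] || backup_secrets "$dir" || rc=$?
    # Step 4 always runs, so the timers are not left stopped after a failure.
    $SYSTEMCTL start $TIMERS || rc=$?
    return "$rc"
}

# Example call: pe_backup /var/puppetlabs/backups --scope=all
```

Move the secrets archive to protected storage after the run, since it holds unencrypted key material.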
Results

Each time you use puppet-backup to create a new backup, PE creates a single backup file containing everything you're backing up (defined by the --scope). PE writes backup files to /var/puppetlabs/backups, unless you specify a different location in the puppet-backup command. The file name follows the default naming convention (pe_backup-<TIMESTAMP>.tgz), unless you specified a different name in the puppet-backup command.