11.3. Restoring the stack from backup
If the upgrade process fails, you can restore the stack from the backup that you took before the upgrade.
The following procedure is optional.
11.3.1. Pulling the ansible-on-clouds-ops container image
Procedure
Pull the ansible-on-clouds-ops 2.2 container image with the same tag version as the foundation deployment. Note: before pulling the Docker image, make sure you are logged in to registry.redhat.io with docker. Use the following command to log in to registry.redhat.io:
$ docker login registry.redhat.io
For more information about registry login, see Registry Authentication.
$ export IMAGE=registry.redhat.io/ansible-on-clouds/ansible-on-clouds-ops-rhel8:2.2.20230215
$ docker pull $IMAGE --platform=linux/amd64
For the EMEA region (Europe, Middle East, Africa), run the following commands instead:
$ export IMAGE=registry.redhat.io/ansible-on-clouds/ansible-on-clouds-ops-emea-rhel8:2.2.20230215
$ docker pull $IMAGE --platform=linux/amd64
11.3.2. Minimum IAM permissions
You must have the following AWS IAM permissions to restore the stack:
required-roles:
  autoscaling:
    actions:
      - autoscaling:CreateAutoScalingGroup
      - autoscaling:CreateLaunchConfiguration
      - autoscaling:DeleteAutoScalingGroup
      - autoscaling:DeleteLaunchConfiguration
      - autoscaling:DescribeAutoScalingGroups
      - autoscaling:DescribeAutoScalingInstances
      - autoscaling:DescribeLaunchConfigurations
      - autoscaling:DescribeScalingActivities
      - autoscaling:UpdateAutoScalingGroup
    resources:
      - '*'
  backup:
    actions:
      - backup:DescribeRestoreJob
      - backup:StartRestoreJob
    resources:
      - '*'
  cloudformation:
    actions:
      - cloudformation:CreateChangeSet
      - cloudformation:CreateStack
      - cloudformation:CreateUploadBucket
      - cloudformation:DeleteStack
      - cloudformation:DescribeChangeSet
      - cloudformation:DescribeStackEvents
      - cloudformation:DescribeStacks
      - cloudformation:ExecuteChangeSet
      - cloudformation:GetStackPolicy
      - cloudformation:GetTemplateSummary
      - cloudformation:ListChangeSets
      - cloudformation:ListStackResources
      - cloudformation:ListStacks
      - cloudformation:TagResource
      - cloudformation:UpdateStack
      - cloudformation:ValidateTemplate
    resources:
      - '*'
  ec2:
    actions:
      - ec2:AllocateAddress
      - ec2:AssociateAddress
      - ec2:AssociateNatGatewayAddress
      - ec2:AssociateRouteTable
      - ec2:AssociateSubnetCidrBlock
      - ec2:AttachInternetGateway
      - ec2:AuthorizeSecurityGroupEgress
      - ec2:AuthorizeSecurityGroupIngress
      - ec2:CreateInternetGateway
      - ec2:CreateNatGateway
      - ec2:CreateRoute
      - ec2:CreateRouteTable
      - ec2:CreateSecurityGroup
      - ec2:CreateSubnet
      - ec2:CreateSubnetCidrReservation
      - ec2:CreateTags
      - ec2:CreateVpc
      - ec2:DeleteInternetGateway
      - ec2:DeleteNatGateway
      - ec2:DeleteRoute
      - ec2:DeleteRouteTable
      - ec2:DeleteSecurityGroup
      - ec2:DeleteSubnet
      - ec2:DeleteSubnetCidrReservation
      - ec2:DeleteVpc
      - ec2:DescribeAccountAttributes
      - ec2:DescribeAddresses
      - ec2:DescribeAddressesAttribute
      - ec2:DescribeAvailabilityZones
      - ec2:DescribeInstances
      - ec2:DescribeInternetGateways
      - ec2:DescribeKeyPairs
      - ec2:DescribeNatGateways
      - ec2:DescribeRouteTables
      - ec2:DescribeSecurityGroups
      - ec2:DescribeSubnets
      - ec2:DescribeVpcs
      - ec2:DetachInternetGateway
      - ec2:DisassociateAddress
      - ec2:DisassociateNatGatewayAddress
      - ec2:DisassociateRouteTable
      - ec2:DisassociateSubnetCidrBlock
      - ec2:GetSubnetCidrReservations
      - ec2:ModifyAddressAttribute
      - ec2:ModifyVpcAttribute
      - ec2:ReleaseAddress
      - ec2:RevokeSecurityGroupEgress
      - ec2:RevokeSecurityGroupIngress
    resources:
      - '*'
  elasticfilesystem:
    actions:
      - elasticfilesystem:CreateAccessPoint
      - elasticfilesystem:CreateFileSystem
      - elasticfilesystem:CreateMountTarget
      - elasticfilesystem:DeleteAccessPoint
      - elasticfilesystem:DeleteFileSystem
      - elasticfilesystem:DeleteMountTarget
      - elasticfilesystem:DescribeAccessPoints
      - elasticfilesystem:DescribeBackupPolicy
      - elasticfilesystem:DescribeFileSystemPolicy
      - elasticfilesystem:DescribeFileSystems
      - elasticfilesystem:DescribeLifecycleConfiguration
      - elasticfilesystem:DescribeMountTargets
    resources:
      - '*'
  elasticloadbalancing:
    actions:
      - elasticloadbalancing:AddTags
      - elasticloadbalancing:CreateListener
      - elasticloadbalancing:CreateLoadBalancer
      - elasticloadbalancing:CreateTargetGroup
      - elasticloadbalancing:DeleteListener
      - elasticloadbalancing:DeleteTargetGroup
      - elasticloadbalancing:DescribeListeners
      - elasticloadbalancing:DescribeTargetGroups
      - elasticloadbalancing:ModifyLoadBalancerAttributes
      - elasticloadbalancing:ModifyTargetGroupAttributes
    resources:
      - '*'
  iam:
    actions:
      - iam:AddRoleToInstanceProfile
      - iam:AttachRolePolicy
      - iam:CreateInstanceProfile
      - iam:CreateRole
      - iam:DeleteInstanceProfile
      - iam:DeleteRole
      - iam:DeleteRolePolicy
      - iam:DetachRolePolicy
      - iam:GetRolePolicy
      - iam:ListRoles
      - iam:PassRole
      - iam:PutRolePolicy
      - iam:RemoveRoleFromInstanceProfile
      - iam:TagRole
    resources:
      - '*'
  kms:
    actions:
      - kms:CreateGrant
      - kms:Decrypt
      - kms:DescribeKey
      - kms:GenerateDataKey
    resources:
      - '*'
  rds:
    actions:
      - rds:AddTagsToResource
      - rds:CreateDBInstance
      - rds:CreateDBSubnetGroup
      - rds:DeleteDBInstance
      - rds:DeleteDBSubnetGroup
      - rds:DescribeDBInstances
      - rds:DescribeDBSnapshots
      - rds:DescribeDBSubnetGroups
      - rds:ModifyDBInstance
      - rds:RestoreDBInstanceFromDBSnapshot
    resources:
      - '*'
  s3:
    actions:
      - s3:CreateBucket
      - s3:GetObject
      - s3:PutObject
    resources:
      - '*'
  secretsmanager:
    actions:
      - secretsmanager:CreateSecret
      - secretsmanager:DeleteSecret
      - secretsmanager:GetRandomPassword
      - secretsmanager:GetSecretValue
      - secretsmanager:PutSecretValue
      - secretsmanager:TagResource
    resources:
      - '*'
  sns:
    actions:
      - sns:ListTopics
    resources:
      - '*'
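The required-roles document above lists permissions but is not itself an IAM policy, so an operator who wants to run the restore under a dedicated least-privilege principal rather than an administrator still has to produce one. The following Python script is an added example, not Red Hat's code and not part of this documentation: it parses the restricted YAML shape used above (one mapping per service with actions and resources lists; no PyYAML needed), checks that every action is filed under the service whose prefix it carries, and emits an IAM identity policy with one Allow statement per service. The two-service excerpt and the Sid naming scheme are constructed for the example.

```python
import json
import re

# Constructed excerpt of the required-roles document shown on this page
# (two services only; the real document lists many more).
REQUIRED_ROLES_YAML = """\
required-roles:
  backup:
    actions:
      - backup:DescribeRestoreJob
      - backup:StartRestoreJob
    resources:
      - '*'
  kms:
    actions:
      - kms:CreateGrant
      - kms:Decrypt
      - kms:DescribeKey
      - kms:GenerateDataKey
    resources:
      - '*'
"""

_KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*$")   # "  service:" / "    actions:"
_ITEM_RE = re.compile(r"^\s*-\s*(.+?)\s*$")             # "      - ec2:CreateTags"


def parse_required_roles(text):
    """Parse the restricted YAML shape of required-roles: a single root key,
    one mapping per service, each holding 'actions' and 'resources' lists.
    This is deliberately not a general YAML parser."""
    services = {}
    service = None
    list_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _KEY_RE.match(raw)
        if m:
            indent, key = len(m.group(1)), m.group(2)
            if indent == 0:
                continue                      # the 'required-roles:' root
            if indent == 2:
                service = key
                services[service] = {"actions": [], "resources": []}
                list_key = None
            elif indent == 4 and service is not None:
                if key not in ("actions", "resources"):
                    raise ValueError(f"unexpected key {key!r} under {service}")
                list_key = key
            continue
        m = _ITEM_RE.match(raw)
        if m and service is not None and list_key is not None:
            services[service][list_key].append(m.group(1).strip("'\""))
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    return services


def check_action_prefixes(services):
    """Return (section, action) pairs whose service prefix does not match the
    section they sit in, e.g. an 'ec2:' action filed under 'iam:'."""
    bad = []
    for service, spec in services.items():
        for action in spec["actions"]:
            if action.split(":", 1)[0] != service:
                bad.append((service, action))
    return bad


def build_policy(services):
    """Build an IAM identity policy with one Allow statement per service.
    Actions are de-duplicated and sorted so the policy diffs cleanly."""
    statements = []
    for service in sorted(services):
        spec = services[service]
        statements.append({
            # Sid must be alphanumeric; the 'AocRestore' prefix is a constructed convention.
            "Sid": "AocRestore" + re.sub(r"[^A-Za-z0-9]", "", service.title()),
            "Effect": "Allow",
            "Action": sorted(set(spec["actions"])),
            "Resource": spec["resources"] or ["*"],
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    parsed = parse_required_roles(REQUIRED_ROLES_YAML)
    if check_action_prefixes(parsed):
        raise SystemExit(f"misfiled actions: {check_action_prefixes(parsed)}")
    print(json.dumps(build_policy(parsed), indent=2))
```

Feed the full required-roles document from this section to parse_required_roles to get the complete policy. The document grants '*' as the resource everywhere; scoping statements such as iam:PassRole or kms:Decrypt to the specific role and key ARNs of the deployment is a worthwhile follow-up once they are known.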
11.3.3. Preparing the environment
Procedure
1. Make sure the AWS_CREDS_ABS_PATH environment variable is defined and points to your AWS credentials file.
$ export AWS_CREDS_ABS_PATH=/Users/<USER>/.aws/credentials
2. Create an extra_vars/vars.yml file, make sure it contains the following values, and customize them to match your environment.
aws_foundation_stack_name: "my-foundation-stack"
aws_restored_stack_name: "my-foundation-stack-restored"
aws_region: us-east-1
aws_backup_vault_name: "Default"
aws_rds_db_snapshot_arn: "arn:aws:rds:us-east-1:123456789012:snapshot:my-foundation-stack-rds169785b9-55rtrqwtj4e6-snap-2023-03-07"
aws_backup_restore_point_arn: "arn:aws:backup:us-east-1:123456789012:recovery-point:878a542c-0f59-42d7-ad4d-f46848c21757"
aws_backup_iam_role_arn: "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"
aws_s3_bucket: "my-example-bucket"
aws_efs_physical_id: "fs-05a4f9a1049c00977"
aws_cf_keypair_name: "my-key-pair"
where:
- aws_foundation_stack_name is the name of the existing deployment.
- aws_restored_stack_name is the name you want to use for the newly restored deployment.
- aws_region is the region where the existing stack is deployed and where the newly restored stack will be deployed.
- aws_backup_vault_name is the name of the backup vault where your EFS backups are stored.
- aws_rds_db_snapshot_arn is the ARN of the RDS snapshot to use for the restore. It can be found in the backup playbook output as rds_db_snapshot_arn. Note: if there is a specific RDS snapshot you want to use, you must find its ARN manually in the AWS console. You must also make sure the RDS snapshot comes from an Ansible on Clouds deployment whose version matches the ansible-on-clouds-ops container you are using to run the restore.
- aws_backup_restore_point_arn is the ARN of the recovery point to use for the restore. It can be found in the backup playbook output as RecoveryPointArn. Note: if you have set up automated backups and there is a specific EFS recovery point you want to use, you must find its ARN manually in the AWS console. You must also make sure the EFS recovery point comes from an Ansible on Clouds deployment whose version matches the ansible-on-clouds-ops container you are using to run the restore.
- aws_backup_iam_role_arn is the AWS IAM role that has permissions to perform backup operations. Note: you can use the AWS Backup Default Service Role, which has the format arn:aws:iam::<Your AWS Account Number>:role/service-role/AWSBackupDefaultServiceRole.
- aws_s3_bucket is the name of the S3 bucket that the playbook can access to upload the CloudFormation template. The name must not contain uppercase letters.
- aws_efs_physical_id is the physical ID of the EFS in the original deployment. For example: fs-06837574544929090.
- aws_cf_keypair_name is the key pair passed as a parameter when the newly restored deployment is created. Note: the key pair must exist in the AWS region you are restoring to.
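Several of the notes above are consistency requirements that are cheap to verify before the container runs and expensive to discover after a half-created stack: the bucket name must be lowercase, the RDS snapshot and the EFS recovery point must live in aws_region, and the three ARNs should belong to the same account. The following pre-flight check is an added example, not part of this documentation or of the ansible-on-clouds-ops container. It parses the flat key: value form of vars.yml without PyYAML, applies AWS's documented ARN layout and S3 bucket naming rules, and returns a list of problems; the sample file reuses the placeholder values from this section. It cannot confirm that the key pair exists in the target region, which still needs the console or CLI.

```python
import re

# Constructed extra_vars/vars.yml using the placeholder values from this
# section; the account number, ARNs and names do not belong to any real deployment.
SAMPLE_VARS_YML = """\
aws_foundation_stack_name: "my-foundation-stack"
aws_restored_stack_name: "my-foundation-stack-restored"
aws_region: us-east-1
aws_backup_vault_name: "Default"
aws_rds_db_snapshot_arn: "arn:aws:rds:us-east-1:123456789012:snapshot:my-foundation-stack-rds169785b9-55rtrqwtj4e6-snap-2023-03-07"
aws_backup_restore_point_arn: "arn:aws:backup:us-east-1:123456789012:recovery-point:878a542c-0f59-42d7-ad4d-f46848c21757"
aws_backup_iam_role_arn: "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole"
aws_s3_bucket: "my-example-bucket"
aws_efs_physical_id: "fs-05a4f9a1049c00977"
aws_cf_keypair_name: "my-key-pair"
"""

REQUIRED_KEYS = (
    "aws_foundation_stack_name", "aws_restored_stack_name", "aws_region",
    "aws_backup_vault_name", "aws_rds_db_snapshot_arn",
    "aws_backup_restore_point_arn", "aws_backup_iam_role_arn",
    "aws_s3_bucket", "aws_efs_physical_id", "aws_cf_keypair_name",
)

# arn:partition:service:region:account-id:resource (region/account may be empty)
ARN_RE = re.compile(r"^arn:(aws[a-z-]*):([a-z0-9-]+):([a-z0-9-]*):(\d{12}|):(.+)$")


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines of vars.yml; quotes are stripped.
    Only the first colon separates key from value, so ARNs survive intact."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def parse_arn(arn):
    """Split an ARN into its documented fields or raise ValueError."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed ARN: {arn!r}")
    partition, service, region, account, resource = m.groups()
    return {"partition": partition, "service": service,
            "region": region, "account": account, "resource": resource}


def validate_vars(v):
    """Return a list of problems; an empty list means the file is consistent."""
    missing = [k for k in REQUIRED_KEYS if not v.get(k)]
    if missing:
        return [f"missing or empty: {', '.join(missing)}"]
    problems = []
    region = v["aws_region"]
    if not re.fullmatch(r"[a-z]{2}(-gov)?-[a-z]+-\d", region):
        problems.append(f"aws_region {region!r} is not a valid AWS region name")
    if v["aws_restored_stack_name"] == v["aws_foundation_stack_name"]:
        problems.append("aws_restored_stack_name must differ from aws_foundation_stack_name")
    bucket = v["aws_s3_bucket"]
    if bucket != bucket.lower():
        problems.append("aws_s3_bucket must not contain uppercase letters")
    elif not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        problems.append(f"aws_s3_bucket {bucket!r} is not a valid bucket name")
    if not re.fullmatch(r"fs-[0-9a-f]{8}([0-9a-f]{9})?", v["aws_efs_physical_id"]):
        problems.append("aws_efs_physical_id does not look like an EFS file system id (fs-...)")
    # Each ARN must be for the right service, sit in aws_region (IAM is global,
    # so its region field is empty) and name the expected resource type.
    expectations = {
        "aws_rds_db_snapshot_arn": ("rds", region, "snapshot:"),
        "aws_backup_restore_point_arn": ("backup", region, "recovery-point:"),
        "aws_backup_iam_role_arn": ("iam", "", "role/"),
    }
    accounts = set()
    for key, (service, want_region, prefix) in expectations.items():
        try:
            arn = parse_arn(v[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if arn["service"] != service:
            problems.append(f"{key}: expected service {service!r}, got {arn['service']!r}")
        if arn["region"] != want_region:
            problems.append(f"{key}: region {arn['region']!r} does not match expected {want_region!r}")
        if not arn["resource"].startswith(prefix):
            problems.append(f"{key}: resource should start with {prefix!r}")
        accounts.add(arn["account"])
    if len(accounts) > 1:
        problems.append(f"ARNs reference different accounts: {sorted(accounts)}")
    return problems


if __name__ == "__main__":
    for problem in validate_vars(parse_flat_yaml(SAMPLE_VARS_YML)):
        print("vars.yml:", problem)
```

Run it against the real file with parse_flat_yaml(open("extra_vars/vars.yml").read()) before the docker run in the next section; a non-empty list is a reason to stop, since the playbook would otherwise start creating resources with the inconsistent values.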
11.3.4. Running the ansible-on-clouds-ops 2.2 container to restore the stack
After the environment is prepared, run the following command to trigger the restore:
$ docker run --rm --env PLATFORM=AWS \
-v $(pwd)/extra_vars:/extra_vars:ro \
-v ${AWS_CREDS_ABS_PATH}:/home/runner/.aws/credentials \
$IMAGE \
redhat.ansible_on_clouds.aws_restore_stack \
-e @/extra_vars/vars.yml