4.3.7.1 Restoring a backup

If you are provisioning a new set of OpenCRVS servers, perhaps during an upgrade procedure, you may wish to restore from a previous backup onto a staging or production environment. These steps document the required process.

Once your servers are provisioned, follow these steps:

1. SSH into the backup server (using details for a user who has permission to access the backup environment , e.g.: a user in your backup.yml inventory file), and make a directory named the date of the backup you wish to restore from where the variable $DATE_OF_REQUIRED_BACKUP is in this format: YYYY-MM-DD, in the following provisioned directory:

mkdir /home/backup/backups/$DATE_OF_REQUIRED_BACKUP

1. Exit the backup server and use the rsync command to copy an encrypted backup file from (in this example - a local environment) onto your backup server into the above directory, in the following manner. $SSH_HOST, $SSH_PORT, $SSH_USER are the details for a user has permission to access the backup environment , e.g.: a user in your backup.yml inventory file

rsync -a -r --delete --progress --rsh="ssh -o StrictHostKeyChecking=no -p $SSH_PORT" \
  ${DATE_OF_REQUIRED_BACKUP}.tar.gz.enc \
  $SSH_USER@$SSH_HOST:/home/backup/backups/$DATE_OF_REQUIRED_BACKUP/${DATE_OF_REQUIRED_BACKUP}.tar.gz.enc

1. You will need the appropriate BACKUP_ENCRYPTION_PASSPHRASE that was used to encrypt the backup that you are restoring.

2. You also need the REPLICAS, ELASTICSEARCH_ADMIN_PASSWORD, MONGODB_ADMIN_USER, MONGODB_ADMIN_PASSWORD secrets for the staging or production environment you are restoring to. You created and stored these in your password manager in this step.

3. SSH into the provisioned environment that you wish to restore the backup onto, e.g. a staging or production server manager node.

4. Export the required variables that the commands will use so that they are available as environment variables in your terminal session

export ELASTICSEARCH_ADMIN_USER=elastic \
export ELASTICSEARCH_ADMIN_PASSWORD=<enter the appropriate secret here> \
export MONGODB_ADMIN_USER=<enter the appropriate secret here> \
export MONGODB_ADMIN_PASSWORD=<enter the appropriate secret here> \
export BACKUP_ENCRYPTION_PASSPHRASE=<enter the BACKUP_ENCRYPTION_PASSPHRASE that was used to encrypt the backup that you are restoring> \
export SSH_HOST=<enter the backup server host> \
export SSH_PORT=<enter the backup server SSH port> \
export LABEL=<enter the DATE_OF_REQUIRED_BACKUP in this format: YYYY-MM-DD> \
export REPLICAS=<enter the appropriate secret for this environment> \

1. Run this command to download and decrypt the backup from the backup environment onto your current environment. Any errors will output to: /var/log/opencrvs-restore.log

cd / && bash /opt/opencrvs/infrastructure/backups/download.sh --passphrase=$BACKUP_ENCRYPTION_PASSPHRASE --ssh_user=backup --ssh_host=$SSH_HOST --ssh_port=$SSH_PORT --label=$LABEL --remote_dir=/home/backup/backups >> /var/log/opencrvs-restore.log 2>&1

1. Run this command to restore the backup onto your server. Any errors will output to: /var/log/opencrvs-restore.log

cd / && bash /opt/opencrvs/infrastructure/backups/restore.sh --replicas=$REPLICAS --label=$LABEL >> /var/log/opencrvs-restore.log 2>&1

1. OpenCRVS requires to be re-deployed to function properly once a backup has been restored. Run this command to take OpenCRVS down / OFFLINE.

docker stack opencrvs down

1. Run this command to clear your terminal session of the history of any exported secrets (security step)

history -c
history -w

1. Now exit the server follow the "Running a deployment step" step to re-deploy OpenCRVS. Do not seed the environment. You can use the user details to login as they existed on the backup as soon as OpenCRVS deploys.