Layer7 API Management

  • Private Community
 View Only
Back to Library

Backing up and Restoring a CA API Gateway docker container 

Aug 10, 2016 12:25 PM

Hello API Community!

 

We will share with you some caveats on how to backup and restore your CA API Gateway running on a docker container. By following the documented steps here you will be able to spin up a fresh CA API Gateway docker container (gateway + mysql), run a full backup of it, destroy the containers, recreate them and restore to the point you left before kill them. This helps a lot as containers are not static things and usually rely on some sort of devops procedures to deploy things into it case you need to recreate everything from scratch.

 

This article is a result of a team effort and I wanted to include hocmo01 and solda01 as the co-authors of this tutorial

 

Some assumptions, before we get to it:

 

  1. None of the steps are meant to replace any Devops procedures for production environments, that means, you should use your own approach to make sure you have all the required information saved in order to do a full restore.
  2. All the steps were executed on a test lab environment and their replication will depend on your environment and expertise.
  3. The steps were made using a Mac but you still can use Windows/Linux to do so. You just have to adapt the command's name for the GMU;
  4. You may find a better way to do it and if so, don't by shy and post it on the comments below

 

Let's get started!

 

Backing up your containers:

 

We will be using 03 different tools to save everything we've changed on our CA API Gateway docker container. They are:

  • The Gateway Migration Utility (aka GMU), that you can find inside the development tools through CA support/download website;
  • The Gateway's native backup tool; &
  • The MySQL Dump tool.

 

Using the GMU to export the gateway's configuration:

 

1. Open the Terminal and go to the folder where you saved the GMU. The version we're using in this tutorial is the 1.3.00. Run this command to export your gateway's configuration:

 

GMU Command to backup the gateway
./GatewayMigrationUtility.sh migrateOut -h gwlab10.apimca.com -p 8443 -u pmadmin --plaintextPassword 7layer --trustCertificate --trustHostname --plaintextEncryptionPassphrase 7layer --all -d docker/migrateout.xml

 

Command's arguments detailed:

Argument
Explanation
migrateOutIt wil perform a full export
-h gwlab10.apimca.comYour gateway's hostname or IP address
-p 8443Gateway's port
-u pmadminAdmin user name to connect to the gateway
--plaintextPassword 7layerThe Admin's plain text password

--trustCertificate

--trustHostname

--plaintextEncryptionPassphrase 7layer

Some arguments to allow the communication to be smoothly
--allSave everything
-d docker/migrateout-20160810.xmlWhere the exported XML file will be saved. You have to create the folder (in this case docker) first

 

This is the result of the above command being executed:

 

2016-08-10_11-40-03.png

 

Using the Gateway's native tool to save a full backup:

 

1. Go to your docker host and connect to your gateway's container using the command: docker exec -it <container ID> bash. If you don't know your container ID, you can run a docker ps and get the CONTAINER ID of your running caapim/gateway.

 

2. Once inside your gateway's container, navigate to /opt/SecureSpan/Gateway/config/backup/ and run the following command:

 

./ssgbackup.sh -image mygatewayexport.zip -config -ext -ca -ma

 

Where mygatewayexport.zip is the name of the file that will be generated as your backup. After run that command you will be seeing something like that:

2016-08-10_11-49-42.png

The backup file will be saved here: /opt/SecureSpan/Gateway/config/backup/images.

 

3. Exit the container by typing exit and copy the generated file from the container into the docker host. You will be using that file later during the restore process. To copy that file from the gateway's container, run the following command, using your own container ID and export file:

 

docker cp 838a073f638b:/opt/SecureSpan/Gateway/config/backup/images/20160810164925_mygatewayexport.zip .

 

2016-08-10_11-56-08.png

 

Backing up the MySQL Database:

 

1. Connect yo your MySQL container, using the docker exec command, and run the mysqldump command as follows:

 

mysqldump -u root -p --all-databases > dump.sql

 

2016-08-10_12-00-12.png

 

This will save a dump.sql file, which you have to copy from the container into your docker host like you did in the step #3 previously.

 

At this point you should have 03 different files:

 

  • migrateout-20160810.xml --> created by the GMU;
  • 20160810164925_mygatewayexport.zip --> created by the gateway's native backup tool; and
  • dump.sql --> created by the MySQL dump tool;

 

I'd suggest you to put those 3 files in the same folder, to facilitate the restoring process.

 

Restoring everything:

 

Assuming you have destroyed your containers and spun up new ones, we're going to restore everything from the saved backups. Although we had used both the GMU the and Gateway's native backup tool, we will be using only one of them to restore the gateway's configuration. You don't need to use both. In this tutorial we will be using the gateway's restore tool but will be showing you how to use the GMU as well.

 

Stoping the SSG service and restoring the gateway's configuration and MySQL database:

 

1. Connect to your new Gateway's container and stop the SSG service using the command service sag stop

2016-08-10_12-09-24.png

 

2. Close the connection and go to the folder where you saved your backup files. Now copy the gateway's image (zip file) to your new gateway's container using the following command:

 

docker cp 20160810151553_name.zip bd26c8e4fbee:/opt/SecureSpan/Gateway/config/backup/images/

 

3. Connect to your gateway's container again and go to the folder /opt/SecureSpan/Gateway/config/backup/

 

4. Now run the following command to restore the backup. Make sure you're using the right path and name of your backup file:

 

./ssgrestore.sh -image /opt/SecureSpan/Gateway/config/backup/images/20160810151553_name.zip -config -ca -ma

 

2016-08-10_12-15-15.png

 

5. Exit the gateway's container and connect to your new MySQL one;

 

6. From the same folder you saved your backup files, run the following command to copy the saved MySQL dump file to the container:

 

docker cp dump.sql 1eaba1c1a4d6:/

 

7. Now connect to your MySQL container again to run the dump using the following command:

 

mysql -u root -p < dump.sql

 

2016-08-10_12-18-56.png

 

8. In our environment we had issues with the OTK after restoring the files. If you experience any issues with either the OAuth Manager or Test Client, you will need to drop your OTK_DB and recreate it using the otk_db_schema.sql and otk_db_testdata.sql. The following will show you how to do it:

 

2016-08-10_12-21-25.png

 

After copying the files, connect to the MySQL console and drop the otk_db (use the same name you used when installed the OTK), and then recreate it:

 

# mysql -u root -p

mysql> drop database otk_db;

mysql> create database otk_db;

mysql> flush privileges;

# mysql -u root -p otk_db < otk_db_schema.sql

# mysql -u root -p otk_db < otk_db_testdata.sql

 

2016-08-10_12-25-05.png

 

9. Now go back and connect to your gateway's container again. At this time, run the following command to start the SSG service again:

 

# service ssg start

 

10. Wait until the service SSG is fully started and make some tests by connecting to your gateway using the Policy Manager and also OAuth Manager / TestClient (if you had them installed before the backup). If you had the OTK installed previously, you will need to reconfigure the clients to match your gateway's hostname following this document: Post-Installation Tasks - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation

 

These are some screenshots from our restored gateway:

 

2016-08-10_12-28-07.png

 

2016-08-10_12-28-48.png

 

Documentation references:

 

Statistics
0 Favorited
36 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Carl_Lum
May 15, 2018 01:21 PM

It is important to note that the instructions provided in this post are intended for the pre-9.3 Gateway Docker Appliance. These instructions DO NOT apply to the Container Gateway (which is also based on Docker) found in version 9.3 and higher. 

ravikiranbg
Jan 24, 2017 07:53 AM

Hi Alan,

 

I have an issue in exporting using GMU.

 

 ./GatewayMigrationUtility.sh migrateOut -h xmlgw.int.staging.cims.trilegiant.com -p 8443 -u admin --plaintextPassword password --trustCertificate --trustHostname --plaintextEncryptionPassphrase password --all -d docker/migrateout.xml
Warning: TLS hostname verification has been disabled
Warning: TLS server certificate check has been disabled
Running..
Execution failed. Reason: Internal Server Error. Detail: Service Not Found.  The request may have been sent to an invalid URL, or intended for an unsupported operation.

 

I have tried with both IP and Hostname, Port number 7443&9443. We are running layer 7 in Docker container. Can you please let me know why i see the below error in GMU.log

 

javax.ws.rs.WebApplicationException: 500 Internal Server Error
    at com.ca.gateway.rest.api.GatewayManagementGatewayClient$IP10Bundle.getAsItemReferenceType(Unknown Source)
    at com.ca.gateway.rest.api.resource.impl.BundleResource.getBundle(Unknown Source)
    at com.ca.gateway.rest.commandline.command.MigrateOutCommand.a(Unknown Source)
    at com.ca.gateway.rest.commandline.command.MigrateOutCommand.run(Unknown Source)
    at com.ca.gateway.rest.commandline.command.GatewayCommand.run(Unknown Source)
    at com.ca.gateway.rest.commandline.command.Command.runCommand(Unknown Source)
    at com.ca.gateway.rest.commandline.Main.main(Unknown Source)

 

 

Thanks,

Ravi

David Brinkworth
Aug 22, 2016 10:16 PM

Hi

 

Yes, if there are files that aren't persisted they will be recreated.  You could also try mapping the volume the MQ jars are copied  to in the same manner as the mysql data. I'm still trying to get my head around the best way to resolve these sorts of issues, which will tend to come up as docker is used more and more.

 

I suspect from my reading that the "proper" way to resolve this is to use the docker build command to create a new image based on the caapim/gateway:latest image but copying your MQ jars as required.  Then you point docker-compose to the new image.  (just a thought)

 

Cheers

David

ljlima
Aug 22, 2016 12:32 PM

Hi David,

 

I tried this solution before I had to create my own "dirty" solution. In my case,  I need to copy the MQ Native .jars to gateway and restart it. If I use docker-compose, it recreates APIM from scratch and destroy my files. I will try change the docker-compose.yml to copy MQ files to gateway on start.

 

Thanks for sharing.

Regards.

Luciano.

David Brinkworth
Aug 21, 2016 10:20 PM

Hi

 

I found a "quick and dirty" way to persist a gateway config (appropriate for a "playing around" setup , prob not for anything else)  May be of interest in some circumstances, I haven't tested it seriously so there may be some lurking problems.

 

volumes:

    - /c/Users/brida02/mysqldatadir:/var/lib/mysql

  • Spin up the docker containers "docker-compose -f "./docker-compose.yml" -p docops up -d"
  • Apply the license, add any policy required.
  • All changes now persist to your hard disk
  • Change the following line in the docker-compose from

SSG_CLUSTER_COMMAND: "create"

to:

SSG_CLUSTER_COMMAND: "join"

 

  • Now when you destroy/restart containers mysql just picks up the contents of the old database and SSG startup doesn't do any initialization it just connects to the mysql database

 

 

Cheers

David

ljlima
Aug 21, 2016 12:59 AM

Hey Alan Cota, I want to share some progress I done with my research.

 

The command "create" used to docker-compose it's working to create the container. But when I need to stop/start/restart this Container SSG there are many issues that I found in /root/entryPoint.sh (due to Docker run this script with the original environment at container creation time). Then I change the script to do this:

 

1- Create a file in /userdata named "created". It's a proof the entryPoint.sh worked and already to use.

2- When you start/restart Docker SSG, this script now tests if /userdata/created exists. On affirmative, the script will not configurate anymore the database and node.properties

3- If you stop a Docker container, Docker send SIGTERM to your container. Then now I trace this event to create the /userdata/shutdown file, that starts the natural process to stop the Gateway and finish it gracefully.

 

Now, my SSG in a box can be stopped and restarted anytime.

 

Feel free to send this message to the SSG engineering team. I'm happy to answer other info about my share. Below a link to my entryPoint.sh. Thank you.

 

https://drive.google.com/open?id=0B8VuNPO1f9h8Y1lSOUZvS0dTcFE

 

Best Regards.

ljlima
Aug 20, 2016 10:27 AM

Hi Alan Cota, great work. Is there a way to restart a gateway docker image today? Entrypoint.sh always to try copy the license again and fail.

Alan Cota
Aug 10, 2016 02:40 PM

Thanks Doyle!

Doyle_Reece
Aug 10, 2016 02:21 PM

Awesome stuff guys!

Related Entries and Links

No Related Resource entered.