Backup and restore

Save a backup copy of the StackRox Kubernetes Security Platform database or restore from a backup.


You can back up the data of the StackRox Kubernetes Security Platform and use these backups to restore it after an infrastructure disaster or data corruption. You can configure automatic or on-demand backups by integrating with Amazon S3 or Google Cloud Storage.

You can also perform on-demand backups by using the roxctl command-line client.

The backup includes the StackRox Kubernetes Security Platform’s entire database, which includes all configurations, resources, events, and certificates. Make sure that backups are stored securely.

If you’re using the StackRox Kubernetes Security Platform version 3.0.53 or older, the backup doesn’t include certificates.

On-demand backups

Use the roxctl command-line client to take the backups:

Using an API token

  1. Set the ROX_API_TOKEN and CENTRAL_ADDRESS environment variables.
    export ROX_API_TOKEN=<api-token>
    export CENTRAL_ADDRESS=<address>:<port-number>
  2. Run the backup command.
    • For the StackRox Kubernetes Security Platform version 3.0.55 or newer:
      roxctl -e "$CENTRAL_ADDRESS" central backup
    • For the StackRox Kubernetes Security Platform version 3.0.54 or older:
      roxctl -e "$CENTRAL_ADDRESS" central db backup
  • The API token you use must have read permission for all resources of the StackRox Kubernetes Security Platform.
  • You can assign the Analyst system role to grant this level of access, as the Analyst role has read permissions for all resources.

Using the administrator password

  1. Set the CENTRAL_ADDRESS environment variable.
    export CENTRAL_ADDRESS=<address>:<port-number>
  2. Run the backup command.
    • For the StackRox Kubernetes Security Platform version 3.0.55 or newer:
      roxctl -p <admin-password> -e "$CENTRAL_ADDRESS" central backup
    • For the StackRox Kubernetes Security Platform version 3.0.54 or older:
      roxctl -p <admin-password> -e "$CENTRAL_ADDRESS" central db backup

By default, the roxctl command-line client saves the backup file in the directory in which you run the command. You can use the --output option to specify the backup file location.

Restore

You can restore the StackRox Kubernetes Security Platform from an existing backup by using the roxctl command-line client. To do this:

  1. Download the backup files.

  2. Use the following commands to restore:

    • by using an API token:
      export ROX_API_TOKEN=<api-token>
      export CENTRAL_ADDRESS=<address>:<port-number>
      roxctl -e "$CENTRAL_ADDRESS" central db restore <backup-filename>
    • by using the administrator password:
      export CENTRAL_ADDRESS=<address>:<port-number>
      roxctl -p <admin-password> -e "$CENTRAL_ADDRESS" central db restore <backup-filename>

During a restore operation, if your connection is interrupted or you need to go offline, you can resume the restore operation.

  • If you don’t have access to the machine running the resume operation, use the roxctl central db restore status command to check the status of an ongoing restore operation.
  • In case of connection interruptions, the roxctl command-line client automatically tries to restore a task when the connection becomes available. The automatic connection retries depend on the duration specified by the timeout option.
  • Use the --timeout option to specify the time (in seconds, minutes, or hours) after which the roxctl command-line client stops trying to resume a restore operation. If not specified, the default timeout is 10 minutes (10m).
  • If a restore operation is stuck or if you want to cancel it, use the roxctl central db restore cancel command to cancel an ongoing restore operation.
  • If a restore operation is stuck, or you’ve canceled it, or it timed out, you can resume the previous restore by re-running the original command.
  • During interruptions, the StackRox Kubernetes Security Platform caches an ongoing restore operation for 24 hours. You can resume this operation by re-running the original restore command.
  • The --timeout option only governs client-side connection retries and does not affect the 24-hour server-side restore cache.
  • You can’t resume restore operations across restarts of the Central pod.
  • If a restore operation is interrupted, you must restart it within 24 hours and before Central restarts, otherwise the StackRox Kubernetes Security Platform cancels the restore operation.
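
Because the backup contains the entire database, including certificates, the following added example (not part of the StackRox documentation or tooling) wraps the backup and restore commands above so that the file lands in an owner-only directory with a recorded SHA-256 digest, and a restore runs only if the file still matches. The function names, the constructed file name, and passing a file path to --output are assumptions.

```shell
#!/bin/sh
# Added example, not StackRox code. Assumes CENTRAL_ADDRESS and ROX_API_TOKEN
# are exported as in the steps above, and that --output accepts a file path.

# take_backup DIR: write a backup into an owner-only directory, record its
# SHA-256 digest beside it, and print the backup file path.
take_backup() (
    umask 077                                   # new files/dirs: owner only
    mkdir -p "$1" && chmod 700 "$1" || exit 1
    name="stackrox-backup-$(date -u +%Y%m%dT%H%M%SZ).zip"   # constructed name
    # 3.0.55 or newer; on 3.0.54 or older use "central db backup" instead.
    roxctl -e "$CENTRAL_ADDRESS" central backup --output "$1/$name" || exit 1
    [ -s "$1/$name" ] || { echo "backup missing or empty" >&2; exit 1; }
    cd "$1" && sha256sum "$name" > "$name.sha256" || exit 1
    echo "$1/$name"
)

# verify_backup FILE: succeed only if FILE is accessible to its owner alone
# and still matches the digest recorded by take_backup.
verify_backup() (
    dir=$(dirname "$1"); name=$(basename "$1")
    case $(ls -ld "$1" 2>/dev/null) in
        -r[w-]-------*) ;;
        *) echo "$1: missing or accessible by group/others" >&2; exit 1 ;;
    esac
    cd "$dir" && [ -f "$name.sha256" ] && sha256sum -c "$name.sha256" >/dev/null \
        || { echo "$1: digest check failed" >&2; exit 1; }
)

# restore_verified FILE: restore only from a backup that passes verify_backup.
restore_verified() {
    verify_backup "$1" || return 1
    roxctl -e "$CENTRAL_ADDRESS" central db restore "$1"
}
```

A digest stored next to the backup detects corruption or truncation; to detect deliberate modification, keep a copy of the .sha256 file somewhere the backup storage cannot write to.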


© 2021 StackRox Inc. All rights reserved.