Performing backups without TLS

Hi folks,

I have a FoundationDB cluster that does not have TLS enabled I’d like to back up. FoundationDB fdbbackup covers flags to feed the agent to address self-made certificates and (Solved) Correct setup of TLS for FoundationDB covers setting up TLS but the docs suggest I may be able to get backups without having to first flip traffic in my cluster to use TLS. From Backup, Restore, and Replication for Disaster Recovery:

By default, backup will communicate over https.

This I read to suggest that it’s possible to communicate otherwise but, as far as I can tell from reading the source, https is mandatory. Is this true? If so that’s okay but I sure wouldn’t mind getting a backup regime running before I start adding TLS into my cluster.

The following configs worked for me:

FDB_TLS_VERIFY_PEERS=Check.Valid=0 FDB_TLS_CERTIFICATE_FILE="/etc/foundationdb/fdb.pem" FDB_TLS_KEY_FILE="/etc/foundationdb/private.key" FDB_TLS_CA_FILE="/etc/foundationdb/cert.crt" fdbbackup ...

I can’t remember, but you may have to add sc=0 to the blobstore url like blobstore://access:secret@host:port/route?bucket=bucket_name&sc=0.

More info here.

@surprisetalk, I may be missing something but the instructions you linked are for establishing TLS within a cluster so that backup will work, not getting backup working over a non-secure connection first and then transitioning a cluster to use TLS, no?

I did try adding &sc=0 to the end of my blobstore URL and was told that the URL was invalid. I’m on version 6.0.18.

Sorry I wasn’t clear. I remember encountering configuration issues when some of the TLS options weren’t defined, but I may be misremembering.

Try running fdbbackup after running sudo tcpdump port 80. You should be able to see the attempted requests to AWS when TLS is successfully turned off. You may also want to run fdbbackup start --log ... and read through the resulting xml file to find out exactly what’s going wrong.

@surprisetalk is right that sc=0 or secure_connection=0 as a URL parameter in a blobstore:// URL will disable HTTPS for S3 API requests.

However, communicating with your FDB cluster with TLS or not is actually independent from talking to an S3 API with HTTPS. Using HTTPS is strongly recommended because although your credentials are not at risk (due to how authentication works) the backup data itself (keys, values, and mutations from your db) - is not encrypted so it would be visible to anyone sniffing the network traffic between you and S3.

I just tested the scenario of connecting to an FDB cluster without TLS and using the S3 client with HTTPS at the same time to make sure this works as we intended. The command I used was fdbbackup describe -C <cluster_file> -d <url> --version_timestamps. This uses the S3 client to list backup files and uses the cluster file to resolve versions in the backup filenames into timestamps.

I had these three environment variables set:

FDB_TLS_CERTIFICATE_FILE
FDB_TLS_CA_FILE
FDB_TLS_KEY_FILE