Container Image restore from gateway backup results in temp user,roles

Nathaniel.Jarrett · August 14, 2024, 10:41pm

Setting up to utilize the container images for sub-prod development and testing and have not been able to get the gateway to do a restore from back up without creating a temp user/role.

I have tried a combination of several combinations of differing environment parameters, but nothing seems to work.

apiVersion: v1
kind: Pod
metadata:
  name: setup-mes
spec:
  restartPolicy: Always
  containers:
  - name: setup-frontend
    image: inductiveautomation/ignition:8.1.42
    resources:
      requests:
        memory: "1024Mi"
        cpu: "500m"
      limits:
        memory: "4096Mi"
        cpu: "2000m"
    args:
    - -r
    - "/restore.gwbk"
    env:
    # - name: GATEWAY_SYSTEM_NAME
    #   value: Ignition-setup
    # - name: GATEWAY_ADMIN_USERNAME
    #   value: <admin>
    # - name: GATEWAY_ADMIN_PASSWORD
    #   value: <password>
    # - name: IGNITION_EDITION
    #   value: standard
    # - name: ACCEPT_IGNITION_EULA
    #   value: Y
    - name: GATEWAY_MODULES_ENABLED
      value: opc-ua,perspective,reporting,tag-historian,web-developer
    ports:
    - containerPort: 8088
      protocol: TCP
      hostPort: 8088
    - containerPort: 8043
      protocol: TCP
      hostPort: 8043
    - containerPort: 8060
      protocol: TCP
      hostPort: 8060
    volumeMounts:
    - mountPath: /usr/local/bin/ignition/data
      name: setup-frontend-data
    - mountPath: /modules
      name: setup-frontend-modules
    - mountPath: /restore.gwbk
      name: setup-frontend-gwbk
  volumes:
  - name: setup-frontend-data
    persistentVolumeClaim:
      claimName: setup-frontend-gw
  #   hostPath:
  #     path: ./services/setup-frontend/ignition-data
  #     type: DirectoryOrCreate
  - name: setup-frontend-modules
    hostPath:
      path: ./modules
      type: DirectoryOrCreate
  - name: setup-frontend-gwbk
    hostPath:
      path: ./backups/gateway/setup-frontend.gwbk
      type: File

Our company uses RHEL and an architecture that doesn't support docker so have been utilizing podman and the play kube functionality based on kubernetes to do the "compose" files. I've been able to make this work to a point but when trying to restore from backup I continually get the temp profile created. The AD user/role is what I'd like to be able to enable from startup and be good to go so that user/customer testing is immediately available.

Nathaniel.Jarrett · August 14, 2024, 11:15pm

@kcollins1, Hoping you have some input as to what triggers that temp user/role to be created by the container image after restoring from backup. Hoping it's just a silly miss.

Nathaniel.Jarrett · August 15, 2024, 12:18am

Main issue looks to be the below. No matter how I update the parameters this seems to happen each time. I found a relevant link below but have not found a relevant way to implement the restore and skip the commissioning.
Gateway Restore command (gwcmd) showing warning and needs manual startup - #4 by kcollins1

init | 2024/08/15 00:13:40 | Attempting to stage gateway restore file: Gateway backup restored, manual startup required

kcollins1 · August 15, 2024, 3:46pm

One key aspect is to ensure that you're NOT specifying GATEWAY_ADMIN_PASSWORD as an env var if you're restoring from GWBK and wanting to keep the built-in auth as-is.

Nathaniel.Jarrett · August 15, 2024, 4:59pm

Hmm, I've tried both specifying and not specifying the GATEWAY_ADMIN_PASSWORD env var and see the same results of the temp profile being created. I've restored the same gwbk after the container is up and see it shows as expected. Below is the args I'm using.
A caveat is I am trying to use the bwdesigngroup docker image but have seen the same results on the IA image as well.

    args:
    - -r 
    - "/restore.gwbk"
    env:
    - name: TZ
      value: America/Los_Angeles
    - name: GATEWAY_ADMIN_USERNAME
      value: admin
    - name: IGNITION_EDITION
      value: standard
    - name: ACCEPT_IGNITION_EULA
      value: Y
    - name: GATEWAY_MODULES_ENABLED
      value: opc-ua,perspective,reporting,tag-historian,web-developer
    - name: GATEWAY_PUBLIC_ADDRESS
      value: setup-frontend.localtest.me

these are the logs I'm seeing with those parameters

Running entrypoint with args -r /restore.gwbk -s 8043 -a setup-frontend.localtest.me -h 8088 -- -Dignition.projects.scanFrequency=10 -Dlogback.configurationFile=/workdir/logback.xml
init     | 2024/08/15 09:48:23 | Parsed restoreFilePath argument; new value: /restore.gwbk
init     | 2024/08/15 09:48:23 | Parsed httpsPort argument; new value: 8043
init     | 2024/08/15 09:48:23 | Parsed httpAddress argument; new value: setup-frontend.localtest.me
init     | 2024/08/15 09:48:23 | Parsed httpPort argument; new value: 8088
init     | 2024/08/15 09:48:23 | Creating init.properties file
init     | 2024/08/15 09:48:23 | Creating gateway.xml
init     | 2024/08/15 09:48:23 | Collected JVM arg: -Dignition.projects.scanFrequency=10
init     | 2024/08/15 09:48:23 | Collected JVM arg: -Dlogback.configurationFile=/workdir/logback.xml
init     | 2024/08/15 09:48:23 | Processing GATEWAY_MODULES_ENABLED=opc-ua,perspective,reporting,tag-historian,web-developer
init     | 2024/08/15 09:48:23 |   Uninstalling 'Logix Driver-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Modbus Driver v2-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Symbol Factory-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Web Browser Module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Mitsubishi-Driver.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Serial Support Client-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Siemens Drivers-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'SFC-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Allen-Bradley Drivers-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'SQL Bridge-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'DNP3-Driver.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Enterprise Administration-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'UDP and TCP Drivers-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'DNP3-Driver-v2.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'SMS Notification-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Serial Support Gateway-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Alarm Notification-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Voice Notification-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Micro800 Driver-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'BACnet Driver-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Omron-Driver.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'IEC 61850 Driver-module.modl'
init     | 2024/08/15 09:48:23 |   Uninstalling 'Vision-module.modl'
init     | 2024/08/15 09:48:23 |   Assuming module Production-module.modl is third-party, skipping...
init     | 2024/08/15 09:48:23 |   Assuming module SPC-module.modl is third-party, skipping...
init     | 2024/08/15 09:48:23 |   Assuming module OEE_Downtime-module.modl is third-party, skipping...
init     | 2024/08/15 09:48:23 |   Assuming module Settings_and_Changeover-module.modl is third-party, skipping...
init     | 2024/08/15 09:48:23 | Writing Container Init File to /usr/local/bin/ignition/data/.container-init.conf
init     | 2024/08/15 09:48:23 | Attempting to stage gateway restore file: Gateway backup restored, manual startup required
init     | 2024/08/15 09:48:24 | Setting gateway.publicAddress.autoDetect=false in gateway.xml
init     | 2024/08/15 09:48:24 | Setting gateway.publicAddress.httpPort=8088 in gateway.xml
init     | 2024/08/15 09:48:24 | Setting gateway.publicAddress.httpsPort=8043 in gateway.xml
init     | 2024/08/15 09:48:24 | Setting gateway.publicAddress.address=setup-frontend.localtest.me in gateway.xml
init     | 2024/08/15 09:48:24 | Adjusting ownership of 6 Ignition installation files to uid=1000,gid=1000.
init     | 2024/08/15 09:48:24 | Staging user step-down from root to uid=1000,gid=1000
init     | 2024/08/15 09:48:24 | Starting Ignition gateway
wrapper  | 2024/08/15 09:48:24 | --> Wrapper Started as Console

kcollins1 · August 15, 2024, 9:19pm

At this point, I'd take a look at a couple of things:

Check the env vars of the running container. Keep in mind that derived images might bake in default values for env vars prior to any you define at container configuration time.
Check the gwbk file and the embedded SQLite3 DB (in 8.1.x) to verify that there isn't a temp user source in there already.

For the first, you can do something like below for a container named my-ignition

# Use a Go template to print each env var on a new line
docker inspect my-ignition -f '{{ range $v := .Config.Env }}{{ println $v }}{{ end }}'

For the latter, you'll need sqlite3 CLI installed as well as unzip (assumes a Linux/macOS/WSL2 operating environment):

# Extract the config db to the current folder
unzip restore.gwbk db_backup_sqlite.idb
# View the AUTHPROFILES table (list of user sources), 
# checking that 'temp' is not there.
sqlite3 db_backup_sqlite.idb "SELECT * FROM AUTHPROFILES"
# Remove the temporary DB you extracted above
rm db_backup_sqlite.idb

Nathaniel.Jarrett · August 16, 2024, 4:38am

@kcollins1 thanks for feedback. I rechecked assumptions with the base IA image and was able to get it to restore as expected with the env vars you mentioned, nothing a good off and on again reset everything.

Like you said, the derived image is likely not applying the env vars in the order I'd hope it would. Now onto following ICC 2023 guide to get this working as I'd like it to.