juju-backup-all
- Canonical BootStack Charmers
- Monitoring
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 46 | 01 Nov 2023 | |
latest/stable | 41 | 28 Apr 2023 | |
latest/stable | 1 | 10 Jan 2022 | |
latest/candidate | 23 | 25 Oct 2023 | |
latest/candidate | 46 | 24 Oct 2023 | |
latest/candidate | 41 | 06 Apr 2023 | |
latest/candidate | 1 | 10 Jan 2022 | |
latest/edge | 46 | 24 Oct 2023 | |
latest/edge | 41 | 31 Mar 2023 | |
latest/edge | 26 | 18 Aug 2022 | |
latest/edge | 25 | 18 Aug 2022 | |
latest/edge | 24 | 18 Aug 2022 | |
latest/edge | 23 | 18 Aug 2022 | |
juju deploy bootstack-charmers-juju-backup-all
Security overview
This charm creates a cron job that periodically backs up the Juju controller and various database charms. It uses the Juju Backup All library to run actions on other charms in the same models, and copies the backup results from those charms to this charm via Juju SSH. This charm is also an exporter server built with the prometheus_client library, and the collected backup metrics are exposed over HTTP.
Risks
This charm offers config options to connect to Juju controllers. The config options include sensitive data, such as Juju controller information and Juju accounts. All the config options are visible in the Juju CLI, and are rendered and stored in an on-disk, plain-text configuration file readable only by jujubackupall, the user created by the charm. Users are advised to create a new Juju user for backups with appropriate scopes.
This charm supports installing the Juju Backup All Exporter snap from the charm resource uploaded by users. However, the uploaded resource will not be verified by the charm, and will be installed in dangerous mode (i.e. via snap install <resource> --dangerous). Therefore, a malicious snap resource can be installed on the system and lead to data leakage or even a system outage. Users uploading the snap resource should be aware of these risks, and ensure the resources are correct and secure. In addition, the exporter service currently only supports HTTP, so users should also be aware that the communication is not encrypted.
In order to run backup actions on other charms and collect backup files from them, the Juju Backup All charm manages a pair of public and private keys in /var/lib/jujubackupall/ssh for the jujubackupall user. The public key is added to the Juju model, granting this user access to all the machines in the same model. Like other files managed by this charm, those keys are readable only by the jujubackupall user.
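The ownership and permission claim above can be checked on a deployed unit. The following is an added example, not part of the charm or its documentation: a shell function that reports anything under a path that is not owned by the expected user or that grants any permission to group or others. It assumes GNU find; the function name and the output format are hypothetical.

```shell
#!/bin/sh
# audit_private_paths OWNER PATH...
# Added example (hypothetical helper, not shipped with the charm).
# Prints one line per finding and returns 1 if any finding exists:
#   MISSING <path>             the path does not exist
#   OWNER <actual owner> <p>   entry is not owned by OWNER
#   MODE <octal mode> <p>      entry grants group or other permissions
# Usage on the charm unit, as root, with the values from this page:
#   audit_private_paths jujubackupall /var/lib/jujubackupall/ssh
audit_private_paths() {
    owner=$1
    shift
    rc=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        # Symlinks are skipped because their own mode bits carry no meaning.
        # %u = owner name (or numeric uid), %m = octal mode, %p = path.
        bad=$(find "$path" ! -type l -printf '%u %m %p\n' |
            while read -r u mode p; do
                [ "$u" = "$owner" ] || echo "OWNER $u $p"
                # Any bit in 077 means group or others can read, write or execute.
                [ $((0$mode & 077)) -eq 0 ] || echo "MODE $mode $p"
            done)
        if [ -n "$bad" ]; then
            echo "$bad"
            rc=1
        fi
    done
    return "$rc"
}
```

The same function can be pointed at the rendered configuration file once its path on the unit is known; this page does not state that path.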