Nexus IQ Server can be deployed on a Kubernetes platform with the embedded H2 database, using the Sonatype Helm charts.
Note: Sonatype does not support IQ instances with an embedded DB in a container environment and strongly recommends using an external database.
This article explains how to migrate an IQ instance to an external DB.
Prerequisites:
- Kubernetes 1.19+
- kubectl CLI with admin access
- Nexus IQ instance deployed using Sonatype Helm chart, with embedded DB
- External PostgreSQL DB for the Nexus IQ instance
- Adequate free space on the persistent volume (a minimum of double the existing DB size)
- Familiarity with the high-level steps in the migration document
Identifying Nexus Deployment
Collect the details below from the existing Nexus IQ deployment
- Namespace in which Nexus IQ is deployed (this example uses nx3)
- Deployment name
$ kubectl get deploy -n nx3
NAME READY UP-TO-DATE AVAILABLE AGE
iqdep-nexus-iq-server 1/1 1 1 74m
sri-postgres 1/1 1 1 100d
- Note down the IQ container name and JAVA_OPTS argument value used in the deployment
$ kubectl get deploy -n nx3 iqdep-nexus-iq-server -o jsonpath='{.spec.template.spec.containers[*].name}'
nexus-iq-server
$ kubectl get deploy -n nx3 iqdep-nexus-iq-server -o jsonpath='{.spec.template.spec.containers[*].env}'
[{"name":"SONATYPE_INTERNAL_HOST_SYSTEM","value":"Helm+Docker"},{"name":"SONATYPE_WORK","value":"/sonatype-work"},{"name":"JAVA_OPTS","value":"-Djava.util.prefs.userRoot=$(SONATYPE_WORK)/javaprefs"}]
Migrating to external DB
1. Schedule adequate downtime for the migration
2. Shut down the Nexus IQ instance gracefully
$ kubectl -n nx3 scale --replicas=0 deploy/iqdep-nexus-iq-server
deployment.apps/iqdep-nexus-iq-server scaled
$ kubectl get deploy -n nx3
NAME READY UP-TO-DATE AVAILABLE AGE
iqdep-nexus-iq-server 0/0 0 0 79m
sri-postgres 1/1 1 1 99d
3. Prepare the patch file (replacing the DB values and container name with your local ones)
$ cat iq-patch-file.yaml
spec:
  template:
    spec:
      containers:
      - name: nexus-iq-server
        # Run an idle shell loop instead of IQ Server so the DB can be exported
        command: ["/bin/bash"]
        args: ["-c", "while true; do echo ; sleep 100;done"]
        env:
        - name: JAVA_OPTS
          value: "-Djava.util.prefs.userRoot=$(SONATYPE_WORK)/javaprefs -Ddw.database.type=postgresql -Ddw.database.hostname=sri-postgres-svc -Ddw.database.port=5432 -Ddw.database.name=iqdb -Ddw.database.username=iq -Ddw.database.password=iq123"
        # IQ is not listening during the export, so allow many probe failures
        livenessProbe:
          failureThreshold: 600
        readinessProbe:
          failureThreshold: 600
4. Patch the deployment so it starts a bash shell for DB export
$ kubectl patch deploy iqdep-nexus-iq-server -n nx3 --patch-file iq-patch-file.yaml
deployment.apps/iqdep-nexus-iq-server patched
5. Start the IQ deployment
$ kubectl -n nx3 scale --replicas=1 deploy/iqdep-nexus-iq-server
deployment.apps/iqdep-nexus-iq-server scaled
6. Perform a full backup using normal backup procedures
7. Log in to the IQ pod and export the embedded DB to a SQL file
bash-4.4$ cd /sonatype-work
bash-4.4$ java -jar /opt/sonatype/nexus-iq-server/nexus-iq-server-1.145.0-01.jar export-embedded-db --dump-file /sonatype-work/iq-db-dump.sql.gz /etc/nexus-iq-server/config.yml
WARN [2022-11-09 05:29:27,277] com.sonatype.insight.brain.service.InsightConfig: The support for initial admin password setting via config.yml was removed in Nexus IQ Server 142. Use the NXIQ_INITIAL_ADMIN_PASSWORD environment variable instead.
2022-11-09 05:29:27,607+0000 INFO [main] com.sonatype.insight.brain.service.DatabaseConfigProvider - Using embedded database at /sonatype-work/data
;
;
2022-11-09 05:29:30,581+0000 INFO [main] com.sonatype.insight.brain.service.ExportEmbeddedDatabaseCommand - Exporting table "insight_brain_third_party_scans"."third_party_vulnerability"
2022-11-09 05:29:30,581+0000 INFO [main] com.sonatype.insight.brain.service.ExportEmbeddedDatabaseCommand - Exporting table "insight_brain_third_party_scans"."schema_version"
2022-11-09 05:29:30,583+0000 INFO [main] com.sonatype.insight.brain.service.ExportEmbeddedDatabaseCommand - Completed export to '/sonatype-work/iq-db-dump.sql.gz' in 2977 ms.
bash-4.4$
8. Copy the SQL dump file to the PostgreSQL system and follow the migration document to import the data into the configured database
9. Once the data import has succeeded, stop the IQ deployment
$ kubectl -n nx3 scale --replicas=0 deploy/iqdep-nexus-iq-server
deployment.apps/iqdep-nexus-iq-server scaled
10. Create a patch file like the one below to remove command and args from the IQ deployment, so the IQ process can start normally
$ cat patch-remove.yaml
- op: remove
  path: "/spec/template/spec/containers/0/command"
- op: remove
  path: "/spec/template/spec/containers/0/args"
11. Use the patch file to update the IQ deployment
$ kubectl patch deploy iqdep-nexus-iq-server -n nx3 --patch-file patch-remove.yaml --type json
deployment.apps/iqdep-nexus-iq-server patched
12. Start the IQ deployment and confirm it is connected to the external database by checking the clm-server.log file
$ kubectl -n nx3 scale --replicas=1 deploy/iqdep-nexus-iq-server
deployment.apps/iqdep-nexus-iq-server scaled
bash-4.4$ egrep -i 'external database|DB URL' clm-server.log | tail -4
2022-11-09 05:45:54,509+0000 INFO [main] *SYSTEM com.sonatype.insight.brain.service.DatabaseConfigProvider - Using external database at sri-postgres-svc
2022-11-09 05:45:54,509+0000 DEBUG [main] *SYSTEM com.sonatype.insight.db.AbstractDataSourceFactory - DB URL: 'jdbc:postgresql://sri-postgres-svc:5432/iqdb'
2022-11-09 05:45:54,561+0000 INFO [main] *SYSTEM com.sonatype.insight.brain.service.DatabaseConfigProvider - Using external database at sri-postgres-svc
2022-11-09 05:45:54,562+0000 DEBUG [main] *SYSTEM com.sonatype.insight.db.AbstractDataSourceFactory - DB URL: 'jdbc:postgresql://sri-postgres-svc:5432/iqdb'
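
The check in step 12 as a script (an added example, not part of the original article or Sonatype's tooling). A log file that spans several starts can contain both "embedded" and "external" lines, so the script looks only at the most recent database-selection line and fails if that start was on the embedded DB or on an unexpected host. The function names and the sample log are constructed; the log patterns are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example (not Sonatype code). Function names are hypothetical; the log
# patterns are the DatabaseConfigProvider / AbstractDataSourceFactory lines
# shown in this article.

# Print "<mode> <location>" for the LAST database-selection line on stdin.
# A log that spans several starts may hold both kinds of line; only the final
# match describes the running instance.
iq_db_mode() {
  awk '/DatabaseConfigProvider - Using (embedded|external) database at / {
         mode = ($0 ~ /Using external database at /) ? "external" : "embedded"
         loc = $NF
       }
       END { if (mode == "") exit 1; print mode, loc }'
}

# usage: iq_verify_external LOGFILE HOST PORT DBNAME
# 0 = latest start is on the expected external DB, 1 = mismatch, 2 = no data.
iq_verify_external() {
  _mode=$(iq_db_mode < "$1") || { echo "no database line in $1" >&2; return 2; }
  [ "$_mode" = "external $2" ] || { echo "latest start used: $_mode" >&2; return 1; }
  # The JDBC URL is logged at DEBUG, so it may be absent; check it only if present.
  _url=$(sed -n "s/.*AbstractDataSourceFactory - DB URL: '\(.*\)'.*/\1/p" "$1" | tail -n 1)
  [ -z "$_url" ] || [ "$_url" = "jdbc:postgresql://$2:$3/$4" ] ||
    { echo "unexpected DB URL: $_url" >&2; return 1; }
}

# Constructed sample: an older start on the embedded DB followed by the
# post-migration start (lines modelled on the output above).
sample_log() {
  cat <<'EOF'
2022-11-09 05:29:27,607+0000 INFO [main] *SYSTEM com.sonatype.insight.brain.service.DatabaseConfigProvider - Using embedded database at /sonatype-work/data
2022-11-09 05:45:54,509+0000 INFO [main] *SYSTEM com.sonatype.insight.brain.service.DatabaseConfigProvider - Using external database at sri-postgres-svc
2022-11-09 05:45:54,509+0000 DEBUG [main] *SYSTEM com.sonatype.insight.db.AbstractDataSourceFactory - DB URL: 'jdbc:postgresql://sri-postgres-svc:5432/iqdb'
EOF
}

tmp_log=$(mktemp)
sample_log > "$tmp_log"
iq_verify_external "$tmp_log" sri-postgres-svc 5432 iqdb && echo "OK: $(iq_db_mode < "$tmp_log")"
rm -f "$tmp_log"
```

Inside the pod, point the first argument at clm-server.log and pass the hostname, port and database name used in JAVA_OPTS.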