Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fedora Copr Keygen disk redundancy #3532

Open
praiskup opened this issue Nov 26, 2024 · 4 comments
Open

Fedora Copr Keygen disk redundancy #3532

praiskup opened this issue Nov 26, 2024 · 4 comments
Assignees

Comments

@praiskup
Copy link
Member

While working on the "how to check docs" document #3506, I realized that we only snapshot the Keygen data volume weekly.

We do the same for Frontend (the database is though backed up hourly), and DistGit (low priority data). We only rsync backups for Backend weekly, too (but we have a complicated RAID for redundancy there).

The missing part is Keygen -> if we accidentally lost a week of keys, recovery would be difficult. It seems reasonable to make the disk SW RAID1, or at least backup/snapshot hourly (the volume is just 12G).

@praiskup
Copy link
Member Author

Or backup similarly to Frontend (hourly tarball created, lifted by Fedora Infra)

@praiskup
Copy link
Member Author

praiskup commented Dec 11, 2024

There's actually

[root@copr-keygen ~][PROD]# cat /etc/cron.hourly/backup_keyring.sh 
#!/bin/sh

# used as root
# root gpg keychain should have PUBLIC key with `user name` copr-keygen-backup-key
# (per https://pagure.io/fedora-infrastructure/issue/8904)

PATH_TO_KEYRING_DIR="/var/lib/copr-keygen"
BACKUP_DIR=/backup
OUTPUT_FILE="$BACKUP_DIR/copr_keygen_keyring_$(date -I).tar.gz.gpg"

tar --exclude="*agent*" -czPf - "$PATH_TO_KEYRING_DIR" \
    | gpg2 --output "$OUTPUT_FILE".tmp --encrypt \
           --recipient copr-keygen-backup-key --always-trust \
&& mv "$OUTPUT_FILE.tmp" "$OUTPUT_FILE"

# shell pattern matching provides sorted output
previous=
for file in "$BACKUP_DIR"/*; do
    test -z "$previous" || rm "$previous"
    previous=$file
done

@nikromen
Copy link
Member

AI: do the weekly snapshots daily, so in case of disaster we lose only day worth of data. Throw away the broken hourly cron

@nikromen nikromen moved this from Needs triage to In 3 months in CPT Kanban Dec 11, 2024
@praiskup
Copy link
Member Author

We should check that /etc/cron.hourly/backup_keyring.sh doesn't generate dangling hanged gpg/tar processes...

@praiskup praiskup moved this from In 3 months to In Progress in CPT Kanban Jan 6, 2025
@praiskup praiskup self-assigned this Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: In Progress
Development

No branches or pull requests

2 participants