
Fix PDS backup and add media blob sync

Backups were silently failing because apk runs as non-root. Move
sqlite installation to a root init container that copies the binary
and shared libraries to an emptyDir volume. Add missing rclone sync
for /pds/blocks so media files are actually backed up to S3.

+40 -6
+40 -6
k8s/pds/backup-cronjob.yaml
··· 14 14 spec: 15 15 restartPolicy: OnFailure 16 16 securityContext: 17 - runAsUser: 1000 18 - runAsGroup: 1000 19 - runAsNonRoot: true 17 + fsGroup: 1000 18 + initContainers: 19 + - name: install-sqlite 20 + image: rclone/rclone:1.69 21 + command: 22 + - sh 23 + - -c 24 + - | 25 + apk add --no-cache sqlite > /dev/null 26 + cp /usr/bin/sqlite3 /tools/ 27 + # Copy dynamically linked libraries sqlite3 needs 28 + for lib in $(ldd /usr/bin/sqlite3 | awk '/=>/ {print $3}'); do 29 + cp "$lib" /tools/ 30 + done 31 + volumeMounts: 32 + - name: tools 33 + mountPath: /tools 34 + securityContext: 35 + runAsUser: 0 36 + allowPrivilegeEscalation: false 37 + capabilities: 38 + drop: 39 + - ALL 40 + resources: 41 + requests: 42 + cpu: 50m 43 + memory: 64Mi 44 + limits: 45 + cpu: 100m 46 + memory: 128Mi 20 47 containers: 21 48 - name: backup 22 49 image: rclone/rclone:1.69 ··· 24 51 - sh 25 52 - -ec 26 53 - | 27 - apk add --no-cache sqlite > /dev/null 28 - 54 + export LD_LIBRARY_PATH=/tools 29 55 S3_OPTS="--s3-provider Other --s3-access-key-id ${S3_ACCESS_KEY} --s3-secret-access-key ${S3_SECRET_KEY} --s3-endpoint nbg1.your-objectstorage.com --s3-region nbg1 --s3-no-check-bucket --s3-acl private" 30 56 TIMESTAMP=$(date +%Y%m%d-%H%M%S) 31 57 32 58 # Safe SQLite backup for each database 33 59 for db in /pds/*.sqlite; do 34 60 name=$(basename "$db" .sqlite) 35 - sqlite3 "$db" ".backup /tmp/${name}-${TIMESTAMP}.sqlite" 61 + /tools/sqlite3 "$db" ".backup /tmp/${name}-${TIMESTAMP}.sqlite" 36 62 rclone copyto "/tmp/${name}-${TIMESTAMP}.sqlite" \ 37 63 ":s3:sans-self-net/pds/db/${name}-${TIMESTAMP}.sqlite" \ 38 64 ${S3_OPTS} ··· 69 95 readOnly: true 70 96 - name: tmp 71 97 mountPath: /tmp 98 + - name: tools 99 + mountPath: /tools 100 + readOnly: true 72 101 securityContext: 102 + runAsUser: 1000 103 + runAsNonRoot: true 73 104 allowPrivilegeEscalation: false 74 105 capabilities: 75 106 drop: ··· 88 119 - name: tmp 89 120 emptyDir: 90 121 sizeLimit: 1Gi 122 + - name: tools 123 + emptyDir: 
124 + sizeLimit: 50Mi
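Review bot: The new init container runs its script with `sh -c` while the backup container runs `sh -ec`, so a failed `apk add` (for example when the package mirror is unreachable) or a failed `cp` still exits 0 and the pod proceeds with an incomplete /tools, only failing later at `/tools/sqlite3`; change `- -c` to `- -ec` so the init step fails and is retried rather than masking the error. The `apk add --no-cache sqlite` step also fetches whatever sqlite version the Alpine repository serves at run time from a root-privileged init container, so every backup run depends on an unpinned network download; pinning the package (`sqlite=<version>`, placeholder) or baking the binary into an image pinned by digest would make the job reproducible and would let the root init container be dropped entirely. The `for lib in $(ldd …)` loop relies on word-splitting of the unquoted substitution, which works for Alpine's space-free library paths but deserves a comment such as `# unquoted on purpose: ldd prints one space-free path per line`, and the loop silently skips the musl loader line (no `=>`), which is fine only because the backup container uses the same base image — worth stating in the comment too. Parts of this file section are elided (`···`), so the rclone sync for /pds/blocks named in the description is not visible in this hunk.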