Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GDB-11621 Run cronjob as root, to make sure that backup rotation works correctly. #91

Merged
merged 4 commits into from
Mar 26, 2025
Merged

GDB-11621 Run cronjob as root, to make sure that backup rotation works correctly. #91

merged 4 commits into from
Mar 26, 2025

Conversation

vanxa
Copy link
Contributor

@vanxa vanxa commented Mar 20, 2025
edited
Loading

Description

Run cronjob as root user to make sure that the backup rotation works correctly (without exposing aws cli to low-priv users)

Related Issues

GDB-11621

Changes

  • Run cronjob as root
  • Make sure backup log file is initialized correctly during provision

Checklist

  • I have tested these changes thoroughly.
  • My code follows the project's coding style.
  • I have added appropriate comments to my code, especially in complex areas.
  • All new and existing tests passed locally.

@viktor-ribchev
Copy link
Contributor

Changes look legit, but need to be tested.

@vanxa
Copy link
Contributor Author

vanxa commented Mar 24, 2025

Tests confirm that the backup and rotation is working as expected.
Setup backup with retention count 30, backup running every minute:
image

Waiting for the 30 items to be uploaded
image

After a few minutes, some items have been rotated
image

Log has correct access flags
image

@vanxa
Copy link
Contributor Author

vanxa commented Mar 25, 2025

As discussed with @viktor-ribchev ,
changed the user to gdb_backup - if backup is enabled. This user will be the only one with access to aws cli.
If backup is disabled, simply restrict aws cli to root only.

image

image

image

viktor-ribchev
viktor-ribchev approved these changes Mar 26, 2025
View reviewed changes
modules/graphdb/templates/05_gdb_backup_conf.sh.tpl Outdated
# Initialize the log file so that we are safe from potential attacks
[[ -f /var/opt/graphdb/node/graphdb_backup.log ]] && rm /var/opt/graphdb/node/graphdb_backup.log
touch /var/opt/graphdb/node/graphdb_backup.log
# We should already be root but let's make sure
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment needs updating

@vanxa vanxa merged commit 3e94cd4 into main Mar 26, 2025
2 checks passed
@vanxa vanxa deleted the GDB-11621 branch March 26, 2025 08:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viktor-ribchev viktor-ribchev viktor-ribchev approved these changes

@simonzhekoff simonzhekoff Awaiting requested review from simonzhekoff

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vanxa @viktor-ribchev