GDB-11621 Run cronjob as root, to make sure that backup rotation works correctly. #91
merged 4 commits into from
Mar 26, 2025
Changes from 3 commits
2 changes: 1 addition & 1 deletion modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl
Expand Up @@ -82,7 +82,7 @@ GDB_PROPERTIES=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${regi
extra_graphdb_java_options="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/graphdb_java_options" --with-decryption 2>/dev/null | jq -r .Parameter.Value || /bin/true )"
if [[ -n $extra_graphdb_java_options ]]; then
if grep GDB_JAVA_OPTS /etc/graphdb/graphdb.env &>/dev/null; then
sed -ie "s/GDB_JAVA_OPTS=\"\(.*\)\"/GDB_JAVA_OPTS=\"\1 $extra_graphdb_java_options\"/g" /etc/graphdb/graphdb.env
sed -ie "s|GDB_JAVA_OPTS=\"\(.*\)\"|GDB_JAVA_OPTS=\"\1 $extra_graphdb_java_options\"|g" /etc/graphdb/graphdb.env
else
echo "GDB_JAVA_OPTS=$extra_graphdb_java_options" > /etc/graphdb/graphdb.env
fi
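Review bot: The new delimiter on the `sed` line only sidesteps a `/` in the value; `$extra_graphdb_java_options` is still spliced verbatim into the replacement, so a `|`, `&` or `\` in the SSM parameter would still corrupt or rewrite the `GDB_JAVA_OPTS` line. Escape it before substituting, e.g. `safe_opts=$(printf '%s' "$extra_graphdb_java_options" | sed -e 's/[|&\\]/\\&/g')` and use `$safe_opts` in the replacement. Separately, GNU sed parses `-ie` as `-i` with backup suffix `e`, so every run leaves a `/etc/graphdb/graphdb.enve` copy of the env file behind; write `sed -i -e`. Note also that the unchanged `else` branch writes `GDB_JAVA_OPTS=$extra_graphdb_java_options` without quotes, so a second run matches the `grep` but the quoted-value regex in this `sed` will not, leaving the file untouched.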
18 changes: 14 additions & 4 deletions modules/graphdb/templates/05_gdb_backup_conf.sh.tpl
Expand Up @@ -17,12 +17,20 @@ echo "# Configuring the GraphDB backup cron job #"
echo "#################################################"

if [ ${deploy_backup} == "true" ]; then
GRAPHDB_ADMIN_PASSWORD="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption | jq -r .Parameter.Value | base64 -d)"
# Create the backup user. ID : 1010
echo "Creating the backup user"
useradd -r -M -s /usr/sbin/nologin gdb-backup
# Initialize the log file so that we are safe from potential attacks
[[ -f /var/opt/graphdb/node/graphdb_backup.log ]] && rm /var/opt/graphdb/node/graphdb_backup.log
touch /var/opt/graphdb/node/graphdb_backup.log
# We should already be root but let's make sure
This comment needs updating

chown gdb-backup:gdb-backup /var/opt/graphdb/node/graphdb_backup.log
chmod og-rw /var/opt/graphdb/node/graphdb_backup.log
cat <<-EOF >/usr/bin/graphdb_backup
#!/bin/bash

set -euo pipefail
GRAPHDB_ADMIN_PASSWORD="\$1"
GRAPHDB_ADMIN_PASSWORD="\$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption | jq -r .Parameter.Value | base64 -d)"
NODE_STATE="\$(curl --silent -u "admin:\$GRAPHDB_ADMIN_PASSWORD" http://localhost:7201/rest/cluster/node/status | jq -r .nodeState)"

function trigger_backup {
Expand Down Expand Up @@ -83,9 +91,11 @@ fi
EOF

chmod +x /usr/bin/graphdb_backup
echo "${backup_schedule} graphdb /usr/bin/graphdb_backup $GRAPHDB_ADMIN_PASSWORD" >/etc/cron.d/graphdb_backup
echo "${backup_schedule} gdb-backup /usr/bin/graphdb_backup" >/etc/cron.d/graphdb_backup
chmod og-rwx /etc/cron.d/graphdb_backup

# Set ownership of aws-cli to backup user
chown -R gdb-backup:gdb-backup /usr/local/aws-cli
chmod -R og-rwx /usr/local/aws-cli/
log_with_timestamp "Cron job created"
else
log_with_timestamp "Backup module is not deployed, skipping provisioning..."
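Review bot: `chown -R gdb-backup:gdb-backup /usr/local/aws-cli` in the second hunk gives an unprivileged service account write access to the aws binaries, while the provisioning scripts in this PR invoke `aws` as root; a binary writable by a low-privilege user but executed by root (now or on any later root invocation) is a local privilege-escalation path, so the backup user should get read/execute only: `chgrp -R gdb-backup /usr/local/aws-cli` followed by `chmod -R o-rwx,g-w /usr/local/aws-cli`. In the first hunk the comment `# Create the backup user. ID : 1010` does not match `useradd -r -M -s /usr/sbin/nologin gdb-backup`, which passes no `-u 1010`; add the flag or drop the ID from the comment. The provisioning-time `GRAPHDB_ADMIN_PASSWORD=...` fetch near the top of the first hunk appears to be dead now that the cron line no longer passes the password as an argument — if it is still on the new side, remove it so the secret is not pulled into the provisioning shell for nothing. The `if [ ${deploy_backup} == "true" ]` block opened in the first hunk closes outside the second.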
40 changes: 25 additions & 15 deletions modules/graphdb/user_data.tf
Expand Up @@ -72,16 +72,20 @@ data "cloudinit_config" "graphdb_user_data" {
})
}

part {
content_type = "text/x-shellscript"
content = templatefile("${path.module}/templates/05_gdb_backup_conf.sh.tpl", {
name : var.resource_name_prefix
region : var.aws_region
backup_schedule : var.backup_schedule
backup_retention_count : var.backup_retention_count
backup_bucket_name : var.backup_bucket_name
deploy_backup : var.deploy_backup
})
dynamic "part" {
for_each = var.deploy_backup ? [1] : []

content {
content_type = "text/x-shellscript"
content = templatefile("${path.module}/templates/05_gdb_backup_conf.sh.tpl", {
name : var.resource_name_prefix
region : var.aws_region
backup_schedule : var.backup_schedule
backup_retention_count : var.backup_retention_count
backup_bucket_name : var.backup_bucket_name
deploy_backup : var.deploy_backup
})
}
}

part {
Expand Down Expand Up @@ -154,13 +158,19 @@ data "cloudinit_config" "graphdb_user_data" {
}
}

# 12 Make aws-cli accessible only for root user
part {
content_type = "text/x-shellscript"
content = <<-EOF
#!/bin/bash
# 12 Make aws-cli accessible only for root user iff backup is not enabled (otherwise, will be owned by the backup user)
dynamic "part" {
for_each = var.deploy_backup ? [] : [1]

content {
content_type = "text/x-shellscript"
content = <<-EOF
#!/bin/bash
set -euo pipefail
chmod -R og-rwx /usr/local/aws-cli/
EOF
}

}

}
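Review bot: With the first `dynamic "part"` gating the backup part on `var.deploy_backup`, the template is only rendered when the flag is true, yet the map still passes `deploy_backup : var.deploy_backup` and 05_gdb_backup_conf.sh.tpl still branches on `if [ ${deploy_backup} == "true" ]`, whose `else` branch ("Backup module is not deployed, skipping provisioning...") can no longer run. Either drop the template variable and that branch, or keep the unconditional `part` and let the template decide; carrying both gates is confusing. The second hunk's `for_each = var.deploy_backup ? [] : [1]` must stay the exact complement of the first hunk's `[1] : []`, and the comment should name the other side, e.g. `# 12 Make aws-cli accessible only to root when backup is disabled; when enabled, 05_gdb_backup_conf.sh.tpl sets the ownership instead`. The `data "cloudinit_config"` block enclosing both hunks starts before the first hunk.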