lifecycle: improve backup restore by dropping database before

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-11-20 00:32:24 +01:00
parent 0ee9b07172
commit 61621e7d60
3 changed files with 39 additions and 5 deletions

View file

@ -536,6 +536,7 @@ _LOGGING_HANDLER_MAP = {
"asyncio": "WARNING", "asyncio": "WARNING",
"aioredis": "WARNING", "aioredis": "WARNING",
"s3transfer": "WARNING", "s3transfer": "WARNING",
"botocore": "WARNING",
} }
for handler_name, level in _LOGGING_HANDLER_MAP.items(): for handler_name, level in _LOGGING_HANDLER_MAP.items():
# pyright: reportGeneralTypeIssues=false # pyright: reportGeneralTypeIssues=false

View file

@ -1,10 +1,15 @@
#!/bin/bash -e #!/bin/bash -e
python -m lifecycle.wait_for_db python -m lifecycle.wait_for_db
printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr
function log {
printf '{"event": "%s", "level": "info", "logger": "bootstrap"}\n' "$@" > /dev/stderr
}
log "Bootstrap completed"
function check_if_root { function check_if_root {
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
printf '{"event": "Not running as root, disabling permission fixes", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr log "Not running as root, disabling permission fixes"
$1 $1
return return
fi fi
@ -26,6 +31,30 @@ function check_if_root {
chpst -u authentik:$GROUP env HOME=/authentik $1 chpst -u authentik:$GROUP env HOME=/authentik $1
} }
function prefixwith {
local prefix="$1"
shift
"$@" > >(sed "s/^/$prefix: /") 2> >(sed "s/^/$prefix (err): /" >&2)
}
function restore {
PG_HOST=$(python -m authentik.lib.config postgresql.host 2> /dev/null)
PG_NAME=$(python -m authentik.lib.config postgresql.name 2> /dev/null)
PG_USER=$(python -m authentik.lib.config postgresql.user 2> /dev/null)
PG_PORT=$(python -m authentik.lib.config postgresql.port 2> /dev/null)
export PGPASSWORD=$(python -m authentik.lib.config postgresql.password 2> /dev/null)
log "Ensuring no one can connect to the database"
prefixwith "psql" psql -h"${PG_HOST}" -U"${PG_USER}" -c"UPDATE pg_database SET datallowconn = 'false' WHERE datname = '${PG_NAME}';" "postgres"
prefixwith "psql" psql -h"${PG_HOST}" -U"${PG_USER}" -c"SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname = '${PG_NAME}';" "postgres"
log "deleting and re-creating database"
prefixwith "psql" dropdb -h"${PG_HOST}" -U"${PG_USER}" "${PG_NAME}" || trueacku
prefixwith "psql" createdb -h"${PG_HOST}" -U"${PG_USER}" "${PG_NAME}"
log "running initial migrations"
prefixwith "migrate" python -m lifecycle.migrate 2> /dev/null
log "restoring database"
prefixwith "restore" python -m manage dbrestore -i ${@:2}
}
MODE_FILE="/tmp/authentik-mode" MODE_FILE="/tmp/authentik-mode"
if [[ "$1" == "server" ]]; then if [[ "$1" == "server" ]]; then
@ -40,7 +69,7 @@ elif [[ "$1" == "worker" ]]; then
elif [[ "$1" == "backup" ]]; then elif [[ "$1" == "backup" ]]; then
python -m manage dbbackup --clean python -m manage dbbackup --clean
elif [[ "$1" == "restore" ]]; then elif [[ "$1" == "restore" ]]; then
python -m manage dbrestore ${@:2} restore $@
elif [[ "$1" == "bash" ]]; then elif [[ "$1" == "bash" ]]; then
/bin/bash /bin/bash
elif [[ "$1" == "test" ]]; then elif [[ "$1" == "test" ]]; then

View file

@ -29,6 +29,10 @@ Currently, it is only supported to restore backups into the same version they ha
Instead, install the version the backup was taken with, restore the backup and then upgrade. Instead, install the version the backup was taken with, restore the backup and then upgrade.
::: :::
:::info
The restore command expects to have superuser-permissions on the PostgreSQL instance. To get a clean restore, it deletes the current database, re-creates it and then imports the data.
:::
Run this command in your authentik installation directory. Run this command in your authentik installation directory.
To see all available backups, run To see all available backups, run
@ -42,9 +46,9 @@ kubectl exec -it deployment/authentik-worker -c authentik -- ak listbackups
Then, to restore, run Then, to restore, run
``` ```
docker-compose run --rm worker restore -i default-2020-10-03-115557.psql docker-compose run --rm worker restore default-2020-10-03-115557.psql
# Or for kubernetes # Or for kubernetes
kubectl exec -it deployment/authentik-worker -c authentik -- ak restore -i default-2020-10-03-115557.psql kubectl exec -it deployment/authentik-worker -c authentik -- ak restore default-2020-10-03-115557.psql
``` ```
After you've restored the backup, it is recommended to restart all services with `docker-compose restart` or `kubectl rollout restart deployment --all`. After you've restored the backup, it is recommended to restart all services with `docker-compose restart` or `kubectl rollout restart deployment --all`.