Fix PDS backup and add media blob sync

Backups were silently failing because apk runs as non-root. Move
sqlite installation to a root init container that copies the binary
and shared libraries to an emptyDir volume. Add missing rclone sync
for /pds/blocks so media files are actually backed up to S3.

+40 -6
k8s/pds/backup-cronjob.yaml
··· 14 14 spec: 15 15 restartPolicy: OnFailure 16 16 securityContext: 17 - runAsUser: 1000 18 - runAsGroup: 1000 19 - runAsNonRoot: true 17 + fsGroup: 1000 18 + initContainers: 19 + - name: install-sqlite 20 + image: rclone/rclone:1.69 21 + command: 22 + - sh 23 + - -c 24 + - | 25 + apk add --no-cache sqlite > /dev/null 26 + cp /usr/bin/sqlite3 /tools/ 27 + # Copy dynamically linked libraries sqlite3 needs 28 + for lib in $(ldd /usr/bin/sqlite3 | awk '/=>/ {print $3}'); do 29 + cp "$lib" /tools/ 30 + done 31 + volumeMounts: 32 + - name: tools 33 + mountPath: /tools 34 + securityContext: 35 + runAsUser: 0 36 + allowPrivilegeEscalation: false 37 + capabilities: 38 + drop: 39 + - ALL 40 + resources: 41 + requests: 42 + cpu: 50m 43 + memory: 64Mi 44 + limits: 45 + cpu: 100m 46 + memory: 128Mi 20 47 containers: 21 48 - name: backup 22 49 image: rclone/rclone:1.69 ··· 24 51 - sh 25 52 - -ec 26 53 - | 27 - apk add --no-cache sqlite > /dev/null 28 - 54 + export LD_LIBRARY_PATH=/tools 29 55 S3_OPTS="--s3-provider Other --s3-access-key-id ${S3_ACCESS_KEY} --s3-secret-access-key ${S3_SECRET_KEY} --s3-endpoint nbg1.your-objectstorage.com --s3-region nbg1 --s3-no-check-bucket --s3-acl private" 30 56 TIMESTAMP=$(date +%Y%m%d-%H%M%S) 31 57 32 58 # Safe SQLite backup for each database 33 59 for db in /pds/*.sqlite; do 34 60 name=$(basename "$db" .sqlite) 35 - sqlite3 "$db" ".backup /tmp/${name}-${TIMESTAMP}.sqlite" 61 + /tools/sqlite3 "$db" ".backup /tmp/${name}-${TIMESTAMP}.sqlite" 36 62 rclone copyto "/tmp/${name}-${TIMESTAMP}.sqlite" \ 37 63 ":s3:sans-self-net/pds/db/${name}-${TIMESTAMP}.sqlite" \ 38 64 ${S3_OPTS} ··· 69 95 readOnly: true 70 96 - name: tmp 71 97 mountPath: /tmp 98 + - name: tools 99 + mountPath: /tools 100 + readOnly: true 72 101 securityContext: 102 + runAsUser: 1000 103 + runAsNonRoot: true 73 104 allowPrivilegeEscalation: false 74 105 capabilities: 75 106 drop: ··· 88 119 - name: tmp 89 120 emptyDir: 90 121 sizeLimit: 1Gi 122 + - name: tools 123 + emptyDir: 
124 + sizeLimit: 50Mi
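Review bot: the `install-sqlite` init container (new lines 18-46) runs its script with `sh -c`, while the backup container uses `sh -ec`, so a failed `apk add` or `cp /usr/bin/sqlite3 /tools/` does not stop the script. The `for lib in $(ldd ...)` loop then iterates over nothing and the script exits 0, so the init container reports success and the problem only surfaces later, when the backup container cannot run `/tools/sqlite3`. Since this commit is about backups failing silently, use `-ec` here as well and drop the `> /dev/null` so the apk output reaches the pod logs. Separately, this step still fetches an unpinned `sqlite` package as root on every scheduled run; an image with sqlite3 already installed and pinned would remove both the root init container and the runtime network dependency.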
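Review bot: the commit message says it adds an rclone sync for /pds/blocks, but in the backup script hunk (new lines 51-64) the only changes are `export LD_LIBRARY_PATH=/tools` and the switch to `/tools/sqlite3`; the added lines shown across all four hunks already account for the full +40, and none of them calls rclone on `/pds/blocks`. Either the sync step is missing from this commit or the message should be corrected. On the export itself: it applies to every process the script starts, not just sqlite3. Scoping it to the one call, as in `LD_LIBRARY_PATH=/tools /tools/sqlite3 "$db" ...`, keeps the copied libraries from being picked up by anything else added to this script later.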
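Review bot: `runAsGroup: 1000` is removed from the pod-level securityContext (old line 18) but not re-added to the backup container's securityContext (new lines 102-103), which now sets only `runAsUser: 1000` and `runAsNonRoot: true`. The container's primary group therefore falls back to whatever the image defines, with `fsGroup: 1000` only as a supplementary group. Add `runAsGroup: 1000` next to `runAsUser` so files written to /tmp and the process's group identity match what the job had before. Note also that with `runAsNonRoot` no longer set at pod level, any container added to this pod later will not inherit the non-root requirement and must set it explicitly.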