Skip to content

feat: additional config for pgbackrest#2099

Open
Crispy1975 wants to merge 3 commits intodevelopfrom
pjc/indata-403-admin-agent-pgbackrest
Open

feat: additional config for pgbackrest#2099
Crispy1975 wants to merge 3 commits intodevelopfrom
pjc/indata-403-admin-agent-pgbackrest

Conversation

@Crispy1975
Copy link
Copy Markdown
Contributor

@Crispy1975 Crispy1975 commented Mar 30, 2026

What kind of change does this PR introduce?

Additional config for pgBackRest backups and restores. Details further in: https://linear.app/supabase/issue/INDATA-403/admin-agent-add-new-command-to-control-pgbackrest

@Crispy1975 Crispy1975 self-assigned this Mar 30, 2026
@Crispy1975 Crispy1975 force-pushed the pjc/indata-403-admin-agent-pgbackrest branch from 8f44ad4 to 2370c92 Compare March 31, 2026 16:50
hunleyd
hunleyd requested changes Mar 31, 2026
View reviewed changes
@Crispy1975
feat: additional config for pgbackrest
d1b6678 
- pgdata-signal: add remove-pid action to remove stale postmaster.pid
  via the constrained wrapper rather than a broad sudo rm entry,
  keeping the sudoers scope limited to this script
@Crispy1975 Crispy1975 force-pushed the pjc/indata-403-admin-agent-pgbackrest branch from 2370c92 to d1b6678 Compare April 2, 2026 13:19
@Crispy1975
fix: address pgbackrest PR review feedback
892ca92 
- pgdata-chown: simplify case; use group=postgres consistently for both
  ownership targets (pgbackrest:postgres and postgres:postgres)
- pgdata-signal: consolidate recovery/standby case into single pattern
- pgdata-signal: deploy at mode 0755 so postgres can execute via sudo -u
- setup-pgbackrest.yml: combine dir creation into single task with dict
  loop; conf.d gets 02770 setgid, others get default 0770
- setup-pgbackrest.yml: sort logrotate task keys alphabetically
@Crispy1975
fix: add missing pgbackrest sudoers entries and pre-create log files
abe09f7 
Three gaps found by cross-referencing SAA commands against Ansible:

1. adminapi.sudoers.conf: add two entries so adminapi can call the
   pgbackrest binary via the wrapper.
   - NewRunner() path: wrapper calls sudo -u pgbackrest <real binary>,
     requires adminapi -> pgbackrest NOPASSWD for the real binary path.
   - NewRunnerAs("pgbackrest") path: SAA does sudo -n -u pgbackrest
     /usr/bin/pgbackrest, requires adminapi -> pgbackrest NOPASSWD for
     the wrapper path.

2. setup-pgbackrest.yml: add pgbackrest -> pgbackrest sudoers entry for
   the real binary. When NewRunnerAs runs the wrapper as the pgbackrest
   user, the wrapper still calls sudo -u pgbackrest internally; without
   this entry that inner sudo fails.

3. setup-pgbackrest.yml: pre-create the three SAA log files
   (saa-pgb.log, wal-push.log, wal-fetch.log) as pgbackrest:postgres
   0660. SAA opens them with O_APPEND|O_WRONLY (no O_CREATE) — a missing
   file causes enable to fail immediately before any pgBackRest work.
   modification_time/access_time: preserve means the task is idempotent.
@Crispy1975 Crispy1975 requested a review from hunleyd April 3, 2026 15:55
hunleyd
hunleyd approved these changes Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hunleyd hunleyd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Crispy1975 Crispy1975 marked this pull request as ready for review April 3, 2026 16:59
@Crispy1975 Crispy1975 requested review from a team as code owners April 3, 2026 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hunleyd hunleyd hunleyd approved these changes

Assignees

@Crispy1975 Crispy1975

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Crispy1975 @hunleyd