feat: rehaul to simplify container structure

b4ck5p4c3 · Dec 8, 2024 · e546ff8 · e546ff8
1 parent e0d86f1
commit e546ff8
Show file tree

Hide file tree

Showing 9 changed files with 140 additions and 155 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,5 @@
+# Don't include anything into context
+*
+
+# Except for wal-g wrapper
+!walg-wrapper.sh
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,6 @@
 .snapshots/*
 
 .env
+.env.*
+
+docker-compose.yml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,65 @@
+# syntax=docker/dockerfile:1
+# check=skip=SecretsUsedInArgOrEnv;error=true
+FROM postgres:16-bookworm
+
+# Install Peg dependencies
+RUN <<-EOF
+    set -x
+
+    # Install curl, ca-certifcates, and B4CKSP4CE Root CA
+    apt update
+    apt install -y curl ca-certificates
+    mkdir -p /usr/share/ca-certificates/bksp
+    curl -fSsl https://ca.bksp.in/root/bksp-root.crt -o /usr/share/ca-certificates/bksp/B4CKSP4CE_Root_CA.crt
+    echo "bksp/B4CKSP4CE_Root_CA.crt" | tee -a /etc/ca-certificates.conf
+    update-ca-certificates
+
+    # Determine WALG download URL and digest depending on architecture
+    ARCH=$(uname -m)
+    if [ "$ARCH" = "aarch64" ]; then
+        WALG_URL="https://github.com/wal-g/wal-g/releases/download/v3.0.3/wal-g-pg-ubuntu20.04-aarch64"
+        WALG_SHA256="3aec9024959319468ac637ea4b2e215fe20511672669969077733ee5c3fd1466"
+    elif [ "$ARCH" = "x86_64" ]; then
+        WALG_URL="https://github.com/wal-g/wal-g/releases/download/v3.0.3/wal-g-pg-ubuntu-20.04-amd64"
+        WALG_SHA256="0b46652f23fb4d09fa08f3d536b72806e597c4e20d0a09d960d6337bc2368e8b"
+    else
+        echo "Unsupported architecture"
+        exit 1
+    fi
+
+    # Download wal-g and verify its checksum
+    curl -fsSL -o "/usr/local/bin/wal-g" "$WALG_URL"
+    echo "${WALG_SHA256}  /usr/local/bin/wal-g" | sha256sum -c -
+    chmod +x /usr/local/bin/wal-g
+
+    # Tidy up
+    apt clean
+    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
+EOF
+
+# Define B4CKSP4CE-specific environment variables
+ENV \
+    # Prefer unix socket connection for wal-g 
+    PGHOST=/var/run/postgresql \
+    # Set Governance Object Lock for 10 years by default
+    S3_RETENTION_MODE="GOVERNANCE" \
+    S3_RETENTION_PERIOD=315569520 \
+    # Expect encryption key to be in Base64
+    WALG_LIBSODIUM_KEY_TRANSFORM="base64" \
+    # Set default compression method to zstd
+    WALG_COMPRESSION_METHOD="zstd" \
+    # Use Yandex Cloud as default storage
+    AWS_ENDPOINT="https://storage.yandexcloud.net"
+
+# Enable pg_isready healthcheck
+HEALTHCHECK --interval=10s --start-period=10s --timeout=5s --retries=5 CMD [ "pg_isready" ]
+
+# Copy wal-g wrapper, ensuring it is executable
+COPY ./walg-wrapper.sh /usr/local/bin/walg-wrapper.sh
+RUN chmod +x /usr/local/bin/walg-wrapper.sh
+
+# Drop privileges to postgres user
+USER postgres
+
+# Append WAL configuration to default postgresql.conf
+ENV POSTGRES_INITDB_ARGS="-c archive_mode=always -c archive_timeout=1h -c archive_command='walg-wrapper.sh wal-push /var/lib/postgresql/data/%p' -c restore_command='walg-wrapper.sh wal-fetch %f /var/lib/postgresql/data/%p'"
diff --git a/docker/Dockerfile b/docker/Dockerfile
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
diff --git a/docker/install.sh b/docker/install.sh
diff --git a/docker/walg-fetch b/docker/walg-fetch
diff --git a/docker/walg-push b/docker/walg-push
diff --git a/walg-wrapper.sh b/walg-wrapper.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+set -euo pipefail  # Add error handling and strict mode
+
+# Configuration
+readonly HEALTHCHECKS_UUID="${HEALTHCHECKS_UUID:-}"
+readonly HEALTHCHECKS_BASE_URL="${HEALTHCHECKS_BASE_URL:-https://hc.bksp.in/ping}"
+
+# Function for error handling
+error_exit() {
+    echo "Error: $1" >&2
+    exit 1
+}
+
+# Validate and set S3 prefix
+[[ -z "${BACKUP_PREFIX-}" && -z "${WALG_S3_PREFIX-}" ]] && error_exit "BACKUP_PREFIX or WALG_S3_PREFIX must be set"
+[[ -n "${BACKUP_PREFIX-}" ]] && export WALG_S3_PREFIX="s3://bksp-backups/$BACKUP_PREFIX"
+
+# Export PostgreSQL credentials
+export PGUSER PGPASSWORD
+
+# Function to report status to Healthchecks
+report_status() {
+    [[ -z "$HEALTHCHECKS_UUID" ]] && return 0
+
+    local status="$1"
+    local message="${2:-}"
+    local url="$HEALTHCHECKS_BASE_URL/$HEALTHCHECKS_UUID"
+
+    case "$status" in
+        start)   url+="/start" ;;
+        failure) url+="/fail" ;;
+    esac
+
+    if [[ -n "$message" ]]; then
+        curl --silent -m 10 --retry 5 --data-raw "$message" "$url"
+    else
+        curl --silent -m 10 --retry 5 "$url"
+    fi
+}
+
+# Main archiving function
+archive_wal() {
+    local wal_file="$1"
+    report_status "start"
+
+    if output=$(/usr/local/bin/wal-g wal-push "$wal_file" 2>&1); then
+        report_status "success" "WAL $wal_file archived successfully"
+        return 0
+    fi
+
+    report_status "failure" "WAL archiving failed for $wal_file: $output"
+    return 1
+}
+
+fetch_wal() {
+    exec /usr/local/bin/wal-g wal-fetch "$1" "$2"
+}
+
+case "$1" in
+    wal-push)  archive_wal "$2" ;;
+    wal-fetch) fetch_wal "$2" "$3" ;;
+    *)
+        echo "Usage: $0 (wal-push|wal-fetch) <wal-archive> <wal-new>" >&2
+        exit 1
+        ;;
+esac
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,3 +9,6 @@ @@
     .snapshots/*
     .env
+    .env.*
+    docker-compose.yml