Merge pull request #5 from siameseoriental/DO-168

DO-168: Add retention policy

Author: hxmn

.github/workflows/main.yaml

@@ -26,7 +26,7 @@ jobs:
       # Login against a Docker registry
       # https://github.com/docker/login-action
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -50,3 +50,9 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Docker Hub Description
+        uses: peter-evans/dockerhub-description@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: numdes/nd_postgres_backup

CHANGELOG.md

@@ -18,6 +18,34 @@ Stub:
 
 # nd_postgres_backup
 
+## [0.3.0] - 2024-01-09
+
+### Added
+
+- Add publish decription to Docker Hub from README.md 
+- Add jq to container build 
+- Add abilty to change alias for S3 connection. Variable `S3_ALIAS`
+- Add docker-compose [example](compose-example/docker-compose.yml)
+- Add `crontab` file for managing schedule
+- Add retention functionallity 
+
+### Removed
+
+- Remove Go-Cron, replace it with standard cron
+- Cut notifications for hourly backups
+
+### Changed
+
+- Replace manual backup routine logic. To start manual backup run container without S3_BUCKET variable. See [README](README.md)
+- Change S3 storage directory from `${S3_BUCKET}/${POSTGRES_DB}` to `${S3_BUCKET}/${backup_path}`
+- Rename notification scripts. Add `.sh` extention
+
+
+### Braking changes
+- Removed:
+  - `SCHEDULE` - variable was used by Go-Cron
+  - `HEALTHCHECK_PORT` - variable was used by Go-Cron
+
 ## [0.2.2] - 2023-08-25
 - Make docker-entrypoint.sh to easy manual run
 - Fix bug with `S3_OBJECT_PATH` var

Dockerfile

@@ -2,55 +2,69 @@
 
 FROM debian:stable as base
 
-MAINTAINER NumDes <[email protected]>
-
+LABEL org.opencontainers.image.authors="[email protected]"
 LABEL org.opencontainers.image.vendor="Numerical Design LLC"
-LABEL org.opencontainers.image.description="Docker image for universal postgres backups"
-
-ARG GOCRONVER=v0.0.10
+LABEL org.opencontainers.image.description="Docker image for complex store and retention backups on S3"
 
 RUN apt-get update \
     && apt-get install --no-install-recommends -y \
     curl \
     ca-certificates \
+    cron \
+    jq \
     postgresql-client \
+    postgresql-common \
+    libpq-dev \
     && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
-    && curl --fail \
-        --retry 4 \
-        --retry-all-errors \
-        --output /usr/local/bin/go-cron.gz \
-        --location https://github.com/prodrigestivill/go-cron/releases/download/$GOCRONVER/go-cron-linux-amd64.gz \
-    && gzip --verbose \
-          --no-name \
-          --decompress /usr/local/bin/go-cron.gz \
-    && chmod a+x /usr/local/bin/go-cron
+    && rm -rf /var/lib/apt/lists/*
 
 RUN curl --location --output /usr/local/bin/mcli "https://dl.min.io/client/mc/release/linux-amd64/mc" && \
     chmod +x /usr/local/bin/mcli
 RUN mcli --version
 
+# PosgeSQL related variables
 ENV POSTGRES_DB="**None**" \
     POSTGRES_HOST="**None**" \
     POSTGRES_PORT=5432 \
     POSTGRES_USER="**None**" \
     POSTGRES_PASSWORD="**None**" \
-    POSTGRES_EXTRA_OPTS="--blobs" \
-    SCHEDULE="**None**" \
-    HEALTHCHECK_PORT=8080 \
+    POSTGRES_EXTRA_OPTS="--blobs"
+# Paths and depth related variables
+ENV HOURLY_BACKUP_PATH="hourly" \
+    DAILY_BACKUP_PATH="daily" \
+    WEEKLY_BACKUP_PATH="weekly" \
+    WEEKLY_BACKUP_LIMIT=5 \
+    DAILY_BACKUP_LIMIT=10 \
+    HOURLY_BACKUP_LIMIT=25
+# Notification related variables
+ENV NOTIFICATION_SERVER_URL="**None**" \
+    TELEGRAM_CHAT_ID="**None**" \
+    TELEGRAM_BOT_TOKEN="**None**"
+# S3 bucket related variables
+ENV S3_OBJECT_PATH="**None**" \
     S3_ACCESS_KEY="**None**" \
     S3_SECRET_KEY="**None**" \
-    S3_BUCKET="**None**" \
     S3_ENDPOINT="**None**" \
-    S3_OBJECT_PATH="**None**"
+    S3_BUCKET="**None**" \
+    S3_ALIAS="backup"
 
-COPY backup.sh /
-COPY docker-entrypoint.sh /
+RUN mkdir /script
 
+# Copy scripts
+COPY backup.sh /script/backup.sh
+COPY retention.sh /script/retention.sh
 COPY hooks /hooks
 
-HEALTHCHECK --interval=5m --timeout=3s \
-  CMD curl -f "http://localhost:$HEALTHCHECK_PORT/" || exit 1
+RUN chmod +x /script/backup.sh
+RUN chmod +x /script/retention.sh
+RUN chmod +x /hooks/0-send_private_notification.sh
+RUN chmod +x /hooks/1-send_telegram_message.sh
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+COPY docker-entrypoint.sh /
+RUN chmod +x docker-entrypoint.sh
 
+ADD crontab /etc/cron.d/my-cron-file
+RUN chmod 0644 /etc/cron.d/my-cron-file
+RUN crontab /etc/cron.d/my-cron-file
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

README.md

@@ -1,54 +1,76 @@
-# nd_postgres_backup
-
-Docker image for universal postgres backups
+# PostgreSQL Backup to S3 and retention container
 
 # Roadmap
 
 - [X] Add support for S3
 - [X] Add CI/CD to publish image to DockerHub
-- [ ] Add retention policy settings by env vars
+- [X] Add retention policy settings by env vars
 - [X] Notify about backup status by HTTP-request
-- [ ] Add docker-compose example
+- [X] Add docker-compose example
+
+## Description
+
+Image created to automate backing up procedure of PostgreSQL databases, store backups to S3 Object storage and implement retention of stored archives with `Grandfather-father-son` backup rotation [scheme](https://en.wikipedia.org/wiki/Backup_rotation_scheme).     
+It is also possible to use this container to create a single backup of specific DB.  
 
-# Usage
+## Usage
+
+Key idea of usage was to add this container as a service to `docker-compose.yml` manifest alongside with PostgreSQL database container. See `compose-example/docker-compose.yml`.    
+To run container as a standalone backupper, to backup cloud SaaS or bare-metal deployed PostgreSQL, for example, use following command:
 
-## Backup manually:
-Use next command if you need to backup DB manually:
 ```shell
-docker run --rm \
-    --env POSTGRES_HOST="FQDN-OR-IP" \
-    --env POSTGRES_DB="DB-NAME" \
-    --env POSTGRES_USER="DB-USER" \
-    --env POSTGRES_PASSWORD="PASS" \
-    --env S3_ENDPOINT=https://YOUR-S3 \
-    --env S3_ACCESS_KEY="access-key" \
-    --env S3_SECRET_KEY="secret-key" \
-    --env S3_BUCKET="BUCKET-NAME" \
-    numdes/nd_postgres_backup:v0.2.2
+docker run -d --rm \
+    --env POSTGRES_HOST="DB_IP_OR_HOSTNAME" \
+    --env POSTGRES_DB="DB_NAME" \
+    --env POSTGRES_USER="DB_USERNAME" \
+    --env POSTGRES_PORT="NON_DEFAULT_PORT" \
+    --env POSTGRES_PASSWORD="DB_USERNAME_PASSWORD" \
+    --env NOTIFICATION_SERVER_URL="ONLY_SET_IF_PRIVATE_TELEGRAM_BOT_USED" \
+    --env TELEGRAM_CHAT_ID="PRIVATE_OR_TELEGRAM_BOT_ID" \
+    --env S3_ENDPOINT="S3_API_URL" \
+    --env S3_ACCESS_KEY="S3_ACCESS_KEY" \
+    --env S3_SECRET_KEY="S3_SECERT_KEY" \
+    --env S3_BUCKET="S3_BUCKET_NAME(+POSSIBLE_PATH_DEEPER)" \
+    --env S3_ALIAS="S3_CONFIG_SET_ALIAS" \
+    numdes/nd_postgres_backup:v0.3.0
 ```
-It will backup given Postgres DB and upload it to S3 bucket.
 
-## Backup using `go-cron`
+### Manual one-time backup without schedule
+
+Set full S3 path (e.g `bucket_name/project_name/stage_branch/database_name.tar.gz`) as the value of variable `S3_OBJECT_PATH`  to execute single backup 
 
 ```shell
-docker run --detach \
-    --env POSTGRES_HOST="FQDN-OR-IP" \
-    --env POSTGRES_DB="DB-NAME" \
-    --env POSTGRES_USER="DB-USER" \
-    --env POSTGRES_PASSWORD="PASS" \
-    --env S3_ENDPOINT=http://YOUR-S3 \
-    --env S3_ACCESS_KEY="KEY-ID" \
-    --env S3_SECRET_KEY="KEY-SECRET" \
-    --env S3_BUCKET="BUCKET-NAME" \
-    --env PRIVATE_NOTIFICATION_URL=http://webhook \
-    --env TELEGRAM_CHAT_ID=point_to_notify_group \
-    --env POSTGRES_PORT=if_not_5432 \
-    --env SCHEDULE=Chosen_schedule \
-    numdes/nd_postgres_backup:v0.2.1
+docker run -d --rm \
+    --env POSTGRES_HOST="DB_IP_OR_HOSTNAME" \
+    --env POSTGRES_DB="DB_NAME" \
+    --env POSTGRES_USER="DB_USERNAME" \
+    --env POSTGRES_PORT="NON_DEFAULT_PORT" \
+    --env POSTGRES_PASSWORD="DB_USERNAME_PASSWORD" \
+    --env NOTIFICATION_SERVER_URL="ONLY_SET_IF_PRIVATE_TELEGRAM_BOT_USED" \
+    --env TELEGRAM_CHAT_ID="PRIVATE_OR_TELEGRAM_BOT_ID" \
+    --env S3_ENDPOINT="S3_API_URL" \
+    --env S3_ACCESS_KEY="S3_ACCESS_KEY" \
+    --env S3_SECRET_KEY="S3_SECERT_KEY" \
+    --env S3_OBJECT_PATH="FULL_S3_PATH (e.g `bucket_name/project_name/stage_branch/database_name.tar.gz`)" \
+    --env S3_ALIAS="S3_CONFIG_SET_ALIAS" \
+    numdes/nd_postgres_backup:v0.3.0
 ```
 
-:wave: By default `SCHEDULE` variable is set to `@daily` in case if you need other scheduling options, please refer
-to `go-cron` *[Documentation](https://pkg.go.dev/github.com/robfig/cron?utm_source=godoc#hdr-Predefined_schedules)*.
+## Backup strategy
+
+By default set to make backup every hour, plus one separate backup a day, plus one separate backup a week
+
+Schedule can be tuned or changed by editing of `crontab` file
+
+## Retention strategy
+
+Maximum depth of storage for each type of backup can be tuned by changing values of these variables:
+
+- `WEEKLY_BACKUP_LIMIT`
+- `DAILY_BACKUP_LIMIT`
+- `HOURLY_BACKUP_LIMIT`
+
+Schedule of retention script (`retention.sh`) execution can be edited in `crontab` file 
 
 ## Variables
 
@@ -57,58 +79,37 @@ to `go-cron` *[Documentation](https://pkg.go.dev/github.com/robfig/cron?utm_sour
 
 | Name               | Description                 |
 |--------------------|-----------------------------|
-| DOCKERHUB_LOGIN    | `Actions` Repository secret |
-| DOCKERHUB_PASSWORD | `Actions` Repository secret |
+| DOCKERHUB_USERNAME | `Actions` Repository secret |
+| DOCKERHUB_TOKEN    | `Actions` Repository secret |
 
 ### Notification environmental variables
 
-| Name                     | Description                             |
-|--------------------------|-----------------------------------------|
-| TELEGRAM_CHAT_ID         | Notifying group                         |
-| PRIVATE_NOTIFICATION_URL | Private notifier URL                    |
-| TELEGRAM_BOT_TOKEN       | Only used to call Telegram's public API |
+| Name                      | Description                                                           |
+|---------------------------|-----------------------------------------------------------------------|
+| NOTIFICATION_SERVER_URL   | URL of private telegram bot                                           |
+| TELEGRAM_CHAT_ID          | Custom bot ID or Telegram Bot ID when bot created using `@botfather`  |
+| TELEGRAM_BOT_TOKEN        | Created by `@botfather` bot security token                            |
 
 ### Environmental variables
 
-| Name                | Default value | Is mandatory | Description                                                               |
-|---------------------|:--------------|:------------:|---------------------------------------------------------------------------|
-| POSTGRES_DB         | -             |     YES      | Database name                                                             |
-| POSTGRES_HOST       | -             |     YES      | PostgreSQL IP address or hostname                                         |
-| POSTGRES_PORT       | 5432          |      -       | Connection TCP port                                                       |
-| POSTGRES_USER       | -             |     YES      | Database user                                                             |
-| POSTGRES_PASSWORD   | -             |     YES      | Database user password                                                    |
-| POSTGRES_EXTRA_OPTS | --blobs       |      -       | Extra options `pg_dump` run                                               |
-| SCHEDULE            | @daily        |      -       | `go-cron` schedule. See [this](#backup-using-go-cron)                     |
-| HEALTHCHECK_PORT    | 8080          |      -       | Port listening for cron-schedule health check.                            |
-| S3_ACCESS_KEY       | -             |     YES      | Key or username with RW access to bucket                                  |
-| S3_SECRET_KEY       | -             |     YES      | Secret or password for `S3_ACCESS_KEY`                                    |
-| S3_BUCKET           | -             |     YES      | Name of S3 bucket                                                         |
-| S3_ENDPOINT         | -             |     YES      | URL of S3 storage                                                         |
-| S3_OBJECT_PATH      | -             |      NO      | Full path to archive including bucket name and desired file name. If not present will be generated automatically |
-
-### Notification selection
-
-It is possible to use either private Telegram bot if you have it or Telegram public API.
-
-In scenario with private bot `PRIVATE_NOTIFICATION_URL` must be set alongside with `TELEGRAM_CHAT_ID`.
-
-In scenario with Telegram's public API `TELEGRAM_BOT_TOKEN` must be set as it is
-received (`Use this token to access the HTTP API:`) from `@BotFather` Telegram Bot. Variable `TELEGRAM_CHAT_ID` must be
-a proper Telegram ID of bot
-
-In `docker ...` command need to replace:
-
-```
-    --env PRIVATE_NOTIFICATION_URL=http://webhook \
-    --env TELEGRAM_CHAT_ID=point_to_notify_group \
-```
-
-to
-
-```
-    --env TELEGRAM_BOT_TOKEN='XXXXXXX:XXXXxxxxXXXXxxx' \
-    --env TELEGRAM_CHAT_ID=000000000 \
-```
+| Variable Name             | Default Value | Is Mandatory? | Description                                                          |
+|---------------------------|:-------------:|:-------------:|----------------------------------------------------------------------|
+| HOURLY_BACKUP_PATH        | `hourly`      |     NO        | Path suffix to hourly-made backups storage                           |
+| DAILY_BACKUP_PATH         | `daily`       |     NO        | Path suffix to daily-made backups storage                            |
+| WEEKLY_BACKUP_PATH        | `weekly`      |     NO        | Path suffix to weekly-made backups storage                           |
+| HOURLY_BACKUP_LIMIT       | `25`          |     NO        | Max number of weekly backups                                         |
+| DAILY_BACKUP_LIMIT        | `10`          |     NO        | Max number of daily backups                                          |
+| WEEKLY_BACKUP_LIMIT       | `5`           |     NO        | Max number of hourly backups                                         |
+| S3_ACCESS_KEY             | -             |     YES       | ${S3_BUCKET} READ-WRITE S3 ACCESS KEY                                |
+| S3_SECRET_KEY             | -             |     YES       | ${S3_BUCKET} READ-WRITE S3 ACCESS SECRET                             |
+| S3_ENDPOINT               | -             |     YES       | S3 API URL                                                           |
+| S3_BUCKET                 | -             |     YES       | Path to hourly, daily, weekly directories. Including bucket name     |
+| S3_ALIAS                  | `backup`      |     NO        | Name of config set in `mcli` command `mcli alias set`                |
+| S3_OBJECT_PATH            | -             |     NO        | Optional variable to use single backup [functionality](#manual-backup-without-schedule) |
+| POSTGRES_DB               | -             |     YES       | PostgreSQL database name                                             |
+| POSTGRES_HOST             | -             |     YES       | PostgreSQL IP or host name                                           |
+| POSTGRES_PORT             | `5432`        |     NO        | TCP connection port                                                  |
+| POSTGRES_USER             | -             |     YES       | DB usermane                                                          |
+| POSTGRES_PASSWORD         | -             |     YES       | DB username password                                                 |
+| POSTGRES_EXTRA_OPTS       | `--blobs`     |     NO        | `pg_dump` extra options                                              |
 
-- If `TELEGRAM_CHAT_ID` has a proper format (Only digits not less than 5 not more than 32) and `TELEGRAM_BOT_TOKEN` is
-  set, script will try to send notification through Telegram's public API.