Merge branch 'master' into pluehne/record-total-runtime-of-ghe-backup-and-ghe-restore

gamefiend · web-flow · commit 18f02ea40962 · 2023-09-12T09:43:27.000-04:00
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,26 @@
+# PR Details
+
+### Description
+<!--
+[Please fill out a brief description of the change being made]
+-->
+### Testing
+<!--
+[Please add testing done as part of this change.] 
+-->
+<!-- Keep in mind that for backup-utils the following applies:
+- Backup-util [current version] will support
+   - GHES [current version]
+   - GHES [current version -1]
+   - GHES [current version -2]
+- Any changes that are made to backup-utils will also need to be supported on those GHES versions above (n-2)
+- Please make sure those versions are tested against for this change 
+-->
+
+### Ownership
+<!-- [Add any relevants owners for this change]
+-->
+
+### Related Links
+<!-- [Please add any related links/issues to this PR]
+-->
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -0,0 +1,53 @@
+name: Build and Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version - patch version of the release (e.g. x.y.z)'
+        required: true
+        type: string
+      release-notes:
+        description: 'Release Notes - string of markdown'
+        required: true
+        type: string
+      draft:
+        description: 'Draft - true if the release should be a draft'
+        required: true
+        type: boolean
+        default: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y moreutils debhelper help2man
+      - name: Create tag
+        run: |
+          git tag -a v${{ github.event.inputs.version }} -m "v${{ github.event.inputs.version }}"
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Package deb
+        run: |
+          bash scripts/package-deb
+      - name: Package tarball
+        run: |
+          bash scripts/package-tarball
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create Release
+        uses: ncipollo/release-action@v1
+        with:
+          repo: github/backup-utils
+          artifacts: |
+            ./dist/github-backup-utils-v${{ github.event.inputs.version }}.tar.gz
+            ./dist/github-backup-utils_${{ github.event.inputs.version }}_all.deb
+          # token: ${{ secrets.GITHUB_TOKEN }} may need token, but try without first
+          name: v${{ github.event.inputs.version }}
+          draft: ${{ github.event.inputs.draft }}
+          body: ${{ github.event.inputs.release-notes }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,9 +6,6 @@ jobs:
   build:
     strategy:
       matrix:
-        # macos-latest references are kept here for historical purposes. removed macos-latest from the 
-        #matrix as it is not a typical case for users and causes a lot of friction with other linux-based 
-        # installs. Recommend developing on codespaces or using an ubuntu container. 
         os: ['ubuntu-22.04', 'ubuntu-20.04']
       fail-fast: false
     runs-on: ${{ matrix.os }}
@@ -20,12 +17,6 @@ jobs:
         wget "https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz"
         tar --xz -xvf "shellcheck-stable.linux.x86_64.tar.xz"
         sudo cp shellcheck-stable/shellcheck /usr/bin/shellcheck
-      if: matrix.os != 'macos-latest'
-    - name: Install Dependencies (macOS)
-      run: |
-        brew install gnu-tar shellcheck jq pigz coreutils gnu-sed gnu-getopt wget
-        brew install moreutils gawk
-      if: matrix.os == 'macos-latest'
     - name: Get Sources
       uses: actions/checkout@v3
     - name: Test
@@ -35,4 +26,3 @@ jobs:
       shell: bash
     - name: Build (Linux)
       run: DEB_BUILD_OPTIONS=nocheck debuild -us -uc
-      if: matrix.os != 'macos-latest'
diff --git a/bin/ghe-backup b/bin/ghe-backup
@@ -165,11 +165,11 @@ echo "$GHE_REMOTE_VERSION" > version
 # Setup progress tracking
 init-progress
 export PROGRESS_TOTAL=14 # Minimum number of steps in backup is 14
-echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress-total
+echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress/total
 export PROGRESS_TYPE="Backup"
-echo "$PROGRESS_TYPE" > /tmp/backup-utils-progress-type
+echo "$PROGRESS_TYPE" > /tmp/backup-utils-progress/type
 export PROGRESS=0 # Used to track progress of backup
-echo "$PROGRESS" > /tmp/backup-utils-progress
+echo "$PROGRESS" > /tmp/backup-utils-progress/progress
 
 OPTIONAL_STEPS=0
 # Backup actions+mssql
@@ -193,7 +193,7 @@ if [ "$GHE_BACKUP_PAGES" != "no" ]; then
 fi
 
 PROGRESS_TOTAL=$((OPTIONAL_STEPS + PROGRESS_TOTAL)) # Minimum number of steps in backup is 14
-echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress-total
+echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress/total
 
 # check that incremental settings are valid if set
 is_inc=$(is_incremental_backup_feature_on)
diff --git a/bin/ghe-backup-progress b/bin/ghe-backup-progress
@@ -31,26 +31,26 @@ while true; do
 done
 
 check_for_progress_file() {
-    if [ ! -f /tmp/backup-utils-progress-info ]; then
+    if [ ! -f /tmp/backup-utils-progress/info ]; then
         echo "No progress file found. Has a backup or restore been started?"
         exit 1
     fi
 }
 
 if [ -n "$ONCE" ]; then
     check_for_progress_file
-    cat /tmp/backup-utils-progress-info
+    cat /tmp/backup-utils-progress/info
 else
     check_for_progress_file
     clear
-    cat /tmp/backup-utils-progress-info
+    cat /tmp/backup-utils-progress/info
     while true; do
     if read -r -t 1 -n 1; then
 	clear
         exit ;
     else
 	clear
-	cat /tmp/backup-utils-progress-info
+	cat /tmp/backup-utils-progress/info
     fi
     done
 fi
diff --git a/bin/ghe-restore b/bin/ghe-restore
@@ -317,11 +317,11 @@ fi
 export PROGRESS_TOTAL=$((OPTIONAL_STEPS + 7))
 
 init-progress
-echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress-total
+echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress/total
 export PROGRESS_TYPE="Restore"
-echo "$PROGRESS_TYPE" > /tmp/backup-utils-progress-type
+echo "$PROGRESS_TYPE" > /tmp/backup-utils-progress/type
 export PROGRESS=0 # Used to track progress of restore
-echo "$PROGRESS" > /tmp/backup-utils-progress
+echo "$PROGRESS" > /tmp/backup-utils-progress/progress
 
 # Log restore start message locally and in /var/log/syslog on remote instance
 bm_start "$(basename $0)"
diff --git a/script/cibuild b/script/cibuild
@@ -5,7 +5,7 @@ set -e
 # Enable verbose logging of ssh commands
 export GHE_VERBOSE_SSH=true
 
-if ! find test -name "test-*.sh" -print0 | xargs -0 -P 4 -n 1 /bin/bash; then
+if ! find test -name "test-*.sh" -print0 | xargs -0 -n 1 /bin/bash; then
   exit 1
 fi
 
diff --git a/share/github-backup-utils/ghe-backup-config b/share/github-backup-utils/ghe-backup-config
@@ -217,8 +217,10 @@ ghe_parallel_check() {
   GHE_PARALLEL_COMMAND="parallel"
   local x
   for x in \
+      /usr/bin/parallel-moreutils \
       /usr/bin/parallel.moreutils \
       /usr/bin/parallel_moreutils \
+      /usr/bin/moreutils-parallel \
       /usr/bin/moreutils.parallel \
       /usr/bin/moreutils_parallel \
       ; do
@@ -650,12 +652,21 @@ restore-secret() {
 
 #initialize progress tracking by clearing out the temp files used to track
 init-progress() {
-  rm -f /tmp/backup-utils-progress*
+  if [ -d /tmp/backup-utils-progress ]; then
+    rm -rf /tmp/backup-utils-progress/*
+  else
+    mkdir /tmp/backup-utils-progress
+  fi
+  touch /tmp/backup-utils-progress/total
+  touch /tmp/backup-utils-progress/type
+  touch /tmp/backup-utils-progress/progress
+  touch /tmp/backup-utils-progress/info
+  chmod -R 777 /tmp/backup-utils-progress
 }
 
 
 #increase total count of progress
 increment-progress-total-count() {
   ((PROGRESS_TOTAL += $1))
-  echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress-total
+  echo "$PROGRESS_TOTAL" > /tmp/backup-utils-progress/total
 }
diff --git a/share/github-backup-utils/ghe-backup-settings b/share/github-backup-utils/ghe-backup-settings
@@ -94,6 +94,10 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
     backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
 fi
 
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.11.0)" ]; then
+  backup-secret "secret scanning encrypted content keys" "secret-scanning-user-content-delimited-encryption-root-keys" "secrets.secret-scanning.secret-scanning-user-content-delimited-encryption-root-keys"
+fi
+
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if [[ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" && "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.2)" ]]; then
   backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
diff --git a/share/github-backup-utils/ghe-restore-repositories b/share/github-backup-utils/ghe-restore-repositories
@@ -104,42 +104,60 @@ done > $tmp_list
 IFS=$OLDIFS
 bm_end "$(basename $0) - Building network list"
 
-# The server returns a list of routes:
-#
-# a/nw/a8/3f/02/100000855 dgit-node1 dgit-node2 dgit-node3
-# a/nw/a8/bc/8d/100000880 dgit-node1 dgit-node2 dgit-node4
-# a/nw/a5/06/81/100000659 dgit-node3 dgit-node2 dgit-node4
-# ...
-#
-# One route per line.
-#
-# NOTE: The route generation is performed on the appliance as it is considerably
-# more performant than performing over an SSH pipe.
-#
-bm_start "$(basename $0) - Transferring network list"
-cat $tmp_list | ghe-ssh "$GHE_HOSTNAME" -- sponge $remote_tmp_list
-cat $tmp_list | ghe_debug
-bm_end "$(basename $0) - Transferring network list"
-
-bm_start "$(basename $0) - Generating routes"
-restore_routes_script="github-env ./bin/dgit-cluster-restore-routes"
-if ghe-ssh "$GHE_HOSTNAME" test -e /usr/local/share/enterprise/ghe-restore-network-routes; then
-  restore_routes_script="/usr/local/share/enterprise/ghe-restore-network-routes"
+# In cluster environments, we need to ensure that all repository networks are replicated back to the
+# same Spokes nodes that they were present on when the backup was taken. For this, the list of
+# routes of each repository network is first obtained. Afterward, an rsync file list is created for
+# each Spokes node including only those repository networks for which there was a route to the
+# respective Spokes node.
+if $CLUSTER; then
+  log_info "* Restoring repository networks to cluster nodes according to Spokes routes" 1>&3
+
+  # The server returns a list of routes:
+  #
+  # a/nw/a8/3f/02/100000855 dgit-node1 dgit-node2 dgit-node3
+  # a/nw/a8/bc/8d/100000880 dgit-node1 dgit-node2 dgit-node4
+  # a/nw/a5/06/81/100000659 dgit-node3 dgit-node2 dgit-node4
+  # ...
+  #
+  # One route per line.
+  #
+  # NOTE: The route generation is performed on the appliance as it is considerably
+  # more performant than performing over an SSH pipe.
+  #
+  bm_start "$(basename $0) - Transferring network list"
+  cat $tmp_list | ghe-ssh "$GHE_HOSTNAME" -- sponge $remote_tmp_list
+  cat $tmp_list | ghe_debug
+  bm_end "$(basename $0) - Transferring network list"
+
+  bm_start "$(basename $0) - Generating routes"
+  restore_routes_script="github-env ./bin/dgit-cluster-restore-routes"
+  if ghe-ssh "$GHE_HOSTNAME" test -e /usr/local/share/enterprise/ghe-restore-network-routes; then
+    restore_routes_script="/usr/local/share/enterprise/ghe-restore-network-routes"
+  fi
+  echo "cat $remote_tmp_list | $restore_routes_script | grep 'git-server-' > $remote_routes_list" | ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
+  ghe-ssh "$GHE_HOSTNAME" -- cat $remote_routes_list | ghe_debug
+  bm_end "$(basename $0) - Generating routes"
+
+  bm_start "$(basename $0) - Fetching routes"
+  ghe-ssh "$GHE_HOSTNAME" -- gzip -c $remote_routes_list | gzip -d > $routes_list
+  cat $routes_list | ghe_debug
+  bm_end "$(basename $0) - Fetching routes"
+
+  bm_start "$(basename $0) - Processing routes"
+
+  cat $routes_list | awk -v tempdir="$tempdir" '{ for(i=2;i<=NF;i++){ print $1 > (tempdir"/"$i".rsync") }}'
+  cat $routes_list | awk '{ n = split($1, p, "/"); printf p[n] " /data/repositories/" $1; $1=""; print $0}' > $to_restore
+  ghe_debug "\n$(find "$tempdir" -maxdepth 1 -name '*.rsync')"
+  bm_end "$(basename $0) - Processing routes"
+# There is no need to collect routes and split them by Spokes server in noncluster setups because
+# we need to transfer all repository networks to the primary instance unconditionally, regardless of
+# the Spokes route list captured during the backup. As we already have the list of all repository
+# network paths, we can simply use that as the rsync file list in noncluster environments.
+else
+  log_info "* Restoring all repository networks to target host unconditionally" 1>&3
+
+  cp "$tmp_list" "$tempdir/git-server-primary.rsync"
 fi
-echo "cat $remote_tmp_list | $restore_routes_script | grep 'git-server-' > $remote_routes_list" | ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
-ghe-ssh "$GHE_HOSTNAME" -- cat $remote_routes_list | ghe_debug
-bm_end "$(basename $0) - Generating routes"
-
-bm_start "$(basename $0) - Fetching routes"
-ghe-ssh "$GHE_HOSTNAME" -- gzip -c $remote_routes_list | gzip -d > $routes_list
-cat $routes_list | ghe_debug
-bm_end "$(basename $0) - Fetching routes"
-
-bm_start "$(basename $0) - Processing routes"
-cat $routes_list | awk -v tempdir="$tempdir" '{ for(i=2;i<=NF;i++){ print $1 > (tempdir"/"$i".rsync") }}'
-cat $routes_list | awk '{ n = split($1, p, "/"); printf p[n] " /data/repositories/" $1; $1=""; print $0}' > $to_restore
-ghe_debug "\n$(find "$tempdir" -maxdepth 1 -name '*.rsync')"
-bm_end "$(basename $0) - Processing routes"
 
 if [ -z "$(find "$tempdir" -maxdepth 1 -name '*.rsync')" ]; then
   log_warn "Warning: no routes found, skipping repositories restore ..."
diff --git a/share/github-backup-utils/ghe-restore-secret-scanning-encryption-keys b/share/github-backup-utils/ghe-restore-secret-scanning-encryption-keys
@@ -36,4 +36,10 @@ log_info "Restoring secret scanning encrypted secrets transit keys"
 restore-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
 restore-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
 
+# Restore secret scanning content scanning keys if present
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.11.0)" ]; then
+  log_info "Restoring secret scanning content scanning keys"
+  restore-secret "secret scanning user content delimited encryption root keys" "secret-scanning-user-content-delimited-encryption-root-keys" "secrets.secret-scanning.secret-scanning-user-content-delimited-encryption-root-keys"
+fi
+
 bm_end "$(basename $0)"
diff --git a/share/github-backup-utils/ghe-rsync-size b/share/github-backup-utils/ghe-rsync-size
@@ -21,6 +21,7 @@ fi
 
 transfer_size()
 {
+  local host=$GHE_HOSTNAME
   local backup_data=$1
   if [[ "$1" == "mssql" ]]; then
     data_user_dir="/data/user/$1/backups"
@@ -58,20 +59,41 @@ transfer_size()
     ;;
   esac
 
+  # Check if instance is cluster and fetch appropriate primary host for the different components
+  if "$CLUSTER"; then
+    cluster_nodes_output=$(ghe-ssh "$host" "ghe-cluster-nodes -i")
+      case $1 in
+	elasticsearch | storage | pages | actions | mssql)
+          cluster_host=$(ghe-ssh "$host" "ghe-cluster-nodes -r $backup_data" | head -1)
+          ;;
+        mysql)
+          cluster_host=$(ghe-ssh "$host" "ghe-config cluster.mysql-master")
+          ;;
+        repositories)
+	  cluster_host=$(ghe-ssh "$host" "ghe-cluster-nodes -r git" | head -1)
+          ;;
+        *)
+          exit 0
+          ;;
+      esac
+    host=$(echo "$cluster_nodes_output" | grep "$cluster_host" | awk '{print $2}' | head -1)
+  fi
+
+  # Get file transfer size estimates
   if [ -d "${GHE_DATA_DIR}/current/$1" ]; then
     total_file_size=$(ghe-rsync -arn --stats \
       -e "ssh -q $GHE_EXTRA_SSH_OPTS -p 122 -l admin" \
       --rsync-path="sudo -u $user rsync" \
       "$link_dest"/"$1" \
       --ignore-missing-args \
-      "$GHE_HOSTNAME:$data_user_dir/" \
+      "$host:$data_user_dir/" \
       "$dest_dir/" | grep "Total transferred file size" | sed 's/.*size: //; s/,//g')
   else
     total_file_size=$(ghe-rsync -arn --stats \
       -e "ssh -q $GHE_EXTRA_SSH_OPTS -p 122 -l admin" \
       --rsync-path="sudo -u $user rsync" \
       --ignore-missing-args \
-      "$GHE_HOSTNAME:$data_user_dir/" \
+      "$host:$data_user_dir/" \
       "$dest_dir/" | grep "Total transferred file size" | sed 's/.*size: //; s/,//g')
   fi
 
diff --git a/share/github-backup-utils/track-progress b/share/github-backup-utils/track-progress
diff --git a/test/test-ghe-backup.sh b/test/test-ghe-backup.sh
diff --git a/test/test-ghe-host-check.sh b/test/test-ghe-host-check.sh
diff --git a/test/test-ghe-incremental-restore.sh b/test/test-ghe-incremental-restore.sh
diff --git a/test/test-ghe-restore.sh b/test/test-ghe-restore.sh
diff --git a/test/testlib.sh b/test/testlib.sh
