server, bin: purge old already-archived jobs to avoid perpetual database growth

Author: jclulow

bin/src/main.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Oxide Computer Company
+ * Copyright 2025 Oxide Computer Company
  */
 
 #![allow(clippy::many_single_char_names)]
@@ -2378,6 +2378,25 @@ async fn do_admin_job_archive(mut l: Level<Stuff>) -> Result<()> {
     Ok(())
 }
 
+async fn do_admin_job_purge(mut l: Level<Stuff>) -> Result<()> {
+    l.usage_args(Some("JOB..."));
+
+    let a = args!(l);
+    if a.args().is_empty() {
+        bad_args!(l, "specify a job to purge");
+    }
+
+    for arg in a.args() {
+        if let Err(e) =
+            l.context().admin().admin_job_purge_request().job(arg).send().await
+        {
+            bail!("ERROR: purging {}: {:?}", arg, e);
+        }
+    }
+
+    Ok(())
+}
+
 async fn do_admin_job_list(mut l: Level<Stuff>) -> Result<()> {
     l.add_column("id", WIDTH_ID, true);
     l.add_column("age", WIDTH_AGE, true);
@@ -2507,6 +2526,7 @@ async fn do_admin_job_list(mut l: Level<Stuff>) -> Result<()> {
 async fn do_admin_job(mut l: Level<Stuff>) -> Result<()> {
     l.cmda("list", "ls", "list jobs", cmd!(do_admin_job_list))?;
     l.cmd("archive", "request archive of a job", cmd!(do_admin_job_archive))?;
+    l.cmd("purge", "request purge of a job", cmd!(do_admin_job_purge))?;
     l.cmd("dump", "dump information about jobs", cmd!(do_admin_job_dump))?;
 
     sel!(l).run().await

client/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.3",
   "info": {
     "title": "Buildomat",
-    "version": "1.0"
+    "version": "1.0.0"
   },
   "paths": {
     "/0/admin/factories": {
@@ -232,6 +232,32 @@
         }
       }
     },
+    "/0/admin/jobs/{job}/purge": {
+      "post": {
+        "operationId": "admin_job_purge_request",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "job",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "resource updated"
+          },
+          "4XX": {
+            "$ref": "#/components/responses/Error"
+          },
+          "5XX": {
+            "$ref": "#/components/responses/Error"
+          }
+        }
+      }
+    },
     "/0/admin/target": {
       "post": {
         "operationId": "target_create",
@@ -2972,6 +2998,16 @@
               "$ref": "#/components/schemas/Task"
             }
           },
+          "time_archived": {
+            "nullable": true,
+            "type": "string",
+            "format": "date-time"
+          },
+          "time_purged": {
+            "nullable": true,
+            "type": "string",
+            "format": "date-time"
+          },
           "times": {
             "default": {},
             "type": "object",

server/schema.sql

@@ -332,3 +332,11 @@ ALTER TABLE worker ADD COLUMN
 -- v 55
 ALTER TABLE worker ADD COLUMN
     factory_ip      TEXT;
+
+-- v 56
+ALTER TABLE job ADD COLUMN
+    time_purged     TEXT;
+
+-- v 57
+CREATE INDEX job_purging_queue ON job (id, complete, time_archived, time_purged)
+    WHERE complete = true AND time_archived IS NOT NULL AND time_purged IS NULL;

server/src/api/admin.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Oxide Computer Company
+ * Copyright 2025 Oxide Computer Company
  */
 
 use super::prelude::*;
@@ -464,6 +464,40 @@ pub(crate) async fn admin_job_archive_request(
     Ok(HttpResponseUpdatedNoContent())
 }
 
+#[endpoint {
+    method = POST,
+    path = "/0/admin/jobs/{job}/purge",
+}]
+pub(crate) async fn admin_job_purge_request(
+    rqctx: RequestContext<Arc<Central>>,
+    path: TypedPath<JobPath>,
+) -> DSResult<HttpResponseUpdatedNoContent> {
+    let c = rqctx.context();
+    let log = &rqctx.log;
+
+    c.require_admin(log, &rqctx.request, "job.purge").await?;
+
+    let id = path.into_inner().job.parse::<db::JobId>().or_500()?;
+    let job = c.db.job(id).or_500()?;
+
+    if !job.is_archived() {
+        return Err(HttpError::for_bad_request(
+            None,
+            "job cannot be purge until archived".into(),
+        ));
+    }
+
+    /*
+     * If a job is archived, it should already have been complete previously:
+     */
+    assert!(job.complete);
+
+    info!(log, "admin: requested purge of job {}", job.id);
+    c.inner.lock().unwrap().purge_queue.push_back(job.id);
+
+    Ok(HttpResponseUpdatedNoContent())
+}
+
 #[endpoint {
     method = POST,
     path = "/0/control/hold",

server/src/api/mod.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Oxide Computer Company
+ * Copyright 2025 Oxide Computer Company
  */
 
 mod prelude {
@@ -20,7 +20,7 @@ mod prelude {
     pub use rusty_ulid::Ulid;
     pub use schemars::JsonSchema;
     pub use serde::{Deserialize, Serialize};
-    pub use slog::{error, info, warn, Logger};
+    pub use slog::{error, info, o, warn, Logger};
     pub use std::collections::HashMap;
     pub use std::str::FromStr;
     pub use std::sync::Arc;

server/src/api/user.rs

@@ -1,9 +1,7 @@
 /*
- * Copyright 2024 Oxide Computer Company
+ * Copyright 2025 Oxide Computer Company
  */
 
-use slog::o;
-
 use super::prelude::*;
 
 use super::worker::UploadedChunk;
@@ -608,6 +606,8 @@ pub(crate) fn format_job(
         tags,
         cancelled: j.cancelled,
         times,
+        time_archived: j.time_archived.map(|d| d.0),
+        time_purged: j.time_purged.map(|d| d.0),
     }
 }
 
@@ -665,7 +665,7 @@ pub(crate) async fn jobs_get_old(
         marker = Some(page.last().unwrap().id);
 
         for job in page {
-            out.push(super::user::Job::load(log, c, &job).await.or_500()?);
+            out.push(Job::load(log, c, &job).await.or_500()?);
         }
 
         /*
@@ -826,6 +826,8 @@ pub(crate) struct Job {
     cancelled: bool,
     #[serde(default)]
     times: HashMap<String, DateTime<Utc>>,
+    time_archived: Option<DateTime<Utc>>,
+    time_purged: Option<DateTime<Utc>>,
 }
 
 impl Job {

server/src/archive/jobs.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Oxide Computer Company
+ * Copyright 2025 Oxide Computer Company
  */
 
 use core::mem::size_of;
@@ -981,10 +981,11 @@ fn archive_jobs_sync_work(
         waiting: _,
 
         /*
-         * This field tracks when the job was successfully archived, and thus
-         * cannot appear in the archive itself.
+         * These fields track when the job was successfully archived or purged,
+         * and thus cannot appear in the archive itself.
          */
         time_archived: _,
+        time_purged: _,
 
         /*
          * We use the target_id value we already fetched above, so ignore it
@@ -1001,7 +1002,7 @@ fn archive_jobs_sync_work(
      * This structure should store things that don't grow substantially for
      * longer-running jobs that produce more output.  In particular, we store
      * the job event stream in a different way.  This is important because we
-     * wil need to deserialize this object (at a cost of CPU and memory) in
+     * will need to deserialise this object (at a cost of CPU and memory) in
      * order to answer questions about the job: heavier jobs should not use more
      * resources than lighter jobs.
      */
@@ -1198,3 +1199,100 @@ pub(crate) async fn archive_jobs(log: Logger, c: Arc<Central>) -> Result<()> {
         tokio::time::sleep(delay).await;
     }
 }
+
+fn purge_jobs_sync_work(
+    log: &Logger,
+    c: &Central,
+) -> Result<Option<db::JobId>> {
+    let (reason, job) = if let Some(job) =
+        c.inner.lock().unwrap().purge_queue.pop_front()
+    {
+        /*
+         * Service explicit requests from the operator to purge a job first.
+         */
+        let job = c.db.job(job)?;
+        if !job.is_archived() {
+            warn!(log, "job {} not archived; cannot purge yet", job.id);
+            return Ok(None);
+        }
+        if job.is_purged() {
+            warn!(log, "job {} was already purged; ignoring request", job.id);
+            return Ok(None);
+        }
+        ("operator request", job)
+    } else if c.config.job.auto_purge {
+        /*
+         * Otherwise, if auto-purging is enabled, purge the next as-yet
+         * unpurged job.
+         */
+        if let Some(job) = c.db.job_next_unpurged()? {
+            if let Some(time) = job.time_archived {
+                if time.age().as_secs() < 14 * 86400 {
+                    /*
+                     * Only purge once the job has been archived for at least a
+                     * fortnight.
+                     */
+                    return Ok(None);
+                }
+            }
+
+            ("automatic", job)
+        } else {
+            return Ok(None);
+        }
+    } else {
+        return Ok(None);
+    };
+
+    assert!(job.complete);
+    assert!(job.time_archived.is_some());
+    assert!(job.time_purged.is_none());
+
+    info!(log, "purging job {} [{reason}]...", job.id);
+
+    /*
+     * Purging a job from the database involves removing the live records. This
+     * should have no impact on access to details about the job, as we will
+     * fetch those details from the archive file once the job has been archived.
+     */
+    c.db.job_purge(job.id)?;
+
+    Ok(Some(job.id))
+}
+
+async fn purge_jobs_one(log: &Logger, c: &Arc<Central>) -> Result<bool> {
+    let start = Instant::now();
+
+    /*
+     * The work to purge a job is synchronous and may take several seconds for
+     * larger jobs.  Avoid holding up other async tasks while we wait:
+     */
+    let id = tokio::task::block_in_place(|| purge_jobs_sync_work(log, c))?;
+
+    if let Some(id) = id {
+        let dur = Instant::now().saturating_duration_since(start);
+        info!(log, "job {id} purged"; "duration_msec" => dur.as_millis());
+    }
+
+    Ok(id.is_some())
+}
+
+pub(crate) async fn purge_jobs(log: Logger, c: Arc<Central>) -> Result<()> {
+    let delay = Duration::from_secs(1);
+    let ok_delay = Duration::from_millis(c.config.job.purge_delay_msec);
+
+    info!(log, "start job purge task");
+
+    loop {
+        match purge_jobs_one(&log, &c).await {
+            Ok(true) => {
+                tokio::time::sleep(ok_delay).await;
+                continue;
+            }
+            Ok(false) => (),
+            Err(e) => error!(log, "job purge task error: {:?}", e),
+        }
+
+        tokio::time::sleep(delay).await;
+    }
+}

server/src/config.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Oxide Computer Company
+ * Copyright 2025 Oxide Computer Company
  */
 
 use std::path::Path;
@@ -38,6 +38,10 @@ pub struct ConfigFileJob {
     pub max_size_per_file_mb: u64,
     #[serde(default)]
     pub auto_archive: bool,
+    #[serde(default)]
+    pub auto_purge: bool,
+    #[serde(default = "default_purge_delay_msec")]
+    pub purge_delay_msec: u64,
 }
 
 impl ConfigFileJob {
@@ -57,6 +61,15 @@ fn default_max_size_per_file_mb() -> u64 {
     1024
 }
 
+fn default_purge_delay_msec() -> u64 {
+    /*
+     * By default, wait half a second after a successful purge before purging
+     * another job.  When there are a lot of jobs to purge, this can help to
+     * keep the system responsive to active jobs.
+     */
+    500
+}
+
 #[derive(Deserialize, Debug, Default)]
 #[serde(deny_unknown_fields)]
 pub struct ConfigFileFile {