pyrox.dev / nixpkgs
lol
fork atom

mysqlBackup service: let it work with default settings

* Grants enough privileges to the configured user so that it can run
mysqldump.

* Adds a nixos test.

* Use systemd timers instead of a cronjob (by @fadenb).

* Creates a new user for backups by default, instead of using mysql
user.

* Ensures that backup user has write permissions on backup location.

* Write backup to a temporary file before renaming so that a failed
backup won't overwrite the previous backup, and so that the backup
location will never contain a partial backup.

Breaking changes:

* Renamed period to calendar to reflect the change in how to
configure the backup time.

* A failed backup will no longer result in cron sending an e-mail --
users' monitoring systems must be updated.

Resolves #24728

Rodney Lorrimar 56eba66f 75ba415f

options
unified split
Changed files
+112 -18
nixos
modules
services
backup
mysql-backup.nix
release.nix
tests
mysql-backup.nix
testdb.sql
+68 -18
nixos/modules/services/backup/mysql-backup.nix 
···

       
6

       
6

       
 

       



     

       
7

       
7

       
 

       
  inherit (pkgs) mysql gzip;


     

       
8

       
8

       
 

       



     

       
9

       

       
-

       
  cfg = config.services.mysqlBackup ;


     

       
10

       

       
-

       
  location = cfg.location ;


     

       
11

       

       
-

       
  mysqlBackupCron = db : ''


     

       
12

       

       
-

       
    ${cfg.period} ${cfg.user} ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz


     

       

       
9

       
+

       
  cfg = config.services.mysqlBackup;


     

       

       
10

       
+

       
  defaultUser = "mysqlbackup";


     

       

       
11

       
+

       



     

       

       
12

       
+

       
  backupScript = ''


     

       

       
13

       
+

       
    set -o pipefail


     

       

       
14

       
+

       
    failed=""


     

       

       
15

       
+

       
    ${concatMapStringsSep "\n" backupDatabaseScript cfg.databases}


     

       

       
16

       
+

       
    if [ -n "$failed" ]; then


     

       

       
17

       
+

       
      echo "Backup of database(s) failed:$failed"


     

       

       
18

       
+

       
      exit 1


     

       

       
19

       
+

       
    fi


     

       

       
20

       
+

       
  '';


     

       

       
21

       
+

       
  backupDatabaseScript = db: ''


     

       

       
22

       
+

       
    dest="${cfg.location}/${db}.gz"


     

       

       
23

       
+

       
    if ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then


     

       

       
24

       
+

       
      mv $dest.tmp $dest


     

       

       
25

       
+

       
      echo "Backed up to $dest"


     

       

       
26

       
+

       
    else


     

       

       
27

       
+

       
      echo "Failed to back up to $dest"


     

       

       
28

       
+

       
      rm -f $dest.tmp


     

       

       
29

       
+

       
      failed="$failed ${db}"


     

       

       
30

       
+

       
    fi


     

       
13

       
31

       
 

       
  '';


     

       
14

       
32

       
 

       



     

       
15

       
33

       
 

       
in


     
···

       
26

       
44

       
 

       
        '';


     

       
27

       
45

       
 

       
      };


     

       
28

       
46

       
 

       



     

       
29

       

       
-

       
      period = mkOption {


     

       
30

       

       
-

       
        default = "15 01 * * *";


     

       

       
47

       
+

       
      calendar = mkOption {


     

       

       
48

       
+

       
        type = types.str;


     

       

       
49

       
+

       
        default = "01:15:00";


     

       
31

       
50

       
 

       
        description = ''


     

       
32

       

       
-

       
          This option defines (in the format used by cron) when the


     

       
33

       

       
-

       
          databases should be dumped.


     

       
34

       

       
-

       
          The default is to update at 01:15 (at night) every day.


     

       

       
51

       
+

       
          Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).


     

       
35

       
52

       
 

       
        '';


     

       
36

       
53

       
 

       
      };


     

       
37

       
54

       
 

       



     

       
38

       
55

       
 

       
      user = mkOption {


     

       
39

       

       
-

       
        default = "mysql";


     

       

       
56

       
+

       
        default = defaultUser;


     

       
40

       
57

       
 

       
        description = ''


     

       
41

       
58

       
 

       
          User to be used to perform backup.


     

       
42

       
59

       
 

       
        '';


     
···

       
66

       
83

       
 

       



     

       
67

       
84

       
 

       
  };


     

       
68

       
85

       
 

       



     

       
69

       

       
-

       
  config = mkIf config.services.mysqlBackup.enable {


     

       
70

       

       
-

       



     

       
71

       

       
-

       
    services.cron.systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;


     

       

       
86

       
+

       
  config = mkIf cfg.enable {


     

       

       
87

       
+

       
    users.extraUsers = optionalAttrs (cfg.user == defaultUser) (singleton


     

       

       
88

       
+

       
      { name = defaultUser;


     

       

       
89

       
+

       
        isSystemUser = true;


     

       

       
90

       
+

       
        createHome = false;


     

       

       
91

       
+

       
        home = cfg.location;


     

       

       
92

       
+

       
        group = "nogroup";


     

       

       
93

       
+

       
      });


     

       
72

       
94

       
 

       



     

       
73

       

       
-

       
    system.activationScripts.mysqlBackup = stringAfter [ "stdio" "users" ]


     

       
74

       

       
-

       
      ''


     

       
75

       

       
-

       
        mkdir -m 0700 -p ${config.services.mysqlBackup.location}


     

       
76

       

       
-

       
        chown ${config.services.mysqlBackup.user} ${config.services.mysqlBackup.location}


     

       
77

       

       
-

       
      '';


     

       

       
95

       
+

       
    services.mysql.ensureUsers = [{


     

       

       
96

       
+

       
      name = cfg.user;


     

       

       
97

       
+

       
      ensurePermissions = with lib;


     

       

       
98

       
+

       
        let


     

       

       
99

       
+

       
          privs = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES";


     

       

       
100

       
+

       
          grant = db: nameValuePair "${db}.*" privs;


     

       

       
101

       
+

       
        in


     

       

       
102

       
+

       
          listToAttrs (map grant cfg.databases);


     

       

       
103

       
+

       
    }];


     

       
78

       
104

       
 

       



     

       

       
105

       
+

       
    systemd = {


     

       

       
106

       
+

       
      timers."mysql-backup" = {


     

       

       
107

       
+

       
        description = "Mysql backup timer";


     

       

       
108

       
+

       
        wantedBy = [ "timers.target" ];


     

       

       
109

       
+

       
        timerConfig = {


     

       

       
110

       
+

       
          OnCalendar = cfg.calendar;


     

       

       
111

       
+

       
          AccuracySec = "5m";


     

       

       
112

       
+

       
          Unit = "mysql-backup.service";


     

       

       
113

       
+

       
        };


     

       

       
114

       
+

       
      };


     

       

       
115

       
+

       
      services."mysql-backup" = {


     

       

       
116

       
+

       
        description = "Mysql backup service";


     

       

       
117

       
+

       
        enable = true;


     

       

       
118

       
+

       
        serviceConfig = {


     

       

       
119

       
+

       
          User = cfg.user;


     

       

       
120

       
+

       
          PermissionsStartOnly = true;


     

       

       
121

       
+

       
        };


     

       

       
122

       
+

       
        preStart = ''


     

       

       
123

       
+

       
          mkdir -m 0700 -p ${cfg.location}


     

       

       
124

       
+

       
          chown -R ${cfg.user} ${cfg.location}


     

       

       
125

       
+

       
        '';


     

       

       
126

       
+

       
        script = backupScript;


     

       

       
127

       
+

       
      };


     

       

       
128

       
+

       
    };


     

       
79

       
129

       
 

       
  };


     

       
80

       
130

       
 

       



     

       
81

       
131

       
 

       
}
+1
nixos/release.nix 
···

       
283

       
283

       
 

       
  tests.mumble = callTest tests/mumble.nix {};


     

       
284

       
284

       
 

       
  tests.munin = callTest tests/munin.nix {};


     

       
285

       
285

       
 

       
  tests.mysql = callTest tests/mysql.nix {};


     

       

       
286

       
+

       
  tests.mysqlBackup = callTest tests/mysql-backup.nix {};


     

       
286

       
287

       
 

       
  tests.mysqlReplication = callTest tests/mysql-replication.nix {};


     

       
287

       
288

       
 

       
  tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };


     

       
288

       
289

       
 

       
  tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };
+42
nixos/tests/mysql-backup.nix 
···

       

       
1

       
+

       
# Test whether mysqlBackup option works


     

       

       
2

       
+

       
import ./make-test.nix ({ pkgs, ... } : {


     

       

       
3

       
+

       
  name = "mysql-backup";


     

       

       
4

       
+

       
  meta = with pkgs.stdenv.lib.maintainers; {


     

       

       
5

       
+

       
    maintainers = [ rvl ];


     

       

       
6

       
+

       
  };


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  nodes = {


     

       

       
9

       
+

       
    master = { config, pkgs, ... }: {


     

       

       
10

       
+

       
      services.mysql = {


     

       

       
11

       
+

       
        enable = true;


     

       

       
12

       
+

       
        initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];


     

       

       
13

       
+

       
        package = pkgs.mysql;


     

       

       
14

       
+

       
      };


     

       

       
15

       
+

       



     

       

       
16

       
+

       
      services.mysqlBackup = {


     

       

       
17

       
+

       
        enable = true;


     

       

       
18

       
+

       
        databases = [ "doesnotexist" "testdb" ];


     

       

       
19

       
+

       
      };


     

       

       
20

       
+

       
    };


     

       

       
21

       
+

       
  };


     

       

       
22

       
+

       



     

       

       
23

       
+

       
  testScript =


     

       

       
24

       
+

       
    '' startAll;


     

       

       
25

       
+

       



     

       

       
26

       
+

       
       # Need to have mysql started so that it can be populated with data.


     

       

       
27

       
+

       
       $master->waitForUnit("mysql.service");


     

       

       
28

       
+

       



     

       

       
29

       
+

       
       # Wait for testdb to be populated.


     

       

       
30

       
+

       
       $master->sleep(10);


     

       

       
31

       
+

       



     

       

       
32

       
+

       
       # Do a backup and wait for it to finish.


     

       

       
33

       
+

       
       $master->startJob("mysql-backup.service");


     

       

       
34

       
+

       
       $master->waitForJob("mysql-backup.service");


     

       

       
35

       
+

       



     

       

       
36

       
+

       
       # Check that data appears in backup


     

       

       
37

       
+

       
       $master->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello");


     

       

       
38

       
+

       



     

       

       
39

       
+

       
       # Check that a failed backup is logged


     

       

       
40

       
+

       
       $master->succeed("journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null");


     

       

       
41

       
+

       
    '';


     

       

       
42

       
+

       
})
+1
nixos/tests/testdb.sql 
···

       
8

       
8

       
 

       
insert into tests values (2, 'b');


     

       
9

       
9

       
 

       
insert into tests values (3, 'c');


     

       
10

       
10

       
 

       
insert into tests values (4, 'd');


     

       

       
11

       
+

       
insert into tests values (5, 'hello');