hippogrief/pobsync
1
0
Fork 0
Code Issues 21 Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
f86c67aeee0ff2a5ea6d9ba36a7e9517efdd9d7e
pobsync/src/pobsync_backend/retention.py

353 lines
12 KiB
Python
Raw Normal View History

Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
from __future__ import annotations
import shutil
(bugfix) Prune snapshots with preserved read-only permissions Make SQL retention delete the snapshot root when records point at the snapshot data directory, matching how backup metadata is stored on disk. Before removing a snapshot tree, temporarily add user write permission to directories inside that snapshot so rsync-preserved source permissions do not block cleanup. Add a regression test for pruning snapshots whose data directory mirrors a read-only remote root.
2026-05-19 23:29:36 +02:00
import stat
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
from pobsync.errors import ConfigError
from pobsync.lock import acquire_host_lock
from pobsync.paths import PobsyncPaths
from pobsync.retention import Snapshot, apply_base_protection, build_retention_plan
from pobsync.util import sanitize_host
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
from .models import HostConfig, PurgedSnapshot, SnapshotRecord
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
def run_sql_retention_plan(*, host: str, kind: str, protect_bases: bool) -> dict[str, Any]:
host = sanitize_host(host)
if kind not in {"scheduled", "manual", "all"}:
raise ConfigError("kind must be scheduled, manual, or all")
host_config = _enabled_host_config(host)
retention = _retention_for_host(host_config)
snapshots = _snapshots_for_retention(host_config=host_config, kind=kind)
(ui) Make retention planning warnings explicit Show keep/delete reasons in the retention plan, surface scheduled prune limit warnings, and explain base snapshot protection before retention is applied. Also surface incomplete snapshots from the retention views without deleting them automatically, so interrupted backups are visible on the dashboard, host detail, and retention plan.
2026-05-21 01:10:45 +02:00
incomplete_snapshots = _incomplete_snapshots_for_host(host_config)
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
plan = build_retention_plan(
snapshots=snapshots,
retention=retention,
now=datetime.now(timezone.utc),
)
keep = set(plan.keep)
reasons = dict(plan.reasons)
if protect_bases:
keep, reasons = apply_base_protection(snapshots=snapshots, keep=keep, reasons=reasons)
delete = [snapshot for snapshot in snapshots if snapshot.dirname not in keep]
(ui) Make retention planning warnings explicit Show keep/delete reasons in the retention plan, surface scheduled prune limit warnings, and explain base snapshot protection before retention is applied. Also surface incomplete snapshots from the retention views without deleting them automatically, so interrupted backups are visible on the dashboard, host detail, and retention plan.
2026-05-21 01:10:45 +02:00
keep_items = [snapshot for snapshot in snapshots if snapshot.dirname in keep]
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
return {
"ok": True,
"host": host,
"kind": kind,
"protect_bases": bool(protect_bases),
"retention": retention,
"source": "sql",
"keep": sorted(keep),
(ui) Make retention planning warnings explicit Show keep/delete reasons in the retention plan, surface scheduled prune limit warnings, and explain base snapshot protection before retention is applied. Also surface incomplete snapshots from the retention views without deleting them automatically, so interrupted backups are visible on the dashboard, host detail, and retention plan.
2026-05-21 01:10:45 +02:00
"keep_items": [_snapshot_to_item(snapshot, reasons=reasons.get(snapshot.dirname, [])) for snapshot in keep_items],
"delete": [_snapshot_to_item(snapshot, reasons=["outside retention policy"]) for snapshot in delete],
"incomplete": [
_snapshot_to_item(snapshot, reasons=["incomplete snapshot; excluded from retention cleanup"])
for snapshot in incomplete_snapshots
],
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
"reasons": reasons,
}
def run_sql_retention_apply(
*,
prefix: Path,
host: str,
kind: str,
protect_bases: bool,
yes: bool,
max_delete: int,
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
action: str = PurgedSnapshot.Action.MANUAL,
triggered_by: str = "",
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
acquire_lock: bool = True,
) -> dict[str, Any]:
host = sanitize_host(host)
if not yes:
raise ConfigError("Refusing to delete snapshots without --yes")
if max_delete < 0:
raise ConfigError("--max-delete must be >= 0")
paths = PobsyncPaths(home=prefix)
def _do_apply() -> dict[str, Any]:
plan = run_sql_retention_plan(host=host, kind=kind, protect_bases=bool(protect_bases))
delete_list = plan.get("delete") or []
(ui) Show retention apply details on run detail Record planned delete counts, max-delete settings, base protection, and ignored incomplete snapshots in retention apply results. Surface those details on run detail pages so scheduled and manual prune outcomes are understandable without reading the raw JSON payload.
2026-05-21 01:25:40 +02:00
incomplete_list = plan.get("incomplete") or []
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
if not isinstance(delete_list, list):
raise ConfigError("Invalid retention plan output: delete is not a list")
(ui) Show retention apply details on run detail Record planned delete counts, max-delete settings, base protection, and ignored incomplete snapshots in retention apply results. Surface those details on run detail pages so scheduled and manual prune outcomes are understandable without reading the raw JSON payload.
2026-05-21 01:25:40 +02:00
if not isinstance(incomplete_list, list):
raise ConfigError("Invalid retention plan output: incomplete is not a list")
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
if max_delete == 0 and len(delete_list) > 0:
raise ConfigError("Deletion blocked by --max-delete=0")
if len(delete_list) > max_delete:
raise ConfigError(f"Refusing to delete {len(delete_list)} snapshots (exceeds --max-delete={max_delete})")
actions: list[str] = []
deleted: list[dict[str, Any]] = []
for item in delete_list:
dirname = item.get("dirname") if isinstance(item, dict) else None
snap_kind = item.get("kind") if isinstance(item, dict) else None
snap_path = item.get("path") if isinstance(item, dict) else None
if not isinstance(dirname, str) or not isinstance(snap_kind, str) or not isinstance(snap_path, str):
continue
if snap_kind not in {"scheduled", "manual"}:
raise ConfigError(f"Refusing to delete unsupported snapshot kind: {snap_kind!r}")
(bugfix) Prune snapshots with preserved read-only permissions Make SQL retention delete the snapshot root when records point at the snapshot data directory, matching how backup metadata is stored on disk. Before removing a snapshot tree, temporarily add user write permission to directories inside that snapshot so rsync-preserved source permissions do not block cleanup. Add a regression test for pruning snapshots whose data directory mirrors a read-only remote root.
2026-05-19 23:29:36 +02:00
path = _snapshot_delete_path(path=Path(snap_path), dirname=dirname)
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
reason = str(item.get("reason") or "outside retention policy")
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
if not path.exists():
actions.append(f"skip missing {snap_kind}/{dirname}")
continue
if not path.is_dir():
(bugfix) Prune snapshots with preserved read-only permissions Make SQL retention delete the snapshot root when records point at the snapshot data directory, matching how backup metadata is stored on disk. Before removing a snapshot tree, temporarily add user write permission to directories inside that snapshot so rsync-preserved source permissions do not block cleanup. Add a regression test for pruning snapshots whose data directory mirrors a read-only remote root.
2026-05-19 23:29:36 +02:00
raise ConfigError(f"Refusing to delete non-directory path: {path}")
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
(bugfix) Prune snapshots with preserved read-only permissions Make SQL retention delete the snapshot root when records point at the snapshot data directory, matching how backup metadata is stored on disk. Before removing a snapshot tree, temporarily add user write permission to directories inside that snapshot so rsync-preserved source permissions do not block cleanup. Add a regression test for pruning snapshots whose data directory mirrors a read-only remote root.
2026-05-19 23:29:36 +02:00
_remove_snapshot_tree(path)
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
_record_purged_snapshot(
host_config=_enabled_host_config(host),
kind=snap_kind,
dirname=dirname,
path=path,
reason=reason,
action=action,
triggered_by=triggered_by,
metadata={"source": "retention", "protect_bases": bool(protect_bases), "retention_kind": kind},
)
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
SnapshotRecord.objects.filter(host__host=host, kind=snap_kind, dirname=dirname).delete()
actions.append(f"deleted {snap_kind} {dirname}")
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
deleted.append({"dirname": dirname, "kind": snap_kind, "path": str(path), "reason": reason})
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
return {
"ok": True,
"host": host,
"kind": kind,
"protect_bases": bool(protect_bases),
"max_delete": max_delete,
"source": "sql",
(ui) Show retention apply details on run detail Record planned delete counts, max-delete settings, base protection, and ignored incomplete snapshots in retention apply results. Surface those details on run detail pages so scheduled and manual prune outcomes are understandable without reading the raw JSON payload.
2026-05-21 01:25:40 +02:00
"planned_delete_count": len(delete_list),
"incomplete_ignored_count": len(incomplete_list),
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
"deleted": deleted,
"actions": actions,
}
if acquire_lock:
with acquire_host_lock(paths.locks_dir, host, command="retention-apply"):
return _do_apply()
return _do_apply()
(release) Add explicit incomplete snapshot cleanup Add a dedicated cleanup path for incomplete snapshots instead of letting retention prune them implicitly. The retention plan now exposes a guarded form that requires host and delete-count confirmation before removing .incomplete snapshot directories and their SQL records. Keep scheduled/manual retention behavior unchanged, add path safety checks, and cover cleanup success, confirmation failures, max-delete limits, and unexpected paths in tests. Refs #10
2026-05-21 03:26:21 +02:00
def run_incomplete_cleanup(
*,
prefix: Path,
host: str,
yes: bool,
max_delete: int,
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
triggered_by: str = "",
(release) Add explicit incomplete snapshot cleanup Add a dedicated cleanup path for incomplete snapshots instead of letting retention prune them implicitly. The retention plan now exposes a guarded form that requires host and delete-count confirmation before removing .incomplete snapshot directories and their SQL records. Keep scheduled/manual retention behavior unchanged, add path safety checks, and cover cleanup success, confirmation failures, max-delete limits, and unexpected paths in tests. Refs #10
2026-05-21 03:26:21 +02:00
acquire_lock: bool = True,
) -> dict[str, Any]:
host = sanitize_host(host)
if not yes:
raise ConfigError("Refusing to delete incomplete snapshots without --yes")
if max_delete < 0:
raise ConfigError("--max-delete must be >= 0")
paths = PobsyncPaths(home=prefix)
def _do_cleanup() -> dict[str, Any]:
host_config = _enabled_host_config(host)
incomplete_list = [
_snapshot_to_item(snapshot, reasons=["manual incomplete cleanup"])
for snapshot in _incomplete_snapshots_for_host(host_config)
]
if max_delete == 0 and len(incomplete_list) > 0:
raise ConfigError("Incomplete cleanup blocked by --max-delete=0")
if len(incomplete_list) > max_delete:
raise ConfigError(
f"Refusing to delete {len(incomplete_list)} incomplete snapshots (exceeds --max-delete={max_delete})"
)
actions: list[str] = []
deleted: list[dict[str, Any]] = []
for item in incomplete_list:
dirname = item["dirname"]
snap_path = Path(item["path"])
path = _snapshot_delete_path(path=snap_path, dirname=dirname)
_validate_incomplete_delete_path(host=host, path=path, dirname=dirname)
if not path.exists():
actions.append(f"skip missing incomplete/{dirname}")
elif not path.is_dir():
raise ConfigError(f"Refusing to delete non-directory path: {path}")
else:
_remove_snapshot_tree(path)
actions.append(f"deleted incomplete {dirname}")
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
_record_purged_snapshot(
host_config=host_config,
kind=SnapshotRecord.Kind.INCOMPLETE,
dirname=dirname,
path=path,
reason="manual incomplete cleanup",
action=PurgedSnapshot.Action.INCOMPLETE_CLEANUP,
triggered_by=triggered_by,
metadata={"source": "incomplete_cleanup"},
)
(release) Add explicit incomplete snapshot cleanup Add a dedicated cleanup path for incomplete snapshots instead of letting retention prune them implicitly. The retention plan now exposes a guarded form that requires host and delete-count confirmation before removing .incomplete snapshot directories and their SQL records. Keep scheduled/manual retention behavior unchanged, add path safety checks, and cover cleanup success, confirmation failures, max-delete limits, and unexpected paths in tests. Refs #10
2026-05-21 03:26:21 +02:00
SnapshotRecord.objects.filter(
host__host=host,
kind=SnapshotRecord.Kind.INCOMPLETE,
dirname=dirname,
).delete()
deleted.append({"dirname": dirname, "kind": SnapshotRecord.Kind.INCOMPLETE, "path": str(path)})
return {
"ok": True,
"host": host,
"kind": SnapshotRecord.Kind.INCOMPLETE,
"max_delete": max_delete,
"source": "sql",
"planned_delete_count": len(incomplete_list),
"deleted": deleted,
"actions": actions,
}
if acquire_lock:
with acquire_host_lock(paths.locks_dir, host, command="incomplete-cleanup"):
return _do_cleanup()
return _do_cleanup()
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
def _enabled_host_config(host: str) -> HostConfig:
try:
return HostConfig.objects.get(host=host, enabled=True)
except HostConfig.DoesNotExist as exc:
(refactor) Use operator-facing config errors Replace remaining model-name based configuration errors with labels that match the Django-first operating model. Add coverage for missing global config and host configuration errors so operator-facing messages stay readable.
2026-05-21 02:56:00 +02:00
raise ConfigError(f"Missing enabled host {host!r}") from exc
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
def _retention_for_host(host_config: HostConfig) -> dict[str, int]:
return {
"daily": host_config.retention_daily,
"weekly": host_config.retention_weekly,
"monthly": host_config.retention_monthly,
"yearly": host_config.retention_yearly,
}
def _snapshots_for_retention(*, host_config: HostConfig, kind: str) -> list[Snapshot]:
kinds = ["scheduled", "manual"] if kind == "all" else [kind]
records = (
SnapshotRecord.objects.filter(host=host_config, kind__in=kinds)
.exclude(kind=SnapshotRecord.Kind.INCOMPLETE)
.select_related("base")
.order_by("-started_at", "dirname")
)
return [_snapshot_from_record(record) for record in records]
(ui) Make retention planning warnings explicit Show keep/delete reasons in the retention plan, surface scheduled prune limit warnings, and explain base snapshot protection before retention is applied. Also surface incomplete snapshots from the retention views without deleting them automatically, so interrupted backups are visible on the dashboard, host detail, and retention plan.
2026-05-21 01:10:45 +02:00
def _incomplete_snapshots_for_host(host_config: HostConfig) -> list[Snapshot]:
records = (
SnapshotRecord.objects.filter(host=host_config, kind=SnapshotRecord.Kind.INCOMPLETE)
.select_related("base")
.order_by("-started_at", "dirname")
)
return [_snapshot_from_record(record) for record in records]
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
def _snapshot_from_record(record: SnapshotRecord) -> Snapshot:
return Snapshot(
kind=record.kind,
dirname=record.dirname,
path=record.path,
dt=record.started_at or datetime.fromtimestamp(0, tz=timezone.utc),
status=record.status or None,
base=_base_meta_from_record(record),
)
def _base_meta_from_record(record: SnapshotRecord) -> dict[str, str] | None:
if record.base is not None:
return {
"kind": record.base.kind,
"dirname": record.base.dirname,
"path": record.base.path,
}
if record.base_kind and record.base_dirname:
return {
"kind": record.base_kind,
"dirname": record.base_dirname,
"path": record.base_path,
}
return None
(ui) Make retention planning warnings explicit Show keep/delete reasons in the retention plan, surface scheduled prune limit warnings, and explain base snapshot protection before retention is applied. Also surface incomplete snapshots from the retention views without deleting them automatically, so interrupted backups are visible on the dashboard, host detail, and retention plan.
2026-05-21 01:10:45 +02:00
def _snapshot_to_item(snapshot: Snapshot, *, reasons: list[str]) -> dict[str, Any]:
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
return {
"dirname": snapshot.dirname,
"kind": snapshot.kind,
"path": snapshot.path,
"dt": snapshot.dt.isoformat(),
"status": snapshot.status,
(ui) Make retention planning warnings explicit Show keep/delete reasons in the retention plan, surface scheduled prune limit warnings, and explain base snapshot protection before retention is applied. Also surface incomplete snapshots from the retention views without deleting them automatically, so interrupted backups are visible on the dashboard, host detail, and retention plan.
2026-05-21 01:10:45 +02:00
"reasons": reasons,
"reason": ", ".join(reasons),
Plan Django retention from snapshot records
2026-05-19 11:24:48 +02:00
}
(bugfix) Prune snapshots with preserved read-only permissions Make SQL retention delete the snapshot root when records point at the snapshot data directory, matching how backup metadata is stored on disk. Before removing a snapshot tree, temporarily add user write permission to directories inside that snapshot so rsync-preserved source permissions do not block cleanup. Add a regression test for pruning snapshots whose data directory mirrors a read-only remote root.
2026-05-19 23:29:36 +02:00
def _snapshot_delete_path(*, path: Path, dirname: str) -> Path:
if path.name == "data" and path.parent.name == dirname:
return path.parent
return path
(release) Add purged snapshot audit overview Record snapshot purge history whenever retention or incomplete cleanup removes snapshot directories and SQL records. Store the purge reason, original kind, path, action source, and triggering operator so manual, scheduled, CLI, and incomplete cleanup actions remain auditable after the original snapshot record is deleted. Add a staff-only Purged Snapshots page with host/action filters and register the audit model in Django admin. Refs #16 Refs #8
2026-05-21 03:46:38 +02:00
def _record_purged_snapshot(
*,
host_config: HostConfig,
kind: str,
dirname: str,
path: Path,
reason: str,
action: str,
triggered_by: str,
metadata: dict[str, Any],
) -> None:
PurgedSnapshot.objects.create(
host=host_config,
host_name=host_config.host,
kind=kind,
dirname=dirname,
path=str(path),
reason=reason,
action=action,
triggered_by=triggered_by,
metadata=metadata,
)
(release) Add explicit incomplete snapshot cleanup Add a dedicated cleanup path for incomplete snapshots instead of letting retention prune them implicitly. The retention plan now exposes a guarded form that requires host and delete-count confirmation before removing .incomplete snapshot directories and their SQL records. Keep scheduled/manual retention behavior unchanged, add path safety checks, and cover cleanup success, confirmation failures, max-delete limits, and unexpected paths in tests. Refs #10
2026-05-21 03:26:21 +02:00
def _validate_incomplete_delete_path(*, host: str, path: Path, dirname: str) -> None:
path_parts = path.parts
if path.name != dirname or ".incomplete" not in path_parts or host not in path_parts:
raise ConfigError(f"Refusing to delete unexpected incomplete snapshot path: {path}")
incomplete_index = path_parts.index(".incomplete")
if incomplete_index == 0 or path_parts[incomplete_index - 1] != host:
raise ConfigError(f"Refusing to delete incomplete snapshot outside host backup root: {path}")
(bugfix) Prune snapshots with preserved read-only permissions Make SQL retention delete the snapshot root when records point at the snapshot data directory, matching how backup metadata is stored on disk. Before removing a snapshot tree, temporarily add user write permission to directories inside that snapshot so rsync-preserved source permissions do not block cleanup. Add a regression test for pruning snapshots whose data directory mirrors a read-only remote root.
2026-05-19 23:29:36 +02:00
def _remove_snapshot_tree(path: Path) -> None:
_make_directories_user_writable(path)
shutil.rmtree(path)
def _make_directories_user_writable(path: Path) -> None:
for directory in [path, *[child for child in path.rglob("*") if child.is_dir() and not child.is_symlink()]]:
mode = directory.stat().st_mode
if mode & stat.S_IWUSR:
continue
directory.chmod(mode | stat.S_IWUSR)
Reference in New Issue Copy Permalink