logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Backups-and-redundancy-at-sr.ht.md (6966B)

    

  1. ---
  2. date: 2019-01-13
  3. layout: post
  4. title: "Backups & redundancy at sr.ht"
  5. tags: ["sourcehut", "ops"]
  6. ---
  8. [sr.ht](https://sr.ht)[^1] is [100% open source][sr.ht-code] and I encourage
  9. people to install it on their own infrastructure, especially if they'll be
  10. sending patches upstream. However, I am equally thrilled to host sr.ht for you
  11. on the "official" instance, and most users find this useful because the
  12. maintenance burden is non-trivial. Today I'll give you an idea of what your
  13. subscription fee pays for. In this first post on ops at sr.ht, I'll talk about
  14. backups and redundancy. In future posts, I'll talk about security, high
  15. availability, automation, and more.
  17. [^1]: sr.ht is a software project hosting website, with git hosting, ticket tracking, continuous integration, mailing lists, and more. [Try it out!](https://sr.ht)
  19. [sr.ht-code]: https://git.sr.ht/~sircmpwn?search=sr.ht
  21. As sr.ht is still in the alpha phase, high availability has been on the
  22. backburner. However, data integrity has always been of paramount importance to
  23. me. The very earliest versions of sr.ht, from well before it was even trying to
  24. be a software forge, made a point to never lose a single byte of user data.
  25. Outages are okay - so long as when service is restored, everything is still
  26. there. Over time I'm working to make outages a thing of the past, too, but let's
  27. start with backups.
  29. There are several ways that sr.ht stores data:
  31. - Important data on the filesystem (e.g. bare git repositories)
  32. - Important persistent data in PostgreSQL
  33. - Unimportant ephemeral data in Redis (& caches)
  34. - Miscellaneous filesystem storage, like the operating system
  36. Some of this data is important and kept redundant (PostgreSQL, git repos), and
  37. others are unimportant and is not redundant. For example, I store a rendered
  38. Markdown cache for git.sr.ht in Redis. If the Redis cluster goes *poof*, the
  39. source Markdown is still available, so I don't bother backing up Redis. Most
  40. services run in a VM and I generally don't store important data on these - the
  41. hosts usually only have one hard drive with no backups and no redundancy. If the
  42. host dies, I have to reprovision all of those VMs.
  44. Other data is more important. Consider PostgreSQL, which contains some of the
  45. most important data for sr.ht. I have one master PostgreSQL server, a dedicated
  46. server in the space I colocate in my home town of Philadelphia. I run sr.ht on
  47. this server, but I also use it for a variety of other projects - I maintain many
  48. myself, and I volunteer as a sysadmin for more still. This box (named Remilia)
  49. has four hard drives configured in a ZRAID (ZFS). I buy these hard drives from a
  50. variety of vendors, mostly Western Digital and Seagate, and from different
  51. batches - reducing the likelihood that they'll fail around the same time. ZFS is
  52. well-known for it's excellent design, featureset and for simply keeping your
  53. data intact, and I don't trust any other filesystem with important data. I take
  54. ZFS snapshots every 15 minutes and retain them for 30 days. These snapshots are
  55. important for correcting the "oh shit, I rm'd something important" mistakes -
  56. you can mount them later and see what the filesystem looked like at the time
  57. they were taken.
  59. On top of this, the PostgreSQL server is set up with two additional important
  60. features: continuous archiving and streaming replication. Continuous archiving
  61. has PostgreSQL writing each transaction to log files on disk, which represents a
  62. re-playable history of the entire database, and allows you to restore the
  63. database to any point in time. This helps with "oh shit, I dropped an important
  64. table" mistakes. Streaming replication ships changes to an off-site standby
  65. server, in this case set up in my second colocation in San Francisco (the main
  66. backup box, which we'll talk about more shortly). This takes a near real-time
  67. backup of the database, and has the advantage of being able to quickly failover
  68. to it as the primary database during maintenance and outages (more on this
  69. during the upcoming high availability article). Soon I'll be setting up a second
  70. failover server as well, on-site.
  72. So there are multiple layers to this:
  74. - ZFS & zraid prevents disk failure from causing data loss
  75. - ZFS snapshots allows retrieving filesystem-level data from the past
  76. - Continuous archiving allows retrieving database-level data from the past
  77. - Streaming replication prevents datacenter existence failure from causing data
  78.   loss
  80. Having multiple layers of data redundancy here protects sr.ht from a wide
  81. variety of failure modes, and also protects each redundant system from itself -
  82. if any of these systems fails, there's another place to get this data from.
  84. The off-site backup in San Francisco (this box is called Konpaku) has a whopping
  85. 52T of storage in two ZFS pools, named "small" (4T) and "large" (48T). The
  86. PostgreSQL standby server lives in the small pool, and [borg
  87. backups](https://www.borgbackup.org/) live in the large pool. This has the same
  88. ZFS snapshotting and retention policy as Remilia, and also has drives sourced
  89. from a variety of vendors and batches. Borg is how important filesystem-level
  90. data is backed up, for example git repositories on git.sr.ht. Borg is nice
  91. enough to compress, encrypt, and deduplicate its backups for us, which I take
  92. hourly with a cronjob on the machines which own that data. The retention policy
  93. is hourly backups stored for 48 hours, daily backups for 2 weeks, and weekly
  94. backups stored indefinitely.
  96. There are two other crucial steps in maintaining a working backup system:
  97. monitoring and testing. The old wisdom is "you don't have backups until you've
  98. tested them". The simplest monitoring comes from cron - when I provision a new
  99. box, I make sure to set `MAILTO`, make sure sendmail works, and set up a
  100. deliberately failing cron entry to ensure I hear about it when it breaks. I also
  101. set up zfs-zed to email me whenever ZFS encounters issues, which also has a test
  102. mode you should use. For testing, I periodically provision private replicas of
  103. sr.ht services from backups and make sure that they work as expected. PostgreSQL
  104. replication is fairly new to my setup, but my intention is to switch the primary
  105. and standby servers on every database upgrade for HA[^2] purposes, which
  106. conveniently also tests that each standby is up-to-date and still replicating.
  108. [^2]: High availability
  110. To many veteran sysadmins, a lot of this is basic stuff, but it took me a long
  111. time to learn how all of this worked and establish a set of best practices for
  112. myself. With the rise in popularity of managed ops like AWS and GCP, it seems
  113. like ops & sysadmin roles are becoming less common. Some of us still love the
  114. sound of a datacenter and the greater level of control you have over your
  115. services, and as a bonus my users aren't worrying about $bigcorp having access
  116. to their data.
  118. The next ops thing on my todo list is high availability, which is still
  119. in-progress on sr.ht. When it's done, expect another blog post!