Freeze break: exclude session data from db dumps

Kevin Fenzi kevin at scrye.com
Thu Apr 2 15:41:02 UTC 2015


It was noted yesterday that the koji db dump we have published
contained the 'sessions' table in it. Sessions are cleared every 24
hours (a cron job on koji02) and also only contain a session key, which
is tied to a specific IP address. While the exposure is small/close to
0 here, I would still like to close it out and make sure it is 0.  

I already added the below change to our koji backup-databases script
and removed the old db dump from yesterday, so there should be no
active sessions that are public from the previous dump now. 

This would also affect other postgresql servers' db dumps. For those
databases that don't have a 'sessions' table, it's a noop. If some
databases do have such a table, I contend we don't want to back it up
there either. ;) 

After this change is made, a run of the postgresql-server playbook is
also needed to push the change out. 

+1s?

kevin
--
diff --git a/roles/postgresql_server/files/backup-database b/roles/postgresql_server/files/backup-database
index 3f6e7d8..cd2bede 100644
--- a/roles/postgresql_server/files/backup-database
+++ b/roles/postgresql_server/files/backup-database
@@ -4,7 +4,7 @@
 DB=$1
 
 # Make our latest backup
-/usr/bin/pg_dump -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
+/usr/bin/pg_dump --exclude-table-data=sessions -C $DB | /usr/bin/xz > /backups/$DB-$(date +%F).dump.xz
 
 # Also, delete the backup from a few days ago.
 rm -f /backups/$DB-$(date --date="3 days ago" +%F).dump.xz
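Review bot: On the changed pg_dump line, nothing checks that the dump succeeded before the `rm -f` at the end of the hunk runs. If pg_dump on any host rejects `--exclude-table-data`, or the dump fails for another reason, xz still writes a near-empty `/backups/$DB-$(date +%F).dump.xz` and the backup from 3 days ago is deleted anyway. Because this file is pushed to every postgresql server by the role, consider failing the pipeline when pg_dump fails (for example `set -o pipefail` if the script runs under bash) and pruning the old dump only on success. Two smaller points on the same line: the pattern `sessions` is hard-coded and matches only tables with that exact name, so session data stored under any other table name is still dumped, and `$DB` is unquoted both as the pg_dump argument and in the output path.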