feat(volsnap): volume snapshot restore (backlog #6)
Restore a captured volume snapshot onto an image workload's live host-bind
data volumes, then redeploy — the most destructive workload action, built to
the adversarially-reviewed design (C1–C6) with all data-loss guards.
- Engine.Restore (engine-owned): all-or-nothing pre-flight re-resolution from
the workload's CURRENT config (never the tamperable manifest), per-filesystem
disk pre-check, per-workload lock, container quiesce, extract-to-tmp, durable
pre-restore snapshot, write-ahead journal, atomic rename swap, redeploy, and
crash-recovery sweep (RecoverInterruptedRestores) wired before serving.
- internal/keyedmutex: shared per-key lock; deployer now serializes every
deploy entrypoint per workload via DispatchPlugin (+ LockWorkload/RedeployLocked
for the restore re-dispatch, no deadlock).
- Untrusted-archive extractor: zip-slip containment, type allow-list (reg/dir
only), decompression-bomb cap, manifest-index bounds.
- POST /api/workloads/{id}/snapshots/{sid}/restore: admin, X-Confirm-Restore
header (CSRF), per-workload single-flight (409).
- WebUI: Restore button + danger ConfirmDialog + busy state + i18n (en/ru).
Scope: image-source only; scopes absolute/stage/project (driven off the same
supportedScopes constant capture uses).
Plan-reviewed before coding; per-phase go/security/ts reviews; final review
READY TO MERGE. Security review caught + fixed a CRITICAL manifest-Source path
traversal (re-derive target from current config + base containment).
Plan: plans/volume-snapshot-restore/
This commit is contained in:
@@ -17,6 +17,26 @@ Start/restart with: `./scripts/dev-server.sh`
|
||||
- **"App" = workload with `source_kind !== ''`.** Triggers are first-class bindings (`workload_trigger_bindings`), NOT on the workload row — never gate app lists/counts on `trigger_kind` (it's empty for plugin workloads). Legacy pre-cutover `kind:project/stack/site` rows have an empty `source_kind` and must be excluded everywhere.
|
||||
- **i18n parity is mandatory** — every key in BOTH `web/src/lib/i18n/{en,ru}.json`. A missing key is NOT a build error (`$t` returns the key string), so verify parity manually.
|
||||
|
||||
## Backend
|
||||
|
||||
- **Per-workload deploy lock.** Every deploy entrypoint (API deploy, rollback, promote,
|
||||
generic-hooks, webhook trigger dispatch) funnels through `deployer.DispatchPlugin`, which
|
||||
holds a per-workload `keyedmutex` lock (`internal/keyedmutex`) for the whole dispatch;
|
||||
`DispatchTeardown` takes it too. This serializes all container/volume mutation per workload.
|
||||
Do NOT add a deploy/teardown path that bypasses `DispatchPlugin`. Operations that must run
|
||||
a deploy *while already holding* the lock (volume-snapshot restore) use
|
||||
`Deployer.LockWorkload` + `RedeployLocked` (the unlocked dispatch) — calling `DispatchPlugin`
|
||||
under the held lock would deadlock (Go mutexes are not reentrant). `activeWg` is a global
|
||||
drain barrier for shutdown, NOT a per-workload lock.
|
||||
- **Volume snapshot restore** lives in `volsnap.Engine.Restore` (engine-owned, not the API
|
||||
handler): preflight re-resolves volumes from the workload's CURRENT config (never the
|
||||
snapshot manifest — that's tamper-influenceable) → lock → stop → extract-to-tmp →
|
||||
pre-restore snapshot → journal → atomic rename swap → redeploy. A startup
|
||||
`RecoverInterruptedRestores` sweep replays the journal after a crash; it MUST be wired (with
|
||||
`SetLifecycle`) before the API serves. The archive extractor treats the tar as untrusted
|
||||
(zip-slip/type-allowlist/bomb-cap); the endpoint requires an `X-Confirm-Restore: <sid>`
|
||||
header (CSRF), like the DB restore.
|
||||
|
||||
## Build & Test
|
||||
|
||||
- Frontend (from `web/`): `npm run check` (svelte-check — expect 0 errors), `npm run build`, `npm run test` (vitest; pure-logic units like `sourceForms.test.ts`).
|
||||
|
||||
Reference in New Issue
Block a user