linux_patch_manager/docs/runbooks/restore.md
Echo da5a94d838 feat(M1): Project scaffolding, DB schema, core infrastructure
- Initialize Rust workspace with 7 crates (pm-web, pm-worker, pm-core,
  pm-agent-client, pm-auth, pm-ca, pm-reports)
- React + TypeScript + Vite + MUI frontend scaffold
- Full PostgreSQL schema: all 17 tables with indexes and constraints
- pm-core: config (TOML+env), db (SQLx pool + migrations), error
  (unified AppError + JSON envelope), request_id (ULID middleware),
  logging (tracing JSON/pretty)
- pm-web: Axum skeleton, /status/health endpoint, static file serving
- pm-worker: Tokio skeleton, heartbeat writer, schema version check
- Embedded sqlx migrations with advisory lock (single-writer)
- systemd unit files, setup.sh, build-frontend.sh
- config.example.toml with all configuration keys
- docs/runbooks/restore.md
- cargo check passes with zero warnings

Closes M1.
2026-04-23 15:55:53 +00:00

2.1 KiB

Linux Patch Manager — Backup & Restore Runbook

Overview

This runbook covers backup and restoration of the Linux Patch Manager. The application state lives in:

  • PostgreSQL database (patch_manager)
  • Internal CA private key (/etc/patch-manager/ca/ca.key)
  • JWT signing key (/etc/patch-manager/jwt/signing.pem)
  • Application config (/etc/patch-manager/config.toml)
  • Operator-supplied TLS cert/key (if using operator_supplied strategy)

Backup

1. Database

pg_dump -U patch_manager -Fc patch_manager > patch_manager_$(date +%Y%m%d_%H%M%S).dump

2. Configuration and Keys

tar -czf patch_manager_config_$(date +%Y%m%d_%H%M%S).tar.gz \
    /etc/patch-manager/

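Security: The archive contains private keys (the CA key and the JWT signing key). Encrypt it before storing: gpg --symmetric patch_manager_config_*.tar.gz. gpg writes the encrypted copy next to the input with a .gpg suffix and leaves the plaintext archive in place.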

  • Database: daily pg_dump, retained 30 days
  • Config/keys: on every change, retained indefinitely (encrypted)

Restore

Prerequisites

  • Fresh Ubuntu 24.04 host
  • Run scripts/setup.sh to create user, directories, and PostgreSQL

1. Restore Configuration and Keys

tar -xzf patch_manager_config_<timestamp>.tar.gz -C /
chown -R patch-manager:patch-manager /etc/patch-manager/
chmod 600 /etc/patch-manager/ca/ca.key
chmod 600 /etc/patch-manager/jwt/signing.pem

2. Restore Database

# Create empty database (if not already created by setup.sh)
sudo -u postgres createdb -O patch_manager patch_manager

# Restore
pg_restore -U patch_manager -d patch_manager -Fc patch_manager_<timestamp>.dump

3. Install and Start Services

# Install binaries
cp pm-web pm-worker /usr/local/bin/

# Install frontend
scripts/build-frontend.sh

# Start services
systemctl enable --now patch-manager-web patch-manager-worker

4. Verify

curl -k https://localhost/status/health
# Expected: {"status": "healthy", ...}
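
A post-restore check for the ownership and modes set in step 1, added here as an example and not part of the project's scripts. The function name audit_secrets is hypothetical, treating every *.key and *.pem file under the directory as a private key is an assumption, and it relies on GNU find (as shipped on Ubuntu).

```shell
# Added example: audit secret files after "Restore Configuration and Keys".
# tar -xzf restores whatever modes were recorded in the archive, and the
# runbook's chmod lines only cover ca.key and signing.pem, so any other key
# under the directory (e.g. an operator-supplied TLS key) is checked here too.
#
# audit_secrets DIR [OWNER]
#   returns 0 if clean, 1 if a finding was printed, 2 if the check could not run
audit_secrets() {
    local dir owner loose foreign
    dir=$1
    owner=${2:-patch-manager}   # service account from the chown step

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi

    # Assumption: *.key and *.pem hold private keys. Any group/other
    # permission bit (-perm /077) on such a file is a finding.
    loose=$(find "$dir" -type f \( -name '*.key' -o -name '*.pem' \) \
                 -perm /077) || return 2

    # Everything under the directory should belong to the service account.
    # A failing find (e.g. unknown user) must not be read as "clean".
    foreign=$(find "$dir" ! -user "$owner") || return 2

    [ -z "$loose" ]   || printf 'group/other access on key file:\n%s\n' "$loose"
    [ -z "$foreign" ] || printf 'not owned by %s:\n%s\n' "$owner" "$foreign"

    [ -z "$loose" ] && [ -z "$foreign" ]
}

# Usage on the restored host: audit_secrets /etc/patch-manager
```

Running it before starting the services in step 3 catches a key that was restored world-readable before anything serves traffic with it.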

Notes

  • Migrations run automatically on web process startup.
  • The CA private key is the most critical secret — losing it requires re-issuing all mTLS certificates.
  • JWT signing key rotation is handled automatically every 90 days; no manual intervention needed.