Merge remote-tracking branch 'origin/main' into codex/sre-typed-automation-20260715
This commit is contained in:
@@ -395,7 +395,14 @@ mkdir -m 0700 "${RECEIPT_DIR}" "${CANDIDATE_DIR}"
|
||||
: > "${RECEIPT_LOG}"
|
||||
chmod 0600 "${RECEIPT_LOG}"
|
||||
|
||||
exec 8>>/tmp/awoooi-signoz-backup-operation.lock
|
||||
OPERATION_LOCK=/tmp/awoooi-signoz-backup-operation.lock
|
||||
[ -f "${OPERATION_LOCK}" ] && [ ! -L "${OPERATION_LOCK}" ]
|
||||
# The shared lock is intentionally owned by the unprivileged backup account.
|
||||
# Open the existing inode read-only so Linux fs.protected_regular=2 cannot
|
||||
# reject a root O_CREAT/O_APPEND open in sticky /tmp. flock(2) still provides
|
||||
# the same exclusive inter-process lock without changing file contents,
|
||||
# ownership, or mode. Missing/unsafe lock state fails closed.
|
||||
exec 8<"${OPERATION_LOCK}"
|
||||
flock -n 8
|
||||
active_operations="$(
|
||||
(pgrep -af '(^|/|[[:space:]])(backup-signoz|clickhouse-native-backup|clickhouse-native-restore-drill|run-signoz-backup-canary)[.]sh([[:space:]]|$)' || true) \
|
||||
|
||||
@@ -165,6 +165,15 @@ def test_deployer_has_no_active_pointer_or_destructive_fallback() -> None:
|
||||
assert "ln -s" not in source
|
||||
|
||||
|
||||
def test_shared_operation_lock_is_existing_read_only_and_fail_closed() -> None:
|
||||
source = DEPLOYER.read_text(encoding="utf-8")
|
||||
assert "OPERATION_LOCK=/tmp/awoooi-signoz-backup-operation.lock" in source
|
||||
assert '[ -f "${OPERATION_LOCK}" ] && [ ! -L "${OPERATION_LOCK}" ]' in source
|
||||
assert 'exec 8<"${OPERATION_LOCK}"' in source
|
||||
assert "flock -n 8" in source
|
||||
assert "exec 8>>/tmp/awoooi-signoz-backup-operation.lock" not in source
|
||||
|
||||
|
||||
def test_exact_five_file_supply_chain_and_modes_are_fixed() -> None:
|
||||
source = DEPLOYER.read_text(encoding="utf-8")
|
||||
for path in (
|
||||
|
||||
@@ -865,7 +865,7 @@ def evaluate(root: Path, contract_path: Path) -> dict[str, Any]:
|
||||
== len(METADATA_EXPORT_SOURCE_PATHS)
|
||||
and set(declared_metadata_export_hashes) == set(METADATA_EXPORT_SOURCE_PATHS)
|
||||
and declared_metadata_export_hashes == actual_metadata_export_hashes
|
||||
and metadata_export_source_contract.get("test_terminal") == "19_passed"
|
||||
and metadata_export_source_contract.get("test_terminal") == "20_passed"
|
||||
)
|
||||
offsite_backup = pending_verifiers.get("signoz_backup_offsite_dr", {})
|
||||
failed_artifacts = pending_verifiers.get(
|
||||
|
||||
@@ -877,7 +877,7 @@ def test_post_release_verifier_and_native_backup_close_with_remaining_gaps() ->
|
||||
field: hashlib.sha256((ROOT / relative).read_bytes()).hexdigest()
|
||||
for field, relative in metadata_paths.items()
|
||||
}
|
||||
assert source_contract["test_terminal"] == "19_passed"
|
||||
assert source_contract["test_terminal"] == "20_passed"
|
||||
assert source_contract["raw_sqlite_read"] is False
|
||||
assert source_contract["raw_volume_read"] is False
|
||||
assert source_contract["secret_value_persistence"] is False
|
||||
|
||||
Reference in New Issue
Block a user