feat(ns-plug): dual-send backup to my-new proxy #1608

Open
edospadoni wants to merge 1 commit into main from
feat/backup-dual-send-proxy

@edospadoni
Member

Summary

Add a second upload to https://my.nethesis.it/proxy/backup inside send-backup, after remote-backup finishes uploading to the legacy backupd.nethesis.it. Mirrors the transitional pattern already in place for send-heartbeat and send-inventory.

Context

The new my.nethesis.it platform ships a first-class configuration-backup subsystem (ingest on collect, managed reads on backend, S3-compatible storage) — see the referenced issues. During the migration window NethSecurity keeps uploading to the legacy backupd and dual-sends to my-new via a translation proxy (nethinfra role). The proxy accepts the existing system_id:secret Basic Auth pair and translates it into the my-new system_key:system_secret as it forwards the request to collect, so nothing changes on the appliance in terms of UCI config or registration.

What changes

packages/ns-plug/files/send-backup:

  • After remote-backup upload completes successfully, if ns-plug.config.type == enterprise the script POSTs the same encrypted blob (via curl --data-binary @$BACKUP.gpg) to https://my.nethesis.it/proxy/backup using HTTP Basic auth with system_id:secret from UCI.
  • X-Filename is propagated so the user-facing filename ends up as S3 object metadata on my-new.
  • The proxy call is best-effort (|| :): a proxy outage does not block the primary upload already completed against backupd, and the md5 marker is still updated so the same backup is not re-uploaded the next night.

Same guard style as the other dual-send scripts — enterprise-only, same -m 900 --retry 3 -L -s curl flags.

Not included

  • Rewriting the legacy upload path — out of scope; happens in a later cycle once the new platform is promoted.
  • MY registration on the appliance — not needed: the proxy absorbs the credential difference.

Refs: NethServer/my#82 NethServer/my#83

Adds a second upload to https://my.nethesis.it/proxy/backup after
remote-backup finishes its upload to backupd.nethesis.it. Same
transitional pattern already used by send-heartbeat and send-inventory:
the proxy accepts the existing system_id:secret Basic Auth pair and
translates it into the my-new system_key:system_secret on its way to
the new collect endpoint, so no UCI or registration change is needed
on the appliance.

Gated to enterprise subscriptions via `TYPE = enterprise` to stay in
sync with the other dual-send scripts. Best-effort (`|| :`): a proxy
outage does not block the primary upload that already completed
against backupd, and the md5 marker is still updated so the same
backup is not re-uploaded the next night.

X-Filename is propagated so the user-facing filename ends up as S3
object metadata on my-new.

Refs: NethServer/my#82 NethServer/my#83
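
One way to structure the best-effort proxy upload described under "What changes", as an added example that is not the code from this PR. The function names, argument order and the `-f` flag are assumptions; the URL, the enterprise gate and the remaining curl flags come from the description. Credentials and the X-Filename header are passed through a curl config on stdin, and control characters are stripped from the values first.

```shell
#!/bin/sh
# Added illustration of the best-effort proxy upload; not the PR's send-backup code.
# Assumed: function names, argument order, and the -f flag (not in the description).
PROXY_URL="https://my.nethesis.it/proxy/backup"

# Strip control characters (CR/LF included) so a filename cannot inject a second
# header or config line, then escape \ and " for curl's quoted config syntax.
safe_value() {
    printf '%s' "$1" | tr -d '\001-\037\177' | sed 's/[\\"]/\\&/g'
}

# Build a curl config: credentials and header travel on stdin instead of argv,
# so system_id:secret never shows up in the process list.
proxy_curl_config() { # system_id secret filename
    printf 'user = "%s:%s"\n' "$(safe_value "$1")" "$(safe_value "$2")"
    printf 'header = "X-Filename: %s"\n' "$(safe_value "$3")"
}

# Second upload, enterprise only. Always returns 0 (same effect as `|| :`) but
# prints the outcome so a proxy failure can be logged rather than lost.
send_to_proxy() { # type system_id secret encrypted_blob filename
    [ "$1" = "enterprise" ] || { echo skipped; return 0; }
    [ -s "$4" ] || { echo missing-blob; return 0; }
    # -f makes HTTP 4xx/5xx a failure; with -L, curl does not resend the
    # credentials to a different host unless --location-trusted is given.
    if proxy_curl_config "$2" "$3" "$5" |
        curl --config - -m 900 --retry 3 -L -s -f \
            --data-binary "@$4" "$PROXY_URL" >/dev/null
    then echo sent
    else echo failed
    fi
    return 0
}
```

The caller can hand the printed outcome to the system logger, which keeps a proxy outage visible without affecting the primary upload path.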