2026-02-22 16:36:07 +00:00
|
|
|
groups:
|
|
|
|
|
- name: veza_critical
|
|
|
|
|
rules:
|
|
|
|
|
- alert: ServiceDown
|
|
|
|
|
expr: up == 0
|
|
|
|
|
for: 30s
|
|
|
|
|
labels:
|
|
|
|
|
severity: critical
|
|
|
|
|
annotations:
|
|
|
|
|
summary: "Service {{ $labels.job }} is down"
|
|
|
|
|
description: "{{ $labels.instance }} has been down for more than 30 seconds."
|
|
|
|
|
|
|
|
|
|
- alert: HighErrorRate
|
|
|
|
|
expr: rate(http_requests_total{status=~"5.."}[5m]) / rate(http_requests_total[5m]) > 0.05
|
|
|
|
|
for: 5m
|
|
|
|
|
labels:
|
|
|
|
|
severity: warning
|
|
|
|
|
annotations:
|
|
|
|
|
summary: "High error rate on {{ $labels.job }}"
|
|
|
|
|
description: "Error rate is above 5% for the last 5 minutes."
|
|
|
|
|
|
|
|
|
|
- alert: HighLatencyP99
|
|
|
|
|
expr: histogram_quantile(0.99, rate(http_request_duration_seconds_bucket[5m])) > 2
|
|
|
|
|
for: 5m
|
|
|
|
|
labels:
|
|
|
|
|
severity: warning
|
|
|
|
|
annotations:
|
|
|
|
|
summary: "High P99 latency on {{ $labels.job }}"
|
|
|
|
|
description: "P99 latency is above 2 seconds for the last 5 minutes."
|
|
|
|
|
|
|
|
|
|
- alert: RedisUnreachable
|
|
|
|
|
expr: redis_up == 0
|
|
|
|
|
for: 30s
|
|
|
|
|
labels:
|
|
|
|
|
severity: critical
|
|
|
|
|
annotations:
|
|
|
|
|
summary: "Redis is unreachable"
|
|
|
|
|
description: "Redis has been unreachable for more than 30 seconds."
|
feat(infra): pgbackrest role + dr-drill + Prometheus backup alerts (W2 Day 8)
ROADMAP_V1.0_LAUNCH.md §Semaine 2 day 8 deliverable:
- Postgres backups land in MinIO via pgbackrest
- dr-drill restores them weekly into an ephemeral Incus container
and asserts the data round-trips
- Prometheus alerts fire when the drill fails OR when the timer
has stopped firing for >8 days
Cadence:
full — weekly (Sun 02:00 UTC, systemd timer)
diff — daily (Mon-Sat 02:00 UTC, systemd timer)
WAL — continuous (postgres archive_command, archive_timeout=60s)
drill — weekly (Sun 04:00 UTC — runs 2h after the Sun full so
the restore exercises fresh data)
RPO ≈ 1 min (archive_timeout). RTO ≤ 30 min (drill measures actual
restore wall-clock).
Files:
infra/ansible/roles/pgbackrest/
defaults/main.yml — repo1-* config (MinIO/S3, path-style,
aes-256-cbc encryption, vault-backed creds), retention 4 full
/ 7 diff / 4 archive cycles, zstd@3 compression. The role's
first task asserts the placeholder secrets are gone — refuses
to apply until the vault carries real keys.
tasks/main.yml — install pgbackrest, render
/etc/pgbackrest/pgbackrest.conf, set archive_command on the
postgres instance via ALTER SYSTEM, detect role at runtime
via `pg_autoctl show state --json`, stanza-create from primary
only, render + enable systemd timers (full + diff + drill).
templates/pgbackrest.conf.j2 — global + per-stanza sections;
pg1-path defaults to the pg_auto_failover state dir so the
role plugs straight into the Day 6 formation.
templates/pgbackrest-{full,diff,drill}.{service,timer}.j2 —
systemd units. Backup services run as `postgres`,
drill service runs as `root` (needs `incus`).
RandomizedDelaySec on every timer to absorb clock skew + node
collision risk.
README.md — RPO/RTO guarantees, vault setup, repo wiring,
operational cheatsheet (info / check / manual backup),
restore procedure documented separately as the dr-drill.
scripts/dr-drill.sh
Acceptance script for the day. Sequence:
0. pre-flight: required tools, latest backup metadata visible
1. launch ephemeral `pg-restore-drill` Incus container
2. install postgres + pgbackrest inside, push the SAME
pgbackrest.conf as the host (read-only against the bucket
by pgbackrest semantics — the same s3 keys get reused so
the drill exercises the production credential path)
3. `pgbackrest restore` — full + WAL replay
4. start postgres, wait for pg_isready
5. smoke query: SELECT count(*) FROM users — must be ≥ MIN_USERS_EXPECTED
6. write veza_backup_drill_* metrics to the textfile-collector
7. teardown (or --keep for postmortem inspection)
Exit codes 0/1/2 (pass / drill failure / env problem) so a
Prometheus runner can plug in directly.
config/prometheus/alert_rules.yml — new `veza_backup` group:
- BackupRestoreDrillFailed (critical, 5m): the last drill
reported success=0. Pages because a backup we haven't proved
restorable is dette technique waiting for a disaster.
- BackupRestoreDrillStale (warning, 1h after >8 days): the
drill timer has stopped firing. Catches a broken cron / unit
/ runner before the failure-mode alert above ever sees data.
Both annotations include a runbook_url stub
(veza.fr/runbooks/...) — those land alongside W2 day 10's
SLO runbook batch.
infra/ansible/playbooks/postgres_ha.yml
Two new plays:
6. apply pgbackrest role to postgres_ha_nodes (install +
config + full/diff timers on every data node;
pgbackrest's repo lock arbitrates collision)
7. install dr-drill on the incus_hosts group (push
/usr/local/bin/dr-drill.sh + render drill timer + ensure
/var/lib/node_exporter/textfile_collector exists)
Acceptance verified locally:
$ ansible-playbook -i inventory/lab.yml playbooks/postgres_ha.yml \
--syntax-check
playbook: playbooks/postgres_ha.yml ← clean
$ python3 -c "import yaml; yaml.safe_load(open('config/prometheus/alert_rules.yml'))"
YAML OK
$ bash -n scripts/dr-drill.sh
syntax OK
Real apply + drill needs the lab R720 + a populated MinIO bucket
+ the secrets in vault — operator's call.
Out of scope (deferred per ROADMAP §2):
- Off-site backup replica (B2 / Bunny.net) — v1.1+
- Logical export pipeline for RGPD per-user dumps — separate
feature track, not a backup-system concern
- PITR admin UI — CLI-only via `--type=time` for v1.0
- pgbackrest_exporter Prometheus integration — W2 day 9
alongside the OTel collector
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 22:51:00 +00:00
|
|
|
|
|
|
|
|
# v1.0.9 Day 8: backup integrity. The dr-drill.sh script writes
|
|
|
|
|
# textfile-collector metrics on every run. Two failure modes are
|
|
|
|
|
# caught:
|
|
|
|
|
# 1. last drill reported a failure (success=0)
|
|
|
|
|
# 2. drill hasn't run in 8+ days (timer broke, runner offline,
|
|
|
|
|
# script crashed before write_metric)
|
|
|
|
|
# Both are pages because a backup we haven't proved restorable is
|
|
|
|
|
# dette technique waiting for a disaster to bite — finding out at
|
|
|
|
|
# restore-time is too late.
|
|
|
|
|
- name: veza_backup
|
|
|
|
|
rules:
|
|
|
|
|
- alert: BackupRestoreDrillFailed
|
|
|
|
|
expr: veza_backup_drill_last_success == 0
|
|
|
|
|
for: 5m
|
|
|
|
|
labels:
|
|
|
|
|
severity: critical
|
|
|
|
|
annotations:
|
|
|
|
|
summary: "pgBackRest dr-drill last run failed (stanza={{ $labels.stanza }})"
|
|
|
|
|
description: |
|
|
|
|
|
The most recent dr-drill.sh execution reported failure
|
|
|
|
|
(reason={{ $labels.reason }}). Backups exist but a
|
|
|
|
|
restore from them did NOT round-trip the smoke query.
|
|
|
|
|
Investigate via: journalctl -u pgbackrest-drill.service -n 200
|
|
|
|
|
and consider running the drill manually with --keep to
|
|
|
|
|
inspect the restored container before teardown.
|
|
|
|
|
runbook_url: "https://veza.fr/runbooks/backup-restore-drill-failed"
|
|
|
|
|
|
|
|
|
|
- alert: BackupRestoreDrillStale
|
|
|
|
|
expr: time() - veza_backup_drill_last_run_timestamp_seconds > 691200 # 8 days
|
|
|
|
|
for: 1h
|
|
|
|
|
labels:
|
|
|
|
|
severity: warning
|
|
|
|
|
annotations:
|
|
|
|
|
summary: "pgBackRest dr-drill hasn't run in 8+ days"
|
|
|
|
|
description: |
|
|
|
|
|
The dr-drill timer fires weekly (Sun 04:00 UTC). A run
|
|
|
|
|
older than 8 days means the timer is broken, the runner
|
|
|
|
|
is offline, or the script crashed before writing its
|
|
|
|
|
metrics file. Verify with:
|
|
|
|
|
systemctl status pgbackrest-drill.timer
|
|
|
|
|
journalctl -u pgbackrest-drill.service -n 200
|
|
|
|
|
runbook_url: "https://veza.fr/runbooks/backup-restore-drill-stale"
|