[Engine-devel] Tweaking backup/restore of engine and the table 'audit_log'
Yedidyah Bar David
didi at redhat.com
Mon Mar 3 20:41:14 UTC 2014
----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: engine-devel at ovirt.org
> Sent: Monday, March 3, 2014 6:25:39 PM
> Subject: [Engine-devel] Tweaking backup/restore of engine
>
> Hi,
>
> currently all events are stored in the table audit_log
> which all gets saved when you use the engine-backup
> shell script.
>
>
> the event log is full of these login lines (engine 3.3.2):
>
> 25652 fdfc627c-d875-11e0-90f0-83df133b58cc admin at internal
> 00000000-0000-0000-0000-000000000000 \N \N \N \N \N 2014-01-20
> 06:39:17.222+01 USER_VDC_LOGIN 30 0 User admin at internal
> logged in. f \N \N 00000000-0000-0000-0000-000000000000 \N \N \N
> \N 00000000-0000-0000-0000-000000000000 \N oVirt -1 30 f \N
>
> this makes the log and db grow very large when you use the REST-API
> to query ovirt for various data.
>
> Is this necessary for a working restore?

I have no idea - I guess the data is not necessary.
I also guess that the schema is.

> It would be cool if we could tweak the engine-backup
> tool to just dump necessary tables so you don't have
> to restore events from the past no one is interested
> in.
>
> How does ovirt react, if I do not restore the content of the audit_log
> table?
>
> If this works (restore without audit_log) I would prefer to have
> this code upstream in ovirt git so I don't have to maintain
> my own backup script.
>
> Would it be possible to extend the existing backup script
> with a switch to not backup logs?
> Currently it's just "all" or "just db".

It would be easy to let you pass an "extra options" argument for pg_dump.
This will allow adding '-T audit_log'. As I said, I am pretty certain
that you do need the table itself, so this will not help you much.

I personally think that this isn't the right way to go. If you do not need
the data, create a cron job that will periodically truncate it - say, keep
the last X days and delete the rest. Perhaps also archive before deleting
if you want. If you want, open a bug to provide a script to do that for you.
Or make the engine itself do that, etc.

Of course, after verifying that this does not have a significant impact on
the engine :-)

>
> I also recall that there shouldn't occur multiple login events any
> more since ovirt 3.3. but it still seems to be the case.
>
> I also do not understand how you would manage a stored authentication
> via REST as REST is stateless.
>
> I would appreciate any feedback or thoughts on this topic.

Best regards,
--
Didi
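
The cron-driven "archive, then delete rows older than X days" approach suggested in the reply above, as an added example that is not part of the original message or of oVirt's own tooling. The database name `engine`, the timestamp column `log_time`, the archive directory, GNU `date`, and `psql` access for the invoking user are assumptions to check against the actual installation.

```shell
#!/bin/sh
# Added example (not from the thread): archive audit_log rows older than N
# days, then delete them. Assumed names: database "engine", timestamp column
# "log_time", archive directory below; adjust to the actual installation.
set -eu
DB_NAME="${DB_NAME:-engine}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/lib/audit_log-archive}"   # hypothetical path

# Retention must be a positive integer (no leading zero, no other characters).
validate_days() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
}

# Only a fixed-format UTC timestamp may be embedded in the SQL text.
validate_cutoff() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) return 1 ;;
    esac
}

archive_sql() {
    validate_cutoff "$1" || return 1
    printf "COPY (SELECT * FROM audit_log WHERE log_time < '%s') TO STDOUT WITH CSV HEADER" "$1"
}

delete_sql() {
    validate_cutoff "$1" || return 1
    printf "DELETE FROM audit_log WHERE log_time < '%s'" "$1"
}

prune_audit_log() {
    validate_days "$1" || { echo "retention must be a positive integer" >&2; return 2; }
    # One cutoff for both statements, so every deleted row is in the archive.
    cutoff=$(date -u -d "$1 days ago" +%Y-%m-%dT%H:%M:%SZ)   # GNU date
    out="$ARCHIVE_DIR/audit_log-before-$cutoff.csv"
    mkdir -p "$ARCHIVE_DIR"
    psql -v ON_ERROR_STOP=1 -d "$DB_NAME" -c "$(archive_sql "$cutoff")" > "$out" || return 1
    gzip "$out" || return 1
    # Delete only after the archive has been written and compressed.
    psql -v ON_ERROR_STOP=1 -d "$DB_NAME" -c "$(delete_sql "$cutoff")"
}

# Run only when a retention period is given, e.g. from cron: prune.sh 30
if [ $# -gt 0 ]; then prune_audit_log "$1"; fi
```

Since `audit_log` also records logins, the compressed archives should be kept with the same access restrictions as the database itself.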