Automating Passbolt Maintenance

Introduction

Ensuring smooth operations of the passbolt server is paramount. One of the common challenges administrators face is managing disk space effectively. While passbolt provides commands to help with maintenance, running these manually can be time consuming. In this blog article, let's explore the issues that arise without proper maintenance, introduce a custom bash script to automate these tasks, and show you how to set up a cron job for effortless upkeep.

Reduction of hard disk space

Over time, passbolt servers can accumulate a significant amount of data, particularly in tables like directory_reports_items (especially on Passbolt PRO when using LDAP integration) and action logs. This accumulation can lead to:

• Decreased performance: A bloated database can slow down queries, affecting the overall responsiveness of the Passbolt server.
• Disk space exhaustion: Excessive disk usage can lead to storage limits being reached, potentially causing service interruptions.
• Maintenance challenges: Manually running maintenance commands regularly is not scalable and can be forgotten, leading to the issues above.

Why automating maintenance tasks?

While passbolt provides built-in commands to manage disk space, relying on manual execution has drawbacks. Manually performing routine tasks is time-consuming and detracts from more critical responsibilities. It can also lead to complexity having different environments (Docker, RPM, Debian/Ubuntu) and versions (CE vs. PRO) require nuanced handling.

Automating these tasks ensures that maintenance is consistent, the tasks run the same way every time, reducing the chance of errors. Automation frees up time for other important activities and it’s also reliable, scheduled automation means maintenance isn't forgotten or delayed.

Introducing the purge automation bash script

A sample bash script to automate common passbolt server maintenance tasks, which can be adapted for specific infrastructure needs

• It automatically detects the environment: Automatically identifies whether it's running on Docker (root or non-root), RPM, or Debian/Ubuntu, and whether the passbolt version is CE or PRO.
• Providing flexibility: Includes flags  for setting retention periods and specifying LDAP purging with -r and –ldap
• Simplifies execution: Runs all necessary commands with appropriate parameters, ensuring a smooth maintenance process.
• User-friendly outputs: Colored terminal output for better readability and status messages to inform you of progress.

Understanding the script

Here's a breakdown of what the script does:

• Environment detection: It detects on which environment the server is.
• User detection: Determines the correct web server user (www-data or nginx) and sets the appropriate command execution method.
• Argument parsing: Accepts optional arguments
  • -r: Sets the retention period for action logs (default is 90 days).
  • --ldap: Triggers the purge of LDAP-related tables (PRO only)
• Passbolt version check: Identifies if the server is running CE or PRO to ensure compatibility with commands.
• Maintenance commands execution:
  • Email queue purge: Clears out the email queue to free up space.
  • Action logs purge: Deletes non-essential action logs older than the specified retention period.
  • LDAP tables purge (PRO only): If the --ldap flag is set, purges old records from LDAP synchronization tables.
  • Cleanup shell: To ensure that there are no database integrity issues. It usually happens when manual iterations are made on a table.

Setting up the script

Download the script

In order to download the sample script, this command can be ran:

curl -LO https://gist.githubusercontent.com/qntoni/e63467f714af03057d2ad31676ec7085/raw/7cf65002a98724fef4c022379eddc874b7f4e38c/passbolt_maintenance.sh

Updating script permissions

Using readable and executable permissions only for this script might be recommended, setting also the ownership to root as individual user and the web server as group and no permissions for other users is a good practice. 

sudo chmod 550 passbolt_maintenance.sh
sudo chown root:<WEB_SERVER> passbolt_maintenance.sh # replace <WEB_SERVER> with nginx on RPM or www-data on debian like distributions

Run the script manually (optional)

The script can be tested using:

sudo ./passbolt_maintenance.sh

To specify a custom retention period (e.g., 60 days):

sudo ./passbolt_maintenance.sh -r 60

To also include directory_items_reports table purging (for PRO only):

sudo ./passbolt_maintenance.sh -r 60 --ldap

Automate with cron

To ensure this maintenance runs regularly, a cron job can be set. It is possible to use the crontab editor for the web server user to do that:

sudo -u <WEB_SERVER> crontab -e # replace <WEB_SERVER> with nginx on RPM or www-data on debian like distributions

For the cronjob entry, running the maintenance script every day at midnight is the example chosen below:

0 0 * * * /path/to/passbolt_maintenance.sh --ldap

Please note that on CE, the --ldap flag can be removed. It’s important to save and exit and the maintenance script, it should now run automatically every day at midnight. 

Benefits of using the maintenance script

The benefits of using this script are basically proactive management, as regular maintenance helps prevent disk space issues before they impact performance. It’s also time saving because automation reduces the need for manual intervention, allowing you to focus on other tasks and it helps with the flexibility, you can easily adjust retention periods and include LDAP purging as needed. The last benefit to take in consideration is that it works across different environments and passbolt editions without modification.

Conclusion

Managing disk space on your passbolt server doesn't have to be a headache. By automating maintenance tasks with our custom bash script, you can ensure your server runs smoothly and efficiently. This script simplifies the process, handling the nuances of different environments and editions, so you don't have to.

This script can be adapted to suit different organisational needs. Share your experiences, suggest improvements, or ask questions on our community forum. Together, we can continue to enhance the tools that keep passbolt running at its best.

What's Next?

Interested in more automation? Let us know what other aspects of passbolt you'd like to streamline. Whether it's backup solutions, monitoring integrations, or scaling deployments, we're here to help make your passbolt experience as seamless as possible. 🚀