feat(snap): automatic wallet backup on snap removal#13
Conversation
Implement the remove hook to archive critical node files (identity, erl_inetrc, nodedata_*) to /var/backups/diode-node before snap data is deleted. Adds backup-dir system-files plug, restore helper, unit tests, and README documentation.

Closes #2

Co-authored-by: Dominic Letz <dominicletz@users.noreply.github.com>
Code Review
This pull request introduces an automatic backup and restoration mechanism for the diode-node snap. It adds scripts to archive critical node data (identity and wallet databases) during the snap removal process and provides a corresponding restoration script, supported by new tests and updated documentation. The review feedback focuses on security hardening for handling sensitive wallet data, specifically recommending the use of a restrictive umask (077) in both scripts and ensuring the backup directory is secured immediately upon creation. Additionally, there is a suggestion to align the restoration script's usage instructions with the recommended commands in the README.
| sudo snap install diode-node | ||
| sudo snap stop diode-node.service | ||
| sudo $0 /var/backups/diode-node/diode_node_backup_YYYY-MM-DD_HHMMSS.tar.gz |
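Review bot: the `sudo $0 …` usage line tells the user to run the restore script directly, but the script reads $SNAP, $SNAP_DATA and $SNAP_USER_DATA, which are only set when it is started through snapd; invoked with plain sudo it will look in the wrong place or fail. Print the README's form instead, `sudo snap run --shell diode-node -c 'bin/restore_snap_backup /var/backups/diode-node/diode_node_backup_YYYY-MM-DD_HHMMSS.tar.gz'`, and since the confined shell app can only read /var/backups/diode-node once the backup-dir plug is connected, list `sudo snap connect diode-node:backup-dir` as a step before it.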
The usage example suggests running the script directly with sudo, but since it relies on SNAP environment variables, it is better to align this message with the recommended command in the README which uses snap run --shell.
| sudo $0 /var/backups/diode-node/diode_node_backup_YYYY-MM-DD_HHMMSS.tar.gz | |
| sudo snap run --shell diode-node -c 'bin/restore_snap_backup /var/backups/diode-node/diode_node_backup_YYYY-MM-DD_HHMMSS.tar.gz' |
| exit 1 | ||
| fi | ||
| staging_dir=$(mktemp -d) |
| if ! mkdir -p "$BACKUP_DIR" 2>/dev/null; then | ||
| log "cannot create backup directory $BACKUP_DIR (is backup-dir plug connected?)" | ||
| log "use 'snap saved' within 31 days to recover data via 'snap restore'" | ||
| exit 0 | ||
| fi |
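Review bot: `mkdir -p "$BACKUP_DIR"` returns success when the directory already exists with whatever mode it was given earlier, so nothing on these lines guarantees the directory is private before the tarball is written into it, and the `mktemp -d` staging directory just above inherits the caller's umask. Set `umask 077` before `mktemp -d` and apply `chmod 0700 "$BACKUP_DIR"` immediately after the `mkdir`, treating a chmod failure like the mkdir failure (log and exit 0 without writing the archive). The `2>/dev/null` also throws away the one piece of information that distinguishes "plug not connected" from "read-only filesystem"; capture stderr into the log message instead.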
For better security hardening, consider applying chmod 0700 to the backup directory immediately after it is created, rather than at the end of the script. This ensures the directory is secured before the sensitive tarball is written into it.
| if ! mkdir -p "$BACKUP_DIR" 2>/dev/null; then | |
| log "cannot create backup directory $BACKUP_DIR (is backup-dir plug connected?)" | |
| log "use 'snap saved' within 31 days to recover data via 'snap restore'" | |
| exit 0 | |
| fi | |
| if ! mkdir -p "$BACKUP_DIR" 2>/dev/null; then | |
| log "cannot create backup directory $BACKUP_DIR (is backup-dir plug connected?)" | |
| log "use 'snap saved' within 31 days to recover data via 'snap restore'" | |
| exit 0 | |
| fi | |
| chmod 0700 "$BACKUP_DIR" 2>/dev/null || true |
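Review bot: `chmod 0700 "$BACKUP_DIR" 2>/dev/null || true` swallows the failure, so when the mode cannot be set the wallet tarball is still written into a directory whose permissions are unknown. Handle a failed chmod the same way as the failed mkdir above it: log the reason and exit 0 without producing the archive, so removal still succeeds but sensitive data is never dropped into an unsecured directory.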
@gemini review this PR
- Set umask 077 before creating staging dirs and backup archives
- chmod 0700 backup directory before writing the tarball
- Align restore usage/errors with snap run --shell workflow
- Grant shell app backup-dir plug so restore can read /var/backups
- Document snap connect backup-dir in README restore steps
- Assert backup directory permissions in ExUnit test

Co-authored-by: Dominic Letz <dominicletz@users.noreply.github.com>

@cursoragent Remove erl_inetrc from the backup strategy and documentation. DNS data is not critical to be backed up.
Addressed @dominicletz's feedback. Changes made.
Changes are committed and pushed to the PR branch.
DNS config is regenerated on service start and is not required to resurrect the node. Update tests and README accordingly. Co-authored-by: Dominic Letz <dominicletz@users.noreply.github.com>


Summary
Closes #2
When a user runs `snap remove diode-node`, the snap's data directories are deleted and wallet access can be lost permanently. This PR adds an automatic backup that runs in the snap `remove` hook before data is wiped.

Approach

This follows the design in issue #2:

- `remove` hook (snap/hooks/remove) runs before snap data deletion and invokes the backup script bundled in the snap.
- `backup-dir` plug requests write access to /var/backups/diode-node via the `system-files` interface.
- The backup script (scripts/snap_backup_on_remove.sh) archives the critical resurrection files:
  - $SNAP_USER_DATA/node (node identity)
  - $SNAP_DATA/nodedata_* (wallet/database)
- Fallback when the plug is not connected: `snap saved` / `snap restore` within the 31-day snapd retention window — removal still succeeds.
- Restore helper (scripts/restore_snap_backup.sh, installed as bin/restore_snap_backup) and README documentation for manual recovery.

Note: erl_inetrc is intentionally excluded; DNS config is regenerated on service start and is not required to resurrect the node.

Business case

Users who uninstall the snap without knowing about wallet persistence lose access to their node identity and funds. Automatic backup on removal makes recovery possible without requiring users to know about manual `snap save` procedures upfront.

Demo

Simulated snap-removal flow (mock $SNAP_DATA / $SNAP_USER_DATA directories):

1. Critical files present before removal
2. Remove hook creates secure backup archive
3. Archive preserves resurrection files + manifest
4. Restore after reinstall
5. Fallback when backup-dir plug is not connected

Testing

Added test/snap_backup_on_remove_test.exs covering:

- backup archive permissions (0600)
- erl_inetrc is excluded even when present

Validated locally with bash integration tests mirroring the ExUnit cases.

Notes

The `backup-dir` system-files plug will need a separate Snap Store forum request.
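As an added example, and not the diode-node snap's own scripts, the remove-hook backup and restore flow described in this PR with the hardening the review asked for, written as two bash functions that can be exercised against mock $SNAP_DATA / $SNAP_USER_DATA directories: `umask 077` before the staging directory and archive are created, `chmod 0700` on the backup directory before anything is written into it (refusing to continue if that fails), erl_inetrc left out, a sha256 manifest inside the archive that the restore side verifies, and the exit-0 fallback when the backup directory cannot be created. The directory layout follows the PR description; the `log` helper, the manifest format and the refusal to overwrite an existing `node` directory on restore are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the diode-node snap's own scripts. Assumed layout (from the
# PR description): node identity in $SNAP_USER_DATA/node, wallet databases in
# $SNAP_DATA/nodedata_*, archives in $BACKUP_DIR. The manifest format and the
# no-overwrite guard in restore are this example's choices.
set -u

log() { printf 'diode-node backup: %s\n' "$*" >&2; }

# backup_node_data SNAP_DATA SNAP_USER_DATA BACKUP_DIR
# Prints the archive path on success. Prints nothing and returns 0 when the
# backup directory cannot be created: snap removal must still succeed.
backup_node_data() {
    local snap_data=$1 snap_user_data=$2 backup_dir=$3
    # Everything created from here on (staging dir, tarball, manifest) is
    # 0700/0600 regardless of the caller's umask.
    umask 077

    if ! mkdir -p "$backup_dir" 2>/dev/null; then
        log "cannot create backup directory $backup_dir (is backup-dir plug connected?)"
        log "use 'snap saved' within 31 days to recover data via 'snap restore'"
        return 0
    fi
    # mkdir -p is a no-op on an existing directory, so force the mode before
    # any wallet data lands in it; refuse to continue if that fails.
    if ! chmod 0700 "$backup_dir"; then
        log "cannot secure $backup_dir, not writing wallet data there"
        return 1
    fi

    local staging count=0 f
    staging=$(mktemp -d) || return 1

    if [ -d "$snap_user_data/node" ]; then
        mkdir -p "$staging/user"
        cp -a "$snap_user_data/node" "$staging/user/"
        count=$((count + 1))
    fi
    for f in "$snap_data"/nodedata_*; do
        [ -e "$f" ] || continue          # glob matched nothing
        mkdir -p "$staging/data"
        cp -a "$f" "$staging/data/"
        count=$((count + 1))
    done
    # erl_inetrc is deliberately left out: it is regenerated on service start.

    if [ "$count" -eq 0 ]; then
        log "no critical files found, nothing to back up"
        rm -rf "$staging"
        return 0
    fi

    # Manifest of sha256 digests so restore can check integrity before touching
    # a live install. The redirect creates MANIFEST first, hence the exclusion.
    ( cd "$staging" && find . -type f ! -name MANIFEST -exec sha256sum {} + ) > "$staging/MANIFEST"

    local archive="$backup_dir/diode_node_backup_$(date +%Y-%m-%d_%H%M%S).tar.gz"
    if tar -C "$staging" -czf "$archive" .; then
        chmod 0600 "$archive"
        rm -rf "$staging"
        printf '%s\n' "$archive"
        return 0
    fi
    rm -rf "$staging" "$archive"
    return 1
}

# restore_node_data ARCHIVE SNAP_DATA SNAP_USER_DATA
# Extracts into a private staging dir, verifies the manifest, then copies the
# files into a fresh install. Refuses to overwrite an existing identity.
restore_node_data() {
    local archive=$1 snap_data=$2 snap_user_data=$3 staging
    umask 077
    if [ -e "$snap_user_data/node" ]; then
        log "refusing to overwrite existing $snap_user_data/node"
        return 1
    fi
    staging=$(mktemp -d) || return 1
    if ! tar -C "$staging" -xzf "$archive"; then
        log "cannot extract $archive"; rm -rf "$staging"; return 1
    fi
    if ! ( cd "$staging" && sha256sum -c --quiet MANIFEST ); then
        log "manifest check failed: archive is corrupt or was tampered with"
        rm -rf "$staging"; return 1
    fi
    mkdir -p "$snap_data" "$snap_user_data"
    if [ -d "$staging/user/node" ]; then cp -a "$staging/user/node" "$snap_user_data/"; fi
    if [ -d "$staging/data" ]; then cp -a "$staging/data"/. "$snap_data"/; fi
    rm -rf "$staging"
}
```

In a real remove hook the three arguments would be `"$SNAP_DATA" "$SNAP_USER_DATA" /var/backups/diode-node`; the mock-directory call in the test mirrors the PR's own simulated flow. The fallback branch is exercised by pointing the backup directory under a regular file, which fails even for root, so the "plug not connected" path can be tested without depending on filesystem permissions.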