Skip to content

No cleanup on authorized_keys file backups #17117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ghost opened this issue Sep 22, 2021 · 7 comments · Fixed by #25412
Closed

No cleanup on authorized_keys file backups #17117

ghost opened this issue Sep 22, 2021 · 7 comments · Fixed by #25412
Labels
type/enhancement An improvement of existing functionality

Comments

@ghost
Copy link

ghost commented Sep 22, 2021

Gitea Version

1.12.0

Git Version

2.24.1

Operating System

Debian (Docker)

How are you running Gitea?

We are using the official Docker image.

Database

PostgreSQL

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

Hello,

When an user adds their SSH key to their profile, Gitea regenerates the authorized_keys file and renames the previous one as authorized_keys_TIMESTAMP.gitea_bak.
In Docker, this folder is located by default in /data/git/.ssh.

According to Gitea's dashboard, we currently have 17 500 users, with 26 400 public keys and 616 800 repositories.

Here's how it started:

bash-5.0# pwd
/data/git/.ssh
bash-5.0# ls -alh | head
total 1003G  
drwx------    2 git      git        11.6M Sep 22 09:16 .
drwxr-xr-x    4 git      git         4.0K Jun 28 07:06 ..
-rw-------    1 git      git        14.2M Sep 22 09:16 authorized_keys
-rw-------    1 git      git         3.2K Jan 23  2020 authorized_keys_1579798826.gitea_bak
-rw-------    1 git      git         3.2K Jan 23  2020 authorized_keys_1579798873.gitea_bak
-rw-------    1 git      git         3.2K Jan 23  2020 authorized_keys_1579798917.gitea_bak
-rw-------    1 git      git        33.7K Jan 23  2020 authorized_keys_1579799227.gitea_bak
-rw-------    1 git      git        33.7K Jan 23  2020 authorized_keys_1579799244.gitea_bak
-rw-------    1 git      git        34.7K Jan 23  2020 authorized_keys_1579799314.gitea_bak

Here's how it's going:

bash-5.0# ls -alh | tail
-rw-------    1 git      git        14.2M Sep 22 08:47 authorized_keys_1632300479.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 08:48 authorized_keys_1632300618.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 08:55 authorized_keys_1632300964.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 08:56 authorized_keys_1632301093.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 08:58 authorized_keys_1632301095.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 09:09 authorized_keys_1632301830.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 09:12 authorized_keys_1632301972.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 09:12 authorized_keys_1632301976.gitea_bak
-rw-------    1 git      git        14.2M Sep 22 09:16 authorized_keys_1632302204.gitea_bak
-rw-------    1 git      git           25 Jan 22  2020 environment

The size of the authorized_keys backups has reached 1 To:

bash-5.0# du -h -d 1 .
1002.7G	.

Can Gitea somehow cleanup its backups on a regular basis, while keeping the last X backups (e.g.: 50) ?

We have the opportunity to test Gitea in a large-scale organization, and up until now we're satisfied with it, it's very performant even though we have a lot of users:

NAME              CPU %        MEM USAGE / LIMIT     MEM %        NET I/O                  BLOCK I/O           PIDS
gitea_server_1    29.85%       775.7MiB / 7.791GiB   9.72%          639GB / 75GB        104TB / 549GB       51

I believe it only needs some minor adjustments to be scalable without issues, and this authorized_keys backup issue is one of those.

Do you think this issue can be fixed in Gitea ?

Thanks!

Screenshots

No response
@lunny lunny added the type/enhancement An improvement of existing functionality label Sep 22, 2021
@lunny
Copy link
Member

lunny commented Sep 22, 2021

Maybe we should only keep last x backups.

@mattrpav
Copy link

Suggest having config option similar to CI jobs that provides good flexibility for small installations and large:

  • Max n number of backups
  • Max n number of days

@mattrpav
Copy link

Note to users: if you experience slow startup times in Kubernetes, this could be the cause. Add a task to delete the '/data/git/.ssh/authorized_keys_*.gitea_bak' files periodically.

@mattrpav
Copy link

@lunny any update on a fix approach for this one?

@lunny
Copy link
Member

lunny commented May 12, 2023

Maybe we should have a cron job to do that. A PR is needed and it should not be very difficult.

@mattrpav
Copy link

Curiously, why are the backups made? We have a custom task that cleans out 30-50 around every 5 minutes or so.

@lonix1
Copy link
Contributor

lonix1 commented Jun 21, 2023

workaround for now:

[server]
SSH_AUTHORIZED_KEYS_BACKUP = false

@lunny lunny closed this as completed Jun 21, 2023
@techknowlogick techknowlogick mentioned this issue Jun 21, 2023
Merged
techknowlogick added a commit that referenced this issue Jul 1, 2023
@techknowlogick
Set SSH_AUTHORIZED_KEYS_BACKUP to false (#25412)
469d89b 
This prevents the disk from overflowing with auth keys file

Fixes #17117

## ⚠️ BREAKING

This changes the default option for creating a backup of the authorized
key file when an update is made to default to false.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Set SSH_AUTHORIZED_KEYS_BACKUP to false techknowlogick/gitea
3 participants
@lunny @mattrpav @lonix1