forked from crowetic/QORTector-scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvm-data-maintenance.sh
More file actions
232 lines (196 loc) · 7.68 KB
/
vm-data-maintenance.sh
File metadata and controls
232 lines (196 loc) · 7.68 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
#!/usr/bin/env bash
set -euo pipefail
# vm-data-maintenance.sh
# Keep VM disk usage low: vacuum logs/temp/caches (opt-in extras), then fstrim.
# Intended to run inside Linux guests (systemd preferred).
SCRIPT_NAME="vm-data-maintenance"
CONFIG_FILE="${CONFIG_FILE:-/etc/vm-data-maintenance.conf}"
log() { echo "[$(date -Is)] $SCRIPT_NAME: $*"; }
# -------- defaults (can be overridden by config) --------
DRY_RUN="${DRY_RUN:-0}" # 1 = show actions, don't delete
ENABLE_TRIM="${ENABLE_TRIM:-1}" # 1 = run fstrim -av
ENABLE_PACKAGE_CLEAN="${ENABLE_PACKAGE_CLEAN:-1}"
ENABLE_LOG_CLEAN="${ENABLE_LOG_CLEAN:-1}"
ENABLE_TMP_CLEAN="${ENABLE_TMP_CLEAN:-1}"
ENABLE_USER_CACHE_CLEAN="${ENABLE_USER_CACHE_CLEAN:-0}" # off by default (can surprise users)
ENABLE_DOCKER_PRUNE="${ENABLE_DOCKER_PRUNE:-0}" # off by default (can be destructive)
# log/journal retention
JOURNAL_MAX_SIZE="${JOURNAL_MAX_SIZE:-200M}" # journald vacuum target size
JOURNAL_MAX_AGE_DAYS="${JOURNAL_MAX_AGE_DAYS:-14}" # vacuum older than N days too (best effort)
# temp retention
TMP_MAX_AGE_DAYS="${TMP_MAX_AGE_DAYS:-10}"
VAR_TMP_MAX_AGE_DAYS="${VAR_TMP_MAX_AGE_DAYS:-10}"
# log retention for plain files
LOG_MAX_AGE_DAYS="${LOG_MAX_AGE_DAYS:-30}"
# Explicit extra cleanup targets (opt-in)
# Arrays require bash; define in config like:
# EXTRA_DELETE_DIRS=( "/var/log/myapp" "/opt/something/tmp" )
# EXTRA_DELETE_GLOBS=( "/var/lib/foo/*.old" )
EXTRA_DELETE_DIRS=()
EXTRA_DELETE_GLOBS=()
# Safety: never delete these paths even if configured badly
DENYLIST_PREFIXES=(
"/"
"/bin" "/boot" "/dev" "/etc" "/home" "/lib" "/lib64"
"/proc" "/root" "/run" "/sbin" "/sys" "/usr" "/var"
)
is_denylisted() {
local p="$1"
for d in "${DENYLIST_PREFIXES[@]}"; do
if [[ "$p" == "$d" ]]; then return 0; fi
done
return 1
}
run_cmd() {
if [[ "$DRY_RUN" == "1" ]]; then
log "DRY_RUN: $*"
else
eval "$@"
fi
}
delete_find_older_than_days() {
local base="$1"
local days="$2"
[[ -e "$base" ]] || { log "skip (missing): $base"; return 0; }
# basic sanity: do not allow obviously dangerous bases
if is_denylisted "$base"; then
log "REFUSING to operate on denylisted base: $base"
return 1
fi
# Use -xdev so we don't cross filesystem boundaries (good for mounts)
# Delete files first, then empty dirs (older than days).
log "clean: $base (files/dirs older than ${days}d)"
run_cmd "find \"$base\" -xdev -type f -mtime +\"$days\" -print -delete 2>/dev/null || true"
run_cmd "find \"$base\" -xdev -type d -empty -mtime +\"$days\" -print -delete 2>/dev/null || true"
}
delete_glob_targets() {
local g="$1"
# shellcheck disable=SC2086
local matches=( $g )
if (( ${#matches[@]} == 0 )); then
log "skip (no matches): $g"
return 0
fi
for m in "${matches[@]}"; do
# sanity: don't allow deleting denylisted exact prefixes
if is_denylisted "$m"; then
log "REFUSING to delete denylisted path: $m"
continue
fi
log "delete: $m"
run_cmd "rm -rf --one-file-system \"$m\" 2>/dev/null || true"
done
}
maybe_vacuum_journal() {
command -v journalctl >/dev/null 2>&1 || { log "journalctl not found; skipping journald vacuum"; return 0; }
log "journald: vacuum by size -> ${JOURNAL_MAX_SIZE}"
run_cmd "journalctl --vacuum-size=\"$JOURNAL_MAX_SIZE\" >/dev/null 2>&1 || true"
if [[ "${JOURNAL_MAX_AGE_DAYS}" =~ ^[0-9]+$ ]]; then
log "journald: vacuum by age -> ${JOURNAL_MAX_AGE_DAYS}d"
run_cmd "journalctl --vacuum-time=\"${JOURNAL_MAX_AGE_DAYS}days\" >/dev/null 2>&1 || true"
fi
}
maybe_logrotate_force() {
if [[ -x /usr/sbin/logrotate ]] && [[ -f /etc/logrotate.conf ]]; then
log "logrotate: force run"
run_cmd "/usr/sbin/logrotate -f /etc/logrotate.conf >/dev/null 2>&1 || true"
else
log "logrotate not available; skipping"
fi
}
maybe_clean_packages() {
[[ "$ENABLE_PACKAGE_CLEAN" == "1" ]] || { log "package cache clean disabled"; return 0; }
if command -v apt-get >/dev/null 2>&1; then
log "apt: clean + autoremove"
run_cmd "apt-get -y autoclean >/dev/null 2>&1 || true"
run_cmd "apt-get -y clean >/dev/null 2>&1 || true"
run_cmd "apt-get -y autoremove --purge >/dev/null 2>&1 || true"
elif command -v dnf >/dev/null 2>&1; then
log "dnf: clean all"
run_cmd "dnf -y clean all >/dev/null 2>&1 || true"
elif command -v yum >/dev/null 2>&1; then
log "yum: clean all"
run_cmd "yum -y clean all >/dev/null 2>&1 || true"
elif command -v pacman >/dev/null 2>&1; then
log "pacman: clean cache (keep 1 version)"
run_cmd "paccache -rk1 >/dev/null 2>&1 || true"
elif command -v zypper >/dev/null 2>&1; then
log "zypper: clean --all"
run_cmd "zypper clean -a >/dev/null 2>&1 || true"
else
log "no known package manager found; skipping package cache clean"
fi
}
maybe_clean_tmp() {
[[ "$ENABLE_TMP_CLEAN" == "1" ]] || { log "tmp clean disabled"; return 0; }
delete_find_older_than_days "/tmp" "$TMP_MAX_AGE_DAYS"
delete_find_older_than_days "/var/tmp" "$VAR_TMP_MAX_AGE_DAYS"
}
maybe_clean_plain_logs() {
[[ "$ENABLE_LOG_CLEAN" == "1" ]] || { log "log clean disabled"; return 0; }
# journald handles /var/log/journal; we still trim old rotated logs.
# This is conservative: only files older than N days under /var/log.
log "plain logs: delete /var/log/* files older than ${LOG_MAX_AGE_DAYS}d (conservative)"
run_cmd "find /var/log -xdev -type f -mtime +\"$LOG_MAX_AGE_DAYS\" -print -delete 2>/dev/null || true"
run_cmd "find /var/log -xdev -type d -empty -mtime +\"$LOG_MAX_AGE_DAYS\" -print -delete 2>/dev/null || true"
}
maybe_clean_user_caches() {
[[ "$ENABLE_USER_CACHE_CLEAN" == "1" ]] || { log "user cache clean disabled"; return 0; }
# This can annoy users if you nuke browser caches etc. Off by default.
log "user caches: delete ~/.cache files older than ${TMP_MAX_AGE_DAYS}d for all users (conservative)"
while IFS=: read -r user _ uid _ _ home _; do
[[ "$uid" -ge 1000 ]] || continue
[[ -d "$home/.cache" ]] || continue
delete_find_older_than_days "$home/.cache" "$TMP_MAX_AGE_DAYS"
done </etc/passwd
}
maybe_docker_prune() {
[[ "$ENABLE_DOCKER_PRUNE" == "1" ]] || { log "docker prune disabled"; return 0; }
command -v docker >/dev/null 2>&1 || { log "docker not found; skipping"; return 0; }
log "docker: system prune (including unused images/containers/networks)"
log "WARNING: This may remove stopped containers and unused images. Volumes remain unless you change the command."
run_cmd "docker system prune -af >/dev/null 2>&1 || true"
}
run_extra_cleanups() {
if (( ${#EXTRA_DELETE_DIRS[@]} > 0 )); then
for d in "${EXTRA_DELETE_DIRS[@]}"; do
# Extra dirs: delete *contents older than TMP_MAX_AGE_DAYS* (override by per-dir patterns if you want)
delete_find_older_than_days "$d" "$TMP_MAX_AGE_DAYS"
done
fi
if (( ${#EXTRA_DELETE_GLOBS[@]} > 0 )); then
for g in "${EXTRA_DELETE_GLOBS[@]}"; do
delete_glob_targets "$g"
done
fi
}
maybe_trim() {
[[ "$ENABLE_TRIM" == "1" ]] || { log "fstrim disabled"; return 0; }
command -v fstrim >/dev/null 2>&1 || { log "fstrim not found; skipping"; return 0; }
# If running in containers, fstrim can fail; tolerate it.
log "fstrim: running fstrim -av"
if [[ "$DRY_RUN" == "1" ]]; then
log "DRY_RUN: fstrim -av"
else
fstrim -av || true
fi
}
# -------- load config (if present) --------
if [[ -f "$CONFIG_FILE" ]]; then
log "loading config: $CONFIG_FILE"
# shellcheck disable=SC1090
source "$CONFIG_FILE"
else
log "no config found at $CONFIG_FILE (using defaults)"
fi
log "starting (dry_run=$DRY_RUN)"
maybe_vacuum_journal
maybe_logrotate_force
maybe_clean_plain_logs
maybe_clean_tmp
maybe_clean_packages
maybe_clean_user_caches
run_extra_cleanups
maybe_docker_prune
maybe_trim
log "done"