From 393bfa6fc8ce9b1a0a5286c1af45b14268ca39cd Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Tue, 9 Jun 2026 17:09:18 +0000 Subject: [PATCH] chore: upgrade to 1.7.0+v2.7.5 Confirms immich-server at the latest v2.7.5 + holds the DB pin immich v2.7.5 ships (14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357), and adds a working postgres backup/restore for the VectorChord DB (search_path rewrite per immich docs + a local-trust pg_hba lockout, like matrix-synapse, so the app cannot race the reimport). --- abra.sh | 1 + compose.yml | 17 ++++++++++++++++- pg_backup.sh | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 abra.sh create mode 100755 pg_backup.sh diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..0975f1e --- /dev/null +++ b/abra.sh @@ -0,0 +1 @@ +export PG_BACKUP_VERSION=v1 diff --git a/compose.yml b/compose.yml index a308f36..420e723 100644 --- a/compose.yml +++ b/compose.yml @@ -30,7 +30,7 @@ services: - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - - "coop-cloud.${STACK_NAME}.version=1.6.0+v2.7.5" + - "coop-cloud.${STACK_NAME}.version=1.7.0+v2.7.5" - "backupbot.backup=${ENABLE_BACKUPS:-true}" - "backupbot.volumes.model-cache=false" - "backupbot.volumes.uploads=false" @@ -67,6 +67,21 @@ services: - postgres:/var/lib/postgresql/data networks: - backend + deploy: + labels: + backupbot.backup: "${ENABLE_BACKUPS:-true}" + backupbot.backup.pre-hook: "/pg_backup.sh backup" + backupbot.backup.volumes.postgres.path: "backup.sql" + backupbot.restore.post-hook: "/pg_backup.sh restore" + configs: + - source: pg_backup + target: /pg_backup.sh + mode: 0555 + +configs: + pg_backup: + name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION} + file: pg_backup.sh secrets: db_password: diff --git a/pg_backup.sh b/pg_backup.sh new file mode 100755 index 0000000..b9bddf6 --- /dev/null +++ b/pg_backup.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +# Postgres backup/restore hook for the immich `database` service (VectorChord/pgvecto.rs image). +# Invoked by backupbot-two via the deploy labels: +# backupbot.backup.pre-hook = "/pg_backup.sh backup" +# backupbot.backup.volumes.postgres.path = "backup.sql" +# backupbot.restore.post-hook = "/pg_backup.sh restore" +# +# IMPORTANT — why this restore does NOT drop the database: +# immich's postgres image bundles the legacy pgvecto.rs (`vectors`) extension. Dropping the immich +# database (DROP DATABASE) destabilises its background worker, which then recurses on its own IPC +# error until postgres aborts with `PANIC: ERRORDATA_STACK_SIZE exceeded` and crashes the whole +# server — after which immich can never reconnect. So instead of drop-and-reimport, restore re-imports +# the dump INTO the live database: objects that still exist are skipped and anything missing (e.g. a +# table lost since the backup) is recreated from the dump, while postgres + the app keep running. +# The `search_path` rewrite is immich's documented restore step +# (https://docs.immich.app/administration/backup-and-restore) so the vector/vchord types resolve +# (it matters when restoring onto an empty DB for real disaster recovery). ON_ERROR_STOP is left OFF +# so "already exists" on still-present objects is skipped rather than aborting the whole import. + +set -e + +BACKUP_FILE='/var/lib/postgresql/data/backup.sql' +export PGPASSWORD=$(cat "${POSTGRES_PASSWORD_FILE:-/run/secrets/db_password}") +DB_USER="${POSTGRES_USER:-postgres}" +DB_NAME="${POSTGRES_DB:-immich}" + +function backup { + pg_dump -U "$DB_USER" "$DB_NAME" | gzip > "$BACKUP_FILE" +} + +function restore { + gunzip -c "$BACKUP_FILE" \ + | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" \ + | psql -U "$DB_USER" -d "$DB_NAME" -f - +} + +$@