diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh index 2a649e9..bba244d 100755 --- a/scripts/cleanup.sh +++ b/scripts/cleanup.sh @@ -17,6 +17,12 @@ CLEANUP_TYPE="${CLEANUP_TYPE:-ci-cd}" # ci-cd or production REGISTRY_DIR="${REGISTRY_DIR:-/opt/registry}" DRY_RUN="${DRY_RUN:-false}" +# Critical infrastructure protection +CRITICAL_CONTAINERS="harbor-core,harbor-db,harbor-jobservice,harbor-log,harbor-portal,nginx,redis,registry,registryctl,trivy-adapter,forgejo-runner" +CRITICAL_IMAGES="goharbor,forgejo-runner" +CRITICAL_VOLUMES="harbor" +CRITICAL_NETWORKS="harbor" + # Functions log_info() { echo -e "${BLUE}[INFO]${NC} $1" 
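Review bot: CRITICAL_IMAGES, CRITICAL_VOLUMES and CRITICAL_NETWORKS are introduced here but nothing in this commit reads them — the prune step filters on Docker object labels, not on these names — so a reader will assume `harbor` volumes and `goharbor` images are protected when they are not. Either wire them into the prune logic or drop them until something uses them. The four new assignments also break the convention of the three lines directly above, which are all environment-overridable; `CRITICAL_CONTAINERS="${CRITICAL_CONTAINERS:-harbor-core,harbor-db,...}"` would let a deployment whose container names differ (for example a Compose project prefix) adjust the list without editing the script. A one-line comment such as `# Names must match docker ps --format '{{.Names}}' exactly` would prevent the next person from adding a service name instead of a container name.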
@@ -34,6 +40,56 @@ log_error() { echo -e "${RED}[ERROR]${NC} $1" } +check_critical_infrastructure() { + log_info "Checking critical infrastructure status..." + + local missing_containers="" + IFS=',' read -ra CONTAINERS <<< "$CRITICAL_CONTAINERS" + + for container in "${CONTAINERS[@]}"; do + if ! docker ps --format "{{.Names}}" | grep -q "^${container}$"; then + if [ -n "$missing_containers" ]; then + missing_containers="$missing_containers, $container" + else + missing_containers="$container" + fi + fi + done + + if [ -n "$missing_containers" ]; then + log_warning "Some critical containers are not running: $missing_containers" + log_warning "This may indicate infrastructure issues. Proceed with caution." + else + log_success "All critical infrastructure containers are running" + fi + + echo +} + +label_critical_containers() { + log_info "Labeling critical containers for protection..." + + IFS=',' read -ra CONTAINERS <<< "$CRITICAL_CONTAINERS" + + for container in "${CONTAINERS[@]}"; do + if docker ps --format "{{.Names}}" | grep -q "^${container}$"; then + # Add protection labels + docker update --label critical=infrastructure "$container" 2>/dev/null || true + docker update --label protected=true "$container" 2>/dev/null || true + + # Add specific labels based on container type + if [[ "$container" == harbor* ]]; then + docker update --label service=harbor "$container" 2>/dev/null || true + elif [[ "$container" == forgejo* ]]; then + docker update --label service=forgejo "$container" 2>/dev/null || true + fi + fi + done + + log_success "Critical containers labeled for protection" + echo +} + show_help() { cat << EOF Sharenet Cleanup Script 
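Review bot: label_critical_containers cannot work as written: `docker update` has no `--label` option and Docker container labels are fixed at creation, so every call in the loop fails, `2>/dev/null || true` swallows the failure, and `log_success` then reports the containers as protected. Drop the labeling loop (or at minimum stop suppressing its errors) rather than shipping a no-op that claims success. check_critical_infrastructure has the same shape: when containers are missing it prints "Proceed with caution" and returns 0, yet a stopped Harbor stack is exactly the state in which a later `docker volume prune` can delete its data, so replace the warning branch with `log_error "Critical containers not running: $missing_containers"; return 1` and let the caller abort. Minor: `docker ps` is re-run for every container and the name is used as an unescaped regex; capture the list once and test with `grep -qxF -- "$container"`.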
@@ -64,25 +120,28 @@ cleanup_docker_resources() { if [ "$DRY_RUN" = "true" ]; then log_warning "DRY RUN MODE - No changes will be made" - echo "Would run: docker image prune -f" - echo "Would run: docker volume prune -f" - echo "Would run: docker network prune -f" + echo "Would run: docker image prune -f (excluding critical infrastructure)" + echo "Would run: docker volume prune -f (excluding critical infrastructure)" + echo "Would run: docker network prune -f (excluding critical infrastructure)" return fi - # Remove unused images - log_info "Removing unused Docker images..." - docker image prune -f + # Remove unused images (excluding critical infrastructure) + log_info "Removing unused Docker images (excluding critical infrastructure)..." + # Use protection labels to exclude critical images + docker image prune -f --filter "label!=critical=infrastructure" --filter "label!=protected=true" - # Remove unused volumes - log_info "Removing unused Docker volumes..." - docker volume prune -f + # Remove unused volumes (excluding critical infrastructure) + log_info "Removing unused Docker volumes (excluding critical infrastructure)..." + # Use protection labels to exclude critical volumes + docker volume prune -f --filter "label!=critical=infrastructure" --filter "label!=protected=true" - # Remove unused networks - log_info "Removing unused Docker networks..." - docker network prune -f + # Remove unused networks (excluding critical infrastructure) + log_info "Removing unused Docker networks (excluding critical infrastructure)..." + # Use protection labels to exclude critical networks + docker network prune -f --filter "label!=critical=infrastructure" --filter "label!=protected=true" - log_success "Docker resources cleanup completed" + log_success "Docker resources cleanup completed (critical infrastructure protected)" } cleanup_registry() { 
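Review bot: The `--filter "label!=..."` arguments on the three prune commands match labels on the images, volumes and networks themselves, and nothing in this commit sets such labels on those objects (label_critical_containers targets containers), so the filters exclude nothing and the "critical infrastructure protected" message on the last line is unearned. Since `docker image prune -f` without `-a` only removes dangling images and volume/network prune only removes objects no container references, the real exposure is the volume step when a Harbor container is stopped: its volumes become unreferenced and are deleted. Guard that step on every critical container being up, and either drop the label filters or document that they only honor labels applied at build/create time (`LABEL` in a Dockerfile, `docker volume create --label ...`). Note also, hedged because it depends on the host: on Docker 23+ `docker volume prune` without `--all` removes only anonymous volumes, so behaviour differs across engine versions and the comment should say which one is expected. cleanup_docker_resources opens before this hunk.

```shell
    # … unchanged: dry-run branch and image prune …

    # Volume prune is the only step here that can destroy state: a stopped
    # critical container leaves its volumes unreferenced and prune deletes
    # them. Refuse that step unless every critical container is running.
    local running_names missing=""
    running_names=$(docker ps --format '{{.Names}}')
    IFS=',' read -ra critical <<< "$CRITICAL_CONTAINERS"
    for name in "${critical[@]}"; do
        grep -qxF -- "$name" <<< "$running_names" || missing="$missing $name"
    done
    if [[ -n "$missing" ]]; then
        log_warning "Skipping volume prune; critical containers not running:$missing"
    else
        log_info "Removing unused Docker volumes..."
        docker volume prune -f
    fi

    # … unchanged: network prune and final log …
```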
@@ -93,31 +152,24 @@ cleanup_registry() { log_info "Cleaning up Harbor registry..." - if [ ! -d "$REGISTRY_DIR" ]; then - log_warning "Harbor directory not found: $REGISTRY_DIR" + # Check if Harbor containers are running + if ! docker ps --format "{{.Names}}" | grep -q harbor; then + log_warning "Harbor containers are not running, skipping registry cleanup" return fi if [ "$DRY_RUN" = "true" ]; then log_warning "DRY RUN MODE - No changes will be made" - echo "Would run: cd $REGISTRY_DIR && docker-compose exec registry registry garbage-collect" + echo "Would run: Harbor registry garbage collection via API" return fi - # Change to Harbor directory - cd "$REGISTRY_DIR" + # Harbor garbage collection is typically done via the Harbor UI or API + # For now, we'll just log that manual cleanup may be needed + log_info "Harbor registry cleanup: Use Harbor UI to clean up old images" + log_info "Manual cleanup: Go to Harbor UI → Projects → Select project → Artifacts → Delete old tags" - # Check if Harbor is running - if ! docker-compose ps | grep -q "registry.*Up"; then - log_warning "Harbor registry is not running, skipping registry cleanup" - return - fi - - # Run Harbor registry garbage collection - log_info "Running Harbor registry garbage collection..." - docker-compose exec -T registry registry garbage-collect - - log_success "Harbor registry cleanup completed" + log_success "Harbor registry cleanup info provided" } cleanup_production() { @@ -155,6 +207,12 @@ cleanup_production() { cleanup_ci_cd() { log_info "Cleaning up CI/CD environment..." + # Check critical infrastructure before cleanup + check_critical_infrastructure + + # Label critical containers for protection + label_critical_containers + # Clean up Docker resources cleanup_docker_resources
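Review bot: The dry-run branch now prints "Would run: Harbor registry garbage collection via API", but the live path a few lines below makes no API call — it only logs instructions — so dry-run and real runs disagree, and `log_success "Harbor registry cleanup info provided"` reports a cleanup that never happened. Make both paths say the same thing, e.g. `log_warning "Harbor garbage collection is not automated by this script; run it from the Harbor UI's Garbage Collection page or its API"` in the live path and the same text after "Would run:" in the dry-run branch. The manual instructions also stop at deleting tags, which in Harbor only marks artifacts for removal; storage is reclaimed when a garbage-collection job runs, so the message should point there rather than at the Artifacts page. The new running-check `grep -q harbor` matches any container whose name merely contains "harbor"; test for a specific name with `grep -qx harbor-core` (or reuse CRITICAL_CONTAINERS) so an unrelated container cannot satisfy it. cleanup_registry's opening line is outside this hunk.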