git.stella-ops.org/docs/modules/concelier/prep/store-aoc-19-005-dev.md
StellaOps Bot 98e6b76584
Add post-quantum cryptography support with PqSoftCryptoProvider
- Implemented PqSoftCryptoProvider for software-only post-quantum algorithms (Dilithium3, Falcon512) using BouncyCastle.
- Added PqSoftProviderOptions and PqSoftKeyOptions for configuration.
- Created unit tests for Dilithium3 and Falcon512 signing and verification.
- Introduced EcdsaPolicyCryptoProvider for compliance profiles (FIPS/eIDAS) with explicit allow-lists.
- Added KcmvpHashOnlyProvider for KCMVP baseline compliance.
- Updated project files and dependencies for new libraries and testing frameworks.
2025-12-07 15:04:19 +02:00

Concelier Backfill & Rollback Plan (STORE-AOC-19-005-DEV)

Objective

Prepare and rehearse the raw-linkset backfill/rollback so Concelier Mongo reflects Link-Not-Merge data deterministically across dev/stage. This runbook unblocks STORE-AOC-19-005-DEV.

Inputs

  • Source dataset: staging export tarball linksets-stage-backfill.tar.zst.
  • Expected placement: out/linksets/linksets-stage-backfill.tar.zst.
  • Hash: record SHA-256 in this file once available (example below).

Example hash capture (replace with real):

$ sha256sum out/linksets/linksets-stage-backfill.tar.zst
3ac7d1c8f4f7b5c5b27c1c7ac6d6e9b2a2d6d7a1a1c3f4e5b6c7d8e9f0a1b2c3  out/linksets/linksets-stage-backfill.tar.zst

Preflight

  • Environment variables:
    • CONCELIER_MONGO_URI pointing to the target (dev or staging) Mongo.
    • CONCELIER_DB (default concelier).
  • Take a snapshot of affected collections:
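    # mongodump accepts one --collection per run, so dump each collection separately
    mongodump --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" --collection linksets --out out/backups/pre-run
    mongodump --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" --collection advisory_chunks --out out/backups/pre-run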
    
  • Ensure write lock is acceptable for the maintenance window.

Backfill steps

  1. Extract dataset:
    mkdir -p out/linksets/extracted
    tar -xf out/linksets/linksets-stage-backfill.tar.zst -C out/linksets/extracted
    
  2. Import linksets + chunks (bypass validation to preserve upstream IDs):
    mongoimport --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" \
      --collection linksets --file out/linksets/extracted/linksets.ndjson \
      --mode=upsert --upsertFields=_id --bypassDocumentValidation
    
    mongoimport --uri "$CONCELIER_MONGO_URI" --db "$CONCELIER_DB" \
      --collection advisory_chunks --file out/linksets/extracted/advisory_chunks.ndjson \
      --mode=upsert --upsertFields=_id --bypassDocumentValidation
    
  3. Verify counts vs manifest:
    jq '.' out/linksets/extracted/manifest.json
    # the legacy mongo shell requires an explicit filter argument for countDocuments
    mongo --quiet "$CONCELIER_MONGO_URI/$CONCELIER_DB" --eval "db.linksets.countDocuments({})"
    mongo --quiet "$CONCELIER_MONGO_URI/$CONCELIER_DB" --eval "db.advisory_chunks.countDocuments({})"
    
  4. Dry-run rollback marker (no-op unless ENABLE_ROLLBACK=1 set):
    ENABLE_ROLLBACK=0 python scripts/concelier/backfill/rollback.py --manifest out/linksets/extracted/manifest.json
    

Rollback procedure

  • If validation fails, restore from preflight dump:
    mongorestore --uri "$CONCELIER_MONGO_URI" --drop out/backups/pre-run
    
  • If partial write detected, rerun mongoimport for the affected collection only with --mode=upsert.

Validation checklist

  • Hash of tarball matches recorded SHA-256.
  • Post-import counts align with manifest.json.
  • Linkset cursor pagination smoke test:
    dotnet test src/Concelier/StellaOps.Concelier.WebService.Tests --filter LinksetsEndpoint_SupportsCursorPagination
    
  • Storage metrics (if enabled) show non-zero concelier_storage_import_total for this window.
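
The first two checklist items as fail-closed shell functions. This is an added example, not part of the Concelier repository: the tarball digest is compared against the recorded SHA-256 before anything is extracted, and document counts are compared against expected values. The function names are hypothetical, and the expected counts are passed in by the operator because the layout of manifest.json is not shown in this runbook.

```shell
#!/bin/sh
# Added example: fail-closed checks for the backfill tarball and its counts.
# Function names are hypothetical; they are not part of the Concelier scripts.

# Print the digest in lowercase if it is exactly 64 hex characters.
normalize_sha256() {
  nh=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case $nh in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#nh}" -eq 64 ] || return 1
  printf '%s\n' "$nh"
}

# verify_tarball FILE RECORDED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on unusable recorded digest,
# 3 on unreadable file.
verify_tarball() {
  vt_want=$(normalize_sha256 "$2") || {
    echo "recorded value is not a SHA-256 digest; refusing to continue" >&2
    return 2
  }
  [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read $1" >&2; return 3; }
  # Hash via stdin so the output never carries an escaped file name.
  vt_got=$(sha256sum < "$1" | cut -d' ' -f1)
  [ "$vt_got" = "$vt_want" ] && return 0
  echo "SHA-256 mismatch for $1: got $vt_got" >&2
  return 1
}

# ndjson_count FILE: documents in an NDJSON file (non-blank lines).
# Prints nothing if the file is missing, which check_count treats as a failure.
ndjson_count() {
  grep -c '[^[:space:]]' -- "$1" 2>/dev/null || true
}

# check_count LABEL EXPECTED ACTUAL
# ACTUAL may come from ndjson_count or from the countDocuments output in step 3.
check_count() {
  for cc_n in "$2" "$3"; do
    case $cc_n in ''|*[!0-9]*)
      echo "$1: count is missing or not a number" >&2; return 2 ;;
    esac
  done
  [ "$2" -eq "$3" ] && return 0
  echo "$1: expected $2 documents, found $3" >&2
  return 1
}
```

Source the file and gate step 1 on it, for example `verify_tarball out/linksets/linksets-stage-backfill.tar.zst "$RECORDED_SHA256" && tar -xf ...`, where `RECORDED_SHA256` is a hypothetical variable holding the hash recorded in this file.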

Artefacts to record

  • Tarball SHA-256 and size.
  • manifest.json copy stored alongside tarball.
  • Import log (out/linksets/import.log) and validation results.
  • Decision: maintenance window and rollback outcome.

Owners

  • Concelier Storage Guild (Mongo)
  • AirGap/Backfill reviewers for sign-off