From 996bdfc9b6706c352ce104a7f19a2b3a38f361b8 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 17 Apr 2026 08:20:55 +0000 Subject: [PATCH] [technitium] Uninstall MySQL+SQLite query log plugins instead of just disabling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Context Disabling MySQL/SQLite query logging via config was not durable — Technitium re-enables disabled plugins on pod restart, causing 46 GB/day of writes to the standalone MySQL (15M inserts to technitium.dns_logs between CronJob runs). ## This change: The password-sync CronJob now UNINSTALLS MySQL and SQLite query log plugins via `/api/apps/uninstall` instead of setting `enableLogging:false`. This is permanent — the plugin files are removed from the PVC, so they can't re-enable on restart. The CronJob checks if the plugins are present first (idempotent). Only PostgreSQL query logging remains (90-day retention). Co-Authored-By: Claude Opus 4.6 (1M context) --- stacks/technitium/modules/technitium/main.tf | 40 ++++++++++++-------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf index e5cd5a24..b2d51008 100644 --- a/stacks/technitium/modules/technitium/main.tf +++ b/stacks/technitium/modules/technitium/main.tf 
@@ -481,34 +481,42 @@ resource "kubernetes_cron_job_v1" "technitium_password_sync" { TOKEN=$$(curl -sf "http://technitium-web:5380/api/user/login?user=$$TECH_USER&pass=$$TECH_PASS" | grep -o '"token":"[^"]*"' | cut -d'"' -f4) if [ -z "$$TOKEN" ]; then echo "Login failed"; exit 1; fi - # Disable SQLite query logging (eliminates ~18 GB/day write amplification on encrypted PVC) - SQLITE_CONFIG="{\"enableLogging\":false,\"maxLogDays\":0,\"maxLogRecords\":0}" - curl -sf -X POST "http://technitium-web:5380/api/apps/config/set?token=$$TOKEN" --data-urlencode "name=Query Logs (Sqlite)" --data-urlencode "config=$$SQLITE_CONFIG" - echo "SQLite logging disabled on primary" + # Uninstall MySQL + SQLite query log plugins if present. + # These must be REMOVED, not just disabled — Technitium re-enables + # disabled plugins on pod restart, causing 46+ GB/day of writes. + # Only PostgreSQL query logging should remain. + APPS=$$(curl -sf "http://technitium-web:5380/api/apps/list?token=$$TOKEN") + if echo "$$APPS" | grep -q 'Query Logs (MySQL)'; then + curl -sf -X POST "http://technitium-web:5380/api/apps/uninstall?token=$$TOKEN&name=Query%20Logs%20(MySQL)" + echo "MySQL query log plugin UNINSTALLED" + else + echo "MySQL query log plugin already absent" + fi + if echo "$$APPS" | grep -q 'Query Logs (Sqlite)'; then + curl -sf -X POST "http://technitium-web:5380/api/apps/uninstall?token=$$TOKEN&name=Query%20Logs%20(Sqlite)" + echo "SQLite query log plugin UNINSTALLED" + else + echo "SQLite query log plugin already absent" + fi - # Disable MySQL query logging - MYSQL_CONFIG="{\"enableLogging\":false,\"maxQueueSize\":1000000,\"maxLogDays\":30,\"maxLogRecords\":0,\"databaseName\":\"technitium\",\"connectionString\":\"Server=mysql.dbaas.svc.cluster.local; Port=3306; Uid=technitium; Pwd=$$DB_PASSWORD;\"}" - curl -sf -X POST "http://technitium-web:5380/api/apps/config/set?token=$$TOKEN" --data-urlencode "name=Query Logs (MySQL)" --data-urlencode "config=$$MYSQL_CONFIG" - echo "MySQL logging 
disabled" - - # Check PG plugin is loaded (installed persistently in Technitium data dir) - PG_LOADED=$$(curl -sf "http://technitium-web:5380/api/apps/list?token=$$TOKEN" | grep -c 'QueryLogsPostgres.App' || true) - if [ "$$PG_LOADED" = "0" ]; then + # Ensure PG plugin is loaded + if ! echo "$$APPS" | grep -q 'Query Logs (Postgres)'; then echo "WARNING: PG plugin not loaded — reinstall manually via Technitium UI" fi - # Configure PG query logging + # Configure PG query logging (updates password from Vault rotation) PG_CONFIG="{\"enableLogging\":true,\"maxQueueSize\":1000000,\"maxLogDays\":90,\"maxLogRecords\":0,\"databaseName\":\"technitium\",\"connectionString\":\"Host=${var.postgresql_host}; Port=5432; Username=technitium; Password=$$DB_PASSWORD;\"}" curl -sf -X POST "http://technitium-web:5380/api/apps/config/set?token=$$TOKEN" --data-urlencode "name=Query Logs (Postgres)" --data-urlencode "config=$$PG_CONFIG" echo "PG logging configured on primary" - # Disable SQLite on secondary and tertiary instances + # Uninstall MySQL/SQLite on secondary and tertiary instances too for INST in http://technitium-secondary-web:5380 http://technitium-tertiary-web:5380; do echo "Configuring $$INST" R_TOKEN=$$(curl -sf "$$INST/api/user/login?user=$$TECH_USER&pass=$$TECH_PASS" | grep -o '"token":"[^"]*"' | cut -d'"' -f4) if [ -z "$$R_TOKEN" ]; then echo "Login failed for $$INST, skipping"; continue; fi - curl -sf -X POST "$$INST/api/apps/config/set?token=$$R_TOKEN" --data-urlencode "name=Query Logs (Sqlite)" --data-urlencode "config=$$SQLITE_CONFIG" || echo "WARN: SQLite plugin not present on $$INST" - echo "SQLite logging disabled on $$INST" + R_APPS=$$(curl -sf "$$INST/api/apps/list?token=$$R_TOKEN") + echo "$$R_APPS" | grep -q 'Query Logs (MySQL)' && curl -sf -X POST "$$INST/api/apps/uninstall?token=$$R_TOKEN&name=Query%20Logs%20(MySQL)" && echo "MySQL uninstalled on $$INST" + echo "$$R_APPS" | grep -q 'Query Logs (Sqlite)' && curl -sf -X POST 
"$$INST/api/apps/uninstall?token=$$R_TOKEN&name=Query%20Logs%20(Sqlite)" && echo "SQLite uninstalled on $$INST" done echo "Password sync complete" EOT
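Review bot: A failed or empty `/api/apps/list` response is reported as "already absent", because `APPS=$$(curl -sf ...)` is never checked: when the call fails, both `grep -q` tests miss and the job logs a clean run while the MySQL and SQLite plugins stay installed. On the primary, the "UNINSTALLED" echo does not depend on the uninstall curl's result as far as the hunk shows (no `set -e` is visible; the heredoc and the resource block start and end outside the hunk), and the replica loop prints nothing when the uninstall call fails. I would fail closed with `APPS=$$(curl -sf "http://technitium-web:5380/api/apps/list?token=$$TOKEN") || { echo "apps/list failed"; exit 1; }`, and print the success message only after checking the response body for `"status":"ok"`, assuming the API reports errors in the JSON body rather than the HTTP status that `-f` looks at. Separately, the new calls carry the session token in the URL over plain HTTP; if the API accepts it as a form field, `--data-urlencode "token=$$TOKEN"` would keep it out of request logs.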