3.0 KiB
DR Audit Findings — Jul 11, 2026
Backup Pipeline Failure
Trigger: Daily full backup (1 AM UTC) and root-essentials backup (3 AM UTC) both failed silently on Jul 11.
Root cause: hermes-backup.sh was missing source /opt/awscli-venv/bin/activate. The aws command is only available inside the virtualenv at /opt/awscli-venv/. In cron's minimal PATH (/usr/bin:/bin), aws is not found. The root-essentials-backup.sh script HAS the venv activation line but also failed — likely the same issue or a system-level path problem for tar appends.
Evidence from journalctl:
Jul 11 01:00:46 core hermes-full-backup[19447]: /root/.hermes/scripts/hermes-backup.sh: line 215: aws: command not found
Fix applied (Jul 11, 07:30 UTC):
# Added after "set -euo pipefail" in hermes-backup.sh:
if [ -f /opt/awscli-venv/bin/activate ]; then
source /opt/awscli-venv/bin/activate
fi
Verification: Manual backup ran successfully after fix — 541 MB tarball uploaded to s3://hermes-vps-backups/hermes-full-backup/hermes-full-backup-2026-07-11.tar.gz.
Standby Server Disk Crisis
Finding: app1-bu (5.161.114.8) disk at 97% — only 1.2 GB free on 38 GB root partition.
Impact: If Core had failed, the standby wouldn't have had disk space to complete a failover (state.db is ~1.9 GB, plus logs and temp files). The watchdog script would crash mid-sync.
Required cleanup (not yet performed):
ssh -i /root/.ssh/itpp-infra root@5.161.114.8 "
apt-get clean && apt-get autoremove --purge -y
journalctl --vacuum-size=200M
> /var/log/hermes-standby-sync.log
docker system prune -a -f 2>/dev/null || true
df -h /
"
Target: at least 5 GB free.
Backup Integrity Verification Workflow
The Jul 11 audit established a reliable pattern for verifying backup integrity:
- List S3 to find the latest tarball
- Download it to
/tmp/withaws s3 cp - Test with
tar tzf(not justaws s3 ls) - Report file count and any corruption
- Clean up the local copy
This catches silent failures that S3 listing alone misses. The audit watchdog (backup-audit-check.sh) only checks that a file EXISTS — a zero-byte or corrupted tarball passes that check.
Restore Plan Template
When an incident requires a restore plan, structure it with these sections:
- Pre-Restore Assessment — backup status table, standby status, system health, dependency inventory
- Recovery Path A — In-place fix (preferred when system is running)
- Recovery Path B — Failover to standby (when Core is unreachable)
- Recovery Path C — Full rebuild from backup tarball (when OS is corrupted)
- Post-Restore Verification Checklist — Hermes, web services, model access, email, backups, standby
- Critical Fixes — any permanent fixes needed to prevent recurrence
- Team Contact & Escalation — who to call and when
- Rollback Plan — how to undo the restore if it makes things worse
See /root/.hermes/references/restore-plan-2026-07-11.md for the complete worked example.