Posted by perusio on December 19, 2010 at 6:25pm
Hello,
I've just set up a github repo with a couple of drush extra commands for providing secure and compressed SQL dumps.
The secure version uses openssl for encrypting the compressed dump. I thought this might be of use to someone, and who knows, the drush team can find it interesting enough to be included in the official release ;)
Thanks,
António

Comments
Nice work. I actually put
Nice work. I actually put --gzip into core drush (less customizable than your command).
Encryption is tricky enough that I am not putting that in core for right now.
Thanks Moshe
You're right, encryption is sort of a can of worms. I opted for openssl because of the fact that it's an established project, available in most UNIX systems, therefore providing a good toolbox for handling encryption without being afraid of some bug in the crypto algorithm that makes it vulnerable.
Perhaps using mcrypt is an avenue worth exploring.
There's also an openssl module, but it requires PHP ≥ 5.3 and is mostly undocumented right now.
I tried to use mcrypt a while
I tried to use mcrypt a while back and had a ton of problems -- but that was because I wanted to encrypt in php and decrypt in C. I never got the two libraries to line up; maybe they're incompatible. I thought that the openssl module might have been easier to use and more compatible on the PHP / C front, but I didn't want to require PHP 5.3. mcrypt might not be too bad for your purposes, since it would be PHP-to-PHP encryption/decryption, which isn't too hard to get working. Might be worth looking at.
An openssl-solution could go in drush_extras. I haven't had the time to look at your commands yet, though. Once I finish the refactoring in http://drupal.org/node/716412, it might be possible to add compression / encryption as a hook (e.g. post-dump and pre-import). Then you could have your code outside of core still work as if they were in core.
Yes
I was afraid of existing problems between C and PHP. So I aimed for the lowest common denominator: openssl CLI client.
I like the idea of hooks very much. It's IMHO one of the things that I find great in Drupal. Since drush is a toolkit for managing Drupal sites, I think the idea of user defined hooks that extend the command without the need to create a new command is a great idea. I thought about that. I wanted to know if it was possible to run a hook after issuing a drush sql-dump and get it compressed and written to a given location. I browsed through the code very briefly and it didn't seem to be supported. Perhaps I'm wrong.
I definitely think that creating for Drush a system like emacs hooks will allow each drush user to extend the commands without the need to become privy to the drush API.
Just an idea.
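The approach described in the comment above (compress the dump, then encrypt it with the openssl CLI client), as an added example that is not part of the thread and is not the code from perusio's drush commands. It assumes OpenSSL 1.1.1 or later, AES-256-CBC with PBKDF2 and a passphrase file; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): gzip + openssl-encrypted SQL dump.
# Assumptions: OpenSSL >= 1.1.1 (-pbkdf2), AES-256-CBC, passphrase kept in a
# file so it never shows up in the process list or shell history.
CIPHER_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"

# decrypt_dump PASSFILE INFILE: plaintext SQL on stdout, non-zero on failure.
decrypt_dump() {
  openssl enc -d $CIPHER_OPTS -pass "file:$1" -in "$2" 2>/dev/null | gzip -dc 2>/dev/null
}

# encrypt_dump PASSFILE OUTFILE: reads SQL on stdin (e.g. from drush sql-dump).
encrypt_dump() {
  ( umask 077                      # ciphertext readable by its owner only
    gzip -9 | openssl enc $CIPHER_OPTS -salt -pass "file:$1" -out "$2.tmp"
  ) || { rm -f "$2.tmp"; return 1; }
  # Test-decrypt before publishing the file: a backup that cannot be read back
  # is worthless. CBC is unauthenticated; the gzip CRC only catches accidental
  # corruption, so store the file where it cannot be tampered with.
  if decrypt_dump "$1" "$2.tmp" >/dev/null; then
    mv "$2.tmp" "$2"
  else
    rm -f "$2.tmp"; return 1
  fi
}

# Round trip on a constructed one-line dump; returns 0 only if every check holds.
roundtrip_demo() {
  dir=$(mktemp -d) || return 1
  sql='INSERT INTO users VALUES (1, "admin", "constructed-sample-hash");'
  printf 'correct horse (constructed passphrase)\n' > "$dir/pass"
  printf 'a different passphrase\n' > "$dir/wrong"
  rc=0
  printf '%s\n' "$sql" | encrypt_dump "$dir/pass" "$dir/dump.sql.gz.enc" || rc=1
  [ "$(decrypt_dump "$dir/pass" "$dir/dump.sql.gz.enc")" = "$sql" ] || rc=1
  # The wrong passphrase must fail, and no plaintext may be on disk.
  decrypt_dump "$dir/wrong" "$dir/dump.sql.gz.enc" >/dev/null && rc=1
  grep -q 'constructed-sample-hash' "$dir/dump.sql.gz.enc" && rc=1
  rm -rf "$dir"
  return $rc
}

roundtrip_demo && echo "round trip OK"
```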
Yes, if you have a file
Yes, if you have a file called encrypt.drush.inc, and inside it you define function drush_encrypt_post_sql_dump(...), then your hook will be called at the end of every sql-dump command. The problem is, though, that sql-sync does not call drush_invoke to dump the database, it just calls the sql dump function directly, so hooks don't work here. Also, at the moment, there is no sql-import command, so there's nothing to hook. That is what #716412 aims to fix. However, that won't happen until drush-5.
Yes indeed
It's documented in the docs/drush.api.php file. It certainly needs to be further promoted since it's a great feature. People can begin to share code snippets for extending drush commands, just like there are a gazillion emacs customizations out there that extend a certain mode.
No big stretch to hook it up with some testing. Let's say you update Views in your site and want to make sure that everything works in order to push the update to the staging/production/live site. You issue a drush up views and as a post-command hook we run the test and invoke a rollback hook to revert the changes done if the test fails. It can be hooked up with a SCM like git.
It can be used to create a custom CI setup.