fix(backup): switch to binary SQLite snapshot, eliminate cross-table data smearing

The previous dump-conf-db produced gzipped text SQL via `sqlite3 .dump`
to a shared `tmp.dmp` with no locking. Concurrent cron invocations
interleaved their stdout into the same file, and the resulting archive
parsed as valid (but semantically wrong) SQL — values from one table
smeared into INSERTs of unrelated tables on restore. Symptom reported
from the field: rows from m_CustomFiles surfacing inside m_ConferenceRooms
and garbage in m_OutgoingRoutingTable after restoration.

dump-conf-db
- Use the SQLite online backup API (.backup) for a page-consistent
  binary snapshot instead of textual .dump. Eliminates the SQL
  parseability that made interleaving silently dangerous.
- Atomic mkdir-lock with PID published via tmp+rename inside the
  owned lock directory. Stale detection combines kill -0 with a
  /proc/<pid>/comm + /proc/<pid>/cmdline two-stage identity check
  to defeat PID reuse on long-uptime appliances.
- Stale-lock reclaim uses `mv lockDir lockDir.dead.\$\$` as the atomic
  arbiter — racing reclaimers can no longer both win and double-rm.
- Per-PID temporary artefacts; .publish.*.gz staged on the same FS
  as the final target and atomically renamed.
- WAL checkpointed before .backup; PRAGMA quick_check gates publish.
- Content dedup via md5 of logical .dump (binary pages differ each
  run due to internal counters). Dedup is bypassed when no archive
  exists on disk to prevent a poisoned .last_hash from permanently
  disabling backups.
- Defensive sweep of orphaned .publish.*.gz older than 60 minutes.
- Single timestamp captured once to avoid hourly/daily date drift.

SystemConfiguration::tryRestoreConf
- Magic-byte detection (SQLite format 3\0) on the gunzipped payload:
  binary snapshots are restored via atomic file copy, legacy SQL
  dumps via sqlite3 replay (backward compat for pre-fix archives).
- pickFreshestBackup prefers the newest BINARY archive across all
  mounted storage; legacy archives are chosen only when no binary
  is available — prevents regression to the smearing path on boxes
  with mixed-age archive directories.
- isBinaryArchive probes via popen+fread with a full pipe drain
  before pclose to avoid SIGPIPE-induced false "probe failed" warnings
  on every successful binary archive.
- Legacy SQL replay path emits LOG_WARNING so operators see the
  fallback in syslog and can audit data after boot.
- purgeConfDb removes the live DB and -wal/-shm/-journal sidecars
  via PHP glob+unlink (no shell glob, no rm).
- failRestore funnel: every failure path falls back to
  DEFAULT_CONFIG_DB with an explicit syslog reason; if the fallback
  copy itself fails it surfaces LOG_CRIT.
- Reboot loop guard via /var/run/conf-restored marker; @touch return
  checked and reboot is refused if the marker cannot be created.
- foreign_key_check runs as a WARN-only diagnostic post-restore.
- Hard prerequisite check on Util::which('gzip')/('sqlite3'); the
  guard uses str_contains('/') because Util::which falls back to the
  bare command name rather than an empty string when nothing is found.
- Operator breadcrumb (RESULT_SKIPPED + LOG_NOTICE) when no backup
  is found on any mounted storage.

Verified functionally in Docker (mikopbx/mikopbx-arm64:2026.1.21):
- Binary snapshot creation, dedup, atomic publish, lock contention
  (5 parallel runs), stale-lock reclaim (synthetic PID), and
  rotation all behave correctly.
- restoreFromArchive replays a real legacy SQL archive from
  boffart.miko.ru (2026-05-07_mikopbx.db.gz, 39 tables) and
  produces a quick_check-clean DB.
- pickFreshestBackup correctly picks an older binary archive over
  a newer legacy archive — confirms prefer-binary protection
  against re-introducing the smearing path on mixed shelves.
- Zero "gzip probe failed" entries in syslog after the drain-loop
  fix; LEGACY SQL warning emitted as expected on the legacy path.

Also sets executable bit on dump-conf-db (mode 100755 in index).

Author: boffart

src/Core/System/RootFS/sbin/dump-conf-db

@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # MikoPBX - free phone system for small business
-# Copyright © 2017-2022 Alexey Portnov and Nikolay Beketov
+# Copyright © 2017-2026 Alexey Portnov and Nikolay Beketov
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -16,61 +16,266 @@
 # You should have received a copy of the GNU General Public License along with this program.
 # If not, see <https://www.gnu.org/licenses/>.
 #
+# ----------------------------------------------------------------------------
+# Creates an online binary backup of the MikoPBX configuration database via
+# the SQLite ".backup" API. Produces a page-consistent snapshot that does
+# not block concurrent readers/writers and cannot smear data across tables
+# (unlike a textual ".dump" stream which is parseable as SQL and therefore
+# vulnerable to interleaving under race conditions).
+#
+# Invariants:
+#   1. Mutual exclusion across concurrent invocations: atomic mkdir-lock
+#      with stale-detection that distinguishes a live dump-conf-db from
+#      an unrelated process that has inherited the same PID after reuse.
+#   2. The PID inside the lock directory is published atomically (tmp+mv)
+#      so a racing reader can never observe an empty pid file.
+#   3. Temporary artefacts are PID-suffixed so a crashed previous run
+#      cannot poison the next invocation.
+#   4. The gzipped archive is staged as a .part file and atomically
+#      renamed into place — readers never observe a half-written gz.
+#   5. WAL is checkpointed before .backup so the snapshot reflects all
+#      committed transactions.
+#   6. Snapshots are validated (PRAGMA quick_check) before being kept.
+#   7. Content deduplication uses md5 of the LOGICAL .dump (binary
+#      pages always differ due to internal counters). If on-disk
+#      archives are absent, dedup is bypassed — this prevents a
+#      poisoned .last_hash from permanently disabling backups.
+# ----------------------------------------------------------------------------
 
-# Extract the media mount point from the configuration file
-confBackupDir="$(/bin/busybox grep "confBackupDir" < /etc/inc/mikopbx-settings.json | /bin/busybox cut -f 4 -d '"')";
+# === Configuration ===
 
-# Extract the path to the database from the configuration file
-dbPath="$(/bin/busybox grep "mikopbx.db" < /etc/inc/mikopbx-settings.json | /bin/busybox cut -f 4 -d '"')";
+confBackupDir="$(/bin/busybox grep 'confBackupDir' < /etc/inc/mikopbx-settings.json | /bin/busybox cut -f 4 -d '"')"
+dbPath="$(/bin/busybox grep 'mikopbx.db' < /etc/inc/mikopbx-settings.json | /bin/busybox cut -f 4 -d '"')"
 
-# Define the backup directory path
 backupDir="${confBackupDir}"
-
-# Catalog for daily backups
 backupDirDay="${confBackupDir}/day"
 
-# Ensure the backup directory exists
-mkdir -p "$backupDirDay";
+if ! /bin/busybox mkdir -p "$backupDirDay" 2>/dev/null; then
+    /bin/busybox logger -t dump-conf-db "ERROR: cannot create $backupDirDay (storage not mounted?)"
+    exit 1
+fi
 
-# Restrict backup file permissions to root only (prevent nginx/www from reading)
-umask 077;
+# Restrict backup readability — these files may contain credential hashes.
+umask 077
 
-# A file for temporary storage of a backup copy
-tmpBackup="$backupDir/tmp.dmp";
-/usr/bin/sqlite3 "$dbPath" .dump > "$tmpBackup";
+# === Atomic mkdir-lock with hardened stale detection ===
+#
+# Race-safe lock acquisition:
+#   1. mkdir is the single arbiter — if it fails, somebody else holds the lock.
+#   2. PID is published via tmp + mv so a reader never observes an empty file.
+#   3. Stale detection checks both liveness (kill -0) AND identity
+#      (/proc/<pid>/comm) to defeat PID reuse on long-uptime appliances.
 
-# Calculate the MD5 checksum of the database dump
-md5="$(/bin/busybox cat "$tmpBackup" | /bin/gzip -c | /usr/bin/md5sum | cut -f 1 -d ' ')" ;
+lockDir="$backupDir/.dump-conf-db.lock"
 
-# Check if a backup with the same MD5 checksum already exists
-/usr/bin/md5sum "$backupDir"/*_mikopbx.db.gz | /bin/busybox grep "$md5"> /dev/null 2> /dev/null
-result="$?"
+acquire_lock() {
+    /bin/busybox mkdir "$lockDir" 2>/dev/null || return 1
+    # Publish PID atomically inside the directory we already own.
+    echo "$$" > "$lockDir/pid.tmp"
+    /bin/busybox mv "$lockDir/pid.tmp" "$lockDir/pid"
+    return 0
+}
 
-# If no matching backup is found, create a new backup
-if [ "$result" = "1" ];then
-  /bin/busybox cat "$tmpBackup"  | /bin/gzip -c > "$backupDir/$(date '+%Y-%m-%d_h%H_m%M_s%S')_mikopbx.db.gz"
-fi;
+# Returns 0 if the held lock is stale (safe to break), 1 if it is live.
+#
+# Two-stage identity check defeats PID reuse on long-uptime appliances:
+#   1) /proc/<pid>/comm matches our binary basename exactly → live.
+#   2) For generic shell names (sh/ash/bash/busybox) — which are too common
+#      to be conclusive — additionally inspect /proc/<pid>/cmdline for the
+#      "dump-conf-db" substring. Only then accept as live.
+lock_is_stale() {
+    pidFile="$lockDir/pid"
 
-# Remove the oldest backups, keeping only the 5 most recent ones
-(
-  cd "$backupDir" || exit;
-  /bin/busybox ls -1tr | grep 'db.gz' | /bin/busybox head -n-5 | /bin/xargs /bin/busybox rm 2> /dev/null
-)
+    # No pid file yet → very fresh lock held by a racing acquirer; respect it.
+    [ ! -f "$pidFile" ] && return 1
+
+    oldPid="$(/bin/busybox cat "$pidFile" 2>/dev/null)"
+    [ -z "$oldPid" ] && return 1
+
+    # Process is gone → certainly stale.
+    if ! /bin/busybox kill -0 "$oldPid" 2>/dev/null; then
+        return 0
+    fi
+
+    comm="$(/bin/busybox cat "/proc/$oldPid/comm" 2>/dev/null)"
+    case "$comm" in
+        dump-conf-db)
+            return 1
+            ;;
+        sh|ash|bash|busybox)
+            # Generic shell name — verify the actual command line.
+            cmdline="$(/bin/busybox cat "/proc/$oldPid/cmdline" 2>/dev/null \
+                     | /bin/busybox tr '\0' ' ')"
+            case "$cmdline" in
+                *dump-conf-db*) return 1 ;;  # live (script under a shell)
+                *)              return 0 ;;  # PID reused by an unrelated shell
+            esac
+            ;;
+        *)
+            return 0  # PID reused by unrelated process
+            ;;
+    esac
+}
+
+# Reclaim a stale lock atomically.
+#
+# Naive `rm -rf "$lockDir"; mkdir "$lockDir"` is racy: two reclaimers can
+# both observe "stale", both rm, the first one's fresh mkdir gets blown
+# away by the second's rm. mv is atomic at the FS level — only one
+# reclaimer succeeds, the other observes ENOENT and defers.
+reclaim_stale_lock() {
+    deadDir="$lockDir.dead.$$"
+    if /bin/busybox mv "$lockDir" "$deadDir" 2>/dev/null; then
+        /bin/busybox rm -rf "$deadDir"
+        return 0
+    fi
+    return 1
+}
+
+if ! acquire_lock; then
+    if lock_is_stale; then
+        if reclaim_stale_lock; then
+            /bin/busybox logger -t dump-conf-db \
+                "WARN: reclaimed stale lock (pid=$oldPid comm=$comm)"
+            if ! acquire_lock; then
+                /bin/busybox logger -t dump-conf-db \
+                    "INFO: lost acquire race after reclaim, exiting"
+                exit 0
+            fi
+        else
+            # Another reclaimer won the atomic rename — defer to them.
+            /bin/busybox logger -t dump-conf-db \
+                "INFO: stale-reclaim lost to a concurrent reclaimer, exiting"
+            exit 0
+        fi
+    else
+        # A genuine concurrent run owns the lock; skip this tick quietly.
+        exit 0
+    fi
+fi
+
+# Per-PID artefacts — uniquely owned by THIS invocation regardless of races.
+tmpBackup="$backupDir/.tmp.$$.db"
+tmpCompressed="$backupDir/.tmp.$$.db.gz"
+hourlyPart="$backupDir/.publish.$$.hourly.gz"
+dailyPart="$backupDirDay/.publish.$$.daily.gz"
+
+cleanup() {
+    /bin/busybox rm -f "$tmpBackup" "$tmpCompressed" "$hourlyPart" "$dailyPart"
+    /bin/busybox rm -rf "$lockDir"
+}
+trap cleanup EXIT INT TERM HUP
+
+# === Flush WAL into the main file so the .backup snapshot is current ===
+
+/usr/bin/sqlite3 "$dbPath" "PRAGMA wal_checkpoint(TRUNCATE);" >/dev/null 2>&1
+
+# === Create a consistent binary snapshot, capture stderr for diagnostics ===
+
+if ! backupErr="$(/usr/bin/sqlite3 "$dbPath" ".backup '$tmpBackup'" 2>&1 >/dev/null)"; then
+    /bin/busybox logger -t dump-conf-db "ERROR: sqlite3 .backup failed: $backupErr"
+    exit 1
+fi
 
-# Daily backup
-# Check if a backup with the same MD5 checksum already exists
-/usr/bin/md5sum "$backupDirDay"/*_mikopbx.db.gz | /bin/busybox grep "$md5"> /dev/null 2> /dev/null
-result="$?"
+# === Validate snapshot — quick_check is sufficient pre-publish and bounded ===
 
-# If no matching backup is found, create a new backup
-if [ "$result" = "1" ];then
-  /bin/busybox cat "$tmpBackup" | /bin/gzip -c > "$backupDirDay/$(date '+%Y-%m-%d')_mikopbx.db.gz"
-fi;
+quickCheck="$(/usr/bin/sqlite3 "$tmpBackup" "PRAGMA quick_check;" 2>/dev/null | /bin/busybox head -n 1)"
+if [ "$quickCheck" != "ok" ]; then
+    /bin/busybox logger -t dump-conf-db "ERROR: quick_check failed: $quickCheck"
+    exit 1
+fi
+
+# === Content-based deduplication with poisoned-hash recovery ===
+#
+# The hash is computed over the LOGICAL .dump of the snapshot (which is
+# isolated from concurrent writers, so the smearing risk on the live DB
+# is irrelevant here). If, for any reason, every on-disk archive has
+# been removed but .last_hash remains, treat the hash as void and
+# force a backup — otherwise the file would silently disable us forever.
+
+contentHash="$(/usr/bin/sqlite3 "$tmpBackup" .dump | /usr/bin/md5sum | /bin/busybox cut -f 1 -d ' ')"
+if [ -z "$contentHash" ]; then
+    /bin/busybox logger -t dump-conf-db \
+        "WARN: empty content hash — sqlite3 .dump or md5sum returned nothing"
+fi
+lastHashFile="$backupDir/.last_hash"
+prevHash=""
+[ -r "$lastHashFile" ] && prevHash="$(/bin/busybox cat "$lastHashFile" 2>/dev/null)"
+
+archivesPresent=0
+for existing in "$backupDir"/*_mikopbx.db.gz "$backupDirDay"/*_mikopbx.db.gz; do
+    if [ -f "$existing" ]; then
+        archivesPresent=1
+        break
+    fi
+done
+
+if [ "$archivesPresent" = "1" ] \
+   && [ -n "$contentHash" ] \
+   && [ "$contentHash" = "$prevHash" ]; then
+    # Identical content AND we already have at least one archive on disk.
+    exit 0
+fi
+
+# === Compress the snapshot once ===
+
+if ! /bin/gzip -c "$tmpBackup" > "$tmpCompressed"; then
+    /bin/busybox logger -t dump-conf-db "ERROR: gzip failed"
+    exit 1
+fi
+
+# === Atomic publish: stage in same FS as target, then rename ===
+
+# Capture the timestamp once so an unlucky second-boundary crossing
+# can't make the hourly and daily filenames disagree on the date.
+ts_full="$(/bin/busybox date '+%Y-%m-%d_h%H_m%M_s%S')"
+ts_day="${ts_full%%_h*}"
+
+hourlyFile="$backupDir/${ts_full}_mikopbx.db.gz"
+dailyFile="$backupDirDay/${ts_day}_mikopbx.db.gz"
+
+if ! /bin/busybox cp "$tmpCompressed" "$hourlyPart"; then
+    /bin/busybox logger -t dump-conf-db "ERROR: cp $tmpCompressed -> $hourlyPart failed"
+    exit 1
+fi
+if ! /bin/busybox mv "$hourlyPart" "$hourlyFile"; then
+    /bin/busybox logger -t dump-conf-db "ERROR: mv hourly publish failed"
+    exit 1
+fi
+
+if ! /bin/busybox cp "$tmpCompressed" "$dailyPart"; then
+    /bin/busybox logger -t dump-conf-db "ERROR: cp $tmpCompressed -> $dailyPart failed"
+    exit 1
+fi
+if ! /bin/busybox mv "$dailyPart" "$dailyFile"; then
+    /bin/busybox logger -t dump-conf-db "ERROR: mv daily publish failed"
+    exit 1
+fi
+
+# Persist content hash only after both artefacts are visible.
+echo "$contentHash" > "$lastHashFile"
+
+# === Rotation: keep last 5 hourly, last 7 daily ===
 
-# Remove the oldest backups, keeping only the 5 most recent ones
 (
-  cd "$backupDirDay" || exit;
-  /bin/busybox ls -1tr | /bin/busybox head -n-7 | /bin/xargs /bin/busybox rm 2> /dev/null
+    cd "$backupDir" 2>/dev/null || exit 0
+    /bin/busybox ls -1tr 2>/dev/null \
+        | /bin/busybox grep '_mikopbx\.db\.gz$' \
+        | /bin/busybox head -n -5 \
+        | /bin/busybox xargs /bin/busybox rm -f 2>/dev/null
 )
 
-rm -rf "$tmpBackup";
+(
+    cd "$backupDirDay" 2>/dev/null || exit 0
+    /bin/busybox ls -1tr 2>/dev/null \
+        | /bin/busybox grep '_mikopbx\.db\.gz$' \
+        | /bin/busybox head -n -7 \
+        | /bin/busybox xargs /bin/busybox rm -f 2>/dev/null
+)
+
+# Defensive sweep — stale .publish.*.gz left by crashes (own cleanup() handles
+# OUR crash, but a hard kill -9 can still leave files behind).
+/bin/busybox find "$backupDir" "$backupDirDay" -maxdepth 1 -type f \
+    -name '.publish.*.gz' -mmin +60 -delete 2>/dev/null
+
+exit 0