ns8_backup_monitor/repo_check.py

#!/usr/bin/env python3
"""
repo_check.py - Verifies reachability and health of NS8 backup repositories.

For each backup destination configured in the cluster, attempts a
`restic snapshots --last` command to verify the repo is accessible.
Distinguishes between:
  - UNREACHABLE: network/mount error, cannot connect at all
  - LOCKED:      restic repo is locked (previous backup crashed)
  - CORRUPTED:   repo exists but integrity check fails
  - OK:          repo is accessible

Handles NS8 multi-backend credentials:
  - local / fs:  path only
  - S3 / B2:     url + AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or
                 B2_ACCOUNT_ID / B2_ACCOUNT_KEY from Redis hash
  - SFTP:        url with sftp: prefix
  - rclone:      rclone: prefix
"""

import logging
import os
import subprocess
from typing import Optional

log = logging.getLogger(__name__)


def _redis_cmd(config: dict, *args) -> str:
    socket = config.get("redis", {}).get("socket", "/var/lib/nethserver/cluster/state/redis.sock")
    cmd = ["redis-cli", "-s", socket] + list(args)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return result.stdout.strip()


def _redis_hgetall(config: dict, key: str) -> dict:
    """Return all fields of a Redis hash as a dict."""
    socket = config.get("redis", {}).get("socket", "/var/lib/nethserver/cluster/state/redis.sock")
    cmd = ["redis-cli", "-s", socket, "HGETALL", key]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    lines = [l for l in result.stdout.strip().splitlines() if l]
    # redis-cli HGETALL returns alternating key/value lines
    return dict(zip(lines[::2], lines[1::2]))


def _get_backup_destinations(config: dict) -> list:
    """
    Read all configured backup destinations from NS8 Redis.
    Key pattern: cluster/backup_repository/<repo_id>/parameters
    Returns list of dicts with full repo config.
    """
    raw = _redis_cmd(config, "KEYS", "cluster/backup_repository/*/parameters")
    keys = [k for k in raw.splitlines() if k]
    destinations = []

    for key in keys:
        parts = key.split("/")
        repo_id = parts[2] if len(parts) > 2 else "unknown"
        fields = _redis_hgetall(config, key)
        destinations.append({
            "repo_id": repo_id,
            "url": fields.get("url", ""),
            "path": fields.get("path", ""),
            "password": fields.get("password", ""),
            "backend": fields.get("backend", ""),
            # S3 / B2 credentials
            "aws_access_key": fields.get("aws_access_key_id", fields.get("b2_account_id", "")),
            "aws_secret_key": fields.get("aws_secret_access_key", fields.get("b2_account_key", "")),
            # rclone / extra
            "rclone_config": fields.get("rclone_config", ""),
            "extra_env": fields.get("extra_env", ""),
        })

    return destinations


def _build_env(dest: dict) -> dict:
    """
    Build the environment dict for restic based on the backend type.
    Always inherits from os.environ so system-level creds are preserved.
    """
    env = dict(os.environ)
    backend = dest.get("backend", "").lower()

    if dest.get("password"):
        env["RESTIC_PASSWORD"] = dest["password"]

    if backend in ("s3", "aws") and dest.get("aws_access_key"):
        env["AWS_ACCESS_KEY_ID"] = dest["aws_access_key"]
        env["AWS_SECRET_ACCESS_KEY"] = dest["aws_secret_key"]

    elif backend in ("b2", "backblaze") and dest.get("aws_access_key"):
        env["B2_ACCOUNT_ID"] = dest["aws_access_key"]
        env["B2_ACCOUNT_KEY"] = dest["aws_secret_key"]

    elif backend == "rclone" and dest.get("rclone_config"):
        env["RCLONE_CONFIG"] = dest["rclone_config"]

    return env


def _check_restic_repo(dest: dict, config: dict) -> dict:
    """Run restic snapshots --last to verify repo is accessible."""
    timeout = config.get("repo_check", {}).get("timeout", 60)
    extra_flags = config.get("repo_check", {}).get("restic_flags", "")

    repo_url = dest.get("url") or dest.get("path") or ""
    if not repo_url:
        return {"repo_id": dest["repo_id"], "status": "UNCONFIGURED", "error": "No URL or path found"}

    cmd = ["restic", "-r", repo_url, "snapshots", "--last", "--no-cache"]
    if extra_flags:
        cmd += extra_flags.split()

    env = _build_env(dest)

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            timeout=timeout,
            env=env
        )
        stderr = result.stderr.lower()

        if result.returncode == 0:
            return {"repo_id": dest["repo_id"], "status": "OK", "error": ""}
        elif any(x in stderr for x in ("unable to open config", "no such file", "does not exist",
                                        "connection refused", "network", "timeout", "no route")):
            return {"repo_id": dest["repo_id"], "status": "UNREACHABLE", "error": result.stderr.strip()}
        elif "locked" in stderr or "lock" in stderr:
            return {"repo_id": dest["repo_id"], "status": "LOCKED", "error": result.stderr.strip()}
        elif "pack" in stderr and "error" in stderr:
            return {"repo_id": dest["repo_id"], "status": "CORRUPTED", "error": result.stderr.strip()}
        elif "error" in stderr or "fatal" in stderr:
            return {"repo_id": dest["repo_id"], "status": "ERROR", "error": result.stderr.strip()}
        else:
            return {"repo_id": dest["repo_id"], "status": "UNKNOWN", "error": result.stderr.strip()}

    except subprocess.TimeoutExpired:
        return {"repo_id": dest["repo_id"], "status": "UNREACHABLE", "error": f"Timeout after {timeout}s"}
    except FileNotFoundError:
        return {"repo_id": dest["repo_id"], "status": "ERROR", "error": "restic binary not found in PATH"}
    except Exception as e:
        return {"repo_id": dest["repo_id"], "status": "ERROR", "error": str(e)}


def check_repositories(config: dict, correlation: dict) -> dict:
    """
    Main entry point for repository check.

    Returns:
    {
        "destinations": [
            {"repo_id": ..., "status": OK|UNREACHABLE|LOCKED|CORRUPTED|ERROR, "error": ...},
            ...
        ],
        "any_unreachable": bool,
        "any_locked": bool,
        "all_ok": bool,
    }
    """
    destinations = _get_backup_destinations(config)

    if not destinations:
        log.warning("No backup destinations found in Redis")
        return {
            "destinations": [],
            "any_unreachable": True,
            "any_locked": False,
            "all_ok": False,
            "note": "No backup destinations configured or readable from Redis"
        }

    results = []
    for dest in destinations:
        log.info(f"Checking repository {dest['repo_id']} (backend={dest.get('backend','unknown')})...")
        res = _check_restic_repo(dest, config)
        log.info(f"  -> {res['status']}: {res.get('error', '')}")
        results.append(res)

    any_unreachable = any(r["status"] == "UNREACHABLE" for r in results)
    any_locked = any(r["status"] == "LOCKED" for r in results)
    all_ok = all(r["status"] == "OK" for r in results)

    return {
        "destinations": results,
        "any_unreachable": any_unreachable,
        "any_locked": any_locked,
        "all_ok": all_ok,
    }
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`#!/usr/bin/env python3`
			`"""`
			`repo_check.py - Verifies reachability and health of NS8 backup repositories.`

			`For each backup destination configured in the cluster, attempts a`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`restic snapshots --last` command to verify the repo is accessible.
			`Distinguishes between:`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`- UNREACHABLE: network/mount error, cannot connect at all`
			`- LOCKED: restic repo is locked (previous backup crashed)`
			`- CORRUPTED: repo exists but integrity check fails`
			`- OK: repo is accessible`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00
			`Handles NS8 multi-backend credentials:`
			`- local / fs: path only`
			`- S3 / B2: url + AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or`
			`B2_ACCOUNT_ID / B2_ACCOUNT_KEY from Redis hash`
			`- SFTP: url with sftp: prefix`
			`- rclone: rclone: prefix`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`"""`

			`import logging`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`import os`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`import subprocess`
			`from typing import Optional`

			`log = logging.getLogger(__name__)`


			`def _redis_cmd(config: dict, *args) -> str:`
			`socket = config.get("redis", {}).get("socket", "/var/lib/nethserver/cluster/state/redis.sock")`
			`cmd = ["redis-cli", "-s", socket] + list(args)`
			`result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)`
			`return result.stdout.strip()`


fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`def _redis_hgetall(config: dict, key: str) -> dict:`
			`"""Return all fields of a Redis hash as a dict."""`
			`socket = config.get("redis", {}).get("socket", "/var/lib/nethserver/cluster/state/redis.sock")`
			`cmd = ["redis-cli", "-s", socket, "HGETALL", key]`
			`result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)`
			`lines = [l for l in result.stdout.strip().splitlines() if l]`
			`# redis-cli HGETALL returns alternating key/value lines`
			`return dict(zip(lines[::2], lines[1::2]))`


feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`def _get_backup_destinations(config: dict) -> list:`
			`"""`
			`Read all configured backup destinations from NS8 Redis.`
			`Key pattern: cluster/backup_repository/<repo_id>/parameters`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`Returns list of dicts with full repo config.`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`"""`
			`raw = _redis_cmd(config, "KEYS", "cluster/backup_repository/*/parameters")`
			`keys = [k for k in raw.splitlines() if k]`
			`destinations = []`

			`for key in keys:`
			`parts = key.split("/")`
			`repo_id = parts[2] if len(parts) > 2 else "unknown"`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`fields = _redis_hgetall(config, key)`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`destinations.append({`
			`"repo_id": repo_id,`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`"url": fields.get("url", ""),`
			`"path": fields.get("path", ""),`
			`"password": fields.get("password", ""),`
			`"backend": fields.get("backend", ""),`
			`# S3 / B2 credentials`
			`"aws_access_key": fields.get("aws_access_key_id", fields.get("b2_account_id", "")),`
			`"aws_secret_key": fields.get("aws_secret_access_key", fields.get("b2_account_key", "")),`
			`# rclone / extra`
			`"rclone_config": fields.get("rclone_config", ""),`
			`"extra_env": fields.get("extra_env", ""),`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`})`

			`return destinations`


fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`def _build_env(dest: dict) -> dict:`
			`"""`
			`Build the environment dict for restic based on the backend type.`
			`Always inherits from os.environ so system-level creds are preserved.`
			`"""`
			`env = dict(os.environ)`
			`backend = dest.get("backend", "").lower()`

			`if dest.get("password"):`
			`env["RESTIC_PASSWORD"] = dest["password"]`

			`if backend in ("s3", "aws") and dest.get("aws_access_key"):`
			`env["AWS_ACCESS_KEY_ID"] = dest["aws_access_key"]`
			`env["AWS_SECRET_ACCESS_KEY"] = dest["aws_secret_key"]`

			`elif backend in ("b2", "backblaze") and dest.get("aws_access_key"):`
			`env["B2_ACCOUNT_ID"] = dest["aws_access_key"]`
			`env["B2_ACCOUNT_KEY"] = dest["aws_secret_key"]`

			`elif backend == "rclone" and dest.get("rclone_config"):`
			`env["RCLONE_CONFIG"] = dest["rclone_config"]`

			`return env`


feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`def _check_restic_repo(dest: dict, config: dict) -> dict:`
			`"""Run restic snapshots --last to verify repo is accessible."""`
			`timeout = config.get("repo_check", {}).get("timeout", 60)`
			`extra_flags = config.get("repo_check", {}).get("restic_flags", "")`

fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`repo_url = dest.get("url") or dest.get("path") or ""`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`if not repo_url:`
			`return {"repo_id": dest["repo_id"], "status": "UNCONFIGURED", "error": "No URL or path found"}`

			`cmd = ["restic", "-r", repo_url, "snapshots", "--last", "--no-cache"]`
			`if extra_flags:`
			`cmd += extra_flags.split()`

fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`env = _build_env(dest)`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00
			`try:`
			`result = subprocess.run(`
			`cmd,`
			`capture_output=True,`
			`text=True,`
			`timeout=timeout,`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`env=env`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`)`
			`stderr = result.stderr.lower()`

			`if result.returncode == 0:`
			`return {"repo_id": dest["repo_id"], "status": "OK", "error": ""}`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`elif any(x in stderr for x in ("unable to open config", "no such file", "does not exist",`
			`"connection refused", "network", "timeout", "no route")):`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`return {"repo_id": dest["repo_id"], "status": "UNREACHABLE", "error": result.stderr.strip()}`
			`elif "locked" in stderr or "lock" in stderr:`
			`return {"repo_id": dest["repo_id"], "status": "LOCKED", "error": result.stderr.strip()}`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`elif "pack" in stderr and "error" in stderr:`
			`return {"repo_id": dest["repo_id"], "status": "CORRUPTED", "error": result.stderr.strip()}`
			`elif "error" in stderr or "fatal" in stderr:`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`return {"repo_id": dest["repo_id"], "status": "ERROR", "error": result.stderr.strip()}`
			`else:`
			`return {"repo_id": dest["repo_id"], "status": "UNKNOWN", "error": result.stderr.strip()}`

			`except subprocess.TimeoutExpired:`
			`return {"repo_id": dest["repo_id"], "status": "UNREACHABLE", "error": f"Timeout after {timeout}s"}`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`except FileNotFoundError:`
			`return {"repo_id": dest["repo_id"], "status": "ERROR", "error": "restic binary not found in PATH"}`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`except Exception as e:`
			`return {"repo_id": dest["repo_id"], "status": "ERROR", "error": str(e)}`


			`def check_repositories(config: dict, correlation: dict) -> dict:`
			`"""`
			`Main entry point for repository check.`

			`Returns:`
			`{`
			`"destinations": [`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`{"repo_id": ..., "status": OK\|UNREACHABLE\|LOCKED\|CORRUPTED\|ERROR, "error": ...},`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`...`
			`],`
			`"any_unreachable": bool,`
			`"any_locked": bool,`
			`"all_ok": bool,`
			`}`
			`"""`
			`destinations = _get_backup_destinations(config)`

			`if not destinations:`
			`log.warning("No backup destinations found in Redis")`
			`return {`
			`"destinations": [],`
			`"any_unreachable": True,`
			`"any_locked": False,`
			`"all_ok": False,`
			`"note": "No backup destinations configured or readable from Redis"`
			`}`

			`results = []`
			`for dest in destinations:`
fix: repo_check - handle multi-backend NS8 credentials (B2, S3, SFTP, local) 2026-05-18 15:24:33 +00:00			`log.info(f"Checking repository {dest['repo_id']} (backend={dest.get('backend','unknown')})...")`
feat: add repository reachability and health check 2026-05-18 15:12:01 +00:00			`res = _check_restic_repo(dest, config)`
			`log.info(f" -> {res['status']}: {res.get('error', '')}")`
			`results.append(res)`

			`any_unreachable = any(r["status"] == "UNREACHABLE" for r in results)`
			`any_locked = any(r["status"] == "LOCKED" for r in results)`
			`all_ok = all(r["status"] == "OK" for r in results)`

			`return {`
			`"destinations": results,`
			`"any_unreachable": any_unreachable,`
			`"any_locked": any_locked,`
			`"all_ok": all_ok,`
			`}`