Add offline backup for foremanctl

[sjha4]

Implements comprehensive offline backup functionality for Foreman deployments:

• Backs up all databases (foreman, candlepin, pulp, 5 IOP DBs)
• Backs up foremanctl state
• Includes metadata with container image digests for restore compatibility
• Preflight checks for running tasks and database integrity (amcheck)
• Automatic service restoration on failure

Why are you introducing these changes? (Problem description, related links)

What are the changes introduced in this pull request?

• Offline backup

How to test this pull request

I got a foremanctl box with normal deploy. On this box, clone foremanctl repo and checkout this branch.
cd /root/foremanctl
source .venv/bin/activate
export OBSAH_STATE=/var/lib/foremanctl

Then try ./foremanctl --help

Also,

(.venv) [root@ip-10-0-167-40 foremanctl]# ./foremanctl backup  --help
usage: foremanctl backup [-h] [-v] [--incremental] [--online] [--skip-pulp-content] [--tar-volume-size TAR_VOLUME_SIZE] [--wait-for-tasks]
                         backup_dir

Create offline backup of Foreman databases and configuration

positional arguments:
  backup_dir            Directory where backup files will be stored

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbose output
  --incremental         Perform incremental backup (not yet implemented)
  --online              Perform online backup without stopping services (not yet implemented)
  --skip-pulp-content   Skip Pulp content directory backup (not yet implemented)
  --tar-volume-size TAR_VOLUME_SIZE
                        Split tar archives at specified size in MB (not yet implemented, for Pulp content only)
  --wait-for-tasks      Wait for running tasks to complete instead of failing immediately

The help section has placeholders for incremental, online and --tar-volume-size which will be implemented in follow up cards/PRs.

You can run :
Command:

cd /root/foremanctl
source .venv/bin/activate
export OBSAH_STATE=/var/lib/foremanctl
./foremanctl backup /var/tmp/foreman-backup-test --wait-for-tasks

I have a dummy restore script which can be used for testing and also getting steps to run manually when testing.:

Download the script

wget https://gist.githubusercontent.com/sjha4/35d98b318f15753a678a406fb0fb14ad/raw/test-restore-final.sh

Make it executable

chmod +x test-restore-final.sh

Run restore

./test-restore-final.sh /path/to/backup/foreman-backup-TIMESTAMP

Steps to reproduce:

• On a foremanctl box, run foremanctl backup BACKUP_DIR

Checklist

• Tests added/updated (if applicable)
• Documentation updated (if applicable)

[ianballou]

I did an automated test run, take these with a grain of salt, but I wanted to post early in case they're real for extra time to test and fix.

Firstly, the DBs did get backed up, so awesome, but there were some hiccups that stopped the full process from running:

Bug #1: podman_network.yaml fails when no custom networks exist

File: src/playbooks/backup/tasks/podman_network.yaml
Severity: Blocker — prevents backup from completing
Description: The shell command podman network ls --format '{{.Name}}' | grep -v '^podman$' | while read net; do ... returns exit code 1 when there are no custom networks, because grep -v finds no matching lines.
Fix: Add || true after the grep, or use a different approach:

# Option A: tolerate empty result
  failed_when: networks_json.rc not in [0, 1]

# Option B: check first, skip if no custom networks

Bug #2: Wrong Foreman tasks API endpoint

File: src/playbooks/backup/tasks/preflight.yaml
Severity: High — preflight silently skips running task detection
Description: Uses https://{{ fqdn }}/api/v2/tasks?state=running which returns 404. The correct endpoint is https://{{ fqdn }}/foreman_tasks/api/tasks?state=running&search=state%3Drunning. Because failed_when: false is set, the error is silently ignored.
Impact: Backups will proceed even with running Foreman tasks, risking data inconsistency.

Bug #3: pg_isready and pg_dump not available on host

... I cut the output here, I'm not sure why these commands weren't on my box. It's not related to this PR I don't think.

Bug #4: Hardcoded parameters.yaml path in metadata task

File: src/playbooks/backup/tasks/metadata.yaml
Severity: Low — affects metadata accuracy only
Description: ansible.builtin.slurp reads from /var/lib/foremanctl/parameters.yaml but foremanctl's state directory is configurable via OBSAH_STATE. In dev/vagrant setups, the actual path is different (e.g., /vagrant/.var/lib/foremanctl/parameters.yaml).
Impact: enabled_features: [] in metadata despite features being configured. Doesn't affect DB dump correctness.
Fix: Use the state_dir variable instead of hardcoding the path.

[sjha4]

Will update the tasks endpoint and parameters.yaml path..

About the podman networks, those are created for IOP.. Like https://github.com/theforeman/foremanctl/blob/master/src/roles/iop_network/tasks/main.yaml so I'd assume we have that present in production deployments. We can add some handling for when it's not.

[aidenfine]

Maybe nitpick but does it make sense to include the not yet implemented flags when doing backup --help? Would you be opposed to just leaving them out in this PR?

[sjha4]

Maybe nitpick but does it make sense to include the not yet implemented flags when doing backup --help? Would you be opposed to just leaving them out in this PR?

I am fine either way but it's helpful guidance for future PRs and documentation to look at.

[evgeni]

not a full review (I stopped somewhere around the secrets backup), but overall this feels a lot like "let's write a huge bash script and then wrap it in YAML" and not like Ansible :(

[ehelms]

Is this relevant to the user or a detail?

[sjha4]

I think it's relevant cause it is one of the steps users see on their playbook execution ouput. I will make it more user facing and less detail-y..

[ehelms]

This would be nice for the backup command to do if we want users to see this information or perform this procedure.

[sjha4]

Not sure I follow..Like a backup verify command? The playbook does track all backups and provides a summary at the end of execution.

[ehelms]

This could be a future improvement, non-blocking.

[ehelms]

Is this task actually doing the calculation or more of a data collection?

[sjha4]

This is gathering file info..Let me name it better.. 👍🏼

[ehelms]

What happens if this test fails?

[sjha4]

The backup would fail at this step and throw a permissions error..I can catch it and show a better message instead of the default one.

[ehelms]

Should this be done before any other actions take place? For example, if preflight checks fail, the tasks above would keep creating timestamped directories that are empty.

[ehelms]

This is bleeding a non-role variable into the role.

[sjha4]

database_mode is more a deployment config i'd expect to be available for use across roles?

[sjha4]

Passed this as a var in the playbook more explicitly for the role. 👍🏼

[ehelms]

Was it discussed already why we can not rely on community.postgresql.postgresql_db for these actions?

[sjha4]

Support for incremental dumps is not available which we need eventually, hence we went with pg_dump here.

[ehelms]

All of the database config is bleeding non-role variables into the role, and we are getting into duplicated logic territory. For example, we solve this same problem over in https://github.com/theforeman/foremanctl/blob/master/src/playbooks/deploy/deploy.yaml#L16

There should be something we can do here to rely more on the database config that is already centralized.

[sjha4]

Refactored this to build this list from database and database_iop in the playbook pre-task similar to the deploy playbook..

[ehelms]

This should be covered by https://github.com/theforeman/foremanctl/pull/521/changes#diff-51346a793c52cfeb20781f4661d8b25d80d642aeb7d5aa678c40b7b81722696cR22 you may just need to coordinate merge order.

[sjha4]

It's similar but that one is looking for failed tasks and this one's looking for running tasks and polling them till they finish to stop the services for backup..

[ehelms]

Will this be relevant to other commands such as update ?

[sjha4]

I'd say the entire file could be relevant. Waiting for foreman tasks, pulp tasks and maybe running integrity checks on DB..All should be meaningful before an update..

[ehelms]

if amcheck is available. We should call that out here if the availability of this tool is not guaranteed within the users setup or our baseline requirements.

[sjha4]

This will need updating to run inside container and not on the host. Will update to use :

containers.podman.podman_container_exec:                                                                                               
        name: "{{ postgresql_container_name }}"                                                                                              
        command: pg_isready -h {{ database_host }} -p {{ database_port }}

[sjha4]

We can keep this here and assume postgresql is installed on host and pg_isready and pg_dump are available..I will add a pre_flight check to ensure posgreql package is available on the host.