forked from borgmatic-collective/borgmatic
Document systemd configuration changes for the ZFS filesystem hook (#1114).
NEWS
@@ -1,4 +1,5 @@
|
||||
2.0.8.dev0
|
||||
* #1114: Document systemd configuration changes for the ZFS filesystem hook.
|
||||
* #1118: Fix a bug in which Borg hangs during database backup when different filesystems are in
|
||||
use.
|
||||
* When running tests, use Ruff for faster and more comprehensive code linting and formatting,
|
||||
|
||||
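Review bot: The new #1114 entry names only the ZFS hook, but this commit also adds systemd guidance to the Btrfs and LVM sections and changes SystemCallFilter in the sample service file. Consider wording the entry to cover all three filesystem hooks and to mention the added @mount group, so users who copied the sample unit know its default changed.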
@@ -41,6 +41,10 @@ zfs:
|
||||
umount_command: /usr/local/bin/umount
|
||||
```
|
||||
|
||||
If you're using systemd to run borgmatic, you will likely need to modify the [sample systemd service
|
||||
file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
|
||||
to work with ZFS. See the comments in that file for details.
|
||||
|
||||
As long as the ZFS hook is in beta, it may be subject to breaking changes
|
||||
and/or may not work well for your use cases. But feel free to use it in
|
||||
production if you're okay with these caveats, and please [provide any
|
||||
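Review bot: The added ZFS paragraph says the service file "will likely" need modifying but defers every detail to comments in another file, and the link targets branch/main, so the text it points to can drift from this version of the docs. Name the settings here (the service file comments in this commit mention PrivateDevices and CapabilityBoundingSet) and say that relaxing them reduces the unit's sandboxing, so readers change only what the hook needs.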
@@ -160,6 +164,10 @@ btrfs:
|
||||
findmnt_command: /usr/local/bin/findmnt
|
||||
```
|
||||
|
||||
If you're using systemd to run borgmatic, you may need to modify the [sample systemd service
|
||||
file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
|
||||
to work with Btrfs. See the comments in that file for details.
|
||||
|
||||
As long as the Btrfs hook is in beta, it may be subject to breaking changes
|
||||
and/or may not work well for your use cases. But feel free to use it in
|
||||
production if you're okay with these caveats, and please [provide any
|
||||
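Review bot: The Btrfs paragraph tells readers to "See the comments in that file for details", but the comments this commit adds to the service file name only ZFS ("Filesystem hooks like ZFS", "e.g. ZFS"). Either state here which settings apply to Btrfs or make the service file comments cover Btrfs too; as written, a Btrfs user has nothing to match against.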
@@ -276,6 +284,10 @@ lvm:
|
||||
umount_command: /usr/local/bin/umount
|
||||
```
|
||||
|
||||
If you're using systemd to run borgmatic, you may need to modify the [sample systemd service
|
||||
file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
|
||||
to work with LVM. See the comments in that file for details.
|
||||
|
||||
As long as the LVM hook is in beta, it may be subject to breaking changes
|
||||
and/or may not work well for your use cases. But feel free to use it in
|
||||
production if you're okay with these caveats, and please [provide any
|
||||
|
||||
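Review bot: This is the third copy of the same paragraph with only the hook name changed, and the ZFS copy says "will likely need" while this one and the Btrfs copy say "may need", with no stated reason for the difference. A single shared paragraph, or consistent wording with the per-hook difference explained, would be easier to keep accurate as the service file changes.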
@@ -26,6 +26,7 @@ LockPersonality=true
|
||||
# But you can try setting it to "yes" for improved security if you don't use those features.
|
||||
MemoryDenyWriteExecute=no
|
||||
NoNewPrivileges=yes
|
||||
# Filesystem hooks like ZFS may not work unless PrivateDevices is disabled.
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectClock=yes
|
||||
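Review bot: The new comment above PrivateDevices=yes says hooks may not work "unless PrivateDevices is disabled" but gives neither the value to set nor the cost. Following the style of the MemoryDenyWriteExecute comment just above it, spell out the change (PrivateDevices=no) and note that it exposes the host's real device nodes in /dev to the service, so it should only be switched off when a filesystem hook is actually in use.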
@@ -39,7 +40,7 @@ RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=@system-service @mount
|
||||
SystemCallErrorNumber=EPERM
|
||||
# To restrict write access further, change "ProtectSystem" to "strict" and
|
||||
# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
|
||||
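Review bot: The SystemCallFilter line now allows @mount for everyone who uses the sample unit, with no comment explaining why, while the PrivateDevices change in this same file keeps the strict default and documents the opt-out instead. Keeping "SystemCallFilter=@system-service" as the default and adding a commented-out "@system-service @mount" variant with a note that filesystem hooks need it would be consistent, and avoids widening the syscall allowlist for setups that never mount anything.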
@@ -52,7 +53,8 @@ ProtectSystem=full
|
||||
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
||||
# BindReadOnlyPaths=-/root/.ssh
|
||||
|
||||
# May interfere with running external programs within borgmatic hooks.
|
||||
# May interfere with running external programs within borgmatic hooks. This
|
||||
# includes, for instance, programs to snapshot filesystems (e.g. ZFS).
|
||||
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
||||
|
||||
# Lower CPU and I/O priority.
|
||||
|
||||
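Review bot: The expanded comment on CapabilityBoundingSet warns that snapshot programs may be affected but leaves the line at "CAP_DAC_READ_SEARCH CAP_NET_RAW" and gives no remedy. mount(2) requires CAP_SYS_ADMIN, which this bounding set excludes, so the @mount allowance added to SystemCallFilter in this commit is not sufficient on its own for a hook to mount a snapshot. The comment should say which capability to add (or to comment the line out) and that doing so grants the service a broad privilege.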