The sample systemd unit file prevents the ZFS integration from working #1114

Closed
opened 2025-06-29 11:06:56 +00:00 by Cysioland · 2 comments

What I'm trying to do and why

When trying to use the ZFS integration to make snapshots of backed up directories, while running Borgmatic through the enclosed systemd unit file, one gets permission errors

Steps to reproduce

  1. Install the ZFS Debian package (they use a systemd unit file consistent with what's provided under sample/systemd/borgmatic.service)
  2. Set up ZFS integration in your config file

Actual behavior

```
systemd-inhibit[1613548]: /dev/zfs and /proc/self/mounts are required.
systemd-inhibit[1613548]: Try running 'udevadm trigger' and 'mount -t proc proc /proc' as root.
borgmatic[1613220]: CRITICAL nas: Error running actions for repository
CRITICAL nas: Command '('zfs', 'list', '-H', '-t', 'filesystem', '-o', 'name,mountpoint,canmount,org.torsion.borgmatic:backup')' returned non-zero exit status 1.
borgmatic[1613220]: CRITICAL /etc/borgmatic/config.yaml: An error occurred
```

```
CRITICAL cannot create snapshots : permission denied
CRITICAL Command 'zfs snapshot hdd@borgmatic-1670783' returned non-zero exit status 1.
```

```
CRITICAL filesystem 'hdd@borgmatic-1674374' can not be mounted: Operation not permitted
CRITICAL Command 'mount -t zfs -o ro hdd@borgmatic-1674374 /run/borgmatic/zfs_snapshots/eb72ccdc3f97b208385c/hdd' returned non-zero exit status 1.
```

Expected behavior

The snapshots should be created successfully

Other notes / implementation ideas

I tracked down the offending unit file settings.

The ZFS dataset listing fails due to the `PrivateDevices=yes` line (the borgmatic process loses access to /dev/zfs that way).
Snapshotting fails due to the `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` line. I'm not sure which capabilities the ZFS snapshot process needs, but clearing the setting allowed the snapshots to be made.
Mounting snapshots is prevented by the `SystemCallFilter=@system-service` line. Setting it to `SystemCallFilter=@system-service @mount` allowed the backup to proceed.

borgmatic version

1.9.14 (the offending settings are present in the current version's sample unit file too)

borgmatic installation method

Debian package

Borg version

borg 1.2.8

Python version

Python 3.12.3

Database version (if applicable)

No response

Operating system and version

PRETTY_NAME="Ubuntu 24.04.2 LTS" NAME="Ubuntu" VERSION_ID="24.04" VERSION="24.04.2 LTS (Noble Numbat)" VERSION_CODENAME=noble ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=noble LOGO=ubuntu-logo

Owner

Thanks for filing this and providing all the details about the offending system settings. Unfortunately, there's no one-size-fits-all systemd service given all the ways borgmatic can be used. So I think I'm going to treat this as a documentation issue (including potentially the comments in the sample systemd service).

Owner

I went ahead and documented this and also added a few relevant comments to the sample systemd service file. Additionally, I added @mount to the SystemCallFilter= setting as you suggested.

Thanks again!

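The following is an added example, not code from the borgmatic project or its sample unit: it turns the three findings from the issue (and the `@mount` change the maintainer adopted) into a small audit of a unit file plus a drop-in that relaxes only those three directives, leaving the rest of the sandboxing in place. The unit text inside it is a constructed stand-in, and the claim that the zfs ioctls need CAP_SYS_ADMIN is my assumption, not something the issue establishes.

```shell
#!/bin/sh
# Added example (not from borgmatic): audit a unit for the three hardening
# directives this issue traced to the ZFS failures, then write a narrow drop-in.
# Constructed stand-in with the settings quoted in the issue; not the
# project's sample/systemd/borgmatic.service.
SAMPLE_UNIT=$(mktemp)
cat >"$SAMPLE_UNIT" <<'EOF'
[Service]
PrivateDevices=yes
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
SystemCallFilter=@system-service
EOF
# Print one line per directive that breaks 'zfs list', 'zfs snapshot' or the
# snapshot mount, matching the three symptoms reported in the issue.
zfs_conflicts() {
    unit="$1"
    # A private /dev tmpfs has no /dev/zfs, so 'zfs list' cannot reach the module.
    if grep -q '^PrivateDevices=yes' "$unit"; then
        echo "PrivateDevices=yes: hides /dev/zfs from borgmatic"
    fi
    # Assumption: the zfs ioctls need CAP_SYS_ADMIN; a bounding set without
    # it makes 'zfs snapshot' fail with 'permission denied'.
    if grep -q '^CapabilityBoundingSet=' "$unit" &&
       ! grep -q '^CapabilityBoundingSet=.*CAP_SYS_ADMIN' "$unit"; then
        echo "CapabilityBoundingSet: lacks CAP_SYS_ADMIN for zfs snapshot"
    fi
    # @system-service excludes mount(2), so the read-only snapshot mount is refused.
    if grep -q '^SystemCallFilter=' "$unit" &&
       ! grep -q '^SystemCallFilter=.*@mount' "$unit"; then
        echo "SystemCallFilter: lacks @mount for mounting the snapshot"
    fi
}
# Write a drop-in under DIR overriding only those three directives and print
# its path; on a real host DIR would be /etc/systemd/system.
write_zfs_dropin() {
    dir="$1/borgmatic.service.d"
    mkdir -p "$dir"
    cat >"$dir/zfs.conf" <<'EOF'
[Service]
PrivateDevices=no
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_ADMIN
SystemCallFilter=@system-service @mount
EOF
    echo "$dir/zfs.conf"
}
zfs_conflicts "$SAMPLE_UNIT"                          # three findings
zfs_conflicts "$(write_zfs_dropin "$(mktemp -d)")"    # no findings
```

After installing the drop-in on a real host, run `systemctl daemon-reload` and confirm the merged values with `systemctl show -p PrivateDevices -p CapabilityBoundingSet -p SystemCallFilter borgmatic.service`.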
Reference: borgmatic-collective/borgmatic#1114