Automation with systemd failing to connect over ssh #340

Closed
opened 2020-07-14 22:08:36 +00:00 by wooten · 3 comments

What I'm trying to do and why

Automatic borgmatic backups using systemd service

Steps to reproduce (if a bug)

Contents of /etc/systemd/system/borgmatic.service

```
[Unit]
Description=borgmatic backup
Wants=network-online.target
After=network-online.target
ConditionACPower=true

[Service]
Type=oneshot

Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

Restart=no

ExecStartPre=/bin/sleep 1m

ExecStart=/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /home/myuser/anaconda3/bin/borgmatic --syslog-verbosity 2 --files
```

Contents of /etc/borgmatic.d/work.yaml

```
location:
    source_directories:
        - aaa

    repositories:
        - bbb@ccc.rsync.net:ddd

storage:
    encryption_passphrase: eee

retention:
    keep_daily: 7
    keep_weekly: 4
    keep_monthly: 6

consistency:
    checks:
        - repository
        - archives

hooks:
    healthchecks: fff
```

I have ~/.ssh/id_rsa.pub in bbb@ccc.rsync.net:.ssh/authorized_keys, and can successfully ssh bbb@ccc.rsync.net from the terminal.

Actual behavior (if a bug)

When I manually run borgmatic --verbosity 1 --files it is successful. However, when I run systemctl start borgmatic.service I get an error:

```
35 self tests completed in 0.06 seconds
SSH command line: ['ssh', 'bbb@ccc.rsync.net', 'borg', 'serve', '--umask=077', '--debug']
Remote: Host key verification failed.
Connection closed by remote host. Is borg working on the server?
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/borg/archiver.py", line 4253, in main
```

Expected behavior (if a bug)

borgmatic should be able to ssh into rsync.net when run from systemd.

Environment

borgmatic version: [version here]

1.5.8

borgmatic installation method:

pip install borgmatic (within the base conda environment)

Borg version: [version here]

1.1.5

Python version: [version here]

3.8.2

operating system and version:

Ubuntu 18.04

Contributor

> Remote: Host key verification failed.

The problem is likely that you've run borgmatic from a different user account than it's running with under systemd (root) and the root user doesn't have the remote server's host key yet.

To resolve this:

SSH into the remote server once as root. You'll probably get a prompt like this:

```
The authenticity of host 'ccc.rsync.net (1.1.1.1)' can't be established.
ED25519 key fingerprint is SHA256:HASH.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```

Type yes to add the host key to /root/.ssh/known_hosts.

You could also `ssh-keyscan ccc.rsync.net >> /etc/ssh/ssh_known_hosts` to add the host key to the global SSH configuration.

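Appending scan output straight to a known_hosts file records whatever key the network returned, so it helps to compare each scanned key against a fingerprint obtained out of band first. The following is an added example, not part of the original thread or of borgmatic; the function names are hypothetical, and the key material and pinned fingerprint are constructed sample data.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64):
    """Return the OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(key_b64):
    """Read the length-prefixed key type string at the start of the key blob."""
    blob = base64.b64decode(key_b64)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", "replace")


def verified_lines(scan_output, host, pinned):
    """Keep only scanned lines for `host` whose key matches a pinned fingerprint.

    `pinned` is a set of fingerprints obtained out of band (for example from
    the provider's documentation), never from the scan itself.
    """
    accepted = []
    for line in scan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue  # skip comments and malformed lines
        names, key_type, key_b64 = fields[:3]
        if host not in names.split(","):
            continue
        try:
            if blob_key_type(key_b64) != key_type:
                continue  # declared type disagrees with the key blob
            if fingerprint(key_b64) in pinned:
                accepted.append(f"{host} {key_type} {key_b64}")
        except (ValueError, struct.error):
            continue  # invalid base64 or truncated blob
    return accepted


def _constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 blob from fixed bytes (sample data only)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode()


GOOD, OTHER = _constructed_key(1), _constructed_key(2)
SCAN = f"# constructed scan output\nccc.rsync.net ssh-ed25519 {GOOD}\nccc.rsync.net ssh-ed25519 {OTHER}\n"
PINNED = {fingerprint(GOOD)}  # stands in for the fingerprint the provider publishes
```

Only the lines returned by `verified_lines` would be written to `/etc/ssh/ssh_known_hosts`; an empty result means the scanned key did not match and nothing should be trusted.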
Author

Thanks,

I ran sudo ssh ... and added the host key, but borgmatic still does not successfully ssh, giving

```
SSH command line: ['ssh', 'bbb@ccc.rsync.net', 'borg', 'serve', '--umask=077', '--debug']
Remote: Permission denied, please try again.
Remote: Permission denied, please try again.
Remote: Received disconnect from xxx.xxx.xxx.xxx port 22:2: Too many authentication failures
Remote: Disconnected from xxx.xxx.xxx.xxx port 22
Connection closed by remote host. Is borg working on the server?
```

I assume the problem is that root is not using my local user's /home/myuser/.ssh/id_rsa keypair.

Author

Aha, I just saw the config option

```
storage:
    ssh_command: ssh -i /home/myuser/.ssh/id_rsa
```

which resolves this issue.

It then raised a new issue, specific to rsync.net, which by default uses borg 0.29.0. I had previously set `export BORG_REMOTE_PATH=/usr/local/bin/borg1/borg1` in my .bashrc, but systemd and root do not load this (conversely, `export BORG_RSH="ssh -i /home/myuser/.ssh/id_rsa"` likewise does not work). To overcome this, I just set the config

```
location:
    remote_path: /usr/local/bin/borg1/borg1
```

With these two changes, borgmatic.service works for me as expected. Thanks for your help!

Reference: borgmatic-collective/borgmatic#340