systemd service unit fails following security hardening in 1.5.19 #466

Closed
opened 2021-11-17 12:16:45 +00:00 by pseud · 11 comments

What I'm trying to do and why

run borgmatic.service

Steps to reproduce (if a bug)

Install borgmatic to run borgmatic
Attempt to run systemctl start borgmatic.service

Actual behavior (if a bug)

See attached borgmatic-output.txt from l86

Expected behavior (if a bug)

[admin@frontserver ~]$ sudo systemctl status borgmatic.service
● borgmatic.service - borgmatic backup
   Loaded: loaded (/etc/systemd/system/borgmatic.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2021-11-17 08:09:49 GMT; 3h 50min ago
  Process: 199521 ExecStart=/usr/bin/systemd-inhibit --who=borgmatic --why=Prevent interrupting scheduled backup /usr/bin/borgmatic>
  Process: 199442 ExecStartPre=/usr/bin/sleep 1m (code=exited, status=0/SUCCESS)
 Main PID: 199521 (code=exited, status=0/SUCCESS)

Nov 17 08:09:14 frontserver.lan borgmatic[199523]: INFO Starting archive consistency check...
Nov 17 08:09:15 frontserver.lan borgmatic[199523]: INFO Analyzing archive frontserver-2021-11-16-175729 (1/2)
Nov 17 08:09:32 frontserver.lan borgmatic[199523]: INFO Analyzing archive frontserver-2021-11-17-080048 (2/2)
Nov 17 08:09:49 frontserver.lan borgmatic[199523]: INFO Orphaned objects check skipped (needs all archives checked).
Nov 17 08:09:49 frontserver.lan borgmatic[199523]: INFO Archive consistency check complete, no problems found.
Nov 17 08:09:49 frontserver.lan borgmatic[199523]: INFO
Nov 17 08:09:49 frontserver.lan borgmatic[199523]: INFO summary:
Nov 17 08:09:49 frontserver.lan borgmatic[199523]: INFO /etc/borgmatic/config.yaml: Successfully ran configuration file
Nov 17 08:09:49 frontserver.lan systemd[1]: borgmatic.service: Succeeded.
Nov 17 08:09:49 frontserver.lan systemd[1]: Started borgmatic backup.

With borgmatic.service from here:
https://projects.torsion.org/borgmatic-collective/borgmatic/raw/commit/602ad9e7ee36b2b1fdbf6083bd16919d45be8045/sample/systemd/borgmatic.service

Environment

borgmatic version:

[admin@frontserver ~]$ sudo borgmatic --version
1.5.20

borgmatic installation method:
sudo dnf install borgmatic
From here:
https://copr.fedorainfracloud.org/coprs/heffer/borgmatic/repo/epel-8/heffer-borgmatic-epel-8.repo

Borg version:

[admin@frontserver ~]$ sudo borg --version
borg 1.1.17

Python version:

[admin@frontserver ~]$ python3 --version
Python 3.6.8

Database version (if applicable):
n/a

operating system and version:
Rocky gnu/linux 8.5


I have a similar problem on arch.

$ sudo borgmatic --version
1.5.21
$ sudo borg --version
borg 1.1.17
$ python3 --version
Python 3.9.7
Nov 26 15:35:46 tyr kernel: audit: type=1334 audit(1637937346.519:339): prog-id=66 op=LOAD
Nov 26 15:36:46 tyr systemd-inhibit[74846]: /etc/borgmatic/config.yaml /etc/borgmatic.d $HOME/.config/borgmatic/config.yaml $HOME/.config/borgmatic.d: No valid configuration files found
Nov 26 15:36:46 tyr systemd-inhibit[74846]: summary:
Nov 26 15:36:46 tyr systemd-inhibit[74846]: /etc/borgmatic/config.yaml /etc/borgmatic.d $HOME/.config/borgmatic/config.yaml $HOME/.config/borgmatic.d: No valid configuration files found
Nov 26 15:36:46 tyr systemd-inhibit[74846]: Need some help? https://torsion.org/borgmatic/#issues
Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL /etc/borgmatic/config.yaml /etc/borgmatic.d $HOME/.config/borgmatic/config.yaml $HOME/.config/borgmatic.d: No valid configuration files found
Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL
Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL summary:
Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL /etc/borgmatic/config.yaml /etc/borgmatic.d $HOME/.config/borgmatic/config.yaml $HOME/.config/borgmatic.d: No valid configuration files found
Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL
Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL Need some help? https://torsion.org/borgmatic/#issues
Nov 26 15:36:46 tyr systemd-inhibit[74845]: /usr/bin/borgmatic failed with exit status 1.
Nov 26 15:36:46 tyr systemd[1]: borgmatic.service: Main process exited, code=exited, status=1/FAILURE
$ validate-borgmatic-config
All given configuration files are valid: /home/smoove/.config/borgmatic/config.yaml
Owner

@pseud Thanks for filing this! But I'm not sure what's going on here. So you're saying borgmatic 1.5.18 worked just fine, and starting with 1.5.19/1.5.20, borgmatic started giving permissions errors on Borg lock files? The borgmatic.service file you've linked doesn't seem to have any of the security hardening changes introduced in 1.5.19. Is that your pre-1.5.19 systemd service file? Can I get a look at your updated borgmatic.service that's causing problems? And possibly a (redacted) borgmatic configuration file?

@smoove Same questions for you! So borgmatic stopped working around 1.5.19? Did you update your borgmatic.service file around that time or not? Can I get a peek at that file and your (redacted) borgmatic configuration?

Appreciate it!

Author

Hmm, not exactly...
I installed

$ borgmatic --version
1.5.20

thusly:
sudo dnf install borgmatic
From here:
https://copr.fedorainfracloud.org/coprs/heffer/borgmatic/repo/epel-8/heffer-borgmatic-epel-8.repo

But, the systemd service files failed, like so: borgmatic-output.txt

So, I contacted 'heffer' - the owner of heffer/borgmatic and he pointed me at borgmatic.service

So, I don't know if 1.5.18 worked just fine - I've never installed it. My first install of borgmatic was 1.5.20 - I just used the replacement borgmatic.service file I was pointed to. It was 'heffer's suggestion that the security hardening was the cause of the problem and that seems to have been correct (from my limited understanding). I actually wasn't aware that I was pointed to 1.5.18, but assumed it was from a pre hardening version.

The borgmatic.service file I'm using - I thought... was exactly as per the link above, but I see there seems to have been a comment dropped and I've changed the location of borgmatic to that installed. So, mine's attached. I've emailed the config.

Author

Oops, you asked for the borgmatic.service that's causing the problems - it was whatever came with 1.5.20. From 'heffer's email to me:

the 1.5.19 version released last month did some changes to the sample systemd file that is provided with borgmatic.
As of now the package just installs this sight unseen.

It's no longer on my system.


@witten i never had another version of the service installed, i installed borgmatic for the first time a few days before posting.

This is the package i use: https://archlinux.org/packages/community/any/borgmatic/ (borgmatic 1.5.21-1)

$ cat /usr/lib/systemd/system/borgmatic.timer
[Unit]
Description=Run borgmatic backup

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
$ cat /usr/lib/systemd/system/borgmatic.service
[Unit]
Description=borgmatic backup
Wants=network-online.target
After=network-online.target
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
# want to allow borgmatic to run anytime.
ConditionACPower=true

[Service]
Type=oneshot

# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
# leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths
# ProtectHome=tmpfs
# BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW

# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
# doesn't support this (pre-240 or so), you may have to remove this option.
LogRateLimitIntervalSec=0

# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1
$ cat .config/borgmatic/config.yaml
location:
  source_directories:
    - [REDACTED]
  repositories:
    - [REDACTED]@[REDACTED].repo.borgbase.com:repo
  patterns:
    - '[REDACTED]'
  exclude_patterns:
    - '*node_modules*'
storage:
  encryption_passcommand: cat /home/[REDACTED]/.borg-passphrase
  archive_name_format: '{hostname}-{now:%Y-%m-%d-%H%M%S}'
  ssh_command: ssh -i /home/[REDACTED]/.ssh/[REDACTED]
retention:
  keep_daily: 7
  keep_weekly: 4
  keep_monthly: 6
  prefix: '{hostname}-'
hooks:
  before_backup:
    - /usr/bin/pacman -Qe > /home/[REDACTED]/pacman_packages.txt
  after_backup:
    - /usr/bin/rm /home/[REDACTED]/pacman_packages.txt

Btw.: running borgmatic manually works as expected.

Owner

the 1.5.19 version released last month did some changes to the sample systemd file that is provided with borgmatic.

The only changes to borgmatic.service in 1.5.19 were commented-out examples!

@pseud It looks like the working borgmatic.service file you're using is from borgmatic 1.5.10 or so—and doesn't include any security hardening at all. Which is fine if that works for your use case—borgmatic.service is intended as a sample/example file rather than the final word on systemd configuration for borgmatic.

Having said that, I would like to know what setting in the 1.5.20 sample service file is causing problems. If you're willing to debug this further, my ask would be to grab a copy of the newest service file, install it on your system (don't forget sudo systemctl daemon-reload), and confirm the problem still occurs with borgmatic. Then, comment out options in that file (then daemon-reload) until the permissions error stops happening. Also, out of curiosity, what filesystem is your repository mounted on?

@smoove Your error is different in that it doesn't appear to be a permissions issue on Borg's lock file. Instead, it looks like borgmatic isn't able to find any configuration files. I suggest a similar debugging approach as described above though: Comment out service configuration options, daemon-reloading each time, until borgmatic starts working. That will hopefully pinpoint the problem option.

Thanks for both of your help here.


@witten I commented out everything until just the ExecStart line remained, (daemon-reload'ing every time). The same problem still persists.

However, it just occurred to me that the service is executed as root, and my config is in my $HOME.
This explains why no config is found:

Nov 26 15:36:46 tyr borgmatic[74846]: CRITICAL /etc/borgmatic/config.yaml /etc/borgmatic.d $HOME/.config/borgmatic/config.yaml $HOME/.config/borgmatic.d: No valid configuration files found

I tried symlinking my config to /etc/borgmatic/config.yaml, after that the config is indeed found, but it fails with CRITICAL Remote: Host key verification failed., which is probably caused by this line in my conf: encryption_passcommand: cat /home/[REDACTED]/.borg-passphrase.

For some reason borgmatic has no access to my home directory, but only if it is triggered from the service.

My knowledge about systemd services is very limited, but is this simply a bug in the arch package? Should they just install the service file to /usr/lib/systemd/user instead of /usr/lib/systemd/system?

I hope at least some of this makes sense :)

Author

@witten Soz, haven't been here for a day or two:

Having said that, I would like to know what setting in the 1.5.20 sample service file is causing problems.

Happy to help - give me another day or two :)


I have a similar problem (maybe?) with borgmatic 1.5.21 and the Systemd service, since I noticed these lines from the original poster:

Nov 17 08:09:49 frontserver.lan systemd[1]: borgmatic.service: Succeeded.
Nov 17 08:09:49 frontserver.lan systemd[1]: Started borgmatic backup.

In my case the process remains open even after succeeding, messing up my service timers. This issue is not reproducible: happens on some repositories only and not always.

My ExecStart line was like this:

ExecStart=/usr/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic --config /home/jobs/scripts/by-user/root/borgmatic.server_postgresql_giteadb.yaml --syslog-verbosity 2 --log-file-verbosity 2 --monitoring-verbosity 2

However if i run this in a shell it works:

/usr/local/bin/borgmatic --config /home/jobs/scripts/by-user/root/borgmatic.server_postgresql_giteadb.yaml --syslog-verbosity 2 --log-file-verbosity 2 --monitoring-verbosity 2 -v2

I think borgmatic does not like something in the Systemd's shell so what I did is
wrap borgmatic in bash like this:

ExecStart=/usr/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/bash -c "/usr/local/bin/borgmatic --config /home/jobs/scripts/by-user/root/borgmatic.server_postgresql_giteadb.yaml --syslog-verbosity 2 --log-file-verbosity 2 --monitoring-verbosity 2"

Note: I am running an older version of the Systemd service unit file without the Systemd hardening options added recently.

Owner

@smoove

However, it just occured to me that the service is executed as root, and my config is in my $HOME.

If the service is executed as root, then IMO the config should be either in root's $HOME or configured globally in /etc. It shouldn't be in another user's $HOME.

As for Remote: Host key verification failed, that means that your local copy of a remote server's SSH key is somehow not matching the remote server anymore. See https://www.thegeekdiary.com/how-to-fix-the-error-host-key-verification-failed/ for some troubleshooting steps for that, keeping in mind that borgmatic is probably connecting as the root SSH user (and with the root user's SSH keys) if it's running as root.

@frnmst Interesting workaround you have there. Feel free to file a separate ticket with more info if you like some help debugging.

Owner

I'm closing this ticket now due to inactivity, but please feel free to follow up here or on another ticket if anyone needs more assistance!

witten added the
question / support
label 2022-05-23 17:44:06 +00:00
Reference: borgmatic-collective/borgmatic#466