Borgmatic not working with systemd, while runs fine manually #718
Labels
No Label
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: borgmatic-collective/borgmatic#718
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Trying to setup nightly backups
Followed the steps from the documentation
Actual behavior (if a bug)
Expected behavior (if a bug)
Other notes / implementation ideas
Environment
borgmatic version: [1.7.15]`
borgmatic installation method: [pip3, as shown in documentation]
Borg version: [borg 1.2.0]
Python version: [Python 3.10.6]
operating system and version: [Ubuntu server 22.04.2 LTS]
Thanks for taking the time to file this. This might be a system path issue such that systemd can't find borgmatic. Or perhaps some of the systemd security settings could be interfering. Could I get a look at your complete systemd file (redacted as necessary)?
One of the things I'm interested in your last line where borgmatic is invoked. What is the path to borgmatic there? Is it
/root/.local/bin/borgmatic
for instance? Does borgmatic actually exist at that location? If not, then you can probably change/root/.local/bin/borgmatic
to borgmatic's actual location. To find that, open a shell and typewhich borgmatic
.Thanks for quick reply, yes the issue was due to incorrect system path for borgmatic.
Now that's fixed and I'm facing a new issue.
Again, the command from shell works without any issues
That's looking like a permission issue on writing Borg's lock file. My guess on the cause is either:
A difference between your command-line borgmatic user versus the user systemd is running borgmatic as. So do you know what those respective users are? Is this a root-level systemd service or a systemd user service? And what user is running the command-line when you run borgmatic via shell?
Or it's possible the systemd security settings in the borgmatic service file are interfering. You could try commenting out some or all of them (temporarily) to see if that helps.
I use sudo to run borgmatic from command line (I've added /root/.local/bin to sudoers default path). It seems that it's root-level service as I followed the exact instructions from the docs.
I've disabled every security setting in /etc/systemd/system/borgmatic.service, still the issue persists.
Some more ideas:
systemd daemon-reload
command?Yes, I do reload the daemon after making changes to the service file.
Yes, I can run borgmatic successfully from the command line even now.
That service file looks like most of the security settings are still in place...? For instance, I'd recommend commenting out everything from
LockPersonality
throughCapabilityBoundingSet
inclusive (followed by adaemon-reload
) to see if that makes a difference.That worked !!
Is it okay to leave them all disabled ?
I'm glad to hear that worked! Leaving them disabled really depends on your security needs. It is probably more secure to include them, as it reduces the attack surface for any would-be intruder. If you want to try including them, you can do a binary search to find which option is causing you trouble. For instance, uncomment half of the security options and try again. If that works, uncomment another half of the options. If you start getting the permissions error again, re-comment options by half until you find the offending option. Then you can just leave it out or read up on what tweaks it might need to make things work on your system.
Finally figured it out, thanks @witten .
It was
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
that was causing trouble.So enabled everything except this.
What purpose does this serve ? safe to leave it disabled ?
I'm happy to hear you've got it figured out! I believe that particular line restricts borgmatic filesystem access to read-only (except for files owned by the same user it's running as). That's likely why it failed to write to the lock file. So you could try making sure that the lock file/directory is owned by the same user borgmatic is running as (root?), or you could just leave this line out if you're comfortable with borgmatic having read-write access to your filesystem. It's really your call as to what level of security you're comfortable with.
You can read more about this here: https://www.man7.org/linux/man-pages/man5/systemd-system.conf.5.html
Also here: https://www.man7.org/linux/man-pages/man7/capabilities.7.html
Indeed, the directory I was trying to write was not owned by root.
Thanks for the help mate !!
Sure thing!