How can I provide my password if I'm running borgmatic through a systemd unit? #762

Closed
opened 2023-09-30 00:48:11 +00:00 by PopeRigby · 7 comments

What I'm trying to do and why

I'm trying to set up Borgmatic to run with systemd. I'm using repokey mode, so I have to give my password.

I tried editing my systemd drop-in to have Environment="BORG_PASSPHRASE=REDACTED", but that didn't work:

Steps to reproduce

  1. sudo borgmatic rcreate --encryption repokey-aes-ocb
  2. sudo systemctl enable borgmatic.timer

Actual behavior

I get this error in the systemd journal:

Sep 19 16:42:49 haddock borgmatic[97984]: CRITICAL borgbase: Error running actions for repository
Sep 19 16:42:49 haddock borgmatic[97984]: CRITICAL /usr/lib64/python3.11/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
                                          Warning: Password input may be echoed.
                                          Enter passphrase for key ssh://byr71ulz@byr71ulz.repo.borgbase.com/./repo:
                                          can not acquire a passphrase: BORG_PASSPHRASE is not set. BORG_PASSCOMMAND is not set. Interactive password query failed.

Expected behavior

Borgmatic is able to read my password

Other notes / implementation ideas

No response

borgmatic version

1.8.2

borgmatic installation method

Fedora package

Borg version

1.2.6

Python version

Python 3.11.5

Database version (if applicable)

No response

Operating system and version

Fedora 38

Owner

Setting the BORG_PASSPHRASE environment variable should work, although I guess it's conceivable there's a borgmatic bug around that. (There are several other options for providing your password to borgmatic as well.) Some things to try:

  • Can I get a look at your full systemd service (with anything redacted that you don't want to share)?
  • Make sure Environment="BORG_PASSPHRASE=REDACTED" is under the [Service] heading in your service file.
  • Have you reloaded the systemd daemon after modifying the service file? Example: sudo systemctl daemon-reload?
  • The environment variable being set should show up in your service logs. For instance, run journalctl -xeu borgmatic.service and you should see something like Sep 30 04:24:42 fedora38 borgmatic.service[1234]: BORG_PASSPHRASE=REDACTED. If you don't see that, it could indicate the environment variable is not actually getting set.
witten added the
question / support
label 2023-09-30 02:42:22 +00:00
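Two of the checks above (is the `Environment=` line really under `[Service]`, and did the value reach the service) can be scripted. The following is an added example, not code from the thread or from borgmatic; it assumes GNU coreutils `stat` (as on Fedora) and uses constructed sample files. It also covers the end of the thread, where the passphrase moves into `/etc/borgmatic/config.yaml` as `encryption_passphrase`: either way the secret sits in plaintext on disk, so the file carrying it should not be group- or world-readable.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from borgmatic.
# Audits where a borg passphrase is being handed to a systemd service:
#   1. an Environment= line only takes effect inside the [Service] section
#      of a unit file or drop-in (override.conf from `systemctl edit`);
#   2. whichever file carries the plaintext secret (the drop-in or
#      /etc/borgmatic/config.yaml with encryption_passphrase) should not be
#      readable by group or others. Assumes GNU coreutils stat (as on Fedora).
# On a live host, `systemctl show -p Environment borgmatic.service` shows
# what systemd actually loaded after `systemctl daemon-reload`; note that
# this also means Environment= values are visible to anyone who can run it.

# env_in_service_section FILE VAR
# Prints "ok" if an Environment= line setting VAR sits under [Service],
# "wrong-section" if it is only found under another section or before any
# section header, and "missing" if no such line exists. Commented-out
# lines ("#Environment=...") are ignored, as systemd ignores them.
env_in_service_section() {
    awk -v var="$2" '
        /^\[/ { section = $0 }
        /^[[:space:]]*Environment=/ && index($0, var "=") {
            if (section == "[Service]") ok = 1; else elsewhere = 1
        }
        END {
            if (ok) print "ok"
            else if (elsewhere) print "wrong-section"
            else print "missing"
        }
    ' "$1"
}

# secret_file_mode_ok FILE
# Prints "ok" when the file has no group/other permission bits (e.g. 0600,
# 0700), "too-open" otherwise. A 0644 drop-in or config.yaml exposes the
# passphrase to every local account.
secret_file_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) echo "ok" ;;
        *)   echo "too-open" ;;
    esac
}

# Demo on a constructed drop-in mirroring the one in the thread.
demo() {
    dir=$(mktemp -d)
    printf '[Service]\nEnvironment="BORG_PASSPHRASE=REDACTED"\n' > "$dir/override.conf"
    chmod 644 "$dir/override.conf"   # constructed: deliberately world-readable
    echo "section check: $(env_in_service_section "$dir/override.conf" BORG_PASSPHRASE)"
    echo "mode check:    $(secret_file_mode_ok "$dir/override.conf")"
    rm -rf "$dir"
}

demo
```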
Author

Setting the BORG_PASSPHRASE environment variable should work, although I guess it's conceivable there's a borgmatic bug around that. (There are several other options for providing your password to borgmatic as well.)

Oh, I might try one of those options then. Is there a recommended way to provide your password for a systemd unit?

  • Can I get a look at your full systemd service (with anything redacted that you don't want to share)?

I just used sudo systemctl edit borgmatic.service to make a drop-in file, but the contents of that is this:

[Service]
Environment="BORG_PASSPHRASE=REDACTED"

The contents of the unit file at /usr/lib/systemd/system/borgmatic.conf:

[Unit]
Description=borgmatic backup
Wants=network-online.target
After=network-online.target
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
# want to allow borgmatic to run anytime.
ConditionACPower=true

[Service]
Type=oneshot

# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
# leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths
# ProtectHome=tmpfs
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic

# May interfere with running external programs within borgmatic hooks.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW

# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
# doesn't support this (pre-240 or so), you may have to remove this option.
LogRateLimitIntervalSec=0

# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -2 --syslog-verbosity 1

  • Have you reloaded the systemd daemon after modifying the service file? Example: sudo systemctl daemon-reload?

Yep, I made sure to do that.

  • The environment variable being set should show up in your service logs. For instance, run journalctl -xeu borgmatic.service and you should see something like Sep 30 04:24:42 fedora38 borgmatic.service[1234]: BORG_PASSPHRASE=REDACTED. If you don't see that, it could indicate the environment variable is not actually getting set.

I can't find it in the log, but here it is:

Sep 30 19:26:27 haddock borgmatic[4016410]: INFO borgbase: Creating archive
Sep 30 19:26:31 haddock borgmatic[4016410]: INFO /usr/lib64/python3.11/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
Sep 30 19:26:31 haddock borgmatic[4016410]: INFO Warning: Password input may be echoed.
Sep 30 19:26:31 haddock borgmatic[4016410]: INFO Enter passphrase for key ssh://byr71ulz@byr71ulz.repo.borgbase.com/./repo:
Sep 30 19:26:32 haddock borgmatic[4016410]: INFO can not acquire a passphrase: BORG_PASSPHRASE is not set. BORG_PASSCOMMAND is not set. Interactive password query failed.
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL borgbase: Error running actions for repository
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL Command 'borg create --info ssh://byr71ulz@byr71ulz.repo.borgbase.com/./repo::{hostname}-{now:%Y-%m-%dT%H:%M:%S.%f} /etc /root /var/home/cassidy/.config /var/home/cassidy/.local/share/containers/storage/volumes /var/home/shane' re>
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL /etc/borgmatic/config.yaml: An error occurred
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL summary:
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL /etc/borgmatic/config.yaml: An error occurred
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL borgbase: Error running actions for repository
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL /usr/lib64/python3.11/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
                                            Warning: Password input may be echoed.
                                            Enter passphrase for key ssh://byr71ulz@byr71ulz.repo.borgbase.com/./repo:
                                            can not acquire a passphrase: BORG_PASSPHRASE is not set. BORG_PASSCOMMAND is not set. Interactive password query failed.
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL Command 'borg create --info ssh://byr71ulz@byr71ulz.repo.borgbase.com/./repo::{hostname}-{now:%Y-%m-%dT%H:%M:%S.%f} /etc /root /var/home/cassidy/.config /var/home/cassidy/.local/share/containers/storage/volumes /var/home/shane' re>
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL
Sep 30 19:26:32 haddock borgmatic[4016410]: CRITICAL Need some help? https://torsion.org/borgmatic/#issues
Sep 30 19:26:32 haddock systemd-inhibit[4016408]: /usr/bin/borgmatic failed with exit status 1.
Sep 30 19:26:32 haddock systemd[1]: borgmatic.service: Main process exited, code=exited, status=1/FAILURE
Owner

Oh, I might try one of those options then. Is there a recommended way to provide your password for a systemd unit?

The short answer is no, there isn't, as how you pass passwords to a system service varies based on your requirements and threat model. Some light reading on the topic can be found here though: https://unix.stackexchange.com/questions/391040/is-there-a-typical-way-to-pass-a-password-to-a-systemd-unit-file

I just used sudo systemctl edit borgmatic.service to make a drop-in file, but the contents of that is this:

So I've never used systemd drop-in files before. The fact that the passphrase environment variable doesn't show up in logs makes me think it's not working properly though. You could try putting the Environment= directly in the unit file to see if that fixes the problem. That would tell you something is going wrong with the drop-in.

I assume in addition to reloading the daemon, you've also run systemctl restart borgmatic.service after making changes?

Author

@witten Sorry for the late response, I was away from my computer. Am I able to specify my encryption passphrase directly in the config.yaml?

Edit: Found it.

storage:
    encryption_passphrase: <passphrase>
Owner

Yup, that's it! Let me know whether that works out for you.

Author

Thank you 🙂. That seems to work.

Owner

Awesome, glad to hear that worked!

Reference: borgmatic-collective/borgmatic#762