Retention policy appears to have no effect #772
Labels
No Label
bug
data loss
design finalized
good first issue
new feature area
question / support
security
waiting for response
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: borgmatic-collective/borgmatic#772
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What I'm trying to do and why
I'm attempting to test borgmatic's prune capability. Creating a config file, I've tried the configs which will be listed under Steps to reproduce. Running
borgmatic prune
had no result and I'm wondering what I'm trying to do wrong.Also, the documentation of borgmatic (e.g. https://torsion.org/borgmatic/) states that the sections
keep_within
etc. are part of the root namespace, but they're actually underretention
.Steps to reproduce
Relevant extract from config (and the config is applied, writing nonsense causes the commands below to fail):
Alternatively, I've also tried to comment out secondly and have yearly set to 1 or 2 instead.
borgmatic list
returns:Steps:
Actual behavior
There are still 3 archives after pruning.
Expected behavior
There should be 2 (or in the alternative, 1) archive.
Other notes / implementation ideas
Not sure if this is a me-problem or a bug. Any help would be appreciated.
borgmatic version
1.7.7
borgmatic installation method
Debian 12 via apt and official sources
Borg version
1.2.4
Python version
3.11.2
Database version (if applicable)
Operating system and version
Debian 12.2
These schema changes were introduced in borgmatic 1.8.0, so you'd need a newer version for
keep_within
to be at the top level of the configuration.Anyway, as to your main issue: My understanding of Borg's pruning logic is that a
keep_secondly
value of2
literally means: For archives made in the same second (so, sharing the exact same timestamp down to a second), keep at most two of them. And the three archives you're seeing all seem to satisfy that ask because none of them share the same second.So my question is: What exactly are you trying to do in terms of retaining archives? Maybe
keep_within
or one of the otherkeep_*
options would better suit your needs?This I would expect to resulting in archive pruning, given that your three archives share the same year. My recommendation would be to run borgmatic with
--verbosity 2
which will in turn cause Borg to log what it's doing with each archive during pruning. We can look at that output and try to figure out what might be going on.For the yearly pruning, is it possible you ran
borgmatic
without any command-line action arguments (prune
, etc.)? Because that would actuallycreate
a new archives even after pruning takes place—resulting in three archives.Hi Witten and thank you for your very fast answer!
About documentation and secondly, all good. About yearly, here is the command and output:
Best,
Kalsan
Maybe you didn't save your configuration file changes with
keep_yearly
? Because the Borg command that's actually getting run according to that output is:So it's still using a
keep_secondly
value!Sorry for posting the wrong log. When switching to yearly, the line is:
No backup gets deleted.
Best,
Kalsan
...which makes the whole log:
Hmm.. I'm not sure what might be going on. Is it possible your hostname has changed recently? Because the
--glob-archives
value limits Borg's consideration to only archives matching that pattern. You could try running theborg prune
command directly without--glob-archives
and see if that changes what gets pruned.If that doesn't help, then this is either a Borg bug or at minimum a misunderstanding on our part in how Borg does pruning. You might give the docs a skim and see if there's anything we're missing.. I just did that but didn't come up with anything. Worst case, you can file a Borg ticket about this assuming it repros with just Borg.
Bingo. I'm backing up from one host (append-only) and pruning from the other. While this had worked with my custom borg script (before I discovered borgmatic which does all of that, but much better and more), obviously borgmatic uses the current hostname.
So the problem is my stupidity.
And the solution is a single config change:
Thank you for your help, much appreciated. Hopefully this post will help someone in the future and cause a similar facepalm.
Best,
Kalsan
It's not your stupidity if the software doesn't make it clear what's going on! A couple more notes on this:
prefix
will totally work for now, but it is deprecated. (In Borg as well, not just in borgmatic.) So you might consider usingmatch_archives: "my-client-*"
instead once you upgrade to a newer version of borgmatic.I like your spirit @witten ! Also thank you for the deprecation warning, I'll switch to the newer option.
Indeed, #748 would have had me understand this much faster.
BTW since we're already in discussion: do you have an opinion about multi repo multi client single backup server setups? The idea is that there are many clients that don't trust each other and each has a different repo and key. I feel like a reasonnable setup to achieve this would be to have the clients share a single SSH user (but with different keys and different path restrictions), each being restricted to append-only and backing up into their own subdirectory. The path restriction makes sure they can't escape the cage (so a single SSH user should be enough) and append-only prevents them to compact. In this scenario, borgmatic is used on the server to periodically prune. Caveats are that multiple borgmatic configs are needed (and thus multiple cronjobs) due to the different repo keys and prefixes, and that clients can still perform deletions that would get pruned by the backup server on the next cleanup.
A single shared SSH user with the restrictions you describe sounds like it would work, but just as a counterexample: Both BorgBase and rsync.net (commercial Borg hosting providers) use a different SSH user account for every customer. My guess is that's because it provides even more isolation, in theory, than a single shared account. But I think which approach you go with depends on your threat model and risk tolerance.
As for the append-only + server-side pruning, yes, that could totally work and seems reasonable to me. And in fact that's an option that BorgBase provides as part of their offering.
Thank you for your inputs and have an excellent day!
You too!