Running podman within backup hooks is blocked by CapabilityBoundingSet in systemd service file #927
This prevents running podman-exec within backup hooks. I think it's not a good idea to propose that as a default.
For pre-packaged deployments like this Fedora one, the service file is used: https://src.fedoraproject.org/rpms/borgmatic/blob/f40/f/borgmatic.spec#_49
It's tricky to replace those settings with the defaults. Here is my replacement drop-in (in /etc/systemd/system/borgmatic.service.d/reset-capabilites.conf):

Thanks for taking the time to file this. Unfortunately, there's no one-size-fits-all systemd configuration for a program as flexible as borgmatic, which is why this is only a "sample" systemd service file. For your use case, I'd recommend starting with a systemd configuration like your replacement drop-in, disregarding the "official" sample service file except as a reference.
Also, side note: Since you're running podman exec.. If you have any thoughts or requirements about borgmatic Podman support, feel free to weigh in on these tickets: #797, #671, and #685.
Sure. One size can't fit all, but please notice the Fedora devs took this sample file as a canonical way for setting the service file. And that file is automatically installed on your OS when you do dnf install borgmatic. I bet other OS devs might do the same.
So, my proposal would be to provide a default service file with loosened security to allow any root tasks in the hooks. Of course, there might be another sample with more secure setup (the current one).
In that way, OS devs might continue to rely on the sample from upstream sources, and it would not cause friction for the new users. WDYT?
This is unfortunately one of those age-old trade-offs: Convenience vs. security. There are already two sample systemd service files maintained by the project (root and user service), and I'd rather not be responsible for maintaining yet another—especially one that strips away all (most?) of the security protections. (I'm a believer in "secure by default" as much as possible.) And yet I can appreciate the tough place this puts distribution maintainers in. My recommendation for them is either:
Having said that, if there are a few settings that are just too aggressive for most users, I'd be happy to modify the existing sample. But I'm pretty sure that most users don't run podman-exec from a borgmatic hook!
Additionally, if I can make any updates to the borgmatic docs (or service file comments) to better clarify any of this for users, please let me know.
Thanks for your (presumed) understanding!
Closing due to inactivity, but I'd still be happy to discuss. Thanks!
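
An added illustration of why overriding CapabilityBoundingSet= from a drop-in is tricky, as a simplified model of the merge rules documented in systemd.exec(5). It is not code from this thread, from borgmatic or from systemd; the function name, the reduced capability list and the sample unit line are assumptions constructed for the example.

```python
# Simplified model of how systemd combines repeated CapabilityBoundingSet=
# assignments (unit file first, then drop-ins), following systemd.exec(5).
# ALL_CAPS is a constructed, shortened stand-in for the kernel's full list.
ALL_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_READ_SEARCH", "CAP_NET_RAW",
    "CAP_SETUID", "CAP_SYS_ADMIN",
})


def effective_bounding_set(assignments):
    """Return the bounding set left after applying each value in order."""
    current = None  # None: option never set, so the service is unrestricted
    for raw in assignments:
        value = raw.strip()
        if value == "":
            # Empty assignment resets to the EMPTY set, not to the default.
            current = frozenset()
        elif value == "~":
            # A lone "~" resets to the full set, undoing earlier lines.
            current = ALL_CAPS
        elif value.startswith("~"):
            # Inverted list: remove the listed capabilities (AND NOT).
            base = ALL_CAPS if current is None else current
            current = frozenset(base - set(value[1:].split()))
        else:
            # Plain list: OR into whatever was set so far.
            listed = frozenset(value.split())
            current = listed if current is None else current | listed
    return ALL_CAPS if current is None else current


# Constructed sample: a restrictive line as a packaged unit might ship it.
PACKAGED = ["CAP_DAC_READ_SEARCH CAP_NET_RAW"]

if __name__ == "__main__":
    for label, drop_in in [("no drop-in", []),
                           ("CapabilityBoundingSet=", [""]),
                           ("CapabilityBoundingSet=~", ["~"])]:
        caps = effective_bounding_set(PACKAGED + drop_in)
        print(f"{label:26} -> {sorted(caps)}")
```

The effective value on a real host can be compared against this model with systemctl show -p CapabilityBoundingSet borgmatic.service after a daemon-reload.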