Kezdőlap Felfedezés Súgó
Bejelentkezés
mirrors
/
borg
tükrözi: https://github.com/borgbackup/borg
2
0
Másolás 0
Fájlok Problémák 0 Wiki
Fa: f8d9f8c371
Branch-ok Tag-ek
borg
/
docs
/
usage
/
serve.rst

serve.rst 4.3 KB
Előzmények Nyers

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. .. include:: serve.rst.inc
    2. 

  2. 

  3. Examples
    4. 

  4. ~~~~~~~~
    5. 

  5. 

  6. ``borg serve`` has special support for SSH forced commands (see ``authorized_keys``
    7. 

  7. example below): if the environment variable SSH_ORIGINAL_COMMAND is set it will
    8. 

  8. ignore some options given on the command line and use the values from the
    9. 

  9. variable instead. This only applies to a carefully controlled allowlist of safe
    10. 

  10. options. This list currently contains:
    11. 

  11. 

  12. - Options that control the log level and debug topics printed
    13. 

  13.   such as ``--verbose``, ``--info``, ``--debug``, ``--debug-topic``, etc.
    14. 

  14. - ``--lock-wait`` to allow the client to control how long to wait before
    15. 

  15.   giving up and aborting the operation when another process is holding a lock.
    16. 

  16. 

  17. Environment variables (such as BORG_XXX) contained in the original
    18. 

  18. command sent by the client are *not* interpreted; they are ignored. If BORG_XXX environment
    19. 

  19. variables need to be set on the ``borg serve`` side, then these must be set in system-specific
    20. 

  20. locations like ``/etc/environment`` or in the forced command itself (example below).
    21. 

  21. 

  22. ::
    23. 

  23. 

  24.     # Allow an SSH key pair to only run borg, and only have access to /path/to/repo.
    25. 

  25.     # Use key options to disable unneeded and potentially dangerous SSH functionality.
    26. 

  26.     # This helps secure an automated remote backup system.
    27. 

  27.     $ cat ~/.ssh/authorized_keys
    28. 

  28.     command="borg serve --restrict-to-path /path/to/repo",restrict ssh-rsa AAAAB3[...]
    29. 

  29. 

  30.     # Set a BORG_XXX environment variable on the ``borg serve`` side.
    31. 

  31.     $ cat ~/.ssh/authorized_keys
    32. 

  32.     command="BORG_XXX=value borg serve [...]",restrict ssh-rsa [...]
    33. 

  33. 

  34. .. note::
    35. 

  35.     The examples above use the ``restrict`` directive and assume a POSIX-compliant
    36. 

  36.     shell set as the user's login shell.
    37. 

  37.     This automatically blocks potentially dangerous SSH features, even when
    38. 

  38.     they are added in a future update. Thus, this option should be preferred.
    39. 

  39. 

  40.     If you're using OpenSSH server < 7.2, however, you have to explicitly specify
    41. 

  41.     the SSH features to restrict and cannot simply use the ``restrict`` option as it
    42. 

  42.     was introduced in v7.2. We recommend using
    43. 

  43.     ``no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc``
    44. 

  44.     in this case.
    45. 

  45. 

  46. Details about sshd usage: `sshd(8) <https://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8>`_
    47. 

  47. 

  48. .. _ssh_configuration:
    49. 

  49. 

  50. SSH Configuration
    51. 

  51. ~~~~~~~~~~~~~~~~~
    52. 

  52. ``borg serve``'s pipes (``stdin``/``stdout``/``stderr``) are connected to the ``sshd`` process on the server side. In the event that the SSH connection between ``borg serve`` and the client is disconnected or stuck abnormally (for example, due to a network outage), it can take a long time for ``sshd`` to notice the client is disconnected. In the meantime, ``sshd`` continues running, and as a result so does the ``borg serve`` process holding the lock on the repository. This can cause subsequent ``borg`` operations on the remote repository to fail with the error: ``Failed to create/acquire the lock``.
    53. 

  53. 

  54. In order to avoid this, it is recommended to perform the following additional SSH configuration:
    55. 

  55. 

  56. Either in the client side's ``~/.ssh/config`` file, or in the client's ``/etc/ssh/ssh_config`` file:
    57. 

  57. ::
    58. 

  58. 

  59.     Host backupserver
    60. 

  60.             ServerAliveInterval 10
    61. 

  61.             ServerAliveCountMax 30
    62. 

  62. 

  63. Replace ``backupserver`` with the hostname, FQDN, or IP address of the Borg server.
    64. 

  64. 

  65. This will cause the client to send a keepalive to the server every 10 seconds. If 30 consecutive keepalives are sent without a response (a time of 300 seconds), the SSH client process will be terminated, causing the Borg process to terminate gracefully.
    66. 

  66. 

  67. On the server side's ``sshd`` configuration file (typically ``/etc/ssh/sshd_config``):
    68. 

  68. ::
    69. 

  69. 

  70.     ClientAliveInterval 10
    71. 

  71.     ClientAliveCountMax 30
    72. 

  72. 

  73. This will cause the server to send a keepalive to the client every 10 seconds. If 30 consecutive keepalives are sent without a response (a time of 300 seconds), the server's sshd process will be terminated, causing the ``borg serve`` process to terminate gracefully and release the lock on the repository.
    74. 

  74. 

  75. If you then run Borg commands with ``--lock-wait 600``, this gives sufficient time for the ``borg serve`` processes to terminate after the SSH connection is torn down following the 300-second wait for the keepalives to fail.
    76. 

  76. 

  77. You may, of course, modify the timeout values demonstrated above to values that suit your environment and use case.
    78.