
Document systemd configuration changes for the ZFS filesystem hook (#1114).

Dan Helfman, 2 weeks ago
commit 88ecb96b98
3 changed files with 17 additions and 2 deletions
  1. NEWS (+1 -0)
  2. docs/how-to/snapshot-your-filesystems.md (+12 -0)
  3. sample/systemd/borgmatic.service (+4 -2)

+ 1 - 0
NEWS

@@ -1,4 +1,5 @@
 2.0.8.dev0
+ * #1114: Document systemd configuration changes for the ZFS filesystem hook.
  * #1118: Fix a bug in which Borg hangs during database backup when different filesystems are in
    use.
  * When running tests, use Ruff for faster and more comprehensive code linting and formatting,
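Review bot: the NEWS entry understates the scope of this commit. Besides the ZFS note, the same systemd paragraph is added to the Btrfs and LVM sections of the docs, and the sample service file's SystemCallFilter line gains @mount, which changes the seccomp allowlist for every user of the sample unit, not only ZFS users. Suggest wording it along the lines of " * #1114: Document systemd configuration changes needed by the ZFS, Btrfs, and LVM filesystem hooks, and allow mount-related system calls in the sample systemd service."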

+ 12 - 0
docs/how-to/snapshot-your-filesystems.md

@@ -41,6 +41,10 @@ zfs:
     umount_command: /usr/local/bin/umount
 ```
 
+If you're using systemd to run borgmatic, you will likely need to modify the [sample systemd service
+file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
+to work with ZFS. See the comments in that file for details.
+
 As long as the ZFS hook is in beta, it may be subject to breaking changes
 and/or may not work well for your use cases. But feel free to use it in
 production if you're okay with these caveats, and please [provide any
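Review bot: "See the comments in that file for details" points the reader at comments (visible later in this commit) that only say PrivateDevices and CapabilityBoundingSet "may" interfere; they do not say what to change them to. State the concrete edits here, for example set `PrivateDevices=no` and extend `CapabilityBoundingSet=` with the capabilities the snapshot, mount and umount commands need, and say plainly that each of these loosens the unit's sandbox, so a user who does not need the ZFS hook leaves them alone. Without that, every ZFS user has to reverse-engineer the unit by trial and error against EPERM failures.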
@@ -160,6 +164,10 @@ btrfs:
     findmnt_command: /usr/local/bin/findmnt
 ```
 
+If you're using systemd to run borgmatic, you may need to modify the [sample systemd service
+file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
+to work with Btrfs. See the comments in that file for details.
+
 As long as the Btrfs hook is in beta, it may be subject to breaking changes
 and/or may not work well for your use cases. But feel free to use it in
 production if you're okay with these caveats, and please [provide any
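Review bot: the sample service file's new comments name only ZFS as the example, so a Btrfs user who follows this pointer will not find their hook mentioned and may assume the note does not apply to them. Either mention Btrfs (and LVM) in the service file comments or list here which settings the Btrfs hook's snapshot and findmnt/mount commands depend on. Also, this paragraph differs from the ZFS one only in the filesystem name and the hedge ("may" versus "will likely"); if the difference in certainty is intentional, say why Btrfs is less affected, otherwise use the same wording.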
@@ -276,6 +284,10 @@ lvm:
     umount_command: /usr/local/bin/umount
 ```
 
+If you're using systemd to run borgmatic, you may need to modify the [sample systemd service
+file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
+to work with LVM. See the comments in that file for details.
+
 As long as the LVM hook is in beta, it may be subject to breaking changes
 and/or may not work well for your use cases. But feel free to use it in
 production if you're okay with these caveats, and please [provide any
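Review bot: this is the third near-verbatim copy of the same paragraph; consider a single "Running under systemd" subsection in this document that all three hook sections link to, so the list of required unit changes lives in one place and stays in sync with the sample file. The hedge should also be revisited for LVM: the configuration block just above shows `umount_command`, meaning this hook mounts and unmounts a snapshot like the ZFS hook does, so it is subject to the same PrivateDevices, SystemCallFilter and CapabilityBoundingSet restrictions, and "may need" reads as weaker than the situation warrants.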

+ 4 - 2
sample/systemd/borgmatic.service

@@ -26,6 +26,7 @@ LockPersonality=true
 # But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
 NoNewPrivileges=yes
+# Filesystem hooks like ZFS may not work unless PrivateDevices is disabled.
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
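Review bot: the new comment above `PrivateDevices=yes` leaves the reader without the actual setting. The file's convention (see the MemoryDenyWriteExecute comment a few lines up) is to name the alternative value, so write something like `# Filesystem hooks like ZFS may not work unless PrivateDevices is disabled; set it to "no" in that case.` It is also worth noting in the comment that `PrivateDevices=no` drops the private /dev entirely; a narrower option is to keep `PrivateDevices=no` but add `DevicePolicy=closed` with `DeviceAllow=` lines for only the device nodes the hook needs, which keeps most of the device isolation while letting the snapshot tooling run.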
@@ -39,7 +40,7 @@ RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
+SystemCallFilter=@system-service @mount
 SystemCallErrorNumber=EPERM
 # To restrict write access further, change "ProtectSystem" to "strict" and
 # uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
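Review bot: `SystemCallFilter=@system-service @mount` widens the seccomp allowlist for every user of this unit, including those with no filesystem hook configured, whereas the other two hook-related relaxations in this commit (PrivateDevices and CapabilityBoundingSet) are left restrictive with a comment for users to opt in. Either keep the line as `@system-service` and document `@mount` in a comment the same way, or add a comment explaining why it is on by default. Note too that adding @mount on its own does not make mount and umount work: the mount family also needs CAP_SYS_ADMIN, which the `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` line later in this file does not grant, so a user who copies the file unchanged still gets EPERM, just from the capability check instead of from seccomp.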
@@ -52,7 +53,8 @@ ProtectSystem=full
 # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
 # BindReadOnlyPaths=-/root/.ssh
 
-# May interfere with running external programs within borgmatic hooks.
+# May interfere with running external programs within borgmatic hooks. This
+# includes, for instance, programs to snapshot filesystems (e.g. ZFS).
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
 
 # Lower CPU and I/O priority.
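Review bot: the expanded comment still does not say which capability the reader would have to add. mount(2), umount2(2) and creating snapshots need CAP_SYS_ADMIN, so the comment should name it, and should warn that adding CAP_SYS_ADMIN to the bounding set largely defeats this setting, since it is the catch-all capability; users should do so only when they actually run a filesystem hook. Suggested wording: `# May interfere with running external programs within borgmatic hooks, e.g. the snapshot and mount commands used by the ZFS, Btrfs and LVM hooks, which need CAP_SYS_ADMIN. Add it here only if you use those hooks.`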