Home Explore Help
Sign In
mirrors
/
borgmatic
mirror of https://github.com/witten/borgmatic
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Document systemd configuration changes for the ZFS filesystem hook (#1114).

Dan Helfman 3 months ago
parent
099d30f044
commit
88ecb96b98
3 changed files with 17 additions and 2 deletions
Unified View Show Diff Stats
  1. 1 0
      NEWS
  2. 12 0
      docs/how-to/snapshot-your-filesystems.md
  3. 4 2
      sample/systemd/borgmatic.service

+ 1 - 0
NEWS
View File 

@@ -1,4 +1,5 @@
 
 2.0.8.dev0
 
 2.0.8.dev0
 
+ * #1114: Document systemd configuration changes for the ZFS filesystem hook.
 
  * #1118: Fix a bug in which Borg hangs during database backup when different filesystems are in
 
  * #1118: Fix a bug in which Borg hangs during database backup when different filesystems are in
 
    use.
 
    use.
 
  * When running tests, use Ruff for faster and more comprehensive code linting and formatting,
 
  * When running tests, use Ruff for faster and more comprehensive code linting and formatting,

+ 12 - 0
docs/how-to/snapshot-your-filesystems.md
View File 

@@ -41,6 +41,10 @@ zfs:
 
     umount_command: /usr/local/bin/umount
 
     umount_command: /usr/local/bin/umount
 
 ```
 
 ```
 
 
 
+If you're using systemd to run borgmatic, you will likely need to modify the [sample systemd service
 
+file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
 
+to work with ZFS. See the comments in that file for details.
 
+
 
 As long as the ZFS hook is in beta, it may be subject to breaking changes
 
 As long as the ZFS hook is in beta, it may be subject to breaking changes
 
 and/or may not work well for your use cases. But feel free to use it in
 
 and/or may not work well for your use cases. But feel free to use it in
 
 production if you're okay with these caveats, and please [provide any
 
 production if you're okay with these caveats, and please [provide any
 
@@ -160,6 +164,10 @@ btrfs:
 
     findmnt_command: /usr/local/bin/findmnt
 
     findmnt_command: /usr/local/bin/findmnt
 
 ```
 
 ```
 
 
 
+If you're using systemd to run borgmatic, you may need to modify the [sample systemd service
 
+file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
 
+to work with Btrfs. See the comments in that file for details.
 
+
 
 As long as the Btrfs hook is in beta, it may be subject to breaking changes
 
 As long as the Btrfs hook is in beta, it may be subject to breaking changes
 
 and/or may not work well for your use cases. But feel free to use it in
 
 and/or may not work well for your use cases. But feel free to use it in
 
 production if you're okay with these caveats, and please [provide any
 
 production if you're okay with these caveats, and please [provide any
 
@@ -276,6 +284,10 @@ lvm:
 
     umount_command: /usr/local/bin/umount
 
     umount_command: /usr/local/bin/umount
 
 ```
 
 ```
 
 
 
+If you're using systemd to run borgmatic, you may need to modify the [sample systemd service
 
+file](https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/main/sample/systemd/borgmatic.service)
 
+to work with LVM. See the comments in that file for details.
 
+
 
 As long as the LVM hook is in beta, it may be subject to breaking changes
 
 As long as the LVM hook is in beta, it may be subject to breaking changes
 
 and/or may not work well for your use cases. But feel free to use it in
 
 and/or may not work well for your use cases. But feel free to use it in
 
 production if you're okay with these caveats, and please [provide any
 
 production if you're okay with these caveats, and please [provide any

+ 4 - 2
sample/systemd/borgmatic.service
View File 

@@ -26,6 +26,7 @@ LockPersonality=true
 
 # But you can try setting it to "yes" for improved security if you don't use those features.
 
 # But you can try setting it to "yes" for improved security if you don't use those features.
 
 MemoryDenyWriteExecute=no
 
 MemoryDenyWriteExecute=no
 
 NoNewPrivileges=yes
 
 NoNewPrivileges=yes
 
+# Filesystem hooks like ZFS may not work unless PrivateDevices is disabled.
 
 PrivateDevices=yes
 
 PrivateDevices=yes
 
 PrivateTmp=yes
 
 PrivateTmp=yes
 
 ProtectClock=yes
 
 ProtectClock=yes
 
@@ -39,7 +40,7 @@ RestrictNamespaces=yes
 
 RestrictRealtime=yes
 
 RestrictRealtime=yes
 
 RestrictSUIDSGID=yes
 
 RestrictSUIDSGID=yes
 
 SystemCallArchitectures=native
 
 SystemCallArchitectures=native
 
-SystemCallFilter=@system-service
 
+SystemCallFilter=@system-service @mount
 
 SystemCallErrorNumber=EPERM
 
 SystemCallErrorNumber=EPERM
 
 # To restrict write access further, change "ProtectSystem" to "strict" and
 
 # To restrict write access further, change "ProtectSystem" to "strict" and
 
 # uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
 
 # uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
 
@@ -52,7 +53,8 @@ ProtectSystem=full
 
 # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
 
 # BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
 
 # BindReadOnlyPaths=-/root/.ssh
 
 # BindReadOnlyPaths=-/root/.ssh
 
 
 
-# May interfere with running external programs within borgmatic hooks.
 
+# May interfere with running external programs within borgmatic hooks. This
 
+# includes, for instance, programs to snapshot filesystems (e.g. ZFS).
 
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
 
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
 
 
 
 # Lower CPU and I/O priority.
 
 # Lower CPU and I/O priority.