Give backup-borg container more permissions to perform the backup

Running with a user (like `matrix:matrix`) fails if Etherpad is enabled,
because `/matrix/etherpad` is owned by `matrix_etherpad_user_uid`/`matrix_etherpad_user_gid` (`5001:5001`).

The `matrix` user can't acccess the Etherpad directory for this reason
and Borgmatic fails when trying to make a backup.

There may be other things under `/matrix` which similarly use
non-`matrix:matrix` permissions.

Another workaround might have been to add `/matrix/etherpad` (and
potentially other things) to `matrix_backup_borg_location_exclude_patterns`, but:

- that means Etherpad won't be backed up - not great
- only excluding Etherpad may not be enough. There may be other files we
  need to exclude as well

---

Running with `root` is still not enough though.

We need at least the `CAP_DAC_OVERRIDE` capability, or we won't be able to read the
`/etc/borgmatic.d/config.yaml` configuration file (owned by
`matrix:matrix` with `0640` permissions).

---

Additionally, it seems like the backup process tries to write to at least a few directories:
- `/root/.borgmatic`
- `/root/.ssh`
- `/root/.config`

> [Errno 30] Read-only file system: '/root/.borgmatic'
> Error while creating a backup.
> /etc/borgmatic.d/config.yaml: Error running configuration file

We either need to stop mounting the container filesystem as readonly
(remove `--read-only`) or to allow writing via a `tmpfs`.

I've gone the `tmpfs` route which seems to work.

In any case, the mounted source directories (`matrix_backup_borg_location_source_directories`)
are read-only regardless, so our actual source files are protected from unintentional changes.
This commit is contained in:
Slavi Pantaleev 2022-12-05 15:28:07 +02:00
parent 7b123907e0
commit 8005557061

View File

@ -33,12 +33,16 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --n
{{ matrix_backup_borg_docker_image }} \ {{ matrix_backup_borg_docker_image }} \
sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}" sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}"
# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container
# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file,
# owned by `matrix:matrix` on the filesystem.
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
--log-driver=none \ --log-driver=none \
--cap-drop=ALL \ --cap-drop=ALL \
--cap-add=CAP_DAC_OVERRIDE \
--read-only \ --read-only \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \ --network={{ matrix_docker_network }} \
--tmpfs=/root:rw,noexec,nosuid,size=100m \
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \ --tmpfs=/tmp:rw,noexec,nosuid,size=100m \
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \ --mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \ --mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \