8005557061
Running with a user (like `matrix:matrix`) fails if Etherpad is enabled, because `/matrix/etherpad` is owned by `matrix_etherpad_user_uid`/`matrix_etherpad_user_gid` (`5001:5001`). The `matrix` user can't access the Etherpad directory for this reason and Borgmatic fails when trying to make a backup. There may be other things under `/matrix` which similarly use non-`matrix:matrix` permissions. Another workaround might have been to add `/matrix/etherpad` (and potentially other things) to `matrix_backup_borg_location_exclude_patterns`, but: - that means Etherpad won't be backed up - not great - only excluding Etherpad may not be enough. There may be other files we need to exclude as well --- Running with `root` is still not enough though. We need at least the `CAP_DAC_OVERRIDE` capability, or we won't be able to read the `/etc/borgmatic.d/config.yaml` configuration file (owned by `matrix:matrix` with `0640` permissions). --- Additionally, it seems like the backup process tries to write to at least a few directories: - `/root/.borgmatic` - `/root/.ssh` - `/root/.config` > [Errno 30] Read-only file system: '/root/.borgmatic' > Error while creating a backup. > /etc/borgmatic.d/config.yaml: Error running configuration file We either need to stop mounting the container filesystem as readonly (remove `--read-only`) or to allow writing via a `tmpfs`. I've gone the `tmpfs` route which seems to work. In any case, the mounted source directories (`matrix_backup_borg_location_source_directories`) are read-only regardless, so our actual source files are protected from unintentional changes.
#jinja2: lstrip_blocks: "True"
# systemd unit template for the matrix-backup-borg job: a one-shot service that
# runs borgmatic in a throwaway docker container (docker run --rm) on each start.
# Rendered by Ansible/Jinja2; the lists and paths referenced below are role variables.
[Unit]
Description=Matrix Borg Backup
# Hard dependencies: the backup is ordered after, and pulled in with, each listed unit.
{% for service in matrix_backup_borg_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
# Soft dependencies: listed units are started if available, but their failure does not block the backup.
{% for service in matrix_backup_borg_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
# No implicit basic.target/shutdown.target dependencies; ordering comes only from the lists above.
DefaultDependencies=no

[Service]
Type=oneshot
# HOME for the host-side docker client started by the Exec lines below. It is not
# the HOME inside the container; that comes from the passwd file bind-mounted further down.
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
# Best-effort removal of a container left over from an earlier run. The leading '-'
# tells systemd to ignore a non-zero exit, and stderr is discarded on purpose.
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
# Repository initialisation (borgmatic rcreate). Unlike the backup run below this one
# runs as the matrix user (--user), with every capability dropped, a read-only root
# filesystem and only /tmp writable. It is prefixed with '-', presumably so that an
# already-initialised repository does not abort the unit; the same prefix also hides
# genuine initialisation errors, so check the journal if the first backup fails.
# No tmpfs is mounted for a home directory here; whether rcreate needs one depends on
# the HOME the bind-mounted passwd file assigns to the matrix uid -- verify if it fails.
# The encryption mode is spliced unquoted into the sh -c string; keep that variable
# to a plain borg encryption mode name.
# The passwd bind mount replaces the container's /etc/passwd, presumably so that the
# host uid used above resolves to a named user in the container -- verify against the role.
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
--log-driver=none \
--cap-drop=ALL \
--read-only \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--network={{ matrix_docker_network }} \
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
{% for source in matrix_backup_borg_location_source_directories %}
--mount type=bind,src={{ source }},dst={{ source }},ro \
{% endfor %}
{% for arg in matrix_backup_borg_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_backup_borg_docker_image }} \
sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}"

# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container
# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file,
# owned by `matrix:matrix` on the filesystem.
#
# The actual backup run. There is no --user here: the process is container root with
# every capability dropped except CAP_DAC_OVERRIDE, which bypasses file-mode checks on
# every path the container can see. The compensating controls are that the root
# filesystem is --read-only and every bind mount below is ro, so the extra capability
# widens what can be read, not what can be changed on the host.
# /root and /tmp are the only writable locations, each a size-capped noexec,nosuid tmpfs.
# Whatever borgmatic or ssh writes under /root (.borgmatic, .ssh, .config, per the commit
# that introduced the tmpfs) is discarded when the container exits, so nothing recorded
# there (e.g. an ssh known_hosts entry) carries over between runs -- confirm how ssh host
# key verification is configured for remote repositories.
# --log-driver=none keeps docker from storing a container log; output presumably still
# reaches the journal through the attached docker run process under SyslogIdentifier below.
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
--log-driver=none \
--cap-drop=ALL \
--cap-add=CAP_DAC_OVERRIDE \
--read-only \
--network={{ matrix_docker_network }} \
--tmpfs=/root:rw,noexec,nosuid,size=100m \
--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
{% for source in matrix_backup_borg_location_source_directories %}
--mount type=bind,src={{ source }},dst={{ source }},ro \
{% endfor %}
{% for arg in matrix_backup_borg_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_backup_borg_docker_image }}

# Mirror of the pre-start cleanup, run when the unit is stopped or the backup fails.
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
SyslogIdentifier=matrix-backup-borg

[Install]
WantedBy=multi-user.target