I prefer to sandbox systemd services with ProtectSystem=strict. Especially so when User=root.

So when ProtectSystem=strict, which dirs need to be ReadWritePaths to run `mariabackup --backup` and `mariabackup --prepare`?

So far I got the --target-dir and the --tmpdir. Is that sufficient?

tia
Tom
Hi Tom,

Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer.

MariaDB itself writes to log files, so maybe the file defined in `log_error` as well if you're applying these concepts to the server. (And aria_log_dir_path if you're using Aria.)

But mariabackup - I think it should only write to --target-dir, but I encourage you to test to be certain that works for you.

Simon

-----Original Message-----
From: Tom Worster via discuss <discuss@lists.mariadb.org>
Sent: Tuesday, July 4, 2023 2:47 PM
To: discuss@lists.mariadb.org
Subject: [MariaDB discuss] Sandboxing mariabackup
On 7/6/2023 3:55:39 AM, "Simon Avery" <Simon.Avery@atass-sports.co.uk> wrote:
> Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer.

Yeah, that's it.
I want to start hourly backups using a systemd timer and in the corresponding service I want ProtectSystem=strict. That tells systemd to run mariabackup in a sandbox with nearly all the filesystem mounted as read-only. This is appealing if the backup process has access to the datadir.

Tom
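The setup discussed in this thread, sketched as a service and timer pair. This is an added example, not configuration posted by either participant; the unit names, the `/srv/backup/...` paths and the `/usr/bin/mariabackup` location are assumptions, and whether these two writable paths are sufficient is exactly what the thread leaves to testing.

```ini
# --- /etc/systemd/system/mariabackup-hourly.service (name is an assumption) ---
[Unit]
Description=Hourly mariabackup run inside a read-only sandbox

[Service]
Type=oneshot
User=root

# Mount the whole filesystem hierarchy read-only for this process
# (the API filesystems /dev, /proc and /sys are not covered by this option).
ProtectSystem=strict

# Re-open for writing only the two locations named in the thread:
# the parent of --target-dir and the --tmpdir. Placeholder paths; both
# must already exist when the unit starts. /tmp is read-only under
# strict as well, which is why --tmpdir is pointed at a listed path.
ReadWritePaths=/srv/backup/mariadb /srv/backup/tmp

# mariabackup --backup wants a fresh target directory. Simplification
# for this example: the previous hourly copy is discarded first.
ExecStartPre=/usr/bin/rm -rf /srv/backup/mariadb/hourly

# Type=oneshot allows several ExecStart= lines; they run in order and
# the unit fails at the first command that exits non-zero.
ExecStart=/usr/bin/mariabackup --backup --target-dir=/srv/backup/mariadb/hourly --tmpdir=/srv/backup/tmp
ExecStart=/usr/bin/mariabackup --prepare --target-dir=/srv/backup/mariadb/hourly

# --- /etc/systemd/system/mariabackup-hourly.timer (name is an assumption) ---
[Unit]
Description=Run mariabackup-hourly.service every hour

[Timer]
OnCalendar=hourly
Persistent=true

[Install]
WantedBy=timers.target
```

A write to any path not listed in `ReadWritePaths=` fails with "Read-only file system", so a missing directory shows up in `journalctl -u mariabackup-hourly.service` on the first run.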