I prefer to sandbox systemd services with ProtectSystem=strict. Especially so when User=root.
So when ProtectSystem=strict, which dirs need to be ReadWritePaths to run `mariabackup --backup` and `mariabackup --prepare`? So far I got the --target-dir and the --tmpdir. Is that sufficient?
tia Tom
Hi Tom,
Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer.
MariaDB itself writes to log files, so maybe the file defined in `log_error` as well if you're applying these concepts to the server. (And aria_log_dir_path if you're using Aria)
But mariabackup - I think it should only write to --target-dir, but I encourage you to test to be certain that works for you.
Simon
-----Original Message-----
From: Tom Worster via discuss discuss@lists.mariadb.org
Sent: Tuesday, July 4, 2023 2:47 PM
To: discuss@lists.mariadb.org
Subject: [MariaDB discuss] Sandboxing mariabackup
I prefer to sandbox systemd services with ProtectSystem=strict. Especially so when User=root.
So when ProtectSystem=strict, which dirs need to be ReadWritePaths to run `mariabackup --backup` and `mariabackup --prepare`? So far I got the --target-dir and the --tmpdir. Is that sufficient?
tia Tom
On 7/6/2023 3:55:39 AM, "Simon Avery" Simon.Avery@atass-sports.co.uk wrote:
Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer.
Yeah, that's it.
I want to start hourly backups using a systemd timer and in the corresponding service I want ProtectSystem=strict. That tells systemd to run mariabackup in a sandbox with nearly all the filesystem mounted as read-only. This is appealing if the backup process has access to the datadir.
Tom
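A service and timer pair for the setup discussed in this thread, added here as an illustration and not posted by either participant. The unit names and the /srv/backup paths are constructed for the example, and the thread does not confirm that these two ReadWritePaths are sufficient, so treat the list as a starting point to test.

```ini
# /etc/systemd/system/mariabackup-hourly.service  (unit name is hypothetical)
[Unit]
Description=Hourly mariabackup run inside a read-only filesystem sandbox

[Service]
Type=oneshot
User=root
# Mount the whole file system hierarchy read-only for this process
# (except the API file systems /dev, /proc and /sys).
ProtectSystem=strict
# Writable exceptions: only the two locations named in the thread.
# Both paths are constructed for this example and must exist beforehand.
ReadWritePaths=/srv/backup/mariadb
ReadWritePaths=/srv/backup/tmp
# Assumption: connection options (user, socket) come from the option files.
# mariabackup wants an empty target directory, so each run gets its own
# timestamped one. "$$" and "%%" are systemd escapes for literal "$" and "%".
ExecStart=/bin/sh -c 'set -e; \
    dir=/srv/backup/mariadb/$$(date +%%Y%%m%%dT%%H%%M%%S); \
    mariabackup --backup --target-dir="$$dir" --tmpdir=/srv/backup/tmp; \
    mariabackup --prepare --target-dir="$$dir" --tmpdir=/srv/backup/tmp'

# /etc/systemd/system/mariabackup-hourly.timer  (unit name is hypothetical)
[Unit]
Description=Run mariabackup-hourly.service every hour

[Timer]
OnCalendar=hourly
Persistent=true

[Install]
WantedBy=timers.target
```

If a run needs a path that is missing from ReadWritePaths, the write fails with "Read-only file system", which shows up in `journalctl -u mariabackup-hourly.service`.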