I prefer to sandbox systemd services with ProtectSystem=strict. Especially so when User=root.

So when ProtectSystem=strict, which dirs need to be ReadWritePaths to run `mariabackup --backup` and `mariabackup --prepare`? So far I got the --target-dir and the --tmpdir. Is that sufficient?

tia
Tom
Hi Tom,
Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer.
MariaDB itself writes to log files, so maybe the file defined in `log_error` as well if you're applying these concepts to the server. (And aria_log_dir_path if you're using Aria)
But mariabackup - I think it should only write to --target-dir, but I encourage you to test to be certain that works for you.
Simon
On 7/6/2023 3:55:39 AM, "Simon Avery"

> Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer.

Yeah, that's it.

I want to start hourly backups using a systemd timer and in the corresponding service I want ProtectSystem=strict. That tells systemd to run mariabackup in a sandbox with nearly all the filesystem mounted as read-only. This is appealing if the backup process has access to the datadir.

Tom
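Added example, not part of the thread and not taken from either participant's setup: a timer and service pair for the arrangement discussed above, with only the `--target-dir` parent and the `--tmpdir` reopened for writing. The unit names and both directory paths are assumptions, and connection credentials are assumed to come from an option file.

```ini
# /etc/systemd/system/mariabackup-hourly.service  (hypothetical unit name)
[Unit]
Description=Hourly mariabackup in a read-only filesystem sandbox

[Service]
Type=oneshot
User=root
# Mount nearly the whole file system hierarchy read-only for this process,
# including the datadir, which mariabackup only needs to read.
ProtectSystem=strict
# Reopen only the two locations named in the thread (paths are assumed).
# Both directories must already exist when the unit starts.
ReadWritePaths=/var/backups/mariadb /var/tmp/mariabackup
# mariabackup wants a fresh --target-dir for each run, so every run writes to
# a timestamped subdirectory of the writable parent.
# In ExecStart, $$ is a literal $ and %% is a literal %.
ExecStart=/bin/sh -c 'exec /usr/bin/mariabackup --backup --target-dir="/var/backups/mariadb/$$(date +%%Y%%m%%dT%%H%%M%%S)" --tmpdir=/var/tmp/mariabackup'

# /etc/systemd/system/mariabackup-hourly.timer  (hypothetical unit name)
[Unit]
Description=Run mariabackup-hourly.service every hour

[Timer]
OnCalendar=hourly
Persistent=true

[Install]
WantedBy=timers.target
```

The thread does not confirm that these two paths are enough. A write outside them fails with a read-only file system error in the unit's journal (`journalctl -u mariabackup-hourly.service`), which shows any path that still has to be added.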