Full system backup into multiple host repository

I don’t know if this is a dumb question, maybe because I don’t have enough knowledge about this subject, but this is my scenario: I have three machines and a home server in my local network. The three machines send daily backups to their own repository (just their /home directory). All repositories are located on an HDD attached to my home server and the transfer is done via sftp. The server is also backing up to the HDD, to its own repository.

What I want to do:

I want a single repository for all machines including the server but the server itself seems to be the problem.

What I did:

I created a new repository with a regular user (non-root user). Once I created the repository I did a test backup of all machines and it went fine but as soon as I did a backup for the server (using the root account) the repository became inaccessible for all the other users. This was using just one key.

The second time I created a repository and created two keys just to test if that was the problem. I created a key for the admin user and another one for the root user. Once the keys were created I did a test backup for the admin user and it gave me errors. In fact, every command I tried (backup, snapshots, etc.) gives me the same error. I did a backup for the root user and it went okay. Everything done by the root user is okay.

What about the output?

# create keys with regular user

[admin]:/mnt/ExternalDrive $ restic -r ./repo key list
enter password for repository: 
repository bd12621d opened successfully, password is correct
 ID          User        Host        Created
----------------------------------------------------------------------
 6c65a34c    admin       server      2018-09-09 14:34:33
*e46409ff    admin       server      2018-09-09 14:33:25
----------------------------------------------------------------------

# changing key for root

[root]:/mnt/ExternalDrive # restic -r ./repo key passwd
enter password for repository: 
repository bd12621d opened successfully, password is correct
enter password for new key: 
enter password again: 
saved new key as <Key of root@server, created on 2018-09-09 14:35:31.972671828 -0400 EDT m=+10.564116728>

# list keys

[root]:/mnt/ExternalDrive # restic -r ./repo key list
enter password for repository: 
repository bd12621d opened successfully, password is correct
 ID          User        Host        Created
----------------------------------------------------------------------
*5d4aa11b    root        server      2018-09-09 14:35:31
 e46409ff    admin       server      2018-09-09 14:33:25
----------------------------------------------------------------------

# listing keys with the regular user

[admin]:/mnt/ExternalDrive $ restic -r ./repo key list
enter password for repository: 
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 658.623438ms: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 1.104471145s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 1.140137723s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 2.251098731s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 2.718723783s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 3.026445999s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 5.048927499s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 9.182446691s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
  signal interrupt received, cleaning up

# trying to backup as regular user

[admin]:/mnt/ExternalDrive $ restic -r ./repo backup /home/admin
enter password for repository: 
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 430.682604ms: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 844.318289ms: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 1.374246337s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 1.305006662s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
Load(<key/5d4aa11bf4>, 0, 0) returned error, retrying after 3.776074804s: open repo/keys/5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5: permission denied
  signal interrupt received, cleaning up

# ownership on repo

[root]:/mnt/ExternalDrive # ls -la ./repo
total 32
drwx------   7 admin admin 4096 Sep  9 14:33 .
drwx------   7 admin admin 4096 Sep  9 14:33 ..
-rw-------   1 admin admin  155 Sep  9 14:33 config
drwx------ 258 admin admin 4096 Sep  9 14:33 data
drwx------   2 admin admin 4096 Sep  9 14:33 index
drwx------   2 admin admin 4096 Sep  9 14:35 keys
drwx------   2 admin admin 4096 Sep  9 14:37 locks
drwx------   2 admin admin 4096 Sep  9 14:33 snapshots

# keys/ ownership

[root]:/mnt/ExternalDrive # ls -la ./repo/keys
total 16
drwx------ 2 admin admin   4096 Sep  9 14:35 .
drwx------ 7 admin admin   4096 Sep  9 14:33 ..
-rw------- 1 root root      452 Sep  9 14:35 5d4aa11bf4d8cc571a16ae84cac89c4e40a5491e6a4ea89e6d34a781e962b9b5
-rw------- 1 admin admin    450 Sep  9 14:33 e46409ff1df1cd3e514a39cbc57f6419f5b6efc17a2c65b7c82cc197113b126b

Others:

  • Another thing that I noticed was that when I did the first test using the same key for all hosts, after the error, I deleted the snapshot of the root user and everything went back to normal. I could use the “normal users” again in the same repo.
  • In the second test I had to remove the root key to go back to normal.
  • During these tests I noticed that when you mount a repository with one user key you can still see the other hosts’ snapshots and the data. Can this be restricted to only see the snapshots for their own key?

What I’m assuming is that the root account is taking ownership and that is why it doesn’t allow me to do anything with another user.

I don’t know if what I’m trying to do makes sense or not. For now I’ll keep the server repository. Thanks in advance for your help.

PS.: I’m using restic 0.9.2 on all hosts and the server; all machines are GNU/Linux.

Basically it was all my bad. I thought about deleting this subject but maybe it can be helpful for some noob like me trying to find some answers. I tried this but it didn’t really help. What I did was to create a new user with root capabilities, like it says in the docs but:

:~ # useradd -m -ou 0 -g 0 restic

Then create a password:

:~ # passwd restic

This way you’re already giving the new user called restic root privileges and creating a /home for the new user (-m option). So, all you have to do after that is to create a repo with this new user to share it with multiple computers and connect via ssh using this new user. Obviously, you have to take precautions because it is really not a good idea to open ssh access to any user who has root privileges.

It was a pretty dumb and simple problem but it can burn your brain if you’re not really sure what you’re looking to accomplish or simply don’t have a lot of knowledge about this subject.


Glad you figured it out! It really looked like a file system permission issue… the best solution would be to always use the same system user for accessing the files (either via sftp or locally), which is what you implemented :)

If you ask me, I’d recommend not creating a new root user, but using a low-privilege restic user and using this one for logging into the server from the other machines. For the local machine, either run restic as that user (e.g. by giving it special permissions) or run restic as root and then run chown -R restic:restic /path/to/repo afterwards to give all other machines access to the files.

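Added example, not part of the original thread and not restic's own tooling: a read-only check for the failure shown in the question, where a root-owned file under keys/ locks out every other user. It lists anything in a local repository not owned by the shared backup account; the account name, the repository path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit a local restic repository for files the shared
# backup account does not own. Account name and paths are assumptions.

# Print every file or directory under REPO that is not owned by OWNER
# (a user name or a numeric uid). Nothing is modified.
foreign_files() {
    repo=$1; owner=$2
    find "$repo" ! -user "$owner" -print
}

# Return 0 when the whole repository belongs to OWNER, 1 otherwise.
repo_owner_ok() {
    [ -z "$(foreign_files "$1" "$2")" ]
}

# Build a constructed repository skeleton (same layout as the ls output
# in the question) so the check can be tried away from a real repository.
make_sample_repo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/data" "$dir/index" "$dir/keys" "$dir/locks" "$dir/snapshots"
    : > "$dir/config"
    : > "$dir/keys/constructed-key-1"
    : > "$dir/keys/constructed-key-2"
    chmod -R go-rwx "$dir"
    printf '%s\n' "$dir"
}

# Usage: sh audit.sh /path/to/repo restic
if [ "$#" -eq 2 ]; then
    if repo_owner_ok "$1" "$2"; then
        echo "ok: everything under $1 is owned by $2"
    else
        # The group is assumed to have the same name as the user.
        echo "not owned by $2 (fix as root: chown -R $2:$2 $1):"
        foreign_files "$1" "$2"
        exit 1
    fi
fi
```

Running it after each root-run backup on the server shows whether the chown step from the answer above is still needed before the other machines connect.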

You know what? I even changed the solution to yours because, again, I was not totally right. In my defense, English is not my first language. I misunderstood the docs, where, clearly, it is all there, but even when I tried that I was focusing on the “right permissions” on the user instead of the binary. So I didn’t set the cap and maybe that was my bad. I did it again right now with another user that I had already created and it is working like a charm. Thank you for taking your time and giving me the right answer.
