Unable to run Restic with systemd timers

I’ve set a systemd timer to run a Restic backup script daily, but each time it’s supposed to run it ends with an error. I checked the status log of the service and it’s the following:

Feb 28 08:35:07 fedora systemd[1871]: Starting restic-backup.service - Restic backup service...
Feb 28 08:35:07 fedora restic[1895]: open repository
Feb 28 08:35:07 fedora restic[1895]: Fatal: unable to open config file: Stat: Get "https://s3.us-west-004.backblazeb2.com/REDACTED/?location=": dial tcp: lookup s3.us-west-004.bac>
Feb 28 08:35:07 fedora restic[1895]: Is there a repository at the following location?
Feb 28 08:35:07 fedora restic[1895]: s3:s3.us-west-004.backblazeb2.com/REDACTED
Feb 28 08:35:07 fedora systemd[1871]: restic-backup.service: Main process exited, code=exited, status=1/FAILURE
Feb 28 08:35:07 fedora systemd[1871]: restic-backup.service: Failed with result 'exit-code'.
Feb 28 08:35:07 fedora systemd[1871]: Failed to start restic-backup.service - Restic backup service.

The config files are present though and I’ve confirmed the script works multiple times, by running it manually with systemctl --user start restic-backup. This only happens with the daily timer. Any idea of what’s going on?

Hi 👋

Is this a user unit (in your home folder), or system (/etc/systemd…)?

Can you paste the service file, redacted of course? Looks like it can use some environment variables.

It’s a user unit. The service file looks like this:

[Unit]
Description=Restic backup service
[Service]
Type=oneshot
ExecStart=restic backup --verbose --one-file-system --tag systemd.timer --exclude-file /home/duck/.config/Restic/exclude.txt --exclude-if-present .exclude_from_backup --files-from /home/duck/.config/Restic/include.txt
ExecStartPost=restic forget --verbose --tag systemd.timer --group-by "paths,tags" --keep-daily $RETENTION_DAYS --keep-weekly $RETENTION_WEEKS --keep-monthly $RETENTION_MONTHS --keep-yearly $RETENTION_YEARS
EnvironmentFile=%h/.config/Restic/restic-backup.conf

Environment variables are stored in the .conf file like this:

RETENTION_DAYS=7
RETENTION_WEEKS=4
RETENTION_MONTHS=6
RETENTION_YEARS=3
AWS_SECRET_ACCESS_KEY='REDACTED'
AWS_ACCESS_KEY_ID='REDACTED'
RESTIC_REPOSITORY='REDACTED'
RESTIC_PASSWORD='REDACTED'

Hmm this looks OK. But could you expand the line with unable to open config file? There is something going on with connection/name resolution maybe? (dial tcp: lookup…)

From the initial error message: Get "https://s3.us-west-004.backblazeb2.com/REDACTED/?location=": dial tcp: lookup s3.us-west-004.bac>

Please check that you are able to connect to that server, for example, using curl https://s3.us-west-004.backblazeb2.com (should return an AccessDenied error).

Do you have any proxy settings or similar configured?

systemctl cat <service> will also tell you the applied unit configuration systemd is using, including any drop-ins that may have been forgotten about; looking at the .service file doesn’t always tell the whole story.

I’ve seen connect/DNS failures in systemd services when using certain sandboxing directives.

It is indeed an error in name resolution:

Feb 29 08:55:47 fedora restic[1837]: Fatal: unable to open config file: Stat: Get "https://s3.us-west-004.backblazeb2.com/REDACTED/?location=": dial tcp: lookup s3.us-west-004.backblazeb2.com: Temporary failure in name resolution

I can connect to it though, curl returns the AccessDenied error. No proxies or anything that I’m using.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error>
    <Code>AccessDenied</Code>
    <Message>Unauthenticated requests are not allowed for this api</Message>
</Error>

This is what it looks like when I do systemctl --user cat restic-backup

# /home/duck/.config/systemd/user/restic-backup.service
[Unit]
Description=Restic backup service
[Service]
Type=oneshot
ExecStart=restic backup --verbose --one-file-system --tag systemd.timer --exclude-file /home/duck/.config/Restic/exclude.txt --exclude-if-present .exclude_from_backup --files-from /home/duck/.config/Restic/include.txt
ExecStartPost=restic forget --verbose --tag systemd.timer --group-by "paths,tags" --keep-daily $RETENTION_DAYS --keep-weekly $RETENTION_WEEKS --keep-monthly $RETENTION_MONTHS --keep-yearly $RETENTION_YEARS
EnvironmentFile=%h/.config/Restic/restic-backup.conf

# /usr/lib/systemd/user/service.d/10-timeout-abort.conf
# This file is part of the systemd package.
# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
#
# To facilitate debugging when a service fails to stop cleanly,
# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
# the time allotted. This will cause the service to be terminated with SIGABRT
# and a coredump to be generated.
#
# To undo this configuration change, create a mask file:
#   sudo mkdir -p /etc/systemd/user/service.d
#   sudo ln -sv /dev/null /etc/systemd/user/service.d/10-timeout-abort.conf

[Service]
TimeoutStopFailureMode=abort

How is DNS configured on your system, in particular what is configured in /etc/resolv.conf and /etc/nsswitch.conf?

/etc/resolv.conf has the following:

nameserver 127.0.0.53
options edns0 trust-ad
search .

And /etc/nsswitch.conf:

passwd:     files sss systemd
shadow:     files
group:      files sss systemd
hosts:      files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
services:   files sss
netgroup:   files sss
automount:  files sss

aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

Additionally, you can try running the following command in a shell as the user of the service. It attempts a name resolution for the given FQDN:

❯ systemd-run --user --wait -p SuccessExitStatus=11 dig +short s3.us-west-004.backblazeb2.com
Running as unit: run-u1637.service
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 196ms
CPU time consumed: 15ms

You can check the output of the command like this afterwards:

❯ journalctl --user --since '5 min ago' --identifier=systemd --identifier=dig
Mär 03 18:22:37 plumbus systemd[1391]: Started /usr/bin/dig +short s3.us-west-004.backblazeb2.com.
Mär 03 18:22:37 plumbus dig[217633]: 149.137.130.10
Mär 03 18:22:37 plumbus dig[217633]: 149.137.133.254
Mär 03 18:22:37 plumbus dig[217633]: 149.137.135.254
Mär 03 18:22:37 plumbus dig[217633]: 149.137.129.254

I’m a bit surprised to see both mdns4_minimal [NOTFOUND=return] and resolve [!UNAVAIL=return] here, but I don’t know what the default for Fedora is.

Other than that, is systemd-resolved working correctly, does dig @127.0.0.53 s3.us-west-004.backblazeb2.com work?
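
Added example (not part of any post in the thread): the hosts: line quoted above, walked through glibc's NSS action rules to show which sources are consulted and which status reaches the caller. The per-service statuses in SCENARIOS are constructed assumptions, and the function names are illustrative; the thread does not establish which case applies when the timer fires.

```python
import re

# glibc defaults: only SUCCESS stops the lookup.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# The hosts: line quoted in the thread.
HOSTS_LINE = ("hosts:      files myhostname mdns4_minimal [NOTFOUND=return] "
              "resolve [!UNAVAIL=return] dns")

def parse_hosts_line(line):
    """Return [(service, {status: action})] for an nsswitch.conf hosts: line."""
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action item before any service")
        actions = chain[-1][1]
        for item in token.strip("[]").split():
            status, action = item.split("=", 1)
            status, action = status.upper(), action.lower()
            if status.startswith("!"):
                # [!X=act] sets act for every status except X.
                for other in DEFAULTS:
                    if other != status[1:]:
                        actions[other] = action
            else:
                actions[status] = action
    return chain

def lookup(chain, statuses):
    """Walk the chain; statuses maps service -> status it reports (assumed)."""
    consulted, status = [], "UNAVAIL"
    for service, actions in chain:
        status = statuses.get(service, "UNAVAIL")
        consulted.append(service)
        if actions[status] == "return":
            break
    return status, consulted

# Constructed scenarios: per-service statuses are assumptions, not measurements.
BASE = {"files": "NOTFOUND", "myhostname": "NOTFOUND", "mdns4_minimal": "UNAVAIL"}
SCENARIOS = {
    "resolved answers": {**BASE, "resolve": "SUCCESS"},
    "resolved up, no upstream yet": {**BASE, "resolve": "TRYAGAIN", "dns": "SUCCESS"},
    "resolved not running": {**BASE, "resolve": "UNAVAIL", "dns": "SUCCESS"},
}

if __name__ == "__main__":
    chain = parse_hosts_line(HOSTS_LINE)
    for name, statuses in SCENARIOS.items():
        print(f"{name:30} -> {lookup(chain, statuses)}")
```

With [!UNAVAIL=return] on resolve, the trailing dns entry is only reached when resolve reports UNAVAIL; a TRYAGAIN from resolve is returned to the caller as-is.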