
I've posted the question and my own solution to this problem, to make it available to others.

This relates to borg backup and was posted to this borg GitHub issue: Allow check on read-only filesystems

Trying to access a remote borg repository for list, info, mount and other read-only actions fails when the remote repository resides on a ZFS snapshot (read-only).

I'm backing up using borg with daily pruning (borg prune ...) for encryption and remote ZFS snapshots for retention (and backup destruction protection).

The crucial reason for doing so is to protect the backed-up data on the remote backup server from an attacker who has access to the host doing the backing up. With read-only ZFS snapshots, the attacker is unable to delete remote backups.

Thus far, I've attempted borg list, which fails with:

Remote: borg.locking.LockFailed: ('/data/backup/.zfs/snapshot/daily_2017-05-23/home/lock.exclusive', "[Errno 30] Read-only file system: '/data/backup/.zfs/snapshot/daily_2017-05-23/home/lock.exclusive'")

zoot

1 Answer


The issue is that borg is unable to create the lock file inside the remote repo, because it resides on the remote read-only ZFS snapshot:

user@server:~/.zfs/snapshot/snapshot_name/repo/lock.exclusive

I have a relatively elegant workaround for this.

It creates a directory on a writable filesystem, linking the snapshot's contents into it.

The below assumes you're only permitted to run remote ssh commands as user@server, without full shell access.

[user@client:~]

repo='foo'
snap='daily_2017-05-23'

ssh user@server "mkdir $repo.snap"

targets=$(ssh user@server "ls .zfs/snapshot/$snap/$repo")

for t in $targets; do
    ssh user@server "ln -s ../.zfs/snapshot/$snap/$repo/$t $repo.snap/$t"
done

borg list user@server:$repo.snap
zoot
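
The same link-farm idea as a local, self-checking sketch, added here as an example and not part of the original answer: a chmod'ed directory stands in for the read-only snapshot, and the function names and paths are assumptions. Only top-level entries are linked, so a lock file lands in the writable directory while `data/` and everything beneath it still resolves into the read-only copy.

```shell
#!/bin/sh
# Added example. All paths are constructed; nothing here talks to borg or ZFS.

# make_fake_snapshot DIR: constructed layout mimicking a borg repo,
# made unwritable to stand in for a ZFS snapshot.
make_fake_snapshot() {
    mkdir -p "$1/data/0" && echo seg > "$1/data/0/1" &&
    echo cfg > "$1/config" && chmod -R a-w "$1"
}

# link_farm SNAP_REPO FARM: create FARM on a writable filesystem and
# symlink every top-level entry of the read-only repo copy into it.
link_farm() {
    snap_repo=$(cd "$1" 2>/dev/null && pwd) || {
        echo "no such repo: $1" >&2; return 1; }
    # Refuse to reuse an existing directory: stale links or a leftover
    # lock from an earlier snapshot would end up mixed into this view.
    mkdir "$2" || return 1
    for entry in "$snap_repo"/* "$snap_repo"/.[!.]*; do
        [ -e "$entry" ] || continue          # glob matched nothing
        ln -s "$entry" "$2/$(basename "$entry")" || return 1
    done
    return 0
}

# links_resolve_into SNAP_REPO FARM: succeed only if every symlink in
# FARM points inside SNAP_REPO. Regular files (locks) are skipped.
links_resolve_into() {
    snap_repo=$(cd "$1" 2>/dev/null && pwd) || return 1
    for l in "$2"/* "$2"/.[!.]*; do
        [ -L "$l" ] || continue
        case $(readlink "$l") in
            "$snap_repo"/*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

Running `links_resolve_into` before pointing borg at the farm confirms that everything borg reads comes from the snapshot and not from files placed in the writable directory.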