[CentOS] Borgbackup question

Mon Mar 2 12:18:09 UTC 2020
Tobias Kirchhofer <collect at shift.agency>

On 2 Mar 2020, at 12:58, Alessandro Baggi wrote:

> On 01/03/20 20:18, Tobias Kirchhofer wrote:
>> On 1 Mar 2020, at 20:00, Gordon Messmer wrote:
>>> On 3/1/20 12:40 AM, Alessandro Baggi wrote:
>>>> borgbackup is a very interesting backup tool with a lot of
>>>> features. Is it ready for "production" or should I expect some bad
>>>> surprise?
>>> I don't know the answer to that, but to me that implies two 
>>> questions: 1) Are there failure conditions that it doesn't handle, 
>>> especially with an interrupted backup, and 2) Does it perform poorly 
>>> under any specific circumstances.  If anyone has experience with 
>>> those questions, or is familiar enough with the implementation to 
>>> explain why those should not be an issue, I'd be interested in their 
>>> input as well.
>>> I use borgbackup for several laptops backing up to a local file 
>>> server with sshfs, and that's been good so far.
>> We have around 50 linux clients with borg backups to two different
>> backup servers, provisioned with Ansible. A new host is in the backup
>> in around 30 seconds :) One backup server is internal for DMZ and LAN
>> and one is for external hosts. The internal backup server syncs its
>> backup to the external server. Storage is made with ZFS summed up to
>> 16 TB each server.
>> This runs nicely for around two years without interruption. We
>> learned a bit here and there about some side effects with borg cache
>> in the beginning and invested some time in hardening and Ansible
>> role.
>> Before we chose borg, restic was on the list. Looks good too. Do not
>> know anymore why we decided for borg. Maybe the name :)
>> We started here
>> https://borgbackup.readthedocs.io/en/stable/deployment/central-backup-server.html
>> Tobias
> Hi Tobias,
> How do you secure the process?

Plain ssh:

authorized_keys on the backup server:

command="borg serve --restrict-to-path /borgbackup/vm/host-name-of-backup-client --append-only" ssh-ed25519 AAAAC3NzaC1… root@host-name-of-backup-client

collect at shift.agency
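
An added example, not part of the original message or of borg itself: a small Python audit of a backup server's authorized_keys file that flags keys lacking the forced "borg serve" command, --restrict-to-path or --append-only shown above. It goes beyond the post in two checks (the sshd "restrict" key option, and two keys confined to the same path); the sample entries, host names and key strings are constructed placeholders.

```python
import shlex

def split_unquoted(text, seps):
    """Split text on any character in seps that sits outside double quotes."""
    parts, quoted = [""], False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return [p for p in parts if p]

def audit(text):
    """Return [(line_no, problem)] for an authorized_keys file of borg clients."""
    problems, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        fields, opts = split_unquoted(line.strip(), " \t"), {}
        if not fields or fields[0].startswith("#"):
            continue
        if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):  # options come first
            for opt in split_unquoted(fields[0], ","):
                name, _, value = opt.partition("=")
                opts[name.lower()] = value.strip('"')
        # Flatten "--flag=value" into "--flag", "value" so both spellings match.
        args = [p for a in shlex.split(opts.get("command", "")) for p in a.split("=", 1)]
        if len(args) < 2 or args[0].rsplit("/", 1)[-1] != "borg" or args[1] != "serve":
            problems.append((no, "no forced 'borg serve' command"))
            continue
        paths = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "--restrict-to-path"]
        checks = (("restrict" in opts, "missing 'restrict' key option"),  # not in the post
                  ("--append-only" in args, "missing --append-only"),
                  (bool(paths), "missing --restrict-to-path"))
        problems += [(no, msg) for ok, msg in checks if not ok]
        for path in paths:
            if seen.setdefault(path, no) != no:  # another key already uses this directory
                problems.append((no, f"path shared with line {seen[path]}"))
    return problems

SAMPLE = """\
# constructed sample: host names and key material are placeholders
command="borg serve --restrict-to-path /borgbackup/vm/client-a --append-only",restrict ssh-ed25519 AAAAPLACEHOLDER root@client-a
command="borg serve --restrict-to-path /borgbackup/vm/client-b" ssh-ed25519 AAAAPLACEHOLDER root@client-b
ssh-ed25519 AAAAPLACEHOLDER root@client-c
command="borg serve --restrict-to-path /borgbackup/vm/client-a --append-only",restrict ssh-ed25519 AAAAPLACEHOLDER root@client-d
"""

if __name__ == "__main__":
    print(*(f"line {n}: {p}" for n, p in audit(SAMPLE)), sep="\n")
```

The "restrict" option (OpenSSH 7.2 and later) turns off port, agent and X11 forwarding and PTY allocation for the key, which a forced command alone does not.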