Container Backups with Restic · Changes

Backup user with restricted sudo privileges authored May 23, 2021 by Mara Karagianni
Container-Backups-with-Restic.md
View page @ 420cbe3b
......@@ -28,21 +28,44 @@ Note: all system paths and parameters in this HOWTO are fictional.
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
https://www.simplified.guide/ssh/copy-public-key
**2. How to run the backup command without root privilege**
**2. How to run the backup command without root privilege?**
The idea is to execute the restic binary with a backup user, aka execute a binary meant for root without being root.
As root we add a new user
`# useradd backupuser`
*creates the new user and a group with the same name*
`# chown root:backupuser /usr/bin/restic`
*makes user root and group backupuser owners of the restic binary*
`# chmod 750 /usr/bin/restic`
*user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary*
`# setcap cap_dac_read_search=+ep ~backupuser/bin/restic`
*assigns capabilities to backup the whole system*
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
\ No newline at end of file
*extends the capabilities of backupuser to backup the whole system*
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
**3. How to run specific root commands by a non root user?**
*Note: we need that for stopping, checking status and starting of the lxc containers.
Best practice is to run our LXC containers rootless. This requires a different configuration of the containers' network setup, see details at
https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/*
Here we will give the backupuser restricted root privilege for the specific lxc commands we need to run during the backup process.
Give the backup user the access for specific commands to be executed as 'root'.
Add these commands in a new file under /etc/sudoers.d/
`vi /etc/sudoers.d/00-backupuser`
`bintibackup ALL=(ALL) NOPASSWD: /usr/bin/lxc-stop, /usr/bin/lxc-start, /usr/bin/lxc-info, /usr/bin/lxc-ls`
*https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/*
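Review bot: The sudoers entry at the end of section 3 grants the rule to `bintibackup`, while every other step creates and configures `backupuser` and the file itself is named `00-backupuser`, so as written the rule does not cover the backup account; use the same name throughout. The same line uses `ALL=(ALL)`, which allows running the commands as any user; `(root)` is all the section asks for. Because the four lxc commands are listed without arguments, the account can pass any options to them as root, so consider pinning each entry to the container names the backup actually handles. Creating the file with `visudo -f /etc/sudoers.d/00-backupuser` instead of `vi` would catch syntax errors before they are saved. In section 2, `chown` and `chmod` act on `/usr/bin/restic` but `setcap` targets `~backupuser/bin/restic`; the capability and the 750 restriction need to be on the same binary, and `useradd backupuser` as shown does not request a home directory for the second path. The reworded description ("extends the capabilities of backupuser") should also say that the capability is set on the binary, not the user, which is why limiting execute permission to the group matters.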