resticprofile icon indicating copy to clipboard operation
resticprofile copied to clipboard

Published 20 hours ago verified publisher icon creativeprojects

run system scheduler as different user

Open arkanoid87 opened this issue 1 year ago • 7 comments

  • system scheduler allow running even if user is not logged in, but it writes new snapshots as root:root
  • user scheduler preserves permission and writes snapshots as if they were written by the user, but can't be scheduled to run by system when user is not logged in

To get the best of both worlds it is possible to set systemd unit to run as specific user https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#User=

problem can't be solved by providing systemd templates as they are declared in global section of configuration, but we need a per-user (or --profile) change (run-as username)

arkanoid87 avatar Feb 27 '24 18:02 arkanoid87

How about drop in files, they can be configured by profile: https://creativeprojects.github.io/resticprofile/schedules/systemd/index.html#systemd-drop-in-files

jkellerer avatar Feb 28 '24 10:02 jkellerer

Thanks! Sorry, I somehow skipped that section of the manual. It seems a perfect solution to the problem! I just re-scheduled my profiles, I'll close the issue after first round or timers.

arkanoid87 avatar Feb 29 '24 00:02 arkanoid87

systemd-drop-in-files seems to work, but drags some issue into the picture, like HOME folder not set properly when "User=" property is set, and this causes restic to complain about permission denied on "/root/.cache/restic"

One fix is to set cache-dir on resticprofile profile.

But the right way to do this probably is to switch back to "user" scheduler but enable linger https://wiki.archlinux.org/title/systemd/User#Automatic_start-up_of_systemd_user_instances

maybe it is worth speaking about linger in resticprofile system user scheduler?

arkanoid87 avatar Feb 29 '24 18:02 arkanoid87

do you know if enable linger would make resticprofile systemd user schedule behave just like the root one does?

arkanoid87 avatar Mar 02 '24 06:03 arkanoid87

do you know if enable linger would make resticprofile systemd user schedule behave just like the root one does?

No I don't know, I don't use user scheduling on any of my linux machines.

But I can certainly mention it in the documentation. It's not something resticprofile should setup automatically though.

Have you tried it yourself?

creativeprojects avatar Mar 04 '24 20:03 creativeprojects

I had same issue, and drop in config with specifying User, Group and replacing Environment works perfectly now. I am quite surprised that this is not part of resticprofile. Are there any reasons why is not implemented? Thanks!

gamelaster avatar Apr 18 '24 11:04 gamelaster

User based schedules are implemented by using resticprofile schedule from a the desired user account and everything including the profile config is read from the user context. What is not implemented is a user switch so that the root scheduler can be used out of the box. Therefore linger may be needed to run user backups when the user is not logged in.

Changing the user automatically (so that the root scheduler can be used) adds additional complexity as secrets that may just be readable by root must be transferred into a user process.

That said, systemd templates or drop-ins allow to configure it and force you to setup permissions and env so that the user context is working correctly. I do see a benefit of an automatic approach here but it is also not easy to setup and get right for a little savings in config work that could also be documented to get you started.

jkellerer avatar Apr 18 '24 14:04 jkellerer