Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/restic: correct location of cache directory #99579

Merged
merged 1 commit into from Jan 31, 2021
Merged

nixos/restic: correct location of cache directory #99579

merged 1 commit into from Jan 31, 2021

Conversation

eliasp
Copy link
Member

@eliasp eliasp commented Oct 4, 2020
edited

Motivation for this change

By default, restic determines the location of the cache based on the XDG
base dir specification, which is ~/.cache/restic when the environment
variable $XDG_CACHE_HOME isn't set.
As restic is executed as root by default, this resulted in the cache being
written to /root/.cache/restic, which is not quite right for a system
service and also meant, multiple backup services would use the same cache
directory - potentially causing issues with locking, data corruption,
etc.

The goal was to ensure, restic uses the correct cache location for a
system service - one cache per backup specification, using /var/cache
as the base directory for it.

systemd sets the environment variable $CACHE_DIRECTORY once
CacheDirectory= is defined, but restic doesn't change its behavior
based on the presence of this environment variable.
Instead, the specifier [1] %C can be used to point restic explicitly
towards the correct cache location using the --cache-dir argument.

Furthermore, the CacheDirectoryMode= was set to 0700, as the default
of 0755 is far too open in this case, as the cache might contain
sensitive data.

[1] https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Specifiers

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@eliasp eliasp requested a review from mbrgm October 21, 2020 10:45
@eliasp eliasp requested a review from cole-h January 19, 2021 22:20
@cole-h cole-h requested review from jerith666 and Mic92 and removed request for cole-h January 19, 2021 22:26
@jerith666
Copy link
Contributor

Looks quite reasonable. I merged it locally and will report back after I see whether a couple of nightly backups work okay.

jerith666
jerith666 approved these changes Jan 28, 2021
View reviewed changes
Copy link
Contributor

@jerith666 jerith666 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nightly backups seem to be working just fine; approving.

@eliasp
Copy link
Member Author

eliasp commented Jan 28, 2021
edited

Do we have to take care of the now stale /root/.cache/restic? After this change, this is basically left to rot and consume unnecessarily diskspace…

And if so, what approach could be used to handle this?

@jerith666
Copy link
Contributor

Good point. We could add a release note, not sure what else to do beyond that.

@cole-h
Copy link
Member

cole-h commented Jan 28, 2021

+1 to a release note.

@eliasp
Copy link
Member Author

eliasp commented Jan 29, 2021

I added a release note and amended it into the existing commit.
Please have a brief look, it's close to 10 years that I wrote my last docbook XML 😄

@eliasp
nixos/restic: correct location of cache directory
3b1de09 
By default, restic determines the location of the cache based on the XDG
base dir specification, which is `~/.cache/restic` when the environment
variable `$XDG_CACHE_HOME` isn't set.
As restic is executed as root by default, this resulted in the cache being
written to `/root/.cache/restic`, which is not quite right for a system
service and also meant, multiple backup services would use the same cache
directory - potentially causing issues with locking, data corruption,
etc.

The goal was to ensure, restic uses the correct cache location for a
system service - one cache per backup specification, using `/var/cache`
as the base directory for it.

systemd sets the environment variable `$CACHE_DIRECTORY` once
`CacheDirectory=` is defined, but restic doesn't change its behavior
based on the presence of this environment variable.
Instead, the specifier [1] `%C` can be used to point restic explicitly
towards the correct cache location using the `--cache-dir` argument.

Furthermore, the `CacheDirectoryMode=` was set to `0700`, as the default
of `0755` is far too open in this case, as the cache might contain
sensitive data.

[1] https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Specifiers
cole-h
cole-h approved these changes Jan 31, 2021
View reviewed changes
Copy link
Member

@cole-h cole-h left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff LGTM. Thanks!

@cole-h cole-h merged commit 27da119 into NixOS:master Jan 31, 2021
@cole-h
Copy link
Member

cole-h commented Jan 31, 2021

Also, thanks for such a great commit message. We should all strive to be as detailed as you were :)

@eliasp eliasp deleted the restic-cache-directory branch January 31, 2021 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jerith666 jerith666 jerith666 approved these changes

@cole-h cole-h cole-h approved these changes

@mbrgm mbrgm Awaiting requested review from mbrgm

@Mic92 Mic92 Awaiting requested review from Mic92

Assignees
No one assigned
Labels
6.topic: nixos 8.has: changelog 8.has: documentation 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@eliasp @jerith666 @cole-h