{"id":19556,"date":"2022-11-28T08:19:13","date_gmt":"2022-11-28T13:19:13","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=19556"},"modified":"2023-01-26T11:55:32","modified_gmt":"2023-01-26T16:55:32","slug":"borgbackup-repository-on-dsm-7-0","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2022\/11\/28\/borgbackup-repository-on-dsm-7-0\/","title":{"rendered":"BorgBackup Repository on DSM 7.0"},"content":{"rendered":"\n<p>A few years back I began <a href=\"https:\/\/nuxx.net\/blog\/2020\/01\/08\/borgbackup-repository-on-synology-dsm-6-2-2\/\" data-type=\"post\" data-id=\"18844\">using Borg for backing up nuxx.net<\/a>, sending it home to my Synology DSM 1019+. At the time this was running the 6.x family of <a href=\"https:\/\/www.synology.com\/en-us\/dsm\">DSM<\/a> and worked great, but it broke after moving to <a href=\"https:\/\/www.synology.com\/en-us\/DSM70\">v7.0<\/a>. Attempts to run Borg would result in this error:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/services\/homes\/borguser\/borg: error while loading shared libraries: libz.so.1: failed to map segment from shared object<\/code><\/pre>\n\n\n\n<p>This appears to be happening because with the upgrade to v7.0 <code>\/tmp<\/code> is mounted noexec.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>adminuser@diskstation:\/var\/services\/homes\/borguser$ mount | grep \/tmp\n<strong>tmpfs on \/tmp type tmpfs (rw,nosuid,nodev,noexec)<\/strong>\nadminuser@diskstation:\/var\/services\/homes\/borguser$<\/code><\/pre>\n\n\n\n<p>While a few online solutions (such as <a href=\"https:\/\/stackoverflow.com\/questions\/57796839\/docker-compose-error-while-loading-shared-libraries-libz-so-1-failed-to-map-s\">this one<\/a>) propose remounting <code>\/tmp<\/code> with exec, this is a poor solution as it changes the security model for DSM v7.0 and may break in the future during an upgrade. 
The best solution for this is to create a private temp directory for just borguser and define it as <code>$TMPDIR<\/code>.<\/p>\n\n\n\n<p>To do this, create <code>~borguser\/tmp<\/code>, ensure it&#8217;s owned by your Borg user, and set its permissions to 700:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir ~borguser\/tmp<br>chown borguser:users ~borguser\/tmp<br>chmod 700 ~borguser\/tmp<\/code><\/pre>\n\n\n\n<p>Then create a wrapper script for Borg that sets this variable. The result is that Borg uses <code>~borguser\/tmp<\/code> as its private temporary directory, leaving <code>\/tmp<\/code> alone and working nicely with the DSM v7.0 security design. I keep mine in <code>~borguser\/.ssh<\/code> and call it <code>borg.sh<\/code>. Be sure it&#8217;s executable. Mine is like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>adminuser@diskstation:\/var\/services\/homes\/borguser$ sudo cat .ssh\/borg.sh\n<strong>#!\/bin\/sh\nexport TMPDIR=$HOME\/tmp\n\/var\/services\/homes\/borguser\/borg serve --storage-quota 120G --restrict-to-repository \/volume2\/Backups\/borg<\/strong>\nadminuser@diskstation:\/var\/services\/homes\/borguser$ sudo ls -als .ssh\/borg.sh\n4 -<strong>rwx<\/strong>------ 1 borguser root 161 Nov 15 06:56 .ssh\/borg.sh\nadminuser@diskstation:\/var\/services\/homes\/borguser$<\/code><\/pre>\n\n\n\n<p>Finally, change <code>~borguser\/.ssh\/authorized_keys<\/code> to limit the backup user to executing the new script.<\/p>\n\n\n\n<p><code>command=\"\/var\/services\/homes\/borguser\/.ssh\/borg.sh\",restrict,from=\"192.168.0.23\" ssh-rsa AAAA[...restofkeygoeshere...] remoteuser@remoteserver.example.com<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few years back I began using Borg for backing up nuxx.net, sending it home to my Synology DSM 1019+. 
At the time this was&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/nuxx.net\/blog\/2022\/11\/28\/borgbackup-repository-on-dsm-7-0\/\">Continue reading<span class=\"screen-reader-text\">BorgBackup Repository on DSM 7.0<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,4],"tags":[],"class_list":["post-19556","post","type-post","status-publish","format-standard","hentry","category-computers","category-nuxxnet","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=19556"}],"version-history":[{"count":5,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19556\/revisions"}],"predecessor-version":[{"id":19619,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19556\/revisions\/19619"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=19556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=19556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=19556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}