Package: autopostgresqlbackup
Version: 2.5-1
Followup-For: Bug #1098493
Dear Maintainer,

after the upgrade to Debian Trixie, we ran into a different problem
which most likely does have the same underlying reason as the bug
reported in #1098493. In our case, it was a failing POSTBACKUP script.

When looking at the systemd unit which is triggered by the timer, I
noticed the

    ProtectHome=true

line. So this essentially means that /home, /root and /run/user aren't
accessible [1] for autopostgresqlbackup when run as systemd service.
Since our POSTBACKUP script requires something from /root and the
original reporter of #1098493 attempts to write backups to
/home/backups/pgsql, this is likely the culprit. Adding a drop-in using

    systemctl edit autopostgresqlbackup.service

and the following content:

    [Service]
    ProtectHome=read-only

seemed to fix this. Of course, for backups to /home to work, this should
be something like this:

    [Service]
    ProtectHome=false

Or maybe this (likely more secure/safe):

    [Service]
    ProtectHome=tmpfs
    BindPaths=/home/backups/pgsql

I'm not sure about the best solution for this on a package level, using
ProtectHome=true is certainly a good thing from a security and safety
point-of-view, so maybe just documenting this is sufficient given that
autopostgresqlbackup works in the default configuration.

Also note that the issue described in [2] actually might make it harder
to debug this kind of problem since relevant or helpful log messages
might be lost and not end up in the visible logs unless run in debug
mode.

Hope this helps,
Manfred

[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html?#ProtectHome=
[2] https://github.com/k0lter/autopostgresqlbackup/issues/44
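
Added example, not part of the report above and not code from the package: a small shell helper that predicts what the service can do with a path for each ProtectHome= value discussed in the message, following systemd.exec(5). It assumes BindPaths= entries are plain absolute paths and models them only together with ProtectHome=tmpfs, the combination shown above; /root/some-file is a placeholder path.

```shell
#!/bin/sh
# Usage: protecthome_access MODE PATH [BINDPATH...]
# Prints one of:
#   rw          ProtectHome= does not restrict the path (file permissions still apply)
#   ro          path is visible but read-only for the service
#   hidden      path is inaccessible or covered by an empty tmpfs
#   unaffected  path is outside /home, /root and /run/user
protecthome_access() {
    mode=$1; path=$2; shift 2

    # ProtectHome= only touches these three trees.
    case "$path" in
        /home|/home/*|/root|/root/*|/run/user|/run/user/*) ;;
        *) echo unaffected; return 0 ;;
    esac

    case "$mode" in
        true|yes)  echo hidden ;;
        read-only) echo ro ;;
        false|no)  echo rw ;;
        tmpfs)
            # A BindPaths= entry re-exposes that subtree read-write
            # on top of the empty tmpfs.
            for bind in "$@"; do
                case "$path" in
                    "$bind"|"$bind"/*) echo rw; return 0 ;;
                esac
            done
            echo hidden ;;
        *) echo "unknown ProtectHome value: $mode" >&2; return 2 ;;
    esac
}

# Constructed scenarios matching the report: a POSTBACKUP script that needs
# a file under /root, and a backup directory at /home/backups/pgsql.
for mode in true read-only tmpfs false; do
    printf 'ProtectHome=%-9s /root/some-file: %-6s /home/backups/pgsql: %s\n' \
        "$mode" \
        "$(protecthome_access "$mode" /root/some-file /home/backups/pgsql)" \
        "$(protecthome_access "$mode" /home/backups/pgsql /home/backups/pgsql)"
done
```

On a live system, `systemctl show -p ProtectHome autopostgresqlbackup.service` prints the value that is actually in effect after drop-ins are merged.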