Thinking about it a bit more I’ll try this:
- use pull method for borg with ssh-agent (disadvantage if I understood the configuration correctly: double encryption - double cpu usage)
- if this works I have a good starting point to get productive
To get rid of the ssh-inside-ssh overhead, BORG_RSH would need to be changed, as for the socat method.
I'll look into that later as an improvement. I'd think that I'm not the only person for whom the backup storage is located in a security zone with a higher security level that can't be connected to directly, but from which the repo server could pull a borg backup.
The changes for aio should be minimal to offer this as an option to admins.
Update:
The above idea didn't work; it requires changing the containers, too. This works without changing any container:
On the docker server running nextcloud aio:
- create `/etc/ssh/sshd_config.d/GatewayPorts.conf` containing `GatewayPorts clientspecified`, which will allow a client to bind to a different IP than 127.0.0.1 for a reverse port forward using `ssh -R`
- set via the aio mastercontainer web interface the backup target as `ssh://borgbackup@172.17.0.1/path/to/repo`; make sure that 172.17.0.1 is the IP of the bridge interface for the nextcloud-aio docker network
On the backup repo server:
- create a user `borgbackup`
- create the directory `/path/to/repo` and give read/write access to the borg user
- make the directory `~borgbackup/.ssh`
- create `~/.ssh/authorized_keys` containing the key shown in the nextcloud aio web interface. Prepend the key with `command="<path to borg>/borg serve",restrict`
- ssh to your docker server running nextcloud aio using `ssh -R 172.17.0.1:6666:127.0.0.1:22 <nextcloud-aio-docker-server>`. 172.17.0.1 should be, as mentioned above, the IP of the bridge interface of the nextcloud-aio network. 22 is the port sshd is listening on on your backup repo server.
With the ssh connection from the backup repo server to the docker nextcloud-aio server still open, you should be able to start the initial backup from the nextcloud aio web interface.
nextcloud-aio will start the nextcloud-aio-borgbackup container connected to the nextcloud-aio network. borg inside the container will connect via ssh to the IP of the bridge interface of the docker network nextcloud-aio, port 6666.
sshd listens on port 6666 of the bridge interface for connections to be forwarded back to port 22 on the backup repo server, where that server's sshd will answer.
sshd on the backup repo server will run the command= command defined in `~borgbackup/.ssh/authorized_keys` (which in my case is important, because borg cannot be found via the default path of sshd on the Synology NAS which is my borg backup server).
Disadvantages
- not very secure (see borg documentation about pull backups)
- double encryption: ssh connection inside already encrypted ssh port forward
Todo (update: done)
- create an ssh command to run on the backup repo server to connect to the docker nextcloud aio server and start the backup → `ssh -R 172.17.0.1:6666:127.0.0.1:22 192.168.180.4 docker exec --env DAILY_BACKUP=1 nextcloud-aio-mastercontainer /daily-backup.sh`
  - `DAILY_BACKUP=1`: create backup; despite the name, it creates backups every time it is used (not only once a day)
  - `AUTOMATIC_UPDATES=1`: stop containers, update containers, start containers after backup
  - `START_CONTAINERS=1`: start containers after the backup has finished
- make sure nextcloud-aio will not try to start daily backups by itself → AIO web UI: disable daily backups / updates on Saturdays
- create issue for feature request: change containers in a way that allows using the socat way described in the borg documentation → https://github.com/nextcloud/all-in-one/discussions/6281
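Added helper functions for the setup described in this post (example code, not from the post or the Nextcloud AIO project): one builds the `authorized_keys` line for the borgbackup user, one checks that the sshd drop-in really contains `GatewayPorts clientspecified`, and one assembles the reverse-forward ssh command from the repo server. The authorized_keys line additionally passes borg's `--restrict-to-repository` option so the forced command can only reach the one repository; the paths, key and hosts are constructed assumptions.

```shell
#!/bin/sh
# Helpers for the borg pull-backup setup via an ssh reverse forward.
# All values passed in (binary path, repo path, key, IPs) are assumptions.

# Build the forced-command authorized_keys entry for the borgbackup user.
# On top of the post's command="borg serve",restrict it adds
# --restrict-to-repository so the key can only be used for this one repo.
borg_authorized_key_line() {
    borg_bin="$1"; repo="$2"; pubkey="$3"
    printf 'command="%s serve --restrict-to-repository %s",restrict %s\n' \
        "$borg_bin" "$repo" "$pubkey"
}

# Return 0 when the sshd drop-in on the AIO docker host allows a reverse
# forward to bind a non-loopback address (GatewayPorts clientspecified);
# directive lookup is case-insensitive and ignores commented-out lines.
sshd_allows_clientspecified() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+clientspecified[[:space:]]*$' "$conf"
}

# Assemble the command run on the backup repo server: reverse-forward
# <bridge_ip>:6666 on the AIO host back to this server's sshd on port 22
# (or another port) and trigger the AIO backup script in the same session.
backup_ssh_command() {
    bridge_ip="$1"; aio_host="$2"; local_ssh_port="${3:-22}"
    printf 'ssh -R %s:6666:127.0.0.1:%s %s docker exec --env DAILY_BACKUP=1 nextcloud-aio-mastercontainer /daily-backup.sh\n' \
        "$bridge_ip" "$local_ssh_port" "$aio_host"
}
```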