
Borg backup enable - issue

Hello,

We use borg backup hosted on our server. Recently we noticed a problem when enabling backup on the project, so I just wanted to report it here; I'm not sure if something can be changed on the lakedrops side.

```
$ if [[ ! -d /data/${CI_COMMIT_REF_NAME}/backup/config/security ]]; then docker compose exec -u root borgmatic borgmatic --init --encryption repokey || true; fi
Repository has no manifest.
A repository already exists at /mnt/borg-repository.
/mnt/borg-repository: Error running actions for repository
Command 'borg init --encryption repokey /mnt/borg-repository' returned non-zero exit status 2.
/etc/borgmatic.d/config.yaml: Retrying... attempt 1/3
Repository borg@xxx.example.com:project does not exist.
By default repositories initialized with this version will produce security
errors if written to with an older version (up to and including Borg 1.0.8).
If you want to use these older versions, you can disable the check by running:
borg upgrade --disable-tam ssh://borg@arnold.acolono.net/./global2000
See https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability for details about the security implications.
IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
If you used a repokey mode, the key is stored in the repo, but you should back it up separately.
Use "borg key export" to export the key, optionally in printable format.
Write down the passphrase. Store both at safe place(s).
/etc/borgmatic.d/config.yaml: Sleeping 300s before next retry
```

So the only way to make it work was to execute `borg upgrade --disable-tam ssh://borg@xxx.example.com/./project` directly on the borg server.

And I guess we will have to do the same on every subsequent project.

I don't know if something can be or should be changed on the lakedrops side in order to make manifest authentication work... Or should it be disabled on deployment...? https://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#borg-upgrade

We have added `BORG_PASSPHRASE` and `BORG_SSH_KEY` to the GitLab CI/CD variables, and we have this snippet in the project's `.lakedrops.yml` file:

      backup:
        enable: true
        remoterepo: 'borg@xxx.example.com:project'
Edited by Dejan