Borg in a jail

In this short tutorial we gonna learn how-to install Borg in a jail and use borgmatic on client machine.

Remember to always read the doc if you have a doubt.

To be honest, it’s really really easy. Borg is one of the most easy backup tool I saw. Believe me, I made a lot of backups, with scripts, with tar, cpio, based on ZFS snasphot, rsnapshot, NetBackup, etc.

The host must have some configurations.

To load the fuse kernel module your can use the command: 

 sudo kldload fuse

Or, to make it permanent add the line: 

 fuse_load="YES"
in the /boot/loader.conf file.

We must change the value of the kernel variable vfs.usermount using the command: 

 sysctl vfs.usermount=1

Or by editing /etc/sysctl.conf and adding: 

 vfs.usermount=1

The jail definition

Depending of your jail usage ezjail, iocage, bastille or the old /etc/jail.conf file, define a new jail. Here my own definition in jail.conf style.

1
2
3
4
5
6
7
8

 backup{
   host.hostname="backup.exemple.com";
   path="/jails/backup";
   ip4.addr="lo1|192.168.2.29/24";
   ip4.addr+="lo0|127.0.1.29/32";
   ip6.addr="em0|2a01:4f9:4a:1fd8::dead:beef/64";
   persist=true;
}

Things to do

  • configure the firewall;
  • configure ssh on the jail (if you want to use a custom port)

Then launch your jail.

Once again depending the way you choose to install software (poudriere, pkg, ports), use it.

 pkg instakk py37-borgbackup

Create a user

We’re going to create a user (I choose own name) to receive datas form my laptop.

1
2
3

 pw groupadd -n jacques -g 1010
 pw useradd -n jacques -g 1010 -G wheel -m /usr/home/jacques
 passwd jacques

Then form my laptop I install a ssh key: 

 ssh-copy-id ~/.id_ed2519-borg jacques@backup.exemple.com

On the laptop

Borgmatic is not a Borg project but a opensource project with goal to simply Borg usage. it’s a python project to, so you must have python installed on the source computer

Simply use our preferred installation method:

 sudo pkg install python37
 sudo pkg install py37-pip
 sudo pip3 install --user --upgrade borgmatic

borgmatic configuration

We’re going to stay simple and only backup the HOME DIRECTORY of your user.

borgmatic came with several useful tool, for exemple generated a generic config file: 

1
2

 mkdir ~/.config/borgmatic
 generated-borgmatic-config -d ~/.config/borgmatic.config.yaml

Once the config file generated it’s time to make some change on it

We need to initialize the borg repository on the remote machine, using ssh.

borg init -e authenticated-blake2 ssh://jacques@backup.example.com:2229/data/laptop.borg 
The authenticity of host '[backup.example.com] ([2a01:4f9:4a:1fd8::dead:beef]:)' can't be established.
ECDSA key fingerprint is SHA256:2DwkKNiUZXqkzyTlHSfo3uq4OS9dxc552CEAnBZG5i8.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Remote: Warning: Permanently added '[backup.example.com]' (ECDSA) to the list of known hosts.
Password for jacques@backup.exemple.com:
Enter new passphrase:
Enter same passphrase again:
Do you want your passphrase to be displayed for verification? [yN]: y
Your passphrase (between double-quotes): "ThisIsMyVeryHardToGuessEncryptionPassPhrase"
Make sure the passphrase displayed above is exactly what you wanted.

Be sure to keep your passprhase in a secure way (use a password manager for example).

The configuration file

The configuration use the yaml syntax, with big section (location, storage, retention).

Location

It’s where your backup will be stored:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

 location:
    # List of source directories to backup (required). Globs and
    # tildes are expanded.
    source_directories:
        - /usr/home

    # Paths to local or remote repositories (required). Tildes are
    # expanded. Multiple repositories are backed up to in
    # sequence. See ssh_command for SSH options like identity file
    # or port.
    repositories:
        - jacques@backup.example.com:/data/laptop.borg

First what I want to backup, then where I want to store it.

The main configuration line is encryption_passpharse: 

 encryption_passphrase: "ThisIsMyVeryHardToGuessEncryptionPassPhrase"

This is the part whre you define how many time borg must keep old backups. The default value are the most use.

Thereis is many other configuration possibilities, for exemple, borg can backup SQL databases (postgresql, MySQL, MariaDB, SQLite, …)

You can check your configuration file with the command validate-bormatic-config: 

 validate-borgmatic-config
 All given configuration files are valid: /home/jacques/.config/borgmatic/config.yaml

We must initialize the remote borg repository, using the configuration of our local configuration file: 

 borgmatic init --encryption repokey

 borgmatic --verbosity 1

We use verbosity, may be you can use none when launching automaticaly.

We’re gonna list our archives (for now we only have one)

 borgmatic --list                                                                          ✔ 
jacques@backup.example.com:/data/laptop.borg: Listing archives
laptop-2020-10-10T19:51:14.869552   Sat, 2020-10-10 19:51:16 [73a65edefb8279f2b316dd3ddfdeb89886192fbb841cd2362a738e0b15c942f8]

Well you have to automat your backup, with cron or periodic

Restore a backup

With borgmatic list you can find the correct archive to restore then use: 

 borgmatic extract --archive laptop-2020-10-10T19:51:14.869552

Simply give the path at the end of the extract command:

 borgmatic extract --archive laptop-2020-10-10T19:51:14.869552 --path .gnupg .ssh

Have a distant backup with borg is really easy if you have an external server.

You can also use a NAS to store your backup or even a removable disk that you can bring with you when you go out.

I use a small 4TB external disk to my backup. When I goes out without my computer, I take the disk with me, and we I goes out with my computer, the backup disk stay at home.