- put "restrict_commands.sh" in /usr/local/bin and make it executable
- install ts, lzop and optionally mbuffer
```sh
useradd zfsbackup --create-home --system
mkdir /home/zfsbackup/.ssh
zfs allow -u zfsbackup send,hold tank/dataset
echo 'restrict,command="restrict_commands.sh" ssh-ed25519 ...' > /home/zfsbackup/.ssh/authorized_keys
chown zfsbackup:zfsbackup /home/zfsbackup/.ssh -R
```

run cronjob with:

```sh
syncoid --no-sync-snap --no-privilege-elevation --sendoptions=Rw zfsbackup@target:tank/dataset tank/dataset
```
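The steps above reference `restrict_commands.sh` without showing it. As an added example (not the author's script), here is one way a forced-command wrapper can validate `SSH_ORIGINAL_COMMAND` before running it; the allowed zfs subcommands and the exact filter stages are assumptions, not syncoid's actual command set.

```shell
#!/bin/sh
# Added example of a forced-command wrapper; not the restrict_commands.sh
# from the post. The allowlists below are assumptions: derive the real ones
# from the commands your syncoid version sends (see the rejection log).
ZFS_SUBCMDS="send list get hold"
NL='
'

in_list() {            # in_list WORD ITEM...
    needle=$1; shift
    for item in "$@"; do [ "$needle" = "$item" ] && return 0; done
    return 1
}

# is_allowed CMD: succeed only if every pipeline stage is on the allowlist.
is_allowed() {
    cmd=$1
    case $cmd in       # no chaining, substitution, redirection or escapes
        *';'*|*'&'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*')'*|*'\'*|*"$NL"*)
            return 1 ;;
    esac
    rest="$cmd|"       # sentinel: every stage now ends with '|'
    while [ -n "$rest" ]; do
        stage=${rest%%"|"*}; rest=${rest#*"|"}
        set -f; set -- $stage; set +f     # split into words, no globbing
        case "${1:-}" in
            zfs) in_list "${2:-}" $ZFS_SUBCMDS || return 1 ;;
            *)   case "$*" in             # filter stages must match exactly
                     "lzop"|"mbuffer -q -s 128k -m 16M") ;;
                     *) return 1 ;;       # also catches empty stages
                 esac ;;
        esac
    done
    return 0
}

# Entry point when sshd runs this file as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    logger -t restrict_commands "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The wrapper only narrows the command line; the `zfs allow` delegation remains the control that limits what `zfs` itself can do for this account.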
Hi @csarn
It's great to hear you've got syncoid to work without enabling root ssh logins, which is what I'm trying to achieve too.
I have tried to copy your config but I've been unable to get it to work yet:
In your example commands above, you run:

`useradd zfsbackup --system`

`useradd` doesn't create a home dir for new users by default, but we need a zfsbackup home dir to store the `authorized_keys` file and the `restrict_commands.sh` script, so why not run `useradd -m zfsbackup --system` instead, to create the zfsbackup home dir at the same time?
It seems syncoid prefers to be run as root, and so I created an SSH key as the root user of the destination machine, and it's that public key that I copied to the zfsbackup user's `authorized_keys` on the remote machine.

I think I'm having problems because I'm running syncoid as root but the remote username is zfsbackup. I've tried specifying the path to my private key for syncoid but that hasn't worked. I have configured the .ssh directory and its files' permissions correctly on both ends, I think.

Which user do you run your syncoid cron job as, if it's not root? I shouldn't need to run any `zfs allow` commands on the destination machine if I'm running syncoid as root.
It would be great to get this process properly documented for sanoid or maybe the Arch wiki instead.
Thanks