[Borgbackup] questions about append-only mode repository

C L cl_111 at hotmail.com
Sat Sep 29 03:37:33 EDT 2018


Hi Folks!

I've been trialing borgbackup 1.1.x for a short time now and found it to be ticking all the boxes so far.

However I'm trying to wrap my head around use-cases for append-only mode when it applies to multiple client machines accessing a central remote repository and whether this functionality is currently feature complete or should even be used in such scenarios.

Based on what I've read in the documentation, a repository can be made “append-only”, which means that Borg will never overwrite or delete committed data.  However, the documentation continues with an example of a compromised client machine that has remotely deleted backups from the repository.

On the surface of it, I would expect an append-only repository to deny any remote "borg delete" or "borg prune" command from any borg client.

Instead from the documentation a "soft-delete" is permitted on the repository and the transaction logged.  Such "soft-deleted" transactions are (silently?) processed only when the repository is accessed in a non-append-only mode with an appropriate "borg {delete,prune,create}" command, typically executed from a more trusted machine than the client machines.

For a non-compromised client machine running a scheduled backup job that applies its own "borg prune" rules to archives prefixed with its hostname, this seems like overkill, considering the administrator would have to run "borg prune" from a more trusted machine and apply it across all the archives in the repository, irrespective of prefix.

A potential race condition exists between a compromised, but undetected, client machine that has "soft-deleted" archives from the repository and the trusted machine that next "borg prunes" the repository.

There is obviously a sliding scale with:

  *   the level of trust/risk that any client machine has to the repository; and
  *   on the amount of work an administrator must perform to maintain backup sets and yet provide some flexibility with global/per-client machine retention policy; and
  *   to detect and react to compromised client machines which have access to the repository.

To the borg assimilated community, I have the current questions:

  1.  As currently implemented, are append-only mode repositories just more work to maintain with little reward, or is that just my initial, inexperienced impression with borg?
  2.  In what real-world use-cases is an append-only mode repository with prunes (no plums involved haha) actually being used, if at all?
  3.  Is the documentation missing a really obvious point with append-mode repositories that is clear to everyone having expert borg knowledge but hasn't occurred to those with novice borg knowledge?
  4.  Was the implementation of an append-only mode feature a knee-jerk reaction to "fix" something without addressing the real core problem/risk underlying the feature requested (i.e.: mitigating the risk that destructive operations from borg clients on untrusted/semi-trusted client machines pose to a repository)?

Sincerely, and with great respect.

Christian
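The following is an added example, not code from the original post or from the borg project. It sketches the split the post describes for one central repository shared by several clients: each client's SSH key is pinned to "borg serve --append-only", so a compromised client can at most soft-delete, while a trusted host with a key that is not append-only runs the real prune once per client prefix, so each client keeps its own retention policy without ever running "borg prune" itself. The repository path /srv/borg/repos/fleet, the SSH user "borg", the client names web1 and db1, and the per-host policy syntax host=daily:weekly:monthly are all hypothetical; the borg flags used (borg serve --append-only, --restrict-to-repository, borg prune --prefix, the {hostname} and {now} placeholders) are the 1.1.x ones.

```shell
#!/bin/sh
# Added example, not from the original post or the borg project.  Every
# client pushes into one central repository over SSH through
# "borg serve --append-only"; only a trusted host, whose key is NOT
# append-only, runs the real prune, once per client prefix.
#
# Hypothetical names: repository /srv/borg/repos/fleet, SSH user "borg",
# clients web1 and db1.  BORG defaults to the real binary; set BORG=echo to
# print the commands instead of running them.

BORG="${BORG:-borg}"

# authorized_keys entries for the repository host.  Each client key is
# pinned to "borg serve --append-only --restrict-to-repository REPO", so a
# compromised client can only soft-delete; the admin key gets the same path
# restriction without --append-only.  "restrict" needs OpenSSH 7.2 or newer.
# Args: REPO ADMIN_PUBKEY host=pubkey ...
gen_authorized_keys() {
  repo="$1"
  admin_key="$2"
  shift 2
  for entry in "$@"; do
    host="${entry%%=*}"
    key="${entry#*=}"
    printf 'command="borg serve --append-only --restrict-to-repository %s",restrict %s client-%s\n' \
      "$repo" "$key" "$host"
  done
  printf 'command="borg serve --restrict-to-repository %s",restrict %s admin\n' \
    "$repo" "$admin_key"
}

# Client side: the archive name carries the hostname ({hostname} and {now}
# are borg placeholders), which is what the trusted host later prunes by.
# The client never runs "borg prune".  Args: REPO path ...
client_backup() {
  repo="$1"
  shift
  "$BORG" create --stats "$repo::{hostname}-{now}" "$@"
}

# Trusted host: one prune per client prefix, each with that client's own
# policy given as host=daily:weekly:monthly.  This is the non-append-only
# pass that makes any client-side soft-deletes effective, so inspect the
# repository's append-only transaction log before running it.
# Args: REPO host=daily:weekly:monthly ...
prune_per_host() {
  repo="$1"
  shift
  for entry in "$@"; do
    host="${entry%%=*}"
    policy="${entry#*=}"
    daily="${policy%%:*}"
    rest="${policy#*:}"
    weekly="${rest%%:*}"
    monthly="${rest#*:}"
    "$BORG" prune --list --prefix "$host-" \
      --keep-daily "$daily" --keep-weekly "$weekly" --keep-monthly "$monthly" \
      "$repo"
  done
}

# Small dispatcher so the file is usable as a script:
#   sh append_only.sh keys   /srv/borg/repos/fleet "ssh-ed25519 AAAA..." "web1=ssh-ed25519 AAAA..."
#   sh append_only.sh backup ssh://borg@backup/srv/borg/repos/fleet /etc /home
#   sh append_only.sh prune  ssh://borg@backup/srv/borg/repos/fleet web1=7:4:6 db1=14:8:12
case "${1:-}" in
  keys)   shift; gen_authorized_keys "$@" ;;
  backup) shift; client_backup "$@" ;;
  prune)  shift; prune_per_host "$@" ;;
esac
```

The point of the split is that prune is never offered to a client key at all: the server-side forced command decides the mode, so a client cannot talk itself out of --append-only by passing different flags. Run with BORG=echo first to check the generated commands, and read the repository's append-only transaction log on the trusted host before the real prune, since that pass is where a compromised client's earlier soft-deletes would become real.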