Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiew3b7fr7fdz5xsfyatbuqqxshwteuvmn3ra5yewi7myq6x7entla",
    "uri": "at://did:plc:46ti67tc37qcmwp2vaynk6fq/app.bsky.feed.post/3mnhjgqboxlq2"
  },
  "path": "/log/mount_namespace_backup/",
  "publishedAt": "2026-06-04T11:28:54.023Z",
  "site": "https://jmtd.net",
  "tags": [
    "mount on demand backups",
    "mount namespaces",
    "I moved it to Borg in 2020"
  ],
  "textContent": "It's been ten years since I configured mount on demand backups to reduce the risk of my backups being zapped by mistake. Way back then I wanted to go one step further and use dedicated mount namespaces for backup jobs, but systemd didn't provide the necessary support (and still doesn't, despite the promisingly-named `JoinsNameSpaceOf=` configuration option.)\n\nI recently updated my setup to achieve this by hand. All backup jobs now have an extra pre-start instruction `ExecStartPre=mkbackupns` which runs a shell script to either set up a persistent mount namespace, or exit quietly if it already exists.\n\n\n    #!/bin/bash\n    set -euo pipefail\n\n    nsdir=/var/namespaces\n    nsfile=$nsdir/backup\n    nsfilex=\"$(echo $nsfile | sed 's#/#\\\\/#'g)\"\n\n    private_propagation() {\n        findmnt -o+PROPAGATION \"$nsdir\" | grep -q private\n    }\n    nsfs_is_mounted() {\n        test \"nsfs\" = \"$(awk \"/$nsfilex/ { print \\$3 }\" /proc/mounts)\"\n    }\n\n    if ! nsfs_is_mounted; then\n\n        if ! private_propagation; then\n            mkdir -p \"$nsdir\"\n            mount --bind --make-private \"$nsdir\" \"$nsdir\"\n        fi\n\n        touch \"$nsfile\"\n        unshare --mount=\"$nsfile\" true\n\n        nsenter --mount=/var/namespaces/backup mount /dev/phobos_backup/backup /backup\n    fi\n\n\nI should note that I don't have the backup filesystem described in `/etc/fstab` to reduce the risk of it being mounted errantly in the main namespace.\n\nThe other change is to prefix an invocation of `nsenter` for every backup job command. E.g.:\n\n\n    ExecStart=/usr/bin/nsenter \\\n            --mount=/var/namespaces/backup \\\n            borgmatic -v 1 prune create\n\n\n### next steps\n\nMy backup scheme has lasted a decade with few tweaks (I moved it to Borg in 2020) which I am very grateful for. I want reliable, boring and robust.\n\nPersistent mount namespaces are a lot less convoluted if you have a persistent process to associate them with. I didn't, but a subsequent improvement I am making is introducing one, so I will likely simplify the above accordingly.",
  "title": "Jonathan Dowland: mount namespace for backup jobs (by hand)",
  "updatedAt": "2026-06-04T10:15:21.000Z"
}