From 413d0bdb1bda6ab0f1f6f37d4174913f12608d0d Mon Sep 17 00:00:00 2001 From: Steve Cliff Date: Sat, 2 May 2026 13:43:10 +0100 Subject: [PATCH] restic: don't fall back to parent's HOME when picking the cache dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Agent runs as root (HOME=/root from systemd) with ProtectHome= read-only, so restic's `mkdir /root/.cache/restic` fails on the first call. Backups still completed (restic falls back to no-cache) but every job log started with a noisy red "unable to open cache" warning. Default to /var/lib/restic-manager unconditionally — that's already in the unit's ReadWritePaths and survives ProtectHome. ExtraEnv overrides still win for tests / unusual setups. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 internal/restic/runner.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/internal/restic/runner.go b/internal/restic/runner.go
index 7e40e7f..1455169 100644
--- a/internal/restic/runner.go
+++ b/internal/restic/runner.go
@@ -10,7 +10,6 @@ import (
 "errors"
 "fmt"
 "io"
- "os"
 "os/exec"
 "strings"
 "time"
@@ -229,18 +228,21 @@ func pumpPlain(r io.Reader, stream string, handle LineHandler) error {
 // HOME / XDG_CACHE_HOME are set explicitly because restic insists
 // on one or the other for its cache dir; without it the command
 // fails before ever talking to the repo.
+//
+// Default to /var/lib/restic-manager — that's in the systemd unit's
+// ReadWritePaths and survives ProtectHome=read-only. We do NOT fall
+// back to the parent's HOME env var: the agent runs as root with
+// HOME=/root, but ProtectHome makes /root read-only, so restic's
+// `mkdir /root/.cache/restic` fails. ExtraEnv overrides win for
+// callers that explicitly want a different cache location.
 func (e Env) envSlice() []string {
 home := "/var/lib/restic-manager"
 if h, ok := e.ExtraEnv["HOME"]; ok && h != "" {
 home = h
- } else if h := os.Getenv("HOME"); h != "" {
- home = h
 }
 xdg := home + "/.cache"
 if x, ok := e.ExtraEnv["XDG_CACHE_HOME"]; ok && x != "" {
 xdg = x
- } else if x := os.Getenv("XDG_CACHE_HOME"); x != "" {
- xdg = x
 }
 out := []string{
 "RESTIC_REPOSITORY=" + mergeRestCreds(e.RepoURL, e.RepoUsername, e.RepoPassword),
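Review bot: With the parent-environment fallback gone, `ExtraEnv` is the only way to move restic's cache, and the two override branches in `envSlice` still accept any non-empty string for `HOME` and `XDG_CACHE_HOME`. The commit message says the agent runs as root, so that value decides where a root-owned restic process creates its cache directory; if `ExtraEnv` can ever be filled from per-job or server-supplied configuration (not visible in this hunk), it is worth requiring an absolute path, e.g. `if h, ok := e.ExtraEnv["HOME"]; ok && filepath.IsAbs(h) {` and the same for `XDG_CACHE_HOME`. An override outside the unit's ReadWritePaths would also bring back the silent no-cache fallback this commit removes, so the doc comment could add `// Overrides must point inside the unit's ReadWritePaths.`. A regression test that sets HOME with `t.Setenv` and asserts the parent value does not appear in the returned slice would pin the new behaviour. The body of `envSlice` continues past the end of the hunk.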