Why can we not use SSH for Backup via Streaming Protocol? Recommend clarification in docs

14 views
Skip to first unread message

Anthony Orona

unread,
Apr 29, 2022, 4:31:55 PMApr 29
to Barman, Backup and Recovery Manager for PostgreSQL
I set up an SSH connection from my PostgreSQL docker container as the SSH server and the Barman remote host as the client. When I use backup_method=rsync I see an SSH connection established between the two. However, if I use backup_method=postgres then I do not see one. 

I imagine there is some reason this is not supported. Unfortunately this appears not supported although the docs are ambiguous about this:

"This setup, in Barman's terminology, is known as streaming-only setup, as it does not require any SSH connection for backup and archiving operations. This is particularly suitable and extremely practical for Docker environments."
 
A stronger statement would be to say SSH for streaming-only is not supported at this time.

Why is this not supported? My assumption is that if I used SSH for the psql connection it would add a layer of security. I would not have tried to do so if it were clear in the documentation that this was not possible.

Thanks,

Anthony O

Michael Wallace

unread,
May 3, 2022, 5:44:35 AMMay 3
to pgba...@googlegroups.com
Hi Anthony,

The reason SSH connections are not supported for `backup_method = postgres` is that sufficient encryption for most users can be achieved by configuring the PostgreSQL connection for SSL connections via the `conninfo` and `streaming_conninfo` configuration parameters in Barman.

A second reason is that Barman uses pg_basebackup to perform the streaming backup and this command writes the data directly to files on the local disk. It is possible to pipe the output of pg_basebackup over an SSH connection however only in a limited number of scenarios (it is not possible when either additional tablespaces or WAL streaming are used).

That's not to say such a feature cannot be added to Barman in the future; however demand so far has been limited and the implementation is not trivial.

I agree the docs could be clearer about this so I've added a note to the [relevant GitHub issue](https://github.com/EnterpriseDB/barman/issues/562).

Hope this helps,

Mike



--
--
You received this message because you are subscribed to the "Barman for PostgreSQL" group.
To post to this group, send email to pgba...@googlegroups.com
To unsubscribe from this group, send email to
pgbarman+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/pgbarman?hl=en?hl=en-GB

---
You received this message because you are subscribed to the Google Groups "Barman, Backup and Recovery Manager for PostgreSQL" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pgbarman+u...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/pgbarman/8b1d2f8a-47bf-4b34-850a-7ac55da3660dn%40googlegroups.com.

Anthony Orona

unread,
May 4, 2022, 12:23:13 PMMay 4
to Barman, Backup and Recovery Manager for PostgreSQL
Hi Mike,

Thanks, very helpful. That is what we ended up doing, adding SSL.
Reply all
Reply to author
Forward
0 new messages