Welcome to the new location of Alien's Wiki, sharing a single dokuwiki install with the SlackDocs Wiki.

Welcome to Eric Hameleers (Alien BOB)'s Wiki pages.

If you want to support my work, please consider a small donation:

no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.


Previous revision
Next revision
linux:rsnapshot [2006/03/30 11:38] alien
Line 1: Line 1:
 +===== The rsnapshot backup solution =====
 +-----------------------------------------
 +
 +Rsnapshot is a filesystem snapshot utility for making backups of local and remote systems. Using rsync and hard links, it is possible to keep multiple, full backups instantly available. The disk space required is just a little more than the space of one full backup, plus incrementals. See the [[http://rsnapshot.org/ | rsnapshot web site]] for more information.\\
 +A good read is the [[http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html | Rsnapshot HOWTO]].
 +
 +
 +==== Getting the software ====
 +
 +I have created a Slackware package for rsnapshot that you can download from my [[http://www.slackware.com/~alien/slackbuilds/rsnapshot/ | SlackBuilds repository]].
 +
 +
 +==== Installing rsnapshot ====
 +
 +These are my notes on setting up "rsnapshot" so that it can start backing up (creating multiple snapshots) remote servers on the LAN or even on the Internet(at least those that have sshd running and ssh as well as rsync installed). In this document, is will call the machine that is running rsnapshot the //backupserver//. The machines that are going to be backed up are called the //target servers// or the //remote servers//.\\ Basically, using rsync over an ssh connection means that you have to do two things:
 +
 +  - Make sure the backupserver can login to the target servers using ssh, without requiring a password. We will achieve this by configuring the targets for "//public-key authentication//".
 +  - On the target servers, do **not** run as the root account, but use a dedicated non-privileged account (called for instance  "rbackup") that is allowed to do only one thing after logging in using //PubKeyAuthentication//: to run the ''rsync'' command.
 +
 +Good example docs about how to set this up are:\\
 +http://blog.innerewut.de/articles/2005/05/25/remote-filesystem-snapshots-with-rsnapshot
 +
 +and it's follow-up article:\\
 +http://blog.innerewut.de/articles/2005/06/03/follow-up-on-remote-filesystem-snapshots-with-rsnapshot
 +
 +as well as some improvements to this:\\
 +http://sourceforge.net/mailarchive/forum.php?thread_id=8991705&forum_id=41320
 +
 +
 +Now, some detailed instructions compiled from the above sources:
 +----------------------------------------------------------------
 +
 +
 +=== Configuring the backup server ===
 +
 +  * Determine what user account will run rsnapshot. I suggest using "root" since that user can set all the rsync-ed file access and ownership bits exactly like the originals.
 +  * Create a private/public key pair for the rsnapshot account (being "root" in our case) and copy the **public** key over to any and all of the servers that we are going to backup using rsnapshot: <code>
 +    local# ssh-keygen -t rsa
 +    local# scp id_rsa.pub rbackup@remote-server:id_rsa_rsnapshot.pub
 +    local# ssh remote-server
 +    ; you might have to create the directory ~/.ssh if it doesnt exist:
 +    ; "chmod 700 ~/.ssh ; chown rbackup ~/.ssh"
 +    ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right,
 +    ; passwordless login will FAIL!
 +    remote# cat id_rsa_rsnapshot.pub >> ~/.ssh/authorized_keys
 +    remote# chmod 600 ~/.ssh/authorized_keys
 +    remote# chown rbackup ~/.ssh/authorized_keys
 +</code> where //local#// and //remote#// represent the root prompts of your local backupserver and remote (aka target) server.
 +  * Make sure that the ''/etc/rsnapshot.conf'' file has this argument for the rsync: <code>
 +--rsync-path=rsync_wrapper.sh</code> The documentation mentioned above states that supplying a full path to the ''rsync_wrapper.sh'' script does not work (on OpenBSD anyway) so the wrapper should be available in the /usr/bin/ or /usr/local/bin directory of the REMOTE server. Would be nice to have the script in rbackups's homedir, so that we can contain the necessary tooling. But using a full path didn't work for me either.
 +This is a sample last line in our ''/etc/rsnapshot.conf'' on the backup server: <code>
 +backup<TAB>rbackup@fileserver.my.lan:/home/<TAB>fileserver.my.lan/<TAB>rsync_long_args=--rsync-path=rsync_wrapper.sh --delete --numeric-ids --relative --delete-excluded
 +</code> And this is what should go in the crontab for root on the backup server: <code>
 +0 */4 * * *       /usr/bin/rsnapshot hourly
 +30 23 * * *       /usr/bin/rsnapshot daily
 +15 22 * * *       /usr/bin/rsnapshot monthly
 +</code>
 +
 +
 +=== Configuring the remote server(s) ===
 +
 +  * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group.
 +  * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code>
 +    from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa 
 +    AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8=
 +    rbackup@TheVault</code>
 +  * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code>
 +    #!/bin/sh
 +    case "$SSH_ORIGINAL_COMMAND" in
 +    *\&*)
 +    echo "Rejected 1"
 +    ;;
 +    *\;*)
 +    echo "Rejected 2"
 +    ;;
 +    rsync*)
 +    $SSH_ORIGINAL_COMMAND
 +    ;;
 +    *true*)
 +    echo $SSH_ORIGINAL_COMMAND
 +    ;;
 +    *)
 +    echo "Rejected 3"
 +    ;;
 +    esac
 +</code>  and ''chmod 754 /home/rbackup/validate-rsync.sh'' to make it executable.
 +  * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh
 +/usr/bin/sudo /usr/bin/rsync "$@";
 +</code>
 +  * Add this line to ''/etc/sudoers'': <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code>
  
 The rsnapshot backup solution ()
SlackDocs