Welcome to Eric Hameleers (Alien BOB)'s Wiki pages.
This is an old revision of the document!
Rsnapshot is a filesystem snapshot utility for making backups of local and remote systems. Using rsync and hard links, it is possible to keep multiple, full backups instantly available. The disk space required is just a little more than the space of one full backup, plus incrementals. See the rsnapshot web site for more information.
A good read is the Rsnapshot HOWTO.
These are my notes on setting up “rsnapshot” so that it can start backing up (creating multiple snapshots) remote servers on the LAN or even on the Internet(at least those that have sshd running and ssh as well as rsync installed). In this document, is will call the machine that is running rsnapshot the backupserver. The machines that are going to be backed up are called the target servers or the remote servers.
Basically, using rsync over an ssh connection means that you have to do two things:
- Make sure the backupserver can login to the target servers using ssh, without requiring a password. We will achieve this by configuring the targets for ”public-key authentication”.
- On the target servers, do not run as the root account, but use a dedicated non-privileged account (called for instance “rbackup”) that is allowed to do only one thing after logging in using PubKeyAuthentication: to run the
Good example docs about how to set this up are:
and it's follow-up article:
as well as some improvements to this:
Now, some detailed instructions compiled from the above sources:
- Determine what user account will run rsnapshot. I suggest using “root” since that user can set all the rsync-ed file access and ownership bits exactly like the originals.
- Create a private/public key pair for the rsnapshot account (being “root” in our case) and copy the public key over to any and all of the servers that we are going to backup using rsnapshot:
local# ssh-keygen -t rsa local# scp id_rsa.pub rbackup@remote-server:id_rsa_rsnapshot.pub local# ssh remote-server ; you might have to create the directory ~/.ssh if it doesnt exist: ; "chmod 600 ~/.ssh ; chown rbackup ~/.ssh" ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right, ; passwordless login will FAIL! remote# cat id_rsa_rsnapshot.pub >> ~/.ssh/authorized_keys remote# chmod 600 ~/.ssh/authorized_keys remote# chown rbackup ~/.ssh/authorized_keys
where local# and remote# represent the root prompts of your local backupserver and remote (aka target) server.
- Make sure that the
/etc/rsnapshot.conffile has this argument for the rsync:
The documentation mentioned above states that supplying a full path to the
rsync_wrapper.shscript does not work (on OpenBSD anyway) so the wrapper should be available in the /usr/bin/ or /usr/local/bin directory of the REMOTE server. Would be nice to have the script in rbackups's homedir, so that we can contain the necessary tooling. But using a full path didn't work for me either.
This is a sample last line in our
/etc/rsnapshot.conf on the backup server:
backup<TAB>email@example.com:/home/<TAB>fileserver.my.lan/<TAB>rsync_long_args=--rsync-path=rsync_wrapper.sh --delete --numeric-ids --relative --delete-excluded
And this is what should go in the crontab for root on the backup server:
0 */4 * * * /usr/bin/rsnapshot hourly 30 23 * * * /usr/bin/rsnapshot daily 15 22 * * * /usr/bin/rsnapshot monthly
- Create a user ”rbackup”, which should be un-privileged, i.e. should not be part of the ”wheel” group.
- Append the BACKUPSERVER's rbackup user's public key to the REMOTE rbackup's
~/.ssh/authorized_keysand modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course.
from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= rbackup@TheVault
- Create the
/home/rbackup/validate-rsync.shvalidation script with these contents:
#!/bin/sh case "$SSH_ORIGINAL_COMMAND" in *\&*) echo "Rejected 1" ;; *\;*) echo "Rejected 2" ;; rsync*) $SSH_ORIGINAL_COMMAND ;; *true*) echo $SSH_ORIGINAL_COMMAND ;; *) echo "Rejected 3" ;; esac
chmod 754 /home/rbackup/validate-rsync.shto make it executable.
- Create a wrapper script for rsync (which uses sudo) in
#!/bin/sh /usr/bin/sudo /usr/bin/rsync "$@";
- Add this line to
rbackup ALL = NOPASSWD: /usr/bin/rsync