Welcome to Eric Hameleers (Alien BOB)'s Wiki pages.
Differences
This shows you the differences between two versions of the page.
|
linux:rsnapshot [2006/03/21 12:28] alien |
linux:rsnapshot [2010/04/24 19:25] (current) alien Add a link to my article about the NSLU2 |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| A good read is the [[http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html | Rsnapshot HOWTO]]. | A good read is the [[http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html | Rsnapshot HOWTO]]. | ||
| + | Another article worth checking is my companion article about [[linux:slug | using a Linksys NAS as rsnapshot server]]. | ||
| ==== Getting the software ==== | ==== Getting the software ==== | ||
| Line 19: | Line 20: | ||
| Good example docs about how to set this up are:\\ | Good example docs about how to set this up are:\\ | ||
| - | http://blog.innerewut.de/articles/2005/05/25/remote-filesystem-snapshots-with-rsnapshot | + | http://blog.innerewut.de/articles/2005/05/25/remote-filesystem-snapshots-with-rsnapshot |
| and it's follow-up article:\\ | and it's follow-up article:\\ | ||
| - | http://blog.innerewut.de/articles/2005/06/03/follow-up-on-remote-filesystem-snapshots-with-rsnapshot | + | http://blog.innerewut.de/articles/2005/06/03/follow-up-on-remote-filesystem-snapshots-with-rsnapshot |
| as well as some improvements to this:\\ | as well as some improvements to this:\\ | ||
| - | http://sourceforge.net/mailarchive/forum.php?thread_id=8991705&forum_id=41320 | + | http://sourceforge.net/mailarchive/forum.php?thread_id=8991705&forum_id=41320 |
| Line 38: | Line 41: | ||
| local# ssh remote-server | local# ssh remote-server | ||
| ; you might have to create the directory ~/.ssh if it doesnt exist: | ; you might have to create the directory ~/.ssh if it doesnt exist: | ||
| - | ; "chmod 600 ~/.ssh ; chown rbackup ~/.ssh" | + | ; "chmod 700 ~/.ssh ; chown rbackup ~/.ssh" |
| ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right, | ; if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right, | ||
| ; passwordless login will FAIL! | ; passwordless login will FAIL! | ||
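Review bot: the comment "if you don't get the permissions on ~/.ssh and ~/.ssh/authorized_keys right" still warns about two paths while the corrected "chmod 700 ~/.ssh" line gives a mode for the directory only. Suggest adding the file's mode next to it, for example "chmod 600 ~/.ssh/authorized_keys", so the reader has both values in one place.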
| Line 60: | Line 63: | ||
| * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group. | * Create a user "//rbackup//", which should be un-privileged, i.e. should not be part of the "//wheel//" group. | ||
| * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code> | * Append the //BACKUPSERVER//'s rbackup user's public key to the //REMOTE// rbackup's ''~/.ssh/authorized_keys'' and modify it to allow access from one specific machine (the backupserver), only allowed to run one specific command. This is for security reasons of course. <code> | ||
| - | from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa | + | from="192.168.200.34",command="/home/rbackup/validate-rsync.sh" ssh-rsa |
| - | AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= | + | AAAAB3NzaC1yc2EAAAAB.......0i9yTN7QTrcqKU9ugIesi3+EZnw5ES5wbpo8= |
| - | rbackup@TheVault</code> | + | rbackup@TheVault |
| - | * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code> | + | </code> Make sure your version of **''from="192.168.200.34"''** contains the IP address of your rsnapshot server! |
| - | #!/bin/sh | + | * Create the ''/home/rbackup/validate-rsync.sh'' validation script with these contents: <code bash> |
| - | case "$SSH_ORIGINAL_COMMAND" in | + | #!/bin/sh |
| - | *\&*) | + | case "$SSH_ORIGINAL_COMMAND" in |
| + | *\&*) | ||
| echo "Rejected 1" | echo "Rejected 1" | ||
| ;; | ;; | ||
| - | *\;*) | + | *\;*) |
| echo "Rejected 2" | echo "Rejected 2" | ||
| ;; | ;; | ||
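Review bot: the authorized_keys example (from=..., the AAAAB3... key data, rbackup@TheVault) is displayed wrapped over three lines, but sshd expects each key entry on a single line, so a reader who pastes it as shown ends up with an entry that does not work; add a sentence saying it must be entered as one line. Since the bullet's stated aim is one machine and one command, the option list could also carry no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty next to from= and command=, because the forced command alone does not switch those features off.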
| Line 75: | Line 79: | ||
| $SSH_ORIGINAL_COMMAND | $SSH_ORIGINAL_COMMAND | ||
| ;; | ;; | ||
| - | *true*) | + | *true*) |
| echo $SSH_ORIGINAL_COMMAND | echo $SSH_ORIGINAL_COMMAND | ||
| ;; | ;; | ||
| - | *) | + | *) |
| echo "Rejected 3" | echo "Rejected 3" | ||
| ;; | ;; | ||
| - | esac | + | esac |
| - | </code> and ''chmod 754 /home/rbackup/validate-rsync.sh'' to make it executable. | + | </code> and run the following commands to make it executable for user ''rbackup'': <code> |
| + | chown rbackup /home/rbackup/validate-rsync.sh | ||
| + | chmod 754 /home/rbackup/validate-rsync.sh | ||
| + | </code> | ||
| * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh | * Create a wrapper script for rsync (which uses sudo) in ''/usr/local/bin/rsync_wrapper.sh'' which contains: <code>#!/bin/sh | ||
| /usr/bin/sudo /usr/bin/rsync "$@"; | /usr/bin/sudo /usr/bin/rsync "$@"; | ||
| </code> | </code> | ||
| - | * Add this line to ''/etc/sudoers'': <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> | + | * Add this line to ''/etc/sudoers'' so that user ''rbackup'' can run the wrapper's ''rsync'' command with //root// privileges: <code>rbackup ALL = NOPASSWD: /usr/bin/rsync</code> |
| + | |||
| + | === Testing remote login === | ||
| + | |||
| + | When all configuration is complete, and before your scheduled cron jobs start, you should test whether the non-interactive passwordless login from the rsnapshot server to the remote //rbackup// account is functional.\\ You need to make a ssh connection at least once, to add the public key of the remote machine to your root account's //''known_hosts''// file. <code> | ||
| + | # ssh rbackup@client.my.lan | ||
| + | Rejected 3 | ||
| + | Connection to client.my.lan closed. | ||
| + | </code> The "''Rejected 3''" message actually means that your configuration was successful! | ||
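Review bot: the added "chown rbackup /home/rbackup/validate-rsync.sh" followed by "chmod 754" leaves the validation script writable by the same account whose key it is meant to restrict; owning it by root with mode 755, ideally in a directory that rbackup cannot write to, keeps it executable for that user without letting the account change it. The reworded sudoers bullet is also the place to state that "rbackup ALL = NOPASSWD: /usr/bin/rsync" permits rsync with any arguments as root, so the limits on this account rest on the from= and command= options and on the script. In the new testing section, consider telling the reader to compare the host key fingerprint before accepting it into known_hosts.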