Linux Backups

Linux Backup Strategy

created: 20/05/2008

There didn't seem to be any point buying another Backup Exec 12 agent licence or two to include Enyo and Phobos, especially since I could do all this for free and also start to make the most of all that disk space on Phobos; anything can then be backed up from there via BE12.

Phobos has a separate EVMS partition dedicated to backups, which is mounted at /var/backups. There's a directory under this for each backed-up Linux server, currently ares and enyo. It's about 200GB in size currently, but this may well have to be modified (thank flying spaghetti monster for EVMS) depending on the amount of space enyo needs to back up (as of 20/05/2008).

Config for the backed-up servers is identical apart from the obvious host-specific stuff (accounts, RSA public keys etc.) and, of course, the backup-filesystem.paths file. Ares is used as the example for the sake of documentation.

Several tools are used to back up data on ares.varndean.ac.uk and enyo.varndean.ac.uk. These are:

  • mysqldump
  • rsync
  • ssh
  • bash scripts
  • cron

The tools are used together to back up main configuration files, web sites, databases and some binary files. The majority of data is transferred to phobos.varndean.ac.uk into the /var/backups/ares/ directory.


ssh

ssh is used to provide secure encrypted access to phobos.varndean.ac.uk. A user account named ares is configured on phobos without a password (i.e. the user cannot log in). Pre-shared keys between root@ares and ares@phobos are used for authentication, along with a restriction on the IP address and the commands that can be executed.

On phobos.varndean.ac.uk the ares user's home directory is /var/backups/ares/. The .ssh/authorized_keys file there contains:

from="ares.varndean.ac.uk",command="/var/backups/ares/validate-rsync" ssh-rsa AAAAB3Nza [...] DoI6+w== root@ares.varndean.ac.uk

The contents of the script /var/backups/ares/validate-rsync are:

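#!/bin/bash
# Forced command for the backup key: sshd places the command the client
# asked for in $SSH_ORIGINAL_COMMAND and runs this script instead.
case "$SSH_ORIGINAL_COMMAND" in
    # Refuse anything that contains a shell metacharacter.
    *\&*)
        echo "Rejected"
        ;;
    *\(*)
        echo "Rejected"
        ;;
    *\{*)
        echo "Rejected"
        ;;
    *\;*)
        echo "Rejected"
        ;;
    *\<*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    # Only an rsync server invocation is run.
    rsync\ --server*)
        # Unquoted on purpose: the string is word-split into rsync and its arguments.
        $SSH_ORIGINAL_COMMAND
        ;;
    # Everything else is refused.
    *)
        echo "Rejected"
        ;;
esac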

This script and these ssh settings mean we can be pretty sure who is able to connect and what they will do on phobos.

The keys are generated with the ssh-keygen tool. The private key is kept in /root/.ssh/id_rsa on ares.varndean.ac.uk; the public key is copied into the /var/backups/ares/.ssh/authorized_keys file on phobos.varndean.ac.uk.
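
The `rsync\ --server*` pattern in validate-rsync accepts any rsync server command line, so the key is not tied to /var/backups/ares/ or to writing only. A stricter check, as an added example that is not part of the original page: `check_rsync_command`, `BACKUP_ROOT` and `ALLOWED_LONG` are hypothetical names, and the allowed option set is an assumption based on the `rsync -aq --delete` command used by backup-filesystem.sh.

```python
#!/usr/bin/env python3
# Added example: stricter forced command for the backup key (hypothetical names).
import os
import posixpath
import shlex
import sys

BACKUP_ROOT = "/var/backups/ares"        # destination used by backup-filesystem.sh
ALLOWED_LONG = {"--server", "--delete"}  # assumption: the long options this job sends


def check_rsync_command(original, root=BACKUP_ROOT):
    """Return (ok, reason) for one SSH_ORIGINAL_COMMAND value."""
    try:
        argv = shlex.split(original)
    except ValueError:
        return False, "bad quoting"
    if argv[:2] != ["rsync", "--server"]:
        return False, "not rsync --server"
    # The server command line ends with "." followed by the path.
    if len(argv) < 4 or argv[-2] != ".":
        return False, "unexpected argument layout"
    for opt in argv[2:-2]:
        if not opt.startswith("-"):
            return False, "stray argument: " + opt
        if opt.startswith("--") and opt not in ALLOWED_LONG:
            return False, "option not allowed: " + opt  # covers --sender (reads)
    # Collapse ".." lexically (symlinks are not resolved here), then require
    # the target to stay inside the backup tree.
    target = posixpath.normpath(argv[-1])
    if target != root and not target.startswith(root + "/"):
        return False, "path outside " + root
    return True, "ok"


def main():
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    ok, reason = check_rsync_command(original)
    if not ok:
        print("Rejected: " + reason, file=sys.stderr)
        return 1
    argv = shlex.split(original)
    os.execvp(argv[0], argv)  # no shell is involved, so metacharacters stay literal


if __name__ == "__main__":
    sys.exit(main())
```

A forced command does not switch off forwarding, so the authorized_keys entry would normally also carry `restrict` (or `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` on older OpenSSH). rsync ships a fuller wrapper of this kind as rrsync, which also vets the short option bundle that this sketch passes through.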

rsync

rsync is used to copy changed files from ares.varndean.ac.uk to phobos.varndean.ac.uk.

/root/bin/backup-filesystem.sh is a simple script to hold the rsync command:

#!/bin/bash
rsync -aq --delete -e "ssh -Cc blowfish -i /root/.ssh/id_rsa" \
 --include-from=/root/bin/backup-filesystem.paths / \
 ares@phobos.varndean.ac.uk:/var/backups/ares/
exit $?

A separate file is used to specify the areas of the file system to be copied over to phobos.varndean.ac.uk. /root/bin/backup-filesystem.paths contains:

Ares

+ /root/
+ /root/**
+ /etc/
+ /etc/**
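+ /var/
+ /var/opt/
+ /var/opt/novell/
# excludes go before the matching "**" include: rsync acts on the first rule that matches
+ /var/opt/novell/tomcat/
- /var/opt/novell/tomcat/work/
- /var/opt/novell/tomcat/temp/
+ /var/opt/novell/tomcat/**
+ /var/opt/novell/eguide/
+ /var/opt/novell/eguide/WEB-INF/
- /var/opt/novell/eguide/WEB-INF/logs
+ /var/opt/novell/eguide/**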
+ /var/lib/
+ /var/lib/mysql5
+ /var/lib/mysql5/my.cnf
+ /var/lib/mysql5-backups/
+ /var/lib/mysql5-backups/**
+ /var/lib/mysql-backups/
+ /var/lib/mysql-backups/**
+ /home/
+ /home/russ/
+ /home/russ/**
+ /usr/
+ /usr/local/
+ /usr/local/**
+ /srv/
+ /srv/www/
+ /srv/www/sms/
+ /srv/www/sms/**
+ /srv/www/sts/
+ /srv/www/sts/**
+ /srv/www/online
+ /srv/www/online/**
+ /srv/www/wpad/
+ /srv/www/wpad/**
- *

Enyo

##############################################
# Enyo Backup v2 - rsync paths - rfc 05/2008 #
##############################################

# /ETC  EXCLUDES #
# (listed before "+ /etc/**": rsync acts on the first rule that matches)
- /etc/authlib/userdb
- /etc/pki/CA
- /etc/lvm/backup
- /etc/lvm/archive
- /etc/cups/ssl
- /etc/selinux/targeted/modules/active
- /etc/selinux/targeted/modules/previous
- /etc/racoon/certs
- /etc/cron.d
- /etc/matrixsa
- /etc/.pwd.lock
- /etc/at.deny
- /etc/authlib/authdaemonrc
- /etc/authlib/authdaemonrc.dist
- /etc/authlib/authldaprc
- /etc/authlib/authldaprc.dist
- /etc/authlib/authmysqlrc
- /etc/authlib/authmysqlrc.dist
- /etc/authlib/authpgsqlrc
- /etc/authlib/authpgsqlrc.dist
- /etc/bluetooth/pin
- /etc/cups/cupsd.conf
- /etc/cups/cupsd.conf.default
- /etc/cups/printers.conf
- /etc/default/useradd
- /etc/group-
- /etc/gshadow
- /etc/gshadow-
- /etc/libaudit.conf
- /etc/logrotate.d/named
- /etc/lvm/.cache
- /etc/mgetty+sendfax/dialin.config
- /etc/mgetty+sendfax/login.config
- /etc/mgetty+sendfax/mgetty.config
- /etc/named.caching-nameserver.conf
- /etc/named.rfc1912.zones
- /etc/ntp/keys
- /etc/pam.d/atd
- /etc/pam.d/crond
- /etc/passwd-
- /etc/pki/dovecot/certs/dovecot.pem
- /etc/pki/dovecot/private/dovecot.pem
- /etc/pki/tls/certs/localhost.crt
- /etc/pki/tls/private/localhost.key
- /etc/postfix/main.cf.save
- /etc/ppp/chap-secrets
- /etc/ppp/pap-secrets
- /etc/racoon/psk.txt
- /etc/racoon/racoon.conf
- /etc/rndc.conf
- /etc/rndc.key
- /etc/securetty
- /etc/security/opasswd
- /etc/selinux/restorecond.conf
- /etc/shadow
- /etc/shadow-
- /etc/squid/cachemgr.conf
- /etc/squid/squid.conf
- /etc/ssh/moduli
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_key
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/sshd_config
- /etc/sudoers
- /etc/sysconfig/iptables
- /etc/sysconfig/iptables.save
- /etc/sysconfig/named
- /etc/sysconfig/netdump_id_dsa
- /etc/wpa_supplicant/wpa_supplicant.conf

+ /root/
+ /root/**
+ /etc/
+ /etc/**
+ /var/
+ /var/opt/
+ /var/lib/
+ /home/
+ /usr/
+ /usr/local/
+ /usr/local/**
+ /var/mysql-backups/
+ /var/mysql-backups/**
+ /var/named/
+ /var/named/**
+ /var/www/
+ /var/www/**

- *


(see the rsync man page if you need clarification, I did ;)
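
rsync acts on the first rule that matches a name, so an exclude only takes effect if it appears before the broader `**` include covering the same path. The added example below is not from the original page: the evaluator is a simplified model of rsync's matching (only `*`, `**` and `?`), and the two rule lists are constructed from entries in the Enyo file to show the same rules giving different results in the two orders.

```python
import re

# Constructed from entries in the Enyo list: same rules, two orders.
INCLUDE_FIRST = ["+ /etc/", "+ /etc/**", "- /etc/shadow",
                 "- /etc/ssh/ssh_host_rsa_key", "- *"]
EXCLUDE_FIRST = ["- /etc/shadow", "- /etc/ssh/ssh_host_rsa_key",
                 "+ /etc/", "+ /etc/**", "- *"]


def rule_regex(pattern):
    """Translate an rsync pattern (subset: *, **, ?) to (regex, dirs_only)."""
    body = pattern.rstrip("/")
    wild = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # "*" stops at "/", "**" does not
    core = "".join(wild.get(tok, re.escape(tok))
                   for tok in re.findall(r"\*\*|\*|\?|.", body))
    # A leading "/" anchors at the transfer root; other patterns match the path tail.
    prefix = "" if body.startswith("/") else "(?:.*/)?"
    return re.compile(prefix + core + r"\Z"), pattern.endswith("/")


def first_match(rules, path, is_dir):
    """Return the first rule matching path (rsync stops there), or None."""
    for rule in rules:
        regex, dirs_only = rule_regex(rule[2:])
        if (is_dir or not dirs_only) and regex.match(path):
            return rule
    return None


def transferred(rules, path):
    """True if the file and every parent directory survive the filter."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        name = "/" + "/".join(parts[:depth])
        rule = first_match(rules, name, is_dir=depth < len(parts))
        if rule is not None and rule.startswith("-"):
            return False
    return True


if __name__ == "__main__":
    for label, rules in (("include first", INCLUDE_FIRST),
                         ("exclude first", EXCLUDE_FIRST)):
        for path in ("/etc/hosts", "/etc/shadow", "/etc/ssh/ssh_host_rsa_key"):
            print(label, path, "sent" if transferred(rules, path) else "skipped")
```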

A cron job is run each night:


ARES

15 22 * * * /root/bin/backup-filesystem.sh

ENYO

30 21 * * * /root/bin/backup-filesystem.sh

The Result

/var/backups/ares on phobos.varndean.ac.uk will always have a copy of anything interesting from ares.varndean.ac.uk and enyo.varndean.ac.uk
