Backup remote Linux hosts without root access, using rsnapshot

Why?

Rsnapshot is a powerful rotating snapshot utility.

Rsnapshot's rotation relies on hard links: only the changed files are copied, and the rest is hard-linked to the most recent backup. This method reduces the disk space used.

With remote root ssh access, Rsnapshot is able to back up a whole remote host. But, as you know, this is neither an elegant nor a secure solution.

How?

Consider that we have several Remote Hosts and one Backup Server host.

We’ll use a common user (named backupuser).

From the Backup Server, we’ll be able to log on to each Remote Host using backupuser's ssh public key.

The main trick is to set up sudoers on each Remote Host so that backupuser is allowed to run rsync as root, and to tell rsnapshot to use additional parameters when calling rsync.

Let’s look at the details.

Setting Up

Set up backup on Server Side

Create Backup User and generate ssh keys

Create user and generate ssh keys
sudo adduser backupuser

sudo su backupuser

ssh-keygen

exit

Copy ssh key to Remote Hosts

WORKUSER is your usual user on the Remote Host.

REMOTE is the address/IP of the Remote Host.

sudo scp /home/backupuser/.ssh/id_rsa.pub WORKUSER@REMOTE:

Set up Rsnapshot

sudo vim /etc/rsnapshot.conf

(Mind that the separator MUST BE A TAB and folders MUST END WITH A TRAILING SLASH)

rsnapshot.conf
#Uncomment this line
cmd_rsync       /usr/bin/rsync

#Uncomment and modify these lines
rsync_long_args         -ev --rsync-path=/home/backupuser/rsync-wrapper.sh
ssh_args                -i /home/backupuser/.ssh/id_rsa

#For each directory to backup, add this line at the end of the file
backup  backupuser@REMOTE:/PATH/     REMOTE_NAME/PATH/

#To backup /etc of myremote.org :
backup  backupuser@myremote.org:/etc/     myremote_backup/etc/

#Configure rotations. I use 3 daily, 3 weekly and 3 monthly rotations
interval        daily   3
interval        weekly  3
interval        monthly 3

Set up Cron

Edit the crontab with sudo crontab -e.

A cron task must be defined for each rotation type. Mine looks like this, matching the Rsnapshot config above:

crontab
#3am each day
0 3 * * *    /usr/bin/rsnapshot daily
#4am every Monday
0 4 * * 1    /usr/bin/rsnapshot weekly
#4am on the 1st of each month
0 4 1 * *    /usr/bin/rsnapshot monthly

Remote Host side

Repeat these steps for each Remote Host.

Log on to the Remote Host using your usual user (WORKUSER).

Set up user and ssh key

User and ssh key
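sudo useradd backupuser -c "limited backup user" -m -u 4210
sudo mkdir /home/backupuser/.ssh
sudo mv id_rsa.pub /home/backupuser/.ssh/authorized_keys   # (debian)
# sshd (StrictModes) rejects keys owned by another user or writable by others
sudo chown -R backupuser:backupuser /home/backupuser/.ssh
sudo chmod 700 /home/backupuser/.ssh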

Create rsync-wrapper script

Create a file named rsync-wrapper.sh.

sudo vi /home/backupuser/rsync-wrapper.sh

rsync-wrapper.sh script content
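#!/bin/sh

# Log the time and the arguments of every call
date >> /home/backupuser/backuplog
echo "$@" >> /home/backupuser/backuplog
# Run the real rsync as root with the same arguments
/usr/bin/sudo /usr/bin/rsync "$@"

Once created, you can copy this file across all remotes using scp.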

sudo chown backupuser:backupuser /home/backupuser/rsync-wrapper.sh

Set permissions

sudo chmod 755 /home/backupuser/rsync-wrapper.sh

Edit Sudoers config

sudo vi /etc/sudoers

sudoers content
#Add this line
backupuser ALL=NOPASSWD: /usr/bin/rsync

Initialize

Each backupuser ssh connection must be initialized once.

From the Backup Server, type:

ssh backupuser@REMOTE -i /home/backupuser/.ssh/id_rsa

Test

Before your Cron tasks call it, you can test your backups by running Rsnapshot manually.

rsnapshot daily

When finished, you can check the results in the Rsnapshot directory (default on Debian: /var/cache/rsnapshot).

If you repeat the run, you’ll see the rotation folders.
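
The log that rsync-wrapper.sh writes on each Remote Host (/home/backupuser/backuplog) can be checked as well. The script below is an added example, not part of the original tutorial: since rsnapshot only pulls, every logged call should start with --server --sender, and it lists the calls that do not. The function names is_pull_only and audit_backuplog and the sample log are made up for this illustration.

```shell
#!/bin/sh
# Audit the log written by rsync-wrapper.sh (one `date` line, then one
# line with the rsync arguments) and report every call that is not a
# plain pull. Assumes the two lines of an entry are never interleaved.

# Return 0 when an argument line describes a read-only pull.
is_pull_only() {
    case "$1" in
        *" --remove-"*) return 1 ;;         # --remove-source-files deletes on the sender
        "--server --sender "*) return 0 ;;  # remote side only sends files
        *) return 1 ;;                      # receiver mode (a write), or not a transfer
    esac
}

# Print "timestamp<TAB>arguments" for each unexpected call in log file $1.
# Returns 1 when at least one such call was found, 0 otherwise.
audit_backuplog() {
    found=0
    while IFS= read -r stamp && IFS= read -r args; do
        if ! is_pull_only "$args"; then
            printf '%s\t%s\n' "$stamp" "$args"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Constructed sample log (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mon Jan  6 03:00:01 UTC 2025
--server --sender -vlogDtpre.iLsfxC --numeric-ids . /etc/
Mon Jan  6 11:42:17 UTC 2025
--server -vlogDtpre.iLsfxC . /srv/data/
EOF
audit_backuplog "$sample" || echo "unexpected rsync calls listed above"
rm -f "$sample"
```

On a Remote Host, call audit_backuplog /home/backupuser/backuplog instead of the sample file.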

Sources

Then, I read this article on the Linux Puzzle blog and, after using it with success, I decided to write a slightly more detailed tutorial about this elegant solution.