Rsnapshot is a powerful rotating snapshot utility.
Rsnapshot's rotation processing uses hard links: only the changed files are copied, and the rest are hard-linked to the most recent backup. This reduces the disk space used.
Using remote root ssh access, Rsnapshot is able to back up a whole distant host. But, as you know, this is neither an elegant nor a secure solution.
Consider we have several Remote Hosts, and a Backup Server host.
We’ll use a common user (named backupuser).
From Backup Server, we’ll be able to log on each Remote Host using backupuser ssh public key.
The main trick is to set sudoers on each Remote Host to allow backupuser to run rsync as root, and to tell rsnapshot to use additional parameters when calling rsync.
Let's look at the details.
sudo adduser backupuser
sudo su backupuser
ssh-keygen
exit
WORKUSER is your usual user on Remote Host.
REMOTE is the address/IP of Remote Host.
sudo scp /home/backupuser/.ssh/id_rsa.pub WORKUSER@REMOTE:
sudo vim /etc/rsnapshot.conf
(Mind that the separator MUST BE a TAB and folders MUST END WITH A TRAILING SLASH)
#Uncomment this line
cmd_rsync	/usr/bin/rsync
#Uncomment and modify these lines
rsync_long_args	-ev --rsync-path=/home/backupuser/rsync-wrapper.sh
ssh_args	-i /home/backupuser/.ssh/id_rsa
#For each directory to backup, add this line at the end of the file
backup	backupuser@REMOTE:/PATH/	REMOTE_NAME/PATH/
#To backup /etc of myremote.org :
backup	backupuser@myremote.org:/etc/	myremote_backup/etc/
#Configure rotations. I use 3 daily, 3 weekly and 3 monthly rotations
interval	daily	3
interval	weekly	3
interval	monthly	3
Edit crontab: sudo crontab -e
A cron task must be defined for each rotation type. Mine looks like this, matching the Rsnapshot config:
#3am each day
0 3 * * * /usr/bin/rsnapshot daily
#4am each week
0 4 * * 1 /usr/bin/rsnapshot weekly
#4am each month
0 4 1 * * /usr/bin/rsnapshot monthly
Repeat these steps for each remote.
Log on to remote using your usual user (WORKUSER).
sudo useradd backupuser -c "limited backup user" -m -u 4210
sudo mkdir /home/backupuser/.ssh
sudo mv id_rsa.pub /home/backupuser/.ssh/authorized_keys (debian)
Create a file named rsync-wrapper.sh.
sudo vi /home/backupuser/rsync-wrapper.sh
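#!/bin/sh
# Log the time and the arguments rsync was called with
date >> /home/backupuser/backuplog
echo "$@" >> /home/backupuser/backuplog
# Run the real rsync as root with the same arguments
/usr/bin/sudo /usr/bin/rsync "$@"
Once created, you can copy this file across all remotes using scp.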
sudo chown backupuser:backupuser /home/backupuser/rsync-wrapper.sh
Set permissions
sudo chmod 755 /home/backupuser/rsync-wrapper.sh
sudo vi /etc/sudoers
#Add this line
backupuser ALL=NOPASSWD: /usr/bin/rsync
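The sudoers line above lets backupuser run rsync as root with any arguments, which includes writing files on the Remote Host. As an added example (not part of the original tutorial), this variant of rsync-wrapper.sh accepts only the --server --sender form that rsync uses on the remote side of a pull, and logs each decision. Assumptions: the script is owned by root so backupuser cannot edit it, and BACKUP_LOG is a hypothetical variable for overriding the log path.

```shell
#!/bin/sh
# Read-only variant of rsync-wrapper.sh (added example, not from the original post).
# Assumption: this file is root-owned, so backupuser cannot edit the check.
# BACKUP_LOG is a hypothetical override; the default is the tutorial's log file.
LOG="${BACKUP_LOG:-/home/backupuser/backuplog}"

# Return 0 only for the argument shape rsync uses on the remote side of a pull:
#   --server --sender <flags> . <path>...
# Without --sender the remote rsync is the receiver and writes files as root.
is_readonly_pull() {
    [ "$#" -ge 2 ] || return 1
    [ "$1" = "--server" ] && [ "$2" = "--sender" ] || return 1
    for arg in "$@"; do
        case "$arg" in
            # These options delete source files even in sender mode.
            --remove-source-files|--remove-sent-files) return 1 ;;
        esac
    done
    return 0
}

# Log the decision, then either hand over to rsync as root or refuse.
run_wrapper() {
    if is_readonly_pull "$@"; then
        printf '%s ALLOW %s\n' "$(date)" "$*" >> "$LOG"
        exec /usr/bin/sudo /usr/bin/rsync "$@"
    fi
    printf '%s DENY %s\n' "$(date)" "$*" >> "$LOG"
    echo "rsync-wrapper: only read-only pulls are allowed" >&2
    return 1
}

# rsync always passes arguments; with none (for example when sourced) do nothing.
if [ "$#" -gt 0 ]; then
    run_wrapper "$@"
fi
```

The check only covers calls that go through the wrapper. The sudoers rule as written still permits a direct sudo rsync call, so narrow that rule as well.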
Each backupuser ssh connection must be initialized once.
From Backup Server, type:
ssh backupuser@REMOTE -i /home/backupuser/.ssh/id_rsa
Before they are called by your cron tasks, you can test your backups by calling Rsnapshot manually.
rsnapshot daily
When finished, you can check the results in the Rsnapshot directory (default on debian: /var/cache/rsnapshot).
If repeated, you'll see the rotation folders.
Then, I read this article on the Linux Puzzle blog and, after using it with success, I decided to write a slightly more detailed tutorial about this elegant solution.