Difference between revisions of "btrbk"
(Setup SSH access) |
|||
(8 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
{{WIP}} | {{WIP}} | ||
− | == | + | == Setup Server == |
− | + | The backup server will be the machine that will receive the backup data. Clients will connect to it to sent their backup data. As a consequence, your server must be reachable from all your clients. | |
− | |||
− | |||
− | |||
− | |||
=== Destination Disk === | === Destination Disk === | ||
− | Create a Btrfs volume and mount it on <code>/backup</code>. | + | Create a Btrfs volume or subvolume and mount it on <code>/backup</code>. |
=== User === | === User === | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
− | + | $ sudo adduser --system --shell /bin/sh --home /backup/ --group --no-create-home btrbk | |
Adding system user `btrbk' (UID 122) ... | Adding system user `btrbk' (UID 122) ... | ||
Adding new group `btrbk' (GID 124) ... | Adding new group `btrbk' (GID 124) ... | ||
Adding new user `btrbk' (UID 122) with group `btrbk' ... | Adding new user `btrbk' (UID 122) with group `btrbk' ... | ||
Not creating home directory `/backup/'. | Not creating home directory `/backup/'. | ||
− | + | $ sudo mkdir /backup/.ssh | |
− | + | $ sudo touch /backup/.ssh/authorized_keys | |
− | </syntaxhighlight>This user will need to run <code>btrfs</code> tools as root. Let’s add this to the <code>/etc/sudoers</code> file<syntaxhighlight> | + | $ sudo chown root:btrbk /backup/ |
+ | $ sudo chmod 710 /backup/ | ||
+ | </syntaxhighlight> | ||
+ | This user will need to run <code>btrfs</code> tools as root. Let’s add this to the <code>/etc/sudoers</code> file | ||
+ | <syntaxhighlight lang="sh"> | ||
btrbk ALL=NOPASSWD:/bin/btrfs | btrbk ALL=NOPASSWD:/bin/btrfs | ||
− | </syntaxhighlight>If you limited access to certain users through SSH, add <code>btrbk</code> to the [[SSH|AllowUsers]] list and [[SSH|restart SSH]] | + | </syntaxhighlight>If you limited access to certain users through SSH, add <code>btrbk</code> to the [[SSH#Authentication|AllowUsers]] list and [[SSH#Restart|restart SSH]] |
== Setup Client == | == Setup Client == | ||
+ | |||
+ | === Install btrbk === | ||
+ | btrbk is not yet included in Debian Jessie. Make sure you configure [[Apt|stretch source]] before running the command bellow.<syntaxhighlight lang="console"> | ||
+ | $ sudo apt install btrbk | ||
+ | </syntaxhighlight> | ||
=== SSH Key === | === SSH Key === | ||
Create an SSH key dedicated to your backups<syntaxhighlight lang="console"> | Create an SSH key dedicated to your backups<syntaxhighlight lang="console"> | ||
− | + | $ sudo mkdir /etc/btrbk/ssh | |
− | + | $ sudo chmod 700 /etc/btrbk/ssh | |
− | + | $ sudo ssh-keygen -t ed25519 -N "" -f /etc/btrbk/ssh/id_ed25519 | |
− | ... | + | Generating public/private ed25519 key pair. |
− | + | Your identification has been saved in /etc/btrbk/ssh/id_ed25519. | |
− | + | Your public key has been saved in /etc/btrbk/ssh/id_ed25519.pub. | |
− | </syntaxhighlight>Then, '''on the backup server''', add the following line to <code>/backup/.ssh/authorized_keys</code>.<syntaxhighlight lang="sh"> | + | The key fingerprint is: |
− | command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup --sudo",restrict | + | SHA256:y5VremJsz5wHiO2KKrtupPZYbaqNeURxeLdznaCw450 root@client.example.org |
− | </syntaxhighlight>{{TODO|msg = }}[[Category:Debian Release]] | + | The key's randomart image is: |
+ | +--[ED25519 256]--+ | ||
+ | | . | | ||
+ | | o + . . | | ||
+ | | + + o o . | | ||
+ | | . o + . + | | ||
+ | | . . ooS.o | | ||
+ | | . ....Eoo.. | | ||
+ | |o .. o oo o. | | ||
+ | |oo*.o. *=... | | ||
+ | |*X==. .+.+=. | | ||
+ | +----[SHA256]-----+ | ||
+ | $ sudo cat /etc/btrbk/ssh/id_ed25519.pub | ||
+ | AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org | ||
+ | </syntaxhighlight>Keep the result of the last command, you will need it at the next step. | ||
+ | |||
+ | === Register Client on the Server === | ||
+ | '''Note:''' On the instructions bellow, the token <code><client></code> must be replace by the machine name. | ||
+ | |||
+ | ==== Create Destination Folder ==== | ||
+ | '''On the backup server''', create a new folder for the client.<syntaxhighlight lang="console"> | ||
+ | $ sudo mkdir /backup/<client> | ||
+ | $ sudo chmod 700 /backup/<client> | ||
+ | </syntaxhighlight> | ||
+ | ==== Setup SSH Key ==== | ||
+ | Then, '''on the backup server''', add the following line to <code>/backup/.ssh/authorized_keys</code>. The key at the end of the line must be replaced with the public key that you created above. | ||
+ | |||
+ | If you have OpenSSH 7.2 or above (test using <code>ssh -V</code>), use this line<syntaxhighlight lang="sh"> | ||
+ | command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org | ||
+ | </syntaxhighlight>Otherwise, you need the more verbose version<syntaxhighlight lang="sh"> | ||
+ | command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Configure btrbk === | ||
+ | Create file <code>/ect/btrbk/btrbk.conf</code><syntaxhighlight lang="properties"> | ||
+ | # Enable transaction log | ||
+ | transaction_log /var/log/btrbk.log | ||
+ | |||
+ | # Directory in which the btrfs snapshots are created. Relative to | ||
+ | # <volume-directory> of the volume section. | ||
+ | # If not set, the snapshots are created in <volume-directory>. | ||
+ | # | ||
+ | # If you want to set a custom name for the snapshot (and backups), | ||
+ | # use the "snapshot_name" option within the subvolume section. | ||
+ | # | ||
+ | # NOTE: btrbk does not autmatically create this directory, and the | ||
+ | # snapshot creation will fail if it is not present. | ||
+ | # | ||
+ | snapshot_dir _btrbk_snap | ||
+ | |||
+ | |||
+ | # Specify SSH private key for "ssh://" volumes / targets: | ||
+ | ssh_identity /etc/btrbk/ssh/id_ed25519 | ||
+ | ssh_user btrbk | ||
+ | #ssh_port default | ||
+ | #ssh_compression no | ||
+ | #ssh_cipher_spec default | ||
+ | |||
+ | # Don't wait for transaction commit on deletion. Set this to "after" | ||
+ | # or "each" to make sure the deletion of subvolumes is committed to | ||
+ | # disk when btrbk terminates. | ||
+ | #btrfs_commit_delete no | ||
+ | |||
+ | # Set this to "yes" to enable btrfs-progs < 3.17 compatibility. | ||
+ | # Set this either globally or in a specific "target" section. | ||
+ | #btrfs_progs_compat no | ||
+ | |||
+ | snapshot_preserve_min 5d | ||
+ | snapshot_preserve 14d 2w 1m | ||
+ | |||
+ | target_preserve_min 5d | ||
+ | target_preserve 14d 10w 24m | ||
+ | |||
+ | # | ||
+ | # Volume section: "volume <volume-directory>" | ||
+ | # | ||
+ | # <volume-directory> Directory of a btrfs volume (or subvolume) | ||
+ | # containing the subvolume to be backuped | ||
+ | # (usually the mount-point of a btrfs filesystem | ||
+ | # mounted with subvolid=0 option) | ||
+ | # | ||
+ | # Subvolume section: "subvolume <subvolume-name> | ||
+ | # | ||
+ | # <subvolume-name> Subvolume to be backuped, relative to | ||
+ | # <volume-directory> in volume section. | ||
+ | # | ||
+ | # Target section: "target <type> <volume-directory>" | ||
+ | # | ||
+ | # <type> Backup type, currently only "send-receive". | ||
+ | # <volume-directory> Directory of a btrfs volume (or subvolume) | ||
+ | # receiving the backups. | ||
+ | # | ||
+ | # NOTE: The parser does not care about indentation, this is only for | ||
+ | # human readability. The options always apply to the last section | ||
+ | # encountered, overriding the corresponding option of the upper | ||
+ | # section. This means that the global options must be set before any | ||
+ | # "volume" section. | ||
+ | # | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | |||
+ | == Add a Backup Volume == | ||
+ | <syntaxhighlight lang="console"> | ||
+ | $ sudo btrfs subvolume create /backup/<client>/<volume> | ||
+ | </syntaxhighlight>{{TODO|msg = }} | ||
+ | |||
+ | [[Category:Debian Release]] | ||
[[Category:Linux Desktop]] | [[Category:Linux Desktop]] | ||
[[Category:Linux Server]] | [[Category:Linux Server]] |
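Review bot: the added line "Create file /ect/btrbk/btrbk.conf" misspells the path; it should read /etc/btrbk/btrbk.conf, matching the /etc/btrbk/ssh directory used in the SSH Key section of the same revision. The added btrbk.conf ends with the section documentation comments and defines no volume, subvolume or target section, so as written the client has nothing to back up; add a sample section or state that one follows. The new "Add a Backup Volume" step creates /backup/<client>/<volume>, so it runs on the backup server, but unlike the other server-side steps it is not marked "on the backup server".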
Latest revision as of 20:11, 12 February 2017
btrbk is a backup tool for Btrfs disks.
Warning: This page is a work in progress and is not complete. Important information might be missing or wrong.
Setup Server
The backup server is the machine that receives the backup data. Clients connect to it to send their backup data. As a consequence, your server must be reachable from all your clients.
Destination Disk
Create a Btrfs volume or subvolume and mount it on /backup.
User
$ sudo adduser --system --shell /bin/sh --home /backup/ --group --no-create-home btrbk
Adding system user `btrbk' (UID 122) ...
Adding new group `btrbk' (GID 124) ...
Adding new user `btrbk' (UID 122) with group `btrbk' ...
Not creating home directory `/backup/'.
$ sudo mkdir /backup/.ssh
$ sudo touch /backup/.ssh/authorized_keys
$ sudo chown root:btrbk /backup/
$ sudo chmod 710 /backup/
This user will need to run btrfs tools as root. Let's add this to the /etc/sudoers file:
btrbk ALL=NOPASSWD:/bin/btrfs
If you limited access to certain users through SSH, add btrbk to the AllowUsers list and restart SSH.
Setup Client
Install btrbk
btrbk is not yet included in Debian Jessie. Make sure you configure the stretch source before running the command below.
$ sudo apt install btrbk
SSH Key
Create an SSH key dedicated to your backups
$ sudo mkdir /etc/btrbk/ssh
$ sudo chmod 700 /etc/btrbk/ssh
$ sudo ssh-keygen -t ed25519 -N "" -f /etc/btrbk/ssh/id_ed25519
Generating public/private ed25519 key pair.
Your identification has been saved in /etc/btrbk/ssh/id_ed25519.
Your public key has been saved in /etc/btrbk/ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:y5VremJsz5wHiO2KKrtupPZYbaqNeURxeLdznaCw450 root@client.example.org
The key's randomart image is:
+--[ED25519 256]--+
| . |
| o + . . |
| + + o o . |
| . o + . + |
| . . ooS.o |
| . ....Eoo.. |
|o .. o oo o. |
|oo*.o. *=... |
|*X==. .+.+=. |
+----[SHA256]-----+
$ sudo cat /etc/btrbk/ssh/id_ed25519.pub
AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
Keep the output of the last command; you will need it in the next step.
Register Client on the Server
Note: In the instructions below, the token <client> must be replaced by the machine name.
Create Destination Folder
On the backup server, create a new folder for the client.
$ sudo mkdir /backup/<client>
$ sudo chmod 700 /backup/<client>
Setup SSH Key
Then, on the backup server, add the following line to /backup/.ssh/authorized_keys. The key at the end of the line must be replaced with the public key that you created above.
If you have OpenSSH 7.2 or above (test using ssh -V), use this line
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
Otherwise, you need the more verbose version
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
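Because the btrbk user may run /bin/btrfs as root without a password, the forced command, its -p path and the SSH restrictions are what confine each client key. The following script is an added example, not part of the original page or of btrbk; it checks authorized_keys entries written in the layout shown above, and its function names and verdict words are assumptions.

```sh
#!/bin/sh
# Added example: audit btrbk entries in /backup/.ssh/authorized_keys. Assumes the
# page's layout (command="..." first, short -p option); names are hypothetical.
FILTER=/usr/share/btrbk/scripts/ssh_filter_btrbk.sh
LEGACY="no-agent-forwarding no-port-forwarding no-pty no-user-rc no-X11-forwarding"

# check_entry LINE: print a verdict word; return 0 only for "ok".
check_entry() {
    case $1 in
        "command=\"$FILTER "*) ;;
        *) echo no-forced-command; return 1 ;;
    esac
    rest=${1#command=\"}
    cmd=${rest%%\"*}        # text inside the quotes
    opts=${rest#*\"}        # ",restrict ssh-ed25519 AAAA... comment"
    opts="${opts%% *},"     # ",restrict,"
    # Every -p must name a per-client directory below /backup.
    seen=0
    while :; do
        case $cmd in *" -p "*) ;; *) break ;; esac
        cmd=${cmd#* -p }
        seen=1
        case ${cmd%% *} in
            *..*|*//*) echo path-too-broad; return 1 ;;
            /backup/?*) ;;
            *) echo path-too-broad; return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo no-path-restriction; return 1; }
    # Accept "restrict" (OpenSSH 7.2+) or all five legacy no-* options.
    case $opts in *,restrict,*) echo ok; return 0 ;; esac
    for o in $LEGACY; do
        case $opts in *",$o,"*) ;; *) echo missing-ssh-restrictions; return 1 ;; esac
    done
    echo ok
}

# audit_file FILE: print "lineno: verdict" for each bad entry; return 1 if any.
audit_file() {
    n=0; bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case $l in ''|'#'*) continue ;; esac
        v=$(check_entry "$l") || { echo "$n: $v"; bad=1; }
    done < "$1"
    return "$bad"
}

[ $# -eq 0 ] || audit_file "$1"
```

Saved under a name of your choice and run on the backup server with /backup/.ssh/authorized_keys as its argument, it prints nothing and exits 0 when every entry is confined.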
Configure btrbk
Create the file /etc/btrbk/btrbk.conf:
# Enable transaction log
transaction_log /var/log/btrbk.log
# Directory in which the btrfs snapshots are created. Relative to
# <volume-directory> of the volume section.
# If not set, the snapshots are created in <volume-directory>.
#
# If you want to set a custom name for the snapshot (and backups),
# use the "snapshot_name" option within the subvolume section.
#
# NOTE: btrbk does not automatically create this directory, and the
# snapshot creation will fail if it is not present.
#
snapshot_dir _btrbk_snap
# Specify SSH private key for "ssh://" volumes / targets:
ssh_identity /etc/btrbk/ssh/id_ed25519
ssh_user btrbk
#ssh_port default
#ssh_compression no
#ssh_cipher_spec default
# Don't wait for transaction commit on deletion. Set this to "after"
# or "each" to make sure the deletion of subvolumes is committed to
# disk when btrbk terminates.
#btrfs_commit_delete no
# Set this to "yes" to enable btrfs-progs < 3.17 compatibility.
# Set this either globally or in a specific "target" section.
#btrfs_progs_compat no
snapshot_preserve_min 5d
snapshot_preserve 14d 2w 1m
target_preserve_min 5d
target_preserve 14d 10w 24m
#
# Volume section: "volume <volume-directory>"
#
# <volume-directory> Directory of a btrfs volume (or subvolume)
# containing the subvolume to be backed up
# (usually the mount-point of a btrfs filesystem
# mounted with subvolid=0 option)
#
# Subvolume section: "subvolume <subvolume-name>"
#
# <subvolume-name> Subvolume to be backed up, relative to
# <volume-directory> in volume section.
#
# Target section: "target <type> <volume-directory>"
#
# <type> Backup type, currently only "send-receive".
# <volume-directory> Directory of a btrfs volume (or subvolume)
# receiving the backups.
#
# NOTE: The parser does not care about indentation, this is only for
# human readability. The options always apply to the last section
# encountered, overriding the corresponding option of the upper
# section. This means that the global options must be set before any
# "volume" section.
#
Add a Backup Volume
$ sudo btrfs subvolume create /backup/<client>/<volume>