Difference between revisions of "btrbk"

From wiki
(Setup SSH access)
 
(8 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
{{WIP}}
 
{{WIP}}
  
== Install ==
+
== Setup Server ==
btrbk is not yet included in Debian Jessie. Make sure you configure [[Apt|stretch source]] before running the command bellow.<syntaxhighlight lang="console">
+
The backup server will be the machine that will receive the backup data. Clients will connect to it to sent their backup data. As a consequence, your server must be reachable from all your clients.
# apt install btrbk
 
</syntaxhighlight>
 
 
 
== Setup Backup Server ==
 
  
 
=== Destination Disk ===
 
=== Destination Disk ===
Create a Btrfs volume and mount it on <code>/backup</code>.
+
Create a Btrfs volume or subvolume and mount it on <code>/backup</code>.
  
 
=== User ===
 
=== User ===
 
<syntaxhighlight lang="console">
 
<syntaxhighlight lang="console">
# adduser --system --shell /bin/sh --home /backup/ --group --no-create-home btrbk
+
$ sudo adduser --system --shell /bin/sh --home /backup/ --group --no-create-home btrbk
 
Adding system user `btrbk' (UID 122) ...
 
Adding system user `btrbk' (UID 122) ...
 
Adding new group `btrbk' (GID 124) ...
 
Adding new group `btrbk' (GID 124) ...
 
Adding new user `btrbk' (UID 122) with group `btrbk' ...
 
Adding new user `btrbk' (UID 122) with group `btrbk' ...
 
Not creating home directory `/backup/'.
 
Not creating home directory `/backup/'.
# mkdir /backup/.ssh
+
$ sudo mkdir /backup/.ssh
# touch /backup/.ssh/authorized_keys
+
$ sudo touch /backup/.ssh/authorized_keys
</syntaxhighlight>This user will need to run <code>btrfs</code> tools as root. Let’s add this to the <code>/etc/sudoers</code> file<syntaxhighlight>
+
$ sudo chown root:btrbk /backup/
 +
$ sudo chmod 710 /backup/
 +
</syntaxhighlight>
 +
This user will need to run <code>btrfs</code> tools as root. Let’s add this to the <code>/etc/sudoers</code> file
 +
<syntaxhighlight lang="sh">
 
btrbk  ALL=NOPASSWD:/bin/btrfs
 
btrbk  ALL=NOPASSWD:/bin/btrfs
</syntaxhighlight>If you limited access to certain users through SSH, add <code>btrbk</code> to the [[SSH|AllowUsers]] list and [[SSH|restart SSH]]
+
</syntaxhighlight>If you limited access to certain users through SSH, add <code>btrbk</code> to the [[SSH#Authentication|AllowUsers]] list and [[SSH#Restart|restart SSH]]
  
 
== Setup Client ==
 
== Setup Client ==
 +
 +
=== Install btrbk ===
 +
btrbk is not yet included in Debian Jessie. Make sure you configure [[Apt|stretch source]] before running the command bellow.<syntaxhighlight lang="console">
 +
$ sudo apt install btrbk
 +
</syntaxhighlight>
  
 
=== SSH Key ===
 
=== SSH Key ===
 
Create an SSH key dedicated to your backups<syntaxhighlight lang="console">
 
Create an SSH key dedicated to your backups<syntaxhighlight lang="console">
# mkdir /etc/btrbk/ssh
+
$ sudo mkdir /etc/btrbk/ssh
# chmod 700 /etc/btrbk/ssh
+
$ sudo chmod 700 /etc/btrbk/ssh
# ssh-keygen -t ed25519 -N "" -f /etc/btrbk/ssh/id_ed25519
+
$ sudo ssh-keygen -t ed25519 -N "" -f /etc/btrbk/ssh/id_ed25519
...
+
Generating public/private ed25519 key pair.
# cat /etc/btrbk/ssh/id_ed25519
+
Your identification has been saved in /etc/btrbk/ssh/id_ed25519.
AAAAC3NzaC1lZDI1NTE5AAAAIFWJQzmdbnWfJqfa/YqXHQXh5bhkRir76mkkdVSln+eo root@client.example.org
+
Your public key has been saved in /etc/btrbk/ssh/id_ed25519.pub.
</syntaxhighlight>Then, '''on the backup server''', add the following line to <code>/backup/.ssh/authorized_keys</code>.<syntaxhighlight lang="sh">
+
The key fingerprint is:
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup --sudo",restrict,from="client.example.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwxT6AaiAjahdUBeitkRDK6FXeZhI10rVN8BIeVriXG root@client.example.org
+
SHA256:y5VremJsz5wHiO2KKrtupPZYbaqNeURxeLdznaCw450 root@client.example.org
</syntaxhighlight>{{TODO|msg = }}[[Category:Debian Release]]
+
The key's randomart image is:
 +
+--[ED25519 256]--+
 +
|    .            |
 +
|  o + . .      |
 +
|    + + o o .    |
 +
|  . o + . +    |
 +
|  . . ooS.o      |
 +
| . ....Eoo..    |
 +
|o .. o oo o.    |
 +
|oo*.o.  *=...    |
 +
|*X==. .+.+=.     |
 +
+----[SHA256]-----+
 +
$ sudo cat /etc/btrbk/ssh/id_ed25519.pub
 +
AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
 +
</syntaxhighlight>Keep the result of the last command, you will need it at the next step.
 +
 
 +
=== Register Client on the Server ===
 +
'''Note:''' On the instructions bellow, the token <code><client></code> must be replace by the machine name.
 +
 
 +
==== Create Destination Folder ====
 +
'''On the backup server''', create a new folder for the client.<syntaxhighlight lang="console">
 +
$ sudo mkdir /backup/<client>
 +
$ sudo chmod 700 /backup/<client>
 +
</syntaxhighlight>
 +
==== Setup SSH Key ====
 +
Then, '''on the backup server''', add the following line to <code>/backup/.ssh/authorized_keys</code>. The key at the end of the line must be replaced with the public key that you created above.
 +
 
 +
If you have OpenSSH 7.2 or above (test using <code>ssh -V</code>), use this line<syntaxhighlight lang="sh">
 +
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
 +
</syntaxhighlight>Otherwise, you need the more verbose version<syntaxhighlight lang="sh">
 +
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
 +
</syntaxhighlight>
 +
 
 +
=== Configure btrbk ===
 +
Create file <code>/ect/btrbk/btrbk.conf</code><syntaxhighlight lang="properties">
 +
# Enable transaction log
 +
transaction_log            /var/log/btrbk.log
 +
 
 +
# Directory in which the btrfs snapshots are created. Relative to
 +
# <volume-directory> of the volume section.
 +
# If not set, the snapshots are created in <volume-directory>.
 +
#
 +
# If you want to set a custom name for the snapshot (and backups),
 +
# use the "snapshot_name" option within the subvolume section.
 +
#
 +
# NOTE: btrbk does not autmatically create this directory, and the
 +
# snapshot creation will fail if it is not present.
 +
#
 +
snapshot_dir                _btrbk_snap
 +
 
 +
 
 +
# Specify SSH private key for "ssh://" volumes / targets:
 +
ssh_identity                /etc/btrbk/ssh/id_ed25519
 +
ssh_user                    btrbk
 +
#ssh_port                  default
 +
#ssh_compression            no
 +
#ssh_cipher_spec            default
 +
 
 +
# Don't wait for transaction commit on deletion. Set this to "after"
 +
# or "each" to make sure the deletion of subvolumes is committed to
 +
# disk when btrbk terminates.
 +
#btrfs_commit_delete        no
 +
 
 +
# Set this to "yes" to enable btrfs-progs < 3.17 compatibility.
 +
# Set this either globally or in a specific "target" section.
 +
#btrfs_progs_compat        no
 +
 
 +
snapshot_preserve_min 5d
 +
snapshot_preserve    14d 2w 1m
 +
 
 +
target_preserve_min 5d
 +
target_preserve    14d 10w 24m
 +
 
 +
#
 +
# Volume section: "volume <volume-directory>"
 +
#
 +
#  <volume-directory>  Directory of a btrfs volume (or subvolume)
 +
#                      containing the subvolume to be backuped
 +
#                      (usually the mount-point of a btrfs filesystem
 +
#                      mounted with subvolid=0 option)
 +
#
 +
# Subvolume section: "subvolume <subvolume-name>
 +
#
 +
#  <subvolume-name>    Subvolume to be backuped, relative to
 +
#                      <volume-directory> in volume section.
 +
#
 +
# Target section: "target <type> <volume-directory>"
 +
#
 +
#  <type>              Backup type, currently only "send-receive".
 +
#  <volume-directory>  Directory of a btrfs volume (or subvolume)
 +
#                      receiving the backups.
 +
#
 +
# NOTE: The parser does not care about indentation, this is only for
 +
# human readability. The options always apply to the last section
 +
# encountered, overriding the corresponding option of the upper
 +
# section. This means that the global options must be set before any
 +
# "volume" section.
 +
#
 +
 
 +
</syntaxhighlight>
 +
 
 +
== Add a Backup Volume ==
 +
<syntaxhighlight lang="console">
 +
$ sudo btrfs subvolume create /backup/<client>/<volume>
 +
</syntaxhighlight>{{TODO|msg = }}
 +
 
 +
[[Category:Debian Release]]
 
[[Category:Linux Desktop]]
 
[[Category:Linux Desktop]]
 
[[Category:Linux Server]]
 
[[Category:Linux Server]]
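Review bot: the new authorized_keys lines under "Setup SSH Key" drop the from="client.example.org" option that the removed line carried next to restrict, so the dedicated backup key is no longer tied to the client it was issued for. Consider keeping a from="..." entry in both the restrict variant and the verbose no-* variant. The new "Configure btrbk" text also names the file /ect/btrbk/btrbk.conf while ssh_identity in the same block points at /etc/btrbk/ssh/id_ed25519, so the path looks like a typo for /etc.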

Latest revision as of 20:11, 12 February 2017

btrbk is a backup tool for Btrfs disks.


Warning: This page is a work in progress and is not complete. Important information might be missing or wrong.

Setup Server

The backup server is the machine that receives the backup data. Clients connect to it to send their backup data. As a consequence, your server must be reachable from all your clients.

Destination Disk

Create a Btrfs volume or subvolume and mount it on /backup.

User

$ sudo adduser --system --shell /bin/sh --home /backup/ --group --no-create-home btrbk
Adding system user `btrbk' (UID 122) ...
Adding new group `btrbk' (GID 124) ...
Adding new user `btrbk' (UID 122) with group `btrbk' ...
Not creating home directory `/backup/'.
$ sudo mkdir /backup/.ssh
$ sudo touch /backup/.ssh/authorized_keys
$ sudo chown root:btrbk /backup/
$ sudo chmod 710 /backup/

This user will need to run btrfs tools as root. Add the following line to the /etc/sudoers file:

btrbk   ALL=NOPASSWD:/bin/btrfs

If you have limited SSH access to certain users, add btrbk to the AllowUsers list and restart SSH.

Setup Client

Install btrbk

btrbk is not yet included in Debian Jessie. Make sure you configure the stretch source before running the command below.

$ sudo apt install btrbk

SSH Key

Create an SSH key dedicated to your backups

$ sudo mkdir /etc/btrbk/ssh
$ sudo chmod 700 /etc/btrbk/ssh
$ sudo ssh-keygen -t ed25519 -N "" -f /etc/btrbk/ssh/id_ed25519
Generating public/private ed25519 key pair.
Your identification has been saved in /etc/btrbk/ssh/id_ed25519.
Your public key has been saved in /etc/btrbk/ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:y5VremJsz5wHiO2KKrtupPZYbaqNeURxeLdznaCw450 root@client.example.org
The key's randomart image is:
+--[ED25519 256]--+
|    .            |
|   o + . .       |
|    + + o o .    |
|   . o + . +     |
|  . . ooS.o      |
| . ....Eoo..     |
|o .. o oo o.     |
|oo*.o.  *=...    |
|*X==. .+.+=.     |
+----[SHA256]-----+
$ sudo cat /etc/btrbk/ssh/id_ed25519.pub
AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org

Keep the result of the last command; you will need it in the next step.

Register Client on the Server

Note: In the instructions below, the token <client> must be replaced by the machine name.

Create Destination Folder

On the backup server, create a new folder for the client.

$ sudo mkdir /backup/<client>
$ sudo chmod 700 /backup/<client>

Setup SSH Key

Then, on the backup server, add the following line to /backup/.ssh/authorized_keys. The key at the end of the line must be replaced with the public key that you created above.

If you have OpenSSH 7.2 or above (test using ssh -V), use this line

command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org

Otherwise, you need the more verbose version

command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --target --info -p /backup/<client> --sudo",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5ScAgJnpqYCipj6PyrOjbXpsaQZIzys7uHcVe1J3ay root@client.example.org
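
As an added example (not part of the original wiki page or of btrbk), the following POSIX shell function audits the btrbk account's authorized_keys against the rules this section sets out: every key is pinned to ssh_filter_btrbk.sh, -p names a per-client directory under /backup/, and the line carries restrict or all five no-* options. The function names, the sample host names and the placeholder key blobs are constructed for illustration.

```sh
# Added example, not btrbk project code. Paths and options are the page's own.
FILTER=/usr/share/btrbk/scripts/ssh_filter_btrbk.sh
NO_OPTS="no-agent-forwarding no-port-forwarding no-pty no-user-rc no-X11-forwarding"

# Print one finding per problem; return 1 if any key line is too permissive.
audit_authorized_keys() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                      # ignored by sshd as well
            'command="'*) ;;
            *) echo "line $n: no forced command"; bad=1; continue ;;
        esac
        cmd=${line#command=\"}      # strip the leading command="
        rest=${cmd#*\"}             # text after the closing quote
        cmd=${cmd%%\"*}             # the forced command itself
        opts=",${rest%% *},"        # remaining options, comma-delimited
        case $cmd in
            "$FILTER "*) ;;
            *) echo "line $n: forced command is not ssh_filter_btrbk.sh"; bad=1 ;;
        esac
        path=${cmd#* -p }; path=${path%% *}           # argument of -p, if any
        case $path in
            /backup/?*) ;;
            *) echo "line $n: -p is not a per-client /backup/<client> path"; bad=1 ;;
        esac
        case $opts in
            *,restrict,*) ;;
            *) for o in $NO_OPTS; do
                   case $opts in *",$o,"*) ;; *) echo "line $n: missing $o"; bad=1 ;; esac
               done ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_keys() {
    cat <<EOF
command="$FILTER --target --info -p /backup/alpha --sudo",restrict ssh-ed25519 AAAAPLACEHOLDER1 root@alpha
command="$FILTER --target --info -p /backup/beta --sudo",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAPLACEHOLDER2 root@beta
command="$FILTER --target --info -p /backup --sudo",restrict ssh-ed25519 AAAAPLACEHOLDER3 root@gamma
command="$FILTER --target --info -p /backup/delta --sudo",no-pty ssh-ed25519 AAAAPLACEHOLDER4 root@delta
ssh-ed25519 AAAAPLACEHOLDER5 root@epsilon
EOF
}
```

On the backup server, run `audit_authorized_keys /backup/.ssh/authorized_keys` as root; a non-zero exit status means at least one key line needs tightening.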

Configure btrbk

Create the file /etc/btrbk/btrbk.conf

# Enable transaction log
transaction_log             /var/log/btrbk.log

# Directory in which the btrfs snapshots are created. Relative to
# <volume-directory> of the volume section.
# If not set, the snapshots are created in <volume-directory>.
#
# If you want to set a custom name for the snapshot (and backups),
# use the "snapshot_name" option within the subvolume section.
#
# NOTE: btrbk does not automatically create this directory, and the
# snapshot creation will fail if it is not present.
#
snapshot_dir                _btrbk_snap


# Specify SSH private key for "ssh://" volumes / targets:
ssh_identity                /etc/btrbk/ssh/id_ed25519
ssh_user                    btrbk
#ssh_port                   default
#ssh_compression            no
#ssh_cipher_spec            default

# Don't wait for transaction commit on deletion. Set this to "after"
# or "each" to make sure the deletion of subvolumes is committed to
# disk when btrbk terminates.
#btrfs_commit_delete        no

# Set this to "yes" to enable btrfs-progs < 3.17 compatibility.
# Set this either globally or in a specific "target" section.
#btrfs_progs_compat         no

snapshot_preserve_min 5d
snapshot_preserve     14d 2w 1m

target_preserve_min 5d
target_preserve     14d 10w 24m

#
# Volume section: "volume <volume-directory>"
#
#   <volume-directory>  Directory of a btrfs volume (or subvolume)
#                       containing the subvolume to be backed up
#                       (usually the mount-point of a btrfs filesystem
#                       mounted with subvolid=0 option)
#
# Subvolume section: "subvolume <subvolume-name>"
#
#   <subvolume-name>    Subvolume to be backed up, relative to
#                       <volume-directory> in volume section.
#
# Target section: "target <type> <volume-directory>"
#
#   <type>              Backup type, currently only "send-receive".
#   <volume-directory>  Directory of a btrfs volume (or subvolume)
#                       receiving the backups.
#
# NOTE: The parser does not care about indentation, this is only for
# human readability. The options always apply to the last section
# encountered, overriding the corresponding option of the upper
# section. This means that the global options must be set before any
# "volume" section.
#

Add a Backup Volume

$ sudo btrfs subvolume create /backup/<client>/<volume>
TODO