diff --git a/infrastructure/server-backup-with-rsync.md b/infrastructure/server-backup-with-rsync.md index a650ce9..43d83bd 100644 --- a/infrastructure/server-backup-with-rsync.md +++ b/infrastructure/server-backup-with-rsync.md @@ -1,12 +1,11 @@ # Server Backup With Rsync -1. Make sure that rsync is installed on the server: +First of all make sure that rsync is installed on the server: `apt install rsync` - ``` - apt install rsync - ``` -1. Create a backup user, for example `backup1`: +## 1. Create a backup user with ssh-key access + +1. Create a backup user, for example `backup1` (in ubuntu there is already a user named `backup`): ``` useradd backup1 -m @@ -59,6 +58,8 @@ ls -al test1 ``` +## 2. Restrict the ssh key of the backup user for using only rsync + 1. Let's find out the command that the client is sending to the server through SSH. Let's try the same rsync command again, with the added SSH switch `-v` (verbose): 
@@ -105,7 +106,52 @@ ls -l test1 ``` -1. For convenience, we can combine the command and the key in a bash script that looks like this: +## 3. Create a read-only view of the parts of the filesystem that need to be backed up + +1. Install `bindfs`: + + ``` + apt list bindfs + apt show bindfs + apt install bindfs + ``` + +2. Create mount directories: + + ``` + mkdir -p /mnt/backup-server/scripts + mkdir -p /mnt/backup-server/apps + ``` + +3. Add these lines to `/etc/fstab` for mounting directories read-only: + + ```console + /opt/docker-scripts /mnt/backup-server/scripts fuse.bindfs perms=0000:u=rD,force-user=backup1,force-group=nogroup 0 0 + /var/ds /mnt/backup-server/apps fuse.bindfs perms=0000:u=rD,force-user=backup1,force-group=nogroup 0 0 + ``` + + Since we are using **docker-scripts** for installing and managing apps, these two directories + are what we need to backup: `/opt/docker-scripts` and `/var/ds`. + +4. Mount them: + + ```console + mount -a + ls -al /mnt/backup-server/scripts + ls -al /mnt/backup-server/apps + ``` + +5. Test that they are read-only: + + ```console + sudo -u backup1 ls -al /mnt/backup-server/scripts + sudo -u backup1 touch /mnt/backup-server/scripts/test1.txt + ``` + +## 4. Create and use a backup script + +1. For convenience, we can combine the command and the key in a bash script named `backup-server.sh` + that looks like this: ``` #!/bin/bash @@ -113,6 +159,7 @@ server=127.0.0.1 port=22 + cd $(dirname $0) rsync -a -e "ssh -p $port -i $0" backup1@${server}: . exit 0 
@@ -127,18 +174,34 @@ Let's try it: ``` - chmod 700 backup1.sh + chmod 700 backup-server.sh rm -rf test1/ - ./backup1.sh + ./backup-server.sh ls -l test1/ ``` -1. Now we can move this script to the client (backup server), making sure to change - the variable `server` with the IP of the server, and it should work. +1. Now we can move this script to the client (backup server), making sure to set + the proper values for the variables `server` and `port`, and it should work. -1. To change the directory on the server that is being backed up, we should change it - on `/home/backup1/.ssh/authorized_keys` (for example from `~/test1` to `/var/backup`, - or anything else where the user `backup1` has read access). +1. Let's also fix the directory on the server that is being backed up. We should edit + `/home/backup1/.ssh/authorized_keys` and change `~/test1` to `/mnt/backup-server` -1. To backup a second directory we can create a second SSH key, append it to - `/home/backup1/.ssh/authorized_keys`, and create a second backup script. \ No newline at end of file +1. On the client (computer that is receiving the backup), let's place the script `backup-server.sh` + on a directory like `/var/backup`: + + ``` + mkdir -p /var/backup + mv backup-server.sh /var/backup/ + + cd /var/backup/ + ./backup-server.sh + ``` + +1. Let's also create a cron job that runs this script periodically each week: + + ``` + cat < /etc/cron.d/backup-server + # backup the server each tuesday + 0 0 * * TUE root /var/backup/backup-server.sh + EOF + ``` \ No newline at end of file
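
Review bot: In the first hunk (`@@ -1,12 +1,11 @@`), the new parenthetical writes `ubuntu` in lowercase and the new heading writes `ssh-key`, while the step text later in the file writes "SSH" in capitals; use "Ubuntu" and "SSH key" for consistency. The install command also moves from a fenced block to inline code, unlike the other commands in this patch, which stay in fenced blocks; consider keeping the fence.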
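
Review bot: In the bindfs section added by the `@@ -105,7 +106,52 @@` hunk, step 5 ("Test that they are read-only") runs `touch` as `backup1` but never says what result to expect. State that the `ls` should succeed and the `touch` should fail, so a reader can tell a working mount from a misconfigured one. The read-only property here rests only on the permission bits in `perms=0000:u=rD`; adding the `ro` mount option that bindfs supports to both `/etc/fstab` entries would make the mount itself refuse writes (this comes from the bindfs manual, not from the patch). Smaller points: `apt list bindfs` and `apt show bindfs` only display package information and are not needed for the install step, the new blocks use `console`-tagged fences and explicit `1.` to `5.` numbering while the rest of the file uses bare fences and repeated `1.`, and "need to backup" should read "need to back up".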
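
Review bot: In the `@@ -113,6 +159,7 @@` hunk, the added `cd $(dirname $0)` is unquoted and unchecked, and it changes how the following `-i $0` resolves. If the script is started through a relative path with a directory component (for example `backup/backup-server.sh`), the working directory becomes `backup` and `ssh` then looks for the key at `backup/backup-server.sh` relative to it, which does not exist. If the `cd` fails, `rsync` writes into whatever directory the caller happened to be in. Suggest resolving the path once and stopping on failure, for example `self=$(readlink -f "$0")`, then `cd "$(dirname "$self")" || exit 1`, and passing `-i $self` to `ssh`. The unchanged `exit 0` also reports success even when `rsync` fails, which matters once the script runs from cron; `exit $?` straight after the `rsync` line, or simply dropping the line, would pass the real status through.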
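
Review bot: In the last hunk (`@@ -127,18 +174,34 @@`), the cron step's `cat < /etc/cron.d/backup-server` reads from that file instead of writing it, so the comment, the schedule line and `EOF` that follow are not stored anywhere. The trailing `EOF` shows a here-document was intended: `cat <<EOF > /etc/cron.d/backup-server`. The script embeds the private key, and the `chmod 700` shown earlier is applied before the move to the client, so the `/var/backup` step should restate that the file must be owned by root with mode 700 there. Minor: the sentence ending in `/mnt/backup-server` lacks a final period, "each tuesday" should be "each Tuesday", and the file still ends without a trailing newline. The removed step about backing up a second directory with a second key has no replacement; confirm that dropping it is intended.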