6. 6. 2004

Backups

The initiative to write this short note came from members of the DXX radio amateur group, who needed to back up their Linux servers to another computer over the network.

Most of the servers in our group run the Debian distribution, but most, if not all, of the steps should be valid for any Linux system.

Software Installation

Only basic programs are needed, so you will very likely not have to install any additional packages. To be sure, check that the following packages are already installed:

  • ssh,
  • tar,
  • gzip (optional, only if you want to compress your backups, which is not recommended),
  • bzip2 (optional, for compression only).

Configuration

This section covers the configuration of the backup server and the client. The server is the computer that will store the backups of the client. We will prepare two different types of backup, full and incremental. The interval for each type of backup can be set by the user.

Some basic facts

  • Backups will be performed with two independent setups, one for each type of backup.
  • Authentication will use ssh authentication keys. We will use DSA keys, but RSA can be used with a small modification of the described procedure.
  • tar will be used for the backup of the system,
  • ssh will be used for the transfer of the data stream.

Configuration of the server and the client

  • Log in to the computer that will act as the backup server as the user who will execute the backups.
  • Preparation of the authentication keys:
    1. If you plan to use ssh protocol version 2.0 (recommended):
      1. execute ssh-keygen -t dsa -f ~/.ssh/full-backup -C full-backup,
      2. when asked to enter the passphrase, just press Return. This will generate a DSA key without password protection.
      3. execute ssh-keygen -t dsa -f ~/.ssh/incremental-backup -C incremental-backup,
      4. when asked to enter the passphrase, just press Return. This will generate a DSA key without password protection.
    2. If you plan to use ssh protocol version 1.x and are generating the keys with the ssh-keygen from protocol version 2.0:
      1. execute ssh-keygen -t rsa1 -f ~/.ssh/full-backup -C full-backup,
      2. when asked to enter the passphrase, just press Return. This will generate the key without password protection.
      3. execute ssh-keygen -t rsa1 -f ~/.ssh/incremental-backup -C incremental-backup,
      4. when asked to enter the passphrase, just press Return. This will generate the key without password protection.
    3. If you plan to use ssh protocol version 1.x and are generating the keys with the ssh-keygen from protocol version 1.x:
      1. execute ssh-keygen -f ~/.ssh/full-backup -C full-backup,
      2. when asked to enter the passphrase, just press Return. This will generate the key without password protection.
      3. execute ssh-keygen -f ~/.ssh/incremental-backup -C incremental-backup,
      4. when asked to enter the passphrase, just press Return. This will generate the key without password protection.
  • Installation of the authentication keys on the client computer:
    1. securely copy ~/.ssh/full-backup.pub and ~/.ssh/incremental-backup.pub to root's home directory on the client computer (you can only create a backup of the client system as root),
    2. log in to the client computer as root,
    3. execute cat full-backup.pub >> .ssh/authorized_keys,
    4. open ~/.ssh/authorized_keys with your favorite editor and add the following text, followed by a space, to the beginning of the line that describes the key with the comment "full-backup":

      from="server.homemade.net",command="backup/backup-full",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

      (Important: the comment is at the end of the line; do not wrap the public key description over several lines. The whole key and the additional preceding text must be on ONE line.)

    5. check if your authorized_keys line looks similar to the provided example,
    6. save the file (~/.ssh/authorized_keys) and exit the editor,
    7. execute cat incremental-backup.pub >> .ssh/authorized_keys,
    8. open ~/.ssh/authorized_keys with your favorite editor and add the following text, followed by a space, to the beginning of the line that describes the key with the comment "incremental-backup":
      from="server.homemade.net",command="backup/backup-inc",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding
    9. save the file (~/.ssh/authorized_keys) and exit the editor.
  • Preparation of the backup scripts on the client:
    1. you should still be logged in to the client computer as root,
    2. create the backup directory by executing mkdir ~/backup,
    3. change to the directory by executing cd ~/backup,
    4. get backup_scripts-client.tar, copy the file to ~/backup, and untar it with tar xf backup_scripts-client.tar,
    5. open the configuration files with an editor and change them according to your needs:
      • backup.include: directories you want to include in your backup. Always use absolute paths prefixed by . (dot). If you want to include only /home, the only line in the file should be ./home. Put each additional directory on a new line.
      • backup.exclude: directories that should be excluded from the backup. Usually you will want to exclude additional mounts under /mnt and the virtual file system /proc. Put each additional directory on a new line of the file.
      • backup.last: date and time of the last backup.
      • backup.log: log of all backups.
      • backup.snap: list of files that were backed up. It is used by tar for the incremental backups and should not be changed by the user.
    6. open backup-full and replace all occurrences of client.homemade.net with the FQDN of your client,
    7. open backup-inc and replace all occurrences of client.homemade.net with the FQDN of your client.
  • Preparation of the backup scripts on the server:
    1. log in to the server as the user who will run the backups of the client,
    2. change to the directory where you will keep the backup files,
    3. create a new directory named last: mkdir last,
    4. download backup_scripts-server.tar and untar it in the chosen directory,
    5. open the scripts with your favorite editor and change BROOT to the full path of the directory that will hold your backups (if you followed the instructions, this should be your current directory; you can get the absolute path by executing pwd before you run the editor),
    6. edit the files to reflect the name of your client and change the e-mail address that should be informed if a backup fails for any reason.
  • Execution of the backup is performed on the server. It can be started manually or from the cron daemon:
    1. to back up the client manually, log in to the server, change to the chosen directory and run the full or incremental backup script,
    2. it is recommended to set up automatic backups with the cron daemon.
  • Make sure that the host keys of the client are known on the server. The easiest way to check this is to log in to the client from the server. You should be logged in (on the server) as the user who will execute the backups, because each user keeps track of his/her own keys. Of course, you should log in to the client as the user root (example: ssh root@client.homemade.net).
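
The authorized_keys steps above, scripted for one key as an added example (not part of the original note or its script tarballs). The function names restrict_key and install_restricted_key are hypothetical, the sample key is constructed and non-functional, and protocol 2 public key files are assumed.

```shell
#!/bin/sh
# Added example, not a script from the page's tarballs.
# Assumes protocol 2 public key files: "type base64-blob comment" on one line.

# restrict_key PUBKEY_FILE FROM_HOST FORCED_COMMAND
# Prints the authorized_keys line: option list, one space, the public key.
restrict_key() {
    pub=$1; from=$2; cmd=$3
    [ -r "$pub" ] || { echo "error: cannot read $pub" >&2; return 1; }
    # The page's warning: options and key must sit on ONE line, so refuse
    # a key file that was wrapped while being copied.
    n=$(grep -c . "$pub") || true
    if [ "$n" -ne 1 ]; then
        echo "error: $pub must hold exactly one line, found $n" >&2
        return 1
    fi
    # A double quote inside a value would end the quoted option early.
    case "$from$cmd" in
        *\"*) echo "error: double quote in option value" >&2; return 1 ;;
    esac
    opts="from=\"$from\",command=\"$cmd\",no-pty,no-port-forwarding"
    opts="$opts,no-X11-forwarding,no-agent-forwarding"
    printf '%s %s\n' "$opts" "$(grep . "$pub")"
}

# install_restricted_key AUTH_FILE PUBKEY_FILE FROM_HOST FORCED_COMMAND
# Appends the restricted line. A key blob already present in AUTH_FILE is an
# error: an older copy without options would still allow an unrestricted login.
install_restricted_key() {
    auth=$1
    line=$(restrict_key "$2" "$3" "$4") || return 1
    blob=$(awk 'NF { print $2; exit }' "$2")
    if [ -f "$auth" ] && grep -qF -- "$blob" "$auth"; then
        echo "error: key from $2 is already listed in $auth" >&2
        return 1
    fi
    ( umask 077; printf '%s\n' "$line" >> "$auth" )
}

# Demo with a constructed, non-functional key in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE full-backup\n' > "$d/full-backup.pub"
    install_restricted_key "$d/authorized_keys" "$d/full-backup.pub" \
        server.homemade.net backup/backup-full && cat "$d/authorized_keys"
    rm -rf "$d"
}
demo
```

Because the key has no passphrase and logs in as root, the from= and command= options are the only limit on what a stolen private key can do, which is why the duplicate check matters.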

Additional Remarks

If you want to use compression, you have to modify the backup scripts on the client (backup-full, backup-inc). See man tar to investigate the meaning of the parameters used and to find out what should be added for compression. I would suggest that you change the names of the archive files accordingly (that should be done on the backup server in backup-client-full and backup-client-inc).

If you want to run the backup of the client from the client computer (client.uni-mb.si), you have to redirect the output of the script to the chosen file, e.g.: ./backup-full > ./test_backup.tar.
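
A sketch of what a client-side script that streams the archive to standard output can look like, using the configuration files described above; it is added here for illustration and is not the content of backup_scripts-client.tar. It assumes GNU tar, the hypothetical function name run_backup, and that each incremental backup is taken relative to the previous backup.

```shell
#!/bin/sh
# Added sketch; the page's own backup-full and backup-inc are not reproduced here.
# Assumes GNU tar (--listed-incremental) and the page's configuration file names.

# run_backup MODE ROOT CONF_DIR    (archive goes to standard output)
#   MODE      full | inc
#   ROOT      directory that the ./-prefixed paths in backup.include start from
#   CONF_DIR  holds backup.include, backup.exclude, backup.snap, backup.last, backup.log
run_backup() {
    mode=$1; root=$2; conf=$3; snap=$conf/backup.snap
    case "$mode" in
        full) rm -f "$snap" ;;          # no snapshot: tar dumps everything
        inc)  if [ ! -f "$snap" ]; then
                  echo "no snapshot, run a full backup first" >&2; return 2
              fi ;;
        *)    echo "usage: run_backup full|inc ROOT CONF_DIR" >&2; return 2 ;;
    esac
    # Only archive bytes may reach stdout, because ssh carries stdout to the
    # server; messages go to stderr or backup.log.
    rc=0
    tar --create --file=- --directory="$root" \
        --listed-incremental="$snap" \
        --exclude-from="$conf/backup.exclude" \
        --files-from="$conf/backup.include" || rc=$?
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    # GNU tar: 0 = ok, 1 = some files changed while being read, 2 = fatal.
    if [ "$rc" -ge 2 ]; then
        echo "$stamp $mode FAILED (tar exit $rc)" >> "$conf/backup.log"
        return "$rc"
    fi
    echo "$stamp" > "$conf/backup.last"
    echo "$stamp $mode ok (tar exit $rc)" >> "$conf/backup.log"
}

# Direct use: ./script full / /root/backup > archive.tar
if [ $# -gt 0 ]; then run_backup "$@"; fi
```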

Conclusion

These step-by-step instructions were prepared by heart, so none of the steps was actually executed to double-check the correctness. Please let me know if you find any mistakes or you feel that any part of the instructions should be described in more detail.

Acknowledgements

I would like to thank S56SAC who helped me with my first backup script way back in the previous century.

Maribor, 6. 6. 2004