Rdiff-backup with ssh Configuration in Debian
What is rdiff-backup?
rdiff-backup backs up one directory to another, possibly over a network. The target directory ends up a copy of the source directory, but extra reverse diffs are stored in a special subdirectory of that target directory, so you can still recover files lost some time ago. The idea is to combine the best features of a mirror and an incremental backup. rdiff-backup also preserves subdirectories, hard links, dev files, permissions, uid/gid ownership, modification times, extended attributes, acls, and resource forks. Also, rdiff-backup can operate in a bandwidth efficient manner over a pipe, like rsync. Thus you can use rdiff-backup and ssh to securely back a hard drive up to a remote location, and only the differences will be transmitted. Finally, rdiff-backup is easy to use and settings have sensical defaults.
A POSIX operating system, like Linux or Mac OS X
Python v2.2 or later (see http://www.python.org)
librsync v0.9.7 or later
The python module pylibacl is optional, but necessary for access control list support.
The python module pyxattr is option, but necessary for extended attribute support.
rdiff-backup Documentation and Tutorials
First thing we need to make sure that you have installed ssh in your machine then you need to proceed further
Install rdiff-backup in Debian
You need to install your source machine and target machine
#apt-get install rdiff-backup
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 0B/148kB of archives.
After unpacking 569kB of additional disk space will be used.
Selecting previously deselected package rdiff-backup.
(Reading database ... 28792 files and directories currently installed.)
Unpacking rdiff-backup (from .../rdiff-backup_0.13.4-5_i386.deb) ...
Setting up rdiff-backup (0.13.4-5) ...
This will install rdiff-backup in you machine
Create The Public Keys On Target machine
On backup.domain.com, we create a group and an unprivileged user called rdiff. This user rdiff will run the backups. We do not want root to run the backups for security reasons!
#groupadd -g 3500 rdiff
#useradd -u 3500 -s /bin/false -d /backup -m -c "rdiff" -g rdiff rdiff
The second command creates the user rdiff-backup with the home directory /backup (which is created automatically by this command if it does not exist already) who is not allowed to login on the shell (again for security reasons). If the group ID and user ID 3500 are already in use on your system, replace them by another (free) ID.
#su -m rdiff
With this command you become the user rdiff on the shell. All the following commands must be run as user rdiff
Create the keys:
#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/backup/.ssh/id_rsa):
Created directory '/backup/.ssh'.Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /backup/.ssh/id_rsa.Your public key has been saved in /backup/.ssh/id_rsa.pub.
The key fingerprint is:88:18:4e:55:e9:27:8e:2a:44:4b:03:bd:9d:0f:fc:48 [email protected]
It is ok to save the key in /backup/.ssh/id_rsa so you can simply hit enter. It is important that you do not enter a passphrase otherwise the backup will not work without human interaction so again hit enter. In the end two files are created: /backup/.ssh/id_rsa and /backup/.ssh/id_rsa.pub.
Next create the file /backup/.ssh/config with the following contents
host server1_backuphostname server1.domain.com
The value of host is what we use later on to start the backup. You can use any name the you like (e.g. server1_backup, this_is_the_machine_i_want_to_backup, etc.) (but it should not contain whitespace; underscores are ok).
Change the permissions of that file:
#chmod -R go-rwx /backup/.ssh
Now we copy over our public key to server1.domain.com:
#ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
This will look like this:
# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected] authenticity of host 'server1.domain.com (220.127.116.11)' can't be established.
RSA key fingerprint is c7:19:55:7a:54:ce:93:c8:b6:f9:0e:e3:65:24:64:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1.example.com' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh '[email protected]'", and check in: .ssh/authorized_keysto make sure we haven't added extra keys that you weren't expecting.
Once again you have to type in the root password of server1.example.com. What this command does is it copies the public key of the user rdiff-backup to the file /root/.ssh/authorized_keys on the remote server server1.example.com.
Log in as root on server1.domain.com and have a look at /root/.ssh/authorized_keys. It should look similar to this
ssh-rsa AAAAB3Nza[...]W1go9M= [email protected]
Now prepend the following string to /root/.ssh/authorized_keys:
command="rdiff-backup --server --restrict-read-only /",from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty
It must be in one line with the key, only seperated by a space
command="rdiff-backup --server --restrict-read-only /",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= [email protected]
This will run the command rdiff-backup --server --restrict-read-only / when the user rdiff-backup fom backup.domain.com connects to server1.domain.com over SSH. --restrict-read-only / makes sure that rdiff-backup has only read access on server1.domain.com. It depends on your rdiff-backup version if this works. If this does not work for you you can leave out --restrict-read-only / so that it reads
In from="backup.domain.com" you should use the hostname that a reverse lookup of backup.domain.com's IP address returns.
You can as well use backup.domain.com's IP address:
#command="rdiff-backup --server --restrict-read-only /",from="18.104.22.168",no-port-forwarding,no-X11-forwarding,no-pty
#chmod -R go-rwx /root/.ssh
Then have a look at /etc/ssh/sshd_config. It should contain the lines
Restart ssh if you had to change /etc/ssh/sshd_config:
Test rdiff-backup On Target Machine
Back on backup.domain.com, again as the user rdiff-backup, we test the backup:
#rdiff-backup server1_backup::/boot boot
In the second command you see the string server1_backup. That is the string we used in /backup/.ssh/config after host. With this second command, the user rdiff will connect to server1.domain.com as the root user and save the directory /boot of server1.domain.com to the directory /backup/boot on backup.example.com. If you see that it is working and you do not have to type in a password.
Now all there is left to do is to create a cron job. Still as user rdiff-backup, run
and create a cron job like this:
40 2 * * * /usr/bin/rdiff-backup --exclude /tmp --exclude /mnt --exclude /proc --exclude /dev --exclude /cdrom --exclude /floppy server1_backup::/ /backup/server1
This runs the backup every night at 2.40h, saving the directory / with all subdirectories (excluding /tmp, /mnt, /proc, /dev, /cdrom, /floppy) of server1.domain.com in /backup/server1 on backup.domain.com.