Debianhelp.co.uk


Rdiff-backup with ssh Configuration in Debian

What is rdiff-backup?

rdiff-backup backs up one directory to another, possibly over a network. The target directory ends up a copy of the source directory, but extra reverse diffs are stored in a special subdirectory of that target directory, so you can still recover files lost some time ago. The idea is to combine the best features of a mirror and an incremental backup. rdiff-backup also preserves subdirectories, hard links, dev files, permissions, uid/gid ownership, modification times, extended attributes, ACLs, and resource forks. rdiff-backup can also operate in a bandwidth-efficient manner over a pipe, like rsync. Thus you can use rdiff-backup and ssh to securely back up a hard drive to a remote location, and only the differences will be transmitted. Finally, rdiff-backup is easy to use and its settings have sensible defaults.

rdiff-backup Requirements

A POSIX operating system, like Linux or Mac OS X

Python v2.2 or later (see http://www.python.org)

librsync v0.9.7 or later

The python module pylibacl is optional, but necessary for access control list support.

The python module pyxattr is optional, but necessary for extended attribute support.

Download rdiff-backup

http://www.nongnu.org/rdiff-backup/index.html

rdiff-backup Documentation and Tutorials

http://www.nongnu.org/rdiff-backup/docs.html

rdiff-backup FAQ

http://www.nongnu.org/rdiff-backup/FAQ.html

First, make sure that ssh is installed on your machine before you proceed.

Install rdiff-backup in Debian

You need to install rdiff-backup on both the source machine and the target machine

#apt-get install rdiff-backup

Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
rdiff-backup
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 0B/148kB of archives.
After unpacking 569kB of additional disk space will be used.
Selecting previously deselected package rdiff-backup.
(Reading database ... 28792 files and directories currently installed.)
Unpacking rdiff-backup (from .../rdiff-backup_0.13.4-5_i386.deb) ...
Setting up rdiff-backup (0.13.4-5) ...

This will install rdiff-backup on your machine

Create The Public Keys On Target machine

On backup.domain.com, we create a group and an unprivileged user called rdiff. This user rdiff will run the backups. We do not want root to run the backups for security reasons!

#groupadd -g 3500 rdiff


#useradd -u 3500 -s /bin/false -d /backup -m -c "rdiff" -g rdiff rdiff

The second command creates the user rdiff with the home directory /backup (which is created automatically by this command if it does not exist already). This user is not allowed to log in on the shell (again for security reasons). If the group ID and user ID 3500 are already in use on your system, replace them with another (free) ID.

Then run

#su -m rdiff

With this command you become the user rdiff on the shell. All the following commands must be run as user rdiff.

Create the keys:

#cd /backup

#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/backup/.ssh/id_rsa):
Created directory '/backup/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /backup/.ssh/id_rsa.
Your public key has been saved in /backup/.ssh/id_rsa.pub.
The key fingerprint is:
88:18:4e:55:e9:27:8e:2a:44:4b:03:bd:9d:0f:fc:48 rdiff@backup

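It is OK to save the key in /backup/.ssh/id_rsa, so you can simply hit Enter. It is important that you do not enter a passphrase; otherwise the backup will not work without human interaction, so hit Enter again. In the end two files are created: /backup/.ssh/id_rsa and /backup/.ssh/id_rsa.pub. Because the private key is stored without a passphrase, the authorized_keys restrictions set up later in this guide are what limit what the key can be used for.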

Next create the file /backup/.ssh/config with the following contents

host server1_backup
hostname server1.domain.com
user root
identityfile /backup/.ssh/id_rsa
compression yes
cipher blowfish
protocol 2

The value of host is what we use later on to start the backup. You can use any name that you like (e.g. server1_backup, this_is_the_machine_i_want_to_backup, etc.), but it should not contain whitespace; underscores are OK.

Change the permissions of that file:

#chmod -R go-rwx /backup/.ssh

Now we copy over our public key to server1.domain.com:

#ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.domain.com

This will look like this:

# ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.domain.com

The authenticity of host 'server1.domain.com (1.2.3.4)' can't be established.
RSA key fingerprint is c7:19:55:7a:54:ce:93:c8:b6:f9:0e:e3:65:24:64:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1.example.com' (RSA) to the list of known hosts.
Password:
Now try logging into the machine, with "ssh 'root@server1.domain.com'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

rdiff@lona:~$

Before answering yes, compare the displayed fingerprint with the host key of server1.domain.com. Once again you have to type in the root password of server1.domain.com. This command copies the public key of the user rdiff to the file /root/.ssh/authorized_keys on the remote server server1.domain.com.

Log in as root on server1.domain.com and have a look at /root/.ssh/authorized_keys. It should look similar to this:

ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona

Now prepend the following string to /root/.ssh/authorized_keys:

command="rdiff-backup --server --restrict-read-only /",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty

It must be on one line with the key, separated only by a space:

command="rdiff-backup --server --restrict-read-only /",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= rdiff@lona

This will run the command rdiff-backup --server --restrict-read-only / when the user rdiff from backup.domain.com connects to server1.domain.com over SSH. --restrict-read-only / makes sure that rdiff-backup has only read access on server1.domain.com. Whether this works depends on your rdiff-backup version. If it does not work for you, you can leave out --restrict-read-only / so that it reads

command="rdiff-backup --server",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty

In from="backup.domain.com" you should use the hostname that a reverse lookup of backup.domain.com's IP address returns.

You can also use backup.domain.com's IP address:

command="rdiff-backup --server --restrict-read-only /",from="175.32.3.23",no-port-forwarding,no-X11-forwarding,no-pty

Next run

#chmod -R go-rwx /root/.ssh
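
To confirm that every key in an authorized_keys file carries the restrictions described above, the following added example (not part of the original tutorial) parses each entry and reports which options are missing. The function names audit_authorized_keys and write_sample are hypothetical, the key blobs in the sample are constructed placeholders, and the check also accepts the restrict option of newer OpenSSH releases in place of the individual no-* options.

```shell
#!/bin/sh
# audit_authorized_keys FILE: print a verdict per key entry; return 0 only if
# every entry carries command=, from= and the forwarding/pty restrictions.
audit_authorized_keys() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        sub(/^[ \t]+/, ""); bare = ""; inq = 0
        # An entry without options starts directly with the key type.
        if ($0 !~ /^(ssh-|ecdsa-|sk-)/) {
            # Copy the option list up to the first unquoted blank, dropping
            # quoted values so a command string cannot fake an option name.
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (inq && c == "\\") { i++; continue }   # skip escaped char
                if (c == "\"") { inq = !inq; continue }
                if (inq) continue
                if (c == " " || c == "\t") break
                bare = bare c
            }
        }
        bare = "," tolower(bare) ","
        missing = ""
        if (bare !~ /,command=,/) missing = missing " command="
        if (bare !~ /,from=,/)    missing = missing " from="
        if (bare !~ /,restrict,/) {              # restrict implies the no-* set
            if (bare !~ /,no-pty,/)             missing = missing " no-pty"
            if (bare !~ /,no-port-forwarding,/) missing = missing " no-port-forwarding"
            if (bare !~ /,no-x11-forwarding,/)  missing = missing " no-X11-forwarding"
        }
        if (missing == "") { print "line " NR ": OK" }
        else { print "line " NR ": WEAK missing" missing; bad = 1 }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the restricted entry from this page, a bare key, and an
# entry whose command string only mentions the option names.
write_sample() {
    cat > "$1" <<'EOF'
command="rdiff-backup --server --restrict-read-only /",from="backup.domain.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaPLACEHOLDER1 rdiff@lona
ssh-rsa AAAAB3NzaPLACEHOLDER2 admin@laptop
command="echo no-pty from=x",no-port-forwarding ssh-rsa AAAAB3NzaPLACEHOLDER3 test@host
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_authorized_keys "$sample" || echo "unrestricted keys found"
rm -f "$sample"
```

Run as root on server1.domain.com, audit_authorized_keys /root/.ssh/authorized_keys returns a non-zero status if any key would still give an unrestricted root login.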

Then have a look at /etc/ssh/sshd_config. It should contain the lines

RSAAuthentication yes
PubkeyAuthentication yes

Restart ssh if you had to change /etc/ssh/sshd_config:

#/etc/init.d/ssh restart

Test rdiff-backup On Target Machine

Back on backup.domain.com, again as the user rdiff, we test the backup:

#cd /backup
#rdiff-backup server1_backup::/boot boot

In the second command you see the string server1_backup. That is the string we used in /backup/.ssh/config after host. With this second command, the user rdiff connects to server1.domain.com as the root user and saves the directory /boot of server1.domain.com to the directory /backup/boot on backup.domain.com. You should see that it is working and that you do not have to type in a password.

Now all that is left to do is to create a cron job. Still as user rdiff, run

#crontab -e

and create a cron job like this:

40 2 * * * /usr/bin/rdiff-backup --exclude /tmp --exclude /mnt --exclude /proc --exclude /dev --exclude /cdrom --exclude /floppy server1_backup::/ /backup/server1

This runs the backup every night at 02:40, saving the directory / with all subdirectories (excluding /tmp, /mnt, /proc, /dev, /cdrom, /floppy) of server1.domain.com in /backup/server1 on backup.domain.com.