Tyler's wiki

User Tools

Site Tools

Trace:
efficient_backups_with_rsnapshot

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
efficient_backups_with_rsnapshot [2010/07/12 06:04] tkbletscefficient_backups_with_rsnapshot [2026/02/21 08:58] (current) tkbletsc
Line 1: Line 1:
 ====== Efficient backups with rsnapshot ====== ====== Efficient backups with rsnapshot ======
  
-Basically, do this: http://troy.jdmz.net/rsnapshot/+Basically, do this: [[https://documentation.ubuntu.com/server/how-to/backups/install-rsnapshot/|https://documentation.ubuntu.com/server/how-to/backups/install-rsnapshot/]]
  
-Reminder: on debian/ubuntu, you need to "sudo apt-get install liblchown-perl" so rsnapshot can set symlink ownership.+Reminder: on debian/ubuntu, you may need to "sudo apt-get install liblchown-perl" so rsnapshot can set symlink ownership.
  
-In place of his rickety ''validate-rsync'' script, use this ''rrsync'' script on clients: +To restrict the ability of the client to access or even change files on the server being backed up, use [[https://github.com/tkbletsc/rrsync|my rrsync.py]], or perhaps the one from the rsync project.
-<code perl> +
-#!/usr/bin/perl +
-# Name: /usr/local/bin/rrsync (should have a symlink in /usr/bin) +
-# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys +
-+
-# The client uses "rsync -av -e ssh srcserver:dir/", and sshd on the server +
-# executes this program when .ssh/authorized_keys has 'command="..."'+
-#       For example: +
-# command="rrsync logs/client" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzGhEeNlPr... +
-# command="rrsync -ro results" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmkHG1WCjC... +
-#   The former limits the remote client to a specific subdirectory of "logs" +
-#   and the latter allows read-only access to a different dirctory.+
  
-use Socket; 
-use constant LOGFILE => '/home/tkbletsc/rrsync.log'; 
-my $Usage = <<EOM; 
-Use 'command="$0 [-ro] subdir"' 
-        in front of lines in $ENV{HOME}/.ssh/authorized_keys 
-EOM 
  
-# Format of the envrionment variables set by sshd: 
-# SSH_ORIGINAL_COMMAND=rsync --server          -vlogDtpr --partial . dir # push 
-# SSH_ORIGINAL_COMMAND=rsync --server --sender -vlogDtpr --partial . dir # pull 
-# SSH_CLIENT=client_addr client_port server_port 
- 
-my $ro = (@ARGV and $ARGV[0] eq '-ro') ? shift : '';    # -ro = Read-Only 
-my $top1 = shift; 
-die "No subdirectory specified\n$Usage" unless defined $top1; 
-my $top2 = "$top1/"; 
- 
-my $command = $ENV{SSH_ORIGINAL_COMMAND}; 
-die "Not invoked via sshd\n$Usage"      unless defined $command; 
- 
-my ($cmd,$requested_target) = $command =~ /(.* \.) ?(.*)/; 
-die "SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $cmd =~ /^rsync\s/; 
-die "$0 -ro: sending to read-only directory $requested_target not allowed\n" 
-        if $ro and $cmd !~ /^rsync --server --sender /; 
- 
-my $dir = $requested_target; 
-$dir =~ tr|-~\\ _/a-zA-Z0-9.,:@|_|c;    # Don't allow ;|][}{*? 
-$dir =~ s%/\.\.(?=/)%__%g;              # Don't allow foo/../../etc 
- 
-# For "foo", allow "foo", "foo/" and "foo/anything". 
-# For "foo/bar" and "foo/anything/bar", interpret "bar" to be the specified 
-# path and "bar/" to be the specified path with trailing slash supplied. 
- 
-my($target,$forced); 
-if      ("/$dir" eq substr($top1,-length("/$dir"))) { 
-  $target = $top1;                      # Matched end of path 
-} elsif ("/$dir" eq substr($top2,-length("/$dir"))) { 
-  $target = $top2;                      # End of path plus trailing slash 
-} elsif ($dir eq $top1 or index($dir,$top2) == 0) { 
-  $target = $dir;                       # Exact match or subdirectory 
-} elsif (substr($dir,0,1) eq '/') { 
-  $target = "$top1$dir";                # Nonmatching absolute path 
-  $forced = 1; 
-} else { 
-  $target = "$top2$dir";                # Nonmatching relative path 
-  $forced = 1; 
-} 
- 
-$target =~ s#^//#/#; # program is dumb and sets root to '//' sometimes, which confuses windows/cygwin hosts into looking for a share 
- 
-if (-f LOGFILE and open LOG,'>>',LOGFILE) { 
-  my $hhmm = sprintf "%02d:%02d",(localtime)[2,1]; 
-  my $host = $ENV{SSH_CLIENT} || 'unknown'; 
-  $host =~ s/ .*//;                     # Keep only the client's IP addr 
-  $host = gethostbyaddr(inet_aton($host),AF_INET) || $host; 
-  $_ = sprintf "%-13s",$host; 
-  print LOG "$hhmm $_ [$command] =",($forced ? "> $target" : ' OK'),"\n"; 
-  close LOG; 
-} 
- 
-exec "$cmd $target" or die "exec($cmd $target) failed: $? $!"; 
-# Note: This assumes that the rsync protocol will not be maliciously hijacked. 
-</code> 
- 
-For Windows targets, install cygwin's SSH and rsync as per this guide.  The rsnapshot.conf lines for such hosts should look something like: 
- 
-  backup windowsuser@windowsbox-rsnapshot:/d/Documents windowsbox/ rsync_long_args=--no-numeric-ids --delete --relative --delete-excluded 
efficient_backups_with_rsnapshot.txt · Last modified: by tkbletsc
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki