N15N

The duty to backup - Yet another BackupPC tutorial

Not long ago my backup situation looked like this: Important data had been mirrored across my local net, actual project`s data had been manually rolled out on DVD. Mirroring worked fine with Unison. Outcome was a historically grown chaos. Here we want to fight it with help of open source software BackupPC.

When thinking about the design of the backup process and singling out eligible software it became obvious that i didn`t want a homebrew scripting solution. I wanted a clear system to backup a network with different operating systems (MacOS X, Windows, Linux). My search led me to BackupPC.

Content:
Introduction
Apache
BackupPC
SSH Tunnel
Wake On Lan
Further Informations

Appealing GUI for data restore,
trouble-free handling of umlauts and blanks in path and file names,
users have access their own backups,
handling of mobile devices,
in-depth documentation,
Pooling, i.d. identical data is stored only once.

These notes don`t want to be more than a mnemonic rhyme. Maybe you'll find some helpful details don't forget to read the manual. The links at the bottom of this page may lead you through that topic. Pathnames in this article are related to Gentoo Linux, you should find them on other linux flavours, too.

BackupPC basically a webserver is not needed, the webfrontend is the recommended way to administer the server. (screenshots). For that you need a running webserver. (e.g. Apache)

Apache

BackupPC is written in perl. The recommended configuration uses the module mod_perl.

Activate it /etc/conf.d/apache2:

APACHE2_OPTS="-D PERL"

http://localhost/perl-status shows you if and how mod_perl had been installed.

In my scenario apache also serves multiple local domains and is set up for name-based virtual hosts (vhosts). The backup server is accessible via localhost as default vhost.

create /etc/apache2/vhosts.d/backuppc.include with


<Directory /var/www/localhost/cgi-bin>
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI +Indexes
        AllowOverride AuthConfig 
        Order deny,allow
        Deny from all
        Allow from 192.168.foo 127.0.0.1
        AuthName "backuppc"
        AuthType Basic
        AuthUserFile /usr/local/etc/apache2/.htpasswd
        Require valid-user
</Directory>

/etc/apache2/vhosts.d/00_default_vhost.conf: After the entry

default_vhost.include

the new file has to be included:

Include /etc/apache2/vhosts.d/backuppc.include

Set up users for the web frontend:

htpasswd  /usr/local/etc/apache2/.htpasswd backuppc
htpasswd  /usr/local/etc/apache2/.htpasswd userA
htpasswd  /usr/local/etc/apache2/.htpasswd userB

For use with BackupPC Apache needs to run with backuppc's rights.
httpd.conf:

User backuppc
Group backuppc

/etc/BackupPC/hosts:

localhost   0       backuppc userA
computerB    0       userA
computerC    0       userB

Apache runs as backuppc so trouble may be caused with existing local websites because of missing permissions. For that you can add backuppc to the apache group

usermod -aG apache backuppc

and adjust group permissions of affected paths. Another maybe cleaner approach is to set up another web server (e.g. lighttp), start two instances of apache, second one in a virtual machine or host a server on a separate pc.

BackupPC

For the backup process to run as root with full file permissions, extent backuppc's permissions by visudo. In the example backuppc is granted permission to execute rsync to backup and to mount and unmount partitions like e.g. /boot.

backuppc    ALL=(ALL)       NOPASSWD: /usr/bin/rsync *,/bin/mount *,/bin/umount *

How to backup

Every pc gets his own configuration file:
/etc/BackupPC/pc/hostname.pl

Adjusting the backup command for localhost:

$Conf{RsyncClientCmd} = '/usr/bin/sudo $rsyncPath $argList+';
$Conf{RsyncClientRestoreCmd} = '/usr/bin/sudo $rsyncPath $argList+';

Enabling the root access via sudo should also be done on remote Linux or MacOSX clients.

Mounting of paths that usually are unmounted. If databases should be backed up, here's the place for any commands to dump your database data to a directory backed up by BackupPC.

$Conf{DumpPreUserCmd} = '/usr/bin/sudo mount /boot';
$Conf{DumpPostUserCmd} = '/usr/bin/sudo umount /boot';
$Conf{RestorePreUserCmd} = '/usr/bin/sudo mount /boot';
$Conf{RestorePostUserCmd} = '/usr/bin/sudo umount /boot';

What to backup

$Conf{RsyncShareName}, $Conf{BackupFilesExclude}

defines which paths to backup with exemptions,

$Conf{BlackoutPeriods}

times of the day when no backup should run.

SSH tunnel

The choosen rsync method works flawlessly over a ssl tunnel. i.d. BackupPC does roughly the same as a normal user who logs into a remote client using ssh user@hostname. For the automatic way it's indispensable that user backuppc is able to log in without typing any password. Procedure: For each user in the backup network you'll have to create a key-pair without entering any password:

ssh-keygen -t rsa

The public key id_rsa.pub from user backuppc needs to be copied into ~/.ssh/authorized_keys from userA.

cat backuppc_id_rsa.pub >> ~/.ssh/authorized_keys

In this example of ~/.ssh/authorized_keys an IP filter is set for more security.

from="192.168.foo.foo" ssh-rsa c2EAAAABIwAAA(...)Qb69lo== backuppc@server-hostname

on the server userA's public key has to be added

cat userA_id_rsa.pub >> ~/.ssh/known_hosts

To make the hosts known it's easier to connect via command line - see the testcommand below. To validate the computer's fingerprint to which we want to connect:


ssh-keygen -l

at the prompt:


/etc/ssh/ssh_host_rsa_key.pub

Example known_hosts

computerA,192.168.foo.foo ssh-rsa IwAAAQEAq2PwH9(...)qDmlogB==

The home directory of backuppc must exist.
Testing the connection: Logged in as user backuppc

ssh userA@computerB

you open the tunnel. Is that working BackupPC is told to do it the same way.

$Conf{RsyncClientCmd} = '$sshPath -q -x -l userA $host /usr/bin/sudo $rsyncPath $argList+';
$Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l userA $host /usr/bin/sudo $rsyncPath $argList+';

WOL (wake on lan)

PCs which go into sleep mode after a while are woken up by

Conf{PingCmd} = '/etc/BackupPC/pc/wakeup.sh 00:16:cb:a3:39:64 1 $host';

where /etc/BackupPC/pc/wakeup.sh looks like:

#!/bin/bash
# Any output on stdout confuses BackupPC
wakeonlan $1 &>/dev/null
# time in minutes to wake up comfortable
sleep ${2}m
# is the host accessible?
/bin/ping -c 1 -w 3 $3

Mac OSX boxes: system preferences - energy saver - "Wake for Ethernet network administrator access" activate this. Mac Laptops with Snow Leopard (>2009) can be woken up, if the power supply is connected and the lid stays open.
On Windows you'll find these settings in the network card's property dialog. Where you'll find these settings depends on your hardware.
Example for a SiS 900-based PCI-Fast Ethernet-Adapter: Device manager -> network adapter -> power management -> activate "activate the computer from the stand-by mode" AND "only administration stations can activate stand-by computers".

Links:

Monday, April 26. 2010

Comments (0) | Trackbacks (0)

Select language: English, Deutsch

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.