rsnapshot:
This article explains how to do system backups of Linux systems without leaving root ssh access open.
First, download rsnapshot from rsnapshot.org.
Use ssh-keygen to create public key (id_rsa.pub) as the backup user on the rsnapshot server.
Scp to /backupuser/.ssh/authorized_keys2 on the remote system to be backed up.
The backups only connect to do a “pull” of data from each remote system to the host server.
rsnapshot.conf configuration:
rsync_long_args -ev --rsync-path=/usr/bin/rsync-wrapper.sh
ssh_args -i /home/backupuser/.ssh/id_rsa
# Add a line for each remote system to back up:
backup backupuser@systemname:/. systemname/
See ‘man rsnapshot’ for info, or http://www.rsnapshot.org
Deploying rsnapshot:
* Create user on each system:
/usr/sbin/useradd backupuser -c "limited backup user" -m -u 10000 # pick a unique id across all systems
* Create ssh public key with customized access rules on backup server as the backup user. Change first line: from="ipaddress", command=" " ssh-rsa...
* Scp the public key (or authorized_keys2) from backup server to clients at /home/backupuser/.ssh
* Add limited sudo rights for backup user to rsync
* Copy rsync-wrapper.sh to each system under /usr/bin (included via cfengine)
#!/bin/sh
/usr/bin/sudo /usr/bin/rsync "$@";
* Optional: use ‘validate-rsync.sh’ script and copy to backupuser’s home on each system. Add to “command=” line in ssh key.
* Configure each backup line in rsnapshot.conf to run the backup as the backupuser
* Check your configuration: sudo rsnapshot configtest will check /etc/rsnapshot.conf for syntax
* To “initialize” the key, you may need to run this manually once from the backup server:
sudo ssh -i /home/backupuser/.ssh/id_rsa backupuser@servername
using a nonstandard port:
For servers with ssh on a nonstandard port, create this ssh config file with options for a particular server: /home/bkupuser/.ssh/config. (In this case, the file needs to be created under root’s .ssh folder, even though it will be run as a backup user)
Host servername
User bkupuser
Port 2222
HostName servername.edu
Debian difference:
Copy public key as “authorized_keys” (not authorized_keys2) and add fully qualified domain name to the end of the ssh key.
Useful Links that may help:
[Using Rsync and SSH|http://troy.jdmz.net/rsync/#ref2]
[Remote Filesystem Snapshots with rsnapshot|http://blog.innerewut.de/2005/06/03/follow-up-on-remote-filesystem-snapshots-with-rsnapshot]
[Remote rsnapshot backups with non-root user|http://osdir.com/ml/sysutils.backup.rsnapshot.general/2005-11/msg00047.html]