Merge branch 'master' into debian
This commit is contained in:
commit
064aa55dea
98
README.md
98
README.md
|
@ -1,15 +1,18 @@
|
|||
Bkctld (aka evobackup)
|
||||
=========
|
||||
|
||||
Bkctld is a shell script to create and manage a backup server which will
|
||||
handle the backup of many servers (clients). Licence is AGPLv3.
|
||||
Bkctld is a shell script that creates and manages a backup server
|
||||
which can handle the backups of many other servers (clients). It
|
||||
is licensed under the AGPLv3.
|
||||
|
||||
The main principle uses SSH chroot (called "jails" in the FreeBSD
|
||||
world) for each client to backup. Each client will upload his data every day
|
||||
using rsync in his chroot (using root account).
|
||||
Incrementals are stored outside of the chroot using hard links or btrfs snapshots.
|
||||
(So incrementals are not available for clients). Using this method we can keep tens
|
||||
of backup of each client securely and not using too much space.
|
||||
It uses SSH chroots (called "jails" in the FreeBSD world) to sandbox
|
||||
every clients backups. Each client will upload it's data every day
|
||||
using rsync in it's chroot (using the root account). Prior backups
|
||||
are stored incrementally outside of the chroot using hard links or
|
||||
BTRFS snapshots. (So they can not be affected by the client).
|
||||
|
||||
Using this method, we can keep a large quantity of backups of each
|
||||
client securely and efficiently.
|
||||
|
||||
~~~
|
||||
Backup server
|
||||
|
@ -20,56 +23,23 @@ Server 2 ------ SSH/rsync -------> * tcp/2223 *
|
|||
************
|
||||
~~~
|
||||
|
||||
This method uses standard tools (ssh, rsync, cp -al, btrfs subvolume). EvoBackup
|
||||
is used for many years by Evolix for back up each day hundreds of servers which
|
||||
uses many terabytes of data.
|
||||
This method uses standard tools (ssh, rsync, cp -al, btrfs subvolume)
|
||||
and has been used for many years by Evolix to backup hundreds of
|
||||
servers, totaling many terabytes of data, each day. bkctld has
|
||||
been tested on Debian Jessie and should be compatible with other
|
||||
Debian versions or derived distributions like Ubuntu.
|
||||
|
||||
bkctld was test on Debian Jessie. It can be compatible with other Debian version
|
||||
or derivated distribution like Ubuntu or Debian Wheezy.
|
||||
|
||||
A big size volume must be mount on /backup, we recommend usage of **btrfs** for
|
||||
subvolume and snapshot fonctionnality.
|
||||
This volume can be encrypted by **luks** for security reason.
|
||||
A large enough volume must be mounted on `/backup`, we recommend
|
||||
the usage of **BTRFS** so you can use sub-volumes and snapshots.
|
||||
This volume can also be encrypted with **LUKS**.
|
||||
|
||||
## Install
|
||||
|
||||
A Debian package is available in Evolix repository
|
||||
See the [installation guide](docs/install.md) for instructions.
|
||||
|
||||
~~~
|
||||
echo "http://pub.evolix.net/ jessie/" >> /etc/apt/sources.list
|
||||
apt update
|
||||
apt install bkctld
|
||||
~~~
|
||||
## Testing
|
||||
|
||||
### Chroot dependency
|
||||
|
||||
Chroot jail use part of this package
|
||||
|
||||
~~~
|
||||
apt install bash coreutils sed dash mount rsync openssh-server openssh-sftp-server libc6-i386 libc6
|
||||
~~~
|
||||
|
||||
#### Install cron for incremental backup
|
||||
|
||||
Edit root crontab
|
||||
|
||||
~~~
|
||||
crontab -e
|
||||
~~~
|
||||
|
||||
Add this ligne
|
||||
|
||||
~~~
|
||||
30 10 * * * /usr/sbin/bkctld inc && /usr/sbin/bkctld rm
|
||||
~~~
|
||||
|
||||
> **Notes :**
|
||||
> If you want mutiples backups in a day (1 by hour maximum) you can run `bkctld inc` multiples times
|
||||
> If you want keep incremental backup **for ever**, you just need don't run `bkctld rm`
|
||||
|
||||
## Test
|
||||
|
||||
You can deploy tests environmments with Vagrant :
|
||||
You can deploy test environments with Vagrant :
|
||||
|
||||
~~~
|
||||
vagrant up
|
||||
|
@ -77,7 +47,8 @@ vagrant up
|
|||
|
||||
### Deployment
|
||||
|
||||
Launch rsync-auto in a terminal for automatic synchronisation of your local code with Vagrant VM :
|
||||
Launch rsync-auto in a terminal for automatic synchronization of
|
||||
your local code with Vagrant VM :
|
||||
|
||||
~~~
|
||||
vagrant rsync-auto
|
||||
|
@ -85,7 +56,8 @@ vagrant rsync-auto
|
|||
|
||||
### Bats
|
||||
|
||||
You can run [bats](https://github.com/sstephenson/bats) test with *test* provisionner :
|
||||
You can run [bats](https://github.com/sstephenson/bats) tests with
|
||||
the *test* provision :
|
||||
|
||||
~~~
|
||||
vagrant provision --provision-with test
|
||||
|
@ -95,21 +67,31 @@ vagrant provision --provision-with test
|
|||
|
||||
See [docs/usage.md](docs/usage.md).
|
||||
|
||||
Man page, in roff language, can be generated with pandoc :
|
||||
The man(1) page, in troff(7) language, can be generated with pandoc:
|
||||
|
||||
~~~
|
||||
pandoc -f markdown -t man usage.md --template default.man -V title=bkctld -V section=8 -V date="$(date '+%d %b %Y')" -V footer="$(git describe --tags)" -V header="bkctld man page"
|
||||
pandoc -f markdown \
|
||||
-t man usage.md \
|
||||
--template default.man \
|
||||
-V title=bkctld \
|
||||
-V section=8 \
|
||||
-V date="$(date '+%d %b %Y')" \
|
||||
-V footer="$(git describe --tags)" \
|
||||
-V header="bkctld man page"
|
||||
~~~
|
||||
|
||||
#### Client configuration
|
||||
|
||||
You can save various systems on evobackup jail : Linux, BSD, Windows, MacOSX. Only prequisites is rsync command.
|
||||
You can save various systems in the evobackup jails : Linux, BSD,
|
||||
Windows, MacOSX. The only prerequisite is the rsync command.
|
||||
|
||||
~~~
|
||||
rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/
|
||||
~~~
|
||||
|
||||
An example script is present in zzz_evobackup, clone evobackup repo and read **CLIENT CONFIGURATION** section of the manual.
|
||||
An example synchronization script is present in `zzz_evobackup`,
|
||||
clone the evobackup repository and read the **CLIENT CONFIGURATION**
|
||||
section of the manual.
|
||||
|
||||
~~~
|
||||
git clone https://forge.evolix.org/evobackup.git
|
||||
|
|
15
Vagrantfile
vendored
15
Vagrantfile
vendored
|
@ -9,6 +9,7 @@ load File.expand_path(vagrantfile) if File.exists?(vagrantfile)
|
|||
|
||||
Vagrant.configure('2') do |config|
|
||||
config.vm.synced_folder "./", "/vagrant", type: "rsync", rsync__exclude: [ '.vagrant', '.git' ]
|
||||
config.ssh.shell="/bin/sh"
|
||||
|
||||
config.vm.provider :libvirt do |libvirt|
|
||||
libvirt.storage :file, :size => '10G', :device => 'vdb'
|
||||
|
@ -16,14 +17,16 @@ Vagrant.configure('2') do |config|
|
|||
|
||||
$install = <<SCRIPT
|
||||
ln -fs /vagrant/bkctld /usr/sbin/bkctld
|
||||
ln -fs /vagrant/lib /usr/lib/bkctld
|
||||
ln -fs /vagrant/tpl /usr/share/bkctld
|
||||
ln -fs /vagrant/bash_completion /usr/share/bash-completion/completions/bkctld
|
||||
ln -fs /vagrant/bkctld.conf /etc/default/bkctld
|
||||
ln -fs /vagrant/bkctld.service /etc/systemd/system/bkctld.service && systemctl daemon-reload
|
||||
mkdir -p /usr/lib/nagios/plugins/
|
||||
SCRIPT
|
||||
|
||||
$deps = <<SCRIPT
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -yq install openssh-server btrfs-tools rsync lsb-base coreutils sed dash mount openssh-sftp-server libc6 bash-completion duc-nox cryptsetup
|
||||
DEBIAN_FRONTEND=noninteractive apt-get -yq install openssh-server btrfs-tools rsync lsb-base coreutils sed dash mount openssh-sftp-server libc6 bash-completion duc-nox cryptsetup bats
|
||||
SCRIPT
|
||||
|
||||
$pre_part = <<SCRIPT
|
||||
|
@ -38,8 +41,6 @@ mount /dev/vdb /backup
|
|||
SCRIPT
|
||||
|
||||
nodes = [
|
||||
{ :version => "jessie", :fs => "btrfs" },
|
||||
{ :version => "jessie", :fs => "ext4" },
|
||||
{ :version => "stretch", :fs => "btrfs" },
|
||||
{ :version => "stretch", :fs => "ext4" }
|
||||
]
|
||||
|
@ -49,14 +50,6 @@ SCRIPT
|
|||
node.vm.hostname = "bkctld-#{i[:version]}-#{i[:fs]}"
|
||||
node.vm.box = "debian/#{i[:version]}64"
|
||||
config.vm.provision "deps", type: "shell", :inline => $deps
|
||||
if ("#{i[:version]}" == "jessie") then
|
||||
config.vm.provision "backports", type: "shell" do |s|
|
||||
s.inline = "echo 'deb http://deb.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list && apt-get update"
|
||||
end
|
||||
config.vm.provision "bats", type: "shell", :inline => "DEBIAN_FRONTEND=noninteractive apt-get -yq install -t jessie-backports bats"
|
||||
else
|
||||
config.vm.provision "bats", type: "shell", :inline => "DEBIAN_FRONTEND=noninteractive apt-get -yq install bats"
|
||||
end
|
||||
config.vm.provision "install", type: "shell", :inline => $install
|
||||
config.vm.provision "pre_part", type: "shell", :inline => $pre_part
|
||||
config.vm.provision "part", type: "shell", :inline => "mkfs.btrfs -f /dev/vdb" if "#{i[:fs]}" == "btrfs"
|
||||
|
|
|
@ -9,7 +9,7 @@ function _bkctld()
|
|||
|
||||
cur=${COMP_WORDS[COMP_CWORD]};
|
||||
prev=${COMP_WORDS[COMP_CWORD-1]};
|
||||
commands="init update remove start stop reload restart sync status key port ip inc rm check stats"
|
||||
commands=$(find /usr/lib/bkctld/ -name "bkctld-*" -exec basename {} \;|sed 's/^bkctld-//')
|
||||
|
||||
if [ $COMP_CWORD -eq 1 ]; then
|
||||
COMPREPLY=($(compgen -W '${commands}' -- ${cur}))
|
||||
|
|
672
bkctld
672
bkctld
|
@ -10,652 +10,42 @@
|
|||
|
||||
set -u
|
||||
|
||||
usage(){
|
||||
cat <<EOF
|
||||
Usage: $0 <subcommand> [options]
|
||||
Subcommands:
|
||||
init <jailname> Init jail <jailname>
|
||||
update <jailname>|all Update jail <jailname> or all
|
||||
remove <jailname>|all Remove jail <jailname> or all
|
||||
start <jailname>|all Start jail <jailname> or all
|
||||
stop <jailname>|all Stop jail <jailname> or all
|
||||
reload <jailname>|all Reload jail <jailname> or all
|
||||
restart <jailname>|all Restart jail <jailname> or all
|
||||
sync <jailname>|all Sync jail <jailname> or all to another node
|
||||
status [<jailname>] Print status of <jailname> (default all jail)
|
||||
key <jailname> [<keyfile>] Set or get ssh pubic key of <jailname>
|
||||
port <jailname> [<port>|auto] Set or get ssh port of <jailname>
|
||||
ip <jailname> [<ip>|all] Set or get allowed(s) ip(s) of <jailname>
|
||||
inc Make incremental inc of all jails
|
||||
rm Remove old incremtal inc of all jails
|
||||
check Run check on jails (NRPE output)
|
||||
stats Make and display stats on jails (size, lastconn)
|
||||
[ "$(id -u)" -ne 0 ] && error "You need to be root to run ${0} !"
|
||||
|
||||
EOF
|
||||
}
|
||||
[ -d './lib' ] && LIBDIR='lib'
|
||||
[ -d '/usr/lib/bkctld' ] && LIBDIR='/usr/lib/bkctld'
|
||||
. "${LIBDIR}/config"
|
||||
|
||||
## logging functions
|
||||
subcommand="${1:-}"
|
||||
jail="${2:-}"
|
||||
option="${3:-}"
|
||||
|
||||
debug() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
if [ "${LOGLEVEL}" -ge 7 ]; then
|
||||
echo "${msg}"
|
||||
logger -t bkctld -p daemon.debug "${msg}"
|
||||
fi
|
||||
}
|
||||
if [ ! -x "${LIBDIR}/bkctld-${subcommand}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
|
||||
info() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
if [ "${LOGLEVEL}" -ge 6 ]; then
|
||||
tty -s && echo "${msg}"
|
||||
logger -t bkctld -p daemon.info "${msg}"
|
||||
fi
|
||||
}
|
||||
|
||||
notice() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
tty -s && echo "${msg}"
|
||||
[ "${LOGLEVEL}" -ge 5 ] && logger -t bkctld -p daemon.notice "${msg}"
|
||||
}
|
||||
|
||||
warning() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
tty -s && echo "WARNING : ${msg}" >&2
|
||||
if [ "${LOGLEVEL}" -ge 4 ]; then
|
||||
tty -s || echo "WARNING : ${msg}" >&2
|
||||
logger -t bkctld -p daemon.warning "${msg}"
|
||||
fi
|
||||
}
|
||||
|
||||
error() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
tty -s && echo "ERROR : ${msg}" >&2
|
||||
if [ "${LOGLEVEL}" -ge 5 ]; then
|
||||
tty -s || echo "ERROR : ${msg}" >&2
|
||||
logger -t bkctld -p daemon.error "${msg}"
|
||||
fi
|
||||
exit 1
|
||||
}
|
||||
|
||||
## check functions
|
||||
|
||||
check_jail() {
|
||||
jail="${1}"
|
||||
[ -d "${JAILDIR}/${jail}" ] && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
check_jail_on() {
|
||||
jail="${1}"
|
||||
return=1
|
||||
if [ -f "${JAILDIR}/${jail}/${SSHD_PID}" ]; then
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
ps -p "${pid}" > /dev/null && return=0
|
||||
fi
|
||||
if [ "${return}" -eq 1 ]; then
|
||||
rm -f "${JAILDIR}/${jail}/${SSHD_PID}"
|
||||
grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy "${JAILDIR}/${jail}/proc/"
|
||||
grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}/dev"
|
||||
fi
|
||||
return "${return}"
|
||||
}
|
||||
|
||||
## get functions : get info on jail
|
||||
|
||||
get_port() {
|
||||
jail="${1}"
|
||||
port=$(grep -E "Port [0-9]+" "${JAILDIR}/${jail}/${SSHD_CONFIG}"|grep -oE "[0-9]+")
|
||||
echo "${port}"
|
||||
}
|
||||
|
||||
get_key() {
|
||||
jail="${1}"
|
||||
if [ -f "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" ]; then
|
||||
cat "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
fi
|
||||
}
|
||||
|
||||
get_ip() {
|
||||
jail="${1}"
|
||||
grep -E "^AllowUsers" "${JAILDIR}/$jail/${SSHD_CONFIG}"|grep -Eo "root@[^ ]+"| while read allow; do
|
||||
echo "${allow}"|cut -d'@' -f2
|
||||
done
|
||||
}
|
||||
|
||||
get_inc() {
|
||||
jail="${1}"
|
||||
inc="0"
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}")
|
||||
month=$(grep -c "month" "${CONFDIR}/${jail}")
|
||||
inc="${day}/${month}"
|
||||
fi
|
||||
echo "${inc}"
|
||||
}
|
||||
|
||||
## set functions : set info on jail
|
||||
|
||||
set_port() {
|
||||
jail="${1}"
|
||||
port="${2}"
|
||||
if [ "${port}" = "auto" ]; then
|
||||
port=$(grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}" 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1)
|
||||
port=$((port+1))
|
||||
[ "${port}" -le 1 ] && port=2222
|
||||
fi
|
||||
sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}"
|
||||
set_firewall "${jail}"
|
||||
}
|
||||
|
||||
set_key() {
|
||||
jail="${1}"
|
||||
keyfile="${2}"
|
||||
[ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !"
|
||||
cat "${keyfile}" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
chmod 600 "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
}
|
||||
|
||||
set_ip() {
|
||||
jail="${1}"
|
||||
ip="${2}"
|
||||
if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then
|
||||
ips="0.0.0.0/0"
|
||||
case "${subcommand}" in
|
||||
"inc" | "rm" | "check" | "stats" | "help" | "list")
|
||||
"${LIBDIR}/bkctld-${subcommand}"
|
||||
;;
|
||||
"init" | "is-on")
|
||||
"${LIBDIR}/bkctld-${subcommand}" "${jail}"
|
||||
;;
|
||||
"key" | "port" | "ip")
|
||||
"${LIBDIR}/bkctld-${subcommand}" "${jail}" "${option}"
|
||||
;;
|
||||
"start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall")
|
||||
if [ "${jail}" = "all" ]; then
|
||||
"${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}"
|
||||
else
|
||||
ips=$(get_ip "${jail}")
|
||||
ips=$(echo "${ips}" "${ip}"|xargs -n1|grep -v "0.0.0.0/0"|sort|uniq)
|
||||
"${LIBDIR}/bkctld-${subcommand}" "${jail}"
|
||||
fi
|
||||
allow="AllowUsers"
|
||||
for ip in $ips; do
|
||||
allow="${allow} root@${ip}"
|
||||
done
|
||||
sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}"
|
||||
set_firewall "${jail}"
|
||||
}
|
||||
|
||||
set_firewall() {
|
||||
jail="${1}"
|
||||
if [ -n "${FIREWALL_RULES}" ]; then
|
||||
if [ -f "${FIREWALL_RULES}" ]; then
|
||||
sed -i "/#${jail}$/d" "${FIREWALL_RULES}"
|
||||
fi
|
||||
if ( check_jail "${jail}" ); then
|
||||
port=$(get_port "${jail}")
|
||||
for ip in $(get_ip "${jail}"); do
|
||||
echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}"
|
||||
done
|
||||
if [ -f /etc/init.d/minifirewall ]; then
|
||||
/etc/init.d/minifirewall restart >/dev/null
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
## mk_jail function : create or update a jail
|
||||
|
||||
mk_jail() {
|
||||
jail="${1}"
|
||||
passwd="${TPLDIR}/passwd"
|
||||
shadow="${TPLDIR}/shadow"
|
||||
group="${TPLDIR}/group"
|
||||
sshrc="${TPLDIR}/sshrc"
|
||||
[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
|
||||
[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
|
||||
[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
|
||||
[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
|
||||
umask 077
|
||||
|
||||
info "1 - Creating the chroot"
|
||||
cd "${JAILDIR}/${jail}"
|
||||
rm -rf bin lib lib64 run usr var/run etc/ssh/*key
|
||||
mkdir -p dev proc
|
||||
mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64
|
||||
mkdir -p etc/ssh var/log run/sshd
|
||||
mkdir -p root/.ssh var/backup -m 0700
|
||||
ln -s usr/bin bin
|
||||
ln -s usr/lib lib
|
||||
ln -s usr/lib64 lib64
|
||||
ln -st var ../run
|
||||
touch var/log/lastlog var/log/wtmp run/utmp
|
||||
|
||||
info "2 - Copying essential files"
|
||||
[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh
|
||||
[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh
|
||||
[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh
|
||||
cp "${passwd}" etc
|
||||
cp "${shadow}" etc
|
||||
cp "${group}" etc
|
||||
cp "${sshrc}" etc/ssh
|
||||
|
||||
info "3 - Copying binaries"
|
||||
cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
|
||||
cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
|
||||
|
||||
for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
|
||||
cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
|
||||
for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
|
||||
cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
## sub functions : functions call by subcommand
|
||||
|
||||
sub_init() {
|
||||
jail="${1}"
|
||||
sshd_config="${TPLDIR}/sshd_config"
|
||||
inctpl="${TPLDIR}/inc.tpl"
|
||||
[ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config"
|
||||
[ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl"
|
||||
check_jail "${jail}" && error "${jail} : trying to create existant jail"
|
||||
|
||||
rootdir=$(dirname "${JAILDIR}")
|
||||
rootdir_inode=$(stat --format=%i "${rootdir}")
|
||||
jaildir_inode=$(stat --format=%i "${JAILDIR}")
|
||||
if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume create "${JAILDIR}/${jail}"
|
||||
;;
|
||||
"status")
|
||||
if [ -z "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 "${LIBDIR}/bkctld-${subcommand}"
|
||||
else
|
||||
mkdir -p "${JAILDIR}/${jail}"
|
||||
"${LIBDIR}/bkctld-${subcommand}" "${jail}"
|
||||
fi
|
||||
mk_jail "${jail}"
|
||||
info "4 - Copie default sshd_config"
|
||||
install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}"
|
||||
info "5 - Set usable sshd port"
|
||||
set_port "${jail}" auto
|
||||
info "6 - Copie default inc configuration"
|
||||
install -m 0640 "${inctpl}" "${CONFDIR}/${jail}"
|
||||
notice "${jail} : created jail"
|
||||
}
|
||||
|
||||
sub_update() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : trying to update inexistant jail"
|
||||
check_jail_on "${jail}" && sub_stop "${jail}"
|
||||
|
||||
mk_jail "${jail}"
|
||||
notice "${jail} : updated jail"
|
||||
}
|
||||
|
||||
sub_remove() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : trying to remove inexistant jail"
|
||||
|
||||
check_jail_on "${jail}" && sub_stop "${jail}"
|
||||
|
||||
rm -f "${CONFDIR}/${jail}"
|
||||
jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
|
||||
if [ "${jail_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${JAILDIR}/${jail}" | debug
|
||||
else
|
||||
rm -rf "${JAILDIR}/${jail}" | debug
|
||||
fi
|
||||
if [ -d "${INCDIR}/${jail}" ]; then
|
||||
incs=$(ls "${INCDIR}/${jail}")
|
||||
for inc in ${incs}; do
|
||||
inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug
|
||||
else
|
||||
warning "You need to purge ${INCDIR}/${jail}/${inc} manually !"
|
||||
fi
|
||||
done
|
||||
rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug
|
||||
fi
|
||||
set_firewall "${jail}"
|
||||
notice "${jail} : deleted jail"
|
||||
}
|
||||
|
||||
sub_start() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : trying to start inexistant jail"
|
||||
check_jail_on "${jail}" && error "${jail} : trying to start already running jail"
|
||||
|
||||
cd "${JAILDIR}/${jail}"
|
||||
grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc
|
||||
grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev
|
||||
[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
|
||||
[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
|
||||
[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
|
||||
[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
|
||||
[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
|
||||
[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
|
||||
[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
|
||||
chown root:tty dev/console dev/ptmx dev/tty
|
||||
ln -fs proc/self/fd dev/fd
|
||||
ln -fs proc/self/fd/0 dev/stdin
|
||||
ln -fs proc/self/fd/1 dev/stdout
|
||||
ln -fs proc/self/fd/2 dev/stderr
|
||||
ln -fs proc/kcore dev/core
|
||||
mkdir -p dev/pts
|
||||
mkdir -p dev/shm
|
||||
grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
|
||||
grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
|
||||
chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog || error "${jail} : error on starting sshd"
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
notice "${jail} was started [${pid}]"
|
||||
}
|
||||
|
||||
sub_stop() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : trying to stop inexistant jail"
|
||||
check_jail_on "${jail}" || error "${jail} : trying to stop not running jail"
|
||||
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
for conn in $(ps --ppid "${pid}" -o pid=); do
|
||||
kill "${conn}"
|
||||
done
|
||||
kill "${pid}" && notice "${jail} was stopped [${pid}]"
|
||||
umount --lazy --recursive "${JAILDIR}/${jail}/dev"
|
||||
umount --lazy "${JAILDIR}/${jail}/proc/"
|
||||
}
|
||||
|
||||
sub_reload() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : trying to reload inexistant jail"
|
||||
check_jail_on "${jail}" || error "${jail} : trying to reload not running jail"
|
||||
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
|
||||
kill -HUP "${pid}" && notice "${jail} was reloaded [${pid}]"
|
||||
}
|
||||
|
||||
sub_status() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : inexistant jail ! Use '$0 status' for list all"
|
||||
|
||||
inc=$(get_inc "${jail}")
|
||||
if ( check_jail_on "${jail}" ); then
|
||||
status="ON "
|
||||
else
|
||||
status="OFF"
|
||||
fi
|
||||
port=$(get_port "${jail}")
|
||||
ip=$(get_ip "${jail}"|xargs|tr -s ' ' ',')
|
||||
echo "${jail} ${status} ${port} ${inc} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }'
|
||||
}
|
||||
|
||||
sub_params() {
|
||||
jail="${1}"
|
||||
params="${2}"
|
||||
option="${3}"
|
||||
check_jail "${jail}" || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${option}" ]; then
|
||||
"get_${params}" "${jail}"
|
||||
else
|
||||
"set_${params}" "${jail}" "${option}"
|
||||
check_jail_on "${jail}" && sub_reload "${jail}"
|
||||
notice "${jail} : update ${params} => ${option}"
|
||||
fi
|
||||
}
|
||||
|
||||
sub_sync() {
|
||||
jail="${1}"
|
||||
check_jail "${jail}" || error "${jail} : trying to sync inexistant jail"
|
||||
|
||||
[ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !"
|
||||
|
||||
jail="${1}"
|
||||
ssh "${NODE}" bkctld init "${jail}" | debug
|
||||
rsync -a "${JAILDIR}/${jail}/" "${NODE}:${JAILDIR}/${jail}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/*
|
||||
rsync -a "${CONFDIR}/${jail}" "${NODE}:${CONFDIR}/${jail}"
|
||||
if ( check_jail_on "${jail}" ); then
|
||||
ssh "${NODE}" bkctld start "${jail}" | debug
|
||||
fi
|
||||
if [ -n "${FIREWALL_RULES}" ]; then
|
||||
rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}"
|
||||
ssh "${NODE}" /etc/init.d/minifirewall restart | debug
|
||||
fi
|
||||
}
|
||||
|
||||
sub_inc() {
|
||||
date=$(date +"%Y-%m-%d-%H")
|
||||
jails=$(ls "${JAILDIR}")
|
||||
for jail in ${jails}; do
|
||||
inc="${INCDIR}/${jail}/${date}"
|
||||
mkdir -p "${INCDIR}/${jail}"
|
||||
if [ ! -d "${inc}" ]; then
|
||||
start=$(date +"%H:%M:%S")
|
||||
jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
|
||||
if [ "$jail_inode" -eq 256 ]; then
|
||||
/bin/btrfs subvolume snapshot -r "${JAILDIR}/${jail}" "${inc}" | debug
|
||||
else
|
||||
cp -alx "${JAILDIR}/${jail}/" "${inc}" | debug
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : made ${date} inc [${start}/${end}]"
|
||||
else
|
||||
warning "${jail} : trying to made already existant inc"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
sub_rm() {
|
||||
empty="/tmp/bkctld-${$}-$(date +%N))"
|
||||
mkdir "${empty}"
|
||||
pidfile="/var/run/bkctld-rm.pid"
|
||||
if [ -f "${pidfile}" ]; then
|
||||
pid=$(cat "${pidfile}")
|
||||
ps -u "${pid}" >/dev/null
|
||||
if [ "${?}" -eq 0 ]; then
|
||||
kill -9 "${pid}"
|
||||
warning "${0} rm always run (PID ${pid}), killed by ${$} !"
|
||||
fi
|
||||
rm "${pidfile}"
|
||||
fi
|
||||
echo "${$}" > "${pidfile}"
|
||||
jails=$(ls "${JAILDIR}")
|
||||
for jail in ${jails}; do
|
||||
incs=$(ls "${INCDIR}/${jail}")
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
keepfile="${CONFDIR}/.keep-${jail}"
|
||||
while read j; do
|
||||
date=$( echo "${j}" | cut -d. -f1 )
|
||||
before=$( echo "${j}" | cut -d. -f2 )
|
||||
date -d "$(date "${date}") ${before}" "+%Y-%m-%d"
|
||||
done < "${CONFDIR}/${jail}" > "${keepfile}"
|
||||
for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do
|
||||
start=$(date +"%H:%M:%S")
|
||||
inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${j}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${INCDIR}/${jail}/${j}" | debug
|
||||
else
|
||||
cd "${INCDIR}/${jail}"
|
||||
rsync -a --delete "${empty}/" "${j}/"
|
||||
rmdir "${j}"
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : deleted ${j} inc [${start}/${end}]"
|
||||
done
|
||||
fi
|
||||
done
|
||||
rmdir "${empty}"
|
||||
rm "${pidfile}"
|
||||
}
|
||||
|
||||
sub_check() {
|
||||
cur_time=$(date "+%s")
|
||||
return=0
|
||||
nb_crit=0
|
||||
nb_warn=0
|
||||
nb_ok=0
|
||||
nb_unkn=0
|
||||
output=""
|
||||
|
||||
if [ -b "${BACKUP_DISK}" ]; then
|
||||
cryptsetup isLuks "${BACKUP_DISK}"
|
||||
if [ "$?" -eq 0 ]; then
|
||||
if [ ! -b '/dev/mapper/backup' ]; then
|
||||
echo "Luks disk ${BACKUP_DISK} is not mounted !\n"
|
||||
echo "cryptsetup luksOpen ${BACKUP_DISK} backup"
|
||||
exit 2
|
||||
fi
|
||||
BACKUP_DISK='/dev/mapper/backup'
|
||||
fi
|
||||
grep -qE "^${BACKUP_DISK} " /etc/mtab
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Backup disk ${BACKUP_DISK} is not mounted !\n"
|
||||
echo "mount ${BACKUP_DISK} /backup"
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
jails=$(ls "${JAILDIR}")
|
||||
for jail in ${jails}; do
|
||||
if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then
|
||||
last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog")
|
||||
date_diff=$(( (cur_time - last_conn) / (60*60) ))
|
||||
if [ "${date_diff}" -gt "${CRITICAL}" ]; then
|
||||
nb_crit=$((nb_crit + 1))
|
||||
output="${output}CRITICAL - ${jail} - ${date_diff} hours\n"
|
||||
[ "${return}" -le 2 ] && return=2
|
||||
elif [ "${date_diff}" -gt "${WARNING}" ]; then
|
||||
nb_warn=$((nb_warn + 1))
|
||||
output="${output}WARNING - ${jail} - ${date_diff} hours\n"
|
||||
[ "${return}" -le 1 ] && return=1
|
||||
else
|
||||
nb_ok=$((nb_ok + 1))
|
||||
output="${output}OK - ${jail} - ${date_diff} hours\n"
|
||||
fi
|
||||
else
|
||||
nb_unkn=$((nb_unkn + 1))
|
||||
output="${output}UNKNOWN - ${jail} doesn't have lastlog !\n"
|
||||
[ "${return}" -le 3 ] && return=3
|
||||
fi
|
||||
done
|
||||
|
||||
[ "${return}" -ge 0 ] && header="OK"
|
||||
[ "${return}" -ge 1 ] && header="WARNING"
|
||||
[ "${return}" -ge 2 ] && header="CRITICAL"
|
||||
[ "${return}" -ge 3 ] && header="UNKNOW"
|
||||
|
||||
printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
|
||||
|
||||
printf "${output}" | grep -E "^UNKNOW"
|
||||
printf "${output}" | grep -E "^CRITICAL"
|
||||
printf "${output}" | grep -E "^WARNING"
|
||||
printf "${output}" | grep -E "^OK"
|
||||
|
||||
exit "${return}"
|
||||
}
|
||||
|
||||
sub_stats() {
|
||||
lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- <<EOF >/dev/null 2>&1 &
|
||||
ionice -c3 "${DUC}" index -d "${IDX_FILE}" "${JAILDIR}"
|
||||
touch "${INDEX_DIR}/.lastrun.duc"
|
||||
EOF
|
||||
[ ! -f "${INDEX_DIR}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0
|
||||
[ ! -f ${IDX_FILE} ] && error "Index file do not exits !"
|
||||
printf "Last update of index file : "
|
||||
stat --format=%Y "${INDEX_DIR}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}"
|
||||
echo "<jail> <size> <incs> <lastconn>" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $1, $2, $3, $4); }'
|
||||
duc_output=$(mktemp)
|
||||
stat_output=$(mktemp)
|
||||
incs_output=$(mktemp)
|
||||
trap "rm ${duc_output} ${incs_output} ${stat_output}" 0
|
||||
"${DUC}" ls -d "${IDX_FILE}" "${JAILDIR}" > "${duc_output}"
|
||||
awk '{ print $2 }' "${duc_output}" | while read jail; do
|
||||
stat --format=%Y "/backup/jails/${jail}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
|
||||
get_inc "${jail}" >> "${incs_output}"
|
||||
done
|
||||
paste "${duc_output}" "${incs_output}" "${stat_output}" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $2, $1, $3, $4); }'
|
||||
}
|
||||
|
||||
## main function : check usage and valid params
|
||||
|
||||
main() {
|
||||
[ "$(id -u)" -ne 0 ] && error "You need to be root to run ${0} !"
|
||||
|
||||
[ -f /etc/default/bkctld ] && . /etc/default/bkctld
|
||||
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
||||
BACKUP_DISK="${BACKUP_DISK:-}"
|
||||
JAILDIR="${JAILDIR:-/backup/jails}"
|
||||
INCDIR="${INCDIR:-/backup/incs}"
|
||||
TPLDIR="${TPLDIR:-/usr/share/bkctld}"
|
||||
INDEX_DIR="${INDEX_DIR:-/backup/index}"
|
||||
IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
|
||||
LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
|
||||
SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
|
||||
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
|
||||
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}"
|
||||
FIREWALL_RULES="${FIREWALL_RULES:-}"
|
||||
LOGLEVEL="${LOGLEVEL:-6}"
|
||||
CRITICAL="${CRITICAL:-48}"
|
||||
WARNING="${WARNING:-24}"
|
||||
DUC=$(command -v duc-nox||command -v duc)
|
||||
mkdir -p "${CONFDIR}" "${JAILDIR}" "${INCDIR}" "${INDEX_DIR}"
|
||||
subcommand="${1:-}"
|
||||
jail="${2:-}"
|
||||
option="${3:-}"
|
||||
case "${subcommand}" in
|
||||
"" | "-h" | "--help")
|
||||
usage
|
||||
;;
|
||||
"inc" | "rm" | "check" | "stats")
|
||||
"sub_${subcommand}"
|
||||
;;
|
||||
"init")
|
||||
if [ -n "${jail}" ]; then
|
||||
"sub_${subcommand}" "${jail}"
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
"key" | "port" | "ip")
|
||||
if [ -n "${jail}" ]; then
|
||||
sub_params "${jail}" "${subcommand}" "${option}"
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
"start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove")
|
||||
if [ -n "${jail}" ]; then
|
||||
if [ "${jail}" = "all" ]; then
|
||||
jails=$(ls "${JAILDIR}")
|
||||
for jail in ${jails}; do
|
||||
case "${subcommand}" in
|
||||
"start")
|
||||
check_jail_on "${jail}" || "sub_${subcommand}" "${jail}"
|
||||
;;
|
||||
"stop" | "reload")
|
||||
check_jail_on "${jail}" && "sub_${subcommand}" "${jail}"
|
||||
;;
|
||||
"restart")
|
||||
check_jail_on "${jail}" && sub_stop "${jail}"
|
||||
sub_start "${jail}"
|
||||
;;
|
||||
*)
|
||||
"sub_${subcommand}" "${jail}"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
else
|
||||
if [ "${subcommand}" != "restart" ]; then
|
||||
"sub_${subcommand}" "${jail}"
|
||||
else
|
||||
check_jail_on "${jail}" && sub_stop "${jail}"
|
||||
sub_start "${jail}"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
"status")
|
||||
if [ -z "${jail}" ]; then
|
||||
jails=$(ls "${JAILDIR}")
|
||||
for jail in ${jails}; do
|
||||
"sub_${subcommand}" "${jail}"
|
||||
done
|
||||
else
|
||||
"sub_${subcommand}" "${jail}"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
warning "'${subcommand}' is not a known subcommand." && usage
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
main "${@}"
|
||||
;;
|
||||
esac
|
||||
|
|
179
bkctld.8
Normal file
179
bkctld.8
Normal file
|
@ -0,0 +1,179 @@
|
|||
.Dd December 27, 2018
|
||||
.Dt BKCTLD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm bkctld
|
||||
.Nd tool to manage evobackup jails
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Ar operand...
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a shell script that creates and manages a backup server
|
||||
which can handle the backups of many other servers (clients).
|
||||
.Pp
|
||||
It uses
|
||||
.Xr ssh 1
|
||||
and
|
||||
.Xr chroot 8
|
||||
to sandbox every client's backups.
|
||||
Each client will upload it's data every day
|
||||
using
|
||||
.Xr rsync 1
|
||||
in it's
|
||||
.Xr chroot 8
|
||||
(using the root account).
|
||||
.Pp
|
||||
Prior backups are stored incrementally outside of the
|
||||
.Xr chroot 8
|
||||
using
|
||||
.Xr ln 1
|
||||
hard links or BTRFS snapshots.
|
||||
(So they can not be affected by the client),
|
||||
which backups are kept over time can be configured in the jail's nominal
|
||||
.Xr evobackup-incl 5
|
||||
configuration file.
|
||||
.Pp
|
||||
A large enough volume must be mounted on
|
||||
.Pa /backup ,
|
||||
if the filesystem is formatted with BTRFS,
|
||||
.Nm
|
||||
will use sub-volumes and snapshots to save space.
|
||||
.Pp
|
||||
It's default settings can be overridden in
|
||||
.Xr bkctld.conf 5
|
||||
file.
|
||||
.Pp
|
||||
The following operands are available:
|
||||
.Bl -tag -width Ds
|
||||
.It Cm init Ar jailname
|
||||
Create an evobackup jail
|
||||
.It Cm update Cm all | Ar jailname
|
||||
Update an evobackup jail
|
||||
.It Cm remove Cm all | Ar jailname
|
||||
Remove an evobackup jail
|
||||
.It Cm start Cm all | Ar jailname
|
||||
Start an evobackup jail
|
||||
.It Cm stop Cm all | Ar jailname
|
||||
Stop an evobackup jail
|
||||
.It Cm reload Cm all | Ar jailname
|
||||
Reload an evobackup jail
|
||||
.It Cm restart Cm all | Ar jailname
|
||||
Restart an evobackup jail
|
||||
.It Cm sync Cm all | Ar jailname
|
||||
Sync an evobackup jail, the mirror server is defined by the
|
||||
.Ev $NODE
|
||||
variable in
|
||||
.Pa /etc/default/bkctld
|
||||
.It Cm status Op Ar jailname
|
||||
Print the status of all jails or only
|
||||
.Op Ar jailname .
|
||||
.It Cm key Ar jailname Op Ar keyfile
|
||||
Print or set the
|
||||
.Xr ssh 1
|
||||
public key of an evobackup jail
|
||||
.It Cm port Ar jailname Op Cm auto | Ar port
|
||||
Print or set the
|
||||
.Xr ssh 1
|
||||
.Op Ar port
|
||||
of an evobackup jail.
|
||||
Using
|
||||
.Op Cm auto
|
||||
will set it to the next available port.
|
||||
.It Cm ip Ar jailname Op Cm all | Ar address
|
||||
Print or set the whitelisted IP
|
||||
.Op Ar address
|
||||
for an evobackup jail.
|
||||
.Op Cm all
|
||||
allows unrestricted access and is the default.
|
||||
.It Cm inc
|
||||
Generate incremental backups
|
||||
.It Cm rm
|
||||
Remove old incremental backups
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa /etc/default/bkctld
|
||||
Template for
|
||||
.Xr bkctld.conf 5
|
||||
.It Pa /usr/share/bkctld/incl.tpl
|
||||
Default rules for the incremental backups are stored here.
|
||||
.El
|
||||
.Sh EXAMPLES
|
||||
Before creating a jail and backing up a client,
|
||||
the backup server administrator will need:
|
||||
.Bl -bullet
|
||||
.It
|
||||
The host name of the client system.
|
||||
.It
|
||||
The public RSA
|
||||
.Xr ssh 1
|
||||
key for the
|
||||
.Dq root
|
||||
user of the client system,
|
||||
it is recommended the private key be password-less if automation is desired.
|
||||
.It
|
||||
The IPv4 address of the client system is needed
|
||||
if the administrator wishes to maintain a whitelist,
|
||||
see
|
||||
.Va FIREWALL_RULES
|
||||
in
|
||||
.Xr bkctld.conf 5
|
||||
.El
|
||||
.Pp
|
||||
He can then create the jail:
|
||||
.Bd -literal -offset indent
|
||||
# bkctld init CLIENT_HOST_NAME
|
||||
# bkctld key CLIENT_HOST_NAME /root/CLIENT_HOST_NAME.pub
|
||||
# bkctld ip CLIENT_HOST_NAME CLIENT_IP_ADDRESS
|
||||
# bkctld start CLIENT_HOST_NAME
|
||||
# bkctld status CLIENT_HOST_NAME
|
||||
.Ed
|
||||
.Pp
|
||||
And override the default
|
||||
.Xr evobackup-incl 5
|
||||
rules
|
||||
.Bd -literal -offset indent
|
||||
# $EDITOR /etc/evobackup/CLIENT_HOST_NAME
|
||||
.Ed
|
||||
.Pp
|
||||
To sync itself,
|
||||
the client server will need to install
|
||||
.Xr rsync 1 .
|
||||
It can then be run manually:
|
||||
.Bd -literal -offset indent
|
||||
# rsync -av -e "ssh -p JAIL_PORT" /home/ root@BACKUP_SERVER:/var/backup/home/
|
||||
.Ed
|
||||
.Pp
|
||||
If a more automated setup is required,
|
||||
a script can be written in any programming language.
|
||||
In this case,
|
||||
it may be useful to validate the backup server's identity before hand.
|
||||
.Bd -literal -offset indent
|
||||
# ssh -p JAIL_PORT BACKUP_SERVER
|
||||
.Ed
|
||||
.Pp
|
||||
A
|
||||
.Xr bash 1
|
||||
example to be run under the
|
||||
.Dq root
|
||||
user's
|
||||
.Xr crontab 5
|
||||
can be found in the
|
||||
.Lk https://gitea.evolix.org/evolix/evobackup/src/branch/master/zzz_evobackup "source repository"
|
||||
.\" .Sh EXIT STATUS
|
||||
.\" For sections 1, 6, and 8 only.
|
||||
.\" .Sh DIAGNOSTICS
|
||||
.\" For sections 1, 4, 6, 7, 8, and 9 printf/stderr messages only.
|
||||
.Sh SEE ALSO
|
||||
.Xr rsync 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr bkctld 5 ,
|
||||
.Xr evobackup-incl 5 ,
|
||||
.Xr chroot 8 ,
|
||||
.Xr cron 8 ,
|
||||
.Xr sshd 8
|
||||
.Sh AUTHORS
|
||||
.An Victor Laborie
|
||||
.\" .Sh CAVEATS
|
||||
.\" .Sh BUGS
|
|
@ -1,4 +1,5 @@
|
|||
# Defaults for bkctld command (evobackup)
|
||||
# bkctld.conf(5)
|
||||
# Defaults for bkctld(8) command (evobackup)
|
||||
# sourced by /usr/sbin/bkctld and /etc/init.d/bkctld
|
||||
|
||||
#CONFDIR='/etc/evobackup'
|
||||
|
@ -10,5 +11,5 @@
|
|||
#SSHD_PID='/var/run/sshd.pid'
|
||||
#SSHD_CONFIG='/etc/ssh/sshd_config'
|
||||
#AUTHORIZED_KEYS='/root/.ssh/authorized_keys'
|
||||
#FIREWALL_RULES='/etc/firewall.rc.jails'
|
||||
#FIREWALL_RULES=''
|
||||
#LOGLEVEL=6
|
||||
|
|
67
bkctld.conf.5
Normal file
67
bkctld.conf.5
Normal file
|
@ -0,0 +1,67 @@
|
|||
.Dd December 28, 2018
|
||||
.Dt BKCTLD.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm bkctld.conf
|
||||
.Nd configuration file for
|
||||
.Xr bkctld 8
|
||||
.Sh SYNOPSIS
|
||||
.D1 name=[value]
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
file contains variables that override the behavior of the
|
||||
.Xr bkctld 8
|
||||
script.
|
||||
By default, it is located at
|
||||
.Pa /etc/default/bkctld .
|
||||
.Pp
|
||||
Each line must be a valid
|
||||
.Xr bash 1
|
||||
variable definition.
|
||||
Lines beginning with the
|
||||
.Sq #
|
||||
character are comments and are ignored.
|
||||
The order of the definitions does not matter.
|
||||
.Pp
|
||||
The following variables may be defined:
|
||||
.Bl -tag -width Ds
|
||||
.It Va CONFDIR
|
||||
Directory where
|
||||
.Xr evobackup-incl 5
|
||||
files are kept.
|
||||
It's default value is
|
||||
.Pa /etc/evobackup/ .
|
||||
.It Va JAILDIR
|
||||
Directory where the jails are stored,
|
||||
it is recommended that this be inside a BTRFS file system.
|
||||
It's default value is
|
||||
.Pa /backup/jails/ .
|
||||
.It Va INCDIR
|
||||
Directory where incremental backups are stored,
|
||||
it is recommended that this be inside a BTRFS file system.
|
||||
It's default value is
|
||||
.Pa /backup/incs/ .
|
||||
.It Va TPLDIR
|
||||
Directory where the default configuration files are stored.
|
||||
It's default value is
|
||||
.Pa /usr/share/bkctld/ .
|
||||
.It Va LOCALTPLDIR
|
||||
Directory where custom configuration files are stored.
|
||||
It's default is
|
||||
.Pa /usr/local/share/bkctld/ .
|
||||
.It Va LOGLEVEL
|
||||
Defines the amount of information to log, follows the same scale as in
|
||||
.In syslog.h
|
||||
and defaults to 6.
|
||||
.It Va FIREWALL_RULES
|
||||
Configuration file containing the firewall rules that govern jail access.
|
||||
This file must be sourced by your firewall.
|
||||
It does not have a default value and, if unset,
|
||||
.Xr bkctld 8
|
||||
will not automatically update the firewall.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr bash 1 ,
|
||||
.Xr evobackup-incl 5 ,
|
||||
.Xr bkctld 8
|
14
bkctld.service
Normal file
14
bkctld.service
Normal file
|
@ -0,0 +1,14 @@
|
|||
[Unit]
|
||||
Documentation=man:bkctld(8)
|
||||
Description=Backup manager using rsync and OpenSSH chroot.
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/bkctld start all
|
||||
ExecStop=/usr/sbin/bkctld stop all
|
||||
RemainAfterExit=true
|
||||
KillMode=control-group
|
||||
GuessMainPID=no
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,42 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: evobackup
|
||||
# Required-Start: $syslog
|
||||
# Required-Stop: $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop:
|
||||
# Short-Description: Backup manager using rsync and OpenSSH chroot.
|
||||
### END INIT INFO
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
bkctld start all
|
||||
;;
|
||||
|
||||
stop)
|
||||
bkctld stop all
|
||||
;;
|
||||
|
||||
reload|force-reload)
|
||||
bkctld reload all
|
||||
;;
|
||||
|
||||
restart)
|
||||
bkctld restart all
|
||||
;;
|
||||
|
||||
status)
|
||||
bkctld status
|
||||
;;
|
||||
|
||||
*)
|
||||
|
||||
echo "Usage: $0 {start|stop|restart|reload|status}"
|
||||
exit 1
|
||||
|
||||
esac
|
||||
|
||||
exit 0
|
86
docs/configuration.md
Normal file
86
docs/configuration.md
Normal file
|
@ -0,0 +1,86 @@
|
|||
BKCTLD.CONF(5) - File Formats Manual
|
||||
|
||||
# NAME
|
||||
|
||||
**bkctld.conf** - configuration file for
|
||||
bkctld(8)
|
||||
|
||||
# SYNOPSIS
|
||||
|
||||
> name=\[value]
|
||||
|
||||
# DESCRIPTION
|
||||
|
||||
The
|
||||
**bkctld.conf**
|
||||
file contains variables that override the behavior of the
|
||||
bkctld(8)
|
||||
script.
|
||||
By default, it is located at
|
||||
*/etc/default/bkctld*.
|
||||
|
||||
Each line must be a valid
|
||||
bash(1)
|
||||
variable definition.
|
||||
Lines beginning with the
|
||||
'#'
|
||||
character are comments and are ignored.
|
||||
The order of the definitions does not matter.
|
||||
|
||||
The following variables may be defined:
|
||||
|
||||
*CONFDIR*
|
||||
|
||||
> Directory where
|
||||
> evobackup-incl(5)
|
||||
> files are kept.
|
||||
> It's default value is
|
||||
> */etc/evobackup/*.
|
||||
|
||||
*JAILDIR*
|
||||
|
||||
> Directory where the jails are stored,
|
||||
> it is recommended that this be inside a BTRFS file system.
|
||||
> It's default value is
|
||||
> */backup/jails/*.
|
||||
|
||||
*INCDIR*
|
||||
|
||||
> Directory where incremental backups are stored,
|
||||
> it is recommended that this be inside a BTRFS file system.
|
||||
> It's default value is
|
||||
> */backup/incs/*.
|
||||
|
||||
*TPLDIR*
|
||||
|
||||
> Directory where the default configuration files are stored.
|
||||
> It's default value is
|
||||
> */usr/share/bkctld/*.
|
||||
|
||||
*LOCALTPLDIR*
|
||||
|
||||
> Directory where custom configuration files are stored.
|
||||
> It's default is
|
||||
> */usr/local/share/bkctld/*.
|
||||
|
||||
*LOGLEVEL*
|
||||
|
||||
> Defines the amount of information to log, follows the same scale as in
|
||||
> <*syslog.h*>
|
||||
> and defaults to 6.
|
||||
|
||||
*FIREWALL\_RULES*
|
||||
|
||||
> Configuration file containing the firewall rules that govern jail access.
|
||||
> This file must be sourced by your firewall.
|
||||
> It does not have a default value and, if unset,
|
||||
> bkctld(8)
|
||||
> will not automatically update the firewall.
|
||||
|
||||
# SEE ALSO
|
||||
|
||||
bash(1),
|
||||
evobackup-incl(5),
|
||||
bkctld(8)
|
||||
|
||||
OpenBSD 6.4 - December 28, 2018
|
|
@ -1,6 +1,7 @@
|
|||
# Debian Package
|
||||
|
||||
**bkctld** package can be build from the **debian** branch of this Git repository with git-buildpackage and sbuild.
|
||||
The **bkctld** package can be built from the **debian** branch of
|
||||
this git repository with git-buildpackage and sbuild.
|
||||
|
||||
## Dependencies
|
||||
|
||||
|
@ -37,7 +38,7 @@ sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/sid ht
|
|||
|
||||
## Build
|
||||
|
||||
You must be in **debian** branch :
|
||||
You must be in the **debian** branch :
|
||||
|
||||
~~~
|
||||
git checkout debian
|
||||
|
|
80
docs/incrementals.md
Normal file
80
docs/incrementals.md
Normal file
|
@ -0,0 +1,80 @@
|
|||
EVOBACKUP-INCL(5) - File Formats Manual
|
||||
|
||||
# NAME
|
||||
|
||||
**evobackup-incl** - incremental backup configuration
|
||||
|
||||
# SYNOPSIS
|
||||
|
||||
> \+%Y-%m-%d.-%day
|
||||
|
||||
# DESCRIPTION
|
||||
|
||||
Located by default in
|
||||
*/etc/evobackup/*,
|
||||
each
|
||||
**evobackup-incl**
|
||||
file is named after the
|
||||
bkctld(8)
|
||||
backup for which the rules it contains must apply.
|
||||
|
||||
The rules it defines decide which incremental backups are kept when running
|
||||
|
||||
# bkctld rm
|
||||
|
||||
Each line defines a single rule.
|
||||
The first part of the rule describes when the backup was taken,
|
||||
the second part decides how long to keep it.
|
||||
Lines beginning with the
|
||||
'#'
|
||||
character are comments and are ignored.
|
||||
The order of the rules does not matter.
|
||||
|
||||
Evobackups that do not have their nominal
|
||||
**evobackup-incl**
|
||||
file use the default rules defined in
|
||||
*/usr/share/bkctld/inc.tpl*
|
||||
|
||||
# EXAMPLES
|
||||
|
||||
Keep today's backup:
|
||||
|
||||
+%Y-%m-%d.-0day
|
||||
|
||||
Keep yesterday's backup:
|
||||
|
||||
+%Y-%m-%d.-1day
|
||||
|
||||
Keep the first day of this month:
|
||||
|
||||
+%Y-%m-01.-0month
|
||||
|
||||
Keep the first day of last month:
|
||||
|
||||
+%Y-%m-01.-1month
|
||||
|
||||
Keep backups for every 15 days:
|
||||
|
||||
+%Y-%m-01.-1month
|
||||
+%Y-%m-15.-1month
|
||||
|
||||
Keep a backup of the first day of january:
|
||||
|
||||
+%Y-01-01.-1month
|
||||
|
||||
Keep backups of the last 4 days and the first day of the last 2 months:
|
||||
|
||||
+%Y-%m-%d.-0day
|
||||
+%Y-%m-%d.-1day
|
||||
+%Y-%m-%d.-2day
|
||||
+%Y-%m-%d.-3day
|
||||
+%Y-%m-01.-0month
|
||||
+%Y-%m-01.-1month
|
||||
|
||||
# SEE ALSO
|
||||
|
||||
bkctld(8),
|
||||
cron(8),
|
||||
*/etc/evobackup/tpl/inc.tpl*
|
||||
|
||||
OpenBSD 6.4 - December 28, 2018
|
47
docs/install.md
Normal file
47
docs/install.md
Normal file
|
@ -0,0 +1,47 @@
|
|||
# Install
|
||||
|
||||
A Debian package is available in the Evolix repository
|
||||
|
||||
~~~
|
||||
echo "http://pub.evolix.net/jessie/" >> /etc/apt/sources.list
|
||||
apt update
|
||||
apt install bkctld
|
||||
~~~
|
||||
|
||||
Then edit `/etc//bkctld`
|
||||
|
||||
## Chroot dependencies
|
||||
|
||||
The chroot jails depend on these packages
|
||||
|
||||
~~~
|
||||
apt install \
|
||||
bash \
|
||||
coreutils \
|
||||
sed \
|
||||
dash \
|
||||
mount \
|
||||
rsync \
|
||||
openssh-server \
|
||||
openssh-sftp-server \
|
||||
libc6-i386 \
|
||||
libc6
|
||||
~~~
|
||||
|
||||
## Client dependencies
|
||||
|
||||
The clients only require OpenSSH and rsync.
|
||||
|
||||
### Cron job for incremental backups
|
||||
|
||||
Edit the root crontab
|
||||
|
||||
~~~
|
||||
# crontab -e
|
||||
+ 30 10 * * * /usr/sbin/bkctld inc && /usr/sbin/bkctld rm
|
||||
~~~
|
||||
|
||||
## Notes
|
||||
If you want mutiples backups in a day (1 by hour maximum) you can
|
||||
run `bkctld inc` multiples times, if you want to keep incremental
|
||||
backups **for ever**, just don't run `bkctld rm`.
|
313
docs/usage.md
313
docs/usage.md
|
@ -1,232 +1,207 @@
|
|||
BKCTLD(8) - System Manager's Manual
|
||||
|
||||
# NAME
|
||||
|
||||
bkctld - tool to manage evobackup jail
|
||||
**bkctld** - tool to manage evobackup jails
|
||||
|
||||
# SYNOPSIS
|
||||
|
||||
~~~
|
||||
bkctld <command> [<args>]
|
||||
~~~
|
||||
**bkctld**
|
||||
\[*operand...*]
|
||||
|
||||
# DESCRIPTION
|
||||
|
||||
bkctld is a shell script used to set up and manage a backup server able to receive data from many servers (clients).
|
||||
**bkctld**
|
||||
is a shell script that creates and manages a backup server
|
||||
which can handle the backups of many other servers (clients).
|
||||
|
||||
The aim is to run a SSH chroot environment (called "jails" in the FreeBSD world) for every single client. The client will then be able to send data over SSH using rsync in his own chroot environment (using root account).
|
||||
It uses
|
||||
ssh(1)
|
||||
and
|
||||
chroot(8)
|
||||
to sandbox every client's backups.
|
||||
Each client will upload it's data every day
|
||||
using
|
||||
rsync(1)
|
||||
in it's
|
||||
chroot(8)
|
||||
(using the root account).
|
||||
|
||||
Incrementals are stored outside the chroot using hard links or btrfs snapshots (thus incrementals are not accessible by clients). This method has the advantage to keep incrementals securely isolated using low space on device.
|
||||
Prior backups are stored incrementally outside of the
|
||||
chroot(8)
|
||||
using
|
||||
ln(1)
|
||||
hard links or BTRFS snapshots.
|
||||
(So they can not be affected by the client),
|
||||
which backups are kept over time can be configured in the jail's nominal
|
||||
evobackup-incl(5)
|
||||
configuration file.
|
||||
|
||||
A suitable volume size must be mounted on /backup (usage of **btrfs** is preferable, providing subvolume and snapshot fonctionnality). For security reason, you can use an encrypted volume (e.g. **luks**)
|
||||
A large enough volume must be mounted on
|
||||
*/backup*,
|
||||
if the filesystem is formatted with BTRFS,
|
||||
**bkctld**
|
||||
will use sub-volumes and snapshots to save space.
|
||||
|
||||
# BKCTLD COMMANDS
|
||||
It's default settings can be overridden in
|
||||
bkctld.conf(5)
|
||||
file.
|
||||
|
||||
Create an evobackup jail :
|
||||
The following operands are available:
|
||||
|
||||
~~~
|
||||
bkctld init <jailname>
|
||||
~~~
|
||||
**init** *jailname*
|
||||
|
||||
Update an evobackup jail or all :
|
||||
> Create an evobackup jail
|
||||
|
||||
~~~
|
||||
bkctld update <jailname>|all
|
||||
~~~
|
||||
**update** **all** | *jailname*
|
||||
|
||||
Remove an evobackup jail or all :
|
||||
> Update an evobackup jail
|
||||
|
||||
~~~
|
||||
bkctld remove <jailname>|all
|
||||
~~~
|
||||
**remove** **all** | *jailname*
|
||||
|
||||
Start an evobackup jail or all :
|
||||
> Remove an evobackup jail
|
||||
|
||||
~~~
|
||||
bkctld start <jailname>|all
|
||||
~~~
|
||||
**start** **all** | *jailname*
|
||||
|
||||
Stop an evobackup jail or all :
|
||||
> Start an evobackup jail
|
||||
|
||||
~~~
|
||||
bkctld stop <jailname>|all
|
||||
~~~
|
||||
**stop** **all** | *jailname*
|
||||
|
||||
Reload an evobackup jail or all :
|
||||
> Stop an evobackup jail
|
||||
|
||||
~~~
|
||||
bkctld reload <jailname>|all
|
||||
~~~
|
||||
|
||||
Restart an evobackup jail or all :
|
||||
**reload** **all** | *jailname*
|
||||
|
||||
~~~
|
||||
bkctld restart <jailname>|all
|
||||
~~~
|
||||
> Reload an evobackup jail
|
||||
|
||||
Sync an evobackup jail or all.
|
||||
Second server is defined by $NODE var in /etc/default/bkctld :
|
||||
**restart** **all** | *jailname*
|
||||
|
||||
~~~
|
||||
bkctld sync <jailname>|all
|
||||
~~~
|
||||
> Restart an evobackup jail
|
||||
|
||||
Print status of all evobackup jail or one jail :
|
||||
**sync** **all** | *jailname*
|
||||
|
||||
~~~
|
||||
bkctld status [<jailname>]
|
||||
~~~
|
||||
> Sync an evobackup jail, the mirror server is defined by the
|
||||
> `$NODE`
|
||||
> variable in
|
||||
> */etc/default/bkctld*
|
||||
|
||||
Print or set the SSH public key of an evobackup jail :
|
||||
**status** \[*jailname*]
|
||||
|
||||
~~~
|
||||
bkctld key <jailname> [<keyfile>]
|
||||
~~~
|
||||
> Print the status of all jails or only
|
||||
> \[*jailname*].
|
||||
|
||||
Print or set the SSH port of an evobackup jail.
|
||||
Auto to set next available port (last + 1) :
|
||||
**key** *jailname* \[*keyfile*]
|
||||
|
||||
~~~
|
||||
bkctld port <jailname> [<ssh_port>|auto]
|
||||
~~~
|
||||
> Print or set the
|
||||
> ssh(1)
|
||||
> public key of an evobackup jail
|
||||
|
||||
Print or set allowed IP of an evobackup jail.
|
||||
All for unrestricted access (default) :
|
||||
**port** *jailname* \[**auto** | *port*]
|
||||
|
||||
~~~
|
||||
bkctld ip <jailname> [<ip>|all]
|
||||
~~~
|
||||
> Print or set the
|
||||
> ssh(1)
|
||||
> \[*port*]
|
||||
> of an evobackup jail.
|
||||
> Using
|
||||
> \[**auto**]
|
||||
> will set it to the next available port.
|
||||
|
||||
Generate inc of an evobackup jail :
|
||||
**ip** *jailname* \[**all** | *address*]
|
||||
|
||||
~~~
|
||||
bkctld inc
|
||||
~~~
|
||||
> Print or set the whitelisted IP
|
||||
> \[*address*]
|
||||
> for an evobackup jail.
|
||||
> \[**all**]
|
||||
> allows unrestricted access and is the default.
|
||||
|
||||
Remove old inc of an evobackup jail :
|
||||
**inc**
|
||||
|
||||
~~~
|
||||
bkctld rm
|
||||
~~~
|
||||
> Generate incremental backups
|
||||
|
||||
# CONFIGURATION VARS
|
||||
**rm**
|
||||
|
||||
bkctld configuration has to be set in /etc/default/bkctld file.
|
||||
> Remove old incremental backups
|
||||
|
||||
## REQUIREDS VARS
|
||||
# FILES
|
||||
|
||||
Default required vars are defined in bkctld script. Alter them to override default values.
|
||||
*/etc/default/bkctld*
|
||||
|
||||
* CONFDIR (default: /etc/evobackup) : Dir where incremental backup is configured. See INCS CONFIGURATION section for details.
|
||||
* JAILDIR (default : /backup/jails) : Dir for jail's root dir. BTRFS recommended.
|
||||
* INCDIR (default : /backups/incs) : Dir where incremental backup is stored. BTRFS recommended.
|
||||
* TPLDIR (default : /usr/share/bkctld) : Dir where jail template file is stored.
|
||||
* LOCALTPLDIR (default : /usr/local/share/bkctld) : Dir for surcharge jail templates.
|
||||
* LOGLEVEL (default : 6) : Define loglevel, based on syslog severity level.
|
||||
> Template for
|
||||
> bkctld.conf(5)
|
||||
|
||||
## OPTIONALS VARS
|
||||
*/usr/share/bkctld/incl.tpl*
|
||||
|
||||
Optionnals vars are no default value. No set them desactivate correspondant fonctionnality.
|
||||
> Default rules for the incremental backups are stored here.
|
||||
|
||||
* FIREWALL_RULES (default: no firewall auto configuration) : Configuration file were firewall was configured to allow jail access. This file must be sourced by your firewall configuration tool.
|
||||
# EXAMPLES
|
||||
|
||||
# INCS CONFIGURATION
|
||||
Before creating a jail and backing up a client,
|
||||
the backup server administrator will need:
|
||||
|
||||
Incremental backups was configured in $CONFDIR/<jailname>. Some example of syntax.
|
||||
* The host name of the client system.
|
||||
|
||||
Keep the incrememtal backup of today :
|
||||
* The public RSA
|
||||
ssh(1)
|
||||
key for the
|
||||
"root"
|
||||
user of the client system,
|
||||
it is recommended the private key be password-less if automation is desired.
|
||||
|
||||
~~~
|
||||
+%Y-%m-%d.-0day
|
||||
~~~
|
||||
* The IPv4 address of the client system is needed
|
||||
if the administrator wishes to maintain a whitelist,
|
||||
see
|
||||
*FIREWALL\_RULES*
|
||||
in
|
||||
bkctld.conf(5)
|
||||
|
||||
Keep the incremental backup of yesterday :
|
||||
He can then create the jail:
|
||||
|
||||
~~~
|
||||
+%Y-%m-%d.-1day
|
||||
~~~
|
||||
# bkctld init CLIENT_HOST_NAME
|
||||
# bkctld key CLIENT_HOST_NAME /root/CLIENT_HOST_NAME.pub
|
||||
# bkctld ip CLIENT_HOST_NAME CLIENT_IP_ADDRESS
|
||||
# bkctld start CLIENT_HOST_NAME
|
||||
# bkctld status CLIENT_HOST_NAME
|
||||
|
||||
Keep the incremental backup of the first day of this month :
|
||||
And override the default
|
||||
evobackup-incl(5)
|
||||
rules
|
||||
|
||||
~~~
|
||||
+%Y-%m-01.-0month
|
||||
~~~
|
||||
# $EDITOR /etc/evobackup/CLIENT_HOST_NAME
|
||||
|
||||
Keep the incremental backup of the first day of last month :
|
||||
To sync itself,
|
||||
the client server will need to install
|
||||
rsync(1).
|
||||
It can then be run manually:
|
||||
|
||||
~~~
|
||||
+%Y-%m-01.-1month
|
||||
~~~
|
||||
# rsync -av -e "ssh -p JAIL_PORT" /home/ root@BACKUP_SERVER:/var/backup/home/
|
||||
|
||||
Keep the incremental backup of every 15 days :
|
||||
If a more automated setup is required,
|
||||
a script can be written in any programming language.
|
||||
In this case,
|
||||
it may be useful to validate the backup server's identity before hand.
|
||||
|
||||
~~~
|
||||
+%Y-%m-01.-1month
|
||||
+%Y-%m-15.-1month
|
||||
~~~
|
||||
# ssh -p JAIL_PORT BACKUP_SERVER
|
||||
|
||||
Keep the incremental backup of the first january :
|
||||
|
||||
~~~
|
||||
+%Y-01-01.-1month
|
||||
~~~
|
||||
|
||||
Default value : keep incremental of last 4 days and last 2 months. Change default in $LOCALTPLDIR/inc.tpl :
|
||||
|
||||
~~~
|
||||
+%Y-%m-%d.-0day
|
||||
+%Y-%m-%d.-1day
|
||||
+%Y-%m-%d.-2day
|
||||
+%Y-%m-%d.-3day
|
||||
+%Y-%m-01.-0month
|
||||
+%Y-%m-01.-1month
|
||||
~~~
|
||||
|
||||
# CLIENT CONFIGURATION
|
||||
|
||||
You can save various systems on evobackup jail : Linux, BSD, Windows, MacOSX. Only prequisites is rsync command.
|
||||
|
||||
~~~
|
||||
rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/
|
||||
~~~
|
||||
|
||||
You can simply create a shell script which use rsync for backup your's servers. An example script is available in zzz_evobackup for quickstart.
|
||||
|
||||
This documentation explain how to use this example script.
|
||||
|
||||
Install example script in crontab :
|
||||
|
||||
~~~
|
||||
# For Linux
|
||||
install -v -m700 zzz_evobackup /etc/cron.daily/
|
||||
|
||||
# For FreeBSD
|
||||
install -v -m700 zzz_evobackup /etc/periodic/daily/
|
||||
~~~
|
||||
|
||||
Generate an SSH key for root account with no passphrase :
|
||||
|
||||
~~~
|
||||
ssh-keygen
|
||||
~~~
|
||||
|
||||
Sent /root/.ssh/id_rsa.pub to backup server administrator or read BKCTLD COMMANDS section.
|
||||
|
||||
Edit zzz_evobackup script and update this variables :
|
||||
|
||||
* SSH_PORT : Port of corespondant evobackup jail.
|
||||
* MAIL : Email address for notification.
|
||||
* NODE : Use for alternate between mutiple backup servers. Default value permit to save on node0 on pair day and on node1 on impair day.
|
||||
* SRV : Adress of your backup serveur.
|
||||
|
||||
Uncomment service dump, ex Mysql / LDAP / PostgreQL / ...
|
||||
|
||||
Itiniate SSH connection and validate fingerprint :
|
||||
|
||||
~~~
|
||||
ssh -p SSH_PORT SERVER_NAME
|
||||
~~~
|
||||
|
||||
Your daily evobackup is in place !
|
||||
A
|
||||
bash(1)
|
||||
example to be run under the
|
||||
"root"
|
||||
user's
|
||||
crontab(5)
|
||||
can be found in the
|
||||
[source repository](https://gitea.evolix.org/evolix/evobackup/src/branch/master/zzz_evobackup)
|
||||
|
||||
# SEE ALSO
|
||||
|
||||
rsync(1), sshd(8), chroot(8).
|
||||
rsync(1),
|
||||
ssh-keygen(1),
|
||||
bkctld(5),
|
||||
evobackup-incl(5),
|
||||
chroot(8),
|
||||
cron(8),
|
||||
sshd(8)
|
||||
|
||||
# AUTHORS
|
||||
|
||||
Victor Laborie
|
||||
|
||||
OpenBSD 6.4 - December 27, 2018
|
||||
|
|
79
evobackup-incl.5
Normal file
79
evobackup-incl.5
Normal file
|
@ -0,0 +1,79 @@
|
|||
.Dd December 28, 2018
|
||||
.Dt EVOBACKUP-INCL 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm evobackup-incl
|
||||
.Nd incremental backup configuration
|
||||
.Sh SYNOPSIS
|
||||
.D1 +%Y-%m-%d.-%day
|
||||
.Sh DESCRIPTION
|
||||
Located by default in
|
||||
.Pa /etc/evobackup/ ,
|
||||
each
|
||||
.Nm
|
||||
file is named after the
|
||||
.Xr bkctld 8
|
||||
backup for which the rules it contains must apply.
|
||||
.Pp
|
||||
The rules it defines decide which incremental backups are kept when running
|
||||
.Bd -literal -offset indent
|
||||
# bkctld rm
|
||||
.Ed
|
||||
.Pp
|
||||
Each line defines a single rule.
|
||||
The first part of the rule describes when the backup was taken,
|
||||
the second part decides how long to keep it.
|
||||
Lines beginning with the
|
||||
.Sq #
|
||||
character are comments and are ignored.
|
||||
The order of the rules does not matter.
|
||||
.Pp
|
||||
Evobackups that do not have their nominal
|
||||
.Nm
|
||||
file use the default rules defined in
|
||||
.Pa /usr/share/bkctld/inc.tpl
|
||||
.Sh EXAMPLES
|
||||
Keep today's backup:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-%m-%d.-0day
|
||||
.Ed
|
||||
.Pp
|
||||
Keep yesterday's backup:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-%m-%d.-1day
|
||||
.Ed
|
||||
.Pp
|
||||
Keep the first day of this month:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-%m-01.-0month
|
||||
.Ed
|
||||
.Pp
|
||||
Keep the first day of last month:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-%m-01.-1month
|
||||
.Ed
|
||||
.Pp
|
||||
Keep backups for every 15 days:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-%m-01.-1month
|
||||
+%Y-%m-15.-1month
|
||||
.Ed
|
||||
.Pp
|
||||
Keep a backup of the first day of january:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-01-01.-1month
|
||||
.Ed
|
||||
.Pp
|
||||
Keep backups of the last 4 days and the first day of the last 2 months:
|
||||
.Bd -literal -offset indent
|
||||
+%Y-%m-%d.-0day
|
||||
+%Y-%m-%d.-1day
|
||||
+%Y-%m-%d.-2day
|
||||
+%Y-%m-%d.-3day
|
||||
+%Y-%m-01.-0month
|
||||
+%Y-%m-01.-1month
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr bkctld 8 ,
|
||||
.Xr cron 8 ,
|
||||
.Pa /etc/evobackup/tpl/inc.tpl
|
70
lib/bkctld-check
Executable file
70
lib/bkctld-check
Executable file
|
@ -0,0 +1,70 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Run check on jails (NRPE output)
|
||||
# Usage: check
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
cur_time=$(date "+%s")
|
||||
return=0
|
||||
nb_crit=0
|
||||
nb_warn=0
|
||||
nb_ok=0
|
||||
nb_unkn=0
|
||||
output=""
|
||||
|
||||
if [ -b "${BACKUP_DISK}" ]; then
|
||||
cryptsetup isLuks "${BACKUP_DISK}"
|
||||
if [ "$?" -eq 0 ]; then
|
||||
if [ ! -b '/dev/mapper/backup' ]; then
|
||||
echo "Luks disk ${BACKUP_DISK} is not mounted !\n"
|
||||
echo "cryptsetup luksOpen ${BACKUP_DISK} backup"
|
||||
exit 2
|
||||
fi
|
||||
BACKUP_DISK='/dev/mapper/backup'
|
||||
fi
|
||||
grep -qE "^${BACKUP_DISK} " /etc/mtab
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Backup disk ${BACKUP_DISK} is not mounted !\n"
|
||||
echo "mount ${BACKUP_DISK} /backup"
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
for jail in $("${LIBDIR}/bkctld-list"); do
|
||||
if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then
|
||||
last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog")
|
||||
date_diff=$(( (cur_time - last_conn) / (60*60) ))
|
||||
if [ "${date_diff}" -gt "${CRITICAL}" ]; then
|
||||
nb_crit=$((nb_crit + 1))
|
||||
output="${output}CRITICAL - ${jail} - ${date_diff} hours\n"
|
||||
[ "${return}" -le 2 ] && return=2
|
||||
elif [ "${date_diff}" -gt "${WARNING}" ]; then
|
||||
nb_warn=$((nb_warn + 1))
|
||||
output="${output}WARNING - ${jail} - ${date_diff} hours\n"
|
||||
[ "${return}" -le 1 ] && return=1
|
||||
else
|
||||
nb_ok=$((nb_ok + 1))
|
||||
output="${output}OK - ${jail} - ${date_diff} hours\n"
|
||||
fi
|
||||
else
|
||||
nb_unkn=$((nb_unkn + 1))
|
||||
output="${output}UNKNOWN - ${jail} doesn't have lastlog !\n"
|
||||
[ "${return}" -le 3 ] && return=3
|
||||
fi
|
||||
done
|
||||
|
||||
[ "${return}" -ge 0 ] && header="OK"
|
||||
[ "${return}" -ge 1 ] && header="WARNING"
|
||||
[ "${return}" -ge 2 ] && header="CRITICAL"
|
||||
[ "${return}" -ge 3 ] && header="UNKNOW"
|
||||
|
||||
printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
|
||||
|
||||
printf "${output}" | grep -E "^UNKNOW"
|
||||
printf "${output}" | grep -E "^CRITICAL"
|
||||
printf "${output}" | grep -E "^WARNING"
|
||||
printf "${output}" | grep -E "^OK"
|
||||
|
||||
exit "${return}"
|
24
lib/bkctld-firewall
Executable file
24
lib/bkctld-firewall
Executable file
|
@ -0,0 +1,24 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Update firewall rules of <jailname> or all
|
||||
# Usage: firewall <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
|
||||
if [ -n "${FIREWALL_RULES}" ]; then
|
||||
[ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail}$/d" "${FIREWALL_RULES}"
|
||||
if [ -d "${JAILDIR}/${jail}" ]; then
|
||||
port=$("${LIBDIR}/bkctld-port" "${jail}")
|
||||
for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do
|
||||
echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}"
|
||||
done
|
||||
[ -f /etc/init.d/minifirewall ] && /etc/init.d/minifirewall restart >/dev/null
|
||||
fi
|
||||
notice "${jail} : firewall rules updated"
|
||||
fi
|
21
lib/bkctld-help
Executable file
21
lib/bkctld-help
Executable file
|
@ -0,0 +1,21 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Print this help
|
||||
# Usage: help
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
cat <<EOF
|
||||
Usage: bkctld <subcommand> [options]
|
||||
Subcommands:
|
||||
EOF
|
||||
|
||||
for subcommand in ${LIBDIR}/bkctld-*; do
|
||||
name=$(basename "${subcommand}"|sed 's/^bkctld-//')
|
||||
desc=$(grep -E "^#" "${subcommand}"|sed -n '3p'|sed "s/^# //")
|
||||
usage=$(grep -E "^# Usage: ${name}" "${subcommand}"|sed "s/^# Usage: ${name}//")
|
||||
printf " %- 10s %- 30s %- 40s\n" "${name}" "${usage}" "${desc}"
|
||||
done
|
||||
|
||||
printf "\n"
|
26
lib/bkctld-inc
Executable file
26
lib/bkctld-inc
Executable file
|
@ -0,0 +1,26 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Make incremental inc of all jails
|
||||
# Usage: inc
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
date=$(date +"%Y-%m-%d-%H")
|
||||
for jail in $("${LIBDIR}/bkctld-list"); do
|
||||
inc="${INCDIR}/${jail}/${date}"
|
||||
mkdir -p "${INCDIR}/${jail}"
|
||||
if [ ! -d "${inc}" ]; then
|
||||
start=$(date +"%H:%M:%S")
|
||||
jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
|
||||
if [ "$jail_inode" -eq 256 ]; then
|
||||
/bin/btrfs subvolume snapshot -r "${JAILDIR}/${jail}" "${inc}" | debug
|
||||
else
|
||||
cp -alx "${JAILDIR}/${jail}/" "${inc}" | debug
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : made ${date} inc [${start}/${end}]"
|
||||
else
|
||||
warning "${jail} : trying to made already existant inc"
|
||||
fi
|
||||
done
|
35
lib/bkctld-init
Executable file
35
lib/bkctld-init
Executable file
|
@ -0,0 +1,35 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Init jail <jailname>
|
||||
# Usage: init <jailname>
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] && error "${jail} : trying to create existant jail"
|
||||
|
||||
mkdir -p "${CONFDIR}" "${JAILDIR}"
|
||||
sshd_config="${TPLDIR}/sshd_config"
|
||||
inctpl="${TPLDIR}/inc.tpl"
|
||||
[ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config"
|
||||
[ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl"
|
||||
|
||||
rootdir=$(dirname "${JAILDIR}")
|
||||
rootdir_inode=$(stat --format=%i "${rootdir}")
|
||||
jaildir_inode=$(stat --format=%i "${JAILDIR}")
|
||||
if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume create "${JAILDIR}/${jail}"
|
||||
else
|
||||
mkdir -p "${JAILDIR}/${jail}"
|
||||
fi
|
||||
. "${LIBDIR}/mkjail"
|
||||
info "4 - Copie default sshd_config"
|
||||
install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}"
|
||||
info "5 - Copie default inc configuration"
|
||||
install -m 0640 "${inctpl}" "${CONFDIR}/${jail}"
|
||||
"${LIBDIR}/bkctld-port" "${jail}" auto
|
||||
notice "${jail} : created jail"
|
35
lib/bkctld-ip
Executable file
35
lib/bkctld-ip
Executable file
|
@ -0,0 +1,35 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Set or get allowed(s) ip(s) of <jailname>
|
||||
# Usage: ip <jailname> [<ip>|all]
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
ip="${2:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${ip}" ]; then
|
||||
grep -E "^AllowUsers" "${JAILDIR}/$jail/${SSHD_CONFIG}"|grep -Eo "root@[^ ]+"| while read allow; do
|
||||
echo "${allow}"|cut -d'@' -f2
|
||||
done
|
||||
else
|
||||
if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then
|
||||
ips="0.0.0.0/0"
|
||||
else
|
||||
ips=$("${LIBDIR}/bkctld-ip" "${jail}")
|
||||
ips=$(echo "${ips}" "${ip}"|xargs -n1|grep -v "0.0.0.0/0"|sort|uniq)
|
||||
fi
|
||||
allow="AllowUsers"
|
||||
for ip in $ips; do
|
||||
allow="${allow} root@${ip}"
|
||||
done
|
||||
sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}"
|
||||
notice "${jail} : update ip => ${ip}"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
|
||||
"${LIBDIR}/bkctld-firewall" "${jail}"
|
||||
fi
|
26
lib/bkctld-is-on
Executable file
26
lib/bkctld-is-on
Executable file
|
@ -0,0 +1,26 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Check if a jail is on or not
|
||||
# Usage: is-on <jailname>
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail"
|
||||
|
||||
jail="${1}"
|
||||
return=1
|
||||
if [ -f "${JAILDIR}/${jail}/${SSHD_PID}" ]; then
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
ps -p "${pid}" > /dev/null && return=0
|
||||
fi
|
||||
if [ "${return}" -eq 1 ]; then
|
||||
rm -f "${JAILDIR}/${jail}/${SSHD_PID}"
|
||||
grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy "${JAILDIR}/${jail}/proc/"
|
||||
grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}/dev"
|
||||
fi
|
||||
exit "${return}"
|
27
lib/bkctld-key
Executable file
27
lib/bkctld-key
Executable file
|
@ -0,0 +1,27 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Set or get ssh pubic key of <jailname>
|
||||
# Usage: key <jailname> [<keyfile>]
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
keyfile="${2:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${keyfile}" ]; then
|
||||
if [ -f "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" ]; then
|
||||
cat "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
fi
|
||||
else
|
||||
[ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !"
|
||||
cat "${keyfile}" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
chmod 600 "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
notice "${jail} : update key => ${keyfile}"
|
||||
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
|
||||
fi
|
12
lib/bkctld-list
Executable file
12
lib/bkctld-list
Executable file
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# List jails
|
||||
# Usage: list
|
||||
#
|
||||
|
||||
set -eu
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
[ -d "${JAILDIR}" ] || exit 0
|
||||
find "${JAILDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!'
|
28
lib/bkctld-port
Executable file
28
lib/bkctld-port
Executable file
|
@ -0,0 +1,28 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Set or get ssh port of <jailname>
|
||||
# Usage: port <jailname> [<port>|auto]
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
port="${2:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${port}" ]; then
|
||||
grep -E "Port [0-9]+" "${JAILDIR}/${jail}/${SSHD_CONFIG}"|grep -oE "[0-9]+"
|
||||
else
|
||||
if [ "${port}" = "auto" ]; then
|
||||
port=$(grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}" 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1)
|
||||
port=$((port+1))
|
||||
[ "${port}" -le 1 ] && port=2222
|
||||
fi
|
||||
sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}"
|
||||
notice "${jail} : update port => ${port}"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
|
||||
"${LIBDIR}/bkctld-firewall" "${jail}"
|
||||
fi
|
18
lib/bkctld-reload
Executable file
18
lib/bkctld-reload
Executable file
|
@ -0,0 +1,18 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Reload jail <jailname> or all
|
||||
# Usage: reload <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" || exit 0
|
||||
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
|
||||
kill -HUP "${pid}" && notice "${jail} was reloaded [${pid}]"
|
36
lib/bkctld-remove
Executable file
36
lib/bkctld-remove
Executable file
|
@ -0,0 +1,36 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Remove jail <jailname> or all
|
||||
# Usage: remove <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
|
||||
|
||||
rm -f "${CONFDIR}/${jail}"
|
||||
jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
|
||||
if [ "${jail_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${JAILDIR}/${jail}" | debug
|
||||
else
|
||||
rm -rf "${JAILDIR}/${jail}" | debug
|
||||
fi
|
||||
if [ -d "${INCDIR}/${jail}" ]; then
|
||||
incs=$(ls "${INCDIR}/${jail}")
|
||||
for inc in ${incs}; do
|
||||
inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug
|
||||
else
|
||||
warning "You need to purge ${INCDIR}/${jail}/${inc} manually !"
|
||||
fi
|
||||
done
|
||||
rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug
|
||||
fi
|
||||
"${LIBDIR}/bkctld-firewall" "${jail}"
|
||||
notice "${jail} : deleted jail"
|
17
lib/bkctld-restart
Executable file
17
lib/bkctld-restart
Executable file
|
@ -0,0 +1,17 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Restart jail <jailname> or all
|
||||
# Usage: restart <jailname>|all
|
||||
#
|
||||
|
||||
set -eu
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
|
||||
"${LIBDIR}/bkctld-start" "${jail}"
|
48
lib/bkctld-rm
Executable file
48
lib/bkctld-rm
Executable file
|
@ -0,0 +1,48 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Remove old incremtal inc of all jails
|
||||
# Usage: rm
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
empty="/tmp/bkctld-${$}-$(date +%N))"
|
||||
mkdir "${empty}"
|
||||
pidfile="/var/run/bkctld-rm.pid"
|
||||
if [ -f "${pidfile}" ]; then
|
||||
pid=$(cat "${pidfile}")
|
||||
ps -u "${pid}" >/dev/null
|
||||
if [ "${?}" -eq 0 ]; then
|
||||
kill -9 "${pid}"
|
||||
warning "${0} rm always run (PID ${pid}), killed by ${$} !"
|
||||
fi
|
||||
rm "${pidfile}"
|
||||
fi
|
||||
echo "${$}" > "${pidfile}"
|
||||
for jail in $("${LIBDIR}/bkctld-list"); do
|
||||
incs=$(ls "${INCDIR}/${jail}")
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
keepfile="$(mktemp)"
|
||||
while read j; do
|
||||
date=$( echo "${j}" | cut -d. -f1 )
|
||||
before=$( echo "${j}" | cut -d. -f2 )
|
||||
date -d "$(date "${date}") ${before}" "+%Y-%m-%d"
|
||||
done < "${CONFDIR}/${jail}" > "${keepfile}"
|
||||
for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do
|
||||
start=$(date +"%H:%M:%S")
|
||||
inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${j}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${INCDIR}/${jail}/${j}" | debug
|
||||
else
|
||||
cd "${INCDIR}/${jail}"
|
||||
rsync -a --delete "${empty}/" "${j}/"
|
||||
rmdir "${j}"
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : deleted ${j} inc [${start}/${end}]"
|
||||
done
|
||||
rm "${keepfile}"
|
||||
fi
|
||||
done
|
||||
rmdir "${empty}"
|
||||
rm "${pidfile}"
|
42
lib/bkctld-start
Executable file
42
lib/bkctld-start
Executable file
|
@ -0,0 +1,42 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Start jail <jailname> or all
|
||||
# Usage: start <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && exit 0
|
||||
|
||||
cd "${JAILDIR}/${jail}"
|
||||
grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc
|
||||
grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev
|
||||
[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
|
||||
[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
|
||||
[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
|
||||
[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
|
||||
[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
|
||||
[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
|
||||
[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
|
||||
chown root:tty dev/console dev/ptmx dev/tty
|
||||
ln -fs proc/self/fd dev/fd
|
||||
ln -fs proc/self/fd/0 dev/stdin
|
||||
ln -fs proc/self/fd/1 dev/stdout
|
||||
ln -fs proc/self/fd/2 dev/stderr
|
||||
ln -fs proc/kcore dev/core
|
||||
mkdir -p dev/pts
|
||||
mkdir -p dev/shm
|
||||
grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
|
||||
grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
|
||||
chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog || error "${jail} : error on starting sshd"
|
||||
pidfile="${JAILDIR}/${jail}/${SSHD_PID}"
|
||||
for try in {1..10}; do
|
||||
[ -f "${pidfile}" ] || sleep 0.3
|
||||
done
|
||||
pid=$(cat "${pidfile}")
|
||||
notice "${jail} was started [${pid}]"
|
34
lib/bkctld-stats
Executable file
34
lib/bkctld-stats
Executable file
|
@ -0,0 +1,34 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Make and display stats on jails (size, lastconn)
|
||||
# Usage: stats
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
mkdir -p "${INDEX_DIR}"
|
||||
lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- <<EOF >/dev/null 2>&1 &
|
||||
ionice -c3 "${DUC}" index -d "${IDX_FILE}" "${JAILDIR}"
|
||||
touch "${INDEX_DIR}/.lastrun.duc"
|
||||
EOF
|
||||
[ ! -f "${INDEX_DIR}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0
|
||||
[ ! -f ${IDX_FILE} ] && error "Index file do not exits !"
|
||||
printf "Last update of index file : "
|
||||
stat --format=%Y "${INDEX_DIR}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}"
|
||||
echo "<jail> <size> <incs> <lastconn>" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $1, $2, $3, $4); }'
|
||||
duc_output=$(mktemp)
|
||||
stat_output=$(mktemp)
|
||||
incs_output=$(mktemp)
|
||||
trap "rm ${duc_output} ${incs_output} ${stat_output}" 0
|
||||
"${DUC}" ls -d "${IDX_FILE}" "${JAILDIR}" > "${duc_output}"
|
||||
awk '{ print $2 }' "${duc_output}" | while read jail; do
|
||||
stat --format=%Y "/backup/jails/${jail}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
|
||||
inc=0
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}")
|
||||
month=$(grep -c "month" "${CONFDIR}/${jail}")
|
||||
inc="${day}/${month}"
|
||||
fi
|
||||
echo "${inc}" >> "${incs_output}"
|
||||
done
|
||||
paste "${duc_output}" "${incs_output}" "${stat_output}" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $2, $1, $3, $4); }'
|
25
lib/bkctld-status
Executable file
25
lib/bkctld-status
Executable file
|
@ -0,0 +1,25 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Print status of <jailname> (default all jail)
|
||||
# Usage: status [<jailname>]
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"
|
||||
|
||||
inc="0"
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}")
|
||||
month=$(grep -c "month" "${CONFDIR}/${jail}")
|
||||
inc="${day}/${month}"
|
||||
fi
|
||||
status="OFF"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && status="ON "
|
||||
port=$("${LIBDIR}/bkctld-port" "${jail}")
|
||||
ip=$("${LIBDIR}/bkctld-ip" "${jail}"|xargs|tr -s ' ' ',')
|
||||
echo "${jail} ${status} ${port} ${inc} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }'
|
22
lib/bkctld-stop
Executable file
22
lib/bkctld-stop
Executable file
|
@ -0,0 +1,22 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Stop jail <jailname> or all
|
||||
# Usage: stop <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" || exit 0
|
||||
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
for conn in $(ps --ppid "${pid}" -o pid=); do
|
||||
kill "${conn}"
|
||||
done
|
||||
kill "${pid}" && notice "${jail} was stopped [${pid}]"
|
||||
umount --lazy --recursive "${JAILDIR}/${jail}/dev"
|
||||
umount --lazy "${JAILDIR}/${jail}/proc/"
|
25
lib/bkctld-sync
Executable file
25
lib/bkctld-sync
Executable file
|
@ -0,0 +1,25 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Sync jail <jailname> or all to another node
|
||||
# Usage: sync <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail"
|
||||
|
||||
[ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !"
|
||||
|
||||
jail="${1}"
|
||||
ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail}" | debug
|
||||
rsync -a "${JAILDIR}/${jail}/" "${NODE}:${JAILDIR}/${jail}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/*
|
||||
rsync -a "${CONFDIR}/${jail}" "${NODE}:${CONFDIR}/${jail}"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail}" | debug
|
||||
if [ -n "${FIREWALL_RULES}" ]; then
|
||||
rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}"
|
||||
ssh "${NODE}" /etc/init.d/minifirewall restart | debug
|
||||
fi
|
17
lib/bkctld-update
Executable file
17
lib/bkctld-update
Executable file
|
@ -0,0 +1,17 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Update jail <jailname> or all
|
||||
# Usage: update <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to update inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
|
||||
|
||||
. "${LIBDIR}/mkjail"
|
||||
notice "${jail} : updated jail"
|
64
lib/config
Executable file
64
lib/config
Executable file
|
@ -0,0 +1,64 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Config for bkctld
|
||||
#
|
||||
|
||||
[ -f /etc/default/bkctld ] && . /etc/default/bkctld
|
||||
LIBDIR=${LIBDIR:-/usr/lib/bkctld}
|
||||
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
||||
BACKUP_DISK="${BACKUP_DISK:-}"
|
||||
JAILDIR="${JAILDIR:-/backup/jails}"
|
||||
INCDIR="${INCDIR:-/backup/incs}"
|
||||
TPLDIR="${TPLDIR:-/usr/share/bkctld}"
|
||||
INDEX_DIR="${INDEX_DIR:-/backup/index}"
|
||||
IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
|
||||
LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
|
||||
SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
|
||||
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
|
||||
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}"
|
||||
FIREWALL_RULES="${FIREWALL_RULES:-}"
|
||||
LOGLEVEL="${LOGLEVEL:-6}"
|
||||
CRITICAL="${CRITICAL:-48}"
|
||||
WARNING="${WARNING:-24}"
|
||||
DUC=$(command -v duc-nox||command -v duc)
|
||||
|
||||
debug() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
if [ "${LOGLEVEL}" -ge 7 ]; then
|
||||
echo "${msg}"
|
||||
logger -t bkctld -p daemon.debug "${msg}"
|
||||
fi
|
||||
}
|
||||
|
||||
info() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
if [ "${LOGLEVEL}" -ge 6 ]; then
|
||||
tty -s && echo "${msg}"
|
||||
logger -t bkctld -p daemon.info "${msg}"
|
||||
fi
|
||||
}
|
||||
|
||||
notice() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
tty -s && echo "${msg}"
|
||||
[ "${LOGLEVEL}" -ge 5 ] && logger -t bkctld -p daemon.notice "${msg}"
|
||||
}
|
||||
|
||||
warning() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
tty -s && echo "WARNING : ${msg}" >&2
|
||||
if [ "${LOGLEVEL}" -ge 4 ]; then
|
||||
tty -s || echo "WARNING : ${msg}" >&2
|
||||
logger -t bkctld -p daemon.warning "${msg}"
|
||||
fi
|
||||
}
|
||||
|
||||
error() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
tty -s && echo "ERROR : ${msg}" >&2
|
||||
if [ "${LOGLEVEL}" -ge 5 ]; then
|
||||
tty -s || echo "ERROR : ${msg}" >&2
|
||||
logger -t bkctld -p daemon.error "${msg}"
|
||||
fi
|
||||
exit 1
|
||||
}
|
44
lib/mkjail
Executable file
44
lib/mkjail
Executable file
|
@ -0,0 +1,44 @@
|
|||
#!/bin/sh
|
||||
|
||||
passwd="${TPLDIR}/passwd"
|
||||
shadow="${TPLDIR}/shadow"
|
||||
group="${TPLDIR}/group"
|
||||
sshrc="${TPLDIR}/sshrc"
|
||||
[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
|
||||
[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
|
||||
[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
|
||||
[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
|
||||
umask 077
|
||||
|
||||
info "1 - Creating the chroot"
|
||||
cd "${JAILDIR}/${jail}"
|
||||
rm -rf bin lib lib64 run usr var/run etc/ssh/*key
|
||||
mkdir -p dev proc
|
||||
mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64
|
||||
mkdir -p etc/ssh var/log run/sshd
|
||||
mkdir -p root/.ssh var/backup -m 0700
|
||||
ln -s usr/bin bin
|
||||
ln -s usr/lib lib
|
||||
ln -s usr/lib64 lib64
|
||||
ln -st var ../run
|
||||
touch var/log/lastlog var/log/wtmp run/utmp
|
||||
|
||||
info "2 - Copying essential files"
|
||||
[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh
|
||||
[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh
|
||||
[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh
|
||||
cp "${passwd}" etc
|
||||
cp "${shadow}" etc
|
||||
cp "${group}" etc
|
||||
cp "${sshrc}" etc/ssh
|
||||
|
||||
info "3 - Copying binaries"
|
||||
cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
|
||||
cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
|
||||
|
||||
for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
|
||||
cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
|
||||
for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
|
||||
cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
|
||||
done
|
||||
done
|
|
@ -1,11 +0,0 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
@test "generate" {
|
||||
jails="test0 test1 test2 test3 test4 test5"
|
||||
for jail in ${jails}; do
|
||||
bkctld init "${jail}"
|
||||
random=$(od -An -N4 -i < /dev/urandom|grep -Eo "[0-9]{2}$")
|
||||
date=$(date -d "${random} hour ago")
|
||||
touch -m --date="${date}" "/backup/jails/${jail}/var/log/lastlog"
|
||||
done
|
||||
}
|
128
test/main.bats
128
test/main.bats
|
@ -5,129 +5,129 @@ setup() {
|
|||
date=$(date +"%Y-%m-%d-%H")
|
||||
inode=$(stat --format=%i /backup)
|
||||
rm -f /root/bkctld.key* && ssh-keygen -t rsa -N "" -f /root/bkctld.key -q
|
||||
[ -f /etc/default/bkctld ] && . /etc/default/bkctld
|
||||
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
||||
JAILDIR="${JAILDIR:-/backup/jails}"
|
||||
INCDIR="${INCDIR:-/backup/incs}"
|
||||
TPLDIR="${TPLDIR:-/usr/share/bkctld}"
|
||||
LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
|
||||
SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
|
||||
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
|
||||
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}"
|
||||
FIREWALL_RULES="${FIREWALL_RULES:-}"
|
||||
LOGLEVEL="${LOGLEVEL:-6}"
|
||||
. /usr/lib/bkctld/config
|
||||
JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1)
|
||||
}
|
||||
|
||||
teardown() {
|
||||
bkctld remove all && rm -rf "${INCDIR}/*"
|
||||
/usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCDIR}/*"
|
||||
}
|
||||
|
||||
@test "init" {
|
||||
bkctld init test
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
inode=$(stat --format=%i /backup)
|
||||
if [ "${inode}" -eq 256 ]; then
|
||||
run stat --format=%i "${JAILDIR}/test"
|
||||
run stat --format=%i "${JAILDIR}/${JAILNAME}"
|
||||
[ "${output}" -eq 256 ]
|
||||
else
|
||||
run test -d "${JAILDIR}/test"
|
||||
run test -d "${JAILDIR}/${JAILNAME}"
|
||||
[ "${status}" -eq 0 ]
|
||||
fi
|
||||
}
|
||||
|
||||
@test "update" {
|
||||
skip
|
||||
}
|
||||
|
||||
@test "start" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
pid=$(cat "${JAILDIR}/test/${SSHD_PID}")
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
run ps --pid "${pid}"
|
||||
[ "${status}" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "stop" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
pid=$(cat "${JAILDIR}/test/${SSHD_PID}")
|
||||
bkctld stop test
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
/usr/lib/bkctld/bkctld-stop "${JAILNAME}"
|
||||
run ps --pid "${pid}"
|
||||
[ "${status}" -ne 0 ]
|
||||
}
|
||||
|
||||
@test "reload" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
bkctld reload test
|
||||
run grep "Received SIGHUP; restarting." "${JAILDIR}/test/var/log/authlog"
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-reload "${JAILNAME}"
|
||||
run grep "Received SIGHUP; restarting." "${JAILDIR}/${JAILNAME}/var/log/authlog"
|
||||
[ "${status}" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "restart" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
bpid=$(cat "${JAILDIR}/test/${SSHD_PID}")
|
||||
bkctld restart test
|
||||
apid=$(cat "${JAILDIR}/test/${SSHD_PID}")
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
bpid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
/usr/lib/bkctld/bkctld-restart "${JAILNAME}"
|
||||
apid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
[ "${bpid}" -ne "${apid}" ]
|
||||
}
|
||||
|
||||
@test "status" {
|
||||
bkctld init test
|
||||
run bkctld status test
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
run /usr/lib/bkctld/bkctld-status "${JAILNAME}"
|
||||
[ "${status}" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "key" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
bkctld key test /root/bkctld.key.pub
|
||||
run cat /backup/jails/test/root/.ssh/authorized_keys
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub
|
||||
run cat "/backup/jails/${JAILNAME}/root/.ssh/authorized_keys"
|
||||
[ "${status}" -eq 0 ]
|
||||
[ "${output}" = $(cat /root/bkctld.key.pub) ]
|
||||
}
|
||||
|
||||
@test "port" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
bkctld port test "${port}"
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-port "${JAILNAME}" "${port}"
|
||||
run nc -vz 127.0.0.1 "${port}"
|
||||
[ "${status}" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "ip" {
|
||||
skip
|
||||
}
|
||||
|
||||
@test "inc" {
|
||||
bkctld init test
|
||||
bkctld inc
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-inc
|
||||
if [ "${inode}" -eq 256 ]; then
|
||||
run stat --format=%i "${INCDIR}/test/${date}"
|
||||
run stat --format=%i "${INCDIR}/${JAILNAME}/${date}"
|
||||
[ "${output}" -eq 256 ]
|
||||
else
|
||||
run test -d "${INCDIR}/test/${date}"
|
||||
run test -d "${INCDIR}/${JAILNAME}/${date}"
|
||||
[ "${status}" -eq 0 ]
|
||||
fi
|
||||
}
|
||||
|
||||
@test "rm" {
|
||||
skip
|
||||
}
|
||||
|
||||
@test "ssh" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
bkctld port test "${port}"
|
||||
bkctld key test /root/bkctld.key.pub
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-port "${JAILNAME}" "${port}"
|
||||
/usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub
|
||||
run ssh -p "${port}" -i /root/bkctld.key -oStrictHostKeyChecking=no root@127.0.0.1 ls
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "rsync" {
|
||||
bkctld init test
|
||||
bkctld start test
|
||||
bkctld port test "${port}"
|
||||
bkctld key test /root/bkctld.key.pub
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-port "${JAILNAME}" "${port}"
|
||||
/usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub
|
||||
run rsync -a -e "ssh -p ${port} -i /root/bkctld.key -oStrictHostKeyChecking=no" /tmp/ root@127.0.0.1:/var/backup/
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "check-ok" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "check-warning" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
touch --date="$(date -d -2days)" "/backup/jails/${JAILNAME}/var/log/lastlog"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
@test "check-critical" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
touch --date="$(date -d -3days)" "/backup/jails/${JAILNAME}/var/log/lastlog"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
[ "$status" -eq 2 ]
|
||||
}
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env bats
|
||||
|
||||
setup() {
|
||||
bkctld init test
|
||||
}
|
||||
|
||||
teardown() {
|
||||
bkctld remove all
|
||||
}
|
||||
|
||||
@test "ok" {
|
||||
run bkctld check
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "warning" {
|
||||
touch --date="$(date -d -2days)" /backup/jails/*/var/log/lastlog
|
||||
run bkctld check
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
@test "critical" {
|
||||
touch --date="$(date -d -3days)" /backup/jails/*/var/log/lastlog
|
||||
run bkctld check
|
||||
[ "$status" -eq 2 ]
|
||||
}
|
4
tpl/sshrc
Normal file → Executable file
4
tpl/sshrc
Normal file → Executable file
|
@ -1,5 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
# lastlog -S isn't available in login package on Debian Jessie (need Debian Stretch or superior)
|
||||
#/usr/bin/lastlog -Su root
|
||||
/usr/bin/touch /var/log/lastlog
|
||||
/usr/bin/lastlog -Su root
|
||||
|
|
|
@ -1,12 +1,26 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Script Evobackup client
|
||||
# See https://forge.evolix.org/projects/evobackup
|
||||
# See https://gitea.evolix.org/evolix/evobackup
|
||||
#
|
||||
# Author: Gregory Colpart <reg@evolix.fr>
|
||||
# Contributor: Romain Dessort <rdessort@evolix.fr>, Benoît Série <bserie@evolix.fr>, Tristan Pilat <tpilat@evolix.fr>, Victor Laborie <vlaborie@evolix.fr>, Jérémy Lecour <jlecour@evolix.fr>
|
||||
# Contributors:
|
||||
# Romain Dessort <rdessort@evolix.fr>
|
||||
# Benoît Série <bserie@evolix.fr>
|
||||
# Tristan Pilat <tpilat@evolix.fr>
|
||||
# Victor Laborie <vlaborie@evolix.fr>
|
||||
# Jérémy Lecour <jlecour@evolix.fr>
|
||||
#
|
||||
# Licence: AGPLv3
|
||||
#
|
||||
# The following variables must be changed:
|
||||
# SSH_PORT: The Port used for the ssh(1) jail on the backup server
|
||||
# MAIL: The email address to send notifications to.
|
||||
# SRV: The hostname or IP address of the backup server.
|
||||
#
|
||||
# You must then uncomment the various
|
||||
# examples that best suit your case
|
||||
#
|
||||
|
||||
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
||||
|
||||
|
|
Loading…
Reference in a new issue