New upstream version 22.07
commit
6789f12830
|
@ -5,7 +5,7 @@ pipeline {
|
||||||
agent {
|
agent {
|
||||||
docker {
|
docker {
|
||||||
image 'evolix/gbp:bullseye'
|
image 'evolix/gbp:bullseye'
|
||||||
args '-u root --privileged -v /tmp:/tmp'
|
args '-u root --privileged'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
when {
|
when {
|
||||||
|
@ -14,7 +14,7 @@ pipeline {
|
||||||
steps {
|
steps {
|
||||||
script {
|
script {
|
||||||
sh 'mk-build-deps --install --remove debian/control'
|
sh 'mk-build-deps --install --remove debian/control'
|
||||||
sh 'rm -rf source'
|
sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt,.git}'
|
||||||
sh "gbp clone --debian-branch=$GIT_BRANCH $GIT_URL source"
|
sh "gbp clone --debian-branch=$GIT_BRANCH $GIT_URL source"
|
||||||
sh 'cd source && git checkout $GIT_BRANCH && gbp buildpackage -us -uc'
|
sh 'cd source && git checkout $GIT_BRANCH && gbp buildpackage -us -uc'
|
||||||
}
|
}
|
||||||
|
@ -29,8 +29,8 @@ pipeline {
|
||||||
steps {
|
steps {
|
||||||
script {
|
script {
|
||||||
sh 'echo Dummy line to remove once something actually happens.'
|
sh 'echo Dummy line to remove once something actually happens.'
|
||||||
/* No crendentials yet
|
/* No crendentials yet.
|
||||||
sh 'rsync -avP /tmp/bkctld/ droneci@pub.evolix.net:/home/droneci/bkctld/'
|
sh 'rsync -avP bkctld* droneci@pub.evolix.net:/home/droneci/bkctld/'
|
||||||
*/
|
*/
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
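Review bot: The cleanup line `sh 'rm -rf {source,*.gz,*.bz2,*.xz,*.deb,*.dsc,*.changes,*.buildinfo,lintian.txt,.git}'` depends on brace expansion, which the Jenkins `sh` step does not get when it runs the image's `/bin/sh` — on a bullseye image that is dash, so the braces are passed literally, the pattern matches nothing and `-f` hides the failure, leaving stale artifacts from a previous build in the workspace. Listing the paths as separate arguments works in any shell: `sh 'rm -rf source *.gz *.bz2 *.xz *.deb *.dsc *.changes *.buildinfo lintian.txt .git'`. Whether the step really runs under dash depends on the agent's shell configuration, so this is worth confirming rather than assumed; the enclosing `steps` block closes outside the hunk. After dropping the `/tmp` mount the container still runs as `-u root --privileged`, and if `mk-build-deps` and `gbp buildpackage` do not need it, `--privileged` could go too, since it hands the build job full access to the host kernel.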
13
.drone.yml
13
.drone.yml
|
@ -15,9 +15,6 @@ steps:
|
||||||
- mk-build-deps --install --remove debian/control
|
- mk-build-deps --install --remove debian/control
|
||||||
- git clean --force
|
- git clean --force
|
||||||
- gbp buildpackage -us -uc
|
- gbp buildpackage -us -uc
|
||||||
volumes:
|
|
||||||
- name: tmp
|
|
||||||
path: /tmp
|
|
||||||
when:
|
when:
|
||||||
branch:
|
branch:
|
||||||
- debian
|
- debian
|
||||||
|
@ -31,16 +28,8 @@ steps:
|
||||||
key:
|
key:
|
||||||
from_secret: drone_private_key
|
from_secret: drone_private_key
|
||||||
target: /home/droneci/bkctld/
|
target: /home/droneci/bkctld/
|
||||||
source: /tmp/bkctld/
|
source: ../bkctld*
|
||||||
delete: true
|
delete: true
|
||||||
volumes:
|
|
||||||
- name: tmp
|
|
||||||
path: /tmp
|
|
||||||
when:
|
when:
|
||||||
branch:
|
branch:
|
||||||
- debian
|
- debian
|
||||||
|
|
||||||
volumes:
|
|
||||||
- name: tmp
|
|
||||||
host:
|
|
||||||
path: /tmp
|
|
||||||
|
|
|
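Review bot: `source: ../bkctld*` in the rsync step points one level above the Drone workspace, which is where `gbp buildpackage` writes its output when it is run from the checkout root as the build step does; that directory is only visible to the rsync step if it lies inside the volume shared between steps, which this file no longer spells out now that the `tmp` host volume is gone. If the workspace's parent is not shared, the glob stays unmatched and rsync will most likely fail on a missing source, and because the step also sets `delete: true` a partially matched run would prune the remote `bkctld/` directory to whatever this build happened to produce. Keeping the artifacts inside the workspace — building from a subdirectory the way the Jenkinsfile does with `source`, and pointing `source:` at the workspace path — avoids depending on how the runner mounts `/drone`. This is inferred from the layout rather than visible here, so confirm against the runner's workspace volume.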
@ -18,6 +18,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [22.07] - 2022-07-20
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* check-setup: check minifirewall version only if minifirewall is present
|
||||||
|
* check-setup: get minifirewall version from internal variable (there is no other backward compatible way)
|
||||||
|
* check-setup: use findmnt with mountpoint instead of target
|
||||||
|
|
||||||
## [22.06] - 2022-06-28
|
## [22.06] - 2022-06-28
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -4,7 +4,7 @@ Bkctld (aka server-side evobackup)
|
||||||
bkctld helps you manage the receiving side of a backup infrastructure.
|
bkctld helps you manage the receiving side of a backup infrastructure.
|
||||||
It is licensed under the AGPLv3.
|
It is licensed under the AGPLv3.
|
||||||
|
|
||||||
With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with it's own TCP port and optionnaly it's own set of iptables rules.
|
With bkctld you create and manage "jails". They contain a chrooted and dedicated SSH server, with its own TCP port and optionally its own set of iptables rules.
|
||||||
|
|
||||||
With bkctld you can have hundreds of jails, one for each client to push its data (using Rsync/SFTP). Each client can only see its own data.
|
With bkctld you can have hundreds of jails, one for each client to push its data (using Rsync/SFTP). Each client can only see its own data.
|
||||||
|
|
||||||
|
@ -30,9 +30,7 @@ This volume can also be encrypted with **LUKS**.
|
||||||
|
|
||||||
## Security considerations
|
## Security considerations
|
||||||
|
|
||||||
The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk or complete backup erasure from a compromised client.
|
The client obviously has access to its uploaded data (in the chroot), but the timestamped copies are outside the chroot, to reduce the risk of complete backup erasure from a compromised client.
|
||||||
|
|
||||||
Since the client connects to the backup server with root, it can mess with the jail and destroy the data. But the timestamped copies are out of reach because outside of the chroot.
|
|
||||||
|
|
||||||
It means that **if the client server is compromised**, an attacker can destroy the latest copy of the backed up data, but not the timestamped copies.
|
It means that **if the client server is compromised**, an attacker can destroy the latest copy of the backed up data, but not the timestamped copies.
|
||||||
And **if the backup server is compromised** an attacker has complete access to all the backup data (inside and outside the jails), but they don't have any access to the client.
|
And **if the backup server is compromised** an attacker has complete access to all the backup data (inside and outside the jails), but they don't have any access to the client.
|
||||||
|
@ -77,6 +75,8 @@ vagrant@buster-btrfs $ sudo -i
|
||||||
root@buster-btrfs # bats /vagrant/test/*.bats
|
root@buster-btrfs # bats /vagrant/test/*.bats
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
[comment]: <> (* pour vim)
|
||||||
|
|
||||||
You should shellcheck your bats files, but with shellcheck > 0.4.6, because the 0.4.0 version doesn't support bats syntax.
|
You should shellcheck your bats files, but with shellcheck > 0.4.6, because the 0.4.0 version doesn't support bats syntax.
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
@ -99,7 +99,7 @@ pandoc -f markdown \
|
||||||
#### Client configuration
|
#### Client configuration
|
||||||
|
|
||||||
You can backup various systems in the evobackup jails : Linux, BSD,
|
You can backup various systems in the evobackup jails : Linux, BSD,
|
||||||
Windows, macOS. The only need Rsync or an SFTP client.
|
Windows, macOS. The only need is Rsync or an SFTP client.
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/
|
rsync -av -e "ssh -p SSH_PORT" /home/ root@SERVER_NAME:/var/backup/home/
|
||||||
|
|
|
@ -16,7 +16,7 @@ output=""
|
||||||
|
|
||||||
# Verify backup partition is mounted and writable
|
# Verify backup partition is mounted and writable
|
||||||
|
|
||||||
findmnt -O rw --target "${BACKUP_PARTITION}" > /dev/null
|
findmnt -O rw --mountpoint "${BACKUP_PARTITION}" > /dev/null
|
||||||
if [ "$?" -ne 0 ]; then
|
if [ "$?" -ne 0 ]; then
|
||||||
nb_crit=$((nb_crit + 1))
|
nb_crit=$((nb_crit + 1))
|
||||||
output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n"
|
output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n"
|
||||||
|
@ -29,11 +29,12 @@ fi
|
||||||
# Check if the firewall file is sourced
|
# Check if the firewall file is sourced
|
||||||
|
|
||||||
minifirewall_config=/etc/default/minifirewall
|
minifirewall_config=/etc/default/minifirewall
|
||||||
minifirewall_version=$(/etc/init.d/minifirewall status | head -1 | cut -d ' ' -f 3)
|
|
||||||
|
|
||||||
if [ -n "${FIREWALL_RULES}" ] \
|
if [ -n "${FIREWALL_RULES}" ] \
|
||||||
&& [ -r "${FIREWALL_RULES}" ] \
|
&& [ -r "${FIREWALL_RULES}" ] \
|
||||||
&& [ -f "${minifirewall_config}" ]; then
|
&& [ -f "${minifirewall_config}" ]; then
|
||||||
|
minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | head -1 | cut -d '=' -f 2 | tr -d "'" | tr -d '"')
|
||||||
|
|
||||||
if [ -n "${minifirewall_version}" ] && dpkg --compare-versions "${minifirewall_version}" ge "22.03"; then
|
if [ -n "${minifirewall_version}" ] && dpkg --compare-versions "${minifirewall_version}" ge "22.03"; then
|
||||||
# Minifirewall 22.03+ includes files automatically
|
# Minifirewall 22.03+ includes files automatically
|
||||||
nb_ok=$((nb_ok + 1))
|
nb_ok=$((nb_ok + 1))
|
||||||
|
|
|
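Review bot: The new `minifirewall_version=$(grep -E -o "^VERSION=(\S+)" /etc/init.d/minifirewall | …)` reads `/etc/init.d/minifirewall` although the enclosing `if` only established that `/etc/default/minifirewall` exists, so on a host where the init script is absent or unreadable `grep` prints an error on stderr and the `-n` test treats the empty result as "no version". Guard the read on the script itself, e.g. `minifirewall_init=/etc/init.d/minifirewall` followed by `[ -r "${minifirewall_init}" ] && minifirewall_version=$(grep -E -o '^VERSION=(\S+)' "${minifirewall_init}" | head -1 | cut -d '=' -f 2 | tr -d "'\"")`, which also folds the two `tr` calls into one. Parsing the script instead of executing `status` as the removed line did is the right direction, and a one-line comment such as `# Read VERSION= from the init script rather than executing it` would record why. The `if` opened in this hunk closes outside it, and whether the script runs under `set -e` is not visible from here.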
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
[ -f /etc/default/bkctld ] && . /etc/default/bkctld
|
[ -f /etc/default/bkctld ] && . /etc/default/bkctld
|
||||||
|
|
||||||
VERSION="22.04"
|
VERSION="22.07"
|
||||||
|
|
||||||
LIBDIR=${LIBDIR:-/usr/lib/bkctld}
|
LIBDIR=${LIBDIR:-/usr/lib/bkctld}
|
||||||
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
||||||
|
|